Security Case Study Competition

Improving Security at Green Star Bank

Background

As the Chief Information Security Officer (CISO) at Green Star Bank in Michigan, you have become aware of a recent security breach incident. An employee who works remotely from home fell for a spear phishing email that installed malware on her bank-supplied laptop. As a result, the attacker was able to remotely observe the employee initiating bank transactions, and soon used the employee’s bank employee credentials to log in and initiate transfers to an offshore bank account. The bank officer who provided secondary approval for the transfers failed to detect or question the fraudulent transfers, and the bank suffered a $1.2m loss. Before detection, the attacker scanned the bank’s systems and created alternative logins in order to maintain access in the future.

As a result of this event, you have contracted with an outside company to perform a thorough penetration test of the bank’s operations. In addition, the pen testing company suggested that the testing include a test of employee passwords for common weaknesses, but especially for sport or seasonal themes. The bank’s existing password policy requires that all passwords conform to the following guidelines:

  • Length of 8-12, must contain upper and lower case, numbers and symbols
  • Contain no part of user’s name
  • Not be identical to the previous ten (10) passwords.
  • Passwords expire after 90 days
  • Passwords may not be transmitted to another person

During the pen testing, the testers crafted password testing scripts that use passwords based on local football teams, seasons of the year, and holidays. Staying below the login failure lockout threshold of 5 attempts, the testers brute-force tested these passwords against employee login credentials. They discovered a significant number of employees with passwords based on words such as “Wolverines”, “UM Rules”, “State”, “Spartans”, “Summer”, “Beach”, “Fall”, “Thanksgiving” and “Christmas”. The pen testers described these passwords as representative of a larger problem that is difficult to stop with the existing password policy guidelines.
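To make that gap concrete, the following is an added Python example (not part of the case study and not Green Star Bank’s own tooling). It encodes the existing guidelines as written (length 8-12, upper and lower case, a digit, a symbol, no part of the user’s name) and adds the screen the policy lacks: a themed-word blocklist applied after undoing the usual decorations (case, leet-style digit and symbol substitutions, trailing years and punctuation). The theme list and the substitution table are assumptions chosen to cover the words the pen testers reported; a real deployment would extend the list and keep it confidential.

```python
import re
from typing import Optional

# Constructed blocklist (assumption): the themes the pen testers reported, plus a few
# obvious neighbours. Longest first so the most specific word is reported.
THEME_WORDS = (
    "thanksgiving", "wolverines", "christmas", "halloween", "spartans", "umrules",
    "summer", "winter", "spring", "easter", "beach", "state", "fall",
)

# Common leet-style substitutions to undo before matching (assumption: a small,
# illustrative table rather than an exhaustive one).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def meets_existing_policy(password: str, user_name: str) -> bool:
    """The bank's current rules as stated in the case study.

    Length 8-12, at least one upper, lower, digit and symbol, and no token of the
    user's name (3+ characters, case-insensitive) anywhere in the password.
    """
    if not 8 <= len(password) <= 12:
        return False
    has_classes = (
        re.search(r"[A-Z]", password)
        and re.search(r"[a-z]", password)
        and re.search(r"\d", password)
        and re.search(r"[^A-Za-z0-9]", password)
    )
    if not has_classes:
        return False
    lowered = password.lower()
    for token in re.split(r"\W+", user_name.lower()):
        if len(token) >= 3 and token in lowered:
            return False
    return True


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions, then keep only letters.

    "Sp@rt4ns!" -> "spartansi", "Wolverines1!" -> "wolverinesii".
    """
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def contains_theme(password: str) -> Optional[str]:
    """Return the first blocklisted theme found in the normalized password, else None.

    Substring matching is deliberate: "Wolverines2017!" and "GoSpartans#1" both
    decorate a themed word without changing what an attacker would guess.
    """
    core = normalize(password)
    for word in THEME_WORDS:
        if word in core:
            return word
    return None


def evaluate(password: str, user_name: str) -> dict:
    """Combine the existing policy with the themed-word screen."""
    policy_ok = meets_existing_policy(password, user_name)
    theme = contains_theme(password)
    return {
        "existing_policy": policy_ok,
        "theme_word": theme,
        "accepted": policy_ok and theme is None,
    }


if __name__ == "__main__":
    for candidate in ("Spartans", "Wolverines1!", "Sp@rt4ns!", "Tq7#mLp9vX2"):
        print(candidate, evaluate(candidate, "Jane Doe"))
```

The instructive case is “Wolverines1!”: it satisfies every line of the existing policy, so the policy alone cannot reject it, while the normalized form still contains the guessable theme. A bare word such as “Spartans” already fails the character-class rules; the problem the pen testers describe is the decorated variants that pass them.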

Your job, as CISO, is to craft potential security procedures to mitigate against weak passwords and remote employees’ susceptibility to phishing and social engineering attacks. Be sure to fully describe your recommendations and how each will solve a problem described herein.

Solutions should/may include

  • Password manager use required
  • Improved mail scanning software
  • Malware detection software
  • Removal of local admin rights on PCs (preventing unauthorized software from being installed)
  • Multi-factor authentication
    • RSA token/ Google Authenticator
    • IP restrictions
    • Bank certificate on company computers
  • All remote employees connect via VPN
  • Whitelisting apps that may be installed
  • Intrusion detection and behavioral analysis
    • Suspicious applications
    • Too many failed login attempts
    • Attempts to access areas outside of normal
    • Scanning activity
  • Phishing campaigns to detect susceptible employees
  • Mandatory phishing training for all employees
  • Departmental training geared towards controls in place (ensure officers actually do review transactions)
  • Improved password policy
    • Longer passwords
    • Password never used before
    • Not solely a dictionary word (may contain dictionary words)
    • Longer passwords expire after longer time
    • Discouraging password reuse between password resets (same password but with minor changes) or between applications (e.g. Bank & Facebook)
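The “intrusion detection and behavioral analysis” item above, and in particular “too many failed login attempts”, is worth spelling out, because the pen testers deliberately stayed below the 5-attempt lockout on every account. A per-account lockout counter never fires against that pattern; what does is a count of distinct accounts that a single source fails against. The following is an added Python example (not from the case study or the bank) that runs both checks over a constructed authentication log. The log format, the `SPRAY_MIN_ACCOUNTS` threshold and the TEST-NET addresses are assumptions for the illustration.

```python
import re
from collections import defaultdict
from typing import Iterable, List

LOCKOUT_THRESHOLD = 5    # per-account failed-login lockout from the case study
SPRAY_MIN_ACCOUNTS = 8   # assumption: distinct accounts one source may fail against before alerting

# Constructed log line format (assumption; real authentication logs differ):
# <timestamp> src=<address> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(lines: Iterable[str]):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(lines: Iterable[str]) -> List[dict]:
    """Return findings of two kinds, ordered by source address.

    "lockout": a source exceeded LOCKOUT_THRESHOLD failures on one account
               (what the bank already detects).
    "spray":   a source failed against SPRAY_MIN_ACCOUNTS or more distinct
               accounts while staying under the lockout on each of them.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for ev in parse_events(lines):
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1

    findings = []
    for src in sorted(fails):
        per_user = fails[src]
        locked = sorted(u for u, n in per_user.items() if n >= LOCKOUT_THRESHOLD)
        sub_lockout = [u for u, n in per_user.items() if n < LOCKOUT_THRESHOLD]
        if locked:
            findings.append({"type": "lockout", "src": src, "users": locked})
        if len(sub_lockout) >= SPRAY_MIN_ACCOUNTS:
            findings.append({
                "type": "spray",
                "src": src,
                "accounts": len(sub_lockout),
                "max_per_account": max(per_user[u] for u in sub_lockout),
            })
    return findings


def build_sample_log() -> List[str]:
    """Constructed sample: a low-and-slow sweep, a forgetful user, and a noisy brute force."""
    lines = []
    # One source tries four guesses against each of ten accounts: never trips the lockout.
    for i in range(10):
        for j in range(4):
            lines.append(f"2017-02-10T08:0{i}:{j:02d}Z src=203.0.113.5 user=emp{i:02d} result=FAIL")
    # A legitimate user mistypes twice, then succeeds, from a home address.
    lines += [
        "2017-02-10T08:15:00Z src=198.51.100.7 user=bob result=FAIL",
        "2017-02-10T08:15:20Z src=198.51.100.7 user=bob result=FAIL",
        "2017-02-10T08:15:45Z src=198.51.100.7 user=bob result=OK",
    ]
    # Six failures on a single account: the existing per-account rule catches this one.
    for j in range(6):
        lines.append(f"2017-02-10T09:00:{j:02d}Z src=203.0.113.9 user=carol result=FAIL")
    return lines


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

Running it reports the single-account brute force from 203.0.113.9 as a lockout and the ten-account sweep from 203.0.113.5 as a spray, while the home user with two typos produces nothing. The per-source view is what turns the “stay under 5” behaviour into a signal; in production the counts would be kept over a sliding time window and fed to the SIEM alongside the malware and scanning detections the list mentions.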

Judging

Guidelines and percentage of the total score:

Security Policy – 70%
  • The extent to which the team’s proposals and justifications satisfy the goals of the project and meet the performance expectations of the company
  • The extent to which the proposed recommendations holistically blend the elements into a workable technological solution for the agents

Supporting statement – 15%
  • The extent to which the team fully and clearly describes the proposed security policy, demonstrates an understanding of the client’s needs and security issues, technical accuracy, professionalism, and creativity

Recorded Video – 15%
  • Displays technical accuracy, understanding of the various proposed security issues, professionalism, creativity, and production quality

Total – 100%

The Details
  • Submission Instructions

    • Upload your video to YouTube.com (make sure that you don’t make your video private so we can access it!)
    • Complete the online submission form which includes the:
      • link to your video
      • names and email addresses of the team members
      • Link to the recorded video presentation (10 minutes max) of the policy that would be presented to the CEO and board of directors.
      • An introduction to the members of your team, and a description of the role each one played.
      • ADDITIONAL DETAILS ARE FORTHCOMING
  • Timeline

    • All preliminary submissions must be received no later than March 1, 2017
    • Finalists will be announced on or around March 14, 2017
    • The winner will be revealed at the Student Chapters Leadership Conference between April 13-15, 2017
  • Prizes

    First place: $500

    Second place: $250

    Third place: $100

Preliminary Round

For the preliminary round, student teams must submit a report that contains:

  1. A detailed description of the proposed security procedures, protocols, processes or training that your team recommends. Clear justifications for each of the recommendations are required.
  2. A statement on why you believe that your proposals will accomplish the goals of mitigating against weak passwords and remote employees’ susceptibility to phishing and social engineering attacks.
  3. A recorded video presentation (10 minutes max) of the policy recommendations that would be presented to the CEO and board of directors.
  4. An introduction to the members of your team, and a description of the role each one played.

Final Round

The top four submissions as scored by the judges will move on to the final round to be held at the Student Chapters Leadership Conference. In this round, the team will make a live presentation of the policy recommendation.

Other Rules

  • The project submissions must entirely be the work of the project team. While faculty and other individuals can help review the submission, they should not contribute to the content of the report or the solution.
  • Incomplete submissions will not be considered, so make sure all of your submission deliverables are in the submission package.
  • The contest materials must be submitted by the due dates. Late submissions will not be accepted and no extensions will be given.