CYB 240 Project One Guidelines and Rubric
Vulnerability Summary Report
Overview
When you perform new system-wide hardware or software updates, it’s a good idea to run a vulnerability scan. Reading vulnerability scan reports is an
important skill for you as a cybersecurity analyst. Interpreting and prioritizing what is important to the organization will be a key part of your role. You will get to
practice these skills in this project by creating a vulnerability summary report.
The project incorporates one milestone, which will be submitted in Module Four. The project will be submitted in Module Six.
In this assignment, you will demonstrate your mastery of the following competencies:
● CYB-240-01: Identify and troubleshoot deficiencies related to web application security
● CYB-240-03: Identify and troubleshoot deficiencies related to tiered web application security
Scenario
You are a cybersecurity analyst and work for an IT company that is having issues with its computer systems. The company has supplied you with vulnerability
analysis scan (OpenVAS) reports that detail several issues with security. You will use the reports to identify the vulnerabilities that you will analyze for your
project.
The system you will be working with is three tiered with a database back-end server and a web server front end. The system contains both Windows and Linux
components.
Prompt
You must address the critical elements listed below in your vulnerability summary report. The codes shown in brackets indicate the course competency to which
each critical element is aligned.
I. Server: Select a server-related vulnerability from the vulnerability analysis report. For the selected vulnerability:
A. Briefly describe the risk posed by the vulnerability. [CYB-240-01]
B. Summarize one other incident this vulnerability has caused in the industry. [CYB-240-01]
C. Provide evidence of successful remediation of the vulnerability (e.g., screenshot of successful software upgrade, vulnerability analysis report, or
failed Metasploit attack). [CYB-240-01]
II. Other tier: Select a non-server-related vulnerability from the vulnerability analysis report. For the selected vulnerability:
A. Briefly describe the risk posed by the vulnerability. [CYB-240-03]
B. Summarize one other incident this vulnerability has caused in the industry. [CYB-240-03]
C. Provide evidence of successful remediation of the vulnerability (e.g., screenshot of successful software upgrade, vulnerability analysis report, or
failed Metasploit attack). [CYB-240-03]
Project One Rubric
Guidelines for Submission: Your submission should be 2–3 pages in length and should be written in APA format. Use double spacing, 12-point Times New Roman
font, and one-inch margins. Include at least two references, which should be cited according to APA style. Use a file name that includes the course code, the
assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.
| Critical Elements | Exemplary (100%) | Proficient (85%) | Needs Improvement (55%) | Not Evident (0%) | Value |
|---|---|---|---|---|---|
| Server: Risk [CYB-240-01] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Briefly describes the risk posed by the vulnerability | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Server: Other Incident [CYB-240-01] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Summarizes one other incident this vulnerability has caused in the industry | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Server: Evidence of Successful Remediation [CYB-240-01] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Provides evidence of successful remediation of the identified vulnerability | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Other Tier: Risk [CYB-240-03] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Briefly describes the risk posed by the vulnerability | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Other Tier: Other Incident [CYB-240-03] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Summarizes one other incident this vulnerability has caused in the industry | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Other Tier: Evidence of Successful Remediation [CYB-240-03] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Provides evidence of successful remediation of the identified vulnerability | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Articulation of Response | Submission is free of errors related to grammar, spelling, and organization and is presented in a professional and easy-to-read format | Submission has no major errors related to grammar, spelling, or organization | Submission has some errors related to grammar, spelling, or organization that negatively impact readability and articulation of main ideas | Submission has critical errors related to grammar, spelling, or organization that prevent understanding of ideas | 10 |
| Total | | | | | 100% |
CYB 240 Project Two Scenario One
You are a newly hired analyst for a health insurance company with a central office and several satellite
offices. The central office administers all back-end servers and pushes out all communications to
satellite offices via a web interface. The organization has requested a security analyst be part of a new
web application development from the start of the project to advise on possible security risks. The
application is used as an interface with the patient information system, and it is used by internal
employees only.
A member of the IT team has reviewed the design documents for the new development project, and has
provided the following list of system specifications:
● Three-tiered system:
○ MySQL Database
Current system specifications:
■ Proper authentication to access data in table
■ Communication with transaction server done through PHP
○ Microsoft Transaction Server
Current system specifications:
■ Transaction server has administrative access to MySQL database
■ Communication to the database is done over company network
■ Communication to the web server front end is done over the internet
■ Components sent to web server front end are in XML format with weak
metadata
■ Transactions sent to web server are unencrypted and 1-1 (not batched)
○ Web Server Front End
Current system specifications:
■ Data displayed on webpages is in clear text using HTTP protocols
■ Log-on access to web server is via client-side scripting