Posted: April 25th, 2025

SHORT RESPONSE

To begin this assignment, review the prompt and grading rubric in the Module Two Short Response Guidelines and Rubric. You will be working through Breach Analysis Simulation Scenario One PPT, or its text-based alternative PDF, which is an interactive scenario that you will use to address questions in the prompt. When you have finished your work, submit the assignment here for grading and instructor feedback.

CYB 250 Module Two Short Response Guidelines and Rubric

Overview

In cybersecurity, data protection should be the first priority. There are two basic concepts: data at rest and data in transit. Each version of data is protected slightly differently. It may be sufficient to protect data at rest with some type of encryption that is difficult to crack over a long period of time, while the data in transit only needs to be protected until it gets past the entity that is trying to decipher it. In either case, it is important to know what to do when a breach or incident occurs. Having a strong computer incident response team (CIRT) is a valuable resource for any company. The premise behind incident response is to identify an attack, contain and eradicate its effects, and minimize the risk of incident recurrence.

What is the shortest amount of time it can take to restore the system to a safe state? The shortest amount of time might not be the most cost-effective. Therefore, the company must prioritize its actions and make sure that in trying to fix the cyber incident, it doesn’t cause the company more harm. There are many incidents and actions that the CIRT needs to be ready for, so having a highly defined and well-practiced incident response plan is important for the company’s well-being. Having the proper resources, whether they are personnel or information technology related, can play a role in how fast the company recovers from the incident. Being prepared for the worst possible cases, having a strong understanding of the influences of the confidentiality, integrity, and availability (CIA) triad, and knowing how the company will react to those situations could mean the difference between company survival or deeper consequences, such as company closure. Having the proper CIRT is about having the right people for the job. This does not mean that all of senior management needs to be on the CIRT. This does mean that the company must figure out what the proper makeup of the team should be. The team members must be knowledgeable in their roles as they need to be sure that the decisions they make are in the best interests of the company.

Prompt

After reviewing Breach Analysis Simulation Scenario One, address the critical elements below:

I. Reflection on CIA and Data Protection

A. Select a tenet of the CIA triad and explain how the principle applies to the scenario. Justify your response with details or examples from the scenario.

B. Explain the issues with Secure Sockets Layer (SSL) that facilitated its deprecation and how Transport Layer Security (TLS) remedies those issues.

II. Incident Response Plan

A. In small organizations, there typically isn’t a large membership to form the CIRT. Explain how organizations with a small IT department ensure that the CIRT is prepared to handle all possible situations.

What to Submit

Your submission should be 1 to 2 pages in length. Use double spacing, 12-point Times New Roman font, and one-inch margins. All sources must be cited using APA format. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname x.



11/5/24, 11:04 AM Assignment Information

https://learn.snhu.edu/d2l/le/content/1748997/viewContent/36623161/View 1/2


Module Two Short Response Rubric

| Criteria | Exemplary (100%) | Proficient (85%) | Needs Improvement (55%) | Not Evident (0%) | Value |
|---|---|---|---|---|---|
| Reflection on CIA and Data Protection: Tenet of CIA Triad | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Selects a tenet of the CIA triad and explains how the principle applies to the scenario, including details or examples from the scenario | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 30 |
| Reflection on CIA and Data Protection: Issues with SSL | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Explains the issues with SSL that facilitated its deprecation and how TLS remedies those issues | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 30 |
| Incident Response Plan: Form the CIRT | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Explains how organizations with a small IT department ensure that the CIRT is prepared to handle all possible situations | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 30 |
| Articulation of Response | Submission is free of errors related to citations, grammar, spelling, and organization and is presented in a professional and easy-to-read format | Submission has no major errors related to citations, grammar, spelling, or organization | Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas | Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas | 10 |

Total: 100%

Published by Articulate® Storyline www.articulate.com

CYB 250 Module Two Short Response Text Version

Breach Analysis Simulation

Scenario One

Breach Analysis Simulation Introduction

Read through the following scenario. You will then be asked to make choices based on your
experience as a security analyst. While there is a best path through the simulation, many of the
other options are viable. You are encouraged to explore all of the options to enhance your
knowledge and to prepare you for future breaches. The purpose of this simulation is to develop
your systems thinking mindset and mature your cyber defense strategies.

Breach Analysis Simulation: Scenario One

You are a security analyst working for a company that provides an e-commerce website. Over
the last year, you have had discussions with your supervisor about updates to the systems,
including a transition to Transport Layer Security (TLS) from Secure Sockets Layer (SSL). The
changes have not been implemented due to budgetary constraints. While performing file
system maintenance, you notice low disk quota on the web server.

1. Challenge One

1.1 Challenge One

What is this low disk quota? This is odd; last audit, there was sufficient space. Normal business
operations wouldn’t cause this. What should you do next? Below are the possible answers:

● Try to diagnose the source of the breach
● Consult the incident response plan
● Notify your supervisor

1.2 Try to diagnose the source of the breach

Good thought, but beware! Breaches are complex issues. Many additional obligations beyond
solving the breach need to be addressed. For instance, evidence gathering must be considered,
and communications to stakeholders must be drafted. Finding the source of the breach may be
time-consuming; consequently, other entities can be working on remediation actions during this
time. Try selecting a different response.

1.3 Consult the incident response plan

Although technically this response is the correct process, all employees should know that
alerting their supervisor is the first step; this results in faster action in initiating the proper
response. When you consult the incident response plan, it directs you to immediately contact
your supervisor. Where should the incident response plan be located? Below are the possible
answers:

● Stored digitally on the network
● Each employee should have a hard copy at his/her desk
● Printed out and stored in one specific location

1.3.1 Stored digitally on the network

No, this is not the ideal selection because the network could be compromised or otherwise
inaccessible. Try selecting a different response.

1.3.2 Each employee should have a hard copy at his/her desk

Not quite! Although organizations might choose to do this, it represents an overuse of resources
and creates potential issues related to the frequent updating necessary to this document. Try
selecting a different response.

1.3.3 Printed out and stored in one specific location

Correct! This is standard practice; a single hard copy that is always up to date with the most
current actions prevents issues. It is important to ensure that all individuals are notified when
updates to this document occur.

Now that you have determined where the incident response plan should be located, return to
Challenge One and try selecting a different response.

1.4 Notify your supervisor

Correct! As an analyst, you need to contact your supervisor, who will contact the computer
incident response team and mobilize the appropriate personnel to remedy the situation.

2. Challenge Two

2.1 Challenge Two: Dialogue with Supervisor

Supervisor: “There do appear to be irregularities with the network. I would like you to do some
investigating and find evidence to support your concerns about a breach.”
Where should you look first to try to find evidence of the breach? Below are the possible
answers:

● Look for irregularities in the active directory
● Analyze access control logs
● Look at the files on the web server

2.2 Analyze access control logs

Looking at access control logs can be a good start when trying to identify who accessed which
areas of the network. However, this is a time-consuming process, and if the hacker is
experienced, it may be difficult to determine whether unauthorized individuals accessed parts of
the network they weren’t supposed to. After review of the access control logs, no evidence of a
breach was found here. Try selecting a different response.

2.3 Look for irregularities in the active directory

A goal of hackers is to establish a presence in the network. From this presence, hackers look to
escalate privilege to gain access to information on the system or network and hide their activity
within the network. Looking for irregularities is a good foundational step in trying to identify
rogue activity on a network. In this case, there was no clear evidence that the attack progressed
past the initial access to the network. This choice is something to keep in mind if irregularities of
individual performances occur on the network. Try selecting a different response.

2.4 Look at the files on the web server

Correct! Looking at the files on the web server has uncovered the presence of rogue or
unauthorized files. Hackers typically test the waters by trying to upload files to web servers.
They are trying to discover whether or not they can infiltrate your system. If successful, hackers
would try to exploit this vulnerability and look to secure their presence in the network through
the web server. For this challenge, all three choices are viable, but checking for rogue or
unauthorized files can be one of the fastest methods of detecting an attack.

3. Challenge Three

3.1 Challenge Three: Conversation with Supervisor

Supervisor: “Good work on identifying the issues with rogue files on the network. It appears that
the attacker was able to place the files on the network because of the weak SSL encryption.
Moving forward, we have reevaluated the budget and made the transition to TLS a priority. But
we need to complete some steps before moving to TLS.”

3.2 Challenge Three: Conversation with Supervisor, Continued

Supervisor: “What do you think is the most important step to be sure we are ready to transition
to TLS?” Below are the possible answers:

● “Hardware. I think we need to ensure that processors, RAM, network media (gigabit
ethernet or fiber optic), network peripherals, and servers are capable and up to the
task. Processing time becomes a consideration when implementing TLS because cyphers
can take time to process so you may experience a degradation of your network and lag
time. We want to make sure that our communication infrastructure can handle the
bandwidth and our network peripherals are as up to date as possible. We will also want
to assess the health of our servers and server operating systems.”

● “Desktop and server software. I think we need to perform a health check for the local
machines and take an inventory of other information systems as a first step. The
communication between software across the organization is complex, and we need to
ensure that everything works and is thoroughly tested. The last thing we want is to lose
availability of the network because of software upgrades. Another factor with software
is the cost of licensing both desktop and server software. This can be a big consideration
as we plan the transition to TLS.”

● “Personnel: Implementing TLS requires personnel who are trained in the technical
complexities required to complete this task. These personnel need to know why
implementing TLS is important and also how to implement it.”

3.3 Desktop and server software

Supervisor: “Great point! While software considerations are important, I think they are
secondary to hardware considerations because hardware is the first major component we will
focus on when upgrading to TLS. We need the underlying infrastructure in place before making
the move. Hardware upgrades have their own challenges and need to be completed first.
Software is an important consideration because, once the right infrastructure is in place, the
correct software is also required for TLS implementation.” Try selecting a different response.

3.4 Personnel

Supervisor: “Great point! While having the right personnel is key, I would argue that this is the
third priority of the choices provided. Having the right personnel is an important consideration,
along with being able to identify the right skill set needed, but having the proper infrastructure
in place is the most important consideration.” Try selecting a different response.

3.5 Hardware

Supervisor: “I agree! This should be our highest priority consideration when transitioning to TLS.
While it is important to take hardware, software, and personnel into consideration, hardware is
the most important because having the infrastructure to run TLS is essential.”

Challenge Review

Your previous suspicions were aligned with what the incident response team discovered during
its investigation. Your initial step of notifying your supervisor was key to having a timely
response to the incident. The incident response team agreed that migrating from SSL to TLS is a
part of the solution.

4. Challenge Four

4.1 Challenge Four

Supervisor: “Thanks for all of your help in identifying the breach and making recommendations
for the remediation! We have successfully implemented TLS, and SSL has been removed from
the system. Moving forward, what are your thoughts on what happens now that the upgrade
has been implemented?” Below are the possible answers:

● “We can continue business as usual because updates have been made and vulnerability
has been remediated.”

● “We should reevaluate security policies.”
● “We should conduct a security audit.”

4.2 “We can continue business as usual because updates have been made and vulnerability
has been remediated.”

Supervisor: “I disagree. While we may be tempted to continue business as usual after
implementing updates to remediate a vulnerability, it is really important to conduct a security
audit to uncover any unintended consequences of those updates and to reevaluate our system
health.” Try selecting a different response.

4.3 “We should reevaluate security policies.”

Supervisor: “Great point! This is an important step in implementing new solutions, but I think
that conducting a security audit should be our first priority because we could uncover
unintended consequences from the changes.” Try selecting a different response.

4.4 “We should conduct a security audit.”

Supervisor: “I agree! Conducting a security audit should be our first priority. By conducting the
security audit, we will perform an evaluation of all systems, which may uncover other issues
from implementation of the vulnerability remediation.”

Breach Analysis Simulation Scenario One Summary

Nice work! This activity is meant to enhance your knowledge about managing a breach by
exploring choices that you could make during a given scenario. It is important that during a
breach you remain calm and stick to the incident response plan. The knowledge gained from this
assignment will help you to form a baseline of cyber defense strategies and your systems
thinking mindset.
