C796 CAPSTONE LATEST UPDATES MAY2023 WITH COMPREHENSIVE SOLUTIONS
Warrenton Oil Company is a medium-sized company that provides multiple services to the consumer. Fuel transportation is their primary source of revenue, for which they have over 100 vehicles and drivers delivering fuel products to a multitude of vendors across central and east central Missouri, with a few stops in western Illinois. They currently own 55 convenience stores, with plans to acquire 10 more through the buyout of an existing chain. Lastly, they own 3 different hotels in the area. In total, they have over 1,000 employees across each functional area of their business model.

Warrenton Oil Company, at its corporate office, currently utilizes a Windows Server Domain to incorporate all network security policies. The servers currently in place as the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) are housed on outdated server hardware and are running out-of-compliance Operating Systems (OS): Small Business Server 2003 and Windows Server 2012. While Windows Server 2012 has support until October 10, 2023, Small Business Server 2003 reached End-of-Life (EOL) on July 11th, 2017, meaning it needs to be upgraded immediately to be in compliance with current cyber security policies and procedures.

In addition to the Server OS being EOL, the server hardware is also outdated and needs to be updated to ensure that, when the new Server OS is installed, the hardware has the processing and memory capacity to handle the network traffic that will be present. Additionally, the hardware needs to have redundancy built in (power supplies, processors, etc.), and the network needs redundancy built in as well. These are necessary to ensure that each branch of the business model has access to the data they need, when they need it, and in a manner that is conducive to their business interests.

The primary concern with the current environment is the vulnerabilities inherent in Small Business Server 2003 that cannot be remediated.
One such vulnerability is CVE- which is an Exec Code vulnerability present in an untrusted search path in the Data Access Objects () library, which allows for “the execution of arbitrary code and gives access to the DLL’s. This allows for DLL hijacking via a Trojan horse” ( 662227/Microsoft-Windows-Server-2003--.html). Installing new server software will immediately mitigate this vulnerability and is one of the primary needs for a Domain Controller Transition.

Root Causes

Typically, an environment may be out of compliance due to an antiquated patch management policy, or because the organization cannot afford the new hardware or software components needed to regain compliance. In Warrenton Oil Company’s case, it is simply due to the key stakeholders not wanting to put forth the funds necessary to improve the organization’s overall level of network security. However, the Kaseya breach in July of 2021 prompted the management team to rethink its stance on cyber security and subsequently purchase the equipment and software necessary to secure our internal network from ransomware attacks such as the one Kaseya fell victim to ( kaseyaransomware-attack-faq-what-we-know-now/).

The root cause of the security problem present at Warrenton Oil Company can be attributed to two items specifically:
1) Lack of stakeholder commitment to the security of their data.
2) No security breaches have occurred, leading people to believe there is no security issue, as nothing has happened yet.

As with all cyber security related issues, it is 90% human and 10% technical error that makes up most incidents. The key stakeholders now understand the immense importance of having not only a solid security incident response plan in place, but also hardware and software components that secure the network from attacks. The security needs of the organization are also required by the PCI-DSS, as we sell directly out of our warehouse and not only from the convenience stores.
PCI-DSS determines the requirements for a safe network for processing payment card data ( fe_P).

Key Stakeholders

The following personnel are key stakeholders in this project:
1) Company President – His compliance with this project was necessary, as his approval or disapproval trumps all.
2) Chief Financial Officer – Must clear the purchase of all related equipment, software, and licensing agreements for the multitude of software components needed for this project.
3) Director of Retail Operations – Back Office software is housed remotely but must have a domain trust established to work. This is paramount to retail operations, as without this trust, updated pricing, reports, etc., cannot be provided.
4) 55 Remote Endpoints – The primary reason for the Domain Controller Transition. They rely on us for nearly all their data; it is essential that we are working within compliance requirements.
5) IT Director – He is the supervisor of the project; he ensures all key metrics are met.
Written for
- Institution: C796
- Course: C796
Document information
- Uploaded on: March 16, 2024
- Number of pages: 15
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers