WGU C845 VUN1 Task 3 | Passed on First Attempt | Latest Update with Complete Solution
VUN1 — VUN1 Task 3: Evaluating & Defending Data Security and System Operations
INFORMATION SYSTEMS SECURITY – C845
A. Data Protection Risks and Cryptographic Recommendations

A1. Identified Data Protection Risks
1. Risk 1 (Data at Rest): Unencrypted Data Repository Leading to Mass Data Breach.
o Vulnerability: The on-premises Finance server database stores highly sensitive customer PII and financial records in clear text.
o Threat: An attacker who gains access to the server (e.g., through a compromised application or a system vulnerability) can directly exfiltrate the entire database file.
o Consequence: This would lead to a catastrophic mass data breach, violating regulations (such as GDPR or GLBA), causing significant financial loss, and irreparably damaging customer trust.
2. Risk 2 (Data in Transit): Unencrypted Internal Data Transfer Leading to Eavesdropping and Manipulation.
o Vulnerability: The HR and Finance departments use an internal FTP server with legacy protocols that do not encrypt data during transfer.
o Threat: A malicious insider, or an attacker who has gained a foothold on the corporate network, can trivially intercept (eavesdrop on) the data packets containing payroll and employee information. They could also alter the data in transit.
o Consequence: This exposes sensitive employee data (such as salaries and Social Security numbers) to theft and allows fraudulent manipulation of payroll data, leading to financial fraud and compliance failures.
A2. Recommended Cryptographic Methods

1. To mitigate the risk of the unencrypted database, FinSecure should implement application-level encryption for the most sensitive fields (e.g., SSN, account numbers) in addition to full-disk or database-level encryption. This provides a defense-in-depth approach: the disk or database layer protects against theft of the storage media, while the application layer protects the high-value fields even from an attacker who can already run queries against the database.
2. To mitigate the risk of the unencrypted FTP transfer, FinSecure must decommission the legacy FTP server and mandate the use of SFTP (SSH File Transfer Protocol) or HTTPS for all internal file transfers containing sensitive data. Decommissioning should be verified by confirming that no internal host still accepts connections on TCP port 21 (the FTP control port) and by blocking that port at internal firewalls, so that a forgotten or re-enabled FTP service cannot quietly resume clear-text transfers.
A2a. Justification of Recommendations

1. Application-Level Encryption for Data at Rest: This method encrypts data before it is written to the database. It directly supports data confidentiality by ensuring that specific, high-value data elements are encrypted with a unique key that is held separately from the database or storage system (for example, in a key management service or HSM). Even if an attacker bypasses the database server's security and gains direct access to the storage media or database files, the encrypted fields remain unreadable. This provides a critical layer of protection beyond transparent disk or database encryption, which decrypts data for any process or query that is authorized to read the volume or the database and therefore offers nothing against the compromised-application path described in Risk 1.
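As an added worked example for A2 item 1 and the justification above (it is not part of the original task submission and not FinSecure's code), the following Go program encrypts a customer's SSN with AES-256-GCM before the row is written, stores only the ciphertext, and shows that a copied database dump no longer contains the value while the application can still read it. It assumes an in-memory map standing in for the Finance database, a hypothetical data-encryption key that production would fetch from a KMS or HSM, and a constructed sample customer record; account numbers would be handled exactly like the SSN.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Row is what the Finance database persists. Name stays in the clear; SSNEnc is
// base64(nonce || AES-256-GCM ciphertext) and never the plaintext SSN.
type Row struct{ ID, Name, SSNEnc string }

// FieldCipher holds the data-encryption key in the application tier. Hypothetical
// setup: production fetches the key from a KMS or HSM; it is never stored with the database.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to its row and column, so an attacker with write access
// to the database cannot move one customer's encrypted SSN into another row.
func aad(rowID, column string) []byte { return []byte(rowID + "\x00" + column) }

// EncryptField runs before the value is handed to the database driver.
func (f *FieldCipher) EncryptField(rowID, column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize()) // fresh random 96-bit nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(plaintext), aad(rowID, column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField fails closed: wrong key, tampering or a swapped row all return an error.
func (f *FieldCipher) DecryptField(rowID, column, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(ct) < ns {
		return "", fmt.Errorf("%s/%s: ciphertext too short", rowID, column)
	}
	pt, err := f.aead.Open(nil, ct[:ns], ct[ns:], aad(rowID, column))
	if err != nil {
		return "", fmt.Errorf("%s/%s: authentication failed", rowID, column)
	}
	return string(pt), nil
}

// StoreCustomer encrypts the SSN and only then writes the row to the database.
func (f *FieldCipher) StoreCustomer(db map[string]Row, id, name, ssn string) error {
	enc, err := f.EncryptField(id, "ssn", ssn)
	if err != nil {
		return err
	}
	db[id] = Row{ID: id, Name: name, SSNEnc: enc}
	return nil
}

// DumpContainsPlaintext models the Risk 1 attacker who copied the database file and searches it.
func DumpContainsPlaintext(db map[string]Row, needle string) bool {
	for _, r := range db {
		if strings.Contains(r.ID+" "+r.Name+" "+r.SSNEnc, needle) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // hypothetical: would come from a KMS, not from disk
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	db := map[string]Row{}
	_ = fc.StoreCustomer(db, "cust-1001", "Ada Lovelace", "123-45-6789") // constructed sample, not real data
	fmt.Printf("persisted row: %+v\n", db["cust-1001"])
	fmt.Println("dump contains plaintext SSN:", DumpContainsPlaintext(db, "123-45-6789"))
	ssn, err := fc.DecryptField("cust-1001", "ssn", db["cust-1001"].SSNEnc)
	fmt.Println("application-side read:", ssn, err)
}
```

Run it with `go run`. Two design points carry the argument of A2a: the key lives only in the application process, so a stolen database file or backup is useless without a separate compromise of the key store; and the row ID and column name are passed as GCM associated data, so an attacker who can write to the database still cannot transplant one customer's encrypted SSN into another row or column without the read failing authentication. Because the stored value is base64 (an alphabet with no hyphen), a search of the dump for "123-45-6789" deterministically finds nothing, while non-sensitive fields such as the name remain searchable.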