
IST 456: Security & Risk Management with Enigma Glass Labs


Security & Risk Management Case Study

This portfolio-safe case study summarizes selected IST 456 Security and Risk Management work focused on SIEM-style investigation, ransomware response, compromised credentials, data exfiltration, security policy analysis, ISO/IEC 27000 concepts, contingency planning, compliance, and risk-based security recommendations.

Course IST 456
Project Type Security & Risk Management Lab Collection
Platform Enigma Glass Security Lab Environment
Focus SIEM Investigation · Risk Management · GRC · Incident Response
Themes Ransomware · Credential Compromise · Data Exfiltration · Policy · Compliance
Publishing Level Portfolio-Safe / No Raw Lab Data Published

Overview

IST 456 focused on security and risk management from both a technical and governance perspective.

The course included hands-on lab work in the Enigma Glass security environment, written analysis, executive-style summaries, and group work around security policies, standards, and contingency planning.

The strongest portfolio angle is that this course connects technical security investigation with security management and GRC thinking.

The work covered:

  • SIEM-style event review
  • ransomware outbreak analysis
  • compromised credential investigation
  • malicious document activity
  • failed and successful logon review
  • data exfiltration analysis
  • FTP-based file transfer risk
  • threat intelligence reporting
  • risk mitigation recommendations
  • security policy analysis
  • acceptable use and information assurance policy review
  • ISO/IEC 27000-series standards
  • contingency planning for physical and cyber incidents
  • compliance with personal information breach notification requirements
  • banking threats and vulnerabilities
  • insider threat concerns
  • MFA, least privilege, segmentation, training, monitoring, and backup recommendations

This page is intentionally written as a portfolio-safe summary. It does not publish raw lab screenshots, full answers, private lab data, user accounts, internal simulated environment details, or complete group submissions.


Why This Project Matters

Security and risk management sits between technical investigation and business decision-making.

A security analyst may identify suspicious activity, but a security manager or consultant must also ask:

  • What is the risk?
  • What assets are affected?
  • What controls failed?
  • What should be contained first?
  • Which policies apply?
  • Which stakeholders need to know?
  • Which compliance obligations may be triggered?
  • What should be improved to prevent recurrence?
  • How should the organization document and communicate the event?

IST 456 helped connect those questions to practical labs and written security management work.

This makes the course relevant to ServiceNow SecOps, Vulnerability Response, security operations, incident response, GRC, risk management, and cybersecurity consulting.


Portfolio-Safe Publishing Approach

Security note: This case study summarizes security management and lab work without publishing raw lab screenshots, simulated user records, complete reports, private student identifiers, environment-specific details, or full academic submissions.

This page excludes:

  • raw Enigma Glass screenshots
  • full lab answer sheets
  • simulated user account details
  • exact environment data
  • complete group submissions
  • private student identifiers
  • complete policy writeups
  • full academic answers
  • raw threat intelligence report templates
  • private course materials

Instead, it presents:

  • security investigation themes
  • risk management lessons
  • portfolio-safe evidence summaries
  • policy and standards concepts
  • GRC and compliance takeaways
  • professional recommendations
  • relevance to security operations and ServiceNow SecOps

Major Workstreams

Enigma Glass SIEM Labs

Used an Enigma Glass lab environment to investigate ransomware, compromised credentials, quarantine failures, failed logons, suspicious files, and data exfiltration events.

SIEM Investigation

Ransomware Outbreak Analysis

Reviewed threat detection events, quarantine failures, suspicious executable behavior, WannaCry-style ransomware indicators, SMB/MS17-010 risk (the SMBv1 vulnerability WannaCry exploited to spread between hosts), and hardening recommendations.

Ransomware

Compromised Credentials

Investigated abnormal account activity, suspicious logons, malicious document activity, failed authentication, successful suspicious login, credential theft risk, and remediation steps.

Credential Risk

Data Exfiltration

Analyzed suspected data exfiltration involving FTP file download behavior, external destination concerns, possible credential compromise, insider threat questions, and zero trust recommendations.

Exfiltration

Security Policy and Standards

Reviewed security policies, acceptable use, information assurance, privacy, HIPAA-related policy concepts, ISO/IEC 27000-series standards, and mid-size organization applicability.

GRC

Contingency Planning

Developed contingency planning concepts for incidents such as power failure, denial-of-service, fire, burst pipe, remote work, employee communication, and business continuity.

Contingency


Enigma Glass Lab Evidence

Lab / Scenario | Portfolio-Safe Summary | Focus
Ransomware Outbreak | Reviewed threat detection events, quarantine failures, suspicious file names, WannaCry-style ransomware behavior, SMB exposure, patching, segmentation, and user alert recommendations. | Ransomware
Compromised Credentials | Investigated abnormal user activity, malicious document events, failed logon activity, successful suspicious login, credential harvesting risk, account remediation, and MFA recommendations. | Identity Risk
Phishing / Malicious PDF | Reviewed phishing-style activity involving malicious document download, sandbox-style research, credential theft risk, lateral movement concerns, and employee awareness recommendations. | Phishing
Data Exfiltration | Analyzed suspected FTP-based data exfiltration, AV events, external transfer timing, insider threat or credential compromise questions, investigation next steps, and blocking/zero trust recommendations. | Exfiltration
Threat Intelligence Reporting | Converted findings into threat research notes and remediation recommendations intended for management or executive-style briefings. | Reporting

Security Management and GRC Evidence

Topic | Portfolio-Safe Summary | GRC Angle
Security Policies and Standards | Group work reviewed university-style information assurance, acceptable use, privacy, HIPAA-related policy concepts, and policy revision history. | Policy
ISO/IEC 27000 Series | Analyzed ISO/IEC 27001 and related standards as an information security management system framework for protecting confidentiality, integrity, and availability. | Standards
Policy and Compliance Executive Summary | Reviewed Pennsylvania Breach of Personal Information Notification Act considerations, PII exposure, university departments handling sensitive data, and control recommendations such as MFA and incident response planning. | Compliance
Banking Threats and Vulnerabilities | Analyzed mobile banking vulnerabilities, malware, phishing, denial-of-service, insider threat, weak authentication, unpatched systems, and risk mitigation strategy. | Risk Analysis
Contingency Planning | Developed planning concepts for incidents such as power failure, denial-of-service attacks, fire, burst water pipe, business continuity, remote work, employee communication, and recovery procedures. | Resilience

Technical Investigation Workflow

1. Review Security Events

Started with SIEM-style dashboards and event records to identify affected users, affected workstations, threat detections, failed quarantines, suspicious files, and abnormal activity.

Event Review

2. Identify Indicators and Patterns

Looked for suspicious filenames, malicious document activity, logon anomalies, failed authentication, successful suspicious access, external transfers, and unusual timing.

Indicator Review

3. Research the Threat

Used threat research to connect events to ransomware, phishing, malicious documents, credential theft, data exfiltration, and known attack behaviors.

Threat Research

4. Assess Business Risk

Translated technical findings into risks such as credential compromise, lateral movement, ransomware spread, data theft, operational disruption, and compliance exposure.

Risk Analysis

5. Recommend Remediation

Recommended containment, password resets, MFA, patching, backup validation, segmentation, employee training, monitoring, zero trust, and incident response plan improvement.

Remediation

6. Communicate Findings

Summarized findings in threat intelligence and management-facing language suitable for escalation, reporting, and decision support.

Reporting


Ransomware Response Themes

The ransomware lab focused on a WannaCry-style scenario.

The analysis involved:

  • reviewing threat detection events
  • identifying affected hostnames
  • reviewing quarantine failure events
  • connecting suspicious file activity to ransomware behavior
  • researching WannaCry-style malware behavior
  • understanding Windows operating system impact
  • identifying SMB/MS17-010 (the SMBv1 vulnerability WannaCry exploited for worm-like spread) as the key risk area
  • recommending patching
  • recommending disabling unnecessary SMB exposure (SMBv1, and TCP 445 reachability between hosts that do not need it)
  • recommending spam filtering
  • recommending network segmentation
  • recommending employee awareness alerts

The key security management lesson was that ransomware response requires both immediate containment and longer-term defensive hardening.


Compromised Credential Themes

The compromised credential lab focused on suspicious account activity.

The analysis involved:

  • reviewing workstation events
  • identifying quarantine failure counts
  • correlating suspicious document activity with abnormal account behavior
  • reviewing failed and successful logon events
  • considering geographic anomalies
  • interpreting malicious document infection as a possible credential compromise source
  • recommending workstation isolation
  • recommending credential resets
  • recommending MFA
  • recommending activity log review
  • recommending malware removal or system restoration
  • recommending backups and SIEM monitoring
  • recommending least privilege, segmentation, training, and penetration testing

The key lesson was that identity compromise can become a gateway to broader organizational compromise.


Data Exfiltration Themes

The data exfiltration lab focused on suspicious outbound data movement.

The analysis involved:

  • reviewing cloud-related indicators of compromise (IOCs)
  • reviewing antivirus events by user
  • reviewing network activity
  • identifying an FTP file download event
  • considering credential compromise or insider threat possibilities
  • recognizing external destination risk
  • recommending log review and audit activity
  • recommending unauthorized connection removal
  • recommending IP blocking where appropriate
  • recommending zero trust principles
  • recommending FTP restrictions
  • recommending employee training and access control review

The key security management lesson was that exfiltration investigation requires both technical evidence and business context.
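The six-step workflow above and the ransomware, compromised credential, and data exfiltration themes share one mechanic: correlate raw events into a finding, attach a severity and a first containment action, and phrase the result for management. The Python script below is an added example written for this page; it is not Enigma Glass code, lab output, or course material. The event records, field names, hostnames, usernames, addresses, thresholds, and the users' usual countries are constructed for illustration (the addresses come from documentation ranges); only the two WannaCry component filenames are real indicator names.

```python
"""Correlate constructed SIEM-style events into ransomware, credential and exfiltration findings."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records (not lab data); the field names are an assumed schema.
# mssecsvc.exe and tasksche.exe are well-known WannaCry component names.
EVENTS = [
    {"ts": "2024-03-04T09:01:00", "type": "threat", "host": "WS-101", "user": "jdoe",
     "file": "mssecsvc.exe", "action": "quarantine_failed"},
    {"ts": "2024-03-04T09:01:30", "type": "threat", "host": "WS-101", "user": "jdoe",
     "file": "tasksche.exe", "action": "quarantine_failed"},
    {"ts": "2024-03-04T09:05:00", "type": "threat", "host": "WS-115", "user": "mlee",
     "file": "invoice.pdf", "action": "quarantined"},
    {"ts": "2024-03-04T08:00:00", "type": "logon", "host": "WS-202", "user": "asmith",
     "src_ip": "10.1.4.22", "country": "US", "outcome": "success"},
    *[{"ts": f"2024-03-04T22:10:{10 * i:02d}", "type": "logon", "host": "WS-202",
       "user": "asmith", "src_ip": "203.0.113.45", "country": "RO", "outcome": "failed"}
      for i in range(5)],
    {"ts": "2024-03-04T22:11:00", "type": "logon", "host": "WS-202", "user": "asmith",
     "src_ip": "203.0.113.45", "country": "RO", "outcome": "success"},
    {"ts": "2024-03-05T02:30:00", "type": "network", "host": "WS-202", "user": "asmith",
     "proto": "ftp", "dst_ip": "198.51.100.7", "bytes": 450_000_000},
    {"ts": "2024-03-04T14:00:00", "type": "network", "host": "WS-115", "user": "mlee",
     "proto": "ftp", "dst_ip": "10.1.9.5", "bytes": 2_000_000},
]

# Constructed organizational context: users' usual countries, internal address space, thresholds.
HOME_COUNTRY = {"jdoe": "US", "asmith": "US", "mlee": "US"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)
EXFIL_BYTES = 100_000_000


def is_external(ip):
    """External means outside the organization's own ranges, not merely publicly routable."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ransomware_findings(events):
    """Hosts with repeated quarantine failures: the threat was seen but not contained."""
    fails = defaultdict(list)
    for e in events:
        if e["type"] == "threat" and e["action"] == "quarantine_failed":
            fails[e["host"]].append(e["file"])
    return [{"rule": "quarantine_failure", "host": h, "files": sorted(f), "severity": "high",
             "action": "isolate host, verify MS17-010 patch state, block SMB/445 between workstations"}
            for h, f in sorted(fails.items()) if len(f) >= 2]


def credential_findings(events):
    """A success preceded by a burst of failures from the same source, or from an unexpected country."""
    logons = sorted((e for e in events if e["type"] == "logon"), key=lambda e: e["ts"])
    findings = []
    for i, e in enumerate(logons):
        if e["outcome"] != "success":
            continue
        t = datetime.fromisoformat(e["ts"])
        prior = [p for p in logons[:i] if p["user"] == e["user"] and p["src_ip"] == e["src_ip"]
                 and p["outcome"] == "failed" and t - datetime.fromisoformat(p["ts"]) <= FAIL_WINDOW]
        geo = e["country"] != HOME_COUNTRY.get(e["user"], e["country"])
        if len(prior) >= FAIL_THRESHOLD or geo:
            findings.append({"rule": "suspicious_logon", "user": e["user"], "host": e["host"],
                             "src_ip": e["src_ip"], "failures_before": len(prior),
                             "geo_anomaly": geo, "severity": "high",
                             "action": "reset credentials, enforce MFA, review the session's activity"})
    return findings


def exfil_findings(events):
    """FTP transfers to external addresses, escalated for volume or off-hours timing."""
    findings = []
    for e in events:
        if e["type"] != "network" or e["proto"] != "ftp" or not is_external(e["dst_ip"]):
            continue
        off_hours = not 6 <= datetime.fromisoformat(e["ts"]).hour < 20
        findings.append({"rule": "external_ftp", "user": e["user"], "host": e["host"],
                         "dst_ip": e["dst_ip"], "bytes": e["bytes"], "off_hours": off_hours,
                         "severity": "high" if e["bytes"] >= EXFIL_BYTES or off_hours else "medium",
                         "action": "block the destination, restrict FTP egress, audit the account's access"})
    return findings


def triage(events):
    """Run every rule, then link an exfiltration to a credential finding for the same user."""
    creds, exfil = credential_findings(events), exfil_findings(events)
    compromised = {f["user"] for f in creds}
    return {"ransomware": ransomware_findings(events), "credentials": creds, "exfiltration": exfil,
            "linked_users": [f["user"] for f in exfil if f["user"] in compromised]}


def executive_summary(result):
    """Management-facing lines: affected asset, what was observed, first containment action."""
    lines = [f"{f['host']}: AV detected but could not quarantine {', '.join(f['files'])}; {f['action']}."
             for f in result["ransomware"]]
    lines += [f"{f['user']}: logon succeeded from {f['src_ip']} after {f['failures_before']} failures"
              f"{' and from an unusual country' if f['geo_anomaly'] else ''}; {f['action']}."
              for f in result["credentials"]]
    lines += [f"{f['user']}: {f['bytes'] // 1_000_000} MB sent over FTP to {f['dst_ip']}"
              f"{' outside business hours' if f['off_hours'] else ''}; {f['action']}."
              for f in result["exfiltration"]]
    lines += [f"{u}: the transfer follows a suspicious logon, so treat it as credential-driven data theft."
              for u in result["linked_users"]]
    return lines


if __name__ == "__main__":
    print("\n".join(executive_summary(triage(EVENTS))))
```

Two design points carry over to real investigations. First, "external" is defined against the organization's own address plan rather than by asking the library whether an address is globally routable, because documentation and test ranges, partner networks, and cloud egress addresses would otherwise be misclassified. Second, the link between the credential finding and the later FTP transfer for the same user is what turns two medium-confidence alerts into one high-confidence incident, which is the business-context step the exfiltration lesson above refers to.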


Security Policy and Standards Themes

The group policy and standards work connected security management to formal governance.

The work covered:

  • information assurance and IT security policy
  • acceptable use policy
  • privacy policy
  • HIPAA-related policy concepts
  • data classification
  • approved IT services
  • access requirements
  • security responsibility matrices
  • information security modernization
  • policy revision history
  • ISO/IEC 27001 and related ISO/IEC 27000-series guidance
  • information security management systems
  • confidentiality, integrity, and availability
  • risk assessment
  • control selection
  • compliance support
  • certification and stakeholder confidence

This supports a GRC-aware cybersecurity perspective because technical controls need policy support and management accountability.


Contingency Planning Themes

The contingency planning work focused on preparing for both cyber and physical incidents affecting a business.

The planning addressed:

  • power failure
  • denial-of-service attacks
  • fire
  • burst water pipe
  • before/during/after incident responsibilities
  • IT department responsibilities
  • user responsibilities
  • UPS and generator planning
  • hot-site or remote-work options
  • emergency contact information
  • documentation review
  • business continuity
  • customer data protection
  • operational recovery
  • lessons learned

This supports security and risk management because not all disruptions are purely cyber incidents. Physical failures, outages, facilities incidents, and cyberattacks can all affect availability and business continuity.


Control Recommendations

Across the course, recurring control recommendations included:

Control Area | How It Appeared in the Work | Risk Reduced
Multi-Factor Authentication | Recommended for credential compromise, account protection, and compliance-oriented improvement. | Identity Risk
Patch Management | Recommended for ransomware hardening, especially where known vulnerabilities could support worm-like spread. | Vulnerability Risk
Network Segmentation | Recommended to limit lateral movement and reduce ransomware spread across an organization. | Lateral Movement
SIEM and Monitoring | Used in Enigma Glass labs and recommended for better visibility into suspicious activity and investigations. | Detection
Least Privilege | Recommended to reduce privilege escalation and limit the impact of compromised credentials. | Access Control
Backups and Recovery | Recommended for ransomware recovery, system restoration, and continuity planning. | Recovery
Security Awareness Training | Recommended for phishing, malicious documents, ransomware prevention, and user behavior improvement. | Human Risk
Zero Trust Principles | Recommended in the data exfiltration context to reduce implicit trust and enforce stronger access controls. | Data Protection

Capability-to-Evidence Map

Capability | Evidence from IST 456 | Status
SIEM Investigation | Used Enigma Glass lab workflows to review ransomware, compromised credentials, failed logons, quarantine failures, suspicious files, and data exfiltration events. | Completed
Threat Research | Connected observed events to ransomware, phishing, malicious documents, credential theft, FTP data exfiltration, and known attack behavior. | Completed
Risk Management | Translated technical activity into business risk involving confidentiality, integrity, availability, compliance, identity risk, and operational disruption. | Completed
GRC and Policy Analysis | Reviewed security policies, acceptable use, privacy, HIPAA-related policy concepts, ISO/IEC 27000-series standards, and compliance considerations. | Completed
Contingency Planning | Developed incident response and continuity planning concepts for power failure, DoS, fire, burst pipe, remote work, user responsibilities, and recovery activities. | Completed
Executive Communication | Created written analysis and executive-style summaries connecting technical risk, compliance, controls, and organizational impact. | Completed

What I Learned

This course reinforced several security management lessons:

  • SIEM alerts need context before they become actionable incidents
  • quarantine failure can be as important as threat detection
  • ransomware response requires patching, segmentation, backups, and communication
  • compromised credentials can lead to broader lateral movement and privilege escalation risk
  • data exfiltration analysis requires business context and transfer-protocol review
  • phishing and malicious documents remain major identity and endpoint risks
  • MFA, least privilege, monitoring, backups, and training are recurring defensive controls
  • security policy gives technical controls organizational authority
  • ISO-style standards support structured information security management
  • contingency planning must address both cyber and physical disruptions
  • executive communication is part of security management, not an afterthought

Professional Relevance

This project supports roles involving:

  • cybersecurity analysis
  • security operations
  • ServiceNow SecOps consulting
  • vulnerability management
  • incident response
  • Governance, Risk & Privacy management
  • compliance support
  • SIEM investigation
  • executive reporting
  • contingency planning
  • security policy support

It is especially relevant to ServiceNow SecOps because security risk management requires structured triage, assignment ownership, remediation tracking, control recommendations, documentation, validation, and stakeholder communication.


Relationship to Other Portfolio Projects

IST 456 complements several other portfolio areas.

Related Project | How It Connects | Angle
CYBER 342W | CYBER 342W focuses more deeply on incident response planning, NIST lifecycle, CSIRT, DR/BC, and communication strategy. | IR Planning
CYBER 440 | CYBER 440 focuses on hands-on capstone investigation, forensic images, network evidence, memory analysis, logs, and remediation reporting. | IR / Forensics
IST 432 | IST 432 focuses on cyber law, privacy, governance, legal risk, and regulatory interpretation. | Cyber Law / GRC
ServiceNow SecOps Lab Hub | ServiceNow SecOps connects these risk and response ideas to workflow, ownership, remediation tracking, validation, and closure. | SecOps Workflow

Portfolio-Safe Redaction Notes

This case study intentionally excludes:

  • raw lab screenshots
  • complete lab answers
  • full group submissions
  • simulated user records
  • exact Enigma Glass environment details
  • private student identifiers
  • complete policy writeups
  • raw threat intelligence templates
  • private course materials

The goal is to show security management, SIEM investigation, policy, risk, and GRC-related reasoning without exposing raw academic work.


Related Portfolio Areas

Security Operations

The Enigma Glass labs support SOC-style investigation, event review, threat detection, quarantine failure review, identity risk, and exfiltration analysis.

SOC-Relevant

Risk Management

The course connects threats and vulnerabilities to business risk, compliance obligations, policy, controls, and recovery planning.

Risk Management

ServiceNow SecOps

The work maps naturally to SecOps concepts such as triage, prioritization, assignment, remediation, risk communication, and closure.

SecOps-Relevant

GRC and Compliance

Policy analysis, ISO/IEC 27000-series work, breach notification analysis, and contingency planning support a GRC-aware cybersecurity perspective.

GRC


Next Steps

This project can later be connected to:

  • a GRC capability section
  • a security risk management review path
  • a ServiceNow SecOps risk-to-remediation workflow
  • a ransomware triage checklist
  • a compromised credential triage checklist
  • a data exfiltration investigation checklist
  • a policy-to-control mapping page
  • a contingency planning / business continuity section

For now, this page serves as the main portfolio-safe summary of my IST 456 Security and Risk Management work.