Selected Cybersecurity Projects
Hands-on security projects demonstrating incident analysis, risk assessment, and defensive security practices.
Internal Security Audit & Risk Assessment (Botium Toys)
Scenario Summary
Conducted an internal security audit for a small U.S.-based e-commerce company to assess security controls, compliance gaps, and overall security risk posture as the business expanded its online and international operations. The audit focused on identifying risks to customer data, business continuity, and regulatory compliance.
My Role
Acted as a junior security analyst conducting an internal audit by reviewing asset inventory, evaluating administrative, technical, and physical controls, and assessing compliance with PCI DSS and GDPR requirements. Documented findings and provided security recommendations to reduce risk and improve the organization’s security posture.
Frameworks & Standards
NIST Cybersecurity Framework (CSF)
PCI DSS
GDPR
Used as guidance to evaluate security controls, assess risk, and identify compliance gaps.
Audit Process
Administrative / Managerial Controls
Least Privilege
During the audit, least privilege access controls were not implemented. All employees had broad access to internally stored data, including sensitive customer and cardholder information. This significantly increased the risk of data exposure and lateral movement in the event of a compromised account. Implementing role-based access controls would reduce the overall impact of account compromise and limit unauthorized access to sensitive assets.
Separation of Duties
In the Botium Toys audit, separation of duties was not implemented, which meant the same person could access sensitive data and make system changes. This creates a high risk of insider abuse or undetected fraud. Separating responsibilities introduces checks and balances and reduces the likelihood that a single compromised or malicious user could cause widespread damage.
Password Policies
Weak password policies were identified as a security gap: they create a false sense of protection while leaving accounts susceptible to brute-force and password-spraying attacks. This increases the likelihood of credential compromise, which could result in unauthorized access to internal systems and sensitive data.
Disaster Recovery Plans
The audit identified that Botium Toys did not have documented disaster recovery plans or backups for critical systems and data. The absence of recovery planning significantly increases the risk of permanent data loss and prolonged business disruption following a cyberattack, system failure, or operational incident. Without defined recovery procedures, the organization would be unable to restore normal operations in a timely manner, resulting in financial loss and damage to customer trust.
Technical Controls
Firewall
Botium Toys has a firewall in place that filters inbound and outbound network traffic based on defined security rules, helping to block unauthorized or malicious connections at the network perimeter. While this provides an important layer of preventative security, a firewall alone does not detect malicious activity occurring within the network or identify compromised accounts. Without additional monitoring and detection controls, threats that bypass perimeter defenses may go unnoticed.
Intrusion Detection System (IDS)
The audit identified that Botium Toys does not have an intrusion detection system in place. While the organization relies on a firewall and antivirus software, the absence of an IDS limits visibility into malicious activity occurring within the network. Without detection capabilities, compromised accounts or suspicious behavior may go unnoticed until significant damage has occurred, increasing the risk of prolonged attacker presence and delayed incident response.
Encryption
The audit identified that customer credit card data was accepted, processed, and stored without encryption. The lack of encryption poses a significant risk to the confidentiality of sensitive data, as unauthorized users could access cardholder information in plaintext if systems are compromised. This represents a critical compliance gap with PCI DSS requirements and increases the likelihood of financial loss, regulatory penalties, and reputational damage in the event of a data breach.
Backups
The audit identified that Botium Toys does not maintain backups of critical systems or data. The absence of backups creates a significant availability risk, as data loss resulting from hardware failure, system outages, human error, or security incidents would be permanent. Without the ability to restore critical data, the organization would be unable to return systems to normal operation, resulting in prolonged business disruption and potential financial loss.
Antivirus Software
Botium Toys uses antivirus software that is regularly monitored by the IT department, which helps detect and remediate known malware threats. However, antivirus alone is insufficient to protect against modern attack techniques such as credential compromise, brute-force attacks, or abuse of legitimate user access. Without additional detection and access controls, attackers could bypass antivirus protections and carry out malicious activity without triggering alerts.
Manual Monitoring / Legacy Systems
The audit identified that legacy systems are monitored and maintained manually without a defined schedule. This approach increases risk, as legacy systems are often more vulnerable due to limited vendor support and lack of regular security updates. Without continuous monitoring, malicious activity targeting these systems may go undetected for extended periods, increasing the likelihood of system compromise before intervention can occur.
Physical / Operational Controls
Locks
The audit identified that Botium Toys’ physical locations, including the main offices, storefront, and warehouse, are secured with sufficient locks. These controls help prevent unauthorized physical access to facilities, reducing the risk of theft, tampering, or damage to physical assets such as inventory and on-site systems.
CCTV
The audit identified that all Botium Toys locations are equipped with up-to-date CCTV surveillance systems. CCTV serves as both a deterrent and detective control by discouraging unauthorized access and providing recorded evidence in the event of theft, tampering, or other security incidents. These systems support post-incident investigations and help strengthen overall physical security monitoring.
Fire Detection / Prevention
The audit identified that Botium Toys has functioning fire detection and prevention systems in place across its facilities. These controls help protect personnel and physical assets by detecting fires early and reducing the likelihood of catastrophic damage. Fire detection systems enable timely evacuation, while prevention measures help limit the spread and impact of a fire, supporting overall business continuity and safety.
Key Findings
Excessive Access to Sensitive Data
The audit identified that least privilege and separation of duties were not implemented, resulting in broad employee access to sensitive internal and customer data. This significantly increases the risk of data exposure and lateral movement in the event of a compromised account.
Lack of Encryption for Cardholder Data
Customer credit card information is accepted, processed, and stored without encryption, creating a critical confidentiality risk and a major compliance gap with PCI DSS requirements.
No Backups or Disaster Recovery Planning
Botium Toys does not maintain backups or documented disaster recovery plans, placing critical systems and data at risk of permanent loss following cyber incidents, hardware failures, or operational disruptions.
Limited Threat Detection Capabilities
While a firewall and antivirus software are in place, the absence of an intrusion detection system limits visibility into malicious activity occurring within the network, increasing the likelihood of delayed detection and response.
Weak Password Controls
Existing password policies do not meet modern complexity standards and are not centrally enforced, increasing the risk of credential compromise through brute-force or password-spraying attacks.
Security Impact
Risk of Data Breach and Regulatory Penalties
The lack of encryption, weak access controls, and excessive access to sensitive data significantly increase the likelihood of a customer data breach. Exposure of credit card information and PII could result in financial fraud, regulatory penalties under PCI DSS and GDPR, and legal liability.
Increased Likelihood of Undetected Attacks
Limited detection capabilities, including the absence of an intrusion detection system and reliance on antivirus alone, reduce visibility into malicious activity. This increases the risk that compromised accounts or internal threats could remain undetected for extended periods, delaying incident response and increasing overall damage.
Business Disruption and Data Loss
The absence of backups and disaster recovery planning creates a high availability risk. System failures, cyber incidents, or operational disruptions could result in permanent data loss and prolonged downtime, preventing the organization from restoring normal business operations.
Loss of Customer Trust and Reputational Damage
Security incidents impacting customer data or service availability could erode customer trust and damage Botium Toys’ reputation. For an e-commerce business, reputational harm may lead to reduced customer retention and long-term revenue loss.
Recommendations
Implement Least Privilege and Separation of Duties
Restrict access to sensitive systems and customer data based on job roles to reduce the risk of insider threats and limit the impact of compromised accounts.
Encrypt Customer Credit Card and Sensitive Data
Implement encryption for cardholder data at rest and in transit to protect confidentiality and address critical PCI DSS compliance gaps.
Establish Regular Backups and Disaster Recovery Plans
Create and maintain backups of critical systems and data, along with documented recovery procedures, to ensure business continuity and minimize downtime following incidents or system failures.
Improve Detection and Monitoring Capabilities
Deploy an intrusion detection system (IDS) to increase visibility into malicious activity and support faster detection and response to potential security incidents.
Strengthen Password Policies and Account Management
Enforce modern password complexity requirements and implement centralized password management to reduce the risk of credential compromise.


Denial-of-Service (DoS) Incident Analysis
Scenario Summary
A multimedia company providing web design, graphic design, and social media marketing services experienced a Denial-of-Service (DoS) attack that disrupted internal network operations for approximately two hours. During the incident, the organization’s network services became unresponsive due to a flood of incoming ICMP packets.
The investigation revealed that the attack was made possible by an unconfigured firewall, which allowed unrestricted ICMP traffic to enter the network. The excessive traffic overwhelmed network resources, preventing legitimate internal and external users from accessing critical services.
The incident response team mitigated the attack by blocking incoming ICMP traffic, taking non-critical services offline, restoring essential services, and implementing additional firewall rules and monitoring controls. Following containment, the organization evaluated improvements to its network security posture using the NIST Cybersecurity Framework (CSF) to reduce the risk of similar incidents in the future.
My Role
Acted as a junior security analyst responding to a network-based Denial-of-Service (DoS) incident. Reviewed incident details, identified the root cause of service disruption, assessed business impact related to system availability, and documented findings. Evaluated existing security controls, recommended firewall configuration improvements, and aligned response actions with industry security frameworks to reduce the risk of future attacks.
Frameworks & Standards
NIST Cybersecurity Framework (CSF)
Identify: Recognized the DoS attack and affected assets
Protect: Recommended firewall rules and traffic filtering
Detect: Emphasized monitoring for abnormal ICMP traffic
Respond: Documented containment and mitigation steps
Recover: Addressed service restoration and future resilience
Key Takeaways
Misconfigured or unconfigured firewalls significantly increase exposure to network-based attacks.
DoS attacks primarily impact the Availability component of the CIA triad.
Proper traffic filtering, monitoring, and defensive configuration are essential to maintaining service uptime.
Even basic network controls can prevent high-impact outages when correctly implemented.
Detection & Response
Detection
The denial-of-service (DoS) attack was identified through abnormal spikes in network traffic and system performance degradation. Monitoring systems indicated a significant increase in inbound ICMP packets originating from external sources. Network resources became saturated, leading to service outages across internal systems.
Key detection indicators included:
Unusual surge in ICMP traffic
Increased CPU and memory utilization on network devices
Internal services becoming unreachable
Network latency and timeouts affecting both internal and external users
The absence of restrictive firewall rules allowed excessive ICMP traffic to enter the network without filtering or rate limiting.
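To make the first detection indicator concrete, here is an added Python example (not part of the original incident analysis) that counts inbound ICMP packets per fixed time window over constructed firewall log lines and flags any window above a threshold, along with the source contributing the largest share. The log format, addresses, window size and threshold are all assumptions for the illustration.

```python
"""ICMP surge detection over firewall log lines (added example, not from the incident).
Assumed log format, one packet per line: "<ISO-8601 timestamp> proto=<PROTO> src=<IP> dst=<IP>".
The window size and alert threshold are illustrative assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
LINE_RE = re.compile(r"^(\S+) proto=(\w+) src=(\S+) dst=(\S+)$")


def parse_line(line):
    """Return (timestamp, proto, src, dst), or None for a line that does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.fromisoformat(match.group(1))
    return ts, match.group(2).upper(), match.group(3), match.group(4)


def icmp_surge_windows(lines, window_seconds=10, threshold=50):
    """Count ICMP packets per fixed window; return alerts for windows above threshold.

    Each alert carries the window start, the packet count and the source with the
    largest share, which is what an analyst needs to decide on blocking or rate limiting.
    """
    per_window = defaultdict(Counter)  # window start (seconds since EPOCH) -> Counter(src)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than counted as traffic
        ts, proto, src, _dst = parsed
        if proto != "ICMP":
            continue
        seconds = int((ts - EPOCH).total_seconds())
        per_window[seconds - seconds % window_seconds][src] += 1

    alerts = []
    for start in sorted(per_window):
        total = sum(per_window[start].values())
        if total > threshold:
            top_src, top_count = per_window[start].most_common(1)[0]
            alerts.append({
                "window_start": EPOCH + timedelta(seconds=start),
                "icmp_packets": total,
                "top_source": top_src,
                "top_source_share": top_count / total,
            })
    return alerts


def constructed_log():
    """Constructed sample: sparse normal traffic, then a flood from one address."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(6):  # one ping and one web request every ten seconds
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} proto=ICMP src=203.0.113.{i + 1} dst=10.0.0.5")
        lines.append(f"{t} proto=TCP src=198.51.100.{i + 1} dst=10.0.0.80")
    flood_start = base + timedelta(minutes=2)
    for i in range(120):  # 120 ICMP packets within six seconds from a single source
        t = (flood_start + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{t} proto=ICMP src=192.0.2.10 dst=10.0.0.5")
    lines.append("not a packet line")  # deliberately malformed
    return lines
```

Running `icmp_surge_windows(constructed_log())` yields a single alert for the ten-second window starting at 09:02:00 with 120 ICMP packets, all from 192.0.2.10; the six baseline pings never cross the threshold.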
Response
Upon confirmation of the attack, the incident response team initiated containment procedures:
Blocked or rate-limited incoming ICMP traffic at the firewall
Implemented proper firewall configuration rules
Temporarily isolated affected network segments
Prioritized restoration of critical internal services
Monitored network traffic to ensure attack traffic subsided
After containment, the organization implemented stronger firewall policies, enhanced traffic monitoring, and reviewed network configuration management procedures to reduce the likelihood of recurrence.
Recovery & Preventative Controls
Recovery
Following containment of the ICMP flood, the organization focused on restoring full service availability and stabilizing network operations.
Recovery actions included:
Verifying that firewall rules were properly configured and enforced
Gradually restoring non-critical services after confirming network stability
Monitoring system performance to ensure no residual impact remained
Confirming internal and external service accessibility
Once traffic levels returned to normal and system resources stabilized, full operational capability was restored.
Preventive Controls & Security Improvements
To reduce the likelihood of future denial-of-service incidents, the organization implemented the following improvements:
Properly configured firewall rules to restrict unnecessary ICMP traffic
Implemented rate limiting for inbound ICMP packets
Enhanced network monitoring and alerting for traffic anomalies
Established configuration management procedures for firewall validation
Conducted periodic reviews of network exposure and perimeter security
Additionally, the organization aligned improvements with the NIST Cybersecurity Framework (CSF) functions:
Identify: Reviewed firewall configuration management practices
Protect: Implemented stronger perimeter filtering controls
Detect: Enhanced traffic monitoring and anomaly detection
Respond: Documented incident handling procedures
Recover: Improved service restoration processes
These actions strengthened the organization’s overall security posture and improved resilience against network-based availability attacks.
Key Takeaways & Skills Demonstrated
This incident analysis demonstrates my ability to think through security events using a structured, risk-based approach aligned with industry frameworks.
Technical Skills Demonstrated
Identified root cause of a network-based DoS attack (unconfigured firewall)
Analyzed ICMP flood behavior and its impact on system resources
Assessed availability impact using the CIA Triad
Evaluated firewall misconfiguration as a perimeter security weakness
Proposed technical remediation including rate limiting and rule hardening
Analytical & SOC-Relevant Skills
Connected technical failure to business impact
Documented incident timeline and response actions
Applied structured response thinking using NIST CSF
Distinguished between containment, recovery, and prevention phases
Assessed risk in terms of likelihood and operational impact
Security Framework Alignment
Applied concepts from:
NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)
Network security best practices
Defense-in-depth principles


Vulnerability Assessment of Publicly Exposed Database
Scenario Summary
Conducted a qualitative vulnerability assessment for an e-commerce company that had a production database server publicly accessible over the internet for approximately three years. The database stored business-critical customer and prospect information and was regularly accessed by remote employees worldwide. The exposure created a significant attack surface and increased the risk of unauthorized access, data exfiltration, service disruption, and reputational damage. The objective of this assessment was to evaluate potential threat sources, determine business impact, and provide actionable remediation recommendations aligned with NIST SP 800-30.
My Role
Acted as a junior cybersecurity analyst performing a risk-based vulnerability assessment on a publicly exposed remote database server. Evaluated threat sources, analyzed potential threat events, estimated likelihood and severity scores using qualitative risk methodology, and developed remediation recommendations to reduce overall business risk.
Frameworks & Standards
NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments)
CIA Triad (Confidentiality, Integrity, Availability)
Principle of Least Privilege
Defense in Depth
Purpose of the Assessment
The purpose of this vulnerability assessment was to evaluate the security risks associated with a publicly exposed database server containing business-critical data. Because the database supports remote employee operations and customer prospecting, its availability and confidentiality are essential to business continuity. If compromised, the organization could face data breaches, service disruption, financial loss, and reputational damage. This assessment aims to identify high-level risks and provide leadership with actionable recommendations to reduce exposure and strengthen overall security posture.
Risk Assessment (Qualitative)
Threat 1: External Malicious Actor (Cybercriminal)
Threat Event: Unauthorized access and data exfiltration
Likelihood: 3 (High)
Severity: 3 (High)
Risk Score: 9 (High)
Reasoning:
A publicly exposed database significantly increases the probability of automated scanning, brute-force attempts, or exploitation. If sensitive customer data is exfiltrated, the organization could face regulatory penalties, financial fraud, and reputational damage.
Threat 2: Competitor or Opportunistic Attacker
Threat Event: Denial-of-Service attack against database
Likelihood: 2 (Moderate)
Severity: 3 (High)
Risk Score: 6 (Moderate–High)
Reasoning:
Because the server is publicly accessible, it may be targeted to disrupt business operations. If unavailable, remote employees cannot access customer data, directly impacting revenue-generating activities.
Threat 3: Insider or Credential Compromise
Threat Event: Unauthorized modification or deletion of records
Likelihood: 2 (Moderate)
Severity: 3 (High)
Risk Score: 6 (Moderate–High)
Reasoning:
If authentication controls are weak or credentials are compromised, internal or external actors could alter or destroy records, affecting data integrity and operational reliability.
Approach
This assessment was conducted using a qualitative risk methodology aligned with NIST SP 800-30. Threat sources were selected based on realistic adversaries targeting publicly accessible systems. Likelihood was estimated based on exposure level and attack feasibility, while severity was evaluated according to potential business disruption, financial impact, and reputational damage. The focus was on identifying high-impact risks that warrant immediate remediation and resource prioritization.
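As an added illustration of the qualitative scoring applied above (not from the original assessment), the following Python builds a small risk register: it validates the 1-3 ratings, computes Likelihood × Severity, maps scores to bands and orders the threats for remediation priority. The band boundaries (Low 1-2, Moderate 3-4, Moderate-High 5-6, High 7-9) are an assumption chosen to match the labels used on this page.

```python
"""Qualitative risk register in the Likelihood x Severity style used above (added example).
Scale and band boundaries are assumptions chosen to match the labels on this page:
1-3 ratings, score = product (1-9), bands Low 1-2, Moderate 3-4, Moderate-High 5-6, High 7-9."""
from dataclasses import dataclass

RATING_LABELS = {1: "Low", 2: "Moderate", 3: "High"}


@dataclass(frozen=True)
class Threat:
    source: str
    event: str
    likelihood: int
    severity: int

    def __post_init__(self):
        # Reject ratings outside the 1-3 scale so a typo cannot silently skew priorities.
        for name in ("likelihood", "severity"):
            if getattr(self, name) not in RATING_LABELS:
                raise ValueError(f"{name} must be 1, 2 or 3, got {getattr(self, name)!r}")

    @property
    def risk_score(self):
        return self.likelihood * self.severity


def risk_band(score):
    """Map a 1-9 score to a qualitative band (boundaries are an assumption)."""
    if score >= 7:
        return "High"
    if score >= 5:
        return "Moderate-High"
    if score >= 3:
        return "Moderate"
    return "Low"


def prioritized_register(threats):
    """Rows sorted highest risk first; ties broken by severity, then likelihood."""
    ordered = sorted(threats, key=lambda t: (t.risk_score, t.severity, t.likelihood), reverse=True)
    return [
        {
            "source": t.source,
            "event": t.event,
            "likelihood": f"{t.likelihood} ({RATING_LABELS[t.likelihood]})",
            "severity": f"{t.severity} ({RATING_LABELS[t.severity]})",
            "score": t.risk_score,
            "band": risk_band(t.risk_score),
        }
        for t in ordered
    ]


# The three threats and ratings from the assessment above.
DATABASE_THREATS = [
    Threat("External malicious actor (cybercriminal)",
           "Unauthorized access and data exfiltration", likelihood=3, severity=3),
    Threat("Competitor or opportunistic attacker",
           "Denial-of-Service attack against database", likelihood=2, severity=3),
    Threat("Insider or credential compromise",
           "Unauthorized modification or deletion of records", likelihood=2, severity=3),
]
```

`prioritized_register(DATABASE_THREATS)` returns the exfiltration threat first (score 9, High) followed by the two score-6 threats (Moderate-High), matching the ordering leadership would use to sequence the remediation work.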
Remediation & Mitigation Strategy
To reduce overall risk, the following controls are recommended:
Remove public internet exposure and restrict access via VPN or secure access gateway
Implement role-based access control (RBAC) and enforce least privilege
Deploy multi-factor authentication (MFA) for all database access
Implement firewall rules and IP allowlisting
Enable logging and centralized monitoring for database activity
Encrypt sensitive data at rest and in transit
Conduct regular vulnerability scans and configuration audits
These controls support defense in depth and significantly reduce the likelihood of unauthorized access, service disruption, and data compromise.
Key Findings
The publicly exposed database presents a high confidentiality and availability risk.
Lack of network segmentation increases attack surface.
Absence of strict access controls increases risk of credential misuse.
Current exposure creates unnecessary business and regulatory liability.
Security Impact
If left unremediated, the vulnerable database could lead to:
Data breach involving customer information
Extended business downtime
Financial losses due to fraud or operational disruption
Reputational damage and customer trust erosion
Potential legal or regulatory consequences
Skills Demonstrated
Qualitative risk analysis (Likelihood × Severity)
NIST SP 800-30 application
Threat modeling
Business impact analysis
Remediation planning
Executive-level security communication