Client: Twitcher — social streaming platform
Scenario: Startup scaled from 1K to 10M DAU with no security program
Team: Allsafe Cybersecurity — Rudy Cortes, Ryan Reindl, Ryan Oyler, Jules Keller, Marco Zuniga, Adam Channita
Audience: Incoming CISO
Deliverable: 15-domain enterprise risk assessment — 15-minute CISO briefing
Date: Fall 2023
Course: CIS196 Ethical Hacking (CySA+ aligned) — Cypress College
Twitcher scaled from 10 to 75,000 employees in five years. Security was never prioritized during that growth. Post-IPO, the Board hired their first CISO. Our team — operating as Allsafe Cybersecurity — was engaged to assess Twitcher's current security posture across 15 domains and deliver findings and remediation recommendations to the incoming CISO in a 15-minute briefing.
What we know going in:
| Finding | Risk signal |
|---|---|
| Single perimeter firewall at the edge | No defense in depth — flat network |
| End-of-life email security (Microsoft Forefront) | Unpatched, unsupported — active attack surface |
| Employees managing too many credentials | Password fatigue → reuse, weak passwords |
| Passwords written under keyboards | Physical credential exposure |
| Employees don't know how to respond to suspicious activity | Zero security awareness |
| No guidance on handling confidential data | Data loss and compliance risk |
| Email and collaboration tools accessible without VPN | Exposed attack surface |
| IT team unaware of EternalBlue and Log4j | No vulnerability management program |
| No data backups | Zero recovery capability |
| DevOps pushing features without security review | No secure SDLC |
| Sales team using unauthorized SaaS tools | Uncontrolled shadow IT |
| Employees leaving laptops in vehicles | Physical security failure |
Current situation: Email, instant messaging, and collaboration tools are publicly accessible without VPN. Twitcher has only one perimeter firewall at the edge.
Risks: Unsecured access to collaboration tools increases exposure to data breaches. A single perimeter firewall creates a single point of failure — no internal segmentation means an attacker who breaches the perimeter has unrestricted lateral movement.
Mitigation: Implement VPN access for collaboration tools and enforce MFA. Deploy a multi-layered security approach by adding additional firewalls to segment the network. Implement IDS/IPS solutions — Suricata, McAfee, or Snort — for internal traffic monitoring.
Current situation: Employees leave corporate laptops in vehicles in an area with known vehicle thefts. There are no data backups.
Risks: Increased risk of physical theft and loss of sensitive corporate data. With no backups, any data loss event — deletion, theft, ransomware — has no recovery path. A ransomware attack in this state is an existential event.
Mitigation: Provide awareness training on physical security risks associated with leaving laptops in vehicles. Implement remote data wipe capabilities via MDM. Implement regular automated backup procedures and store backups in an isolated, secure environment separate from production.
Current situation: Employees don't know what to do when they encounter suspicious activity. The IT team has never heard of EternalBlue, Log4j, or other high-profile vulnerabilities.
Risks: Employees may fall victim to phishing or social engineering because they lack the knowledge to identify and report it. IT's lack of awareness about critical vulnerabilities like EternalBlue and Log4Shell leaves the organization exposed to known, actively exploited vulnerabilities.
Mitigation: Conduct regular cybersecurity awareness training and develop a clear incident response procedure. Implement automated vulnerability scanning tools — OpenVAS, OWASP ZAP, Nessus — to regularly assess systems and applications. Ensure the IT team is trained to interpret and act on scan results.
Current situation: Employees complain about too many usernames and passwords. Employees are writing passwords down.
Risks: Password fatigue leads to weak passwords, reuse, account lockouts, and ultimately unauthorized access. Written credentials are a physical security vulnerability accessible to anyone near the workstation.
Mitigation:
- Do less: Deploy an enterprise password manager — 1Password or Keeper — so employees only manage one master credential
- Do more: Implement SSO (Okta, OneLogin) to eliminate the need for multiple credentials entirely
- Pair either solution with MFA to add a second layer of defense beyond the password
Current situation: Email, instant messaging, and collaboration tools are publicly accessible without VPN — indicating no centralized identity enforcement.
Risks: Identity misconfigurations, over-privileged accounts, privilege abuse, and improper identity lifecycle management. When employees leave, access may persist across systems without a formal deprovisioning process.
Mitigation:
- SSO (Okta, OneLogin) — centralized identity management and policy enforcement
- PAM (CyberArk, BeyondTrust) — control, manage, and monitor privileged access to critical systems with full audit trail
- Zero Trust (Cloudflare Zero Trust) — verify identity via MFA, enforce least privilege, and maintain consistent monitoring across all access attempts
Current situation: The email security solution Forefront is end-of-life.
Risks: Forefront can only detect threats that were known while it was still supported. Any vulnerability found after EOL will not be patched. The solution cannot support newer, more secure protocols — making it unable to defend against modern phishing, BEC, and malware delivery techniques.
Mitigation: Replace Forefront immediately with a current email security platform (Proofpoint, Microsoft Defender for Office 365, or Mimecast). Track the lifecycle of the replacement solution to ensure it continues to receive updates. Implement SPF, DKIM, and DMARC to prevent domain spoofing.
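The SPF and DMARC part of that mitigation is checkable from DNS TXT records alone. The following is an added example, not part of the Allsafe deliverable: it parses records that have already been fetched (the strings at the bottom are constructed stand-ins for real lookups, and `_spf.example.com` / `dmarc@example.com` are placeholders) and flags the settings that leave a domain spoofable. DKIM is left out because checking it requires knowing the sending selectors.

```python
"""SPF/DMARC policy check: added example, not from the Allsafe deliverable.
Parses TXT records already fetched (the constructed strings below stand in for
DNS lookups) and flags settings that leave the domain spoofable."""
from typing import Dict, List

def parse_spf(txt: str) -> Dict[str, object]:
    """Split an SPF record into its 'all' qualifier and the remaining mechanisms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_q, mechs = None, []
    for t in terms[1:]:
        q, body = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        if body.lower() == "all":
            all_q = q          # the qualifier decides what happens to unlisted senders
        else:
            mechs.append(t)
    return {"all": all_q, "mechanisms": mechs}

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_txt: str, dmarc_txt: str) -> List[str]:
    """Return human-readable weaknesses; an empty list means the pair is enforcing."""
    issues = []
    if not spf_txt:
        issues.append("no SPF record: any host may claim to send for the domain")
    else:
        spf = parse_spf(spf_txt)
        if spf["all"] in (None, "+", "?"):
            issues.append("SPF does not end in -all or ~all: unlisted senders are not rejected")
    if not dmarc_txt:
        issues.append("no DMARC record: receivers get no policy for SPF/DKIM failures")
    else:
        d = parse_dmarc(dmarc_txt)
        if d.get("p", "none") == "none":
            issues.append("DMARC p=none: spoofed mail is reported but still delivered")
        if "rua" not in d:
            issues.append("DMARC has no rua= address: no aggregate reports to review")
    return issues

# Constructed records: the weak pair beside the hardened pair.
WEAK = ("v=spf1 +all", "v=DMARC1; p=none")
HARDENED = ("v=spf1 include:_spf.example.com -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s")
```

Run `assess(*WEAK)` and `assess(*HARDENED)` to see the three weaknesses of the first pair and the clean result for the second; the same functions work on records pulled with any DNS client.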
Current situation: There are no data backups.
Risks: There is currently no way to recover data lost from deletion, theft, or ransomware. Recovering from any disaster is effectively impossible. A ransomware attack would leave the company with no option other than paying the ransom — with no guarantee of recovery.
Mitigation: Create and maintain backups of all data immediately. Maintain multiple backup types — physical and cloud — to increase the probability of backups surviving any single failure. Keep physical backups both on-site and at a separate off-site location. Define and test recovery procedures regularly.
Current situation: Employees don't know what to do when they encounter something suspicious on their computers.
Why it matters: Awareness training helps employees understand the role they play in preventing security breaches. Without it, employees cannot identify phishing attempts, social engineering, or malicious software — making them the most exploitable attack vector in the organization.
Mitigation: Provide security awareness training to all employees covering basic cyber hygiene. Ensure every employee understands the incident response plan and their specific role in it. Run phishing simulations to measure and track improvement over time.
Current situation: Employees don't know what to do with confidential and sensitive company information.
Risks: Twitcher handles consumer information including payment data. Poor data handling habits can lead to a breach affecting all consumers — resulting in regulatory penalties under GDPR, PCI DSS, and CCPA, permanent reputational damage, and potential class-action liability.
Mitigation: Create and enforce security, vulnerability management, and incident response policies. Provide clear guidance on how vulnerabilities should be identified, assessed, and remediated. Ensure all data handling practices comply with applicable regulations — GDPR, PCI DSS, and CCPA are all relevant given Twitcher's user base and data types.
Current situation: The IT team has never heard of EternalBlue or Log4j. Forefront is outdated.
Risks: Running end-of-life software exposes Twitcher to all vulnerabilities discovered after the EOL date. EternalBlue (MS17-010) powered WannaCry and NotPetya — two of the most damaging ransomware campaigns in history. Log4Shell affected millions of Java applications. Ignorance of these vulnerabilities does not mean immunity.
Mitigation: Build a dedicated patching and configuration management function to ensure software, firmware, and hardware are kept current. Deploy Nessus for vulnerability scanning — it is designed to make assessment simple, intuitive, and actionable. Establish a patch cadence with defined SLAs by severity: critical within 24–72 hours, high within 7 days.
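A patch cadence only works if someone tracks findings against it. The following is an added example, not part of the Allsafe deliverable: a small tracker that applies the SLA windows stated above (critical within 72 hours, the outer bound of the 24–72 hour window; high within 7 days) to scanner findings and buckets them as met, open, or breached. The medium and low windows, the host names, and the `EXAMPLE-HIGH-*` findings are constructed assumptions.

```python
"""Patch-cadence SLA tracker: added example, not from the Allsafe deliverable.
Windows follow the briefing's cadence (critical 24-72 h, outer bound used; high
7 days). Medium/low windows and the sample findings are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SLA_HOURS = {"critical": 72, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}

@dataclass
class Finding:
    host: str
    name: str                      # vulnerability as the scanner names it
    severity: str                  # key into SLA_HOURS
    discovered: datetime           # first seen by the scanner
    patched: Optional[datetime] = None

def sla_deadline(f: Finding) -> datetime:
    return f.discovered + timedelta(hours=SLA_HOURS[f.severity])

def sla_status(f: Finding, now: datetime) -> str:
    """'met' if patched within the window, 'open' if unpatched but in time, else 'breached'."""
    deadline = sla_deadline(f)
    if f.patched is not None:
        return "met" if f.patched <= deadline else "breached"
    return "open" if now <= deadline else "breached"

def triage(findings: List[Finding], now: datetime) -> Dict[str, List[Finding]]:
    """Bucket by SLA status; both breached and open lists are ordered earliest deadline first."""
    buckets: Dict[str, List[Finding]] = {"breached": [], "open": [], "met": []}
    for f in findings:
        buckets[sla_status(f, now)].append(f)
    buckets["breached"].sort(key=sla_deadline)
    buckets["open"].sort(key=sla_deadline)
    return buckets

# Constructed sample scan output, dated so the run is deterministic.
NOW = datetime(2023, 10, 5)
SAMPLE = [
    Finding("fs01", "MS17-010 (EternalBlue)", "critical", datetime(2023, 10, 1)),
    Finding("app02", "Log4Shell", "critical", datetime(2023, 10, 4, 12)),
    Finding("web03", "EXAMPLE-HIGH-1", "high", datetime(2023, 9, 20), datetime(2023, 9, 26)),
    Finding("web04", "EXAMPLE-HIGH-2", "high", datetime(2023, 9, 20), datetime(2023, 9, 30)),
]

if __name__ == "__main__":
    for status, items in triage(SAMPLE, NOW).items():
        for f in items:
            print(f"{status:8} {f.host:6} {f.name:24} due {sla_deadline(f):%Y-%m-%d %H:%M}")
```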
Current situation: The DevOps team is in a hurry to push new features.
Risks: Rushed development introduces vulnerabilities before they can be identified. Rapid, untested changes risk system stability and performance. Quick releases without security review may violate compliance requirements, exposing Twitcher to regulatory and legal risk.
Mitigation: Integrate security into the DevOps lifecycle (DevSecOps) to prevent insecure features from reaching production. Implement automated security testing (SAST/DAST) to identify issues early in development. Adopt a phased release approach rather than all-at-once deployments — this allows issues to be caught and resolved in smaller, controlled environments before full rollout.
Current situation: The sales team subscribed to SaaS tools without IT approval because IT was too slow to meet their needs.
Risks: Unauthorized tools create security, compliance, and integration gaps. Corporate data stored in unapproved applications bypasses DLP controls, audit logging, and offboarding processes. Non-compliance with industry regulations becomes likely when data flows through unvetted systems. Data governance and integrity become impossible to maintain.
Mitigation: Conduct regular awareness sessions on Shadow IT risks. Establish a collaborative, fast-turnaround process for tool evaluation and approval — address the underlying IT responsiveness problem that drove the behavior in the first place. Clearly communicate and enforce an acceptable use policy covering software procurement.
Current situation: Limited or absent risk assessment methodology. Inadequate understanding of potential threats and vulnerabilities.
Risks: Without a formal risk assessment process, threats go unidentified until they become incidents. Vulnerabilities are not prioritized systematically — critical gaps may be overlooked while resources are spent on lower-risk items. Without a structured process, the CISO cannot demonstrate due diligence to the Board or regulators.
Mitigation: Develop a structured framework for identifying, assessing, and prioritizing risks — adopt NIST CSF as the baseline. Conduct periodic risk assessments to maintain alignment with evolving business and technology. Engage stakeholders across all departments to ensure comprehensive coverage. Report risk posture to the Board quarterly in business terms.
Current situation: Employees leave corporate laptops in vehicles in an area with known vehicle thefts.
Risks: Eavesdropping attacks — unauthorized personnel gain physical proximity to employees and their devices. Stolen devices — a laptop that is neither encrypted nor remotely wipeable gives whoever takes it unaccounted-for access to corporate systems.
Mitigation: Implement physical security controls — perimeter barriers (fences, gates, locks), access checkpoints, access cards, biometrics, and CCTV/surveillance cameras. Enforce a policy prohibiting storage of corporate assets in unattended vehicles. Require full-disk encryption on all laptops so stolen hardware yields no accessible data.
Current situation: Single perimeter firewall. Employees unaware of data handling requirements. Sales team using unauthorized SaaS tools — IT visibility into the environment is minimal.
Risks: Over-privileged access across systems. Unauthorized SaaS tools create blind spots in monitoring. The single firewall is a single point of failure with no compensating controls. No centralized detection capability means threats can persist indefinitely without discovery.
Mitigation: Invest in database, server, and computing infrastructure to support centralized logging and monitoring. Deploy a SIEM to aggregate and correlate logs from all critical systems. Train staff against phishing and ransomware as immediate near-term controls. Build toward 24/7 monitoring — either through an internal SOC team or a Managed Detection and Response (MDR) provider.
| Domain | Severity | Priority |
|---|---|---|
| BCP / Disaster Recovery | 🔴 Critical | Immediate — no backups is existential |
| Vulnerability & Patch Management | 🔴 Critical | Immediate — EternalBlue/Log4j exposure |
| Email Security | 🔴 Critical | Immediate — EOL solution, active phishing risk |
| IAM Security | 🔴 High | Week 1 — no centralized identity, no MFA |
| Endpoint Security | 🔴 High | Week 1 — no EDR, no IR procedures |
| Network Security | 🟠 High | Month 1 — flat network, single firewall |
| SOC | 🟠 High | Month 1 — no detection capability |
| Awareness Training | 🟠 High | Month 1 — employees are primary attack vector |
| Password Management | 🟡 Medium | Month 1 — credentials on sticky notes |
| Physical Security | 🟡 Medium | Month 1 — laptops in vehicles |
| DLP | 🟡 Medium | Month 2 — no backups, no classification |
| Application Security | 🟡 Medium | Month 2 — no secure SDLC |
| Shadow IT | 🟡 Medium | Month 2 — unauthorized SaaS in use |
| Policies & Governance | 🟡 Medium | Month 2 — GDPR/PCI DSS/CCPA compliance gap |
| Risk Assessment Methodology | 🟢 Foundation | Ongoing — framework for all other work |
Three actions in the first 30 days before anything else:
1. Back up everything. No other remediation matters if a ransomware attack hits tomorrow and there is no recovery path.
2. Emergency patch cycle. Scan immediately and patch EternalBlue and Log4Shell exposure. These are known, actively exploited vulnerabilities with public proof-of-concept code available to any attacker.
3. Replace Forefront. It is retired software. Every day it runs is another day phishing emails land in executive inboxes with no filtering.
Everything else on this list is important — but these three actions address the most immediate existential risk.
- 15-domain enterprise security assessment methodology
- Risk identification, impact scoring, and remediation prioritization
- Regulatory compliance mapping — GDPR, PCI DSS, CCPA
- Security framework application — NIST CSF, Zero Trust
- GRC fundamentals — policies, governance, audit
- CISO-level communication — translating technical risk into business impact
- Team-based security consulting engagement simulation
grc risk-assessment nist-csf enterprise-security ciso compliance gdpr pci-dss cybersecurity cysa-plus