Cybersecurity-Master-Journey
Capstone 2: Perform an Impact Analysis to Address Vulnerabilities
π’ Capital Ink Publishing - Cybersecurity Risk Assessment
π Simulation-Based Capstone Project
This assessment was completed as part of the IBM SkillsBuild Cybersecurity Certificate program. Capital Ink Publishing is a simulated digital publishing scenario created for educational purposes. All findings, recommendations, and artifacts demonstrate applied learning of vulnerability analysis, impact assessment, and risk mitigation.
π― Challenge
Conduct a comprehensive cybersecurity risk assessment for a digital publishing company, identifying vulnerabilities, analyzing threats, assessing business impacts, and prioritizing mitigation strategies using industry frameworks.
π οΈ Tools & Frameworks Used
- OWASP ZAP (Vulnerability Scanning)
- CVSS 3.0 (Vulnerability Scoring)
- IBM X-Force Exchange (Threat Intelligence)
- NIST Cybersecurity Framework
- Industry Best Practices
π Key Vulnerabilities Identified
| Vulnerability | Type | CVSS Score | Risk Level |
| Active Malware Infection | Data Exfiltration | 9.8 | π΄ Critical |
| Unauthorized Database Access | Access Control | 7.5 | π΄ High |
| Cross-Site Scripting (XSS) | Injection | 6.1 | π High |
| Cross-Site Request Forgery (CSRF) | Session Management | 6.5 | π High |
| Cloud Metadata Exposure | Misconfiguration | 5.3 | π‘ Moderate |
| Missing Security Headers | Configuration | 4.3 | π‘ Moderate |
π Impact Analysis
Network Integrity Impact
- Malware: Compromised workstations spreading laterally, corrupting network integrity
- Unauthorized Access: Attackers mapping network topology, bypassing segmentation
Business Continuity Impact
- Operational: Potential system downtime, extended recovery time
- Financial: Lost productivity, incident response costs, revenue loss
- Reputation: Loss of customer trust from credential theft
Data Security Impact
- Confidentiality: CRITICAL - Active theft of unpublished manuscripts, customer PII, financial records
- Compliance: Potential GDPR/CCPA violations, legal notification requirements
- Integrity: Attackers performing unauthorized actions via session hijacking
π― Skills Demonstrated
β Evaluate Organizational Security
- Assessed current security posture across web applications, databases, and cloud infrastructure
- Identified gaps in technical, administrative, and operational controls
β Analyze Cybersecurity Threat Impact
- Evaluated effects on network integrity, business continuity, and data security
- Assessed confidentiality, integrity, and availability (CIA) impacts
β Categorize Vulnerabilities by Severity
- Applied CVSS 3.0 scoring framework
- Prioritized using risk-based approach (Critical β High β Moderate β Low)
β Justify Threat Mitigation Tactics
- Recommended technical, administrative, and operational controls
- Provided implementation timelines (24h, 1 week, 1 month, 3 months)
- Explained effectiveness and business rationale for each control
π€ Key Deliverables
β Comprehensive Risk Assessment Report
- Executive summary with critical findings
- Vulnerability identification using OWASP ZAP
- Threat intelligence analysis (IBM X-Force)
β Prioritized Mitigation Plan
- Immediate actions (24 hours): Malware containment, access control updates
- Short-term (1 week): MFA deployment, XSS remediation
- Medium-term (1 month): Security headers, employee training
- Long-term (3 months): Secure backups, architecture review
β Security Controls Framework
- Technical controls (Antivirus, WAF, Encryption)
- Administrative controls (Policies, Training, Audits)
- Operational controls (Monitoring, Patch Management)
β Implementation Roadmap
- Prioritized timeline with clear rationales
- Resource requirements and success metrics
- KPIs for ongoing measurement
π‘ What I Learned
This capstone reinforced that vulnerability management is about risk-based prioritization, not just finding bugs.
Key insights:
- Active threats demand immediate response: Malware with data exfiltration capabilities requires containment within 24 hours, not weeks
- Business context matters: A βmoderateβ CVSS score can be critical if it affects core revenue systems or customer trust
- Defense-in-depth is essential: No single control is sufficient; technical, administrative, and operational controls must work together
- Communication is critical: Executive summaries and clear timelines help leadership allocate resources effectively
Most importantly, I learned that security assessments arenβt just technical exercises theyβre business continuity tools that protect customer data, intellectual property, and organizational reputation.
π Official Microcredential
| Field | Details |
| Credential | IBM SkillsBuild: Vulnerability Management |
| Issued | May 08, 2026 |
| Credential ID | 173b0ebb-a010-4f62-8c83-54e8def38ffb |
| Verify | π View on Credly |
Badge Display
βΉοΈ This capstone was completed in a controlled simulation environment. Proprietary simulation materials are not shared publicly per IBM SkillsBuild policy. This report and the official microcredential serve as verified proof of competency.