Based on an analysis of the given study, I believe that the following are some of the controls that the company did not have in place, which could have easily helped in thwarting the security breach.
1) Inventory and Control of Hardware Assets: The company did not have monitoring systems in place to identify, monitor and prevent unauthorized devices from accessing the system.
2) Continuous Vulnerability Management: The company lacked tools to monitor and detect existing worldwide known vulnerabilities in order to remediate them.
3) Maintenance, Monitoring, and Analysis of Audit Logs: The company did not have the tools and capability to monitor and analyze logs, which could have helped the company in quick identification of the nature of attack and remediation of the systems.
4) Data Recovery Capabilities: The company lacked data recovery tools as it took them many weeks to restore the entire system back to its original state and make it fully functional.
5) Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: The company servers were not securely configured with firewalls which could have helped to prevent the denial of service attacks.
6) Boundary Defense: The company did not have any mechanism of whitelisting the IP addresses. This helps to identify whether the request is coming from a recognized source or a malicious source.
7) Data Protection: The personal information of the customers such as credit card information, login credentials were not encrypted properly and helped the attackers to steal the data easily and expose it online.
8) Penetration Tests and Red Team Exercises: The company had quite a few network and database related vulnerabilities which could have been avoided by performing penetration testing and red team exercises; which comprises of security experts in two teams, one as attacker and other as a defender and they simulate all possible known security attacks to test the stability of the systems.
9) Application Software Security: The company lacked best coding practices and guidelines in application development because SQL injection attack that happened is a technique which takes advantage of poor database query implementation.
10) Incident Response and Management: The company did not have any clear plan in place which would have helped the staff to determine the next course of action in case of any such security attacks and it took them more than a week to even acknowledge that such a breach had taken place.
