Acme Enterprise Systems (AES) has hired you to perform a security risk assessment on their networks. They are interested in determining where their weak spots are, what kinds of risk those weak spots areas pose, and what they can do about them (on a budget).

AES has 75 employees, to include: Accounting/Backoffice, Software Developers, and Sales. AES has a headquarters office in Maitland Florida, with a regional office in Jacksonville and Tampa. Each site is connected together over a VPN to allow for one cohesive network. AES develops a software product called BIRDS. BIRDS is a web-based software-as-a-solution product they host out of their primary office in Maitland. The web server infrastructure consists of 3 large servers, each of which runs a webserver and database server (there are three for scaling).The IT Director has one IT Administrator to help him secure and operate the networks. Upon questioning, they did not know what the CIS standards were. They use a Windows domain controller, but have not applied any group policy. Each user in the network has local administrator accounts. The only end-point control applied appears to be Windows Defender for Antivirus. The IT director can VPN in to the network from home, no 2FA. No audit of expired user accounts has ever been performed. On the network: The environment consists of about 100 machines. There is no segmentation between any networks, including the web infrastructure. On inspection, it was found that the firewalls were all unpatched and had been for several years. They have a Dell Sonicwall at each site and they use a SonicPoint access point at each site for Wireless access. The Wireless network is secured using WEP and MAC Filtering. In speaking with the developers, it was discovered that they are developing custom software in PHP without using any frameworks. Developers had no knowledge of secure coding practices, or security in general. All user-work is done using laptops over wifi. Acme was recently hit with a CryptoLocker variant that spread through their entire enterprise, encrypting all their files and source code. They were forced to pay roughly $5000 in ransoms because they had no recent back-ups to restore from. Acme is a very typical company who has not thought about security. Using the information gathered so far, provide ACME with a comprehensive report and roadmap to improve their security posture.