Introductory Physics Electrostatics Practice Problems Spring
Semester
1. In the picture at the right, calculate the net force (magnitude
and
direction) on ïżœ1.
2. Two objects separated by a distance of 1.75 m have charges
+ïżœ
and +3ïżœ. A third charge ïżœ is placed in-between the two
positive
charges so they are all on a line. Where should ïżœ be placed so
that
it is in equilibrium with the other two charges? Give your
answer
as a distance measured from charge +ïżœ.
3. Three point charges are located on a circular arc (ïżœ = 3.80
cm) as
shown on the right. First find the electric force (magnitude and
direction) exerted on a −5.07 nC charge placed at position P.
Then
remove that charge and find the total electric field (magnitude
and
direction) at point P. (Adapted from Problem #26 in your
book.)
4. Two charges (ïżœ1 = +8.0 ïżœïżœ and ïżœ2 = −3.0 ïżœïżœ) are
separated by a distance of 1.0 m. Where along
the line connecting the two charges is the net electric field
equal to zero? Give your answer as a
distance measured from ïżœ2.
5. Charge ïżœ1 = +50 ïżœïżœ is positioned at ïżœ = −26 cm, while
charge ïżœ2 = −50 ïżœïżœ is positioned at
ïżœ = +26 cm. What is the net electric field (magnitude and
direction) at the xy-coordinate
(0, +30) cm?
Answers:
1) 23 N, 24° above +x; 2) 0.641 m; 3) 1.01 × 10^-4 N to the
left, 1.99 × 10^4 N/C to the right;
4) 1.6 m; 5) 3.7 × 10^6 N/C to the right
Question #1
Question #3
Running Head: VULNERABILITY ASSESSMENT REPORT 1
Vulnerability Assessment Report
Table of Contents
1.0. Vulnerability Assessment Report
1.1. Scope of Work
1.2. Work breakdown Structure [represented in a separate file]
1.3. Threats and Vulnerability Report
1.3.1. Explanations of Threats and Vulnerabilities
1.3.2. Classification of threats and vulnerabilities
1.3.3. Prioritization of threats and vulnerabilities
1.4. Network Analysis Tools
1.4.1. Alcatel Lucent’s Motive Network Analyzer – Copper (NA-C)
1.4.2. SolarWinds NetFlow Traffic Analyzer, aka Orion NTA
1.4.3. Nagios Network Analyzer
1.4.4. Caspa free
Table 1: Vulnerability Assessment Matrix
1.5. Lessons Learned Report
References
1.0. Vulnerability Assessment Report
1.1. Scope of Work
Comment by Hank Williams: This should be the Overview section of
the paper.
This first paragraph is not relevant to a business report prepared
for the CTO. It is a lot of general cyber security fluff. Please
stay focused on writing a solid vulnerability assessment as this
will not do.
While you have titled this section Scope of Work, you have not
actually provided any scope of work. Please review the
recording of the F2F session to understand expectations for this
section.
Every business entity or government institution experiences
constant threats from many sources. All business
companies are subject to risks, and there is no organization
which is 100% safe from an attack. The existence of many
threats usually limits the organizational ability to prevent them
all. For instance, the leading antivirus company Kaspersky Lab
reports that the current malicious files processed by Kaspersky
Lab number 360,000 per day. In other words, there are over
250 new malware threats detected every day. However, malware
is not the only threat in organizational systems. There are
many other cyber security threats and network vulnerabilities
that cybercriminals or malicious actors can exploit to cause
harm or steal a company’s data. A vulnerability is a
weakness or flaw in a network or system that can be utilized
to allow an attacker to manipulate the system in some way or
cause harm. The company’s most common vulnerability
examples include malware, unpatched security vulnerabilities,
hidden backdoor programs, superuser account privileges,
automated running of scripts without virus checks, unknown
programming interfaces, phishing attacks, IoT devices, and
employees. The process of mitigating vulnerabilities in an
organization is known as vulnerability assessment.
Vulnerability assessment involves identifying, classifying and
ranking different vulnerabilities. Vulnerabilities that exist in
Ambit Group are due to an anticipated interaction of various
software programs or an underlying weakness in an individual
program or system component.
Ambit Group is a company that deals with technological
innovations and changes daily. In this company, we are familiar
with current trends in technology and incorporating these
technological innovations and changes into business solutions
for competitive advantage. We supply all cloud-based app
solutions to our customers in medium-sized companies in
Germany, Switzerland and Austria regions. Our services include
End2End processes and implementation of customized solutions
at the global and local level. We are part of Microsoft Part Eco
System integrating specialized partners such as IoT, BI, DMS,
Office 365 and Azure. We are located in Switzerland. Our
company is highly sensitive to vulnerability assessment.
Vulnerability assessment enables the company to stay ahead of
cybercriminals. It also helps us to keep up with compliance
requirements for our contracts. We also identify, classify and
rank vulnerabilities in our organization to ensure that our
employees and partners engage in proper security practices. As
the newly appointed chief information officer, my role is
to identify, classify and rank different vulnerabilities that
Ambit Group has been experiencing and give suggestions on
how we can adequately mitigate these vulnerabilities.
Comment by Hank Williams: Do not use 1st person. Remain formal
and use 3rd person at all times.
Comment by Hank Williams: This is not in keeping with the
scenario of a mid-sized company providing support to the federal
gov’t. Please make sure you follow the scenario. Your paper will
not be considered acceptable if you do not.
1.2. Work breakdown Structure [represented in a separate file]
Comment by Hank Williams: The WBS must be inline here
and not in a separate file or section.
1.3. Threats and Vulnerability Report
1.3.1. Explanations of Threats and Vulnerabilities
Comment by Hank Williams: It’s clear that you have not looked at
my templates.
This section is not an explanation of threats and vulnerabilities.
There is a tiny discussion in the first paragraph but most of this
section is non-relevant fluff. Some of this section could be
used in the SOW section and some in the Methodology section.
Nearly all organizations face some level of risk associated with
some threats. Many vulnerabilities are the result of natural
events or accidents, while others are intended to cause harm.
These factors also produce some of the weaknesses in Ambit Group.
In Ambit Group, there are external vulnerabilities, internal
vulnerabilities, vulnerabilities resulting from existing security
measures, and vulnerabilities which come as a result of
compliance requirements. Regardless of the nature of the
vulnerability, organizational management has the responsibility
to limit and manage risks resulting from these threats to the
extent possible.
Risk management is usually undertaken in relation to the
provisions that the federal government has provided. Public
security owners through the organizational chief security
information develop and implement a security risk management
methodology which complies with the interagency security
committee standards (Gujar, Ng & Yang, 2018). The risk
management methodology aims at supporting the security needs
of a facility. Ambit Group regularly assesses the vulnerability
of its security system to support the needs of the company.
As the newly appointed chief security information officer of
Ambit Group, the first step I will use to assess the
organizational vulnerability is to undertake threat assessment.
Vulnerability assessment involves identifying various types of
vulnerabilities, classifying and then ranking the vulnerabilities.
Some of the examples of vulnerabilities of Ambit Group that
were identified include malware, unpatched security
vulnerability, hidden backdoor programs, superuser account
privileges, automated running of scripts without virus check,
unknown programming interfaces, phishing attacks, IoT
devices, and employees (Hodson, 2019). Vulnerabilities that
exist in Ambit Group are due to an anticipated interaction of
different software programs or an underlying weakness in an
individual program or system component. My role is to
consider all spectrums of threats during a vulnerability
assessment. There are both human-made and natural threats the
agency is going to expand on. Considering a broader range of
threats will ensure that all vulnerabilities in the security system
are carefully managed, and the likelihood of the risks occurring
will also be reduced.
Internal threats contribute to more than 55% of Ambit Group’s
security vulnerabilities. Internal vulnerabilities come from
partners, employees and ex-employees (Hodson, 2019).
Common internal threats in the Ambit Group security system result
from opening malicious emails, accessing corporate systems on
unknown people, loss of laptops and other electronic devices,
taking advantage of database privileges, introducing a corrupt
tool to the organizational network, social engineering, and
becoming victims of phishing schemes. Internal vulnerabilities
also come as a result of the wrong procedures used in the
installation of security systems as well as the policies used.
Many organizations experience a big challenge in overcoming
employees’ complacency. This is because the insiders usually
access much information about the organization and can easily
tamper with it, given that they know how the sensitive
information about an organization is protected. In most cases,
internal threats result from unintended actions, as opposed to
external threats, which usually result from intentional acts such
as vandalism, data theft and disruption of services.
Internal and external threats in Ambit Group can be prevented
in the following ways: installation of IDSN that can be used to
alert on any form of suspicious activity in the network, and
monitoring of all database access usage patterns and movement to
detect data authorized by SQL, leakage, and significant data
transactions. Assessing data vulnerability can also be done by
deploying strong user authentication as well as by keeping
devices up to date.
Internal and external threats can also be prevented by
calculating risk scores. Calculating risk scores helps to capture
vulnerabilities and produce a numerical score that reflects their
severity. Other ways to manage internal and external
threats include training the workforce, removal of excessive
privileges, data encryption and embracing the cloud.
I was also able to find that the most commonly used method to
cause system vulnerabilities is the use of social media to hide
cyber attacks. Hackers create a link and attach it to a post put
up by robot accounts on Facebook or Twitter. This kind of
attack has become very popular in the modern world. The
attacks are modified in a way that they relate to posts that we
engage with on social media. Many organizations are still
struggling to keep up with the changing security landscape.
1.3.2. Classification of threats and vulnerabilities
Threats and vulnerabilities in the Ambit Group security system
can be classified based on the severity of the risks. Weaknesses
in the Ambit Group mainly result from internal threats caused
by employees, partners and ex-employees. Since the company
deals in technological devices and innovation, it is associated
with many challenges of cybercrimes. The attack on the
company’s security system is related to the sensitive
information that is only available with the organization’s
employees. For that matter, the internal organizational threats
should be classified first, and priority should be given to them.
Internal threats are classified first in consideration of the
potential impact of loss from the successful attack. An effect of
the failure is the degree to which the mission of the company is
affected by a successful attack from a given threat. The impact
of a risk can be classified as devastating, severe, noticeable, or
minor. Successful internal threats are catastrophic, while
external threats are severe. Other elements of vulnerabilities
such as existing security measures and compliance requirements
can be classified as noticeable and minor, respectively. The
aspects of vulnerabilities were also classified as ‘very high’,
‘high’, ‘moderate’ and ‘low’.
1.3.3. Prioritization of threats and vulnerabilities
Threats which were found to be more severe were given
priority. Highly rated weaknesses and threats such as threats
which result from employees were given priority. The
prevention and management of high and most severe risks help
to limit the number of vulnerabilities as well as reducing
impacts of the equivalent threats (Siddi, 2018). Threats which
were found to have less impact were given
low priority because the organization has enough time to
prevent them and manage them effectively.
1.4. Network Analysis Tools
Comment by Hank Williams: None of the tools you have listed are
actual Vulnerability Assessment tools that would be used in an
assessment. If you had watched the video you would know of a
number of acceptable tools. Please watch the video.
The vulnerability assessment process requires specific network
analysis tools that help in identifying, categorizing, and ranking
of security flaws called vulnerabilities among network
infrastructure, computers, hardware, and software systems. In
Ambit Group, vulnerabilities are detected during vulnerability
assessment, which creates the need for vulnerability disclosure.
Therefore, my role as the CSIO is to discover all kinds of
vulnerabilities for the organization in order to protect the
organization from malicious activities such as cracking the
website, LANs, and systems.
The choice of network analysis tools during vulnerability
assessment was based on the following criteria. I first
recognized and realized the approach of my company, how it is
managed and structured. I then traced the applications and
systems that are used in the company. The
next step entailed examinations of the unobserved data sources,
which can allow simple data entry to the protected information.
The next step involved classifying both the physical and virtual
servers that run the sensitive business applications. The next
step involved tracking all the existing security measures which
are already in place, and finally, I inspected the organizational
network for any possible vulnerability. This process involved
the use of specific vulnerability scanners. Vulnerability
scanners automate security auditing (Burns & Fry, 2019). Since
my role was to undertake a vulnerability assessment for the
organization, it was highly essential to scan the vulnerabilities
so that I could come up with different security risks. The
following tools were used to analyze the security network of the
organization: Orion NTA, Alcatel Lucent’s Motive Network
Analyzer, Nagios Network Analyzer, and Caspa Free.
1.4.1. Alcatel Lucent’s Motive Network Analyzer – Copper
(NA-C)
Motive Network Analyzer-Copper (NA-C) provides detailed
inspection to networks with quick troubleshooting and fault
localization experience through its smart carrier data diagnosis,
data collection, and repair capabilities (Lang & Schreiner,
2017). The use of this tool was also significant because it
enabled the carrier’s network to maximize daily DSL stability to
match the requirements of high bandwidth services. It also
helped in easy upgrading to VDSL2 and ADSL2+. Another
advantage of using Motive NA-C is that it offers multivendor
DSLAM support, and it provides on-command line quality
inspections. The disadvantage of using Motive NA-C was that
it has sophisticated features that are not easily understood, and
it is a domain-specific analysis.
1.4.2. SolarWinds NetFlow Traffic Analyzer, aka Orion NTA
Orion NTA is a widely used Netflow analysis tool. Orion NTA
is highly preferred because it helps in exploring traffic flow
activities over the network (Lang & Schreiner, 2017). It also
examines the device behavior for excessive traffic flow, so it
enabled me to regulate excess bandwidth utilization without
updating networking resources. This utility administrator also
helped me to customize different chart elements; therefore, I
was able to simplify the chart view by removing unnecessary
information. It has the following advantages: it offers different
chart customization, and it allows for full SNMP protection.
One disadvantage of using Orion NTA is that NPM is mandatory
for maximum functionalities.
1.4.3. Nagios Network Analyzer
Nagios Network Analyzer offers a comprehensive analysis of
network services such as HTTP, ICMP, and POP3. This network
utility was used because it generates charts that are easy and
quick to interpret. Its advantages include a comprehensive
dashboard, easily understandable graphs, automated system
alerts, and advanced user protection. The only disadvantage is
that it sometimes fails to respond with sFlow capture.
1.4.4. Caspa free
Caspa free is a freeware tool for
troubleshooting, Ethernet monitoring, and analysis. This utility
was used to analyze LAN and WLAN, and to capture and
automate diagnosis. Caspa free can recognize and analyze
several network protocols with its e-mail monitoring, TCP
monitoring sequence charts, and smart custom reporting (Silva,
Nguyen, Correia, Clemente & Martins, 2019). This tool is
recommended for vulnerability assessment because it provides
in-depth LAN analysis; it is easy and quick to understand.
However, it offers very few options for customization and is
limited to Ethernet packets analysis.
For further analysis and assessment of vulnerabilities in Ambit
Group, the above tools are highly recommended because they
address and give comprehensive reports concerning the
organization’s security systems. The organization should consider
combining the use of these tools for proper management and
prevention of malicious activities in its system.
Table 1: Vulnerability Assessment Matrix
Comment by Hank Williams: The chart you have does not make sense.
Please use what I have provided in the templates.
All graphical aids (charts, tables, graphs, etc.) must have text
explaining the graphic. Otherwise the reader does not know the
context for your graphic.
Defined Threat
Vulnerability: Low | Medium | High | Very High
Impact of Loss: Minor | Noticeable | Severe | Devastating
Rating Category | Description
Very High | The risk is totally unacceptable. Immediate measures must be taken to reduce these risks and mitigate hazards.
High | The risk is unacceptable. Measures to reduce risk and mitigation hazards should be implemented as soon as possible.
Medium | The risk may be acceptable over the short term. Plans to reduce risk and mitigate hazards should be included in future plans and budgets.
1.5. Lessons Learned Report
Comment by Hank Williams: You have the wrong focus. The lessons
learned should be on the assessment process, not the results of
the assessment. What went right and what went wrong while
conducting the assessment.
The vulnerability assessment process is a fundamental process
that all organizations should consider undertaking on a regular
basis. As has been indicated in the findings, organizations
experience many risks in their information systems from
malicious activities which are created by internal employees,
partners or ex-employees. As a practical and most outstanding way
to ensure that unintended people are kept away from accessing
the organizational systems, every company must consider
undertaking precautionary measures that aim at protecting and
managing their network against malicious attacks. The study
indicates that internal threats are the most common types of
threats in many organizations. Internal threats are threats that
are caused by internal employees. Internal employees have
access to lots of organizational information. Many employees
are also exposed to sensitive information of the company.
Enabling an employee to have the security codes of the
information system of an organization can result in interference
or tampering with confidential information of the company. To
prevent employees from causing internal threats to the
organizations, many ways have been suggested in this study.
Internal and external threats in Ambit Group can be prevented
in the following ways: installation of IDSN that can be used to
alert on any form of suspicious activity in the network, and
monitoring of all database access usage patterns and movement to
detect data authorized by SQL, leakage, and significant data
transactions. Assessing data vulnerability can also be done by
deploying strong user authentication as well as by keeping
devices up to date.
Internal and external threats can also be prevented by
calculating risk scores. Calculating risk scores helps to capture
vulnerabilities and produce a numerical score that reflects their
severity. Other ways to manage internal and external threats
include training the workforce, removal of excessive privileges,
data encryption and embracing the cloud.
The study also identifies that threats and vulnerabilities in the
Ambit Group security system can be classified based on the
severity of the risks. Weaknesses in the Ambit Group mainly
result from internal threats caused by employees, partners and
ex-employees. Since the company deals in technological devices
and innovation, it is associated with many challenges of
cybercrimes. The attack on the company’s security system is
related to the sensitive information that is only available with
the organization’s employees. For that matter, the internal
organizational threats should be classified first, and priority
should be given to them. Internal threats are classified first in
consideration of the potential impact of loss from the successful
attack. An effect of the failure is the degree to which the
mission of the company is affected by a successful attack from a
given threat. The impact of a risk can be classified as
devastating, severe, noticeable, or minor. Successful internal
threats are catastrophic, while external threats are severe. Other
elements of vulnerabilities such as existing security measures
and compliance requirements can be classified as noticeable and
minor, respectively. The aspects of vulnerabilities were also
classified as ‘very high’, ‘high’, ‘moderate’ and ‘low’.
Tools that were used to analyze the security network of the
organization include Orion NTA, Alcatel Lucent’s Motive
Network Analyzer, Nagios Network Analyzer, and Caspa Free.
Every tool that was used had an advantage over the others. The
choice of these tools was based on their ability to provide a
good breakdown of the risks which can be easily interpreted to
the organizational management so that actions should be taken
upon most severe threats.
Based on the vulnerability assessment matrix, there are certain
risks that the organization must address immediately. The model
was used to analyze internal threats, and it indicates that there
are severe risks that the organization must address as soon as
possible because they can be catastrophic to the organization
and can even interfere with the normal functioning of the
organization. There are certain levels of risks that have been
identified based on the nature of impacts. Risks which are
associated with minor effects or loss result in low vulnerability
in the organization, and those which are characterized by
noticeable impacts have a likelihood of causing weaknesses to
the organizational system. Risks that can result in severe and
devastating effects are associated with significant flaws to the
organization. Therefore, the organization must give priority to
risks with major flaws because their impacts may be severe and
devastating to the organization. The process of managing and
prevention of threats in the organization should follow the
findings in the vulnerability assessment matrix. Risks which
indicate significant impacts should be given priority, followed
by those which may result in low impact or loss.
Organizations should also consider putting enough money for
vulnerability assessment and risk management. The amount of
money required for risk management should be based on the
findings of vulnerability assessment. Organizations can manage
risks and protect their assets when they engage in vulnerability
assessment regularly.
References
Burns, W. D., & Fry, R. (2019). U.S. Patent No. 10,511,623.
Washington, DC: U.S. Patent and Trademark Office.
Gujar, G., Ng, A. K., & Yang, Z. (2018). A Methodology to
Prioritize Security Vulnerabilities in Ports. In Contemporary
Container Security (pp. 63-79). Palgrave Macmillan, Cham.
Hodson, C. J. (2019). Cyber Risk Management: Prioritize
Threats, Identify Vulnerabilities and Apply Controls. Kogan
Page Publishers.
Lang, U., & Schreiner, R. (2017). U.S. Patent No. 9,563,771.
Washington, DC: U.S. Patent and Trademark Office.
Siddi, M. (2018). Identities and vulnerabilities: The Ukraine
crisis and the securitisation of the EU-Russia gas trade. In
Energy Security in Europe (pp. 251-273). Palgrave Macmillan,
Cham.
Silva, F. G., Nguyen, Q. T., Correia, A. F., Clemente, F. M., &
Martins, F. M. L. (2019). Network Analysis Tools. In Ultimate
Performance Analysis Tool (uPATO) (pp. 1-4). Springer, Cham.
Project 1: Final Vulnerability Assessment Report
Maria Sosa is depending on you, the chief information security
officer at your organization, to provide her and other
executive-level stockholders with a final vulnerability
assessment report. This thorough report should be presented with
your findings and recommendations.
Final Vulnerability Assessment Report (seven- to 10-page
report using this template: Assignment 7, Steps 11 and 12) This
report should include the following components:
· Title Page
  · Include:
    · for whom you are preparing the document, the title, the date prepared, and your name as the preparer of the document
· Table of Contents
  · with all sections
· Overview (introduction and purpose)
  · Include mission-critical aspects of current organizational processes:
    · personnel
    · physical security
    · network security
    · cybersecurity tools and processes
· Scope of Work (one-page report: Assignment 1, Steps 1 and 2)
  · Identify the elements that will be assessed within the organization for this assessment. Discuss items such as the type of network/system, what elements you'll assess (network, applications, web DMZ, databases, physical security, personnel security, etc).
· Work Breakdown Structure (spreadsheet: Assignment 2, Step 3)
  · Provide a breakdown of the major actions to be performed in the assessment
  · Should cover pre-assessment, assessment, and post-assessment activities
  · Include key elements that need to be tested and analyzed
  · State how each element will be assessed (Examine, Interview or Test)
  · See https://www.projectmanagementdocs.com/template/project-planning/work-breakdown-structure/#axzz69vGBl6bh for a good example of a WBS.
· Network Analysis Tools Report (one- to two-page report: Assignment 4, Step 7)
  · Description of the tools and methods that were utilized in the assessment.
· Vulnerability Assessment Methodology
  · Discuss how you classified risks (3x3 risk matrix, etc.)
· Vulnerabilities Assessment Findings (two- to three-page report: Assignment 3, Steps 4-6 & 8. Use the template provided)
  · Provide an intro to this section prior to the tables
  · Use the Vulnerability/Threat/Risk Matrix table (new table for each identified weakness)
    · description of threats and vulnerabilities
    · classifications of threats, vulnerabilities, and risk along with priority (all of these should be in a low/moderate/high format)
    · description of remediation action along with cost
  · Provide additional information after the tables pertaining to the findings as needed.
· Lessons Learned Report (two- to three-page report: Assignment 6, Steps 9 and 10)
  · This is Lessons Learned on the Assessment process, not on the system security
  · consider the report’s approach including:
    · factors
    · assessment completion
    · next steps
    · other issues to address
Risk Classification Matrix for the Vulnerability Assessment
Methodology section
Likelihood \ Impact | Low | Moderate | High
High | Moderate | High | Very High
Moderate | Low | Moderate | High
Low | Very Low | Low | Moderate
Vulnerability/Threat/Risk Matrix
VUL ID #:
Vulnerability Description:
Threat Description:
Likelihood: High
Impact: low
Risk Level: Moderate
Priority:
Asset:
Recommended Remediation:
Cost:
Table to report each finding in the Vulnerabilities Assessment
Findings section
1. SCOPE OF WORK- 1 page SOW report
2. WORK BREAKDOWN STRUCTURE- WBS
3. THREATS AND VULNERABILITIES REPORT- 2 or 3 page
report
4. NETWORK ANALYSIS TOOLS REPORT- 1 OR 2 page
report
5. VULNERABILITY ASSESSMENT- matrix
6. LESSONS LEARNED REPORT- 2 or 3 page report
7. FINAL VULNERABILITY ASSESSMENT REPORT-Your
final document will be seven to 10 pages long, not including
charts and graphics, and will include appendices, including a
vulnerability assessment matrix.
Project 1 Start Here
Vulnerabilities are security holes or flaws that can leave a
system open to attack. These may be from an inherent weakness
in the system itself, in procedures used, external sources, or
anything that may leave information exposed.
It is important that organizations actively assess their
vulnerabilities and ways to address them. In this project, you
will perform a vulnerability assessment, which identifies,
classifies, and ranks the vulnerabilities for your organization
from a disaster-management perspective.
The assessment will be completed in a series of steps. You will
classify and prioritize threats, assess vulnerabilities, and
include a "lessons learned" section as part of the assessment.
Your final document will be seven to 10 pages long, not
including charts and graphics, and will include appendices,
including a vulnerability assessment matrix. Throughout the
process, you will be submitting portions of the document to
your instructor for feedback so you can make adjustments
before submitting the final assessment.
You will be assessed on the coherence, inclusiveness, and
feasibility of your findings and recommendations on the
vulnerabilities of an organization from a disaster-management
perspective.
This is the first of four sequential projects in this course. There
are 12 steps in this project. Now that you have an idea of the
task ahead, review the scenario next to get started.
Vulnerability Assessment Management
Scene 1
You have just been promoted to the newly created role of chief
information security officer, or CISO, at your organization, a
midsize federal government contracting group.
Maria Sosa, the chief technology officer and your new boss,
stops to talk. “Can you stop by my office? I’d like to talk to you
about a new project.”
Scene 2
Maria gives you a friendly greeting as you enter.
“As you know, your new role involves helping us stay ahead of
cyber criminals, keeping up with compliance requirements for
our contracts, and ensuring that our partners and employees
engage in proper security practices.”
You nod.
“I’m concerned that the contractor we hired to develop our last
vulnerability assessment just didn’t understand the big picture
of how our organization works. Instead of using an outside
vendor, I’d like you to take the lead on the
assessment this year.”
“I realize this is a highly technical process, but as you are
working, I’d like you to keep the “big picture” in mind. Look at
people, processes, and technology across the entire organization
and really tie vulnerabilities to possible business impacts.”
Scene 3
You head back to your office, excited about the prospect of
tackling your first big assignment as CISO. You will have to
combine technical and research abilities to come up with an
assessment that ranks the vulnerabilities of the system from a
disaster management perspective. As part of this assignment,
you will present your prioritized list and supporting information
to the executives in a professional manner.
Step 1: Classify Aspects to Be Addressed
Before beginning the vulnerability assessment, you must first
create a preliminary classification of mission-critical aspects to
be addressed in the assessment. Determine what "secure" means
to the organization by reviewing the topic of cybersecurity
vulnerability, evaluating existing business practices, and
interviewing senior personnel.
Prepare an overview of the mission-critical aspects of the
organization's current processes. Include personnel, physical
security, network security, and cybersecurity in the overview.
You will use this overview to prepare a scope of work in the
following step.
Step 2: Create a Scope of Work (SoW)
In this step, you will perform a vulnerability assessment once
again as the CISO. Since the previous contractor was an
external consultant, you will be able to offer insights and
consider the big picture of the organization when conducting the
assessment. You will prepare for the assessment by creating a
comprehensive list of security needs based on findings from the
previous step. This list should identify threats, risks, and
vulnerabilities to achieve a holistic view of the risk across the
entity.
The SoW is the key element to any project and important to
learn. It should be filed as supplementary documentation for
purposes of evaluating execution and directional purposes of
meeting milestones of a multiphase comprehensive project plan
within the vulnerability assessment. The scope of work will be
the first section of the final vulnerability assessment report.
Combine the overview from the previous step with the list of
security needs into a one-page SoW report. Submit the report
for feedback. In the next step, you will use what you have
created to compile a comprehensive project plan.
Step 3: Develop a Comprehensive Work Breakdown Structure (WBS)
Within the previous step, the SoW report conveyed a brief
overview of the organization's critical aspects and a list of the
organization's security needs. Now, you are ready to develop a
comprehensive work breakdown structure (WBS). This
breakdown provides more detail, so you will need to devise
examples of procedures you might recommend to your
organization. Some examples include a penetration
test, baseline analysis, or system logging. Note the tools and
techniques to use in conducting a vulnerability assessment to be
used later in the project.
Using a spreadsheet, create the comprehensive work breakdown
structure, including key elements that must be tested and
analyzed. Organize the spreadsheet using the elements
identified in the SoW from the previous steps and the following:
· internal threats: personnel, policies, procedures
· external threats: systems, connectivity, databases
· existing security measures: software, hardware,
telecommunications, cloud resources
· compliance requirements: legal aspects (federal, state, and
local), contractual demands up and down the supply chain
· Note the security threats and vulnerabilities. This plan will
serve as the second section of the final vulnerability assessment
report.
· Submit the comprehensive work breakdown structure for
feedback. In the next step, you will provide detailed
explanations on those security threats and vulnerabilities.
Step 4: Explain Security Threats and Vulnerabilities
In the previous step, you developed a comprehensive work
breakdown structure. In this step, you will explain the security
threats and vulnerabilities included in the plan. In the
explanations, consider relevant concepts such as the threat
modeling process and third-party outsourcing issues. Include
system and application security threats and vulnerabilities.
Reference aspects that are not being included. Note that you
would need to obtain management agreement with the initial
analysis of mission-critical components to be included in the
assessment. This phase includes management input into the
prioritization process of all risks from internal and external
sources.
This information will be used in the following steps to develop
the threats and vulnerabilities report, which will then be
included in the Final Vulnerability Assessment Report.
Next, you will classify the risk of threats and
vulnerabilities.
Step 5: Classify the Risk of Threats and Vulnerabilities
Throughout this project, you have developed a foundation for
the vulnerability assessment by classifying critical
organizational aspects, creating a scope of work, and explaining
security threats and vulnerabilities. Now, you are ready to
classify the organization's risk according to the relevant data
determined in the project plan.
Company demands, management input, compliance
requirements, and industry probability of exploitation are all
considerations when classifying the risk of threats and
vulnerabilities. Based on these considerations for the midsize
government contracting group, further clarify the vulnerabilities
you have itemized. Explain why each is a vulnerability, as well
as why that particular vulnerability is relevant to the overall
assessment. Consider continuous monitoring issues as you work
through the classification. Use the threat and vulnerability
explanations from the previous step and risk classifications
from this step to develop the threats and vulnerabilities report.
In the next step, you will prioritize the threats and
vulnerabilities you have explained and classified.
Step 6: Prioritize Threats and Vulnerabilities
Now that you have explained and classified the threats and
vulnerabilities, you will prioritize them using a reasonable
approach as explained in the project plan. As you prioritize the
identified threats and vulnerabilities, you will need to:
· include both internal and external sources
· consider assessment of exposure to outages
· consider information resource valuation
· indicate which approach you are using and justify your choice
Use this information, along with the threat vulnerabilities
explanations and risk classifications from the previous steps, to
develop the threats and vulnerabilities report.
Compose a two- to three-page report regarding specific threats
and vulnerabilities of the technical aspects of the environment.
This report will be used in the final vulnerability assessment
report.
Submit the threats and vulnerabilities report for feedback. Next,
you will take a closer look at network analysis tools.
Step 7: Analyze Network Analysis Tools
Now that you have finished the threats and vulnerabilities
report, you will analyze how network analysis tools are
employed to identify vulnerabilities. Earlier in the project, as
you developed the comprehensive project plan, you should have
read about tools and techniques available for vulnerability
assessment activities. Research the tools relevant to the project
plan and provide a cogent analysis of which tool or tools to
recommend for this project. Consider threat remediation and
make special note of tools used to identify software
communications vulnerabilities.
Include the findings in a one- to two-page report, including a
justification of your decision based on peer-reviewed reference
materials cited in APA format. This report will be used in the
final vulnerability assessment report.
Submit the network analysis tools report for feedback. In the
next step, you will assess vulnerabilities.
Step 8: Assess Vulnerabilities
So far, you have considered the scope of work to complete a
vulnerability assessment for the organization, created a
comprehensive work breakdown structure, explained, classified,
and prioritized threats and vulnerabilities, and have chosen the
network analysis tools to be used. It is finally time to assess
vulnerabilities.
Using the Vulnerability Assessment Matrix template, complete
the vulnerability assessment for your organization. This matrix
will serve as Appendix B of the final vulnerability assessment
report.
Submit the matrix for feedback. Next, you will record "lessons
learned" as a conclusion to be used in the final report.
Step 9: Review and Record Findings
After completing the vulnerability assessment in the previous
step, you should now take time to review and consider your
findings. Review the work you have completed and the feedback
that you have received. Record any lessons that you have
learned that may be beneficial in the future.
Issues that may be addressed include whether nontechnical
factors should be considered during the vulnerability
assessment, the point at which the assessment is complete, next
steps, and any other issues that you noticed throughout. Record
your notes thoroughly, as they will be the basis for the "lessons
learned" report completed in the next step.
Step 10: Write Lessons Learned Report
Based on the work done and research accomplished, consider
what you have learned so far. Build upon the findings recorded
in the previous step to write a lessons learned report.
Is a vulnerability assessment a technical undertaking only, or
should it consider other factors? When is the assessment
complete? What are the "next steps" based on your assessment?
These are some examples of issues that should be addressed.
This report will serve as the conclusion of the final report.
Submit a two- to three-page report of lessons learned for
feedback. Once this reflection is complete, you will be ready to
compile the overall vulnerability assessment report. In the next
step, you will revise your findings as necessary.
Step 11: Review and Revise Report Sections
Now that you have completed all the major sections of the
vulnerability assessment, it is time to prepare the individual
sections of the final report. Review the feedback from the SoW,
Work Breakdown Structure, Threats and Vulnerabilities Report,
Network Analysis Tools Report, Vulnerability Assessment, and
Lessons Learned Report. Make any appropriate revisions to
incorporate the received feedback. Compile the findings in
preparation to submit the final report.
Once the revisions are complete, the final report is ready to
submit in the last step.
Step 12: Write Overview and Compile Final Vulnerability Assessment Report
You have reached the final step. Use the Final Vulnerability
Assessment Report template in preparing the final report. In
APA style, write an overview and compile all the sections
prepared throughout the project into a report according to the
template. Since this report will be delivered to Maria and other
top executives, tailor your writing to the appropriate audience.
Be sure that coherent paragraphs or points are developed so that
each is internally unified, functioning as part of the whole
document.
When you are finished, submit the final report.
Final Vulnerability Assessment Report
Maria Sosa is depending on you, the chief information security
officer at your organization, to provide her and other executive-
level stockholders with a final vulnerability assessment report.
This thorough report should be presented with your findings and
recommendations.
Final Vulnerability Assessment Report (seven- to 10-page
report using this template: Assignment 7, Steps 11 and 12) This
report should include the following components:
· Title Page
· Include:
· for whom you are preparing the document, the title, the date
prepared, and your name as the preparer of the document
· Table of Contents
· with all sections
· Overview (introduction and purpose)
· Include mission-critical aspects of current organizational
processes:
· personnel
· physical security
· network security
· cybersecurity
· Scope of Work (one-page report: Assignment 1, Steps 1 and 2)
· Include identified security threats, risks, and vulnerabilities
within the organization from the preliminary classification of
mission-critical aspects
· Work Breakdown Structure (spreadsheet: Assignment 2, Step
3)
· Include key elements that need to be tested and analyzed:
· internal threats
· external threats
· existing security measures
· compliance requirements
· Threats and Vulnerabilities Report (two- to three-page report:
Assignment 3, Steps 4-6)
· Include:
· explanation of threats and vulnerabilities
· classifications of threats and vulnerabilities
· prioritizations of threats and vulnerabilities
· Lessons Learned Report (two- to three-page report:
Assignment 6, Steps 9 and 10)
· Include:
· reviewed and recorded findings
· consider the report’s approach including:
· factors
· assessment completion
· next steps
· other issues to address
· Network Analysis Tools Report (one- to two-page report:
Assignment 4, Step 7--include as Appendix A)
· Include comprehensive recommendations of all components
within each key element that should be tested and analyzed:
· internal threats
· external threats
· existing security measures
· compliance requirements
· Vulnerability Assessment Matrix (one-page matrix using
template: Assignment 5, Step 8--include as Appendix B)
· Assess vulnerabilities of your organization
Vulnerability Assessment
A vulnerability is a "weakness in an information system,
system security procedures, internal controls, or implementation
that could be exploited by a threat source" (NIST, 2012, p. 9).
Vulnerabilities may result from an improperly configured
system (weak passwords, unnecessary ports and protocols, etc.),
as well as from missing software patches.
Vulnerability assessments involve the use of tools and processes
to identify vulnerabilities present in the systems for which an
organization is responsible. A vulnerability assessment
identifies errors which could be used for nefarious activities by
hackers.
Vulnerability assessment is an important part of an
organization's overall risk management strategy. Such
assessments are conducted to meet governmental regulations
and requirements, and to help guide organizational IT security
practices, stay on top of emerging security threats, ensure that
staff members are using appropriate measures, and to
demonstrate to customers that your organization is vigilant on
security issues.
One commonly used assessment tool is a vulnerability scanner,
which is used to create a network map or inventory that
identifies systems that are functional on a network, as well as
their open ports, running services, and operating systems (such
as Microsoft Windows 7, Linux, etc.). Once a map has been
created, the vulnerability scanner has the ability to assess
systems with a database of known vulnerabilities.
Other tools and processes used to identify, quantify, and
prioritize a system's vulnerabilities include network discovery,
network port and service identification, documentation and log
review, integrity checking, or a combination of several methods.
Penetration Test
Penetration tests are an integral part of any security and risk
management enterprise. Therefore, cybersecurity professionals
should have a basic understanding of key concepts and
terminologies regarding penetration testing. Whereas a
vulnerability assessment identifies vulnerabilities within a
system, a penetration test attempts to exploit those
vulnerabilities to gain access to sensitive information.
A penetration test is an attempt to gather information to
determine whether vulnerabilities exist in security components,
networks, and applications of an organization. The intent of a
penetration test is to "attack" the system in the same manner as
would a hacker.
Performing a penetration test gives an organization a much
more realistic appreciation of the types of vulnerabilities it may
be hosting. Further, it provides the organization with a holistic
and comprehensive picture of its true exposure to hackers. For
instance, a vulnerability assessment may reveal that multiple
systems in an organization are exhibiting vulnerabilities. A
penetration test will attempt to use these vulnerabilities to allow
the tester to potentially compromise the organization's most
sensitive information.
If an organization intends to perform a penetration test, or to
have a third party perform a penetration test, it is imperative
that rules of engagement be defined before the activity begins.
Rules of engagement lay out acceptable methodologies and
guidelines for the penetration testing process. Without these
rules, a penetration test could inadvertently expose sensitive
data or cause system interruptions unacceptable to the
organization's management.
Depending on the parameters of an investigation or assessment,
a penetration test may extend beyond virtual connections into
physical aspects of how the organization protects data. Testers
may be permitted to do the following:
· Look for written passwords—The penetration tester may look
for passwords written down and stored on a user's desk, under
his or her keyboard, or on a whiteboard. Written passwords are
common security hazards that contribute to an organization's
overall exposure to attackers.
· Go dumpster diving—Dumpster diving refers to the act of
combing through an organization's trash in search of sensitive
information. Sensitive information may be personal information,
such as data records containing medical or credit card
information, or it may be data records containing organizational
information, such as charts or employee phone numbers that can
be used for social engineering attacks.
· Engage in social engineering—Social engineering describes
methods employed by hackers and penetration testers to use
people's social dispositions against them. For instance, if a
tester called a military organization and claimed to be a senior
officer, the junior person receiving the call would possibly be
too intimidated to follow proper procedure and screen the caller
appropriately before disclosing sensitive information.
· Piggyback into a secure facility—Piggybacking occurs when
an unauthorized user gains access to a facility by following
closely behind an authorized employee who has used his or her
credentials to enter the facility. The piggybacker may facilitate
entrance by dressing like a member of a maintenance crew or in
attire that leads the victim to believe the attacker is actually a
senior executive. From a penetration-testing perspective,
gaining physical access to a sensitive computing device
represents a significant breach of an organization's physical
security controls.
Baseline Analysis
An asset is a possession (item or object) that has value and must
be protected against harm or loss. Information and information
systems are assets. Information is an asset because the
organization must spend money to obtain it so that the
information can be used to produce goods and services.
Examples of valuable information assets include formulas,
customer and vendor lists, sales plans, and marketing strategies.
An information system is an asset because each component of
the system costs money to purchase or replace.
Asset security is an integral part of cybersecurity. The
cybersecurity measures required to protect business assets are
determined by identifying the assets that require protection and
then assessing the specific threats and vulnerabilities (for each
asset or type of asset) that are present in the organization's
operating environment.
Critical infrastructure assets are those assets that are essential
for the functioning of the organization. Examples of critical
infrastructure assets include uninterrupted power supply to
facilities, data backups, physical access control to buildings,
etc.
Baseline analysis is based on the idea that a company must
establish a minimum set of safeguards to protect its critical
infrastructure assets. This baseline provides the CIO or the
organization's main stakeholders with a benchmark to ensure
that their systems provide a minimum level of security across
multiple applications and products.
System Logging
Analyzing system logs is a method of tracking vulnerabilities
and preventing future attacks. System log analysis provides a
snapshot of files that have been accessed, and each log contains
information related to a specific activity.
The analysis should include investigating user rights (who can
access data and what type of data), to ensure that the separation
of duties and least privilege standards are applied. Analysis
should also check for logging anomalies. Incongruities in log
settings, configurations, and processes might indicate malicious
activity, system flaws, or failure to follow set security
procedures.
System logs can also give insight into the system's data loss
prevention strategies, which identify and protect sensitive
information. Data loss prevention measures reduce the chance
of a breach of sensitive data.
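As an added illustration of the log review described in this section (not part of the original course material), the Python example below checks parsed access-log entries for least-privilege violations, separation-of-duties conflicts, and logging anomalies. The log format, role names, entitlement map, conflicting-action pairs, and sample lines are all constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed entitlement map (assumption): data types each role may access.
ROLE_ENTITLEMENTS = {
    "hr_analyst": {"personnel"},
    "accountant": {"finance"},
    "dba": {"personnel", "finance", "contracts"},
}

# Constructed rule (assumption): actions one person must not both perform
# on the same record.
CONFLICTING_ACTIONS = [("create_payment", "approve_payment")]

# Constructed sample log. Fields: timestamp user role action data_type record_id
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice hr_analyst read personnel P-100
2024-03-01T09:05:00Z alice hr_analyst read finance F-200
2024-03-01T10:00:00Z bob accountant create_payment finance F-201
2024-03-01T10:02:00Z bob accountant approve_payment finance F-201
2024-03-01T11:00:00Z carol accountant approve_payment finance F-202
2024-03-01T12:00:00Z dave contractor read contracts C-300
malformed line without enough fields
"""

Entry = namedtuple("Entry", "timestamp user role action data_type record_id")


def parse_log(text):
    """Split the log into well-formed entries and a list of anomalies.

    Lines that do not match the expected layout, or that carry a role the
    entitlement map does not know, are reported rather than silently dropped.
    """
    entries, anomalies = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 6:
            anomalies.append((lineno, "unexpected field count"))
            continue
        entry = Entry(*fields)
        if entry.role not in ROLE_ENTITLEMENTS:
            anomalies.append((lineno, "unknown role " + entry.role))
            continue
        entries.append(entry)
    return entries, anomalies


def least_privilege_violations(entries):
    """Return (user, data_type, record_id) for access outside the role's entitlements."""
    return [
        (e.user, e.data_type, e.record_id)
        for e in entries
        if e.data_type not in ROLE_ENTITLEMENTS[e.role]
    ]


def separation_of_duties_conflicts(entries):
    """Return (user, record_id, action_pair) where one user did both conflicting actions."""
    actions = defaultdict(set)
    for e in entries:
        actions[(e.user, e.record_id)].add(e.action)
    conflicts = []
    for (user, record_id), done in sorted(actions.items()):
        for pair in CONFLICTING_ACTIONS:
            if set(pair) <= done:
                conflicts.append((user, record_id, pair))
    return conflicts


def review(text):
    """Run all three checks and return the findings as a dictionary."""
    entries, anomalies = parse_log(text)
    return {
        "least_privilege": least_privilege_violations(entries),
        "separation_of_duties": separation_of_duties_conflicts(entries),
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(category)
        for finding in findings:
            print("   ", finding)
```
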
Vulnerability Assessment Matrix
Internal Threat and Vulnerability Matrix
Threat/Vulnerability | Classification | Priority (High-Medium-Low) | Analysis Tool Used | Remediation Plan
External Threat and Vulnerability Matrix
Threat/Vulnerability | Classification | Priority (High-Medium-Low) | Analysis Tool Used | Remediation Plan
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docx

More Related Content

Similar to Introductory Physics Electrostatics Practice Problems Spring S.docx

case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)ishan parikh production
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityIJCSIS Research Publications
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
How can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data lossesHow can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data lossesAbhishek BV
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxChandan Singh Ghodela
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016Ben Browning
 
Threat modelling
Threat modellingThreat modelling
Threat modellingRajeev Venkata
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementAnton Chuvakin
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxchristiandean12115
 
Unit III AssessmentQuestion 1 1. Compare and contrast two.docx
Unit III AssessmentQuestion 1 1. Compare and contrast two.docxUnit III AssessmentQuestion 1 1. Compare and contrast two.docx
Unit III AssessmentQuestion 1 1. Compare and contrast two.docxmarilucorr
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
A predictive framework for cyber security analytics using attack graphs
A predictive framework for cyber security analytics using attack graphsA predictive framework for cyber security analytics using attack graphs
A predictive framework for cyber security analytics using attack graphsIJCNCJournal
 
CYB610 Project Common computing platforms.docx
CYB610 Project Common computing platforms.docxCYB610 Project Common computing platforms.docx
CYB610 Project Common computing platforms.docxwrite5
 
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docxRunning head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docxtodd521
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxJakeariesMacarayo
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxJakeariesMacarayo
 

Similar to Introductory Physics Electrostatics Practice Problems Spring S.docx (19)

case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network Security
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
How can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data lossesHow can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data losses
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
Introductory Physics Electrostatics Practice Problems Spring S.docx

  • 4. 1.3.1. Explanations of Threats and Vulnerabilities 3 1.3.2. Classification of threats and vulnerabilities 6 1.3.3. Prioritization of threats and vulnerabilities 6 1.4. Network Analysis Tools 7 1.4.1. Alcatel Lucent’s Motive Network Analyzer – Copper (NA-C) 7 1.4.2. SolarWinds NetFlow Traffic Analyzer, aka Orion NTA 8 1.4.3. Nagios Network Analyzer 8 1.4.4. Caspa free 9 Table1: Vulnerability Assessment Matrix10 1.5. Lessons Learned Report 11 References 14 1.0. Vulnerability Assessment Report 1.1. Scope of Work Comment by Hank Williams: This should be the Overview section of the paper. This first paragraph is not relevant to a business report prepared for the CTO. It is a lot of general cyber security fluff. Please stay focused on writing a solid vulnerability assessment as this will not do. While you have titled this section Scope of Work, you have not actually provided any scope of work. Please review the recording of the F2F session to understand expectations for this section. Every business entity or government institutions experience constant threats from many sources. All business companies are subject to risks, and there is no organization which is 100% safe from an attack. The existence of many threats usually limits the organizational ability to prevent them all. For instance, the leading antivirus company Kaspersky Lab reports that the current malicious files processed by Kaspersky Lab improve 360,000 per day. In other words, there are over
  • 5. 250 new malware threats detected every day. However, malware is not the only threats in organizational systems. There are many other cyber security threats and network vulnerabilities that cybercriminals or malicious actors can exploit to cause harm or steal company’s data. Vulnerability refers to the weakness or a flaw in a network or system that can be utilized to allow an attacker to manipulate the system in some way or cause harm. The company’s most common vulnerability examples include malware, unpatched security vulnerability, hidden backdoor programs, superuser account privileges, automated running of scripts without virus check, unknown programming interfaces, phishing attacks, IoT devices, and employees. The process of mitigating vulnerabilities in an organization is known as vulnerability assessment. Vulnerability assessment involves identifying, classifying and ranking of different vulnerabilities. Vulnerabilities that exist in Ambit Group are due to an anticipated interaction of various software program, underlying weakness in an individual program or system components. Ambit Group is a company that deals with technological innovations and changes daily. In this company, we are familiar with current trends in technology and incorporating these technological innovations and changes into business solutions for competitive advantage. We supply all cloud-based app solutions to our customers in medium-sized companies in Germany, Switzerland and Austria regions. Our services include End2End processes and implementation of customized solutions in the global and local level. We are part of Microsoft Part Eco System integrating specialized partners such as IoT, BI, DMS, Office 365 and Azure. We are located in Switzerland. Our company is highly sensitive to vulnerability assessment. Vulnerability assessment enables the company to stay ahead of cybercriminals. It also helps us to keep up with compliance requirements for our contracts. 
We also identify, classify and rank vulnerabilities in our organization to ensure that our employees and partners engage in proper security practices. As
  • 6. the newly appointed chief information officer, my role is going to identify, classify and rank different vulnerabilities that Ambit Group have been experiencing and give suggestions on how we can adequately mitigate these vulnerabilities. Comment by Hank Williams: Do not use 1st person. Remain formal and use 3rd person at all times. Comment by Hank Williams: This is not in keeping with the scenario of a mid-sized company providing support to the federal gov’t. Please make sure you follow the scenario. Your paper will not be considered acceptable if you do not. 1.2. Work breakdown Structure [represented in a separate file] Comment by Hank Williams: The WBS must be inline here and not is a separate file or section. 1.3. Threats and Vulnerability Report 1.3.1. Explanations of Threats and Vulnerabilities Comment by Hank Williams: It’s clear that you have not looked at my templates. This section is not an explanation of threats and vulnerabilities. There is a tiny discussion in the first paragraph but most of this section is non-relevant fluff. Some of this section could be used in the SOW section and some in the Methodology section. Nearly all organization face some level of risk associated with some threats. Much vulnerability is as a result of natural events or accidents while others are intended to cause harm. These factors also produce some of the weaknesses in Ambit Group. In Ambit Group, there are external vulnerabilities, internal, vulnerabilities resulting from existing security measures, and vulnerabilities which come as a result of compliance requirements. Regardless of the nature of the vulnerability, organizational management has the responsibility to limit and manage risks resulting from these threats to the extent possible. Risk management is usually undertaken in relation to the provisions that the federal government has provided. Public security owners through the organizational chief security
  • 7. information develop and implement a security risk management methodology which complies with the interagency security committee standards (Gujar, Ng & Yang, 2018). The risk management methodology aims at supporting the security needs of a facility. Ambit Group regularly assesses the vulnerability of its security system to support the needs of the company. As the newly appointed chief security information officer of Ambit Group, the first step I will use to assess the organizational vulnerability is to undertake threat assessment. Vulnerability assessment involves identifying various types of vulnerabilities, classifying and then ranking the vulnerabilities. Some of the examples of vulnerabilities of Ambit Group that were identified include malware, unpatched security vulnerability, hidden backdoor programs, superuser account privileges, automated running of scripts without virus check, unknown programming interfaces, phishing attacks, IoT devices, and employees (Hodson, 2019). Vulnerabilities that exist in Ambit Group are due to an anticipated interaction of different software program, underlying weakness in an individual program or system components. My role is to consider all spectrums of threats during a vulnerability assessment. There are both human-made and natural threats the agency is going to expand on. Considering a broader range of threats will ensure that all vulnerabilities in the security system are carefully managed, and the likelihood of the risks occurring will also be reduced. Internal threats contribute to more than 55% of Ambit Group’s security vulnerabilities. Internal vulnerabilities come from partners, employees and ex-employees (Hodson, 2019). 
Common internal threats in Ambit Group security system results from opening malicious emails, accessing corporate systems on unknown people, lose of laptop and other electronic devices, taking advantages of database privileges, introducing a corrupt tool to the organizational network, social engineering, and becoming victims of phishing schemes. Internal vulnerable also come to a result of the wrong procedures used in the installation
  • 8. of security systems as well as policies used. Many organizations experience a big challenge in overcoming employees’ complacency. This is because the insiders usually access much information about the organization and can easily tamper with it, given that they know how the sensitive information about an organization is protected. In most cases, internal threats result from unintended actions as opposed to external threats which usually results from intentional acts such as vandalism, data theft and disruption of services. Internal and external threats in Ambit Group can be prevented through the following ways: installation of IDSN that can be used to alert any form of suspicious activity in the network— monitoring all database access usage patterns and movement to detect data authorized by SQL, leakage, and significant data transactions. Assessing data vulnerability can also be done by deploying strong user authentication as well as through keeping devices up to date. Internal and external threats can also be prevented by calculating risk scores. Calculating risk scores helps to capture vulnerabilities and produce a numerical score that reflects its severity. Other ways to avoid manage internal and external threats include training the workforce, removal of excessive privileges, data encryption and embracement of the cloud. I was also able to find that the most commonly used method to cause system vulnerabilities is the use of social media to hide cyber attacks. Hackers create a link and attach it to a post put up by robot accounts on Facebook or Twitter. This kind of attacks has become very popular in the modern world. The attacks are modified in a way that they relate to posts that we engage with on social media. Many organizations are still struggling to keep up with the changing security landscape. 1.3.2. 
Classification of threats and vulnerabilities Threats and vulnerabilities in the Ambit Group security system can be classified based on the severity of the risks. Weaknesses in the Ambit Group mainly results from internal threats caused by employee’s partners and ex-employees. Since the company
  • 9. deals in technological devices and innovation, it is associated with many challenges of cybercrimes. The attack on the company’s security system is related to the sensitive information that is only available with the organization’s employees. For that matter, the internal organizational threats should be classified first, and priority should be given to them. Internal threats are classified first in consideration of the potential impact of loss from the successful attack. An effect of the failure is the degree to which the mission of the company is affected by a successful attack from a given threat. The impact of a risk can be classified as devastating, severe, noticeable, or minor. Successful internal threats are catastrophic, while external threats are severe. Other elements of vulnerabilities such as existing security measures and compliance requirements can be classified as noticeable and minor, respectively. The aspects of vulnerabilities were also classified as ‘very high’, ‘high’, ‘moderate’ and ‘low’. 1.3.3. Prioritization of threats and vulnerabilities Threats which were found to be more severe were given priority. Highly rated weaknesses and threats such as threats which result from employees were given priority. The prevention and management of high and most severe risks help to limit the number of vulnerabilities as well as reducing impacts of the equivalent threats (Siddi, 2018). Threats which were found to have less impact and fewer impacts were given low priority because the organization has enough time to prevent them and manage them effectively. 1.4. Network Analysis Tools Comment by Hank Williams: None of the tools you have listed are actual Vulnerability Assessment tools that would be used in an assessment. If you had watched the video you would know of a number of acceptable tools. Please watch the video. 
The vulnerability assessment process requires specific network analysis tools that help in identifying, categorizing, and ranking security flaws, called vulnerabilities, across network infrastructure, computers, hardware, and software systems. In Ambit Group, vulnerabilities are detected during vulnerability assessment, which creates the need for vulnerability disclosure. Therefore, my role as the CISO is to discover all kinds of vulnerabilities for the organization in order to protect the organization from malicious activities such as cracking the website, LANs, and systems.

The choice of network analysis tools during vulnerability assessment was based on the following criteria. I first recognized and understood the approach of my company, how it is managed and structured. I then traced the applications and systems that are used in the company. The next step entailed examining the unobserved data sources, which can allow simple data entry to the protected information. The next step involved classifying both the physical and virtual servers that run the sensitive business applications. The next step involved tracking all the existing security measures that are already in place, and finally, I inspected the organizational network for any possible vulnerability. This process involved the use of specific vulnerability scanners. Vulnerability scanners automate security auditing (Burns & Fry, 2019). Since my role was to undertake a vulnerability assessment for the organization, it was essential to scan for vulnerabilities so that I could identify the different security risks. The following tools were used to analyze the security network of the organization: Orion NTA, Alcatel Lucent’s Motive Network Analyzer, Nagios Network Analyzer, and Caspa Free.

1.4.1. Alcatel Lucent’s Motive Network Analyzer – Copper (NA-C)

Motive Network Analyzer-Copper (NA-C) provides detailed inspection of networks, with quick troubleshooting and fault localization through its smart carrier data diagnosis, data collection, and repair capabilities (Lang & Schreiner, 2017).
The use of this tool was also significant because it enabled the carrier’s network to maximize daily DSL stability to match the requirements of high-bandwidth services. It also helped in easy upgrading to VDSL2 and ADSL2+. Another advantage of using Motive NA-C is that it offers multivendor DSLAM support, and it provides on-command line quality inspections. The disadvantage of using Motive NA-C was that it has sophisticated features that are not easily understood, and it is a domain-specific analysis tool.

1.4.2. SolarWinds NetFlow Traffic Analyzer, aka Orion NTA

Orion NTA is a widely used NetFlow analysis tool. Orion NTA is highly preferred because it helps in exploring traffic flow activities over the network (Lang & Schreiner, 2017). It also examines device behavior for excessive traffic flow, so it enabled me to regulate excess bandwidth utilization without updating networking resources. This utility also helped me to customize different chart elements; therefore, I was able to simplify the chart view by removing unnecessary information. It has the following advantages: it offers different chart customization, and it allows for full SNMP protection. One disadvantage of using Orion NTA is that NPM is mandatory for maximum functionality.

1.4.3. Nagios Network Analyzer

Nagios Network Analyzer offers a comprehensive analysis of network services such as HTTP, ICMP, and POP3. This network utility was used because it generates charts that are quick and easy to interpret. Its advantages include a comprehensive dashboard, easily understandable graphs, automated system alerts, and advanced user protection. The only disadvantage is that it sometimes fails to respond with sFlow capture.

1.4.4. Caspa free

Caspa free is a freeware tool for troubleshooting, Ethernet monitoring, and analysis. This utility was used to analyze LAN and WLAN, and to capture and automate diagnosis. Caspa free can recognize and analyze several network protocols with its e-mail monitoring, TCP monitoring sequence charts, and smart custom reporting (Silva, Nguyen, Correia, Clemente & Martins, 2019).
This tool is recommended for vulnerability assessment because it provides in-depth LAN analysis; it is easy and quick to understand. However, it offers very few options for customization and is limited to Ethernet packet analysis.

For further analysis and assessment of vulnerabilities in Ambit Group, the above tools are highly recommended because they address, and give comprehensive reports on, the organization’s security systems. The organization should consider combining the use of these tools for proper management and prevention of malicious activities in its systems.

Table 1: Vulnerability Assessment Matrix

Comment by Hank Williams: The chart you have does not make sense. Please use what I have provided in the templates. All graphical aids (charts, tables, graphs, etc.) must have text explaining the graphic. Otherwise the reader does not know the context for your graphic.

Defined Threat
Vulnerability:    Low, Medium, High, Very High
Impact of Loss:   Minor, Noticeable, Severe, Devastating

Rating Category   Description
Very High         The risk is totally unacceptable. Immediate measures must be taken to reduce these risks and mitigate hazards.
High              The risk is unacceptable. Measures to reduce risk and mitigate hazards should be implemented as soon as possible.
Medium            The risk may be acceptable over the short term. Plans to reduce risk and mitigate hazards should be included in future plans and budgets.

1.5. Lessons Learned Report

Comment by Hank Williams: You have the wrong focus. The lessons learned should be on the assessment process, not the results of the assessment. What went right and what went wrong while conducting the assessment.

The vulnerability assessment process is a fundamental process that all organizations should consider undertaking on a regular basis. As indicated in the findings, organizations experience many risks in their information systems from malicious activities created by internal employees, partners or ex-employees. As a practical way to keep unintended people from accessing organizational systems, every company must consider precautionary measures aimed at preventing and managing malicious attacks on its network.

The study indicates that internal threats are the most common types of threats in many organizations. Internal threats are threats that are caused by internal employees. Internal employees have access to a great deal of organizational information. Many employees are also exposed to sensitive information of the company. Enabling an employee to have the security codes of the information system of an organization can result in interference or tampering with confidential information of the company. To prevent employees from causing internal threats to the organization, many ways have been suggested in this study.

Internal and external threats in Ambit Group can be prevented through the following ways: installation of IDSN that can be used to alert on any form of suspicious activity in the network; monitoring all database access, usage patterns and movement to detect data authorized by SQL, leakage, and significant data transactions. Assessing data vulnerability can also be done by deploying strong user authentication as well as through keeping devices up to date. Internal and external threats can also be prevented by calculating risk scores. Calculating risk scores helps to capture vulnerabilities and produce a numerical score that reflects their severity. Other ways to manage internal and external threats include training the workforce, removal of excessive privileges, data encryption and embracement of the cloud.

The study also identifies that threats and vulnerabilities in the Ambit Group security system can be classified based on the severity of the risks. Weaknesses in the Ambit Group mainly result from internal threats caused by employees, partners and ex-employees. Since the company deals in technological devices and innovation, it faces many of the challenges of cybercrime. Attacks on the company’s security system relate to the sensitive information that is available only to the organization’s employees. For that reason, internal organizational threats should be classified first and given priority. Internal threats are classified first in consideration of the potential impact of loss from a successful attack. The impact of the loss is the degree to which the mission of the company is affected by a successful attack from a given threat. The impact of a risk can be classified as devastating, severe, noticeable, or minor. Successful internal threats are catastrophic, while external threats are severe. Other elements of vulnerabilities, such as existing security measures and compliance requirements, can be classified as noticeable and minor, respectively. The aspects of vulnerabilities were also classified as ‘very high’, ‘high’, ‘moderate’ and ‘low’.

Tools that were used to analyze the security network of the organization include Orion NTA, Alcatel Lucent’s Motive Network Analyzer, Nagios Network Analyzer, and Caspa Free. Each tool that was used had advantages over the others. The choice of these tools was based on their ability to provide a good breakdown of the risks that can be easily interpreted for the organizational management, so that action can be taken on the most severe threats.

Based on the vulnerability assessment matrix, there are certain risks that the organization must address immediately. The model was used to analyze internal threats, and it indicates that there are severe risks that the organization must address as soon as possible because they can be catastrophic to the organization and can even interfere with the normal functioning of the organization.

Certain levels of risk have been identified based on the nature of their impacts. Risks associated with minor effects or loss result in low vulnerability in the organization, and those characterized by noticeable impacts have a likelihood of causing weaknesses in the organizational system. Risks that can result in severe and devastating effects are associated with significant flaws in the organization. Therefore, the organization must give priority to risks with major flaws because their impacts may be severe and devastating to the organization.

The process of managing and preventing threats in the organization should follow the findings in the vulnerability assessment matrix. Risks that indicate significant impacts should be given priority, followed by those that may result in low impact or loss. Organizations should also consider setting aside enough money for vulnerability assessment and risk management. The amount of money required for risk management should be based on the findings of the vulnerability assessment. Organizations can manage risks and protect their assets when they engage in vulnerability assessment regularly.

References

Burns, W. D., & Fry, R. (2019). U.S. Patent No. 10,511,623. Washington, DC: U.S. Patent and Trademark Office.
Gujar, G., Ng, A. K., & Yang, Z. (2018). A Methodology to Prioritize Security Vulnerabilities in Ports. In Contemporary Container Security (pp. 63-79). Palgrave Macmillan, Cham.
Hodson, C. J. (2019). Cyber Risk Management: Prioritize Threats, Identify Vulnerabilities and Apply Controls. Kogan Page Publishers.
Lang, U., & Schreiner, R. (2017). U.S. Patent No. 9,563,771. Washington, DC: U.S. Patent and Trademark Office.
Siddi, M. (2018). Identities and vulnerabilities: The Ukraine crisis and the securitisation of the EU-Russia gas trade. In Energy Security in Europe (pp. 251-273). Palgrave Macmillan, Cham.
Silva, F. G., Nguyen, Q. T., Correia, A. F., Clemente, F. M., & Martins, F. M. L. (2019). Network Analysis Tools. In Ultimate
Performance Analysis Tool (uPATO) (pp. 1-4). Springer, Cham.

Project 1: Final Vulnerability Assessment Report

Maria Sosa is depending on you, the chief information security officer at your organization, to provide her and other executive-level stockholders with a final vulnerability assessment report. This thorough report should be presented with your findings and recommendations.

Final Vulnerability Assessment Report (seven- to 10-page report using this template: Assignment 7, Steps 11 and 12)

This report should include the following components:

· Title Page
  · Include: for whom you are preparing the document, the title, the date prepared, and your name as the preparer of the document
· Table of Contents
  · with all sections
· Overview (introduction and purpose)
  · Include mission-critical aspects of current organizational processes:
    · personnel
    · physical security
    · network security
    · cybersecurity tools and processes
· Scope of Work (one-page report: Assignment 1, Steps 1 and 2)
  · Identify the elements that will be assessed within the organization for this assessment. Discuss items such as the type of network/system, what elements you'll assess (network, applications, web dmz, databases, physical security, personnel security, etc).
· Work Breakdown Structure (spreadsheet: Assignment 2, Step 3)
  · Provide a breakdown of the major actions to be performed in the assessment
  · Should cover pre-assessment, assessment, and post-assessment activities
  · Include key elements that need to be tested and analyzed
  · State how each element will be assessed (Examine, Interview or Test)
  · See https://www.projectmanagementdocs.com/template/project-planning/work-breakdown-structure/#axzz69vGBl6bh for a good example of a WBS.
· Network Analysis Tools Report (one- to two-page report: Assignment 4, Step 7)
  · Description of the tools and methods that were utilized in the assessment.
· Vulnerability Assessment Methodology
  · Discuss how you classified risks (3x3 risk matrix, etc.)
· Vulnerabilities Assessment Findings (two- to three-page report: Assignment 3, Steps 4-6 & 8. Use the template provided)
  · Provide an intro to this section prior to the tables
  · Use the Vulnerability/Threat/Risk Matrix table (new table for each identified weakness)
    · description of threats and vulnerabilities
    · classifications of threats, vulnerabilities, and risk along with priority (all of these should be in a low/moderate/high format)
    · description of remediation action along with cost
  · Provide additional information after the tables pertaining to the findings as needed.
· Lessons Learned Report (two- to three-page report: Assignment 6, Steps 9 and 10)
  · This is Lessons Learned on the Assessment process, not on the system security
  · consider the report’s approach including:
    · factors
    · assessment completion
    · next steps
    · other issues to address

Risk Classification Matrix for the Vulnerability Assessment Methodology section

                      Impact
Likelihood            Low         Moderate    High
High                  Moderate    High        Very High
Moderate              Low         Moderate    High
Low                   Very Low    Low         Moderate

Vulnerability/Threat/Risk Matrix

VUL ID #
Vulnerability Description
Threat Description
Likelihood      Impact
High            low
Risk Level      Priority
Moderate
Asset
Recommended Remediation
Cost

Table to report each finding in the Vulnerabilities Assessment Findings section

1. SCOPE OF WORK - 1 page SOW report
2. WORK BREAKDOWN STRUCTURE - WBS
3. THREATS AND VULNERABILITIES REPORT - 2 or 3 page report
4. NETWORK ANALYSIS TOOLS REPORT - 1 or 2 page report
5. VULNERABILITY ASSESSMENT - matrix
6. LESSONS LEARNED REPORT - 2 or 3 page report
7. FINAL VULNERABILITY ASSESSMENT REPORT - Your final document will be seven to 10 pages long, not including charts and graphics, and will include appendices, including a vulnerability assessment matrix.

Project 1
Start Here

Vulnerabilities are security holes or flaws that can leave a system open to attack. These may be from an inherent weakness in the system itself, in procedures used, external sources, or anything that may leave information exposed.

It is important that organizations actively assess their vulnerabilities and ways to address them. In this project, you will perform a vulnerability assessment, which identifies, classifies, and ranks the vulnerabilities for your organization from a disaster-management perspective.

The assessment will be completed in a series of steps. You will classify and prioritize threats, assess vulnerabilities, and
include a "lessons learned" section as part of the assessment. Your final document will be seven to 10 pages long, not including charts and graphics, and will include appendices, including a vulnerability assessment matrix.

Throughout the process, you will be submitting portions of the document to your instructor for feedback so you can make adjustments before submitting the final assessment. You will be assessed on the coherence, inclusiveness, and feasibility of your findings and recommendations on the vulnerabilities of an organization from a disaster-management perspective.

This is the first of four sequential projects in this course. There are 12 steps in this project. Now that you have an idea of the task ahead, review the scenario next to get started.

Vulnerability Assessment Management

Scene 1

You have just been promoted to the newly created role of chief information security officer, or CISO, at your organization, a midsize federal government contracting group. Maria Sosa, the chief technology officer and your new boss, stops to talk.

“Can you stop by my office? I’d like to talk to you about a new project.”

Scene 2

Maria gives you a friendly greeting as you enter.

“As you know, your new role involves helping us stay ahead of cyber criminals, keeping up with compliance requirements for our contracts, and ensuring that our partners and employees engage in proper security practices.”

You nod.

“I’m concerned that the contractor we hired to develop our last vulnerability assessment just didn’t understand the big picture of how our organization works. Instead of using an outside vendor, I’d like you [emphasis] to take the lead on the assessment this year.”

“I realize this is a highly technical process, but as you are working, I’d like you to keep the “big picture” in mind. Look at people, processes, and technology across the entire organization and really tie vulnerabilities to possible business impacts.”

Scene 3

You head back to your office, excited about the prospect of tackling your first big assignment as CISO. You will have to combine technical and research abilities to come up with an assessment that ranks the vulnerabilities of the system from a disaster management perspective. As part of this assignment, you will present your prioritized list and supporting information to the executives in a professional manner.

Step 1: Classify Aspects to Be Addressed

Before beginning the vulnerability assessment, you must first create a preliminary classification of mission-critical aspects to be addressed in the assessment. Determine what "secure" means to the organization by reviewing the topic of cybersecurity vulnerability, evaluating existing business practices, and interviewing senior personnel.

Prepare an overview of the mission-critical aspects of the organization's current processes. Include personnel, physical security, network security, and cybersecurity in the overview. You will use this overview to prepare a scope of work in the following step.

Step 2: Create a Scope of Work (SoW)

In this step, you will perform a vulnerability assessment once again as the CISO. Since the previous contractor was an external consultant, you will be able to offer insights and consider the big picture of the organization when conducting the assessment. You will prepare for the assessment by creating a comprehensive list of security needs based on findings from the previous step. This list should identify threats, risks, and vulnerabilities to achieve a holistic view of the risk across the entity.

The SoW is the key element to any project and important to learn. It should be filed as supplementary documentation for purposes of evaluating execution and directional purposes of meeting milestones of a multiphase comprehensive project plan within the vulnerability assessment. The scope of work will be the first section of the final vulnerability assessment report.

Combine the overview from the previous step with the list of security needs into a one-page SoW report. Submit the report for feedback.

In the next step, you will use what you have created to compile a comprehensive project plan.

Step 3: Develop a Comprehensive Work Breakdown Structure (WBS)

Within the previous step, the SoW report conveyed a brief overview of the organization's critical aspects and a list of the organization's security needs. Now, you are ready to develop a comprehensive work breakdown structure (WBS).

This breakdown provides more detail, so you will need to devise examples of procedures you might recommend to your organization. Some examples include a penetration test, baseline analysis, or system logging. Note the tools and techniques to use in conducting a vulnerability assessment to be used later in the project.

Using a spreadsheet, create the comprehensive work breakdown structure, including key elements that must be tested and analyzed. Organize the spreadsheet using the elements identified in the SoW from the previous steps and the following:

· internal threats: personnel, policies, procedures
· external threats: systems, connectivity, databases
· existing security measures: software, hardware, telecommunications, cloud resources
· compliance requirements: legal aspects (federal, state, and local), contractual demands up and down the supply chain
· Note the security threats and vulnerabilities. This plan will serve as the second section of the final vulnerability assessment report.
· Submit the comprehensive work breakdown structure for feedback.

In the next step, you will provide detailed explanations on those security threats and vulnerabilities.

Step 4: Explain Security Threats and Vulnerabilities

In the previous step, you developed a comprehensive work breakdown structure. In this step, you will explain the security threats and vulnerabilities included in the plan. In the explanations, consider relevant concepts such as the threat modeling process and third-party outsourcing issues. Include system and application security threats and vulnerabilities.

Reference aspects that are not being included. Note that you would need to obtain management agreement with the initial analysis of mission-critical components to be included in the assessment. This phase includes management input into the prioritization process of all risks from internal and external sources.

This information will be used in the following steps to develop the threats and vulnerabilities report, which will then be included in the Final Vulnerability Assessment Report.

Next, you will classify the risk of threats and vulnerabilities.

Step 5: Classify the Risk of Threats and Vulnerabilities

Throughout this project, you have developed a foundation for the vulnerability assessment by classifying critical organizational aspects, creating a scope of work, and explaining security threats and vulnerabilities. Now, you are ready to classify the organization's risk according to the relevant data determined in the project plan.

Company demands, management input, compliance requirements, and industry probability of exploitation are all considerations when classifying the risk of threats and vulnerabilities. Based on these considerations for the midsize government contracting group, further clarify the vulnerabilities you have itemized. Explain why each is a vulnerability, as well as why that particular vulnerability is relevant to the overall assessment. Consider continuous monitoring issues as you work through the classification.

Use the threat and vulnerability explanations from the previous step and risk classifications from this step to develop the threats and vulnerabilities report.

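The classification in Step 5 can be made reproducible by applying the template's Risk Classification Matrix (likelihood by impact) to a findings register and ranking the result. The following is an added example, not part of the original assignment or the student's report; the finding IDs, descriptions, ratings and the tie-break order are constructed assumptions.

```python
"""Added example: classify and rank findings with the page's 3x3 risk matrix.

All findings below are constructed sample data, not results from the report.
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")                      # allowed input ratings
RISK_ORDER = ("very low", "low", "moderate", "high", "very high")

# RISK_MATRIX[likelihood][impact], copied from the template's
# Risk Classification Matrix.
RISK_MATRIX = {
    "high":     {"low": "moderate", "moderate": "high",     "high": "very high"},
    "moderate": {"low": "low",      "moderate": "moderate", "high": "high"},
    "low":      {"low": "very low", "moderate": "low",      "high": "moderate"},
}

# Assumption: "medium" (the word used in the student's own matrix) is treated
# as "moderate", the word the template requires.
ALIASES = {"medium": "moderate"}


def normalize(rating: str) -> str:
    """Map a free-text rating onto low/moderate/high or reject it."""
    value = " ".join(rating.strip().lower().split())
    value = ALIASES.get(value, value)
    if value not in LEVELS:
        raise ValueError(f"rating must be low/moderate/high, got {rating!r}")
    return value


@dataclass(frozen=True)
class Finding:
    vul_id: str
    vulnerability: str
    threat: str
    likelihood: str
    impact: str
    asset: str


def classify(finding: Finding) -> str:
    """Risk level for one finding, looked up by likelihood and impact."""
    return RISK_MATRIX[normalize(finding.likelihood)][normalize(finding.impact)]


def prioritize(findings):
    """Return (priority, finding, risk_level) tuples, highest risk first.

    Ties on risk level are broken by impact, then likelihood, then VUL ID
    (an assumed rule) so that two assessors get the same order.
    """
    def key(f):
        return (-RISK_ORDER.index(classify(f)),
                -LEVELS.index(normalize(f.impact)),
                -LEVELS.index(normalize(f.likelihood)),
                f.vul_id)
    ranked = sorted(findings, key=key)
    return [(n, f, classify(f)) for n, f in enumerate(ranked, start=1)]


def report_rows(findings):
    """One dict per finding, keyed by the Vulnerability/Threat/Risk Matrix fields.

    Recommended Remediation and Cost are left to the assessor.
    """
    return [{
        "VUL ID #": f.vul_id,
        "Vulnerability Description": f.vulnerability,
        "Threat Description": f.threat,
        "Likelihood": normalize(f.likelihood),
        "Impact": normalize(f.impact),
        "Risk Level": risk,
        "Priority": priority,
        "Asset": f.asset,
    } for priority, f, risk in prioritize(findings)]


# Constructed sample register (hypothetical IDs, assets and ratings).
SAMPLE = [
    Finding("V-03", "Unnecessary ports and protocols enabled",
            "External scan finds exposed service", "Medium", "Low", "File server"),
    Finding("V-05", "Backups stored without encryption",
            "Theft of backup media", "Low", "High", "Backup store"),
    Finding("V-01", "Excessive privileges on shared admin account",
            "Ex-employee retains access", "High", "High", "Database"),
    Finding("V-04", "Weak passwords", "Password guessing by insider",
            "High", "Moderate", "Workstations"),
    Finding("V-02", "Missing software patches", "External attacker uses known flaw",
            "Moderate", "High", "Web DMZ host"),
]

if __name__ == "__main__":
    for row in report_rows(SAMPLE):
        print(row)
```

Rejecting any rating outside low/moderate/high keeps every table in the findings section in the single format the template asks for.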
In the next step, you will prioritize the threats and vulnerabilities you have explained and classified.

Step 6: Prioritize Threats and Vulnerabilities

Now that you have explained and classified the threats and vulnerabilities, you will prioritize them using a reasonable approach as explained in the project plan. As you prioritize the identified threats and vulnerabilities, you will need to:

· include both internal and external sources
· consider assessment of exposure to outages
· consider information resource valuation
· indicate which approach you are using and justify your choice

Use this information, along with the threat vulnerabilities explanations and risk classifications from the previous steps, to develop the threats and vulnerabilities report.

Compose a two- to three-page report regarding specific threats and vulnerabilities of the technical aspects of the environment. This report will be used in the final vulnerability assessment report.

Submit the threats and vulnerabilities report for feedback.

Next, you will take a closer look at network analysis tools.

Step 7: Analyze Network Analysis Tools

Now that you have finished the threats and vulnerabilities report, you will analyze how network analysis tools are employed to identify vulnerabilities.

Earlier in the project, as you developed the comprehensive project plan, you should have read about tools and techniques available for vulnerability assessment activities. Research the tools relevant to the project plan and provide a cogent analysis of which tool or tools to recommend for this project. Consider threat remediation and make special note of tools used to identify software communications vulnerabilities.

Include the findings in a one- to two-page report, including a justification of your decision based on peer-reviewed reference materials cited in APA format. This report will be used in the final vulnerability assessment report.

Submit the network analysis tools report for feedback.

In the next step, you will assess vulnerabilities.

Step 8: Assess Vulnerabilities

So far, you have considered the scope of work to complete a vulnerability assessment for the organization, created a comprehensive work breakdown structure, explained, classified, and prioritized threats and vulnerabilities, and have chosen the network analysis tools to be used. It is finally time to assess vulnerabilities.

Using the Vulnerability Assessment Matrix template, complete the vulnerability assessment for your organization. This matrix will serve as Appendix B of the final vulnerability assessment report.

Submit the matrix for feedback.

Next, you will record "lessons learned" as a conclusion to be used in the final report.

Step 9: Review and Record Findings

After completing the vulnerability assessment in the previous step, you should now take time to review and consider your findings. Review the work you have completed and the feedback that you have received. Record any lessons that you have learned that may be beneficial in the future.

Issues that may be addressed include whether nontechnical factors should be considered during the vulnerability assessment, the point at which the assessment is complete, next steps, and any other issues that you noticed throughout. Record your notes thoroughly, as they will be the basis for the "lessons learned" report completed in the next step.

Step 10: Write Lessons Learned Report

Based on the work done and research accomplished, consider what you have learned so far. Build upon the findings recorded in the previous step to write a lessons learned report.

Is a vulnerability assessment a technical undertaking only, or should it consider other factors? When is the assessment complete? What are the "next steps" based on your assessment? These are some examples of issues that should be addressed. This report will serve as the conclusion of the final report.

Submit a two- to three-page report of lessons learned for feedback.

Once this reflection is complete, you will be ready to
  • 31. compile the overall vulnerability assessment report. In the next step, you will revise your findings as necessary.Step 11: Review and Revise Report Sections Now that you have completed all the major sections of the vulnerability assessment, it is time to prepare the individual sections of the final report. Review the feedback from the SoW, Work Breakdown Structure, Threats and Vulnerabilities Report, Network Analysis Tools Report, Vulnerability Assessment, and Lessons Learned Report. Make any appropriate revisions to incorporate the received feedback. Compile the findings in preparation to submit the final report. Once the revisions are complete, the final report is ready to submit in the last step.Step 12: Write Overview and Compile Final Vulnerability Assessment Report You have reached the final step. Use the Final Vulnerability Assessment Report template in preparing the final report. In APA style, write an overview and compile all the sections prepared throughout the project into a report according to the template. Since this report will be delivered to Maria and other top executives, tailor your writing to the appropriate audience. Be sure that coherent paragraphs or points are developed so that each is internally unified, functioning as part of the whole document. When you are finished, submit the final report. Final Vulnerability Assessment Report Maria Sosa is depending on you, the chief information security officer at your organization, to provide her and other executive- level stockholders with a final vulnerability assessment report. This thorough report should be presented with your findings and recommendations. Final Vulnerability Assessment Report (seven- to 10-page report using this template: Assignment 7, Steps 11 and 12) This report should include the following components:
  • 32.
· Title Page
  · Include:
    · for whom you are preparing the document, the title, the date prepared, and your name as the preparer of the document
· Table of Contents
  · with all sections
· Overview (introduction and purpose)
  · Include mission-critical aspects of current organizational processes:
    · personnel
    · physical security
    · network security
    · cybersecurity
· Scope of Work (one-page report: Assignment 1, Steps 1 and 2)
  · Include identified security threats, risks, and vulnerabilities within the organization from the preliminary classification of mission-critical aspects
· Work Breakdown Structure (spreadsheet: Assignment 2, Step 3)
  · Include key elements that need to be tested and analyzed:
    · internal threats
    · external threats
    · existing security measures
    · compliance requirements
· Threats and Vulnerabilities Report (two- to three-page report: Assignment 3, Steps 4-6)
  · Include:
    · explanation of threats and vulnerabilities
    · classifications of threats and vulnerabilities
    · prioritizations of threats and vulnerabilities
· Lessons Learned Report (two- to three-page report: Assignment 6, Steps 9 and 10)
  · Include:
    · reviewed and recorded findings
    · consider the report’s approach including:
      · factors
  • 33.
      · assessment completion
      · next steps
      · other issues to address
· Network Analysis Tools Report (one- to two-page report: Assignment 4, Step 7--include as Appendix A)
  · Include comprehensive recommendations of all components within each key element that should be tested and analyzed:
    · internal threats
    · external threats
    · existing security measures
    · compliance requirements
· Vulnerability Assessment Matrix (one-page matrix using template: Assignment 5, Step 8--include as Appendix B)
  · Assess vulnerabilities of your organization

Vulnerability Assessment

A vulnerability is a "weakness in any information system, security production, internal controls, or implementation that could be exposed by a threat source" (NIST, 2012, p. 9). Vulnerabilities may result from an improperly configured system (weak passwords, unnecessary ports and protocols, etc.), as well as from missing software patches. Vulnerability assessments involve the use of tools and processes to identify vulnerabilities present in the systems for which an organization is responsible. A vulnerability assessment identifies errors which could be used for nefarious activities by hackers.

Vulnerability assessment is an important part of an organization's overall risk management strategy. Such assessments are conducted to meet governmental regulations and requirements, to help guide organizational IT security practices, to stay on top of emerging security threats, to ensure that staff members are using appropriate measures, and to demonstrate to customers that your organization is vigilant on security issues.

One commonly used assessment tool is a vulnerability scanner,
  • 34. which is used to create a network map or inventory that identifies systems that are functional on a network, as well as their open ports, running services, and operating systems (such as Microsoft Windows 7, Linux, etc.). Once a map has been created, the vulnerability scanner can assess the systems against a database of known vulnerabilities. Other tools and processes used to identify, quantify, and prioritize a system's vulnerabilities include network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of several methods.

Penetration Test

Penetration tests are an integral part of any security and risk management enterprise. Therefore, cybersecurity professionals should have a basic understanding of key concepts and terminologies regarding penetration testing. Whereas a vulnerability assessment identifies vulnerabilities within a system, a penetration test attempts to exploit those vulnerabilities to gain access to sensitive information. A penetration test is an attempt to gather information to determine whether vulnerabilities exist in security components, networks, and applications of an organization.

The intent of a penetration test is to "attack" the system in the same manner as would a hacker. Performing a penetration test gives an organization a much more realistic appreciation of the types of vulnerabilities it may be hosting. Further, it provides the organization with a holistic and comprehensive picture of its true exposure to hackers. For instance, a vulnerability assessment may reveal that multiple systems in an organization are exhibiting vulnerabilities. A penetration test will attempt to use these vulnerabilities to allow the tester to potentially compromise the organization's most sensitive information.
If an organization intends to perform a penetration test, or to have a third party perform a penetration test, it is imperative that rules of engagement be defined before the activity begins. Rules of engagement lay out acceptable methodologies and
  • 35. guidelines for the penetration testing process. Without these rules, a penetration test could inadvertently expose sensitive data or cause system interruptions unacceptable to the organization's management.

Depending on the parameters of an investigation or assessment, a penetration test may extend beyond virtual connections into physical aspects of how the organization protects data. Testers may be permitted to do the following:

· Look for written passwords—The penetration tester may look for passwords written down and stored on a user's desk, under his or her keyboard, or on a whiteboard. Written passwords are common security hazards that contribute to an organization's overall exposure to attackers.
· Go dumpster diving—Dumpster diving refers to the act of combing through an organization's trash in search of sensitive information. Sensitive information may be personal information, such as data records containing medical or credit card information, or it may be data records containing organizational information, such as charts or employee phone numbers that can be used for social engineering attacks.
· Engage in social engineering—Social engineering describes methods employed by hackers and penetration testers to use people's social dispositions against them. For instance, if a tester called a military organization and claimed to be a senior officer, the junior person receiving the call would possibly be too intimidated to follow proper procedure and screen the caller appropriately before disclosing sensitive information.
· Piggyback into a secure facility—Piggybacking occurs when an unauthorized user gains access to a facility by following closely behind an authorized employee who has used his or her credentials to enter the facility. The piggybacker may facilitate entrance by dressing like a member of a maintenance crew or in attire that leads the victim to believe the attacker is actually a senior executive.
From a penetration-testing perspective, gaining physical access to a sensitive computing device represents a significant breach of an organization's physical
  • 36. security controls.

Baseline Analysis

An asset is a possession (item or object) that has value and must be protected against harm or loss. Information and information systems are assets. Information is an asset because the organization must spend money to obtain it so that the information can be used to produce goods and services. Examples of valuable information assets include formulas, customer and vendor lists, sales plans, and marketing strategies. An information system is an asset because each component of the system costs money to purchase or replace.

Asset security is an integral part of cybersecurity. The cybersecurity measures required to protect business assets are determined by identifying the assets that require protection and then assessing the specific threats and vulnerabilities (for each asset or type of asset) that are present in the organization's operating environment. Critical infrastructure assets are those assets that are essential for the functioning of the organization. Examples of critical infrastructure assets include uninterrupted power supply to facilities, data backups, physical access control to buildings, etc.

Baseline analysis is based on the idea that a company must establish a minimum set of safeguards to protect its critical infrastructure assets. This baseline provides the CIO or the organization's main stakeholders with a benchmark to ensure that their systems provide a minimum level of security across multiple applications and products.

System Logging

Analyzing system logs is a method of tracking vulnerabilities and preventing future attacks. System log analysis provides a snapshot of files that have been accessed, and each log contains information related to a specific activity. The analysis should include investigating user rights (who can access data and what type of data), to ensure that the separation
  • 37. of duties and least privilege standards are applied. Analysis should also check for logging anomalies. Incongruities in log settings, configurations, and processes might indicate malicious activity, system flaws, or failure to follow set security procedures. System logs can also give insight into the system's data-loss prevention strategies, which identify and protect sensitive information. Data loss prevention measures reduce the chance of a breach of sensitive data.

Vulnerability Assessment Matrix

Internal Threat and Vulnerability Matrix

Threat/Vulnerability | Classification | Priority (High-Medium-Low) | Analysis Tool Used | Remediation Plan
  • 38. External Threat and Vulnerability Matrix

Threat/Vulnerability | Classification | Priority (High-Medium-Low) | Analysis Tool Used | Remediation Plan
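As an added example (not part of the course template), the Python code below shows how the scanner workflow described earlier, an inventory of open ports and services checked against a database of known vulnerabilities, can fill the five matrix columns above. The hosts, products, versions, EXAMPLE-* identifiers, approved-port lists and the two classification labels ("Misconfiguration", "Missing patch") are constructed assumptions.

```python
# Constructed sample data: hosts, products, versions and advisory IDs are placeholders.
INVENTORY = [  # what a scanner's network map would record per live system
    {"host": "hr-db01", "ports": {5432: ("exampledb", "9.6.2"), 23: ("telnetd", "0.17")},
     "approved_ports": {5432}},
    {"host": "web01", "ports": {443: ("examplehttpd", "2.4.9"), 22: ("examplessh", "8.9")},
     "approved_ports": {22, 443}},
]
KNOWN_VULNS = [  # stand-in for the scanner's database of known vulnerabilities
    {"id": "EXAMPLE-0001", "product": "exampledb", "fixed_in": "9.6.5", "priority": "High"},
    {"id": "EXAMPLE-0002", "product": "examplehttpd", "fixed_in": "2.4.10", "priority": "Medium"},
    {"id": "EXAMPLE-0003", "product": "examplessh", "fixed_in": "8.0", "priority": "High"},
]
ORDER = {"High": 0, "Medium": 1, "Low": 2}

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10); as plain strings '2.4.9' would sort above '2.4.10'."""
    return tuple(int(part) for part in text.split("."))

def row(item, classification, priority, plan, tool):
    return {"Threat/Vulnerability": item, "Classification": classification,
            "Priority": priority, "Analysis Tool Used": tool, "Remediation Plan": plan}

def build_matrix(inventory, known_vulns, tool="vulnerability scanner"):
    rows = []
    for system in inventory:
        for port, (product, version) in sorted(system["ports"].items()):
            where = f"{system['host']}:{port}"
            # Improper configuration: a listening port that is not on the approved list.
            if port not in system["approved_ports"]:
                rows.append(row(f"Unapproved service {product} on {where}",
                                "Misconfiguration", "Medium",
                                f"Disable {product} or document a business need", tool))
            # Missing patch: installed version is older than the fixed release.
            for vuln in known_vulns:
                outdated = parse_version(version) < parse_version(vuln["fixed_in"])
                if vuln["product"] == product and outdated:
                    rows.append(row(f"{vuln['id']} in {product} {version} on {where}",
                                    "Missing patch", vuln["priority"],
                                    f"Upgrade {product} to {vuln['fixed_in']} or later", tool))
    return sorted(rows, key=lambda r: ORDER[r["Priority"]])  # stable sort, High first

if __name__ == "__main__":
    for r in build_matrix(INVENTORY, KNOWN_VULNS):
        print(" | ".join(r.values()))
```

The already-patched examplessh entry produces no row, and the numeric version comparison is what catches examplehttpd 2.4.9 as older than 2.4.10.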