1. Written assignments/communication must demonstrate professionalism, proper grammar, spelling and clarity of communication. Assignments handwritten or single-spaced will not be accepted. Poorly written assignments will receive a lowered grade. Do not let the power of your ideas be affected by poor grammar, spelling or clarity. Here are the formatting requirements for the files:
· Must have a cover page showing the title of the paper, due date, authors of the paper and class #
· In doc or docx format only (submissions in other file formats will receive no credit)
· Margins: 1”, top, bottom, right and left
· Acceptable fonts: Arial or Times New Roman
· Font color: black – using other colors on the cover page is allowed
· Font height: 12 pts.
· Line spacing: double
Ranking The Pairs
Team "A"
CMGT/430
September 29, 2016
Richard Zinne
Ranking The Pairs
| Vulnerability | Threat | Probability | Impact | Score (P+I) | Suggested Mitigation Steps |
|---|---|---|---|---|---|
| Activity Monitoring | Security scans and intrusion deception systems | 3 (High) | 3 (High) | 6 | Firewall and security system monitoring will be kept up to date, and logs will be reviewed once a week, or more often if needed. |
| Patch levels | Unnecessary exposure to known attack vectors | 3 (High) | 3 (High) | 6 | Use vulnerability scanning tools to monitor unpatched systems. A policy that includes the governance, standards and schedule of patching. Employment of best-practice patch methods and procedures. |
| Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees) | Potentially allowing attackers to cause excessive heating, furnace failures or frozen water pipes by manipulating thermostat functionality. | 3 (High) | 3 (High) | 6 | Ensure company security policy is in effect immediately following an employee's termination. |
| Poor implementation of file export capability in business enterprise software. | Asset leakage, which can happen through brute force attacks and even guesswork. | 3 (High) | 3 (High) | 6 | Enterprise Resource Planning (ERP). |
| Use of session cookies to maintain state over HTTP browsers. | The cookies could be reverse engineered, leading attackers to identify loopholes in the logic. | 2 (Med) | 3 (High) | 5 | Store no sensitive or secure data in cookies or other headers; ensure cookies have an expiration time. |
| OS command execution in function modules. | An attacker could execute OS commands even without authorization. | 2 (Med) | 3 (High) | 5 | CALL 'SYSTEM' / SAP authorizations |
| Door locks and padlocks from vendors like Quicklock, iBlulock, Plantraco, Ceomate were found to be vulnerable to password sniffing and replay attacks. | A captured command can be replayed later to open the locks, giving access to highly secured areas. Losing critical information and data within organizational systems. | 2 (Med) | 3 (High) | 5 | Ensure the latest door lock and padlock software, along with all drivers, are updated. |
| Susceptibility to dust, heat and humidity | Hardware failure | 2 (Med) | 3 (High) | 5 | Prepare and initiate proper preventive maintenance techniques on equipment. Properly weatherproof all locations with IT equipment. |
| Data centers in geographical locations prone to natural disasters | Full-scale service outage | 2 (Med) | 3 (High) | 5 | Evaluate and implement measures that support Disaster Recovery (DR) capabilities in geographical locations not prone to natural disasters. |
| The use of tokens in conducting authenticated application | Profile extractions using these tokens | 2 (Med) | 3 (High) | 5 | Enterprise IT Policy/Standard Statement |
| Unsecured administrative interfaces | Open attack or abuse broadsides to mission critical systems | 2 (Med) | 3 (High) | 5 | Properly secure administrative interfaces, assign IP access lists and install SSL certificates. |
| User Account Management | Restrictions on folders and directories (read or modify) | 2 (Med) | 3 (High) | 5 | Only people that need access to certain groups will have access to files for RW modification. |
| Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees) | Potentially allowing attackers to cause excessive heating, furnace failures or frozen water pipes by manipulating thermostat functionality. | 2 (Med) | 3 (High) | 5 | Training of employees will be every 6-12 months; employees that are new hires of 1-5 years will be trained for 6 months and then again at the end of the year. |
| Firewalls | Access from an IP that is not blocked on the network | 1 (Low) | 3 (High) | 4 | Firewalls will have the latest firmware and will be pen tested regularly. |
| Inadequate continuity planning | Extended outages and business loss | 1 (Low) | 3 (High) | 4 | Develop a concise Business Continuity Plan (BCP) that covers all business processes. |
| Access Control w/ Auditing | Unauthorized access to a controlled area | 2 (Med) | 2 (Med) | 4 | Employee badges only grant access when matched with PIN access. |
| Violation and Security Activity Reports | Manipulation of logs | 2 (Med) | 2 (Med) | 4 | Logs will be checked and backed up in different locations, and more than one person will have access to them. |
| Physical access to critical equipment (Data Center) | Damage or unauthorized access to enterprise assets | 1 (Low) | 3 (High) | 4 | Properly secured physical data center access points. The use of NFC key cards, access lists and controlled access hours. |
| Default credentials on network devices | Unauthorized or unintended access to network devices | 1 (Low) | 3 (High) | 4 | Policy and procedure regarding password policy on network devices, as well as an installation policy or procedure that addresses changing the default password. |
| Rogue access points | Unmonitored insecure network access | 1 (Low) | 3 (High) | 4 | Port security and MAC filtering prevent rogue devices from obtaining DHCP addresses or going outside of the port they are attached to. |
| Wheelchair Technology | A wheelchair from an unknown vendor had a vulnerability that could be exploited to disable a safety feature and take control of the device. Using technology in highly populated areas, and hacking medical devices etc. | 1 (Low) | 3 (High) | 4 | Configure security settings on wheelchair technology to prevent access. |
| Social engineering attacks. | Employees are a weak link that can be exploited. They could click on infected links and download infected files. They could infect computer systems or even create backdoors that could be used later to access the company networks. | 3 (High) | 1 (Low) | 4 | Install anti-virus software, firewalls and email filters, and keep these up to date. Set your operating system to update automatically, and if your smartphone doesn't automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or a third party to alert you to risks. |
| Inadequate video surveillance (internal) | Internal threats; stolen secrets or product; physical activities not reviewable | 1 (Low) | 2 (Med) | 3 | Implement surveillance cameras in all locations holding products or sensitive equipment. |
| Inadequate video surveillance (external) | External threats; competitor surveillance; staff safety; physical activities not reviewable | 1 (Low) | 1 (Low) | 2 | Implement surveillance cameras covering entrance and exit points, as well as early/late staff parking. |
| Compromise of user credentials due to inadequate user training. | Damage to the CIA triad | 2 (Med) | 1 (Low) | 3 | Proper role-based access and adequate user training will prevent or significantly limit the impact of this threat. |
| Overlooking non-traditional IP devices, i.e. building controls, POS, medical equipment | Unsecured, unmonitored devices on the network | 1 (Low) | 1 (Low) | 2 | Ensure that non-essential building controls or equipment reside on their own physical and logical network. |
| Thermostat Vulnerability | A thermostat from Trane used a weak plain text protocol. Potentially allowing attackers to cause excessive heating, furnace failures or frozen water pipes by manipulating thermostat functionality. | 1 (Low) | 2 (Med) | 3 | Secure capabilities of thermostat functionality via plain text protocol. |
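The ranking the table applies is probability plus impact, the bracketed figure in front of each mitigation. As an added example (not part of the team's assignment), the following Python parses rating cells written in the table's own notation, checks that the number and word agree, and sorts the pairs by that score; the row subset and the tie-breaking rule (higher probability first) are assumptions.

```python
import re
from dataclasses import dataclass

# Ordinal scale used by the table: 1 (Low), 2 (Med), 3 (High)
SCALE = {"low": 1, "med": 2, "high": 3}


@dataclass
class Risk:
    vulnerability: str
    probability: int
    impact: int

    @property
    def score(self) -> int:
        # The bracketed figure in the mitigation column is probability + impact
        return self.probability + self.impact


def parse_rating(cell: str) -> int:
    """Parse a cell such as '3 (High)', '3(High)' or '1(Low)' into 1..3.
    Both spacings found in the table are accepted; a cell whose number
    and word disagree (e.g. '2 (High)') is rejected rather than guessed."""
    m = re.fullmatch(r"\s*([123])\s*\(\s*(Low|Med|High)\s*\)\s*", cell, re.I)
    if not m:
        raise ValueError(f"unrecognised rating cell: {cell!r}")
    number, word = int(m.group(1)), m.group(2).lower()
    if SCALE[word] != number:
        raise ValueError(f"number/word mismatch in {cell!r}")
    return number


def rank(rows):
    """Return Risk objects sorted by score (highest first); ties are broken
    by probability (assumed rule, the table itself does not state one)."""
    risks = [Risk(v, parse_rating(p), parse_rating(i)) for v, p, i in rows]
    return sorted(risks, key=lambda r: (r.score, r.probability), reverse=True)


# Constructed subset of the table above: (vulnerability, probability, impact)
ROWS = [
    ("Patch levels", "3 (High)", "3 (High)"),
    ("Use of session cookies to maintain state", "2 (Med)", "3(High)"),
    ("Firewalls", "1(Low)", "3 (High)"),
    ("Access Control w/ Auditing", "2 (Med)", "2 (Med)"),
    ("Social engineering attacks", "3 (High)", "1 (Low)"),
    ("Inadequate video surveillance (external)", "1 (Low)", "1 (Low)"),
]

if __name__ == "__main__":
    for r in rank(ROWS):
        print(f"({r.score}) P={r.probability} I={r.impact}  {r.vulnerability}")
```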