Group Project
Risks
Threats
Weaknesses
Countermeasures
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
Company
www.jblearning.com
All rights reserved.
Managing Risk in Information Systems
South Texas University – Case Study
Background: A gulf-coast University is located at the tip of a peninsula, surrounded on three sides by water. The area is periodically threatened by hurricanes, and high winds are the major concern. Severe hurricanes can cause flooding of the University grounds.
The University has 10 major buildings that support Administration, classrooms, student center, library, and athletics.
Electricity is provided to all buildings, but there are no UPS systems in place should power be lost.
Sprinkler systems provide fire protection.
South Texas University – Case Study
The University conducted an independent audit of its IT Network and Enterprise systems and put controls into place to protect its Information Technology infrastructure and minimize risks to its data center operations. These include the University’s Web Servers, Email Servers, Enterprise Systems and other Administrative systems that are maintained by the University’s IT department, which is managed by the CIO. Information Technology maintains the campus Wireless and LAN/WAN infrastructure, and all telecommunication rooms are under key control locks. The Data Center and some telecommunication rooms are located on the 1st floor of their respective buildings.
All systems and infrastructure are under a Risk Management Plan and are considered protected; however, periodic InfoSec audits (to include penetration testing, asset management scans, and InfoSec policy/procedure compliance reviews) are not conducted.
The new Cyber Security Analyst / InfoSec Manager has now been charged to conduct a walk-through of the campus to identify other automated systems that may be at risk.
University Data Center
Is housed on the 1st floor of a classroom building
The exterior walls do not have windows, but the interior walls have windows that face the building’s hallway
Electricity feeds the entire building, and an overload of circuits in the building may lead to a power outage
There are no UPS systems to maintain power during an electrical outage
The A/C system feeds the entire building and may not be sufficient to keep the building adequately cooled
During summer, fans are used to cool the equipment
The entryway to the computer room has a Break Room
A coffee pot and microwave are located in the Break Room
Access to the computer room uses key cards issued to authorized personnel only
The computer room has raised floors
A sprinkler system runs across the ceiling, but the sprinklers are capped (water still fills the pipes)
There is no fire suppression system
Other University Systems
Enrollment Management is housed in an old 2-story library
Electricity is provided to the entire building but may not be stable
No UPS systems exist
Sprinkler systems provide fire protection
Administrators are issued laptops for home use, but inventory control and access control policies are not followed
Laptops often contain sensitive and protected data
1st Floor:
Front counter clerks assist students who stand in line waiting for help
Computers are sometimes left logged in even when unattended
Students sometimes crowd around the counters and hear confidential information provided to the clerks by other students
Cubicles are used by specialists to process student records
Cubicles cannot be locked
Other University Systems
Enrollment Management (continued)
Cubicles (continued)
Students can wander into these areas when staff are not present
Login Passwords are sometimes taped to the computers
Student records are sometimes left out on the counters
Some student records cabinets cannot be locked
Employees sometimes download music and pictures to their computers from the Internet and external devices
Computers may not have the latest software patches
Back Offices are used by specialized staff and managers
Offices are not locked and have windows
Records vault contains all physical records and is locked after hours
Office is located on the 1st floor
Other University Systems
Enrollment Management (continued)
2nd Floor:
Application Server is kept in an office that is rarely locked and has windows
Servers support internal systems and have no access to the Internet
System Administrators work for Enrollment Management
SysAdmins are not subject to IT Risk Management policies
SysAdmins have little to no security awareness training
System may not contain the latest patches
Report Server
Data extracts from the Report Server include National ID
Users include Administrative staff but can include student workers
Users can download data to USB drives
System may not contain the latest patches
Users' access is not terminated when duties change
Other University Systems
The University has 5 colleges located in separate buildings
Each College maintains its own server(s) (and internal LANs) to track programs, research and other initiatives
Colleges use existing staff and student workers to manage their servers (typically computer science students)
SysAdmins are not subject to IT Risk Management policies
SysAdmins have no security awareness training
System may not contain the latest patches
Servers are stored in offices; the doors are rarely locked and the rooms often have multiple windows
Servers may not be protected by a firewall and access the Internet
Each college maintains its own research systems and student databases, which can be accessed externally
IT user authentication policies are not followed
SysAdmins may use generic Administrator passwords or post Administrator passwords at their computers
Seven Domains of a Typical IT Infrastructure
Figure 4-1: The seven domains of a typical IT infrastructure.
User Domain: Includes usernames, passwords or other authentication, and social engineering. The InfoSec Security Manager’s initial review of security discovered that there was no policy to update passwords on a regular basis and no requirement for strong passwords. Users posted passwords at their computers so that others could log in and use the computer when they were away. Security awareness campaigns did not exist, and few users knew there was a security policy or knew about social engineering.
Workstation Domain: Includes end-user systems, laptops, desktops, and cell phones. There were no automated controls in place to force logoff after inactivity and no inventory control or asset management system in place to know if laptops were onsite or offsite.
LAN Domain: Includes equipment required to create an internal LAN, such as hubs, switches, and media. Most hardware was protected in the Computer Center, but communications closets throughout the organization were not well protected from environmental damage.
LAN-WAN Domain: Includes the transition area between the LAN and the WAN (routers and firewall). IT infrastructure was well protected, but IT had no knowledge about systems outside their management.
WAN Domain: Includes routers and circuits connecting the wide area network. IT infrastructure was well protected, but IT had no knowledge about web systems outside their management.
System/Application Domain: Includes applications on the network (e-mail, database and Web apps). IT managed the administrative systems but had limited visibility of apps used throughout the institution.
Remote Access Domain: How remote users use your network (i.e. Virtual Private Network (VPN)). IT administrative systems were protected via VPN, but since VPN was costly, there was concern that access to other systems was not protected.
Template
List all Risks-Threats-Weaknesses-Countermeasures and Domain Impacted as identified in the scenario:
Example:
Location:
Enrollment Management 2nd floor office
Risk:
Loss of university equipment
Loss of university data
Threat:
Server being stolen from Enrollment Management office
Weakness:
Office is left unlocked
etc.
Countermeasure:
Lock doors
Move server to IT Data Center
Domain Impacted:
Workstation
© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Fundamentals of Information Systems Security
Seven Domains of a Typical IT Infrastructure
User Domain Common Threats
Lack of user awareness
User apathy toward policies
User violating security policy
User inserting CD/DVD/USB with personal files
User downloading photos, music, or videos
User destruction of systems, applications, and data
Disgruntled employee attacking organization or committing sabotage
Employee blackmail or extortion
Workstation Domain Common Threats
Unauthorized workstation access
Unauthorized access to systems, applications, and data
Desktop or laptop operating system vulnerabilities
Desktop or laptop application software vulnerabilities or patches
Viruses, malicious code, and other malware
User inserting CD/DVD/USB with personal files
User downloading photos, music, or videos
LAN Domain Common Threats
Unauthorized physical access to LAN
Unauthorized access to systems, applications, and data
LAN server operating system vulnerabilities
LAN server application software vulnerabilities and software patch updates
Rogue users on WLANs
Confidentiality of data on WLANs
LAN server configuration guidelines and standards
LAN-to-WAN Domain Common Threats
Unauthorized probing and port scanning
Unauthorized access
Internet Protocol (IP) router, firewall, and network appliance operating system vulnerability
Local users downloading unknown file types from unknown sources
WAN Domain Common Threats
Open, public, and accessible data
Most of the traffic being sent as clear text
Vulnerable to eavesdropping
Vulnerable to malicious attacks
Vulnerable to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
Vulnerable to corruption of information and data
Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
Hackers and attackers e-mailing Trojans, worms, and malicious software freely and constantly
Internet
applications, and data
ential data compromised remotely
standards
Remote Access Domain Common Threats
Cloud
Computing
wiring closets
-to-manage servers that require high availability
tual
environments
Systems/Applications Domain
Common Threats
Appendix B: Common Information Systems Assets
Asset Class | Overall IT Environment | Asset Name | Asset Rating
(column descriptions) | Highest level description of your asset | Next level definition (if needed) | Asset Value Rating
Tangible | Physical infrastructure | Data centers | 5
Tangible | Physical infrastructure | Servers | 3
Tangible | Physical infrastructure | Desktop computers | 1
Tangible | Physical infrastructure | Mobile computers | 3
Tangible | Physical infrastructure | PDAs | 1
Tangible | Physical infrastructure | Cell phones | 1
Tangible | Physical infrastructure | Server application software | 1
Tangible | Physical infrastructure | End-user application software | 1
Tangible | Physical infrastructure | Development tools | 3
Tangible | Physical infrastructure | Routers | 3
Tangible | Physical infrastructure | Network switches | 3
Tangible | Physical infrastructure | Fax machines | 1
Tangible | Physical infrastructure | PBXs | 3
Tangible | Physical infrastructure | Removable media (tapes, floppy disks, CD-ROMs, DVDs, portable hard drives, PC card storage devices, USB storage devices, and so on.) | 1
Tangible | Physical infrastructure | Power supplies | 3
Tangible | Physical infrastructure | Uninterruptible power supplies | 3
Tangible | Physical infrastructure | Fire suppression systems | 3
Tangible | Physical infrastructure | Air conditioning systems | 3
Tangible | Physical infrastructure | Air filtration systems | 1
Tangible | Physical infrastructure | Other environmental control systems | 3
Tangible | Intranet data | Source code | 5
Tangible | Intranet data | Human resources data | 5
Tangible | Intranet data | Financial data | 5
Tangible | Intranet data | Marketing data | 5
Tangible | Intranet data | Employee passwords | 5
Tangible | Intranet data | Employee private cryptographic keys | 5
Tangible | Intranet data | Computer system cryptographic keys | 5
Tangible | Intranet data | Smart cards | 5
Tangible | Intranet data | Intellectual property | 5
Tangible | Intranet data | Data for regulatory requirements (GLBA, HIPAA, CA SB1386, EU Data Protection Directive, and so on.) | 5
Tangible | Intranet data | U.S. Employee Social Security numbers | 5
Tangible | Intranet data | Employee drivers' license numbers | 5
Tangible | Intranet data | Strategic plans | 3
Tangible | Intranet data | Customer consumer credit reports | 5
Tangible | Intranet data | Customer medical records | 5
Tangible | Intranet data | Employee biometric identifiers | 5
Tangible | Intranet data | Employee business contact data | 1
Tangible | Intranet data | Employee personal contact data | 3
Tangible | Intranet data | Purchase order data | 5
Tangible | Intranet data | Network infrastructure design | 3
Tangible | Intranet data | Internal Web sites | 3
Tangible | Intranet data | Employee ethnographic data | 3
Tangible | Extranet data | Partner contract data | 5
Tangible | Extranet data | Partner financial data | 5
Tangible | Extranet data | Partner contact data | 3
Tangible | Extranet data | Partner collaboration application | 3
Tangible | Extranet data | Partner cryptographic keys | 5
Tangible | Extranet data | Partner credit reports | 3
Tangible | Extranet data | Partner purchase order data | 3
Tangible | Extranet data | Supplier contract data | 5
Tangible | Extranet data | Supplier collaboration application | 3
Tangible | Extranet data | Supplier cryptographic keys | 5
Tangible | Extranet data | Supplier credit reports | 3
Tangible | Extranet data | Supplier purchase order data | 3
Tangible | Internet data | Web site sales application | 5
Tangible | Internet data | Web site marketing data | 3
Tangible | Internet data | Customer credit card data | 5
Tangible | Internet data | Customer contact data | 3
Tangible | Internet data | Public cryptographic keys | 1
Tangible | Internet data | Press releases | 1
Tangible | Internet data | White papers | 1
Tangible | Internet data | Product documentation | 1
Tangible | Internet data | Training materials | 3
Intangible | Reputation | | 5
Intangible | Goodwill | | 3
Intangible | Employee morale | | 3
Intangible | Employee productivity | | 3
IT Services | Messaging | E-mail/scheduling (for example, Microsoft Exchange) | 3
IT Services | Messaging | Instant messaging | 1
IT Services | Messaging | Microsoft Outlook® Web Access (OWA) | 1
IT Services | Core infrastructure | Active Directory® directory service | 3
IT Services | Core infrastructure | Domain Name System (DNS) | 3
IT Services | Core infrastructure | Dynamic Host Configuration Protocol (DHCP) | 3
IT Services | Core infrastructure | Enterprise management tools | 3
IT Services | Core infrastructure | File sharing | 3
IT Services | Core infrastructure | Storage | 3
IT Services | Core infrastructure | Dial-up remote access | 3
IT Services | Core infrastructure | Telephony | 3
IT Services | Core infrastructure | Virtual Private Networking (VPN) access | 3
IT Services | Core infrastructure | Microsoft Windows® Internet Naming Service (WINS) | 1
Services | Other infrastructure | Collaboration services (for example, Microsoft SharePoint®) |
Appendix C: Common Threats
Threat | Example
High level description of the threat | Specific example
Catastrophic incident | Fire
Catastrophic incident | Flood
Catastrophic incident | Earthquake
Catastrophic incident | Severe storm
Catastrophic incident | Terrorist attack
Catastrophic incident | Civil unrest/riots
Catastrophic incident | Landslide
Catastrophic incident | Avalanche
Catastrophic incident | Industrial accident
Mechanical failure | Power outage
Mechanical failure | Hardware failure
Mechanical failure | Network outage
Mechanical failure | Environmental controls failure
Mechanical failure | Construction accident
Non-malicious person | Uninformed employee
Non-malicious person | Uninformed user
Malicious person | Hacker, cracker
Malicious person | Computer criminal
Malicious person | Industrial espionage
Malicious person | Government sponsored espionage
Malicious person | Social engineering
Malicious person | Disgruntled current employee
Malicious person | Disgruntled former employee
Malicious person | Terrorist
Malicious person | Negligent employee
Malicious person | Dishonest employee (bribed or victim of blackmail)
Malicious person | Malicious mobile code
Appendix D: Vulnerabilities
Vulnerability Class | Vulnerability | Example
High level vulnerability class | Brief description of the vulnerability | Specific example (if applicable)
Physical | Unlocked doors |
Physical | Unguarded access to computing facilities |
Physical | Insufficient fire suppression systems |
Physical | Poorly designed buildings |
Physical | Poorly constructed buildings |
Physical | Flammable materials used in construction |
Physical | Flammable materials used in finishing |
Physical | Unlocked windows |
Physical | Walls susceptible to physical assault |
Physical | Interior walls do not completely seal the room at both the ceiling and floor |
Natural | Facility located on a fault line |
Natural | Facility located in a flood zone |
Natural | Facility located in an avalanche area |
Hardware | Missing patches |
Hardware | Outdated firmware |
Hardware | Misconfigured systems |
Hardware | Systems not physically secured |
Hardware | Management protocols allowed over public interfaces |
Software | Out of date antivirus software |
Software | Missing patches |
Software | Poorly written applications | Cross site scripting
Software | Poorly written applications | SQL injection
Software | Poorly written applications | Code weaknesses such as buffer overflows
Software | Deliberately placed weaknesses | Vendor backdoors for management or system recovery
Software | Deliberately placed weaknesses | Spyware such as keyloggers
Software | Deliberately placed weaknesses | Trojan horses
Software | Deliberately placed weaknesses |
Software | Configuration errors | Manual provisioning leading to inconsistent configurations
Software | Configuration errors | Systems not hardened
Software | Configuration errors | Systems not audited
Software | Configuration errors | Systems not monitored
Media | Electrical interference |
Communications | Unencrypted network protocols |
Communications | Connections to multiple networks |
Communications | Unnecessary protocols allowed |
Communications | No filtering between network segments |
Human | Poorly defined procedures | Insufficient incident response preparedness
Human | Poorly defined procedures | Manual provisioning
Human | Poorly defined procedures | Insufficient disaster recovery plans
Human | Poorly defined procedures | Testing on production systems
Human | Poorly defined procedures | Violations not reported
Human | Poorly defined procedures | Poor change control
Human | Stolen credentials |
Source: The Security Risk Management Guide, Microsoft Corp.
Sheet1
Risk-Threat-Weakness-Countermeasure(s) | Domain(s) Impacted
Risk: Loss of company server (Asset) | Systems/Applications Domain
Threat: Hardware being stolen from office where server is located (Colleges, Enrollment Management, etc.)
Weakness: Server is stored in an office that is not always locked
Countermeasure(s):
Lock Doors
Relocate server to data center
Risk: Threat: Weakness: Countermeasure(s):
Risk: Threat: Weakness: Countermeasure(s):
Risk: Threat: Weakness: Countermeasure(s):
Risk: Threat: Weakness: Countermeasure(s):
Risk: Threat: Weakness: Countermeasure(s):
Risk: Threat: Weakness: Countermeasure(s):
Risk: Threat: Weakness: Countermeasure(s):
Risk: Threat: Weakness: Countermeasure(s):
Group # ISOL 533 Group Project
whittemorelucilla
 
Database Justification MemoCreate a 1-page memo for the .docx
Database Justification MemoCreate a 1-page memo for the .docxDatabase Justification MemoCreate a 1-page memo for the .docx
Database Justification MemoCreate a 1-page memo for the .docx
whittemorelucilla
 
Database Concept Maphttpwikieducator.orgCCNCCCN.docx
Database Concept Maphttpwikieducator.orgCCNCCCN.docxDatabase Concept Maphttpwikieducator.orgCCNCCCN.docx
Database Concept Maphttpwikieducator.orgCCNCCCN.docx
whittemorelucilla
 
Database Dump Script(Details of project in file)Mac1) O.docx
Database Dump Script(Details of project in file)Mac1) O.docxDatabase Dump Script(Details of project in file)Mac1) O.docx
Database Dump Script(Details of project in file)Mac1) O.docx
whittemorelucilla
 
Database Design 1. What is a data model A. method of sto.docx
Database Design 1.  What is a data model A. method of sto.docxDatabase Design 1.  What is a data model A. method of sto.docx
Database Design 1. What is a data model A. method of sto.docx
whittemorelucilla
 
DataAGEGENDERETHNICMAJORSEMHOUSEGPAHRSNEWSPAPTVHRSSLEEPWEIGHTHEIGH.docx
DataAGEGENDERETHNICMAJORSEMHOUSEGPAHRSNEWSPAPTVHRSSLEEPWEIGHTHEIGH.docxDataAGEGENDERETHNICMAJORSEMHOUSEGPAHRSNEWSPAPTVHRSSLEEPWEIGHTHEIGH.docx
DataAGEGENDERETHNICMAJORSEMHOUSEGPAHRSNEWSPAPTVHRSSLEEPWEIGHTHEIGH.docx
whittemorelucilla
 

  • 25. 3 IT Services Core infrastructure Telephony 3 IT Services Core infrastructure Virtual Private Networking (VPN) access 3 IT Services Core infrastructure Microsoft Windows® Internet Naming Service (WINS) 1 Services Other infrastructure Collaboration services (for example, Microsoft SharePoint®) Appendix C: Common Threats Threat Example High level description of the threat Specific example Catastrophic incident Fire Catastrophic incident Flood Catastrophic incident Earthquake Catastrophic incident Severe storm
  • 26. Catastrophic incident Terrorist attack Catastrophic incident Civil unrest/riots Catastrophic incident Landslide Catastrophic incident Avalanche Catastrophic incident Industrial accident Mechanical failure Power outage Mechanical failure Hardware failure Mechanical failure Network outage Mechanical failure Environmental controls failure Mechanical failure Construction accident Non-malicious person Uninformed employee Non-malicious person Uninformed user Malicious person Hacker, cracker Malicious person Computer criminal Malicious person Industrial espionage Malicious person Government sponsored espionage Malicious person Social engineering Malicious person Disgruntled current employee
  • 27. Malicious person Disgruntled former employee Malicious person Terrorist Malicious person Negligent employee Malicious person Dishonest employee (bribed or victim of blackmail) Malicious person Malicious mobile code Appendix D: Vulnerabilties Vulnerability Class Vulnerability Example High level vulnerability class Brief description of the vulnerability Specific example (if applicable) Physical Unlocked doors Physical Unguarded access to computing facilities Physical Insufficient fire suppression systems Physical Poorly designed buildings Physical Poorly constructed buildings
  • 28. Physical Flammable materials used in construction Physical Flammable materials used in finishing Physical Unlocked windows Physical Walls susceptible to physical assault Physical Interior walls do not completely seal the room at both the ceiling and floor Natural Facility located on a fault line Natural Facility located in a flood zone Natural Facility located in an avalanche area Hardware Missing patches Hardware Outdated firmware Hardware Misconfigured systems Hardware Systems not physically secured
  • 29. Hardware Management protocols allowed over public interfaces Software Out of date antivirus software Software Missing patches Software Poorly written applications Cross site scripting Software Poorly written applications SQL injection Software Poorly written applications Code weaknesses such as buffer overflows Software Deliberately placed weaknesses Vendor backdoors for management or system recovery Software Deliberately placed weaknesses Spyware such as keyloggers Software Deliberately placed weaknesses Trojan horses Software Deliberately placed weaknesses Software Configuration errors Manual provisioning leading to inconsistent configurations Software Configuration errors
  • 30. Systems not hardened Software Configuration errors Systems not audited Software Configuration errors Systems not monitored Media Electrical interference Communications Unencrypted network protocols Communications Connections to multiple networks Communications Unnecessary protocols allowed Communications No filtering between network segments Human Poorly defined procedures Insufficient incident response preparedness Human Poorly defined procedures Manual provisioning Human Poorly defined procedures Insufficient disaster recovery plans Human Poorly defined procedures Testing on production systems Human Poorly defined procedures
  • 31. Violations not reported Human Poorly defined procedures Poor change control Human Stolen credentials Page 3 Source: The Security Risk Management Guide Microsoft Corp. Sheet1Risk-Threat-Weakness-Countermeasure(s)Domain(s) ImpactedRisk: Loss of company server (Asset)Systems/Applications DomainThreat: Hardware being stolen from office where server is located (Colleges, Enrollment Management, etc)Weakness: Server is stored in an office that is not always lockedCountermeasure(s): Lock Doors Relocate server to data centerRisk: Threat: Weakness: Countermeasure(s):Risk: Threat: Weakness: Countermeasure(s):Risk: Threat: Weakness: Countermeasure(s):Risk: Threat: Weakness: Countermeasure(s):Risk: Threat: Weakness: Countermeasure(s):Risk: Threat: Weakness: Countermeasure(s):Risk: Threat: Weakness: Countermeasure(s):Risk: Threat: Weakness: Countermeasure(s): Group # ISOL 533 Group Project Page &P of &N