3
ISE 510 Security Risk Analysis & Plan
Week 8 HW
Developing a Risk Remediation Plan
30 points
<Last Name, First Name>
Due <DATE>
Submitted on <DATE>
If late let me know why:
=====================================
Delete these instructions in blue font before submission:
Change file name to HW#8_LAST_FIRST
A few comments up front:
- The Jones and Bartlett Learning, TOPIC 4, is a valuable source of information.
- I encourage you to read through the HW problems below and if you have questions *about* the problem, please ask either through the Classroom or via email.
- If you are rusty on security fundamentals then now is a good time to brush up! Let me know and I can point you to refresher resources
1) The table below has a list of Risks Threats and Vulnerabilities. The primary Domain is provided. You are to place the Impact Factor based on the definitions below, and then place a likelihood factor (Low, Medium, High) based on your experience, research or insight.
1 = Critical: A risk, threat or vulnerability that impacts compliance (privacy laws requirements for securing privacy data and implementing proper security controls) and places the organization at increased liability
2 = Major: A risk, threat or vulnerability that impacts confidentiality, integrity or availability of the organization’s intellectual property assets and IT infrastructure
3 = Minor: A risk, threat or vulnerability that impacts user or employee productivity or availability of the IT infrastructure.
The first one is done as an example.
Rule 1: If there is a Risk Threat or Vulnerability and it has not been exploited yet, it can only have an Impact of 2 or 3.
Rule 2: There are no more than ten 1’s
#
Risks Threats and Vulnerabilities
Domain (primary)
Impact Factor
Likelihood Factor
EX
Technician (user) uses P2P file sharing on company owned PC
#1 - USER domain
2 (might be 1 if it was exploited)
high
1
Unauthorized access from Internet to corporate servers and applications
#7 - Remote Access Domain
2
User destroys data in application and deletes all files she has access too.
#6 Application domain
3
Hacker penetrates your IT infrastructure and gains access to your internal network because default password is left on router
#4 LAN-to-WAN domain
4
Two employee’s relationship goes sour
#1 - USER domain
5
Fire destroys data center
#6 Application domain
6
Workstation OS has known vulnerabilities
#2 Workstation domain
7
Internet Service provider has 2% loss of service which is below the SLA.
#5 WAN Domain
8
Hacker penetrates IT system by a phishing attach
#1 - USER domain
9
LAN switch has default username and password
#3 - LAN Domain
10
Denial of service attack on email server
#5 WAN Domain
11
User turns off screensaver on PC
#1 User domain
12
Corporate Data server has no backups
#6 Application domain
13
VPN tunneling between remote computer and ingress/egress router
#4 LAN-to-WAN domain
14
Internet Service Provider has major outag ...
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
3 ISE 510 Security Risk Analysis & Plan Week 8 HW De.docx
1. 3
ISE 510 Security Risk Analysis & Plan
Week 8 HW
Developing a Risk Remediation Plan
30 points
<Last Name, First Name>
Due <DATE>
Submitted on <DATE>
If late let me know why:
=====================================
Delete these instructions in blue font before submission:
Change file name to HW#8_LAST_FIRST
A few comments up front:
- The Jones and Bartlett Learning, TOPIC 4, is a valuable
source of information.
- I encourage you to read through the HW problems below and
if you have questions *about* the problem, please ask either
through the Classroom or via email.
- If you are rusty on security fundamentals then now is a good
time to brush up! Let me know and I can point you to refresher
resources
2. 1) The table below has a list of Risks Threats and
Vulnerabilities. The primary Domain is provided. You are to
place the Impact Factor based on the definitions below, and then
place a likelihood factor (Low, Medium, High) based on your
experience, research or insight.
1 = Critical: A risk, threat or vulnerability that impacts
compliance (privacy laws requirements for securing privacy
data and implementing proper security controls) and places the
organization at increased liability
2 = Major: A risk, threat or vulnerability that impacts
confidentiality, integrity or availability of the organization’s
intellectual property assets and IT infrastructure
3 = Minor: A risk, threat or vulnerability that impacts user or
employee productivity or availability of the IT infrastructure.
The first one is done as an example.
Rule 1: If there is a Risk Threat or Vulnerability and it has not
been exploited yet, it can only have an Impact of 2 or 3.
Rule 2: There are no more than ten 1’s
#
Risks Threats and Vulnerabilities
Domain (primary)
Impact Factor
Likelihood Factor
EX
Technician (user) uses P2P file sharing on company owned PC
#1 - USER domain
2 (might be 1 if it was exploited)
high
1
Unauthorized access from Internet to corporate servers and
applications
#7 - Remote Access Domain
3. 2
User destroys data in application and deletes all files she has
access too.
#6 Application domain
3
Hacker penetrates your IT infrastructure and gains access to
your internal network because default password is left on router
#4 LAN-to-WAN domain
4
Two employee’s relationship goes sour
#1 - USER domain
5
Fire destroys data center
#6 Application domain
6
Workstation OS has known vulnerabilities
#2 Workstation domain
7
Internet Service provider has 2% loss of service which is below
the SLA.
#5 WAN Domain
8
Hacker penetrates IT system by a phishing attach
4. #1 - USER domain
9
LAN switch has default username and password
#3 - LAN Domain
10
Denial of service attack on email server
#5 WAN Domain
11
User turns off screensaver on PC
#1 User domain
12
Corporate Data server has no backups
#6 Application domain
13
VPN tunneling between remote computer and ingress/egress
router
#4 LAN-to-WAN domain
14
Internet Service Provider has major outage; no employees can
access Internet
#5 WAN domain
15
5. Web browser vulnerabilities exist on client machines
#2 Workstation domain
16
A general-purpose sniffer is found on organization-controlled
client PCs
#2 Workstation domain
17
System admin has found DNS cache poisoning attack
#5 WAN Domain
18
The Telecommunications closet where the switches and routers
reside is unlocked and open because the AC is broken.
#3 - LAN Domain
19
Attacker tries brute force attack against Corporate Portal
#7 - Remote Access Domain
20
DDoS attack from the WAN/Internet
#5 WAN Domain
21
WLAN access points are needed for LAN connectivity within
warehouse
#3 - LAN Domain
6. 22
WLAN access points need to be protected from eavesdropping
#3 - LAN Domain
23
Weak ingress/egress traffic filtering degrades performance
#4 LAN-to-WAN domain
2) Frequency Table
Looking at your table above, count the number of “High-1” and
place the number in cell High-1; then High-2, High-3, Med-1
etc. repeat for all cells. The total of all the cells will be 23.
Impact
1
2
3
7. Low
Medium
High
Probability
What can you observe about the distribution? Is this company in
trouble or are they close to being secure?
3) Remediation plan
For the top 3 most critical risks, threats, or vulnerabilities, give
a primary and an alternate remediation course of action. The
primary course of action is what you recommend to
Management, the alternative is usually not as effective but
cheaper. Be sure to consider cost in your recommendation to
Management. Use references on each.
3-1. State the risk, threat, or vulnerability here
Primary:
Alternate:
3-2. State the risk, threat, or vulnerability here
Primary:
Alternate:
3-3. State the risk, threat, or vulnerability here
Primary:
Alternate:
4) General Questions regarding Risk-Mitigation:
a) What risk-mitigation solutions do you recommend for the
problem of: User inserts CDs and USB hard drives with
personal photos, music, and videos on organization-owned
8. computers?
b) Why is Continuity of Operations an important risk-mitigation
requirement?
c) Why is the Remote Access Domain the most risk-prone of all
in a typical IT infrastructure?
d) When considering the implementation of software updates,
software patches, and software fixes, why must you test the
upgrade or software patch before you implement it?
Appendix
- Seven major areas of risk in IT infrastructure
From: Jones and Bartlett Learning, TOPIC 1.
Q: What are the major areas of risk in IT infrastructure? See
Image below.
A: The seven domains of the typical IT infrastructure are the
major areas of risk.
1. USER: The user domain risk areas include user names,
passwords, biometric or other authentication, and social
engineering.
2. WORKSTATION: In the workstation domain, the risk areas
include end user systems, laptops, desktops, and cells phones.
The “desktop domain” where most users enter the IT
infrastructure
3. LAN: In the local area network (LAN) domain, the risk areas
include the equipment required to create an internal LAN, such
as hubs, switches, and media. Small network organized by
function or department, allowing access to all resources on the
LANs.
9. 4. LAN-to-WAN: The risk areas in the LAN-to-wide area
network (WAN) domain include the transition area between the
LAN and the WAN, including the router and the firewall. The
point at which the IT infrastructure joins a WAN and the
Internet
5. WAN: The WAN domain risk areas include the routers and
circuits connecting the WAN. The point at which the WAN
connects to other WANs via the Internet
6. APPLICATION: In the system, or application, domain, the
risk areas include the applications you run on your network,
such as e-mail, database, and Web applications. Holds all of the
mission-critical systems, applications, and data
7. REMOTE ACCESS: The risk areas in the remote access
domain include applications, such as a virtual private network
(VPN) to guide remote or travelling users. Connects remote
employees and partners to the IT infrastructure
Seven major areas of risk in IT infrastructure