...Week 1 Laboratory How to Identify Threats & Vulnerabilities in an IT Infrastructure Learning Objectives and Outcomes Upon completing this lab, students will be able to: * Identify common risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure. * Align risks, threats, and vulnerabilities to one of the seven domains of a typical IT infrastructure. * Given a scenario, prioritize risks, threats, and vulnerabilities based on their risk impact to the organization. * Prioritize the identified critical, major, and minor software vulnerabilities. Christopher Plummer Week 1 Lab: Assessment Worksheet Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure Overview One of the most important first steps to risk management and implementing a risk mitigation strategy is to identify known risks, threats, and vulnerabilities and organize them. The purpose of the seven domains of a typical IT infrastructure is to help organize the roles, responsibilities, and accountabilities for risk management and risk mitigation. This lab requires students to identify risks, threats, and vulnerabilities and map them to the domain that these impact from a risk management perspective. Lab Assessment Questions & Answers The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure servicing patients with life-threatening...
Words: 546 - Pages: 3
...Lab #2 Assessment Worksheet Align Risks, Threats, & Vulnerabilities to COBIT PO9 Risk Management Controls 1. a. Unauthorized access from public internet - HIGH b. User destroys data in application and deletes all files - LOW c. Workstation OS has a known software vulnerability – HIGH d. Communication circuit outages - MEDIUM e. User inserts CDs and USB hard drives with personal photos, music and videos on organization owned computers - MEDIUM 2. a. PO9.3 Event Identification – Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. b. PO9.4 Risk Assessment – Assess the likelihood and impact of risks, using qualitative and quantitative methods. c. PO9.5 Risk Response – Develop a response designed to mitigate exposure to each risk – Identify risk strategies such as avoidance, reduction, acceptance – determine associated responsibilities; and consider risk tolerance levels. 3. a. Unauthorized access from public internet - AVAILABILITY b. User destroys data in application and deletes all files - INTEGRITY c. Workstation OS has a known software vulnerability – CONFIDENTIALITY d. Communication circuit outages - AVAILABILITY e. User inserts CDs and USB hard drives with personal photos, music and videos on organization owned computers - INTEGRITY 4. a. Unauthorized access from public internet...
Words: 934 - Pages: 4
...Lab 2 - Align Risks, Threats, and Vulnerabilities to COBIT PO9 Risk Mgmt. Controls Part 1 4. Discuss the primary goal of the COBIT v4.1 framework. Provide a basic description of COBIT. * The purpose of Control Objectives for Information and related Technology (COBIT) is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems. 5. Explain the major objective of the Control area (COBIT 4.1 Controls Collaboration link on the left side of the COBIT website) * “The COBIT Controls area within ISACA's Knowledge Center promotes collaboration and sharing of information, solutions and experience among COBIT users.” 6. From the COBIT Domains and Control Objectives section, list each of the types of control objectives and briefly describe them based on the descriptions on the website. * Plan and Organize – “This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization as well as technological...
Words: 4162 - Pages: 17
...security policy helps to mitigate the risks and threats the business encounters. However, unless a company happens to be in the information security industry, the task of identifying, assessing, and categorizing the myriad of risks can be an overwhelming one. Thankfully, a company’s IT infrastructure can be divided in a logical manner to more easily sort the risks. These divisions are the seven IT domains. The purpose of the seven domains of a typical IT infrastructure is to help organize the roles, responsibilities, and accountabilities for risk management and risk mitigation. In this lab, you will identify known risks, threats, and vulnerabilities, and you will determine which domain of a typical IT infrastructure is affected. You will then discuss security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure. You will next determine which appropriate security policy definition will help mitigate the identified risk, threat, or vulnerability. You will organize your results into a framework that can become part of a layered security strategy. Learning Objectives Upon completing this lab, you will be able to: • Identify risks, threats, and vulnerabilities commonly found in the seven domains of a typical IT infrastructure. Determine which domain is impacted by the risk, threat, or vulnerability. Determine security policies to address...
Words: 1159 - Pages: 5
...Steps: Student steps needed to perform Lab #2 – Align Risk, Threats, & Vulnerabilities to the COBIT Risk Management Controls: 1. Connect your removable hard drive or USB hard drive to a classroom workstation. 2. Boot up your classroom workstation and DHCP for an IP host address. Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011 www.jblearning.com All Rights Reserved. -11- Student Lab Manual 3. Log in to your classroom workstation and enable Microsoft Word. 4. Conduct a high-level narrative discussion and review of the COBIT v4.1 Framework. 5. Review the COBIT PO9 Control Objective definition, scope, and focus areas for assessing and managing IT risk. 6. Relate how the COBIT (PO9) Control Objective definition relates to assessing and managing IT risk within each of the seven domains of a typical IT infrastructure: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, Systems/Applications Domains 7. Explore the structure and format of how to align risks, threats, and vulnerabilities identified from your IT infrastructure to the COBIT PO9 Control Objective definition, scope, and focus areas Information, Applications, Infrastructure, and People. 8. Explore the hierarchy for assessing and managing IT risks: • Step #1: Align the risk, threat or vulnerability assessment to C-I-A primary first and assess • Step #2: Align the risk, threat, or vulnerability remediation to Effectiveness, Efficiency, Compliance,...
Words: 381 - Pages: 2
...Critical Infrastructure Protection Pamela S. York CIS502, Dr. Glenn Hines 2/14/15 Abstract The explosion of the accessibility of information and data via today’s Web has brought along the concern and need for cyber security. With these issues of cyber security has also come the need to protect national informational assets from hackers and such who utilize the Web as a means to attack information that can aid in cyber terrorism. Information professionals are now looking to measures of protection that will ensure private citizens are not put into danger by the threat of cyber espionage. This also has extended to the protection of critical infrastructure within the United States and abroad. Critical Infrastructure Protection With the ever evolving presence of cyber-attacks that threaten to put citizens’ privacy and Internet security at risk, the government has had to intervene in order to take measures to protect its citizens due to the alarming fact that cyber-attacks are replacing other modes of attacks by terrorists. The Department of Homeland Security, created in 2002, was developed to carry out broad missions such as preventing terrorist attacks within the United States. This was mainly in response to the terrorist attacks that occurred on U.S. soil on September 11, 2001. Since then the DHS has taken on the mission of developing security that extends to information security and developing plans to implement critical infrastructure. The Homeland Security Act...
Words: 1329 - Pages: 6
... Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Identify risks, threats, and vulnerabilities in the 7 domains of a typical IT infrastructure * Review existing IT security policies as part of a policy framework definition * Align IT security policies throughout the 7 domains of a typical IT infrastructure as part of a layered security strategy * Identify gaps in the IT security policy framework definition * Recommend other IT security policies that can help mitigate all known risks, threats, and vulnerabilities throughout the 7 domains of a typical IT infrastructure Week 5 Lab Part 1: Assessment Worksheet (PART A) Sample IT Security Policy Framework Definition Overview Given the following IT security policy framework definition, specify which policy probably can cover the identified risk, threat, or vulnerability. If there is none, then identify that as a gap. Insert your recommendation for an IT security policy that can eliminate the gap.
Risk – Threat – Vulnerability | IT Security Policy Definition
Unauthorized access from public Internet | Acceptable use policy
User destroys data in application and deletes all files | Backup Recovery Policy
Hacker penetrates your IT infrastructure and gains access to your internal network | Threat Assessment & Management Policy
Intra-office employee romance gone bad | Acceptable use Policy
Fire destroys primary...
Words: 1625 - Pages: 7
...________________________________________________________________ Overview In this lab, you defined the purpose of an IT risk management plan, you defined the scope for an IT risk management plan that encompasses the seven domains of a typical IT infrastructure, you related the risks, threats, and vulnerabilities to the plan, and you created an IT risk management plan outline that incorporates the five major parts of an IT risk management process. Lab Assessment Questions & Answers 1. What is the goal or objective of an IT risk management plan? 2. What are the five fundamental components of an IT risk management plan? 3. Define what risk planning is. 4. What is the first step in performing risk management? 5. What is the exercise called when you are trying to gauge how significant a risk is? 6. What practice helps address a risk? 7. What ongoing practice helps track risk in real time? 8. True or False: Once a company completes all risk management steps (identification, assessment, response, and monitoring), the task is done. 9. Given that an IT risk management plan can be large in scope, why is it a good idea to develop a risk management plan team? 10. In the seven domains of a typical IT infrastructure, which domain is the most difficult to plan, identify, assess, treat, and monitor? 11. Which compliance laws or standards does the health care organization mentioned in the Hands-On Steps have to comply with (consider these: Health Insurance Portability and Accountability ...
Words: 434 - Pages: 2
...Lab 2 Align Risk, Threats, & Vulnerabilities to COBIT PO9 Risk Management Controls 1. Risk Factors a. Remote communications from home office (MEDIUM Risk) b. LAN server OS has known software vulnerability (HIGH Risk) c. User downloads an unknown e-mail attachment (HIGH Risk) 2. COBIT Risk Management * No. * Yes, the identified software vulnerabilities relate to risk context for both internal and external access. * Yes, the identified software vulnerabilities themselves are events that represent risk identification. Once identified, the event can be assessed for risk. * Yes, once risk events are identified (such as software vulnerabilities), they can be properly assessed (quantitatively or qualitatively). * Yes, once the risk has been assessed (high, medium, low) the response to that risk can be aligned appropriately. * No. 3. Vulnerability impacts a. Remote communications from home office (Confidentiality) b. LAN server OS has known software vulnerability (Integrity) c. User downloads an unknown e-mail attachment (Availability) 4. Effectiveness, Efficiency, Compliance, and Reliability 5. Mitigated and managed a. Remote communications from home office * Information – Medium Impact, Firewall, Keep up to date * Application – Low Impact, HTTPS for email websites, Make sure it is secured * Infrastructure – Medium Impact, Workstation must have malware and anti-virus detection, Keep up to date * People...
Words: 794 - Pages: 4
...physical and logical access control methods that will mitigate the risks identified. 1. Firewall (1) 2. Windows 2008 Active Directory Domain Controllers (DC) (1) 3. File Server (1) 4. Desktop computers (4) 5. Dedicated T1 Connection (1) Write a ten to fifteen (10-15) page paper in which you: 6. Identify and analyze any potential physical vulnerabilities and threats that require consideration. 7. Identify and analyze any potential logical vulnerabilities and threats that require consideration. 8. Illustrate in writing the potential impact of all identified physical vulnerabilities and threats to the network and the pharmacy. 9. Identify all potential vulnerabilities that may exist in the documented network. 10. Illustrate in writing the potential impact of all identified logical vulnerabilities to the network and the pharmacy. 11. For each physical vulnerability and threat identified, choose a strategy for dealing with the risk (i.e., risk mitigation, risk assignment, risk acceptance, or risk avoidance). 12. For each logical vulnerability and threat identified, choose a strategy for dealing with the risk (i.e., risk mitigation, risk assignment, risk acceptance, or risk...
Words: 520 - Pages: 3
...more susceptible to these threats because computers have become more interconnected and, thus, more interdependent and accessible to a larger number of individuals. In addition, the number of individuals with computer skills is increasing, and intrusion, or “hacking,” techniques are becoming more widely known via the Internet and other media. A risk assessment is not about creating huge amounts of paperwork, but rather about identifying sensible measures to control the risks in your workplace. You are probably already taking steps to protect your employees, but your risk assessment will help you decide whether you have covered all you need to. Think about how accidents and ill health could happen and concentrate on real risks – those that are most likely and which will cause the most harm. For some risks, other regulations require particular control measures. Your assessment can help you identify where you need to look at certain risks and these particular control measures in more detail. These control measures do not have to be assessed separately but can be considered as part of, or an extension of, your overall risk assessment. Although all elements of the risk management cycle are important, risk assessments provide the foundation for other elements of the cycle. In particular, risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important...
Words: 3691 - Pages: 15
...Business Challenges Risk Management Fundamentals 2 Managing Risk: Threats, Vulnerabilities, and Exploits 29 Managing Compliance 57 Developing a Risk Management Plan 85 CHAPTER 1 Risk Management Fundamentals RISK MANAGEMENT IS IMPORTANT to the success of every company— a company that takes no risks doesn’t thrive. On the other hand, a company that ignores risk can fail when a single threat is exploited. Nowadays, information technology (IT) systems contribute to the success of most companies. If you don’t properly manage IT risks, they can also contribute to your company’s failure. Effective risk management starts by understanding threats and vulnerabilities. You build on this knowledge by identifying ways to mitigate the risks. Risks can be mitigated by reducing vulnerabilities or reducing the impact of the risk. You can then create different plans to mitigate risks in different areas of the company. A company typically has several risk mitigation plans in place. Risk management is presented in three parts in this textbook. Part 1 is titled “Risk Management Business Challenges.” It lays a foundation for the book, with definitions of many of the terms and techniques of risk management. It finishes with details on how to develop a risk management plan. Part 2 is titled “Mitigating Risk.” This section covers risk assessments. Once you identify risks, you can take steps to reduce them. It ends with methods for turning a risk ...
Words: 10618 - Pages: 43
...One of the most important first steps to risk management and implementing a security strategy is to identify all resources and hosts within the IT infrastructure. Once you identify the workstations and servers, you must then find the threats and vulnerabilities found on these workstations and servers. Servers that support mission critical applications require security operations and management procedures to ensure C-I-A throughout. Servers that house customer privacy data or intellectual property require additional security controls to ensure the C-I-A of that data. This lab requires the students to identify threats and vulnerabilities found within the Workstation, LAN, and Systems/Applications Domains. 1. What are the differences between ZeNmap GUI (Nmap) and Nessus? ZeNmap is used to map a network and Nessus is used to test a network for vulnerabilities. 2. Which scanning application is better for performing a network discovery reconnaissance probing of an IP network infrastructure? Nmap's sole purpose is just that, network probing and recon. 3. Which scanning application is better for performing a software vulnerability assessment with suggested remediation steps? Nessus would be a better tool for this operation. While you can find network vulnerabilities with Nmap, it is not used as such. 4. How many total scripts (i.e., test scans) does the Intense Scan using ZenMap GUI perform? Port Scanning, OS detection, Version detection, Network Distance, TCP sequence prediction, Trace...
Words: 310 - Pages: 2
...Qualitative Risk Assessment for an IT Infrastructure Course Name and Number: CYBS 221 1001 Student Name: Kendall Watson Instructor Name: Dave Anderson Lab Due Date: September 20, 2015 at 11:59pm Overview In this lab, you defined the purpose of an IT risk assessment, you aligned identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure, you classified the risks, threats, and vulnerabilities, and you prioritized them. Finally, you wrote an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of noncompliance. Lab Assessment Questions & Answers 1. What is an IT risk assessment's goal or objective? The goal is to define how the risk to the system will be managed, controlled, and monitored. 2. Why is it difficult to conduct a quantitative risk assessment for an IT infrastructure? A qualitative assessment is based on opinion rather than actual fact, and IT risk assessments need to be based on a quantitative analysis. 3. What was your rationale in assigning a "1" risk impact/risk factor value of "Critical" to an identified risk, threat, or vulnerability? The critical needs to be mitigated immediately. 4. After you had assigned the "1," "2," and "3" risk impact/risk factor values to the identified risks, threats, and vulnerabilities, how did you prioritize the "1," "2," and "3"...
Words: 428 - Pages: 2
...our customers. The immediate supervisor has tasked us with identifying inherent risks associated with this pharmacy and establishing physical and logical access control methods that will mitigate all risks identified. There are a few basic things to be cognizant of as we carry out this task. Security is easiest to define by breaking it into pieces. An information system consists of the hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations. Information systems security is the collection of activities that protect the information system and the data stored in it (Kim & Solomon 2012). We should also be aware of what we are up against. Cyberspace brings new threats to people and organizations. People need to protect their privacy. Businesses and organizations are responsible for protecting both their intellectual property and any personal or private data they handle. Various laws require organizations to use security controls to protect private and confidential data. Recent U.S. laws related to information security include the following: Federal Information Security Management Act (FISMA) which requires federal civilian agencies to provide security controls over resources that support federal operations; Sarbanes-Oxley Act (SOX) which requires publicly traded companies to submit accurate and reliable financial reporting; and Health Insurance...
Words: 3283 - Pages: 14