
Risk Assessment Homework

In this assignment, you will perform a qualitative risk assessment, using a template that has been provided below.   

A listing of threats has been prepopulated for you. These threats have been categorized by type as shown below:

| Threat Origination Category | Type Identifier |
| --- | --- |
| Threats launched purposefully | P |
| Threats created by unintentional human or machine errors | U |
| Threats caused by environmental agents or disruptions | E |

Purposeful threats are launched by threat actors for a variety of reasons, and the reasons may never be fully known. Threat actors could be motivated by curiosity, monetary gain, political gain, social activism, revenge, or many other driving forces. It is possible that some threats could have more than one threat origination category. Some threat types are more likely to occur than others. The following table takes threat types into consideration to help determine the likelihood that a vulnerability could be exploited. The threat table shown in Table 2-2 is designed to offer typical threats to information systems, and these threats have been considered for the organization. Not all of these will be relevant to the findings in your risk assessment; however, you will need to identify those that are.

Table 2-2: Threat table. The last three columns give the typical impact to data or system (Confidentiality, Integrity, Availability).

| ID | Threat Name | Type ID | Description | Confidentiality | Integrity | Availability |
| --- | --- | --- | --- | --- | --- | --- |
| T-1 | Alteration | U, P, E | Alteration of data, files, or records. | | Modification | |
| T-2 | Audit Compromise | P | An unauthorized user gains access to the audit trail and could cause audit records to be deleted or modified, or prevents future audit records from being recorded, thus masking a security relevant event. Also applies to a purposeful act by an Administrator to mask unauthorized activity. | | Modification or Destruction | Unavailable Accurate Records |
| T-3 | Bomb | P | An intentional explosion. | | Modification or Destruction | Denial of Service |
| T-4 | Communications Failure | U, E | Cut of fiber optic lines, trees falling on telephone lines. | | | Denial of Service |
| T-5 | Compromising Emanations | P | Eavesdropping can occur via electronic media directed against large scale electronic facilities that do not process classified National Security Information. | Disclosure | | |
| T-6 | Cyber Brute Force | P | Unauthorized user could gain access to the information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities. | Disclosure | Modification or Destruction | Denial of Service |
| T-7 | Data Disclosure | P, U | An attacker uses techniques that could result in the disclosure of sensitive information by exploiting weaknesses in the design or configuration. Also used in instances where misconfiguration or the lack of a security control can lead to the unintentional disclosure of data. | Disclosure | | |
| T-8 | Data Entry Error | U | Human inattention, lack of knowledge, and failure to cross-check system activities could contribute to errors becoming integrated and ingrained in automated systems. | | Modification | |
| T-9 | Denial of Service | P | An adversary uses techniques to attack a single target, rendering it unable to respond, and could cause denial of service for users of the targeted information systems. | | | Denial of Service |
| T-10 | Distributed Denial of Service Attack | P | An adversary uses multiple compromised information systems to attack a single target and could cause denial of service for users of the targeted information systems. | | | Denial of Service |
| T-11 | Earthquake | E | Seismic activity can damage the information system or its facility. Please refer to the following document for earthquake probability maps: http://pubs.usgs.gov/of/2008/1128/pdf/OF08-1128_v1.1.pdf | | Destruction | Denial of Service |
| T-12 | Electromagnetic Interference | E, P | Disruption of electronic and wire transmissions could be caused by high frequency (HF), very high frequency (VHF), and ultra-high frequency (UHF) communications devices (jamming) or sun spots. | | | Denial of Service |
| T-13 | Espionage | P | The illegal covert act of copying, reproducing, recording, photographing or intercepting to obtain sensitive information. | Disclosure | Modification | |
| T-14 | Fire | E, P | Fire can be caused by arson, electrical problems, lightning, chemical agents, or other unrelated proximity fires. | | Destruction | Denial of Service |
| T-15 | Floods | E | Water damage caused by flood hazards can be caused by proximity to local flood plains. Flood maps and base flood elevation should be considered. | | Destruction | Denial of Service |
| T-16 | Fraud | P | Intentional deception regarding data or information about an information system could compromise the confidentiality, integrity, or availability of an information system. | Disclosure | Modification or Destruction | Unavailable Accurate Records |
| T-17 | Hardware or Equipment Failure | E | Hardware or equipment may fail due to a variety of reasons. | | | Denial of Service |
| T-18 | Hardware Tampering | P | An unauthorized modification to hardware that alters the proper functioning of equipment in a manner that degrades the security functionality the asset provides. | | Modification | Denial of Service |
| T-19 | Hurricane | E | A category 1, 2, 3, 4, or 5 landfalling hurricane could impact the facilities that house the information systems. | | Destruction | Denial of Service |
| T-20 | Malicious Software | P | Software that damages a system, such as a virus, Trojan, or worm. | | Modification or Destruction | Denial of Service |
| T-21 | Phishing Attack | P | Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs by pretending to be communications from a legitimate/trustworthy source. Typical attacks occur via email, instant messaging, or comparable means, commonly directing users to Web sites that appear to be legitimate sites while actually stealing the entered information. | Disclosure | Modification or Destruction | Denial of Service |
| T-22 | Power Interruptions | E | Power interruptions may be due to any number of reasons such as electrical grid failures, generator failures, uninterruptable power supply failures (e.g. spike, surge, brownout, or blackout). | | | Denial of Service |
| T-23 | Procedural Error | U | An error in procedures could result in unintended consequences. This is also used where there is a lack of defined procedures that introduces an element of risk. | Disclosure | Modification or Destruction | Denial of Service |
| T-24 | Procedural Violations | P | Violations of standard procedures. | Disclosure | Modification or Destruction | Denial of Service |
| T-25 | Resource Exhaustion | U | An errant (buggy) process may create a situation that exhausts critical resources, preventing access to services. | | | Denial of Service |
| T-26 | Sabotage | P | Underhand interference with work. | | Modification or Destruction | Denial of Service |
| T-27 | Scavenging | P | Searching through disposal containers (e.g. dumpsters) to acquire unauthorized data. | Disclosure | | |
| T-28 | Severe Weather | E | Naturally occurring forces of nature could disrupt the operation of an information system by freezing, sleet, hail, heat, lightning, thunderstorms, tornados, or snowfall. | | Destruction | Denial of Service |
| T-29 | Social Engineering | P | An attacker manipulates people into performing actions or divulging confidential information, as well as possible access to computer systems or facilities. | Disclosure | | |
| T-30 | Software Tampering | P | Unauthorized modification of software (e.g. files, programs, database records) that alters the proper operational functions. | | Modification or Destruction | |
| T-31 | Terrorist | P | An individual performing a deliberate violent act could use a variety of agents to damage the information system, its facility, and/or its operations. | | Modification or Destruction | Denial of Service |
| T-32 | Theft | P | An adversary could steal elements of the hardware. | | | Denial of Service |
| T-33 | Time and State | P | An attacker exploits weaknesses in timing or state of functions to perform actions that would otherwise be prevented (e.g. race conditions, manipulation of user state). | Disclosure | Modification | Denial of Service |
| T-34 | Transportation Accidents | E | Transportation accidents include train derailments, river barge accidents, trucking accidents, and airline accidents. Local transportation accidents typically occur when airports, sea ports, railroad tracks, and major trucking routes are in close proximity to systems facilities. Likelihood of HAZMAT cargo should be determined when considering the probability of local transportation accidents. | | Destruction | Denial of Service |
| T-35 | Unauthorized Facility Access | P | An unauthorized individual accesses a facility, which may result in compromises of confidentiality, integrity, or availability. | Disclosure | Modification or Destruction | Denial of Service |
| T-36 | Unauthorized Systems Access | P | An unauthorized user accesses a system or data. | Disclosure | Modification or Destruction | |

Analyze Risk

The risk analysis for each vulnerability consists of assessing threats to determine the likelihood that a vulnerability could be exploited and the potential impact should the vulnerability be exploited. Essentially, risk is proportional to both likelihood of exploitation and possible impact. The following sections provide a brief description of each component used to determine the risk.

Likelihood

This risk analysis process is based on qualitative risk analysis. In qualitative risk analysis the impact of exploiting a threat is measured in relative terms. When a system is easy to exploit, it has a High likelihood that a threat could exploit the vulnerability. Likelihood definitions for the exploitation of vulnerabilities are found in the following table.

| Likelihood | Description |
| --- | --- |
| Low | There is little to no chance that a threat could exploit a vulnerability and cause loss to the system or its data. |
| Medium | There is a Medium chance that a threat could exploit a vulnerability and cause loss to the system or its data. |
| High | There is a High chance that a threat could exploit a vulnerability and cause loss to the system or its data. |

Impact

Impact refers to the magnitude of potential harm that could be caused to the system (or its data) by successful exploitation. Definitions for the impact resulting from the exploitation of a vulnerability are described in the following table. Since exploitation has not yet occurred, these values are perceived values. If the exploitation of a vulnerability can cause significant loss to a system (or its data), then the impact of the exploit is considered to be High.

| Impact | Description |
| --- | --- |
| Low | If vulnerabilities are exploited by threats, little to no loss to the system, networks, or data would occur. |
| Medium | If vulnerabilities are exploited by threats, Medium loss to the system, networks, and data would occur. |
| High | If vulnerabilities are exploited by threats, significant loss to the system, networks, and data would occur. |

Risk Level

The risk level for the finding is the intersection of the likelihood value and impact value, as depicted in the table below. The combination of High likelihood and High impact creates the highest risk exposure. The risk exposure matrix shown in the table below presents the same likelihood and impact severity ratings as those found in NIST SP 800-30, Risk Management Guide for Information Technology Systems.

| Likelihood \ Impact | High | Medium | Low |
| --- | --- | --- | --- |
| High | High | Medium | Low |
| Medium | Medium | Medium | Low |
| Low | Low | Low | Low |

Risk Assessment Results

This section documents the technical and non-technical security risks to the system. Complete the following risk assessment table, ensuring that you have addressed at least 20 risks. You will be graded on your ability to demonstrate knowledge that the security controls are appropriate to controlling the risks you have identified, as well as being able to identify appropriate risk levels based on the Impact and Likelihood levels.

The following provides a brief description of the information documented in each column:

Identifier: Provides a unique number used for referencing each vulnerability in the form of R#-Security Control ID.

Threat: Indicates the applicable threat type from the table of threats.

Risk Description: Provides a brief description of the risk.

Business Impact: Provides a brief description of the impact to the organization if the risk is realized.

Recommended Corrective Action: Provides a brief description of the corrective action(s) recommended for mitigating the risks associated with the finding.

Likelihood: Provides the likelihood of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

Impact: Provides the impact of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

Risk Level: Provides the risk level (High, Medium, Low) for the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
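As an added example, not part of the assignment or its template: a small Python checker that applies this page's likelihood/impact matrix to register rows, flags any row whose Risk Level disagrees with the matrix, and flags threat IDs that are not in the threat table. The identifiers R1-AC-2 and R2-IA-5, the deliberately mis-rated second row, and the ID T-99 are constructed for the example, and only six of the page's threat entries are included in the lookup.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
# Rows: likelihood, columns: impact, values copied from the page's matrix.
RISK_MATRIX = {
    "High":   {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Medium": {"High": "Medium", "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Low",    "Medium": "Low",    "Low": "Low"},
}

# Threat ID -> origination categories (P/U/E); a subset of the page's table.
THREAT_TYPES = {
    "T-1": {"U", "P", "E"}, "T-6": {"P"}, "T-8": {"U"},
    "T-23": {"U"}, "T-24": {"P"}, "T-36": {"P"},
}

@dataclass
class Finding:
    identifier: str      # R#-Security Control ID (placeholders below)
    threat_ids: list
    likelihood: str
    impact: str
    rated_level: str     # the level the assessor wrote; verified by check_finding

def lookup_risk(likelihood, impact):
    """Risk level from the matrix; reject ratings outside the Low/Medium/High scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown rating {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][impact]

def origination(finding):
    """Union of P/U/E categories over the finding's threats (unknown IDs ignored)."""
    return set().union(*(THREAT_TYPES.get(t, set()) for t in finding.threat_ids))

def check_finding(finding):
    """Return the list of problems with one register row (empty means consistent)."""
    problems = []
    unknown = [t for t in finding.threat_ids if t not in THREAT_TYPES]
    if unknown:
        problems.append(f"{finding.identifier}: unknown threat ID(s) {unknown}")
    expected = lookup_risk(finding.likelihood, finding.impact)
    if finding.rated_level != expected:
        problems.append(f"{finding.identifier}: rated {finding.rated_level}, "
                        f"matrix gives {expected} for {finding.likelihood}/{finding.impact}")
    return problems

# Constructed register: the page's sample row, then a deliberately mis-rated row.
REGISTER = [
    Finding("R1-AC-2", ["T-1", "T-8", "T-23", "T-24", "T-36"], "Low", "Medium", "Low"),
    Finding("R2-IA-5", ["T-6", "T-99"], "High", "Medium", "High"),
]

if __name__ == "__main__":
    for f in REGISTER:
        print(f.identifier, sorted(origination(f)), check_finding(f) or "consistent")
```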

| Identifier | Threat ID | Risk Description | Business Impact | Recommended Corrective Action | Likelihood | Impact | Risk Level |
| --- | --- | --- | --- | --- | --- | --- | --- |
| | T-1, T-8, T-23, T-24, T-36 | Notification is not performed when account changes are made. | The lack of notification allows unauthorized changes to individuals who elevate permissions and group membership to occur without detection. | Enable auditing of all activities performed under privileged accounts in GPOs and develop a process to allow these events to be reviewed by an individual who does not have Administrative privileges. | Low | Medium | Low |

Malicious Code/Social Engineering

Application and Network Attacks

Physical Security

Wireless

Email and Web

Mobile Devices
