Question

In: Computer Science

NIST SP 800-30 is a National Institute of Standards and Technology publication that includes the following...

NIST SP 800-30 is a National Institute of Standards and Technology publication that includes the following terms, which relate to the potential harm an organization might sustain when threats exploit vulnerabilities: very high, high, moderate, low, and very low. The terms are defined in the course textbook in section “Threats, Vulnerabilities, and Impact.” Research a well-known company, and identify at least one example for each term.  

Solutions

Expert Solution

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. The Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.

Threat:

A threat is the potential for a particular threat-source to successfully exercise a particular
vulnerability. A vulnerability is a weakness that can
be accidentally triggered or intentionally exploited. A
threat-source does not present a risk when there is no Threat: The potential for a threat-
vulnerability that can be exercised

Common Threat-Sources
Natural Threats—Floods, earthquakes, tornadoes,
landslides, avalanches, electrical storms, and other such
events.
Human Threats—Events that are either enabled by or
caused by human beings, such as unintentional acts
(inadvertent data entry) or deliberate actions (network
based attacks, malicious software upload, unauthorized
access to confidential information).
Environmental Threats—Long-term power failure,
pollution, chemicals, liquid leakage.

Vulnerability:

a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness

presents examples of vulnerability/threat pairs.

For your home, your vulnerability is that you don't have bars or security screens on your windows. This is a vulnerability, as unscrupulous people can easily break the window and gain entry into your home. It's a gap in your protection.

Other examples of vulnerability include these:

  • A weakness in a firewall that lets hackers get into a computer network
  • Unlocked doors at businesses, and/or
  • Lack of security cameras

All of these represent a weakness that can be used by others to hurt a business or any other asset that you care about. Actually, your business is considered one of your assets. All of your supplies, materials, and finished products for your business are all assets, too.

3. Impact:

The next major step in measuring level of risk is to determine the adverse impact resulting from
a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is
necessary to obtain the following necessary information

Therefore, the adverse impact of a security event can be described in terms of loss or degradation
of any, or a combination of any, of the following three security goals: integrity, availability, and
confidentiality. The following list provides a brief description of each security goal and the
consequence (or impact) of its not being met:
• Loss of Integrity. System and data integrity refers to the requirement that
information be protected from improper modification. Integrity is lost if unauthorized
changes are made to the data or IT system by either intentional or accidental acts. If
the loss of system or data integrity is not corrected, continued use of the contaminated
system or corrupted data could result in inaccuracy, fraud, or erroneous decisions.
Also, violation of integrity may be the first step in a successful attack against system
availability or confidentiality. For all these reasons, loss of integrity reduces the
assurance of an IT system.
• Loss of Availability. If a mission-critical IT system is unavailable to its end users,
the organization’s mission may be affected. Loss of system functionality and
operational effectiveness, for example, may result in loss of productive time, thus
impeding the end users’ performance of their functions in supporting the
organization’s mission.
• Loss of Confidentiality. System and data confidentiality refers to the protection of
information from unauthorized disclosure. The impact of unauthorized disclosure of
confidential information can range from the jeopardizing of national security to the
disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional
disclosure could result in loss of public confidence, embarrassment, or legal action
against the organization.


Related Solutions

Explain what is to be done when cybersecurity framework controls (NIST SP 800-53) cannot be implemented.
Explain what is to be done when cybersecurity framework controls (NIST SP 800-53) cannot be implemented.
Assess the relationships between continuous monitoring for 1) NIST Systems Security Engineering, SP 800-160, Systems Security...
Assess the relationships between continuous monitoring for 1) NIST Systems Security Engineering, SP 800-160, Systems Security Engineering and 2) IETF SACM. Consider for your Analysis and Conclusions utilizing the NIST enterprise levels: • Level 1: Organization • Level 2: Mission/Business Processes • Level 3: System
The National Institute for Occupational Safety and Health (NIOSH) sets standards for CCl4 in air at...
The National Institute for Occupational Safety and Health (NIOSH) sets standards for CCl4 in air at 12.6 mg/m^3 of air (a time average over 40 hr). The CCl4 found in a sample is 4800 ppb. Does the sample meet the NIOSH standard? INCLUDE THE PROCEDURE
Which of the following is not one of the ethical standards included in the Institute of...
Which of the following is not one of the ethical standards included in the Institute of Management Accountants (IMA) Statement of Ethical Professional Practice? Objectivity. Integrity. Competence. Credibility. Confidentiality.
Of the following intervals, which includes the most prime numbers? A. 20 and 30 B. 30...
Of the following intervals, which includes the most prime numbers? A. 20 and 30 B. 30 and 40 C. 40 and 50 D. 50 and 60 Please explain clearly. How do we even find prime numbers between these intervals. Thank you.
The ledger of Marco Rentals on 30 June 2019 includes the following selected accounts before adjusting...
The ledger of Marco Rentals on 30 June 2019 includes the following selected accounts before adjusting entries have been prepared: Debit $ Credit $ Prepaid insurance 28080 Supplies 16800 Equipment 195000 Accumulated depreciation—equipment 39000 Bank loan 156000 Rent revenue received in advance 72540 Rent revenue 468000 Wages expense 109200 An analysis of the accounts shows the following adjustments that need to be made: The equipment depreciates $3250 per month. The rent revenue received in advance was for 9 months commencing...
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT