IAA202_LAB4_SE140442

Overview
The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your
Instructor will assign you one of four different scenarios and vertical industries each of
which is under a unique compliance law.

1. Scenario/Vertical Industry:
 A. Healthcare provider under HIPPA compliance law
 B. Regional bank under GLBA compliance law
 C. Nationwide retailer under PCI DSS standard requirements
 D. Higher-education institution under FERPA compliance law

2. Given the list, perform a qualitative risk assessment by assigning a

risk impact/risk factor to each of identified risks, threats, and
vulnerabilities throughout the seven domains of a typical IT
infrastructure that the risk, threat, or vulnerability resides.

Risk-Threat- Primary Domain Risk Impact/Factor

Vulnerability Impacted
Unauthorized access from Remote Access Domain 1
public Internet
User destroys data in Systems/Application 3
application and deletes all Domain
files
Hacker penetrates your IT LAN-to-WAN Domain 1
infrastructure and gains
access to your internal
network
Intra-office employee User Domain 3
romance gone bad
Fire destroys primary data Systems/Application 1
center Domain
Risk-Threat- Primary Domain Risk Impact/Factor
Vulnerability Impacted
Service provider SLA is not Service provider SLA is not 3
achieved achieved
Workstation OS has a Workstation Domain 2
known software
 vulnerability
Unauthorized access to Workstation Domain 1
organization owned
workstations
Loss of production data Systems/Application 2
Domain
Denial of service attack on LAN-to-WAN Domain 1
organization DMZ e-mail
server
Remote communications Remote Access Domain 2
from home office
LAN server OS has a LAN Domain 2
known software
vulnerability
User downloads and clicks User Domain 1
on an unknown
Workstation browser has a Workstation Domain 3
software vulnerability
Mobile employee needs Remote Access Domain 3
secure browser access to
sales order entry system
Service provider has a WAN Domain 2
major network outage
Weak ingress/egress traffic LAN-to-WAN Domain 3
filtering degrades
performance
User inserts CDs and USB User Domain 2
hard drives with personal
photos, music, and videos
on organization owned
computers
VPN tunneling between LAN-to-WAN Domain 2
remote computer and
ingress/egress router is
needed
WLAN access points are LAN Domain 3
needed for LAN
connectivity within a
warehouse
Need to prevent LAN Domain 1
eavesdropping on WLAN
due to customer privacy
data access
DoS/DDoS attack from the WAN Domain 1
WAN/Internet
3. For each of the identified risks, threats, and vulnerabilities,
prioritize them by listing a “1”, “2”, and “3” next to each risk, threat,
vulnerability found within each of the seven domains of a typical IT
infrastructure. “1” = Critical, “2” = Major, “3” = Minor. Define the
following qualitative risk impact/risk factor metrics:

a. “1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law
requirement for securing privacy data and implementing proper security controls,
etc.) and places the organization in a position of increased liability.
b. “2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s
intellectual property assets and IT infrastructure. c. “3”Minor – a risk, threat, or
vulnerability that can impact user or employee productivity or availability of the IT
infrastructure.

User Domain Risk Impacts: (refer to previous chart)

 User downloads and clicks on an unknown e-mail attachment.
 User inserts CDs and USB hard drives with personal photos, music, and
videos on organization owned computers.
 Intra-office employee romance gone bad

Workstation Domain Risk Impacts: (refer to previous chart)

 Unauthorized access to organization owned workstations.
 Workstation OS has a known software vulnerability.
 Workstation browser has software vulnerability.

LAN Domain Risk Impacts: (refer to previous chart)

 Denial of service attack on organization DMZ and e-mail server.

 VPN tunneling between remote computer and ingress/egress router is

needed.

 Weak ingress/egress traffic filtering degrades performance.

 WAN Domain Risk Impacts: (refer to previous chart)
 DoS/DDoS attack from the WAN/Internet.
 Service provider has a major network outage.
 Service provider SLA is not achieved.

Remote Access Domain Risk Impacts: (refer to previous chart)

 Unauthorized access from public Internet.

 Remote communications from home office.
 Mobile employee needs secure browser access to sales order entry system

Systems/Applications Domain Risk Impacts:

(refer to previous chart)
 Fire destroys primary data center.
 Loss of production data.
 User destroys data in application and deletes all files

1. What is the goal or objective of an IT risk assessment?

The goal of the RA is to identify and mitigate risks. it’s used to identify and
evaluate risks based on an analysis of threats and vulnerabilities to assets. Risks
are quantified based on their importance or impact severity. These risks are then
prioritized.

2. Why is it difficult to conduct a qualitative risk assessment for an

IT infrastructure?
It is difficult to conduct a qualitative risk assessment for an IT infrastructure because it is
hard to tell what kind of impact a given attack will have on the infrastructure. This is
based on the probability and impact of a risk. It is not based on dollar values; it instead is
done by gathering opinions of experts. They could all have a different opinion or priority
which could cause an issue.
3. What was your rationale in assigning “1” risk impact/ risk factor
value of “Critical” for an identified risk, threat, or vulnerability? I
assigned critical impact values for threats that severely
compromise patient data or that made the system useless such
as DoS attacks.

“1” was given to a risk, threat or vulnerability that impacts compliance and places the
organization in a position of increased liability

4. When you assembled all of the “1” and “2” and “3” risk
impact/risk factor values to the identified risks, threats, and
vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk
elements?

What would you say to executive management in regards to your final recommended
prioritization? Management should acquire a SLA so that our systems will always be
functioning optimally. I would also recommend that the appropriate countermeasures for
threats are in place. I prioritized them by least destructive to most destructive. I would
always look at risk/threats by how much damage they could potentially cause to the
organization

5. Identify a risk mitigation solution for of the following risk

factors:

A: User downloads and clicks on an unknown e-mail attachment-- Attachments are a

significant security risk associated with emails. Effective email attachment filtering and
restrictions reduce the likelihood of malicious content entering the network.

B: Workstation OS has a known software vulnerability—Define a workstation operating

system vulnerability window policy definition. Start periodic workstation domain
vulnerability tests to find all vulnerabilities.

C: Need to prevent eavesdropping on WLAN due to customer privacy data access—Use

WLAN network keys that require a password for wireless access. Turn of broadcasting
of WAPs, require second level authentication prior to granting WLAN access.
D: Weak ingress/egress traffic filtering degrades performance—Apply WAN optimization
and data compression solutions when accessing remote systems; applications and data.
Enable Access Control lists (ACLs) on outbound router WAN interfaces in keeping with
policy.

E: DoS/DDoS attack from the WAN/Internet—Apply filter on exterior IP stateful firewalls

an IP router WAN interfaces to block TCP SYN and ICMP (ping). Alert your ISP provider
to put the proper filters on its IP router WAN interfaces in accordance with CERT
Advisory CA- 1996-21. F: Remote access from office—Apply first level and second level
security for remote access to sensitive systems, applications and data.

G: Production Server corrupts database—Implement daily data backups and off-site

data storage for monthly data archiving. Define data recovery procedures based on
defined RTOs.

User downloads and clicks on an unknown e-mail attachment – Add restrictions that
would not allow users to download or open attachments.

Workstation OS has a known software vulnerability – Try to patch the vulnerability or

create security measures that prevent that software vulnerability from being exploited.

Need to prevent eavesdropping on WLAN due to customer privacy data access – Make
sure you are using WPA2 because it uses better encryption methods.

Weak ingress/egress traffic filtering degrades performance – Customize firewall settings

DoS/DDoS attack from the WAN/Internet – Acquire more bandwidth

Remote access from home office – Allow access of specified IP addresses only.

Production server corrupts database – Use a RAID setup to mitigate loss of data