
Risk Assessment Homework

In this assignment, you will perform a qualitative risk assessment, using a template that has been provided below.

A listing of threats has been prepopulated for you. These threats have been categorized by type as shown below:

| Threat Origination Category | Type Identifier |
| --- | --- |
| Threats launched purposefully | P |
| Threats created by unintentional human or machine errors | U |
| Threats caused by environmental agents or disruptions | E |

Purposeful threats are launched by threat actors for a variety of reasons, and the reasons may never be fully known. Threat actors could be motivated by curiosity, monetary gain, political gain, social activism, revenge or many other driving forces. It is possible that some threats could have more than one threat origination category. Some threat types are more likely to occur than others. The following table takes threat types into consideration to help determine the likelihood that a vulnerability could be exploited. The threat table shown in Table 2-2 is designed to offer typical threats to information systems, and these threats have been considered for the organization. Not all of these will be relevant to the findings in your risk assessment; however, you will need to identify those that are.

The last three columns give the typical impact to data or system (Confidentiality, Integrity, Availability).

| ID | Threat Name | Type ID | Description | Confidentiality | Integrity | Availability |
| --- | --- | --- | --- | --- | --- | --- |
| T-1 | Alteration | U, P, E | Alteration of data, files, or records. | | Modification | |
| T-2 | Audit Compromise | P | An unauthorized user gains access to the audit trail and could cause audit records to be deleted or modified, or prevents future audit records from being recorded, thus masking a security relevant event. Also applies to a purposeful act by an Administrator to mask unauthorized activity. | | Modification or Destruction | Unavailable Accurate Records |
| T-3 | Bomb | P | An intentional explosion. | | Modification or Destruction | Denial of Service |
| T-4 | Communications Failure | U, E | Cut of fiber optic lines, trees falling on telephone lines. | | | Denial of Service |
| T-5 | Compromising Emanations | P | Eavesdropping can occur via electronic media directed against large scale electronic facilities that do not process classified National Security Information. | Disclosure | | |
| T-6 | Cyber Brute Force | P | Unauthorized user could gain access to the information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities. | Disclosure | Modification or Destruction | Denial of Service |
| T-7 | Data Disclosure | P, U | An attacker uses techniques that could result in the disclosure of sensitive information by exploiting weaknesses in the design or configuration. Also used in instances where misconfiguration or the lack of a security control can lead to the unintentional disclosure of data. | Disclosure | | |
| T-8 | Data Entry Error | U | Human inattention, lack of knowledge, and failure to cross-check system activities could contribute to errors becoming integrated and ingrained in automated systems. | | Modification | |
| T-9 | Denial of Service | P | An adversary uses techniques to attack a single target, rendering it unable to respond, and could cause denial of service for users of the targeted information systems. | | | Denial of Service |
| T-10 | Distributed Denial of Service Attack | P | An adversary uses multiple compromised information systems to attack a single target and could cause denial of service for users of the targeted information systems. | | | Denial of Service |
| T-11 | Earthquake | E | Seismic activity can damage the information system or its facility. Please refer to the following document for earthquake probability maps: http://pubs.usgs.gov/of/2008/1128/pdf/OF08-1128_v1.1.pdf | | Destruction | Denial of Service |
| T-12 | Electromagnetic Interference | E, P | Disruption of electronic and wire transmissions could be caused by high frequency (HF), very high frequency (VHF), and ultra-high frequency (UHF) communications devices (jamming) or sun spots. | | | Denial of Service |
| T-13 | Espionage | P | The illegal covert act of copying, reproducing, recording, photographing or intercepting to obtain sensitive information. | Disclosure | Modification | |
| T-14 | Fire | E, P | Fire can be caused by arson, electrical problems, lightning, chemical agents, or other unrelated proximity fires. | | Destruction | Denial of Service |
| T-15 | Floods | E | Water damage caused by flood hazards can be caused by proximity to local flood plains. Flood maps and base flood elevation should be considered. | | Destruction | Denial of Service |
| T-16 | Fraud | P | Intentional deception regarding data or information about an information system could compromise the confidentiality, integrity, or availability of an information system. | Disclosure | Modification or Destruction | Unavailable Accurate Records |
| T-17 | Hardware or Equipment Failure | E | Hardware or equipment may fail due to a variety of reasons. | | | Denial of Service |
| T-18 | Hardware Tampering | P | An unauthorized modification to hardware that alters the proper functioning of equipment in a manner that degrades the security functionality the asset provides. | | Modification | Denial of Service |
| T-19 | Hurricane | E | A category 1, 2, 3, 4, or 5 land falling hurricane could impact the facilities that house the information systems. | | Destruction | Denial of Service |
| T-20 | Malicious Software | P | Software that damages a system, such as a virus, Trojan, or worm. | | Modification or Destruction | Denial of Service |
| T-21 | Phishing Attack | P | Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs by pretending to be communications from a legitimate/trustworthy source. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to Web sites that appear to be legitimate sites, while actually stealing the entered information. | Disclosure | Modification or Destruction | Denial of Service |
| T-22 | Power Interruptions | E | Power interruptions may be due to any number of reasons such as electrical grid failures, generator failures, uninterruptable power supply failures (e.g. spike, surge, brownout, or blackout). | | | Denial of Service |
| T-23 | Procedural Error | U | An error in procedures could result in unintended consequences. This is also used where there is a lack of defined procedures that introduces an element of risk. | Disclosure | Modification or Destruction | Denial of Service |
| T-24 | Procedural Violations | P | Violations of standard procedures. | Disclosure | Modification or Destruction | Denial of Service |
| T-25 | Resource Exhaustion | U | An errant (buggy) process may create a situation that exhausts critical resources, preventing access to services. | | | Denial of Service |
| T-26 | Sabotage | P | Underhand interference with work. | | Modification or Destruction | Denial of Service |
| T-27 | Scavenging | P | Searching through disposal containers (e.g. dumpsters) to acquire unauthorized data. | Disclosure | | |
| T-28 | Severe Weather | E | Naturally occurring forces of nature could disrupt the operation of an information system by freezing, sleet, hail, heat, lightning, thunderstorms, tornados, or snowfall. | | Destruction | Denial of Service |
| T-29 | Social Engineering | P | An attacker manipulates people into performing actions or divulging confidential information, as well as possible access to computer systems or facilities. | Disclosure | | |
| T-30 | Software Tampering | P | Unauthorized modification of software (e.g. files, programs, database records) that alters the proper operational functions. | | Modification or Destruction | |
| T-31 | Terrorist | P | An individual performing a deliberate violent act could use a variety of agents to damage the information system, its facility, and/or its operations. | | Modification or Destruction | Denial of Service |
| T-32 | Theft | P | An adversary could steal elements of the hardware. | | | Denial of Service |
| T-33 | Time and State | P | An attacker exploits weaknesses in timing or state of functions to perform actions that would otherwise be prevented (e.g. race conditions, manipulation of user state). | Disclosure | Modification | Denial of Service |
| T-34 | Transportation Accidents | E | Transportation accidents include train derailments, river barge accidents, trucking accidents, and airline accidents. Local transportation accidents typically occur when airports, sea ports, railroad tracks, and major trucking routes are in close proximity to systems facilities. Likelihood of HAZMAT cargo should be determined when considering the probability of local transportation accidents. | | Destruction | Denial of Service |
| T-35 | Unauthorized Facility Access | P | An unauthorized individual accesses a facility, which may result in compromises of confidentiality, integrity, or availability. | Disclosure | Modification or Destruction | Denial of Service |
| T-36 | Unauthorized Systems Access | P | An unauthorized user accesses a system or data. | Disclosure | Modification or Destruction | |

Analyze Risk

The risk analysis for each vulnerability consists of assessing threats to determine the likelihood that a vulnerability could be exploited and the potential impact should the vulnerability be exploited. Essentially, risk is proportional to both the likelihood of exploitation and the possible impact. The following sections provide a brief description of each component used to determine the risk.

Likelihood

This risk analysis process is based on qualitative risk analysis. In qualitative risk analysis the impact of exploiting a threat is measured in relative terms. When a system is easy to exploit, it has a High likelihood that a threat could exploit the vulnerability. Likelihood definitions for the exploitation of vulnerabilities are found in the following table.

| Likelihood | Description |
| --- | --- |
| Low | There is little to no chance that a threat could exploit a vulnerability and cause loss to the system or its data. |
| Medium | There is a Medium chance that a threat could exploit a vulnerability and cause loss to the system or its data. |
| High | There is a High chance that a threat could exploit a vulnerability and cause loss to the system or its data. |

Impact

Impact refers to the magnitude of potential harm that could be caused to the system (or its data) by successful exploitation. Definitions for the impact resulting from the exploitation of a vulnerability are described in the following table. Since exploitation has not yet occurred, these values are perceived values. If the exploitation of a vulnerability can cause significant loss to a system (or its data), then the impact of the exploit is considered to be High.

| Impact | Description |
| --- | --- |
| Low | If vulnerabilities are exploited by threats, little to no loss to the system, networks, or data would occur. |
| Medium | If vulnerabilities are exploited by threats, Medium loss to the system, networks, and data would occur. |
| High | If vulnerabilities are exploited by threats, significant loss to the system, networks, and data would occur. |

Risk Level

The risk level for the finding is the intersection of the likelihood value and the impact value, as depicted in the table below. The combination of High likelihood and High impact creates the highest risk exposure. The risk exposure matrix shown in the table below presents the same likelihood and impact severity ratings as those found in NIST SP 800-30, Risk Management Guide for Information Technology Systems.

| Likelihood \ Impact | High | Medium | Low |
| --- | --- | --- | --- |
| High | High | Medium | Low |
| Medium | Medium | Medium | Low |
| Low | Low | Low | Low |

Risk Assessment Results

This section documents the technical and non-technical security risks to the system. Complete the following risk assessment table, ensuring that you have addressed at least 20 risks. You will be graded on your ability to demonstrate knowledge that the security controls are appropriate to controlling the risks you have identified, as well as being able to identify appropriate risk levels based on the Impact and Likelihood levels.

The following provides a brief description of the information documented in each column:

Identifier: Provides a unique number used for referencing each vulnerability in the form of R#-Security Control ID.

Threat: Indicates the applicable threat type from the table of threats.

Risk Description: Provides a brief description of the risk.

Business Impact: Provides a brief description of the impact to the organization if the risk is realized.

Recommended Corrective Action: Provides a brief description of the corrective action(s) recommended for mitigating the risks associated with the finding.

Likelihood: Provides the likelihood of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

Impact: Provides the impact of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

Risk Level: Provides the risk level (High, Medium, Low) for the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

| Identifier | Threat ID | Risk Description | Business Impact | Recommended Corrective Action | Likelihood | Impact | Risk Level |
| --- | --- | --- | --- | --- | --- | --- | --- |
| | T-1, T-8, T-23, T-24, T-36 | Notification is not performed when account changes are made. | The lack of notification allows unauthorized changes to individuals who elevate permissions and group membership to occur without detection. | Enable auditing of all activities performed under privileged accounts in GPOs and develop a process to allow these events to be reviewed by an individual who does not have Administrative privileges. | Low | Medium | Low |

Malicious Code/Social Engineering

Application and Network Attacks

Physical Security

Wireless

Email and Web

Mobile Devices
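As an added example (editor's code, not part of the assignment template), the following Python encodes the likelihood-by-impact matrix from the Risk Level section and uses it to check rows of a risk register laid out like the results table: each row's stated risk level is recomputed from the matrix, its Threat IDs are looked up in a subset of the threat catalogue copied from the page, and its identifier is matched against an assumed reading of the "R#-Security Control ID" format (a NIST SP 800-53 control identifier such as AU-2, which the page itself does not specify). The first register row is the template's own sample row with a constructed identifier, since the template leaves that cell blank; the second row is constructed to show how a mis-rated entry and an unknown threat ID get flagged.

```python
"""Qualitative risk scoring and register consistency checks.

Editor-added example; the matrix and the catalogue entries are copied from the
assignment text, the identifier pattern and the sample identifiers are assumptions.
"""
import re
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Risk exposure matrix from the page (NIST SP 800-30 style):
# RISK_MATRIX[likelihood][impact] -> risk level
RISK_MATRIX = {
    "High":   {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Medium": {"High": "Medium", "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Low",    "Medium": "Low",    "Low": "Low"},
}

# Subset of the threat catalogue (ID -> name, origination types) copied from the page.
THREAT_CATALOGUE = {
    "T-1":  ("Alteration", {"U", "P", "E"}),
    "T-8":  ("Data Entry Error", {"U"}),
    "T-21": ("Phishing Attack", {"P"}),
    "T-23": ("Procedural Error", {"U"}),
    "T-24": ("Procedural Violations", {"P"}),
    "T-36": ("Unauthorized Systems Access", {"P"}),
}

# Assumed interpretation of the "R#-Security Control ID" format, e.g. R1-AU-2
# (sequence number plus an SP 800-53 control family and number).
IDENT_RE = re.compile(r"^R\d+-[A-Z]{2}-\d+$")


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair; rejects unknown ratings."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


@dataclass
class RiskEntry:
    identifier: str
    threat_ids: list
    description: str
    likelihood: str
    impact: str
    stated_level: str


def validate_entry(entry: RiskEntry) -> list:
    """Return the problems found in one register row (empty list means consistent)."""
    problems = []
    if not IDENT_RE.match(entry.identifier):
        problems.append(f"{entry.identifier}: identifier not in R#-<control id> form")
    unknown = [t for t in entry.threat_ids if t not in THREAT_CATALOGUE]
    if unknown:
        problems.append(f"{entry.identifier}: unknown threat IDs {unknown}")
    try:
        expected = risk_level(entry.likelihood, entry.impact)
    except ValueError as exc:
        problems.append(f"{entry.identifier}: {exc}")
        return problems
    if expected != entry.stated_level:
        problems.append(
            f"{entry.identifier}: stated risk level {entry.stated_level} but "
            f"{entry.likelihood} likelihood x {entry.impact} impact gives {expected}"
        )
    return problems


def summarize(entries) -> dict:
    """Count register rows per matrix-derived risk level."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for entry in entries:
        counts[risk_level(entry.likelihood, entry.impact)] += 1
    return counts


# Constructed sample register: row 1 is the template's sample row (identifier
# assumed), row 2 is constructed to exercise the checks.
SAMPLE_REGISTER = [
    RiskEntry("R1-AU-2", ["T-1", "T-8", "T-23", "T-24", "T-36"],
              "Notification is not performed when account changes are made.",
              "Low", "Medium", "Low"),
    RiskEntry("R2-AT-2", ["T-21", "T-99"],
              "Users are not trained to recognize phishing email.",
              "High", "Medium", "High"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        for problem in validate_entry(entry):
            print("PROBLEM:", problem)
    print(summarize(SAMPLE_REGISTER))
```

Running it reports that R2-AT-2 references an unknown threat and is rated High where the matrix gives Medium, while the template's own row (Low likelihood, Medium impact, Low risk) passes; the same check scales to the twenty-plus rows the assignment asks for.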
