Dear Harry and Mae’s Inc.’s I.T. Staff and Executives,
Per your request, I have taken the identified threats to your assets a step further by applying the following rankings: asset value, vulnerability value, likelihood, and risk exposure. I calculated the below chart by deciphering the value of the asset, what could happen to it, the possibility of it happening, and then by using this information, calculating the asset’s risk exposure. Armed with the following chart, Harry and Mae’s will have an accurate description of what it needs to focus on in terms of risk management, what it needs to prioritize, and what can wait for later, thus granting the ability to manage resources better. Please let me know if you have any further questions.
Thank you,
William Donaldson, Teckzor Inc.
| Asset | Description | Asset Value (1-Low, 3-High) | Vulnerabilities | Vulnerability Value (1-Low, 3-High) | Threats | Likelihood Value (1-Low, 3-High) | Risk Exposure (1-Low, 3-High) |
|---|---|---|---|---|---|---|---|
| Internet | Comcast Business Services: fully redundant fiber (100Mbps down and 50Mbps up) | 2- If the Internet goes down, without a second ISP, the organization’s operation will stop. | While there is a fully redundant dual-fiber ring consisting of two fiber pairs, if the network does go down, the entire system and all security software/hardware will be inaccessible. | 1 | Denial of Service | 3 | 2 |
| Nexus Core 700 Switches | NX-OS 5.0 | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | No policy on system updates. Various reported issues. Running NX-OS 5.0. | 1 | Denial of Service | 2 | 1 |
| Cisco ME 3600X Switches | 2nd layer, located in each building on campus | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | Poor password policy. Open access possible after a breach. | 2 | Denial of Service, Elevation of Privilege | 3 | 3 |
| Aruba WAPs | Aruba Networks Grid | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | Easily accessible Wi-Fi, allowing the possibility of an attack. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Dell SonicWall NSA 4600 | Connects Comcast Internet to the core network | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | (External Threat) Default policy and settings allow for the possibility of a breach. (Internal Threat) Default policy and settings allow for the possibility of a breach/error due to no policy for updates. Reported issues. | 2 | Denial of Service, Spoofing, Elevation of Privilege | 2 | 2 |
| Aruba 6000 Mod Controllers | Serve the Aruba WAPs | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | (External Threat) Default policy and settings allow for the possibility of a breach or downed network. (Internal Threat) Guest account. Reported issues. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Barracuda Spam and Virus Firewall | Core network, forwards mail traffic | 1- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if they get through. | (External Threat) Network settings/location. (Internal Threat) No policy for updates. Reported issues. | 2 | Denial of Service, Spoofing, Elevation of Privilege | 2 | 2 |
| Cisco 2960-S P.O.E. Switches | 3rd layer, connects desktop P.C.s and P.O.E. phones over Gigabit copper LANs | 1- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | A power outage would cripple the network. | 1 | Denial of Service | 3 | 2 |
| FTP Server | Enabled for both internal/external networks and remote situations. Also used as a staging server | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | Encryption/authentication issues increase the possibility of compromised data. | 1 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 2 |
| HP StorageWorks Server (SAN) | 200TByte, provides storage for the HP ProLiant DL380 G7 Servers | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | Lack of antivirus, updates, and policies. The last firmware/driver update was in 2013. Reported concerns. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Email Server (Microsoft Exchange Server 2010 SP3) | Internal and external (with public IP address) connections | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | (External Threat) Lack of a firewall and inadequate authentication protocols for preventing unauthorized access. (Internal Threat) Lack of a policy for updates. Not maintained. Reported Exchange vulnerabilities. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 2 |
| Web Server (IIS) | Internal and external (with public IP address) connections | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | Poor authentication measures allow unauthorized external access. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| HP ProLiant DL380 G7 Servers | Version 5.1 of VMware vSphere | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | The last firmware/driver update was in 2013. Version 5.1 of VMware vSphere needs to be updated to the current 6.7 version. Many reported vulnerabilities. | 1 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| A.D. Domain Controller | One account for the entire campus | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | Default settings. Access between departments is allowed. Basic and admin user privileges are not separated for all users according to least privilege. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| First A.D. Organizational Unit | Campus | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | Default settings. Access between departments is allowed. Basic and admin user privileges are not separated for all users according to least privilege. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Second A.D. Organizational Unit | Accounting and Finance Group | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | Default settings. Access between departments is allowed. Basic and admin user privileges are not separated for all users according to least privilege. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Dell OptiPlex 3020 Workstations | Windows 7, joined to A.D. | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | (Internal Threat) Unrestricted access for unauthorized users. Windows 7 needs to be updated to Windows 10 because Windows 7 support has ended. Improper antivirus/network settings and software. Inadequate policies and procedures. (External Threat) Flaws and concerns with the system. Authentication issues. Windows 7 usage and the requirement to upgrade to Windows 10. | 1 | Denial of Service, Spoofing, Tampering, Repudiation, Elevation of Privilege, Information Disclosure | 2 | 2 |
| P.O.S. System | Hosted as a virtual server on VMware vSphere Hypervisor (ESXi) version 5.1 | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss and virus/malware infections. | Poor system policy and authentication settings, and a lack of encryption and training, can enable unauthorized access to customer data. | 3 | Denial of Service, Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Off-Campus NAT Firewall | No further data | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if they get through. | Poor access/authentication measures. | 2 | Denial of Service, Spoofing, Elevation of Privilege, Information Disclosure | 1 | 2 |
| Off-Campus WAP | Set up by the franchise owner | 2- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. | Poor access/authentication measures. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 1 | 2 |
| Employees | No further data | 3- Lack of education and training can open up various risks such as social engineering attacks and the misuse of systems, hardware, etc. | Lack of education/training. | 1 | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Symantec Endpoint Protection | All campus workstations | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if they get through. | Access to Symantec Endpoint Protection should not be given to 1/3 of the employees. | 2 | Denial of Service, Repudiation, Elevation of Privilege | 3 | 3 |
| W.S.U.S. | Updates Microsoft applications | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if they get through. | No update policy. | 1 | Denial of Service, Elevation of Privilege | 2 | 2 |
| Microsoft Internet Explorer 10 | Company standard browser | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if they get through. | Lack of a company-wide enforced browser and settings. | 1 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 1 | 2 |
| Norton Antivirus Software | Off-campus | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if they get through. | Lack of a uniform security system; not all employees should have access to this system, only I.T. admins. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Microsoft PPTP VPN Clients | (Off-campus) P.O.S. processing | 3- If an error or incompatibility with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if they get through. | The client can currently be minimized by users, which creates malware-infection opportunities. | 3 | Denial of Service, Repudiation, Elevation of Privilege | 3 | 3 |
| Campus Building | Physical location | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, hardware, software, and physical structures. | 1 | Unknown | 2 | 2 |
| Off-Campus Buildings | Physical location | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, hardware, software, and physical structures. | 1 | Unknown | 2 | 2 |
| Perimeter Fence | Campus | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, hardware, software, and physical structures. | 1 | Unknown | 2 | 2 |
| Surveillance Cameras | Campus | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, hardware, software, and physical structures. | 1 | Denial of Service, Elevation of Privilege | 2 | 2 |
| Smart Card Access Systems | Campus | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, hardware, software, and physical structures. | 1 | Denial of Service, Elevation of Privilege | 2 | 2 |
| Security Staff | Campus | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, skills, and training. | 1 | Spoofing, Repudiation, Elevation of Privilege | 2 | 2 |
| Security Alarms | Campus | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, hardware, software, and physical structures. | 1 | Denial of Service | 2 | 2 |
| U.P.S. | Campus, 36 hours | 3- If the main power goes out and the U.P.S. fails, the company will be unable to work and may lose data. | Possibly outdated policies, hardware, and software. | 1 | Denial of Service | 2 | 2 |
| Security Sensors (Fire, Water, etc.) | Campus | 3- Unauthorized intrusions and damage/loss of property can occur. | Possibly outdated security policies, hardware, software, and physical structures. | 1 | Denial of Service | 2 | 2 |
| Power Generator | Campus | 3- If the main power goes out and the U.P.S. fails, the company will be unable to work and may lose data. | Possibly outdated policies, hardware, and software. | 1 | Denial of Service | 2 | 2 |
| (B.Y.O.D.) Employee Mobile Devices | Campus | 3- Malware and viruses can inflict damage; data loss/theft and social engineering attacks are all possible. | No enforced regulations, policies, or hardware/software requirements. | 2 | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Website: http://www.harryandmae.com | Hosted on the single web server, public | 3- Malware and viruses can inflict damage; data loss/theft and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Website: http://www.haryandmae.local | Hosted on the single web server, private (pay statements, work performance, vacation time, personal information) | 3- Malware and viruses can inflict damage; data loss/theft and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Website: http://www.HandMScranton.com | Owned by the franchise owner in Scranton, PA | 3- Malware and viruses can inflict damage; data loss/theft and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Company Facebook Account | Owned by the franchise owner in Scranton, PA | 3- Malware and viruses can inflict damage; data loss/theft and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Company Twitter Account | Owned by the franchise owner in Scranton, PA | 3- Malware and viruses can inflict damage; data loss/theft and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Company Instagram Account | Owned by the franchise owner in Scranton, PA | 3- Malware and viruses can inflict damage; data loss/theft and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
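The following Python helper is an added example, not part of the memo or of Teckzor's deliverable. It loads a subset of the rows above (values exactly as the assessor rated them) and turns the register into a remediation order, which is the prioritization the memo describes. The product-based banding in `score_exposure()` is an assumption introduced here, not the rule the memo used; its only purpose is to flag rows whose rating departs from a mechanical rule, so the reasoning behind those ratings can be written down before the next review.

```python
"""Risk-register prioritization helper (added example, not from the memo).

Rows in REGISTER are copied from the Harry and Mae's assessment table; the
exposure field holds the assessor's own rating. score_exposure() is an
ASSUMED banding rule (product of the three ratings), not the method the
memo used, so its output is only a consistency check against the assessor.
"""
from dataclasses import dataclass

SCALE = range(1, 4)  # every rating in the register is 1 (low) to 3 (high)


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: int    # "Asset Value" column, 1-3
    vulnerability: int  # "Vulnerability Value" column, 1-3
    likelihood: int     # "Likelihood Value" column, 1-3
    exposure: int       # assessor's "Risk Exposure" rating, 1-3

    def __post_init__(self) -> None:
        # Reject anything outside the 1-3 scale before it can skew the ranking.
        for field in ("asset_value", "vulnerability", "likelihood", "exposure"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{self.name}: {field} must be 1, 2 or 3")


# Subset of rows taken from the table above, values as the assessor gave them.
REGISTER = [
    Asset("Internet", 2, 1, 3, 2),
    Asset("Nexus Core 700 Switches", 2, 1, 2, 1),
    Asset("Cisco ME 3600X Switches", 2, 2, 3, 3),
    Asset("HP StorageWorks Server (SAN)", 3, 2, 2, 3),
    Asset("Dell OptiPlex 3020 Workstations", 3, 1, 2, 2),
    Asset("P.O.S. System", 3, 3, 3, 3),
    Asset("Microsoft Internet Explorer 10", 3, 1, 1, 2),
    Asset("Employees", 3, 1, 3, 3),
    Asset("Campus Building", 3, 1, 2, 2),
]


def score_exposure(asset_value: int, vulnerability: int, likelihood: int) -> int:
    """ASSUMED rule: multiply the three 1-3 ratings (product range 1..27) and
    band the product: 1-4 -> 1 (low), 5-9 -> 2 (medium), 10-27 -> 3 (high)."""
    for rating in (asset_value, vulnerability, likelihood):
        if rating not in SCALE:
            raise ValueError("ratings must be 1, 2 or 3")
    product = asset_value * vulnerability * likelihood
    if product <= 4:
        return 1
    if product <= 9:
        return 2
    return 3


def prioritize(register: list) -> list:
    """Remediation order: highest exposure first; ties broken by asset value,
    then likelihood, then vulnerability, then name for a stable result."""
    ordered = sorted(
        register,
        key=lambda a: (-a.exposure, -a.asset_value, -a.likelihood,
                       -a.vulnerability, a.name),
    )
    return [a.name for a in ordered]


def rationale_review(register: list) -> dict:
    """Return {name: (assessor_exposure, rule_exposure)} for each row where the
    assessor's rating differs from the assumed banding rule. Such rows are not
    wrong; they are the ones whose justification should be documented."""
    differences = {}
    for a in register:
        computed = score_exposure(a.asset_value, a.vulnerability, a.likelihood)
        if computed != a.exposure:
            differences[a.name] = (a.exposure, computed)
    return differences


if __name__ == "__main__":
    for rank, name in enumerate(prioritize(REGISTER), start=1):
        print(f"{rank:2d}. {name}")
    for name, (given, computed) in rationale_review(REGISTER).items():
        print(f"document rationale: {name} (assessor {given}, rule {computed})")
```

Running the script prints the P.O.S. System first and the Nexus Core 700 Switches last, and lists two rows (Internet Explorer 10 and Employees) where the assessor's rating sits above what the assumed product rule would give; in a real register those are the rows to annotate with the reasoning, not the rows to change.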