
Scenario: Harry and Mae’s Inc. Case Study- Asset and Vulnerability Value, Risk Exposure, and Likelihood


Dear Harry and Mae’s Inc.’s I.T. Staff and Executives,

Per your request, I have taken the identified threats to your assets a step further by applying the following rankings: asset value, vulnerability value, likelihood, and risk exposure. I calculated the below chart by deciphering the value of the asset, what could happen to it, the possibility of it happening, and then by using this information, calculating the asset’s risk exposure. Armed with the following chart, Harry and Mae’s will have an accurate description of what it needs to focus on in terms of risk management, what it needs to prioritize, and what can wait for later, thus granting the ability to manage resources better. Please let me know if you have any further questions.

Thank you,

William Donaldson, Teckzor Inc.

| Asset | Description | Asset Value (1-Low, 3-High) | Vulnerabilities | Vulnerability Value (1-Low, 3-High) | Threats | Likelihood Value (1-Low, 3-High) | Risk Exposure (1-Low, 3-High) |
|---|---|---|---|---|---|---|---|
| Internet | Comcast Business Services: Fully redundant fiber (100Mbps down and 50Mbps up) | 2 - If the Internet goes down, without a second ISP, the organization’s operation will stop. | While there is a fully redundant dual-fiber ring consisting of two fiber pairs, if the network does indeed go down, the entire system and security software/hardware will be inaccessible. | 1 | Denial of Service | 3 | 2 |
| Nexus Core 700 Switches | NX-OS 5.0 | 2 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. | No policy on system updates. Various reported issues. Running NX-OS 5.0. | 1 | Denial of Service | 2 | 1 |
| Cisco ME 3600X Switches | 2nd layer, located in each building on campus | 2 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. | Poor password policy. Open access possible with a breach. | 2 | Denial of Service, Elevation of Privilege | 3 | 3 |
| Aruba WAPs | Aruba Networks Grid | 3 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. | Accessible access to Wi-Fi, allowing the possibility of an attack. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Dell SonicWall NSA 4600 | Connect Comcast Internet to the core network | 2 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. | (External Threat) Default policy and settings are allowing for the possibility of a breach. (Internal Threat) Default policy and settings allow for the possibility of a breach/error due to no policy for updates. Reported issues. | 2 | Denial of Service, Spoofing, Elevation of Privilege | 2 | 2 |
| Aruba 6000 Mod Controllers | Serves Aruba WAPs | 2 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. | (External Threat) Default policy and settings are allowing for the possibility of a breach or downed network. (Internal Threat) Guest account. Reported issues. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Barracuda Spam and Virus Firewall | Core network, forwards mail traffic | 1 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppages of work. Furthermore, malware and viruses can inflict damage if able to get through. | (External Threat) Network settings/location. (Internal Threat) No policy for updates. Reported issues. | 2 | Denial of Service, Spoofing, Elevation of Privilege | 2 | 2 |
| Cisco 2960-S P.O.E. Switches | 3rd layer connects Desktop P.C.s and P.O.E. phones with Gigabit copper LANs | 1 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. | Power outage would cripple network. | 1 | Denial of Service | 3 | 2 |
| FTP Server | Enabled for both internal/external networks and remote situations. Also used as a staging server | 2 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. | Encryption/Authentication issues increase the possibility of compromised data. | 1 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 2 |
| HP StorageWorks Server (SAN) | 200TByte, provides storage for the HP ProLiant DL380 G7 Servers | 3 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss. | Lack of antivirus, updates, policies. The last firmware/driver update was in 2013. Reported concerns. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Email Server (Microsoft Exchange Server 2010 SP3) | Internal and external (with public IP address) connections | 2 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss. | (External Threat) Lack of firewall and inadequate authentication protocols preventing unauthorized access. (Internal Threat) Lack of policy for updates. Not maintained. Reported Exchange vulnerabilities. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 2 |
| Web Server (IIS) | Internal and external (with public IP address) connections | 2 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss. | Poor authentication measures allow for unauthorized external access. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| HP ProLiant DL380 G7 Servers | Version 5.1 of VMWare vSphere | 3 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss. | The last firmware/driver update was in 2013. Version 5.1 of VMWare vSphere needs to be updated to the current 6.7 version. Many reported vulnerabilities. | 1 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| A.D. Domain Controller | One account for the entire campus | 3 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss. | Default settings. Access between departments is allowed. Basic/Admin user privileges are not separated for all users using least-privilege. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 3 | 3 |
| First AD Organizational Unit | Campus | 3 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss. | Default settings. Access between departments is allowed. Basic/Admin user privileges are not separated for all users using least-privilege. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Second A.D. Organizational Unit | Accounting and Finance Group | 3 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss. | Default settings. Access between departments is allowed. Basic/Admin user privileges are not separated for all users using least-privilege. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Dell OptiPlex 3020 Workstations | Windows 7, joined to AD | 3 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work, as well as potential data loss. | (Internal Threat) Unrestricted access for unauthorized users. Windows 7 needs to be updated to Windows 10 due to Windows 7’s now ended support. Improper virus network settings/software. Policies and procedures. (External Threat) Flaws and concerns with the system. Authentication issues. Windows 7 usage and requirement to upgrade to Windows 10. | 1 | Denial of Service, Spoofing, Tampering, Repudiation, Elevation of Privilege, Information Disclosure | 2 | 2 |
| P.O.S. System | Hosted as a virtual server on VMware vSphere Hypervisor (ESXi) version 5.1 | 3 - If an error or incompatibilities with outdated software occurs, there will be significant reduction or stoppages of work, as well as potential data loss and virus/malware infections. | Poor system policy and authentication settings and lack of encryption and training can enable unauthorized access to customer data. | 3 | Denial of Service, Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Off Campus-NAT Firewall | No further data | 2 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if able to get through. | Poor access/authentication measures. | 2 | Denial of Service, Spoofing, Elevation of Privilege, Information Disclosure | 1 | 2 |
| Off Campus-WAP | Setup by franchise owner | 2 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppages of work. | Poor access/authentication measures. | 2 | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | 1 | 2 |
| Employees | No further data | 3 - Lack of education and training can open up various risks such as social engineering attacks and the misuse of systems, hardware, etc. | Lack of education/training | 1 | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Symantec Endpoint Protection | All Campus Workstations | 3 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if able to get through. | Symantec Endpoint Protection’s access should not be given to 1/3 of the employees. | 2 | Denial of Service, Repudiation, Elevation of Privilege | 3 | 3 |
| W.S.U.S. | Updates Microsoft applications | 3 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if able to get through. | No update policy. | 1 | Denial of Service, Elevation of Privilege | 2 | 2 |
| Microsoft Internet Explorer 10 | Company Standard Browser | 3 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if able to get through. | Lack of company-wide enforced browser and settings. | 1 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 1 | 2 |
| Norton Antivirus Software | Off-Campus | 3 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if able to get through. | Lack of a uniform security system; for this system, all employees should not have access, and instead, only I.T. admins. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 3 | 3 |
| Microsoft PPTP VPN Clients | (Off-Campus) P.O.S. Processing | 3 - If an error or incompatibilities with outdated software occurs, there will be a significant reduction or stoppage of work. Furthermore, malware and viruses can inflict damage if able to get through. | Current ability to be minimized, thus allowing malware-infection opportunities. | 3 | Denial of Service, Repudiation, Elevation of Privilege | 3 | 3 |
| Campus Building | Physical Location | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, hardware, software, physical structures. | 1 | Unknown | 2 | 2 |
| Off-Campus Buildings | Physical Location | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, hardware, software, physical structures. | 1 | Unknown | 2 | 2 |
| Perimeter Fence | Campus | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, hardware, software, physical structures. | 1 | Unknown | 2 | 2 |
| Surveillance Cameras | Campus | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, hardware, software, physical structures. | 1 | Denial of Service, Elevation of Privilege | 2 | 2 |
| Smart Card Access Systems | Campus | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, hardware, software, physical structures. | 1 | Denial of Service, Elevation of Privilege | 2 | 2 |
| Security Staff | Campus | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, skills, and training. | 1 | Spoofing, Repudiation, Elevation of Privilege | 2 | 2 |
| Security Alarms | Campus | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, hardware, software, physical structures. | 1 | Denial of Service | 2 | 2 |
| U.P.S. | Campus, 36-hours | 3 - If the main power goes out, and the UPS fails, the company will be unable to work and possibly lose data. | Possible outdated policies, hardware, and software. | 1 | Denial of Service | 2 | 2 |
| Security Fire, Water, etc. Sensors | Campus | 3 - Unauthorized intrusions and damage/loss of property can occur. | Possible outdated security policies, hardware, software, physical structures. | 1 | Denial of Service | 2 | 2 |
| Power Generator | Campus | 3 - If the main power goes out, and the UPS fails, the company will be unable to work and possibly lose data. | Possible outdated policies, hardware, and software. | 1 | Denial of Service | 2 | 2 |
| (B.Y.O.D.) Employee Mobile Devices | Campus | 3 - Malware and viruses can inflict damage, data loss/theft, and social engineering attacks are all possible. | No enforced regulations, policies, or hardware/software requirements. | 2 | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Website- http://www.harryandmae.com | Hosted on the single web server, public | 3 - Malware and viruses can inflict damage, data loss/theft, and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Website- http://www.haryandmae.local. | Hosted on the single web server, private (pay statements, work performance, vacation time, personal information) | 3 - Malware and viruses can inflict damage, data loss/theft, and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Website- http://www.HandMScranton.com | Owned by franchise owner in Scranton, PA | 3 - Malware and viruses can inflict damage, data loss/theft, and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Company Facebook Account | Owned by franchise owner in Scranton, PA | 3 - Malware and viruses can inflict damage, data loss/theft, and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Company Twitter Account | Owned by franchise owner in Scranton, PA | 3 - Malware and viruses can inflict damage, data loss/theft, and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |
| Company Instagram Account | Owned by franchise owner in Scranton, PA | 3 - Malware and viruses can inflict damage, data loss/theft, and social engineering attacks are all possible. | No enforced regulations, policies, or maintenance and security procedures. | 2 | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | 2 | 3 |

