Extend your table from Week Two to include the Probability of Risk and the Impact of Risk on the organization, and include mitigation steps for the top 20 pairs.
Part 1
Fill out the final three columns in the table from the previous week.
Rate the probability and impact of each vulnerability-threat pair as High, Medium, or Low. Note that these are independent of each other.
Rank the pairs in the order they should be addressed by the organization. Note that High/High rows will be at the top and Low/Low rows at the bottom. The team will have to decide where to rank rows not at these extremes.
Suggest specific mitigation steps to take for the top 20 rows. You will go into more detail for the final project due in Week Five. Leave the Suggested Mitigation Steps column empty for rows below the top 20.
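The ranking procedure in Part 1 (rate Probability and Impact independently, put High/High rows at the top and Low/Low at the bottom, and fill in mitigation steps only for the top 20) can be made repeatable so the team's choices for the in-between rows are explicit. The script below is an added example, not part of the assignment or the team's submission. It assumes a weighting the brief does not specify: High/Medium/Low map to 3/2/1, a pair's risk score is probability times impact, and ties are broken by higher impact, then higher probability, then original row order. The sample pairs are constructed from headings in the table; their ratings are invented for illustration.

```python
from dataclasses import dataclass, replace

# Qualitative ratings from the brief; the numeric weights are an assumption
LEVEL = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Pair:
    vulnerability: str
    threat: str
    probability: str   # "High", "Medium" or "Low"
    impact: str        # rated independently of probability
    mitigation: str = ""

    def score(self) -> int:
        # Assumed scoring: product of the two weights (9 for High/High, 1 for Low/Low)
        return LEVEL[self.probability] * LEVEL[self.impact]


def validate(pairs):
    """Reject ratings outside High/Medium/Low before anything is ranked."""
    for p in pairs:
        if p.probability not in LEVEL or p.impact not in LEVEL:
            raise ValueError(f"{p.vulnerability}: ratings must be High, Medium or Low")


def rank(pairs, top_n=20):
    """Return a new list ordered highest risk first. High/High rows sit at the
    top and Low/Low at the bottom; rows in between are ordered by the assumed
    tie-break (higher impact first, then higher probability, then input order).
    Rows below top_n get an empty Suggested Mitigation Steps cell, as required."""
    validate(pairs)
    order = sorted(
        range(len(pairs)),
        key=lambda i: (
            -pairs[i].score(),
            -LEVEL[pairs[i].impact],
            -LEVEL[pairs[i].probability],
            i,
        ),
    )
    ranked = []
    for position, i in enumerate(order):
        p = pairs[i]
        ranked.append(p if position < top_n else replace(p, mitigation=""))
    return ranked


def render(ranked):
    """Plain-text rows in the assignment's column order."""
    lines = ["# | Vulnerability | Probability | Impact | Suggested Mitigation Steps"]
    for n, p in enumerate(ranked, 1):
        lines.append(f"{n} | {p.vulnerability} | {p.probability} | {p.impact} | {p.mitigation}")
    return "\n".join(lines)


# Constructed sample: names taken from the table, ratings invented for illustration
SAMPLE = [
    Pair("USB DRIVE", "Infects the network from inside the firewall", "High", "High",
         "Enforce a removable media policy"),
    Pair("FIRE ALARM", "Suppression system fails when needed", "Low", "High",
         "Test the system periodically"),
    Pair("NETWORK CABLES", "Interference or loss of connectivity", "Low", "Low",
         "Route and label cables"),
    Pair("PASSWORDS", "Guessable passwords give initial access", "High", "Medium",
         "Enforce strong passwords and lockout"),
    Pair("FAX MACHINES", "Unsecured faxing leaks confidential data", "Medium", "Low",
         "Information distribution policy"),
    Pair("WORKSTATIONS", "Used as 'slave' machines in coordinated attacks", "High", "Low",
         "Harden workstations"),
]

if __name__ == "__main__":
    # top_n=3 here so the blanking of lower rows is visible on a short sample
    print(render(rank(SAMPLE, top_n=3)))
```

The Low/High and High/Low rows both score 3 under the assumed weights; the tie-break puts the higher-impact pair first, which is the kind of decision Part 2 asks the team to explain in writing. Swap the weights or the tie-break order if the team reasons differently, and the ranking stays consistent across the whole table.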
Part 2
Prepare a brief explanation on the final rankings.
· Describe how the team finally ranked the pairs and the reasoning behind the suggested mitigation steps.
· Focus on the top 20 rows, but cover why the others were ranked lower and will not be addressed at this time.
· Keep this explanation brief and clear but informative.
Riordan Network Vulnerabilities

# | Vulnerability | Threat | Probability | Impact | Suggested Mitigation Steps
1 | USB DRIVE | The most common way to infect a network from inside the firewall | | | Implement and enforce policies regarding the use of such devices.
2 | LAPTOP | Can tap directly into the network and infect it with malware, giving others access | | | Implement and enforce policies regarding portable devices.
3 | BLUETOOTH | Identity detection, DoS, involuntary control of and access to data | | | Implement and enforce policies regarding the use of such devices.
4 | WI-FI | Clear-text data can be captured | | | Implement and enforce policies regarding the use of such devices.
5 | FIREWALL | Protects content on desktops and in turn keeps the entire network safe | | | Install and configure firewalls.
6 | NETWORK PROTOCOLS | Flawed, unpatched protocols can allow remote sabotage and DoS | | | Disable unused protocols and monitor the ones in use.
7 | SMARTPHONES | Potentially pose the same threats as notebooks and thumb drives | | | Implement and enforce policies regarding the use of such devices.
8 | OPTICAL MEDIA | Confidential data can be stolen or leaked | | | Implement and enforce policies regarding access to and use of recordable media.
9 | ROUTERS | Exposed ports, network access | | | Install and configure routers based on industry standards.
10 | NETWORK CABLES | Danger of electronic interference or loss of network connectivity | | | Install cables in areas that minimize interference. Label cables.
11 | PRINTERS | While a print job is in the queue, the data is unencrypted and vulnerable to theft | | | Update printer firmware and keep an up-to-date inventory of all printers and drivers.
12 | FAX MACHINES | Unsecured faxing puts you at risk of confidential data and identity theft | | | Implement and enforce policies regarding information distribution.
13 | SAN STORAGE | Network availability | | | Limit access to data storage based on classification and need to know.
14 | EMPLOYEES | Individuals having access to restricted areas of the network | | | Maintain a strict access control policy for restricted areas.
15 | SERVERS | Open to brute-force attacks, botnets, cross-site scripting and DoS | | | Harden servers against cyber attacks using industry standards or better.
16 | WORKSTATIONS | Can be used by attackers as “slave” machines in coordinated attacks | | | Harden workstations against cyber attacks using industry standards or better.
17 | VIDEO CONFERENCING | Machines set to auto-answer allow an attacker to gain a front-row seat inside corporate meetings | | | Harden the system and disable auto-answer to prevent eavesdropping.
18 | THEFT | Attacker steals privileged information to gain access | | | Access control and password policy.
19 | IMPERSONATION | Attacker poses as a service provider or custodial crew to gain physical access | | | Security awareness training and policy.
20 | LAPTOPS/TABLETS | Portable, easy to hide and easy to attach to the network | | | Implement and enforce a portable device policy.
21 | USB DEVICES | MP3 players, etc. | | | Implement strict policies regarding USB devices.
22 | FIRE ALARM | Fire retardant system does not work when needed | | | Test the fire alarm system periodically.
23 | ELECTRICAL POWER | No backup power in case of a public power outage | | | Backup generators and UPS for critical systems.
24 | AIR CONDITIONING SYSTEM | Cooling system failure causes equipment to overheat and fail | | | Service and maintain the heating and cooling system.
25 | POOR MAINTENANCE | Not knowing when unauthorized equipment is attached to the network | | | Inventory and label all equipment and document change management.
Logical Network Vulnerabilities

# | Vulnerability | Threat | Probability | Impact | Suggested Mitigation Steps
1 | DATABASE | SQL injection, DoS attacks, database exposure and privilege elevation | | |
2 | VPN | Confidential information can be inadvertently downloaded. Unobstructed route for malware. | | |
3 | MAN-IN-THE-MIDDLE | Attacker monitors and steals information in real time | | | Use cryptography and Hashed Message Authentication Codes (HMAC).
4 | PRIVILEGE ESCALATION | Individual gains access to higher network functions due to misconfiguration | | | Check roles, use strong ACLs, and use standard encryption.
5 | PHISHING | Used by an attacker to collect sensitive information to gain access | | | Segment the network and encrypt data.
6 | FOOTPRINTING | Attacker uses a default username and a weak or blank password to gain access to the network | | | Use strong passwords; do not use blank or weak passwords.
7 | HIJACKING | Attacker can take over your internet browser and download additional malware | | | Use session and communication encryption. Apply patches to fix vulnerabilities.
8 | SOCIAL ENGINEERING | Attackers trick users into revealing their passwords | | | Security awareness training.
9 | PASSWORDS | Easily guessable passwords let attackers gain initial access to a system | | | Enforce strong passwords; use lockout and audit trails.
10 | DIGITAL CERTIFICATE | Attackers hack into certificate authorities and issue false certificates for legitimate websites | | | Revoke affected certificates and maintain a list of revoked keys to identify false certificates.
11 | OPERATING SYSTEM | If not patched regularly, the network is open to security vulnerabilities | | | Harden the OS.
12 | TCP/IP | Vulnerable to a variety of attacks ranging from password sniffing to denial of service | | | Disable unnecessary protocols.
13 | | Spyware, viruses, phishing and spam | | | Conduct cyber security awareness training to educate end users about email threats.
14 | WEB BROWSERS | Attacker can take over your browser if the browser plug-ins are not fully patched | | | Configure secure web permissions; use .NET Framework access control.
15 | INSTANT MESSAGING | Vulnerable to firewall tunneling, identity theft, data security leaks and authentication spoofing | | | Use strong passwords; do not cache passwords.
16 | SECURITY MISCONFIG | Attackers can access networks virtually without attracting attention | | | Configure based on industry standards. Avoid custom configuration.
17 | WEB APPLICATIONS | DoS, elevation of privilege, information disclosure and impersonation | | | Input validation. Use HTMLEncode and URLEncode functions to encode any output.
18 | MALWARE | Can infect networked resources and possibly bring down the network | | | Update definition files and patches.
19 | SOFTWARE DEFECT | Allows data to be viewed by unauthorized people | | | Apply updates and patch vulnerabilities, or uninstall and replace.
20 | SPOOFING | An attacker pretends to be an entity to take over communication between systems | | | Strong authentication. Do not store secrets. Do not pass credentials in plaintext over the wire. Protect authentication cookies with SSL.
21 | DOS ATTACK | An attack on a network that causes a loss of service to users | | | Resource and bandwidth throttling techniques. Validate and filter input.
22 | SNIFFER ATTACK | Can read, monitor and capture network data exchanges | | | Segment the network. Encrypt data.
23 | BUFFER OVERFLOW | Exploits poorly written software to let attackers take over the target system | | | Validate input. Inspect API managed code. Compile code with the /GS flag.
24 | REMOTE ACCESS | Without appropriate security measures (SSL VPN), all communications are transmitted in clear text | | | Configure remote access with the necessary security parameters to ensure secure communication.
25 | NO ANTIVIRUS | Not protected against viruses and other malware attacks | | | Install, configure and update antivirus software.
3 | Created a table of 50 vulnerability and threat pairs relevant to the organization | 0.00 | 0.70 | 0.85 | 1.00 | 0.85
Comment: Trying to find 50 vulnerabilities is not an easy task. Not every item is a vulnerability. Some are attacks, some are threats, and some are vulnerabilities.