Lab1 IAA202

The document is a lab assessment worksheet that identifies risks, threats, and vulnerabilities across seven domains of a typical IT infrastructure: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application. It then asks a series of questions about the risks identified and how to best mitigate them through practices like access controls, encryption, software updates, and a layered security strategy across all domains.

Lab #1: Assessment Worksheet

Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Course Name: Risk Management in Information Systems (IAA202)
Student Name: Nguyễn Trí Vương - HE161634, Đào Mạnh Công - HE161422
Instructor Name: Hồ Kim Cường
Lab Due Date:
Risk – Threat – Vulnerability | Primary Domain Impacted
1. Unauthorized access from public Internet | Remote Access
2. User destroys data in application and deletes all files | System/Application
3. Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN
4. Intra-office employee romance gone bad | User
5. Fire destroys primary data center | System/Application
6. Communication circuit outages | WAN
7. Workstation OS has a known software vulnerability | Workstation
8. Unauthorized access to organization-owned workstations | Workstation
9. Loss of production data | System/Application
10. Denial of service attack on organization e-mail server | LAN-to-WAN

Risk – Threat – Vulnerability | Primary Domain Impacted
1. Remote communications from home office | Remote Access
2. LAN server OS has a known software vulnerability | LAN
3. User downloads an unknown e-mail attachment | User
4. Workstation browser has software vulnerability | Workstation
5. Service provider has a major network outage | WAN
6. Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN
7. User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User
8. VPN tunneling between remote computer and ingress/egress router | LAN-to-WAN
9. WLAN access points are needed for LAN connectivity within a warehouse | LAN
10. Need to prevent rogue users from unauthorized WLAN access | LAN
Overview
One of the most important first steps to risk management and implementing a risk
mitigation strategy is to identify known risks, threats, and vulnerabilities and organize
them. The purpose of the seven domains of a typical IT infrastructure is to help organize
the roles, responsibilities, and accountabilities for risk management and risk mitigation.
This lab requires students to identify risks, threats, and vulnerabilities and map them to
the domain that these impact from a risk management perspective.
Lab Assessment Questions
Given the scenario of a healthcare organization, answer the following Lab #1 assessment
questions from a risk management perspective:

1. Healthcare organizations are under strict compliance with HIPAA privacy requirements, which require that an organization have proper security controls for handling personal healthcare information (PHI) privacy data. This includes security controls for the IT infrastructure handling PHI privacy data.
- Which one of the listed risks, threats, or vulnerabilities can violate HIPAA privacy requirements? List one and justify your answer in one or two sentences.
- If a user uses an organization's computer to visit an unknown website for personal purposes, the user's actions can expose the computer to external attacks. Attackers can deliver malware or botnets through users accessing an unknown port. Once the computer is infected, hackers can use the computer, and the risk factor here is what happens if this PHI privacy data is compromised and disclosed.

2. How many threats and vulnerabilities did you find that impacted risk in each of the
seven domains of a typical IT infrastructure?
- User Domain: 3
- Workstation Domain: 3
- LAN Domain: 3
- LAN-to-WAN Domain: 4
- WAN Domain: 2
- Remote Access Domain: 2
- System/Application Domain: 3

3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
- LAN-to-WAN domain.

4. What is the risk impact or risk factor (critical, major, minor) that you would
qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-
to-WAN Domain for the healthcare and HIPPA compliance scenario?
- Hacker penetrates IT infrastructure and gains access to your internal network: Critical, PHI can be compromised.
- Denial of service attack on organization's e-mail server: Minor, can be mitigated.
- Weak ingress/egress traffic filtering degrades performance: Minor, can be mitigated.
- VPN tunneling between the remote computer and ingress/egress router: Major, if electronic protected health information (ePHI) is being accessed remotely.

5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and business continuity plan to maintain continued operations during a catastrophic outage?
- Fire destroys primary data center.

6. Which domain represents the greatest risk and uncertainty to an organization?
- People are often influenced by emotions in many things in life and are attracted by money, status, lust, etc., and information security is no exception. In particular, the user domain is the last important link in accessing IT infrastructure, so it is also the weakest and greatest-risk link in an organization's IT security. That is why the implementation of policies, 2-layer security, access management, awareness raising and ethics training, as well as professionalism in employee information security, is what helps us to improve and resolve this issue.

7. Which domain requires stringent access controls and encryption for connectivity to
corporate resources from home?
- We need to strengthen access control and encrypt the remote access domain because
otherwise we can expose information such as revealing the location of individuals,
devices or even an entire company or organization.
8. Which domain requires annual security awareness training and employee background
checks for sensitive positions to help mitigate risk from employee sabotage?
- I’m sure those would be the User and Workstation domains, because if these domains are not checked every year, problems can occur that not only cause great damage to the company but can also affect the development of the whole team in terms of skills and income; the company's reputation is lowered and we can’t evaluate employee sabotage.

9. Which domains need software vulnerability assessment to reduce the risk from
software vulnerabilities?
- Workstation domain (workstations, any smart device in the organization)
- LAN Domain (related to network equipment)
- System/application domains (web servers host Web sites and serve them to Web clients,
network storage areas (SANs), network attached storage (NAS), backup devices).
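As an added example that is not part of the original worksheet, the following Python script performs a minimal software vulnerability assessment over a constructed asset inventory and groups its findings by the three domains named in the answer (Workstation, LAN, System/Application). The hostnames, software names, versions and patch baselines are all made up for illustration; in practice the baseline would come from a vulnerability feed or vendor advisories.

```python
"""Minimal software vulnerability assessment grouped by IT-infrastructure domain.

Added example, not from the original lab. Every inventory entry and every
baseline version below is constructed (hypothetical) for illustration.
"""
from collections import defaultdict

# Constructed inventory: (hostname, domain, software, installed version)
INVENTORY = [
    ("ws-01", "Workstation", "browser", "116.0.2"),
    ("ws-02", "Workstation", "browser", "118.0.0"),
    ("lan-sw-1", "LAN", "switch-firmware", "2.4.9"),
    ("srv-web", "System/Application", "web-server", "1.18.0"),
    ("srv-nas", "System/Application", "nas-firmware", "5.1.0"),
]

# Constructed baseline: the minimum version considered patched (hypothetical)
PATCH_BASELINE = {
    "browser": "117.0.0",
    "switch-firmware": "2.5.0",
    "web-server": "1.20.1",
    "nas-firmware": "5.1.0",
}


def parse_version(version):
    """Turn a dotted version string into a tuple of ints so it compares numerically
    (avoids the string-comparison trap where "10.0" < "9.0")."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed, minimum):
    """True when the installed version is strictly below the patched baseline."""
    return parse_version(installed) < parse_version(minimum)


def assess(inventory, baseline):
    """Return {domain: [(host, software, installed, required), ...]} for every
    asset that is below baseline. Software with no baseline entry is reported
    too, because an untracked package is a gap in the assessment, not a pass."""
    findings = defaultdict(list)
    for host, domain, software, version in inventory:
        required = baseline.get(software)
        if required is None:
            findings[domain].append((host, software, version, "no baseline"))
        elif is_outdated(version, required):
            findings[domain].append((host, software, version, required))
    return dict(findings)


def summarize(findings):
    """Count findings per domain, which is what a domain-level risk view needs."""
    return {domain: len(items) for domain, items in findings.items()}


if __name__ == "__main__":
    result = assess(INVENTORY, PATCH_BASELINE)
    for domain, items in result.items():
        print(f"{domain} Domain: {len(items)} finding(s)")
        for host, software, installed, required in items:
            print(f"  {host}: {software} {installed} (required {required})")
```

Running it lists one outdated asset in each of the three domains; the NAS firmware already meets its baseline and is not reported. The numeric version comparison is the part worth keeping: comparing version strings lexically would silently mis-rank multi-digit components.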

10. Which domain requires AUPs (Acceptable Use Policy) to minimize unnecessary User
initiated Internet traffic and can be monitored and controlled by web content filters?
User domain

11. In which domain do you implement web content filters?
- LAN-to-WAN domain

12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the
Workstation Domain, which domain does WLAN fall within?
LAN domain

13. A bank under the Gramm-Leach-Bliley Act (GLBA) for protecting customer privacy has just implemented their online banking solution allowing customers to access their accounts and perform transactions via their computer or PDA device. Online banking servers and their public Internet hosting would fall within which domains of security responsibility?
- Online banking servers: System/Application Domain
- Public Internet hosting: LAN-to-WAN Domain

14. Customers that conduct online banking using their laptop or personal computer must
use HTTPS, the secure and encrypted version of HTTP: browser communications.
HTTPS:// encrypts webpage data inputs and data through the public Internet and decrypts
that webpage and data once displayed on your browser. True or False.
- True

15. Explain how a layered security strategy throughout the 7-domains of a typical IT
infrastructure can help mitigate risk exposure for loss of privacy data or confidential data
from the Systems/Application Domain.
- Organizations can design a layered security solution by examining where privacy and
confidential data reside and are accessed. Implementing security controls in the User and
Workstation Domains grants appropriate access to systems and data. Additional measures
in the LAN and LAN-to-WAN Domains provide access controls to authorized users.
Keeping servers, operating systems, and software updated mitigates risks within the
System/Application Domain.
