Student Lab Manual

Lab #1: Assessment Worksheet

Part A – List of Risks, Threats, and Vulnerabilities

Commonly Found in an IT Infrastructure

Course Name: IAA202

Student Name: Bạch Quang Lâm_HE172445

Class: IA1803

Risk – Threat – Vulnerability Primary Domain Impacted

1/ Unauthorized access from public Internet Remote Access Domain

2/ User destroys data in application and deletes System/Application Domain

all files

3/ Hacker penetrates your IT infrastructure and LAN-to-WAN Domain

gains access to your internal network

4/ Intra-office employee romance gone bad User Domain

5/ Fire destroys primary data center System/Application

6/ Communication circuit outages WAN

7/ Workstation OS has a known software vulnerability Workstation

8/ Unauthorized access to organization owned Workstations Workstation

9/ Loss of production data System/Application

10/Denial of service attack on organization e-mail LAN-to-WAN

Server

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011
www.jblearning.com
All Rights Reserved.
-6-
 Student Lab Manual

Risk – Threat – Vulnerability Primary Domain Impacted

1/ Remote communications from home office Remote Access

2/ LAN server OS has a known software vulnerability LAN Domain

3/ User downloads an unknown e–mail attachment User Domain

4/ Workstation browser has software vulnerability Workstation Domain

5/ Service provider has a major network outage WAN Domain

6/ Weak ingress/egress traffic filtering degrades LAN-to-WAN Domain

Performance

7/ User inserts CDs and USB hard drives

with personal photos, music, and videos User Domain
on organization owned computers

8/ VPN tunneling between remote LAN-to-WAN Domain

computer and ingress/egress router

9/ WLAN access points are needed for LAN Domain

LAN connectivity within a warehouse

10/ Need to prevent rogue users from LAN Domain

unauthorized WLAN access

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011
www.jblearning.com
All Rights Reserved.
-7-
 Student Lab Manual

Lab #1: Assessment

Worksheet

Identify Threats and Vulnerabilities in an IT

Infrastructure

Course Name: IAA202

Student Name: Bạch Quang Lâm_HE172445

Class: IA1803

Lab Assessment Questions

Given the scenario of a healthcare organization, answer the following Lab #1 assessment questions
from a risk management perspective:

1. Healthcare organizations are under strict compliance to HIPPA privacy requirements which
require that an organization have proper security controls for handling personal healthcare
information (PHI) privacy data. This includes security controls for the IT infrastructure handling
PHI privacy data. Which one of the listed risks, threats, or vulnerabilities can violate HIPPA
privacy requirements? List one and justify your answer in one or two sentences.
- User inserts CDs and USB hard drives with personal photos, music, and videos on organization
owned computers.

2. How many threats and vulnerabilities did you find that impacted risk within each of the seven
domains of a typical IT infrastructure?
User Domain: 3
Workstation Domain: 3
LAN Domain: 3
LAN-to-WAN Domain: 4
WAN Domain: 2
Remote Access Domain: 2
Systems/Application Domain: 3

3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
- LAN-to-WAN Domain

4. What is the risk impact or risk factor (critical, major, minor) that you would qualitatively assign to
the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the
healthcare and HIPPA compliance scenario?
- Hacker penetrates IT infrastructure and gains access to your internal network: Critical, as it may
impact on all of Organization’s information systems.
- Unauthorized access from public Internet: Minor, as it can be denied or strict.

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011
www.jblearning.com
All Rights Reserved.
-8-
 Student Lab Manual
5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one
requires a disaster recovery plan and business continuity plan to maintain continued operations
during a catastrophic outage?
- Fire destroys primary data center

6. Which domain represents the greatest risk and uncertainty to an organization?

- User Domain: People is considered the weakest link in the security chain and are chronically
responsible for the failure of security systems.

7. Which domain requires stringent access controls and encryption for connectivity to
corporate resources from home?
- Remote Access Domain due to the risk of sniffing attack and the integrity while transfer

8. Which domain requires annual security awareness training and employee background checks
for sensitive positions to help mitigate risk from employee sabotage?
- User Domain: People is considered the weakest link in the security chain and are
chronically responsible for the failure of security systems

9. Which domains need software vulnerability assessments to mitigate risk from

software vulnerabilities?
- Workstation Domain (workstation, corporate-issued mobile devices)
- LAN Domain (regarding the network devices)
- System/Application Domain (servers, storage area network (SAN), network
attached storage (NAS), backup devices)

10. Which domain requires AUPs to minimize unnecessary User initiated Internet traffic and
can be monitored and controlled by web content filters
- System/application domain requires AUP to minimize unnecessary internet traffic

11. In which domain do you implement web content filters?

- LAN-to-WAN Domain

12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the Workstation
Domain, which domain does WLAN fall within?
- LAN Domain

13. A bank under Gramm-Leach-Bliley-Act (GLBA) for protecting customer privacy has just
implemented their online banking solution allowing customers to access their accounts and
perform transactions via their computer or personal digital assistant (PDA) device. Online
banking servers and their public Internet hosting would fall within which domains of security
responsibility?
- Online banking servers: System/Application Domain
- public Internet hosting: LAN-to-WAN Domain

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011
www.jblearning.com
All Rights Reserved.
-9-
 Student Lab Manual
14. True

15. Explain how a layered security strategy throughout the 7-domains of a typical IT infrastructure
can help mitigate risk exposure for loss of privacy data or confidential data from the
Systems/Application Domain.
- In short, the idea of a layered security is that any single defense may be flawed, and the
most certain way to find the flaws is to be compromised by an attack -- so a series of different
defenses should each be used to cover the gaps in the others' protective capabilities.

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011
www.jblearning.com
All Rights Reserved.
-10-