Course Name and Number: Information Security & Risk Management ISOL533
Student Name: Modupe Blessing Igbafen
Instructor Name: Dr. Alan Coble
Lab Due Date: 04/01/2018
Assignment 1 Lab: Report
What is the purpose of an IT Risk Assessment?
The main purpose of assessing IT risk is to recognize and classify any action or event that could threaten an organization's continuous operation. Many of these threats concern the security of digital systems, networks, and data. IT risk assessment is generally regarded as one component of an enterprise risk management system.

Risks, threats, and vulnerabilities | Primary domain impacted | Risk impact/factor
--- | --- | ---
Unauthorized access from public Internet | REMOTE ACCESS DOMAIN | 1
Hacker penetrates your IT infrastructure and gains access to your internal network | USER DOMAIN | 1
Mobile employee needs secure browser access to sales-order entry system | REMOTE ACCESS DOMAIN | 1
Workstation operating system (OS) has a known software vulnerability | LAN-to-WAN DOMAIN | 3
Denial of service attack on organization Demilitarized Zone (DMZ) and email server | SYSTEM APPLICATION DOMAIN | 1
Remote communications from home office | REMOTE ACCESS DOMAIN | 3
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN DOMAIN | 2
Workstation browser has software vulnerability | WORKSTATION DOMAIN | 3
Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse | LAN-to-WAN DOMAIN | 2
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN-to-WAN DOMAIN | 3
User destroys data in application, deletes all files | USER DOMAIN | 2
Fire destroys primary data center | SYSTEM APPLICATION DOMAIN | 1
Intraoffice employee romance gone bad | USER DOMAIN | 3
Service provider service level agreement (SLA) is not achieved | LAN-to-WAN DOMAIN | 1
Loss of production data | SYSTEM APPLICATION DOMAIN | 2
Unauthorized access to organization-owned workstations | USER DOMAIN | 2
LAN server OS has a known software vulnerability | LAN DOMAIN | 3
User downloads and clicks on an unknown e-mail attachment | USER DOMAIN | 2
Service provider has a major network outage | WAN DOMAIN | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | USER DOMAIN | 1
Virtual Private Network (VPN) tunneling between the remote computer and ingress/egress router | REMOTE ACCESS DOMAIN | 1
Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet | WAN DOMAIN | 1
Executive Summary
Paragraph 1- Findings:
If users, workers, contractors and others do not understand the value of security, security will definitely be bypassed. In the User Domain, a user can knowingly or unknowingly download software from a malicious site, insert an infected USB drive or CD, or, worse still, destroy data and delete files because of a personal grudge. Social engineering is another nightmare of the User Domain. The Workstation Domain is the end-user computer on which an individual user's work is produced; it is very prone to malicious software (malware) and is vulnerable when routine patches are not kept up to date. A known software vulnerability on a workstation can allow hackers to connect remotely and steal data, and its hard drive can fail and cause a large loss of data. The LAN Domain is a trusted zone, but a known software vulnerability in the OS can let a worm spread and affect the other computers connected to it; hackers or unauthorized persons can gain access to an organization's workstations through the LAN, and a weak password is easily cracked. WAN Domain risks include a major service-provider outage, a DoS/DDoS attack on the server, and a server that allows anonymous upload of illegal software, among others. The System/Application Domain, which holds several layers of applications, is exposed to a fire hazard that can destroy the primary data center, to a denial of service attack, and to SQL injection attacks that modify data and give attackers access to the organization's primary server. The Remote Access Domain, which provides access through a VPN, is vulnerable to virus infection when the VPN tunnel between the remote system and the ingress/egress router is attacked, and the remote user might not be aware of it.
Hackers can penetrate the LAN-to-WAN Domain, which is the boundary between the trusted and untrusted zones; weak ingress/egress traffic filtering can degrade performance, and malicious software can be downloaded, mistakenly or knowingly, if an unnecessary port is left open through the firewall.

Paragraph 2-Approach/Prioritization:
All the domains are vulnerable to every stage of impact, from low to high. The risk impact factors are assigned with the mildness or severity of the risk's effect in mind. If the threat, vulnerability, or risk poses obvious damage, such as the loss of a costly major asset or resource, might cause injury, or violates the organization's vision and goals, then it is assigned the critical stage. If it has a moderate effect or poses no immediate danger, the risk, threat, or vulnerability is assigned a medium or low level of impact. Identifying the level of risk is vital in order to avoid impacts on the organization's daily operations. The likelihood of a risk, threat, or vulnerability occurring also contributes to its prioritization.

Paragraph 3- Risk Impact/Assessment:
The risk impact of the seven domains can be categorized as follows:
Systems/Applications Domain Risk Impact: 1
User Domain Risk Impact: 3
WAN Domain Risk Impact: 2
Workstation Domain Risk Impact: 3
LAN Domain Risk Impact: 2
LAN-to-WAN Domain Risk Impact: 2
Remote Access Domain Risk Impact: 1

There is no doubt that there were issues with all seven domains of the IT infrastructure, and all the domains are somehow vulnerable to every level of impact. The System/Application Domain and the Remote Access Domain are at a critical stage. The LAN-to-WAN, WAN, and LAN Domains are at a major stage, while the User and Workstation Domains are at the minor stage. Even though the Workstation Domain seems to carry the least possible risk, it should not be overlooked because of its direct connection to the organization's network.
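As an added worked example (not part of the original lab report), the following Python script applies the prioritization approach described in Paragraphs 2 and 3 to a constructed risk register built from the 22 rows of the table above: an impact factor is derived from the stated criteria, rows are ordered by impact factor and then by likelihood, and a per-domain rollup is produced. The likelihood ratings and the rollup rule (a domain is as severe as its most severe row) are assumptions; the report's own per-domain numbers in Paragraph 3 come from the author's judgement, not from this rule.

```python
from collections import Counter, defaultdict

IMPACT_LABEL = {1: "Critical", 2: "Major", 3: "Minor"}


def assign_impact(loss_of_major_asset: bool, may_cause_injury: bool,
                  violates_goals: bool, moderate_effect: bool) -> int:
    """Paragraph 2's rule: any critical condition gives factor 1, a moderate
    effect gives 2, and anything posing no immediate danger gives 3."""
    if loss_of_major_asset or may_cause_injury or violates_goals:
        return 1
    if moderate_effect:
        return 2
    return 3


# Constructed register: the 22 rows of the lab table, with a hypothetical
# likelihood rating (1 = high, 2 = medium, 3 = low) added as an assumption;
# the lab itself records only the impact factor.
REGISTER = [
    # (risk, threat or vulnerability, primary domain, impact factor, likelihood)
    ("Unauthorized access from public Internet", "Remote Access", 1, 1),
    ("Hacker penetrates IT infrastructure and gains internal access", "User", 1, 2),
    ("Mobile employee needs secure browser access to sales-order entry", "Remote Access", 1, 1),
    ("Workstation OS has a known software vulnerability", "LAN-to-WAN", 3, 1),
    ("DoS attack on DMZ and e-mail server", "System/Application", 1, 2),
    ("Remote communications from home office", "Remote Access", 3, 1),
    ("Weak ingress/egress traffic filtering degrades performance", "LAN-to-WAN", 2, 2),
    ("Workstation browser has software vulnerability", "Workstation", 3, 1),
    ("WLAN access points needed for warehouse LAN connectivity", "LAN-to-WAN", 2, 2),
    ("Need to prevent eavesdropping on WLAN (customer privacy data)", "LAN-to-WAN", 3, 2),
    ("User destroys data in application, deletes all files", "User", 2, 3),
    ("Fire destroys primary data center", "System/Application", 1, 3),
    ("Intraoffice employee romance gone bad", "User", 3, 3),
    ("Service provider SLA is not achieved", "LAN-to-WAN", 1, 2),
    ("Loss of production data", "System/Application", 2, 2),
    ("Unauthorized access to organization-owned workstations", "User", 2, 2),
    ("LAN server OS has a known software vulnerability", "LAN", 3, 1),
    ("User downloads and clicks on an unknown e-mail attachment", "User", 2, 1),
    ("Service provider has a major network outage", "WAN", 3, 2),
    ("User inserts personal CDs/USB drives on organization computers", "User", 1, 1),
    ("VPN tunneling between remote computer and ingress/egress router", "Remote Access", 1, 2),
    ("DoS/DDoS attack from the WAN/Internet", "WAN", 1, 2),
]


def prioritize(register):
    """Most critical first; likelihood breaks ties, as Paragraph 2 says it should."""
    return sorted(register, key=lambda r: (r[2], r[3], r[0]))


def count_by_factor(register) -> dict:
    """How many register rows carry each impact factor."""
    return dict(Counter(r[2] for r in register))


def domain_rollup(register) -> dict:
    """Assumed rollup rule: a domain is as severe as its most severe row."""
    worst = defaultdict(lambda: 3)
    for _, domain, impact, _ in register:
        worst[domain] = min(worst[domain], impact)
    return dict(worst)


if __name__ == "__main__":
    for name, domain, impact, likelihood in prioritize(REGISTER):
        print(f"{IMPACT_LABEL[impact]:8} likelihood={likelihood}  {domain:18} {name}")
    print("rows per impact factor:", count_by_factor(REGISTER))
    print("worst factor per domain:", domain_rollup(REGISTER))
```

Running the script lists the nine factor-1 items first, which is the working list an executive summary would be built from; changing the likelihood column reorders items within a factor without changing which factor they carry, which is the separation Paragraph 2 describes.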
Paragraph 4-Recommendation:
The threats, risks, and vulnerabilities in the seven domains of an IT infrastructure and its resources are a daily menace. It is imperative that both individual employees and the organization recognize their own threats, risks, and vulnerabilities and find a way to mitigate them. As we can see, the System/Application Domain is at a critical stage alongside the Remote Access Domain. The LAN-to-WAN, WAN, and LAN Domains are at a major stage, while the User and Workstation Domains are at the minor stage. I recommend using an advanced firewall configuration. By taking into account the likelihood and vulnerability findings of the seven-domain risk analysis, we must focus on the categorization of risks and work together to mitigate them and, where possible, alleviate the danger involved.

What is the goal or objective of an IT risk assessment?
The objective of an IT risk assessment is to help an organization mitigate risk after identifying the risks and their impacts/factors within the seven domains. In addition, it supports a sound business decision about the solution method and its prioritization.

Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?
Gathering accurate cost figures and possible liabilities is difficult to categorize in an IT infrastructure. In addition, it is hard to tell what type of impact a known attack will have on the organization.
What was your rationale in assigning a "1" risk impact/risk factor value of "Critical" for an identified risk, threat, or vulnerability?
My rationale for assigning the Critical level, or "1" impact, to an identified risk, vulnerability, or threat is that the risk will definitely occur and has the potential to affect the organization's legal compliance; liability to clients for non-conformity is the greatest risk to a business.

After you had assigned the “1” and “2” and “3” risk impact/risk factor values to the identified risks, threats, and vulnerabilities, how did you prioritize the “1,” “2,” and “3” risk elements? What would you say to executive management about your final recommended prioritization?
I would prioritize the risk elements by the level of their urgency or imperativeness and apply mitigation techniques before they cause havoc in the organization. After categorizing all risks and making sure that they are logged in the risk register, I will recommend that everyone in the organization be trained, and create awareness at all levels of management after making sure that the appropriate countermeasures for the threats are in place. I will also urge management to obtain a Service Level Agreement (SLA) so that our systems will always be functioning favorably.

Identify a risk-mitigation solution for each of the following risk factors:
User downloads and clicks on an unknown e-mail attachment: Add restrictions that do not allow users to download or open attachments.

Workstation OS has a known software vulnerability: Patch the vulnerability, or put security measures in place that prevent the software vulnerability from being exploited.

Need to prevent eavesdropping on WLAN due to customer privacy data access: WLAN network keys that require a password for wireless access should be used, and the wireless access points (WAPs) should require a second level of authentication before granting WLAN access, since that offers stronger encryption methods.

Weak ingress/egress traffic filtering degrades performance: Customize the firewall settings, apply WAN optimization and data compression solutions when accessing remote systems, applications, and data, and enable Access Control Lists (ACLs) on outbound router WAN interfaces in keeping with policy.

DoS/DDoS attack from the WAN/Internet: Apply filters on external IP firewalls and IP router WAN interfaces to block TCP SYN and ICMP (ping), and advise the Internet Service Provider to implement correct filters on its IP router WAN interfaces.

Remote access from home office: Permit access only from specified IP addresses.

Production server corrupts database: Implement regular data backups and off-site storage for monthly data archiving. Classify data recovery techniques according to defined RTOs, and use RAID (Redundant Array of Independent Disks) in the server setup to mitigate loss of data.
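As an added example rather than text from the lab, the following Python model shows what the ingress/egress filtering and DoS/DDoS mitigation items above amount to at the WAN edge: an anti-spoofing ingress rule, an egress rule that lets only the organization's own addresses leave, a drop for ICMP echo requests arriving from the WAN, and an inbound TCP SYN rule that admits new connections only to published services and only up to a per-source budget (a simplified reading of "block TCP SYN", since a blanket SYN block would also stop legitimate clients). The internal ranges, published ports, SYN budget and sample packets are constructed assumptions using documentation address ranges, not the organization's real configuration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed assumptions: the organization's internal ranges and the only
# services it publishes to the Internet. A real deployment takes these from policy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PUBLISHED_TCP_PORTS = {25, 443}   # e-mail and HTTPS hosted in the DMZ
SYN_BUDGET_PER_SOURCE = 3        # toy threshold for the per-source SYN limit


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (arriving from the WAN) or "out" (leaving to the WAN)
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False    # TCP SYN without ACK, i.e. a new connection attempt
    icmp_type: int = -1  # 8 = echo request (ping)


def is_internal(addr: str) -> bool:
    """True when the address belongs to one of the organization's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


class WanEdgeFilter:
    """Stateless ACL plus a per-source SYN counter, applied on the WAN interface."""

    def __init__(self):
        self.syn_seen = Counter()

    def evaluate(self, pkt: Packet) -> tuple[str, str]:
        inbound = pkt.direction == "in"
        # Ingress anti-spoofing: nothing arriving from the WAN may claim an internal source.
        if inbound and is_internal(pkt.src):
            return "drop", "ingress: spoofed internal source address"
        # Egress filtering: only our own addresses may leave, so a compromised host
        # cannot emit spoofed traffic that would feed someone else's DDoS.
        if not inbound and not is_internal(pkt.src):
            return "drop", "egress: source address is not ours"
        # ICMP echo requests from the WAN are dropped, as the mitigation item says.
        if inbound and pkt.proto == "icmp" and pkt.icmp_type == 8:
            return "drop", "ingress: ICMP echo request"
        if inbound and pkt.proto == "tcp" and pkt.syn:
            # New inbound connections only to published services...
            if pkt.dport not in PUBLISHED_TCP_PORTS:
                return "drop", f"ingress: SYN to unpublished port {pkt.dport}"
            # ...and only a bounded number of them per source (crude SYN-flood brake).
            self.syn_seen[pkt.src] += 1
            if self.syn_seen[pkt.src] > SYN_BUDGET_PER_SOURCE:
                return "drop", "ingress: SYN budget exceeded for source"
        return "accept", "permitted by policy"


def run_filter(packets) -> list:
    """Evaluate packets in order with one filter instance; returns (verdict, reason) per packet."""
    edge = WanEdgeFilter()
    return [edge.evaluate(p) for p in packets]


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [
    Packet("in", "10.1.2.3", "203.0.113.10", "tcp", 443, syn=True),       # spoofed source
    Packet("out", "198.51.100.7", "203.0.113.99", "udp", 53),             # not our address
    Packet("in", "198.51.100.9", "203.0.113.10", "icmp", icmp_type=8),    # ping from WAN
    Packet("in", "198.51.100.9", "203.0.113.10", "tcp", 3389, syn=True),  # unpublished port
    Packet("in", "198.51.100.9", "203.0.113.10", "tcp", 443, syn=True),   # HTTPS to DMZ
    Packet("out", "10.0.0.5", "198.51.100.20", "tcp", 443, syn=True),     # our user browsing
] + [Packet("in", "198.51.100.50", "203.0.113.10", "tcp", 25, syn=True)] * 5  # SYN burst

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE, run_filter(SAMPLE)):
        print(f"{verdict:6} {pkt.direction:3} {pkt.src:>14} -> {pkt.dst}:{pkt.dport:<5} {why}")
```

The first four sample packets are dropped for four different reasons, the HTTPS request and the user's outbound session are accepted, and the burst of five SYNs to port 25 from one source is accepted three times and then dropped, which is the behaviour a per-source SYN threshold on the edge router is meant to produce.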