Risk Management week 4 with excel work

Reference Info

CONFIDENTIALITY

Score | Description | Criteria
5 | Very High | Data Classification = Confidential, with the additional classification of Legally Privileged or Regulated Data
4 | High | Data Classification = Confidential
3 | Medium | Data Classification = Internal Use
2 | Low | Data Classification = Public
1 | Very Low | Unclassified

THREAT MATRIX

Agent | Action
Trusted Insider | Eavesdropping and interception of data for exfiltration
External Intruders, Malicious Insiders, Malicious Code | System intrusion, unauthorized system access, denial of use and functionality, unchecked data alterations, damage and destruction of data
Trusted Insider | Denial of user actions or activity
Trusted Insider | Unchecked data alteration
Natural | Equipment damage or destruction due to natural causes (fire, water, earthquake)

INTEGRITY

Score | Description | Criteria
5 | Very High | Business Critical = Y and Financially Important = Y
4 | High | Does not apply
3 | Medium | Business Critical = Y and Financially Important = N, or Business Critical = N and Financially Important = Y
2 | Low | Does not apply
1 | Very Low | Business Critical = N and Financially Important = N

AVAILABILITY

Score | Description | Criteria
5 | Very High | Business Critical = Y and Number of Users = High
4 | High | Business Critical = Y and Number of Users = Medium or Low
3 | Medium | Business Critical = N and Number of Users = High
2 | Low | Business Critical = N and Number of Users = Medium
1 | Very Low | Business Critical = N and Number of Users = Low

Asset List Audit Results

Control Survey columns (each scored 1 to 5 using the Protection Controls scales below; 5 is strongest):
C1 Data Protection (in motion) and Encryption Controls
C2 Data Protection (at rest) and Encryption Controls
C3 Malicious Code Protection
C4 Patch and Vulnerability Management Controls
C5 Authentication and Access Control
C6 Security Configuration
C7 User Provisioning and Review Controls
C8 Security Awareness
C9 Network Controls
C10 Auditing and Logging Controls
C11 Backup and Contingency Controls
C12 Operational (Change Controls)
C13 Physical Controls

Asset | Description/Notes | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | C9 | C10 | C11 | C12 | C13 | NVD URL / Vendor CVE reference
DNS server | BIND server running 9.10.0, 9.10.0-P1, located in the DMZ (see week 2 lab results for open ports) | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 3 | 5 |
Windows Server 2008 R2 | This system handles payroll for all employees of the organization | 2 | 3 | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 3 | 5 | 5 | 5 |
MS Exchange Server 2016 Cumulative Update 9 | The email system for the organization | 2 | 2 | 4 | 4 | 5 | 3 | 3 | 5 | 5 | 3 | 5 | 5 | 5 |
Windows 7 SP1, SP2 | 100 workstations are still on Windows 7 because a specialized software application has not been updated to run on Windows 10 and the hardware does not support Windows 10 | 1 | 1 | 3 | 3 | 4 | 3 | 3 | 5 | 3 | 3 | 3 | 3 | 1 |
Windows XP SP1 Workstations | 25 workstations run XP because of specialized Industrial Control Systems software | 1 | 1 | 1 | 1 | 1 | 3 | 3 | 5 | 5 | 3 | 4 | 5 | 3 |
Pulse Secure VPN Server 8.2R1.0 gateways Appliance | VPN service used by remote employees. The appliance is end of life and will no longer be supported by the vendor after 2019 | 2 | 2 | 4 | 2 | 5 | 3 | 3 | 5 | 3 | 4 | 4 | 3 | 5 | https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3apulsesecure%3apulse_connect_secure%3a8.2%3ar1.0 ; https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 ; https://nvd.nist.gov/vuln/detail/CVE-2019-11510
Oracle Enterprise Manager Base Platform, versions 13.2, 13.3 | Enterprise database management | 4 | 4 | 5 | 4 | 5 | 3 | 3 | 5 | 4 | 3 | 5 | 5 | 5 |
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0 | Enterprise database management | 4 | 4 | 5 | 4 | 5 | 3 | 3 | 5 | 4 | 3 | 5 | 5 | 5 |
Adobe Acrobat and Reader 2019.012.20040 | Adobe products that are part of the desktop base image | 1 | 1 | 4 | 4 | 1 | 1 | 2 | 1 | 2 | 1 | 1 | 3 | 5 |
KACE Systems Management Appliance (Quest KACE SMA Server Center version 9.1.317) | Unified endpoint management. The vendor will end support at the end of 2019 | 2 | 3 | 3 | 3 | 5 | 5 | 5 | 5 | 5 | 3 | 3 | 3 | 5 |
Cisco IPS 4200 series sensors 6.0 | Used to monitor the Windows XP SP1 workstations running the ICS software. The company stopped paying for a maintenance contract in 2013 and the vendor has stopped all support for this unit | 4 | 3 | 3 | 3 | 5 | 5 | 5 | 5 | 5 | 3 | 5 | 5 | 5 |

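A version-range check for the Pulse Secure row, added here as a worked example; it is editor-written, not part of the audit worksheet or any vendor tool. It parses Pulse Connect Secure version strings of the form 8.2R1.0, tests them against the fixed releases named in the NVD description of CVE-2019-11510 (8.2R12.1, 8.3R7.1, 9.0R3.4), and builds the NVD CPE search URL the worksheet cites. Branches the description does not mention return None rather than "not affected", because the description says nothing about them; the vendor advisory SA44101 is the place to check those. The asset name and version are taken from the asset list; the function names are the editor's.

```python
"""Is a Pulse Connect Secure build inside the CVE-2019-11510 affected ranges?

Editor-added example. Fixed versions come from the NVD description of
CVE-2019-11510: 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, 9.0 before 9.0R3.4.
"""
import re
from urllib.parse import quote

# Branch -> first fixed (release, patch) pair named in the CVE description.
FIXED_IN = {"8.2": (12, 1), "8.3": (7, 1), "9.0": (3, 4)}

# PCS versions look like 8.2R1.0 or 9.0R3 (the trailing .patch is optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_pcs_version(text):
    """'8.2R1.0' -> ('8.2', (1, 0)); '9.0R3' -> ('9.0', (3, 0))."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return f"{major}.{minor}", (int(release), int(patch or 0))


def affected_by_cve_2019_11510(version):
    """True if the build predates the fixed release on its branch, False if it is
    at or past the fix, None if the branch is not covered by the CVE text
    (consult vendor advisory SA44101 before treating None as safe)."""
    branch, release = parse_pcs_version(version)
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return None
    return release < fixed          # tuple comparison: (1, 0) < (12, 1)


def version_from_asset_name(asset_name):
    """Pull the first PCS-style version token out of an asset-list entry."""
    m = re.search(r"\d+\.\d+R\d+(?:\.\d+)?", asset_name)
    if not m:
        raise ValueError(f"no PCS version found in asset name: {asset_name!r}")
    return m.group(0)


def nvd_cpe_search_url(vendor, product, version, update=""):
    """NVD advanced-search URL for a CPE 2.2 URI, in the form the worksheet cites."""
    cpe = f"cpe:/a:{vendor}:{product}:{version}"
    if update:
        cpe += f":{update}"
    return ("https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version="
            + quote(cpe, safe=""))


if __name__ == "__main__":
    asset = "Pulse Secure VPN Server 8.2R1.0 gateways Appliance"   # from the asset list
    ver = version_from_asset_name(asset)
    print(ver, "affected:", affected_by_cve_2019_11510(ver))        # 8.2R1.0 affected: True
    print(nvd_cpe_search_url("pulsesecure", "pulse_connect_secure", "8.2", "r1.0"))
```

For the asset list's 8.2R1.0 build the check returns True, and 8.2R12.1 (the fix on that branch) returns False. The CPE URL differs from the worksheet's only in the case of the percent-escapes, which URL decoding treats as equivalent.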

Protection Controls

Each control in the Asset List control survey is scored on the scale below (5 is strongest). Where a scale marks a score as N/A, that value is not used for that control. The worksheet gives no scale for Backup and Contingency Controls (C11).

Data Protection (in motion) and Encryption Controls
5 Encryption in motion matches org standards, with additional DLP mechanisms in place.
4 Encryption in motion matches org standards.
3 Encryption in motion is used but does not match org standards.
2 N/A
1 No encryption at all.

Data Protection (at rest) and Encryption Controls
5 Encryption at rest; all system drives and backups are encrypted.
4 N/A
3 Encryption at rest, but not all asset areas are encrypted; exceptions noted.
2 N/A
1 No encryption at all.

Malicious Code Protection
5 AV is in place and regularly updated.
4 N/A
3 AV is in place but not regularly updated.
2 N/A
1 No AV in place.

Patch and Vulnerability Management Controls
5 Patched and scanned regularly.
4 Patched regularly but not scanned.
3 Scanned regularly; patched, but not regularly.
2 Patched, but not regularly.
1 Not patched.

Authentication and Access Control
5 Two-factor authentication in use, with complex passwords.
4 Password complexity enforced.
3 Password complexity not enforced.
2 Common, generic or default passwords, or shared (non-service) accounts, in use.
1 Passwords not enforced.

Security Configuration
5 Security hardening baselines are utilized, and a separate hardening review is conducted for every layer of the stack (OS, DB, miscellaneous services, etc.).
4 N/A
3 Security hardening baselines are utilized; no separate security review is conducted.
2 N/A
1 No hardening review is conducted.

User Provisioning and Review Controls
5 A user provisioning process is in place for the asset and a regular user review is performed.
4 N/A
3 A user provisioning process is in place for the asset.
2 N/A
1 User provisioning is ad hoc.

Security Awareness
5 All users of the system have received security awareness training.
4 N/A
3 Not all users have undergone security awareness training.
2 N/A
1 No security awareness training was provided to users of the system.

Network Controls
5 System is in an isolated, firewalled segment and network monitoring devices (IDS/IPS) are in place.
4 System is in an isolated, firewalled segment.
3 Network monitoring devices (IDS/IPS) are in place.
2 N/A
1 No network segmentation and no network monitoring in place.

Auditing and Logging Controls
5 System logs all relevant events and the logs are reviewed regularly.
4 System logs all relevant events and the logs are reviewed case by case.
3 System logs all relevant events.
2 Logging is in place, but with exceptions.
1 System does not log any events.

Operational (Change Control)
5 All system changes undergo change control.
4 N/A
3 System undergoes change control, with some exceptions noted.
2 N/A
1 There is no change control process for the system.

Physical Controls
5 System is housed in a secured data center.
4 N/A
3 System is placed in a secure area within the user/department area.
2 N/A
1 System is in a common user area.

Risk Assessment

Worksheet columns: Asset; Threat Agent; Threat Action; Attack Vector; Vulnerability; CVE Score Reference; CVSS Score Reference; Confidentiality; Integrity; Availability; Impact; Exposure; Frequency; Control Effectiveness Level; Likelihood; Risk; Risk Classification; Recommended Treatment and Discussion; Management Review.

Only the Pulse Secure row has been researched against NVD: CVE-2019-11510, CVSS 3.1 base score 10.0 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The other rows in the worksheet repeated the CVE-2019-11510 description, which applies only to Pulse Connect Secure, and cited general risk-management articles (continuingprofessionaldevelopment.org, stratixsystems.com) in place of NVD entries; those cells are shown below as "to be researched in NVD" until an asset-specific vulnerability is identified. Management Review is blank for every row.

DNS server (BIND 9.10.0, 9.10.0-P1)
Threat agent: External | Threat action: External intrusion | Attack vector: Network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: High | Integrity: Medium | Availability: High | Impact: Medium | Exposure: Medium | Frequency: High
Control effectiveness: High | Likelihood: High | Risk: High | Risk classification: High
Recommended treatment: Apply vendor patches.

Windows Server 2008 R2 (payroll)
Threat agent: Internal | Threat action: External intrusion | Attack vector: Non-network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: High | Integrity: Medium | Availability: High | Impact: Medium | Exposure: Low | Frequency: Medium
Control effectiveness: Low | Likelihood: Low | Risk: Low | Risk classification: Low
Recommended treatment: Improved firewall.

MS Exchange Server 2016 Cumulative Update 9
Threat agent: External | Threat action: System intrusion | Attack vector: Non-network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: High | Integrity: Medium | Availability: High | Impact: Medium | Exposure: Medium | Frequency: Medium
Control effectiveness: Medium | Likelihood: Medium | Risk: Medium | Risk classification: Medium
Recommended treatment: none recorded.

Windows 7 SP1, SP2
Threat agent: Internal | Threat action: System intrusion | Attack vector: Non-network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: High | Integrity: Low | Availability: High | Impact: Medium | Exposure: Low | Frequency: Low
Control effectiveness: Low | Likelihood: Low | Risk: Low | Risk classification: High
Recommended treatment: none recorded.

Windows XP SP1 Workstations
Threat agent: Internal | Threat action: System intrusion | Attack vector: Network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: High | Integrity: Low | Availability: High | Impact: Low | Exposure: Low | Frequency: Low
Control effectiveness: Medium | Likelihood: Medium | Risk: Medium | Risk classification: Medium
Recommended treatment: none recorded.

Pulse Secure VPN Server 8.2R1.0 gateways Appliance
Threat agent: External | Threat action: System intrusion | Attack vector: Network
Vulnerability (CVE-2019-11510): In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.
CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11510 ; vendor advisory: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
CVSS reference: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11510&vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1&source=NIST (base score 10.0, Critical)
Confidentiality: High | Integrity: High | Availability: High | Impact: High | Exposure: High | Frequency: High
Control effectiveness: Low | Likelihood: High | Risk: High | Risk classification: High
Recommended treatment: Vendor software updates are available. Take the device offline until the patches are applied.

Oracle Enterprise Manager Base Platform, versions 13.2, 13.3
Threat agent: Internal | Threat action: System intrusion | Attack vector: Non-network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: Low | Integrity: High | Availability: Low | Impact: Low | Exposure: High | Frequency: High
Control effectiveness: High | Likelihood: Medium | Risk: Medium | Risk classification: Medium
Recommended treatment: Improved firewall.

Enterprise Manager Ops Center, versions 12.3.3, 12.4.0
Threat agent: Internal | Threat action: System intrusion | Attack vector: Non-network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: Low | Integrity: Medium | Availability: Low | Impact: High | Exposure: Low | Frequency: Low
Control effectiveness: Low | Likelihood: Low | Risk: Low | Risk classification: Low
Recommended treatment: Apply vendor patches.

Adobe Acrobat and Reader 2019.012.20040
Threat agent: External | Threat action: System intrusion | Attack vector: Non-network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: Low | Integrity: High | Availability: Low | Impact: Medium | Exposure: High | Frequency: High
Control effectiveness: High | Likelihood: High | Risk: High | Risk classification: High
Recommended treatment: Vendor software updates are available. Take the device offline until the patches are applied.

Quest KACE Systems Management Appliance Server Center version 9.1.317
Threat agent: Internal | Threat action: System intrusion | Attack vector: Network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: Low | Integrity: High | Availability: Low | Impact: High | Exposure: Low | Frequency: High
Control effectiveness: High | Likelihood: High | Risk: Medium | Risk classification: Medium
Recommended treatment: Cyber Software.

Cisco IPS 4200 series sensors 6.0
Threat agent: Internal | Threat action: External intrusion | Attack vector: Network
Vulnerability, CVE reference, CVSS reference: to be researched in NVD
Confidentiality: Low | Integrity: High | Availability: Low | Impact: High | Exposure: Low | Frequency: High
Control effectiveness: High | Likelihood: Medium | Risk: Medium | Risk classification: Medium
Recommended treatment: Cyber Software.

Preparing the Impact Score

Having determined how confidentiality, integrity and availability impact scores are assigned, we now apply the impact score in the context of the asset and the threat and vulnerability pair affecting it. The basic steps are:

1. Go through the threat and vulnerability pair matrix for each asset.

2. For each threat and vulnerability pair, assign a confidentiality, integrity and availability score using the determination matrices on the Reference Info worksheet tab. In most cases one threat maps to only one impact: eavesdropping and interception, for instance, is a confidentiality threat rather than an availability threat. Where an impact does not apply, score it zero.

Risk Identification Exercise

PURPOSE OF ASSIGNMENT
According to NIST, the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations.” This exercise will take the student through performing a risk assessment on IT assets using the NIST SP 800-30R1 “Guide for Conducting Risk Assessments.”
INSTRUCTIONS FOR CONDUCTING RISK ASSESSMENT AND ANALYSIS
You have been requested to conduct a cyber risk assessment and analyze the results for a set of IT assets listed in the attached excel file. This worksheet was generated from a recent IT asset audit that was conducted at the request of the IT director.
You will use the 4-step Risk Assessment Process to determine risk of these assets.
You are to research each asset for vulnerabilities using the NIST National Vulnerability Database (NVD) and the CVE (Common Vulnerabilities and Exposures) web site. The Pulse Secure VPN Server 8.2R1.0 gateways Appliance entry already has these references listed.
Once you have identified the vulnerabilities, you have the flexibility to identify threat sources and events, estimate the likelihood of occurrence, and determine the magnitude of impact.
For each asset:
1) Assess the inherent risk given the existing set of controls.
2) Make a recommendation on how to manage the risk.
3) Assess the residual risk of the asset, assuming your risk management recommendation is accepted.
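A worked example of the scoring steps above (the impact-score steps and the inherent/residual assessment), added by the editor; it is not part of the worksheet or of NIST SP 800-30. The C/I/A functions encode the matrices exactly as the Reference Info tab defines them, and a threat that does not touch a dimension scores it zero, as step 2 requires. The page does not say how the three scores roll up into one impact score, how control effectiveness becomes likelihood, or how impact and likelihood combine, so those three rules are assumptions (highest applicable score; 6 minus the rounded mean control-survey score; an SP 800-30 style 5x5 product with thresholds). The payroll server's control scores are the asset list's; its data classification, business/financial flags and user count are constructed for the example, as are all function names.

```python
"""Impact, likelihood and inherent-vs-residual risk for one threat/vulnerability pair.
Editor-added example: the C/I/A matrices follow the Reference Info tab; the three
combination rules (impact roll-up, likelihood, risk) are assumptions, marked below."""
from dataclasses import dataclass, replace
from statistics import mean

# Confidentiality matrix: data classification -> score.
CONFIDENTIALITY = {"confidential-regulated": 5,  # Confidential + Legally Privileged/Regulated
                   "confidential": 4, "internal use": 3, "public": 2, "unclassified": 1}

# Threat actions from the Threat Matrix and the impact dimension(s) each mainly affects;
# eavesdropping is confidentiality-only, as the impact-score instructions say.
THREAT_IMPACTS = {"eavesdropping and interception": "C", "system intrusion": "CIA",
                  "denial of user actions": "A", "unchecked data alteration": "I",
                  "equipment damage (natural causes)": "A"}


def integrity_score(business_critical, financially_important):
    """Integrity matrix: both Y -> 5, exactly one Y -> 3, neither -> 1 (4 and 2 are 'Does not apply')."""
    if business_critical and financially_important:
        return 5
    return 3 if (business_critical or financially_important) else 1


def availability_score(business_critical, users):
    """Availability matrix keyed on Business Critical and Number of Users (High/Medium/Low)."""
    users = users.lower()
    if users not in ("high", "medium", "low"):
        raise ValueError(f"Number of Users must be High, Medium or Low, got {users!r}")
    if business_critical:
        return 5 if users == "high" else 4
    return {"high": 3, "medium": 2, "low": 1}[users]


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str      # key into CONFIDENTIALITY
    business_critical: bool
    financially_important: bool
    users: str               # "high" / "medium" / "low"
    control_scores: tuple    # the 13 control-survey scores, each 1..5


def impact_vector(asset, threat_action):
    """Per-pair C/I/A scores; a dimension the threat does not touch scores 0."""
    dims = THREAT_IMPACTS[threat_action]
    return {"C": CONFIDENTIALITY[asset.classification] if "C" in dims else 0,
            "I": integrity_score(asset.business_critical, asset.financially_important) if "I" in dims else 0,
            "A": availability_score(asset.business_critical, asset.users) if "A" in dims else 0}


def impact_score(vector):
    """Assumption: the pair's overall impact is its highest applicable C/I/A score."""
    return max(vector.values())


def likelihood_level(control_scores):
    """Assumption: likelihood 1..5 is the inverse of the rounded mean control score (weak controls -> likely)."""
    if len(control_scores) != 13 or any(not 1 <= s <= 5 for s in control_scores):
        raise ValueError("expected 13 control-survey scores in the range 1..5")
    return 6 - int(mean(control_scores) + 0.5)  # round half up, not banker's rounding


def risk_level(impact, likelihood):
    """Assumption: SP 800-30 style 5x5 combination, thresholds on impact x likelihood."""
    score = impact * likelihood
    for floor, label in ((20, "Very High"), (12, "High"), (6, "Moderate"), (3, "Low")):
        if score >= floor:
            return label
    return "Very Low"


def assess(asset, threat_action):
    vec = impact_vector(asset, threat_action)
    imp, lik = impact_score(vec), likelihood_level(asset.control_scores)
    return {"impact": vec, "impact_score": imp, "likelihood": lik, "risk": risk_level(imp, lik)}


def apply_treatment(asset, new_scores):
    """Control survey after the recommended treatment, e.g. {0: 5} raises column C1 to 5."""
    scores = list(asset.control_scores)
    for column, value in new_scores.items():
        scores[column] = value
    return replace(asset, control_scores=tuple(scores))


# Payroll server: control scores are the asset list's; classification, flags and
# user count are constructed assumptions for this example.
PAYROLL = Asset("Windows Server 2008 R2 (payroll)", "confidential-regulated",
                business_critical=True, financially_important=True, users="medium",
                control_scores=(2, 3, 4, 4, 5, 5, 5, 5, 5, 3, 5, 5, 5))


def payroll_inherent_and_residual():
    """Inherent risk with today's controls; residual after encrypting data in motion and at
    rest (C1, C2 -> 5) and reviewing logs regularly (C10 -> 5)."""
    inherent = assess(PAYROLL, "system intrusion")
    residual = assess(apply_treatment(PAYROLL, {0: 5, 1: 5, 9: 5}), "system intrusion")
    return inherent, residual


if __name__ == "__main__":
    for label, result in zip(("inherent", "residual"), payroll_inherent_and_residual()):
        print(label, result)
```

For the payroll server a system-intrusion pair scores C=5, I=5, A=4 (impact 5); the mean of the existing control scores is 4.3, giving likelihood 2 and a Moderate inherent risk. Raising the two encryption columns and the logging column to 5 lifts the mean to 4.8, likelihood drops to 1 and the residual risk is Low. An eavesdropping pair on the same asset scores C=5, I=0, A=0, which is the zeroing rule from step 2.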

asset-list week4.xlsx

FORMATTING REQUIREMENTS
Refer to the UCOL Format and Style Requirements on the Course Homepage, and be sure to properly cite your sources using Turabian Author-Date style citations.

Rubric: ICT-4215 Assignment Rubric 2

Criteria | Full Marks | Minimally meets expectations | Below Expectations | No Marks | Pts
Content and assignment tasks completed | 15.0 to >13.0 pts | 13.0 to >9.0 pts | 9.0 to >0.0 pts | 0.0 pts | 15.0
Writing & logic (communicates purposefully, solid narrative flow) | 5.0 to >3.0 pts | 3.0 to >2.0 pts | 2.0 to >0.0 pts | 0.0 pts | 5.0
Grammar and citation (error-free, follows assignment guidelines, and Turabian) | 5.0 to >3.0 pts | 3.0 to >2.0 pts | 2.0 to >0.0 pts | 0.0 pts | 5.0

Total Points: 25.0