You work at the XYZ Financial Bank, and a fellow co-worker approaches you and states the only safeguard controls needed for the bank are the physical controls
You work at the XYZ Financial Bank, and a fellow co-worker approaches you and states the only safeguard controls needed for the bank are the physical controls. Based on what you have learned about safeguard controls, reflect on whether you support your co-worker’s position, or refute the claim of just using physical controls. Explain why you do or do not refute the claim. Your journal entry must be at least 200 words in length. No references or citations are necessary.
SEC 4301, IS Disaster Recovery
Course Learning Outcomes for Unit IV
Upon completion of this unit, students should be able to:
3. Analyze an impact assessment for organization threat analysis.
3.1 Deconstruct the system function assets.
3.2 Generalize the aspects between historical data and threat modeling.
3.3 Interpret the findings from the threat, vulnerabilities, and exploits assessment.
Required Unit Resources
Chapter 7: Identifying Assets and Activities to Be Protected
Chapter 8: Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Chapter 9: Identifying and Analyzing Risk Mitigation Security Controls
Unit Lesson
Asset Accessibility and Availability
Previously, the hardware and software assets were identified in the risk assessment. Now these assets need to be protected and addressed; these assets are within the business continuity plan (BCP). The BCP helps the organization to address and document a set of plans in the event of a disaster to the organization. All employees and individuals who need access to information from the network infrastructure must have 100% accessibility and availability to organizational data. However, in a real-world scenario, 100% is usually equated to 99.999% of the time; the 0.001% is negligible downtime (Gibson, 2015). Nevertheless, how does an organization even maintain 99.999% system access and availability? The answer is redundancy of devices to create what is known as a failover cluster system. Backup systems are important in order to avoid system access failure that causes system unavailability to all employees who need information to do their jobs for the organization. Organizations can utilize manual or automated methods for system functions to aid in system uptime. Some organizations use a hybrid approach that combines manual and automated methods for system functions. These services are important for hardware, software, and people assets (Gibson, 2015). These are the basic critical assets of the organization.
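The redundancy argument above can be made concrete. The following added example (not from the course material or the textbook) computes the yearly downtime budget behind 99.999% and how many redundant nodes a failover cluster needs to reach it. It assumes nodes fail independently and failover is instantaneous; the function names are illustrative.

```python
MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes; leap years ignored


def downtime_minutes_per_year(availability: float) -> float:
    """Yearly downtime allowed by an availability fraction (0.99999 = 99.999%)."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * MINUTES_PER_YEAR


def cluster_availability(node_availability: float, nodes: int) -> float:
    """Availability of a failover cluster that is up while any one node is up.

    Assumption: node failures are independent, so the cluster is down only
    when every node is down at the same time.
    """
    if nodes < 1:
        raise ValueError("a cluster needs at least one node")
    return 1.0 - (1.0 - node_availability) ** nodes


def nodes_needed(node_availability: float, target: float, limit: int = 16) -> int:
    """Smallest number of redundant nodes whose combined availability meets target."""
    for count in range(1, limit + 1):
        if cluster_availability(node_availability, count) >= target:
            return count
    raise ValueError("target not reachable within the node limit")


if __name__ == "__main__":
    target = 0.99999  # the 99.999% figure used in the lesson
    budget = downtime_minutes_per_year(target)
    print(f"99.999% allows about {budget:.2f} minutes of downtime per year")
    # Constructed per-node availabilities, for illustration only.
    for node in (0.99, 0.999, 0.9999):
        count = nodes_needed(node, target)
        print(f"nodes at {node:.2%}: {count} needed, "
              f"single-node downtime {downtime_minutes_per_year(node):.0f} min/yr")
```

Shared dependencies such as power, network, or a common software fault break the independence assumption, so a real cluster's availability will be lower than this calculation suggests.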
UNIT IV STUDY GUIDE Identifying Key Components of Risk Assessment
The assets shown in Figure 4.1 are susceptible to both access and availability problems and are explained further below.
Figure 4.1: System Function Assets
(Gibson, 2015)
• Hardware assets: Think of these assets as tangible devices. Any device that can be seen, touched, and sometimes smelled is an asset that needs to be identified. Attributes—the asset's location, model number, or manufacturer—need to be acknowledged, as no two devices are identical (Gibson, 2015).
• Software assets: Coding software, operating systems (OS), and applications are software assets that cannot be physically accessed but can be used through input devices. Such software has attributes, such as the version number, name of application, patches, and equipment on which the software is installed, that need to be inventoried and identified for each device (Gibson, 2015).
• Personnel assets: People, just like hardware and software, are prone to failure. Such failure could be a lack of personnel, a single point of failure where only one person has access to a device, or a lack of skill development because of a stagnant job position (Gibson, 2015). Like hardware and software, personnel are subject to viruses, emergencies, and non-emergency issues.
Other areas that are important to the access and availability are information data assets, inventory management, and facilities and supplies (Gibson, 2015). Although not as critical as the hardware, software, and people assets, the other areas play an important role in the identification of the assets for risk management.
Threats, Vulnerabilities, and Exploits Identification
Previously, the threats, vulnerabilities, and exploits (TVE) were introduced and defined. With this information, the TVE need to be identified and analyzed throughout the seven domains of the information technology (IT) infrastructure. The purpose of the threat assessment is to identify as many potential threats to the infrastructure as possible (Gibson, 2015). The assessment aligns with the confidentiality, integrity, and availability (CIA) triad to identify the threats. Risks can be calculated by the following formula: risk = vulnerability × threat (Gibson, 2015). The figure below represents the diverse threats to the organization.
Figure 4.2: Typical Organizational Threats (Modified)
The external and internal attacks are people intrusions to the organizational network, either through unintentional or intentional penetration attacks. One might think the external attacks are numerous; however, a large number of attacks are unintentional from employees within the organization. Below are a few examples of unintentional attacks by employees:
• misconfigured devices allowing unauthorized entry,
• weak passwords,
• disgruntled employees,
• employees who are terminated from organization and still have access to computer systems, and
• not enforcing privilege escalation regarding need to know versus least privilege access (Gibson, 2015).
These are just a few of many reasons why there are attacks within the organizations’ IT infrastructure. The external attackers are those hackers who seek to gain access into the organization’s devices for several reasons such as profit, ego, manipulation/destruction, or just for fun! As mentioned prior, there are two methods that can be used in identifying the threat assessment assets by either historical data or modeling (Gibson, 2015). The image below briefly articulates the difference between the two methods.
Figure 4.3: Historical Data versus Threat Modeling Method (Gibson, 2015)
Vulnerabilities look into the weaknesses of different assets within the IT infrastructure. Identification of these vulnerabilities is an integral part of vulnerability assessment (Gibson, 2015). IT devices and personnel are plagued by vulnerabilities. For example, servers can easily be subjected to buffer overflows, and personnel to social engineering. There are, however, regulations and compliance acts that help keep vulnerability weaknesses in check. The Health Insurance Portability and Accountability Act (HIPAA) provides compliance requirements that must be met to protect and distribute patient information.
There are two methods that can be used for vulnerability assessments. The first is the internal assessment, in which security personnel will try to exploit vulnerabilities within the organization and then report the results of what was found in vulnerable assets. The external assessment is the second method, and traditionally, this method of assessment is conducted by outside personnel who are not part of the organization (Gibson, 2015). The advantage of an external assessment is that it eliminates personal bias; however, the disadvantage is that there is no real-time reporting, as the outside parties must first gather the information and format that information into a report, which could take time to process for review.
Exploit assessments are conducted on the seven domains to determine where exploited vulnerabilities will occur (Gibson, 2015). Although historical data and modeling could provide information on known exploits, they cannot examine areas that have never been exploited for threats. In other words, the security team must conduct a simulated attack by exploiting the weaknesses in the seven domains. The findings from the exploit assessment will provide the following information:
• exploit identification findings,
• how to mitigate exploits using gap analysis and remediation plan,
• updating the mitigated configuration for change management,
• mitigation of the validated and verified exploit(s), and
• exploit assessment best practices (Gibson, 2015).
Controls
The safeguarding of controls was covered in Unit III and is represented in Figure 4.4 below for illustration purposes.
Figure 4.4: Safeguard Controls
(Gibson, 2015)
The above controls are important since the in-place controls determine which controls are in place for operational assets. The planned controls are those assets that are physically on hand but not as yet implemented, as determined by management (Gibson, 2015). The control categories are governed by certain categories or security initiatives, such as the National Institute of Standards and Technology (NIST), that provide controls that need to be implemented in operational systems (Gibson, 2015). These security initiatives are covered in the Unit II lesson. The procedural controls are the administrative controls that are administered by personnel, such as supervisors and managers, who develop the security policies and plans. Administrators who fall into roles such as system, database, firewall, and email administrators are responsible for the technical controls of the assets within the organization (Gibson, 2015). These controls also include software, such as the use of encryption and/or public key infrastructure (PKI), and the physical controls, which include hardware such as locks, gates, closed-circuit TV, and fire suppression equipment, or biological, such as security guards and guard dogs (Gibson, 2015).
Scanning Applications
There are several types of scanners that can be used to identify vulnerabilities; two will be mentioned here: the Nessus and Zenmap applications. Nessus is a security vulnerability assessment scanner, while Zenmap is a graphical user interface for the Nmap Security Scanner. Both of these scanners are easy to use and will help identify the vulnerabilities of organizational assets.
Summary
Before determining which threats, vulnerabilities, and exploits a typical IT infrastructure must be protected against, the assets must be identified. Remember, assets are not just the hardware and software but people as well. Once the identification process has been completed, security controls must be put into place for those assets already approved for immediate operational use, and approved controls are set to be implemented. The initiatives to use for the risk management assessment will be determined by the business strategy that has been deployed by the organization. For instance, a medical facility would use HIPAA, or a financial institution would consider the Gramm-Leach-Bliley Act. The organization should use all the safeguard risks as mentioned here to ensure all risks have been identified and can be mitigated in a timely manner.
Reference
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning. https://online.vitalsource.com/#/books/9781284107753
Suggested Unit Resources
In order to access the following resources, click the links below. The following presentations will summarize and reinforce the information from Chapters 7, 8, and 9 in your textbook.
Chapter 7 PowerPoint Presentation
PDF Version of Chapter 7 PowerPoint Presentation
Chapter 8 PowerPoint Presentation
PDF Version of Chapter 8 PowerPoint Presentation
Chapter 9 PowerPoint Presentation
PDF Version of Chapter 9 PowerPoint Presentation
Learning Activities (Nongraded)
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. The following learning activities provide additional information that will assist you with the mastery of the learning objectives for this unit.
Go to the CSU Online Library, and use the Discovery Search feature. Utilize the Discovery Search feature in the CSU Online Library, and type in the following phrases: “security controls, network vulnerabilities, business continuity planning, disaster recovery planning, NIST.” Select and read two articles. Use the criteria of peer-reviewed article (scholarly) and less than 5 years old. Here is a link straight to the CSU Online Library Discovery Search.
The internet can provide you with a wealth of information concerning the topics in this unit. For example, the following video is from CSU Films on Demand database and provides additional information about Internet security.
Cambridge Educational (Producer). (2008). Problems with internet security (Segment 1 of 6) [Video]. In CyberSecurity. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=http://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=38815&loid=50327
The transcript for this video can be found by clicking the “Transcript” tab to the right of the video in the Films on Demand database.
Check Your Knowledge
These questions will help you assess whether or not you have mastered the unit content. Can you answer them without looking in the textbook?
• Answer the Chapter 7 Assessment questions at the end of Chapter 7 in your textbook. After you have answered the questions, you can find out how well you did by viewing the Chapter 7 Answer Key.
• Answer the Chapter 8 Assessment questions at the end of Chapter 8 in your textbook. After you have answered the questions, you can find out how well you did by viewing the Chapter 8 Answer Key.
• Answer the Chapter 9 Assessment questions at the end of Chapter 9 in your textbook. After you have answered the questions, you can find out how well you did by viewing the Chapter 9 Answer Key.
Word Search
Some of this unit’s key terms and phrases (written as one word) have been hidden in the word search puzzle. Access the Unit IV Word Search puzzle, and see if you can find them.