Identify at least two vulnerabilities on your home computer and share them with your peers. Explain how you have/will mitigate those vulnerabilities.
SEC 4301, IS Disaster Recovery 1
Course Learning Outcomes for Unit I

Upon completion of this unit, students should be able to:

2. Develop an asset ranking report.
   2.1 Categorize the seven domains of a typical information technology (IT) infrastructure.
   2.2 Classify the different U.S. laws and regulations for IT industries.
   2.3 Research the confidentiality, integrity, availability (CIA) triad and how these elements protect information.

3. Analyze an impact assessment for organization threat analysis.
   3.1 Differentiate between risks and mitigation in reference to the information technology (IT) infrastructure.
   3.2 Generalize the risks and mitigations of IT components and entities.
Required Unit Resources

Chapter 1: Risk Management Fundamentals
Chapter 3: Understanding and Maintaining Compliance

Unit Lesson
What Is Risk?

Risk has been a challenge since the beginning of humankind. For example, early cave dwellers had to decide when to hunt for food. This might seem a very simple task; however, elements such as time of day (daytime or nighttime), number of hunters in the party, weather conditions, and food rationing needed to be taken into consideration. Let's look at some of the risks involved. If early cave dwellers went hunting during the day, their success depended on the weather conditions and visibility. The ability to see the animals is important, but the animals can also see the hunters. During the night, visibility is poor, and worse still in bad weather; the hunters will not be able to see the animals, and some animals can see at night. How many animals are taken, and how large they are, determines how much food is available for the group and how it is rationed. The size of the animal determines the number of hunters needed, but at the same time, people are needed at home to protect the caves from intruders. Torches could be used to find the animals at night, but their light can be seen by the animals. You can see from this example that there are many risk variables to consider, as well as possible solutions or mitigations (measures that reduce the danger in proportion to the risk) for the cave dwellers. Consequently, one does not just go out to hunt; one must consider the risks and mitigations of every element that is part of the act of hunting.

So what are risk and mitigation? In simplistic terms, risk is the act of exposing oneself to danger, and mitigation is the act of reducing that danger. Similarly, there are many risks that individuals in information technology (IT) need to be aware of and prepare for. In this course, we will learn how to plan for risks and to take preventative measures that will lessen the impact of a disaster.
Anatomy of the Seven IT Domains

According to Gibson (2015), risk is the possibility that some sort of loss will happen, and mitigation is the ability to reduce the effects of loss from the risk(s) involved. Let's examine the risks and mitigations within the seven domains of a typical IT infrastructure. The seven domains are shown below in Figure 1.1.
UNIT I STUDY GUIDE Overview of Risk Fundamentals and Managing Compliance Laws
Figure 1.1: The Seven Domains (Gibson, 2015, p. 7)
The User Domain identifies all individuals who are users, either within the organization or outside it. Human error will always be humankind's nemesis; consequently, the major risks are password maintenance, social engineering, and security policy awareness (Gibson, 2015). These are threats and vulnerabilities that impact the User Domain. Remembering passwords is easy if the password is not complex, and that is a problem: passwords need to be complex in order to resist guessing and cracking attempts. Writing passwords down and leaving them to be found is like an Easter egg hunt; they will be found. Speaking with friends or co-workers and accidentally mentioning the source of your password, or how you created it, can happen within earshot of others. Giving your password away because you were told to do so, for whatever reason, is a bad practice. Most importantly, ignoring the organizational security policies that everyone in the organization must follow can be detrimental.

The Workstation Domain is comprised of the computers and internal devices that users are authorized to use. Notice the words "users are authorized" in the previous sentence: some users are authorized to use certain workstations within the domain and others are not. This is known as need-to-know, which is emphasized in the security management policy. All workstations should run an anti-virus application, as this helps detect or eliminate malicious software (malware) attacks that can damage the Workstation Domain's applications and/or operating system (Gibson, 2015). Applying patches and fixes to the operating system and applications is one of the most ignored mitigation steps for protecting the workstation. When possible, patches and fixes need to be applied as soon as they are available in order to prevent attacks on known vulnerabilities (Gibson, 2015).

The Local Area Network (LAN) Domain is all about the different devices and services that make up the local trusted network. Devices such as hubs, switches, routers, and firewalls are located on the LAN, behind the firewall (Gibson, 2015). Data traffic traverses the LAN between these devices, which allow only certain traffic to pass. A vulnerability exists when an attacker can physically plug into a device, such as a switch, to gain information; protocol analyzers can be used by the perpetrator to capture data by sniffing the LAN. Most importantly, these devices need to be secured in a restricted area for authorized personnel only.

The LAN-to-WAN (wide area network) Domain has a dual function: to connect the LAN to the WAN and to permit remote access to the LAN or WAN Domain. This domain contains routers that pass authorized data traffic from the LAN to the WAN and vice versa. The firewall protects the LAN from intruders who try to attack it and prevents unwanted traffic from leaving the LAN for the WAN. The LAN-to-WAN Domain is known as the untrusted network; therefore, the demilitarized zone (DMZ) is located in this domain. The DMZ prevents information from leaving or entering until it has been authorized by the router and firewall configurations. Ongoing system administration and auditing are very important and must be monitored on a regular basis.

The WAN Domain is known as the World Wide Web, internet, or cyberspace as we recognize it today. The WAN today is serviced by internet service providers (ISPs), so its security is dependent on the ISPs. Therefore, organizations need to use virtual private networks (VPNs) or leased lines to ensure secure transmission of data.

Users who are remote from the organization's network utilize the Remote Access Domain. Their use is very similar to that of the users described in the User Domain, but with stricter security controls, since these users must negotiate through the internet to the LAN-to-WAN Domain. These security rules would include two-factor authentication consisting of the user's password and an application password to enter the Remote Access Domain (Gibson, 2015). The risks and vulnerabilities for the Remote Access Domain lie in the user's password and remote authentication device.

The System and Application Domain security protocol requires that the user have a need to know in order to access certain applications, servers, databases, or devices. Such authorization allows access to the information the user needs in order to process data for the organization. Consequently, the user must have his or her password or another form of authentication to access databases and to send and receive email (Gibson, 2015). Authorization of who accesses which systems and applications should be dictated in the organization's security policy.
The Confidentiality, Integrity, and Availability Triad

Each of the above-mentioned domains is susceptible to risks and mitigations from both inside and outside threats and vulnerabilities, and each jeopardizes the security triad of confidentiality, integrity, and availability. As illustrated in Figure 1.2, confidentiality, integrity, and availability, or the CIA triad, affect each other and are each subject to risks, threats, and mitigations.

Figure 1.2: CIA Triad (Risks & Mitigation) (Adapted from Gibson, 2015)

In simplistic terms, all information encapsulated within the domains must be protected by the triad:

• Confidentiality: The rules that limit access to information by the user.
• Integrity: The ongoing maintenance of information in a consistent and accurate state.
• Availability: The organization's information is readily available to authorized users.
Regulatory Laws and Compliances

Organizational IT systems will run amok without compliance. Compliance in the IT infrastructure can be summed up as the guidelines, specifications, or processes by which the IT infrastructure must abide within the organization's business entity (Gibson, 2015). These compliance requirements are generally in the form of a U.S. law and/or regulation. As an example, if an organization's IT infrastructure primarily supports medicine, then it is appropriate to follow the Health Insurance Portability and Accountability Act (HIPAA) in order to protect the health information of all patients. If an organization is responsible for financial information, then it must follow the Gramm-Leach-Bliley Act. These two examples are, of course, U.S. laws that must be followed. However, there are also different regulations that support U.S. laws; the majority of these regulations relate to the federal government. The Federal Deposit Insurance Corporation (FDIC) is a regulation by which your money in the U.S. banking system is protected and guaranteed. This, along with the Gramm-Leach-Bliley Act, protects your information privacy and governs how information is collected and shared with other entities.

Customers today rarely use cash; credit cards are the mainstream money flow. Credit card companies must provide protection for your credit card in addition to the protection you provide. The Payment Card Industry Data Security Standard (PCI DSS) provides standards for credit card companies to protect customers' private information, such as name, card number, security code, and the card's expiration date. The hope is that such standards and protection would eliminate card theft and credit card fraud; however, credit card fraud is on the rise.
Summary

Risks, mitigations, and compliance must be understood to combat the possible vulnerabilities through which the seven domains could be attacked by potential intruders. The different laws and regulations aid in the protection of information, for which the CIA triad must be enforced. In the next unit, we will look at how risks and mitigations are managed to reduce threats, vulnerabilities, and exploits.
Reference

Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning. https://online.vitalsource.com/#/books/9781284107753

Suggested Unit Resources

In order to access the following resources, click the links below. The following presentations will summarize and reinforce the information from Chapters 1 and 3 in your textbook.

Chapter 1 PowerPoint Presentation
PDF Version of Chapter 1 PowerPoint Presentation
Chapter 3 PowerPoint Presentation
PDF Version of Chapter 3 PowerPoint Presentation

Learning Activities (Nongraded)

Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. The following learning activities provide additional information that will assist you with the mastery of the learning objectives for this unit.
Go to the CSU Online Library, and use the Discovery Search feature. Using the Discovery Search feature, type in the following phrases: "computer domains, seven domains, confidentiality, integrity, and availability, computer laws, HIPAA." Select and read two articles. Use the criteria of peer-reviewed (scholarly) articles less than 5 years old. Here is a link straight to the CSU Online Library Discovery Search.

Check Your Knowledge

These questions will help you assess whether or not you have mastered the unit content. Can you answer them without looking in the textbook?

• Answer the Chapter 1 Assessment questions at the end of Chapter 1 in your textbook. After you have answered the questions, you can find out how well you did by viewing the Chapter 1 Answer Key.
• Answer the Chapter 3 Assessment questions at the end of Chapter 3 in your textbook. After you have answered the questions, you can find out how well you did by viewing the Chapter 3 Answer Key.

Word Search

Some of this unit's key terms and phrases (written as one word) have been hidden in the word search puzzle. Access the Unit I Word Search puzzle, and see if you can find them.