Risk Assessment
In this assignment, you will perform a qualitative risk assessment, using a template that has been provided below. Your last assignment in the
course will be to take one of these risks and develop a section for your Incident Response Plan or Disaster Recovery Plan that addresses that risk.
1. Groups will work on a risk assessment using one of the agencies as assigned below:
Organization, Link to Audit Reports, and Groups

National Aeronautics and Space Administration (NASA) (Groups 1, 8, 15):
  http://oig.nasa.gov/audits/reports/FY10/IG-10-018-R.pdf
  https://oig.nasa.gov/audits/reports/FY14/IG-14-023.pdf
  https://oig.nasa.gov/audits/reports/FY17/IG-17-010.pdf
  https://oig.nasa.gov/audits/reports/FY17/IG-17-002A.pdf

Veterans Administration (VA) (Groups 2, 9, 7):
  http://www.va.gov/oig/pubs/VAOIG-12-01712-229.pdf
  http://www.va.gov/oig/pubs/VAOIG-11-01823-294.pdf
  https://www.va.gov/oig/pubs/VAOIG-13-01391-72.pdf
  https://www.va.gov/oig/pubs/VAOIG-16-01949-248.pdf

Securities and Exchange Commission (SEC) (Groups 3, 10):
  http://www.sec.gov/about/offices/oig/reports/audits/2013/512.pdf

USPS (Groups 4, 11):
  https://www.uspsoig.gov/sites/default/files/document-library-files/2015/usps_cybersecurity_functions.pdf
  https://www.uspsoig.gov/document/mobile-system-review
  https://www.uspsoig.gov/sites/default/files/document-library-files/2017/IT-AR-17-007.pdf

Office of Personnel Management (OPM) (Groups 5, 12, 14):
  https://www.opm.gov/our-inspector-general/reports/2016/federal-information-security-modernization-act-auditfiscal-year-2016-4a-ci-00-16-039.pdf
  https://www.opm.gov/our-inspector-general/reports/2015/federal-information-security-modernization-act-audit-fy2015-final-audit-report-4a-ci-00-15-011.pdf

FTC (Groups 6, 13):
  https://www.ftc.gov/system/files/documents/reports/oig-fy-2016-independent-evaluation-federal-trade-commissionsinformation-security-program-practices/oig_fisma_evaluation_fy_2016_redacted.pdf
  https://www.oversight.gov/sites/default/files/oig-reports/OIG%20FISMA%20FY%202017%20%20FINAL%20REDACTED%203-8-2018.pdf
You will read through the report and look for findings and recommendations from the GAO’s audit of the agency’s security practices. Your
job will be to develop a risk assessment from these findings to assess the likelihood and impact. A listing of threats has been prepopulated for
you. These threats have been categorized by type as shown below:
Threat Origination Category | Type Identifier
--- | ---
Threats launched purposefully | P
Threats created by unintentional human or machine errors | U
Threats caused by environmental agents or disruptions | E
Purposeful threats are launched by threat actors for a variety of reasons and the reasons may never be fully known. Threat actors could be
motivated by curiosity, monetary gain, political gain, social activism, revenge or many other driving forces. It is possible that some threats could
have more than one threat origination category.
Some threat types are more likely to occur than others. The following table takes threat types into consideration to help determine the
likelihood that a vulnerability could be exploited. The threat table shown in Table 2-2 is designed to offer typical threats to information systems,
and these threats have been considered for the organization. Not all of these will be relevant to the findings in your risk assessment; however,
you will need to identify those that are.
ID | Threat Name | Type ID | Description | Typical Impact: Confidentiality | Typical Impact: Integrity | Typical Impact: Availability
--- | --- | --- | --- | --- | --- | ---
T-1 | Alteration | U, P, E | Alteration of data, files, or records. | | Modification |
T-2 | Audit Compromise | P | An unauthorized user gains access to the audit trail and could cause audit records to be deleted or modified, or prevents future audit records from being recorded, thus masking a security relevant event. Also applies to a purposeful act by an Administrator to mask unauthorized activity. | | Modification or Destruction | Unavailable Accurate Records
T-3 | Bomb | P | An intentional explosion. | | Modification or Destruction | Denial of Service
T-4 | Communications Failure | U, E | Cut of fiber optic lines, trees falling on telephone lines. | | | Denial of Service
T-5 | Compromising Emanations | P | Eavesdropping can occur via electronic media directed against large scale electronic facilities that do not process classified National Security Information. | Disclosure | |
T-6 | Cyber Brute Force | P | Unauthorized user could gain access to the information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities. | Disclosure | Modification or Destruction | Denial of Service
T-7 | Data Disclosure | P, U | An attacker uses techniques that could result in the disclosure of sensitive information by exploiting weaknesses in the design or configuration. Also used in instances where misconfiguration or the lack of a security control can lead to the unintentional disclosure of data. | Disclosure | |
T-8 | Data Entry Error | U | Human inattention, lack of knowledge, and failure to cross-check system activities could contribute to errors becoming integrated and ingrained in automated systems. | | Modification |
T-9 | Denial of Service | P | An adversary uses techniques to attack a single target rendering it unable to respond and could cause denial of service for users of the targeted information systems. | | | Denial of Service
T-10 | Distributed Denial of Service Attack | P | An adversary uses multiple compromised information systems to attack a single target and could cause denial of service for users of the targeted information systems. | | | Denial of Service
T-11 | Earthquake | E | Seismic activity can damage the information system or its facility. Please refer to the following document for earthquake probability maps: http://pubs.usgs.gov/of/2008/1128/pdf/OF081128_v1.1.pdf | | Destruction | Denial of Service
T-12 | Electromagnetic Interference | E, P | Disruption of electronic and wire transmissions could be caused by high frequency (HF), very high frequency (VHF), and ultra-high frequency (UHF) communications devices (jamming) or sun spots. | | | Denial of Service
T-13 | Espionage | P | The illegal covert act of copying, reproducing, recording, photographing or intercepting to obtain sensitive information. | Disclosure | Modification |
T-14 | Fire | E, P | Fire can be caused by arson, electrical problems, lightning, chemical agents, or other unrelated proximity fires. | | Destruction | Denial of Service
T-15 | Floods | E | Water damage caused by flood hazards can be caused by proximity to local flood plains. Flood maps and base flood elevation should be considered. | | Destruction | Denial of Service
T-16 | Fraud | P | Intentional deception regarding data or information about an information system could compromise the confidentiality, integrity, or availability of an information system. | Disclosure | Modification or Destruction | Unavailable Accurate Records
T-17 | Hardware or Equipment Failure | E | Hardware or equipment may fail due to a variety of reasons. | | | Denial of Service
T-18 | Hardware Tampering | P | An unauthorized modification to hardware that alters the proper functioning of equipment in a manner that degrades the security functionality the asset provides. | | Modification | Denial of Service
T-19 | Hurricane | E | A category 1, 2, 3, 4, or 5 land falling hurricane could impact the facilities that house the information systems. | | Destruction | Denial of Service
T-20 | Malicious Software | P | Software that damages a system, such as a virus, Trojan, or worm. | | Modification or Destruction | Denial of Service
T-21 | Phishing Attack | P | Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs, by pretending to be communications from a legitimate/trustworthy source. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to Web sites that appear to be legitimate sites, while actually stealing the entered information. | Disclosure | Modification or Destruction | Denial of Service
T-22 | Power Interruptions | E | Power interruptions may be due to any number of reasons such as electrical grid failures, generator failures, uninterruptible power supply failures (e.g. spike, surge, brownout, or blackout). | | | Denial of Service
T-23 | Procedural Error | U | An error in procedures could result in unintended consequences. This is also used where there is a lack of defined procedures that introduces an element of risk. | Disclosure | Modification or Destruction | Denial of Service
T-24 | Procedural Violations | P | Violations of standard procedures. | Disclosure | Modification or Destruction | Denial of Service
T-25 | Resource Exhaustion | U | An errant (buggy) process may create a situation that exhausts critical resources, preventing access to services. | | | Denial of Service
T-26 | Sabotage | P | Underhand interference with work. | | Modification or Destruction | Denial of Service
T-27 | Scavenging | P | Searching through disposal containers (e.g. dumpsters) to acquire unauthorized data. | Disclosure | |
T-28 | Severe Weather | E | Naturally occurring forces of nature could disrupt the operation of an information system by freezing, sleet, hail, heat, lightning, thunderstorms, tornados, or snowfall. | | Destruction | Denial of Service
T-29 | Social Engineering | P | An attacker manipulates people into performing actions or divulging confidential information, as well as possible access to computer systems or facilities. | Disclosure | |
T-30 | Software Tampering | P | Unauthorized modification of software (e.g. files, programs, database records) that alters the proper operational functions. | | Modification or Destruction |
T-31 | Terrorist | P | An individual performing a deliberate violent act could use a variety of agents to damage the information system, its facility, and/or its operations. | | Modification or Destruction | Denial of Service
T-32 | Theft | P | An adversary could steal elements of the hardware. | Disclosure | | Denial of Service
T-33 | Time and State | P | An attacker exploits weaknesses in timing or state of functions to perform actions that would otherwise be prevented (e.g. race conditions, manipulation of user state). | | Modification | Denial of Service
T-34 | Transportation Accidents | E | Transportation accidents include train derailments, river barge accidents, trucking accidents, and airline accidents. Local transportation accidents typically occur when airports, sea ports, railroad tracks, and major trucking routes are in close proximity to system facilities. The likelihood of HAZMAT cargo should be determined when considering the probability of local transportation accidents. | | Destruction | Denial of Service
T-35 | Unauthorized Facility Access | P | An unauthorized individual accesses a facility, which may result in compromises of confidentiality, integrity, or availability. | Disclosure | Modification or Destruction | Denial of Service
T-36 | Unauthorized Systems Access | P | An unauthorized user accesses a system or data. | Disclosure | Modification or Destruction |
Analyze Risk
The risk analysis for each vulnerability consists of assessing security controls to determine the likelihood that the vulnerability could be exploited and
the potential impact should the vulnerability be exploited. Essentially, risk is proportional to both the likelihood of exploitation and the possible impact.
The following sections provide a brief description of each component used to determine the risk.
Likelihood
This risk analysis process is based on qualitative risk analysis. In qualitative risk analysis the impact of exploiting a threat is measured in relative
terms. When a system is easy to exploit, it has a High likelihood that a threat could exploit the vulnerability. Likelihood definitions for the
exploitation of vulnerabilities are found in the following table.

Likelihood | Description
--- | ---
Low | There is little to no chance that a threat could exploit the vulnerability and cause loss to the system or its data.
Medium | There is a Medium chance that a threat could exploit the vulnerability and cause loss to the system or its data.
High | There is a High chance that a threat could exploit the vulnerability and cause loss to the system or its data.
Impact
Impact refers to the magnitude of potential harm that could be caused to the system (or its data) by successful exploitation. Definitions for the
impact resulting from the exploitation of a vulnerability are described in the following table. Since exploitation has not yet occurred, these
values are perceived values. If the exploitation of vulnerability can cause significant loss to a system (or its data) then the impact of the exploit is
considered to be High.
Impact | Description
--- | ---
Low | If vulnerabilities are exploited by threats, little to no loss to the system, networks, or data would occur.
Medium | If vulnerabilities are exploited by threats, Medium loss to the system, networks, and data would occur.
High | If vulnerabilities are exploited by threats, significant loss to the system, networks, and data would occur.
Risk Level
The risk level for the finding is the intersection of the likelihood value and the impact value, as depicted in the table below. The combination
of High likelihood and High impact creates the highest risk exposure. The risk exposure matrix shown in the table below presents the same
likelihood and impact severity ratings as those found in NIST SP 800-30 Risk Management Guide for Information Technology Systems.

Likelihood \ Impact | High | Medium | Low
--- | --- | --- | ---
High | High | Medium | Low
Medium | Medium | Medium | Low
Low | Low | Low | Low
Risk Assessment Results
This section documents the technical and non-technical security risks to the system. Complete the following risk assessment table,
ensuring that you have addressed at least 10 risks. You will be graded on your ability to demonstrate knowledge that the risks are relevant
to the company you have identified, as well as that the security controls are appropriate for controlling the risks you have identified.
The following provides a brief description of the information documented in each column:
▪ Identifier: Provides a unique number used for referencing each vulnerability in the form of R#-Security Control ID.
▪ Source: Indicates the source where the vulnerability was identified (e.g., System Security Plan or Audit).
▪ Threat: Indicates the applicable threat type from the table of threats.
▪ Risk Description: Provides a brief description of the risk.
▪ Business Impact: Provides a brief description of the impact to the organization if the risk is realized.
▪ Recommended Corrective Action: Provides a brief description of the corrective action(s) recommended for mitigating the risks associated with the finding.
▪ Likelihood: Provides the likelihood of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
▪ Impact: Provides the impact of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
▪ Risk Level: Provides the risk level (High, Medium, Low) for the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
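As an added example (not part of the assignment template), the following Python scores a register the way the Likelihood, Impact and Risk Level sections and the column definitions above describe: it validates Threat IDs against an excerpt of the threat table, records the P/U/E origination categories the corrective action must cover, and fills in Risk Level from the matrix. The control IDs in the identifiers (AC-2, AC-6) and the R-02 finding are assumptions made for the sample, not values from the page.

```python
from dataclasses import dataclass
LEVELS = ("Low", "Medium", "High")
# Risk exposure matrix from the Risk Level section: RISK_MATRIX[likelihood][impact].
RISK_MATRIX = {
    "High":   {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Medium": {"High": "Medium", "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Low",    "Medium": "Low",    "Low": "Low"},
}
# Excerpt of the threat table: ID -> (name, origination types); only the IDs the
# sample findings reference are listed, add the remaining rows as needed.
THREATS = {
    "T-1":  ("Alteration", {"U", "P", "E"}),
    "T-8":  ("Data Entry Error", {"U"}),
    "T-23": ("Procedural Error", {"U"}),
    "T-24": ("Procedural Violations", {"P"}),
    "T-36": ("Unauthorized Systems Access", {"P"}),
}

@dataclass
class Finding:
    identifier: str   # R#-Security Control ID form; control IDs in SAMPLE are assumed
    source: str
    threat_ids: tuple
    description: str
    likelihood: str
    impact: str

def risk_level(likelihood: str, impact: str) -> str:
    """Intersection of the likelihood and impact ratings in the matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]

def origination_types(threat_ids) -> str:
    """Union of the P/U/E categories of the referenced threats (e.g. 'EPU').
    Rejects IDs missing from the table, which catches typos such as 'T23'."""
    unknown = [t for t in threat_ids if t not in THREATS]
    if unknown:
        raise KeyError(f"unknown threat IDs (use the T-n form): {unknown}")
    return "".join(sorted(set().union(*(THREATS[t][1] for t in threat_ids))))

def score_register(findings):
    """Register rows with Risk Level filled in, highest exposure first."""
    rows = [{"identifier": f.identifier, "threats": ", ".join(f.threat_ids),
             "origination": origination_types(f.threat_ids),
             "likelihood": f.likelihood, "impact": f.impact,
             "risk_level": risk_level(f.likelihood, f.impact)} for f in findings]
    return sorted(rows, key=lambda r: LEVELS.index(r["risk_level"]), reverse=True)

# Sample input: R-01 is the template's worked row; R-02 is constructed to show ordering.
SAMPLE = (
    Finding("R-01-AC-2", "Audit", ("T-1", "T-8", "T-23", "T-24", "T-36"),
            "Notification is not performed when account changes are made.", "Medium", "Medium"),
    Finding("R-02-AC-6", "Audit", ("T-36",), "Constructed High/High finding.", "High", "High"),
)
```

Calling score_register(SAMPLE) returns the constructed High/High row first and the template's R-01 row rated Medium with origination "EPU", which is the order a remediation plan should follow.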
Your deliverables, as a team, will consist of the following 2 documents (and presentation):
1. You will complete and submit the following completed table for grading.
Organization/Agency Selected:
Organization/Agency Mission:

Identifier | Source | Threat ID | Risk Description | Business Impact | Recommended Corrective Action | Likelihood | Impact | Risk Level
--- | --- | --- | --- | --- | --- | --- | --- | ---
R-01 | Audit | T-1, T-8, T-23, T-24, T-36 | Notification is not performed when account changes are made. | The lack of notification allows unauthorized changes to individuals who elevate permissions and group membership to occur without detection. | Enable auditing of all activities performed under privileged accounts in GPOs and develop a process to allow these events to be reviewed by an individual who does not have Administrative privileges. | Medium | Medium | Medium
R-02 | | | | | | | |
R-03 | | | | | | | |
R-04 | | | | | | | |
R-05 | | | | | | | |
R-06 | | | | | | | |
R-07 | | | | | | | |
R-08 | | | | | | | |
R-09 | | | | | | | |
R-10 | | | | | | | |
R-11 | | | | | | | |
R-12 | | | | | | | |
R-13 | | | | | | | |
R-14 | | | | | | | |
R-15 | | | | | | | |
Incident Response Paper
Using NIST's SP 800-61 "Computer Security Incident Handling Guide", develop an Incident Response Plan
(IRP) that will address one or more of the security risks that you identified in your Risk Assessment. Search the Internet
for other actual IRPs and review them to see what type of information is included. At a
minimum, your plan should include the following sections:
• Roles: who will respond to the incident and notification/escalation procedures? Who is responsible for writing the IRP?
• Training: specify a training frequency
• Plan testing: How (and how often) will you test the plan?
• Incidents: What defines an "incident"? Define some security incidents that you may encounter on your network.
• Incident Notification: What happens when an incident is detected?
• Reporting/tracking: How will you report and track incidents? What about capturing "lessons learned"?
• Procedures: Select one of your security risks identified in your Risk Assessment. Prepare procedures for addressing the incident in the event that the incident actually happens. In this section, address the following subsections specific to the risk that you are identifying.
o Preparation
o Detection and Analysis
o Containment
o Eradication
o Recovery and Post-Incident Activity (see Appendix A)
Note: there are several scenarios in the appendix of the NIST document. You can use, for instance, Scenario
11: Unknown Wireless Access Point to help develop the response procedures for wireless access, as an
example. Use any of these to help flesh out your procedures but the procedure you agreed to use must be one
that addresses a risk you identified in your Risk Assessment.
Grading Criteria

Criteria | Weight
--- | ---
Document is at least 5 - 7 double-spaced pages. Paper is well-written with minimal typing, spelling, or grammatical errors. | 10%
Required sections (above) are appropriately addressed. 25 points (5 each), 50 points for the Procedures Section. | 75%
Procedures provide sufficient information to enable recovery and mission restoration. | 15%