Identify common risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure

Lab 1: How to Identify Threats & Vulnerabilities in an IT Infrastructure

Learning Objectives and Outcomes

Upon completing this lab, students will be able to:

  • Identify common risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure
  • Align risks, threats, and vulnerabilities to one of the seven domains of a typical IT infrastructure
  • Given a scenario, prioritize risks, threats, and vulnerabilities based on their risk impact to the organization from a risk assessment perspective
  • Prioritize the identified critical, major, and minor risks, threats, and software vulnerabilities found throughout the seven domains of a typical IT infrastructure

    Required Setup and Tools

    This is a paper-based lab and does not require the use of the ISS “mock” IT infrastructure or virtualized server farm.

    The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is required for this lab. Students will need access to Lab #1 – Assessment Worksheet Part A (a list of 21 risks, threats, and vulnerabilities commonly found in an IT infrastructure) and must identify which of the seven domains of a typical IT infrastructure the risk, threat, or vulnerability impacts.

    In addition, Microsoft Word is a required tool for the student to craft an executive summary for management summarizing the findings and alignment of the identified risks, threats, and vulnerabilities that were found.

    Recommended Procedures Lab #1 – Student Steps:

    Student steps needed to perform Lab #1 – Identify Threats and Vulnerabilities in an IT Infrastructure:

    1. Connect your removable hard drive or USB hard drive to a classroom workstation.
    2. Boot up your classroom workstation and DHCP for an IP host address.
    3. Log in to your classroom workstation and enable Microsoft Word.
    4. Review Figure 1 – Seven Domains of a Typical IT Infrastructure.

    Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company

    www.jblearning.com

    All Rights Reserved.


Current Version Date: 05/30/2011

Student Lab Manual

  5. Discuss how risk can impact each of the seven domains of a typical IT infrastructure: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, Systems/Applications Domains.
  6. Work on Lab #1 – Assessment Worksheet Part A. Part A is a matching exercise that requires the students to align the risk, threat, or vulnerability with one of the seven domains of a typical IT infrastructure where there is a risk impact or risk factor to consider. Students may work in small groups of two or three.
  7. Have the students perform Lab #1 – Assessment Worksheet
  8. Answer Lab #1 – Assessment Questions and submit.

Figure 1 – Seven Domains of a Typical IT Infrastructure

Deliverables

Upon completion of Lab #1 – Identify Threats and Vulnerabilities in an IT Infrastructure, students are required to provide the following deliverables as part of this lab:

  1. Lab #1 – Assessment Worksheet Part A. Identification and mapping of 21 risks, threats, and vulnerabilities to the seven domains of a typical IT infrastructure
  2. Lab #1 – Assessment Questions and Answers


Evaluation Criteria and Rubrics

The following are the evaluation criteria and rubrics for Lab #1 that the students must perform:

  1. Was the student able to identify common risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure? – [25%]
  2. Was the student able to align risks, threats, and vulnerabilities to one of the seven domains of a typical IT infrastructure accurately? – [25%]
  3. Given a scenario in Part A, was the student able to prioritize risks, threats, and vulnerabilities based on their risk impact to the organization? – [25%]
  4. Was the student able to prioritize the identified critical, major, and minor risks, threats, and software vulnerabilities? – [25%]


Lab #1: Assessment Worksheet
Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Course Name: _____________________________________________________________
Student Name: _____________________________________________________________
Instructor Name: ___________________________________________________________
Lab Due Date: _____________________________________________________________

Overview

The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure servicing patients with life-threatening situations. Given the list, select which of the seven domains of a typical IT infrastructure is primarily impacted by the risk, threat, or vulnerability.


Risk – Threat – Vulnerability | Primary Domain Impacted
Unauthorized access from public Internet | ________
User destroys data in application and deletes all files | ________
Hacker penetrates your IT infrastructure and gains access to your internal network | ________
Intra-office employee romance gone bad | ________
Fire destroys primary data center | ________
Communication circuit outages | ________
Workstation OS has a known software vulnerability | ________
Unauthorized access to organization owned workstations | ________
Loss of production data | ________
Denial of service attack on organization e-mail server | ________
Remote communications from home office | ________
LAN server OS has a known software vulnerability | ________
User downloads an unknown e-mail attachment | ________
Workstation browser has software vulnerability | ________
Service provider has a major network outage | ________
Weak ingress/egress traffic filtering degrades performance | ________
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | ________
VPN tunneling between remote computer and ingress/egress router | ________
WLAN access points are needed for LAN connectivity within a warehouse | ________
Need to prevent rogue users from unauthorized WLAN access | ________


Lab #1: Assessment Worksheet
Identify Threats and Vulnerabilities in an IT Infrastructure

Course Name: _____________________________________________________________
Student Name: _____________________________________________________________
Instructor Name: ___________________________________________________________
Lab Due Date: _____________________________________________________________

Overview

One of the most important first steps to risk management and implementing a risk mitigation strategy is to identify known risks, threats, and vulnerabilities and organize them. The purpose of the seven domains of a typical IT infrastructure is to help organize the roles, responsibilities, and accountabilities for risk management and risk mitigation. This lab requires students to identify risks, threats, and vulnerabilities and map them to the domain that these impact from a risk management perspective.

Lab Assessment Questions

Given the scenario of a healthcare organization, answer the following Lab #1 assessment questions from a risk management perspective:

  1. Healthcare organizations are under strict compliance to HIPAA privacy requirements which require that an organization have proper security controls for handling personal healthcare information (PHI) privacy data. This includes security controls for the IT infrastructure handling PHI privacy data. Which one of the listed risks, threats, or vulnerabilities can violate HIPAA privacy requirements? List one and justify your answer in one or two sentences.
  2. How many threats and vulnerabilities did you find that impacted risk within each of the seven domains of a typical IT infrastructure?
    User Domain:
    Workstation Domain:
    LAN Domain:
    LAN-to-WAN Domain:
    WAN Domain:
    Remote Access Domain:
    Systems/Application Domain:

  3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
  4. What is the risk impact or risk factor (critical, major, minor) that you would qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the healthcare and HIPAA compliance scenario?
  5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and business continuity plan to maintain continued operations during a catastrophic outage?
  6. Which domain represents the greatest risk and uncertainty to an organization?
  7. Which domain requires stringent access controls and encryption for connectivity to corporate resources from home?
  8. Which domain requires annual security awareness training and employee background checks for sensitive positions to help mitigate risk from employee sabotage?
  9. Which domains need software vulnerability assessments to mitigate risk from software vulnerabilities?
  10. Which domain requires AUPs to minimize unnecessary User initiated Internet traffic and can be monitored and controlled by web content filters?


  11. In which domain do you implement web content filters?
  12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the Workstation Domain, which domain does WLAN fall within?
  13. A bank under Gramm-Leach-Bliley-Act (GLBA) for protecting customer privacy has just implemented their online banking solution allowing customers to access their accounts and perform transactions via their computer or PDA device. Online banking servers and their public Internet hosting would fall within which domains of security responsibility?
  14. Customers that conduct online banking using their laptop or personal computer must use HTTPS:, the secure and encrypted version of HTTP: browser communications. HTTPS:// encrypts webpage data inputs and data through the public Internet and decrypts that webpage and data once displayed on your browser. True or False.
  15. Explain how a layered security strategy throughout the 7-domains of a typical IT infrastructure can help mitigate risk exposure for loss of privacy data or confidential data from the Systems/Application Domain.

    SUBMIT ONLY YOUR 15 ASSESSMENT QUESTIONS AND RESPONSES FOR GRADING

Using Microsoft® Word, write a 1- to 2-page communication to the CIO of the organization. Provide an overview of the following in your letter:

The Chief Information Officer (CIO) of the organization you chose in the Week 1 discussion, “Key Components of an Information System as Related to the Cyber Domain,” is looking for more information on the cyber domain in hopes of determining the organization’s cybersecurity needs. As a cybersecurity consultant, you believe you can provide the CIO with the information he needs.

Using Microsoft® Word, write a 1- to 2-page communication to the CIO of the organization. Provide an overview of the following in your letter:

  • A definition of the cyber domain and its key components or aspects. The cyber domain encompasses cybersecurity, a discipline that involves the following:
    • Securing computer information, communications systems, networks, infrastructures, assets
    • Protecting them against damage, unauthorized use, modification, exploitation
  • The components of an information system, elaborating on the similarities to the cyber domain
  • An approach to implementing information security for the organization you chose and how that approach could be expanded to the larger cyber domain
  • The systems development life cycle compared to the cyber domain life cycle
  • The components of the threat environment for the organization you chose, including an argument that a threat to the organization is also a threat to the larger domain

Include citations as necessary in APA format.

Select the Assignment Files tab to submit your assignment.

How suitable do you think the chart type choice(s) are to display the data? If they are not, what do you think they should have been?

 

Complete the “Forensic Design Assessment” exercise located at: Data Representation

• On this page, click the “Exercise” tab

• Complete: (1) Forensic Design Assessments exercise, then

• Click the “Write Submission” link below to paste your results.

• After pasting your results (when finished), remember to click Submit

APA Style Formatting

DATA REPRESENTATION

(1). FORENSIC DESIGN ASSESSMENTS

This task relates to a sequence of assessments that will be repeated across Chapters 6, 7, 8, 9 and 10. Select any example of a visualisation or infographic, maybe your own work or that of others. The task is to undertake a deep, detailed ‘forensic’ like assessment of the design choices made across each of the five layers of the chosen visualisation’s anatomy. In each case your assessment is only concerned with one design layer at a time.

For this task, take a close look at the data representation choices:

1. Start by identifying all the charts and their types

2. How suitable do you think the chart type choice(s) are to display the data? If they are not, what do you think they should have been?

3. Are the marks and, especially, the attributes appropriately assigned and accurately portrayed?

4. Go through the set of ‘Influencing factors’ from the latter section of the book’s chapter to help shape your assessment and to possibly inform how you might tackle this design layer differently

5. Are there any data values/statistics presented in table/raw form that maybe could have benefited from a more visual representation?

Develop a closure checklist that the project team will use to ensure that the project has been closed properly.

Task

Based on the Virtucon/Globex scenario, you are required to develop a charter for the Project including:

Include the Project description and overview you developed as part of Assessment 2.

Part One:
MOV – Measurable Organisational Value
(This is the goal of the project and is utilised to define the value that your team project will bring to your client)
• Identify the desired area of impact – Rank the following areas in terms of importance: Strategy / Customer / Financial / Operational / Social
• With reference to your project, identify one or two of the following types of value:

  • Better – is improving quality important to your client?
  • Faster – does your client want to increase efficiency?
  • Cheaper – is cutting costs important?
  • Do more – does your client want to continue its growth?

• Develop an appropriate metric – this sets the target and expectation of all the stakeholders. It is important to determine a quantitative target that needs to be expressed as a metric in terms of an increase or decrease of money.
• Determine the timeframe for achieving the MOV – ask yourselves, when do we want to achieve this target metric?
• SUMMARISE THE MOV IN A CLEAR CONCISE STATEMENT OR TABLE

(Note: the MOV should inform everyone what the project will achieve, not how it will be achieved. It should also focus on the organisation, not on the technology that will be used to build or support the information system).

Part Two:
Define Scope and produce a Scope Management Plan
Define the scope of the project and detail how the scope will be managed.
Provide a list of Resources
Identify and detail the resources for the project using MS Project where appropriate, including:

  • People (and their roles), plus any extra personnel that are required for the project.
  • Technology – any hardware, network and software needs to support the team and your client.
  • Facilities – where will most of the teamwork be situated?
  • Other – for example, travel, training etc.

Part Three: 

Using MS Project, develop a schedule using a high level Work Breakdown Structure (WBS). It should include:

  • Milestones for each phase and deliverable
    • This will tell everyone associated with the project that the phase or deliverable was completed satisfactorily.
  • Activities / Tasks
    • Define a set of activities / tasks that must be completed to produce each deliverable.
  • Resource Assignments
    • Assign people and resources to each individual activity.
  • Estimates for Each Activity / Task
    • Develop a time estimate for each task or activity to be completed.
  • Project Budget
    • Develop a budget using the time and resources estimated for each task or activity

A summary of the WBS should be clearly provided in the report. Your MS Project (or Project Libre) file must also be submitted for marking.

Part Four: 

Project Risk Analysis and Plan

  • Document any assumptions you have made about the project
  • Using the Risk Identification Framework outlined in your text as a basis, identify five risks to the project – one for each of the five phases of the methodology.
  • Analyse these risks, assign a risk to an appropriate member, and describe a strategy for the management of each specific risk.

Part Five: 

Quality Management Plan. It should include:

  • A short statement that reflects your team’s philosophy or objective for ensuring that you deliver a quality system to your client.
  • Develop and describe the following that your project team could implement to ensure quality:
    • A set of verification activities
    • A set of validation activities

Part Six: 

Closure and Evaluation

Researching for the closure checklist and project evaluation

a. To prepare for this task, you will be required to provide an annotated bibliography. (550 words)

Write an Annotated Bibliography for three (3) relevant texts or readings around project evaluation. The Annotated Bibliography is a critical examination of the most relevant, recent and scholarly research on the topic area that is not just a summary of the articles you have read.

You will submit this as an appendix to your project evaluation documentation.

Ensure that the AB submitted by you is your own work, has not been submitted elsewhere, and complies with the University’s requirements for academic integrity.

Use the following resource to guide you around the research tools:

b. Develop a closure checklist that the project team will use to ensure that the project has been closed properly.

c. Develop a project evaluation – outline and discuss how your project’s MOV will be evaluated.

Rationale

This assessment task will assess the following learning outcome/s:

  • be able to research and critically evaluate how a practising IT project manager applies IT project management techniques, project management skills, methods and software tools in the IT industry.
  • be able to understand and apply appropriate communication practices within a project management context.
  • be able to research and apply established IT project management principles, skills and techniques to a case study