Student Lab Manual

Lab #1: Assessment Worksheet

Part A – List of Risks, Threats, and Vulnerabilities

Commonly Found in an IT Infrastructure

Course Name: IAA202

Student Name: Trần Tiến Nam - HE150623

Instructor Name: Hoàng Mạnh Đức

Overview
The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure servicing
patients with life-threatening situations. Given the list, select which of the seven domains of a typical IT
infrastructure is primarily impacted by the risk, threat, or vulnerability.

Risk – Threat – Vulnerability Primary Domain Impacted

1/ Unauthorized access from public Internet Remote Access Domain

2/ User destroys data in application and deletes System/Application Domain

all files

3/ Hacker penetrates your IT infrastructure and LAN-to-WAN Domain

gains access to your internal network

4/ Intra-office employee romance gone bad User Domain

5/ Fire destroys primary data center System/Application

6/ Communication circuit outages WAN

7/ Workstation OS has a known software vulnerability Workstation

8/ Unauthorized access to organization owned Workstations Workstation

9/ Loss of production data System/Application

10/Denial of service attack on organization e-mail LAN-to-WAN

Server

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Current Version Date: 05/30/2011
Company
www.jblearning.com
All Rights Reserved.
-6-
 Risk – Threat – Vulnerability Primary Domain Impacted

1/ Remote communications from home office Remote Access

2/ LAN server OS has a known software vulnerability LAN Domain

3/ User downloads an unknown e–mail attachment User Domain

4/ Workstation browser has software vulnerability Workstation Domain

5/ Service provider has a major network outage WAN Domain

6/ Weak ingress/egress traffic filtering degrades LAN-to-WAN Domain

Performance

7/ User inserts CDs and USB hard drives

with personal photos, music, and videos User Domain
on organization owned computers

8/ VPN tunneling between remote LAN-to-WAN Domain

computer and ingress/egress router

9/ WLAN access points are needed for LAN Domain

LAN connectivity within a warehouse

10/ Need to prevent rogue users from LAN Domain

unauthorized WLAN access
 Lab #1: Assessment Worksheet

Identify Threats and Vulnerabilities in an IT Infrastructure

Course Name: IAA202

Student Name: Trần Tiến Nam -HE150623

Instructor Name: Hoàng Mạnh Đức

Overview
One of the most important first steps to risk management and implementing a risk mitigation strategy is to
identify known risks, threats, and vulnerabilities and organize them. The purpose of the seven domains of
a typical IT infrastructure is to help organize the roles, responsibilities, and accountabilities for risk
management and risk mitigation. This lab requires students to identify risks, threats, and vulnerabilities
and map them to the domain that these impact from a risk management perspective.

Lab Assessment Questions

Given the scenario of a healthcare organization, answer the following Lab #1 assessment questions from a
risk management perspective:

1. Healthcare organizations are under strict compliance to HIPPA privacy requirements which require
that an organization have proper security controls for handling personal healthcare information (PHI)
privacy data. This includes security controls for the IT infrastructure handling PHI privacy data.
Which one of the listed risks, threats, or vulnerabilities can violate HIPPA privacy requirements? List
one and justify your answer in one or two sentences.
- User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned
computers: this action from user can make computer vulnerable to outside attacker who can inject
virus or malware on user’s CDs, USB. Or that user may dump the organization’s data and take it
to outside.

2. How many threats and vulnerabilities did you find that impacted risk within each of the seven
domains of a typical IT infrastructure?
User Domain: 3
Workstation Domain: 3
LAN Domain: 3
LAN-to-WAN Domain: 4
WAN Domain: 2
Remote Access Domain: 2
Systems/Application Domain: 3

3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
- LAN-to-WAN Domain
4. What is the risk impact or risk factor (critical, major, minor) that you would qualitatively assign to the
risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the healthcare and
HIPPA compliance scenario?
- Workstation OS has a known software vulnerability: Major, as it can impact on all of computers in
Workstation domain, but it can be mitigated by updating new patches.
- Hacker penetrates IT infrastructure and gains access to your internal network : Critical, as it may impact
on all of Organization’s information systems.
- Unauthorized access from public Internet: Minor, as it can be denied or stricted.

5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one
requires a disaster recovery plan and business continuity plan to maintain continued operations during
a catastrophic outage?
- Fire destroys primary data center

6. Which domain represents the greatest risk and uncertainty to an organization?

- User Domain: People is considered the weakest link in the security chain and are chronically responsible
for the failure of security systems.

7. Which domain requires stringent access controls and encryption for connectivity to corporate
resources from home?
- Remote Access Domain due to the risk of sniffing attack and the integrity while transfering

8. Which domain requires annual security awareness training and employee background checks for
sensitive positions to help mitigate risk from employee sabotage?
- User Domain: People is considered the weakest link in the security chain and are chronically
responsible for the failure of security systems

9. Which domains need software vulnerability assessments to mitigate risk from software
vulnerabilities?
- Workstation Domain (workstation, corporate-issued mobile devices)
- LAN Domain (regarding the network devices)
- System/Application Domain (servers, storage area network (SAN), network attached
storage (NAS), backup devices)

10. Which domain requires AUPs to minimize unnecessary User initiated Internet traffic and can be
monitored and controlled by web content filters
- System/application domain requires AUP to minimize unnecessary internet traffic

11. In which domain do you implement web content filters?

- LAN-to-WAN Domain

12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the Workstation
Domain, which domain does WLAN fall within?
- LAN Domain
 13. A bank under Gramm-Leach-Bliley-Act (GLBA) for protecting customer privacy has just
implemented their online banking solution allowing customers to access their accounts and perform
transactions via their computer or personal digital assistant (PDA) device. Online banking servers
and their public Internet hosting would fall within which domains of security responsibility?
- Online banking servers: System/Application Domain

- public Internet hosting: LAN-to-WAN Domain

14. Customers that conduct online banking using their laptop or personal computer must use HTTPS: the
secure and encrypted version of HTTP: browser communications. HTTPS:// encrypts webpage data
inputs and data through the public Internet and decrypts that webpage and data once displayed on
your browser. True or False.
- True

15. Explain how a layered security strategy throughout the 7-domains of a typical IT infrastructure can
help mitigate risk exposure for loss of privacy data or confidential data from the Systems/Application
Domain.
- In short, the idea of a layered security is that any single defense may be flawed, and the most
certain way to find the flaws is to be compromised by an attack -- so a series of different defenses should
each be used to cover the gaps in the others' protective capabilities.
- Firewalls, intrusion detection systems, malware scanners, integrity auditing procedures, and local
storage encryption tools can each serve to protect your information technology resources in ways the others
cannot.
For example:
- Security in User Domain can prevent some attack like social engineering, … that steal
passwords of authorized users…
- Security in Workstation Domain can prevent attackers exploit know vulnerability to
penetrate the organization’s system…