This document contains instructions and data for an exercise to evaluate three information assets in an organization for risk management. The three assets are:
1. Switch L47, which has the highest potential risk due to two vulnerabilities with no controls and a 90% impact rating. It should be evaluated first.
2. Server WebSrv6, which has implemented controls that reduce the impact of its vulnerability by 75% and has an impact rating of 100.
3. MGMT45 control console, which has the lowest potential risk with a vulnerability likelihood of 0.1 and lowest impact rating of 5. It should be evaluated last.
This document contains instructions and data for an exercise to evaluate three information assets in an organization for risk management. The three assets are:
1. Switch L47, which has the highest potential risk due to two vulnerabilities with no controls and a 90% impact rating. It should be evaluated first.
2. Server WebSrv6, which has implemented controls that reduce the impact of its vulnerability by 75% and has an impact rating of 100.
3. MGMT45 control console, which has the lowest potential risk with a vulnerability likelihood of 0.1 and lowest impact rating of 5. It should be evaluated last.
This document contains instructions and data for an exercise to evaluate three information assets in an organization for risk management. The three assets are:
1. Switch L47, which has the highest potential risk due to two vulnerabilities with no controls and a 90% impact rating. It should be evaluated first.
2. Server WebSrv6, which has implemented controls that reduce the impact of its vulnerability by 75% and has an impact rating of 100.
3. MGMT45 control console, which has the lowest potential risk with a vulnerability likelihood of 0.1 and lowest impact rating of 5. It should be evaluated last.
This document contains instructions and data for an exercise to evaluate three information assets in an organization for risk management. The three assets are:
1. Switch L47, which has the highest potential risk due to two vulnerabilities with no controls and a 90% impact rating. It should be evaluated first.
2. Server WebSrv6, which has implemented controls that reduce the impact of its vulnerability by 75% and has an impact rating of 100.
3. MGMT45 control console, which has the lowest potential risk with a vulnerability likelihood of 0.1 and lowest impact rating of 5. It should be evaluated last.
Download as DOCX, PDF, TXT or read online from Scribd
Download as docx, pdf, or txt
You are on page 1/ 2
Raygeena Franchesca Ashley K.
Fernandez BSIT 3B IAS101: Information, Assurance, and Security 101
Learning Activity 4: Instructions: If an organization has three information assets to evaluate for risk management, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which one should be evaluated last? Data for Exercise: • Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data. • Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implanted that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data. • Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.
Every organization is always given to be prone at risks and it is also important to
respond with these risks encountered. It is very vital to have risk management to protect client’s/user’s interests and assets which they put on trust of the organization’s hands. As shown in the data for exercise by the organization, Switch L47 is the one with the highest potential in risks. Switch L47 has the highest risk of attack due to its subject of having two vulnerabilities. As they say, check first the ones with tons of problems. Switch L47 is prone to hardware failure and SNMP buffer overflow attack. Once these occurrences are exploited, it can cause a dangerous and significant impact on the organization. As compared to Server WebSrv6 who still reduced its impact of vulnerability to 75%, Switch L47, who has a 90% impact-rating, is an inferior when it comes to ways of reduction due to the absence of current controls. Therefore, it is a high-risk vulnerability that requires additional controls. On the contrary, no password and unlogged misuse of MGMT45 control console are the one with the lowest potential in risks and should be the last vulnerability to evaluate. It is like Switch L47 with no controls in place, but it only has 5% impact-rating, which is relatively the lowest among three data. It still needs to be evaluated with additional controls but due to its lower impact-rating and likelihood, it is less more of a priority compared to others which are associated with much more vulnerabilities.
