Lab- vulnerability assessment

Reference no: EM13843360

Lab: Vulnerability Assessment

Probably the most overlooked process in any type of security system is the vulnerability assessment. Vulnerability assessments are incredibly useful (and necessary) tools. They provide a structured method for determining what assets need to be protected, what threats against the assets exist, what security vulnerabilities currently exist, the cost of losing the asset, and how to mitigate the risk to the asset. In a nutshell, a vulnerability assessment done properly will form the basis of your entire security plan(s) for your organization.
If vulnerability assessments are so important, why are they often only partially completed (if they are even completed at all)? The answer is simple: they take time, and they require the identification and fixing of current security problems (two things that most people would rather just ignore). For this lab, you will conduct your own vulnerability assessment. Your finished assessment will be a multi-page written document containing the following sections.

Part 1: Asset Identification

Although this course concerns IT security, I find it is much easier to learn the vulnerability assessment process using physical items instead of things like computer network assets. Your first step in this lab is to identify the ten most important personal assets you own. These assets could be anything from your laptop or television to your car or motorcycle. Also, do not simply pick the ten items you own which are worth the most money. It is very possible that your top ten asset inventory might include items which hold a great deal of sentimental value instead of only monetary value. Think about what you own, and pick the top ten items which mean the most to you. For this section of your assessment document, provide your ten-asset inventory, listing your most prized possession first, second most prized possession second, and so on.

Part 2: Threat Evaluation

The best way to determine what threats against your assets exist is to create an attack tree. An attack tree is a visual representation of how a given asset might be attacked. In the case of this lab, attacked most likely means stolen or destroyed. On the following page, I have included an attack tree for one of my most prized assets. I only included theft-based attacks for this particular attack tree because the destruction route was just a little too morbid!

[Figure: example attack tree (951_image.png)]


To complete this section of your assessment, pick the number one item from your asset inventory and build your own attack tree. Take your time and try to think of, and document, every possible attack that could result in the theft of your most prized possession. While my example attack tree looks pretty good, I can think of a few more potential attack routes for stealing my cat. If necessary, break your attack tree into multiple pages to cover all potential attacks. Part of your grade for this lab will depend on the thoroughness of your attack tree.

Part 3: Vulnerability Appraisal

Now that you have completed your attack tree, you can move on to identifying your current security vulnerabilities. In order to determine how you can better secure your asset, you need to identify the weaknesses which allow attacks to take place. To begin, number the potential attacks from your attack tree from left to right starting with one. For my example attack tree, the attack beginning with "Break Basement Window" would be attack #1. After you have created a numbered list of all the attacks from your attack tree, determine what current security weakness(es) allow each attack to take place. For example, in my list for attack #1, the security weakness might be a large ground-level basement window with no bars or other security feature. For attack number two, I can think of at least two vulnerabilities: parking my truck on the street at night, and keeping a garage door opener in my truck. For this section of your assessment, list the security vulnerabilities for each of your numbered attacks. Part of your grade will depend on your identification of the possible vulnerabilities relating to the attacks shown in your attack tree.

Part 4: Risk Assessment

At this point you probably have a pretty long list of attacks, and associated vulnerabilities which allow those attacks to be carried out. The next step is to categorize the different security vulnerabilities (risks) you identified in Step 3. Some of these attacks and corresponding vulnerabilities will have the potential to be much more harmful than others. This section is where you rank the possible attacks and vulnerabilities.

What makes some attacks/vulnerabilities worse than others depends on several risk factors. How likely is the attack to succeed (the more likely, the worse the risk)? How damaging is the actual attack (the more damage caused, the worse the risk)? How damaging will it be if the asset is actually stolen (the more expensive or irreplaceable the asset, the worse the risk)? The highest-risk attack/vulnerability combinations are those which include an attack which is easy to execute, causes a lot of damage, and succeeds in stealing or destroying an asset which is extremely valuable.

Looking at my example attack tree, I would rank the first attack as high risk. It is easy to break the basement window, and the result is not only the theft of an irreplaceable asset (my cat), but a house which is now insecure until the attack is noticed. I would rate the last attack in the tree low risk. While obtaining a key to my house is very damaging, and my cat would still be stolen, the chance of someone picking my pocket and stealing my keys without me noticing is low. It's not that I think it would be impossible for a professional pick-pocket to steal my keys, but rather that I really doubt anyone is going to hire a professional pick-pocket just so they can steal my cat. In addition, my key chain includes not only my house key, but my office and car keys...I'll notice they are gone quickly even if they are stolen. For this section of the assessment, work through your numbered list from Part 3 and designate each attack/vulnerability combination as high, medium, or low risk. Include a descriptive sentence for each item in your list describing why you assigned the high, medium, or low risk rating.
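
The numbering from Part 3 and the rating from Part 4 can also be worked through in code. The following Python sketch is an added example, not part of the original lab: the tree is a constructed sample built from three attacks the text mentions (it is not the original figure), and the 1-3 scales, the multiplication of the three risk factors, and the thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    label: str
    children: list = field(default_factory=list)
    weaknesses: tuple = ()   # leaf only: what allows the attack (Part 3)
    likelihood: int = 0      # leaf only: 1 (unlikely) .. 3 (easy); assumed scale
    damage: int = 0          # leaf only: 1 (minor) .. 3 (severe); assumed scale

def enumerate_attacks(node, path=()):
    """Yield (steps, leaf) for every root-to-leaf path, left to right."""
    if not node.children:
        yield path + (node.label,), node
    for child in node.children:
        yield from enumerate_attacks(child, path + (node.label,))

def rate(leaf, asset_value):
    """Assumed scoring: product of the three Part 4 factors, range 1..27."""
    score = leaf.likelihood * leaf.damage * asset_value
    return "high" if score >= 18 else "medium" if score >= 10 else "low"

def assess(root, asset_value):
    """Number the attacks (Part 3) and attach a rating (Part 4)."""
    rows = []
    for number, (steps, leaf) in enumerate(enumerate_attacks(root), start=1):
        rows.append({"attack": number,
                     "steps": " -> ".join(steps[1:]),  # drop the root goal
                     "weaknesses": leaf.weaknesses,
                     "risk": rate(leaf, asset_value)})
    return rows

# Constructed sample tree (not the original figure); scores are illustrative.
TREE = Node("Steal cat", [
    Node("Break Basement Window",
         weaknesses=("large ground-level basement window with no bars",),
         likelihood=3, damage=3),
    Node("Take garage door opener from truck",
         weaknesses=("truck parked on the street at night",
                     "garage door opener kept in truck"),
         likelihood=2, damage=2),
    Node("Obtain house key", [
        Node("Pick pocket for key chain",
             weaknesses=("house key carried on everyday key chain",),
             likelihood=1, damage=3)]),
])

if __name__ == "__main__":
    for row in assess(TREE, asset_value=3):  # 3 = irreplaceable (assumed scale)
        print(row)
```

Because the factors are multiplied, a very unlikely attack stays low risk even when the asset is irreplaceable, which matches the reasoning given above for the pick-pocket attack.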

Part 5: Risk Mitigation

The final step in a vulnerability assessment is to decide what to do about any of the major security risks you have developed through the preceding steps. While the ultimate goal would be to attempt to address all risks you identified in Step 4, due to difficulty or expense, this is rarely accomplished (or even attempted). Most organizations will certainly attempt to address the high risk items on the list from Step 4. If enough organizational resources (money, time, expertise, etc.) are left after addressing the high level risks, then medium level risks are addressed. Oftentimes low level risks might not be addressed at all, or might be partially addressed (putting a fake alarm system sticker on a window, for example).

Keep in mind that there may be several ways to address the vulnerabilities. For example, there are a few different ways to address attack 3 in my example attack tree. I could buy a metal front door (much more secure than the wood door I have now). I could install an alarm system (this might address many potential attacks in the tree, but would be expensive). I could train my friendly dog to be an attack dog. I could install a locking door between the main level of the house and the basement. I could buy a comfortable cage for my cat, bolt the cage to the floor, and lock the cat in the cage whenever I leave the house (effective, but not very nice for the cat, and I'd probably forget to put the cat in the cage anyway).

To complete this section of your vulnerability assessment, list your high risk level items from Step 4, and describe how they could be addressed as demonstrated above. If you have fewer than three high risk items, explain how you would address your medium risk items.

Finally, provide a short summary which describes the best possible way in which you think your asset should be secured. This summary should address why you decided on this particular course of action, and should consider things like cost or time necessary to implement your decision. Keep in mind that the best possible plan might be too costly, or just not realistic in terms of time commitment (I'm not going to hire a bodyguard for my cat, or take the time to physically secure my cat in a panic room every time I leave the house, no matter how secure that makes my cat).

When your vulnerability assessment is complete (I would also like it to be professionally formatted), submit it on the Lab 2 assignment page. As mentioned during several steps above, your grade will depend heavily on the completeness and comprehensiveness of your assessment.
