SOLUTION: CSCI 310 Northlake College Foundations of Information Security & Risk Management PPT

CSCI 351, Foundations of Information Security
Assignment # 2
Due: Friday Feb. 12th 11:59PM, 2021
Q1. Risk Management (4 points)
Consider the risk assessment report posted on the course D2L titled: “DETAILED RISK
ASSESSMENT REPORT”. Read the report and answer the following questions.
a. What is the system in scope of the risk assessment included in the report? And what does
that system do (functionality)?
b. What techniques were used in performing the risk assessment? Elaborate on how each of
the techniques helps in the assessment.
c. What is the risk model the report adopted for evaluating risks, and what scales were
used?
d. Considering the flow diagram provided in section 3.5, list two good network security
controls that are included in the design.
e. Consider the vulnerability statements (risk scenarios) listed in section 4. Reflect on the
password-related statement and possible mitigations.
f. Given the risk assessment results listed in the table in Section 5, construct a risk
register, adding a risk response column populated with what you think is an
appropriate risk response action (e.g. accept, mitigate, etc.).
Q2. Access Control Matrix (3 points)
Explain the following file permissions in UNIX
a. -rw-r--r--
b. drwxr-xr-x
c. 0400
Q3. NetworkMiner and asset identification (3 points)
Once you download and install the free version of NetworkMiner, use the program to load and
study the PCAP file uploaded with the assignment on D2L.
a. Print a screenshot of what you see under the Hosts tab
b. List 4 observations you can make about the network from this PCAP analysis.
DETAILED RISK ASSESSMENT REPORT
Executive Summary
During the period June 1, 2004 to June 16, 2004 a detailed information security
risk assessment was performed on the Department of Motor Vehicle’s Motor
Vehicle Registration Online System (“MVROS”).
The MVROS provides the ability for State vehicle owners to renew motor vehicle
registrations, pay renewal fees, and enter change of address information.
The assessment identified several medium risk items that should be addressed
by management.
This is sample data for demonstration and discussion purposes only
Page 1
DETAILED ASSESSMENT
1. Introduction
1.1 Purpose
The purpose of the risk assessment was to identify threats and vulnerabilities
related to the Department of Motor Vehicles – Motor Vehicle Registration Online
System (“MVROS”). The risk assessment will be utilized to identify risk mitigation
plans related to MVROS. The MVROS was identified as a potential high-risk
system in the Department’s annual enterprise risk assessment.
1.2. Scope of this risk assessment
The MVROS system comprises several components. The external (customer)
interface is a series of web pages that allow the user to input data and receive
information from the application. The online application is a web-based
application developed and maintained by the DMV. The application is built using
Microsoft’s Internet Information Server and uses Active Server Pages. The
application has an interface with the motor vehicle registration database and with
Paylink – an e-commerce payment engine provided by a third party vendor. DMV
IT department hosts the application. The application components are physically
housed in the DMV’s data center in Anytown.
The scope of this assessment includes all the components described above
except for Paylink. The Paylink interface – the component managed by DMV IT –
is in scope. Also in scope are the supporting systems, which include: DMZ
network segment and DMZ firewalls. The web application, DMV database and
operating systems supporting these components are all in scope.
2. Risk Assessment Approach
2.1 Participants
Role: Participant
System Owner: John Smith
System Custodian: Mary Blue
Security Administrator: Tom Sample
Database Administrator: Elaine Ronnie
Network Manager: David Slim
Risk Assessment Team: Eric Johns, Susan Evans, Terry Wu
2.2 Techniques Used
Technique: Description

Risk assessment questionnaire: The assessment team used a customized version of the
self-assessment questionnaire in NIST SP-26 “Security Self-Assessment Guide for
Information Technology Systems”. This questionnaire assisted the team in identifying risks.

Assessment Tools: The assessment team used several security testing tools to review
system configurations and identify vulnerabilities in the application. The tools included
nmap, nessus, AppScan.

Vulnerability sources: The team accessed several vulnerability sources to help identify
potential vulnerabilities. The sources consulted included:
• SANS Top 20 (www.sans.org/top20/)
• OWASP Top 10 (www.owasp.org/documentation/topten.html)
• NIST I-CAT vulnerability database (icat.nist.gov)
• Microsoft Security Advisories (www.microsoft.com/security)
• CA Alert service (www3.ca.com/securityadvisor)

Transaction walkthrough: The assessment team selected at least one transaction (use case)
of each type and walked each transaction through the application process to gain an
understanding of the data flow and control points.

Review of documentation: The assessment team reviewed DMV security policies, system
documentation, network diagrams and operational manuals related to the MVROS.

Interviews: Interviews were conducted to validate information.

Site visit: The team conducted a site visit at the Data Center and reviewed physical
access and environmental controls.
2.3 Risk Model
In determining risks associated with the MVROS, we utilized the following model for classifying
risk:
Risk = Threat Likelihood x Magnitude of Impact
And the following definitions:
Threat Likelihood
Likelihood (Weight Factor): Definition
High (1.0): The threat-source is highly motivated and sufficiently capable, and controls
to prevent the vulnerability from being exercised are ineffective.
Medium (0.5): The threat-source is motivated and capable, but controls are in place that
may impede successful exercise of the vulnerability.
Low (0.1): The threat-source lacks motivation or capability, or controls are in place to
prevent, or at least significantly impede, the vulnerability from being exercised.
Magnitude of Impact
Impact (Score): Definition
High (100): The loss of confidentiality, integrity, or availability could be expected to
have a severe or catastrophic adverse effect on organizational operations, organizational
assets, or individuals. Examples:
• A severe degradation in or loss of mission capability to an extent and duration that
the organization is not able to perform one or more of its primary functions
• Major damage to organizational assets
• Major financial loss
• Severe or catastrophic harm to individuals involving loss of life or serious life
threatening injuries.
Medium (50): The loss of confidentiality, integrity, or availability could be expected to
have a serious adverse effect on organizational operations, organizational assets, or
individuals. Examples:
• Significant degradation in mission capability to an extent and duration that the
organization is able to perform its primary functions, but the effectiveness of the
functions is significantly reduced
• Significant damage to organizational assets
• Significant financial loss
• Significant harm to individuals that does not involve loss of life or serious life
threatening injuries.
Low (10): The loss of confidentiality, integrity, or availability could be expected to
have a limited adverse effect on organizational operations, organizational assets, or
individuals. Examples:
• Degradation in mission capability to an extent and duration that the organization is
able to perform its primary functions, but the effectiveness of the functions is
noticeably reduced
• Minor damage to organizational assets
• Minor financial loss
• Minor harm to individuals.
Risk was calculated as follows (rows: Threat Likelihood; columns: Magnitude of Impact):

Threat Likelihood | Impact Low (10) | Impact Medium (50) | Impact High (100)
High (1.0) | Low Risk (10 x 1.0 = 10) | Medium Risk (50 x 1.0 = 50) | High Risk (100 x 1.0 = 100)
Medium (0.5) | Low Risk (10 x 0.5 = 5) | Medium Risk (50 x 0.5 = 25) | Medium Risk (100 x 0.5 = 50)
Low (0.1) | Low Risk (10 x 0.1 = 1) | Low Risk (50 x 0.1 = 5) | Low Risk (100 x 0.1 = 10)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
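Worked example of the risk model above, added here and not part of the report or the assignment: it encodes the weight factors, impact scores and rating scale from section 2.3, rebuilds the 3x3 matrix, and recomputes the ratings for the five items in the results table in section 5. It makes visible why a score of exactly 50 (items 3 and 5) is Medium rather than High, since the High band starts above 50.

```python
# Weight factors and impact scores exactly as defined in section 2.3 of the report
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}

def risk_score(likelihood, impact):
    """Risk = Threat Likelihood x Magnitude of Impact."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_SCORE[impact]

def risk_rating(score):
    """Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10).
    Each band's lower bound is exclusive, so a score of exactly 50 is Medium
    and exactly 10 is Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def risk_matrix():
    """Rebuild the 3x3 table from section 2.3 as {likelihood: {impact: (score, rating)}}."""
    return {lk: {im: (risk_score(lk, im), risk_rating(risk_score(lk, im)))
                 for im in IMPACT_SCORE} for lk in LIKELIHOOD_WEIGHT}

# The five items of the report's partial results table in section 5:
# (item number, observation, likelihood, impact, rating printed in the report)
ITEMS = [
    (1, "User system passwords can be guessed or cracked", "Medium", "Medium", "Medium"),
    (2, "Cross site scripting", "Medium", "Medium", "Medium"),
    (3, "SQL commands entered into input fields", "High", "Medium", "Medium"),
    (4, "Web and application servers running unnecessary services", "Medium", "Medium", "Medium"),
    (5, "Disaster recovery plan has not been established", "Medium", "High", "Medium"),
]

def risk_register(items=ITEMS):
    """One row per item with the computed score and rating, plus a check that the
    computed rating agrees with the rating the report printed."""
    rows = []
    for number, observation, likelihood, impact, reported in items:
        score = risk_score(likelihood, impact)
        rating = risk_rating(score)
        rows.append({"item": number, "observation": observation, "score": score,
                     "rating": rating, "matches_report": rating == reported})
    return rows

if __name__ == "__main__":
    for row in risk_register():
        print(row)
```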
3. System Characterization
3.1 Technology components
Component: Description
Applications: In-house developed; uses Microsoft Active Server Pages running under
Microsoft Internet Information Server 4.0
Databases: Microsoft SQL Server 2000
Operating Systems: Microsoft Windows NT version 4.0 SP 2
Networks: Checkpoint Firewall; Cisco Routers
Interconnections: Interface to PayLink
Protocols: SSL used for transmission between client web browser and web server
3.2 Physical Location(s)
Location: Description
Data Center: 260 Somewhere Street, Anytown
Help Desk: 5500 Senate Road, Anytown
NOC: 1600 Richmond Avenue, Anytown
3.3 Data Used By System
Data: Description
Personally identifiable information: Includes:
• Name
• Address (current and previous)
• Phone Number
• SSN #
• DOB
Vehicle information: Includes:
• Vehicle identification number
• Tag #
• Date of last emissions test
Financial information: Includes:
• Credit card #
• Verification code
• Expiry date
• Card type
• Authorization reference
• Transaction reference
Tax: Registration fee
3.4 Users
Users: Description
State Vehicle Owners: Access the system via a web browser. Can renew vehicle registration
provided they have a valid credit card. Can also enter change of address information.
DMV IT Personnel: Manage the MVROS system including firewalls and networks. Maintain
security configuration of system.
DMV Operations: Utilize information contained in the MVR database for management
reporting. Generate reports and database queries.
DMV Offices: Utilize the MVR application for in-person renewals.
3.5 Flow Diagram
The following diagram (not reproduced in this extract) shows the in-scope technology
components reviewed as part of the MVROS. The components shown are: Internet, Border
Router, Internet Firewall, MVR Website, Internal Firewall, MVR Application Server, MVR
Database, and Interface to PayLink.
4. Vulnerability Statement
The following potential vulnerabilities were identified:
Vulnerability: Description
Cross-site scripting: The web application can be used as a mechanism to transport an
attack to an end user’s browser. A successful attack can disclose the end user’s session
token, attack the local machine, or spoof content to fool the user.
SQL injection: Information from web requests is not validated before being used by a web
application. Attackers can use these flaws to attack backend components through a web
application.
Password strength: Passwords used by the web application are inappropriately formulated.
Attackers could guess the password of a user to gain access to the system.
Unnecessary services: The web server and application server have unnecessary services
running such as telnet, snmp and anonymous ftp.
Disaster recovery: There are no procedures to ensure the ongoing operation of the system
in event of a significant business interruption or disaster.
Lack of documentation: System specifications, design and operating processes are not
documented.
Integrity checks: The system does not perform sufficient integrity checks on data input
into the system.
5. Threat Statement
The team identified the following potential threat-sources and associated threat
actions applicable to the MVROS:
Threat-Source: Threat Actions
Hacker:
• Web defacement
• Social engineering
• System intrusion, break-ins
• Unauthorized system access
Computer criminal:
• Identity theft
• Spoofing
• System intrusion
Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated
employees):
• Browsing of personally identifiable information
• Malicious code (e.g., virus)
• System bugs
• Unauthorized system access
Environment:
• Natural disaster
5. Risk Assessment Results
{Note: Only partial list included in this example}

Item Number: 1
Observation: User system passwords can be guessed or cracked
Threat-Source/Vulnerability: Hackers / Password effectiveness
Existing controls: Passwords must be alphanumeric and at least 5 characters
Likelihood: Medium
Impact: Medium
Risk Rating: Medium
Recommended controls: Require use of special characters

Item Number: 2
Observation: Cross site scripting
Threat-Source/Vulnerability: Hackers / Cross-site scripting
Existing controls: None
Likelihood: Medium
Impact: Medium
Risk Rating: Medium
Recommended controls: Validation of all headers, cookies, query strings, form fields, and
hidden fields (i.e., all parameters) against a rigorous specification of what should be
allowed

Item Number: 3
Observation: Data could be inappropriately extracted/modified from DMV database by
entering SQL commands into input fields
Threat-Source/Vulnerability: Hackers + Criminals / SQL Injection
Existing controls: Limited validation checks on inputs
Likelihood: High
Impact: Medium
Risk Rating: Medium
Recommended controls: Ensure that all parameters are validated before they are used. A
centralized component or library is likely to be the most effective, as the code
performing the checking should all be in one place. Each parameter should be checked
against a strict format that specifies exactly what input will be allowed.

Item Number: 4
Observation: Web server and application server running unnecessary services
Threat-Source/Vulnerability: All / Unnecessary Services
Existing controls: None
Likelihood: Medium
Impact: Medium
Risk Rating: Medium
Recommended controls: Reconfigure systems to remove unnecessary services

Item Number: 5
Observation: Disaster recovery plan has not been established
Threat-Source/Vulnerability: Environment / Disaster Recovery
Existing controls: Weekly backup only
Likelihood: Medium
Impact: High
Risk Rating: Medium
Recommended controls: Develop and test a disaster recovery plan