
IAA202 - LAB1 - SE140442: RISK, Threats and Vulnerabilities



Evaluation Criteria and Rubrics

The following are the evaluation criteria and rubrics for Lab #1 that the students must perform:

1. Was the student able to identify common risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure?

AND
2. Was the student able to align risks, threats, and vulnerabilities to one of the seven domains of a typical IT infrastructure accurately?

RISK, Threats and Vulnerabilities

A. User domain:
• Susceptibility to social engineering
Employees and users are vulnerable to being socially engineered into letting malware and threat
actors into the system.
Phishing, vishing, whaling, pharming, spoofing, and impersonation are the various ways a user
could fall victim to hackers.
• Accidental disclosures
Users due to ignorance or negligence could cause accidental disclosures leading to data leaks,
account compromises, and organizational losses.
Writing down passwords, leaving their systems unlocked, using trivial passwords, sharing too
much information on social media, are all ways that users increase the risk of hacks.
• Malicious behavior
Malicious insiders are a serious threat and pose a huge risk to organizations. Confidential data,
copyrighted material, trade secrets, business plans and strategies could be at risk.
Additionally, disgruntled employees can wreak havoc with logic bombs and installing backdoors
into systems.
• Vulnerabilities: These vulnerabilities pose a potential danger to users and organizations. An attacker can break into an organization by compromising an authorized user within it. This can lead to dangers such as data loss, exposure of internal secrets, copying of data, exposure of important data, extortion, ...

B. Workstation domain:
• Old operating systems represent a huge vulnerability. They are beyond their end-of-life and are not maintained with security updates and patches.
• Older and outdated hardware is vulnerable to hackers and data loss through outdated firmware exploits and the lack of the ability to encrypt the hardware.
• Known remote access vulnerabilities within older OS’s can allow hackers to take over the workstation and gain access to the corporate network.
• Old hard drives can lead to failure and the data loss of critical business information.

• Vulnerabilities: These risks have the potential to allow hackers into the network and also carry the potential for data loss from failed hardware components. These risks can be mitigated by a complete overhaul of old hardware to ensure everything is up-to-date. Newer OS’s will mean security holes are closed, and new equipment, maintained through sound backup policies and encryption techniques, will help maintain business continuity if a hard drive were to fail. This will also protect corporate data in the event of a data breach. Also, by establishing a strong baseline system defined by a security policy, each workstation can be ensured to provide strong local encryption, backup of sensitive information, and protection from intrusion and compromise by utilizing the latest patched operating system and antimalware/antivirus protection.
C. LAN domain:
• Flat network designs lack security.
• IT employees may lack the experience, or the time, in designing and maintaining a secure network.
• Lack of security policy governing the network.

• Vulnerabilities: These identified risks have the potential to allow hackers into the corporate network and allow them easy access to resources once they get in. A flat, or unsegmented, network essentially allows all workstations and servers to exist on the same LAN. There are no security features in place, such as firewalls, to restrict access to different areas of the network. A user on a workstation can connect to a server, or a DMZ server can connect to the same router as all internal systems. This is a hacker’s dream. After initial compromise, pivoting between systems is easier than in a segmented network. The design of this type of network was either done by inexperienced network professionals or over-extended professionals without the time or resources to build out the network properly. Proper training of these individuals, and the proper amount of them, in conjunction with strong security policies, will help to mitigate these risks.

D. WAN domain:
• A lack of security policy and trained employees means multiple unknown vulnerabilities may exist at the perimeter, including open ports and protocols such as FTP and Remote Desktop.
• Lack of firewalls and a possibly misconfigured modem at the perimeter could open the door to many possible attacks.
• Vulnerabilities: These identified risks have the potential to allow a
compromise at the network border with the Internet (WAN). These
weaknesses can directly be mitigated by shoring up the LAN-to-WAN
Domain. Verifying and setting up SFTP instead of FTP can help secure
this protocol if it is being utilized at your company. Best practices in
defense in depth should be utilized, as well as penetration testing to
ensure this domain is secure. Solid Incident Response policies should
also be developed and tested to ensure a breach in this domain does not
expose the business to unnecessary risk.
E. LAN-to-WAN domain:
• No firewall is present, only a simple modem.
• Lack of any defensive perimeter controls.
• Lack of Intrusion Detection/Intrusion Prevention.
• Vulnerabilities: These identified risks have the potential to allow
unrestricted access into the organization’s LAN, and also to introduce
DDoS (distributed denial of service) or other attacks against computers in
the DMZ, which could contain your corporate email and web servers. A
best practice in security is “defense in depth”. This means securing
resources through a variety of controls so that if one control fails, there
are other defenses in place that can provide security and act as backups
to an organization's defense. A firewall should exist between the WAN
(Internet) and the LAN, and another should exist between the DMZ and
the LAN. Access to the DMZ should never come from the LAN because a
breach of the DMZ would allow hackers an internal position to launch
further attacks inside the network. Proper network perimeter design
including multiple firewalls coupled with a strong defense in depth
strategy, would help mitigate these threats.

F. Remote Access domain:
• Weak passwords can lead to unauthorized entry into the network from external locations.
• Weak Group Policy on the Domain Controller which does not enforce account lockouts, complex passwords, or password history.
• Improper set-up of VPN, FTP, or other remote access protocols.
• Vulnerabilities: These identified risks have the potential to allow an external threat actor to gain access, potentially full access, to the internal LAN at your business. Additionally, weak FTP can allow an entity to introduce malicious applications, including malware, to the network. Remote access to corporate systems must be configured correctly. Additionally, proper auditing and logging of attempts to gain access will help IT identify whether a threat is growing and whether an intruder has gained access. By creating solid controls and policies surrounding remote access and utilizing best practices like auditing and logging, your business can secure this domain.
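The lockout and logging mitigations above can be checked against the access log after the fact. As an added example (not part of the lab report), the Python below parses constructed sample log lines in an assumed format, counts failed logins per account and source address inside a sliding window, reports which account/source pairs would have hit a lockout threshold, and flags any login that succeeded afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the lab). The format is an assumed
# generic remote-access auth log: timestamp, result, user, source address.
SAMPLE_LOG = """\
2024-03-01 08:00:01 FAILED user=jsmith src=203.0.113.5
2024-03-01 08:00:04 FAILED user=jsmith src=203.0.113.5
2024-03-01 08:00:07 FAILED user=jsmith src=203.0.113.5
2024-03-01 08:00:09 FAILED user=jsmith src=203.0.113.5
2024-03-01 08:00:12 FAILED user=jsmith src=203.0.113.5
2024-03-01 08:00:15 SUCCESS user=jsmith src=203.0.113.5
2024-03-01 08:30:00 FAILED user=mlee src=198.51.100.7
2024-03-01 09:45:00 SUCCESS user=mlee src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn raw log text into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the assumed format are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_lockout_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Apply a lockout policy after the fact: `threshold` failures for the same
    (user, src) inside a sliding `window` marks the pair as locked, and any
    later SUCCESS for a locked pair is flagged as a possible compromise.
    Returns (locked: {(user, src): time_threshold_hit}, compromised: set)."""
    recent_failures = defaultdict(list)
    locked = {}
    compromised = set()
    for ts, result, user, src in sorted(events):
        key = (user, src)
        if result == "FAILED":
            # keep only failures still inside the window, then add this one
            recent_failures[key] = [t for t in recent_failures[key]
                                    if t >= ts - window] + [ts]
            if len(recent_failures[key]) >= threshold and key not in locked:
                locked[key] = ts
        elif key in locked:
            compromised.add(key)
    return locked, compromised
```

Running `find_lockout_candidates(parse(SAMPLE_LOG))` locks jsmith from 203.0.113.5 at the fifth failure and flags the success three seconds later, while mlee's single failure followed by a success stays quiet.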

G. System/Application domain:
• Unpatched operating systems and software existing on the network.
• End-users’ lack of security awareness and unrestricted workstation access can lead to additional unsupported software being introduced to the network.
• Email that is not scanned for viruses.
• Employees that are not trained to recognize social engineering schemes can unwittingly open infected files.
• Lack of antimalware/antivirus software to protect company assets.
• Vulnerabilities: These identified risks have the potential to allow an
external threat actor to gain access to the internal LAN through spyware
or trojan horse virus variants downloaded through email or from a
compromised website. Antimalware and antivirus software can help stop
these infections from getting released into the company network.
Additionally, unpatched OS’s and software have many known
vulnerabilities that can be exploited if discovered by a hacker. A solid
policy to maintain systems and software can mitigate this risk. This would
call for the use of antimalware and antivirus software on workstations and
servers, including the webserver and email server. All email can be
scanned and secured through an email gateway or Unified Threat
Management (UTM) device installed at the network perimeter. Proper
security and awareness training to help employees spot social
engineering schemes would be a huge factor in mitigating these threats
as well.

3. Given a scenario in Part A, was the student able to prioritize risks, threats, and vulnerabilities based on their risk impact to the organization?

I will take the "User Domain" situation: in this section we will do the following to minimize the risk and threat to a user or an organization. First, I think users should use a password of high authenticity (special characters, punctuation marks, uppercase letters, numbers). Second, decentralize access rights for those with the right to provide support in the system and security. Third, to increase authenticity further, it is necessary to use key codes to access internal devices. This avoids hackers easily attacking the internal network and its services, ...

4. Was the student able to prioritize the identified critical, major, and minor risks, threats, and software vulnerabilities?

Unauthorized access from public Internet
User destroys data in application and deletes all files
Hacker penetrates your IT infrastructure and gains access to your internal network
Intra-office employee romance gone bad
Fire destroys primary data center
Communication circuit outages
Workstation OS has a known software vulnerability
Unauthorized access to organization-owned workstations
Loss of production data
Denial of service attack on organization e-mail server
Remote communications from home office
LAN server OS has a known software vulnerability
User downloads an unknown e-mail attachment
Workstation browser has software vulnerability
Service provider has a major network outage
Weak ingress/egress traffic filtering degrades performance
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers
VPN tunneling between remote computer and ingress/egress router
WLAN access points are needed for LAN connectivity within a warehouse
Need to prevent rogue users from unauthorized WLAN access

Lab Assessment Questions

1. Healthcare organizations are under strict compliance to HIPAA privacy requirements, which require that an organization have proper security controls for handling personal healthcare information (PHI) privacy data. This includes security controls for the IT infrastructure handling PHI privacy data. Which one of the listed risks, threats, or vulnerabilities can violate HIPAA privacy requirements? List one and justify your answer in one or two sentences.

> Just like anything else, HIPAA faces potential threats that are identified as "risks" that can be further segmented:

• Human Intentional Risk: Hackers, disgruntled employees, terrorists

• Human Unintentional Risk: Unknowing employees, human error

• Non-Human Technical Risk: Corrupt computer code or viruses

• Non-Human Natural Risk: Fires, floods, etc.

2. How many threats and vulnerabilities did you find that impacted
risk within each of the seven domains of a typical IT infrastructure?
• User Domain: 4
• Workstation Domain: 5
• LAN Domain: 4
• LAN-to-WAN Domain: 4
• WAN Domain: 3
• Remote Access Domain: 5
• Systems/Application Domain: 6

3. Which domain(s) had the greatest number of risks, threats, and
vulnerabilities?

> The User Domain represents the greatest risk and uncertainty because human
behavior is unreliable and influenced by factors uncontrolled by policy.

4. What is the risk impact or risk factor (critical, major, minor) that you would qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the healthcare and HIPAA compliance scenario?

> Hacker penetrates IT infrastructure and gains access to your internal network: Critical, PHI can be compromised
> Denial of service attack on organization's e-mail server: Minor, can be mitigated
> Weak ingress/egress traffic filtering degrades performance: Minor, can be mitigated
> VPN tunneling between the remote computer and ingress/egress router: Major, if electronic protected health information (ePHI) is being accessed remotely

5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and business continuity plan to maintain continued operations during a catastrophic outage?

> The risk of "Fire destroys primary data center"

6. Which domain represents the greatest risk and uncertainty to an organization?

> The User Domain represents the greatest risk and uncertainty because human behavior is unreliable and influenced by factors uncontrolled by policy.

7. Which domain requires stringent access controls and encryption for connectivity to corporate resources from home?

> The Remote Access Domain requires stringent access controls and encryption because of risks inherent in connectivity from home.

8. Which domain requires annual security awareness training and employee background checks for sensitive positions to help mitigate risk from employee sabotage?

> User Domain

9. Which domains need software vulnerability assessments to mitigate risk from software vulnerabilities?

> Workstation Domain (workstation, corporate-issued mobile devices)
> LAN Domain (regarding the network devices)
> System/Application Domain (servers, storage area network (SAN), network attached storage (NAS), backup devices)

10. Which domain requires AUPs to minimize unnecessary user-initiated Internet traffic and can be monitored and controlled by web content filters?

> User Domain

11. In which domain do you implement web content filters?

> LAN-to-WAN Domain


12. If you implement a wireless LAN (WLAN) to support connectivity for
laptops in the Workstation Domain, which domain does WLAN fall within?

> LAN Domain

13. A bank under the Gramm-Leach-Bliley Act (GLBA) for protecting customer privacy has just implemented their online banking solution, allowing customers to access their accounts and perform transactions via their computer or PDA device. Online banking servers and their public Internet hosting would fall within which domains of security responsibility?

> System/Application Domain & LAN-to-WAN Domain

14. Customers that conduct online banking using their laptop or personal
computer must use HTTPS, the secure and encrypted version of HTTP:
browser communications. HTTPS:// encrypts webpage data inputs and
data through the public Internet and decrypts that webpage and data once
displayed on your browser. True or False.

> True

15. Explain how a layered security strategy throughout the seven domains of a typical IT infrastructure can help mitigate risk exposure for loss of privacy data or confidential data from the Systems/Application Domain.

> By examining where privacy data and confidential data reside and are accessed,
organizations can design a layered security solution, providing multiple security
countermeasures and security controls at key points throughout the entire IT
infrastructure. By implementing proper security controls within the User Domain and
Workstation Domain, users and their point-of-entry are granted access to systems and
data according to their access control requirements. Within the IT infrastructure,
additional security countermeasures and security controls in the LAN Domain and LAN-
to-WAN Domain can provide access controls to servers, drives, folders, and data to
authorized users. Finally, by ensuring servers, operating systems, and application
software are patched with the latest software updates, risks, threats, and vulnerabilities
can be mitigated within the System/Application Domain.
