University of Tampa

Risk Assessment of
Cybersecurity Lab
Patrick Walker
Date: 11/13/2017
ITM 375- Information Security Standards,
Risk Management, and Compliance
University of Tampa Proprietary
Table of Contents
1. Executive Summary
2. Introduction
2.1. Purpose
2.2. Scope
2.3. Document Structure
3. Risk Assessment Approach/Methodology
3.1. Assessment Resources
3.2. Risk Assessment Execution
3.3. Assumptions and Constraints
4. Asset Summary
4.1. Personnel
4.2. Physical Assets
5. Threat Summary
6. Vulnerability Summary
7. Risk Assessment Results
7.1. Risk Analysis Methodology
7.2. Risks Identified
8. Risk Management Plan
8.1. Risk Response Strategies
9. Risk Assessment Matrix

1. Executive Summary

The purpose of this report is to communicate the results of the risk assessment which includes a
summarization of the key risks identified and the recommendations for the areas upon which the organization
should be focused. Elements of risk are found in every organization; therefore, the organization should be
aware of the risks and be prepared to counter them if at all possible.

The risk assessment evaluates the use of resources and controls to eliminate and/or manage vulnerabilities
that are exploitable by threats internal and external to the University of Tampa. The scope of this risk
assessment effort was limited to the security controls applicable to the cybersecurity labs located in The
Maureen A. Daly Innovation and Collaboration Building. Throughout this risk assessment we conducted
research and interviews to get a better view of the Cybersecurity lab. An interview with Ryan Burcel, the
lab coordinator, gave us more information about the assets of the lab and the security aspects implemented
within the lab. An analysis of the entire lab and the equipment within the lab was necessary to conduct a
successful assessment. Policies, goals and objectives set in place for the cybersecurity program and the
effects that they have on the lab were also considered in the report. The Cybersecurity Major Learning Goals
and Objectives, Physical Assets List, UT Cybersecurity Lab/Network Overview, and the Clear Desk
Standards, which were provided by the instructor, also contributed to the assessment of risk for the lab. The
identified threats are outlined in section 5 of this report. The threats identified pose a risk to the school, the
lab network, and the data stored within the lab.

This risk assessment identified seven vulnerabilities that were present. A vulnerability is defined as a
weakness that may be exploited by a threat or group of threats. Additionally, four risks were identified and
associated with a vulnerability. Risk can be defined as the possibility of an adverse event affecting an
organization's assets. No high-rated risks were identified; however, three were rated Moderate and one risk
was rated as Low. The major risks that were found are open USB ports that can be exploited and
workstations in both labs that are susceptible to theft. A complete discussion of the risks can be found in Section
7 of this report.

Two recommendations were made to mitigate the major risks identified within this report. To mitigate the
open USB ports, it is recommended that the organization create a group policy setting to prevent users from
installing the device drivers. Also, to mitigate the risk of equipment being stolen in the lab, it is recommended
that the administration install cameras in both labs. A complete discussion of the risk management plan can
be found in section 8 of this report.

2. Introduction
2.1. Purpose
The purpose of this document is to provide an overview of the process involved in performing a threat and
risk assessment. This document is created to identify and mitigate potential problems that may occur within
the University of Tampa Cybersecurity lab and within the entire program. This risk assessment evaluates
issues that could endanger the lab's assets (e.g. students, equipment, etc.). The assessment also includes
and explores early risk identification through interviews, policy, and research. Throughout the assessment,
we analyzed external and internal threat/risk sources and how they can have an effect on the Cybersecurity
lab. We defined the parameters in order to categorize, evaluate, and prioritize each risk and its
likelihood/impact on the lab.

2.2. Scope
The boundaries of this assessment include the entire Cybersecurity program at the University of Tampa
located in the ICB building on Kennedy Blvd. The overall boundaries include the Cybersecurity labs,
students, staff and faculty, and the equipment used within the program. This assessment specifically
evaluated the Cybersecurity program focusing on the two labs on the first floor of the ICB building. The
specific boundaries were evaluated overall by the students involved in the program. Outsider opinions of the
program were purposely left out, as outsiders do not have the knowledge that individuals involved in the
program have, nor did they complete the risk assessment.

2.3. Document Structure


To initiate the assessment, the policies (Section 3; 3.1-3.2) and the goals and objectives set in place for the
cybersecurity program were identified, along with the effects that they have on the lab. The Cybersecurity Major
Learning Goals and Objectives, Physical Assets List, UT Cybersecurity Lab/Network Overview, and the
Clear Desk Standards were provided by the instructor and contributed to the assessment of risk for the lab. I
interviewed the lab coordinator, Ryan Burcel. After the interview, I was able to identify the assumptions and
constraints of the risk assessment.

In the next step in the document (Sections 4.1-4.2), the assets of the lab were identified (personnel & physical).
Provided in section 4.1 is a list of personnel who have a role in the overall operation of the lab, including
their titles and duties. In section 4.2 is a breakdown of the physical assets (Hardware & Networking), as well
as a breakdown of the pricing of each physical asset. Table 4.4 identifies another important asset, the
students. Included in the table is a count of students in both the graduate and undergraduate program who
are majoring/minoring in cybersecurity.

Table 5.1 is a threat summary that identifies every possible threat and gives an explanation of how they are
threats to the labs. Table 5.2 shows the different types of threat sources and the classification (external or
internal), category (natural, environmental, or human), and the threat agents.

Section 6 is a summary of the vulnerabilities of the labs. After assessing all the risks, threats, and
vulnerabilities, section 7 gives the breakdown of the risk assessment results. Section 7.1 includes the risk
analysis methodology where the risks are classified into categories (high, moderate, or low) based on the
probability of an attack to occur and the impact it would have on the Cybersecurity lab. Table 7.1 shows the
probability percentage to probability score. Table 7.2 shows the risk rating matrix. Section 7.2 includes tables
of identified risks that were paired with the identified vulnerability.

Section 8 is the Risk Management plan. Section 8.1 shows the risk response strategies with
recommendations for how the administration can respond to the risks. Finally, in section 9, table 9.1, a risk
matrix, is provided including each identified risk, the vulnerability, threat, & risk. Additionally, the risk
summary, likelihood rating, impact rating, overall risk rating, and recommendations are included in the table.

3. Risk Assessment Approach/Methodology
3.1. Assessment Resources
Cybersecurity Major Learning Goals and Objectives (January, 2016): Provides a background of the University of
Tampa Cybersecurity program's goals and objectives. Outlines what students will accomplish in the next 3 to 5
years. This is used for the assessment to evaluate the risk of students leaving the University to study
elsewhere.

Physical Asset List: Provides a list of all physical devices, hardware, and software available for use within
the labs. Information includes Manufacturer & Model Information, a Description, and Location. This document
was used to assess the risk of possible damage to equipment. According to an interview with Ryan (UT), the lab
is constantly being watched and protected against attacks. One attack that is unavoidable if it occurs is a
killer USB, which will damage the infrastructure of the equipment completely.

UT Cybersecurity Lab/Network Overview: Information includes Server Information, Virtualization Infrastructure,
and the Network Information. This document was used to assess whether user data is kept stored on the
equipment, but after conducting an interview, it is concluded that all data is removed after users log out.

Clear Desk Standards: Provides details on the purpose and standards of maintaining a desk clear of items (e.g.
food, drinks, etc.). Includes the standards, procedures, and information in detailed description. This document
helps assess the risk of possible damage to the equipment. It assures that students will not have food or
drinks in the lab that would cause damage to equipment.

3.2. Risk Assessment Execution


While searching for security risks, previously learned and basic security principles were used to pinpoint
threats such as loss of keys, hardware failure, and natural disasters. The Cyber Security Clear Desk
standard document was used to identify other threats. In order to gain a better understanding of the lab and
of the controls in place, an interview was conducted with Ryan Burcel, the lab coordinator.

3.3. Assumptions and Constraints


Assumptions

Assumed all possible threats in table 5.1 are credible, realistic threats.
In the absence of concrete evidence, the building was assumed not to be hurricane proof (i.e. specifics on window strength are not public knowledge).

Constraints

I do not have prior building expertise or knowledge.
I did not oversee the contractors building the ICB building, specifically in this case the labs.
I did not have unlimited resources (i.e. time and people) to work on the assessment.

4. Asset Summary

An asset can be defined as an item or a collection of items that has quantitative and/or qualitative value to
the university. Tables 4.1 through 4.4 show the physical assets of the cybersecurity program. Identifying the
assets of the university plays an important role in the risk assessment. By identifying the assets of the lab,
the university is made aware of what to protect. Identifying assets can also be helpful in identifying
equipment that may be unbeknownst to the administration. For example, there may be a ghost server on
the network that hasn't been updated or patched, making it the Achilles' heel in the network. Additionally, for
the purpose of the assessment, identifying the assets also allows us to recognize what assets will be
included in the assessment. All numbers are accurate to the best of our knowledge as of Fall 2017.

4.1. Personnel

Table 4.1: Cybersecurity Lab Key Personnel

| Area | Name | Title | Duties |
| --- | --- | --- | --- |
| Cybersecurity Program | Dr. Farouq Alhourani | Professor & Chair, Information and Technology Management Department | Responsible for guiding the ITM department's strategic planning process and articulating the goals of the department |
| Cybersecurity Program | Dr. Kenneth Knapp | Director, Cyber Security Programs | Responsible for aiding in curriculum development and ensuring that all levels of curriculum meet the department and program learning goals |
| Physical Equipment | Ryan Burcel | Lab Coordinator | Enforces procedures for the use of the laboratory area and the use of equipment, supplies, materials, software, and hardware; responsible for troubleshooting and diagnosing basic problems with computer equipment; performs maintenance and repair on equipment |

Table 4.2: Cybersecurity Faculty

| Name | Title |
| --- | --- |
| Kenneth Knapp, Ph.D., CISSP, CEH | Director, Cyber Security Programs |
| Miloslava Plachkinova, Ph.D., CISSP, CISM, PMP | Assistant Professor of Cybersecurity |
| Hwee-Joo Kam, Ph.D., CISSP, GIAC | Assistant Professor of Cybersecurity |
| Deanna House, Ph.D. | Assistant Professor of Cybersecurity |

4.2. Physical Assets

Table 4.3 summarizes the physical assets used to run the cybersecurity lab network with the asset valuation.
All assets are maintained by the lab coordinator, Ryan Burcel. It should be noted that I do not have access to
the exact price the university paid for the equipment, therefore, all prices are approximations.

Table 4.3: Lab Physical Asset Summary

| Lab Physical Equipment | Qty | Hardware | Networking |
| --- | --- | --- | --- |
| Dell Optiplex 7020 | 33 | $24,717.00 | |
| Viewsonic VA 1917 | 33 | $2,969.67 | |
| Extron | 1 | $1,930.00 | |
| Samsung Blu-Ray player | 1 | $199.99 | |
| Sharp TV | 2 | $2,498.00 | |
| Dell Optiplex 9030 | 24 | $34,183.20 | |
| CyberPower BP48V75ART2U | 4 | $1,756.00 | |
| CyberPower PR1500LCDRTXL2U | 4 | $2,063.80 | |
| Tripp-lite B020-V08-19KTAA | 1 | $1,319.99 | |
| Dell PowerEdge R820 | 2 | $3,144.64 | |
| EMC2 DD200 | 1 | $10,124.00 | |
| Dell EqualLogic PS6100E | 1 | $22,699.00 | |
| Palo Alto PA-500 | 2 | | $10,037.98 |
| Cisco Catalyst 3560 | 1 | | $58.95 |
| Systimax | 3 | | $266.52 |
| Cisco Catalyst 3850 | 3 | | $24,587.97 |
| Percentage of Total | | 75.5% | 24.5% |
| Sub Total | | $107,605.29 | $34,951.42 |
| Grand Total | | $142,556.71 | |

Table 4.4: Cybersecurity Students

| Undergraduate Minors | Undergraduate Majors | Graduate | Total |
| --- | --- | --- | --- |
| 29 | 202 | 11 | 242 |

* All numbers are current as of Fall 2017 from the Registrar's office

5. Threat Summary
The purpose of the threat summary component of the risk assessment is to establish threats to UT's
cybersecurity lab. Table 5.2 contains possible, credible threats. A threat can be deemed credible if it has the
potential to exploit a vulnerability within the lab. The threats identified pose a risk to the school, the lab
network, and the data within the lab.

Table 5.1: Threat Summary

| Threat | Description |
| --- | --- |
| Hurricanes | Hurricanes are a common occurrence in Florida. The lab, being built on the first floor, is vulnerable to flooding and wind damage. |
| Technical error | Hardware and/or software could fail on equipment in the lab, leaving the workstations useless. |
| New administration | A new administration could come into office and lower the budget for the NSF, a federal agency that funds research and education in non-medical fields such as computer science. |
| Fire | Due to the doors in the lab not being fireproof, fire could spread into the lab. The fire itself or extinguishing the fire could damage equipment in the lab. |
| Student Attendance | With the prevalence of other cybersecurity programs and UT's high price tag, students could leave UT and study cybersecurity at another school. |
| Unauthorized use of computers or equipment | Students can, either intentionally or unintentionally, execute malicious software that could damage the computers and/or the network by violating the school's policies. Additionally, students could steal equipment from the lab. Malicious hackers in the external environment could execute malicious software that could damage the computers and/or the network. |
| Staff could leave | Key staff members could leave the university, impacting the operation of the cybersecurity program. |

Table 5.2: Potential Threats to the Lab

| Threat Source | Classification | Category | Threat Agents |
| --- | --- | --- | --- |
| Natural Threat Source | External | Natural | Hurricane, tornado, flood, electrical storm/thunderstorm |
| Technological Threat | Internal | Environmental | Technical error, hardware/software failure |
| Political | External | Environmental | New administration makes changes to policies (NSF) |
| Fire | Internal | Environmental | Damage done to the lab from a fire or from extinguishing the fire |
| Student Attendance | Internal | Environmental | Students abandon cybersecurity program, students attend cybersecurity program at another university |
| Human-Caused Threat Source | External | Human | Hackers, malware, viruses, unauthorized use |
| Staff | Internal | Human | Loss of key staff members |
| Human-Caused Threat Source | Internal | Human | Violation of school policy, deliberate acts, human error, physical damage to lab or theft |

6. Vulnerability Summary

A vulnerability can be defined as a weakness that could be exploited by a threat or group of threats. In order
to identify a list of vulnerabilities for the UT Cybersecurity lab, many characteristics had to be evaluated.
Some of the characteristics included possible weather in the area, types of possible natural occurrences, and
also the possibility of a problem occurring.

Turnover of staff - Staff has the ability to leave the school
Proximity to water - The school is very close to water in the event of a storm in the area
Physical Location - The school is located in Florida, which is known for hurricanes
Location of lab - The lab is located on the first floor, enclosed by full glass walls on the exterior
Fire - Fire is a possibility due to the parking garage above and also the restaurant inside the building
Theft - Workstations are unlocked, leaving them open to theft
USB Ports - USB ports are open

7. Risk Assessment Results


7.1. Risk Analysis Methodology

The purpose of this section is to classify risks into the categories high, moderate, or low based on the probability
of an attack occurring and the impact the attack would have on the cybersecurity lab at UT. Risk can be
defined as the possibility of an adverse event affecting an organization's assets. Each occurrence of risk is
expressed as a combination of its likelihood of occurring and its impact rating. The risk is then assigned a rating
from 1 to 25. The rating allows UT's administration to rank the risks in order of severity and prioritize them
accordingly.

The likelihood of a risk occurring is given a numerical value to represent the probability that a given threat is
capable of exploiting a given vulnerability. Initially, the likelihood is calculated as a percentage ranging
from .01 to 1.0. Once the percentage is assigned to the threat, it is classified into a likelihood score: .01-.20
(Very Unlikely), .21-.40 (Unlikely), .41-.60 (Possible), .61-.80 (Likely), and .81-1.0 (Very Likely). The
likelihood score ranges from 1 to 5: 1 (very unlikely), 2 (unlikely), 3 (possible), 4 (likely), and 5 (very likely).
This is summarized in Table 7.1.

The risk impact represents the severity of impact to the organization and its stakeholders if the risk is
exploited. The impact score ranges from 1 to 5: 1 (Negligible), 2 (Low), 3 (Moderate), 4 (Significant), and 5
(Severe). The overall risk rating is calculated by multiplying the risk impact by the risk likelihood, giving a
score from 1 to 25: 1-5 (Low), 6-15 (Moderate), and 16-25 (High). Table 7.3 gives a description of each of the
risk ratings. It should be noted that determination of the probability and impact are subjective and were
estimated to the best of our knowledge. Table 7.2 summarizes the risk matrix.

Table 7.1: Probability Percentage to Probability Score

| Probability | Probability Score |
| --- | --- |
| 0.01-0.20 | Very Unlikely (1) |
| 0.21-0.40 | Unlikely (2) |
| 0.41-0.60 | Possible (3) |
| 0.61-0.80 | Likely (4) |
| 0.81-1.00 | Very Likely (5) |

Table 7.2: Risk Rating Matrix

| Risk Likelihood | Negligible | Low | Moderate | Significant | Severe |
| --- | --- | --- | --- | --- | --- |
| Very Likely | Low | Moderate | Moderate | High | High |
| Likely | Low | Moderate | Moderate | High | High |
| Possible | Low | Moderate | Moderate | Moderate | Moderate |
| Unlikely | Low | Low | Moderate | Moderate | Moderate |
| Very Unlikely | Low | Low | Low | Low | Low |

* Risk Scale: Low (1-5), Moderate (6-15), High (16-25)

Table 7.3: Risk Classifications

| Risk Level | Description |
| --- | --- |
| High | The loss of confidentiality, integrity, or availability could have a catastrophic, adverse effect on lab operations, lab assets, or individuals. |
| Moderate | The loss of confidentiality, integrity, or availability could have a severe, adverse effect on lab operations, lab assets, or individuals. |
| Low | The loss of confidentiality, integrity, or availability could have limited, adverse effect on lab operations, lab assets, or individuals. |

7.2. Risks Identified

The following tables present the identified risks paired with the identified vulnerability. The tables also
show what assets are affected by the risks, the source of the threat, what controls are in place, the impact to
the organization, the likelihood of occurrence, and the calculated risk rating.

| Risk IT-1 | Open USB ports can be exploited on Dell workstations |
| --- | --- |
| Vulnerability | Desktop workstation USB ports are open |
| Reference | N/A |
| Affected Assets | All Dell workstations in the labs |
| Threat Source(s) | Internal human users |
| Existing Controls | Network is segmented, Deep Freeze installed on all machines |
| Impact | 5 - A USB can be plugged into a machine to run exploits such as USB Kill overheating the motherboard of the workstation. This can have catastrophic effect on a single machine but a relatively low impact on the lab being that the network is segmented. |
| Likelihood | 2 - It is fairly likely that the open USB ports can be exploited but the controls in place provide adequate mitigation. |
| Composite Score | 10 (Moderate) |

| Risk PS-1 | Hurricane causing damage to lab |
| --- | --- |
| Vulnerability | The classroom and lab are built on the first floor with many windows where it can be damaged from a flying object or flood |
| Reference | ASCE 7-98 |
| Affected Assets | All assets in labs |
| Threat Source(s) | External environmental |
| Existing Controls | Building is built to code with a raised floor |
| Impact | 3 - Damage by a hurricane can have a moderate impact on the ability to use the classroom. |
| Likelihood | 3 - Existing controls provide a reasonable level of protection and it is not likely that a major hurricane will hit the area that will cause damage beyond the controls in place. |
| Composite Score | 9 (Moderate) |

| Risk IT-2 | Theft of Equipment in Lab |
| --- | --- |
| Vulnerability | Workstations are susceptible to theft |
| Reference | N/A |
| Affected Assets | All Dell workstations in the labs |
| Threat Source(s) | Internal human users |
| Existing Controls | Students sign an agreement for terms of use of lab equipment, networking equipment and server are locked in a closet. |
| Impact | 3 - With workstations stolen, students will be unable to utilize the lab. |
| Likelihood | 2 - It is fairly unlikely that equipment will be stolen. Controls are in place such as the lab being locked and an employee is to be present when students are in the lab. |
| Composite Score | 6 (Moderate) |

| Risk PS-2 | Fire or extinguishing fire causing damage to the lab and equipment |
| --- | --- |
| Vulnerability | Computer equipment is susceptible to damage caused by fire and/or water |
| Reference | NFPA-75 |
| Affected Assets | All assets in labs |
| Threat Source(s) | Internal environmental |
| Existing Controls | Fire suppression and extinguishers are in place |
| Impact | 5 - A fire and/or suppression system could destroy electrical equipment in the lab. This can have a reasonable impact on the ability to use the lab for classroom instruction. |
| Likelihood | 1 - It is possible, but not highly likely that a fire will occur in the lab. |
| Composite Score | 5 (Low) |
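
The scoring rules of Section 7.1 applied to the four risks of Section 7.2, as an added example that is not part of the original report. The function names are hypothetical, and placing a probability that falls between two printed bands (e.g. 0.205) into the higher band is an assumption.

```python
from bisect import bisect_left

# Table 7.1: upper bound of each probability band, in score order 1..5.
BAND_UPPER = (0.20, 0.40, 0.60, 0.80, 1.00)
LIKELIHOOD = {1: "Very Unlikely", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Very Likely"}
IMPACT = {1: "Negligible", 2: "Low", 3: "Moderate", 4: "Significant", 5: "Severe"}


def likelihood_score(probability):
    """Map a probability (0.01-1.0) to the 1-5 likelihood score of Table 7.1.

    Assumption: a value between two printed bands (e.g. 0.205) goes to the
    higher band, so a borderline estimate never lowers the score.
    """
    if not 0.01 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    return bisect_left(BAND_UPPER, probability) + 1


def composite(likelihood, impact):
    """Composite score = likelihood x impact, each an integer from 1 to 5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be 1-5, got {value!r}")
    return likelihood * impact


def rating(score):
    """Risk scale of Section 7.1: 1-5 Low, 6-15 Moderate, 16-25 High."""
    if not 1 <= score <= 25:
        raise ValueError(f"composite score out of range: {score}")
    if score <= 5:
        return "Low"
    return "Moderate" if score <= 15 else "High"


def risk_matrix():
    """Rebuild Table 7.2 from the multiplication rule.

    Rows run from Very Likely down to Very Unlikely; each row lists the
    rating for impact 1 (Negligible) through 5 (Severe).
    """
    return {LIKELIHOOD[l]: [rating(composite(l, i)) for i in sorted(IMPACT)]
            for l in sorted(LIKELIHOOD, reverse=True)}


# Values copied from the risk tables in Section 7.2 of this report:
# (risk id, likelihood score, impact score, composite score as printed).
REGISTER = [
    ("IT-1", 2, 5, 10),
    ("PS-1", 3, 3, 9),
    ("IT-2", 2, 3, 6),
    ("PS-2", 1, 5, 5),
]


def prioritize(register):
    """Recompute each composite, compare it with the printed value, and
    return the risks in descending order of score (ties keep input order)."""
    rows = []
    for risk_id, likelihood, impact, printed in register:
        score = composite(likelihood, impact)
        rows.append({"id": risk_id, "score": score, "rating": rating(score),
                     "matches_report": score == printed})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```

Ordered by composite score, PS-1 (9) ranks above IT-2 (6), whereas Table 8.1 lists the theft risk second.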

8. Risk Management Plan

Risks are prioritized by the appropriate risk rating determined by the risk's composite score. Risks are then
prioritized by their respective composite score and arranged in descending order. Recommendations are
based on the interview we had with the lab coordinator, Ryan, and financial feasibility.

8.1. Risk Response Strategies

Table 8.1: Recommendations

| Risk No | Risk Summary | Risk Rating | Recommendations |
| --- | --- | --- | --- |
| 1 | Open USB ports can be exploited on Dell workstations | Moderate | It is recommended that UT avoid this risk by creating a group policy setting that prevents users from installing the device drivers. Additionally, the setting that allows the administrator to override the various settings that prohibit device driver installation should be employed. This will allow the administrator to use a USB storage device on a workstation for maintenance purposes. |
| 2 | Theft of Equipment in Lab | Moderate | It is recommended that cameras be installed in both labs to mitigate this risk. Cameras can act as both a deterrent and as a detective device that will aid in the identification of individuals' unauthorized use of the lab. |
| 3 | Hurricane causing damage to lab | Moderate | None. Moving the cybersecurity lab to another location or to another floor of ICB would be cost prohibitive. Therefore, it is recommended that UT accept this risk. |
| 4 | Fire or extinguishing fire causing damage to the lab and equipment | Low | None. Replacing the wet pipe extinguishing system has been determined cost prohibitive. Therefore, it is recommended that UT accept this risk. |

9. Risk Assessment Matrix

The Risk Assessment Matrix shown in Table 9.1 serves as the basis for the official report in documenting the
risk assessment results. The risk assessment matrix helps key faculty members make informed decisions on
policy, procedural, budget, and system operational changes.

Table 9.1: Risk Matrix

| Risk No. | Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Recommendations |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Desktop workstation USB ports are open | Unauthorized use of computers or equipment | Compromise confidentiality, integrity, and availability of machine | A USB can be plugged into a machine to run exploits such as USB Kill overheating the motherboard of the workstation. | Unlikely | Severe | Moderate | It is recommended that UT avoid this risk by creating a group policy setting that prevents users from installing the device drivers. Additionally, the setting that allows the administrator to override the various settings that prohibit device driver installation should be employed. This will allow the administrator to use a USB storage device on a workstation for maintenance purposes. |
| 2 | Workstations are susceptible to theft | Unauthorized use of computers or equipment | Compromise availability of machine | With workstations stolen, students will be unable to utilize the lab | Unlikely | Moderate | Moderate | It is recommended that cameras be installed in both labs. Cameras can act as both a deterrent and as a detective device that will aid in the identification of individuals' unauthorized use of the lab. |
| 3 | The classroom and lab are built on the first floor with many windows where it can be damaged from a flying object or flood | Hurricane | Compromise availability of lab | Damage to the lab from a hurricane will prevent normal operation of lab and/or damage lab equipment | Possible | Moderate | Moderate | None. Moving the cybersecurity lab to another location or to another floor of ICB would be cost prohibitive. Therefore, it is recommended that UT accept this risk. |
| 4 | Computer equipment is susceptible to damage caused by fire and/or water | Fire | Compromise availability of lab | Fire would activate sprinkler system causing water damage & compromising the availability of the lab. | Very Unlikely | Severe | Low | None. Replacing the wet pipe extinguishing system has been determined cost prohibitive. Therefore, it is recommended that UT accept this risk. |
