PURPOSE
The purpose of this risk assessment is to evaluate the adequacy of the NETWORK INFRASTRUCTURE and its SECURITY. This risk assessment provides a structured qualitative assessment of the operational environment. It addresses sensitivity, threats, vulnerabilities, risks and safeguards. The assessment recommends cost-effective safeguards to mitigate threats and the associated exploitable vulnerabilities.

SCOPE
The scope of this risk assessment covers the system's use of resources and the controls (implemented or planned) that eliminate and/or manage vulnerabilities exploitable by threats internal and external to the NETWORK INFRASTRUCTURE OF SCIT.

OBJECTIVE
The objective of this risk assessment is to analyse the risks associated with the security controls that are in place, to identify additional threats and vulnerabilities, and to provide efficient and effective security measures.

RISK ASSESSMENT APPROACH
This risk assessment was conducted using the methodology and guidelines in NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability.

RISK ASSESSMENT PROCESS
This section details the risk assessment process performed during this effort. The process is divided into pre-assessment, assessment, and post-assessment phases.
1. PRE-ASSESSMENT PHASE
2. ASSESSMENT PHASE
3. POST-ASSESSMENT PHASE
SENSITIVITY OF DATA
The information categories rated for sensitivity (scale: HIGH, MEDIUM, LOW) are: PASSWORD POLICIES, DATA SHARING, INFORMATION TRANSFER, DOWNLOAD/UPLOAD, OTHER.
THREAT | ACTION
HACKING | SOCIAL ENGINEERING, SYSTEM INTRUSION, UNAUTHORIZED SYSTEM ACCESS
SOCIAL ENGINEERING | PHISHING, PIGGYBACKING
MALICIOUS CODE | TROJAN HORSES, TRAPDOORS, VIRUSES
PROXY SERVER | HIJACKING SERVER, DENIAL OF SERVICE TO AUTHORIZED USERS, MODIFICATION OF DATA
UNAUTHORIZED ACCESS | HACKING INTO SYSTEMS
COMPUTER CRIME | FRAUDULENT ACT, INFORMATION BRIBERY, SPOOFING, SYSTEM INTRUSION
INDUSTRIAL ESPIONAGE | ECONOMIC EXPLOITATION, INFORMATION THEFT, SYSTEM PENETRATION, UNAUTHORIZED SYSTEM ACCESS
INSIDE ATTACK | ASSAULT ON EMPLOYEE, BLACKMAIL, FRAUD AND THEFT, INFORMATION BRIBERY, SYSTEM BUGS
CYBER TERRORISM | MALICIOUS CODES, MAN IN THE MIDDLE, PHISHING, HACKING, DESTRUCTION OF MACHINES, DATA LOSS, INFORMATION LOSS, PHYSICAL DESTRUCTION
Further threats identified (no action listed): ACCIDENTAL DISCLOSURE, ALTERATION OF SOFTWARE, BANDWIDTH USAGE, STUDENTS, ELECTRICAL INTERFERENCE/DISRUPTION, NATURAL, ALTERATION OF DATA, DESTRUCTION OF INFORMATION, OUTSIDE PERSONNEL, HARDWARE FAILURE, WORKPLACE VIOLENCE
VULNERABILITY IDENTIFICATION
VULNERABILITY | THREAT | DESCRIPTION
No Policies | Accidental Disclosure | Lack of proper policies can lead to a number of malpractices in the labs.
Bugs in Software Programs | - | Because already existing application programs are not upgraded, there may be backdoor bugs which might leak information.
Bandwidth usage | Denial of Service | Unnecessary usage of bandwidth may lead to a number of pending web requests, thus slowing down the network speed.
Unauthorised access | Destruction of information | Unauthorised personnel entering the system can alter sensitive data as well as delete important information stored on the network.
Disgruntled Employee | Inside Attack | A disgruntled employee can tamper with the data, leading to data loss or corruption.
Terminated/Ex-employee | Inside attack | An ex-employee can share information from the student database, as well as disclose the various policies of the college to outside parties.
- | Cyber terrorism | -
IDENTIFYING CONTROLS
CONTROL | DETAIL
Software | Microsoft Products
Hardware | -
People | 6 person team
Firewall | -
Access Points | D-Link 2100
Subnetting | 255.255.0.0 (Class A)
Password Policies | -
ISP | -
Databases used | -
DETERMINING LIKELIHOOD
RATING | DEFINITION
LOW | 0-25% chance of successful exercise of threat during a one-year period
MEDIUM | 26-75% chance of successful exercise of threat during a one-year period
HIGH | 76-100% chance of successful exercise of threat during a one-year period
The following table shows the priority of the RISKS and their LIKELIHOOD.
RISK | LIKELIHOOD
Loss/leakage of data | MEDIUM
Leakage of sensitive information | HIGH
Denial of Service | MEDIUM
Corruption of data | MEDIUM
Alteration of data, leakage of college information to non-trusted sources | MEDIUM
Loss of information, alteration of data | MEDIUM
Unauthorized use of previous employee's ID | LOW
Denial of Service attack | MEDIUM
Exploitation of unpatched application security flaws | MEDIUM
Exploitation of passwords | MEDIUM
Compromise of unchanged/unexpired passwords | LOW
Remote accessibility compromised | HIGH
Unencrypted passwords | MEDIUM
DETERMINING THE IMPACT
IMPACT | CONFIDENTIALITY | INTEGRITY | AVAILABILITY
LOW | Loss of confidentiality leads to a limited effect on the organization. | Loss of integrity leads to a limited effect on the organization. | Loss of availability leads to a limited effect on the organization.
MEDIUM | Loss of confidentiality leads to a serious effect on the organization. | Loss of integrity leads to a serious effect on the organization. | Loss of availability leads to a serious effect on the organization.
HIGH | Loss of confidentiality leads to a severe effect on the organization. | Loss of integrity leads to a severe effect on the organization. | Loss of availability leads to a severe effect on the organization.
RISK LEVEL MATRIX (impact magnitude x likelihood weight), MEDIUM impact row (50): 50 x 1.0 = 50 for HIGH likelihood, 50 x 0.5 = 25 for MEDIUM likelihood, 50 x 0.1 = 5 for LOW likelihood.

RISK | IMPACT AREA | LIKELIHOOD | IMPACT | RISK LEVEL
Loss/leakage of data | Confidentiality breach | MEDIUM | HIGH | MEDIUM
Leakage of sensitive information | Confidentiality breach | HIGH | HIGH | HIGH
Denial of Service | Unavailability | MEDIUM | MEDIUM | MEDIUM
Corruption of data | - | MEDIUM | MEDIUM | MEDIUM
Leakage of college information to non-trusted sources | Confidentiality compromised | MEDIUM | LOW | LOW
Loss of information, alteration of data | Integrity issues | MEDIUM | HIGH | HIGH
Unauthorised use of previous employee id | Authentication breach | LOW | MEDIUM | MEDIUM
Exploitation of unpatched application security flaws | - | MEDIUM | MEDIUM | MEDIUM
Exploitation of unauthorised employee passwords | - | MEDIUM | HIGH | HIGH
Compromise of unchanged/unexpired passwords | - | LOW | MEDIUM | MEDIUM
Remote accessibility: compromised passwords | - | HIGH | HIGH | HIGH
Unencrypted passwords | - | MEDIUM | HIGH | HIGH
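As an added example (not part of the original assessment), the following Python implements the NIST SP 800-30 likelihood-times-impact matrix whose MEDIUM (50) row is shown above, extends it to the guide's HIGH (100) and LOW (10) impact rows, and runs it over a constructed register built from the first rows of the risk table, listing the rows whose recorded level differs from what the matrix gives.

```python
from dataclasses import dataclass

# NIST SP 800-30 weights: the MEDIUM (50) impact row appears in the table above;
# the HIGH (100) and LOW (10) rows are the other two rows of that guide's matrix.
LIKELIHOOD_WEIGHT = {"HIGH": 1.0, "MEDIUM": 0.5, "LOW": 0.1}
IMPACT_MAGNITUDE = {"HIGH": 100, "MEDIUM": 50, "LOW": 10}

def risk_score(likelihood: str, impact: str) -> float:
    """Impact magnitude times likelihood weight, e.g. MEDIUM x MEDIUM = 50 x 0.5 = 25."""
    return IMPACT_MAGNITUDE[impact.upper()] * LIKELIHOOD_WEIGHT[likelihood.upper()]

def risk_level(score: float) -> str:
    """NIST SP 800-30 risk scale: LOW 1-10, MEDIUM >10-50, HIGH >50-100."""
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MEDIUM"
    return "LOW"

@dataclass
class RiskEntry:
    name: str
    likelihood: str
    impact: str
    recorded_level: str  # level written in the register, to be checked

def review_register(entries):
    """Recompute every level from the matrix; return rows whose recorded level differs."""
    mismatches = []
    for e in entries:
        computed = risk_level(risk_score(e.likelihood, e.impact))
        if computed != e.recorded_level.upper():
            mismatches.append((e.name, e.recorded_level.upper(), computed))
    return mismatches

# Constructed sample register: the first rows of the risk table above.
REGISTER = [
    RiskEntry("Loss/leakage of data", "MEDIUM", "HIGH", "MEDIUM"),
    RiskEntry("Leakage of sensitive information", "HIGH", "HIGH", "HIGH"),
    RiskEntry("Denial of Service", "MEDIUM", "MEDIUM", "MEDIUM"),
    RiskEntry("Leakage of college information to non-trusted sources", "MEDIUM", "LOW", "LOW"),
    RiskEntry("Loss of information, alteration of data", "MEDIUM", "HIGH", "HIGH"),
    RiskEntry("Unauthorised use of previous employee id", "LOW", "MEDIUM", "MEDIUM"),
]

if __name__ == "__main__":
    for name, recorded, computed in review_register(REGISTER):
        print(f"{name}: register says {recorded}, matrix gives {computed}")
```

A register row that the matrix scores differently is not necessarily wrong, but each such row should carry a written justification for the override.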
RISK RECOMMENDATION
RISK | RISK RATING | RECOMMENDATION
Loss/leakage of data | MEDIUM | Data should be kept in secure conditions under proper monitoring.
Leakage of sensitive information | HIGH | Data should be properly encrypted and password-protected.
Denial of Service | MEDIUM | Limit the number of requests per user / per system.
Corruption of data | MEDIUM | Proper backup of data should be done.
Leakage of college information to non-trusted sources | LOW | Physical security measures should be in place to prevent unauthorised access to data.
Loss of information, alteration of data | HIGH | Data should be backed up at regular intervals.
Unauthorised use of previous employee id | MEDIUM | Immediate removal of old ids from the database.
Exploitation of unpatched application security flaws | MEDIUM | Application software should be updated from time to time.
Exploitation of unauthorised employee passwords | HIGH | Anti-piggybacking (tailgating) policies should be in place. Password policies must be in place.
Compromise of unchanged/unexpired passwords | MEDIUM | Automated messages should prompt the change of passwords at regular periods.
Remote accessibility: compromised passwords | HIGH | Security firewalls should be functional even during remote connections.
Unencrypted passwords | HIGH | Strict encryption policies must be implemented for security of passwords and other sensitive data.
VULNERABILITY / RISK | LIKELIHOOD | IMPACT | RISK LEVEL | RECOMMENDATION
No Policies | MEDIUM | - | - | -
Bugs in Software Programs | - | - | - | -
Network Clogging/Slow Net Speed | - | - | - | -
Unauthorised access | - | - | - | -
Disgruntled Employee | - | - | - | -
Accidental Disclosure | HIGH | HIGH | - | -
Bandwidth usage | MEDIUM | MEDIUM | MEDIUM | -
Corruption of data | MEDIUM | MEDIUM | MEDIUM | -
- | - | LOW | LOW | -
Loss of information, alteration of data; Unauthorised use of previous employee id; Exploitation of unpatched application | MEDIUM | HIGH | HIGH | -
Cyber terrorism | LOW | MEDIUM | MEDIUM | -
- | MEDIUM | MEDIUM | MEDIUM | -
- | MEDIUM | MEDIUM | MEDIUM | Password policies must be in place. Automated messages should prompt the change of passwords at regular periods.
10. No proper tools maintained for managing remote access policies; no proper encryption techniques used; illegal access to information | LOW | HIGH | HIGH | -
11. Unencrypted passwords | HIGH | HIGH | HIGH | Strict encryption policies must be implemented for security of passwords and other sensitive data.
THANK YOU..!!!