
RISK ASSESSMENT REPORT

PURPOSE

The purpose of this risk assessment is to evaluate the adequacy of the NETWORK INFRASTRUCTURE and its SECURITY. This risk assessment provides a structured qualitative assessment of the operational environment. It addresses sensitivity, threats, vulnerabilities, risks and safeguards. The assessment recommends cost-effective safeguards to mitigate threats and the associated exploitable vulnerabilities.

SCOPE

The scope of this risk assessment covers the system's use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to the NETWORK INFRASTRUCTURE OF SCIT.

OBJECTIVE

The objective of this risk assessment is to analyse the risks associated with the security controls that are in place, to identify additional threats and vulnerabilities, and to propose efficient and effective security measures.

RISK ASSESSMENT APPROACH

This risk assessment was conducted using the methodology and guidelines of NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability.

RISK ASSESSMENT PROCESS

This section details the risk assessment process performed during this effort. The process is divided into three phases:

1. PRE-ASSESSMENT PHASE
2. ASSESSMENT PHASE
3. POST-ASSESSMENT PHASE

1. PRE-ASSESSMENT PHASE

SYSTEM CHARACTERIZATION

ASSETS

| Asset | Quantity |
|---|---|
| Main Lab 1 | 24 |
| Main Lab 2 | 27 |
| SAP Lab | 24 |
| POC Lab | 34 |
| Servers | 7 |
| Laptops | 3 |
| Staff/classroom PCs | 44 |
| TOTAL | 163 |

SENSITIVITY OF DATA

Information categories rated for sensitivity (HIGH / MEDIUM / LOW): password policies, data sharing, information transfer, download/upload, other.

2. ASSESSMENT PHASE

THREAT IDENTIFICATION

| THREAT | THREAT SOURCE | THREAT ACTION |
|---|---|---|
| Unauthorized access | Hacker, cracker | |
| Accidental disclosure | Students, faculty, lab assistants | |
| Alteration of software | Students, disgruntled employee | |
| Bandwidth usage | Students | |
| Electrical interference/disruption | Natural | |
| Alteration of data | Student, faculty | |
| Destruction of information | Students | |
| Industrial espionage | Outside personnel | |
| Inside attack | Disgruntled employees, terminated employees, past students, dishonest students or employees | System intrusion, system sabotage, unauthorized system access |
| Cyber terrorism | Ex-students, untrusted employees | Malicious code, man in the middle, phishing, hacking, destruction of machines, data loss, information loss, physical destruction |
| Hardware failure | Students, lab team | |
| Unintentional natural calamity | Natural | Earthquake, fire, flooding/water damage: loss of assets, loss of physical infrastructure |
| Workplace violence | | |

Threat actions enumerated in the threat table:

- Hacking; social engineering; system intrusion; unauthorized system access
- Social engineering; phishing; piggybacking
- Malicious code: Trojan horses, trapdoors, viruses
- Proxy server hijacking; server denial of service to authorized users
- Modification of data; unauthorized access; hacking into systems
- Computer crime; fraudulent act; information bribery; spoofing; system intrusion
- Economic exploitation; information theft; system penetration; unauthorized system access
- Assault on employee; blackmail; fraud and theft; information bribery; system bugs

VULNERABILITY IDENTIFICATION

| VULNERABILITY | THREAT | RISK | DESCRIPTION |
|---|---|---|---|
| No policies | Unauthorized access | Loss/leakage of data | Lack of proper policies can lead to a number of malpractices in the labs. |
| Bugs in software programs | Accidental disclosure | Leakage of sensitive information | Because existing application programs are not upgraded, there may be backdoor bugs that leak information. |
| Network clogging/slow net speed | Bandwidth usage | Denial of service | Unnecessary bandwidth usage may lead to a number of pending web requests, slowing down the network. |
| Unauthorised access | Destruction of information | Loss of data, corruption of data | Unauthorised personnel entering the system can alter sensitive data as well as delete important information stored on the network. |
| Disgruntled employee | Inside attack | Loss of information, alteration of data | A disgruntled employee can tamper with the data, leading to data loss or corruption. |
| Terminated/ex-employee | Inside attack | Loss of information, alteration of data | An ex-employee can share information from the student database, as well as disclose the various policies of the college to outside parties. |
| Improper security protocol on SCIT website | Cyber terrorism | Alteration of data, leakage of college information to non-trusted sources | |

IDENTIFYING CONTROLS

| CONTROL | DETAIL |
|---|---|
| Software | Microsoft products |
| Hardware | 163 workstations (including 10 servers) |
| People | 6-person team |
| Firewall | Fortigate 200A |
| Access points | D-Link 2100 |
| Access control lists | MAC address binding |
| Subnetting | 255.255.0.0 (Class A) |
| Password policies | Passwords changed every 3 months |
| ISP | VSNL (8 Mbps leased line) |
| Databases used | CMIE, EBSCO, SQL 2005 |

DETERMINING LIKELIHOOD

| LIKELIHOOD RATING | DEFINITION |
|---|---|
| LOW | 0-25% chance of successful exercise of the threat during a one-year period |
| MEDIUM | 26-75% chance of successful exercise of the threat during a one-year period |
| HIGH | 76-100% chance of successful exercise of the threat during a one-year period |

The following table shows the priority of the risks and their likelihood.

| RISK | LIKELIHOOD |
|---|---|
| Loss/leakage of data | MEDIUM |
| Leakage of sensitive information | HIGH |
| Denial of service | MEDIUM |
| Corruption of data | MEDIUM |
| Alteration of data, leakage of college information to non-trusted sources | MEDIUM |
| Loss of information, alteration of data | MEDIUM |
| Unauthorized use of previous employee's ID | LOW |
| Denial of service attack | MEDIUM |
| Exploitation of unpatched application security flaws | MEDIUM |
| Exploitation of passwords | MEDIUM |
| Compromise of unchanged/unexpired passwords | LOW |
| Remote accessibility compromised | HIGH |
| Unencrypted passwords | MEDIUM |

DETERMINING THE IMPACT

| IMPACT RATING | CONFIDENTIALITY | INTEGRITY | AVAILABILITY |
|---|---|---|---|
| LOW | Loss of confidentiality leads to a limited effect on the organization. | Loss of integrity leads to a limited effect on the organization. | Loss of availability leads to a limited effect on the organization. |
| MEDIUM | Loss of confidentiality leads to a serious effect on the organization. | Loss of integrity leads to a serious effect on the organization. | Loss of availability leads to a serious effect on the organization. |
| HIGH | Loss of confidentiality leads to a severe effect on the organization. | Loss of integrity leads to a severe effect on the organization. | Loss of availability leads to a severe effect on the organization. |

RISK IMPACT ANALYSIS

| RISK | IMPACT | IMPACT RATING |
|---|---|---|
| Loss/leakage of data | Server/people confidentiality compromise | Medium |
| Leakage of sensitive information | Confidentiality breach | High |
| Denial of service | Unavailability | Medium |
| Corruption of data | Data integrity breach | Medium |
| Leakage of college information to non-trusted sources | Confidentiality compromised | Low |
| Loss of information, alteration of data | Integrity issues | High |
| Unauthorised use of previous employee ID | Authentication breach | Medium |
| Exploitation of unpatched application security flaws | Bugs in software application execution | Medium |
| Exploitation of unauthorised employee passwords | Information leakage of sensitive data | High |
| Compromise of unchanged/unexpired password | Data integrity error | Medium |
| Remote accessibility compromised passwords | Unauthorised usage of data | High |
| Unencrypted passwords | Vulnerable to user account theft | High |

PHASE 3: POST-ASSESSMENT

RISK DETERMINATION

| IMPACT \ LIKELIHOOD | HIGH (1.0) | MEDIUM (0.5) | LOW (0.1) |
|---|---|---|---|
| LOW (10) | 10 x 1.0 = 10 | 10 x 0.5 = 5 | 10 x 0.1 = 1 |
| MEDIUM (50) | 50 x 1.0 = 50 | 50 x 0.5 = 25 | 50 x 0.1 = 5 |
| HIGH (100) | 100 x 1.0 = 100 | 100 x 0.5 = 50 | 100 x 0.1 = 10 |
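The risk determination matrix is a multiplication of the likelihood weight (1.0 / 0.5 / 0.1) and the impact weight (100 / 50 / 10). As an added example, not part of the report, the Python below applies that matrix to the report's own likelihood/impact pairs and also maps the report's percentage definition of likelihood (0-25%, 26-75%, 76-100% chance of successful exercise in one year) to a band. The score bands used to turn a product back into a level (LOW 1 to 10, MEDIUM above 10 to 50, HIGH above 50 to 100) are the ones given in NIST SP 800-30 (2002), which the report cites but does not restate; treating them as the intended reading of the matrix is an assumption of this example. The rows in `REPORT_ROWS` are copied from the report's overall risk rating table.

```python
"""Worked example of the report's risk determination matrix (added example, not the report's own).

Weights come from the report: likelihood HIGH 1.0 / MEDIUM 0.5 / LOW 0.1,
impact HIGH 100 / MEDIUM 50 / LOW 10. The score-to-level bands are assumed
from NIST SP 800-30 (2002): LOW 1-10, MEDIUM >10-50, HIGH >50-100.
"""

LIKELIHOOD_WEIGHT = {"HIGH": 1.0, "MEDIUM": 0.5, "LOW": 0.1}
IMPACT_WEIGHT = {"HIGH": 100, "MEDIUM": 50, "LOW": 10}


def likelihood_from_probability(pct):
    """Map a 'chance of successful exercise in one year' percentage to the report's band."""
    if not 0 <= pct <= 100:
        raise ValueError("percentage must be between 0 and 100")
    if pct <= 25:
        return "LOW"
    if pct <= 75:
        return "MEDIUM"
    return "HIGH"


def risk_score(likelihood, impact):
    """Impact weight times likelihood weight, exactly as in the matrix cells."""
    score = IMPACT_WEIGHT[impact.upper()] * LIKELIHOOD_WEIGHT[likelihood.upper()]
    return round(score, 6)  # avoid float noise such as 10.000000000000002


def risk_level(score):
    """Score bands assumed from NIST SP 800-30: >50 HIGH, >10 MEDIUM, otherwise LOW."""
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MEDIUM"
    return "LOW"


def determine(likelihood, impact):
    """Return (score, level) for one likelihood/impact pair."""
    score = risk_score(likelihood, impact)
    return score, risk_level(score)


# Rows copied from the report's overall risk rating table:
# (risk, likelihood rating, impact rating, overall rating as reported)
REPORT_ROWS = [
    ("Loss/leakage of data", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Leakage of sensitive information", "HIGH", "HIGH", "HIGH"),
    ("Denial of service", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Corruption of data", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Leakage of college information to non-trusted sources", "MEDIUM", "LOW", "LOW"),
    ("Loss of information, alteration of data", "MEDIUM", "HIGH", "HIGH"),
    ("Unauthorised use of previous employee ID", "LOW", "MEDIUM", "MEDIUM"),
    ("Exploitation of unpatched application security flaws", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Exploitation of unauthorised employee passwords", "MEDIUM", "HIGH", "HIGH"),
    ("Compromise of unchanged/unexpired password", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Remote accessibility compromised passwords", "LOW", "HIGH", "HIGH"),
    ("Unencrypted passwords", "HIGH", "HIGH", "HIGH"),
]


def check_report(rows=REPORT_ROWS):
    """Return (risk, score, computed level, reported level, agree?) for every row."""
    result = []
    for name, likelihood, impact, reported in rows:
        score, level = determine(likelihood, impact)
        result.append((name, score, level, reported, level == reported))
    return result


def mismatches(rows=REPORT_ROWS):
    """Names of rows whose reported overall rating differs from the matrix result."""
    return [row[0] for row in check_report(rows) if not row[4]]


def prioritise(rows=REPORT_ROWS):
    """Risks ordered by computed score, highest first, for treatment ordering."""
    scored = [(name, determine(l, i)[0]) for name, l, i, _ in rows]
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, score, level, reported, agree in check_report():
        flag = "" if agree else "  <-- differs from matrix"
        print(f"{name:<55} {score:>6} {level:<7} reported {reported}{flag}")
```

Running the block prints each row with its matrix score; four rows (the ones pairing a LOW or MEDIUM likelihood with a higher impact) come out one level below the report's overall column when the NIST bands are applied, which is the kind of consistency check worth running whenever an overall rating column is filled in by hand.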

OVERALL RISK RATING TABLE

| RISK | RISK LIKELIHOOD RATING | RISK IMPACT RATING | OVERALL RISK RATING |
|---|---|---|---|
| Loss/leakage of data | MEDIUM | Medium | MEDIUM |
| Leakage of sensitive information | HIGH | High | HIGH |
| Denial of service | MEDIUM | Medium | MEDIUM |
| Corruption of data | MEDIUM | Medium | MEDIUM |
| Leakage of college information to non-trusted sources | MEDIUM | Low | LOW |
| Loss of information, alteration of data | MEDIUM | High | HIGH |
| Unauthorised use of previous employee ID | LOW | Medium | MEDIUM |
| Exploitation of unpatched application security flaws | MEDIUM | Medium | MEDIUM |
| Exploitation of unauthorised employee passwords | MEDIUM | High | HIGH |
| Compromise of unchanged/unexpired password | MEDIUM | Medium | MEDIUM |
| Remote accessibility compromised passwords | LOW | High | HIGH |
| Unencrypted passwords | HIGH | High | HIGH |

RISK RECOMMENDATION

| RISK | RISK RATING | RECOMMENDATION |
|---|---|---|
| Loss/leakage of data | MEDIUM | Data should be kept in secure conditions under proper monitoring. |
| Leakage of sensitive information | HIGH | Data should be properly encrypted and password protected. |
| Denial of service | MEDIUM | Limit the number of requests per user/per system. |
| Corruption of data | MEDIUM | Proper backup of data should be done. |
| Leakage of college information to non-trusted sources | LOW | Physical security measures should be in place to prevent unauthorised access to data. |
| Loss of information, alteration of data | HIGH | Data should be backed up at regular intervals. |
| Unauthorised use of previous employee ID | MEDIUM | Immediate removal of old IDs from the database. |
| Exploitation of unpatched application security flaws | MEDIUM | Application software should be updated from time to time. Anti-piggybacking policies should be in place. |
| Exploitation of unauthorised employee passwords | HIGH | Password policies must be in place. |
| Compromise of unchanged/unexpired password | MEDIUM | Automated messages should prompt the change of passwords at regular periods. |
| Remote accessibility compromised passwords | HIGH | Security firewalls should be functional even during remote connections. |
| Unencrypted passwords | HIGH | Strict encryption policies must be implemented for the security of passwords and other sensitive data. |

RISK ASSESSMENT MATRIX

| Risk No | VULNERABILITY | THREAT | RISK | RISK LIKELIHOOD RATING | RISK IMPACT RATING | OVERALL RISK RATING | RECOMMENDATION |
|---|---|---|---|---|---|---|---|
| 1 | No policies | Unauthorized access | Loss/leakage of data | MEDIUM | Medium | MEDIUM | Data should be kept in secure conditions under proper monitoring. |
| 2 | Bugs in software programs | Accidental disclosure | Leakage of sensitive information | HIGH | High | HIGH | Data should be properly encrypted and password protected. |
| 3 | Network clogging/slow net speed | Bandwidth usage | Denial of service | MEDIUM | Medium | MEDIUM | Limit the number of requests per user/per system. |
| 4 | Unauthorised access | Destruction of information | Corruption of data | MEDIUM | Medium | MEDIUM | Proper backup of data should be done. |
| 5 | Disgruntled employee | Inside attack | Leakage of college information to non-trusted sources | MEDIUM | Low | LOW | Physical security measures should be in place to prevent unauthorised access to data. |
| 6 | Terminated/ex-employee | Inside attack | Loss of information, alteration of data | MEDIUM | High | HIGH | Data should be backed up at regular intervals. |
| 7 | Improper security protocol on SCIT website | Cyber terrorism | Unauthorised use of previous employee ID | LOW | Medium | MEDIUM | Immediate removal of old IDs from the database. |
| 8 | No proper software updating | Modification of software programs | Exploitation of unpatched application security flaws | MEDIUM | Medium | MEDIUM | Application software should be updated from time to time. |
| 9 | No proper policies configured | Access to sensitive information | Compromise of unchanged/unexpired password | MEDIUM | Medium | MEDIUM | Password policies must be in place. Automated messages should prompt the change of passwords at regular periods. |
| 10 | No proper tools maintained for managing remote access policies | Illegal access to information | Remote accessibility compromised passwords | LOW | High | HIGH | Security firewalls should be functional even during remote connections. |
| 11 | No proper encryption techniques used | Data loss/information loss | Unencrypted passwords | HIGH | High | HIGH | Strict encryption policies must be implemented for the security of passwords and other sensitive data. |

THANK YOU..!!!
