Lab #4

The document provides instructions for a qualitative risk assessment of an IT infrastructure. It lists various risks, threats, and vulnerabilities across different domains, including user, workstation, LAN, LAN-to-WAN, WAN, remote access, and systems/applications. For each risk, it provides a description and assigns a risk impact factor of 1, 2, or 3 to designate the risk as critical, major, or minor based on its potential impact. The assessment aims to identify and prioritize risks in order to improve security and compliance.

Uploaded by

Trần Mỹ Linh
Lab #4: Assessment Worksheet

Perform a Qualitative Risk Assessment for an IT Infrastructure


Overview
The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your instructor will assign you one of four different scenarios and vertical industries, each of which is under a unique compliance law.
1. Scenario/Vertical Industry:
   - Healthcare provider under HIPAA compliance law
   - Regional bank under GLBA compliance law
   - Nationwide retailer under PCI DSS standard requirements
   - Higher-education institution under FERPA compliance law
2. Given the list, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities, and identify which of the seven domains of a typical IT infrastructure each risk, threat, or vulnerability resides in.
Risk-Threat-Vulnerability | Primary Domain Impacted | Risk Impact/Factor
Unauthorized access from public Internet | Remote Access | 1
User destroys data in application and deletes all files | Systems/Application | 3
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN | 1
Intra-office employee romance gone bad | User | 3
Fire destroys primary data center | Systems/Application | 1
Service provider SLA is not achieved | WAN | 3
Workstation OS has a known software vulnerability | Workstation | 2
Unauthorized access to organization owned workstations | Workstation | 1
Loss of production data | Systems/Application | 2
Denial of service attack on organization DMZ e-mail server | LAN-to-WAN | 1
Remote communications from home office | Remote Access | 2
LAN server OS has a known software vulnerability | LAN | 2
User downloads and clicks on an unknown e-mail attachment | User | 1
Workstation browser has a software vulnerability | Workstation | 3
Mobile employee needs secure browser access to sales order entry system | Remote Access | 3
Service provider has a major network outage | WAN | 2
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User | 2
VPN tunneling between remote computer and ingress/egress router is needed | LAN-to-WAN | 2
WLAN access points are needed for LAN connectivity within a warehouse | LAN | 3
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN | 1
DoS/DDoS attack from the WAN/Internet | WAN | 1

3. For each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”, or “3” next to each risk, threat, or vulnerability found within each of the seven domains of a typical IT infrastructure. “1” = Critical, “2” = Major, “3” = Minor. Define the following qualitative risk impact/risk factor metrics:
a. “1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., a privacy law requirement for securing privacy data and implementing proper security controls, etc.) and places the organization in a position of increased liability.
b. “2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual property assets and IT infrastructure.
c. “3” Minor – a risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure.
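As an added worked example (my own code, not part of the worksheet), the step 3 rubric written as a decision function and applied to a few rows of the register above, so that each domain's rows come out in Critical, Major, Minor order; the compliance / C-I-A / productivity flags on each row are my own assumptions, chosen to reproduce the factors the worksheet assigns:

```python
from dataclasses import dataclass
# Constructed example (see lead-in); the per-row flags below are my own assumptions.
CRITICAL, MAJOR, MINOR = 1, 2, 3
LABELS = {CRITICAL: "Critical", MAJOR: "Major", MINOR: "Minor"}

@dataclass(frozen=True)
class Risk:
    description: str
    domain: str
    impacts_compliance: bool = False    # regulated data / increased liability
    impacts_cia: bool = False           # C-I-A of IP assets or infrastructure
    impacts_productivity: bool = False  # user productivity or availability only

def impact_factor(risk: Risk) -> int:
    """Worksheet rubric: '1' if compliance, else '2' if C-I-A, else '3' if productivity."""
    if risk.impacts_compliance:
        return CRITICAL
    if risk.impacts_cia:
        return MAJOR
    if risk.impacts_productivity:
        return MINOR
    raise ValueError(f"no impact category recorded for: {risk.description}")

REGISTER = [  # rows from the register above; flags are assumptions
    Risk("Need to prevent eavesdropping on WLAN due to customer privacy data access",
         "LAN", impacts_compliance=True),
    Risk("LAN server OS has a known software vulnerability", "LAN", impacts_cia=True),
    Risk("WLAN access points are needed for LAN connectivity within a warehouse",
         "LAN", impacts_productivity=True),
    Risk("Unauthorized access to organization owned workstations", "Workstation",
         impacts_compliance=True),
    Risk("Workstation OS has a known software vulnerability", "Workstation",
         impacts_cia=True),
    Risk("Workstation browser has a software vulnerability", "Workstation",
         impacts_productivity=True),
]

def prioritize(register: list[Risk]) -> dict[str, list[tuple[int, str]]]:
    """Group rows by domain and order each domain Critical -> Major -> Minor."""
    by_domain: dict[str, list[tuple[int, str]]] = {}
    for r in register:
        by_domain.setdefault(r.domain, []).append((impact_factor(r), r.description))
    for rows in by_domain.values():
        rows.sort()  # factor 1 first; equal factors fall back to alphabetical order
    return by_domain

if __name__ == "__main__":
    for domain, rows in prioritize(REGISTER).items():
        print(domain, *[f"  {f} ({LABELS[f]}) {d}" for f, d in rows], sep="\n")
```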
User Domain Risk Impacts: (refer to previous chart):
1) User downloads and clicks on an unknown e-mail attachment.
Explanation: This risk occurs when the user downloads and opens an e-mail attachment of unknown origin. This can lead to infection with malware or other malicious software and creates risks to the system and to user data.
Example: A user receives a strange e-mail with the attachment "invoice.zip" and does not know the source of the e-mail. They download and extract the attachment without checking it. The file contains a malicious program that is activated when the user opens it. This can damage the system and steal the user's personal information.
2) User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers.
Explanation: This risk occurs when a user inserts a CD or USB hard drive that stores personal data such as photos, music, and videos into computers owned by the organization. This can create security holes and threaten information security, because personal data may contain malware, malicious code, or other unsafe files.
3) Intra-office employee romance gone bad
Explanation: This risk occurs when a personal relationship between employees in the office turns sour. This can harm the work environment, causing distraction and conflict, and can even affect job performance and organizational stability.
Workstation Domain Risk Impacts: (refer to previous chart):
1) Unauthorized access to organization owned workstations.
Explanation: This risk occurs when there is unauthorized access to workstations owned by the organization. This may lead to disclosure of sensitive information, violate privacy, and harm the organization's systems and data.
2) Workstation OS has a known software vulnerability.
Explanation: This risk occurs when the workstation's operating system has a publicly known software vulnerability. This gives attackers the opportunity to exploit the vulnerability to penetrate the workstation, causing harm to the system and theft of information.
3) Workstation browser has a software vulnerability.
Explanation: This risk occurs when the browser on the workstation has a software vulnerability, that is, a weakness in the browser software that attackers can exploit to get into the workstation and harm the system and data.
Example: A computer on an organization's network uses a certain web browser, and this version of the browser has a known software vulnerability. Attackers exploit this vulnerability by taking advantage of security holes in the browser, for example cache errors, to perform remote attacks. This may lead to the installation of malicious software on the computer, theft of personal information, or remote takeover of the computer.
LAN Domain Risk Impacts: (refer to previous chart):
1) Need to prevent eavesdropping on WLAN due to customer privacy data access.
Explanation: This risk occurs when eavesdropping on the WLAN (wireless local area network) must be prevented to protect customers' private data. This is especially important when sensitive data is transmitted over the WLAN, because the information can be exposed and harm the privacy and reputation of customers.
2) LAN server OS has a known software vulnerability.
Explanation: This risk occurs when the LAN server operating system has a publicly known software vulnerability. This makes it possible for an attacker to exploit the vulnerability to penetrate the LAN server, causing harm to the system and affecting the performance and security of the LAN.
3) WLAN access points are needed for LAN connectivity within a warehouse.
Explanation: This risk occurs when WLAN access points are required to connect to the LAN in a warehouse. This creates a security hole, because a WLAN access point can become a weak point that an attacker can exploit to infiltrate the LAN and cause harm.
LAN-to-WAN Domain Risk Impacts: (refer to previous chart):
1) Denial of service attack on organization DMZ and e-mail server.
2) VPN tunneling between remote computer and ingress/egress router is
needed.
3) Weak ingress/egress traffic filtering degrades performance.
WAN Domain Risk Impacts: (refer to previous chart):
1) DoS/DDoS attack from the WAN/Internet.
2) Service provider has a major network outage.
3) Service provider SLA is not achieved.
Remote Access Domain Risk Impacts: (refer to previous chart):
1) Unauthorized access from public Internet.
2) Remote communications from home office.
3) Mobile employee needs secure browser access to sales order entry system.
Systems/Applications Domain Risk Impacts: (refer to previous chart):
1) Fire destroys primary data center.
2) Loss of production data.
3) User destroys data in application and deletes all files.
