Assets Model

The document outlines assets, threats, and possible solutions for a university. It lists physical and network assets like servers, computers, and network infrastructure and assigns them values. It then models potential threats to these assets like hacking, theft, and natural disasters. Finally, it suggests security solutions like access control, backups, and disaster recovery plans.

Uploaded by

ADRIKO PATRICIA

MBARARA UNIVERSITY OF SCIENCE AND TECHNOLOGY

FACULTY OF COMPUTING AND INFORMATICS

BACHELOR OF SCIENCE COMPUTER SCIENCE

COURSE NAME: INFORMATION AND CYBER SECURITY

COURSE CODE: CSC2203

LECTURER: DR FRED KAGGWA

Assignment Three-RISK ASSESSMENT

Solutions

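(i) Assets Model Identification

| Asset | Form | Location | People accountable | Valuation |
|---|---|---|---|---|
| 2 Web servers | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| 3 GPU servers | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| 2 Firewalls | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| 1 Proxy server | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| VoIP system | Network infrastructure | Server room | System Administrators (John, Mercy) | High |
| Wireless network | Network infrastructure | Server room | System Administrators (John, Mercy) | High |
| Samsung TV | Tangible | Common Room | No specification | Medium |
| Seating | Tangible furniture | Common Room | No specification | Medium |
| Microwave | Tangible | Common Room | No specification | Low |
| Fridge | Tangible | Common Room | No specification | Medium |
| Utensils | Tangible | Common Room | No specification | Low |
| 3 HP computers | Tangible | Reception | 3 receptionists | High |
| 3 dot matrix printers | Tangible | Reception | 3 receptionists | High |
| 32-inch LG TV | Tangible | Reception | 3 receptionists | High |
| Posh Seating | Tangible furniture | Reception | 3 receptionists | Medium |
| Valuables | Tangible | Storage room | Store Manager | High |
| 1 high-capacity generator | Tangible | Power Room | Company electrician | High |
| 3 solar converters | Tangible | Power Room | Company electrician | High |
| 3 backup batteries | Tangible | Power Room | Company electrician | High |
| Premium amenities | Tangible | Restrooms | Sherinah, the chief cleaner | Low |
| Lenovo computer | Tangible | Managerial office | Joshua | High |
| Multifunction laser jet printer | Tangible | Managerial office | Joshua | High |
| Photocopier | Tangible | Managerial office | Joshua | Medium |
| MacBook laptop | Tangible | Managerial office | Joshua | High |
| Luxury furniture | Tangible | Managerial office | Joshua | Medium |
| Water dispenser | Tangible | Managerial office | Joshua | Low |
| IBM desktop computer | Tangible | HR Manager’s Office | HR manager | High |
| HP printer | Tangible | HR Manager’s Office | HR manager | High |
| File cabinets | Tangible | HR Manager’s Office | HR manager | Low |
| Employee records | Tangible | HR Manager’s Office | HR manager | High |
| Money safe | Tangible | Accountant’s Office | Accountant | High |
| IBM desktop computer | Tangible | Accountant’s Office | Accountant | High |
| Financial ledgers | Tangible | Accountant’s Office | Accountant | High |
| Cheque books | Tangible | Accountant’s Office | Accountant | Medium |
| 15 high-end chairs | Tangible | Boardroom | Office assistant (John) | Medium |
| Company vehicles | Tangible | Secure Parking Area | Security guard (Mpuuga) | High |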

(ii) Threat Model

| Asset | Sources of threat | Motive | Acts | Results and losses | Possible solutions to threats |
|---|---|---|---|---|---|
| Web Servers | Unauthorized access; Insider threats; Power outages; Equipment failure; Natural disasters | Data theft; Sabotage; DOS; Accidental; Financial gain | Hacking; Social engineering; Sabotaging power supply; Installing malware; Breaking into physical premises; Accidental (natural disaster) | Data breach; Financial loss; DOS; System downtime; Data loss | Access control; Authentication; Backup systems; Install locking doors and limit distribution of keys; Install CCTV and remote-control locks; Install “Authorized admittance only” signs; Develop and test disaster recovery plans to address natural disasters |
| Company vehicles | Burglars; Insider threats; Equipment failure | Financial gain; Sabotage; DOS; Irrational behavior | Stealing equipment | Vehicle loss | Require wearing of authorized access badges; Post guards at entrances |
| GPU Servers | Burglars; Insider threats; Power outages; Equipment failure | Financial gain; Sabotage; DOS | Stealing equipment; Sabotaging power supply; Installing malware | Asset loss; DOS; Financial loss; Reputation | Access control, surveillance; Install CCTV and remote-control locks; Install “Authorized admittance only” signs |
| Firewalls | Insider threat; Data breaches; Human error; Malware and viruses; Equipment failure; Unauthorized access by hackers | Data theft; Sabotage; DOS | Hacking; Installing malware; Stealing equipment | Security breach; Loss of privacy; Modification | Regular updates; Proper configuration and management; Deploy robust antivirus and firewall solutions |
| Proxy Server | Unauthorized access by hackers; Insider threat; Malware and viruses; Equipment failure | Revenge; Sabotage; Curiosity; Political activism | Hacking; Stealing equipment; Manipulating data | System downtime; Data loss; Financial loss | Traffic filtering; Rate limiting; Conduct regular security training for employees to mitigate insider threats |
| VoIP System | Hackers; Insider threat; Power outages | Data theft; Sabotage | Eavesdropping; Hacking; Stealing equipment; Sabotaging power supply | Data loss; System compromise; Financial loss | Encryption; Access control; Use UPS systems and surge protectors to safeguard against power issues |
| Wireless Network | Hackers; Insider threat; Equipment failure; Data breaches; Power outages | Data theft; Sabotage | Hacking; Social engineering; Eavesdropping | Data loss; Financial, reputation; Privacy compromise | Access control; Authentication; Deploy robust antivirus and firewall solutions; Use UPS systems and surge protectors to safeguard against power issues |
| Samsung TV; 32-inch LG TV | Burglars; Insider threat; Equipment failure; Power outages | Financial gain; Sabotage; Vandalism | Stealing equipment; Sabotaging power supply | Asset loss; Denial of access; DOS | Install mantrap double doors or turnstile with electronic locks; Install CCTV for surveillance |
| Microwave; Fridge; Utensils | Insider threat; Power outages; Equipment failure | Financial gain; Sabotage; Vandalism | Negligence; Theft; Stealing equipment; Sabotaging power supply | Asset loss; Financial loss | Install intrusion alarms; Install CCTV for surveillance; Burglar proofing |
| HP Computers; Lenovo Computer; MacBook Laptop; IBM Desktop Computer | Hackers; Insider threat; Power outages; Unauthorized access by hackers; Malware and viruses | Data theft; Sabotage; Vandalism | Hacking; Social engineering; Stealing equipment; Installing malware; Manipulating data | Data loss; Data manipulation; Financial loss | Access control; Deploy robust antivirus and firewall solutions; Install locking doors and limit distribution of keys; Use UPS systems and surge protectors to safeguard against power issues |
| Dot Matrix Printer; HP Printer; Laser jet printer; Photocopier | Burglars; Insider threat | Financial gain; Sabotage | Theft; Stealing equipment; Sabotaging power supply | Asset loss; Denial of use; Financial loss | Access control; Install CCTV for surveillance; Regular security awareness campaigns |
| Generator; Solar Converters; Backup Batteries | Natural disaster; Human error; Insider threat; Burglars; Equipment failure | Financial gain; Sabotage; Vandalism | Negligence; Theft; Stealing equipment | System downtime; Productivity reduction; Financial loss; Asset loss | Regular maintenance; Install CCTV for surveillance |
| Financial Ledgers; Cheque Books; Money Safe | Burglars; Insider threat | Financial gain; Sabotage | Theft; Manipulating data | Asset loss; Financial loss; Privacy breach | Access control; Install CCTV for surveillance; Install intrusion alarms |
| Posh Seating; Luxury furniture; High-end chairs | Burglars; Insider threat | Financial gain; Sabotage | Theft; Vandalism | Asset loss | Install CCTV surveillance; Install intrusion alarms |
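A cross-check between the asset model and the threat model, as an added example that is not part of the original assignment: it flags assets that have no row in the threat model and assets with no accountable person, ordered by valuation. The register below is a subset of rows transcribed from table (i); the function and variable names are hypothetical.

```python
import re

# Subset of rows transcribed from asset table (i):
# (asset, location, people accountable, valuation).
ASSET_REGISTER = [
    ("2 Web servers", "Server room", "System Administrators (John, Mercy)", "High"),
    ("Samsung TV", "Common Room", "No specification", "Medium"),
    ("Fridge", "Common Room", "No specification", "Medium"),
    ("valuables", "Storage room", "Store Manager", "High"),
    ("Premium amenities", "Restrooms", "Sherinah, the chief cleaner", "Low"),
    ("File cabinets", "HR Manager's Office", "HR manager", "Low"),
    ("Employee records", "HR Manager's Office", "HR manager", "High"),
    ("Money safe", "Accountant's Office", "Accountant", "High"),
    ("Company vehicles", "Secure Parking Area", "security guard (Mpuuga)", "High"),
]

# Asset names that have a row in threat table (ii).
THREAT_MODEL_ASSETS = [
    "Web Servers", "Company vehicles", "GPU Servers", "Firewalls", "Proxy Server",
    "VoIP System", "Wireless Network", "Samsung TV", "32-inch LG TV", "Microwave",
    "Fridge", "Utensils", "HP Computers", "Lenovo Computer", "MacBook Laptop",
    "IBM Desktop Computer", "Dot Matrix Printer", "HP Printer", "Laser jet printer",
    "Photocopier", "Generator", "Solar Converters", "Backup Batteries",
    "Financial Ledgers", "Cheque Books", "Money Safe", "Posh Seating",
    "Luxury furniture", "High-end chairs",
]

RANK = {"High": 0, "Medium": 1, "Low": 2}
UNOWNED = {"", "no specification"}  # owner values treated as "nobody accountable"

def norm(name):
    """Fold case, drop a leading quantity ('2 Web servers') and a plural 's'."""
    name = re.sub(r"^\d+\s+", "", name.strip().casefold())
    return name[:-1] if name.endswith("s") else name

def coverage_gaps(register, threat_assets):
    """Return (valuation, asset, issue) findings, highest valuation first."""
    modelled = {norm(a) for a in threat_assets}
    findings = []
    for asset, _location, owner, valuation in register:
        if norm(asset) not in modelled:
            findings.append((valuation, asset, "no threat-model row"))
        if owner.strip().casefold() in UNOWNED:
            findings.append((valuation, asset, "no accountable person"))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1].casefold()))

if __name__ == "__main__":
    for valuation, asset, issue in coverage_gaps(ASSET_REGISTER, THREAT_MODEL_ASSETS):
        print(f"[{valuation}] {asset}: {issue}")
```

On this subset the High-valued findings are the employee records and the storage-room valuables, neither of which appears in the threat model.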

(ii) Tangible (Server room) Asset Model

- Key considerations: Servers, Computers, Network infrastructure
- Security measures:
  - Access controls (e.g., passwords, authentication)
  - Encryption
  - Firewalls and intrusion detection/prevention systems
  - Regular software updates and patching
  - Backup and disaster recovery plans
  - Network segmentation and isolation
  - Physical barriers and fencing
  - Regular maintenance and inspections

Personnel Model

Focuses on the role of personnel in safeguarding assets and mitigating threats.

- Key considerations: Employee responsibilities, accountability, training, awareness programs, access controls and authorization
- Security measures:
  - Employee orientation and training programs
  - Regular security awareness campaigns
  - Access control policies and procedures
