Information Security Risk Management Assignment
For this exercise, read the provided case study about AcmeHealth, and rate the risk exposure for each finding related to the following assets:
1. Code Repository
2. QA Server
3. Production Application Server
You will need to assess the severity of each violation and also the likelihood that it would cause a breach of security. Use the severity and likelihood scales from Appendix B in the book (Tables 6.11 and 6.12) to evaluate each finding. A mapping table is provided (Figure 6.2) to calculate the Risk Exposure value for each severity/likelihood pair without taking sensitivity into account for now.Along with the ratings, describe in words why you rated the severity and likelihood this way. Review the provided example as a guideline.
Next, write down 3-5 questions for each finding that you might ask the resource owner or SME to further qualify the risk. If you don't understand the technical details of any of the findings, ask the instructor to clarify.
You can turn in the assignment electronically through Blackboard.
Use this worksheet to capture each critical asset and describe the business value (see examples in the first row below):
Table 1 - Initial Finding Ratings
|
#
|
Resource
|
Finding
|
Severity
|
Likelihood
|
Exposure
|
|
1
|
Code Repository
|
Resource administrators don't verify the integrity of the information resource patches through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch.
|
High
|
Low
|
Moderate
|
|
If malicious code is allowed onto the system through an application patch, this could compromise that application potentially allowing backdoor access to attackers or allow sensitive data to be sent from the application to the attackers. The malicious code may also cause the application to be unstable, causing it to crash periodically.
Although it is possible for attackers to place fake application patch updates on sites that look legitimate, for most commercial software this would be more difficult and the attacker would have to be very motivated and have a high level of skill.
|
|
2
|
Code Repository
|
Network connections from the offshore developers' workstations to the code repository server are not encrypted.
|
High
|
Moderate
|
Moderate
|
|
If the network connection from the external workstation to the code repository is not encrypted.It is possible that someone may monitor the sniff or port packets. We might be use the protocols which are TCP or FTP. An attacker could fake a packet to steal the source code of our application.
|
|
3
|
QA Server
|
Client data is copied from production servers to this server regularly for QA testing.
|
High
|
Low
|
Moderate
|
|
Should test QA before the customer use the application. If there are some bugs or unknown errors, the customer might be notice it first. An attacker could find a way to break through a firewall based on those bugs and errors. Therefore, the client data must be tested before updating to the application server.
|
|
4
|
Production Application Server
|
No one notifies the Help Desk of terminations for support personnel in order to ensure that their access is disabled.
|
Moderate
|
High
|
Moderate
|
|
The connection between the Help Desk of terminations and customers' PDA is from outside to the application server. This means that if the attacker has access, hemayhave time to break the firewall and get advanced permissions. It would be dangerous if there is no one to notifies the supporter.
|
Next write down your follow up questions for each finding using the space provided below. These questions should include the information you would need to better rate each of the findings:
Finding 1:
1. Are updates tested in a non-production environment prior to implementation?
2. Where are updates downloaded from?
3. Are systems scanned for vulnerabilities post-update?
4. Will the system install a corrupted update?
5. Is there a back-out procedure for bad updates?
Etc.
Record your follow up questions to further qualify each finding here:
Finding 2:
1. Does the network security group create any of the security policies for this?
2. Does the network security grouphas been encryptedfor this finding?
3. Have these policies been effective in ensuring security on connection?
Finding 3:
1. Did we test QA before the customer use the application?
2. How often perform QA tests on a regular basis?
3. Are QA tests automatic or manual?
Finding 4:
1. Does the security group create any policies to ensure that the supporter is notified?
2. Is there any division of responsibilities and duties?
3. What access control systems are installed in the network?