cyber security

Q1. Risk Management (4 points)

Consider the risk assessment report posted on the course D2L titled: “DETAILED RISK ASSESSMENT REPORT”. Read the report and answer the following questions.

a. What system is in the scope of the risk assessment included in the report, and what does that system do (functionality)?

b. What techniques were used in performing the risk assessment? Elaborate on how each technique helps in the assessment.

c. What risk model did the report adopt for evaluating risks, and what scales were used?

d. Considering the flow diagram provided in section 3.5, list two good network security controls that are included in the design.

e. Consider the vulnerability statements (risk scenarios) listed in section 4. Reflect on the password-related statement and possible mitigations.

f. Given the risk assessment results listed in the table in Section 5, construct a risk register, adding a risk response column and populating it with what you think is an appropriate risk response action (e.g. accept, mitigate, etc.).

Q2. Access Control Matrix (3 points)

Explain the following file permissions in UNIX:

a. -rw-r--r--

b. drwxr-xr-x

c. 0400
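As an added example (not part of the assignment or the report), the following Python script converts between the symbolic mode strings in the question and numeric modes, and spells out what owner, group and other may do. It also handles the setuid, setgid and sticky bits, which go beyond the three strings above.

```python
import stat

# Leading character of an ls -l mode string -> (file type, S_IF* bits needed
# to rebuild the string with stat.filemode).
FILE_TYPES = {
    "-": ("regular file", stat.S_IFREG),
    "d": ("directory", stat.S_IFDIR),
    "l": ("symbolic link", stat.S_IFLNK),
    "c": ("character device", stat.S_IFCHR),
    "b": ("block device", stat.S_IFBLK),
    "p": ("FIFO", stat.S_IFIFO),
    "s": ("socket", stat.S_IFSOCK),
}


def parse_symbolic(text: str) -> tuple[str, int]:
    """Turn a 10-character ls -l mode such as 'drwxr-xr-x' into (file_type, mode_bits).

    Positions 1-9 are three rwx triplets (owner, group, other). An 's' in an
    execute slot means setuid/setgid plus execute, 'S' means set-id without
    execute; 't'/'T' do the same for the sticky bit in the last slot.
    """
    if len(text) != 10 or text[0] not in FILE_TYPES:
        raise ValueError(f"not an ls -l mode string: {text!r}")
    mode = 0
    for i, ch in enumerate(text[1:]):
        bit = 1 << (8 - i)              # owner-r = 256 ... other-x = 1
        want = "rwx"[i % 3]
        if ch == want:
            mode |= bit
        elif ch == "-":
            continue
        elif ch in "sS" and i in (2, 5):
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            mode |= bit if ch == "s" else 0
        elif ch in "tT" and i == 8:
            mode |= stat.S_ISVTX
            mode |= bit if ch == "t" else 0
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 1} in {text!r}")
    return FILE_TYPES[text[0]][0], mode


def parse_octal(text: str) -> int:
    """Parse a numeric mode the way chmod does: '0400' and '400' both give 0o400."""
    return int(text, 8)


def to_symbolic(mode: int, type_char: str = "-") -> str:
    """Rebuild the ls -l string from permission bits using the standard library."""
    return stat.filemode(FILE_TYPES[type_char][1] | (mode & 0o7777))


def explain(mode: int) -> dict[str, list[str]]:
    """List read/write/execute for owner, group and other from the permission bits."""
    names = ((4, "read"), (2, "write"), (1, "execute"))
    result = {}
    for role, shift in (("owner", 6), ("group", 3), ("other", 0)):
        triplet = (mode >> shift) & 0o7
        result[role] = [name for value, name in names if triplet & value]
    return result


if __name__ == "__main__":
    for sample in ("-rw-r--r--", "drwxr-xr-x"):     # strings from the question
        kind, bits = parse_symbolic(sample)
        print(f"{sample}: {kind}, mode {bits:04o}, {explain(bits)}")
    bits = parse_octal("0400")                       # third string from the question
    print(f"0400: {to_symbolic(bits)}, {explain(bits)}")
```

Reading the output for 0400 shows why it is the usual mode for a private key or credentials file: only the owner can read it, and nobody, including the owner, can write it without changing the mode first.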

Q3. Read the following article

and construct a one-slide summary of the following:

– End-point security domains and main risks 

– Security approach

– Some common myths about end-point security. 

This is sample data for demonstration and discussion purposes only

Executive Summary

During the period June 1, 2004 to June 16, 2004 a detailed information security
risk assessment was performed on the Department of Motor Vehicle’s Motor
Vehicle Registration Online System (“MVROS”).

The MVROS provides the ability for State vehicle owners to renew motor vehicle
registrations, pay renewal fees, and enter change of address information.

The assessment identified several medium risk items that should be addressed
by management.

1. Introduction

1.1 Purpose

The purpose of the risk assessment was to identify threats and vulnerabilities
related to the Department of Motor Vehicles – Motor Vehicle Registration Online
System (“MVROS”). The risk assessment will be utilized to identify risk mitigation
plans related to MVROS. The MVROS was identified as a potential high-risk
system in the Department’s annual enterprise risk assessment.

1.2 Scope of this risk assessment

The MVROS system comprises several components. The external (customer)
interface is a series of web pages that allow the user to input data and receive
information from the application. The online application is a web-based
application developed and maintained by the DMV. The application is built using
Microsoft’s Internet Information Server and uses Active Server Pages. The
application has an interface with the motor vehicle registration database and with
Paylink – an e-commerce payment engine provided by a third party vendor. DMV
IT department hosts the application. The application components are physically
housed in the DMV’s data center in Anytown.

The scope of this assessment includes all the components described above
except for Paylink. The Paylink interface – the component managed by DMV IT –
is in scope. Also in scope are the supporting systems, which include: DMZ
network segment and DMZ firewalls. The web application, DMV database and
operating systems supporting these components are all in scope.

2. Risk Assessment Approach

2.1 Participants

System Owner: John Smith
System Custodian: Mary Blue
Security Administrator: Tom Sample
Database Administrator: Elaine Ronnie
Network Manager: David Slim
Risk Assessment Team: Eric Johns, Susan Evans, Terry Wu

2.2 Techniques Used

Technique and description:

Risk assessment questionnaire: The assessment team used a customized version of the self-assessment questionnaire in NIST SP-26 “Security Self-Assessment Guide for Information Technology Systems”. This questionnaire assisted the team in identifying risks.

Assessment tools: The assessment team used several security testing tools to review system configurations and identify vulnerabilities in the application. The tools included nmap, Nessus and AppScan.

Vulnerability sources: The team accessed several vulnerability sources to help identify potential vulnerabilities. The sources consulted:
• SANS Top 20
• OWASP Top 10
• NIST I-CAT vulnerability database
• Microsoft Security Advisories
• CA Alert service

Transaction walkthrough: The assessment team selected at least one transaction (use case) of each type and walked each transaction through the application process to gain an understanding of the data flow and control points.

Review of documentation: The assessment team reviewed DMV security policies, system documentation, network diagrams and operational manuals related to the MVROS.

Interviews: Interviews were conducted to validate

Site visit: The team conducted a site visit at the Data Center and reviewed physical access and environmental controls.

2.3 Risk Model

In determining risks associated with the MVROS, we utilized the following model for classifying risk:

Risk = Threat Likelihood x Magnitude of Impact

And the following definitions:

Threat Likelihood

Likelihood (weight factor) and definition:

High (1.0): The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium (0.5): The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low (0.1): The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Magnitude of Impact

Impact (score) and definition:

High (100): The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
• A severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
• Major damage to organizational assets
• Major financial loss
• Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Medium (50): The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
• Significant damage to organizational assets
• Significant financial loss
• Significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

Low (10): The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
• Minor damage to organizational assets
• Minor financial loss
• Minor harm to individuals.

Risk was calculated as follows (rows are Threat Likelihood; columns are Magnitude of Impact: Low (10), Medium (50), High (100)):

High (1.0) likelihood:
• Low impact: Low Risk (10 x 1.0 = 10)
• Medium impact: Medium Risk (50 x 1.0 = 50)
• High impact: High Risk (100 x 1.0 = 100)

Medium (0.5) likelihood:
• Low impact: Low Risk (10 x 0.5 = 5)
• Medium impact: Medium Risk (50 x 0.5 = 25)
• High impact: Medium Risk (100 x 0.5 = 50)

Low (0.1) likelihood:
• Low impact: Low Risk (10 x 0.1 = 1)
• Medium impact: Low Risk (50 x 0.1 = 5)
• High impact: Low Risk (100 x 0.1 = 10)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
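The model and scale above, as an added example that is not part of the report: a Python implementation that reproduces the 3x3 matrix, classifies a score on the report's scale, and builds the risk register asked for in Q1.f from the five observations rated in Section 5. The default risk-response rule (accept Low, mitigate Medium and High) is my assumption, not the report's; the overrides parameter replaces it per item.

```python
"""Risk scoring with the model used in the MVROS report:
Risk = Threat Likelihood (weight) x Magnitude of Impact (score)."""

from itertools import product

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # weight factors, section 2.3
IMPACT = {"High": 100, "Medium": 50, "Low": 10}         # impact scores, section 2.3


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight times impact score; rounded so 0.1 x 10 is exactly 1."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Map a score onto the report's scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    if score >= 1:
        return "Low"
    raise ValueError(f"score {score} is below the report's scale")


def risk_matrix() -> dict[tuple[str, str], tuple[float, str]]:
    """The full table of (likelihood, impact) -> (score, level), as in section 2.3."""
    table = {}
    for likelihood, impact in product(LIKELIHOOD, IMPACT):
        score = risk_score(likelihood, impact)
        table[(likelihood, impact)] = (score, risk_level(score))
    return table


# Observations from the report's section 5, with the likelihood/impact rated there
# (labels shortened here; the report's own wording is in the table in section 5).
OBSERVATIONS = [
    (1, "Password guessing", "Medium", "Medium"),
    (2, "Cross site scripting", "Medium", "Medium"),
    (3, "SQL injection", "High", "Medium"),
    (4, "Unnecessary services", "Medium", "Medium"),
    (5, "Disaster recovery", "Medium", "High"),
]

# Assumed default policy for the risk-response column (not from the report):
# accept Low, mitigate Medium and High. Overrides take precedence per item.
DEFAULT_RESPONSE = {"Low": "accept", "Medium": "mitigate", "High": "mitigate"}


def build_register(observations, overrides=None) -> list[dict]:
    """Recompute score and level for each observation and attach a response."""
    overrides = overrides or {}
    register = []
    for number, text, likelihood, impact in observations:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        register.append({
            "id": number, "observation": text,
            "likelihood": likelihood, "impact": impact,
            "score": score, "risk": level,
            "response": overrides.get(number, DEFAULT_RESPONSE[level]),
        })
    return register


if __name__ == "__main__":
    for (likelihood, impact), (score, level) in risk_matrix().items():
        print(f"likelihood {likelihood:6} x impact {impact:6} = {score:5} -> {level}")
    for row in build_register(OBSERVATIONS):
        print(row)
```

Running it shows the one asymmetry worth noticing in the report's scale: High likelihood with Medium impact and Medium likelihood with High impact both score exactly 50, which the scale classes as Medium, so only the High/High cell reaches High risk.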

3. System Characterization

3.1 Technology components

Applications: In-house developed, uses Microsoft Active Server Pages running under Microsoft Internet Information Server 4.0
Databases: Microsoft SQL Server 2000
Operating Systems: Microsoft Windows NT version 4.0 SP 2
Networks: Checkpoint Firewall; Cisco Routers
Interconnections: Interface to PayLink
Protocols: SSL used for transmission between client web browser and web server

3.2 Physical Location(s)

Data Center: 260 Somewhere Street, Anytown
Help Desk: 5500 Senate Road, Anytown
NOC: 1600 Richmond Avenue, Anytown

3.3 Data Used By System

Data and description:

• Name
• Address (current and previous)
• Phone Number
• SSN #

Vehicle information includes:
• Vehicle identification number
• Tag #
• Date of last emissions test

• Credit card #
• Verification code
• Expiry date
• Card type
• Authorization reference
• Transaction reference

Tax: Registration fee

3.4 Users

State Vehicle Owners: Access the system via a web browser. Can renew vehicle registration provided they have a valid credit card. Can also enter change of address information.

DMV IT Personnel: Manage the MVROS system including firewalls and networks. Maintain security configuration of system.

DMV Operations: Utilize information contained in the MVR database for management reporting. Generate reports and database

DMV Offices: Utilize the MVR application for in-person renewals.

3.5 Flow Diagram

The following diagram shows the in-scope technology components reviewed as part of the MVROS.

[Flow diagram not reproduced in the text; component labels recovered from the figure: Internet, Router, MVR Website, MVR Application, Interface to]

4. Vulnerability Statement

The following potential vulnerabilities were identified:

Vulnerability and description:

Cross-site scripting: The web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.

SQL injection: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.

Password strength: Passwords used by the web application are inappropriately formulated. Attackers could guess the password of a user to gain access to the system.

Unnecessary services: The web server and application server have unnecessary services running such as telnet, snmp and anonymous ftp.

Disaster recovery: There are no procedures to ensure the ongoing operation of the system in event of a significant business interruption or disaster.

Lack of documentation: System specifications, design and operating processes are not documented.

Integrity checks: The system does not perform sufficient integrity checks on data input into the system.

5. Threat Statement

The team identified the following potential threat-sources and associated threat
actions applicable to the MVROS:

Threat-source and threat actions:

Hackers:
• Web defacement
• Social engineering
• System intrusion, break-ins
• Unauthorized system access

Computer criminal:
• Identity theft
• Spoofing
• System intrusion

Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees):
• Browsing of personally identifiable information
• Malicious code (e.g., virus)
• System bugs
• Unauthorized system access

Environment:
• Natural disaster

5. Risk Assessment Results
{Note: Only partial list included in this example}

Columns: Observation; Threat-source / vulnerability; Existing controls; Likelihood; Impact; Risk; Recommended controls.

Item 1
Observation: User system passwords can be guessed or
Threat-source / vulnerability: Hackers / Password
Existing controls: Password must be numeric and at least 5
Likelihood / Impact / Risk: Medium / Medium / Medium
Recommended controls: Require use of special

Item 2
Observation: Cross site scripting
Threat-source / vulnerability: Hackers / Cross-site
Existing controls: None
Likelihood / Impact / Risk: Medium / Medium / Medium
Recommended controls: Validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed

Item 3
Observation: Data could be extracted/modified from DMV database by entering SQL commands into input
Threat-source / vulnerability: Hackers + Criminals / SQL Injection
Existing controls: checks on
Likelihood / Impact / Risk: High / Medium / Medium
Recommended controls: Ensure that all parameters are validated before they are used. A centralized component or library is likely to be the most effective, as the code performing the checking should all be in one place. Each parameter should be checked against a strict format that specifies exactly what input will be allowed.

Item 4
Observation: Web server and application server running unnecessary
Threat-source / vulnerability: All / Unnecessary
Existing controls: None
Likelihood / Impact / Risk: Medium / Medium / Medium
Recommended controls: Reconfigure systems to remove unnecessary services

Item 5
Observation: Disaster recovery plan has not been
Threat-source / vulnerability: Environment / Disaster Recovery
Existing controls: backup only
Likelihood / Impact / Risk: Medium / High / Medium
Recommended controls: Develop and test a disaster recovery plan