Exercise 1: If an organization has three information assets to evaluate for risk management purposes, as shown in the list below, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?
- A CRM-Server that is connected to the Internet. It has two vulnerabilities:
- susceptibility to hardware failure, with a likelihood of 8, and
- susceptibility to ransomware attack with a likelihood of 4.
The CRM-Server has been assigned an impact value of 10. Assume that there are no current controls in place to protect it, and there is a 75 percent certainty of the assumptions and data.
- An E-commerce server hosts the company Web site and supports customer transactions. It runs a server software that is vulnerable to a buffer overflow attack, with the likelihood of such an attack estimated at 6. The server has been assigned an impact value of 8. Assume that there are no current controls in place to protect the server, and there is a 70 percent certainty of the assumptions and data.
- A Control-Console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show that the likelihood of misuse is 2. There are no controls in place on this asset, which has an impact value of 5. There is a 90 percent certainty of the assumptions and data.
Exercise 2: Using the list of threats to InfoSec presented in Chapter 6 identify and describe three instances of each that were not mentioned in the chapter.