Week 4 – Assignment: Identify Security, Risk, and Privacy: Threats and Vulnerabilities
For this assignment, you must write a persuasive report for technologists and managers to increase awareness leading to improved focus and resource allocation to cybersecurity needs.
For this assignment, you must write a persuasive report for technologists and managers to increase awareness leading to improved focus and resource allocation to cybersecurity needs. You will consider risks and privacy exposures by analyzing threats and vulnerabilities within cybersecurity and justifying formal consideration of threats and vulnerabilities to improve the risk, security, and privacy posture of your organization.
Be sure to organize the content carefully to create a logical response that can support your Week 8 Signature Assignment.
Be sure your paper includes the following:
Careful identification of vulnerabilities and threats relating to:
identity and access management
applications including web applications
Length: 5 to 6-page persuasive report, not including title and reference pages
References: Include a minimum of 3 scholarly resources in addition to those provided within the course.
The completed assignment should address all of the assignment requirements, exhibit evidence of concept knowledge, and demonstrate thoughtful consideration of the content presented in the course. The writing should integrate scholarly resources, reflect academic expectations and current APA standards, and adhere to the Northcentral University’s Academic Integrity Policy.
The words “threats,” “vulnerabilities,” and “exploits” are often confused. The distinction between threats, vulnerabilities, and exploits is critical. It is important to remember that the weakest link in the chain effectively determines the security posture for defense, so you must recognize and address those weak links. When confronted with a threat, you must compile a list of properties that must be safeguarded against it.
An asset inventory enables you to conduct a threat analysis on those items. After that, you can figure out what kind of negative effect an asset could have. A weakness is a vulnerability. It might be at the hardware level, for example, when you are using outdated firmware on a wireless router with established bugs, or it could be a lack of physical security controls. Perhaps the servers are hidden behind a locked door. A vulnerability could be revealed at the software level before software updates are implemented. Software updates often address this form of problem. However, a software misconfiguration may sometimes expose a vulnerability that a malicious user can exploit. Even using the default settings in some applications will expose your organization to vulnerabilities in some cases.
Exploitation takes advantage of a flaw or vulnerability. Now, as you perform penetration testing to find specific weaknesses that can be abused, you can honestly do so and then mitigate them somehow. However, if you do not have a security control in place to mitigate a known vulnerability, malicious users can exploit it. Zero-day vulnerabilities are those that vendors and the general IT security community are unaware of (NIST, 2020).
Malicious users recognize vulnerabilities and may exploit them. In certain situations, zero-day vulnerabilities can be discovered inadvertently by an intrusion detection or prevention device. The lack of data availability is an example of a threat. That may be for various reasons, such as a server crash or files that have been encrypted by ransomware. A weakness may be a lack of user knowledge in training, which could lead to ransomware if a user opens an email and finds a file attachment they did not ask for or were not expecting.
Risk and its corresponding vulnerability are combined to form a risk. Before a situation presents a threat to an organization’s security, all of these factors must be present.
National Institute of Standards and Technology. (2020). Security and privacy controls for information systems and organizations. NIST Special Publication 800-53, Revision 5.
Weekly Resources and Assignments
Review the resources from the Course Resources link, located in the top navigation bar, to prepare for this week’s assignments. The resources may include textbook reading assignments, journal articles, websites, links to tools or software, videos, handouts, rubrics, etc.
Week 4 Resources
Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management
Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I. (2020). Multicriteria decision framework for cybersecurity risk assessment and management. Risk Analysis: An International Journal, 40(1), 183–199.
In this paper, the proposed framework bridges the gap between risk evaluation and risk management, allowing analysts to choose risk management alternatives in a standardized and transparent manner. This approach is demonstrated in a conceptual, yet practical case study that demonstrates assessing and rating five cybersecurity enhancement strategies.
Internet of Things (IoT) Cybersecurity: Literature Review and IoT Cyber Risk Management
Lee, I. (2020). Internet of Things (IoT) cybersecurity: Literature review and IoT cyber risk management. Future Internet, 12(9), 1Q.
This paper examines IoT cybersecurity technologies and mechanisms for managing cyber danger. After that, a four-layer IoT cyber risk management system is presented in this paper. In addition, a linear programming approach is used to allocate financial resources to various IoT cybersecurity projects in this article.
Risk and the Five Hard Problems of Cybersecurity
Scala, N. M., Reilly, A. C., Goethals, P. L., & Cukier, M. (2019). Risk and the five hard problems of cybersecurity. Risk Analysis: An International Journal, 39(10), 2119–2126.
This article discusses risk in cyber protection and suggests ways to apply risk analysis principles to the area of cybersecurity. The National Security Agency’s Science of Security (SoS) program aims to advance and encourage interdisciplinary cybersecurity research.
Answer preview for this assignment, you must write a persuasive report for technologists and managers to increase awareness leading to improved focus and resource allocation to cybersecurity needs.