6 LAB #1 | Identify Threats and Vulnerabilities in an IT Infrastructure
LAB #1 – ASSESSMENT WORKSHEET
Identify Threats and Vulnerabilities in an IT Infrastructure
Course Name and Number:
Student Name:
Instructor Name:
Lab Due Date:
Overview
The purpose of the seven domains of a typical IT infrastructure is to help organize the roles, responsibilities,
and accountabilities for risk management and risk mitigation. In this lab, you identified known risks, threats,
and vulnerabilities, and then organized them. Finally, you mapped these risks to the domain that was
impacted from a risk management perspective.
Lab Assessment Questions & Answers
1. Health care organizations must strictly comply with HIPAA privacy and security rules that require organizations
to have proper security controls for handling personal information referred to as “protected health
information,” or PHI. This includes security controls for the IT infrastructure handling PHI. Which one of
the listed risks, threats, or vulnerabilities can violate HIPAA privacy and security requirements? List one
and justify your answer in one or two sentences.
2. How many threats and vulnerabilities did you find that impacted risk in each of the seven domains of a
typical IT infrastructure?
• User domain:
• Workstation domain:
• LAN domain:
• LAN-to-WAN domain:
• WAN domain:
• Remote Access domain:
• Systems/Application domain:
RISK—THREAT—VULNERABILITY | PRIMARY DOMAIN IMPACTED
Unauthorized access from public Internet |
User destroys data in application and deletes all files |
Hacker penetrates your IT infrastructure and gains access to your internal network |
Intra-office employee romance gone bad |
Fire destroys primary data center |
Communication circuit outages |
Workstation OS has a known software vulnerability |
Unauthorized access to organization-owned workstations |
Loss of production data |
Denial of service attack on organization e-mail server |
Remote communications from home office |
LAN server OS has a known software vulnerability |
User downloads an unknown e-mail attachment |
Workstation browser has software vulnerability |
Service provider has a major network outage |
Weak ingress/egress traffic filtering degrades performance |
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers |
VPN tunneling between remote computer and ingress/egress router |
WLAN access points are needed for LAN connectivity within a warehouse |
Need to prevent rogue users from unauthorized WLAN access |
3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
4. What is the risk impact or risk factor (critical, major, and minor) that you would qualitatively assign to
the risks, threats, and vulnerabilities you identified for the LAN-to-WAN domain for the health care and
HIPAA compliance scenario?
5. Of the three systems/application domain risks, threats, and vulnerabilities identified, which one requires
a disaster recovery plan and business continuity plan to maintain continued operations during a
catastrophic outage?
6. Which domain represents the greatest risk and uncertainty to an organization?
7. Which domain requires stringent access controls and encryption for connectivity to corporate resources
from home?
8. Which domain requires annual security awareness training and employee background checks for
sensitive positions to help mitigate risks from employee sabotage?
9. Which domains need software vulnerability assessments to mitigate risk from software vulnerabilities?
10. Which domain requires AUPs to minimize unnecessary user-initiated Internet traffic and can be
monitored and controlled by Web content filters?
11. In which domain do you implement Web content filters?
12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the workstation domain,
which domain does WLAN fall within?
13. Under the Gramm-Leach-Bliley Act (GLBA), banks must protect customer privacy. A given bank has just
implemented its online banking solution that allows customers to access their accounts and perform
transactions via their computers or PDA devices. Online banking servers and their public Internet hosting
would fall within which domains of security responsibility?
14. True or false: Customers who conduct online banking on their laptops or personal computers must use
HTTPS, the secure and encrypted version of HTTP browser communications. HTTPS encrypts Web page
data inputs and data through the public Internet and decrypts that Web page and data on the user’s PC or
device.
15. Explain how a layered security strategy throughout the seven domains of a typical IT infrastructure can
help mitigate risk exposure for loss of privacy data or confidential data from the systems/application
domain.