Select an organization you wish to explore and use throughout the course.
As you make your selection, keep in mind that you will explore the following roles in the organization: Cyber Security Threat Analyst, Penetration Tester, Cyber Security Engineer, Risk Management Analyst, and Software Engineer. You need sufficient knowledge of the organization you select to complete these security assignments.
A Cyber Security Threat Analyst conducts analysis, digital forensics, and targeting to identify, monitor, assess, and counter cyber-attack threats against information systems, critical infrastructure, and cyber-related interests.
Take on the role of a Cyber Security Threat Analyst for the organization you select. Use the Threats, Attacks, and Vulnerability Assessment Template to create a 3- to 4-page assessment document.
Research and include the following:
- REFER TO ADDITIONAL RESOURCES BELOW and to the grading rubric.
- Provide a scope description of the system you are assessing.
- Provide a network diagram of the system on which you are conducting a risk assessment (Microsoft® Visio® or Lucidchart®).
- Describe at least 12 possible threat agents and how attacks are accomplished with each (attention to attack paths).
- Describe at least seven exploitable technical and physical vulnerabilities that would enable a successful attack.
- List at least two security incidents that happened to this organization, or within its industry, against similar systems (same data or business process).
- Describe the risks associated with at least five threat/vulnerability sets defined in this document.
This assignment requires careful attention to each step. In this post, I provide resources to help.
- Remember that a system is all devices associated with a business process, including servers, routers, switches, firewalls, user devices, applications, etc. For help on creating your network diagram, see the Lucidchart How to Build a Network Diagram or Creating a Network Diagram with Visio.
- Threat modeling traces attack paths through our infrastructure. This enables us to identify strengths and weaknesses in our controls framework. See A Practical Approach to Threat Modeling.
- There are many threats and vulnerabilities. For a comprehensive list of possible threats and vulnerabilities, see Catalogue of threats & vulnerabilities. Remember that a threat agent is a specific instance of a threat. For example, a threat of social engineering might be implemented by a malicious actor using a link in an email message. Social engineering alone would not be detailed enough for this assignment. You must use specific threat agents.
- It is necessary for this assignment to pair threats and vulnerabilities for the final risk table. Even if you think you understand the differences between threats and vulnerabilities, I suggest you watch the short video, Threats, Vulnerabilities, and Business Impact.
- When you complete the final risk table, it is important to describe the risk in terms of the threats, vulnerabilities, and business impact as you would to a business manager. After all, that is who will be approving your recommendations. An example of what this might look like is shown in the attachment below. I adjusted the table columns in the attached version of the template.