Select an organization you wish to explore and use throughout the course.
As you make your selection, keep in mind that you will explore the following roles in the organization: Cyber Security Threat Analyst, Penetration Tester, Cyber Security Engineer, Risk Management Analyst, and Software Engineer. You need sufficient knowledge of the organization you select to complete these security assignments.
A Cyber Security Threat Analyst conducts analysis, digital forensics, and targeting to identify, monitor, assess, and counter cyber-attack threats against information systems, critical infrastructure, and cyber-related interests.
Take on the role of a Cyber Security Threat Analyst for the organization you select. Use the Threats, Attacks, and Vulnerability Assessment Template to create a 3- to 4-page assessment document.
Research and include the following:
REFER TO ADDITIONAL RESOURCES BELOW and to the grading rubric.
Provide a scope description of the system you are assessing.Provide a network diagram of the system on which you are conducting a risk assessment.(MicrosoftÂ®VisioÂ®or LucidchartÂ®)
Describe at least 12 possible threat agents and how attacks are accomplished with each (attention to attack paths)
Describe at least seven exploitable technical and physical vulnerabilities that would enable a successful attack.
List at least two security incidents that happened to this organization, or within its industry, against similar systems (same data or business process)
Describe the risks associated with at least five threat/vulnerability sets defined in this document.
This assignment requires careful attention to each step. In this post, I provide resources to help.
Remember that a system is all devices associated with a business process, including servers, routers, switches, firewalls, user devices, applications, etc. For help on creating your network diagram, see the Lucidchart How to Build a Network Diagram or Creating a Network Diagram with Visio.
Threat modeling traces attack paths through our infrastructure. This enables us to identify strengths and weaknesses in our controls framework. See A Practical Approach to Threat Modeling.
There are many threats and vulnerabilities. For a comprehensive list of possible threats and vulnerabilities, see Catalogue of threats & vulnerabilities. Remember that a threat agent is a specific instance of a threat. For example, a threat of social engineering might be implemented by a malicious actor using a link in a an email message. Social engineering alone would not be detailed enough for this assignment. You must use specific threat agents.
It is necessary for this assignment to pair threats and vulnerabilities for the final risk table. Even if you think you understand the differences between threats and vulnerabilities, I suggest you watch the short video, Threats, Vulnerabilities, and Business Impact.
When you complete the final risk table, it is important to describe the risk in terms of the threats, vulnerabilities, and business impact as you would to a business manager. After all, that is who will be approving your recommendations. An example of what this might look like is shown in the attachment, below. I adjusted the table columns in the attached version of the template.