Aligning an IT Security Assessment—Risks, Threats, and Vulnerability— to Achieve Compliance

March 16, 2024March 16, 2024 Discipline: Computer science
Introduction 
In general, security assessments are more technical, more focused, and, in the case of penetration testing, more targeted than an audit. Comparatively speaking, the auditor takes the broader, 
holistic view. Nevertheless, an auditor still needs to gather reliable and relevant evidence to measure compliance. What happens when the auditor lacks the technical skills to gather that 
evidence? An auditor can employ other experts, given proper permission, to conduct testing, such as a security assessment.  If that is the  case, it is important that the assessment is 
aligned with the audit’s objectives. 
In this homework assignment, you will review the vulnerability life cycle and explain the different types of disclosure to mitigate different risk factors. You will identify the risks that attacks, vulnerabilities, malicious code phishing, underground economies, and spam have on organizations. You will look at the risks caused by zero-day vulnerabilities, HTTP client versus server-side attacks, malicious JavaScript, PHP Remote File Include, botnets, and PDF attacks on organizations. You will also look at the practices of vulnerability management to prevent threats from old or 
previously performed attacks on known vulnerabilities within the seven domains of a typical IT infrastructure. 
Learning Objectives 
Upon completing this homework assignment, you will be able to:
  • Review the vulnerability life cycle and explain the different types of disclosure to mitigate different risk factors, such as nondisclosure, full disclosure, limited disclosure, and responsible disclosure.
  • Identify the risks that attacks, vulnerabilities, malicious code phishing, underground economies, and spam have for organizations.
  • Mitigate the risks caused by zero-day vulnerabilities, HTTP client versus server-side attacks, malicious JavaScript, PHP Remote File Include, botnets, and PDF attacks on organizations.
  • Align best practices in vulnerability management to prevent threats from old or previously performed attacks on known vulnerabilities within the seven domains of a typical IT infrastructure.
  • Draft an executive summary explaining how security assessments performed on the seven domains of a typical IT infrastructure can be used to help achieve compliance for an organization.

Hands-On Steps
  1. Review the following scenario:
    Your organization is a governmental agency that serves a vital role in homeland security functions.  In fact, your hiring took longer than you would have liked because it seemed 
    as though the organization’s managers wanted to know a lot about you before they gave you clearance to work. After a year  at the job, your manager feels  your progress has come 
    a long way, so she is  giving you more responsibility and has asked  you to analyze the benefits of reporting risks, threats, and vulnerabilities in an  IT  assessment that is under 
    way. Your manager  would like for you to conduct  research and  report  your  findings about the type of vulnerabilities that require disclosure and when it are lawful or unlawful 
    to conceal information produced by vulnerability assessments. She would also like for you to include some trends on current security threats and the  types of  responsible 
    disclosure being performed by other organizations.
  2. On your local computer, open a new Internet browser window.
  3. In the address box of your Internet browser, type the URL http://www.sans.org and press Enter to open the Web site.
  4. In the Custom Search box on the Web page’s upper right corner, search for “How do we define responsible disclosure?”
  5. On the search results page, click on the top link labeled “How do we define responsible disclosure?” to open the PDF article. Read about the following topics:
    1. Vulnerability Life Cycle
    2. Types of Disclosure
    3. Nondisclosure
    4. Full Disclosure
    5. Limited Disclosure
    6. Responsible Disclosure
    7. Existing Policies and Proposals
Note: When reading through the different types of disclosure, consider how the consequences differ from type to type. For example, a company’s nondisclosure policy about a vulnerability means little-to-no public knowledge. The consequence might mean the black hat  (hacker) community has limited or no knowledge of the vulnerability. Consider also how a company’s reputation changes as it handles disclosure. And lastly, consider how too much or too little disclosure can jeopardize a company’s ability to manage vulnerabilities. 
  1. In  the address box of your Internet browser,   type  the URL https://docs.broadcom.com/doc/istr-14-april-volume-19-en and   press Enter  to  open  the document “Internet 
    Security Threat Report”.
  2. Review the Highlights section of the document that discusses the main concepts in each section. Then, review the following topics in the document:
    1. Executive Summary
    2. 2014 in Numbers
    3. Targeted  Attacks
    4. Appendix
Note: The “Internet Security Threat Report” contains several items that discuss zero-day vulnerabilities. As the name “zero-day” suggests, you have little lead time to be proactive. Even so, you can go on the offense by properly managing your company’s assets and possibly subscribing to an alerting service.
  1. In the address box of your Internet browser, type the URL http://www.zerodayinitiative.com/ and press Enter to open the Web site.
  2. Review the site to understand the purpose of this initiative.
  3. Research other available resources (Internet resources, your textbook, and so on) to validate how performing periodic security assessments throughout the seven domains of a 
    typical IT infrastructure can help an organization achieve compliance.
Overview
In this homework assignment, you reviewed the vulnerability life cycle and explained the different types of disclosure to mitigate different risk factors. You identified risks that attacks, vulnerabilities, malicious code phishing, underground economies, and spam have on organizations. You looked at the risks caused by zero-day vulnerabilities, HTTP client versus server-side attacks, malicious JavaScript, PHP remote file inclusion, botnets, and PDF attacks on organizations. You also looked at the practices of vulnerability management to prevent threats from old or previously performed attacks on known vulnerabilities within the seven domains of a typical IT infrastructure.
Please answer the following questions:
  1. What is a PHP Remote File Include (RFI) attack, and why are these prevalent in today’s Internet world?
  2. What country is the top host of Structured Query Language (SQL) injection and SQL Slammer infections? Why can’t the U.S. government do anything to prevent these injection attacks and infections?
  3. What does it mean to have a policy of nondisclosure in an organization?
  4. What is phishing? Describe what a typical phishing attack attempts to accomplish.
  5. What is the Zero Day Initiative? Do you think this is valuable, and would you participate if you were the managing partner of a large firm?
  6. What is a Server Side Include (SSI)? What are the ramifications if an SSI exploit is successful?
  7. What is a zero-day attack, and how does this relate to an organization’s vulnerability window?
  8. How can you mitigate the risk of users and employees clicking on an embedded URL link or e-mail attachment from unknown sources?
  9. When auditing an organization for compliance, what role do IT security policies and an IT security policy framework play in the compliance audit?
  10. When performing a security assessment, why is it a good idea to examine compliance in separate compartments, such as the seven domains of a typical IT infrastructure?
  11. True or false: Auditing for compliance and performing security assessments to achieve compliance require a checklist of compliance requirements.

Ace Your Assignments! 🏆 - Hire a Professional Essay Writer Now!

Why Choose Our Essay Writing Service?

  • ✅ Original writing: Our expert writers will write each paper from scratch, ensuring complete originality, zero plagiarism and AI free content.
  • ✅ Expert Writers: Our seasoned professionals are ready to deliver top-quality papers tailored to your needs.
  • ✅ Guaranteed Good Grades: Impress your professors with outstanding work.
  • ✅ Fast Turnaround: Need it urgently? We've got you covered!
  • ✅ 100% Confidentiality: Customer privacy is our number one priority. Your identity is anonymous to our writers.
🎓 Why wait? Let us help you succeed! Our Writers are waiting..

Get started

Starts at $9 /page

Login Register Reset

How our paper writing service works

It's very simple!

  • Fill out the order form

    Complete the order form by providing as much information as possible, and then click the submit button.

  • Choose writer

    Select your preferred writer for the project, or let us assign the best writer for you.

  • Add funds

    Allocate funds to your wallet. You can release these funds to the writer incrementally, after each section is completed and meets your expected quality.

  • Ready

    Download the finished work. Review the paper and request free edits if needed. Optionally, rate the writer and leave a review.

Place order now