Beruflich Dokumente
Kultur Dokumente
Risk Assessment of
Cybersecurity Lab
Patrick Walker
Date: 11/13/2017
ITM 375- Information Security Standards,
Risk Management, and Compliance
University of Tampa Proprietary
Table of Contents
1. Executive Summary 4
2. Introduction 4
2.1. Purpose 4
2.2. Scope 5
2.3. Document Structure 5
3. Risk Assessment Approach/Methodology 6
3.1. Assessment Resources 6
3.2. Risk Assessment Execution 6
3.3. Assumptions and Constraints 6
4. Asset Summary 7
4.1. Personnel 8
4.2. Physical Assets 9
5. Threat Summary 10
6. Vulnerability Summary 12
7. Risk Assessment Results 12
7.1. Risk Analysis Methodology 12
7.2. Risks Identified 14
8. Risk Management Plan 17
8.1. Risk Response Strategies 17
9. Risk Assessment Matrix 18
The purpose of this report is to communicate the results of the risk assessment which includes a
summarization of the key risks identified and the recommendations for the areas upon which the organization
should be focused. Elements of risk are found in every organization; therefore, the organization should be
aware of the risks and be prepared to counter them if at all possible.
The risk assessment evaluates the use of resources and controls to eliminate and/or manage vulnerabilities
that are exploitable by threats internal and external to the University of Tampa. The scope of this risk
assessment effort was limited to the security controls applicable to the cybersecurity labs located in The
Maureen A. Daly Innovation and Collaboration Building. Throughout this risk assessment we conducted
research and interviews to get a better viewpoint of the Cybersecurity lab. An interview with Ryan Burcel the
lab coordinator, gave us more information about the assets of the lab and the security aspects implemented
within the lab. An analysis of the entire lab and the equipment within the lab was necessary to conduct a
successful assessment. Policies, goals and objectives set in place for the cybersecurity program and the
effects that they have on the lab were also equated with the report. The Cybersecurity Major Learning Goals
and Objectives, Physical Assets List, UT Cybersecurity Lab/Network Overview, and the Clear Desk
Standards were provided by the instructor also contributed to the assessment of risk for the lab. The
identified threats are outlined in section 5 of this report. The threats identified pose a risk to the school, the
lab network, and the data stored within the lab.
This risk assessment identified seven vulnerabilities that were present. A vulnerability is defined as a
weakness that may be exploited by a threat or group of threats. Additionally, four risks were identified and
associated with a vulnerability. Risk can be defined as the possibility of an adverse event affecting an
organizations assets. No high rated risks were identified, however, three were rated Moderate and one risk
was rated as Low. The major risks that were found include: open USB ports that can be exploited and also
workstations in both labs are susceptible to theft. A complete discussion of the risks can be found in Section
7 of this report.
Two recommendations were made to mitigate the major risks identified within this report. To mitigate the
open USB ports, it is recommended that the organization creates a group policy setting to prevent users from
installing the device drivers. Also, to mitigate the risk of equipment being stolen in the lab, it is recommended
that the administration install cameras in both labs. A complete discussion of the risk management plan can
be found in section 8 of this report.
2. Introduction
2.1. Purpose
The purpose of this document is to provide an overview of the process involved in performing a threat and
risk assessment. This document is created to identify and mitigate potential problems that may occur within
the University of Tampa Cybersecurity lab and within the entire program. This risk assessment evaluates
issues that could endanger the labs assets (e.g. students, equipment, etc.). The assessment also includes
and explores early risk identification through interviews, policy, and research. Throughout the assessment,
we analyzed external and internal threats/risk source and how they can have an effect on the Cybersecurity
lab. We defined the parameters in order to categorize, evaluate, and prioritize each risk and its
likelihood/impact on the lab.
The next step in the document (Section 4.1-4.2), the assets of the lab were identified (personnel & physical).
Provided in section 4.1 is a list of personnel that has a role in the overall operation of the lab and includes
their titles and duties. In section 4.2 is a breakdown of the physical assets (Hardware & Networking), as well
as a breakdown of the pricing of each physical asset. Table 4.4 identifies another important asset, the
students. Included in the table is a count of students in both the graduate and undergraduate program who
are majoring/minoring in cybersecurity.
Table 5.1 is a threat summary that identifies every possible threat and gives an explanation of how they are
threats to the labs. Table 5.2 shows the different type of threat sources and the classification (external or
internal), category (natural, environmental, or human), and the threat agents.
Section 6 is a summary of the vulnerabilities of the labs. After assessing all the risks, threats, and
vulnerabilities, section 7 gives the breakdown of the risk assessment results. Section 7.1 includes the risk
analysis methodology where the risks are classified into categories (high, moderate, or low) based on the
probability of an attack to occur and the impact it would have on the Cybersecurity lab. Table 7.1 shows the
probability percentage to probability score. Table 7.2 shows the risk rating matrix. Section 7.2 include tables
of identified risks that were paired with the identified vulnerability.
Section 8 is the Risk Management plan. Section 8.1 shows the risk response strategies with
recommendations how the administration can respond to the risks. Finally, in section 9, table 9.1, a risk
matrix, is provided including each identified risk, the vulnerability, threat, & risk. Additionally, the risk
summary, likelihood rating, impact rating, overall risk rating, and recommendations are included in the table.
An asset can be defined as an item or a collection of items that has quantitative and/or qualitative value to
the university. Tables 4.1 through 4.4 show the physical assets of the cybersecurity program. Identifying the
assets of the university plays an important role of the risk assessment. By identifying the assets of the lab,
the university is made aware of what to protect. Identifying assets can also be helpful in identifying
equipment that may be unbeknownst to the administration. For example, there may be a ghost server on
the network that hasnt been updated or patched, making it the Achilles heel in the network. Additionally, for
the purpose of the assessment, identifying the assets also allows us to recognize what assets will be
included in the assessment. All numbers are accurate to the best of our knowledge as of Fall 2017.
Table 4.3 summarizes the physical assets used to run the cybersecurity lab network with the asset valuation.
All assets are maintained by the lab coordinator, Ryan Burcel. It should be noted that I do not have access to
the exact price the university paid for the equipment, therefore, all prices are approximations.
29 202 11 242
* All numbers are current as of Fall 2017 from the Registrars office
5. Threat Summary
The purpose of the threat summary component of the risk assessment is to establish threats to UTs
cybersecurity lab. Table 5.2 contains possible, credible threats. A threat can be deemed credible if it has the
potential to exploit a vulnerability within the lab. The threats identified pose a risk to the school, the lab
network, and the data within the lab.
Hurricanes are a common occurrence in Florida. The lab, being built on the first floor, is
Hurricanes
vulnerable to flooding and wind damage.
Technical error Hardware and/or software could fail on equipment in the lab leaving the workstations useless.
A new administration could come into office and lower the budget for the NSF, a federal
New administration
agency that funds research and education in non-medical fields such as computer science.
Due to the doors in the lab not being fireproof, fire could spread into the lab. The fire itself or
Fire
extinguishing the fire could damage equipment in the lab.
Students can either intentionally or unintentionally, execute malicious software that could
Unauthorized use
damage the computers and/or the network by violating the schools policies. Additionally,
of computers or
students could steal equipment from the lab. Malicious hackers on the external environment,
equipment
could execute malicious software that could damage the computers and/or the network.
Key staff members could leave the university impacting the operation of the cybersecurity
Staff could leave
program.
Fire Internal Environmental Damage done to the lab from a fire or from
extinguishing the fire
A vulnerability can be defined as a weakness that could be exploited by a threat or group of threats. In order
to identify a list of vulnerabilities for the UT Cybersecurity lab, many characteristics had to be evaluated.
Some of the characteristics included possible weather in the area, types of possible natural occurrences, and
also the possibility of a problem occurring.
Turnover of staff - Staff has the ability to leave the school
Proximity to water - The school is very close to water in the event of a storm in the area
Physical Location - The school is located in Florida, which is known for hurricanes
Location of lab - The lab is located on the first floor contained with full glass walls on the exterior
Fire - Fire is a possibility due to the parking garage above and also the restaurant inside the building
Theft- Workstations are unlocked leaving them open to theft
USB Ports- USB ports are open
The purpose of this section is to classify risks into categories high, moderate, or low based on the probability
of an attack to occur and the impact the attack would have on the cybersecurity lab at UT. Risk can be
defined as the possibility of an adverse event affecting an organizations assets. Each occurrence of risk is
expressed as a correlation of the likeliness to occur and impact rating. The risk will then be assigned a rating
from 1- 25. The rating will allow UTs administration to rank the risks in order of severity and prioritize them
based on the severity.
The likelihood of a risk occurring is given a numerical value to represent the probability of a given threat is
capable of exploiting a given vulnerability. Initially, the likelihood is calculated based on percentage ranging
from .01-1.0. Once the percentage is assigned to the threat, it is classified into a likelihood score where .01-
.2 (Very Unlikely), .21-.40 (Unlikely), .41-60 (Possible), .61-.80 (Likely), and .81-1.0 (Very Likely). The
likelihood score ranges from 1-5 with 1 (low), 2 (unlikely), 3 (possible), 4 (likely), and 5 (very likely). This can
be summarized in table 7.1.
The risk impact represents the severity of impact to the organization and its stakeholders if the risk is
exploited. The impact score ranges from 1 (Negatable), 2 (Low), 3 (Moderate), 4 (Significant), and 5
(Severe). The overall risk rating is calculated by multiplying the risk impact and risk likelihood then given a
score from 1-25; 1-5(Low), 6-15 (Moderate), and 16-25 (High). Table 7.3 gives a description of each of the
risk ratings. It should be noted that determination of the probability and impact are subjective and were
estimated to the best of our knowledge. Table 7.2 summarizes the risk matrix.
High The loss of confidentiality, integrity, or availability could have a catastrophic, adverse effect
on lab operations, lab assets, or individuals.
Moderate The loss of confidentiality, integrity, or availability could have a severe, adverse effect on lab
operations, lab assets, or individuals.
Low The loss of confidentiality, integrity, or availability could have limited, adverse effect on lab
operations, lab assets, or individuals.
The following tables identified risks that were identified paired with the identified vulnerability. The tables also
show what assets are affected by the risks, the source of the threat, what controls are in place, the impact to
the organization, the likelihood of occurrence, and the calculated risk rating,
Reference N/A
Impact 5 A USB can be plugged into a machine to run exploits such as USB Kill overheating
the motherboard of the workstation. This can have catastrophic effect on a single
machine but a relatively low impact on the lab being that the network is segmented.
Vulnerability The classroom and lab are built on the first floor with many windows where it can be
damaged from a flying object or flood
Impact 3 Damage by a hurricane can have a moderate impact on the ability to use the
classroom.
Likelihood 3 Existing controls provide a reasonable level of protection and it is not likely that a
major hurricane will hit the area that will cause damage beyond the controls in place.
Reference N/A
Existing Controls Students sign an agreement for terms of use of lab equipment, networking equipment
and server are locked in a closet.
Impact 3 With workstations stolen, students will be unable to utilize the lab.
Likelihood 2- It is fairly unlikely that equipment will be stolen. Controls are in place such as the lab
being locked and an employee is to be present when students are in the lab.
Reference NFPA-75
Impact 5 A fire and/or suppression system could destroy electrical equipment in the lab. This
can have a reasonable impact on the ability to use the lab for classroom instruction.
Likelihood 1 It is possible, but not highly likely that a fire will occur in the lab.
Risks are prioritized by the appropriate risk rating determined by the risks composite score. Risks are then
prioritized by their respective composite score and arranged in descending order. Recommendations are
based off the interview we had with the lab coordinator, Ryan, and financial feasibility.
The Risk Assessment Matrix shown in Table 9.1 serves as the basis for the official report in documenting the
risk assessment results. The risk assessment matrix helps key faculty members make informed decisions on
policy, procedural, budget, and system operational changes.
1 Desktop Unauthorized Compromise A USB can be Unlikely Severe Moderate It is recommended that UT avoid
workstation use of confidentiality, plugged into a this risk by creating a group
USB ports are computers or integrity, and machine to run policy setting that prevents users
from installing the device drivers.
open equipment availability of exploits such as
Additionally, the setting that
machine USB Kill allows the administrator to
overheating the override the various settings that
motherboard of the prohibit device driver installation
workstation. should be employed. This will
allow to administer to use a USB
storage device on a workstation
for maintenance purposes.
4 Computer Fire Compromise Fire would activate Very Severe Low None. Replacing the wet pipe
equipment is availability of lab sprinkler system Unlikely extinguishing system has been
susceptible to causing water determined cost prohibitive.
damage damage & Therefore, it is recommended
caused by fire compromising the that UT accept this risk.
and/or water availability of the
lab.