Unit 4 Homework (SEC 4302, Information Systems, Columbia Southern University, Dec 6, 2023)
Running head: ASSESSMENT DISCLOSURE
1
IT Assessment Disclosure
Brian Jones
Columbia Southern University
IT Assessment Disclosure
Lab 4.1a
After reviewing the article, several key points in each of the listed sections caught my
attention.
Vulnerability Life Cycle – The relevant point pertaining to the life cycle of a vulnerability
is the death stage. Death of a vulnerability can occur in a number of ways. For example, an
older system can be retired and replaced with newer, more secure technology. Also, the
exploit may simply no longer hold the attention of an attacker.
Nondisclosure – As a practice, when it pertains to threats and vulnerabilities,
nondisclosure has a great number of drawbacks. Some individuals believe that by
keeping news of a known vulnerability quiet, they can create a defense or fix for the
vulnerability without alarming anyone. This is a potential problem for a few reasons.
First, there is no guarantee that the information can be contained. Second, while a fix is
being worked on in secret, the vulnerability may evolve well past what was initially found.
Full disclosure – Acting as a polar opposite to nondisclosure, full disclosure champions
letting as many entities as possible know about found vulnerabilities. Advocates of this
method state that if the information is made public, more entities can protect themselves
faster and avoid attacks.
Limited disclosure – As is the case with nondisclosure, limited disclosure faces some of
the same issues. Companies that attempt to find a patch or a fix for a known vulnerability
will not release full technical details until they have successfully fixed the problem. The
problem with that model is that the vulnerability may have already damaged or crippled
systems by then, and much data may have already been lost or stolen.
Responsible disclosure – Responsible disclosure can be viewed as a mix of full disclosure
and nondisclosure. A vulnerability is found, and while the full details may not be made
public, the information is shared. The main focus of responsible disclosure is ongoing
communication between those who have information to protect and those who are
attempting to fix the vulnerability.
Existing policies and proposals – While most remain divided on which method of
disclosure is best, there are at least five methods that take different approaches to
fulfilling the need for information to be shared, each with its own merits and drawbacks
(Shephard, 2003).
Lab 4.1b
The document that was reviewed for this section offers very detailed information
regarding the various attacks, threats, and vulnerabilities that individuals and companies face
every day.
Threat activity trends – Most threats listed in the document were centered around spam
zombies. The document details how this type of threat uses broadband internet
connections to remotely take over a machine and use it to send large volumes of spam email,
which can contain malicious code.
Vulnerability trends – A major vulnerability that is discussed in the document is Industrial
Control System (ICS) vulnerability. ICSs are most commonly used in industries such as
water, gas, and oil. Since these industries deal directly with critical infrastructure,
vulnerabilities are a major issue. Vulnerabilities within these industries can present a huge
target for politically or environmentally focused attacks.
Spam and fraud activity trends – Activities related to spam and phishing seem to focus
more on small to medium sized businesses as opposed to larger ones. The reason is
that most smaller businesses do not have security measures as robust as larger companies
and are therefore easier to attack (Symantec, 2016).
Lab 4.1c
Compliance is, by definition, the act of remaining within a set order of boundaries, laws,
and guidelines. By periodically conducting assessments of the strength of IT security, an entity,
individual, or corporation can drastically increase its chances of remaining in compliance.
Certain compliance laws, such as PCI and HIPAA, are extremely specific when it comes to how
data and information are protected. By conducting security and/or threat assessments, a system
can be fortified if needed (Hashmi et al., 2018).
Lab 4.2
In summation, the seven domains of IT infrastructure are an interwoven web of
individuals, machines, and connections (Weiss & Solomon, 2016). Many of the tools that are
used (e.g., the internet) are a huge benefit, but also carry risk. How that risk is handled plays a
vital part in remaining in compliance. Without periodic tests and assessments of the system,
vulnerabilities could go undetected until it is too late. Assessments that run across all seven
domains of the infrastructure will also help to ensure that one or more aspects are not overlooked
and do not become an even bigger risk.
References
Hashmi, M., Governatori, G., Lam, H.-P., & Wynn, M. T. (2018). Are we done with business process compliance: State of the art and challenges ahead. Knowledge & Information Systems, 57(1), 79–133. https://doi-org.libraryresources.columbiasouthern.edu/10.1007/s10115-017-1142-1
Shephard, S. (2003, April 22). How do we define responsible disclosure? Retrieved from https://www.sans.org/reading-room/whitepapers/threats/define-responsible-disclosure-932
Symantec. (2016). Internet security threat report. Retrieved from https://www.insight.com/content/dam/insight-web/en_US/pdfs/symantec/istr-21-2016-government-en.pdf
Weiss, M. M., & Solomon, M. G. (2016). Auditing IT infrastructures for compliance (2nd ed.). Burlington, MA: Jones & Bartlett Learning.