Unit4casestudy
docx
keyboard_arrow_up
School
Columbia Southern University *
*We aren’t endorsed by this school
Course
4320
Subject
Information Systems
Date
Dec 6, 2023
Type
docx
Pages
6
Uploaded by briandjones127
Running head: UNIT IV CASE STUDY
1
Unit IV Case Study
Brian Jones
Columbia Southern University
UNIT IV CASE STUDY
2
Unit IV Case Study – Likelihood of Occurrence and Impact
Vulnerabilities are often viewed as a commonplace item in the process of doing business.
Some of these vulnerabilities can be prevented or at least controlled and performing a risk
assessment is a good way to identify these vulnerabilities. One challenging aspect of a risk
assessment is addressing the likelihood of occurrence and the impact of the occurrence.
Likelihood of occurrence is assessed by determining if a threat can exploit the vulnerability or
set of vulnerabilities. These threats are divided into two subsets, adversarial and non-adversarial.
Adversarial threats are those that are launched or initiated by an attacker. Non-adversarial threats
are those which occur such as a natural disaster or unintentional human error. Given the fact that
the threat will be successful in exploiting the vulnerability, the impact to the system or operations
can then be calculated (Santos, 2019).
Threat Sources
Adversarial Threat
As stated above, an adversarial threat is launched or initiated with the goal of
intentionally causing harm or disruption. Most people would consider this to be classified as an
attack. One issue facing most organizations or companies is the disgruntled employee. Often,
these individuals feel slighted by their company, or may have been terminated for a variety of
reasons. Unfortunately, they have access to the system and may use that access to attack.
Non-adversarial Threat
Non-adversarial threats can be viewed as a wild card when assessing vulnerabilities and
the threats that can exploit them. They are unintentional actions or natural disasters. These
threats are extremely hard to plan for and can literally happen with little to no warning. While
UNIT IV CASE STUDY
3
these threats may not be carried out with malicious intent, they can still cause major disruptions
to operations.
Discussion
Adversarial Threat
The threat, in this case, is unauthorized access to the system. The source of this threat is a
disgruntled employee who has malicious intent toward the company or organization. The
employee may feel slighted by the company or may have been terminated for any number of
reasons. This threat is adversarial as the intention is to take revenge on the company. Governance
would help mitigating this threat by having a clear process outlined as to the best way handle the
removal of an employee’s credentials from the system, thereby eliminating the employee’s
access to the system. The vulnerability in question is based upon how much data the employee
had access to. If the employee had access to network settings or configuration, the damage that
could be done could be catastrophic. As stated by Talamantes (n.d.),” A network engineer for oil
and gas company EnerVest found out he was going to be fired and sabotaged the company’s
systems by returning them to original factory settings.”. How successful the attack is depends on
how fast the employee’s access is removed. One issue with this scenario is the missing
communication between IT and human resources. An employee may have been terminated for
some time before the IT department is notified to remove credentials and login information
(Rayome, 2017). If the threat is successful, the damage done could be untold. The employee has
at least a basic knowledge of the system and may have access to critical information. The
resulting breach of data could lead to stiff penalties for the company if a law such as HIPAA is
violated. At the very least, the attack could lead a loss of confidence in the company which will
lead to loss of revenue.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
UNIT IV CASE STUDY
4
Non-adversarial Threat
One major non-adversarial threat is the natural disaster. Threats associated with naturals
disasters include loss of power, destruction of physical location, and loss of personnel.
Dependent upon what area of the world your company or organization resides in, the source of
the threat could be a multitude of natural disasters that could affect operations. In the
Southeastern United States, there is a high occurrence rate of hurricanes yearly. When a
hurricane hits, power could be knocked out for days on end. Buildings and other structures may
be heavily damaged or destroyed. Employees and other personnel could be cut off from their
jobs, injured, or worst of all, killed. The likelihood of one of these threats occurring and
succeeding is based on the severity of the storm. Using historical data, a company can make an
estimation on how severely they will be affected by the storm based on storm strength. A
significantly strong storm will most likely disrupt power for several days at a minimum.
Governance can help to overcome a threat of this variety by having a plan in place for storm
response. Another best practice is to have as complete a back up of all systems as possible to be
used if the system needs to be rebuilt in the case of property damage or destruction. Another
avenue that could be explored would be the creation of an alternate warm site to cut down on
time lost if the primary facility is damaged or destroyed.
Combination of Threats
While both adversarial and non-adversarial threats can have far reaching consequences,
there have been instances of individuals being hit with both types of attacks almost at once. As
reported by Freed (2018), after Hurricane Florence hit the Eastern half of North Carolina there
were a large number of individuals who lost almost everything. To make matters worse, around
24 hours after the event, those same individuals began to receive emails, texts, and phone calls
UNIT IV CASE STUDY
5
offering relief funds. The caller or email sender would ask for the individuals to provide personal
information. Unfortunately, this was a scam designed to dupe those individuals out of their credit
card and banking information.
Answering Questions
One individual very rarely conducts these types of assessments alone. It takes an entire
team of people to gather the data, research historical evidence, and formulate the information
into a viable report. If the need arises to host a workshop or meeting to address the topics
covered here, it would be wise to include other members of the team who have experience with
the data being presented. By having been exposed to the data in question, all members of the
team would have a broad overview of the material, more importantly they would have
experience with specific area that they themselves took part in. Therefore, the team as whole,
would be able to handle any question posed to them.
Conclusion
In conclusion, it is a given that vulnerabilities and threats exist. The risk that comes along
with a vulnerability being exploited by a threat is also a given. However, there are steps that can
be taken to prevent or mitigate these instances. By having firm controls in place and policies to
support them, most of these threats can be dealt with. Even such threats as the ones listed above,
which can often blindside a system, can be at least managed.
References
UNIT IV CASE STUDY
6
Freed, B. (2018, September 14). Natural disasters bring cyberthreats small and large. Retrieved
from https://statescoop.com/natural-disasters-bring-cyberthreats-small-and-large/
Rayome, A. (2017, August 2). Why ex-employees may be your company's biggest cyberthreat.
Retrieved from https://www.techrepublic.com/article/why-ex-employees-may-be-your-
companys-biggest-cyberthreat/
Santos, O. (2019).
Developing cybersecurity programs and policies
(3rd ed.). Upper Saddle
River, NJ: Pearson
Talamantes, J. (n.d.). Danger in your ranks: 7 times employees caused damaging data breaches.
Retrieved from https://www.redteamsecure.com/blog/danger-ranks-7-times-employees-
caused-data-breaches/
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help