RISK ASSESSMENT REPORT (RAR)

CyberSec Cloud Enterprises


Cloud Web Database Application


<Your Name>

COP 610 Risk Assessment Project 1

1. System Description

<Describe the system here from the information you were provided. Note that you don't really know more than what was described in the scenario.>

The scope of this risk assessment is focused on the system’s use of resources and controls to mitigate vulnerabilities exploitable by threat agents (internal and external) identified during the RMF control selection process, based on the system’s categorization.

This initial assessment will be a Tier 3 or “information system level” risk assessment. While not entirely comprehensive of all threats and vulnerabilities to the IS, this assessment will include any known risks related to the incomplete or inadequate implementation of the NIST SP 800-53 controls selected for this system. This document will be updated after certification testing to include any vulnerabilities or observations by the independent assessment team. Data collected during this assessment may be used to support higher level risk assessments at the mission/business or organization level.

This initial risk assessment was conducted using the guidelines outlined in the NIST SP 800-30, Guide for Conducting Risk Assessments. Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and consequences/impact to mission.

The following table is provided as a list of sample threat sources. Use this table to determine relevant threats to the system.

To complete this table, look closely at the broad threat categories listed in the scenario of the project. There are three categories of threats listed including technological threats, physical and environmental threats, and organizational/people threats. Compare the examples listed in the scenario to the type of threat listed in Table D-2 of the NIST Guide to Risk Assessment document and list the type of threat and description in the table below based on the scenario.

For example, user/operator errors in the scenario would most likely map to Accidental for both regular and privileged users. So this Accidental row would be one of the threat sources in Table 1. The first row is completed. You should fill in the remaining threat sources based on the scenario and this process. Add rows as needed to the table.

Table 1: Threat Sources

TYPE OF THREAT SOURCE | DESCRIPTION
--- | ---
ACCIDENTAL – User – Privileged User/Administrator | Erroneous actions taken by individuals in the course of executing their everyday responsibilities.
 | 
 | 
 | 
 | 

The following tables from the NIST SP 800-30 were used to assign values to likelihood, impact, and risk:

Table 2: Assessment Scale – Likelihood of Threat Event Initiation (Adversarial)

Qualitative Values | Semi-Quantitative Values | | Description
--- | --- | --- | ---
Very High | 96-100 | 10 | Adversary is almost certain to initiate the threat event.
High | 80-95 | 8 | Adversary is highly likely to initiate the threat event.
Moderate | 21-79 | 5 | Adversary is somewhat likely to initiate the threat event.
Low | 5-20 | 2 | Adversary is unlikely to initiate the threat event.
Very Low | 0-4 | 0 | Adversary is highly unlikely to initiate the threat event.

Table 3: Assessment Scale – Likelihood of Threat Event Occurrence (Non-adversarial)

Qualitative Values | Semi-Quantitative Values | | Description
--- | --- | --- | ---
Very High | 96-100 | 10 | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times per year.
High | 80-95 | 8 | Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times per year.
Moderate | 21-79 | 5 | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times per year.
Low | 5-20 | 2 | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low | 0-4 | 0 | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.

Table 4: Assessment Scale – Impact of Threat Events

Qualitative Values | Semi-Quantitative Values | | Description
--- | --- | --- | ---
Very High | 96-100 | 10 | The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High | 80-95 | 8 | The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Moderate | 21-79 | 5 | The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Low | 5-20 | 2 | The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Very Low | 0-4 | 0 | The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

Table 5: Assessment Scale – Level of Risk

Qualitative Values | Semi-Quantitative Values | | Description
--- | --- | --- | ---
Very High | 96-100 | 10 | Threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High | 80-95 | 8 | Threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Moderate | 21-79 | 5 | Threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Low | 5-20 | 2 | Threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Very Low | 0-4 | 0 | Threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

Table 6: Assessment Scale – Level of Risk (Combination of Likelihood and Impact)

Likelihood (That Occurrence Results in Adverse Impact) | Impact: Very Low | Impact: Low | Impact: Moderate | Impact: High | Impact: Very High
--- | --- | --- | --- | --- | ---
Very High | Very Low | Low | Moderate | High | Very High
High | Very Low | Low | Moderate | High | Very High
Moderate | Very Low | Low | Moderate | Moderate | High
Low | Very Low | Low | Low | Low | Moderate
Very Low | Very Low | Very Low | Very Low | Low | Low

Determine relevant threats to the IS. List the risks to the IS in the Risk Assessment Results table below and detail the relevant mitigating factors and controls. Refer to NIST SP 800-30 for further guidance, examples, and suggestions.

Table 7. Risk Assessment Results

Threat Event | Vulnerabilities / Predisposing Characteristics | Mitigating Factors | Likelihood (Table 2 or 3) | Impact (Table 4) | Risk (Tables 5 & 6)
--- | --- | --- | --- | --- | ---
Hurricane | Power Outage | Backup generators | Moderate | Low | Low
 | | | | | 
 | | | | | 
 | | | | | 
 | | | | | 

* Likelihood / Impact / Risk = Very High, High, Moderate, Low, or Very Low

Explain how the Risk value was determined for each row in Table 7. Be sure to state any assumptions you made and any other resources you used to determine the Likelihood and Impact values.

<Your row by row explanations here>

Appendix A – Reconnaissance of CATIMES.COM

The following table lists the contact information available on CATIMES.com for the publisher, editor and senior web designer.

Table 1. CyberApolis CATIMES.COM Employee Identity Information

Title | First name | Last name | Phone | Email
--- | --- | --- | --- | ---
Publisher | | | | 
Editor | | | | 
Senior Web Designer | | | | 

Appendix B – Zenmap Scanning Results

Answer the following questions related to the Zenmap scan results of catimes.com.

  1. What is the IP address of catimes.com?

Appendix C – OWASP ZAP Scanning Results

Review the ZAP output and answer the following questions:

  1. How many alerts were found?

Table 1. ZAP Alerts, Risks, Descriptions and Solutions

Alert Name | Risk | Description | Solution
--- | --- | --- | ---