IT 549 Scenario Assignment Module Six Guidelines and Rubric
Overview
For the Module Six assignment, you will assume an IT consultant role performing a risk assessment. As a consultant, your role is to evaluate an organization's security posture. Once the organization's security risk posture has been analyzed, you will use the analysis to provide insight into the likelihood of specific threats occurring. Skills gained from this assignment are beneficial for the final stages of the information assurance plan.
Directions
Review the prompts and provide your responses in a Microsoft Word document. In answering each prompt, be sure to defend your answers and explain how you have come to your solution. Use research-based evidence to support your responses.
Specifically, you must address the following rubric criteria:
- In your consultant risk assessment role, you receive from the organization a List of Possible Threats and Vulnerabilities that is provided in the Supporting Materials section. You are asked to provide qualitative and quantitative data to measure the likelihood that any of the identified threats will occur to the client's information assets.
- Conduct research and describe resources you found that might provide insight into determining the likelihood that the threats would occur.
- Specify a trend in resources that might indicate a specific industry is particularly involved in gathering this kind of data.
- In the submission, evaluate any trends identified in your review of the provided threats and vulnerabilities.
What to Submit
Your responses for each prompt must be submitted as two to three paragraphs and as a Microsoft Word document with double spacing, 12-point Times New Roman font, one-inch margins, and at least three sources cited in APA format.
Supporting Materials
The following resource supports your work on this assignment:
Resource:
IT 549 List of Possible Threats and Vulnerabilities
Spoofing is attempting to gain access to a system by using a false identity. This can be accomplished using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.
Tampering is the unauthorized modification of data, for example, as it flows over a network between two computers.
Repudiation is the ability of users, legitimate or otherwise, to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.
Information disclosure is the unwanted exposure of private data. Examples include users viewing the contents of a table or file that they are not authorized to open, or users monitoring data passed in plain text over a network. Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in webpages that contain database connection strings and connection details, and weak exception handling that can lead to internal system-level details being revealed to the client. Any of this information can be very useful to the attacker.
Denial of service is the process of making a system or application unavailable. For example, a denial of service attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process.
Elevation of privilege occurs when users with limited privileges assume the identity of a privileged user to gain privileged access to an application. For example, attackers with limited privileges might elevate their privilege level to compromise and take control of a highly privileged and trusted process or account.
Use the List of Possible Threats and Vulnerabilities to respond to the prompts.
Scenario Assignment Module Six Rubric
| Criteria | Exceeds Expectations (100%) | Meets Expectations (85%) | Partially Meets Expectations (55%) | Does Not Meet Expectations (0%) | Value |
| --- | --- | --- | --- | --- | --- |
| Qualitative and Quantitative Data | Exceeds expectations and the qualitative and quantitative data is substantiated with research-based evidence | Provides qualitative and quantitative data to measure the likelihood that any of these threats will actually occur | Attempts to provide qualitative and quantitative data; however, the data requires more substantial evidence to prove the likeliness of the threats occurring or not | Does not provide any qualitative and quantitative data | 20 |
| Insight | Exceeds expectations and explanation uses content-based vocabulary and research-based evidence to support the answer | Explains and provides insight into measuring the likelihood that some of the threats would occur | Provides insight into measuring the likelihood that some of the threats would occur but does not explain the likelihood of the threats | Does not provide insight into measuring the likelihood that some of the threats would occur | 20 |
| Trend in Resources | Exceeds expectations and the trend that is identified is substantiated with research-based evidence | Specifies a trend in resources that might indicate a specific industry is particularly involved in gathering this kind of data | Specifies a trend in resources that might indicate a specific industry is particularly involved in gathering the data but does not use content-based vocabulary to support the conclusion | Does not specify a trend in resources | 20 |
| Evaluation | Exceeds expectations and the evaluation uses content-based vocabulary and research-based evidence to support the answer | Evaluates trends identified in the review of the provided threats and vulnerabilities and provides an explanation | Evaluates trends identified in the review of the provided threats and vulnerabilities but does not explain the evaluation | Does not evaluate trends identified in the review of the provided threats and vulnerabilities | 20 |
| Clear Communication | Exceeds expectations with an intentional use of language that promotes a thorough understanding | Consistently and effectively communicates in an organized way to a specific audience | Shows progress toward meeting expectations, but communication is inconsistent or ineffective in a way that negatively impacts understanding | Shows no evidence of consistent, effective, or organized communication | 20 |
| Total: | | | | | 100% |
