{"id":15497,"date":"2024-03-16T00:24:00","date_gmt":"2024-03-16T00:24:00","guid":{"rendered":"https:\/\/www.writemyessays.app\/blog\/questions\/aligning-an-it-security-assessment-risks-threats-and-vulnerability-to-achieve-compliance\/"},"modified":"2024-03-16T00:24:00","modified_gmt":"2024-03-16T00:24:00","slug":"aligning-an-it-security-assessment-risks-threats-and-vulnerability-to-achieve-compliance","status":"publish","type":"questions","link":"https:\/\/www.writemyessays.app\/blog\/questions\/aligning-an-it-security-assessment-risks-threats-and-vulnerability-to-achieve-compliance\/","title":{"rendered":"Aligning an IT Security Assessment\u2014Risks, Threats, and Vulnerability\u2014to Achieve Compliance"},"content":{"rendered":"<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\"><strong style=\"font-weight: bold; font-size: 13.3333px; cursor: auto; color: inherit;\">Introduction<\/strong><\/div>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\">In general, security assessments are more technical, more focused, and, in the case of penetration testing, more targeted than an audit. Comparatively speaking, the auditor takes the broader, holistic view. Nevertheless, an auditor still needs to gather reliable and relevant evidence to measure compliance. What happens when the auditor lacks the technical skills to gather that evidence? An auditor can engage other experts, given written authorization and an agreed scope, to conduct testing such as a security assessment. If that is the case, it is important that the assessment is aligned with the audit\u2019s objectives, so that its findings map to the controls the audit is measuring.<br style=\"cursor: auto; color: inherit;\">In this homework assignment, you will review the vulnerability life cycle and explain how the different types of disclosure mitigate different risk factors. 
You will identify the risks that attacks, vulnerabilities, malicious code, phishing, underground economies, and spam pose to organizations. You will look at the risks caused by zero-day vulnerabilities, HTTP client-side versus server-side attacks, malicious JavaScript, PHP Remote File Include, botnets, and PDF attacks on organizations. You will also look at vulnerability management practices that prevent known, previously exploited vulnerabilities from being attacked again within the seven domains of a typical IT infrastructure.<\/div>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\"><strong style=\"font-weight: bold; font-size: 13.3333px; cursor: auto; color: inherit;\">Learning Objectives<\/strong><\/div>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\">Upon completing this homework assignment, you will be able to:<\/div>\n<ul style=\"margin-top: 1em; margin-right: 0px; margin-left: 0px; padding: 0px 0px 0px 40px; font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Review the vulnerability life cycle and explain how the different types of disclosure (nondisclosure, full disclosure, limited disclosure, and responsible disclosure) mitigate different risk factors.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Identify the risks that attacks, vulnerabilities, malicious code, phishing, underground economies, and spam pose to organizations.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Mitigate the risks caused by zero-day vulnerabilities, HTTP client-side versus server-side attacks, malicious JavaScript, PHP Remote File Include, botnets, and PDF attacks on organizations.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: 
inherit;\">Align best practices in vulnerability management to prevent known, previously exploited vulnerabilities from being attacked again within the seven domains of a typical IT infrastructure.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Draft an executive summary explaining how security assessments performed on the seven domains of a typical IT infrastructure can be used to help achieve compliance for an organization.<\/li>\n<\/ul>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\"><strong style=\"font-weight: bold; font-size: 13.3333px; cursor: auto; color: inherit;\">Hands-On Steps<\/strong><\/div>\n<ol style=\"margin-top: 1em; margin-right: 0px; margin-left: 0px; padding: 0px 0px 0px 40px; font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Review the following scenario:<br style=\"cursor: auto; color: inherit;\">Your organization is a governmental agency that serves a vital role in homeland security functions. In fact, your hiring took longer than you would have liked because it seemed as though the organization\u2019s managers wanted to know a lot about you before they gave you clearance to work. After a year at the job, your manager feels your progress has come a long way, so she is giving you more responsibility and has asked you to analyze the benefits of reporting risks, threats, and vulnerabilities in an IT assessment that is under way. 
Your manager would like you to conduct research and report your findings about the types of vulnerabilities that require disclosure and when it is lawful or unlawful to conceal information produced by vulnerability assessments. She would also like you to include some trends in current security threats and the types of responsible disclosure being performed by other organizations.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">On your local computer, open a new Internet browser window.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">In the address box of your Internet browser, type the URL<span style=\"cursor: auto; color: inherit;\">&nbsp;<\/span><a style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto;\">http:\/\/www.sans.org<\/a>&nbsp;and press Enter to open the Web site.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">In the Custom Search box in the Web page\u2019s upper right corner, search for \u201cHow do we define responsible disclosure?\u201d<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">On the search results page, click the top link labeled \u201cHow do we define responsible disclosure?\u201d to open the PDF article. 
Read about the following topics:\n<ol style=\"padding: 0px 0px 0px 40px; font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Vulnerability Life Cycle<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Types of Disclosure<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Nondisclosure<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Full Disclosure<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Limited Disclosure<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Responsible Disclosure<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Existing Policies and Proposals<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\"><strong style=\"font-weight: bold; font-size: 13.3333px; cursor: auto; color: inherit;\">Note:<span style=\"cursor: auto; color: inherit;\">&nbsp;<\/span><\/strong>When reading through the different types of disclosure, consider how the consequences differ from type to type. For example, a company\u2019s nondisclosure policy about a vulnerability means little-to-no public knowledge of it. The intended consequence is that the black hat (hacker) community has limited or no knowledge of the vulnerability; the risk is that nondisclosure does not prevent independent discovery or exploitation, and affected users cannot defend against a weakness they do not know exists. Consider also how a company\u2019s reputation changes as it handles disclosure. 
Lastly, consider how too much or too little disclosure can jeopardize a company\u2019s ability to manage vulnerabilities.<\/div>\n<ol style=\"margin-top: 1em; margin-right: 0px; margin-left: 0px; padding: 0px 0px 0px 40px; font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">In the address box of your Internet browser, type the URL<span style=\"cursor: auto; color: inherit;\">&nbsp;<\/span><a style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto;\">https:\/\/docs.broadcom.com\/doc\/istr-14-april-volume-19-en<\/a>&nbsp;and press Enter to open the document \u201cInternet Security Threat Report\u201d.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Review the Highlights section of the document, which summarizes the main concepts in each section. 
Then, review the following topics in the document:\n<ol style=\"padding: 0px 0px 0px 40px; font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Executive Summary<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">2014 in Numbers<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Targeted Attacks<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Appendix<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\"><strong style=\"font-weight: bold; font-size: 13.3333px; cursor: auto; color: inherit;\">Note:<span style=\"cursor: auto; color: inherit;\">&nbsp;<\/span><\/strong>The \u201cInternet Security Threat Report\u201d contains several items that discuss zero-day vulnerabilities. As the name \u201czero-day\u201d suggests, you have little or no lead time to be proactive, because the vulnerability is being exploited before a patch exists. 
Even so, you can reduce your exposure by managing your company\u2019s assets properly (knowing which software and versions you run, so you can tell immediately whether a newly announced zero-day affects you), by applying compensating controls until a patch is available, and possibly by subscribing to an alerting service.<\/div>\n<ol style=\"margin-top: 1em; margin-right: 0px; margin-left: 0px; padding: 0px 0px 0px 40px; font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">In the address box of your Internet browser, type the URL<span style=\"cursor: auto; color: inherit;\">&nbsp;<\/span><a style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto;\">http:\/\/www.zerodayinitiative.com\/<\/a><span style=\"cursor: auto; color: inherit;\">&nbsp;<\/span>and&nbsp;press Enter to open the Web site.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Review the site to understand the purpose of this initiative.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Research other available resources (Internet resources, your textbook, and so on) to validate how performing periodic security assessments throughout the seven domains of a typical IT infrastructure can help an organization achieve compliance.<\/li>\n<\/ol>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\"><strong style=\"font-weight: bold; font-size: 13.3333px; cursor: auto; color: inherit;\">Overview<\/strong><\/div>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\">In this homework assignment, you reviewed the vulnerability life cycle and explained how the different types of disclosure mitigate different risk factors. You identified the risks that attacks, vulnerabilities, malicious code, phishing, underground economies, and spam pose to organizations. 
You looked at the risks caused by zero-day vulnerabilities, HTTP client-side versus server-side attacks, malicious JavaScript, PHP remote file inclusion, botnets, and PDF attacks on organizations. You also looked at vulnerability management practices that prevent known, previously exploited vulnerabilities from being attacked again within the seven domains of a typical IT infrastructure.<\/div>\n<div style=\"margin-bottom: 1em; cursor: auto; color: inherit;\">Please answer the following questions:<\/div>\n<ol style=\"margin-top: 1em; margin-right: 0px; margin-left: 0px; padding: 0px 0px 0px 40px; font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">What is a PHP Remote File Include (RFI) attack, and why are these attacks still prevalent on today\u2019s Internet?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">Which country is the top host of Structured Query Language (SQL) injection attacks and SQL Slammer infections? Why is the U.S. government limited in what it can do to prevent these attacks and infections?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">What does it mean for an organization to have a policy of nondisclosure?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">What is phishing? Describe what a typical phishing attack attempts to accomplish.<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">What is the Zero Day Initiative? Do you think it is valuable, and would you participate if you were the managing partner of a large firm?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">What is a Server Side Include (SSI)? 
What are the ramifications if an SSI injection exploit is successful?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">What is a zero-day attack, and how does it relate to an organization\u2019s vulnerability window?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">How can you mitigate the risk of users and employees clicking an embedded link or opening an e-mail attachment from an unknown source?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">When auditing an organization for compliance, what role do IT security policies and an IT security policy framework play in the compliance audit?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">When performing a security assessment, why is it a good idea to examine compliance in separate compartments, such as the seven domains of a typical IT infrastructure?<\/li>\n<li style=\"font-weight: inherit; font-size: 13.3333px; cursor: auto; color: inherit;\">True or false: Auditing for compliance and performing security assessments to achieve compliance require a checklist of compliance requirements.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Introduction&nbsp; In general, security assessments are more technical, more focused, and, in the case of penetration testing, more targeted than an audit. Comparatively speaking, the auditor takes the broader, holistic view. Nevertheless, an auditor still needs to gather reliable and relevant evidence to measure compliance. 
What happens when the auditor lacks the technical skills to gather [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":[],"disciplines":[63],"paper_types":[],"tagged":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/questions\/15497"}],"collection":[{"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/questions"}],"about":[{"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/types\/questions"}],"author":[{"embeddable":true,"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/comments?post=15497"}],"version-history":[{"count":0,"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/questions\/15497\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/media?parent=15497"}],"wp:term":[{"taxonomy":"disciplines","embeddable":true,"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/disciplines?post=15497"},{"taxonomy":"paper_types","embeddable":true,"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/paper_types?post=15497"},{"taxonomy":"tagged","embeddable":true,"href":"https:\/\/www.writemyessays.app\/blog\/wp-json\/wp\/v2\/tagged?post=15497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}