IST 623
Risk Assessment Outline
Risk 1: Web Server & Database Server Vulnerability (SQL Injection & Unauthorized Access & Data Breach)
● Severity Rating: High
● Reasoning: The web server (www.araris.com) lets external users access company data and place orders. It is directly connected to the database server (wwwdb.araris.com), which holds detailed information about the company, its customers, and its suppliers. Without appropriate security measures, this pairing is highly vulnerable to unauthorized access, SQL injection, data breaches, and privilege escalation, and a compromise of the web server gives an attacker a direct path to the database.
Risk 2: FTP Server Allowing Anonymous Access
● Severity Rating: High
● Reasoning: The company uploads software updates and patches to an FTP server that permits anonymous access. Attackers can exploit this to replace legitimate files with malware or to tamper with the company's software before customers download it.
Risk 3: Lack of Network Monitoring Between External Internet and Core Router
● Severity Rating: Medium
● Reasoning: There is no firewall or monitoring system between the external internet and the Core Router (CoreR). This absence leaves the network susceptible to DoS/DDoS attacks.
Risk 4: Outdated Operating Systems Across Corporate Devices
● Severity Rating: Medium
● Reasoning: Several devices across Araris Inc. are running outdated operating systems like Windows Vista and Windows 7, which no longer receive security updates. This exposes the company to known vulnerabilities that can be exploited for unauthorized access, data breaches, or malware infections. Since these systems are used by employees handling sensitive information, the risk is widespread and affects the overall security posture of the organization.
Risk 5: Use of Unencrypted Services (Telnet & FTP & TFTP)
● Severity Rating: Medium
● Reasoning: The network scan report indicates that Telnet and FTP are actively running. Both transmit credentials and data in plaintext, making them vulnerable to eavesdropping and man-in-the-middle (MITM) attacks.
Risk 6: Access to the company's wireless network using personal devices
● Severity Rating: Low
● Reasoning: Unprotected personal devices (e.g. the President's smartphone, the VP's tablet) can carry malware that spreads viruses or Trojans to other hosts once connected to the company's Wi-Fi network. Attackers can also compromise such devices and use them as a pivot into the corporate internal network.
Risk 7: Open and Unsecured Ports
● Severity Rating: Low
● Reasoning: Multiple open ports were detected that may not be in active use. Unused or unnecessary open ports increase the attack surface.
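As an added example (not part of the original assessment), the following Python script triages a port-scan report for Risks 5 and 7 above, flagging plaintext services and open ports outside a per-host allow-list. The scan lines, the 10.0.0.x addresses and the allow-list of expected ports are constructed assumptions, not the actual Araris scan results.

```python
import re

# Services that carry logins and data in cleartext (Risk 5).
PLAINTEXT_SERVICES = {"telnet": "Telnet", "ftp": "FTP", "tftp": "TFTP"}

# Assumed per-host allow-list of ports that are actually needed (Risk 7);
# any other open port is flagged as unnecessary. Not taken from the real report.
EXPECTED_PORTS = {"www.araris.com": {80, 443}, "wwwdb.araris.com": {3306}}

# Constructed sample in nmap's text output format, not the actual scan report.
SAMPLE_SCAN = """\
Nmap scan report for www.araris.com (10.0.0.10)
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
Nmap scan report for wwwdb.araris.com (10.0.0.20)
69/udp   open  tftp
3306/tcp open  mysql
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def parse_scan(text):
    """Return {host: [(port, proto, service), ...]} from nmap-style text."""
    hosts, current = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            hosts[current] = []
            continue
        port = PORT_RE.match(line)
        if port and current:
            hosts[current].append((int(port.group(1)), port.group(2), port.group(3)))
    return hosts

def triage(scan):
    """Map each host to (severity, finding) pairs using the outline's ratings."""
    findings = {}
    for host, ports in scan.items():
        findings[host] = []
        for port, proto, service in ports:
            if service in PLAINTEXT_SERVICES:
                findings[host].append(("Medium", f"{PLAINTEXT_SERVICES[service]} on {port}/{proto} is unencrypted"))
            elif port not in EXPECTED_PORTS.get(host, set()):
                findings[host].append(("Low", f"unnecessary open port {port}/{proto} ({service})"))
    return findings
```

Run `triage(parse_scan(SAMPLE_SCAN))` to list the findings per host; in practice the allow-list should come from the service inventory rather than being hard-coded.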
Risk 8: Weak Password Policy (Policy_Password-Account.docx)
● Severity Rating: Low
● Reasoning: The password policy allows passwords as short as 4 characters, which can be cracked quickly by brute-force attacks.
Risk 9: Unsecure Policy Exception Handling (Policy_Exception.docx)
● Severity Rating: Low
● Reasoning: All exception requests are sent to the CIO's personal Gmail account, which is outside the company's security monitoring and control. If that account is compromised, exception requests can be leaked or fraudulently approved.