Individual Assignment 1

Due Date: May 19th, 2024 at 11:59 PM

For this assignment you will identify potential or actual security risks that you have encountered or observed in your own experience with using technology and/or working with information and data.

Think about the technology and data you work with every day. Also, you can think about scenarios or issues your friends, family, or classmates have experienced. Threats need not be specific to computers or the Internet; any practice or policy that poses a threat to the CIA principles is fine. For this assignment you will identify eight (8) instances of potential or realized information security threats.

The security threats you identify should be at least somewhat specific to the situation at hand. Examples of good topics include:

  • A poor practice on a website that you use that could present opportunity for a threat. (Identify the website and the interaction that poses the threat, and why.)
  • An in-person or phone interaction that exhibits strong potential to be spoofed. (Describe the interaction and why spoofing is easy.)
  • A friend or family member practicing poor security hygiene. (You need not call out anyone specifically, but do describe the poor practice and why it poses a threat.)
  • A security practice at your company that is intended to increase security but actually has the potential to reduce or impair it. (Describe what goal the practice is intended to fulfill, and why it also reduces overall security.)

For each security threat:

  • Describe the threat in reasonable detail. Explain the circumstances and scenario behind the threat, how the threat might manifest into an actual attack, and the potential (or actual) consequences of the attack.
  • Briefly explain how the threat could be mitigated, and any caveats or considerations for that mitigation. For example, if the mitigation you propose would degrade the user experience, explain why this is justifiable given the threat.
  • Assign a risk score between 0 and 10 to each threat, with 0 being no possible impact and 10 being the most severe conceivable impact. Justify and explain your score.

If you cannot think of eight examples you have witnessed personally, you may search for news articles surrounding security incidents within the past three months. (You may use situations that are older than three months if you have evidence that the problem still exists within the last three months - for example, if a vulnerability was discovered and reported one year ago, but the organization announced last month that they have chosen not to address it, that is a valid scenario.) If you choose to use news articles, you must include working links to, or copies of, the articles in question.

To protect others' confidentiality, you may choose to remove or mask any personally identifiable information from your documentation. You may remove or alter any information that could be used to identify the target of the threat. However, please include sufficient detail to explain the vulnerability, score it and suggest mitigations.

Deliverable

Write up your eight threats, their scores and your suggested mitigations into a Word or PDF document and upload it to the D2L Dropbox.

This is an individual assignment. All class members must submit an original, independently created submission.

Scoring Rubric

This assignment is worth 100 points. Points are assigned as follows:

| Item | Points | Penalties |
|---|---|---|
| Provided detailed information on eight (8) realized or potential security vulnerabilities. | 40 | 5 points lost per missing vulnerability. |
| All security vulnerabilities are accompanied by a risk assessment. | 20 | 4 points lost per vulnerability without a score. Minimum score for this item is 0. |
| All vulnerabilities are accompanied by strategies for mitigation. | 20 | 4 points lost per vulnerability without strategies for mitigation. Minimum score for this item is 0. |
| Document is well written with correct spelling, grammar and appropriate language. | 15 | Point loss depends on severity of errors. |
| Document is in the correct file format. | 5 | Points lost if document is in incorrect format but can be converted to proper format by instructor. |

The entire assignment will receive a 0 if the document format cannot be converted!

Late submissions will lose a percentage of earned points based on the syllabus's Late Work policy. Submissions 3 days late or later will receive 0 points.