Se578 Course Project - Logistix Inc Risk Assessment Report

| Logistix Inc. Risk Assessment Report | SE578 - Practices for Administration of Physical & Operations SecurityKeller Graduate School of ManagementPREPARED BY: PREPARED ON: APRIL 9, 2011 | | Over the past several weeks an assessment of Logistix Information Security posture has been under review from the perspective of both an insider looking out hoping to protect the organizations information assets and as an outside looking in attempting to gain unauthorized access to the organizations information assets. The overall objective of this assessment is to get a clear and concise picture of the organizations security posture and determine where any and all potential vulnerabilities lie, determine who might exploit the vulnerability, the likelihood that these vulnerabilities would be exploited, the impact that the organization would suffer as a result of these vulnerabilities being exploited and the recommended courses of actions that the organization could take to mitigate these risks. This document outlines some of the most significant vulnerabilities that Logistix Inc. faces from the perspective of a hacker attempting to gain unauthorized access as well as outlines some recommended courses of action that the organization can take to mitigate those risks. In addition, this document also contains a simple Risk Assessment Matrix that summarizes the identified risks, their threat to the organization and the related courses of action that will need to be taken to mitigate the exposure of the risk. The first risk to Logistix that has been identified is the use of an unsecure FTP server. Through the uses of an unsecure FTP all information that is transmitted is sent in clear text. This includes any usernames and passwords that are used for authentication. Since this information is allowed to be transmitted over the public Internet anyone attempting to gain unauthorized access to the organization can use free utilities to intercept traffic between the FTP

References: Bayles, A., Butler, K., Collins, A., Meer, H., Miller, E., Phillips, G. M., et al. (2007). Penetration Tester 's Open Source Toolkit (Vol. II). Burlington, MA: Syngress Publishing Inc. F.Tipton, H. (2010). Official (ISC)2 Guide to the CISSP CBK, Second Edition. Boca Raton, FL: Auerback Publications. Harris, S. (2010). CISSPAll-in-One Exam Guide, Fifth Edition. New York, NY: McGraw-Hill. Mallery, J., Zann, J., Kelly, P., Noonan, W., Seagren, E., Love, P., et al. (2005). Hardening Network Security. New York, NY: McGraw-Hill. McClure, S., Scambray, J., & Kurtz, G. (2009). Hacking Exposed 6: Network Security Secrets & Solutions. New York, NY: McGraw-Hill. Miller, L., & Gregory, P. H. (2010). CISSP for Dummies. Hoboken, NJ: Wiley Publishing.