Choose 5 techniques used by attack groups as identified in the Attack Trees worksheet you turned in for Project Part 3. Perform a risk assessment to rank the risk of these five techniques. You will need to be subjective in assigning the values for likelihood and impact, but consider using the Planning Poker numbers from agile software development: 1, 2, 3, 5, 8, 13, 20, 40, 100. Turn in (1) a table comparing the risk [Risk = Likelihood x Impact]; (2) a justification for your subjective choices; and (3) five recommended risk treatment actions the organization should take based upon this risk assessment.
Justification:
Technique 1:
Likelihood: ....
Impact: ....
Technique 2:
....
Five recommended risk treatment actions:
1.
2.
3.
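As an added worked example (not part of the assignment text), the script below applies the Risk = Likelihood x Impact method the assignment describes: it rejects values that are not on the Planning Poker scale, computes each technique's risk, and prints the comparison table highest risk first. The five technique names and their likelihood/impact values are constructed illustrations, not an assessment of any real organization.

```python
# Added example (not part of the assignment): rank techniques by
# Risk = Likelihood x Impact using the Planning Poker scale the assignment
# suggests. The technique names and scores below are constructed illustrations.

PLANNING_POKER = (1, 2, 3, 5, 8, 13, 20, 40, 100)


def risk_score(likelihood, impact):
    """Return Likelihood x Impact, rejecting values outside the Planning Poker scale."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in PLANNING_POKER:
            raise ValueError(f"{label}={value} is not on the scale {PLANNING_POKER}")
    return likelihood * impact


def rank_techniques(assessment):
    """assessment maps technique -> (likelihood, impact).

    Returns rows (technique, likelihood, impact, risk) sorted highest risk
    first; ties are broken alphabetically so the ranking is deterministic.
    """
    rows = [(name, lik, imp, risk_score(lik, imp))
            for name, (lik, imp) in assessment.items()]
    return sorted(rows, key=lambda row: (-row[3], row[0]))


def render_table(rows):
    """Format ranked rows as the plain-text comparison table the assignment asks for."""
    header = f"{'Rank':<4} {'Technique':<44} {'L':>4} {'I':>4} {'Risk':>6}"
    lines = [header, "-" * len(header)]
    for rank, (name, lik, imp, risk) in enumerate(rows, start=1):
        lines.append(f"{rank:<4} {name:<44} {lik:>4} {imp:>4} {risk:>6}")
    return "\n".join(lines)


# Constructed sample assessment: subjective values, as the assignment expects.
SAMPLE_ASSESSMENT = {
    "Phishing email with malicious attachment": (13, 8),
    "Credential stuffing against the VPN portal": (8, 8),
    "Exploitation of an unpatched public web app": (5, 20),
    "Malicious USB drive left in the car park": (2, 13),
    "Insider exfiltration of customer records": (3, 40),
}

if __name__ == "__main__":
    print(render_table(rank_techniques(SAMPLE_ASSESSMENT)))
```

One caveat worth stating in the justification: the Planning Poker numbers are an ordinal scale, so the product only orders the techniques; a risk of 120 is not "twice as bad" as 60, and the gaps between ranks should not be read quantitatively.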
2. NIST Cybersecurity Framework: Choose two controls from the NIST Cybersecurity Framework and collect a summary of the "Informative References" for that control. For example, for the ID.RA-3 control (page 27), look up the informative references CIS CSC, COBIT 5, ISA 62443-2-1:2009, etc. Summarize what is found at each reference.
Control: ID.RA-3: Threats, both internal and external, are identified and documented
CIS CSC 4:
COBIT 5
APO12.01
APO12.02
....
Watch the Piazza post for references that are not freely available. Please contribute there if you find a reference that is not freely available. If you can't get hold of a standard, provide a couple of sentences on the organization that produces the standard and what the standard covers.
For each of two controls individually (not comparing them), comment on how much the references agree or disagree with each other. Do any conflict? The key lessons here are (1) there's lots of guidance available to organizations; and (2) sometimes the guidance produced by one document is not consistent with another document -- and sometimes organizations have to comply with both of them and they struggle.
3. CVSS: For the two most recent OpenMRS CVEs, provide the following (a table would probably be a good way to organize):
Provide the vulnerability description.
Provide the NIST CVSS scores:
Base score
Vector (by component)
Impact score
Exploitability score
Also provide a brief discussion on the severity comparison between these two vulnerabilities.