Module 5: Threats
Student teams continue to build descriptions of the operating environment for their sector-based organizations. They review the different threat possibilities using the Government Accountability Office (GAO) table, “Sources of Emerging Cybersecurity Threats.” Teams identify the different threats that would be likely to impact their sector-based organizations, providing a rationalization for their selections.
Team Activity Objectives
- Define threats and threat agents, and explain how risk assessment relates to understanding threats.
- Identify how different threats—including hijacking, denial-of-service attacks, malicious software, SMTP spam engines, Man-in-the-Middle (MITM) attacks, and social engineering—would apply to critical infrastructure.
- Identify different types of malware and their intended payloads.
- Describe overflow attacks and provide examples of the impact on CI systems.
- Provide examples of malware attacks, such as Flame, Stuxnet, BlackEnergy, Havex, and Duqu, and discuss their functionality and impact on critical infrastructure systems.
Review the Required Reading text, GAO-12-92, Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use.
Also read the table below, which is a reproduction of Table 1 from the U.S. Government Accountability Office (GOA) report Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, May 2005.
Look at other resources, like the page “Cyber Threat Source Descriptions” on the ICS-CERT website (https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions). Research the operation of at least one of the following malware attacks: Flame, Stuxnet, BlackEnergy, Havex, and Duqu.
How does your review affect the confidentiality, integrity, and availability scores? In addition, are there any organizational concerns that might stem from security incidents that go beyond the impact analysis?
Based on your team’s investigation of your chosen sector and created fictitious organization, select standards from the CSET list “Risk Assessment Standards” (available for download or online viewing below).
Option 1: Submit a detailed written explanation of how you selected appropriate risk assessment standards for your fictitious organization.
Option 2: Prepare 2–3 presentation slides explaining your justification for selecting those particular risk assessment standards.
Grading Criteria Rubric
- Evidence of teamwork
- Use of American Psychological Association (APA) style in writing the assignment
Grade Points 100