ISUP ITRG - Yield More


1. Threats

1.1. Remote Access Domain

1.1.1. Hackers

1.1.1.1. VPN has a very low security level

1.1.1.2. If it's on the internet, it's not private

1.2. LAN-to-WAN Domain

1.2.1. Firewalls can be attacked

1.3. Workstation Domain

1.3.1. Computers need to be patched

1.4. User Domain

1.4.1. Social Hacking can be a threat

1.4.2. Human error in typing in orders

1.4.2.1. Technical control: input masks

1.4.3. Employee turnover

1.4.3.1. Ensure that the processes are not owned by one person

1.4.3.1.1. Cross-training

1.4.3.1.2. Hiring additional people

1.4.3.1.3. Job-rotation

1.4.3.2. Manual/Written records of processes

1.4.4. Failing to follow procedures

1.5. System Application Domain

1.5.1. Fire can destroy servers (all are in one place)

1.5.2. Unauthorized access to data

1.5.2.1. Access control for different types of data (Proprietary, Private, Public data)

1.5.3. Threat to integrity of data

1.5.3.1. Back-ups

1.6. WAN Domain

1.6.1. Provider can have an outage

1.7. LAN Domain

1.7.1. Worm can spread

2. Vulnerabilities

2.1. Lack of updates

2.2. Windows 7 is the worst

2.2.1. Verify availability of software patches

2.3. External ISP

2.3.1. Low security

2.3.2. Fully dependent on that company

2.3.2.1. What if the internet connection drops?

2.3.2.2. What if somebody cuts the cable? (T-1)

2.3.3. The ISP has access to what is being shared through its network

2.4. One firewall

2.5. Three servers are too few

2.6. Different systems on each server

2.6.1. Linux for an improvised ERP system

2.6.2. Oracle for database

2.7. The seven domains

2.7.1. User domain

2.7.1.1. If people don't know about the dangers of social engineering

2.7.2. System / application domain

2.7.2.1. Database injection

2.7.2.2. Access control for database

3. Threat/vulnerability pairs

3.1. Hackers can access the remote access domain

3.2. SQL injection / Inserted data is not verified

3.3. Data breach / no business continuity plan

4. Risk mitigation

4.1. Organization-owned intranet

4.2. Train employees for social engineering

4.3. Make sure workstations and servers are patched and up to date

4.4. Introduce two-factor authentication for VPN

4.5. Have backup for data

4.6. Access control for data in database

4.7. Automation for orders to mitigate errors in typing in orders