Cybersecurity: Managing Risk in a Small Business Environment

This activity requires you to fulfill the role of a cybersecurity professional in a small business, tasked with identifying threats, vulnerabilities, and threat/vulnerability pairs; estimating the likelihood of these threats occurring; and presenting this information to IT management.
To manage risk within a firm, cybersecurity professionals in the CISO organization conduct research to identify threats, vulnerabilities, and threat/vulnerability pairs. They then determine the likelihood of each threat/vulnerability pair being realized and, in coordination with the IT system or data owner, ascertain the potential impact to the firm. This risk information is presented to management, which is charged with determining and recommending approaches to manage these risks. Management then presents these recommendations to executives, whose role is to allocate resources to prepare for and respond to the identified threats and vulnerabilities.
This activity places you in a small business’ cybersecurity organization, tasked with identifying threats, vulnerabilities, and threat/vulnerability pairs, estimating the likelihood of these threats occurring, and presenting this information to management.
Scenario
CarParts2U is a small auto parts reseller that wholesales exotic automobile parts. The company headquarters is in a small town in Michigan. Outside its headquarters, there are two large warehouse facilities—one in Virginia and the other in Nevada. Furthermore, CarParts2U employs salespersons across the United States to serve its regional customers.

The company has three servers located at its headquarters—an Active Directory server, a Linux application server, and an Oracle database server. The application server hosts CarParts2U’s primary software application, a proprietary program that manages inventory, sales, supply chain, and customer information. The database server manages all data stored locally on direct-attached storage.

All three sites use Ethernet-cabled local area networks (LANs) to connect the users’ Windows 7 workstations via industry-standard managed switches.

The warehouse facilities connect to headquarters via routers over business Internet connections provided by an external Internet service provider (ISP), and they share an Internet connection through a firewall at headquarters.

Individual salespersons throughout the country connect to CarParts2U’s network via virtual private network (VPN) software through their individual Internet connections, typically in a home office.

Instructions
As the cybersecurity risk analyst for CarParts2U, prepare a 3- to 4-page, double-spaced report (750 to 1100 words) of findings for management to review, including the following:

Identify threats to the seven domains of IT within the organization.
Identify vulnerabilities in the seven domains of IT within the organization.
Identify threat/vulnerability pairs to determine threat actions that could pose risks to the organization.
Estimate the likelihood of each threat action. [MO1.1, MO1.2]