Module 3: Course Project

In this module, you will use the course project data and the vulnerability data analysis from module 2.

Use the Attack Scenario model to create an initial estimate of risk for the New York office and the CVE-2024-21413 Outlook vulnerability. Use 85% as the mid-point value and +/- 10% for an estimate of the likelihood of compromise since there are known exploits available.

Answer the following questions to complete the analysis:

  1. How many code execution vulnerabilities are in the New York office data?
  2. For the New York office, how many of the code execution vulnerabilities are Microsoft vulnerabilities?
  3. For the New York office, CVE-2024-21413 is an Outlook vulnerability with exploits available, making it an elevated risk. There are 25 users in the New York office. How many findings are identified for CVE-2024-21413?
  4. For the New York office, what percentage of users have the code execution vulnerability CVE-2024-21413?
  5. For the New York office, using the percentage of users who have code execution vulnerabilities as the basis for an estimate of threat (weakness), what is a suitable 3-point range to use?
  6. For financial impact, use the following ranges: Very Low 0-$25K, Low $25K-$40K, Moderate $40K-$80K, High $80K-$100K, Very High $100K-$2M. Next, use the $50K estimate provided by Ms Kowalsk as the impact. What is the resulting risk rating?
  7. For the San Francisco office, following the same steps as for the New York office, what percentage of users have the vulnerability CVE-2024-21413?
  8. For the Miami office, following the same steps as for the New York office, what percentage of users have the vulnerability CVE-2024-21413?
  9. Which offices are affected by vulnerability ID 190473 Exchange Server update, for which known exploits are available?
  10. Which office has the highest number of Outlook-related findings?

License

Cybersecurity Risk Quantification Copyright © 2024 by Charlene Deaver-Vazquez is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.