Business Processes & Infrastructure

Questions and Answers

Which of the following adjustments to operational practices would be MOST effective in minimizing key-person dependencies related to legacy systems?

• Outsource the maintenance of legacy systems to specialized firms who can guarantee long-term support despite internal staff turnover.
• Implement rigorous knowledge transfer programs ensuring multiple staff members are proficient in maintaining legacy systems.
• Increase investment in newer technologies, migrating critical functions away from older systems to eliminate the dependencies. (correct)
• Document all maintenance procedures for legacy systems, creating a comprehensive reference guide for existing staff.

An organization is considering adopting a new technology. Which factor would be MOST important to evaluate to understand the scope of the new technology's impact on risk?

• The enhancement to productivity and efficiency expected from the new technology in comparison to the current systems.
• The technology's potential to create obsolescence of current systems, possibly creating integration challenges.
• The level of support and reliability offered by the vendor over the short term, specifically in the first year of deployment.
• The ease with which the technology can be integrated into existing systems, supporting future upgrades and scalability. (correct)

How does an enterprise's compliance record typically impact its overall reputation and market position?

• A positive compliance record uniformly enhances the reputational standing of a firm, but has little tangible impact on its financial metrics
• Enterprises with strong compliance typically spend more on oversight and governance, reducing profitability in the short term
• Strict compliance procedures can severely stifle innovation and market agility, potentially weakening the enterprise's long-term viability.
• Compliance affects reputation–positively or when poor, negatively– in the community and marketplace (correct)

An enterprise has suffered significant reputational damage after senior management failed to address concerns raised by a whistleblower. Which control would prevent similar incidents?

Implement formalized protocols requiring management to acknowledge, investigate, and resolve internal warnings. (D)

An organization is classifying its IT assets based on criticality and sensitivity. What is the MOST important initial step to make sure that this classification is comprehensive and effective?

Ensure the I&T asset inventory is complete and the location of each asset is identified. (D)

Which characteristic distinguishes a critical asset from a noncritical asset in the context of business operations?

Critical assets provide service capability, and their reliability and availability are key to supporting business needs. (A)

An enterprise is implementing COBIT 2019 guidelines for managing I&T assets. Which action aligns with COBIT's recommendations?

Maintaining an current, accurate record of all I&T assets needed to deliver services and owned/controlled by the enterprise. (A)

In which scenario is the valuation of an information asset LEAST likely to be based on its intrinsic informational value?

When regulatory sanctions for exposure are significant, or when trade secrets have been stolen. (D)

What step is crucial when prioritizing information asset valuation efforts within an enterprise?

Linking assets to specific business processes to align valuation (C)

Why is identifying potential threat motivations important in risk assessment?

Motivation dictates the resources an attacker commits, which can define sophistication when assessing vulnerabilities (B)

After implementing a system patch, under which conditions is a virus still considered a threat?

If other systems still have the vulnerability, because lateral movement techniques can compromise unpatched assets (B)

What factor should organizations MOST consider regarding the evolving nature of threats?

The importance of routinely optimizing and customizing security safeguards to adapt to new threats promptly (D)

Which method offers the BEST approach for an enterprise to stay up to date with emerging cyber threats?

Subscribing to threat intelligence services and computer emergency response teams (CERTs) (C)

Why is it more difficult for small businesses to maintain a continuous threat assessment?

These type of businesses lack the resources for a constant evaluation (C)

Which activity is the MOST effective way to validate the accuracy of results from a vulnerability assessment?

Performing a penetration test against a potential vulnerability or attack vector. (A)

How do enterprises typically identify and prioritize their unique vulnerabilities for remediation?

Applying a risk assessment matrix that ranks weaknesses based on potential effect and likelihood of exploitation. (B)

Which objective is MOST aided by performing penetration testing that is covert?

Evaluate how staff detect and respond to intrusion attempts. (A)

Which factor should be evaluated to measure the likelihood of a cyberattack?

How much prior warning an enterprise has between the event’s occurrence and impact. (C)

An expert penetration testing team fails to detect a vulnerability during a zero-knowledge test. What might that result mean?

The team was unable to make up potential attack vectors. (D)

What demonstrates that an enterprise culture values risk awareness?

Risk is a transparent issue, acknowledged and considered throughout the enterprise. (D)

Which of the following is the primary purpose of ensuring I&T-related risk concerns are tied to critical business processes?

To manage all existing risks. (A)

What does a risk taxonomy offer for communicating I&T-related risk to executives?

It facilitates a common language for discussing risk (A)

When should an enterprise use generic risk scenarios as a starting point?

When it is necessary to build more detail where and when required. (A)

What statement is related to scenarios associated with systemic and contagious risk?

They consider something happens with an important associate, affecting others in that industry. (D)

Which interview method increases getting useful information?

Get to understand the business process in readiness for core business functions. (B)

Which action should the enterprise focus on after performing post-incident review?

Remediation activities from earlier incidents, along with whether suggestions were adhered to and answered (C)

What does the use of risk scenarios help?

The risk identification is more conceptual. (D)

An organization uses security software, what kind of vulnerability type is this?

Code is written poorly. (A)

What action does the enterprise typically take to avert conditions which lead to system failure?

Power and environmental controls. (B)

A business has raw materials that may affect the business' ability to function. How can the business properly respond to this issue?

Document business continuity. (A)

Which factor indicates how attacks exploit the network?

Sniffing. (D)

Which of the following statements is most accurate regarding the roles of internal and external teams during penetration testing?

Penetration tests conducted by an internal or external team may be conducted. (D)

How should business integrate risk awareness programs?

Maintain compliance with security regulation. (B)

Where is the IT team located relative to IT infrastructure as a whole?

The provider's facility. (B)

A natural disaster is considered an example of what?

Nonhuman Threat (C)

What happens if the enterprise does not identify a risk?

It is left out of the strategic planning process used by senior management to promote value creation. (B)

What is the major difference between internal contextual factors and external contextual factors?

The degree of control that an enterprise has over them. (A)

In the I&T risk scenario development, what are risk events supposed to affect?

Risk events are required to align to business operations. (A)

What is the MOST critical factor in determining the asset criticality of an IT system component?

The impact on the enterprise if the component is unavailable or compromised. (D)

Which approach is BEST for an enterprise to maintain an accurate and current understanding of its overall threat landscape?

Subscribing to multiple threat intelligence feeds and correlating the data. (D)

When an enterprise is developing I&T risk scenarios, why is it important to involve both IT and business stakeholders?

To ensure that scenarios reflect both technical possibilities and potential business impacts. (D)

Which of the following factors MOST significantly impacts the likelihood component of I&T risk?

the availability of a detailed exploit for a known vulnerability. (A)

Which initiative is MOST effective for enhancing enterprise-wide risk awareness?

Integrating risk discussions into routine operational and management reviews. (D)

When should an enterprise prioritize the use of quantitative risk analysis techniques over qualitative approaches?

When making decisions about high-value assets and critical business processes. (D)

What is the PRIMARY objective of conducting an assessment in a zero-knowledge penetration test?

To simulate the actions of an external attacker with no prior knowledge of the systems. (B)

An organization identifies a critical vulnerability but decides to accept the risk due to the high cost of remediation. What should be the next step?

Implement compensating controls to reduce the potential impact. (D)

During a business process analysis, an enterprise identifies a single point of failure in a critical system. What is the BEST course of action?

Implement redundancy or alternative solutions to eliminate or mitigate the risk. (A)

An enterprise outsources its data storage to a cloud provider. Which aspect requires the GREATEST ongoing due diligence?

The cloud provider's adherence to data protection and privacy requirements. (D)

Flashcards

Business Process

An interrelated set of cross-functional activities or events delivering a specific product or service.

Infrastructure Assets

The physical and IT components (facilities, equipment, hardware, network, etc.) necessary for business operations.

Financial Assets

Assets appearing on a balance sheet, subject to market, credit, and operational risks.

Reputation

The value an enterprise has derived from its past actions. Can be positive or negative.

Asset Classification

Classifying assets to determine their relative sensitivity and criticality.

Asset Criticality

The impact on the enterprise if an asset is lost.

Asset Sensitivity

Potential damage to the enterprise from unauthorized disclosure.

Asset Inventory

A record of all relevant assets, including owner, location, and security classification.

Intellectual Property

Trademarks, copyrights, patents, trade secrets and research that leads to a new product. Failure to protect may result in the loss of competitive advantage.

Asset Value

Value of an asset to the business and its competitors, often assigned a monetary value.

Threat

Anything capable of acting in a manner that can result in loss or harm to an enterprise asset.

Threat Agent

A method or thing used to exploit a vulnerability.

Threat Event

An event during which a threat actor acts against an asset with the potential to cause harm.

Advanced Persistent Threats (APTs)

Attackers who are highly skilled, determined (persistent) to exploit systems and networks.

Threat Intelligence

Organized, analyzed information about potential threats.

Threat Source

Technical, human, facility-based, natural, and environmental events that create a threat

Threat Assessment

Evaluation of the type, scope, and nature of events that can result in adverse consequences.

Vulnerability

A weakness in the design, implementation, or operation of a process that could expose the system to threats.

Vulnerability Scanning

Scanning systems for known security weaknesses.

Penetration Testing

Simulated attacks to identify and exploit vulnerabilities.

Likelihood

The probability of something happening.

Risk Awareness

Awareness, understanding and acknowledgement that risk is an integral part of the business.

Access Risk

The risk that information may be accessed by unauthorized users.

Availability Risk

The risk that a service may be lost or data is not accessible.

Infrastructure Risk

The risk that IT infrastructure and systems may be unable to support business needs.

Integrity Risk

The risk that data may be unreliable due to incompleteness or inaccuracy.

Risk Scenario

A description of an event and its potential impact on the business.

Risk Taxonomy

A classification of sources and categories of risk.

Study Notes

Business Processes

• It is an interrelated set of cross-functional activities or events.
• Delivery of a specific product or service to a customer is the result.
• Can be an intangible asset.
• Policies, procedures, practices, and structures control business processes.
• These factors create value to the enterprise.
• They also provide reasonable assurance that a business process will achieve its objectives.
• An inefficient or ineffective business process may make an enterprise less competitive.
• This can lead to financial, market (customer), and reputational loss.

Infrastructure

• These assets include the physical and IT infrastructure.
  • This covers facilities, equipment, computing hardware, network infrastructure, and middleware.
• IT architecture components include information and applications.
• New and outdated technologies pose a risk to an enterprise.
• When new technology surfaces, enterprises must consider these points:
  • Impact of adopting the technology such as support, reliability, and ease of integration.
  • Risks associated with operating the new technology like security, reliability.
  • Consequences of not adopting the new technology such as obsolescence and lagging behind competitors.
  • Business benefits of the new technology such as support for new business initiatives, effectiveness, and efficiency gains.
• Equipment lacking support or past its mean time between failure (MTBF) may be vulnerable.
• Lack of patching and updating of systems and applications leaves them open to malware or misuse.
• Older systems needing expertise not readily available may increase key-person dependency.

Finances

• These assets typically show up on an enterprise balance sheet such as cash, investments, or accounts receivable.
• The assets receive their value from a contractual claim.
• Financial assets are subject to many types of risk.
  • These include market, credit, and operational risks. -Examples of Market risk includes currency, interest rate or commodity -Examples of Credit risk includes cash flow, regulatory or callable loans -Examples of Operation risk includes inadequate systems/controls, employee error or system failures

Reputation

• An intangible asset, difficult to quantify, represents the value derived from its past actions, positive or negative.
• Various events and decisions impact reputation.
• A shared understanding of I&T-related failures, compromises, mistakes, or events can impact enterprise objectives.
• This can result in the loss of direct (financial) or indirect (customer-sensitive) information, resulting in reputational damage.
• Significant reputational damage or lowered stakeholder expectations can result when senior management is thought to be accountable, but fails to take corrective action or adequately represent it.
• An enterprise's compliance record can significantly affect its reputation in the community and marketplace, whether positively or negatively.

Asset Classification (Criticality and Sensitivity)

• IT assets are determined by relative sensitivity and criticality, sometimes referred to collectively as business value.
• Asset criticality measures the impact on the enterprise due to the loss of an asset.
  • This refers to how important the asset is to the business
• Asset sensitivity is based on the potential damage to the enterprise from unauthorized disclosure.
• Keep the number of information classification levels to a minimum.
• Classifications should be simple designations by differing degrees for sensitivity and criticality.
• First, ensure that the I&T asset inventory is complete and that asset locations are identified.
• This is a necessary step in the risk identification process.
• Enterprises must account for all relevant assets, financial or nonfinancial.
• According to COBIT 2019, enterprises should maintain an up-to-date, accurate record of all I&T assets.
  • These assets are required to deliver services and that are owned or controlled by the enterprise with an expectation of future benefits.
  • These include resources with economic value, such as hardware or software.
• An asset inventory or register records all relevant assets.
• An I&T asset inventory differs from enterprise to enterprise, but typically includes:
  • Owner.
  • Designated custodian.
  • Specific asset identification.
  • Relative value to the enterprise.
  • Loss implications and recovery priority.
  • Location either physical or logical.
  • Security/risk classification.
  • Asset group, where the asset forms part of a larger IT system, as well as the type of information the asset stores or processes.
• Common methods to build the initial inventory include consulting the purchasing system, reviewing contracts, and reviewing the software currently installed.
• Many assets are critical to business operations, while others are conveniences.
• Determine the importance of assets in the context of enterprise activities.
  • Prioritize protecting the most important assets first and addressing less significant assets as time and budget allow.
• Assets may be prioritized as critical where others may not be as critical or may be critical at certain times.
• COBIT 2019 states that an enterprise should identify assets that are critical in providing service capability.
  • It should also maximize their reliability and availability to support business needs.
• It takes skill, experience, and understanding of business or mission importance to understand the difference between the critical and noncritical asset.
• Critical assets can include many types of assets, including intellectual property.
• Intellectual property, treated with special care, represents the future earnings potential of the enterprise.
• Trademarks, copyrights, patents, trade secrets, and research are examples of intellectual property.
• Failure to protect intellectual property may result in losing a competitive advantage.
• Trademarks are sounds, colors, logos, sayings, or distinctive symbols closely associated with a company and are sometimes registerable.
• Copyrights protect any work captured in tangible form.
• Patents protect research and ideas that led to the development of a new, unique, and useful product.
• Trade secrets are business information that provide a competitive advantage to the organization that possesses the information.
• Other critical assets include financial data and information, proprietary processes, and products.
• IT must determine specific assets critical to achieving business goals and objectives.

Asset Valuation

• This is the asset's value to both the business and competitors.
• An asset's value may be what another person would pay for it, or measured by its value to the enterprise.
• Done by assigning a quantitative (monetary) value; relating values in a common financial form.
• Asset valuation is straightforward for some assets, but not for all.
  • Hardware is easily valued based on replacement costs.
• Information value can be the cost of recreating or restoring it or its contribution to generating revenues.
• Value is related to consequential costs, potential regulatory sanctions from exposure of confidential information, or loss of trade secrets.
• Breaches of Personally Identifiable Information (PII) can result in regulatory sanctions.
• Identity theft loss victims may file lawsuits for damages and class-action lawsuits.
• Another consequence is potential reputational damage, often resulting in loss of share value.
• Valuation cannot be based on the intrinsic value of information, which may be low or zero.
• Instead, valuation must be based on the total range of potential losses and other impact.
• Effective valuation protects an enterprise from paying more in protection than the asset's net worth.
• Many enterprises use a quantitative approach that assigns a monetary value.
• Quantifying value is difficult when considering intangibles like confidence, morale, or market perception.
• If poor quality, environmental negligence, or fraudulent activity is associated with an enterprise, region, or product, a high-quality product may be perceived as substandard.
• Negative perception may persist for years before recovery.
• Contributing factors to calculating asset value:
  • Financial penalties for legal noncompliance.
  • Impact on business processes.
  • Damage to reputation.
  • Additional costs for repair/replacement.
  • Effect on third parties and business partners.
  • Injury to staff or other personnel.
  • Violations of privacy.
  • Breach of contracts.
  • Loss of competitive advantage.
  • Legal Costs.

Information Asset Valuation

• Assets have value because of the business or mission purpose they serve.
• By itself, an I&T asset may be easily replaceable because it's highly susceptible to vulnerabilities such as software, or server hardware.
• Understating I&T assets' criticality is not possible without the business or mission context.
• An enterprise may find it difficult to value information assets.
• As a result, some businesses lack an accurate list of their information assets.
• Placing an exact value on assets such as PII or trade secrets is difficult, though a high degree of accuracy is unnecessary.
• Information asset valuation is best based on loss scenarios, recorded into a matrix to make valuation manageable and understandable.
• In these matrixes, values can vary (in USD$) depending on the type and size of information loss.
• Precision of the valuation is not as critical as having an approach to prioritize efforts + link assets to business processes.
• Therefore, IT assets value is intrinsically linked to the business value it provides.
• Values in the same order of magnitude as the actual loss (should it occur) are sufficient for planning purposes.
• Media reports contain well-documented loss scenarios and loss amounts for basing a valuation.

Threats

• The risk identification process seeks to improve confidence that the enterprise recognizes and understands any risk.
• A threat is anything with the potential to act and cause loss or harm to an enterprise asset.
• Threats exploit enterprise vulnerabilities and are initiated by a threat agent.
• A threat exploits a vulnerability.
• A threat agent's often referred to as a threat actor.
  • This is any person, thing, or entity that carries out a threat and is responsible for a threat event.
• A threat event is carries out a threat against an asset with the potential to harm.
• Related I&T threat examples:
  • Improper disclosure of information
  • Improper modification or use of data
  • Interruption of a system or project
  • Internal or external theft
• Threat actors can be internal or external, as well as human or nonhuman.
  • e.g. staff, contractors
• External actors are outsiders, competitors, regulators, hackers, and the market.
• Not each threat requires an actor such as failures or natural causes.
• No threat means no risk just as properly protected assets that are not vulnerable to threats being issued present no risk.
• An unpatched virus impacts a vulnerable system, whereas the system has no threat from a patch.

Threat Types

• Knowledge of threats and perpetrator motivations are important to risk management.
• Enterprises must know their weaknesses, strengths, and vulnerabilities.
• Protections should be built into each business process, system, and operational procedure.
• The threat landscape is always changing.
• Threats can be external or internal, intentional or unintentional, as well as emerging from new tech.
• It is important to identify the types of threats that apply or may be used to compromise or affect an enterprise.
• External threats to IT systems can originate from anywhere.
  • Espionage
  • Theft
  • Sabotage
  • Terrorism
  • Criminal acts
  • Software errors
  • Hardware flaws
  • Mechanical failures
  • Lost assets
  • Data corruption
  • Facility flaws
  • Fire
  • Supply chain interruption
  • Industrial accidents
  • Disease
  • Seismic activity
  • Flooding
  • Power surge or utility failure.
• Natural events, such as floods, storms, earthquakes, or tornadoes, are unpredictable and damaging.
• Government data and weather monitoring services may identify threats associated with natural events.
• External include hackers, criminals, nation states, or hacktivists.

Advanced Persistent Threats (APTs)

• Highly skilled attackers attempt to exploit systems and networks.
• Increased hacker skills and effective tools make comprise risk significant.
• APTs may be sponsored by competitor, organized crime, or government parties.
• The National Institute of Standards and Technology (NIST) defines an APT as one that possesses sophisticated levels of expertise.
• APTs use significant resources to achieve objectives using multiple attack vectors.
• APT objectives include establishing and extending footholds within the IT infrastructure.
• Goals are disrupting critical ops, exfiltrating information, and undermining organizations, or positioning itself to carry out these objectives in the future.
• The advanced persistent threat (i) pursues its objectives over time, (ii) adapts to defender efforts, (iii) is determined to maintain the level of interaction needed to execute its objectives.
• Typical APT attacks are staged as such:
  • First compromise—Attackers use social engineering and spear phishing via email, using zero-day viruses. They may plant malware on a website that the victimized employees are likely to visit.
  • Establish a foothold—Attackers may plant remote administration software.
  • They create back doors and tunnels that allow stealth access to network infrastructure.
  • Escalation of privileges—APTs use exploits and password cracking to acquire administrator privileges.
• Internal reconnaissance—Attackers collect information on surrounding infrastructure, trust relationships and Windows domain structure.
• Move laterally—They expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
• Maintain presence—APTs ensure continued control over access channels and credentials acquired in previous steps.
• Complete mission—Attackers exfiltrate stolen data from the victim’s network.
• Common API sources include intelligence agencies and organized crime

Internal Threats

• Employees are among the most important assets.
• Under-trained or mistreated employees can lead to discontentment.
• Disheartened and resentment leads to higher error risk.
• Key staff may be drawn to other enterprises or leave serious gaps in knowledge and skills.
• Employees cause significant business impacts that can be unintentional or intentional.
• Disgruntled staff might compromise systems or release data to expose the enterprise to legal or reputational risk.
• Employees may be bribed, threatened or convinced to disclose data for ideological or economic reasons.
• The solution to the employee problem lies in need-to-know and least privilege.
• The typical malicious insider is a current or former employee, contractor or other business partner.
• They have authorized access to the network, system, or data.
• The first step to addressing personnel threats is to start with hiring and reviewing of the candidate qualifications.
• Applicants may submit incorrect information on job applications and claim education, certification, or experience.
• The employee must sign a nondisclosure agreement and be advised of the ethics and policies at the time of hiring.
• References and performance of background checks are worthwhile.
• Employees should be reminded of responsibilities and enterprise policies through management reviews.
• Employee-based controls should be used to address frustrations or concerns.
• Employees are more likely to be a risk during layoff, relocation, reorganization, or strike.
• An employee bypass or demoted is also a risk.
• Employees must return all enterprise assets including, keys, mobile phones, laptops, and access cards upon employment end.
• Systems, network, and facility access must be removed immediately upon employment departure.

Emerging Threats

• Technology innovation is important.
• Each emerging technology offers different IT solutions with its own risks and rewards.
• Indications of emerging threats can include, but may not be limited to:
  • Unusual activity on a system
  • Repeated alarms
  • Slow system or network performance
  • New or excessive activity in logs
• An IT system may have threat logs well in advance of the actual compromise.
• New technology tends to be a source of new vulnerabilities and a threat agent.

Threat Intelligence

• Threat intelligence describes how a service provider has analyzed, refined and organized information about potential threats and CERTs.
• Emphasis focuses on attacks likely to affect enterprise including:
  • Zero-day threats
  • APTs (Advanced Persistent Threats)
  • exploits.
• Threat Intelligence is based on the internal/external collection of information.
• The process includes an understanding of threat actors and potential threat events.
• Examples of external sources include open-source intelligence (OSINT); and IoC provided by an external entity or intelligence gathered from the deep and dark web (e.g., enterprise information or credentials are being offered for sale.)

Threat Assessment

• It evaluates events or actions nature, scope and type that could result in consequences; identification of threats against enterprise assets.
• It seeks to understand motivation of threat actors in attempting to create adverse effects.
• Threat assessments generally exclude natural events, but may include accidental threat actors.
• Enterprises may determine what the threat actor is trying to do based on the observed action(s).
• Then leverage that knowledge to identify more vulnerabilities and use that for treatment.

Threats can evolve as such:

• Implementation of new tech
• Granting broader access for partners and customers
• Attackers' advance capabilities
• These factors warrant a periodic assessment of the threat landscape that an enterprise is exposed to.
• This activity is particularly important for SMB businesses that are too small or have issues to do with the adoption of a continuous assessment approach to threat management.
• Assess can be done annually by reviewing any recent changes to the tech environment.
• Internal factors representing where threats may rise includes new or upgraded technology.

Vulnerabilities

• Control conditions are deficient relative to requirements of threat levels being faced.
• Vulnerabilities are design, implementation, operation or internal control weaknesses.
  • They expose the system to adverse threats from threat events.
• IT-related conditions exist in IT systems, needing to be identified and addressed.
• The purpose of vulnerability identification is to find the problems before they are found and exploited by the adversary.
• Regular vulnerability assessments and penetration tests are important and can also validate/classify them.
• When and where vulnerabilities exist, the potential for risk exist.
• The 2 most common techniques for identification are vulnerability scanning and penetration testing.

Vulnerability Types

• These can exist within IT systems such as:
  • Networks
  • Physical access
  • Apps and web-facing services
  • Utilities
  • Supply chain
  • Processes
  • Equipment
  • Cloud computing services
  • Big data
  • Cybersecurity

Networks

• Network vulnerabilities are often related to misconfiguration of equipment, poor architecture, or traffic interception.
• Misconfiguration is a common problem with network equipment that is not properly installed, operated, or maintained.
• Open services are a potential attack vector used by the adversary to gain access to the target asset.
• Network equipment should be hardened by disabling all unneeded services, ports, or protocols.
• Transmitting and receiving data are being incorporated into devices whose primary purposes are not of a data processing or regulatory nature creating new vulnerabilities.
• The IoT is emerging both as an opportunity and a target for thread agents.

Physical Access

• Incidents relate to equipment loss.
• Being able to gain physical access to a system has potential to bypass the most other types of controls.
• With physical access comes:
  • Server rooms
  • Network cabling
  • Info equipment and buildings
• Attackers have the ability to circumvent passwords, install skimmers, and take ownership of systems or devices.
• There is clear need for a strong physical security due to insiders.

Applications and Web-facing Services

• Applications on the web are common vulnerabilities, entry points that are currently used by attackers.
• Supporting business functionality should be balanced by security requirements of applications and may be subject to common vulnerabilities:
  • Buffer overflows
  • Logic flaws
  • Injection attacks
  • Bugs
  • Incorrect control over user access