OS A3 Task 1

  

Threat 

Vulnerability 

Asset 

Impact 

Likelihood 

Risk 

Action 

Control Type 

Gate is left unlocked for the purpose of convenience 

This allows intruders to access the building with ease 

Physical data stored on premises  

 

 

 

 

 

 

 

Confidential data could be accessed by the attackers and stolen 

 

 

 

 

Medium 

Gates are always left unlocked for convenience and visitors 

 

 

 

 

High 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

High 

Provide users with passcodes to enter the building and implement a security system at the gate to identify and authorise access buildingAudit logs of gate access stored securely and reviewed weekly. 

Preventative 

 

Ensures only authorised users again entry, provides audit trail, and supports incident investigation. 

Additional entrance for remote workers which leads to hot desk area  

Bypass main entrance, without facing reception 

Physical data stored on premises 

 

 

 

 

 

 

 

Confidential data could be accessed by the attackers and stolen 

 

 

 

 

Medium 

Since all entrances are kept unlocked it allows them to bypass the entrance  

 

 

 

High 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

High 

Keep gates locked and provide one entrance to the building, this will allow the company to monitor all people entering the building and leaving 

Preventative 

 

Locking the gates at whole times 

Computer at the reception is left logged in 

Allowed access to outsiders, bypassing passwords and logins 

Costumer data is stored on the computer 

 

 

 

 

 

 

 

Confidential data could be accessed by the attackers and stolen 

 

 

 

 

 

High 

 

If computer is left unattended, all data is accessible to anyone. Due to being at the reception, it is at the front. 

 

Medium 

 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

 

High 

 

Make sure that reception staff are provided with training on importance of password training. Reinforce passwords on the computer and make sure they lock the screen before leaving it unattended 

Preventative 

 

Staff training and passwords are reinforced. 

All servers are stored in an unlocked room 

All files, web, general data is at risk, as they can be altered and stolen 

Servers & Hardware, Data stored on servers 

High 

Medium 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

High 

Secure access to the server, passkey or passcode used to authorise access to the server room 

Preventative 

 

Removes access to unauthorized users 

 

Users are using the public Wi-Fi  

Chances of man-in-the-middle attacks, eavesdropping, or rogue devices connected to the network  

Information assets 

Medium 

Medium 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

High 

Secure access to the internet by using protected Wi-Fi. End-to-end encryption. Use of VPN tunnelling to compensate for insecure Wi-Fi 

Compensating 

 

Alternative pathway for secure connection 

 

All staff has access to all data; there are no role-based access control. 

Risk of insider threat which can lead to spread of data 

Company data 

High 

High 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

High 

Implement role-based access control to minimize the access that each employees have.  

Corrective 

 

Removes access to data from staff that shouldn’t be accessible to them 

One server room will all the critical systems 

Risk of data downtime as all systems relay in one location. 

Organisation’s Network 

High 

Medium 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

High 

Move critical systems onto different locations in order to reduce critical systems danger. 

Preventative 

 

Removes likelihood of whole critical systems being corrupted 

Rogue device on hot desk ethernet 

32 (GF) + 12 (FF) open ports. The vulnerability is uncontrolled physical and logical access to the corporate network, which puts network infrastructure and sensitive information at immediate risk. 

Organisation’s network infrastructure 

High 

Medium 

Data is exfiltrated from the company with potential to damage company reputation, breach of GDPR with financial implications and potential for customers becoming victims of identity theft 

 

High 

Most hot-desk ports will not be in constant use. Any unused port should be administratively disabled on the switch. This eliminates the possibility of a rogue device connecting and instantly reduces the attacks surface. 

Preventative 

 

Removes any access to the network for unauthorised users 

Excessive privileges on laptops 

All employees have local admin rights 

Endpoints/Data 

High 

High 

Critical 

Remove local administrator rights from all users and enforce standard user accounts on all company laptops. 

Corrective 

 

Account restrictions  

 

Cloud access from unmanaged devices 

Home access allowed without device checks 

Cloud data 

 

 

High 

High 

Critical 

Restrict all cloud access to company-managed, compliant devices using Conditional Access policies. Require device compliance checks before granting access. 

Preventative 

 

Restricts company cloud access 

No formal training 

Only informal awareness, the human layer becomes the weakest link, exposing information and technology assets to preventable mistakes and attacks 

Human Error Risk 

Medium 

High 

Critical 

Introduce mandatory cybersecurity training for all staff, including training for new starters and annual refresher modules. 

Directive 

 

Providing training to staff 

ID cards not enforced 

Policy exists but not used. Not enforcing ID cards undermines physical security, exposing both technology infrastructure and information assets to unauthorised access, while cascading into financial, regulatory, and reputational damage. 

Physical Access 

Medium 

Medium 

Medium 

Introduce a mandatory ID badge policy requiring all staff, contractors and visitors to always wear visible identification while on site. Implement access card checks at entry points and create visitor badges with time-bound access. 

Deterrent 

 

Prevents unauthorised access 

No formal incident response plan 

Prolonged systems downtime in case of cyberattacks 

All Critical Assets 

High 

High 

Critical 

The organisation should formalise its response structure, invest in monitoring tools, train staff, and establish communication protocols. This ensures incidents are handled quickly, effectively, and with minimal damage. 

Corrective 

 

Implementing a formal incident response plan 

Reliance on staff competence instead of layered security 

Relying solely on staff competence can lead to human error, even skilled staff can misconfigure systems. 

Major Assets are exposed including; information, technology, financial, human, reputation, regulatory. 

High 

High 

High 

Staff competence is valuable, but it must be reinforced with technical, administrative, and physical layers of defence. This way, if one layer fails, others will protect the organisation. 

Directive 

 

Adding a layer of security  

Company phones with no restrictions 

This leaves open doors for hackers and lead to data leakage, possibility for cyberattacks and unauthorised access. 

Major Assets are exposed including; information, technology, financial, human, reputation, regulatory.   

High 

Medium 

High 

Unrestricted company phones are a direct pipeline for attackers into sensitive data and systems. A layered mobile security policy, technical, administrative, and user-level controls, should be implemented to protect organisational assets. 

Corrective 

 

 

Layer of restrictions added on the device 

Weak default passwords 

Most common and dangerous vulnerabilities include unauthorised access, privilege escalation, and data breaches. 

Major Assets are exposed including; information, technology, financial, human, reputation, regulatory.   

High 

High 

High 

Default credentials must be changed immediately upon deployment, and password policies should require complexity, length, and regular rotation to reduce predictability. Multi-factor authentication should be introduced wherever possible to add an additional layer of protection beyond passwords alone. 

Preventative 

 

Enforce a password policy to keep strong passwords 

 




Threats: 

  • Main Entrance is situated on a busy public street  

  • Shared PIN for entry to the office 

  • Server room heats up with high temperature 

  • Windows are always kept unlocked 

  • Connectivity issue on the ground floor 

  • Fire door located within the server room 

  • Fire alarm disabled on the first floor 

  • No receptionist  

  • Shared Workstations that can be reserved online 

  • All server-based infrastructure  

  • Some policies are in place but not tailored to the organisation/sector 

  • Inconsistent procedures for onboarding and offboarding 

  • No cloud-based services due to concerns 

  • Full system backups are stored on a USB drive 

  • USB drive is taken home by a member of IT 

  • 20 VPN Licenses 

  • Unenforced policy for password management 

  • All users have full administrative access 

  • Employees are encouraged to use their personal device 

  • Smart ID cards are in place but not supported 

  • The network passphrase is posted on a noticeboard at the front desk 

  • Visitors connect to the same network  

  • Majority of the content on the file server is accessible to all employees 

  • Calls are manually logged by apprentices on spreadsheets 

  • Pre-recorded training presentation created four years ago 





AI Threats:

  • Disgruntled employee previously damaged company infrastructure

  • Same four‑digit PIN used for all staff

  • Same PIN used for server room and main entrance

  • Windows kept unlocked at all times

  • High temperatures in server room

  • High temperatures in shared workstation area

  • Fire exits permanently locked

  • Fire alarm disabled on first‑floor lift door

  • No receptionist to monitor visitors

  • Staff responsible for monitoring visitors

  • Lift door used as shortcut by staff

  • Poor wireless performance in shared workstation area

  • Server room located on ground floor

  • Office located on busy public street

  • Cloud services not used

  • Cloud not used for storage

  • Cloud not used for backup

  • Weekly backups only

  • Backups stored on external USB drives

  • Backup drives transported manually

  • VPN licence limit (30 users)

  • Staff encouraged to download files locally

  • Staff encouraged to disconnect VPN to free licences

  • Default password “password1” for all new users

  • Password changes not required

  • Predictable username format

  • All users granted full admin rights

  • Personal mobile phones used for work communication

  • ID cards issued but features not used

  • Single wireless network for entire office

  • Wi‑Fi passphrase posted publicly on a noticeboard

  • Wireless colour printer often unavailable

  • Majority of file server content accessible to all employees

  • IT support requests logged via email

  • IT support calls manually aggregated in a spreadsheet

  • Staff training limited to short videos

  • Shared workstation area used by multiple staff

  • Poor wireless connectivity on first floor

  • No receptionist but visitor logbook still used

  • Server room contains duplicated “remote access” systems (documentation error)

  • Growing number of cybersecurity threats (not addressed)

  • Organisation questioned on preparedness

  • Budget limitations affecting cybersecurity

  • Obsolete infrastructure management

  • Critical network processes needing assessment

  • Wireless-only connectivity in shared workstation area

  • Wireless printer availability issues

  • Hybrid working with no mentioned security controls

  • Shared workstations with no access control

  • No enforcement of password policy

  • No enforcement of ID card functionality

  • No monitoring of visitors

  • No mention of MFA

  • No mention of encryption

  • No mention of RBAC

  • No mention of incident response plan

  • No mention of cybersecurity management plan

  • No mention of offsite backups

  • No mention of network segmentation

  • No mention of asset tracking

  • No mention of secure remote‑work controls

  • No mention of logging or monitoring beyond spreadsheets

  • Wireless network issues causing staff to rely on wired ports

  • Shared access to intellectual property

  • Risk of secondary data loss (handwritten note)

  • ID verification issues (handwritten note)

  • Poor connectivity (handwritten note)

  • Human error / poor evidence (handwritten note)

  • Outdated processes (handwritten note)

  • Serious security compliance implications (handwritten note)

  • Danger (handwritten note)

  • High risk of accidental damage (handwritten note)


 

Comments

Popular posts from this blog

OS A3 Task 2