CS 3473 - Assignment 1

"People who live in glass houses shouldn't throw stones."

As cybersecurity professionals, we throw a lot of stones, by judging the cybersecurity posture of our employers or organizations we help secure. It is important to have one's own house in order. 

In this assignment you will conduct an asset inventory as well as a preliminary risk assessment, for your home network.

Steps

Network Inventory

• Document all devices connected to your home network, including computers, smartphones, tablets, smart home devices, routers, and any other internet-connected devices. You may be able to use a service on your router which provides these details, or a separate tool which gathers some of this data for you.

• For your network devices, indicate how many internet access points (i.e. things which offer some form of connectivity to another device) exist, both wired and wireless, and their security configuration. You will likely be surprised how many devices have some form of connectivity.

• For each device include details such as device name, type of connectivity, manufacturer, model, operating system, and firmware version.

• Note: In order to not make your assignment submission an exploitable document, do not provide any identifying information about your network, such as physical location, IP addresses, etc. :)

Asset Inventory

• Document the assets which are accessible from your home network, such as the types of documents stored, local and cloud application/ services used, and the "physical" features of your home which are accessible via your network (for example, perhaps your garage door, your lights, etc.). What processes do you execute through your network? (these are "assets" too).  Think from the perspective of information, people, processes, or technology. List these in a column in spreadsheet.

• Classify these assets according to their importance to you and other users of your network. Think in terms of what would happen if the asset was made public, was damaged or inaccurate, or if it became unaccessible. Pick an asset value scale that works for you: low, medium, high or a numerical range like 1-5. List these in another column in your spreadsheet.

• Assess the impact of loss, damage, or inaccessibility of the asset. Assign these at either low, medium, or high.

Threat Identification

• Identify an as comprehensive as possible list of potential threats to your home network. Consider external threats (e.g., malware, hacking attempts) and internal threats (e.g., unauthorized access by family members or guests). Think creatively - if you were the perpetrator, how would you get at those assets you care about, given what you know about your configuration? You may find some online research with respect to threats to home networks informative and useful.

• Classify threats based on their likelihood and potential impact.

Your spreadsheet should now look somewhat like this (yours should be much longer and more detailed though):

Risk Assessment and Action Identification

Compare your impact and likelihood scores.  Assets with high impact and/or likelihood scores should be assigned a top priority. Identify your priorities.

Then identify potential things you could do to reduce risk for your highest priority items. Develop a checklist of things to implement, in order of priority.

Deliverables

Prepare a complete, but concise, report that includes the findings from each step of the assessment.

• Use appropriate headings and describe what you did, discovered, and concluded.

• Use clear and concise language, providing detailed information and explanations where necessary.

• Include diagrams, or any other visuals that enhance the understanding of your assessment.

• Include your inventory and risk assessment spreadsheet. 

Grading Criteria

• Thoroughness of the network and asset inventory.

• Completeness and effectiveness of the threat assessment.