

Vulnerability and Threat Report for Western Digital

Student Name

Institutional Affiliation

Course Name

Instructor Name

Date

Table of Contents

Overview
Scope of Work
Work Breakdown Structure
Threats and Vulnerabilities Report
Lesson Learned
Appendix A: Network Analysis Tools
Appendix B: Vulnerability Assessment
References

Overview

Credited as one of the largest manufacturers of hard disk drives, Western Digital has a presence in 10 countries and 28 locations worldwide. The corporation offers data storage devices and network-attached storage solutions for enterprise applications. Founded in 1970 and headquartered in San Jose, California, the second-tier competitor in the electronics industry designs, markets and distributes innovative storage products that are also used for consumer applications, USB drives, and memory cards (Western Digital, 2018). Their offerings include solid state drives, cloud storage solutions and data center systems. Initially, Western Digital sourced most of its disks from Toshiba and Fujitsu, but has made recent investments in fabricating its own NAND flash chips that are used to make SSDs.

As with any company, Western Digital is trying to ensure that there are no risks to operations and that the company is as safe as possible from attack, whether from inside or outside the company. To help protect itself, Western Digital is going to evaluate its protection system and engage in good security practices. The purpose of the vulnerability assessment is to identify critical points of exposure to risk in the organization's current processes and to determine the best mitigation measures to protect the information systems and data used to conduct day-to-day operations. The critical aspects within Western Digital have been identified as follows:

• Network Security - Firewalls
• Network Security - Wide Area Network, Local Area Network, and Wireless Infrastructure
• Network Security - Antivirus, Spyware and Malicious code detection
• Personnel - Awareness and Training
• Personnel - Background Checks
• Personnel - Incident and Response Training
• Physical Security - Physical Access
• Physical Security - Maintenance Program
• Cybersecurity - Information Systems Processes and Regulations

Scope of Work

This assessment was completed on-site. The assessment team was granted physical and logical access to specific systems under the supervision of a Western Digital employee. Companies may choose to allow a third party to remotely assess their data systems, and this process is not uncommon. Risks were identified and classified, and priority levels were assigned. The assessment team was given access on a need-to-know basis and was not privy to any information from other systems or departments outside of its scope. Threats to the security architecture and configurations of the enterprise were determined. Due to an external embargo, some details related to system architecture could not be disclosed in this report. The following are the tasks and assets under review: external and internal networks, applications, wireless, voice-over-IP assessments, social engineering assessments, as well as physical security assessments and penetration tests.

Work Breakdown Structure

The work breakdown structure required to conduct the vulnerability assessment is identified in the following table.

| Category | Task |
|---|---|
| Internal: employee or contractor, compliance with regulations, guidelines | Test the internal network for penetration threats |
| | Examine the current safety procedures and guidelines |
| | Analyze existing security awareness training |
| External: technology, accessibility, network, database | Test the external network for penetration threats |
| | Check web applications for malicious activities |
| | Assess wireless networks for exploitation dangers |
| | Test VOIP |
| | Scan for social engineering threats |
| Installed security: locks, access control | Monitor physical security mechanisms for brute force access |
| | Determine risks associated with information systems |
| | Gauge the safety of financial and asset management applications |
| Compliance: state, federal laws | Ascertain conformity with legal requirements |
| | Consider adherence to contractual agreements |

Threats and Vulnerabilities Report

Internal Threats

| Category | Threat | Prioritization | Explanation of Threat | Vulnerability | Risk (Probability) |
|---|---|---|---|---|---|
| Personnel | Social Engineering | 7 | Naive people exploited | Physical access monitored properly and there are holes that could be exploited | High |
| Personnel | Data Leakage | 2 | Data is made available to untrusted personnel | Requirement for there to be software to advise when unauthorized media is plugged into network or when large amount of data leave the network | Low |
| | | | | Spectrum not monitored for unauthorized wireless or Bluetooth connections | High |
| Personnel | Illegal Activities | 6 | Illegal activities occurring on the company network | No software on network to look for illegal activity and unauthorized activity | Low |
| | | | | Bad/malicious/harmful/illegal sites not blocked | Medium |
| | | | | Scans are not occurring frequently enough to look for this type of activities. | Low |
| Network Security | Insider Threat | 1 | Disgruntled or malicious employees conducting nefarious activities | Some administrators are given higher privileges than required. | High |
| | | | | Background checks may not be completed properly. | Low |
| Network Security | Privilege Abuse | 5 | Users with escalated privileges doing nefarious acts | No segregation of activities | High |
| | | | | Proper Controls are not in place to counter this threat | High |
| | | | | Proper monitoring is not in place | Low |
| Physical Security | Employee Theft | 4 | Theft of material by employees | Potential use of biometrics not in place to ensure control of material by monitoring personnel and ensuring they are authorized to conduct activities | High |
| Cybersecurity | Outdated Policies and procedures | 3 | Policy that is not up to date for technology and procedures can make it difficult to hold users accountable | Outdated policy makes it difficult to ensure users adhere to policy | High |

External Threats

| Category | Threat | Prioritization | Explanation of Threat | Vulnerability | Risk (Probability) |
|---|---|---|---|---|---|
| Personnel | Phishing | 6 | Gaining sensitive information by appearing to be a legitimate source | Unaware users | High |
| Personnel | Data Breaches | 2 | Sensitive or confidential data viewed stolen or utilized by personnel who do not have authorization | Storing more data than needed for job | High |
| | | | | Not safeguarding data | Medium |
| | | | | Not destroying data properly | Low |
| | | | | Outdated policy and procedures for sensitive data | High |
| | | | | Unaware Users | High |
| | | | | Portable media not controlled properly | Medium |
| Physical Security | Social Engineering | 7 | Naive people exploited | Unaware users | High |
| | | | | Insufficient training for security personnel | Medium |
| | | | | Processes and procedures either misunderstood or out of date | High |
| Network Security | Malicious Threats | 1 | Software intended to provide access to unauthorized personnel; or damage to networks | Outdated or not installed anti-virus | Low |
| | | | | Outdated or not installed malware software | Low |
| | | | | Outdated or not installed spyware software | Low |
| Network Security | Eavesdropping | 4 | Unknown or unauthorized listening to electronic/radio communications | Spectrum not scanned to identify unauthorized users | High |
| | | | | Spectrum not scanned to identify unauthorized users | Medium |
| | | | | Anomalies not monitored on network | Low |
| Network Security | DDOS | 5 | Making network unavailable through malicious attacks | No monitoring for DDOS | Medium |
| | | | | No method to throttle traffic to counter DDOS | Low |
| | | | | Firewall not configured to counter DDOS | Low |
| Cybersecurity | Outdated Policies and procedures | 3 | Policy that is not up to date for technology and procedures can make it difficult to hold users accountable and to ensure network is functioning safely. | Outdated policy makes it difficult to ensure users adhere to policy | Medium |

Lesson Learned

Pervasive flaws in the way information is handled can lead to a data breach, which may result in serious business disruptions. A vulnerability is a flaw in the design or implementation of a computer system or computer network that allows an attacker to gain unauthorized access to the system or network (Yeboah-Ofori & Islam, 2019). On the basis of their impact, threats are classified into low, medium, high and critical levels. Critical threats are those that pose a risk to employees and can potentially cause disruption to the organization's day-to-day operations. The confidentiality and integrity of data should be priority considerations when data are handled. What this means for Western Digital is that their data should not be vulnerable to any threat and they should take precautionary steps in safeguarding it.

Technical and non-technical controls should be used to protect the organization's assets. The personnel and policies that are employed should be managed in a way that protects and secures the organization's intellectual properties, intellectual assets and technology. Additional measures should be taken to ensure that physical access to data is limited to only those people who have a business purpose for it. Likewise, physical security should be maintained on the premises where information is stored to prevent any unintended or malicious physical access. Sufficient and appropriate protection involves constant monitoring of the network and endpoints.

Another lesson learnt is that it is extremely important to be able to articulate the identified risk to leadership in a manner that they understand and that is not very technical in nature. The risk needs to be quantified in terms of how it affects the operations of Western Digital and how taking the necessary action will help to mitigate the risk and protect the operations of Western Digital. Documenting the risks is also very important so that they can be a part of the overall cyber security risk management plan and so that a course of action can be recommended. The status of the risk management exercise should be updated at regular intervals to ensure that it is not slipping through the net for any reason. When this does happen, it is important to report it and make it known to the board so that they will have a better understanding of what is going on.

It is critical to have a detailed plan, be thoughtful and utilize available data. Even though the risk is not ongoing and should not be kept for too long, it is important to establish an action plan that can be used as a template model. In order to determine whether there are any known vulnerabilities that might be exploited by a threat agent, information should be obtained from the source. The details of the vulnerability should be reviewed, and if there are any recently published vulnerabilities, they should be incorporated into the plan. This helps to guide resource allocation, set priorities and get leadership buy-in and support for the plan. It is critical to have leadership buy-in or the vulnerability assessment will be doomed from the beginning.

Vulnerability management must be ingrained within the operations of an organization (Talbot & Jakeman, 2011). A vulnerability assessment cannot just be conducted and shelved. The recommendations must be put in place or the organization will remain vulnerable. It is important to first identify the threats that could be exploited. The vulnerability assessment must be conducted in a manner that does not disclose any sensitive information while identifying weaknesses inherent in the information systems, in personnel or physical security, and within the processes and policy that could be exploited, leading to an attack from within or outside the organization. After that, it is time to assign a level of probability to each prospective danger, such as "high," "medium," or "low." This helps to provide a method to tackle the issue or risk and to decide how to apply resources within the organization to mitigate the threat to the organization.



Finally, remediation plans are to be put in place. This involves the implementation of measures that would remove the vulnerability or mitigate its impact. The implementation of a plan does not immediately mitigate the risk and is not an end-all solution. An organization should monitor the progress of remediation on a regular basis and take corrective action if corrective measures have not been taken within a specified period of time. This is extremely important and requires the leadership to decide which measure to put in place first and to approve the implementation plan of the mitigation measures.

Appendix A: Network Analysis Tools

Network analysis tools are a must for performing vulnerability assessment and penetration testing (Lamba, 2014). The use of these tools helps an "attacker" to identify network services, protocols, CMS in use and host names. This information is then used to gain further access and expose more vulnerabilities within the organization. If Western Digital's employees are trained on accountability and proper policies are formulated, these tools will help secure critical elements of the organization. There are a number of tool sets that are required during the vulnerability assessment of Western Digital.

A network audit ensures all the components of the network are understood and that no unauthorized components join the network. An example of such a tool is Network Mapper (Nmap), which can also be used to monitor network traffic, host or service uptime, and to detect unauthorized communication (Husák et al., 2021). Packet analysis tools identify live hosts, the firewall used, operating systems and network devices on a network. Wireshark is fit for this job and can sniff data contained in packets that traverse the network. Another technique that must be used is port scanning. This helps identify ports that are open or closed on the network and whether firewalls are in place to prevent unauthorized access to private networks. Port scanning can help with the discovery of CMS applications, or web services in the case of a private cloud system. The most common port scanners are Nmap and Hydra (Arhami & Hidayat, 2019).
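The network audit described above, as an added example (not part of the original report and not Western Digital tooling): it parses Nmap's grepable output and compares it with an authorized asset inventory to flag unknown hosts and unexpected open ports. The sample scan, the 192.0.2.0/24 documentation addresses and the inventory are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG -` output (fields are tab-separated).
# Addresses come from the documentation range 192.0.2.0/24.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (fileserver)\tStatus: Up\n"
    "Host: 192.0.2.10 (fileserver)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\n"
    "Host: 192.0.2.20 (web01)\tStatus: Up\n"
    "Host: 192.0.2.20 (web01)\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///, "
    "8080/closed/tcp//http-proxy///\n"
    "Host: 192.0.2.77 ()\tStatus: Up\n"
    "Host: 192.0.2.77 ()\tPorts: 23/open/tcp//telnet///\n"
)

# Hypothetical asset inventory: authorized hosts and the TCP ports each may expose.
INVENTORY = {
    "192.0.2.10": {22, 445},
    "192.0.2.20": {443},
    "192.0.2.30": {22},
}

HOST_RE = re.compile(r"^Host: (\S+) \([^)]*\)\t(.*)$")

def parse_grepable(text):
    """Return {ip: set of open TCP ports} for every host line in the scan."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment or blank line
        ip, rest = match.groups()
        ports = hosts.setdefault(ip, set())
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    ports.add(int(parts[0]))
    return hosts

def audit(scan, inventory):
    """Compare scan results with the inventory; return sorted findings."""
    findings = []
    for ip, ports in scan.items():
        if ip not in inventory:
            findings.append((ip, "unauthorized host", sorted(ports)))
        elif ports - inventory[ip]:
            findings.append((ip, "unexpected open ports", sorted(ports - inventory[ip])))
    for ip in inventory.keys() - scan.keys():
        findings.append((ip, "inventoried host not seen", []))
    return sorted(findings)

if __name__ == "__main__":
    for ip, issue, ports in audit(parse_grepable(SAMPLE_SCAN), INVENTORY):
        print(f"{ip:<12} {issue:<26} {ports}")
```

In the constructed data, the open FTP port on 192.0.2.20 is reported as unexpected, which is the kind of finding the internal matrix in Appendix B lists under unauthorized FTP use.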

The entire corporate Western Digital network must be scanned to determine the vulnerabilities that exist within it. Scanning tools can be used to identify missing patches, misconfigurations and the presence of known vulnerabilities. A very popular and respected tool that is widely available is Nessus (Kott & Arnold, 2013), and this will be used by the team. A password cracking tool called John the Ripper can be used to audit passwords against a database of previously cracked or leaked passwords. Western Digital must ensure that the passwords used by its employees do not appear in that database.

Appendix B: Vulnerability Assessment

Internal Threat and Vulnerability Matrix


| Threat/Vulnerability | Classification | Priority | Analysis Tool Used | Remediation Plan |
|---|---|---|---|---|
| Unsecured workspace | Physical Security | Medium | Threat detection software | Require a password re-entry after a pre-determined amount of time |
| Out-of-date rules and regulations | Personnel Security | Medium | Check to see whether they meet current requirements | Initiate or revise processes and policies; Annual Guidelines and Regulations Review |
| Use of FTP sites to transport massive amounts of data between networks | Network Security | High | Network discovery tool and network analysis tool | Develop a policy that ensures that unauthorized FTP sites are no longer used at Western Digital and monitor the network to ensure they remain off the network |
| Weak Passwords | Personnel | High | Vulnerability scanner | Develop a policy that ensures that unauthorized FTP sites are no longer used at Western Digital and monitor the network to ensure they remain off the network |
| Uninformed Employees and Disgruntled employees | | | Network traffic analysis and personnel security process | When it comes to phishing and social engineering schemes, employees who are not aware of the company's security procedures or confidentiality provisions are easy prey. User training, background checks, and network traffic audits are necessary because disgruntled workers are more inclined to misuse or sell company information for personal benefit |

External Threat and Vulnerability Matrix


| Threat/Vulnerability | Classification | Priority | Analysis Tool Used | Remediation Plan |
|---|---|---|---|---|
| Unrestricted internet access | Network Security | High | Vulnerability scanner and vulnerability exploit tool | Whitelist or Blacklist sites for use from Cypher X computers to ensure sites that are accessible are safe |
| Phishing | Personnel | High | Vulnerability scanner and vulnerability exploit tool | Configure SPAM filter and system to detect anomalies in the email header, as well as the content of the email |
| Outdated OS or Applications with vulnerabilities | Network Security | High | Vulnerability scanner and vulnerability exploit tool | Automatic patching and updates pushed to all clients on the network to ensure the vulnerabilities from unpatched software do not exist on the network |
| Social Engineering | Personnel | High | Vulnerability scanner and vulnerability exploit tool | Provide training and user awareness training to ensure they understand social engineered attacks and ensure that the data available to socially engineer e-mails or other types of phishing attacks are not available publicly |

References

Arhami, M., & Hidayat, H. T. (2019, June). Analysis and implementation of the Port Knocking method using Firewall-based Mikrotik RouterOS. In IOP Conference Series: Materials Science and Engineering (Vol. 536, No. 1, p. 012129). IOP Publishing.

Husák, M., Laštovička, M., & Tovarňák, D. (2021, August). System for continuous collection of contextual information for network security management and incident handling. In The 16th International Conference on Availability, Reliability and Security (pp. 1-8).

Kott, A., & Arnold, C. (2013). The promises and challenges of continuous monitoring and risk scoring. IEEE Security & Privacy, 11(1), 90-93.

Lamba, A. (2014). Cyber Attack Prevention Using VAPT Tools (Vulnerability Assessment & Penetration Testing). Cikitusi Journal for Multidisciplinary Research, 1(2).

Talbot, J., & Jakeman, M. (2011). Security risk management body of knowledge. John Wiley & Sons.

Western Digital. (2018). Western Digital. Western Digital. https://www.westerndigital.com/

Yeboah-Ofori, A., & Islam, S. (2019). Cyber security threat modeling for supply chain organizational environments. Future Internet, 11(3), 63.
