Wednesday, May 6, 2020

Assessing and Exploiting Internal Security: Free Samples to Students

Question: Discuss the topic of Assessing and Exploiting Internal Security.

Answer:

Introduction

The objective of this report is to understand the security risks in the IT space and explore various mitigation strategies in order to gain professional experience of the risk management field. The report includes a critical analysis of the various IT security risks and risk mitigation approaches such as detection systems, firewalls and vulnerability scanners (Marinos, 2012). The security risks are evaluated in terms of the vulnerabilities of the systems, while mitigation strategies are evaluated on the basis of their potential to reduce these vulnerabilities. The report also explores the feasibility of using cyber-insurance as a risk mitigation strategy. The report is divided into three sections: a discussion of the concept of IT security in the technology space, an exploration of IT security and access control models, and an assessment of threats.

Cyber security is crucial to every organization in today's connected world. Daily occurrences of exposures and risks raise concerns as the number of cyber attackers increases. Attackers use new and advanced strategies to launch attacks, leaving organizations vulnerable to threats. While technologies support the core business processes of an organization, focusing on technology alone is not sufficient to make an organization secure; an informed business culture has to be created that is both aware of security risks and capable of dealing with them when exposed (Barlock, Buffomante and Rica, 2014). Organizations build security management capabilities in three areas: prevention, detection and response. Prevention is achieved by implementing governing procedures, which involves creating awareness of security risks among staff through training and building accountability and responsibility in them to operate in a secure manner (NIST, 2014).
Detection involves monitoring events and incidents that suggest risk, such as strange patterns of usage caused by cyber attackers. When evidence of an attack is received, a pre-planned response is used to respond to the attack by deactivating the exploited technologies and following a recovery procedure (Stephanou, 2001). At this stage, management may use forensic analysis skills to understand attacks and respond to them (Marinos, 2012).

Some common cyber security mistakes that leave company systems insecure and unprotected were observed in the study of IT security. These include the following.

Companies want to gain 100% protection, which is not feasible in reality, but this tendency leads them to make mistakes: they implement all possible solutions and assume that security has been achieved. Instead, organizations need to develop a defensive posture and work sufficiently on each of the areas of prevention, detection and response (Intuit QuickBooks, 2014).

Companies that invest in the best technology solutions often assume that they are thereby protected, but cyber security does not depend on the technology used alone, so they still need to apply sufficient protective measures (CenturyLink Solutions Consulting, 2014).

With advanced security measures implemented, companies assume that they have better tools than the hackers or attackers, which may not actually be the case and can put the companies at risk (Bayne, 2002).

When it comes to compliance with cyber security procedures, companies usually assume that it is only about monitoring. The actual motive behind these procedures is not just to monitor but to help companies achieve a better level of protection, which is only possible when the companies use the procedures to understand the evolution of threats and ensure that appropriate lessons are learnt from their evaluation (Barlock, Buffomante and Rica, 2014).
IT Security Models

Access Controls

IT security involves prevention, detection and response to security risks. Access control mechanisms are the methods used for the prevention of security threats. The objective of implementing an access control mechanism is to take care of three security categories: confidentiality, integrity and availability (ISC, 2010). The information of users has to be kept private to maintain confidentiality. This information must also be protected such that it can only be used by authorised people, to maintain integrity. The information has to be made available sufficiently and on time to the users (IBM Global Technology Services, 2011). Access control deals more with the preservation of confidentiality and integrity, and it provides protection against information disclosures and internal attacks (DHS, 2009).

There are several access control models used by organizations to establish access control mechanisms, such as Lampson's matrix and discretionary access control, Bell-LaPadula, lattice-based and mandatory access control, and role-based access control (RBAC) (JIRA Security and Privacy Committee (SPC), 2007).

Lampson's matrix: In this model, a matrix of operations and resources is created, and whether each should have read or write control over specific resources is determined. The matrix contains a list of capabilities in rows and permissions in columns. This is a very basic model that serves as a foundation for other models (Office of the Privacy Commissioner of Canada, 2015).

Discretionary access control: It is similar to Lampson's matrix, but it also identifies ownership relationships between subjects, such that permissions are granted at the owner's discretion. However, this model has some drawbacks. Users can at times opt for insecure rights, such as 777, if they are given these discretionary rights.
Further, a discretionary user can copy the data of another user (ESET, 2016).

Bell-LaPadula, lattice-based and mandatory access control: This mechanism is designed to work with classified documents in computer systems. Access is granted based on a classification that considers both the object's classification and the user's clearance. These classifications are categorised as unclassified, confidential, secret and top-secret. This mechanism is most effective in maintaining the confidentiality of a system, as it involves effective user classification (MYOB, 2016).

Role-based access control (RBAC): RBAC provides a family of classifications that associate permissions with roles. Permissions are not directly assigned to users. This model is very useful in overcoming the administrative difficulties of an organization; it can reduce both complexity and cost for the company. An interesting feature of this model is that roles are hierarchical, which means that they can inherit permissions from their parents. The model identifies core concepts, role hierarchy and constraints between concepts. All models classify access controls in different ways and have different benefits, so the appropriate model may be chosen based on the individual requirements of an organization (Thion, 2007).

IT Security Threat and Risk Assessment

Several risk and threat assessment methodologies exist today. Some are open source while others are proprietary. All have similar objectives: to identify what requires protection, what the threats are, what the vulnerabilities are, what the implications of exploiting these vulnerabilities are, and what can be done to minimise the impact or loss.
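Returning to the access control models described in the section above, the following is an added example (written for this page, not code from the report or from any of the cited sources) that implements each model in miniature: a Lampson access matrix, a DAC grant that only an owner may make (plus a check for the "777" mistake the text warns about), a Bell-LaPadula decision over the four named levels, and RBAC with a role hierarchy. All subjects, objects, roles and modes are constructed sample data. The "no write down" rule in the BLP function is the standard *-property and is an assumption beyond what the text states, which only names the levels; in the RBAC part, "parent" is taken to mean the more junior role whose permissions a role inherits.

```python
"""Added example: toy implementations of the four access control models.
All names below are constructed sample data, not from the report."""
from typing import Dict, Optional, Set, Tuple

# --- Lampson's access matrix ---------------------------------------------
# Rows are subjects, columns are objects, cells hold the permitted operations.
AccessMatrix = Dict[Tuple[str, str], Set[str]]

MATRIX: AccessMatrix = {                       # constructed sample matrix
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
}


def matrix_allows(matrix: AccessMatrix, subject: str, obj: str, op: str) -> bool:
    """Lampson's matrix: an operation is permitted only if the cell lists it."""
    return op in matrix.get((subject, obj), set())


# --- Discretionary access control ----------------------------------------
OWNERS: Dict[str, str] = {"payroll.xlsx": "alice"}   # constructed ownership relation


def dac_grant(matrix: AccessMatrix, owners: Dict[str, str],
              granter: str, obj: str, grantee: str, op: str) -> bool:
    """DAC: only the object's owner may extend the matrix, at their discretion.
    Returns False (and changes nothing) when the granter is not the owner."""
    if owners.get(obj) != granter:
        return False
    matrix.setdefault((grantee, obj), set()).add(op)
    return True


def is_world_writable(mode: int) -> bool:
    """Flags the '777'-style mistake: the 'other' write bit is set."""
    return bool(mode & 0o002)


# --- Bell-LaPadula / mandatory access control ----------------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def blp_allows(clearance: str, classification: str, op: str) -> bool:
    """Simple security property (no read up) and *-property (no write down).
    The *-property is the standard BLP rule (assumed here; the report only
    names the levels)."""
    c, o = LEVELS[clearance], LEVELS[classification]
    if op == "read":
        return c >= o
    if op == "write":
        return c <= o
    raise ValueError(f"unknown operation {op!r}")


# --- Role-based access control with a role hierarchy ---------------------
ROLE_PERMS: Dict[str, Set[str]] = {            # permissions attach to roles only
    "employee": {"view_timesheet"},
    "manager": {"approve_timesheet"},
    "director": {"approve_budget"},
}
PARENT: Dict[str, str] = {"manager": "employee", "director": "manager"}
USER_ROLES: Dict[str, Set[str]] = {"carol": {"manager"}, "dave": {"employee"}}


def role_permissions(role: Optional[str]) -> Set[str]:
    """Collect a role's own permissions plus everything inherited up the chain."""
    perms: Set[str] = set()
    while role is not None:
        perms |= ROLE_PERMS.get(role, set())
        role = PARENT.get(role)
    return perms


def rbac_allows(user: str, perm: str) -> bool:
    """Users are never assigned permissions directly, only through roles."""
    return any(perm in role_permissions(r) for r in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    print("bob write payroll:", matrix_allows(MATRIX, "bob", "payroll.xlsx", "write"))
    print("0o777 world-writable:", is_world_writable(0o777))
    print("confidential user reads secret:", blp_allows("confidential", "secret", "read"))
    print("carol approves timesheet:", rbac_allows("carol", "approve_timesheet"))
```

The DAC drawback from the text is visible in the code itself: nothing stops an owner from granting a mode such as 0o777, so `is_world_writable` is the kind of check a policy review would run over discretionary settings, whereas `blp_allows` refuses the same disclosure regardless of what any owner wants.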
The outcome of any risk assessment process must be a recommendation of methods that can increase the level of protection of data availability and of system integrity and confidentiality, while keeping the usability and functionality of the systems intact (Xero, 2016).

Scope: The assessment scope is identified at the beginning of the assessment process to help an analyst understand what needs to be covered in the assessment, what needs protection, and what level of protection is required. The scope also helps an analyst identify the systems or applications that can be used in the assessment. The scope must present both internal and external perspectives, and the level of detail should be based on the needs of the intended recipient of the assessment.

Data Collection: Once the scope is determined, the next step is to collect data on all procedures and policies used in the organization for risk management. Surveys or interviews involving the users may be used, in addition to direct data collection from organizational documentation, to collect data about the systems. The information collected at this stage may include details of service levels, running services, wireless leakage, operating systems, intrusion detection systems, port scanning, phone systems, network applications, firewall tests, physical system locations, access control mechanisms, and identified network vulnerabilities.

Policies and Procedures Analysis: The policies and procedures of the company are reviewed and analysed to determine whether they comply with the security baselines defined by the IT industry, such as ISO 17799, BSI 7799 and ISO 15504. Any non-compliance must be reported at this stage if the company is required to comply in order to ensure the required level of protection (Engine Yard, Inc., 2014).
Vulnerability Analysis: Vulnerability analysis involves the detection of false positives, penetration testing, and the grading of vulnerabilities by severity and exposure. The objective is to understand whether the organization has the right protection measures for its current level of exposure to risk, such that the confidentiality, availability and integrity of IT systems are safeguarded. A variety of tools can be used for this analysis, such as Nessus, Sara, Whisker and SAINT. With these applications, companies are able to identify false positives in their security risk assessments. However, before selecting any tool for vulnerability analysis, it is important that the reliability of the tool is accurately determined (Forrester Consulting, 2015). The table below illustrates how the grading system of the risk assessment works at this stage:

| Severity of risk | Risk rating | Exposure |
|---|---|---|
| Minor severity: risks with small loss if exploited | 1 | Minor exposure, which does not cause additional vulnerabilities |
| Moderate severity: risks which cause moderate loss if exploited | 2 | Moderate exposure, which can affect more than one system component if exposed |
| High severity: risks that can cause major damage (HP Enterprise, 2015) | 3 | High exposure, which can put major components of the system at risk (Herzog, 2001) |

Based on the considerations in the table above, risks are graded in the assessment as follows:

A minor exposure with minor severity is reflected by the rating 1.
A minor exposure with moderate severity, or minor severity with moderate exposure, is counted as 2.
Highly exposed systems with minor severity, or high severity with minor exposure, are graded 3.
High exposure with moderate severity, or moderate exposure with high severity, is given a rating of 4.
Risks that pose the highest exposure and highest severity to the IT system are given the highest rating of 5 (Bayne, 2002).

Threat Analysis: Next, a threat analysis follows, in which the various types of possible threats that can damage the IT system of an organization are analysed. Threats to IT systems can be split into human and non-human elements. Human elements include physical theft, hacking, accidental mistakes, inadequate training on security aspects, backup operators posing risks, and other human interventions from technicians or electricians. Non-human elements include natural disasters such as floods, earthquakes and lightning strikes, as well as viruses, fire, electrical issues, heat control problems, dust and plumbing (Symantec, 2002).

Acceptable Risks: A final assessment step is to analyse risks on the basis of whether they can be accepted without suffering a significant loss. Decisions on acceptability are not taken at the assessment level, but the level of risk that can be acceptable to the organization can be highlighted so that the level of protection needed can be gauged without risking over-protection, which wastes resources (Stephanou, 2001).

From these steps it can be concluded that risk assessment is not a solution that ends the risks to the company; it is only a source for understanding threats and implementing protective mechanisms. The assessment is not a one-time process but has to be continually reviewed by the organization to understand its changing security requirements (Herzog, 2001). However, the security assessment techniques identified here are sufficient to assess the risks and explore solutions for prevention, detection or response to the threats to IT systems (Ferraiolo, Kuhn and Chandramouli, 2003).

Conclusion

This report was made to explore the security risks in the IT space and various mitigation strategies, to understand how companies use security systems and mitigation measures, and to assess their potential for protecting the company through security risk management strategies.
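The severity/exposure grading from the vulnerability analysis step above, applied to a constructed list of findings, as an added example (written for this page; it is not code from the report or any cited source). The five combinations the report states are returned exactly as stated. The report does not grade a moderate-severity/moderate-exposure finding; every stated pair happens to satisfy severity + exposure - 1 on the table's 1-3 scale, so that formula is used only to fill that one gap and is an assumption, not something the report says. The finding names are constructed samples.

```python
"""Added example: the report's severity/exposure grading as a function,
plus a ranking of constructed sample findings. Not from the report."""
from typing import Dict, List, Tuple

# The three levels from the report's table, on its 1-3 "Risk rating" scale.
LEVEL: Dict[str, int] = {"minor": 1, "moderate": 2, "high": 3}

# The (severity, exposure) -> grade pairs the report states explicitly.
STATED_GRADES: Dict[Tuple[str, str], int] = {
    ("minor", "minor"): 1,
    ("moderate", "minor"): 2, ("minor", "moderate"): 2,
    ("high", "minor"): 3, ("minor", "high"): 3,
    ("high", "moderate"): 4, ("moderate", "high"): 4,
    ("high", "high"): 5,
}


def grade_risk(severity: str, exposure: str) -> int:
    """Return the 1-5 grade for a (severity, exposure) pair.

    Stated pairs come straight from the table. The single unstated pair,
    moderate/moderate, is filled with severity + exposure - 1 (= 3); that
    formula reproduces every stated pair but is an assumption of this
    example, not a rule given in the report."""
    sev, exp = severity.strip().lower(), exposure.strip().lower()
    if sev not in LEVEL or exp not in LEVEL:
        raise ValueError(f"unknown level: {severity!r}/{exposure!r}")
    return STATED_GRADES.get((sev, exp), LEVEL[sev] + LEVEL[exp] - 1)


def rank_findings(findings: List[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Grade each (name, severity, exposure) finding and sort highest grade
    first (ties by name), so the acceptable-risk decision starts at the top."""
    graded = [(grade_risk(sev, exp), name) for name, sev, exp in findings]
    return sorted(graded, key=lambda g: (-g[0], g[1]))


# Constructed sample findings (hypothetical names, not real results).
SAMPLE_FINDINGS: List[Tuple[str, str, str]] = [
    ("Default community string on core switch", "high", "high"),
    ("Version banner on internal web server", "minor", "minor"),
    ("Wireless leakage beyond the office", "moderate", "high"),
    ("Unpatched internal file share", "high", "minor"),
]

if __name__ == "__main__":
    for grade, name in rank_findings(SAMPLE_FINDINGS):
        print(f"{grade}  {name}")
```

Keeping the stated pairs in an explicit table rather than only the formula means a later change to the organization's grading policy (for example, grading moderate/moderate as 4) is a one-line edit that cannot silently alter any other cell.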
It was found that protection is dealt with at three levels: prevention, detection and response. Security mainly deals with protecting confidentiality, availability and integrity. Some models of access control were identified that support integrity and confidentiality. Different models have different benefits and thus can be used selectively based on the individual requirements of an organization. It was found that security risk assessment is used by organizations for assessing and planning risk control measures. A few steps were identified in risk assessment that were effective in identifying threats, assessing risk potential and identifying possible areas that need to be protected.

References

Barlock, S., Buffomante, T., and Rica, F. (2014). Cyber security: it's not just about technology. KPMG.
Bayne, J. (2002). An Overview of Threat and Risk Assessment. SANS Institute.
CenturyLink Solutions Consulting. (2014). CenturyLink Assessments: Security, Infrastructure and Disaster Recovery. CenturyLink Technology Solutions.
DHS. (2009). A Roadmap for Cybersecurity Research. DHS.
Engine Yard, Inc. (2014). Security, Risk, and Compliance. Engine Yard.
ESET. (2016). Trends 2016: (In)Security Everywhere. ESET.
Ferraiolo, D. F., Kuhn, R., and Chandramouli, R. (2003). Role-Based Access Control. Artech House.
Forrester Consulting. (2015). Security: The Vital Element of the Internet of Things. Cisco.
Herzog, P. (2001). Open-Source Security Testing Methodology Manual. OSSTMM.
HP Enterprise. (2015). Cybersecurity Challenges, Risks, Trends, and Impacts: Survey Findings. MIT.
IBM Global Technology Services. (2011). Security and High Availability in Cloud Computing Environments. IBM Corporation.
Intuit QuickBooks. (2014). Security You Can Trust: 7 Reasons to Believe. Intuit QuickBooks.
ISC. (2010). The Pursuit of Integrity, Honor and Trust in Information Security. ISC.
JIRA Security and Privacy Committee (SPC). (2007). Information Security Risk Management for Healthcare Systems. MITA (Medical Imaging Technology Alliance).
Marinos, L. (2012). Consumerization of IT: Risk Mitigation Strategies. ENISA.
MYOB. (2016, September 13). Protecting your confidential information. Retrieved from MYOB: https://myob.com.au/myob/australia/myob-security-recommendations-1257829253909
NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
Office of the Privacy Commissioner of Canada. (2015). Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?: Privacy and Security Risks of a BYOD Program. Office of the Privacy Commissioner of Canada.
Stephanou, T. (2001). Assessing and Exploiting the Internal Security of an Organization. SANS Institute.
Symantec. (2002). Vulnerability Assessment Guide. Symantec.
Thion, R. (2007). Access Control Models. France: University of Lyon.
Xero. (2016, September 13). Your data is safe with multiple layers of security. Retrieved from Xero: https://www.xero.com/accounting-software/security/
