Wednesday, December 4, 2019

Cyber Threat Vulnerabilitie Place Federal â€Myassignmenthelp.Com

Question: Discuss About The Cyber Threat Vulnerabilitie Place Federal? Answer: Introduction Information System has become a very important infrastructure in any company across the world. The survival of most companies today is based on the security of their information system. However, there has never been an integrated model that has the capacity to access the possible security risks and effectively protect the information as well as the assets. Information systems such as emails, messengers, e-commerce, chatting, and m-commerce via the internet, are increasingly exposed to cyber security accidents (Bagchi, 2017). In order to ensure effective performance of any information System, a company must invest in securing the system. In addition, a proper risk management system must be put in place. This can only be done through the employment of several distinct measures. It is indisputable that there is a continued need to secure information systems (IS) (Anton, Anderson, Mesic, Scheier, 2004). There have been increased incidences of IS security and risks (Kaschek, Kop, Claudia, 2008). Information system security and risk management require continuous assessment of any risk that may be exposed to the system. Discovery of any risk should be prevented within the shortest time possible. The major component of Information system security is risk management process (Pfleeger Pfleeger, 2012). The process should be incorporated alongside risk assessment. The process of risk management should be done through the installation of preventive measures of future security problems to the system. SI risk assessment practice is in compliance with the security standards that have been set by HIPAA as well as CEISP. Risk assessment enables organizations to determine risk levels that are acceptable to them. They are then able to set appropriate security requirements. Investigation, tools, and techniques According to Information System (IS) security experts, one of the main techniques of risk management process is a risk assessment. The assessment should be done by professionals who are well trained and can easily identify risks in the information system before the system becomes vulnerable. Risk management refers to continuous a process that involves analysis, planning, monitoring and implementation of security measures of an information system (Kovacich, 2003). The process has since become a policy in most organizations across the world. Risk assessment which is a type of risk management process is executed in an interval of time. It can be done on yearly basis or on demand, based on the security requirement of the given Information System. It is important to note that risk management is a process that entails a sequence of events and activities. There are structuring and re-configuration processes that are involved in risk management. Organizations often tend to generate instantiations that are favorable to them. It is necessary to conduct an assessment of an organizations IS the security controls from time to time. However, the continuous assessment cannot fully secure an information system (Tipton Nozaki, 2012). A fully secure system demands for continuous monitoring of the system. A development life cycle of the system should also be put in place to monitor the effectiveness of the system over time. One technique that Hewlett-Packard Company uses for securing the system is through continued monitoring of the systems security details. In addition, all the changes that are made to the system are documented so that there is a reference whenever there is a security threat to the system. Reference can also be made when a risk is discovered in the information system (Jones Ashenden, 2005). Based on the result of security assessment report, remediation actions would be conducted at a later stage. The final security status is reported to the officials who are in charge of the system. HP company management has made effort and ensured that there is periodic review of the information systems security status. The security techniques are based on the guidance of NIST SP800-37. The company has come up with their own approaches that they use in managing their information systems and the possible changes that may be associated with them. Responsibilities of an owner of the information system would be greatly reduced if configuration management is done so that there is only one common security control. However, HP is a multinational company and has the financial capacity to employ enough personnel who can effectively manage their systems. In addition, Hewlett-Packards information system administrators have accorded priority to volatile security controls in the system since they h ave a greater impact in any organization (Alberts Dorofee, 2002). Risk analysis matrix and control It is almost impossible to develop an integrated security model that can be used to address all the risks associated with an information system (Bidgoli, 2016). The proposed risk analysis matrix is through adaptation of software risk management. One of the attributes of software quality is the software itself. The security risk should, therefore, be investigated in terms of the software risk. Security risk refers to the damage or attacks that are made towards an information system. According to the risk analysis matrix, damages that are made on the assets of any organization as a result of cybersecurity can be categorized according to the vulnerability and threats to the assets. The security analysis matrix shows four steps involved in the security risk analysis. In the first step, assets, vulnerabilities, and threats of a given organization are identified. They are then evaluated. The resultant outputs are finally used to carry out security risk analysis. Finally, risk mitigation measures are put in place to reduce, and where possible eliminate threats that the assets may be exposed to. The mitigation measures, therefore, play a very crucial role in minimizing security risks. Domain analysis which is the first step of customizing security risk analysis is meant to improve the accuracy of the model. The threats, assets, and vulnerabilities are therefore analyzed based on their domains (Kramer, 2013). For example, information systems of a financial institution are completely different from those of a financial institution or a learning institution. The analysis that follows is that of classification of the assets, vulnerability and the threats. Assets can be classified as data, documents, software, hardware, and circumstances. Threats may be classified as human or non-human, network or physical, accidental or deliberate and technical or environmental (Dacey, 201 0). The vulnerability may also be classified based on administration, personnel, physical circumstances, technical hardware, and software. Based on these arguments, the product of loss or damage and the probability is equal to security risk (Dacey, 2010). Loss x probability = Risk The risk in this scenario is the reduction in value of an asset when the asset becomes vulnerable. Probability refers to the chance of occurrence of a threat. Security risk matrix Likelihood of risk Extremely high Medium Generally low Risk impact High Failure to secure the password to the companys server Failure to audit the companys information system Missing security indicators on the server Moderate Failure to secure the companys wireless internet from unauthorized use Usage of un-updated antivirus and firewalls Failure to back up the companys external servers Low Failure to frequently change the password to the server Failure to secure the servers backup Provision of weak passwords to third parties Analysis of relevant threats and vulnerabilities The first step of any analysis of threats and vulnerabilities is the identification of threats that could expose vulnerabilities of an information system. The identification can be done through consideration of the connections and dependencies of the system. In addition, inherited risks, software faults, controls, incorrect file permissions and personal changes must also be closely monitored. Possible vulnerabilities that are associated with every threat are then considered. There is the possibility of a vulnerability being associated with a series of threats if not just one threat. Inputs are then collected from past risk assessments, security advisories, security test results, audits among many others. Disaster Recovery (DR) plan The success of any disaster recovery plan is determined by how well the design is. It is, therefore, necessary to ensure efficient operations during disaster recovery (Kim Solomon, 2016). The recovery should start with a strong defense that provides border protection. The defense should be provided by an external firewall that borders the services of VPN and the router (Velliquette, 2004). Hewlett-Packard has installed an external firewall to their VPN and all their routers. All the three have configurations that have the capacity to transverse all the boundaries of the organization or company (Swanson, 2011). Firewall is the main component of the security infrastructure of any information system. Computer security network should incorporate firewall that incorporates hardware specifications as well as software specifications. Issues of redundancy and physical security should also be taken into account. There should then be an approach plan for fulfilling the primary needs of the or ganization or company in the course of disaster recovery (Velliquette, 2004). Meanwhile, the management of the company should certain their prioritized services so as to secure their systems further. In addition, companies should sign against the limited functionalities during disaster recovery (Velliquette, 2004). The management of HP has equally made that as a rule to be followed by its staff in charge of information system management. Any recovery approach that has been agreed upon should be configured with the perimeter defense such that the perimeter defense would automatically shift to the state of pre-disaster just before any normal operation. The current policy of the company should be considered during the development of the firewall contingency plan. Security modules such as A CERT can be used to test the disaster policy of many firewalls. A method should be implemented to monitor traffic that moves from pre-disaster state to post-disaster state. The method can be tested with the use of relevant data from the very company. A border router that has packet filtering can be used in non-application type of vulnerabilities. Proposal for a contingency plan Information System plays a very important role in the world today. It should, therefore, be in a position to operate without any disruption (Khosrowpour, 1996). A contingency plan is intended to set back the system back into operation whenever there is a disruption. Most of the disruptions are as a result of security risks. The plan simply revolves the acronym of the system and then sets the information system back into operation. A robust contingency plan should incorporate ISCOs and other disaster recovery plans (Kovacich, 2003). Hewlett-Packard company has recovery disaster plans which is in accordance with International security management Acts. The company has incorporated a disaster recovery that can be used to retrieve its information systems acronym in the event of any disruption An established plan that consists of the recovery phase, activation phase, and reconstitution phase should be maximized (Kovacich, 2003). Thereafter, resources and procedures should be identified. They would assist in maximizing the effectiveness of the operation. Responsibilities should be assigned to facility personnel. They would provide further advice that would be of great benefit in the recovery process. Finally, there should be cooperation among all the persons who are involved in the Contingency planning (Swanson, 2011). There should also be a coordination of external points and associated vendors. Furthermore, the owners of an Information system must support the development of a proper ISCPs. The developed ISCOs would be meant for those Information Systems that are ranked much higher. Hewlett-Packard, being a renowned world leading electronics company, the company management has taken all these measures in securing and managing their information systems. Analysis and report on Controls How tools are used in the organization with reference to OSI layers The very first step that should be considered when securing information is the elimination of any information leakage. The information resources should never be compromised at any cost. The physical layer of OSI model explains that obvious things should never be considered as being obvious. In many occasions, technologists have failed to realize that simple measures are equally very important in life (Pace, 2004). Hewlett-Packard Company for an instant has put in place stringent measures to secure leakage of information from the company. Simply obtaining a clue of a resource is enough to declare it as one that has been compromised. There should a proper plan for recovering information in the event that the information data is compromised. A good recovery plan is judged based on its success in the event that information resource has been compromised. There are some harmful tools towards OSI model. However, the problem can be eliminated through an analysis. The network layer of an OSI model is where routers and firewalls operate. The layer provides the best path that links a destination to the source. It is also within the layer that IP addresses are provided so that variables or systems can be uniquely identified. A system that is connected to the internet has an IP address. The address provides a way such that there is contact between the outside world and the system. In order to find a system on the internet, it is a requirement that one has to know the specific public IP address of the system. The same applies to applications. Security of the system is therefore increased through the configuration of the IP addresses such that one cannot easily compromise. Just like other world leading companies, Hewlett-Packard Company has configured their IP address. In addition, they have encrypted all their services to further enhance the security of their information system. The encryption service symbolizes the presentation layer of OSI layer. The technique scrambles all the available content. Encryption provides a sophisticated special code. One must, therefore, reveal the code before h e or she can access the system. The application layer of OSI points towards applications that are based on end-user products. The layer supports authentication and use of other applications (Pace, 2004). The commonly used authentication at the level is a password which is assigned to a unique ID. An individual must key in the unique ID alongside a password in order to access information data. Failure to present the unique ID and a correct password mean that the individual would not have access to the system. It, therefore, reinforces the security of the system since it eliminates people who are not supposed to access the system. An account can be redesigned so that it adheres to a policy. For example, it can specify the length of the password, a combination of letters, digits and or even special characters. The duration over which one can use a password can equally be altered. Such move would simply increase the security level of the system network (Pace, 2004). Organizational units covered by the security policy The information system has security policies that must be observed in every company. At Hewlett-Packard Company, there are users who have been assigned appropriate policy rights. The users are the only ones who are able to modify the security policy of the company. If a new computer if brought into the company domain, then the security policy of the domain would apply to the new computer (Brotby, 2009). The policy of the domain overrides any change that an individual may make to the system at the level of computer desktop (Syngress, 2003). Security policy is a preserve of computers. There are also security groups which are in use in the company by many employees. Security policy enables an individual to apply a given security profile to several computers that are meant to be secured. On the other hand, security group provides standardized rights that are to be adhered to by all the members of a given group. Organizational units can be regrouped to form logical units that are to be used by the users, resource objects and groups as well. The adjustment is always done through a hierarchy which is nested within a domain (Johnson, 2014). Organizational units that are based on a given domain operate independently. Every domain, therefore, has the capacity to fulfill the demands of its own hierarchy. Similarly, domains that are coordinated from one central authority can employ common organizational unit hierarchies. Business Contingency Plan (BCP) based on the risk plan It is sound superfluous for a company to plan for disaster when all its systems are smoothly functioning. Despite that, some degree of care must be undertaken. Hewlett-Packard Company uses logic manage and cloud based tools as its business continuity tools. The tools are able to retrofit all the companys data in case of disaster and then load it back to the system. All gaps would hence be eliminated. The business continuity plan hence foster confidence among the managers of the companys information system. In addition it increases their efficiency and encourages them to embrace innovation. Best practices in security risk management Best practices are necessary for ensuring that the information system of a company is completely secured. Some of the best practices include; Expertise should be considered when choosing the individuals in charge of managing the companys information system. The chosen personnel should avoid access to the companys security controls. The individuals should also have been certified by international associations in charge of privacy such as CIPM or CIPP among others (Brotby, 2009). Business associates of the company must adhere to security and privacy requirements of the same level. They must also comply with HIPAA The management of information system of the company must regularly provide an audit report of the system and recommendations. The report should be detailed detailing all possible vulnerabilities. Conclusion Effectiveness in the performance of a given information system is based on its management. There are several security risks that Information systems are exposed to. Managers of organizations and companies must, therefore, invest in securing the information systems. A completely secure system is free from threats and vulnerabilities. There is no process that has the capacity to shield an information system from all possible security risks. As such, every organization must employ a contingency plan. In addition, there must be a recovery plan that can be used in case the information system is attacked. References Alberts, C. J., Dorofee, A. J. (2002). Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley Professional. Anton, P. S., Anderson, R. H., Mesic, R., Scheier, M. (2004). Finding and Fixing Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation Methodology. Rand Corporation. Bagchi, N. (2017). Management Information Systems. Vikas Publishing House, Bidgoli, H. (2016). Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management. John Wiley Sons. Brotby, K. (2009). Information Security Governance: A Practical Development and Implementation Approach. John Wiley Sons. Dacey, R. F. (2010). Federal Information System Controls Audit Manual (FISCAM). DIANE Publishing. Johnson, R. (2014). Security Policies and Implementation Issues. Jones Bartlett Publishers. Jones, A., Ashenden, D. (2005). Risk Management for Computer Security: Protecting Your Network and Information Assets. London, UK: Butterworth-Heinemann. Kaschek, R., Kop, C., Claudia, S. (2008). Information Systems and e-Business Technologies: 2nd International United Information Systems Conference, UNISCON 2008, Klagenfurt, Austria, April 22-25, 2008, Proceedings. New York: Springer Science Business Media. Khosrowpour, M. (1996). Information Technology Management and Organizational Innovations: Proceedings of the 1996 Information Resources Management Association International Conference, Washington. Idea Group Inc (IGI),. Kim, D., Solomon, M. G. (2016). Fundamentals of Information Systems Security. Jones Bartlett Publishers. Kovacich, G. L. (2003). The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program. Butterworth-Heinemann. Kramer, J. (2013). The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam. John Wiley Sons. Pace, K. A. (2004). Global Information Assurance Certification Paper. SANS Institute. Pfleeger, C. P., Pfleeger, S. L. (2012). Analyzing Computer Security: A Threat/vulnerability/countermeasure Approach. Chicago: Prentice Hall Professional. Swanson. (2011). Contingency Planning Guide for Federal Information Systems. DIANE Publishing. Syngress. (2003). MCSA/MCSE Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam 70-291): Study Guide and DVD Training System. Syngress. Tipton, H. F., Nozaki, M. K. (2012). Information Security Management Handbook, Sixth Edition, Volume 6. CRC Press. Velliquette, D. (2004). Computer Security Considerations in Disaster Recovery Planning.Retrieved from https://www.sans.org/reading-room/whitepapers/recovery/computer-security-considerations-disaster-recovery-planning-1512. GIAC Security Essentials Certification. Wilshusen, G. C. (2009). Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk: Congressional Testimony. DIANE Publishing.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.