
Factors Contributing to the Increasing Vulnerability of Business Information Assets - Assignment Example

Summary
The paper “Factors Contributing to the Increasing Vulnerability of Business Information Assets” is a cognitive example of a business assignment. The paper identifies the factors contributing to the increasing vulnerability of organizational IS. One of the reasons why defense mechanisms fail to adequately protect information assets is because they do not anticipate threats from all networks…

Extract of sample "Factors Contributing to the Increasing Vulnerability of Business Information Assets"

MIS101 – Assignment Template – Trimester 2, 2013
Your Name: Insert your name here
Student Number: Insert your MIBT student ID number here
Deakin Email: Insert your MIBT email address here

Assignment – Part A

Question 1: Identify and discuss the factors that are contributing to the increasing vulnerability of organisational information assets. (~250 Words)

One of the reasons why defence mechanisms fail to adequately protect information assets is that they do not anticipate threats from all networks. Most organisations cite their internet connection as the most frequent point of attack. Further, security experts argue that information security is often ignored by senior and middle managers (Honan, 2010). Research indicates that most IT executives do not treat information security as critical to their functions. As a result, information assets are more exposed to security breaches than is necessary. Experts recommend that those responsible for information assets must understand the threats the information is exposed to. They must also examine the vulnerabilities inherent to the systems that process, transmit and store data.

Another problem is a lack of organisational vigilance in updating security mechanisms such as anti-viruses and media backups, and this negates the benefits of all security initiatives. Research indicates that only 50% of all organisations have a consistent security policy. Even among those with a security policy, there is a lack of ethics training through a security education and awareness program. Most security compromises involve human failures such as accidental activation of viruses and worms and insider abuse of internet access (Honan, 2010). Research indicates that most organisations invest heavily in security systems such as firewalls and anti-viruses, yet over 80% of all security breaches are caused by people and processes. The lack of a security culture within the organisation negates the advantages of advanced security systems. Organisations increasingly invest in technology, yet initiatives such as risk analysis and proactive intelligence gathering have more profound effects on information security (Honan, 2010).

Question 2: Contrast unintentional and deliberate threats to an information resource. Provide two (2) examples of both. (~250 Words)

Unintentional threats are acts committed without malicious intent and include human errors. Such errors do not pose a serious threat to information resources. Human errors present the greatest unintentional threat to the security of organisational information. Employees of an organisation, especially those in human resources and management information systems, have access to sensitive information. HR staff have access to sensitive personal data, while MIS staff control the means of creation, storage, transmission and modification of data (Cohen, 2009). Human errors include careless handling of computing devices, opening suspicious e-mails, careless internet surfing and poor password selection. Other unintentional threats include social engineering tactics such as tailgating, where intruders access high-security areas, and shoulder surfing, where an attacker watches the screen of another person over his shoulder. Social engineering results from unintentional human error on the part of the employee being tricked by the attacker into revealing confidential information (Cohen, 2009).

Deliberate threats, on the other hand, aim at tampering with an organisation’s information resources. Methods of deliberate attack include espionage or trespass, information extortion, identity theft, software attacks and compromising intellectual property. Spyware gathers users’ individual information without their permission. Spyware can be in the form of keystroke loggers, which record a user’s keystrokes and web browsing history, or screen scrapers, which record a continuous movie of what a user does on the screen (Cohen, 2009). Spam-ware is alien software designed to use a computer as a launch pad for spammers. Spammers then use the computer to attack other computers in the system.

Question 3: Explain each of the following types of remote attacks: virus, worm, phishing, and spear phishing. What approach could you use to mitigate these information security risks within an organisation? Describe a scenario. (~250 Words)

Phishing attacks use deception to acquire sensitive information through imitations of official e-mail and instant messages. Spear phishing uses e-mail fraud to get unauthorised access to confidential information resources; the aim is to steal trade secrets or to obtain financial gain. The e-mail messages appear to come from a trusted source such as a senior manager, unlike in phishing, where they appear to come from trusted companies such as eBay. A virus is computer code that performs malicious actions on an information system by attaching to another program (Wilhelm, 2013). A worm is computer code that performs malicious actions without needing to attach to another computer program.

One method of mitigating these risks is the use of communication controls. Firewalls regulate service controls between two networks. Anti-malware systems are software packages that identify and eliminate worms, viruses, and all other forms of malicious software. White-listing is where an organisation allows software that is not perceived as malicious to run. Blacklisting allows only software that has not been blacklisted to run. Encryption converts a message into a form that cannot be read by any person other than the intended receiver. Employee monitoring systems monitor employee computers, internet surfing and e-mail activities with the aim of mitigating security risks (Kim and Solomon, 2012).

For example, the colonel effect is a spear phishing tactic used to trick employees into clicking a link that downloads spyware or other forms of malware. A person impersonates a senior official and uses an address similar to that of the senior official to trick subordinates into downloading the malware. To mitigate such risks, security drills should be conducted regularly in the organisation to warn employees against responding to unexpected requests for confidential information (Wilhelm, 2013).

Question 4: Define and contrast - risk acceptance, risk limitation, and risk transference. (~250 Words)

Risk acceptance is the act of accepting a potential risk, operating without control of the risk and absorbing all the consequences of the risk. Acceptance is often applied to risks that involve extremely high costs to mitigate. Risk managers should always ensure that risk acceptance is put in writing by the managers making the decision. Risk acceptance is also considered when the risk is low or the asset involved is of low value and the probability of risks affecting the asset is low (Snedaker & McCrie, 2011). In other instances, the cost of accepting the risk is lower than the cost of mitigation or transfer.

Risk limitation is an attempt to mitigate a risk by implementing controls that minimise the impact of the threat. Risk limitation involves fixing a flaw or providing some form of compensation to lower the impact associated with a risk. For instance, IT managers can install a security patch provided by the software vendor as a way of mitigating the consequences of the risk (Snedaker & McCrie, 2011).

Risk transference is the transfer of the consequences of a risk so as to compensate for the loss; for instance, an organisation might insure its information system. Unlike acceptance and limitation, transference involves allowing another party to accept the risk, thus lowering the impact of the risk on the organisation. When risk is transferred, it is shared with a third party either wholly or in part. A practical method of risk transfer is the use of third-party web hosting to host an organisation’s website (Snedaker & McCrie, 2011). This transfers part of the risk to the vendor.

Bibliography

Cohen, EB 2009, Growing Information: Part 2, Informing Science: New York.
Honan, B 2010, ISO27001 in a Windows environment, Governance Publishing: Cambridgeshire.
Snedaker, S & McCrie, R 2011, The best damn IT security management book period, Syngress Publishing, Inc.: Washington DC.
Kim, D & Solomon, M 2012, Fundamentals of information systems security, Jones & Bartlett Learning: Sudbury, MA.
Wilhelm, T 2013, Professional penetration testing: Creating and learning in a hacking lab, Elsevier: Waltham MA.
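
The spear-phishing scenario in Question 3, where the sender uses an address similar to a senior official's, is something a mail gateway check can flag before the message reaches subordinates. The following is an added example, not part of the original assignment; the addresses, the PROTECTED directory and the distance threshold of 2 are assumptions chosen for illustration.

```python
import unicodedata

# Constructed directory of senior officials' real addresses (hypothetical).
PROTECTED = {"col.j.harris@example-corp.com", "cfo@example-corp.com"}

# Digits commonly substituted for similar-looking letters.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(addr):
    """Comparison form: NFKC-normalised, lowercased, look-alikes folded."""
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    return addr.translate(CONFUSABLE).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance computed with one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender, protected=PROTECTED, max_dist=2):
    """Return 'known', 'lookalike' or 'unrelated' for one sender address."""
    if sender.strip().lower() in protected:
        return "known"
    folded = skeleton(sender)
    if any(edit_distance(folded, skeleton(p)) <= max_dist for p in protected):
        return "lookalike"
    return "unrelated"


# Constructed sample senders, as they might appear in a mail gateway log.
SAMPLE_SENDERS = [
    "col.j.harris@example-corp.com",   # the real address
    "col.j.harris@examp1e-corp.com",   # digit 1 in place of letter l
    "col.j.haris@example-corp.com",    # one letter dropped
    "newsletter@vendor.example",       # unrelated external sender
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{classify(s):10} {s}")
```

A legitimate staff address that differs from a protected one by a character or two would also be reported as a lookalike, so the directory passed as `protected` should hold every genuine internal address, not only the senior officials'.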
