
Factors that Are Contributing to the Increasing Vulnerability of Organisational Information Assets - Assignment Example


Extract of sample "Factors that Are Contributing to the Increasing Vulnerability of Organisational Information Assets"

MIS101 – Assignment Template – Trimester 2, 2013

Your Name: Insert your name here
Student Number: Insert your MIBT student ID number here
Deakin Email: Insert your MIBT email address here

Assignment – Part A

Question 1: Identify and discuss the factors that are contributing to the increasing vulnerability of organisational information assets.

Internet usage

Organizations are increasingly using the internet as a business tool to accomplish many functions. There are many threats to an organization's assets on the internet. If the people working for the organization are not well informed and trained on internet usage, they might not be aware of threats such as spyware and malicious programs, which makes the organization vulnerable to attacks from these sources (Harrington, 2005).

System complexity and connectivity

As an organization increases in size or operations, the nature of its activities also becomes more complex. If the organization adopts an information system, its information assets will be more vulnerable than those of a small organization (Foltz, 2004). This is because the more complex a system is, the greater the possibility of there being a flaw in the system. The system may also be accessible from different points, which may be an unintentional design flaw that has not been recognized. In the effort to ensure efficiency in operations or in doing business, an organization may have a system that is so connected that sensitive resources can be accessed remotely from the internet or via physical connections. The many accesses, privileges and portals increase the vulnerability of the organization's assets (Skoularidou & Spinellis, 2003).

Password management

Weak passwords and weak systems that may not be able to guard against intrusion make it possible for intruders and unauthorized people in the organization to access information assets, which they may then misuse for their personal gain (Foltz, 2004).

Question 2: Contrast unintentional and deliberate threats to an information resource. Provide two (2) examples of both.

Unintentional threats to an information resource occur when an action or inaction results in an unintended breach of system security and integrity (Huang & MacCullum, 2010). They include:

Software failures: these are usually noticeable whenever the software behavior is not in harmony with the intended system behavior. This is common whenever data is lost or the expected performance does not follow the issuance of a command. The causative factor is poor software development or software testing. This kind of scenario may result in an unintentional security lapse in the system or a system failure that can affect the core activities of a system.

Natural factors: these are factors that may be outside the control of management and thus threaten the system unintentionally. They include fire, humidity, water, heat and even dust. These factors may result in the system failing to perform as expected or being totally destroyed.

Deliberate threats, on the other hand, are the result of actions committed by humans knowingly to take advantage of information system vulnerabilities (Huang & MacCullum, 2010). They include:

Unauthorized disclosure, whereby a person who is not authorized to access a system is able to gain access through deliberate exposure, scavenging, or taking advantage of a system weakness.

Deception, a threat action where the authorized person receives data and believes it to be true whereas it is false. It is made possible through masquerade, where an unauthorized person gains access to a system and misuses it. It can also occur through spoofing or malicious logic (Foltz, 2004).

Question 3: Explain each of the following types of remote attacks: virus, worm, phishing, and spear phishing. What approach could you use to mitigate these information security risks within an organisation? Describe a scenario.

Viruses: these are computer programs capable of penetrating a computer system and attaching to the computer's files through the transfer of infected documents or programs over a network. A virus is then able to replicate multiple times without any instructions. Virus attacks can result in massive loss of data, program corruption and destruction of hardware (Kaufman & Speciner, 2002).

Worms: these are computer programs which are capable of penetrating a network system without the owner's knowledge and then propagating by themselves. They enter a system by exploiting a vulnerability of the system or by tricking a user into executing the malicious program. Their implications are similar to those of viruses (Mouratidis & Jahankhani, 2008).

Phishing: this is a cyber crime that attempts to acquire sensitive or confidential information such as passwords and credit card information through fraud. Cyber criminals usually send millions of emails hoping some recipients will respond to one of their messages (O'Beirne, 2002).

Spear phishing: fraudsters first gather your information by hacking websites or accessing social network profiles. They then masquerade as legitimate organizations or people you know, asking for personal information through email and convincing you to enter details at a fake website (Puuronen & Seleznyov, 2003).

Viruses and worms usually take advantage of the vulnerability of a system. This can be guarded against by having the computer's firewall on and installing powerful antivirus software. To protect an organization against phishing, internet security and a phishing filter should be in place. A policy should also be in place. For example, sensitive information should not be shared upon request without efforts to authenticate the identity of the person requesting the information.

Question 4: Define and contrast - risk acceptance, risk limitation, and risk transference.

There is risk in every aspect of our lives and in doing business as well. Risk is rarely eliminated in its entirety, but there are several approaches to risk management in information systems, as explained below.

Risk acceptance

Acceptance is simply an approach to managing risk whereby the system is allowed to operate within a known risk. The risk is accepted either because its implications are not very harmful or because of the high cost of mitigating it. Acceptance can be viewed as a practice of playing down the occurrence of an information systems risk (White & Pearson, 2001). The effect may be disastrous if an intrusion or security threat materializes.

Risk limitation

This is a very common approach to risk management that organizations adopt in managing the security of their information systems and assets. It involves searching for and fixing security flaws, or providing a control strategy and infrastructure to reduce the potential of the risk occurring in a security incident involving the system's frailty. Risk limitation is different from risk acceptance since management takes action to mitigate the risk and does not simply allow it to be (White & Pearson, 2001).

Risk transference

This is simply allowing another party to carry the information system risk. It is not a common phenomenon in information technology systems but has been practiced, especially where the financial implication of a risk can be quantified. Transference does not reduce or mitigate risk occurrence but rather reduces the impact of the risk occurrence on the organization (Bishop, 2004).

Assignment – Part B

A case study critical thinking analysis using Toulmin's Model of Argument (~600 WORDS). Use the Table provided for your answers.

Claim

Sensitive FBI data is not secure from attack.

Data

The FBI officials contacted argue that the data being held by the hacker group Antisec, which the group claims is Apple unique device identifier (UDID) information, was not in the possession of the FBI, nor had the FBI asked for such information. The FBI also says that no FBI agent's computer was confiscated or hacked into.

The FBI officials however agree that it is impossible to protect against data theft from every avenue of attack.

The FBI says through its officials that data leaks are a reality and that it is all about mitigating the impact to the organisation and individuals, meaning the information is actually very much accessible by high profile hacker groups.

The nature of the FBI's work means they use unconventional methods to obtain information, which might actually put sensitive FBI data at risk of leaking. In one hacking incident the FBI arrested several hackers and revealed that Sabu, the leader of a group associated with high profile hacking cases, was an FBI informant.

Warrant

The possibility of data in the possession of the FBI being stolen is confirmed by their admission of the difficulty of protection, and further by the admission that the FBI and other federal agencies are targets for attacks by hacker groups on almost a daily basis. The sites are therefore reviewed regularly to update their security features.

The FBI also admits that only mitigation of the impact of data theft can be done. Mitigation, or risk limitation, is the common approach adopted to secure IT systems in many organisations.

FBI agents and informants such as Sabu may well have links with criminal organisations and can use their privileges of access to information to steal and disseminate sensitive data.

Backing

The FBI, through some of its officials, confirmed the vulnerability of the data in their possession by saying it is difficult to protect the data from every possible attack source. The FBI can only mitigate the impact of a data breach.

The fact that the FBI may be infiltrated means it is possible that data may find its way out of the agency through rogue agents and informants.

Rebuttal

The FBI claims that data in their possession is safe since the validity of the disclosed UDIDs cannot be determined. Apple also confirmed it has never supplied the information to the FBI. Many users did not find their UDIDs in the released information, and thus the argument by the FBI may hold true if the hacker group does not prove that the information they have is valid.

Qualifier

The claim may be limited in that data from the FBI is not easily leaked in such massive amounts from the agency, judging from the prevalence rate in the past. The claim by Antisec also cannot be authenticated, and as such it is not clear where they sourced the data they claim to have. Apple denied having released the data to any third party, not even government agencies.

That such data may be in the wrong hands is a possibility, and as such Apple or the FBI should not claim the group is only causing excitement and fear. App developers can leak the data to malicious groups intentionally or unintentionally through system flaws.

Your Opinion

The data under FBI custody is not very safe from intruders, judging from the high profile attacks aimed at the agency. There is a possibility that it can be accessed, since the agency officials say they do mitigate the impact. The fact that humans with diverse interests in the bureau can access the data puts it at an even higher risk of leaking to fraudsters.

References

Bishop, M., 2004. Computer security: art and science. Addison-Wesley Professional.
Foltz, B., 2004. Cyber-terrorism, computer crime and reality. Information Management & Computer Security Journal, 12 (2), pp.12-23.
Harrington, J., 2005. Network security: A practical approach. Academic Press.
Huang, S., & MacCullum, D., 2010. Network security. Prentice Hall.
Kaufman, C., & Speciner, M., 2002. Network security: Private communication in a public world. Prentice Hall.
Mouratidis, H., & Jahankhani, H., 2008. Management versus security specialists: an empirical study on security related perceptions. Information Management & Computer Security Journal, 16 (2), pp.1-9.
O'Beirne, R., 2002. Computer network security and cyber ethics. Library Review, 51 (9), pp.12-19.
Puuronen, S., & Seleznyov, A., 2003. Using continuous user authentication to detect masqueraders. Information Management & Computer Security Journal, 11 (3), pp.7-15.
Skoularidou, V., & Spinellis, D., 2003. Security architectures for network clients. Information Management & Computer Security Journal, 22 (2), pp.23-45.
White, G., & Pearson, S., 2001. Controlling corporate email, PC use and computer security. Information Management & Computer Security Journal, 9 (2), pp.23-32.