The Importance of Information Security - AAN Limited - Essay Example

? AAN case study Table of Contents Table of Contents 2 0Introduction 3 2.0Information Security and devices 4 2.1Highly Secretive Organizations 4 2.2Human factors in security 7 2.3Technical security 10 2.4Physical Security 13 3.0Conclusion 15 List of References 16 1.0 Introduction The importance of information security cannot be overemphasized. Many efforts have been put in place to protect personal and private data from infringement and theft for intellectual purposes or simply destruction by people considered enemies of the state. As such, many governments all over the world are in pursuit of reliable data monitoring, investigation and other intelligence driven motives electronics that will guarantee such an achievement (Barkan, et al., 2008, pp.392-429). Many countries, especially those in the Asian continent have appreciated the need for information security and they are now facing a very steep learning curve as they have embarked on evaluation and assessment of the new technologies in use and those in the market in order to establish their viabilities, vulnerabilities threats of security and their strength in ensuring that security threats are minimized or eliminated (Faisal, et al., 2007, pp.667-699). Various strategies have been put forward to help tackle security problems in India and the government has seen the need to indulge international firms that could be contracted to provide these monitoring and investigation electronic devices. AAN Limited is a company that deals in small electrical products that do have minimal intellectual property value compared with other companies that design the same. The company has sought markets within the Asian region in the past three years. Following this marketing campaign, AAN needs to bid for a contract that is highly ambitious able to impact the organization in a massive scale. This contract is owned by the Indian government where the contractor will have to design a variety of cutting edge electronic products that would be made use of in the secret services of India. The use of these products will be put to use in the monitoring and investigating those people who are a threat to the national security of India. The contract will be worth 144 million sterling pounds in the first two years and an additional sum of 134 million for the next three years after the first phase bringing the total contract to a value of 278 million sterling pounds per year. This report aims to address various issues related to security as far as the audit done on AAN case study is concerned. 2.0 Information Security and devices 2.1 Highly Secretive Organizations Highly secretive organization means being a firm that does not expose its dealings to the public. In this case, what happens within the organization is little known to people who are not selected to know. Such organizations deal with top secret or confidential information most especially that relating to the state security and other government machineries. Highly secretive organizations have been known to exist in the minds of many without necessarily having a name or label to identify them a factor which makes it even hard for non-involved party to discuss or even know anything about them in real life and what they do. Most of these secretive organizations are related to the states in which they operate and in their operations, they use high technology devices to track information, monitor movement of people and goods, and make various investigations with the aim of establishing more information that could be used for security purposes (Challa & Pradhan, 2007, pp.87-96). They also use cryptographic modules which do conform to high set standards that form what might be called approved security standards entailing cryptographic algorithms, key management techniques by use of cryptography, and techniques of authentication with the objective of protecting the government’s sensitive information or their own from the public and people considered threats to security (Garg & Verma, 2009; Sahin & Robinson, 2002, pp.505-536). If AAN was to be part of this highly secretive organization or achieve this extreme degree of secrecy, then it will have to do various things which form the basics of these secretive organizations. First of all, they will have to access electronic devices that are able to fully protect their information, track and monitor movement and relay this information back to AAN, and be able to use it for investigation purposes. Secondly, they will have to learn how to keep secrets by closing loopholes from within which could be used to leak information to the threats and this should entail a thorough scrutiny of the agents they employ before engaging them in employment contracts. Oaths are important so that failure to meet the oath taken, repercussions abound which need to be very extreme. Thirdly, they have to employ the various techniques of coding information which could be done by the electronic devices acquired by using the cryptographic modules such as cryptographic algorithms, key management techniques that require user keys in order to access certain places and data, and authentication techniques. Thirdly, since AAN enjoys the government’s protection, it would be able to bar export of these electronic devices so that they do not fall in the hands of their enemy. This could be done through export control measures to protect the intellectual property rights of the products. The fourth way was to engage the Indian government in providing certain security standards for other people that would want to import or make such security devices. Their devices should not be much encrypted to the extent that the government agency cannot track their activities since this will be considered a security threat. Such kind of measure gives AAN an upper hand in ensuring that all internal activities within the country by people and organizations are well monitored and investigated when need be (Kenekayoro, 2010, pp.267-269). The main security standards that these devices have to conform to are classified into different levels. Level 1 security standard gives the lowest limit of providing security where fundamental requirements for security are stipulated for any cryptographic module and this include the need to have at least one algorithm that has been approved. These requirements are related to the production-grade component of these electronic devices (NIST, 2001). Security level 2 does enhance the physical mechanisms of security that have been set in level 1. This is done by adding the standard of having tamper evidence where tamper evidence coating or pick-resistant locks or seals are used. At this level, the minimum threshold for security encompasses role-based authentication where a cryptographic module is able to authenticate any form of authorization of any operator to perform some roles and needed services in AAN. A trusted system might also be used (National Institute of Standards and Technology, 2001). Security level 3 standards are aimed at locking out threats to security from accessing the AAN premises and data that is held in cryptographic module. These physical security measures are aimed at providing a high probability of AAN to detect and give an immediate response to attempts sensed in accessing, using or even making modifications to the cryptographic module in place. This standard demands availability of identity-based mechanisms for authentication, which enhances the level of security that is given by the role-based mechanisms for authentication that have been noted in level two. This standard demands that there be input or output of plaintext Critical Security Parameter (CSP) including those with split knowledge procedures which only operates under the trusted paths tied to other interfaces. At this point, high levels of cryptography are employed (Allagui & Lemoine, 2008, pp.24 – 30). The use of trusted paths between interfaces assists in ensuring that the plaintexts CSPs and other software and firmware are protected from those firmware or software that are untrusted or which might get executed in the AAN’s system (National Institute of Standards and Technology, 2001). The level 4 standards give the most concrete security that could be defined for AAN. The physical security devices should be able to give a very complete envelope that has the capacity to give protection of the cryptographic module with the main objective of detecting, monitoring, and responding adequately and fast to any form of unauthorized attempts to gain entry either by foreign software execution or simply physical entry. In this case, any penetration of the enclosure given to the cryptographic module coming from any direction should be able to be detected, a process that results into an immediate zeroization of any available plaintext CSPs. This standard would allow for these electronic devices to be used in areas within India that do not have enough physical protection (Bellare & Rogaway, 1994, pp. 92-112). This standard is also meant to give protection to the cryptographic module against any form of breach on security as a result of conditions within the environment or fluctuations that occur outside the operating ranges of the module by an enemy who attacks the cryptographic modules with the aim of thwarting its functionalities. All these standards also demand that the security devices should be able to be executed on a general purpose computing system by use of an operating system that is trusted or meets other standard requirements (National Institute of Standards and Technology, 2001). 2.2 Human factors in security Changing organizational culture towards employees becoming more information security aware is very important for a highly secretive organization to be effective in what it does. Management for this kind of organizations are faced with very high complexities in the management of their organization’s security and AAN is not an exception. This approach to security is aimed at ensuring that attacks are prevented from occurring even when they seem to be very sophisticated (Salisbury, et al., 2001, pp.165-176). Employees in AAN will be subjected to huge amounts of data and most of which is very sensitive and thus a culture that ensures the security of these data and devices used is very critical in AAN. In order to shift the paradigms related to culture within an organization so as to achieve a mode in which security is inherent part of the working of an organization needs serious changes in the whole cultural structure of the organization. There are needed to be in place control systems, various staff security policy measures, good organizational structures that are adjusted in order to fit within the context of security through cultural change, and evidence must be present to qualify the claim that actually cultural change is happening. To this extent, it is very essential to change the individual staff behaviours throughout the whole organization in order for them to be able to provide adequate support to the new policies in place, procedures and the organizational structures (Berritella, et al., 2007). A more applicable approach for AAN is by incorporating the employees within many decision-making processes, training and general creation of awareness. Failure to integrate security measures in the whole organizational practice is detrimental to the functioning of AAN. All the people and staff of AAN must be in a position to practice the security measures on a daily basis and adapt to them. Policies and practices related to security must be built on the structures and frameworks for the organization with the aim of promoting good security practices (Linkov, et al., 2004, pp.15-54). The organization needs to promote and increase the level of self-awareness of security needs by each and every employee. Promoting an environment that considers security to be its main core of operation is important to ensure a security sensitive culture. As mentioned, training and practice based on policies and procedures being implemented are very important. Understanding the process of decision-making within the organization could also be a very important factor in enhancing change in organizational culture (Hodgkinson & Sparrow, 2002, pp.34-45). Developing a social media policy that covers (amongst other points) data leakage is very important in AAN. Social media offers many opportunities to AAN organization but could also pose serious risks to security through leaks during social interactions. Social media like twitter and Facebook have influenced the way people do things and interact and could be used as avenues for sharing sensitive information since minimum controls are enforceable due to matters related to privacy of personal information and the fact that people could still communicate in anonymity. The policy to control security over social media at AAN should put into consideration the controls on authentication. This would entail putting limits into the extent at which information can go. Administrative user accounts need to have enough security in order to protect data leaks. A policy regarding, when to use social media networks by employees and what to put across in such platforms need to be put in place. One of the main policies of AAN could be that no employee is allowed to share AAN’s information in whatever form to an outside party or even internal agents when not authorized to do so. Things such as cross site scripting or XSS should not be used within the AAN environment. There must be a clear distinction between the AAN’s lines and the personal lines of employees so that information is not traversed with intentions of sharing information. Communication within AAN on its social media should be within trusted paths in order to avoid leakage. Use of public social media to communicate should only be allowed outside the premises of the organization and that employees will be aware of the need to keep separate personal life and AAN’s operations. Certain security measures need to be employed such as desktop security, password usage where minimum password requirements are set to avoid easy hacking, awareness should be created on phishing attacks to enable employees notice them whenever they occur, different malwares should be well defined and security precautions made, and internet security needs to be put in place. However, changing the behaviour of all employees towards being sensitive on what information they can share is very important (Forman & Gass, 2001, pp.469-486; Venkatesh & Davis, 2000, pp.186-204). Developing organizational procedures that help with the recruitment and management of staff are very important. AAN should take advantage of the various methods of recruitment and evaluation of employees. Job analysis would come in handy in order to find best qualified candidates who meet the requirements of AAN given that security is an important asset for AAN. Among the necessary procedures in recruitment and management of staff should be the thorough training on handling security issues and the need to always keep them secretive without leaking any information to the public or even closer friends (Grandzol, 2005, pp.2-13). Job description will also help manage the staff in terms of who is to know what and who is not supposed to know within the AAN. An organization like this thus demands that policy and procedures based on chain of command are important in order to know who had what information, who did he or she reveal to, and who leaked it in case leakage occurs since if everyone within AAN accesses information, it would be hard to establish who might have leaked in case that occurs (National Security Agency, 2000; Garrett, 2004, pp.1-18). 57 % of internet users in 2010 indicated that they got spam through social media which was an increase of 70% from the year 2009. 36% reported having received malware through social media sites which was a 69.8% rise from the previous year. 24 % of businesses surveyed in 2009 indicated that they had experienced compromise from employees using social media sites, 25% for peer to peer sites, and 325 of their employees did download harmful software from the internet. Over 60% of companies reported having received successful antivirus attacks. Spyware accounted for 57% while phishing was 47%. This shows the extent at which information security breach can go (Garrett, 2004, pp.1-18). 2.3 Technical security Table 1: the technical problems relating to the current network and site set up Problem Priority Solution The network lines at AAN have not been fully secured and this will create big problem because information can easily be leaked (Alghamdi, 2007, pp.36-44). High Various recommended security software need to be made use of and the lines encrypted in order to create a trusted path of information relay. Priority Description High i. Password security issues which result from poor use of passwords. Minimum requirements for setting passwords should be put in place. Sharing passwords should be discouraged. ii. Phishing is another issue and this includes the suspicious messages sent on screens. The users should disregard the suspicious messaged and report to IT immediately iii. Malware related security issues include viruses, worms, and spyware, among others. Training should be given to employees with emphasis given on prevention measures, identification of malware, containment, and their eradication. Updated antivirus and antispyware devices should be used. iv. Cultural change is needed in order to shape the employee and the organization towards practices that ensure security. v. Maintenance of the network to ensure it is up to date. The network at AAN does not have enough maintenance program yet this is supposed to be done on a regular basis (Garrett, 2004, pp.1-18). Medium vi. Internet privacy at AAN is another issue and concerns information that is shared over the internet. Employees should be prohibited from sharing any information related to AAN and should always remain confidential when using the internet. Low vii. Desktop security is one of the major security issues. The aim of this security issue being addressed is to keep internal and external attacks at bay. This should be handled by educating the users how to best use desktops and keep screens password protected. Timeouts should also be put in place. viii. Internal security breaches are also an issue to be addressed. This is because many employees have been known to leak company data and thus measures need to be put in place to prevent this from occurring. Policies and procedures on security matters and what to share with others as an employee of AAN would be most appropriate. 2.4 Physical Security Problem Priority Solution Establishing a very secure and trusted voice and data network that is able to operate on a single line yet give the required security. High Put in place necessary network architecture that is able to relay the two without giving room for leakage. Separate voice and data by use of logical networks that are different. Gateways should be controlled to ensure that the interfaces are well in line with security requirements. Priority Description High i. Putting in place two separate lines for VOIP is a technical issue that affects the security of AAN. The system should thus be made in a way that data and voice do not overlap causing security breaches. The overlap might cause a security breach due to leakage of data or voice information from one interface to the other and this could be tapped by an enemy (Alghamdi, 2009, pp.1075-1081). ii. High-technology needs of the electronic devices are another issue. The devices in use need to have met all the four standards of cryptographic modules and be able to allow for inaccessible coded data to be passed across the organization. A thorough development design and creativity will need to be employed in the electronic devices to be supplied to AAN (Alghamdi & Siddiqui, 2010, pp.538-542: 24-26). iii. Points of installing the security devices to ensure that they are sufficiently protective of the AAN’s data or information. iv. There is physical access to the servers and gateways. This is serious because it might give an attacker a chance to analyse traffic within AAN while he or she is out. Restriction to the servers is needed. Barriers, access controls, guards, and locks need to be put in place. Medium v. There are no state packet filters which can track the connection status and ensure that the packets are denied access if they are not part of the original VOIP. vi. There is no use of Secure Shell or SSH. This is supposed to be used in all management and auditing of the system. vii. Power backups are not in place and this means that security could be breached in case a blackout hits the area. Automatic power generators should be installed and power savers also put in place such as UPS. viii. There is no Wi-Fi Protected Access in place. The Wired Equivalent Privacy devices being used are not secure enough and therefore the WPA should be employed. ix. The data wires are more exposed and can easily be accessed by an outsider so they need to be hidden (Balitanas, et al., 2009; Siddiqui & Alghamdi, 2010, pp.16-18). Low x. Overreliance on physical wired communication is not good and should be reduced by use of wireless encrypted communication devices (O-Reilly Media, et al., 2007). 3.0 Conclusion Information security is important for AAN to succeed in its operations. Use of sophisticated security devices is important because the threats to security are many and enemies keep updating their knowledge on how to breach security. As a top secret organization, AAN need to thoroughly evaluate the provider of security devices and ensure that they meet the required set standards in order to avoid any form of breach due to defective or dysfunctional devices. Organizational culture change is very essential if security measures are to be realized since the human factor in policy and procedures implementation process is very critical. Technical security issues and those related to physical conditions need to be addressed so that gaps are not left in the system. List of References Alghamdi A (2007). “Evaluating automated web engineering methodology environments using AHP”. J. Comp. Sci., pp. 36-44. Alghamdi A (2009). “Evaluating Defence Architecture Frameworks for C4I Systems using Analytical Process”. J. Comp. Sci., 1075-1081. Allagui A. & Lemoine J (2008). Web interface and consumers' buying intention in e-tailing: results from an online experiment. Adv. Consum. Res. Eur. Conf. Proc., 8: 24 – 30 Alghamdi A, Siddiqui Z (2010). “Common Information Exchange Model for Multiple C4I Architectures”. 12th Int. Conf. Comp. Model. Simul. (UKSim), 538-542: 24-26. Balitanas M, Robles RJ, Kim N, & Kim T, (2009). "Crossed Crypto-scheme in WPA PSK Mode." Proceedings of BLISS 2009, Edinburgh, GB, IEEE CS. Barkan E, Biham E, & Keller N (2008). Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. J. Cryptol., 21(3): 392-429. Bellare M & Rogaway P (1994). Optimal Asymmetric Encryption Padding, How to Encrypt with RSA. In Advances in Cryptology-Eurocrypt, 94, pp. 92-112 Berritella M, Certa A, Enea M, & Zito P (2007). “An Analytical Hierarchy Process for the evaluation of transport policies to reduce climate change impacts”, Fondazione Eni Enrico Mattei, Working Papers 2007.12, December. Challa N & Pradhan J (2007). Performance Analysis of Public key Cryptographic Systems RSA and NTRU. IJCSNS Int. J. Comput. Sci. Netw. Security, 7: 87-96. Faisal MN, Banwet DK, & Shankar R (2007). Information risks management in supply chains: An assessment and mitigation framework. J. Enterp. Inf. Manag., 20(6): 667-699 Forman EH, & Gass SI (2001). “The Analytical Hierarchy process – An exposition”. Oper. Res., 49: 469-486. Garg D & Verma S (2009). Improvement over Public Key Cryptographic Algorithm. Patiala: Advance Computing Conference, IACC. IEEE International. Garrett Chris (2004). Developing a Security-Awareness Culture - Improving Security Decision Making, SANS Institute InfoSec Reading Room, 1-18 Grandzol JR (2005). “Improving the faculty selection process in higher education: A case for Analytical Hierarchy Process”. Assoc. Inst. Res., 6(24): 2-13. Hodgkinson G. P., Sparrow P. (2002), The Competent Organization: A Psychological Analysis of the Strategic Management Process (Managing Work and Organizations) London, McGraw Hill, 34-45 Kenekayoro PT (2010). The data encryption standard thirty four years later: An overview. Afr. J. Math. Comput. Sci. Res., 2(10): 267-269. Linkov I, Seager T, & Kikers G (2004). “Mutli-Criteria Decision Analysis: A Framework for Structuring Remedial Decisions at Contaminated Sites”. Comparative Risk Assessment and Environment Decision Making, Kluwer, pp. 15-54 National Institute of Standards and Technology (2001). Security Requirements for Cryptographic Modules Federal Information Processing Standards Publication (Supersedes FIPS PUB 140-1, 1994 January 11) NIST (2001). Announcing the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication National Security Agency (2000), Defence in Depth –A practical Guide for achieving Information Assurance in today’s highly networked environments O-Reilly Media, June. Demed L, & Berry D (2007). “Oracle Enterprise Service Bus: The Foundation for Service-Oriented Architecture”, Presentation, September 26th CDT. Sahin F & Robinson EP (2002). Flow coordination and information sharing in supply chain: Review, implications, and directions for future research. Decision Sci., 33(4): 505-536. Salisbury WD, Pearson RA, Pearson AW, & Miller DW (2001). Perceived security and World Wide Web purchase intention. Indust. Manag. Data Syst., 101(4): 165-176. Siddiqui Z & Alghamdi A, (2010). “CIFD: A Common Interoperability Framework for Defence Architectures: A Web Semantics Approach”. 16th International Conference on Distributed Multimedia Systems, DMS 2010, Hyatt Lodge at McDonald’s Campus, Oak Brook, Illinois, USA, 149-152: 16-18. Venkatesh V, & Davis FD (2000). A theoretical extension of the technology acceptance model: four longitudinal field studies. Manag. Sci., 46(2): 186-204 Read More