Vulnerability of an Organizations Information System - Research Paper Example

Summary
This paper 'Vulnerability of an Organizations Information System' focuses on the vulnerabilities of organizational information systems that presently challenge IT managers, giving an overview of the most important cyber security vulnerability and considering measures that might protect organizations from such vulnerabilities…

Vulnerability of an Organization’s Information System

Introduction

In the present times, dependency on the internet and the use of information technology within organizations has greatly increased with significant developments in the field. However, while organizations connect to the cyber world for work and business, there are others whose intentions are malicious and who intend to steal important information. Cyber security has thus become an essential part of every organization, considering the vulnerability of the information that is handled through information systems (Kim & Solomon, 2010, pp.2-5).

Vulnerability in regard to organizational information systems can be defined as “a weakness that allows a threat to be realized or to have an effect on an asset” (Kim & Solomon, 2010, p.6). A threat therefore cannot affect an information system unless the system is too weak or vulnerable to survive an attack (Kim & Solomon, 2010, p.6). The vulnerabilities of an organization’s information systems thus reflect that the organization’s control over the systems has either been lost or become ineffective (Whitman & Mattord, 2011, p.65).

In the present times, the cyber world has taken a significant position in both organizational and personal lives. The most critical factor identified as making information systems vulnerable to cyber threats and attacks is the human element. The information technology (IT) managers of today’s business organizations thus face severe challenges in regard to such vulnerabilities (Platsis, 2012). The present study focuses on the vulnerabilities of organizational information systems that presently challenge IT managers, giving an overview of the most important cyber security vulnerability and considering measures that might protect organizations from such vulnerabilities.
Organizational Information Systems: The Vulnerabilities

Vulnerabilities of information systems in organizations include vulnerabilities of the hardware and software systems, the transmission media, the local area networks, the wide area networks, the enterprise networks, the intranets, the organization’s use of the internet, and most importantly the human element. All of these, if vulnerable, can lead to cyber intrusions causing cyber threats or attacks, thus affecting the entire information system of the organization.

Hardware and Software

Viruses and other malware can destroy the software system of computers, or they might affect the security functions of the system. This makes the software vulnerable, allowing outsiders to steal information and run their own commands on the organization’s computers and information devices to manipulate information as they need. Organizations therefore need to use antivirus tools and update the system’s functions on a regular basis to detect any vulnerability in advance (Kazmeyer, 2013).

Hardware vulnerabilities are of major concern, since unsecured terminals can be taken advantage of by outsiders, together with network access points, to get access to systems that are otherwise protected. Security functions may be circumvented by an intruder who gets access to server rooms or floors where the computer systems are placed. To prevent this, organizations need strict control over any individual’s access to the hardware, so that such vulnerabilities cannot be taken advantage of (Kazmeyer, 2013).

Transmission Media

The media of transmission in organizations include both cabling and wireless communication media.
In the case of cabling, wires are used for transmission; in many cases they pass through the walls and channels of the organization, eventually terminating at wall plugs, switches or hubs. Twisted-pair and coaxial cables are easy to access, which makes such media highly vulnerable to external sources, all the more because these wires eventually need to run from inside the organization to the external surroundings. With wireless communication media, the use of radio frequencies, laser or infrared has removed the concerns associated with wires, which is a strength for information systems. Yet this medium is also vulnerable, since the transmission is accessible to anyone within a particular range of the broadcast. Also, locating the sources of these media is easy, allowing intruders to take advantage of such vulnerabilities of the system (Janczewski & Colarik, 2008, p.xxii).

Local Area Networks

Local area networks (LANs) enable organizations to meet their needs for processing and communicating data. However, along with their benefits, there are certain security problems associated with LANs that make them a vulnerability for organizations. Access protection is provided only to the level of the directory, enabling a user to access all the files present in the directory. Moreover, the protection mechanisms are not sufficient to protect all the necessary information of organizations. Because the authentication system is inadequate, remote servers and applications are also capable of getting access to these networks. With recent topologies and protocols in place, the information is available on several nodes, which might enable wiretapping. Because messaging services are not effectively protected on these networks, messages can be hacked and manipulated quite easily.
Other vulnerabilities of LANs include insufficient management and security systems, lack of necessary training of LAN users in its security, too few security mechanisms in the workplace, and insufficient protection throughout communication (Guideline for The Analysis Local Area Network Security, 1994, pp.5-8).

Wide Area Networks

With the use of the Wide Area Network (WAN), the greatest vulnerability of the information systems of organizations arises because it allows the controlled area to be under the charge of the organization. Hence, it eventually becomes unrestrained and freely reachable over a wide area. It is not only the cables used in the network that make the system vulnerable. Rather, the data that is transmitted also becomes public, making it easy for anyone to interpret the meaning of the information being transmitted. Thus the physical structure of the network and the information that can be transmitted over the WAN make it vulnerable to attacks (Fuhs, 1996).

Enterprise Networks

The vulnerabilities identified for enterprise networks include: incorrect or incomplete use of IPS/IDS; failure to discover and examine all parts of a network with vulnerability management tools; overlooking newer devices that are IP-enabled; use of default credentials on devices used by the network; and unauthorized wireless access points (WAPs). It has been observed that in most cases the segments of the network are not secured by IPS or IDS. Most organizations do not make full use of vulnerability management tools, neglecting parts of the network that need control and management. Credentials need to be exploited, unlike the present scenario in organizations where only default credentials are being used.
Unauthorized WAPs are the most significant factor leading to enterprise networks becoming vulnerable to cyber threats or attacks, along with the other factors mentioned (Lumeta, 2010).

Intranet

Intranet refers to the internal network that organizations use for their functions and operations. Vulnerabilities are also associated with the use of the intranet, since attackers are often internal to an organization. Business associates or partners may also be the ones who attack the systems, since they have access to the internal information systems of the organization. Moreover, internally the systems are vulnerable to viruses and worms that can destroy them if they are not protected effectively (Whitman & Mattord, 2011, p.556). It can thus be realized that information systems on the intranet are vulnerable, since they can easily be accessed by internal members and associates who, if they plan to harm the organization, can easily hack information and manipulate it.

Internet

The internet makes the information system within an organization vulnerable, since it allows the organization to easily connect and communicate with the outside world. Organizational members rely on the internet to communicate important messages and information, and it is the responsibility of the routers to perform the task. If security measures are lacking, this process makes the entire system vulnerable, allowing outsiders to get access to internal information and enabling cyber attacks (Gregory, 2009, p.370).

The Most Important Cyber Security Vulnerability in Organizations

After an overview of all the vulnerabilities related to the information systems in an organization as discussed above, it can be said that the most important vulnerability is the human element. It is the humans, the individuals in the organization, who are in charge of handling the information systems.
The security and control measures are in their hands. Hence, if they are not properly trained or lack responsibility in regard to effective security, the system is bound to be vulnerable across all the elements of the information system. The weakness or vulnerability of the human element is thus widespread, with the entire system being dependent on human activities and measures. More importantly, the human element is “independent of hardware, software, platform, network, age of equipment, etc.” (Tipton & Krause, 2003, p.151). Business organizations are known to spend heavily on securing their information, which is considered the primary asset of any organization. However, with the lack of responsibility and the reluctance of organizational members, bypassing security measures and getting access to organizational information has become a common and major issue in the present times (Tipton & Krause, 2003, p.151).

Considering the reality of the 21st century, with the development and use of information technology in organizations, the human element has been found to be the most vital element leading to information systems becoming vulnerable. The problem arises all the more because this issue is not considered effectively or seriously by organizations or the public. With the wide accessibility of WANs like the internet, extensive damage can be done to information systems if proper mitigation strategies are not followed by organizations. There is a significant lack of knowledge and understanding among people of an attacker’s ability to access anybody’s information at any point of time once the intruder is inside the network. This happens because a single point of entry allows information and communications to be transmitted from several locations at the same time (Platsis, 2012).
Some of the human vulnerabilities include negligence, fear of authority, inadequate security training, unmotivated and discontented organizational employees, and natural tendencies to be helpful to others (EL-Harmeel, 2009, pp.6-7).

The Importance of ‘Human Element’ as the Vulnerability

Considering the capability of attackers to access, hack and manipulate important organizational information, it can be realized that security and control measures need to be effectively considered by the humans, the organizational members. This is important because their slightest misuses or errors would be taken advantage of by intruders. The significance of the vulnerabilities is not understood or realized by most people, causing greater damage to information systems. This makes the human element the most critical vulnerability that IT managers presently face. If users do not realize the implications of their mistakes or improper use of the systems, then even the highest form of security measures would not be able to make the information systems of organizations safe and secure. Unless people understand the nature of the threats and attacks on information systems, they will remain the most important vulnerability for the information systems in organizations (Platsis, 2012).

Impact of Human Vulnerabilities on Organizations

The impacts of human vulnerabilities on organizations arise mostly from the fact that the use of information systems depends entirely on the human factor. Considering that there are external sources trying to manipulate and damage the internal information and performance of organizations, people need to be careful and strict in their responsibilities and handling of the systems. For instance, misuse by users might often lead to loss or destruction of important information.
Since there are external factors that can easily affect the information systems of an organization, it is necessary to have backups of all necessary organizational information. This is the responsibility of the organizational members. If they do not take such responsibilities seriously, then in case of any damage or cyber attack the organization would suffer significant losses (Chaudhary, 2010). It has to be kept in focus that information systems can be affected by external sources only when the internal members are not strict in their control measures. This can lead to cyber threats and attacks damaging not only the information but also the overall performance of the organization.

Addressing the Potential Impacts of Human Vulnerabilities by Organizations

With human vulnerabilities being a matter of significant concern in present-day organizations and their information systems, particularly for IT managers, organizations need preventive measures to ensure that human vulnerabilities do not eventually lead them to encounter cyber threats or attacks. Understanding the risk or the vulnerability is the most essential step in this regard. To prevent such vulnerabilities, organizations need to build up information security management systems that plan a systematic approach to managing the security of the information systems within the organization. Employees need to be trusted. There should be trust between the security designers and the organizational employees. Particularly when technology is involved, trust needs to be present between people to ensure proper enthusiasm and functioning (Sasse et al, n.d.). This would further motivate organizational members to learn about the vulnerabilities and improve accordingly. The information systems need to be designed more securely.
Involvement of the stakeholders in the process would enable better understanding of, and cooperation in, decisions on eliminating vulnerabilities and securing information systems. Most importantly, organizational employees as well as the public need to be given proper training, education and awareness, aimed at changing their behavior so that they gain knowledge of the correct usage of information systems and make fewer errors. This would be further motivated by positive organizational behavior within the organization. The people associated with any organization need to realize the significance of the matter and be allowed to think and act in a positive way towards secured information systems. It has to be noted that while human vulnerabilities might be increasing in present-day organizations, these vulnerabilities can also be tracked and effective measures taken in advance to secure an organization’s information systems (Sasse et al, n.d.).

Conclusion

From the above study, it can be realized that for present-day organizations, with their increasing dependence on information systems, it is essential that the associated vulnerabilities be effectively considered in the organization’s control measures. The information systems, involving the hardware and the software, the transmission media, the local area networks, the wide area networks, the enterprise networks, the intranet, and the internet, open up significant opportunities for external parties to intrude into the systems and try to damage the information and performance of the organization. However, a cyber threat or an attack cannot be successful unless the system is vulnerable or weak by itself.
This leads to the focus on the human element, which the study found to be the most important vulnerability concerning the information systems in organizations. Since the use and handling of these systems are entirely in the hands of human beings, they need to be more careful and strict in regard to their control measures and their individual responsibilities for correct usage of the systems. Their slightest mistakes would otherwise be taken advantage of by intruders. However, with increased knowledge and proper training of all the people associated with an organization, prevention and security of the information systems might be achieved to a large extent. Hence, organizations need to realize, and make people realize, the significance and impacts of human vulnerabilities and accordingly consider preventive measures as discussed in the study.

References

Chaudhary, N. (2010). How to manage Vulnerabilities of Information Systems to Security Incidents. Techgenie, Retrieved on April 7, 2013 from: http://www.techgenie.com/latest/how-to-manage-vulnerabilities-of-information-systems-to-security-incidents/

EL-Harmeel, M. (2009). Human…The Overlooked Asset. SANS, Retrieved on April 7, 2013 from: http://www.sans.org/reading_room/whitepapers/honors/humans-overlooked-asset_33257

Fuhs, H. (1996). Security Problems in Wide Area Networks. Fuhs, Retrieved on April 5, 2013 from: http://www.fuhs.de/en/pub/wansecurity.shtml

Gregory, P.H. (2009). Cisa All-In-One Exam. Gd W/Cd. New York: Tata McGraw-Hill Education, Retrieved on April 7, 2013 from: http://books.google.co.in/books?id=42VfVVwDf3YC&printsec=frontcover&dq=Cisa+All-In-One+Exam.+Gd+W/Cd&hl=en&sa=X&ei=eThmUYCqMo_NrQeH6YHoAg&ved=0CDIQ6AEwAA

Guideline for The Analysis Local Area Network Security (1994), Federal Information Processing Standards Publication 191, CSRC, Retrieved on April 5, 2013 from: http://csrc.nist.gov/publications/fips/fips191/fips191.pdf

Janczewski, L.J. & A.M. Colarik (2008). Cyber warfare and cyber terrorism. Pennsylvania: Idea Group Inc (IGI), Retrieved on April 5, 2013 from: http://books.google.co.in/books?id=6CJ-aV9Dh-QC&printsec=frontcover&dq=Cyber+warfare+and+cyber+terrorism&hl=en&sa=X&ei=wThmUcGCMo6NrgeD_ID4Aw&ved=0CDIQ6AEwAA

Kazmeyer, M. (2013). Kinds of Computer Vulnerability. eHow, Retrieved on April 5, 2013 from: http://www.ehow.com/info_10003394_kinds-computer-vulnerability.html

Kim, D. & M. Solomon (2010). Fundamentals of Information Systems Security. Massachusetts: Jones & Bartlett Learning, Retrieved on April 6, 2013 from: http://books.google.co.in/books?id=-agjhFspvFMC&printsec=frontcover&dq=Fundamentals+of+Information+Systems+Security&hl=en&sa=X&ei=AzlmUdeoHMHVrQe-noCICw&ved=0CDIQ6AEwAA#v=onepage&q=Fundamentals%20of%20Information%20Systems%20Security&f=false

Lumeta (2010). Top 5 undiscovered vulnerabilities found on enterprise networks. Net-security, Retrieved on April 6, 2013 from: http://www.net-security.org/secworld.php?id=9689

Platsis, G. (2012). The Real Vulnerability of the Cyberworld: You and I. Nationaldefensefoundation, Retrieved on April 4, 2013 from: http://usa.nationaldefensefoundation.org/?p=159

Sasse, M.A. et al (n.d.). Human Factors Working Group White Paper. UCL, Retrieved on April 8, 2013 from: http://hornbeam.cs.ucl.ac.uk/hcs/publications/HFWG%20White%20Paper%20final.pdf

Tipton, H.F. & M. Krause (2003). Information Security Management Handbook, Fifth Edition. United Kingdom: CRC Press, Retrieved on April 8, 2013 from: http://books.google.co.in/books?id=96BbTjHBpOQC&printsec=frontcover&dq=editions:SWgpRVJerdsC&hl=en&sa=X&ei=WzlmUfWxMYb3rQeksICADw&ved=0CE8Q6AEwBg#v=onepage&q&f=false

Whitman, M.E. & H.J. Mattord (2011). Principles of Information Security. Connecticut: Cengage Learning, Retrieved on April 8, 2013 from: http://books.google.co.in/books?id=L3LtJAxcsmMC&printsec=frontcover&dq=Principles+of+Information+Security&hl=en&sa=X&ei=izlmUYrtDIvyrQfqloDYBQ&ved=0CDIQ6AEwAA#v=onepage&q=Principles%20of%20Information%20Security&f=false