Increasing Vulnerability of Organizational Information Assets - Assignment Example

?Business Information System Table of Contents Internet Vulnerabilities 4 Wireless Security Challenges 4 Malicious Software: Viruses, Worms, Trojan Horses, and Spyware 5 Hackers and Cybervandalism 5 Unintentional Threats 6 Device Loss 6 Temporary Hires 6 Deliberate Threats 7 Identity Theft 7 Data Theft 7 Virus 7 Worm 8 Phishing 8 Spear Phishing Attacks 8 Approach to mitigate these risks 9 Question 4: Define and contrast - risk acceptance, risk limitation, and risk transference. 9 Risk-avoidance, transference, acceptance, mitigation, deterrence 9 Bibliography Reference List: 14 Assignment – Part A Question 1: Identify and discuss the factors that are contributing to the increasing vulnerability of organizational information assets. There are many factors that are contributing to the increasing vulnerability of organizational information assets. Given below are some of the important factors that play significant role in making the organizational assets vulnerable (Prentice Hall, 2010; KingCounty, 2009; Turban et al., 2005): Internet Vulnerabilities The research has shown that open or public networks such as the Internet are more vulnerable than internal networks for the reason that they are virtually open to everyone. Hence, when the Internet turns out to be an important part of the business network, and the most of the business tasks are supported by this network then the organization’s information arrangements also become open for attacks from outsiders. Wireless Security Challenges Wireless networks based on radio technology are also vulnerable to security penetration for the reason that radio frequency bands are easy to scan and detect for the attackers. These days Wi-Fi technology is extensively available and offering great deal of support for connectivity and information sharing. However, these networks always remain the major target of attackers which can cause problems for the organizations and attacks against information system. Malicious Software: Viruses, Worms, Trojan Horses, and Spyware A malicious software program can cause a variety of threats for example worms, computer viruses and Trojan horses. These threats can cause massive destruction to organizations’ resources in the forms of theft of organizational information, personal data theft and huge danger to corporate and personal information. Hackers and Cybervandalism A hacker is a person who aims to obtain illegal access to an information system. However, in the hacking community, the term cracker is normally employed to demonstrate a hacker with criminal objectives, though in the public press, the terms cracker and hacker are employed interchangeably. These hackers can get access to an organization’s network and launch a variety of security attacks such as: (Prentice Hall, 2010; KingCounty, 2009; Turban et al., 2005): Spoofing and sniffing Denial of service attacks Identity theft Question 2: Contrast unintentional and deliberate threats to an information resource. Provide two (2) examples of both. Information systems are vulnerable and in danger due to a number of possible threats and hazards. However, there are two major types of threats known as deliberate threats and unintentional threats. Given below are acts with no malicious determination and with malicious determination (Rainer, 2009; Safari Books Online, 2013; E.Whitman, 2004): Unintentional Threats Device Loss Human errors or mistakes are the major causes of un-intentional threats that can happen due to human error or due to negligence of human. For example, a person who has lost his device, mobile or laptop which be misused by an attacker for carrying out illegal activities. Temporary Hires Temporary hires are also major type of unintentional threats. In this scenario, temporary workers including contract labor, janitors, consultants, and guards can also create serious security loss for the organizations. Contract labor, for example temporary hires, can be ignored in information security policy. Though, these staff members can unintentionally access the information or data and distribute data without intention and care. This can be really dangerous for an organization. Deliberate Threats Identity Theft In this kind of threat a person intentionally makes use of someone’s personal information as his own personal use. For instance, a person can use his friend’s or colleagues’ personal information such as credit card number or some other bank based details to perform certain tasks. In fact, through this way a large numbers of frauds are yet done leading to millions of dollar loss to businesses and people. Data Theft A staff member, friend or member of organization can steal business data and can make use of data for negative purposes. For instance, an unsatisfied employee can do this to cause harm the business organization. This can be extensively dangerous for business and organizational information system. Question 3: Explain each of the following types of remote attacks: virus, worm, phishing, and spear phishing. What approach could you use to mitigate these information security risks within an organisation? Describe a scenario. Virus A computer virus link itself to an application or file allowing it to spread from one system to another, offering infections as it moves onward. Similar to a human virus, a digital virus is able to vary in harshness: several can cause simply mildly annoying influences as others are able to damage our software, hardware or files. Additionally, almost all kinds of a virus are linked to an executable file. In this scenario, a virus can exist on our system for a long time however it will not infect our system unless we execute or open the malicious application (Beal, 2013; Shelly et al., 2005). Worm A worm is like a virus and it is recognised as a sub-class of a virus. In addition, worms go out from system to system, however as compared to a virus; it has the capability of travelling without interacting with humans. A worm gets benefits of file or information transmission characteristic on our system that is what permits it to travel unaided (Beal, 2013; Shelly et al., 2005). Phishing Phishing is analogous to fishing in a lake; however instead of attempting to catch a fish, phishers try to steal our personal data and information. In this scenario, they transmit e-mails that seem to come from authentic websites for example PayPal, eBay or other banking organization. The e-mails state that our data requires to be validating or updating and request that we enter our password and username, after clicking a link comprised in the e-mail. In this scenario, a web site looking similar to a real web site can hack our personal information (TechTerms, 2013; Kay, 2004; Shelly et al., 2005). Spear Phishing Attacks Spear-phishing is a more specialized phishing approach. It allows a hacker to get private information regarding a user by making use of fake methods. It is basically aimed at targeting a precise employee so as to obtain access to a business’s information (PC Tools, 2010; Microsoft, 2013; Shelly et al., 2005). Approach to mitigate these risks An organization should take certain security measures in order to secure its data and information resources. First of all, an organization should train its employees and provide them with the latest knowledge on security threats and risks. They should keep and maintain record of their employees. Their employees should be given a password protected access to organization resources. In addition, all the systems should have an updated version of antivirus program (Shelly et al., 2005). Question 4: Define and contrast - risk acceptance, risk limitation, and risk transference. Risk-avoidance, transference, acceptance, mitigation, deterrence Risk avoidance is the process of recognizing a risk as well as formulating a decision to no longer involving in the activities linked with that risk. If risk is outside, as well as the level of risk is believed to be fairly high, then a great deal of attention should be paid to stopping or escaping to assume those tasks. If the tasks are fragment of the fundamental business, then recognize if there is another method of performing things that will escape or minimize the risk or loss (NeoKobo, 2012; Federal Highway Administration, 2013; Melissa, 2013). In addition, the risk avoidance should be foundational on a well-versed decision that the preeminent course of act is to diverge from what would/could take to experience to the risk. One of the major issues regarding risk avoidance is that we are navigating clear tasks we can take advantage from. This is the best and highly efficient method, however often not probable because of organizational needs (NeoKobo, 2012; Federal Highway Administration, 2013; Melissa, 2013). In risk transference, we do not just shift the risk totally to some other object, but also we share lots of burden of the risk someone else, for example an insurance corporation. A distinctive policy would recompense us a cash amount if all the steps were established to minimize risk as well as a system still was damaged (NeoKobo, 2012; Federal Highway Administration, 2013; Melissa, 2013). Risk mitigation is proficient anytime we take steps to minimize the risk. In this scenario, steps comprise installing antivirus application, educating clients regarding probable monitoring the network traffic and threats, incorporating a firewall (NeoKobo, 2012; Federal Highway Administration, 2013; Melissa, 2013). Assignment – Part B A case study critical thinking analysis using Toulmin’s Model of Argument: Claim Sensitive FBI data is not secure from attack Data Data and information stored in FBI’s computers is at danger. It is assessed that some criminal mind people got access to data of FBI and made use of that data in a wrong way. Afterward, that data was placed on website for open access. It is a serious crime and data theft led to huge damage to private information and data. Warrant Due to human negligence the system or laptop was accessed by any illegal person and data was misused afterward. In this situation this attack is done deliberately to access the secret stuff of a security firm. This also led to huge damage to security characterises of such organizational staff. Backing This security breach is a basic flaw of overall security based system’s authentication procedures which caused a number of serious issues and aspects regarding secure management of such data. The information that was accessed is really classified that can lead to huge damage to someone’s personal credibility and worth. The FBI is still denying such details however this sensitive information can only be taken from security organization using high level hacking techniques. Rebuttal There number of other criminal activities happen in past where critical and sensitive information was accessed using a variety of illegal ways. For example stealing approximately 2 million credit card numbers is one of the biggest examples of data thefts cases in American history that cost various companies more than $US300 million. In this case such huge amount of records are taken and abused. In such cases the major problem lies at the core security of organization that needs to be managed effectively in order to ensure the privacy and security of organizations’ data (ABC, 2013). Qualifier In this situation the main guilty seems to be FBI security management system that has implemented a poor security authentication mechanism that caused such a huge damage and serious issues regarding management of security and privacy of the security firm. Your Opinion In this overall analysis it is assessed that data security and privacy are most important aspects of any organization that can play a significant role in the success or failure of an organization. Application of effective security parameters and procedures can offer us a great deal of support for managing the security of corporate. In the context of FBI we have seen both kinds of security issues, human negligence (un-intentional security problem) and data theft (intentional security problem). These both factors can be seen at any huge organizational security breach or data theft event. In this situation the only need is application of better security management procedures and systems. Security management is a complex task while application of new and more smart layered approach of technology offers better solution of security management inside a firm. In addition, organizations should manage new technology based bio-informatics system for the effective management of security and privacy at the corporate. These all initiatives are aimed to present better solution for corporate security management and data safety. Without such initiatives the future of information system is in danger. Bibliography Reference List: ABC, 2013. Russian-Ukrainian syndicate hit major companies targeted in biggest credit card fraud in US history. [Online] Available at: http://www.abc.net.au/news/2013-07-26/6-charged-over-largest-ever-credit-card-fraud-in-us-history/4844814 [Accessed 14 August 2013]. Beal, V., 2013. The Difference Between a Computer Virus, Worm and Trojan Horse. [Online] Available at: http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp [Accessed 15 August 2013]. E.Whitman, M., 2004. In defense of the realm: understanding the threats to information security. International Journal of Information Management, 24(2004), pp.43-57. Federal Highway Administration, 2013. 5. Risk Mitigation and Planning. [Online] Available at: http://international.fhwa.dot.gov/riskassess/risk_hcm06_05.cfm [Accessed 18 August 2013]. Kay, R., 2004. QuickStudy: Phishing. [Online] Available at: http://www.computerworld.com/s/article/89096/Phishing [Accessed 13 August 2013]. KingCounty, 2009. lnformation Technology Governance Policies, Standards and Guidelines. Vulnerability Assessment and Management Policy. Off?ce of Informat?on Resource Management. Melissa, 2013. Four Types of Risk Mitigation. [Online] Available at: http://mha-it.com/2013/05/four-types-of-risk-mitigation/ [Accessed 19 August 2013]. Microsoft, 2013. How to recognize phishing email messages, links, or phone calls. [Online] Available at: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx [Accessed 12 August 2013]. NeoKobo, 2012. 2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence. [Online] Available at: http://neokobo.blogspot.com/2012/01/216-risk-avoidance-transference.html [Accessed 20 August 2013]. PC Tools, 2010. What are Spear Phishing Attacks? [Online] Available at: http://www.pctools.com/security-news/spear-phishing-attacks/ [Accessed 10 August 2013]. Prentice Hall, 2010. Management Information Systems. [Online] Available at: http://iauec.net/MDF/ch10/chpt10-1main.htm [Accessed 20 August 2013]. Rainer, R.K., 2009. An Overview of Threats to Information Security. [Online] Available at: http://www.irma-international.org/viewtitle/14016/ [Accessed 16 August 2013]. Safari Books Online, 2013. 7.2 | Unintentional Threats to Information Systems. [Online] Available at: http://my.safaribooksonline.com/book/-/9780470889190/7-information-security/navpoint-46 [Accessed 20 August 2013]. Shelly, Cashman & Vermaat, 2005. Discovering Computers 2005. Boston: Thomson Course Technology. TechTerms, 2013. Phishing. [Online] Available at: http://www.techterms.com/definition/phishing [Accessed 13 August 2013]. Turban, E., Leidner, D., McLean, E. & Wetherbe, J., 2005. Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley. Read More