Information Technology Security Risk - Research Paper Example

1 Evaluating Risk Analysis 1.1 Threats Threats are defined as the probable network security breach which may occur in the future and will harm the network, as well as Information systems. The current trends in technology advancement have enabled the networks to be prevalent. People are connected at home, offices, as well as when they are travelling either via laptop or mobile phones. The evaluation is conducted to identify the severity of each information system, which deserves priority due to the value of data which needs to be protected. Both threats and vulnerabilities need to be considered concurrently. Threats can provide damage to the confidentiality, availability and integrity of information present in the information systems. They explore opportunities for security breaches to cause confidential data invasion via unauthorized access, amendment of data, removal of information from information systems. Threats can hit the network from various sources. Threats are confidential on the parameters of different capabilities and approach including external approaches by cyber criminals, hackers, terrorists. For handling threats of different nature different risk mitigation and control methodologies are required in the context of protecting the prioritized information systems. 1.2 Vulnerabilities Vulnerabilities are the weaknesses which are present in the system against the current threats. Vulnerabilities can be distinguished as security loop holes in the system. If hackers find these loop holes in the system, results are devastating including unauthorized access, amendment or complete deletion of the system. A recent example is the hacking of wiki leaks website which impacted the whole world and also affected strategic and economic relations between countries as various confidential documents were leaked out from the website. On “www.bbc.co.uk” news article illustrates as “Whistle-blowing website Wikileaks says it has come under attack from a computer-hacking operation, ahead of a release of secret US documents”. Vulnerabilities are successful due to policy weaknesses, inadequate implementation of security infrastructure, and information of personal issues. For identifying any possible threats, testing of the security infrastructure including network components, hardware and software is essential which may occur in the future. 1.3 Risk The risk is defined as the likelihood of different threats via different circumstances, which are affecting the network and information systems. The circumstances should consider the strategy, security measures, environmental measures, own experience and the experience of other connected entities in the context of information security failure. The impact calculation is also required in terms of data integrity, availability; confidentiality and the cost associated with the fixing systems, lost availability and other related issues which are of prime concern to the network and information system operations. Measurements consist of Cost which is used to protect the information and systems Value of the information and information systems Threat probability and occurrence Effectiveness of Controls 1.4 Hazards Hazards determine the identities and quantities of any chemicals or harmful substances present as pollute causes in the environment. There are different type of hazards required for cleaning and maintenance of the office furniture and items. Hazards may masquerade to human health or the network and information systems when spilled out accidentally by mistake. They also require flammable characteristics which may occur in severe threats and help to increase fire or other incidents. 1.5 Assets Assets are the components serving internally, as well as externally, within the network. Assets can be divided in to several different information technology environments. The physical infrastructure contains Servers, workstations, data centers, switches, routers etc. The core infrastructure contains virtual private networks, Microsoft active directory, domain controllers, email servers etc. The Internet infrastructure contains public cryptographic keys, training manuals, emails etc. 2 Risk Analysis Methodology The ‘www.businessdictionary.com’ defines risk analysis as “Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high; not important, important, very important; or on a scale from 1 to 10”. Numeric values are assigned for measurements that can be analyzed to determine risk priorities. For performing risk analysis for the enterprise network, stages are divided in order to focus specific stage precisely. The objective is to make the system secure from threats and vulnerabilities. The methodology will illustrate decisions as outputs for each stage. The first step will be to analyze borders of the network and information system resources and exchange of information within the enterprise network. The first step is to gather information which lays the foundation for conducting risk analysis. The system related information includes hardware, software, data, IT support staff, processes performed on the network, mission critical systems, data sensitivity. The operational environment of the enterprise network includes network design and topology, security architecture, system users, functionality of the network, methodologies for protecting the data in parallel with availability, confidentiality and integrity, input and outputs of the network, management controls, security controls, physical security, and environmental security controls. The outputs for this stage are system boundaries, System functionality, Criticality of the system and data, Sensitivity of the system and data. The second step is to analyze any potential threats for the network. While analyzing threats, is it essential to consider all possible, potential threats and sources which may disrupt or harm the network and information systems. The common threats related to natural disasters are floods, tornadoes, earthquakes etc. The common threats related to human includes hacking, cyber crime, viruses, malicious software attack, un authorized access to organization’s critical data, and deliberate actions. The environmental threats include substantial power failure, any chemical leakage, liquid spilled on any computing component etc. The output of this step is the identification of potential threats, which may disrupt the network and information systems in the future. The third step is to analyze any possible vulnerability within the network. This step concludes the weaknesses and flaws which are currently present in the network security architecture. The assessment of possible vulnerabilities is not an easy task as some previous history is required to perform vulnerability assessment. If the network is operational, a thorough analysis of the network security features and controls is conducted. It will also include technical and procedural elements for protecting the network. The previous reports of risk assessment, audit reports, system anomaly reports, network evaluation reports, network testing reports are considered. Some support is also considered from the vendor advisories, vulnerability bulletins from military networks and also by reviewing the history of previous security breaches within the network. Other methods are also used to breach the security infrastructure including penetration testing, which is an attempt to breach the network compromising the current security infrastructure. The method is used to test the current security measured for any possible vulnerability. This process is conducted by network security professionals for identifying any vulnerability which may become a gateway for the hackers in the future. The output of this step is the list including possible identified potential vulnerabilities. The fourth step is to identify and evaluate controls along with the likelihood against these controls of the network which are implemented by the organization. The controls are divided in to two categories. Technical control consists of software or hardware for protecting the network. For example, intrusion detection system, firewall, identification and authentication software etc. Technical controls require technical expertise. However on the other hand, non technical controls consist of management and security controls. For example, security policies, management policies, personal and physical security. The output of this step is the list of current and planned controls. The list is used to validate security compliance and non compliance. It is constructed by the security requirement check list. It is essential to update the list of technical and non technical controls to ensure the validity of current and planned controls. The fifth step is to rate the probability of potential vulnerability by evaluating the source and capability of threats, nature of vulnerability and efficiency of current controls. The rating is categorized in high, medium and low priorities. High priority means, that the threat is highly capable and the current controls are not sufficient. Medium priority means, that the threat is highly capable and current controls are implemented to eliminate the vulnerability. Low priority means, that the threat is incapable and lacks capability. Controls are implemented to eliminate the threat from exercising the network. The outputs of this step include the likelihoods of vulnerabilities on three levels i.e. high, medium, and low. The sixth step is the undesirable impact which is the output of successful threat analysis of potential vulnerabilities. The impact analysis is conducted by considering current processes of the enterprise network, mission critical data and systems, data and system sensitivity. The information can be extracted from previously impact analysis reports or existing documentation of the enterprise network. Impact analysis prioritizes the impact levels linked with the conciliation of the organizations assets. The impact analysis is based on the assessment of data integrity, availability and confidentiality. The outputs of this stage are the ratings and prioritization of impacts. The threats of impact analysis are Loss of data integrity Loss of data availability Loss of data confidentiality The seventh step is to establish the risk for each specific threat and vulnerability. The process involves the likelihood of a threat source challenging to exercise a specific vulnerability, degree of the impact of vulnerability and the sufficient planning of current security controls for minimizing risks. The output of this step involves likelihood of threats, degree of impact and sufficient planning of current controls. The result is the associated risk along with risk levels, which can be prioritized by severity and criticality of their impact on the network and systems. Step eight provides the processes and controls to eliminate the threats which are vulnerable to the organizations operations. The objective is to eliminate the levels of risks to the network and systems to an adequate level. The elements, which are involved for eliminating risks, are; Efficiency of recommended options Legislation and regulation Policies of organizations Impact of organization Dependability and safety The output of this step is the recommended controls. The recommended controls must be implemented in order to secure the network and systems for any possible potential threats and vulnerabilities. 3 Evaluating Risks by Qualitative Risk Analysis A comprehensive definition of qualitative risk analysis is illustrated on ‘www.searchmidmarketdictionary.com’ which says” Qualitative risk analysis, which is used more often, does not involve numerical probabilities or predictions of loss. Instead, the qualitative method involves defining the various threats, determining the extent of vulnerabilities and devising countermeasures should an attack occur”. Qualitative risk analysis can be performed on computerized data analysis, as well as manually. The objective is to identify only the most significant risk factors which are related to intrusion detection and cyber crime prevention. Qualitative risk analysis also provides evaluation of the potential damage in the context of security controls. Ineffective quantitative analysis involves unreliable and unproductive information on threat occurrence and probability along with the prospect reliability and performance of controls related to intrusion detection and cyber crime prevention. Fig 1.1 demonstrates quantitative analysis and the identified threats along with the occurrence and severity levels. Occurrence Risk Severity Identified Risks Highly likely to occur High risk 1) Network Monitoring Medium likely to occur High risk 2) Information Leakage Not likely to occur Medium/low risk Highly likely to occur Medium risk 3) IT Security Framework Medium likely to occur Medium/low risk 4) System and Network Administration Not likely to occur Low risk Highly likely to occur Low risk 5) Integration of data between systems Medium likely to occur Low risk Not likely to occur Low risk Fig1.1 3.1 Network monitoring(High Risk / Occurrence high ) Network monitoring is the prime responsibility of the organization after implementation. There are so many threats inventing on a daily basis. They adopt new ways of attacking networks. The constant and efficient monitoring of the network identifies any breach to the network at an initial stage. The early identification of any security breach helps the organization to quarantine the threats or minimize the impact of these threats on the network and systems. Alerts can be triggered for any unusual activity on the network. If the network monitoring is compromised, no malicious activity will be detected resulting in serious damage to the network components, as well as the information systems. 3.2 System and Network Administration(Medium Risk / Occurrence Low) System administration risk involves issues such as Ant virus software are not up to date Latest system security patches are not installed Forgot to Security software not installed on every critical system Employees who have already resigned, user accounts still not deleted If the system administration policies are not implemented efficiently, threats are more likely to be conducted within the organization. Internal threats may occur. For example, unauthorized access, breaching in to highly classified information systems etc. 3.3 Information Leakage(High Risk / Occurrence Medium) The information leakage can result in transmitting highly classified data to the hacker. The hackers can also send a malicious code to breach in the network. The small software can be installed on any system of the network and is not detectable. The small software then tries to establish a connection with mission critical information systems to either damage the data or transmit the data to the hacker. 3.4 IT security framework (Medium Risk/ Occurrence High) An efficient design of the security infrastructure is necessary focusing on the potential threats and vulnerabilities. All the process and functions are performed on the security framework of the network and information systems. If the framework or the security infrastructure is not adequate, organizations may face severe threats and vulnerabilities in the future. 3.5 Integration of data between systems (Low Risk / Occurrence High) The transmission of data internally and externally is unsafe. The connections to the external system are the gateways for hackers to enter the network. Encryption protocols need to be implemented for encrypting the data between the internal and external systems. 4 Cyber Crime Prevention The computer fraud and abuse act (CFAA) which was launched in 1984 before it was amended in 1986. This act has a restriction because it requisite evidence of the person who has accessed the computer without authorization. In 1994, this act was modified again due to the emergence of “Malicious code” including viruses, Trojans etc. the national information infrastructure act (NIIA) was passed in 1996 to expand the capability of CFAA. It is known as Title 18 U.S.C Section 1030 (SANS InfoSec reading room - legal issues). Cyber Security Enhancement Act (CSEA) was passed collectively with the Homeland Security Act in the year 2002. It settled to encompass powers to the law enforcement organizations and amplify punishments that were placed out in the Computer Fraud and Abuse Act. Prior to the passage of CSEA, ISPs were prohibited by the ECPA from deliberately exposing private particulars and facts of customers. For example, to gain the contents of an email stored on internet service provider’s servers. The government required a search warrant. CSEA reduced the privacy of stored data and it agrees for an internet service provider to freely share the precise and specific personal information about suspected customers to a government representative, not just law enforcement officials, and permit law enforcement representatives to grant data access without a warrant that they would have required in the past. The computer fraud and abuse act (CFAA) law is related to the unauthorized access of the computer system which is acceptable as far as risk controls are concerned. This act relates to the physical security threat which can be performed by any employee of the organization. The CFAA is totally unacceptable in high profile environment as any act of stealing critical data from mission critical systems which include milestones and objectives which are of immense significance for any competitor or possible terrorist to attack. 5 Risk Standards ‘www.Businessdictionary.com’ defines it as: “Pure risk that is common or normal and insurable at standard premium rates. Non-standard risks are given plus or minus (credit or debit) points on the basis of their departure from a standard risk in that class for computing their insurance premium rates” 5.1 Acceptable Risk Standards Cyber security has an enormous impact when the security of the country’s critical infrastructure is compromised. The act is acceptable to provide information for the suspected victim because the service providers can be the source as they lack security as compared to a strong compliance based secure enterprise systems. The intruder may attack from one of systems which are connected externally to the enterprise networks. As the transmission from service providers is active, the hacker can easily broadcast any viruses or Trojans for possible attacks. 5.2 Un Acceptable Risk Standards The unacceptable act is to arrest a person on proposed jurisdiction. As time is required to track the cyber criminal, the proposed criminals will be in government jurisdiction until the trace for the authentic criminal is completed. 6 Cyber Crime Prevention Strategy Information technology strategy is defined as “An IT strategy is typically a long-term action plan for achieving a goal, set in the context of a rapidly changing technology environment” (IT strategy definition and review • IT strategy definition and review • oakleigh consulting). To eliminate cyber crime, a collaborative strategy is recommended. It includes partnership linking the law enforcement agencies and the private sector by knowledge-sharing and synchronization on investigation methods and trends to eliminate cyber crime. As cyber crime is also called an organized crime, structured approach is required for combat. The implementation of cyber crime investigation systems will motivate the partners to respond promptly to information requests, route to remote searches, and can conduct cyber patrolling for online tracks of cyber criminals. The implementation of an emergency response team is mandatory to conduct operations related to cyber activities. The teams can be established from the legacy ICT enabled organizations. The response will also be responsible to communicate with the government and business on cyber security related activities in a safe environment. The implementation of a centralized security center is required to control and maintain the cyber security threats. The security center needs to be equipped with enhanced security technologies, process and methodologies to eliminate utmost cyber security threats. Bibliography BBC news - wikileaks 'hacked ahead of secret US document release' Retrieved 12/13/2010, 2010, from http://www.bbc.co.uk/news/world-us-canada-11858637 Qualitative risk analysis definition Retrieved 12/13/2010, 2010, from http://www.businessdictionary.com/definition/qualitative-risk-analysis.html What is risk analysis? - definition from whatis.com Retrieved 12/23/2010, 2010, from http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci1182538,00.html SANS InfoSec reading room - legal issues Retrieved 12/13/2010, 2010, from http://www.sans.org/reading_room/whitepapers/legal/federal-computer-crime-laws_1446 Standard risk definition Retrieved 12/23/2010, 2010, from http://www.businessdictionary.com/definition/standard-risk.html IT strategy definition and review • IT strategy definition and review • oakleigh consulting Retrieved 12/23/2010, 2010, from http://www.oakleigh.co.uk/page/121/Services/Technology/Articles/IT-strategy-definition-and-review Read More