Identifying Threats and Vulnerabilities to Computer - Report Example

Assessment Computer Security Program Matriculation number Word Count: 1526 words Contents 3 Introduction 4 Identifying Threats and Vulnerabilities 4 Examination of the Security Principles Broken 4 Recommendations 5 References 7 Abstract Computer security refers to the minimization of vulnerabilities to assets and resources. There is no such thing has 100% security, although one can get close to it. The case study provides an example of how security lapses can occur and expose the system’s vulnerabilities. This paper looks into the threats and vulnerabilities that the event exposed and examines the security principles that were broken. It also provides recommendations for them. Threats to the system include the absence of multilayered protection. The ease with which the junior officer accessed the DRS is suggestive of implies threats too. The backup copies were not functional and the ease of access meant that the information is at a greater risk. There were also a number of security principles that were broken. These include the need for professionals to have knowledge about their profession, lack of responsibility by the duty manager etc. The recommendations encompass the development of multifactor authentication, a risk management system, introducing firewalls etc. Introduction One of the oldest definitions for security is that it is the process whereby steps are taken to minimize vulnerabilities of assets and resources. Security encompasses the elements of keeping information confidential and of upholding the integrity and availability of resources; these three elements are often used to describe computer security goals (Stallings 2009). It is often associated with the three As: authentication, authorization and accountability. Security does not entail the elimination of every threat or vulnerability to the system; rather security implies that there is no such thing has 100% security, although one can get close to it. Computer security gives rise to the notion of protecting systems from a technological point of view, as well as making systems more secure on the basis of human factor (Trček 2006). When securing data, the link between security and accessibility comes into limelight. The more accessible data is made, the lower will its security be, making it more vulnerable to threats. On the other hand, security will be high if the data is secured tightly, causing obstacles in accessibility (Cross & Shinder 2008). Computer security is also regarded as a compromise; it is seen that the greater the security, the difficult it is for users to work with the system (Salomon 2006). The case study provides an example of how security lapses can occur and expose the system’s vulnerabilities. This paper looks into the threats and vulnerabilities that the event exposed and examines the security principles that were broken. It also provides recommendations for buttressing the security of the computer systems based on the identified threats and vulnerabilities. Identifying Threats and Vulnerabilities Threat to a computing device is referred to as any potential happening, either unintentional or malicious, that may cause undesirable effects on the asset (Newman 2009). One of the main security issues that the event brought into limelight was the ease with which a junior employee was able to change the keys for the encryption on the database. There was no layered security protocol and a simple password provided the user access to valuable information. Moreover when the junior officer had logged into the system using the password of the duty manager, a message came up asking the officer to change the crypto keys on the DRS. Giving away the password to a junior officer and allowing him access to company files and other information which constitute a large value of the company gives rise to threats to the security of the computer. The junior officer did not know much about the application that launched to change the keys. The application could have been a malicious software too and could have corrupted the entire system if the junior officer simply ‘pressed a few buttons’, causing the application to disappear. The junior officer did not know about the right tape to be used for backing up the information. He used the wrong tape, causing important information from the past two weeks to be rewritten and hence lost. This also entails that anyone who has the password could use the backup tapes to wipe out the information stored. There were not sufficient backup copies of the information, and there was also doubt regarding their reliability since it was the last backup tape that finally worked and reset the system. Examination of the Security Principles Broken One of the blunders that occurred was the changing of the keys before the database was backed up. This resulted in the backup to be accessible by the old key only. When need arose to reset the system by using a backup, the procedure failed to come through because the backup was protected by the old key. The event also showed that the there was little know-how regarding restoring the backing tapes. The backing tapes had to be restored three times before they finally worked and the process was a learning experience for everyone. The staff was not adequately trained enough to deal with such situations and to reset systems from backup copies. This shows that sufficient and comprehensive integration of the security program with system operations was not present. This principle states that the people who are in charge of the security program should be able to comprehend it, its mission, its technology and the environment in which it functions (Swanson & Guttman 1996). The event also highlights that there are little or no steps taken for risk management by Attica. Risk management is important in preventing the occurrence of adverse events and reducing the risk to a minimal level. Another security principle that was not followed was that the duty manager did not inform the junior official about the application that caused the keys to be changed. The lack of knowledge of the junior officer regarding the tape set to be used is also representative of poor conformation to security principles. The backup tapes were not functional since it took three tries to reset the system. In the end, it was the final backup tape that worked and caused the system to be reset. This shows a breach of the security principle that computer security should be periodically reevaluated (Swanson & Guttman 1996). The designation of the junior officer to perform such important work as backing up the system was an expression of lack of responsibility by the duty manager. The duty manager was given higher status and entrusted with greater responsibility than the junior officer. One of the security principles is that the responsibility of the employees should be made explicit (Swanson & Guttman 1996). The event shows a breach of this principle with the attitude of the duty manager representing lack of responsibility. Moreover, a password to important and valuable information of the company needs to remain the knowledge of a selected group of authorized personnel. Giving away the password to a junior officer takes away the meaning and purpose of setting a password in the first place. Recommendations I propose the following recommendations to improve the security of the computer systems and to minimize the threats and vulnerabilities. One of the foremost recommendations is to install a multilayered security system. This would prevent any unauthorized person from gaining access to valuable information regarding the company if he or she has acquired a password. Multilayered security involves installing multifactor authentication. There are many proposals in the market that provide two or three factor authentication. Multifactor authentication requires that three aspects are addressed, i.e. something that you know (like a password), something that you possess (such as a USB flash) and something that you are (includes biometric qualities); passwords also need to be different as well as using the same password everywhere would be a potential mistake (Dekart 2011). This would not only ensure that there is a high degree of protection available for the information you have stored in the DRS but also requires that only certain authorized individuals can access the database. Multifactor authentication is believed to take security to a whole new level. Attica already uses encryption to store important information. However, keeping in mind the ideal security protocol, there is a need to regularly update the security measures. A lot of factors can have an influence on computer security such as technological advancements, linkages to external environments, modifications in the worth or utility of information and the occurrence of a new threat. This follows that the security system should be upgraded on a regular basis. The organization should take steps for the development of a risk management system. No organization is risk proof; however the adoption of certain protocol and development of risk management systems can help the organization to decrease the probability of occurrence of an adverse event. Risk assessment compromises determining the scope and procedure needed to carry out the assessment, assimilating and interpreting data and interpreting the results of the risk assessment. Interpretation of data requires asset valuation, consequence assessment, likelihood assessment, and safeguard and vulnerability assessment (Swanson & Guttman 1996). Risk mitigation is the process whereby steps are taken to reduce risk and to manage it effectively. Selection of protection methods, acceptance of residual risk and implementation of controls and monitoring effectiveness form the various stages of the risk mitigation process. Furthermore there is a need to explicitly differentiate the roles of the employees and to stress upon the importance of maintaining secrecy of protected information and carrying out their duty responsibly. The employees should be given adequate training of the events that are not very likely to occur and they should have in-depth academic knowledge of their tasks. In this case, Attica needs to spend time developing functional copies of the information. Computer security personnel and other professionals should be aware of the consequences of security breaches, which may result in huge financial losses for the organization. Introducing firewalls can also prove to be effective in regulating the information that users can access from other computers. Thus, following the guidelines for protecting computers such as installing security software, using software patches, using software from reliable sources and avoiding opening emails and websites that are not safe can prove to be effective in building baseline security (Parsons & Oja 2008). References Cross & Shinder 2008, Scene of the Cybercrime, 2nd edn, Syngress, Burlington, MA. Dekart 2011, Main principles of computer security – learn how to protect your PC, Dekart, retrieved 16 February 2011, Newman, RC 2009, Computer Security: Protecting Digital Resources, Jones & Bartlett Learning,Sudbury, MA. Parsons, JJ & Oja, D 2008, Computer Concepts Illustrated Introductory, Cengage Learning, Boston, MA. Salomon, D 2006, Foundations of computer security, Springer, Berlin. Stallings, W 2009, Operating Systems: Internals And Design Principles, 6/E, Pearson Education India, Delhi. Swanson, M & Guttman, B 1996, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST, retrieved 16 February 2011, Trček, D 2006, Managing information systems security and privacy, Springer, Berlin. Read More