
A Threat Analysis to Enterprise Computer Networks and How to Mitigate Them - Research Proposal Example

Summary
This research proposal "A Threat Analysis to Enterprise Computer Networks and How to Mitigate Them" focuses on Network security that encompasses areas pertaining to risks and threats and how to protect IT infrastructure from different types of malware. …

Extract of sample "A Threat Analysis to Enterprise Computer Networks and How to Mitigate Them"

A Threat Analysis to Enterprise Computer Networks and how to mitigate them

I.

II. Introduction

The problem of IT security can be compared to a building that needs fast and effective service to serve its inhabitants. If security is not well in place, service cannot be dispensed effectively. Managers, employees and individuals working for and in organisations should be involved with information systems and the required security because they tend to be less functional without this knowledge. Knowledge of IT and IT security should not just be left to IT professionals or technical people; it should be the concern of everyone in the organization.

Information systems are operational tools that hasten the success of organizational objectives. Information systems perform countless tasks for an organization. The tasks include capturing, storing, processing, exchanging, and using information for the organization.

Network security encompasses areas pertaining to risks and threats and how to conduct risk management and protect IT infrastructure from threats of viruses, worms, and different types of malware. Security is an expensive commodity when speaking in terms of technology and network. The reason is primarily that it involves safety and the organization’s future. It is a challenging task that requires a lot of creativity and painstaking effort, as well as skill in software programming. Checks and audits for possible threats and risks must be done every now and then.

III. Literature Review

Employees’ security awareness is significant in information systems’ security management. Employees of an organization can be risks or assets to information security. Some commentators consider the employees of an organization the weakest link in information security. But some studies have found that employees can be assets in reducing risk to information security.

Most organizations depend on technology-based solutions in reducing risks to information security (Ernst & Young as cited in Bulgurcu et al., 2010, p. 524). This should not be the ultimate solution in reducing network security risks. Organizations have to rely on people. Some studies reported that risks pertaining to IT have been increasing even if organizations spend much for the protection of their company network. Security success can be achieved through a coordinated effort involving technical and socio-organizational factors.

Employees, who are considered insiders in an organization, can pose a security challenge because their ignorance, laxity, and conscious acts can put the organization in danger. Employees who have the tendency to abuse and misuse information systems can jeopardize security. Bulgurcu et al.’s (2010) study focused on preventing inappropriate behaviors of employees in their use of information systems. Organizations should provide a punishment mechanism for erring employees who abuse organizations’ information systems. This can serve as a deterrent to others with the same behavior (Straub & Nance as cited in Bulgurcu et al., 2010, p. 525).

Kinds of risks

Security risks pertain to unauthorized access to information. This is also linked to data leakage, privacy and fraud, and other forms of security risks. A computer virus is a security risk. A virus attack can spread rapidly over the Internet, destroy files, and maliciously collect private and confidential information and data. Security risks have cost about $17 to $28 million for every occurrence of attack, according to a study by Ernst and Young (Suduc et al., 2010).

Physical risks

Physical risks and logical risks are two problematic areas in IT infrastructure. Physical risks refer to the equipment, which has to be protected from natural disasters like earthquakes, hurricanes or floods. Man-made disasters include bombings, theft, power surges, etc.
The equipment can be protected through controls like locks, insurance coverage, performing daily backups of the information system and data, disaster recovery procedures, and so forth (Suduc et al., 2010, p. 43).

Misuse of information

There has also been an increase of misuse in Information Systems practice in organizations. A study in a university in Romania found a great percentage of misuse of information systems, a notable 46%. Motivation of misuse ranged from curiosity to intellectual challenge to personal gain.

[Figure: Network security: Key types of incidents. SOURCE: Audit for Information Systems Security, by Suduc et al., 2010]

According to surveys, approximately 90% of organizations face information security investigation almost annually (Siponen et al., 2007, p. 133). To counter these security threats, there have been recommendations to improve information management systems and policies. Many of these organizations’ managements seldom comply with information security processes and techniques.

Organizations’ IT infrastructure, both physical and virtual, is jeopardized. Physical assets are also at risk. There is also the concern of privacy. Information technology was only used as an aid or tool in business, but now it is the mainframe because of the complexity and interconnectedness of businesses and organizations. But hackers and programmers with malicious intent continue to find ways to illegally penetrate vulnerable websites. There is no ‘safe’ or ‘trusted’ network in organizations. The ‘untrusted’ network, which refers to the external connection of organizations, will continue to expose the privacy of peoples and organizations (Kelly Rainer & Cegielski, 2011, p. 83).

Another security issue is a scenario known as ‘downstream liability’. This particular situation occurs between organizations using Information Systems that are attacked by criminals or skilful hackers.
For example, if Organization A’s software has been attacked and used to attack another, say Organization B’s information system, under the law Organization B has the right to file for damages against Organization A. Also under the law, plaintiff B has to prove that A’s information systems had been used to attack B’s information systems. The rationale behind this law is that any organization has the duty to keep its information systems secure so that they cannot be used by criminals or hackers (Kelly Rainer & Cegielski, 2011, p. 85).

Cyber criminals are of various types. Classification is enumerated below.

Viruses, worms and malware or malicious codes

In 2011, a Twitter account reported the death of President Obama. Fox News, which owned the account, immediately acknowledged that it was a hack and informed the public that it was a ‘false tweet’. After some investigation, it was found that the hack was perpetrated by a group of youths, known as script kiddies, who hacked using simple scripts (Bisaerts, 2011).

A computer virus is a malicious code, a piece of software programming disguised as good programming, but which actually causes unexpected events in the network with legitimate programming. A virus is usually attached to a file or document when spread by its owner. When the file is opened, the virus penetrates the computer’s memory and inflicts damage. A virus executes an act like displaying a certain message on the computer monitor, deleting documents, or copying files and passwords. Most viruses propagate through emails and spread easily and fast (Reynolds, 2010, p. 219).

Terms relating to network security

Hacktivists are those who conduct politically motivated attacks on websites and servers.

Information warfare specialists work to develop information programs and strategies to fight cyber terrorism.
Insiders are disgruntled members of organizations who have access to restricted information; they become a source of cybercrimes when they pass on information like passwords and other confidential data or trade secrets that might be of potential use to other organizations or competitors.

Malicious code writers are those who program secret codes for critical infrastructures. They pose a serious threat to enterprise IT infrastructure (Erbschloe, 2005, p. 2).

IV. Hypothesis

i. Identify risks
ii. Identify triggers
iii. Categorize risks
iv. Assumptions analysis
v. Diagramming inputs to other processes

V. Research Methodology and Design

VI. Summary and Conclusion

References

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. Retrieved from MIS Quarterly Vol. 34 No. 3 pp. 523-548/September 2010

Bisaerts, D. (2011). President Obama is dead, says Fox News through their (hacked) twitter account. Retrieved from http://www.itsecurity.be/president-obama-is-dead-says-fox-news-through-their-hacked-twitter-account

Kelly Rainer, R. and Cegielski, C. (2011). Introduction to information systems: enabling and transforming business. United States of America: Quebecor World Versailles.

Reynolds, G. (2010). Information technology management. Singapore: Cengage Learning.

Siponen, M., Pahnila, S., & Mahmood, A. (2007). Employees’ adherence to information security policies: an empirical study. In H. Venter, M. Eloff, L. Labuschagne, J. Eloff, & R. von Sohns (Eds.), New approaches for security, privacy and trust in complex environments (pp. 133-134). United States of America: Springer.

Suduc, A., Bîzoi, M., & Filip, F. G. (2010). Audit for information systems security. Informatica Economica vol. 14, no. 1/2010. Retrieved from: Business Source Complete database.