Management of Information Security - Literature review Example

Heading: Security Plan Your name: Course name: Professors’ name: Date Table of Contents Testing the efficacy of the plan 13 Conclusion 15 References 17 Introduction There have been numerous recent cases of security threats to business information holdings inhuman, electronic, and physical form. These threats need effective management to prevent firms from undergoing heavy losses in terms of valuable assets and information. This paper intends to describe some of the human, electronic, and physical holdings under threat and what these possible threats are. It also outlines a security plan to counteract the aforementioned threats, as well as measures to be used to evaluate the plan’s effectiveness. Physical information holdings Some of the physical information properties in a firm include, but are not limited to, computers, telephones, internet cables, and hardware. Human information holdings These include employees, shareholders, and customers, among others. Electronic information holdings These include, but are not limited to, customer private details, business sensitive information, software and credit card details. Physical threats Bidgoli (2006) contends that various physical threats exist to an organization’s information holdings, including water, theft, and fire among others. One particular category of threat is natural threats like floods, earthquakes, and wildfires, among others. Within this category, floods definitely constitute a serious risk to information holding in a firm. This is because water may shortcircuit a computer’s operating system, and thus, destroys its hardware. This may get even worse depending on the geographical location of a firm, as located on hilltops are more secure than those in flatter areas. Other physical threats to informational holdings include liquid leakage, environmental failure, tornados, ice, chemicals, lightning, and wind (Lindstrom, 2003). In addition, Lindstrom (2003) explains that wildfires may bring about a catastrophic effect on information systems in a given organization if they fully or partially destroy the buildings in which computers are stored. Moreover, areas with powerful seismic waves experience frequent earthquakes, thus causing substantial threat to information systems in these areas. In addition to earthquakes, organizational information systems may be threatened by the temperature levels of a location. Certainly, the performance of computers seems to deteriorate under specific temperature levels. Besides this, the amount of humidity in the air may result in corrosion to computer circuits and hardware. Power outages and electricity spikes resulting from thunderstorms may also cause damage to computer systems, especially when there is no regular testing of backup generators (Bidgoli, 2006). Human threats Human error presents a serious threat to a firm’s information systems. Besides, human errors are subdivided into insider threats versus outsider threats, and accidental versus deliberate threats. Insider versus outsider human threats Insider threats are those facilitated by individuals within a firm, such as, employees, and other persons in the organization. For instance, there have been reported cases involving janitorial staff unplugging mainframes in order to clean them, and plugging them back once things were in order (Theoharidou et al., 2005). On the other hand, outsider threats are those caused by people originating outside the firm. For instance, people holding grudges with a company may steal its vital information either within, or in a cyber outside the firm. Theft is another human threat to information holdings in a business whereby criminals might break into a business facility and steal computers and information devices, causing major loss to a business. Vandalism is another form of outsider human threat to information holdings (Corporation, 2011). Accidental versus deliberate human threats Accidental threats are those that happen unintentionally, for instance, there are human errors like resetting a computer by mistake and knocking computers off shelves or desks (Bidgoli, 2006). On contrast, deliberate threats are those that happen intentionally. Information holdings may also face sabotage, whereby an individual deliberately steals, alters or destroys informational resources. For instance, anybody with a grudge against a firm, such as a former or current disgruntled employee, might pose the threat of sabotage against its critical systems. Another form of human threat to information holdings is vandalism, which causes huge losses to a business (Ray, 2004). Electronic threats The electronic threats that an organization’s information property may face are classified into a number of categories. These divisions are based on the manner in which the threat is carried out against the information holdings. Some of these threats include access attacks, reconnaissance (reckon), malware, and Denial of Service (DoS) attacks (Colwill, 2009). Denial of Service (DoS) Attacks As Schneider (2012) explains it, in this type of attack, a hacker attempts to deny legitimate users and traffic access to a particular resource, or lowers the service quality in this category. Some of the DoS attacks include flood attack, application attack, email bomb, and CPU hogging (Basagiannis et al, 2009). Malware This is a category of malicious code, which comprises viruses, worms, Trojan Horses, spyware, rootkits, and riskware among others. Here, a destructive malware employs common approaches in order to multiply, and these include the use of virus-infected documents, worms, Trojan Horses from various sites (Wiles et al., 2012). Access attacks According to Choo (2011), this involves a hacker trying to access illegally a particular system, or resources, such as, files, servers, and e-mail. Here, a hacker tries to employ password-cracking systems in order to enter password documents, or to inspect a system’s traffic to detect any problems in operating systems, such as buffer overflows, thus facilitating a hacker’s accessibility without validation. Some sub-classes of these access attacks include unauthorised, session, and data manipulation attacks (Onwubiko & Lenaghan, 2007). Recon (reconnaissance) According to Khan and Mustafa (2009), this happens when attackers investigate a system to plot the user’s system for prospect attacks. Such techniques are prevalent in and achievable through scanning systems for available ports, by using certain commands, such as ping and trace route to plot a way through the system. Some examples of reconnaissance attacks include eavesdropping, and scanning (Xenakis & Merakos, 2004). Security plan An information security plan is tailor made to safeguard the critical resources and information from a broad variety of threats to facilitate business continuity, reduce business risks, as well as to capitalise on business opportunities and return on investment. Security of information holdings may be attained through the implementation of appropriate controls, which include procedures, policies, processes, hardware and software functions, and organizational structures. These controls must be established, executed, managed, evaluated, and developed, where essential, in order to facilitate the realisation of organizational business and security objectives (Whitman, 2010). In addition, Herold (2011) says that a security plan is responsible for governing security, privacy, as well as the confidentiality of information holdings, particularly the most sensitive information. It is also designed to govern the roles of individuals and departments for the most sensitive information. The IT security precautions are meant to safeguard information holdings and conserve privacy of a business employees, clients, shareholders, and suppliers among other stakeholders. Notably, unsuitable utilisation of the information may expose the business information holdings to high risks, which include virus attacks; hence compromising its network services and systems, as well as its legal matters. A security plan is also aimed at ensuring integrity, confidentiality, and data availability. It is also meant for the definition, development, and documentation of information procedures and policies that aid the business objectives and goals, as well as to enable the business to meet ethical and legal responsibilities regarding its information resources (Whitman, 2010). Physical countermeasures To prevent losses due to physical destruction of information system, a firm should have backups for telephone and power. Additionally, the firm should put in place fire detectors and alarms to check fire outbreaks. It should also use a HVAC system, fire and water protection systems, as well as power protection system in order to minimise physical threats to information holdings. In combatting temperature issues, air conditioners are important in checking extreme temperatures that may threaten a system’s performance. Quakeproof installations and fireproof installations are also vital in reducing damage to the information holdings of an organization (Whitman, 2012). Human countermeasures Regarding countermeasures to human threats, a firm should put in place effective detection and monitoring systems to prevent theft and vandalism of its information holdings. Additionally, it is essential that a firm install an appropriate lighting system on its premises to help in checking intrusion and theft of its property (Lindstrom, 2003). A business must also put in place proper gates and doors with locks, fence, cameras, and barriers in order to help prevent the entry of anyone intending to sabotage or steal business information property. The use of escorts and badges is also critical in the prevention of human threats to a business’s information property. This is because it ensures that genuine visitors are allowed in the premises, and that visitors go to the intended offices and they do not wander aimlessly within the firm. Moreover, a business must focus on the establishment of confidentiality agreements between clients and company employees and the removal of invalid accounts once employees have left an organisation (Pfleeger, 2012). Lindstrom (2003) states that businesses should also put into place a team of security consultants who specialise in providing security systems, as well as clear procedures for incident reporting. It is critical to carry out security audits and conduct occasional security training and education. Personnel should also be trained on operational procedures to bar human threats to information property in a firm. Electronic countermeasures To prevent electronic threats to business information systems, a firm must employ certain countermeasures. To start with, Gandotra, Singhal, & Bedi (2012) maintain that firms should prevent threats to software by using a scanner, multi-user system, user entrance logs, as well as system recovery methods. Automatic testing and debugging is also critical in securing a system’s software. Trojan code and covert channels should be installed as well as ensuring that system modification is authenticated. With respect tohardware protection, firms should use entrance limitation, use of surveillance system, and remote mirroring. It is also imperative to check disks periodically and use UPS (Emergency Power Source) (Meier et al., 2006; Andress, 2011). As regards the protection of its data, Lindstrom (2003) holds that firms should have information backups, event logging, and enforced paths. There must also be well-defined and documented procedures for handling information, as well as proper monitoring of removable media. Businesses must emphasise authentication and other data access regulations, and appropriate media disposal. Levels of authorisation, or the rights of a user in accessing data, are also vital in the protection of information holdings (Beal, 2005). In relation to network protection of business information systems, Meier et al. (2006) say that various countermeasures can be used including encryption, firewalls, digital signatures, alternative circuit, user verification, anti-virus software, and instruction detection systems (Vacca & Ellis, 2005). Restriction of connection period is also effective in the protection of information systems of a company. In addition, firms should also create and enforce security policies, which manage business continuity. In addition, it is imperative that organizations encourage its personnel to comply with legal conditions, including rights of intellectual property, and personal information privacy (Furnell, Bryant & Phippen, 2007). Comprehensive Information Security Education andAwareness To protect information holdingsfrom unauthorized access threats, it is imperative to use techniques that match and counteract those used by hackers to sneak into a user’s network. For example, users may utilize double authentication which as Cisco IOS routers, which comprise of two aspects: authentication proxy and Lock-and-Key access control lists (ACLs). In this case, the administrator first verifies the user via CHAP, and then uses a lock-and-key. Moreover, lock-and-key also works on non-dialup connections. Prevention of eavesdropping is also possible with the utilization of a switched infrastructure called SPAN (switched Port Analyzer) invented by CISCO which supplies each device with individual control port connections. The design allows the attacker to observe only the traffic regulated at the compromised PC, broadcast, or multicast traffic. To prevent spoofing user identity threats, Flick&Morehouse (2011) argue that it is critical that system users employ powerful authentication. They should also desist from storing secret information, such as usernames and passwords in plain texts. In addition, this threat can be managed by avoiding the passing of credentials in clear text over wire, as hackers might detect them. Besides, firms should avoid this threat by protecting verification cookies using cookies that have Secure Sockets Layer. To enhance the protection of information against tampering, firms, contractors, and employees should apply digital signatures, data signing and hashing, as well as strong authorization (Andel &Yasinsac, 2008). This is also made possible by using tamper-resistant procedures in all communications connections. Additionally, securing communication connections with procedures that offer message integrity is critical in enhancing the information systems of an organization (Choo, 2011). It is also worth noting that it is possible to prevent repudiation threats by using digital signatures as well as creating powerful audit trails. Moreover, Farmer (2005) holds that DoS threats can be managed by using bandwidth and resource throttling methods. Indeed, filtering and validating input works well in the prevention of DoS threats. To safeguard information holdings from information disclosure, management, contractors, and staff may apply powerful authorization, and powerful encryption (Azad, 2008). It is also imperative to safeguard communication connections using protocols, which give messages confidentiality. In addition, it is crucial to avoid storing secrets like usernames and passwords in clear texts (Norman, 2012). In order to avoid eavesdropping, it is essential to employ certain forms of encryption on the user’s packets. Virtual Private Networks (VPN) allows a user to employee Data Encryption Standard (DES), 3DES, and AES encryption algorithms to preserve information. Regarding terminal access, the user must utilize Secure Shell (SSH) measures, which comprise an encrypted Telnet form (Rountree, 2011). Imperatively, it is critical to encrypt various information forms, which include credit card data, passwords and usernames, financial transactions, telephone numbers, personal information, such as medical information, driver’s license numbers, business fundamental information, and trade secrets (Kritzinger & von Solms, 2010). As stated by Hunter (2002), prevention of unauthorized access threats requires the use of methods in accordance with the ones applied by hackers to access into a user’s system. For example, if an attacker utilizing a system’s remote access (dialup) server, he or she may execute a solution such as utilize a Challenge Handshake Authentication Protocol (CHAP), or Point-to-Point Protocol (PPP), whereby the login details are not conveyed through wire, but are fixed on a given user and confirmed by a security server (Colling & York, 2010). Protection of information holdings from data manipulation attack requires the enforcement of a strong and centralized verification and permission system, such as Cisco Secure ACS. This solution not only restricts users’ accessibility, and what they may do on the system, but it also documents events for security objectives (Stallings, 2009). Concerning file servers, there are apparatus available taking snapshots of files, which might then be stored in protected places. To employ these snapshots effectively, users ought to compare files occasionally on their servers with previous snapshots. Whenever there is dissimilarity between them, users can be regarded as victims of a data-manipulation attack. Users can then employ security techniques, such as Tripwire to facilitate the detection of the compromised files and fix them (Korper & Ellis, 2001). In addition, Wheeler (2011) claims that to avoid ActiveX and Java attacks on firm servers, it is imperative to apply a filtering solution to filter ActiveX and Java scripts fixed in HTNL pages. There are numerous solutions available, which include the use of PIX firewall and Cisco IOS routers. Furthermore, to bar hackers from abusing known weaknesses in accessing a certain system, it is important to apply contemporary safety patches on operating systems. Notably, security patches involve software pieces aimed at updating or solving issues in computer systems or programs (Durbin, 2011). To prevent human threats and physical threats to information holdings, firms should train, and educate employees on the importance of security of information systems. It should also advocate for compliance with legal regulations regarding intellectual property, and privacy, among other cyber ethics. Moreover, it is imperative to install waterproofs, quakeproofs, detectors, alarms, sensors, cameras, locked gates and doors, escorts, and badges (Bidgoli, 2002). Testing the efficacy of the plan To test the effectiveness of the security plan, it is essential to use certain control measures. To begin with, the security plan should be universal which implies that its principles are applicable regardless of the code, architecture, system or interface conditions. A solution is universal if it consists of explicitly defined variables, which are useful in any kind of ISMS to which a user wants to employ the measurement (Pelaez, 2010). Secondly, an effective security plan should yield substantial outcomes relating to the matter being measured (Pelaez, 2010). This means that the plan should give rise to relevant results. For instance, this plan should ensure information security, and nothing else unrelated to security of information holdings. Thirdly, the security plan must be precise and represent what information security personnel actually want and need to learn. In this case, I will conduct a practice run by doing a pretend malware attacks on some of the information holdings a particular business premise. If the security plan is effective, it will protect the information holdings of the firm from the threat because all the assets will be fitted with security devices including anti-virus software, and firewalls (Theoharidou et al., 2005). Besides, the effectiveness of the security is determined by the ability of the information holdings to withstand various threats, such as, DoS, Reconnaissance attacks, and malwares and access attacks. This implies that the information assets will remain protected because the security plan entails installation of firewalls, and other relevant security measures. Moreover, it is effective because if it ensures that virus protection is installed and regularly updated. What is more, the plan will involve the creation of powerful password policies, appropriate backup of the local business information, storage of copies of sensitive documents offsite, and regular testing of backups by conducting a restore (Andress, 2011). To test whether the employees know about the plan, I will conduct a study within the organization based on the security plan. The responses of the employees will determine their awareness of the security plan in the firm. To achieve this, I will issue out questionnaires to the employees, and conduct interviews to collect information on the security plan (Herold, 2011). Upon determining the employees’ awareness of the security plan, I will focus on officially informing them of its existence through a variety of ways. Firstly, I will arrange for training sessions, and seminars to equip the employees on availability and use of the security plan to safeguard business information holdings. The training sessions will enable the employees to attain knowledge and skills on various security measures including installation and updating of virus protection, password usage, and creation of backups (Yeh & Chang, 2007). Moreover, the seminars will facilitate constructive discussions on the importance of the plan, the implementation, and testing of the plan. Besides, these seminars will address the importance of safes, locks, badges, escorts, alarms, cameras, and doors, in the protection of information holdings of a business (Stallings, 2009). In addition, manuals will be critical in making the security plan available to the firm’s employees. In these manuals, employees will find appropriate guidelines on how to protect the firm’s information holdings. For instance, the manuals will have information on the policies and usage of passwords, installation of anti-virus devices, firewalls, creation of backups, and regular updating of malware protection. These manuals will incorporate all the measures necessary for ensuring physical, human, and electronic security of the firm’s information holdings (Theoharidou et al., 2005). Conclusion Recently, it has become evident that the level of information security threats in firms has grown considerably. Various organizations face different forms of security threats to their information holdings, which include human, electronic, and physical threats. Some of the human assets include personnel, clients, and shareholders, while physical assets under threat include computers, and hardware. Regarding electronic assets, there are softwares, data, personal and business information under security threat. Some areas of human threat include theft, error, and sabotage, while physical threats include liquid leakage, floods, earthquakes, power outages, temperatures, and other environmental interruptions. Electronic threats include DoS, access attacks, and reconnaissance attacks. Some of the suggested counteractive measures in the security plan outlined in this essay include use of strong authentication, encryption, safe audit trails, digital signatures, tamper-resistant protocols, and firewalls among others. Use of waterproofs, quakeproofs, lighting, sensors, cameras, detectors, badges, lockable gates, and doors helps in the prevention of these aforementioned security threats. Furthermore, an effective security plan should be universal, objective, accurate, and reproducible as well as made available to staff through continuous training. Such a plan needs to be subjected to testing protocols on a regular basis to ensure its efficacy. References Andel, T.R. &Yasinsac, A. (2008).Adaptive Threat Modeling for Secure Ad Hoc Routing Protocols.Electronic Notes in Theoretical Computer Science, 197 (2), 3-14 Andress, J. (2011).Chapter 1 - What is Information Security? The Basics of Information Security. Pp. 1-16 Azad, T.B. (2008). Chapter 1 - Introduction to Security.Securing Citrix Presentation Server in the Enterprise. Pp. 1-67 Basagiannis, S., et al (2009). Probabilistic model checking for the quantification of DoS security threats.Computers & Security, 28(6),2009, 450-465 Beal, B. (2005).IT security: the product vendor landscape.Network Security, 2005, (5), 9-10 Bidgoli, H (2006). Handbook of information security. Hoboken, N.J: John Wiley. Pp. 18-50. Bidgoli, H. (2002). Chapter 11 - Security Issues and Measures: Protecting Electronic Commerce Resources. Electronic Commerce. Pp. 363-398 Choo, K.R. (2011). High tech criminal threats to the national information infrastructure. Information Security Technical Report, 15(3), 104-111 Choo, K.R. (2011). The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719-731 Colling, R.L, & York, T.W. (2010).Chapter 3 - Security Risks and Vulnerabilities.Hospital and Healthcare Security. Pp. 51-84 Colwill, C. (2009). Human factors in information security: The insider threat – Who can you trust these days? Information Security Technical Report, 14(4), 186-196 Corporation, M. (2011).Improving Web Application Security Threats and Countermeasures. Sebastopol: Microsoft Press. Pp. 1-30. Durbin, S. (2011).Tackling converged threats: building a security-positive environment.Network Security, 2011 (6), 5-8. Farmer, M.C. (2005). Environmental consequences of social security reform: a second best threat to public conservation. Ecological Economics, 53(2), 191-209 Flick, T., &Morehouse, J. (2011). Chapter 2 - Threats and Impacts: Consumers Securing the Smart Grid. Pp. 19-33 Furnell, S.M., Bryant, P. &Phippen, A.D. (2007).Assessing the security perceptions of personal Internet users.Computers & Security, 26, (5), 410-417 Gandotra, V., Singhal, A., &Bedi, P. (2012).Threat-Oriented Security Framework: A Proactive Approach in Threat Management. Procedia Technology, 4(2), 487-494 Herold, R. (2011). Managing an information security and privacy awareness and training program. Boca Raton: CRC Press. Pp. 1-30. Hunter, P. (2002). VOIP the latest security concern: DoS attack the greatest threat. Network Security, 2002(11), Pp. 5-7 Khan, R.A., & Mustafa, K. (2009).From threat to security indexing: a causal chain. Computer Fraud & Security, 2009(5), 9-12. Korper, S., &Ellis, J. (2001).10 - Secure Your Investment: Security threats and Solutions. The E-Commerce Book.Pp.189-210. Kritzinger, E., & von Solms, S.H. (2010).Cyber security for home users: A new way of protection through awareness enforcement.Computers & Security, 29(8), 840-847 Lindstrom, P. (2003). Let’s Get Physical: The Emergency of the Physical Threat. A Spire Research Report. Pp. 1-10. http://www.netbotz.com/library/Physical_Threat_Security.pdf Meier, J.D., et al. (2006). Improving Web Application Security: Threats and Countermeasures. Retrieved on September 15, 2012 from http://msdn.microsoft.com/en- us/library/ff648641.aspx Norman, T. (2012).19 -Security System Integration.Electronic Access Control. Pp. 263-279 Onwubiko, C. &Lenaghan, A.P. (2007).Managing Security Threats and Vulnerabilities for Small to Medium Enterprises.IEEE International Conference on Intelligence and Security Informatics. Pp. 1-6. Pelaez, M.H.S. (2010). Measuring effectiveness in Information Security Controls. Pp. 1-19. http://www.sans.org/reading_room/whitepapers/basics/measuring-effectiveness- information-security-controls_33398 Pfleeger, C. (2012). Analyzing computer security: a threat/vulnerability/countermeasure approach. Upper Saddle River, NJ: Prentice Hall. Pp. 100-150. Ray, A. (2004). Information technology: principles and applications. New Delhi: Prentice-Hall of India. Pp. 310-320. Rountree, D. (2011). 4 - System Security. Security for Microsoft Windows System Administrators. Pp. 109-134 Schneider, D. (2012). The state of network security.Network Security, 2012( 2), 14-20 Stallings, W. (2009). Chapter 36 - Physical Security Essentials.Computer and Information Security Handbook. Pp. 627,629-643 Theoharidou, M., et al. (2005).The insider threat to information systems and the effectiveness of ISO17799.Computers & Security, 24(6), 472-484 Vacca, J.R. & Ellis, S.R. (2005).14 - Internal IP Security Threats: Beyond the Firewall. Firewalls. Pp.231-248 Wheeler, E. (2011). Chapter 11 - Threat and Vulnerability Management.Security Risk Management. Pp. 215-237 Whitman, M. (2010). Management of information security. Boston, MA: Course Technology, Centage Learning. Pp. 1-30. Whitman, M. (2012). Principles of information security. Boston, MA: Course Technology.Pp. 300-400. Wiles, J., et al (2012).Chapter 2 – Low tech vulnerabilities: Physical security. Low Tech Hacking. Pp. 31-49 Xenakis, C., & Merakos, L. (2004). Security in third Generation Mobile Networks. Computer Communications, 27 (7), 638-650. Yeh, Q. &Chang, A.J. (2007) .Threats, and countermeasures for information system security: A cross-industry study. Information & Management, 44(5), 480-491 Read More