Information Security - the Difficulty in Estimating the Probability of a Threat or Attack Occurring - Assignment Example

ICT Management and Information Security Student’s Name: Institutional Affiliation ICT Management and Information Security Standard of due care in information security in relation to due diligence. Information security is the aspect of keeping and protecting information from unauthorised access, presentation, modification and even destruction, which would attribute to huge losses mostly in organisations. The qualities of information security are confidentiality, integrity and availability. Confidentiality assures access of information by only authorised users, hence keeping information by themselves. Integrity enhances withholding of the right information for the right purpose and by the right persons. Availability is meant to ensure that the authorised users have easy access to whatever information they are supposed to access at any time. Standard of due care is a term used in information security where it means that an organisation has taken up the responsibility through various activities to protect its data and information both internally and externally (Harris, 2003). This is by adopting certain measures and practices to be followed by employees in accessing whatever information they want to. To observe due care in information security, an organisation should make sure all the qualities of information security are implemented together with Authentication and Authorisation, Data privacy and Non-repudiation. All these information security qualities are achieved through the organisation putting the necessary security mechanisms such as access control, firewalls in their networks, cryptography and other minor security practices. Due diligence is a term related to due care, whereby, it shows the continual implementation of information security activities over time. This is through commitment in ensuring protective access of information in organisation by making sure that the security mechanisms are operational, and achieving the intended goals. Both standard of due care and due diligence in information security, are relational in that by showing due care there is a need to show due diligence to achieve information security. They both work together, following each other on how they are implemented. They are implemented by reasonable and prudent people who show qualities of being mindful, attentive and enduring. Prudent people make sure that all necessary measures are implemented to ensure information security in organised ways that are ethical to the business and the legal entities (Harris, 2003). Question 2: Discuss the difficulty in estimating the probability of a threat or attack occurring. What are some methods that can be used to make these estimates? Threats to information security are either propagated by certain individuals or they happen accidentally. It is difficult to ascertain when an attack will take place based on how much information security mechanisms are implemented. The probability is based on the likelihood of a threat to occur, which can be estimated by looking at the frequency of how other attacks has been happening (Garcia, 2006). It becomes more complex to understand the basis to which a threat can occur especially when the counter measures to information security are properly implemented. With more information being produced in an organisation, the rise to threats also rises due to the diversity of this information that brings about business development daily. The frequency of particular information access and the amount of personnel who have the rights to access it can be a determinant to the probability of information security threat. Change of technology results to new ways being introduced, on how to launch an attack (Alberts & Dorofee, 2002). This is done by hackers who never sleep to see that they have a solution to pose a threat and out do a certain security mechanism. To assess the probability to information security threat especially by people there has to be an identified motive, the means or ways of launching the threat and the opportunity that is a potential vulnerability existing in the organisation. One method used to estimate a threat occurrence is the OCTAVE method. This method is based on various steps that form an analysis to a potential attack. First, the probability of threats to critical assets is assessed. This entails a study of the information assets and how they have been performing over the years, as well as any threats recorded in the past. The possible motives, means and vulnerabilities are highlighted to every user of the information. Any unusual behaviour or situations that are threatening are captured. Secondly, is the creation of probability evaluation criteria which is based on coming up with cases of high, medium and low threats situations and their impacts. Possible measures are also highlighted on each case of a threat. Lastly is that you evaluate the probability of threats to critical assets. This is done by taking each critical asset and assigning it the here cases of threats to gauge on their occurrence (Alberts & Dorofee, 2002). Other methods such as assets identifications, manual listings and consequences of analysis and consequence of loss are used to estimate the threat probability (Garcia, 2006). Others like logical diagrams come up with various ways to which attacks can occur by identifying potential vulnerabilities in the information systems, and the physical infrastructure. Question 3: Using the Internet, research the following items when implemented by a firm with 1000 employees and 50 servers (included virtual servers, SQL, VPN, Remote services, Fileserver, Stream services). List and briefly describe two: Operating Systems robust in security and suitable cost that independently reviewed and recommended by industry that you could apply to the above case. Operating systems serve a major role in ensuring information security, when it comes to large organisations with great Information Technology infrastructure that enhance their daily operations. UNIX systems are known to have good properties that enhance information security in organisations. They have long operation time using minimal memory compared to other operating systems like windows and Mac OS. Linux operating systems are able to inactivate viruses making them unable to mutate or spread to the system files. They uniquely identify the viruses making it easy for users to get rid of them. Linux operating systems are scalable and compatible with relational database management and virtualization of servers (unix.org). Servers running on Linux systems are much secure due to the strict access controls and network configurations corresponding to them. Windows operating systems especially the Network operating systems have improved administration configurations that make them appropriate in securing servers, and the rest network in an organisation. The Network operating systems are able to host the firewalls and administer access controls by keeping trail of everything happening in a network. Security devices or services that possible to detect and block a username with an external IP address source have failed more than three attempts to the network from remote access. By the use of intelligent devices such as routers, it is able to configure networks to certain IP address ranges, where, in case of any external IP trying to get through the network, it is scrutinised before being allowed. Routers are configured with the Denial of Service settings whereby any access is denied by default until verifications are made that the source is secure. Further settings are done to the number of times an un-succeeding login trial is made with the final configuration being to block the users trying to login in unauthorised systems (cisco.com). The Denial of Service by the routers is meant to set the login trials in few seconds to avoid the use of dictionary login attacks whereby attackers use thousands of usernames to try accessing a network. This service is achieved by using the Cisco routers, which are much intelligent and offer these configuration settings. Question 4: Discuss the security considerations for temporary or contract workers differ from those of regular employees? Information security revolves around those that interact with the information systems in an organisation. Human beings are known to be the biggest threats to information security. During the staffing process of employees working in an organisation, measures are taken to identify their responsibilities, thus allowing the systems administrator to issue them varying systems access rights based on the sensitivity of what they handle (National Institute of Standards and Technology). Based on temporary or contract workers, their roles in the organisation is under certain terms; hence they have no guarantee of fully working with the organisation for long periods. Their authorisation to the systems is greatly monitored especially in cases where they have access to sensitive data. These employees are always comparing their working conditions with those of others in similar organisations whereby they can decide to resign and transfer to other organisations. Those working under contract might be externally based such that they have also signed other contracts with competing organisations; hence their rights to access more information are less. They are mostly pertained to the relevant information based on what they offer for the organisation. Mostly the temporary and contracted workers of an organisation are entitled to frequent audits that review what they have been doing over certain periods of time (National Institute of Standards and Technology). The regular workers of an organisation are entitled to more information access based on their permanent and guaranteed stay in the organisation. They are entitled to greater responsibilities than the temporary employees, making them busy always to avoid any idle moments that would make them think of doing the unexpected. Regular workers are given more rights to access information in the organisations systems due to their trust, which have seen them work that far. Employees are the major threat to information security in an organisation. They pose a great risk by their ability to commit sabotage to certain information carrying great impacts to an organisation for the purpose of getting away with huge amounts from the organisation. Senior employees who are aware of certain transactions may take advantage to alte,r with information, to commit fraud. When employees are not busy doing their work, they are tempted to computer abuse whereby they start visiting sites that are susceptible to malicious attacks either by viruses, and other spyware or by hackers who commit most of the cybercrimes. The opinion is that all employees are contributors to risks in the organisation, especially the temporary and contractual workers, who mostly share organisations information with others in the process of trying to compare their working conditions. Another issue is the existence of criminal minds within an organisation thus posing threats at anytime. Unable to withhold organisations data privacy greater risks are able to originate from the inside than from the outside of the organisation. References Alberts C. & Dorofee A. (2002). Managing Information Security Risks: The OCTAVE (SM) Approach. Essex, UK: Addison-Wesley Professional Cisco Systems, Inc. (2011). Cisco IOS Login Enhancements (Login Block). (2011). Retrieved from http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_login_enhance_ps6922_TSD_Products_Configuration_Guide_Chapter.html Garcia M. L. (2006). Vulnerability Assessment of Physical Protection Systems. New York; USA: Elsevier Inc. Harris, S. (2003). All-in-one CISSP Certification Exam Guide (2nd Ed.). Emeryville, California: McGraw-Hill. National Institute of Standards and Technology. (1993). Security Issues in Public Access Systems. Computer Systems Laboratory Bulletin. Retrieved from http://csrc.nist.gov/publications/nistbul/csl92-02.txt unix.org. (n.d). The UNIX Operating System: Mature, Standardized and State-of-the-Art. Retrieved from http://www.unix.org/whitepapers/wp-0897.html Read More