The Protection of the Information in BioMed Company - Case Study Example

Summary
The paper "The Protection of the Information in BioMed Company" examines the vulnerabilities associated with this information when the GSM network is used to conduct project activities. An action was developed to cater to the effective protection of information being subjected to the GSM network…

Extract of sample "The Protection of the Information in BioMed Company"

Title: Researching and reporting on the protection of the information in BioMed Company

Unit code Name Student number Submission date

Table of Contents

Executive summary
Introduction
The scope
Assessment of GSM and 3G+ wireless usage in BioMed Company
Information associated with mobile and wireless networks
Classification of information
Vulnerability of using GSM and Smart phone during data transfer and storing
Countermeasures to heighten the protection of confidential information in GSM phones
Action plan
References

Executive summary

Of late, the GSM network has become a prime target for attackers. GSM is the most widely used mobile phone technology in the current technology environment, with about 85% usage in the world. BioMed Company, like other enterprises, has corporate cell phones that use the GSM network. GSM supports different encryption algorithms, and BioMed Company is using A5/3 encryption (Zahoransky, 2014). The weakness of GSM encryption is that phone calls and other services carried out through the phone can be intercepted and accessed by attackers.

This report is custom-built to evaluate the risks associated with the usage of the GSM network in implementing the company's new product. The report identified the information associated with the new product and found that it includes sensitive, system and explicit information. This information was placed into a classification schema which has four labels: public, limited/unclassified, restricted, protected and highly protected/critical. The report examines the vulnerabilities associated with this information when the GSM network is used to conduct project activities. An action plan was developed to cater for effective protection of the information exposed to the GSM network. The action plan is applicable at any time during the three-month period before the product release.
Introduction

BioMed Device Company should decide the extent to which the information security system it has developed needs to be applied to protect the company's information. The company is bringing a breakthrough technology to the market, which is considered a valuable product asset to the company. The information attached to the new product should be protected, since there are many ‘hunters’ in the market whose mission is to steal BioMed’s information. Regarding the security of information, the use of GSM phones by the CEO of BioMed Company will become a critical danger to the new product, since the usage of mobile networks is extreme in the contemporary information society. The protection of this information system should meet both the company’s and operational needs. Therefore, the success of the new product should be refined through a risk assessment process and impact analysis (Whitman & Mattord, 2012).

According to An international journal for mass communication studies (1988), it is important for every company to develop classification labels for information and incorporate them into its business processes in order to protect the information from:

  • Unauthorized access
  • Unauthorized use
  • Modification
  • Destruction

Every company needs to maintain a high level of performance and interoperability when it comes to information protection. Today’s environment has various types of mobile and wireless networks. Each of these networks has its own specific standards, which include digital cellular, GSM, 3G+, cellular and multiple access. Security in mobile networks is very important, since mobile users may create many vulnerabilities that will be the genesis of information risks (Van Kerkhove et al., 2004).
The danger observed in the CEO's behaviour is that he perceives the entire structure, including the new product which is being hunted, as secure and as a trusted partner for conveying the confidential information of the company. This paper examines the risks associated with the use of GSM and 3G+ networks in transferring and sharing the company’s information. The paper will also look at the countermeasures to these risks and develop an information security plan to mitigate them.

The scope

This report examines the vulnerability of information transferred using mobile and wireless networks to attack. In order to achieve this, the report has identified the information associated with these vulnerabilities and classified the information into 4 schemas, which include published, limited, restricted and critical. After examining these risks, the paper recommends appropriate countermeasures to address these vulnerabilities. Lastly, the paper will develop an action plan that will be used to protect information within the three months during the deployment of the new product.

Wireless technology has proven to be complex, especially during the initial stages of implementation. Since BioMed is a technology company, the whole security system should be blended. However, the process of ‘blending’ assumes that the security procedures are sophisticated enough to detect all attacks and vulnerable situations. The system also assumes that the security procedures are upgraded whenever a new threat emerges.

Assessment of GSM and 3G+ wireless usage in BioMed Company

Information associated with mobile and wireless networks

The report identifies and examines four types of information in the system that need to be protected. All four types can be accessed through the mobile phone at any location.
This information includes sensitive information associated with the new product (transferable), information about the office information management system (used in the process of ensuring security), explicit knowledge from executives (important in making decisions) and information about governance knowledge.

a) Sensitive information

This is information that cannot be accessed unless it is required (Azari, 2003). The new electronic device is what will boost the image of the company in the market. Therefore, displaying any crucial information associated with the new product will harm the company, especially during the 3 months of implementation.

b) Information about information management system

This is a system that contains all the information regarding the product. Exposing this information to competitors will threaten the product's effectiveness in the market (Anon, 1988). Also, 3 months is enough time for competitors to interfere with the stakeholders who support the new product.

c) Explicit knowledge from executive

Explicit knowledge is information obtained from the committees responsible for the implementation of the new product (Schneier, 2000). Exposure of this information may interfere with management decisions. Management papers are normally shared through emails, and this subjects the information to cyber-attacks.

d) Information about the organization

This information is obtained from the findings after examining the conditions affecting the security system (Boyel, DeSantis & Herring, 2014). It is normally used to make decisions on strategies to counter the problems encountered in the information system. This information will be obtained in the process of implementing the company's new project.
Classification of information

The four types of information will fit in the following classification schema. The classification schema/plan has five labels, described below.

Public

Information under this label can be authorized by the company for access by the public and can be circulated to everyone as well (Erbschloe & Vacca, 2001). This is a new product in the market and it has to be communicated to the customers. Therefore, using a mobile network phone (in this case GSM) may not pose a high vulnerability to attackers. The information in this category includes information telling customers about the functionality of the new product. However, information about marketing strategy may be deemed sensitive and therefore should not be placed under this label. It is important that the company maintain the availability of the information until it is authorized. This will only be done under the guidance of the company’s policy.

Limited/unclassified

The information under this label is based on what is expected to be communicated to specific recipients. James, the CEO, is concerned about vulnerabilities brought about by the usage of GSM phones. The use of GSM networks for conducting transactions and calling meetings about the new product should take place only within the company. This label in the schema will help the company know what kind of information to share and with whom specifically (Chang Lee, 2014). The sharing of information will be done only after authorization from the committee. Mobile phones will rarely be used in transferring this information. In case the phone contains this type of information, attackers can easily crack the phone and retrieve all the information regarding the new product.

Restricted

This label in the schema incorporates the information that should be accessed through GSM phones.
The information security manager should demonstrate what needs to be transferred to or kept resident on smartphones using GSM networks (Van Kerkhove et al., 2004). This label covers information identified with limited markers, for example personal or legal. This section of the plan has many security elements in place, since it contains sensitive information regarding the new product to be implemented. Information regarding the management information system is also placed under the restricted label of the schema. This information contains passwords and usernames for the company’s information system. The use of GSM phones may expose the new product to attack. Explicit knowledge from executives is also important information that is placed under this label of the schema. This information shows the decision-making process associated with the new product to be launched. GSM phones, which in some cases do not support security elements such as antivirus and firewalls, can be easily hacked by attackers. Therefore, the use of restrictive measures under this label will help ensure that the information is protected.

Protected

This label of the schema is used when there is a possibility of information being highly compromised by the users of the information system. This compromise may come about through a deliberate action by the users or through a lack of the skills required to use the system. Fake stations may be able to capture the GSM network and hack the information that is transferred over or resides in the network (Whitman & Mattord, 2012). The open nature of the phone operating system would allow attackers to develop a discrete operating application that is capable of capturing the IMEI of a phone using the GSM network. As a result, attackers will create a phone that has the ability to intercept calls and monitor the transfer of data.
Therefore, the information of the company could be compromised, and this could:

  • Endanger the stakeholders responsible for the execution of the new product in 3 months’ time
  • Threaten the information of the organization involving finance and commercial interests
  • Facilitate serious crimes against the system, which will in turn lead to loss of or damage to information
  • Hinder the actions of major information system policies that could have been used to protect elements in the system

Highly restricted/critical

This label of the schema is used when the information needs a considerable degree of restriction, as any compromise of information pertaining to the new product will seriously damage the company as well as the investors. James, the CEO, is using the GSM phone to send emails to stakeholders and individuals associated with the new product. In this case, there is a high risk of the information being hacked from the phone he is using. For example, there is a possibility of the information being hacked with the use of an HDMI port from the fake base organization. Through this, the attackers can hear and intercept the information conveyed through the GSM phone. Highly restrictive measures should therefore be put in place to ensure that critical information is not passed through the GSM phone, since attackers can gain access to the transferred information, which is critical to the new product (Jaeger, 2008). The critical information regarding the new product may also come across mobile interceptors created by the attackers. Attackers have created an interceptor that links to the nearest base station and has the ability to access the data being transferred through GSM phones. The transferred data is diverted to the fake base, where the speech and the IMEI of the phone are captured (Mansfield-Devine, 2013).

This classification schema shows the possible labels under which the information regarding the new product may be placed.
If an attacker, who may be a competitor, gets access to the information pertaining to the product under any of the labels, it could compromise the company's plan to implement the product in 3 months’ time. Also, a leak of information through the system users may strengthen the attackers’ efforts to access the information about the new product.

Vulnerability of using GSM and Smart phone during data transfer and storing

The vulnerabilities associated with using GSM and smartphone technology on this new product include:

1. SMS services: Like any other phone, the message system of GSM phones can be hacked and the information in the messages stolen.
2. Emails: The fake base can hack the IMEI of the phone and direct the reception to the base center, where the information is accessed.
3. WIFI connectivity: The wireless connection of GSM phones can be hacked and the information being transferred accessed.
4. Multithreaded operating system: GSM phones allow multiple requests from more than one user. In this case, the attackers may create a user which looks legitimate in order to access the network.
5. Storage capacity: The phone has a high storage capacity which can accommodate all the information regarding the new product. In case of a successful hack, the attackers will access all the information about the product to be launched.
6. Inside connections: GSM phones are portable, and employees in BioMed Company can use USB ports to transfer the data regarding the new product.

Countermeasures to heighten the protection of confidential information in GSM phones

The main risk associated with GSM phones relates to the end user. The greater risk is the capturing and decrypting of the information in the wireless signals. These signals carry the content of cell phone data (SMS, emails, calls). The countermeasures include:

1. BioMed Company should come up with a phone usage policy and guidelines which include the prevention of GSM phone usage for transferring or storing confidential information about the product (Nuredini, 2014).
2. The company should build security awareness in the organization before the commencement of the 3 months of device implementation. The security awareness package should contain the following:
  • Always bearing in mind that GSM phone activities such as emails, SMS and call conversations are vulnerable to snooping and interception.
  • Treating SMS exactly like email messages to avoid access by unauthorized persons.
  • Using complex passwords (PINs) on the cell phones as well as on other accounts in the phone.
  • Avoiding leaving cell phones unattended, since an attacker can take a few minutes to install malicious software.
  • Avoiding opening unsolicited SMS or embedded links.
3. Bluetooth should be turned off when not in use: It is not advisable to use Bluetooth when discussing sensitive information. According to Nuredini (2014), Bluetooth wireless is easily sniffed. Attackers can use their malicious software to listen to call conversations without bypassing the encryption. It is thus advisable to use code words during the conversation as well as engaging other channels such as texts, emails and voice. This breaks up the information so that it cannot be easily pieced together.
4. Use email conversations, since they are more secure than calling or texting.
5. Switching to different cell phone providers. 3G phones are developed based on Universal Mobile Telephone Systems (UMTS) and use a subscriber identity module. The importance of using 3G phones is that they have more robust encryption procedures and authentication.

Action plan

The action plan developed is intended to protect and secure the information about the new device from being damaged, manipulated or stolen by attackers. The action plan will guide the course of action over 3 months.

1. Collection of information inventory

This is the first step in the action plan. The committee appointed by the information security manager should sit down and compile all the information that is held in the company. BioMed Company has sensitive information which includes account records, transaction and financial information. All this information is associated with the new device. This plan determines how this information will be handled. Since the countermeasures have been identified, the plan will ensure that employees are equipped with appropriate skills in order to ensure effective protection of the passwords and usernames of the system (Wood, 1983). The plan will also state who is supposed to access the information and at what time. In this case, there will be more transferable and resident information. Only the CEO will be using GSM to transfer and store the information about the new product.

2. Development of privacy policy

The information handling policy is important for both the customers and the business. The policy developed should address the following information associated with the new product:

  • Sensitive information: Access to information regarding transactions between the facilitators and the company. This should be done and conducted only by the CEO and the account officer.
  • Stakeholders’ information: BioMed Company has many stakeholders associated with the new product. The policy will ensure that information regarding billing, email addresses, phone calls, texts, and credit and debit cards is not transferred through GSM phones.

3. Information protection strategies

This will be done in four steps.

Gathering of intelligence

Since the company knows the vulnerabilities associated with the usage of GSM phones, it will be important to gain insight into how employees are using these phones within the organization.
Close monitoring of the information transferred should be done regularly by the manager, by checking the number of accesses to the information system (Whitman & Mattord, 2012).

Policy on the point of entry

The points of entry for attackers include cell phones through SMS services, the fake base, call interception, and emails. Adopting policies in this area is important in order to protect these points of entry against attackers.

Crosswise movement

The information system manager should constantly check for areas of breach and move along the information security network system to find the sensitive information that may be captured by attackers. For instance, when there is call interception, that transaction should be monitored and protected firmly.

Information exfiltration

The objective of the attacker is to obtain information from a vulnerable point of the organization, one of which is the usage of the GSM network (Nuredini, 2014). In this case, a custom defense will be undertaken in which employees are informed of the risks associated with the usage of GSM phones. Employees are expected to adhere to the policies intended to protect the device information.

4. Creating of security layers

The security layers will include inventorying information, information classification (sensitive, public, confidential), access control, information security (PINs, passwords and usernames) and information backup (Costa, 2001). The manager should ensure that all the layers are followed and that policies are put in place to provide comprehensive protection of the device information.

References

Anon, K. (1988). Access control. Security Surveyor Journal, 1, 12-35.
Azari, R. (2003). Current security management & ethical issues of information technology. Hershey: IRM Press.
Boyel, V., DeSantis, P., & Herring, M. (2014). Protect information outmanoeuvre Cyber Adversaries. Information And Computer Security, 13(2), 87-105.
Chang Lee, M. (2014). Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy Comprehensive Method. International Journal Of Computer Science And Information Technology, 6(1), 29-45. doi:10.5121/ijcsit.2014.6103
Costa, C. (2001). Information technology outsourcing in Australia: a literature review. Information Management & Computer Security, 9(5), 213-224. doi:10.1108/eum0000000006068
Cruz-Cunha, M., & Portela, I. (2014). Handbook of research on digital crime, cyberspace security, and information assurance.
Jaeger, T. (2008). Operating System Security. Synthesis Lectures On Information Security, Privacy, And Trust, 1(1), 1-218. doi:10.2200/s00126ed1v01y200808spt001
Mansfield-Devine, S. (2013). Computer Fraud & Security. Computer Fraud & Security Bulletin, 1(11), 1-20.
Nuredini, A. (2014). Challenges in Combating the Cyber Crime. Mediterranean Journal Of Social Sciences. doi:10.5901/mjss.2014.v5n19p592
Security Gazette: An international journal for mass communication studies. (1988). International Communication Gazette, 42(2), 139-141. doi:10.1177/001654928804200206
Van Kerkhove, M., Erdreich, L., Shum, M., McNeely, M., Chan, N., Barraj, L., & Kelsh, M. (2004). Variability of Radiofrequency Power Output of GSM Mobile Phones. Epidemiology, 15(4), S115. doi:10.1097/00001648-200407000-00292
Whitman, M., & Mattord, H. (2012). Principles of information security. Boston: Thomson Educational.
Wood, C. (1983). Effective information system security with password controls. Computers & Security, 2(1), 5-10. doi:10.1016/0167-4048(83)90028-7
Zahoransky, R. (2014). Localization in GSM Mobile Radio Networks. Saarbrücken: AV Akademikerverlag.
The Protection of the Information in BioMed Company Case Study. https://studentshare.org/information-technology/2065368-information-security-assignment-2