The InnoSensors Technology Company - Case Study Example

Topic: Information Security Name Student Number Unit Code Unit Title Date Table of Contents Table of Contents 2 Executive Summary 3 Introduction 3 Problem Statement 5 Background of the Problem 6 Potential Vulnerabilities 6 Possible Threats 7 Impact of Information Security Breach 8 Risks 10 Counter Measures 11 Action Plan 14 Recommendations 14 References 15 Information Security Case Study: InnoSensors Technology Company Executive Summary This research is about information security and specifically narrows down to the InnoSensors technology company that is about to launch a new health monitoring device and the aim of the research is to develop a security mechanism that is appropriate for the company. The paper will address the information behind this device, the vulnerabilities that it is about to face such as intellectual property theft, the threats and how these threats can be curbed through employing various techniques for safeguarding the intellectual property. The major concern will be enhancing cyber security where the information will be safe through the network restricting the number of people who are able to access the sensitive and private information whose compromise may damage the reputation of the company and cause a great deal of loses. Introduction Information security is a fundamental requirements in all the organizations whose data is very sensitive when handled by the wrong people. Information security especially for software development must develop techniques for dealing with information security whereby strategies are developed and systems are monitored in form of intellectual property with an aim to ensure that this information is only accessible by the relevant developers and employees, protected against any updating or interfering with this information and ensuring that no unauthorized personnel can access this information. (Anderson, 2001) Security of any kind ensures that a strong barrier is built around the important computer assets to prevent them from falling into the wrong hands. In the past when computers were mainly mainframes, security was very strict because no information could be accessed anywhere. Today, due to the development of networks, information is becoming more and more vulnerable and hence the need for security. This has resulted in the need for patents and copy rights for intellectual property to ensure that this information is protected from theft among other protection mechanism. Information of a company is very important even more than the physical property. This is because intellectual property when interfered with may cause tremendous financial loss, it may expose the privacy of the company and destroy the reputation of the officials and the company as a whole. (Pfleeger & Pfleeger, 2011) Although information needs to be secure, the employees should be in a position to access the data relevant to them with ease. This implies that securing the company’s information should not become a bottleneck in terms of retrieval and access. Basically it means that people should be in a position to access the information that they need without realizing the restrictions otherwise it is easier for a cryptanalyst to identify the loopholes in the security system. The information security manager at InnoSensors and his team is the one responsible to ensure that information concerning the integrated monitoring device is protected especially from competitors and the other suspicious people. This can be conducted when special measures are deployed that are able to prevent the malicious exposure from happening, there should be techniques put in place to detect any kind of compromise if it occurs and lastly if such data compromise occurs, there should be algorithms that are supposed to disable any ability to copy or modify this data.(Alberts & Dorofee, 2002) Information breach takes various forms. For instance, some people may login to the network with an aim of monitoring the data without modifying the data. Such hackers are very difficult to recognize because they appear as if they are part of the organization but they are collecting the design and algorithms used to implement the monitoring device. As a result, the information security individuals should be very keen to realize any kind of data monitoring. There are various ways through which a cryptanalyst can impersonate himself and access the data. However, through the current technology, it has become possible for the security algorithms to detect such kind of security breach. Problem Statement The issue being addressed in this paper is how InnoSensors Technology Company can protect the newly developed device. The reason why this device poses a high level of interest is because it is an integrated system being able to offer all the home health monitoring services in one embedded software. Therefore, the information concerning the design and implementation of this software product should not be visible to any unauthorized person especially the competing companies. When the source code is available, then this has a financial repercussion to the company and this may lead to tremendous loses. As a result, strategies should be developed through which the vulnerabilities should be determined and counter measures that are able to deal with this problem. Background of the Problem In order to determine the nature and the impact of the problem stated above, it is important to analyze the monitoring program from its operations, vulnerabilities and measures to counter the possible threats that are reliable, robust and effective for the future of the company and the product. The first step in protecting a product is to ensure that are the components are well understood and their integrations and connections. The software part of the device should have a logical view of the device and this would make it easier to realize any kind of breach on its security. Potential Vulnerabilities After identifying the individual components of the developed product, the information security team at InnoSensors should determine the vulnerabilities of this monitoring device. Such vulnerabilities include the weaknesses in the technology that is applied, the configuration and the policy laid out for the aim of security. The advantage of identifying the vulnerabilities of the product is to ensure that potential threats can be identified prior to their occurrence. These are the vulnerabilities that are attached to the device. Copying Being an electronic device, it is vulnerable to copying because a skilled individual may be in a position to determine the components used and this would take a short time before figuring out the connection behind these components.(Nowotny, Scott, & Gibbons, 2003) Design consideration Another vulnerability of this device is that it is an improved product of the existing monitoring program. This poses vulnerability because if similar technology is applied to this new device, then the competitors may be in apposition to figure out the configuration of this device considering the company was able to produce an almost similar device to the one InnoSensors had produced. Security policy Another vulnerability is on the security policy. Since the security policy was breached in the past, it is also vulnerable to be breached once the electronic monitor is produced. As a result, the security policy should be strengthened by ensuring that the missing links are identified and patched. Configuration also poses a certain level of vulnerability because electronic devices have certain common components and thus cracking their arrangement may not be a detailed task. Possible Threats A threat refers to an unfortunate occurrence that may result from a certain vulnerability and lead to the exposure of information regarding the integrated monitoring device. As a result, it is important to identify the threats than InnoSensors is likely to face once their new product is released to the market. The only way to deal with threats is to ensure that the vulnerabilities mentioned above are fixed. One of the threats is that the competing company can use this device as a blueprint and try to modify it to provide almost the same functionality or one that is slightly different. In addition to this, the information regarding the logical design of the monitoring device may be accessed either by physically acquiring it through an inside crime or through the network by accessing the private keys or the hashing algorithms that are used to protect the private keys. Another major problem is that the threats are always evolving and thus determining new threats as they emerge may be very difficult. The security policy also needs to keep changing which may be very expensive and sometimes impractical. Impact of Information Security Breach Information security breach is very costly to an organization not only in terms of finances but information forms the crucial component of a company’s existence. For instance, if information about the monitoring device by InnoSensors is compromised, then the company loses not only the resources that were used in developing this product but also the privacy of the organization which is catastrophic and may lead to an untimely failure.(Green, 2002) The various threats are explained below: 1. Reputation One of the impacts of the security breach is that it leads to a damaged reputation for the organization. When information is hacked concerning the organization and in this case the design procedure of the newly created monitoring device, the information is made public and this nullifies the amount of effort used in its design not mentioning that the organization is likely to fall. This means that a lot of resources should be deployed to ensure that all the private information in the organization remains private. 2. Vandalism The second impact of information security breach is that it may lead to vandalism. Eliminating the competing companies in this scenario, some people may maliciously access the information regarding InnoSensors and use it to paint a negative image of the organization this occurrence may damage the reputation of the organization and reduce the sales significantly. 3. Information Theft Another impact is that the exposure of private information may lead to theft. Some people may not be interested in the monitoring device but on the financial gain that the product brings to the institution. If a hacker is able to access the private information is an organization, then this person will likely be in a position to access the financial information of the organization. This may lead to tremendous loss for the organization for example the case that happened to Citibank which caused great losses. This is the reason why the organization’s network should be secure enough to ensure that although the concentration is on the monitoring device information, there are other dimensions of this endeavor that need to be addressed. This impact is connected to revenue loss where when a hacker modifies the program a lot money and skills are needed to fix this problem. During this process, the company may make a lot of losses reducing the overall revenue. This especially affects the case where these devices are controlled remotely. When a security breach occurs, the devices may produce wrong results regarding the health of the users which is not desired.(Branstetter, Fisman, & Foley, 2005) 4. Intellectual Property Damage Lastly, information security breach leads to destruction of the intellectual property. Information security should start before the production of a production, during production, its distribution and for the future operation. In the case where the information is hacked concerning the design plans, the blueprints and implementation ideas, then the organization loses credibility because people are not able to trust the produced device. The company should therefore invest wisely into the security procedures because the damages that are likely to be experienced are more than the ignorance that the security policy is unnecessary. Hackers will always look for loopholes in any program to identify areas where they can breach the programs for their own malicious reasons. As stated earlier, the security policy should be changed with time to make sure that at any one time, the systems are being monitored and corrective measures are deployed. Risks Intellectual property is the most risky part of an organization’s assets. This is because this information carries the weight revenue contribution of the organization as a whole. The intellectual property is one that distinguishes one organization from another. It is also the main reason why the customers want to purchase the products produced by the organization. Having complete protection for this data is therefore very challenging because some people are on the lookout for ways to compromise this data and tarnish the organization. The vulnerabilities are numerous and the threats are also clearly identified. The major risk that an intellectual property is subjected to is spying. It is to be noted that some people can steal intellectual property without necessarily hacking into the system. They can access the information that is needed just by listening to people speaking. As a result, the employees and all the analysts in the organization are supposed to be warned against discussing important and private issues in public. It is important to note that in some situations vulnerabilities may be risks and in the security operation, the most important thing is to offer remedies for the vulnerabilities by fixing the areas that are accessible by potential thieves or other people whose aim is the destruction of the organization. In some cases, some risks are not associated with theft but it is in cases where the device fails to operate as needed and becomes hazardous to the users. In such cases, there must be laid out rules that govern the course of action in such cases. (Smarzynska Javorcik, 2004) Counter Measures In order to reduce the occurrences of the identified risks, it is important for the organization to adopt certain measures that will ensure improved security and reduce the possible threats for the information sensitive to the company. These measures include: i. Patents and Copyrights The first security step to acquire the right documentation pertaining patents and copyrights. The company should hold legal documents showing that it totally owns the device being produced and any intellectual property associated with it. This ensures that when a person tries to copy this product then they are supposed to face the law because it means stealing someone else’s intellectual property.(Kean, 2002) ii. Design Process In addition to this, the electronic device should be designed in such a way that when a person analyzes, the physical components, they are not able to make a replica of the gadget. This would be achieved by ensuring that the parts are not labelled nor are their manufacturers’ information exposed in the device. This becomes very difficult for anyone to copy this data and make a copy of the device. iii. Password protection Another counter measure is to ensure that the information concerning the monitoring device is protected with strong passwords. Only the authorized personnel are supposed to access these passwords to reduce the chances of sharing these keys. To make the passwords breach free, they should be generated randomly once a person tries to login to the database. This means that after any session the password expires and is generated when the same person wants to access the data for a second time. In such a case, sharing the passwords does not pose any threats because the same credentials cannot be used more than once.(Grainger, Boyer, & Snyder, 2002) iv. Network Detectors There should be detectors all over the network that are able to detect any foreign data being input or being added into the data already flowing in the network. This can be achieved by employing cyber security mechanisms that are able to detect the data packets flowing in a network and if any irregularities is detected in this flow, then an alarm is raised for the security personnel to handle this irregularity. This technique ensures that no person can copy or modify any information in the organization. v. Data Storage Another method applicable in this case is ensuring that the data is stored in form of a ciphers. This means that when one accesses the data, they need a hashing algorithm to decipher this message to view the plain text. When data is stored in form of ciphers, then even after accessing the data, decryption becomes necessary to see this information. The hashing functions should also be protected and only the authorized people should be in a position to access it. In case a person copies the data without being noticed, then this buys more time for the company before the person is able to copy the hashing functions or other decrypting algorithms and chances are they will be detected before completing this task.(Chow, Kutten, & Yung, 1997) vi. Reduced Number of People Accessing the Information In addition to this, the number of people who are able to access the information should be minimized to make sure that the sensitive information is only in the hands of countable individuals. This process helps in tying responsibility to a particular person and also ensures that chances of compromising the information is reduced. The same number of people should be the ones protecting the passwords and designing the algorithms for encrypting and decrypting the data. In extreme cases, the company can hire a third party certification company to generate the private and public keys for accessing the data. vii. Restrictive Access Lastly, the other counter measure would be creating a restrictive access system. Although this security design is very complicated to develop and implement, it is very effective because no person who is unauthorized can access this data. Firewalls are installed in this system with accustomed hardware and software that is designed to make sure that the data is protected. Restrictive access means that even the manager is not able to access the information without the correct input of credentials. This reduces the chances of inside crimes where the employees may compromise the data or share any links to the information. This is in cases where the existing system proves not to be useful with time in accordance with the changes. Action Plan The security activities are aimed at starting from the design and implementation of the health monitoring device, during distribution process and future checkups. (Catteddu, 2010)To ensure that the information is secure separate teams should be appointed at each step of the design process. They are supposed to operate in a chain such that the output produced by one team becomes the input of another team. In this situation no single person knows the full details concerning the design procedure. This reduces vulnerability and any leakage is done away with. During the distribution face, all the networks must be monitored and any spies detected. In future, the device should be monitored from time to time to detect new loopholes that are discovered with time. Recommendations It is recommended that InnoSensors should deploy resources in the information security department because as discussed earlier, intellectual property is very sensitive and deserves the best protection. When the resources are available, then the company can acquire the needed personnel with appropriate expertise and knowledge of computer security. If possible, information sensitive to the organization should only be shared at the work premises. In some cases the spies visit the institution as potential customers but their aim is to gather as much information as they can. It is very difficult to suspect information spies and it becomes difficult to know that they are actually intellectual property thieves. As a result, the sales people should also filter the kind of information they give to the customers by making sure that the only information availed to potential customers is entirely operational not concerning the design.(Ruth M. Corbin, 2002) References Alberts, C. J., & Dorofee, A. (2002). Managing Information Security Risks: The Octave Approach. Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc. Anderson, R. (2001). Why information security is hard - an economic perspective. In Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual (pp. 358–365). http://doi.org/10.1109/ACSAC.2001.991552 Branstetter, L., Fisman, R., & Foley, C. F. (2005). Do Stronger Intellectual Property Rights Increase International Technology Transfer? Empirical Evidence from U.S. Firm-Level Data (Working Paper No. 11516). National Bureau of Economic Research. Retrieved from http://www.nber.org/papers/w11516 Catteddu, D. (2010). Cloud Computing: Benefits, Risks and Recommendations for Information Security. In C. Serrão, V. A. Díaz, & F. Cerullo (Eds.), Web Application Security (pp. 17–17). Springer Berlin Heidelberg. Retrieved from http://link.springer.com/chapter/10.1007/978-3-642-16120-9_9 Chow, C.-S., Kutten, S., & Yung, M. M. (1997, December 16). Method to deter document and intellectual property piracy through individualization. Retrieved from http://www.google.com/patents/US5699427 Grainger, J., Boyer, S., & Snyder, C. (2002, May 16). Computer-implemented method for securing intellectual property. Retrieved from http://www.google.com/patents/US20020059076 Green, S. P. (2002). Plagiarism, Norms, and the Limits of Theft Law: Some Observations on the Use of Criminal Sanctions in Enforcing Intellectual Property Rights (SSRN Scholarly Paper No. ID 315562). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=315562 Kean, T. (2002, December 26). Method of protecting intellectual property cores on field programmable gate array. Retrieved from http://www.google.com/patents/US20020199110 Nowotny, H., Scott, P., & Gibbons, M. (2003). Introduction: `Mode 2’ Revisited: The New Production of Knowledge. Minerva, 41(3), 179–194. http://doi.org/10.1023/A:1025505528250 Pfleeger, C. P., & Pfleeger, S. L. (2011). Security Blanket or Security Theater? Retrieved from http://www.informit.com/articles/article.aspx?p=1749173&seqNum=2 Ruth M. Corbin. (2002, January). MANAGING RISK AND PROTECTING INTELLECTUAL PROPERTY | Ivey Business Journal. Retrieved from http://iveybusinessjournal.com/publication/managing-risk-and-protecting-intellectual-property/ Smarzynska Javorcik, B. (2004). The composition of foreign direct investment and protection of intellectual property rights: Evidence from transition economies. European Economic Review, 48(1), 39–62. http://doi.org/10.1016/S0014-2921 (02)00257-X  Read More