The Main Vulnerabilities Associated with IT/IS Security - Essay Example

Report on the main vulnerabilities associated with IT/IS Security Table of Contents Table of Contents References 7 Introduction IT/IS Security has recently become a major concern given that the use of information systems has rocketed. For instance, most processes and procedures can now be completed online; wireless and mobile broadband is also increasing in use; as is the adoption of information technology. However, one trend associated with the developments in information technology is also responsible for the introduction of vulnerabilities within the information technology and information systems security. For example, laptops are a development from desktop computers and once can see that they have subsequently become smaller and much more portable. The same can be said for mobile phones and digital storage media, where mobile phones are more than just a calling device, but also function as personal digital assistants with access to the internet and related applications. Likewise, storage media has progressed from floppy discs and compact discs, to USB or flash drives that can be attached to key rings. Van Loggerenberg and Morne (2008) have also stated that our increased use of computers and digital media has increased our dependency on the proper functioning of such devices. This means that as more processes and procedures are carried out using IT/IS systems, we, as users lose our ability to deal with and possibly identify the vulnerabilities associated with these systems. Another possible reason suggested by Van Loggerenberg and Morne (2008) is that we place our trust in these systems, and this demonstrated by the existence of extensive internal intranet and online systems which business and personal users access to send highly sensitive information. It seems that there is a common belief that the systems are safe, and that they cannot be intercepted by any other third parties. However, this unwavering trust is also a potential source of the vulnerabilities that shall be discussed in this report. Vulnerabilities associated with IT/IS security is therefore focussed on the trust placed in these systems by users, and their lack of knowledge on the technical aspects of how this technology works. The development of IT/IS was instrumental in widening the access to knowledge for many individuals, however, this access to knowledge has also proved to be a double-edge sword. For instance, those with the most knowledge on the workings of IT/IS systems are more likely use this knowledge to exploit the vulnerabilities that so many users are unaware of. Therefore the main aim of this report is to introduce and highlight the main vulnerabilities associated with IT/IS security; which will be achieved by examining the meaning of IT/IS, its security and the management of these vulnerabilities. IT and IS security IT/IS security can be defined as "the application of the principles, policies and procedures necessary to ensure the confidentiality, integrity, availability, and privacy of data in all forms of media (electronic and hardcopy) throughout the data lifecycle" (USDHS 2007). This means that IT/IS security is highly dependent on how the principles, policies and procedures are applied within organisations and to individuals. Whilst most organisations will have these in place to protect the broader spectrum of information and data, the application of security can be somewhat difficult when applied to individuals. For example, there have been numerous cases of business laptops going missing or being stolen, or individuals losing their USB or flash sticks which contain very important information. It seems the application of security in these instances is either unknown by individuals or the effect of such vulnerabilities is hugely underestimated. For instance, large organisations fully understand the need for data authentication and privilege systems to protect their systems (USDHS 2007) and as such they pay attention to such systems in order to protect sensitive information and prevent any vulnerability from being exposed. Larger organisations also issue good guidance on how to reduce vulnerability to security in terms of protecting and preventing laptop and other media theft. In order to understand such vulnerabilities it is important to consider the security services and their management. IT/IS security can be categorised into the three main service areas of management, operations and technical (Grance et al 2003). The management service involves the management of the IT/IS security program and the risk within the organisation (Grance et al 2003), which means that the management of security is taken away from the user through the implementation of safety systems such as passwords, login systems and user restrictions. The security of data is obviously important to organisations, and this cannot be placed in the hands of too many individuals, hence the central management of this system. However, in doing this, the management knowledge becomes concentrated to a select few, and also disengages the users from their responsibilities. For instance, even though passwords do exist to access internet pages and other applications, it is still up to the individual to ensure they do not access sites that could compromise the security of their system or that of the organisation. One example of this can be illustrated in the rise of what are known as "phishing emails" where users are tricked into entering their account and other sensitive information to bogus websites. The operational service involves controls implemented and executed by people (Grance et al 2003) and once again, another example from the internet. For example, internet browsers can alter their browser settings, or even computer settings to suit their personal needs. However users may be unknowingly putting their system at risk and therefore exposing themselves to vulnerabilities. This aspect of IT/IS services could potentially prove to be the most difficult to manage given the wide range of user options and users themselves. Finally, technical services look at the security controls the IT/IS system carries out (Grance et al 2003) the purpose of which is to make sure the system still works. This would involve ensuring the systems request passwords and acknowledge user privileges on various systems. Out of these three services, the operational services seem as the likely source of vulnerabilities within an organisation, given the amount of control users have over the system. IT/IS vulnerabilities IT/IS vulnerability can be defined as "a flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy" (Telang and Wattal 2005). This definition clearly refers to the failings of a software system in terms of its security, and thus it is safe to deduce that, IT/IS vulnerabilities are associated and consist of failing within the security policy. This means that security policies have to be subjected to regular testing and maintenance to identify such vulnerabilities. The effects of failing to identify and rectify these vulnerabilities can include huge financial costs, if one looks at organisations. Vulnerabilities for organisations such as banks that use complex software systems can result in the loss of customer data, the loss of customer funds and most of all loss of trust which will result in the demise of the business and/or organisation. Studies by Campbell et al (2003) have further supported this, as they found that that the exposure of vulnerabilities had an impact on the customer perception of the organisation. On a personal level, vulnerabilities can also leave individuals exposed to crime such as identity theft and possibly bodily harm. Examples of vulnerabilities include viruses which most if not all computer users are exposed to. Viruses can cripple machines and wipe out valuable data; however, there is software to manage these vulnerabilities. However, most organisations are prepared and ready for software breaches, but the more common types of vulnerabilities seem to be associated with the loss of information and data theft through the loss of laptops. Despite the somewhat increasing frequency of such cases in the media, the detection of vulnerabilities can also be viewed as an opportunity to further increase and improve on IT/IS security (Meier et al 2004). For instance, the internet's main vulnerability involves hacking attempts, which could be considered as exposing security flaws in the software. This is further supported by research conducted by Evans (2004) which found that most instances and incidences of vulnerabilities stemmed from repeat episodes of well known problems. This indicates that vulnerabilities of IT/IS systems are often known in advance, but for some reason, are difficult to rectify. This could be a result of a variety of factors, some of which may include the input of individual users as stated in the earlier section of this report. These vulnerabilities may also be well known because they may be considered minor issues and possibly of not greater importance than others. Therefore it would seem that the prevention vulnerabilities of these systems are likely to involve closely recording the occurrence of all instances, as well as the action taken. Recommendations This report has provided a brief, but informative background of vulnerabilities with IT/IS systems, as well as the nature of some of these vulnerabilities. This is obviously of concern to major corporations, organisations and individuals whose livelihoods depend on the seamless working of these systems. It is therefore appropriate to discuss the methods available to reduce the effect of these vulnerabilities and/or possibly the eradication of such issues. For instance, one common preventative method used by most organisations and familiar to most users is that of restricted access, and a defined pathway to undertaking a certain task. This is best described by Evans (2004) who states that this involves limiting what software applications can do by modifying key technical properties of the software. This may include the use of password and log in systems to restrict access to certain parts of an application, or to gain access and entry to certain parts of an application. This reduces the risk of data ending up in the hands of individuals not authorised to view this information or edit it. The use of such systems will also enable the organisation to trace the possible sources of any attacks that may compromise the system. Just as the organisation's systems need managing, so do the individuals using the systems that are likely to be compromised. Evans (2004) also suggests testing the systems; however this can be time consuming process which may not necessarily find any vulnerability, as some do not arise from the recommended or standard use of the application. Another common system that is used is one that is present in Microsoft Office applications, where the user receives a warning when they could potentially carry out an action which could leave their system vulnerable to attacks. Whilst this may be effective at limiting the number of vulnerabilities associated with a particular programme, it also does not educate and inform the individual on the nature of vulnerability and what it means to IT/IS security. The danger in this is that individuals can ignore such warnings, especially if the systems allow them to be disabled with such ease. Conclusion To conclude this report, it set out to introduce and highlight the main vulnerabilities associated with IT/IS security; and the management of these vulnerabilities. This was achieved by briefly exploring definitions of IT/IS systems and vulnerabilities, which would contribute in understanding the nature of vulnerabilities and their management. The report also demonstrated that most vulnerability is well known and common, which suggests that they are not complex issues. This means that management of the main vulnerabilities associated with IT/IS systems are those which will have to focus on making the information on this issue very accessible and comprehensible. References Evans, D. (2004). "Finding Security Vulnerabilities Before Evil Doers Do." University of Virginia, Department of Computer Science Charlottesville, Virginia USA. http://www.cs.virginia.edu/evans/pubs/evildoers.pdf Grance, T., Hash, J., Stevens, M., O'Neal, K., Bartol, N. (2003). "Guide to Information Technology Security Services." Recommendations of the National Institute of Standards and Technology - The National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf Josang, A., Al-Fayyadh, B., Grandison, T., Al-Zomai, M., McNamara, J. (2007). "Security Usability Principles for Vulnerability Analysis and Risk Assessment." http://www.acsac.org/2007/papers/45.pdf Kolodgy, CJ., Ryan, R. (2005). "Worldwide Security and Vulnerability Management Software 2005.2009 Forecast and Analysis: Taking Control of the Security Environment." IDC #34604, December 2005 Meier, M., Flegel, U., and Konig, H. (2004). "Reactive Security - Intrusion Detection, Honeypots, and Vulnerability Assessment." K.G. Saur Verlag, Mnchen. Telang, R. And Wattal, S. (2005), "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - an empirical investigation." http://archive.nyu.edu/bitstream/2451/14996/3/Infosec_Book+Wattal+Telang.pdf.txt United States Department of Homeland Security. (2007). "Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development." National Cyber Security Division. Van Loggerenberg and Morne (2008). "Computer vulnerability risk analysis" http://hdl.handle.net/10210/517 Read More