The Importance of Cyber Security
Computer security, or cyber security, is the protection of computer systems from theft of or damage to their software, hardware or electronic data (Von Solms & Van Niekerk, 2013). It also covers protection against the misdirection and disruption of the services these systems provide. Reliance on computers is steadily increasing, and wireless networks such as Wi-Fi and Bluetooth, along with Internet connectivity, are becoming quite popular. The growth of smart devices such as smart televisions and smartphones, together with many other small devices, constitutes the Internet of Things. Cyber security faces several major threats and vulnerabilities, and these must be mitigated in time to avoid complications (Wang & Lu, 2013). This report gives a basic description of Gigantic Corporation and its project. A risk assessment is then carried out for each identified risk, and the consequences of these risks are examined according to the IT control framework. Several protection mechanisms are also provided.
Cyber security comprises the processes, practices and technologies designed to protect networks, programs, devices and data from any type of threat or attack, unauthorized access or damage (Hahn et al., 2013). It is also referred to as information security. Cyber security is extremely important because corporate, financial and government organizations collect, process, manipulate and store unprecedented amounts of data on computer systems and other devices. Its major elements include network security, application security, endpoint security, data security, cloud security, identity management, database security, infrastructure security, disaster recovery, mobile security, business continuity planning (BCP) and many more (Amin et al., 2013).
Major Threats and Vulnerabilities
Gigantic Corporation might face some major risks and threats in the area of cyber security. The most significant of these are given below:
i) Phishing: The first and foremost threat to cyber security at Gigantic Corporation is phishing. Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords or credit card details for malicious purposes (Buczak & Guven, 2016). The hacker disguises himself as a trustworthy entity in an electronic communication.
ii) Trojan Horses: A Trojan horse is a malicious program that presents itself to users as legitimate software. It hides malware inside what appears to be a normal program.
iii) Ransomware: Another significant threat to cyber security at Gigantic Corporation is ransomware, or ransom malware (Elmaghraby & Losavio, 2014). It is a kind of malware that prevents users from accessing their systems and personal files. The attacker then demands a ransom payment in exchange for restoring their access.
iv) Distributed Denial of Service Attacks: The distributed denial of service (DDoS) attack is the fourth significant cyber attack. Here the perpetrator seeks to make a machine or network resource unavailable to its authorized and intended users by either indefinitely or temporarily disrupting the services of a host connected to the Internet.
v) Man in the Middle Attacks: The next noteworthy threat to cyber security is the man in the middle attack, in which the attacker secretly relays private messages between two authorized parties (Ning, Liu & Yang, 2013). The attacker may even alter the messages, so that a modified message reaches the receiver. The best example of this type of attack is eavesdropping, where the attacker intercepts the messages and then injects new and modified versions of them.
vi) Botnets: Another significant threat to cyber security is the botnet. A botnet is a number of Internet-connected devices, each of which is running one or more bots (Dunn Cavelty, 2013). Botnets are a major requirement for performing distributed denial of service (DDoS) attacks, and are also used to send spam messages and steal data. The attacker gains access to these Internet-connected devices and their connectivity.
vii) Data Manipulation: The next significant threat that Gigantic Corporation will face in the area of cyber security is the manipulation of confidential or sensitive data (Sou, Sandberg & Johansson, 2013). Data manipulation is the process of changing data to make it easier to read and better organized.
viii) Advanced Persistent Threats: An advanced persistent threat is a set of continuous and stealthy hacking processes that target a particular entity. Gigantic Corporation is often vulnerable to this type of threat.
ix) Unpatched Software: Software that is not upgraded properly could also cause major issues within the organization (Cavelty, 2014).
x) Spyware or Malware: Spyware or malware is malicious software that introduces vulnerabilities into the information system.
Figure 1: Percentages of Major Cyber Threats
(Source: Wells et al., 2014)
Risk Assessment
The risk assessment for each identified risk in the area of cyber security is as follows:
Serial Number | Identified Risks | Level of Risk
1. | Phishing | Moderate
2. | Trojan Horses | High
3. | Ransomware | High
4. | Distributed Denial of Service Attacks | High
5. | Man in the Middle Attacks | High
6. | Botnets | Low
7. | Data Manipulation | Moderate
8. | Advanced Persistent Threats | Low
9. | Unpatched Software | Low
10. | Spyware or Malware | Moderate
Table 1: Risk Assessment of the Identified Risks in the Cyber Security
The table above assesses each identified risk in the area of cyber security; these risks must be mitigated in time to stop the vulnerabilities from growing (Sommestad, Ekstedt & Holm, 2013).
Figure 2: Cyber Security
(Source: Abawajy, 2014)
IT Control Framework
The information technology (IT) control framework is a data structure that organizes and categorizes the internal controls of a company (McGraw, 2013). It consists of practices and procedures established to create business value and minimize threats and risks. The framework is designed to provide a model that corporations can use to run an efficient, well-controlled financial environment. Its major components are the internal control environment, objective setting, event identification, risk assessment and response, control actions and many more (Cherdantseva et al., 2016).
Consequences of Identified Risks
The consequences of the identified risks according to the IT control framework are as follows:
i) Phishing: The consequence of the phishing threat is moderate under the control framework, as the risk can be mitigated by taking some countermeasures.
ii) Trojan Horses: The consequence of the Trojan horse threat is major, as the policies and procedures cannot stop this risk (Amin et al., 2013).
iii) Ransomware: The consequence of the ransomware threat is major, since the procedures and policies of the IT control framework cannot resist the risk.
iv) Distributed Denial of Service Attacks: The consequence of the DDoS threat is major, as the framework cannot resist the risk.
v) Man in the Middle Attacks: The consequence of the man in the middle threat is major, since the policies and procedures will not resist it.
vi) Botnets: The consequence of the botnet threat is minor, as it is easier to stop this threat (Knowles et al., 2015).
vii) Data Manipulation: The consequence of the data manipulation threat is moderate under the control framework, as the risk can be mitigated by taking some countermeasures.
viii) Advanced Persistent Threats: The consequence of the APT threat is minor, as it is easier to stop this threat (Hong, Liu & Govindarasu, 2014).
ix) Unpatched Software: The consequence of the unpatched software threat is minor, as it is easier to stop this threat.
x) Spyware or Malware: The consequence of the spyware or malware threat is moderate under the control framework, as the risk can be mitigated by taking some countermeasures.
The significant recommendations for the cryptography project at Gigantic Corporation, which would allow it to mitigate the identified cyber security problems, are given below:
i) Using Asymmetric Key Algorithms: The first and foremost recommendation for the project at Gigantic Corporation is to use an asymmetric key algorithm (Luiijf, Besseling & De Graaf, 2013). This is considered one of the major and most secure kinds of cryptographic algorithm. The decryption keys are produced with the help of this algorithm. The most widely used asymmetric key algorithm is RSA (Rivest Shamir Adleman). It is embedded in the SSL and TLS protocols to provide communication security within a computer network. It is public key cryptography, which uses both public and private keys for the encryption and decryption of confidential and sensitive data. The keys are large numbers that are paired together. One key of the pair is shared with all members and is therefore known as the public key (Fielder et al., 2016). The other key of the pair is kept secret and is termed the private key.
ii) Hybrid Encryption: The second recommendation for the cryptography project is hybrid encryption. It is a method of encryption that merges two or more encryption techniques. It combines symmetric and asymmetric encryption to provide the advantages of each technique (Bada & Sasse, 2014). It would be an extremely safe and secure way for Gigantic Corporation to protect itself from cyber threats.
i) Implementation of Firewalls: The next important technique for mitigating the identified cyber security risks is the proper implementation of firewalls. Threats are easily detected and prevented with the help of firewalls, because the incoming and outgoing traffic of the network is monitored and controlled according to previously determined security rules (Ashok, Hahn & Govindarasu, 2014). Network firewalls are the best type of firewall for properly detecting untrusted external and internal networks.
Figure 3: Firewall Implementation
(Source: Choucri, Madnick & Ferwerda, 2014)
ii) Implementation of Antivirus Software and Proper Updates: Another major technique for reducing the identified cyber security risks is the proper implementation of antivirus software, together with regular upgrades of that software (Abomhara & Køien, 2015). Antivirus software is a computer program used to prevent, detect and remove malware. It was developed to detect and remove computer viruses and malware, and it also detects and prevents several other threats. Moreover, malicious browsers also need to be identified properly.
Figure 4: Types of Antivirus Software
(Source: Luiijf, Besseling & De Graaf, 2013)
Protection against various types of cyber threats is required, and it can be provided with the help of various cryptographic functions and algorithms. Without this protection, the information at Gigantic Corporation would be vulnerable to various types of threats and attacks (Knowles et al., 2015). Cyber security is the collection of techniques that are effective in protecting network integrity, data and programs from unauthorized access, attacks or damage.
The two cryptographic protection mechanisms needed to secure the information and reduce cyber threats are given below:
i) Using Asymmetric Key Algorithms: This protection mechanism uses an asymmetric key algorithm for cryptography. The algorithm has two distinct keys (Abawajy, 2014). One key is used for encryption and the other for decryption, which makes it extremely safe and secure. The attacker does not get any idea about the confidential data.
Figure 5: Asymmetric Key Encryption
(Source: Wells et al., 2014)
ii) Hybrid Encryption: This is the amalgamation of private and public key algorithms and is therefore another important protection mechanism for Gigantic Corporation. It is extremely effective and efficient compared with other mechanisms.
Figure 6: Hybrid Encryption
(Source: Cavelty, 2014)
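The two mechanisms recommended above, an RSA key pair ("Using Asymmetric Key Algorithms") combined with a symmetric cipher ("Hybrid Encryption"), work together as follows. This is an added example, not part of the original report: it uses the built-in Node.js crypto module, and the choice of AES-256-GCM, RSA-OAEP with SHA-256, a 2048-bit modulus, the function names and the sample message are all assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Recipient's RSA key pair: the public key is shared, the private key stays secret.
function generateRecipientKeys() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// OAEP settings used for both wrapping and unwrapping (assumed parameters).
function oaep(key) {
  return { key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
}

// Sender: encrypt the message with a fresh one-time AES-256-GCM key, then wrap
// that small key with the recipient's RSA public key.
function hybridEncrypt(publicKey, plaintext) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt(oaep(publicKey), aesKey);
  return { wrappedKey, iv, ciphertext, tag };
}

// Recipient: unwrap the AES key with the RSA private key, then decrypt.
// decipher.final() throws if the ciphertext or tag was modified.
function hybridDecrypt(privateKey, envelope) {
  const aesKey = crypto.privateDecrypt(oaep(privateKey), envelope.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString("utf8");
}

// Returns true when decryption refuses an envelope whose ciphertext was altered
// in transit (the data manipulation / man in the middle case listed above).
function rejectsTampering(privateKey, envelope) {
  const altered = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
  altered.ciphertext[0] ^= 0x01; // flip one bit of the first byte
  try {
    hybridDecrypt(privateKey, altered);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample message, not data from the report.
const { publicKey, privateKey } = generateRecipientKeys();
const envelope = hybridEncrypt(publicKey, "constructed sample: quarterly payroll export");
console.log(hybridDecrypt(privateKey, envelope));
console.log("tampered envelope rejected:", rejectsTampering(privateKey, envelope));
```

Only the 32-byte AES key passes through RSA, so the message can be of any length, and the GCM tag means a message altered in transit fails to decrypt instead of reaching the receiver in modified form.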
Conclusion
Therefore, from the above report it can be concluded that cryptography is the methodology of protecting information and communications through the use of codes, so that confidential data is accessible only to authorized and intended users. Cryptography chiefly means keeping data and information hidden and encoded by means of algorithms. The technique refers to securing information and communication through methods derived from rule-based calculations and mathematical concepts, with the core purpose of transforming messages in ways that are hard to decipher. These deterministic algorithms are used for cryptographic key generation, digital signing and verification to protect data privacy, confidential communication such as electronic mail or credit card transactions, and web browsing over the Internet. Cryptography is closely related to the disciplines of cryptanalysis and cryptology. Various techniques such as microdots, merging words and several other methods are included here for hiding information in transit or storage. Encryption and decryption are the most basic processes of this technology, transforming plain text into cipher text. This report has outlined the various aspects of the Gigantic Corporation case study. The various risks related to cyber security have been identified and assessed in this report. The importance of the company's cryptography project in helping to mitigate these risks has also been described. The final part of the report has described the major consequences of these risks according to the IT control framework.
Recommendations for Gigantic Corporation
References
Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour & Information Technology, 33(3), 237-248.
Abomhara, M., & Køien, G. M. (2015). Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security, 4(1), 65-88.
Amin, S., Litrico, X., Sastry, S. S., & Bayen, A. M. (2013). Cyber security of water SCADA systems—Part II: Attack detection using enhanced hydrodynamic models. IEEE Transactions on Control Systems Technology, 21(5), 1679-1693.
Amin, S., Litrico, X., Sastry, S., & Bayen, A. M. (2013). Cyber security of water SCADA systems—Part I: Analysis and experimentation of stealthy deception attacks. IEEE Transactions on Control Systems Technology, 21(5), 1963-1970.
Ashok, A., Hahn, A., & Govindarasu, M. (2014). Cyber-physical security of wide-area monitoring, protection and control in a smart grid environment. Journal of advanced research, 5(4), 481-489.
Bada, M., & Sasse, A. (2014). Cyber security awareness campaigns: Why do they fail to change behaviour?.
Buczak, A. L., & Guven, E. (2016). A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Communications Surveys & Tutorials, 18(2), 1153-1176.
Cavelty, M. D. (2014). Breaking the cyber-security dilemma: Aligning security needs and removing vulnerabilities. Science and engineering ethics, 20(3), 701-715.
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & security, 56, 1-27.
Choucri, N., Madnick, S., & Ferwerda, J. (2014). Institutions for cyber security: International responses and global imperatives. Information Technology for Development, 20(2), 96-121.
Dunn Cavelty, M. (2013). From cyber-bombs to political fallout: Threat representations with an impact in the cyber-security discourse. International Studies Review, 15(1), 105-122.
Elmaghraby, A. S., & Losavio, M. M. (2014). Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of advanced research, 5(4), 491-497.
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13-23.
Hahn, A., Ashok, A., Sridhar, S., & Govindarasu, M. (2013). Cyber-physical security testbeds: Architecture, application, and evaluation for smart grid. IEEE Transactions on Smart Grid, 4(2), 847-855.
Hong, J., Liu, C. C., & Govindarasu, M. (2014). Integrated anomaly detection for cyber security of the substations. IEEE Transactions on Smart Grid, 5(4), 1643-1653.
Knowles, W., Prince, D., Hutchison, D., Disso, J. F. P., & Jones, K. (2015). A survey of cyber security management in industrial control systems. International journal of critical infrastructure protection, 9, 52-80.
Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security strategies. International Journal of Critical Infrastructures 6, 9(1-2), 3-31.
McGraw, G. (2013). Cyber war is inevitable (unless we build security in). Journal of Strategic Studies, 36(1), 109-119.
Ning, H., Liu, H., & Yang, L. (2013). Cyber-entity security in the Internet of things. Computer, 1.
Sommestad, T., Ekstedt, M., & Holm, H. (2013). The cyber security modeling language: A tool for assessing the vulnerability of enterprise system architectures. IEEE Systems Journal, 7(3), 363-373.
Sou, K. C., Sandberg, H., & Johansson, K. H. (2013). On the exact solution to a smart grid cyber-security analysis problem. IEEE Transactions on Smart Grid, 4(2), 856-865.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. computers & security, 38, 97-102.
Wang, W., & Lu, Z. (2013). Cyber security in the smart grid: Survey and challenges. Computer Networks, 57(5), 1344-1371.
Wells, L. J., Camelio, J. A., Williams, C. B., & White, J. (2014). Cyber-physical security challenges in manufacturing systems. Manufacturing Letters, 2(2), 74-77.