List of assets at risk
The major aim of this document is to identify some of the vulnerabilities and threats associated with cybersecurity. The report applies a risk assessment approach to the identified vulnerabilities and gives guidance on how an organization can identify and evaluate the controls it currently has in place for cyber-security. There are five key areas that this report covers: risk management, cyber controls, cyber incident management and resilience, cybersecurity tools, risk management approach, and the risk model.
3.0 List of assets at risk
- Database
- Support and operational procedures
- System software
- Application software
- Routers
- Modems
- IP telephones
- Servers
- Firewalls
- USB
- External hard-drives
- Data communication
- Wide area network
- Voice communication
4.0 Risk management approach
Risk management is the process of identifying, assessing, and responding to risk. Managing a cyber-risk means assessing the likelihood of the risk occurring and the potential impact of the event. This is followed by deciding how best to deal with each identified risk, which can be to mitigate, transfer, accept, or avoid it. Mitigating a risk means determining the types of security controls that can be applied. It is important to note that not all risks can be eliminated, and no organization has an unlimited budget. Risk management is the act of managing the effects of uncertainty. The risk management plan is created by the lead consultant.
5.0 Risk Assessment based on threats and vulnerabilities
Table 1: Personnel

| Role | Responsibility |
|---|---|
| Lead Consultant | Overseeing the process of risk assessment |
| Database administrator | Identifying confidential data |
| Network manager | Identifying network-based attacks |
| Security manager | Identifying security measures |
The techniques used to collect evidence are:
- A risk assessment questionnaire
- Vulnerability sources
- Assessment tools
- Interviews
- Risk identification workshops
5.1 Risk model
To determine the risks associated with cyber-security, the team used a model that classifies risks.
The model used is:
Risk is the likelihood of the risk occurring multiplied by the magnitude of its impact (RISK = LIKELIHOOD OF RISK OCCURRING * MAGNITUDE OF IMPACT).
Table 2: The definitions associated with the model

| Likelihood | Definition |
|---|---|
| Low | A threat for which there are many controls in place to prevent the attack; the controls prevent the weakness from being exploited |
| Medium | A threat whose source is motivated and capable, but controls are in place to prevent the attack |
| High | A threat whose source is highly motivated, and there are not enough controls to prevent the attack |

| Impact or Magnitude | Definition |
|---|---|
| Low | Loss of integrity, availability, and confidentiality could be expected to have very minimal adverse effects on the operations of the organization or its assets (an event that is unlikely to occur and, even if it occurs, causes very small or no cost, i.e. it can be absorbed by the organization). Examples: minor financial loss; minimal damage to some of the organization's assets; human error |
| Medium | Loss of availability, confidentiality, and integrity could be expected to have a serious adverse effect on the organization's assets (an event with 50-50 chances of occurring which, if it occurs, will be noticed). It is advised that this type of risk be reviewed regularly. Examples: significant financial loss due to loss of confidential information; significant damage to some of the organizational assets |
| High | Loss of confidentiality is very severe (an event that is very likely to occur and, if it occurs, is likely to cause the organization to lose a lot of monetary value). Examples: severe degradation of the organizational mission; major damage to the organizational assets; the downfall of the organization's network |
Table 3: Vulnerability statement

| Vulnerability | Description |
|---|---|
| People (Low) | People are the weakest link for General Motors organizations when it comes to cybersecurity. This rating comes from phishing emails, social engineering, and clicking on links that turn out to be malware; the organization then becomes a victim of business email compromise, which usually ends with the company losing some of its secrets. Tackling this issue can be very tricky, but educating employees on the related cyber-crimes is the best method. If employees are reluctant to change, the General Motors organization can find means of accommodating them without interfering with the normal organization process |
| Passwords | Most of the organization's employees are unable to keep their passwords safe |
| Patch management | Some General Motors organizations are unable to keep their software and hardware up to date. Many IT managers in General Motors organizations have been hit by the EternalBlue weakness |
| Missing data encryption | The organization's software does not encrypt critical information before it is transmitted or stored, i.e. there is a lack of proper data encryption, which results in a lack of integrity, accountability, and confidentiality |
| OS command injection | Command injection is an attack whose major aim is to execute arbitrary commands on the host OS through a vulnerable application. The common injection vulnerabilities are SQL, LDAP, XML, and XPath injection |
| Buffer overflow | This is an attack where an application or process tries to write more data into a fixed-length block of memory (a buffer) than it can hold. When an attacker exploits a buffer overflow they are able to crash processes |
| Cross-site scripting | This is an attack in which the application is used as a mechanism to transport an attack to the end user. By successfully exploiting it, a hacker can disclose the end-user's session |
| Downloading of code without security checks | By downloading code from the internet without cross-checking the source, users can download malware onto the General Motors network |
| Integrity check | Most General Motors systems do not sufficiently perform integrity checks on the data that is input into the system |
| Lack of documentation | Some General Motors organizations lacked documentation of their systems, and where documentation existed it was not done in accordance with the laid-down standards |
| Sensitive data exposure | This is the act of accessing data at rest or data in transit. The data usually accessed is that in back-ups or user-browsing data |
| Broken authentication and session management | This is where an attacker exploits a session management or authentication flaw |
| Security misconfiguration | This is a very dangerous type of attack. Some security misconfigurations are: running software which is out of date; running services which are unnecessary; not changing the factory settings; incorrect exception management; using default accounts |
Table 4: Threat list and its description

| Threat | Description |
|---|---|
| Un-patched software | This is software that is not up to date. The most common target of attack is client-side software that remains unpatched |
| Social engineering Trojans | Social engineering is a way of manipulating people into giving up confidential information (such as user passwords or usernames) which can later be used to cause an attack |
| Advanced persistent threats | This is a set of computer hacking processes that is usually orchestrated by a certain entity |
| Network traveling worms | |
| Phishing | This is an attack where an attacker tries to entice a person into providing sensitive information |
| Malware | This is a type of attack which is designed to harm the computer system |
| Clone phishing | This is a type of phishing attack where one creates an identical email with similar content and attachments in order to deliver malware |
| Denial of Service attacks (DoS) | This is an attack in which the victim's computing resources are overloaded |
Table 5: Threat statement

| Threat-source | Threat actions |
|---|---|
| Hacker | Social engineering; system break-in; DoS; unauthorized system access; phishing |
| Computer criminal | System intrusion; identity theft; spoofing |
| Insiders | Clicking on unknown links; unauthorized system access; malicious code such as viruses; browsing of personally identifiable information |
| Environment | Fire; natural disaster |
6.0 An IT Control framework and any existing industry risk recommendations for the project
6.1 Policy Procedures
The following are policy procedures for an online system:
- Securing user authentication protocols, which includes:
  - Controlling data security passwords
  - Restricting access to active user accounts
  - Blocking access to user identification
- Training and education of employees
- Restricting access to files and records that contain confidential information
- Controlling user identifiers and IDs
- Email policy
- Mobile device policy
6.2 Best recommended practice
It is evident that cyber-security is the responsibility of each and every employee in the organization, so as to protect the organization's staff and customers. The best recommended practices are:
- Keeping operating systems and software up to date: both application software and the operating system should be kept up to date so as to minimize emerging threats and vulnerabilities
- Setting up a firewall and other security controls
- Securing access to the organization's computers and devices: the organization should ensure that the server room and other organizational devices are safe, with some form of remote tracking. It is important to encrypt devices such as DVDs, organization laptops, and USB keys
- Educating employees on cyber safety: workers must be trained on the threats the organization faces when they are on the internet and accessing their emails
6.3 Current evidence supporting the discussion
Data breaches have occurred several times against online systems. Some of the systems that have been breached are Yahoo, in August 2013; Equifax, which caused the organization to lose over 140 million records; TJX Companies, which lost 94 million records in 2006; and Timehop, which lost over 20 million records in July this year. This means that the targets are online systems.
7.0 Risk management approach
List of threat agents:
- Hackers
- Thieves
- Competitors
- Hacktivists
- Script Kiddies
- Terrorists
- Spies
- Political Pressure groups
- National interests
7.1 Issues
Table 6 below shows some of the issues related to the threat agents.

| Threat agent | Security | Privacy |
|---|---|---|
| Terrorists | Attack on the organization building | N/A |
| Hackers | Attack on the organization network so as to gather information such as confidential credentials | Jam the organization's communication devices so as to cause chaos |
| Thieves | Attack the organization alarm system with the intention of taking away organization devices | Attack the organization hub |
| Competitors and organized crime | Attack organization appliances so as to help grow a criminally funded botnet | Attack sensors such as IP phones to snoop on the organization's private conversations |
| Nation states | Attack communication devices such as routers so as to disrupt the organization's services | Attack sensors such as cameras so as to eavesdrop on communication |
| Activists | Attack the organizational network in order to gather information | |
7.2 Consequences
The threat agents are clearly differentiated by their ability to execute attacks. We observe that online systems such as that of General Motors have three broad consequence levels: low, moderate, and high. At the low level the threat agent has relatively meek resources and capabilities; such agents include amateur hackers, commercial rivals, and political pressure groups. Moderate-level agents are competent individuals. High-level threat agents are individuals who have the capability and significant resources.
8.0 Risk impact and mitigation strategies for the General Motors online system

| Item s/no | Vulnerability/threat source | Existing controls | Likelihood of occurrence | Impact | Risk rating | Observation | Mitigation |
|---|---|---|---|---|---|---|---|
| 1 | Password effectiveness | Most of the organizations had passwords containing only alphanumeric characters | Medium | Medium | Medium | User application passwords can be cracked | Use of special characters in combination with alphanumeric characters |
| 2 | Social engineering | Most organizations train their employees on the usage of the internet | Medium | Medium | Medium | The user can be tricked into clicking on a link | Employee awareness of the various current cybersecurity threats |
| 3 | Unpatched software | No controls | Medium | Medium | Medium | Lack of updating of organization software | Updating software on a quarterly or weekly basis, where applicable |
| 4 | Advanced persistent attacks | Firewalls | High | High | High | Hackers perform intelligence gathering from well-known public areas such as Facebook | Ensuring all security patches are installed and organization systems are up to date; a layered series of controls so as to achieve defense-in-depth network security |
| 5 | Denial of Service | Installing anti-virus on the organization systems | High | High | High | The rise of botnets, where an attacker gets thousands of computers to launch DoS attacks | Deploying a reverse proxy; over-provisioning bandwidth (having more bandwidth on one web server); employing a DoS specialist who can help in dealing with large DoS attacks |
| 6 | Phishing | Keeping informed about phishing techniques | Medium | Medium | Medium | Users are tricked into clicking links that lead to malware | Installing an anti-phishing toolbar; thinking before clicking |
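As an added worked example (not part of the report), the risk model of section 5.1 (RISK = LIKELIHOOD OF RISK OCCURRING * MAGNITUDE OF IMPACT) applied to the entries of the table above to reproduce the Risk rating column and order the register by priority. The 1/2/3 scoring of Low/Medium/High and the bands that map the product back to a rating are my assumptions; the report gives only the formula and the qualitative definitions.

```python
"""Worked example of the report's risk model (added here, not the report's own
code): RISK = LIKELIHOOD OF RISK OCCURRING * MAGNITUDE OF IMPACT.
Assumptions (mine): Low/Medium/High score 1/2/3 and the product maps back to a
rating via RATING_BANDS; REGISTER is constructed from the report's Table 8.0."""
from dataclasses import dataclass

LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}
# (inclusive upper bound of the product, rating): 1-2 Low, 3-4 Medium, 6-9 High
RATING_BANDS = [(2, "Low"), (4, "Medium"), (9, "High")]


@dataclass
class RiskItem:
    item: int
    source: str
    likelihood: str
    impact: str
    mitigation: str

def score(level: str) -> int:
    """Map a Low/Medium/High level (any letter case) to its ordinal score."""
    try:
        return LEVEL_SCORE[level.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown level {level!r}; expected Low, Medium or High") from None

def risk_score(likelihood: str, impact: str) -> int:
    """RISK = LIKELIHOOD * MAGNITUDE OF IMPACT on the 1-3 ordinal scale (result 1..9)."""
    return score(likelihood) * score(impact)

def risk_rating(likelihood: str, impact: str) -> str:
    """Classify the product back into the report's Low/Medium/High risk rating."""
    product = risk_score(likelihood, impact)
    return next(rating for upper, rating in RATING_BANDS if product <= upper)

def prioritised_register(items):
    """Return (item, rating, score, mitigation) tuples, highest risk first;
    ties keep the report's item order so the output is stable."""
    rows = [(it.item, risk_rating(it.likelihood, it.impact),
             risk_score(it.likelihood, it.impact), it.mitigation) for it in items]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed from the likelihood/impact columns of Table 8.0 (mitigations abbreviated).
REGISTER = [
    RiskItem(1, "Password effectiveness", "Medium", "Medium",
             "Special characters combined with alphanumeric characters"),
    RiskItem(2, "Social engineering", "Medium", "Medium",
             "Employee awareness of current cybersecurity threats"),
    RiskItem(3, "Unpatched software", "Medium", "Medium",
             "Regular software updates where applicable"),
    RiskItem(4, "Advanced persistent attacks", "High", "High",
             "Install all security patches; layered controls for defense-in-depth"),
    RiskItem(5, "Denial of Service", "High", "High",
             "Reverse proxy; over-provisioned bandwidth; DoS specialist"),
    RiskItem(6, "Phishing", "Medium", "Medium",
             "Anti-phishing toolbar; think before clicking"),
]

if __name__ == "__main__":
    for item, rating, product, mitigation in prioritised_register(REGISTER):
        print(f"item {item}: {rating:<6} (score {product}) -> {mitigation}")
```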
9.0 Brief summary (Literature Review)
As we all know, cyber-attacks on General Motors organizations are rising at a very high rate. This cyber-security risk assessment report is designed to help General Motors organizations remedy cyber-related risks. This is done by providing a detailed, in-depth analysis of cyber-related attacks and a risk mitigation strategy that can be adopted by General Motors organizations. Three major benefits of this cyber-security assessment report are that, first, it provides a very clear understanding of the security paradigm; second, it provides a clear understanding of cyber-related attacks; and third, it provides a risk mitigation plan.
The list below summarizes the components that will be affected by an attack on the online system.
Brief overview of the components affected:
- Databases: an example of an affected database is MS SQL Server 2012
- Protocols: due to the attacks listed, one of the affected protocols is SSL, used for transmission between the web server and the client web browser
- Organization networks
- Operating system
- Interconnections: an interconnection affected by the attacks is the interface to Paylink
- Organization applications: these are the applications used by organizations to carry out their day-to-day activities, for example Microsoft Internet Information Server
A summary of common attacks on the General Motors online system:
- Un-patched software
- Social Engineering Trojans
- Advanced Persistent Threats
- Network travelling Threats
- Phishing
- Malware
- Clone Phishing
- Denial of Service attacks
The techniques used to collect the evidence of the above attacks:
- A risk assessment questionnaire: the team used a customized version of NIST SP-26 to identify some of the risks encountered in cyber-security
- Vulnerability sources: the cybersecurity team used several vulnerability sources to assist in identifying potential weaknesses in the General Motors organization. Some of the vulnerability sources included:
  - SANS Top 20
  - CA Alert service
  - NIST I-CAT
  - OWASP Top 10
- Assessment tools: the cyber security team used several assessment testing tools aimed at reviewing the organization's system configurations. The team also used the assessment tools to identify vulnerabilities in General Motors applications. Some of the tools used were:
  - Nessus
  - AppScan
  - nmap
- Interviews: the cybersecurity team also conducted face-to-face interviews with General Motors system administrators and reviewed General Motors security policies to learn how well General Motors organizations are equipped for cybersecurity
- Risk identification workshops: the cybersecurity team carried out workshops in several General Motors organizations aimed at identifying cyber-related risks
Security policies that General Motors organizations need to build into their security policy:
- Organizations need to conduct periodic penetration testing: this type of testing helps organizations identify security vulnerabilities
- Organizations need to ensure very strong system configuration management
- Organizations need to ensure that their employees are always aware of the existing cybersecurity threats
- General Motors organizations need to implement a patch management program
10.0 Summary of protection mechanism that one would deploy
Guidance Software, on the other hand, recommends that General Motors organizations use new technologies which can find and, at the same time, map data across the organization. Once the organization is able to map its data, it can go ahead and make decisions on how to reduce cyber-related risks and govern that data. The Deloitte firm recommends that when dealing with cyber-security, the risk management process should follow a capability maturity model approach. According to Deloitte, the model has five levels: initial, repeatable, defined, managed, and optimizing.
There are about seven considerations for risk management: culture, information sharing, resilience, priorities, cyber hygiene, and threat environment. Under culture, the organization's leaders are required to establish a culture of risk management and cyber-security. Information sharing is where the General Motors shareholders are made aware of the risks, especially the shared ones. Priorities is where the organization determines the potential impact of each and every risk. Cyber hygiene, on the other hand, is the practice of focusing on the basic activities that secure the organization's infrastructure, reduce risks, and prevent attacks.
10.1 Others protection mechanism
- Developing policies for cyber electronic devices: in the UK there were over 7 million victims of cyber-crime in January this year. This can only be minimized by developing the best cyber-security policies and practices (Shacklett, 2018). Building a security policy ensures that an organization stands its best chance of protecting its assets, and a security policy helps an organization define its information assets. When developing an organization's security policy, it should be approached in an umbrella manner, where one needs to build a strong IT team to develop the security policies, starting with the basic elements of IT, which are workstations and mobile devices.
- Implementing a cyber-training program for all employees
- Developing a cyber-security incident response plan: an incident response plan designates a group of individuals who are mandated to respond to a given security incident. It defines the roles and responsibilities of each participant. The document also communicates security risks to the organization's stakeholders.
- Implementing measures for detecting compromises
- Involving the organization executives in cyber-security
- It is also important to evaluate the organizations residual and inherent risks so as to determine integrity, availability, and confidentiality (Cleveland, 2008).
11.0 Conclusion
One of the components that this report has recommended to General Motors organizations is setting up a risk management system, which is done after assessing the organization's assets. As Citrix recommends, General Motors organizations need to have fully implemented and documented procedures for each activity they create for cyber-related risks. These procedures should be based on industry-leading practices. Some of the procedures that General Motors organizations can take advantage of are software and hardware implementations.
References
Cleveland. (2008). Cybersecurity issues for advanced metering infrastructure. In Power and Energy Society General Meeting - Conversion and Delivery of Electrical Energy in the 21st Century, 2008 IEEE, pp. 1-5.
Shacklett, M. (2018, April 3). 10 ways to develop cyber security policies and best practices.