Importance of IT security
Question:
Write an IT Risk Assessment report.
The fundamental aim of information security is to support the mission and vision of the organization in an adequate manner. There are various risks which are not easy to handle. With limited resources and an ever-changing landscape of threats, it is not possible to explain the risk in full. Therefore, security professionals need a toolset that helps them define a common view which the whole team understands. The toolset should be proportionate to the risk and cost effective, so that the risk identified by the assessment can be reduced. I have been appointed as the IT Risk Assessment lead consultant for Gigantic Corporation. My role in risk management is to be the interface between technologists and business stakeholders. My specialization is in cyber security, which is very important for the company because technology has advanced in today's world. The threat of cyber attack has increased; such attacks can destabilize infrastructures such as financial and air traffic control systems and can have an influence comparable to a terrorist attack in the physical space (McNeil, Frey & Embrechts, 2015). Cyber attackers are able to steal company details, personal information, intellectual property and financial information, all of which are very important to the company, and the loss of this information can lead the company into an adverse situation.
Risk is the potential harm that may arise from a current process or from a future event. Risk is present in every aspect of life, and many disciplines observe risk as it applies to them. In the context of IT security, risk management is the process of understanding and responding to factors that may lead to a failure of the integrity, confidentiality or availability of an information system. IT security risk is the harm to a process or to important information from an accidental event that may negatively influence the process or the related information (Godfrey, Merrill & Hansen, 2009).
A threat is the potential for a certain vulnerability to be exercised. In IT security terms, a threat is not itself an action. As a consultant I would like to define the impact of threats on cyber security. Threats must be coupled with threat sources to become hazardous. This is a vital distinction when managing risk, because each threat has a different likelihood, which influences the risk assessment and risk management (Rejda, 2011). Gigantic Corporation can be affected by various cyber attacks such as reverse deception tactics, phishing campaigns, strategic use of information systems, alternative cryptocurrencies and DDoS-for-hire services. Reverse deception tactics are a set of tools used within an organization to hide stolen data. Every company's data is important and confidential, and leaked information can lead the company into a hazardous situation. Phishing has emerged as the biggest risk to system integrity. There are various examples of it affecting the integrity of a company. In 2016, the CEO of FACC AG, Mr. Stephan, gave way to a phishing attempt after he acknowledged an email. It was found that the cyber criminal could have been a senior member of the organization, who pressured the CEO into transferring approximately £39 million from the company accounts. Strategic use of information is a threat aimed at achieving political disruption. DDoS is a form of hacking which is a major threat for Gigantic Corporation. It involves six steps: performing reconnaissance, scanning and enumeration, infiltration, maintaining control, privilege escalation, and covering tracks and leaving backdoors (Manuj & Mentzer, 2008). The threat to cyber security is a complex situation that cuts across numerous domains and demands multi-layered initiatives.
It has happened many times that damage done by cyber attackers to the corporate world cannot be identified immediately and, in some cases, may go entirely unobserved. Intentional alteration of data is a form of threat which comprises the insertion or deletion of data, whether performed by a user or not.
Role of risk assessment
Figure 1: IT Security Control framework
Source: (Hoyt & Liebenberg, 2011).
The above image reflects the IT security control frameworks which identify threats within an organization. The role of the control framework in Gigantic Corporation is vital because it contributes to the decision-making process of stakeholders in favor of the organization. The major principles of IT control are that it is risk based, focused on the end state, and comprehensive, working at three levels in Gigantic Corporation. These three levels are entity level controls, business process controls and information technology general controls (Bebbington, Larrinaga & Moneva, 2008).
Vulnerabilities are weaknesses in the procedures, implementation, design or internal controls of a security system that could be exploited and result in a breach or violation of the system's security policy. Vulnerabilities are not simply weaknesses in the technical protections provided by the system. Standard operating procedures that system administrators often perform can carry significant vulnerabilities; for example, the company's process for resetting passwords or inadequate log reviews (Cleveland, 2008). Another area where vulnerabilities can be recognized is at the policy level. For example, the lack of a security testing policy may be directly responsible for the lack of vulnerability scanning. The cyber security vulnerabilities for Gigantic are injection vulnerabilities, buffer overflows, sensitive data exposure, broken authentication and session management, and security misconfiguration.
Injection vulnerabilities occur whenever an application sends untrusted data to an interpreter. They are common and affect a wide range of solutions. Injection vulnerabilities can affect SQL, LDAP, XPath, XML parsers and program arguments. They can affect many kinds of software, and their impact depends on how widely the vulnerable application is deployed (Yan, Qian, Sharif & Tipper, 2012).
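The SQL case of the injection problem described above, as an added example that is not code from the report: an in-memory SQLite table of constructed sample accounts is queried once by splicing the caller's input into the statement text and once with a bound parameter. The table, column and function names are assumptions made for this illustration; the point is that the parameterized form keeps the statement structure fixed no matter what the caller supplies.

```python
"""Injection in a username lookup: string concatenation beside a parameterized query."""
import sqlite3

# Constructed sample data for a hypothetical Gigantic Corporation application.
SAMPLE_USERS = [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input becomes part of the SQL text, so the interpreter parses it
    # as part of the statement: this is the injection weakness the report describes.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The input travels as a bound parameter; the statement structure is fixed,
    # so whatever the caller supplies is only ever compared as a value.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups with a normal name and with the textbook tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"   # the classic illustration of why concatenation fails
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_param": lookup_parameterized(conn, "alice"),
        "tautology_vuln": lookup_vulnerable(conn, tautology),
        "tautology_param": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
```

Against the constructed table, the concatenated query returns every account for the tautology input while the parameterized one returns nothing, because no user is literally named `' OR '1'='1`. The same separation of code from data applies to the LDAP, XPath and command-argument cases the report lists.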
A buffer overflow vulnerability is present when an application attempts to put more data in a buffer than it can hold. Buffer overflow attacks are common and not easily discovered, but compared with injection attacks they are hard to exploit. The attacker needs to know how the targeted application manages memory and how to alter its contents in order to run the attack. The decision-making process between technologists and the various stakeholders should be clear, and for this the IT team should have knowledge of the several types of buffer overflow; the heap buffer overflow and the format string attack are the most common (Von Solms & Van Niekerk, 2013). Buffer overflow attacks are more dangerous because they can target particular areas such as web servers, web applications and desktop applications. Gigantic Corporation can be affected by buffer overflows because an attacker can craft a buffer overflow to target a web application and execute arbitrary code.
The corporation's data can be stored in a system or conveyed between two entities. Sensitive data exposure occurs in an entity due to a lack of protection of that sensitive data. Cyber attackers have a number of options, such as attacking the data storage directly, for instance with a malware-based attack, or tricking a web application into doing things such as amending the contents of a shopping cart. Sensitive data exposure attacks can be carried out by various attackers, including cyber criminals, hacktivists and state-sponsored hackers (Liu, Xiao, Li, Liang & Chen, 2012).
Threats and risks for Gigantic Corporation
Broken authentication and session management can occur in Gigantic Corporation due to inadequate protection of sensitive information such as exposed accounts, session IDs and passwords (Wang & Lu, 2013). This kind of attack is common, and many attackers use leaked information to benefit their criminal activities. Unfortunately, the abuse of broken authentication and session management cannot be mitigated in general because of the huge range of authentication schemes implemented by victims. Not all authentication and session schemes are equal, which is why the reason behind a given abuse is often not identified (Hahn, Ashok, Sridhar & Govindarasu, 2013). There are various techniques to bypass an authentication mechanism, including brute forcing the targeted account, recovering the session from a URL and reusing an already used session.
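The three bypass techniques named above each have a direct counter-measure in how sessions are issued and retired. As an added example (not code from the report), the in-memory store below issues unguessable session IDs, rotates the ID at login so an ID obtained beforehand (for instance from a URL) never becomes an authenticated session, refuses an ID once it has been logged out or has expired, and locks an account after repeated failed logins. The idle timeout, the lockout threshold, the credential store and all names are assumptions for this illustration.

```python
"""Session issuance, rotation, invalidation and login lockout."""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60   # assumed idle timeout in seconds
MAX_FAILURES = 5        # assumed lockout threshold


def _hash(salt: bytes, password: str) -> bytes:
    # Constructed credential store uses SHA-256 for brevity; a production system
    # would use a slow password hash. The subject here is session handling.
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}   # constructed account


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session id -> {"user": str or None, "expires": float}
        self.failures = {}   # username -> consecutive failed logins

    def new_anonymous(self) -> str:
        # 32 bytes from the OS CSPRNG: not derived from time, a counter or the user.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "expires": self.clock() + SESSION_TTL}
        return sid

    def login(self, old_sid: str, username: str, password: str):
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return None   # locked: repeated guessing no longer gets an answer
        rec = USERS.get(username)
        ok = rec is not None and hmac.compare_digest(rec[1], _hash(rec[0], password))
        if not ok:
            self.failures[username] = self.failures.get(username, 0) + 1
            return None
        self.failures[username] = 0
        # Rotate: the pre-login ID is discarded and a fresh authenticated ID issued,
        # so an ID that leaked before login (e.g. in a URL) is worthless afterwards.
        self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "expires": self.clock() + SESSION_TTL}
        return sid

    def user_for(self, sid: str):
        rec = self.sessions.get(sid)
        if rec is None:
            return None   # unknown, logged-out or rotated-away ID
        if rec["expires"] < self.clock():
            del self.sessions[sid]
            return None   # expired IDs are removed, not merely refused
        rec["expires"] = self.clock() + SESSION_TTL   # sliding idle expiry
        return rec["user"]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)   # the ID can never be presented again
```

The `clock` parameter exists so that expiry can be exercised without waiting; in production the default `time.time` is used.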
Various security misconfigurations have been found to apply to Gigantic Corporation. These can be outdated software, unnecessary services running on the system, factory settings left unchanged, the use of default accounts, and incorrect exception handling. The impact of security misconfiguration can be dramatic when the company systems targeted by hackers are widely adopted (Yan, Qian, Sharif & Tipper, 2012). For instance, routers available on the market have shipped with default SSH keys that permit an attacker to create an unauthorized connection to the device. These kinds of vulnerabilities could have a serious influence on the new paradigm of the Internet of Things. Security misconfiguration is dangerous for Gigantic Corporation and causes incidents that are hard to contain and can have a disastrous influence.
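The misconfiguration classes listed above can be checked mechanically. As an added example that is not code from the report, the audit below parses a constructed INI-style server configuration and reports debug or stack-trace output left enabled, default accounts, unnecessary services and software below a version floor. The section and key names, the list of default accounts and services, and the version baseline are assumptions for this illustration.

```python
"""Auditing a constructed server configuration for common misconfigurations."""
import configparser

# Assumed baselines for this example only.
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "test"}
UNNEEDED_SERVICES = {"telnet", "ftp", "rsh", "finger"}
MIN_VERSIONS = {"openssl": (1, 1, 1), "nginx": (1, 18, 0)}

# Constructed sample configuration, deliberately weak.
SAMPLE_CONFIG = """
[server]
debug = true
show_stack_traces = true
[accounts]
enabled = admin, alice, guest
[services]
enabled = https, ssh, telnet
[versions]
openssl = 1.0.2
nginx = 1.20.1
"""

# The same configuration after the findings are addressed.
HARDENED_CONFIG = """
[server]
debug = false
show_stack_traces = false
[accounts]
enabled = alice
[services]
enabled = https, ssh
[versions]
openssl = 3.0.2
nginx = 1.20.1
"""


def _version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def _csv(value: str) -> list:
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def audit_config(text: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    # Incorrect exception management: debug output or stack traces reaching clients.
    for key in ("debug", "show_stack_traces"):
        if cp.getboolean("server", key, fallback=False):
            findings.append(f"server.{key} is enabled")
    # Default accounts left active.
    for acct in _csv(cp.get("accounts", "enabled", fallback="")):
        if acct in DEFAULT_ACCOUNTS:
            findings.append(f"default account enabled: {acct}")
    # Unnecessary services running.
    for svc in _csv(cp.get("services", "enabled", fallback="")):
        if svc in UNNEEDED_SERVICES:
            findings.append(f"unnecessary service enabled: {svc}")
    # Outdated software against the assumed baseline.
    if cp.has_section("versions"):
        for name, ver in cp.items("versions"):
            floor = MIN_VERSIONS.get(name)
            if floor and _version(ver) < floor:
                findings.append(f"outdated {name} {ver} (< {'.'.join(map(str, floor))})")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

A real deployment would feed the actual service configuration and package inventory into the same shape of check; the value of the example is that each finding maps to one of the misconfiguration classes the report names.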
For repeatability, consequences are best defined in terms of impact upon availability, integrity and confidentiality. Confidentiality, integrity and availability are the major dimensions of the consequences. Stakeholders are the key people for the growth of the company, and technologists are the ladder to success. Without technologists the company cannot attain the benefits; their support is necessary to run the business. The table below describes the impact or consequences on Gigantic Corporation.
| Level of Consequences | Confidentiality | Integrity | Availability |
| --- | --- | --- | --- |
| Low | Limited effect is the outcome of the loss of confidentiality for the organization. | Limited effect is the outcome of the loss of integrity for the organization. | Limited effect is the outcome of the loss of availability for the organization. |
| Moderate | Serious effect is the outcome of the loss of confidentiality for the organization. | Serious effect is the outcome of the loss of integrity for the organization. | Serious effect is the outcome of the loss of availability for the organization. |
| High | Severe effect is the outcome of the loss of confidentiality for the organization. | Severe effect is the outcome of the loss of integrity for the organization. | Severe effect is the outcome of the loss of availability for the organization. |
Threats and vulnerabilities can impact the organization and its running processes. As mentioned above, there are three kinds of effect: limited, serious and severe. These effects can hamper the mission capability of Gigantic Corporation. A limited effect involves the temporary loss of one or more mission capabilities, damage to organizational assets under $5000, and minor harm to human life (Ericsson, 2010). A serious effect involves the long-term loss of one or more mission capabilities, damage to organizational assets of $5000 to $100,000, and significant harm to the organization. A severe effect involves the long-term loss of one or more primary mission capabilities, damage to organizational assets over $100,000, and significant harm to the organization.
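The loss thresholds above, combined with the likelihood mentioned earlier in the report, are enough to rate and rank threats. As an added example (not code from the report), the block below turns an estimated asset loss into the report's Low, Moderate or High consequence level, multiplies it by a three-step likelihood, and ranks a constructed set of scenarios drawn from the threats the report names. The likelihood scale, the scoring weights and the scenarios themselves are assumptions for this illustration.

```python
"""Consequence rating from the report's thresholds, and a ranked risk register."""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")                    # as in the consequence table
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}    # assumed scale


def impact_level(estimated_loss_usd: float) -> str:
    """Map an estimated asset loss to the report's consequence level."""
    if estimated_loss_usd < 5_000:
        return "Low"          # limited effect
    if estimated_loss_usd <= 100_000:
        return "Moderate"     # serious effect
    return "High"             # severe effect


@dataclass
class Scenario:
    threat: str
    affects: str            # "confidentiality", "integrity" or "availability"
    likelihood: str
    estimated_loss_usd: float

    def risk_score(self) -> int:
        # impact 1..3 multiplied by likelihood 1..3 gives a 1..9 score
        impact = LEVELS.index(impact_level(self.estimated_loss_usd)) + 1
        return impact * LIKELIHOOD[self.likelihood]


def rank(scenarios: list) -> list:
    """Highest risk first; ties broken by the larger estimated loss."""
    return sorted(scenarios, key=lambda s: (s.risk_score(), s.estimated_loss_usd), reverse=True)


# Constructed scenarios using threats the report discusses.
SCENARIOS = [
    Scenario("phishing leading to a fraudulent transfer", "integrity", "likely", 250_000),
    Scenario("DDoS against the customer portal", "availability", "possible", 40_000),
    Scenario("default SSH key on a branch router", "confidentiality", "possible", 120_000),
    Scenario("lost unencrypted laptop", "confidentiality", "rare", 3_000),
]

if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{s.risk_score()}  {impact_level(s.estimated_loss_usd):8} "
              f"{s.likelihood:8} {s.affects:15} {s.threat}")
```

The boundary values follow the report's wording: a loss under $5000 is Low, $5000 up to and including $100,000 is Moderate, and anything above is High.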
IT security control framework for Gigantic Corporation
In addition, the decision-making process in favor of the organization can be hampered by a lack of protection of sensitive data. Stakeholders and technologists should be active in protecting data and defending against cyber attack. There is a range of malware available on the market that is used by many criminals to obtain the company's information (McNeil, 2013). For instance, a botnet is a network spread by cyber criminals into a firm's servers; these bots can enlist other systems for the purpose of hacking the company's details. These kinds of risks can lead the company into a hazardous situation, and the progress of the company may suffer.
The term threat agent is used to define an individual or group that can manifest a threat. It is fundamental to recognize who would want to take advantage of the company and in what way they could use techniques against it. The key threat agents for cyber security can be Trojans, worms, viruses, scareware, spyware, keyloggers, adware, exploits, botnets, phishing, droppers and mouse trapping. These key threat agents harm the position of the company (Luiijf, Besseling & De Graaf, 2013).
Trojan: this is one of the most complex threats because it has special features such as hiding itself from antivirus detection and stealing important and confidential details, such as the bank account details of the company's employees. It may harm the position of the company, and the risk from this software can be protected against by increasing the confidentiality of documents (Von Solms & Van Niekerk, 2013).
Worms: these are among the most harmful threats, with the ability to transfer data from one computer to another within a network or even across the internet. A worm increases the computer security risk and uses up system hard disk space because of its replication (Obama, 2010).
Spyware: spyware is malware intended to spy on the victim's computer. It is a threat which can detect daily activity so that attackers can observe the daily operations and attack based on the information gained.
Along with these, there are a number of key threats such as scareware, keyloggers, adware, exploits, botnets, phishing, droppers and mouse trapping. These key threat agents also bring risk and impact the growth of the company. These attacks increase the cyber security challenges for a modern corporation and make it vulnerable to cyber attack. To protect against these kinds of cyber attacks, the company can implement a cyber security policy to make sure that its data is protected against cyber attacks.
The risk and its impact on the system could be mitigated by protecting sensitive data. The corporation can implement a mitigation plan. The company could implement cyber security policy, plans and procedures, which should be the shared input and effort of stakeholders from the various departments of the corporation (Covington and Carskadden, 2013). Each employee and technologist could be given responsibility for developing the security policies and procedures. Clear roles and responsibilities for employees would help clarify decision-making authority along with accountability at each level. The high-level policy statements define three major things, such as the commitment of the organization's management to the cyber security program. They also express the upper level of requirements for plans and procedures (Rowe & Gallaher, 2006).
Vulnerabilities in Gigantic Corporation
The potential impact of inadequate security training and programs can emerge in the form of a cyber attack. For instance, due to a lack of training and awareness, the corporation could fail to respond to someone capturing wireless network traffic. The mitigation for this is to ensure that the training and awareness program addresses the risks that arise from insecure employee behaviour (Luiijf, Besseling, Spoelstra & De Graaf, 2011).
Protection mechanisms are the way to secure the company's data and sensitive information. There are various security risks in the form of threat agents, but the company can reduce those risks by following some methods. These methods can comprise firewalls, secure socket layer, and standards adherence.
Firewall: this is an application that can easily be installed by the company on its web server. It has the ability to check all communication from every side to make sure that it follows the security rule set. The firewall application can block data that breaches the rules and prevent it from gaining access to the server. For instance, if a hacker sends spyware, the firewall application would identify this because it is set on the server to allow access only to web traffic. In that case the firewall blocks the request automatically, which protects the company's data from long-term damage.
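The "allow only web traffic" behaviour described above amounts to an ordered rule list with an implicit final deny. As an added example that is not code from the report, the small packet filter below evaluates constructed connection attempts against such a policy for a web server. The rule format, the addresses, the admin network and the ports are assumptions for this illustration.

```python
"""A default-deny rule set for a web server, evaluated against constructed traffic."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source network in CIDR notation
    dport: Optional[int]    # destination port, or None for any port


# Assumed policy: HTTP and HTTPS from anywhere, SSH only from the admin
# network, and everything else falls through to the implicit deny.
WEB_SERVER_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", 80),
    Rule("allow", "tcp", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "10.0.5.0/24", 22),
]


def evaluate(rules: list, proto: str, src_ip: str, dport: int) -> str:
    """First matching rule wins; no match means deny (default deny)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(rule.src):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


# Constructed connection attempts: (protocol, source address, destination port).
SAMPLE_PACKETS = [
    ("tcp", "203.0.113.7", 443),    # a customer browsing the site
    ("tcp", "203.0.113.7", 22),     # SSH from the internet
    ("tcp", "10.0.5.14", 22),       # SSH from the admin network
    ("udp", "203.0.113.7", 1900),   # unsolicited UDP
    ("tcp", "198.51.100.9", 4444),  # connection to an arbitrary high port
]


def filter_log(rules: list, packets: list) -> list:
    """Return (packet, decision) pairs, the shape a firewall log would record."""
    return [(packet, evaluate(rules, *packet)) for packet in packets]


if __name__ == "__main__":
    for packet, decision in filter_log(WEB_SERVER_RULES, SAMPLE_PACKETS):
        print(f"{decision:5} {packet}")
```

Logging the denied attempts as well as the allowed ones is what turns the filter into a detection source: the pattern of refused connections is often the first visible sign of scanning against the server.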
Secure socket layer: this is the major procedure to stop identity theft online. Secure websites use HTTP in their links, which shows that the relationships between clients and customers are secure. The information can be encrypted using public and private keys, and only the web server that has the SSL certificate installed will be able to decrypt the information. It is used by organizations to transmit personal information such as credit card numbers and account details while buying goods and services online. This means that if a hacker intercepts the data they are not able to read it, because it is encrypted (Crowe, 2016).
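Encryption only protects the data if the client also verifies that the certificate belongs to the server it meant to reach. As an added example that is not code from the report, the block below configures a client-side TLS context the way a practitioner would want it, beside the common misconfiguration that switches verification off, and an audit function that reports the difference. Nothing here connects to a network; the contexts are only configured and inspected.

```python
"""Verifying the other end of an SSL/TLS connection, not just encrypting it."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    # Loads the system CA store, requires a certificate chain to a trusted CA
    # and checks that the certificate matches the hostname being connected to.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    # The "make the certificate warning go away" misconfiguration: traffic is still
    # encrypted, but any party presenting any certificate can sit in the middle.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a context; an empty list means it verifies its peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:    ", audit_context(weak_client_context()))
```

The two verification findings are the ones to look for in code review: a context with `verify_mode = CERT_NONE` still shows a padlock's worth of encryption on the wire while giving up the identity guarantee the report attributes to the certificate.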
Standards adherence: this ensures that the company's website and web server adhere to standard security guidelines. For this it is vital to have strong passwords. Weak passwords can be cracked by many hackers because they are easy to guess. The hackers can then access the server and upload a virus which can harm the company's sensitive information. The protection mechanism for this is simply to keep a strong password that cannot be obtained by hackers, which will prevent them from being able to upload a virus onto the company's software (Liebenberg & Hoyt, 2003).
It is vital for the company to adopt the principles of the Data Protection Act, which comprises several major principles. Data must be adequate and accurate and processed lawfully. Ransomware is malware that takes information hostage and demands ransom money from users, with no guarantee that the data will be returned after the ransom is paid. A number of multinational companies have been affected by ransomware, such as Nissan and FedEx (Kelly, 2012). Research shows that growth in technology leads to disruptive innovations that change the existing use of services as well as products. Machine learning is one such innovation in the IT industry. Many companies such as Facebook and Google have promoted this innovation to improve their services and products. For instance, Google integrates machine learning in its smartphones, where online services gather user data and provide recommendations based on what has been learned. Lenhart, Purcell, Smith and Zickuhr (2010) state that it is the responsibility of an IT company to encrypt its data during transmission, since it is hard for cybercriminals to gain access to encrypted data. Various corporations are responsible for providing end-to-end encryption to their users to ensure the safety of information. According to Sridhar, Hahn and Govindarasu (2012), third parties are a cause of cyber attacks, and to prevent such attacks companies with many systems should ensure that those systems are physically secured against third-party access. Proper security systems should be included in company procedures to ensure that employees cannot give hackers access to their systems.
In that case, the organization can use security cameras, ID checks, scanners and biometric locks to ensure that its computer systems and servers are protected from third-party access. Dourado and O'Sullivan (2015) state that a modern firm should build a separate budget dedicated to cyber security investment, as it is considerably vital for the security of the company. If the company does not have sufficient security, its financial condition will suffer and it may incur reputational loss; hence, firewalls and antivirus are needed by the organization. A number of companies have faced cyber attacks due to a lack of security, such as Yahoo, DYN, BBC, Sony and many others. It is vital for the company to implement effective cyber security measures to handle issues such as the use of encryption to protect data during transmission (Grace, Leverty, Phillips & Shimpi, 2015). The company should create strong passwords that cannot be obtained easily by hackers, and for this the company should use symbols, numbers and letters in its passwords. Along with that, the corporation should understand the value of cyber security and implement appropriate measures to make sure that it is protected against cyber attacks (Kanishk, 2017).
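The password rule the report states in two places, that passwords should combine symbols, numbers and letters and not be easy to guess, can be enforced at the point where a password is set. As an added example that is not code from the report, the check below applies that rule plus a minimum length and a small constructed list of commonly chosen passwords, returning every reason a candidate fails so the user can fix all of them at once. The minimum length and the common-password list are assumptions for this illustration.

```python
"""A password policy check following the report's strong-password guidance."""
import string

MIN_LENGTH = 12   # assumed minimum length

# Constructed list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "gigantic2017"}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in candidate):
        problems.append("no letters")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no digits")
    if not any(ch in string.punctuation for ch in candidate):
        problems.append("no symbols")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def is_strong(candidate: str) -> bool:
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ("Password1", "correct-horse-battery-7", "Gigantic2017!"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

Checking against a list of known-common passwords matters as much as the character classes: a password can satisfy every class rule and still be one of the first guesses made against the server the report describes.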
Conclusion
In light of the above discussion, it is concluded that cyber attacks harm the sensitive information of the company. As the IT Risk Assessment lead consultant, I have provided a range of information to support decision-making for Gigantic Corporation. The report has discussed that the threat of cyber attack has increased; such attacks can destabilize infrastructures such as financial and air traffic control systems and can have an influence comparable to a terrorist attack in the physical space. The key threat agents that may lead the company into a hazardous situation have been discussed. A brief summary has been given of the protection mechanisms for website security.
References
Bebbington, J., Larrinaga, C., & Moneva, J. M. (2008). Corporate social reporting and reputation risk management. Accounting, Auditing & Accountability Journal, 21(3), 337-361.
Cleveland, F. M. (2008). Cyber security issues for advanced metering infrastructure (AMI). In Power and Energy Society General Meeting-Conversion and Delivery of Electrical Energy in the 21st Century, 2008 IEEE (pp. 1-5). IEEE.
Covington, M.J. and Carskadden, R., (2013). Threat implications of the internet of things. In Cyber Conflict (CyCon), 2013 5th International Conference on (pp. 1-12). IEEE.
Crowe, J.,(2016). Phishing by the Numbers: Must-Know Phishing Statistics 2016. [Online] Barkly. Available at: https://blog.barkly.com/phishing-statistics-2016 [Accessed on 10/12/2017]
Dourado, E. and O’Sullivan, A., (2015). Federal Cybersecurity Breaches Mount Despite Increased Spending. [Online] Mercatus Center. Available at: https://www.mercatus.org/publication/federal-cybersecurity-breaches-mount-despite-increased-spending [Accessed on 10/12/2017].
Ericsson, G. N. (2010). Cyber security and power system communication—essential parts of a smart grid infrastructure. IEEE Transactions on Power Delivery, 25(3), 1501-1507.
Godfrey, P. C., Merrill, C. B., & Hansen, J. M. (2009). The relationship between corporate social responsibility and shareholder value: An empirical test of the risk management hypothesis. Strategic management journal, 30(4), 425-445.
Grace, M. F., Leverty, J. T., Phillips, R. D., & Shimpi, P. (2015). The value of investing in enterprise risk management. Journal of Risk and Insurance, 82(2), 289-316.
Hahn, A., Ashok, A., Sridhar, S., & Govindarasu, M. (2013). Cyber-physical security testbeds: Architecture, application, and evaluation for smart grid. IEEE Transactions on Smart Grid, 4(2), 847-855.
Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. Journal of risk and insurance, 78(4), 795-822.
Kanishk., (2017). What Businesses In India Can Learn From Recent DDoS Attacks. [Online] HaltDos Blogs. Available at: https://blogs.haltdos.com/2017/02/22/businesses-india-can-learn-recent-ddos-attacks/ [Accessed on 10/12/2017]
Kelly, B.B., (2012). Investing in a centralized cybersecurity infrastructure: Why hacktivism can and should influence cybersecurity reform. BUL Rev., 92, p.1663.
Lenhart, A., Purcell, K., Smith, A. and Zickuhr, K., (2010). Social Media & Mobile Internet Use among Teens and Young Adults. Millennials. Pew internet & American life project.
Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6(1), 37-52.
Liu, J., Xiao, Y., Li, S., Liang, W., & Chen, C. P. (2012). Cyber security and privacy issues in smart grids. IEEE Communications Surveys & Tutorials, 14(4), 981-997.
Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security strategies. International Journal of Critical Infrastructures 6, 9(1-2), 3-31.
Manuj, I., & Mentzer, J. T. (2008). Global supply chain risk management. Journal of business logistics, 29(1), 133-155.
McNeil, A. J. (2013). Enterprise Risk Management. Annals of Actuarial Science, 7(1), 1.
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools. Princeton university press.
Obama, B. (2010). National security strategy of the United States (2010). Diane Publishing.
Rejda, G. E. (2011). Principles of risk management and insurance. Pearson Education India.
Rowe, B. R., & Gallaher, M. P. (2006, March). Private sector cyber security investment strategies: An empirical analysis. In The fifth workshop on the economics of information security (WEIS06).
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. computers & security, 38, 97-102.
Wang, W., & Lu, Z. (2013). Cyber security in the Smart Grid: Survey and challenges. Computer Networks, 57(5), 1344-1371.
Yan, Y., Qian, Y., Sharif, H., & Tipper, D. (2012). A survey on cyber security for smart grid communications. IEEE Communications Surveys & Tutorials