Risk Assessment
CONVXYZ is a UK-based conveyancing and estate services company with a team dedicated to its network and connected systems. The company provides a range of real estate services to its clients. It already has a network security architecture in place that is responsible for securing its daily business operations (Hegde and Rokseth 2020). The primary objective of the security architecture is to protect data against modification, destruction and deletion. The architecture is also intended to protect business assets against the recent conveyancing scams, which have already claimed multiple victims.
This document carries out a risk assessment of the existing security network architecture by identifying the business assets, their owners and the associated vulnerabilities (Shulman et al. 2018). It also identifies the risks associated with those vulnerabilities and proposes recommendations to enhance security.
This section carries out the risk assessment for the existing security architecture at CONVXYZ. The following sections identify the risks the business is likely to face and the existing vulnerabilities that need to be fixed to enhance its security (Zio 2018). First, an owner specification is given, stating that the risk assessment may only be carried out after permission has been obtained from the appropriate owner at CONVXYZ.
Figure-1: Risk assessment method
(Source- Created by Author)
Owner Specification
CONVXYZ is a real estate business based solely in the UK that provides its clients with assistance across the field of real estate. The company has multiple business assets that support its daily business transactions (Lyu et al. 2020). Its existing IT security architecture also includes storage for sensitive business data and networking equipment that serves the daily business objectives. The main components of the existing security architecture are:
- A website hosted on the web server, which allows clients to access the company website, browse properties and get in contact with the company's real estate agents.
- An authentication server, which is responsible for authenticating the credentials of both the customers and the staff at CONVXYZ (Eckhouse et al. 2019).
- A mail server, which employees use to communicate confidential business information to clients.
- A configured VPN tunnel, which lets the lawyers stay connected to the network.
- A firewall at the entry point of the network, which checks incoming data from external sources to ensure that it does not contain threats (Stevenson 2018).
CONVXYZ, as the owner of the existing security architecture and the business assets connected to the network, has given permission to proceed with the risk assessment and to strengthen the security of the business with appropriate protective measures.
This section identifies the major assets that belong to CONVXYZ and support its daily business operations. Two types of business asset have been identified from the existing security network architecture (Lin et al. 2021): primary assets and secondary assets. Primary assets are business assets that do not depend directly on any other component of the organization. Secondary assets, on the other hand, are those that depend on one of the organization's primary assets. The assets identified at CONVXYZ are presented in the following table, with the type of each asset and a brief description.
| Asset number | Name of asset | Type of asset | Description |
|---|---|---|---|
| CON01 | Estate Agent PCs | Secondary asset | This is a secondary asset, since it cannot function unless it is connected to other assets such as the routers and switches (Bao, Lianju and Yue 2019). |
| CON02 | Web Server | Primary asset | This is a primary asset because of the function carried out by the web server, which hosts the CONVXYZ website and allows all clients and employees to access it. |
| CON03 | Email Server | Primary asset | This is also a primary asset, since it allows the real estate agents to get in touch with the clients of the business and communicate with them effectively. |
| CON04 | Staff Database | Primary asset | This is a primary asset because it contains sensitive information about all the staff at CONVXYZ, including their personal details, which must be kept confidential at all times. |
| CON05 | Customer & Property Database | Primary asset | Apart from the employees, the personal information of the customers and the properties handled by the company's real estate agents also need to be protected (ElMamy et al. 2020). Hence, this has also been considered a primary asset. |
| CON06 | Authentication Server | Secondary asset | The authentication server is a secondary asset, because it cannot authenticate unless the credentials have been approved by the database. |
| CON07 | Router | Primary asset | This is a primary asset, since it is the most important component of the network and acts as the gateway for all communication at CONVXYZ. |
| CON08 | Switch | Secondary asset | A switch does not function unless it is connected to a router, hence it is a secondary asset. |
The following table identifies the threats likely to be posed to the assets identified in the previous table.

| Asset number | Name of asset | Type of asset | Threat | Description |
|---|---|---|---|---|
| CON01 | Estate Agent PCs | Secondary asset | Malware | The PCs allocated to the real estate agents are always connected to an active internet connection at CONVXYZ (Popkova and Gulzat 2019). This might allow malware to enter the PCs and affect the normal functioning of the installed applications by altering their backend code. |
| CON02 | Web Server | Primary asset | Phishing | The web server at CONVXYZ allows the real estate agents and the business clients to access the company website. However, a potential hacker can carry out phishing by sending clients a link to a spoofed website. Clients who then provide their personal information on the fake website become victims of this threat. |
| CON03 | Email Server | Primary asset | SQL Injection | The email server carries the daily email communication between the agents and the clients at CONVXYZ (Tsiknas et al. 2021). These emails contain confidential information and might be targeted by SQL injection aimed at stealing confidential data without authorization. |
| CON04 | Staff Database | Primary asset | Ransomware | Hackers might launch ransomware against the databases, activating a block that prevents the employees at CONVXYZ from accessing them. The block is only deactivated once the business pays the ransom demanded by the hackers. |
| CON05 | Customer & Property Database | Primary asset | Denial-of-Service | This database contains all kinds of sensitive data belonging to the organization (Narwal, Mohapatra and Usmani 2019). DoS attacks tend to gain unauthorized access to the database, activate a block and steal the available information belonging to the business. |
| CON06 | Authentication Server | Secondary asset | Eavesdropping | The authentication server authenticates users according to a pre-defined set of authentication policies. Eavesdropping might cause damage to the configuration and eventually affect the authentication process at the business. |
| CON07 | Router | Primary asset | Unauthorized access | Unauthorized access to the router in the existing security architecture at CONVXYZ might alter its configuration and eventually impact normal business operation (Steingartner and Galinec 2021). |
The following table identifies the vulnerabilities associated with the identified assets and aligns them to CVE numbers.

| Asset number | Name of asset | Type of asset | CVE Number | Vulnerability |
|---|---|---|---|---|
| CON01 | Estate Agent PCs | Secondary asset | CVE-2018-7335 | Existing flaws in computer security, which might significantly affect the data stored on the PCs allocated to the real estate agents at CONVXYZ (Sarker et al. 2020). |
| CON02 | Web Server | Primary asset | CVE-2020-28970 | Inefficient data transmission speeds might slow access to the CONVXYZ website for the clients and the real estate agents. |
| CON03 | Email Server | Primary asset | CVE-2012-29454 | Inability to detect phishing or spam emails might victimise the clients of CONVXYZ. |
| CON04 | Staff Database | Primary asset | CVE-2020-13493 | The absence of database security measures will allow unauthorized access to the stored confidential business data (Corallo, Lazoi and Lezzi 2020). |
| CON05 | Customer & Property Database | Primary asset | CVE-2020-5679 | Inappropriate use of passwords to protect this database might allow unauthorized and open access to all kinds of sensitive information about the clients of CONVXYZ and have a major impact on the daily business proceedings at the firm. |
| CON06 | Authentication Server | Secondary asset | CVE-2019-13543 | The absence of security configurations might allow unauthorized users to gain access to the business systems when authorization is granted by this server due to malfunctions. |
| CON07 | Router | Primary asset | CVE-2008-23740 | Issues in the telnet configuration might slow down access to the network and eventually affect the normal operation of the network architecture at CONVXYZ. |
This section of the document sets out the likelihood of the identified threats, their impacts and the overall risk rating for each threat identified in the previous sub-section (Li et al. 2019).

| Asset number | Name of asset | Threat | Likelihood (1-5) | Impact (1-5) | Risk Rating (1-25) |
|---|---|---|---|---|---|
| CON01 | Estate Agent PCs | Malware | 3 | 4 | 12 |
| CON02 | Web Server | Phishing | 2 | 4 | 8 |
| CON03 | Email Server | SQL Injection | 3 | 3 | 9 |
| CON04 | Staff Database | Ransomware | 4 | 5 | 20 |
| CON05 | Customer & Property Database | Denial-of-Service | 3 | 5 | 15 |
| CON06 | Authentication Server | Eavesdropping | 3 | 2 | 6 |
| CON07 | Router | Unauthorized access | 4 | 4 | 16 |
Consequences (grid columns): Insignificant (Easy mitigation), Minor (Delays up to 10%), Moderate (Delays up to 30%), Major (Delays of 50%), Catastrophic (Business halt)

| Likelihood | Threats |
|---|---|
| Certain | Denial-of-Service, Ransomware |
| Likely | Phishing, Eavesdropping, Unauthorized access |
| Moderate | SQL Injection |
| Unlikely | Malware |
| Rare | |
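The rating table and grid above, as an added example that is not part of the original report: it recomputes each risk rating as likelihood times impact, ranks the threats, and places them in a 5x5 grid derived from the numeric scores. The mapping of scores 1 to 5 onto the grid's row and column labels is an assumption.

```python
# Added example. Scores are copied from the page's risk rating table.
# Assumption: scale value 1..5 maps onto the grid labels in this order.
LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# (asset number, threat, likelihood, impact, rating stated in the table)
REGISTER = [
    ("CON01", "Malware", 3, 4, 12),
    ("CON02", "Phishing", 2, 4, 8),
    ("CON03", "SQL Injection", 3, 3, 9),
    ("CON04", "Ransomware", 4, 5, 20),
    ("CON05", "Denial-of-Service", 3, 5, 15),
    ("CON06", "Eavesdropping", 3, 2, 6),
    ("CON07", "Unauthorized access", 4, 4, 16),
]

def check_register(register):
    """Return problems: a score outside 1-5, or rating != likelihood x impact."""
    problems = []
    for asset, threat, lik, imp, stated in register:
        if not (1 <= lik <= 5 and 1 <= imp <= 5):
            problems.append(f"{asset} {threat}: score outside 1-5")
        elif lik * imp != stated:
            problems.append(f"{asset} {threat}: stated {stated}, computed {lik * imp}")
    return problems

def place(register):
    """Map (likelihood label, consequence label) to threats; run check_register first."""
    grid = {}
    for asset, threat, lik, imp, _ in register:
        cell = (LIKELIHOOD[lik - 1], CONSEQUENCE[imp - 1])
        grid.setdefault(cell, []).append(f"{asset} {threat}")
    return grid

def ranked(register):
    """Highest rating first; ties broken by higher impact, then asset number."""
    return sorted(register, key=lambda r: (-r[2] * r[3], -r[3], r[0]))

def render(grid):
    """Text grid, most likely row first, consequence columns left to right."""
    rows = []
    for lik in reversed(LIKELIHOOD):
        cells = [", ".join(grid.get((lik, con), [])) or "-" for con in CONSEQUENCE]
        rows.append(f"{lik:<9}| " + " | ".join(cells))
    return "\n".join(rows)

if __name__ == "__main__":
    print(check_register(REGISTER) or "register is consistent")
    for asset, threat, lik, imp, _ in ranked(REGISTER):
        print(f"{lik * imp:>2}  {asset}  {threat}")
    print(render(place(REGISTER)))
```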
Conclusion:
CONVXYZ is a real estate firm based in the UK that provides business clients with real estate assistance and with conveyancing services through the lawyers it has recruited. The above discussion performs a risk assessment of the existing security architecture by identifying the existing business assets, the associated vulnerabilities and the threats posed to those assets. The risk assessment has been carried out and placed in a Boston Grid to give a better understanding of the threats that are likely to occur at the business.
With respect to the risks identified at CONVXYZ, the following recommendations have been made to strengthen the existing security architecture at the business.
- Installing security software solutions on the PCs allocated to the real estate agents at the organization.
- Upgrading firewall policies to tighten the checks on incoming data from external sources.
- Scheduling training programs for the clients and the employees to increase their knowledge of cybersecurity and help them identify cyber-threats more effectively.
References:
Bao, W., Lianju, N. and Yue, K., 2019. Integration of unsupervised and supervised machine learning algorithms for credit risk assessment. Expert Systems with Applications, 128, pp.301-315.
Corallo, A., Lazoi, M. and Lezzi, M., 2020. Cybersecurity in the context of industry 4.0: A structured classification of critical assets and business impacts. Computers in industry, 114, p.103165.
Eckhouse, L., Lum, K., Conti-Cook, C. and Ciccolini, J., 2019. Layers of bias: A unified approach for understanding problems with risk assessment. Criminal Justice and Behavior, 46(2), pp.185-209.
ElMamy, S.B., Mrabet, H., Gharbi, H., Jemai, A. and Trentesaux, D., 2020. A survey on the usage of blockchain technology for cyber-threats in the context of industry 4.0. Sustainability, 12(21), p.9179.
Hegde, J. and Rokseth, B., 2020. Applications of machine learning methods for engineering risk assessment–A review. Safety science, 122, p.104492.
Li, L., He, W., Xu, L., Ash, I., Anwar, M. and Yuan, X., 2019. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, pp.13-24.
Lin, S.S., Shen, S.L., Zhou, A. and Xu, Y.S., 2021. Risk assessment and management of excavation system based on fuzzy set theory and machine learning methods. Automation in Construction, 122, p.103490.
Lyu, H.M., Sun, W.J., Shen, S.L. and Zhou, A.N., 2020. Risk assessment using a new consulting process in fuzzy AHP. Journal of Construction Engineering and Management, 146(3), p.04019112.
Narwal, B., Mohapatra, A.K. and Usmani, K.A., 2019. Towards a taxonomy of cyber threats against target applications. Journal of Statistics and Management Systems, 22(2), pp.301-325.
Popkova, E.G. and Gulzat, K., 2019, April. Contradiction of the digital economy: public well-being vs. cyber threats. In Institute of Scientific Communications Conference (pp. 112-124). Springer, Cham.
Sarker, I.H., Kayes, A.S.M., Badsha, S., Alqahtani, H., Watters, P. and Ng, A., 2020. Cybersecurity data science: an overview from machine learning perspective. Journal of Big data, 7(1), pp.1-29.
Shulman, H.B., D’Angelo, D.V., Harrison, L., Smith, R.A. and Warner, L., 2018. The pregnancy risk assessment monitoring system (PRAMS): overview of design and methodology. American Journal of Public Health, 108(10), pp.1305-1313.
Steingartner, W. and Galinec, D., 2021. Cyber threats and cyber deception in hybrid warfare. Acta Polytechnica Hungarica, 18(3), pp.25-45.
Stevenson, M., 2018. Assessing risk assessment in action. Minn. L. Rev., 103, p.303.
Tsiknas, K., Taketzis, D., Demertzis, K. and Skianis, C., 2021. Cyber threats to industrial IoT: a survey on attacks and countermeasures. IoT, 2(1), pp.163-188.
Zio, E., 2018. The future of risk assessment. Reliability Engineering & System Safety, 177, pp.176-190.