Information Security Risk Analysis and Management free essay sample

Information security refers to the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. An ideal organization usually comprises of the following layers of security put in place to safeguard its operations:- physical, operations, communications, networks, personnel, and information security. A risk can be defined as the probability that something unwanted will happen. Risk analysis and management therefore refers to the process of identifying risks to an organization’s information assets and infrastructure, and taking steps to reduce these risks to an acceptable level. Threats are dangerous actions that can cause harm. The degree of threat depends on the attackers Skills, Knowledge, Resources, Authority, and Motives. Vulnerabilities are weaknesses in victims that allow a threat to become effective. Risk management comprises of three major steps as shown in the figure below. Risk identification, risk assessment/analysis and risk control. Risk identification involves the examination and identification of the security status of the organization’s technology and the risk it faces. Risk assessment is the process of determining the extent to which the organization’s information assets are exposed or are at risk. Risk control involves putting controls in place to reduce the risk to an organisation’s data and information systems. The process of risk identification is broken down into stages. First the information security team identifies organization assets which include people, procedures, data, software, and hardware. Next the assets are classified and prioritized. Finally, threats are identified and prioritized. This final stage of threat identification is important because it helps the information security team to know and understand the possible risks out there in order to devise appropriate controls of mitigating against them. These potential threats include though not limited to the following. 1. Compromise of intellectual property: This occurs when attackers gain access to sensitive material that the organization considers integral to their day-to-day functions. 2. Information extortion: This occurs when an attacker is able to access packets of data before they reach their final destination. This threat is made possible by absence of secure systems of data transmission where encryption is implemented on all data coming in and going out of the organization. 3. Deviations in quality of service from service providers: Any form of attack in an organization in any of its key areas of operation can cripple its very existence. 4. Forces of nature: fire, floods, earthquakes are some of the calamities that an organization can face. Human error: This threat comes as a result of mistakes by employees or any other person that has direct access to the organization. This could also be caused by an accident or failure of an employee to follow procedure. 6. Technology obsolescence: The lack of up-to-date systems in an organization acts as a vulnerability that attackers can use to create attacks. Software vendors are aware of the threat and ensure they release frequent updates to the software to counter any new attacks present. This is a physical threat that comes about primarily from not ensuring proper physical security in an organization. . Technical hardware failures or errors: an organization is exposed when equipment is not maintained in proper working condition. 9. Technical software failures of errors: Both custom built and off shelf software are prone to attacks if measures are not put into place to defend them. Bugs, errors in codes are some of the vulnerabilities that lead to attacks whereby malicious code can be inserted into this code to carry out a specific act 10. Software attacks: these include viruses, worms, macros or denial of service. These attacks can be either internal (where a case of either a former employee makes an attack) or external where an attack is sent in from outside. By identifying the threats that pose potential danger to the organization, the organization saves time later when formulating controls be ensuring only potential threats are considered. After identifying the potential threats, they are ranked accordingly in order to quantify the level of effort required to defend against the said threat, that is, 1-5, with 5 representing a most dangerous threat. After identifying the potential threats to the organisation’s security, a risk assessment process is undertaken wherein an evaluation is carried out on each of the vulnerabilities. Each of the threats mentioned above is boosted by certain vulnerabilities within the organization. Therefore on completion of the risks identification stage it is easier for the security team to look at the assets in the organization and find out what vulnerabilities exist within the system that would bring about the threats. For example, technological obsolescence is identified as threat; the organization would need to understand that the assets need to be periodically reviewed to ensure it is up to date. The process of risk assessment comprises of a number of stages starting from assessing likelihood of the attack up to the point where possible controls are devised to mitigate against the attacks. In order to fully equip itself with necessary skills to fight attacks and threats, the security team needs to also understand the types of attacks it would be up against in the ideal organization setting. Some of these attacks include; †¢Malicious code – this refers to software designed to damage, destroy or deny service to the target system †¢Back door – is an electronic hole in software that is left open by accident or on purpose to give an attacker access to a system. †¢Brute force attack – This refers to the process of applying computing and network resources to try to crack a password using all possible combinations of the said password. †¢Denial of service attack refers to an attack where in an attacker sends a large number of connections to overwhelm a target with the aim of crippling it. Spoofing is a technique used to gain unauthorized access to a computer where an intruder sends messages to a computer indicating that the message is coming from a trust source. †¢Sniffing refers to design of a program or a device that can monitor data travelling over a network. †¢Social engineering – this is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. This can be done through media sites including Facebook and twitter. Man-in-the-middle attack is a method of attacking a system that relies on knowledge of some or all of the plain text that was used to generate a cipher text. †¢Dictionary attack – this is a form of brute force attack on passwords that uses a list of commonly used passwords instead of random combinations. †¢Virus attacks – a virus is one of two forms of malicious code or malware. It requires a host software environment in which to execute withou t which it cannot function. Risk control involves identifying measures that can be put into place to prepare the organization not just to respond to any imminent attack but also to prepare for its recovery to be able to function again optimally. There are three main mitigation plans that an organization needs to put in place when planning risk control mechanisms; a)Incident response plan- This plan comprises of actions that the organization expects all employees to adhere to during the time the attack is being experienced. An ideal incident response plan should include clear guidelines on steps to take during the incident, information gathering strategy during the incident and it is only valid for the period wherein the attack is experienced. b)Disaster recovery plan – This is a plan prepared to be executed in the event that the organization is hit by a threat however unlikely it is. As an entity, the organization is expected to perform at least at optimum level, so immediately after that an attack occurs, the priority should immediately be damage control to recover what can be recovered immediately as quickly as possible. The disaster recovery plan includes procedures for recovery of lost data (especially sensitive data required for the organization to operate), procedures for the reestablishment of lost services to enable the organization get back to operation as fast as possible, and shutdown procedures that may be deemed protective of data and systems (e. g. shutdown of power immediately after a tsunami to avoid further catastrophe). c)Business continuity plan – in the event that the disaster recovery plan is not sufficient to bring back the organization to optimal operation, there must be another plan that will take effect at that point. The business continuity plan is activated when the infrastructure is totally unable to perform hence relocation of operations to an alternative location. Information technology over time has evolved drastically to a point where companies no longer look to technological advancement as a means to be ahead of the competition but endeavor to improve their assets so that they do not get greatly affected by looming threats to a point where they cannot provide their clients with services they have got used to. It would be extremely costly even for a very big organization to put together resources (funds and personnel) to prepare strategies for every conceivable threat. 5 major strategies have been identified to guide organizations in addressing threats with depending on the level of the danger presented by the particular threat; 1. Defend this strategy assumes and expects the worst when preparing for threats. It looks at attempting to remove vulnerabilities from assets and adding protective safeguards; it should be noted, however, that it is nearly impossible to completely remove a threat. An example of this strategy is where an organisation purchases antivirus software and puts in place policies to ensure it is up to date to prevent virus attacks. By putting this measure into place, it is deflecting the threat hence minimizing the risk of a possible attack. 2. Transfer – In this strategy, the organisation shifts risk to other organisations and focuses on what it does best. This helps keep the organisation concentrated on their operations and not have to worry about information and asset security. An example if banks in Uganda which instead of taking up the cumbersome responsibility of ensuring ATM machines are always functioning properly, have outsourced this activity to formidable IT companies whose primary role is to ensure the machines are functional at all times at whatever cost. 3. Mitigate – Mitigation involves creation of the 3 plans mentioned earlier – incident response plan, disaster recovery plan and business continuity plan. This strategy was successfully implemented in Mitsubishi Heavy Industries in September 2011 where 48 servers and 38 computers in 11 locations, including headquarters, where affected by a virus attack. To counter this attack in future, Mitsubishi set up inbound measures by putting in place secure antivirus systems to stop internal attacks and ensure a threat free internal environment, and also instituted at outbound measure by putting strong checks on all external communication. This meant that even if one computer was attacked it would not spread the effect to other computers within the company. Another example of execution of this strategy was when Japan was hit by an earthquake in March 2011; the effects of the catastrophe were so big that 38% of businesses were hugely affected. A total of 3 nuclear reactors had meltdowns causing many electrical generators to be taken down. In this occurrence, an organisation had to immediately activate the business continuity plan in order to remain in operation. 4. Accept: The accept control strategy is where an organisation/company decides to do nothing about a threat either because risk assessment showed that the threat is not so much of a risk, or the costs of putting structures to protect the asset are much higher than costs of recovery in case of an attack. An example of this strategy can be seen in the mobile platform where smartphones have been developed almost to the level of a mini computer. For instance android applications, unlike apple and blackberry, can be distributed by anyone anywhere online without having to use Google play whereas distribution of blackberry and apple apps must be done through blackberry appworld and itunes respectively. The most a consumer can do is ensure their phone is updated with security software but one may not be able to totally mitigate against malicious applications. Terminate: This strategy involves an organisation terminating activities for which development of preventive measures would be too costly or that have uncontrollable risks. 90000 domains were affected by at attack on an open-source software for ecommerce called OsCommerce. An organisation could terminate this activity on their website completely due to the negative exposure it gets especially if customers were directly affected by the attack.  Determining the suitable strategy to pursue involves a number of factors including nature of vulnerability, costs of prevention, costs of recovery, and magnitude of risk. Every vulnerability can have a specific strategy.