Mn604 It Security Management : Assessment Answers

1.For the organization MIT, what are the controls (technical, physical or administrative) that you will implement to make it secure and fulfills the CIA triad within the university and departments and when contacting the internet? (Provide a figure for your controls and explain why using them). Please note that you have to mention technical/physical and administrative controls. 

2.What kind of risks that you might accept (not to implement controls for them) and why? For the risks that you either decided to accept, or for the unexpected risk, how do you plan to handle them?                           

3.Give an example of a duty of the Incident response planning, Disaster recovery planning and Business continuity planning when having an unexpected event.                                                               

4.Refer back to any resource to explain the difference between Host Intrusion Detection System(HIDS) and Network Intrusion Detection System (NIDS)? 

5.Literature review on signature based detection and anomaly based detection?   

Case Study (1): Victim of Social Engineering

Throughout the process, the auditor found countless examples of lax information security throughout the organization. There was a lack of a coordinated security policy, and the policies in place were not being followed. While reviewing the notes, the auditor noticed that a contractor requested the TMS server address over the phone. Further follow up revealed that a system administrator gave out the server address to a contractor because the contractors were in the middle of upgrading servers. The administrator also mentioned that the contractor requested the password, but the administrator didn’t feel comfortable sharing the password on the phone and asked the contractor to stop by the office – but the contractor was a no show. From the description of the events, the auditor felt it was a social engineering attempt. Social engineering is when a hacker attempts to gain access to sensitive information by tricking a person into giving it to them. The immediate recommendation of the auditor was to focus on the contractor’s activity in the organization.

Over the next few weeks the story unfolded and all the pieces of the puzzle were put together. It was eventually proven that the contractor stole the information. The contractor was hired to oversee the upgrade of servers on the storage network. While doing this, she learned about the transaction management system. She knew PII could be sold on the black market and thought the lax security at TKU would enable her to get away with stealing data without any repercussions. Her only obstacle was access. Since she only had access to the storage network, she needed a way to get access to the transaction management server. That’s when she called the system administrator and got the IP address and tried to get his login credentials. Once she got the IP address, she was able to utilize the free tools available on the Internet to scan the system and get the username and password with administrative access. It took her only a matter of minutes to get this information.

The password was only three characters long and didn’t use any numbers or special characters. With her new administrative permissions, she was able to export the PII.

Write a Memo that discusses the serious of the situation and highlight key breaches, including ITSec recommendations.

Case Study (2): Data Breach

Early one morning, Don was ushered into a closed door meeting with the Chief Finance Officer, the CIO, and an external security auditor he hadn’t met before. In the meeting Don learned that large amount of data, including the PII, was exported from the system. The previous day Gary was going through the logs to see if the patch he applied worked correctly, and he noticed that someone in the administrator group had exported a large amount of data at an odd time. Gary reasoned that no one should be accessing the system at 2am, and he was concerned because a large amount of data was exported. After bringing up the issue to management, it was decided that the Finance division would investigate the issue. Therefore, the responsibility to figure out exactly what happened fell on Don. He was asked to work with an auditor to find out exactly what happened.

Don left the meeting feeling overwhelmed and disconcerted; he knew nothing about security practices and he wasn’t happy about working with the auditor. He had recently inherited the system and didn’t know much about it. He did know that he had to find the source of the leak before more student information was lost and he knew his job might be on the line.

Physical and Administration Controls

 MIT University resources like labs and printers are shared by all the visitors, they turn out to be target for security threats. In order to safeguard the confidentiality, integrity, and availability (CIA) triad, the university can implement physical and administration controls.

Physical Controls:

Even though the university has implemented an efficient authentication scheme, developed an effective access control, and installed firewalls, the security is not complete without the deployment of physical controls. The physical control is the security of the authentic networking and hardware constituents that accumulate and convey data resources [2]. To execute physical safety, the university must recognise all the unsafe resources and take steps accordingly. The steps are enlisted below:

• Physical Obtrusion Perception: Sensitive information resources should be monitored and unauthorized access is detected.
• Protected Equipment: The devices must be interlocked to avoid them from being sneaked.
• Monitoring Environments: The university servers should be monitored.
• Provision of training to Students and Visitors

If the stolen resources embedded with biometric readers and security software are connected with the Internet, they can provide physical safety measures.

Fig 1: Physical Controls

Administration Controls:

Apart from the physical controls, the university should apply security procedures based on the steering ethics through administration control [3]. A proper security procedure provides guidelines for the visitors who are accessing resources and offers the remedy in case if the visitor has violated the security policy.

A good example of security strategy is web use policy implemented in Harvard University’s “Computer Rules and Responsibilities” policy. Moreover, the security policy should be able to meet any government regulations. The university should be familiar with Family Educational Rights and Privacy Act (FERPA) that limits the acquirement of student information.

The security policies are implemented mainly by fulfilling the CIA since there are many ways to shatter the security of Internet of Things (IoT) devices [1]. The more utilization of these devices will result in high risk of confidential information within the university.

Fig 2: Figure Depicting Administration Controls

Accepted Risk Assessment

Some categories of risks that are logical, instinctive, and easily applicable can be accepted [10]. The accidental and non-malicious risks are given in the figure below:

Fig 3: Categorization of Accepted Risks

Example for Duty of Incidence Response, Disaster Recovery, and Business Continuity Planning

The primary aim of Major incident team is to safeguard the confidential information of the students/staff/visitors, and to make sure that the recovery is possible earlier from other impacts of incidents [4].

The DR and business continuity alludes to the university capability to recuperate from the unexpected events and recommence the operations.

The successful DR plan clearly provides their actual organizational objectives like site allocation, data backup and key personnel backup in the assessment plan [9].

Example:

The incidence response will be administered by the Incident response team of the department.

• The Heads of impacted Department of their possession of the situation are instructed to initiate the Business Continuity Plan (BCP).
• The team ensures that the heads of the department monitor and report possible incidents to the major incident team.
• The duty of BCP is to craft systems for avoidance and recovery to handle potential security attacks encountered in the university. The negative events affecting the operations like damage to hardware or virtual network resources are also proffered in the plan.

Difference between Host Intrusion Detection System (HIDS) and Network Intrusion Detection System (NIDS)

HIDS	NIDS
It is inexpensive	The implementation is more expensive
The Trojan or backdoor attacks cannot be tracked	It can track and terminate such obtrusion attacks
It contains software agents that are installed on individual systems [1]	They are standalone hardware containing network obtrusion monitoring ability
It needs comparative less management and instructing	It needs more training and administration
The network traffic can be analyzed to and from the designated system on which the obtrusion monitoring software is installed	The data packets are analyzed both inbound and outbound and proffers monitoring at real-time [2]

Literature Review on Anomaly Based and Signature Based Detection Systems

This presents a review on the anomaly based and signature based detection systems approaches and advantages.

Signature Based Detection

It includes discerning the network traffic for a sequence of malevolent packets or byte sequences. The benefit of this method is that the signatures can be easily developed and interpreted if we are aware of the network behaviour [5].

Anomaly Based Detection

It depends on the definition of network performance. If the network characteristics conform to the specified behaviour, it is accepted otherwise an event will be activated in the anomaly detection.

Case Study 1

Memorandum on key Breaches

MEMO FOR HEADS OF EXECUTIVE DEPARTMENTS

FROM: XXX

Security Manager

SUBJECT: Preparing and Reacting to a Personally Identifiable Information (PII)

Introduction

This memo is intended to assist stability in the manner organization arrange for and make a response to an encountered breach by demanding general processes and standards. While assisting stability, this memo also offers organizations with the ability to customize their feedback to the breach depending on the situations of each breach and investigate on risks that are created to affect the individuals.

The main audience for this memo is Senior Agency Official for Privacy (SAOP) and other security officials who help to mitigate the risks.

Evolving Security Breach

The contractor after accessing the servers by using the IP acquired from administrator, can either sells the stolen PII on the black market or utilizes the PII for other malevolent activities. They can use the stolen credit card numbers to apply credit in other individual’s name or to open a new bank account. From the years 2013-2015, 27% of increases in the security threats are reported [6]. This incident has the ability to straddle the confidentiality of the information and poses threats to individuals and the important assets of the organization.

Scope

PII

The notion PII relates to the data that can be employed to differentiate or stole an identity of individuals, when alone or when merged with some other data that is connected to the designated person. In order to recognize whether the data is PII, the organization can perform evaluation of the risk.

Training Campaigns

Each organization should draft training for all the staff on how to recognize the identity and make a response to breach involving the internal business processes without disclosing any confidential information to the attackers. In addition to that, they must send reminders by means of email  and organize realization campaigns.

Reporting reckoned or established breach

Each organization require all the staff having access to storage network to announce the reckoned or established breach to the organization immediately, un-deviated with the organization’s incident administration security procedures.

The individuals procuring access to high valuable information systems should not interlude for the confirmation on the occurrence of breach, since even such a time delay can affect the capability of the enterprises to take remedial measures for securing PII.

Breach Feedback Strategy

The breach feedback strategy constitutes the following elements:

• Breach response team
• Requirements for reporting
• Risk assessment
• Risk Mitigation
• Breach Awareness

Case Study 2

Investigation Report on Data Breach

This investigation report is intended to present the incident patterns, attackers who cause them, activities of the attacker, assets targeted by hackers, time in which these malicious activities are occurred, and provide recommendations to foil them.

Analysis and Results:

The data breaches in educational or professional information systems are due to Insider misuse, miscellaneous errors, and cyber-espionage.

Cyber-Espionage

This includes a phishing crusades utilized to offer complicated malware.

What can we do?

Patching on time and regular update of anti-virus software will work. The system and activity on network applications are logged on for providing base on incident feedback and announce remedies.

Insider and Privileged Access Misuse

The potential attackers can be from every stage of the organization from front line employees to senior executives. Around 40% of the breaches are triggered for attaining monetary gains [7]. And the employees utilizing unauthorized defeat strategy also can produce damage to the sensitive information.

What can we do?

The major solution is to be aware of the data possessed by employees, data sources, and their access privileges. Then the places where extra auditing and fraud detection is mostly required is identified. The devices of the employees who left the company are also examined to determine the weaknesses in organization’s defence techniques.

Miscellaneous Errors

Previously the employees are the main actors in many incidents. There are three major divisions in fraudulent incidents:

1. Conveying the confidential information like student details to arbitrary recipients.
2. Disseminating the private and sensitive information to public servers
3. Illegitimate Disposition of personal and medical information

What can we do?

In order to protect the information, data loss prevention software tool must be implemented. This will not permit the individuals to transmit confidential information. Moreover, the employees are to be retrained about information security and disposition method for confidential data.

Recommendations:

Be Alert: The log files can provide earlier warning on breaches.

Only maintain information on “Require knowing”: Only restricted access should be provided to the staff for doing their corresponding jobs.

Patch Correctly: If the IT environment is configured well, you can safeguard against many threats.

Encode Sensitive Information: The encryption will not fully avoid the stolen of data but it make it harder for the criminals.

Employ Dual-Factor Authorization: It can restrict the destruction of poached credentials.

References:

[1] U. Lindqvist and E. Jonsson, “How to systematically classify computer security intrusions,” IEEE Symposium on Security and Privacy, vol. 15, no. 2, pp. 154-163, Mar. 1997.

[2] J.Tang , D. Wang, L. Ming and X. Li, “A Scalable Architecture for Classifying Network Security Threats,” Science and Technology on Information System Security Laboratory, vol. 35, p. 475, Apr. 2012.

[3] S. Geric and Z. Hutinski. “Information system security threats classifications,” Journal of Information and Organizational Sciences, vol. 3, pp. 31-51, Jan. 2007.

[4] F. Swiderski and W. Snyder, “Threat Modeling”, Microsoft Press, 2004.

[5] M. Alhabeeb, A. Almuhaideb, P. Le, and B. Srinivasan, “Information Security Threats Classification Pyramid, “ 24th IEEE International Conference on Advanced Information Networking and Applications Workshops, pp. 208-213, Jun. 2010.

[6] F. Farahmand, S. Navathe, G. Sharp, and P. Enslow, “A Management Perspective on Risk of Security Threats to Information Systems,” Information Technology and Management archive, vol. 6, pp. 202-225, Feb 2005.

[7]K. Loch, H. Carr, and M, Warkentin. “Threats to Information Systems: Today's Reality, Yesterday's Understanding,” Management Information Systems, vol. 16, no. 2, pp. 110-120, Mar. 1992.

[8] A. McCue (2008, May 11). Beware the insider security threat, CIO Jury[online]. Available: https://www.silicon.com/management/cio-insights/2008/04/17/beware-theinsider-security-threat-39188671/.

[9] M. Rasmi, and A. Jantan, “Attack Intention Analysis Model for Network Forensics,” Software Engineering and Computer Systems, pp. 403-411, Jun. 2011.

[10] L. Rabai, M. Jouini, A. Aissa, and A. Mili, “An economic model of security threats for cloud computing systems,” International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), vol. 15, no. 3, pp. 100-105, Jul. 2012.