Security Assessment Report
Information Systems and Operations System Overview
An information system (IS) is defined as an organization system that helps organize and analyze data. This collection of information is composed of five main elements: software, data, networks, people, and process. (Bourgeois, 2014)
Within an information system, operating systems (OS) fall under software and play a crucial part in providing the foundation for a functional computer. An OS gives the user an interface, called the graphical user interface (GUI), so that users may interact with hardware and build additional applications that allow the system to conduct key tasks. People, also known as users, can navigate through this interface to use additional installed applications, called software, or to create new software programs. Popular operating systems, such as Microsoft’s Windows or Apple’s Mac IOS, dominate the mainstream market today.
The kernel of the OS is the connection between the hardware and the software of the computer. The kernel loads first, remains in memory until the operating system is shut down, and is responsible for low-level tasks such as disk, memory and task management. (“Techopedia”, n.d.) This application is distinctly different from other applications, which are much more specialized in nature. Application software that is installed by an organization or user can be used for productivity or utility purposes. Productivity software, such as Microsoft Word, allows users to conduct word processing. Utility software allows for computer modification, such as installing an antivirus program to protect against malicious actors.
An embedded operating system is built directly into the hardware of a system and has a compulsory task built in, such as the wash setting in a washing machine or the anti-lock brake system in a car. Embedded operating systems are designed to be efficient and reliable, but not versatile, as they are usually programmed with a single function or task in their code.
Many threats are present within information and operating systems. It is important to take these threats seriously within the information infrastructure, as the choice of software can be critical in business decision making. Choosing between open source (free source code) and proprietary (licensed) software can have huge implications for several factors, such as cost, functionality, reliability and security. Cloud computing, where hosted services are delivered over the internet via remote servers, is also an emerging distributed computing network architecture with its own set of advantages and disadvantages.
In choosing an operating system, we must review the different types of vulnerabilities and intrusions in each type of resource. We will take a closer look at three different providers: Windows, Linux, and Mac. Windows has over time become a popular program within businesses, which means that problems in it can have far more far-reaching consequences. Windows has a Firewall Bypass Vulnerability that allows its operating system to be bypassed. Its popularity leads more people to look for vulnerabilities in it than in other platforms, while Linux operating systems create the opposite problem. Not everyone is familiar with Linux operating systems, and support is limited to volunteer developers. Linux vulnerabilities are unique and create a challenge, as Linux is more commonly used on servers than on individual desktop PCs, resulting in a higher risk when a vulnerability exists. An example of a Linux vulnerability is the set of open problems within the Linux kernel, which include different programming mistakes developers make that can be exploited in several attack classes. One of them, called memory mismanagement, can result in extraneous memory consumption, memory leaks, and other memory corruption.
Many have believed that Mac operating systems are inherently secure, but this was in part due to how rarely the operating system was in use. With a much smaller user base, there were fewer individuals looking for vulnerabilities. Because of its “inherent security”, people have taken fewer precautions in securing their systems. Mobile devices, such as the Apple iPhone, have vulnerabilities that show the tension between law enforcement and the privacy of smartphone users. During an investigation, Apple was asked to exploit a vulnerability in its security to assist in penetrating a suspected criminal’s phone after a shooting in San Bernardino, California. When Apple refused to cooperate, the government was able to employ a different company to hack the phone, and never revealed the vulnerability to Apple. (Radek, 2016)
Different types of intrusions, such as SQL, PL/SQL, and XML injections, are attacks that use the access routes through which an application routinely expects data input to add malicious code to the application. Attackers trick the interpreter of a program into executing unintended commands. An entry field is the most common access route, and information can be transmitted into the application to “spoof” or fake an identity to access an account, or even to shut down access to a system.
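The following is an added example, not part of the original report, that shows the entry-field case described above using Python's sqlite3 module: the same login check written with string concatenation and with bound parameters. The table, account names and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory user table (constructed sample data).
    Passwords are stored in plaintext only to keep the sample short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2-long")])
    return db

def login_concatenated(db, name, password):
    """Vulnerable: entry-field text is pasted into the SQL statement,
    so the interpreter parses it as part of the command."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(db, name, password):
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run a legitimate and a crafted login through both versions."""
    db = make_db()
    # Crafted input: closes the string and comments out the password check.
    crafted = "alice' --"
    return {
        "legit_concat": login_concatenated(db, "alice", "correct-horse"),
        "legit_param": login_parameterized(db, "alice", "correct-horse"),
        "crafted_concat": login_concatenated(db, crafted, "anything"),
        "crafted_param": login_parameterized(db, crafted, "anything"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The concatenated version accepts the crafted name as the alice account without a valid password, while the parameterized version treats the whole string as a user name that does not exist.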
When evaluating vulnerabilities in a system, it is helpful to take a closer look at which types of organizations would be affected. Corporate and government systems are targeted by different groups with different motivations. Industrial spies and employees make up some of the biggest groups that attack industrial targets, in hopes of stealing trade secrets or smuggling information out of an organization to damage it. Terrorist organizations and enemy nation states use technology to organize real-world, cyber, or government infrastructure attacks to further their groups’ goals.
Preparing for the Vulnerability Scan
Many tools and methodologies are available for testing that focuses on identifying and analyzing potential vulnerabilities. Possibilities include tools such as the Microsoft Baseline Security Analyzer (MBSA), which scans systems on a network for missing security updates and other vulnerabilities. Nessus is another popular scanner that offers differing functionalities, such as identifying weak system passwords or vulnerabilities in sensitive data access.
The methodology that should be used in a vulnerability assessment consists of a four-step process that includes determining the scope, establishing a focus, creating an assessment, and acting with a response. (Vulnerability Assessment and Management, 2016) Using these steps proactively can ensure that a business is not affected by vulnerabilities and can help create an active plan for security precautions. The first step, defining the scope, is to determine which system needs to be assessed. For the focus step, the assessment should be scheduled at an appropriate time so that it does not interfere with other business operations. During the assessment step, the systems are tested for vulnerabilities to get a better understanding of where the company’s assets currently stand. Lastly, the fourth step is to empower management to decide the next action to take in securing the systems. A similar methodology is broken down into three steps by the National Institute of Standards and Technology (NIST): Planning, Execution, and Post Execution. (Scarfone et al., 2008) This type of assessment should be done in a repeatable and documentable format to ensure consistency and structure.
On a technical level, two methods can be employed: examination and testing. Examination takes a closer look at the target environment on a process level, by delving into policies, operating procedures, and other necessary security requirements. Testing, on the other hand, involves manual execution of tests on either specific systems or network-wide security systems to identify vulnerabilities. While the tools that can be implemented can reveal a lot of information, there are some limitations to these security assessments. How effective a security assessment is depends on the types of techniques being used. The availability of resources such as time, staff, hardware, and software can become a challenge. A mixture of both testing and examination techniques is recommended to provide a more thorough view of security.
Passwords are another critical component of determining security, as password cracking can be used to authenticate users. Passwords must be complex, as many target validation techniques can be used to crack a password, such as a dictionary attack, which uses all the words in a text file to guess the password. (Scarfone et al., 2008)
Patches are a significant part of maintaining security management. Processes should be clearly defined and managed in order to confirm the successful implementation of a patch. There are many methods that can be employed, and the one chosen should be tailored to fit your organization. First, initial priorities should be set to determine what should be managed, such as servers, PCs, mobile devices, or applications. Next, the initial discovery should show what needs to be protected. Then, a test and proof of concept should be developed to ensure the solution solves more problems than it creates. (Rothman, n.d.)
Bourgeois, D. T. (2014). Information Systems for Business and Beyond. Retrieved from https://content.umuc.edu/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://content.umuc.edu/file/bdc11414-d57e-4ab1-9d88-5d28c3543f2c/1/InformationSystemsforBusinessandBeyondChapter1Chapter3.pdf
Scarfone, Karen, Murugiah, Cody, Amanda, & Angela. (2008, September 30). Technical Guide to Information Security Testing and Assessment. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-115/final.
Rothman, M. (n.d.). Implementing and Managing Patch and Configuration Management: Preparation.
Vulnerability Assessment and Management. (2016, August 8). Retrieved from https://content.umuc.edu/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://content.umuc.edu/file/2161cc61-d42c-44f6-9919-80157504985f/1/VulnerabilityAssessmentandManagement.pdf.
What is Kernel? - Definition from Techopedia. (n.d.). Retrieved from https://www.techopedia.com/definition/3277/kernel.