Risk Identification in Information Security Thesis
- Length: 15 pages
- Sources: 15
- Subject: Business
- Type: Thesis
- Paper: #53239879
Excerpt from Thesis:
Phishing Spear Phishing and Pharming
The following is intended to provide a very brief overview of examples of some of the most dangerous and pervasive security risks in the online and networked world. One of the most insidious forms of identity theft is known as phishing. The term 'phishing' refers to the practice of "fishing for information." This term was originally used to describe "phishing" for credit card numbers and other sensitive information that can be used by the criminal. Phishing attacks use "…spoofed emails and fraudulent websites to deceive recipients into divulging personal financial data, such as credit card numbers, account usernames and passwords, social security numbers etc." (All about Phishing). Thompson (2006) clearly outlines the basics of a phishing attack.
A typical phishing sends out millions of fraudulent e-mail messages that appear to come from popular Web sites that most users trust, such as eBay, Citibank, AOL, Microsoft and the FDIC. According to the Federal Trade Commission, about 5% of recipients fall for the scheme and give information away. Phishers wish to irrationally alarm recipients into providing sensitive information without thinking clearly about the repercussions. Victims might be told someone has stolen their PIN and they must click on the provided link to change the number. (Thompson, 2006. p. 43)
Bielski (2005) illustrates the reality of identity theft and the techniques of phishing. He refers to this pervasive threat to major American commercial institutions: "…The Bank of America's …loss of government worker data and … Choicepoint's 'data leaks'" (Bielski, 2005, p. 7). This study also discusses the risk of phishing to smaller, intermediate companies (Bielski, 2005, p. 7).
There are numerous studies that point to the increasing cost of phishing, not only to the individual but also to the commercial institutions that are negatively affected.
Phishing costs victims and financial institutions money and time. Victims must correct credit records and repair other phishing-related damage, while financial institutions must absorb customer losses, as well as costs from issuing new credit cards, answering calls and shutting down fraudulent websites. (Wetzel, 2005, p. 46)
Spear phishing is a relatively new and extremely effective form of phishing. A useful definition of this type of ID fraud is as follows: "Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source" (Spear Phishing). Furthermore, spear phishing attempts are most likely to be conducted by "…sophisticated groups out for financial gain, trade secrets or military information" (Spear Phishing).
In essence, the difference between spear phishing and ordinary phishing is that the former is more directed: it does not contact hundreds or thousands of potential victims but focuses on a single company or enterprise. The central problem with this form of identity theft is that it appears to be genuine, in that the request to provide information comes from known and trusted sources within the company, enterprise or institution. The central factor in this form of phishing is that the phishing e-mails appear to be sent from organizations or individuals that the potential victim recognizes and from whom he or she would normally receive email. This makes it a very deceptive type of identity theft and one that is often very difficult to combat.
Another disconcerting aspect of spear phishing is that it can also be used to trick the victim into downloading malicious code or malware. This can take place easily if the recipient clicks on the link to the false web site and is unknowingly led to a site that automatically downloads the malware or spyware. This software can hijack or take over the user's computer and gain access to personal files and information, often with devastating consequences for the individual.
Pharming is another common form of identity theft, which refers to the redirection of legitimate Web site addresses to false online destinations. Pundits claim that pharming can foil even experienced computer users and could become one of the most insidious privacy and security threats yet. Experts claim that pharming attacks are on the increase.
Pharming works in the following manner: when a user correctly enters a web address to access online information about his bank and credit cards, chances are the web site that appears may be a sham and operated by scammers. The user assumes that the site on which he or she is entering the data is authentic, as it is a perfect replica of the legitimate site. The user then enters his or her credit card details or other sensitive information, with obvious consequences.
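The indicators described in the phishing and pharming passages above (a spoofed sender, alarmist wording, a link whose visible text differs from its real target, a trusted hostname resolving somewhere unexpected) can be turned into simple defensive checks. The following is an added example, not code from the thesis or from any of its cited sources; the sample message, the hostnames, the address table and the keyword list are all constructed for illustration, and the checks are teaching heuristics rather than a complete mail-filtering product.

```python
"""Defensive heuristics for the phishing and pharming indicators above.

Added example, not from the thesis or its sources. The sample message, the
hostnames and the address table are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: impersonates a bank, presses for urgency, and hides a
# raw-IP link behind link text that shows the bank's real address.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
Reply-To: verify@mailbox-collector.test
To: customer@example.test
Subject: URGENT: your PIN has been stolen - act within 24 hours
Content-Type: text/html

<html><body>
<p>Someone has stolen your PIN. Click <a href="http://203.0.113.45/secure/login">
https://www.example-bank.test/login</a> immediately to change it.</p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "stolen")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, adding a scheme when the text has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_email):
    """Return the names of indicators found in the message (empty list = none)."""
    msg = message_from_string(raw_email)
    found = []
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        found.append("reply_to_domain_mismatch")  # replies go somewhere else
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        found.append("urgency_language")  # alarm the reader into acting unthinkingly
    body = msg.get_payload(decode=True).decode(errors="replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = _host(href)
        if URL_LIKE.fullmatch(text) and _host(text) != target:
            found.append("link_text_host_mismatch")  # shown address != real target
        if IPV4.fullmatch(target):
            found.append("raw_ip_link")  # an institution links by name, not by IP
    return list(dict.fromkeys(found))  # de-duplicate, keep order


# Constructed pharming check: the organisation records the addresses its own
# site legitimately resolves to and compares them with what a resolver returned.
KNOWN_GOOD = {"www.example-bank.test": {"198.51.100.10", "198.51.100.11"}}


def pharming_suspected(hostname, resolved_addresses, known_good=KNOWN_GOOD):
    """True when a recorded hostname resolves to an address outside its set."""
    expected = known_good.get(hostname.lower())
    if expected is None:
        return False  # nothing recorded for this name, so nothing to compare
    return not set(resolved_addresses) <= expected
```

Running `phishing_indicators(SAMPLE_EMAIL)` reports all four indicators for the constructed lure, while a plain internal message with a normal named link reports none; `pharming_suspected` only fires for hostnames the organisation has actually recorded, since an empty comparison would otherwise flag every unfamiliar name.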
The process of risk identification
Risk identification is a step in a process which includes asset identification and vulnerability assessments. In the light of the types of threats to information security discussed above, it is obvious that the process of security management would not be possible or effective without the clear identification of the risks posed and the way that these risks affect the particular assets of the company or institution. As one commentary notes:
Asset identification is the first step towards a secure organization. Too many companies are too eager to implement the most expensive technology with strong encryption and state-of-the-art authentication systems, without first thoroughly identifying all their assets. (Security+ TechNotes - Risk Identification)
In other words, the link between risk identification and asset identification is that the company should be very clear about the assets that are at risk in order to implement the most effective counter-measures and security strategies to combat these risks. Risk identification is therefore to a large extent dependent on the evaluation of assets. For example, "…a company implements a firewall for their 2 Mbps shared Internet connection, but disregards the backup dial-up connection some distinguished employees have in their office. Also laptops including removable media from remote users, such as frequently traveling sales personnel, are too often 'forgotten' when a formal asset identification is not performed prior to developing the company's security program." (Security+ TechNotes - Risk Identification)
Once the assets are identified, a vulnerability assessment usually follows to determine the most vulnerable areas of security concern. This in turn leads to a threat assessment and to risk identification. Following the logic of this process, risk identification refers to "…the likeliness of a threat actually leading to an incident" (Security+ TechNotes - Risk Identification).
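The chain just described (asset identification, then vulnerability assessment, then threat assessment, then risk identification as the likelihood of a threat leading to an incident) can be made concrete in a small risk register. The following is an added example and not part of the thesis or the Security+ TechNotes it cites; the asset register, the 1-to-5 scales, the vulnerability and threat names and the scores are all constructed for illustration, and the "forgotten" dial-up line and sales laptops mirror the commentary quoted above.

```python
"""Worked example of asset -> vulnerability -> threat -> risk identification.

Added example; the register, the 1-5 scales and all scores are constructed.
Risk is modelled here as likelihood x asset value, an assumption of this
example rather than a formula from the cited sources.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                      # business value, 1 (low) to 5 (critical)
    vulnerabilities: list = field(default_factory=list)


@dataclass
class Threat:
    name: str
    exploits: str                   # the vulnerability this threat relies on
    likelihood: int                 # 1 (rare) to 5 (expected)


def risk_register(assets, threats):
    """Pair each threat with every asset carrying the vulnerability it exploits.

    Each row is one identified risk; rows are sorted highest score first so
    that response planning starts with the largest exposures.
    """
    rows = []
    for asset in assets:
        for threat in threats:
            if threat.exploits in asset.vulnerabilities:
                rows.append({
                    "asset": asset.name,
                    "threat": threat.name,
                    "vulnerability": threat.exploits,
                    "likelihood": threat.likelihood,
                    "impact": asset.value,
                    "risk": threat.likelihood * asset.value,
                })
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"]))


def unidentified_assets(registered, discovered):
    """Assets seen during discovery (scans, interviews) but missing from the
    formal register. Nothing has been scored for these, so their risks are
    invisible to the rest of the process."""
    known = {asset.name for asset in registered}
    return sorted(set(discovered) - known)


# Constructed register: the firewalled Internet link and the customer database
# were formally identified; the dial-up line and the travelling laptops were not.
REGISTERED = [
    Asset("internet_link_2mbps", 4, ["unfiltered_ingress"]),
    Asset("customer_database", 5, ["credential_theft", "unpatched_host"]),
]
DISCOVERED = ["internet_link_2mbps", "customer_database",
              "backup_dialup_line", "sales_laptops"]

# Constructed threat assessment: likelihood is the analyst's estimate.
THREATS = [
    Threat("phishing_campaign", "credential_theft", 4),
    Threat("worm_via_unpatched_service", "unpatched_host", 3),
    Threat("external_intrusion_over_link", "unfiltered_ingress", 2),
]

if __name__ == "__main__":
    for row in risk_register(REGISTERED, THREATS):
        print(f"{row['risk']:>3}  {row['asset']:<22} {row['threat']}")
    print("not in register:", unidentified_assets(REGISTERED, DISCOVERED))
```

The point of `unidentified_assets` is the one the quoted commentary makes: a risk score can only be computed for assets that were identified first, so the two assets missing from the register produce no rows at all, however exposed they are.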
Risk Identification and its importance
As Frame (2003) states, "Risk identification is the first step in the risk assessment process. Its purpose is to surface risk events as early as possible, thereby reducing or eliminating surprises" (p. 49). The importance of risk identification in the process of security management is mainly to develop a sense of the sources of the security problems and issues. Once the possible impact or effect of the risk on the assets of the company has been established, then "…the risk analysts, working with managers and employees in the enterprise, engage in risk response planning to develop strategies" (Frame, 2003, p. 49). In essence, the important aim and rationale of risk identification is "…to avoid surprises" (Frame, 2003, p. 49).
The importance of the risk identification phase in security management is reiterated in a number of studies. Prybylski (2008) states that "Effective risk management is dependent on identification. Many risk stakeholders say, 'It's not the risks that I know about that concern me; it's the ones that we have not identified'" (Prybylski, 2008, p. 56).
The importance of the identification process is also underlined by modern concerns that this process should be 'rethought' and improved in the light of the continuing and developing threat to information security.
Institutions must reinvent the process of risk identification. They must eliminate "groupthink" situations in which viewpoints that differ from the majority are dismissed without adequate analysis and be mindful of unfocused debates that can skew the view of risk and create additional, unintended risk exposures. (Prybylski, 2008, p. 56)
The Human Element and Other Problematic Areas
Among the criteria relating to the topic of risk, certain studies have stressed the human element as being important in risk identification and assessment. As Lineberry (2007) states: "Few companies properly address the human element of information security" (p. 44). A security consultant, Debra Murphy, also notes that the human element in the identification of risk is often of cardinal importance: "There are times when the human element is the leaky faucet" that spills sensitive information (Lineberry, 2007, p. 44).
This also relates to the importance of the e-training gap. E-training refers to the training within the organization that enables staff to identify and deal with possible risks and security threats. As one study on this aspect notes, there is generally a lack of this type of training and that this is a possible…