… Security Program
Network risk assessment should include four phases: discovery, device profiling, scanning, and validation. During the first phase, discovery, specific controls must be implemented to ensure constant formal monitoring (by trained IT staff) and self-monitoring (by all employees) for when and how an attack is likely to take place.
Device profiling requires an analysis of how attacks might occur in terms of the specific computer systems and hardware the organization uses. For example, in some organizations, classified research and development might be of greatest interest to attackers; in others, sensitive information about employees might be the priority. In organizations that use wireless technology, the security needs may differ from those of an organization where most data is still stored on paper.
Scanning requires continual auditing of the organization for new threats. For example, it is not enough merely to have a password-protected system: security staff must monitor potentially unusual user activity, such as repeated failed log-in attempts against one account. IT staff must also keep abreast of new threats posed by viruses and malware circulating on the Internet.
Finally, validation requires continually testing the system to determine whether it is vulnerable to attack. As well as staging mock attacks to test the security controls, all employees should be quizzed to ensure that they know the appropriate behavior to guard against malware and to avoid the common lures delivered through email and websites.
Q2. Risk management
Risk management "is the process of identifying vulnerabilities and threats to information resources, and deciding what countermeasures to take to reduce risk to an acceptable level" (Week 3, Slide 4). Every system carries some inherent level of risk: a perfectly secure system would be an impenetrable one, and therefore useless for the pursuit of information. There must instead be a balance between the risk of opening the system further to the 'outside world' and the reward of the additional information gained.
It must be stressed that not all risks are deliberately malicious. "Risks may vary from an unintentional accounting error to a malicious SQL injection attack" (Week 3, Slide 10). Unintentional as well as intentional risks must be anticipated and planned for. "Risk management in a nutshell" is about accepting a constant level of risk and systematizing the "identification, analysis, control, and communication of risks" to maximize the effectiveness of the strategy the organization deploys (Week 3, Slide 12). Risk management is ongoing because its focus must be on prevention as well as on dealing with security breaches after they occur.
The goals of risk management are to "identify assets and their values, identify vulnerabilities and threats, quantify the probability and business impact of these potential threats," and finally to "provide an economic balance between the impact of the threat and the cost of the countermeasure" (Week 3, Slide 12). Economics, the science of scarcity, places limits on the degree to which risk management can be deployed: while risk management can be expensive, the cost of a security breach must also be considered.
Q3. Defense-in-Depth
A Defense-in-Depth approach entails seven central components. The foundation of a Defense-in-Depth strategy is the commitment to security made by the CEO and by employees at every level of the company hierarchy. This commitment must not be merely verbal; it should be backed by the creation of a formal information security team charged with keeping a constantly evolving, responsive, and vigilant watch over possible security compromises. There must be a formalized security-policy framework for the company, and the members of the company must understand the nature of existing risks and the ways to enact controls that mitigate potential risks in the future. Ideally the security strategy should have a two- to three-year roadmap of planned projects; otherwise it will constantly be playing 'catch up' with attackers.
Finally, even non-IT personnel should be covered by a security awareness program to ensure that employees take proper precautions during their daily tasks. Everyday policies must be user-friendly enough that even a neophyte can follow them. And there must be metrics in place to demonstrate the effectiveness of security infrastructure and policy, both to justify the security program's continued existence and to target areas of critical weakness in need of improvement (Week 1, Slide 29).
Q3.B: Security controls that may be employed in a Defense-in-Depth strategy
Two categories of user-authentication control are considered here: biometrics and passwords. Biometric controls may be physiological, validating the user by fingerprint, iris, or voice, or behavioral, focusing on what the user does, such as signature dynamics and keystroke timing; a change in these patterns can also reveal that an identity has been compromised. Of the two categories, biometric controls are more secure but also more expensive than passwords, the other common method. Passwords yield fewer false alarms regarding breaches and are less likely to lock authorized users out, but they are less secure. In summary:
Type 1 -- Physiology and behavior (Biometrics)
Example 1.1 -- Fingerprints or voice
Example 1.2 -- Signature and keystroke
Type 2 -- Passwords
Example 2.1 -- User-generated passwords
Example 2.2 -- System-generated passwords
Q3.C: Passwords are probably the most commonly used security control. However, user-generated passwords are often not complex enough to resist guessing or offline cracking by outsiders. When users are forced to generate highly complex passwords, they may forget them or write them down in easily discovered locations.
Storing passwords only as salted hashes (or otherwise encrypting them) is one way to prevent passwords from being read directly by malicious software or by anyone who obtains a copy of the password store. Security questions and 'cognitive' questions, used in ADDITION to (not as a replacement for) conventional passwords, add a further layer. Regularly changing passwords, or using 'one time' passwords, adds still further protection.
Perhaps the best method is to combine the password with a second factor: something the user has, such as a smart card, or something the user is, as with biometrics. For example, requiring a user to physically insert a smart card and then type a password is far more secure than either alone. However, this can limit remote access and adds expense to the protection system. As always, cost must be weighed against the need for security.
Regardless of the funds available, user education is an important component of protection: teaching users how to avoid password 'phishing,' for example, is just as vital as having complex passwords. Users must know how to use security features effectively.
Q4. Security incident
Assigning responsibility for remediation is an essential component of dealing with a security breach. When the confidentiality, integrity, or availability (CIA) of an information system is compromised, customers and employees have a right to know what occurred and what security procedures are being taken to ensure that their data is protected. They should also be told what actions they themselves can take to mitigate damage from identity theft or other types of fraud. Ideally, someone in authority, such as the CEO, should address the affected parties and explain what steps are being undertaken (Week 3, Slide 42).
The event must also be treated as a teaching incident and used to inform the relevant personnel of what must be done to improve standard operating procedures. Rather than finger-pointing, the questions of who was involved and what occurred should be used to implement a more effective overall security (and training) strategy. If user error was at fault, more intensive education of IT and non-IT staff must be undertaken. If the system proved technically vulnerable, it must be patched, or replacement of the system as a whole may need to be considered.
Q5. Marge and physical and process protection
On a physical level, the files in question should be secured in a room with restricted access. Only individuals who show proper identification to a security guard should be allowed into the file room. The files presumably contain sensitive information such as employee Social Security numbers, so this is a worthwhile precaution given the current storage set-up. The file cabinets and the room itself should be locked except when Marge opens them, after checking proper identification and a request form signed by the required personnel.
In terms of process improvements, there should be a defined procedure for requesting access to records. Depending on the sensitivity of the information requested, the signatures of the employee, HR staff, and another relevant supervisor should all be required before access is granted.
Ideally, records should be digitized so that, apart from the individuals themselves, only authorized HR personnel can access them. This would also be less expensive: the computers would hold the sensitive information, and the file room could serve as 'backup' and be kept locked at all times. Information could be made accessible from all computers or only from specific ones, depending on the level of security required, with access restricted by passwords (stored only as hashes) and security questions.
Q6. Validate that the information security program at YGT is working
Simply because no threats have been detected does not necessarily mean that the system is safe. Tracking users' normal activity patterns is essential so that abnormal activity can be flagged. Unintentional user errors, such as logging on to unsecured websites and opening potentially infected documents, must also be flagged. Sending an email from an odd-looking address and seeing whether employees open it is one way to gauge their wariness. If employees open the email, IT staff can include a message warning them that this is exactly the kind of message they should delete.
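The monitoring described in the scanning phase (repeated log-in attempts against one account) and in Q6 (flagging activity that departs from a user's normal pattern) can be expressed as detection logic over authentication logs. The following is an added example and is not part of the original paper or of any YGT system. The log format, the sample log lines, the baseline of "normal" source addresses, and the thresholds (5 failures within 60 seconds) are all constructed assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data). The single-line format is an
# assumption made for this example; a real collector would parse its own format.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z auth: FAIL user=alice src=203.0.113.7
2024-03-04T09:00:05Z auth: FAIL user=alice src=203.0.113.7
2024-03-04T09:00:09Z auth: FAIL user=alice src=203.0.113.7
2024-03-04T09:00:12Z auth: FAIL user=alice src=203.0.113.7
2024-03-04T09:00:15Z auth: FAIL user=alice src=203.0.113.7
2024-03-04T09:00:20Z auth: OK   user=alice src=203.0.113.7
2024-03-04T09:15:00Z auth: FAIL user=bob src=198.51.100.9
2024-03-04T10:30:00Z auth: FAIL user=bob src=198.51.100.9
2024-03-04T11:00:00Z auth: OK   user=bob src=198.51.100.9
"""

# Constructed baseline of each user's normal source addresses (e.g. learned
# from previous weeks of successful log-ins). Also an assumption.
BASELINE = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.9"}}

LINE_RE = re.compile(r"^(\S+) auth: (OK|FAIL)\s+user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts.timestamp(), "result": m.group(2),
                       "user": m.group(3), "src": m.group(4)})
    return events


def find_bruteforce(events, threshold=5, window=60):
    """Flag (user, src) pairs with >= threshold failures inside any `window` seconds.

    Uses a sliding window over the sorted failure times so that two failures an
    hour apart (bob) are not mistaken for a burst (alice).
    """
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "src": src, "failures_in_window": best})
    return alerts


def find_new_sources(events, baseline):
    """Flag successful log-ins from an address not in the user's baseline."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] not in baseline.get(e["user"], set())]


def analyze(text, baseline, threshold=5, window=60):
    """Run both detectors and correlate them: a user who was brute-forced and
    then logged in from a never-before-seen address is a likely account compromise."""
    events = parse_log(text)
    bruteforce = find_bruteforce(events, threshold, window)
    new_sources = find_new_sources(events, baseline)
    compromised = sorted({a["user"] for a in bruteforce} & {u for u, _ in new_sources})
    return {"bruteforce": bruteforce, "new_sources": new_sources, "compromised": compromised}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, BASELINE).items():
        print(key, value)
```

On the constructed input, alice's five failures in fourteen seconds trip the burst detector and her subsequent success from 203.0.113.7, an address absent from her baseline, is flagged as a new source; the correlation names her account as likely compromised. Bob's two failures are 75 minutes apart, and his success comes from his usual address, so nothing fires for him. In a production program the baseline would be rebuilt continuously from observed good behavior, which is the "tracking normal activity patterns" that Q6 calls for.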