Question 2:
Avoidance attempts to prevent the exploitation of a vulnerability. This is the preferred approach, since it seeks to avoid the risk entirely rather than dealing with it after it has been realized. It is accomplished by countering threats, removing vulnerabilities in assets, limiting access to assets, or adding protective safeguards.
Three kinds of control support this strategy:
1. Policy
2. Training and education
3. Technology
This strategy avoids as far as possible the risk that leads to being hacked. For example, to protect user accounts it is better if users renew their passwords at least once every 90 days, because an old passcode may be known by other people; in this way a user's information is protected by the system while remaining accessible.
Another measure is verifying the actual account user, for example by sending an SMS code to the user's cell phone to ensure that it is the actual user who is attempting to access the system. This can be verified by comparing the data entered at access time with the stored data that was entered at registration time.
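The two account-protection measures just described, written out as an added example (this is not code from the original post): a password-age check using the 90-day period stated above, and verification of a one-time code sent to the user's phone, where the code stored at issue time is compared in constant time with what the user types at access time. The 5-minute validity window and the 3-attempt limit are assumptions made for the example.

```python
"""Added example, not code from the original post: two of the avoidance
controls described above, written in plain Python.

1. A password-age check that requires renewal after 90 days (the period
   stated in the text).
2. Verification of a one-time code sent to the user's phone: the code the
   system stored when it issued the code is compared, in constant time,
   with what the user types at access time.  The 5-minute validity window
   and the 3-attempt limit are assumptions for the example.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)   # renewal period from the text
CODE_LIFETIME = timedelta(minutes=5)    # assumed validity window for an SMS code
MAX_CODE_ATTEMPTS = 3                   # assumed limit on guesses per code


def password_needs_renewal(last_changed: datetime, now: datetime) -> bool:
    """True when the password is older than the 90-day policy allows."""
    return now - last_changed > MAX_PASSWORD_AGE


@dataclass
class PendingCode:
    """A one-time code the system issued and stored for later comparison."""
    code: str
    issued_at: datetime
    attempts: int = 0


def issue_code(now: datetime) -> PendingCode:
    """Generate a 6-digit code from a CSPRNG.  A real system would send it by
    SMS to the phone number recorded at registration time."""
    return PendingCode(code=f"{secrets.randbelow(10 ** 6):06d}", issued_at=now)


def verify_code(pending: PendingCode | None, entered: str, now: datetime) -> tuple[bool, str]:
    """Compare the value entered at access time with the stored code.
    Returns (accepted, reason)."""
    if pending is None:
        return False, "no code pending"
    if now - pending.issued_at > CODE_LIFETIME:
        return False, "code expired"
    pending.attempts += 1
    if pending.attempts > MAX_CODE_ATTEMPTS:
        return False, "too many attempts"
    # compare_digest keeps the comparison time independent of where the
    # strings first differ, so timing does not leak the stored code.
    if hmac.compare_digest(pending.code.encode(), entered.strip().encode()):
        return True, "verified"
    return False, "code mismatch"


def access_decision(last_changed: datetime, pending: PendingCode | None,
                    entered: str, now: datetime) -> str:
    """Combine both controls for one login attempt: an aged password must be
    renewed before the second factor is even considered."""
    if password_needs_renewal(last_changed, now):
        return "renew password"
    ok, reason = verify_code(pending, entered, now)
    return "grant" if ok else f"deny: {reason}"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    code = issue_code(now)
    print(access_decision(now - timedelta(days=100), code, code.code, now))  # renew password
    print(access_decision(now - timedelta(days=10), code, "000000", now))    # deny: code mismatch
    print(access_decision(now - timedelta(days=10), code, code.code, now))   # grant
```

The attempt counter is incremented before the comparison so that a wrong guess always costs an attempt, and the expiry check comes first so an expired code cannot be guessed at all.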
Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations. If the organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise.
There are many companies that can provide an organization with a high level of security that helps it work securely and protects its customers and business from being hacked. Examples of big and experienced security providers are McAfee, Kaspersky and Norton. These companies have various products that can fit individual and business needs, and the security system can be customized to the business type, service requirements and size of the business. Otherwise, the organization can hire experts in order to provide better security management, which saves time and money because experienced people have already solved many cases related to the organization's needs.
This allows the organization to transfer the risk associated with the management of these complex systems to another organization with established experience in dealing with those risks.
Mitigation attempts to reduce the impact of exploitation through planning and preparation. Three types of plans are used in this strategy:
1. Disaster recovery planning (DRP)
2. Business continuity planning (BCP)
3. Incident response planning (IRP)
The most common of the mitigation procedures is the DRP. The actions to take while an incident is in progress are defined in the IRP. Longer-term issues are handled in the BCP.
Acceptance of risk means doing nothing to close a vulnerability and accepting the outcome of its exploitation. Acceptance is valid only when the organization has:
· Determined the level of risk
· Assessed the probability of attack
· Estimated the potential damage
· Performed a thorough cost-benefit analysis
· Evaluated controls using each appropriate feasibility
· Decided that the particular function, service, information, or asset did not justify the cost of protection
Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off against the expense of applying controls.
Residual risk is the risk or danger that remains from an action, event, method or (technical) process which, although it is in line with current science, still carries these dangers even after all theoretically possible safety measures have been applied. The relationship between residual risk and the control strategies is therefore that the control strategies help to determine or avoid residual risk before the system or organization is affected. The discussion above shows how each strategy works and the benefits each delivers to information security management.
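The cost-benefit analysis that the acceptance bullets require, and the way risk appetite and residual risk enter the choice between accepting a risk and applying a control, carried through as an added example (not code from the original post). The formulas are the standard ones from Whitman & Mattord rather than anything stated on the page (SLE = AV x EF, ALE = SLE x ARO, CBA = ALE before the control minus ALE after it minus the control's annual cost), and every figure is constructed for the example.

```python
"""Added example, not code from the original post: the cost-benefit test that
the acceptance bullets above require, and how risk appetite and residual risk
enter the decision between accepting a risk and applying a control.

The formulas are the standard ones from Whitman & Mattord rather than
anything stated on the page: SLE = AV x EF, ALE = SLE x ARO, and
CBA = ALE(prior) - ALE(post) - ACS.  All figures are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float       # AV: value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost per exploitation (0..1)
    annual_rate: float       # ARO: expected exploitations per year, uncontrolled


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float             # ACS: annualized cost of the safeguard
    exposure_factor_after: float   # EF once the control is in place
    annual_rate_after: float       # ARO once the control is in place


def ale(asset_value: float, exposure_factor: float, annual_rate: float) -> float:
    """Annualized loss expectancy: SLE x ARO, where SLE = AV x EF."""
    return asset_value * exposure_factor * annual_rate


def residual_risk(s: RiskScenario, c: Control) -> float:
    """Loss expectancy that remains after the control is applied."""
    return ale(s.asset_value, c.exposure_factor_after, c.annual_rate_after)


def cba(s: RiskScenario, c: Control) -> float:
    """Cost-benefit of a control: loss avoided per year minus the control's cost.
    A negative value means the protection costs more than it saves."""
    prior = ale(s.asset_value, s.exposure_factor, s.annual_rate)
    return prior - residual_risk(s, c) - c.annual_cost


def choose_strategy(s: RiskScenario, controls: list[Control],
                    risk_appetite: float) -> tuple[str, str | None, float]:
    """Return (strategy, control name or None, residual loss expectancy).

    - Uncontrolled ALE already within the risk appetite: accept as-is.
    - Otherwise apply the control with the best positive CBA, preferring
      controls that bring residual risk within appetite.
    - No control with a positive CBA: the asset does not justify the cost of
      protection, so acceptance is the documented outcome of the analysis.
    """
    prior = ale(s.asset_value, s.exposure_factor, s.annual_rate)
    if prior <= risk_appetite:
        return "accept", None, prior
    worthwhile = [c for c in controls if cba(s, c) > 0]
    if not worthwhile:
        return "accept (no control justifies its cost)", None, prior
    within = [c for c in worthwhile if residual_risk(s, c) <= risk_appetite]
    pool = within or worthwhile
    best = max(pool, key=lambda c: cba(s, c))
    label = "mitigate" if within else "mitigate (residual still above appetite)"
    return label, best.name, residual_risk(s, best)


if __name__ == "__main__":
    # Constructed scenario: a customer database worth 1,000,000, losing 20% of
    # its value per breach, breached on average once every two years.
    scenario = RiskScenario(asset_value=1_000_000, exposure_factor=0.2, annual_rate=0.5)
    options = [
        Control("access-control review", 20_000, 0.2, 0.1),
        Control("full re-platform", 150_000, 0.05, 0.05),
    ]
    for c in options:
        print(f"{c.name}: CBA={cba(scenario, c):,.0f} residual={residual_risk(scenario, c):,.0f}")
    print(choose_strategy(scenario, options, risk_appetite=25_000))
```

In the constructed scenario the cheaper control pays for itself (positive CBA) and leaves a residual loss expectancy inside a 25,000 appetite, while the expensive one has a negative CBA and would be rejected even though it reduces the risk further; that is the trade-off risk appetite describes.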
Question 3:
Authentication
Authentication verifies system users. For example, a user can log in to a server using an SSH client, or access an email server using POP3 and SMTP clients. Usually PAM (Pluggable Authentication Modules) is used to integrate low-level authentication schemes into a high-level application programming interface (API), which allows programs that rely on authentication to be written independently of the underlying authentication scheme.
Authorization
Authorization verifies what users are authorized to do. For example, a user may be allowed to log in to the server via an SSH client but not be authorized to browse /data2 or any other file system. Authorization occurs after successful authentication. It can be controlled at the file system level or using various application-level configuration options.
Usually a connection attempt must be both authenticated and authorized by the system. With these two factors you can easily find out why connection attempts are accepted or denied.
Example: Authentication and Authorization
A user called Zayer87 is allowed to log in to the www.cyberciti.biz server securely using the OpenSSH client/server model. In this example, authentication is the mechanism whereby the system running at www.cyberciti.biz can securely identify the user Zayer87. The authentication system provides the answers to the questions:
- Who is the user Zayer87?
- Is the user Zayer87 really who he represents himself to be?
The server running at www.cyberciti.biz depends on some unique bit of information known only to the user Zayer87. It may be as simple as a password or public key authentication, or as complicated as a Kerberos-based system. In all cases Zayer87 needs some sort of secret to log in to the www.cyberciti.biz server via the ssh client. In order to verify the identity of the user called Zayer87, the authenticating system running at www.cyberciti.biz challenges Zayer87 to provide his unique information (his password, fingerprint, etc.); if the authenticating system can verify that the shared secret was presented correctly, the user Zayer87 is considered authenticated.
Is Zayer87 authenticated? What next?
Authorization
The server running at www.cyberciti.biz determines what level of access the particular authenticated user Zayer87 should have. For example, Zayer87 can compile programs using the system dashboard but is not allowed to upload or download files. So the authorization questions are:
- Is user Zayer87 authorized to access the resource called ABC?
- Is user Zayer87 authorized to perform operation XYZ?
- Is user Zayer87 authorized to perform operation P on resource R?
- Is user Zayer87 authorized to download or upload files?
- Is user Zayer87 authorized to apply patches to the system?
- Is user Zayer87 authorized to make backups?
In this example the server used the combination of authentication and authorization to secure the system. The system ensures that the user claiming to be Zayer87 is the real user Zayer87 and thus prevents unauthorized users from gaining access to secured resources running on the server at www.cyberciti.biz.
Without either of these processes, access to the system cannot be properly accepted or verified at all. Without authentication, the system will not be able to determine whether a user trying to access the system is registered in it or not.
Also, without authorization, the system will not be able to determine the level of access and what data may be viewed by that user, and it will be hard to know what actions that user may perform while accessing the system.
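The two steps the Zayer87 walk-through separates, written out as an added example (this is not code from the original post or from any real server). Authentication checks a shared secret, here a salted PBKDF2 password hash standing in for the password, SSH key or Kerberos ticket the text mentions; authorization then answers "is this authenticated user allowed to perform operation P on resource R?" from an explicit permission table and denies anything not listed, which is the "allowed to log in but not to browse /data2" case. The user name comes from the post; the resources, operations and permissions are constructed for the example.

```python
"""Added example, not code from the original post: authentication followed by
authorization for one connection attempt.  The user name Zayer87 is from the
text; the permission table, resources and operations are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000   # assumed work factor for the example


# --- authentication: "is this really Zayer87?" ---------------------------

def make_password_record(password: str) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Verify the presented secret against the stored record."""
    record = users.get(username)
    if record is None:
        # Unknown user: still do the expensive hash so that response time
        # does not reveal whether the account exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# --- authorization: "may Zayer87 perform P on R?" ------------------------

# Constructed permission table of (user, operation, resource).  Anything not
# listed is denied, so uploading to /data2 fails even after a valid login.
PERMISSIONS = {
    ("Zayer87", "login", "ssh"),
    ("Zayer87", "compile", "dashboard"),
}


def authorize(username: str, operation: str, resource: str) -> bool:
    """Deny-by-default lookup in the permission table."""
    return (username, operation, resource) in PERMISSIONS


def request(users: dict, username: str, password: str,
            operation: str, resource: str) -> str:
    """The complete check a server applies to one connection attempt:
    authentication first, authorization only for an authenticated user."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorize(username, operation, resource):
        return f"denied: {username} not authorized to {operation} {resource}"
    return f"granted: {username} may {operation} {resource}"


if __name__ == "__main__":
    users = {"Zayer87": make_password_record("correct horse")}
    print(request(users, "Zayer87", "correct horse", "login", "ssh"))
    print(request(users, "Zayer87", "correct horse", "upload", "/data2"))
    print(request(users, "Zayer87", "wrong", "login", "ssh"))
```

The order matters: an authorization question is only ever asked about a user whose identity has been verified, and the answer for a (user, operation, resource) triple that nobody wrote into the table is "no".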
Question 5:
A security policy is a definition of what it means to be secure for a system or organization. The security policy addresses constraints on functions and the flow among them, constraints on access by external systems and adversaries including programs, and access to data by people. Laws are rules adopted and enforced by government to codify expected behavior in modern society. Laws are largely drawn from the ethics of a culture, which define socially acceptable behavior. The key difference between policy and law is that ignorance of policy is a viable defense, and therefore policies must be:
· Distributed to the individuals who are expected to comply with them
· Readily available for employee reference
· Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees
· Acknowledged by the employee, usually by means of a signed consent form
Only when all of these conditions are met does the organization have a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution.
It is the responsibility of information security personnel to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect information and systems. Many security professionals understand the technological means of protection, but many underestimate the value of policy. Deterrence is the best method for preventing an illegal or unethical activity. Laws, policies, and technical controls are all examples of deterrents. However, laws and policies and their associated penalties only deter if three conditions are present:
1. Fear of penalty: threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.
2. Probability of being caught: there must be a strong possibility that perpetrators of illegal or unethical acts will be caught.
3. Probability of the penalty being administered: the organization must be willing and able to impose the penalty.
Question 6:
Project integration management: includes the processes required to ensure that effective coordination occurs within and between the project's many components, including personnel. Major elements of the project management effort that require integration include:
· Development of the initial project plan
· Monitoring of progress as the project plan is executed
· Control of revisions to the project plan
· Control of changes made to resource allocations as measured performance causes adjustments to the project plan
Project plan development: the process of integrating all project elements into a cohesive plan with the goal of completing the project within the allotted work time using no more than the allotted project resources. Work time, resources, and project deliverables are the core components used in creating the project plan. Changing any one element usually affects the accuracy and reliability of the estimates of the other two and likely means that the project plan must be revised. When integrating the disparate elements of a complex information security project, complications are likely to arise:
· Conflicts among communities of interest
· Far-reaching impact
· New technology
Project scope management: ensures that the project plan includes only those activities necessary to complete it. Scope creep occurs when the quantity or quality of project deliverables expands beyond the original plan. Scope management includes:
· Initiation
· Scope planning
· Scope definition
· Scope verification
· Scope change control
Project time management: ensures that the project is finished by the identified completion date while meeting its objectives. Failure to meet project deadlines is among the most frequently cited failures in project management. Many missed deadlines are rooted in poor planning. Time management includes the following processes:
· Activity definition
· Activity sequencing
· Activity duration estimating
· Schedule development
· Schedule control
Project cost management: ensures that a project is completed within its resource constraints. Some projects are planned using only a financial budget from which all resources must be procured. Cost management includes the following processes:
· Resource planning
· Cost estimating
· Cost budgeting
· Cost control
Project quality management: ensures that the project adequately meets the project specifications. If the project deliverables meet the requirements specified in the project plan, the project has met its quality objective. A good plan defines project deliverables in unambiguous terms against which actual results are easily compared. Quality management includes:
· Quality planning
· Quality assurance
· Quality control
Project human resource management: ensures that the personnel assigned to the project are effectively employed. Staffing a project requires careful estimates of the required effort. In information security projects, human resource management has unique complexities, including:
· Extended clearances
· Deploying technology new to the organization
· Organizational planning
· Staff acquisition
· Team development
Project communication management: conveys details of the activities associated with the project to all involved. It includes the creation, distribution, classification, storage, and ultimately destruction of documents, messages, and other associated project information. Communication management includes:
· Communications planning
· Information distribution
· Performance reporting
· Administrative closure
Project risk management: assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project. Information security projects face risks that may differ from those of other types of project. Risk management includes:
· Risk identification
· Risk quantification
· Risk response development
· Risk response control
Project procurement management: acquires the resources needed to complete the project. Depending on the common practices of the organization, project managers may simply requisition resources from the organization, or they may have to purchase them. Procurement management includes:
· Procurement planning
· Solicitation planning
· Solicitation
· Source selection
· Contract administration
· Contract closeout
The change management procedure controls any additions, deletions, or modifications to the department configuration of desktops, servers and network hardware and/or software.
Any change (including patches) could have an impact on the security posture of the department environment, due to the rules used to establish the systems, especially on servers (this can be more important on critical systems). Staff members assigned to the change management process must approve any changes. When a change request is received, it should be evaluated using the following criteria:
· Budget
· Schedule
· Resources
· Security
All requests for changes must be evaluated and approved (or disapproved) in order to recognize and control security and access. Use a change request form that can record submission, investigation, review, and approval. All requests should be recorded in a change request log where their status is tracked.
The project management activities were explained in detail above, together with the mission of each activity. It is important that each is completed before the next starts, since they form a chain that builds a strong security system.
Question 7:
It is hard to predict the future, especially in the technological field, which is growing very fast. People expect new improvements in the future, but in fact what people expect may not be the right solution, or it may already have been tested but not approved because it does not serve the full requirements of the business community, employees or system users. As people may have noticed, big companies such as Facebook, Sony, Microsoft and Saudi Aramco were hacked and lost very important data related to their business or customers. In my opinion, these big companies were hacked through their networks. Therefore, what needs to be focused on in the future is how the network can be protected. In the past, hackers were hacking Internet users' personal computers; as is well known, hackers can access computer data by sending files to the victim's device while the victim is browsing unsecured web pages on the Internet. However, anti-virus software has prevented this type of hacking and allows users to use the Internet safely, as the user's PC is already protected.
These big companies were attacked through access to users' passwords or old passwords. This means that even if a user had left the job with one of these companies, the user account and password were still active, and that is why these companies were hacked. The reason was the high number of network users, which makes it very hard to find out which users are active. That is what was shown in the media; the reason may be something else.
The future of information security should focus on how this kind of hack can be prevented, as happened for user devices with the installation of security software that takes care of viruses that might be downloaded while browsing the Internet. Access control methods need to change in order to verify that the access attempt is by the actual and authorized user. As the global network has a huge number of users, it should be secured. Typing a passcode is no longer the safest way to ensure who is trying to gain access; it should be verified through a unique method such as a finger touch, an eye scan or the user's voice, which will be safer than a passcode that can be entered by anyone who knows it.
Basically, the expected focus of information security should be improving network security and ensuring the level of access control to systems that are used by many users and hold very important data.