Assessing and Treating IT Security Risks, Assignments of Information Technology

This document proposes a method to assess and treat IT security risks within an organization. It covers several types of security risk, including network vulnerabilities, malicious attacks and careless employees; identifies the origins of security risks; assesses risk events; and describes the organizational policies and security measures that protect business-critical data and equipment. It also explores the use of tools such as firewalls, intrusion detection systems (IDS) and network monitoring systems to strengthen security. The aim is a comprehensive approach to identifying, assessing and mitigating IT security risks, suitable for training junior staff on the tools and techniques involved.

Typology: Assignments

2021/2022

Uploaded on 02/05/2023

duc-anh-mai-1
ASSIGNMENT FRONT SHEET
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date received (1st submission):
Re-submission date:
Date received (2nd submission):
Student name: Mai Duc Anh
Student ID: BH00056
Class: IT0501
Assessor name: Le Van Thuan
Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature:
Grading grid: P1, P2, P3, P4, M1, M2, D1

Contents

I. Introduction

  • A person works as a trainee IT Security Specialist for a leading security consultancy in Vietnam called FPT Information security (FIS).
  • FIS works with medium-sized companies in Vietnam, advising on and implementing technical solutions to potential IT security risks. Most customers have outsourced their security concerns because they lack the technical expertise in house. The trainee's manager, Jonson, has asked him to create an engaging presentation to help train junior staff members on the tools and techniques associated with identifying and assessing IT security risks, together with the organizational policies that protect business-critical data and equipment.

II. TYPES OF SECURITY RISKS TO THE ORGANIZATION

Every organization is aware of the importance of security risks. Attackers can use a variety of methods to access databases and steal important information, which can lead to the collapse of an entire organization. An organization's data network is the lifeblood that employees rely on to do their jobs.

  1. Define threats

A network security threat is exactly that: a threat to your network and data systems. Any attempt to breach your network and obtain access to your data is a network threat.

There are different kinds of network threats, and each has a different goal. Some, like distributed denial-of-service (DDoS) attacks, seek to shut down your network or servers by overwhelming them with requests. Others, like malware or credential theft, are aimed at stealing your data. Still others, like spyware, insert themselves into your organization's network, where they lie in wait, collecting information about your organization.

  • A threat is anything that can take advantage of a vulnerability to breach security and negatively alter, erase or harm an object or objects of interest.
  • Software attacks are attacks by viruses, worms, Trojan horses and similar. Many users believe that malware, viruses, worms and bots are all the same thing. They are not: the only thing they share is that they are all malicious software, and each behaves differently.

  2. Threat agents

A, Malware

Malware is a combination of two terms, malicious and software. Malware therefore means malicious software: intrusive program code, or anything else designed to perform malicious operations on a system. Malware can be classified in two ways:

o Infection methods
o Malware actions

Malware classified by infection method:

  • Virus – Viruses have the ability to replicate themselves by attaching to programs or files on the host computer (songs, videos and so on), and they then spread across the Internet whenever those files are shared. The Creeper virus was the first, detected on ARPANET. Examples include file viruses, macro viruses, boot sector viruses and stealth viruses.

Figure 1: Computer virus

  • Worms – Worms are also self-replicating, but they do not attach themselves to a program on the host computer. The biggest difference between a virus and a worm is that worms are network-aware: they can travel from one computer to another on their own whenever a network path is available. Even a worm that carries no payload does harm on the target machine by consuming disk space, memory and bandwidth, thereby slowing it down, and many worms also drop other malware.

Figure 3: Trojan

  • Bots – Bots can be seen as an advanced form of worm. They are automated processes designed to interact over the Internet without human interaction, and they can be benign or malicious. A malicious bot infects a host and then opens a connection to a central command-and-control server, which issues commands to all infected hosts attached to it; this network of infected hosts is called a botnet.

Malware classified by its actions:

  • Adware – Adware is not strictly malicious, but it does breach users' privacy. It displays advertisements on the desktop or inside individual programs. It comes bundled with free-to-use software and is the main source of revenue for such developers; it monitors your interests and displays relevant ads. An attacker can embed malicious code inside the bundled software, in which case the adware can monitor your system activity and even compromise your machine.

Figure 4: Adware

  • Spyware – Spyware is software that monitors your activity on the computer and reports the collected information to an interested party. Spyware is generally dropped by Trojans, viruses or worms. Once dropped, it installs itself and sits silently to avoid detection.

Figure 5: Spyware

  • Ransomware – Ransomware is malware that either encrypts your files or locks your computer, making it partially or wholly inaccessible. A screen is then displayed asking for money, i.e. a ransom, in exchange

B, Denial-of-service (DoS) attacks

o Buffer overflow attacks – A buffer overflow occurs when a program writes more data into a buffer than was allocated for it. Besides code execution, the typical outcome is a crash or runaway consumption of memory, CPU time or disk space, which causes sluggish behaviour or system crashes and so leads to a denial of service.

o ICMP flood – Sending a high volume of ICMP echo requests (pings) to exhaust the target's bandwidth or processing. A variant that takes advantage of misconfigured network equipment sends echo requests with the victim's spoofed source address to a network's broadcast address, so that every host on that network replies to the victim at once and amplifies the traffic; this variant is the smurf attack. The ping of death is a different ICMP attack, in which a malformed or oversized ping packet crashes a vulnerable host.

o SYN flood – Abuses the TCP three-way handshake between client and server. The attacker sends a stream of SYN requests, often from spoofed source addresses; the server replies with SYN-ACK and reserves a half-open connection, but the final ACK never arrives. This continues until the server's connection backlog is saturated with half-open requests and there is no room left for legitimate users.

Figure 7: How DDoS works
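The SYN flood description above is easier to reason about with a concrete trace. The following is an added example, not code from the original assignment: a small Python detector that counts half-open connections in a constructed TCP event trace. The tuple format, the addresses and the thresholds are assumptions for illustration, not data from the page. It shows why a per-source threshold misses a spoofed-source flood while the aggregate half-open ratio catches it.

```python
from collections import defaultdict

# Constructed sample trace (not real capture data): tuples of
# (timestamp_seconds, source_ip, dst_port, tcp_flags).  "S" is the client's
# SYN, "A" is the client's final ACK that completes the three-way handshake.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", 443, "S"),
    (0.05, "10.0.0.5", 443, "A"),   # legitimate client completes its handshake
    (0.50, "10.0.0.5", 443, "S"),
    (0.55, "10.0.0.5", 443, "A"),
]
# 200 SYNs in two seconds from twenty spoofed addresses that never ACK.
SAMPLE_EVENTS += [(i * 0.01, f"198.51.100.{i % 20}", 443, "S") for i in range(200)]


def half_open_by_source(events):
    """Return {src_ip: number of SYNs never completed by an ACK}.

    A live implementation would also expire entries older than the server's
    SYN-RECEIVED timeout; here the whole trace is treated as one window.
    """
    pending = defaultdict(list)
    for ts, src, _port, flags in sorted(events):
        if flags == "S":
            pending[src].append(ts)
        elif flags == "A" and pending[src]:
            pending[src].pop(0)          # ACK completes the oldest open SYN
    return {src: len(open_syns) for src, open_syns in pending.items() if open_syns}


def detect_syn_flood(events, per_source_threshold=50, ratio_threshold=0.5):
    """Two views of the same trace.

    per-source: any address with more than `per_source_threshold` half-open
                connections (catches a single noisy client).
    aggregate:  fraction of all SYNs left half-open.  A spoofed flood spreads
                its SYNs over many fake addresses, so only this view sees it.
    """
    half_open = half_open_by_source(events)
    total_syn = sum(1 for e in events if e[3] == "S")
    ratio = sum(half_open.values()) / total_syn if total_syn else 0.0
    suspects = sorted(src for src, n in half_open.items() if n > per_source_threshold)
    return {
        "suspect_sources": suspects,
        "half_open_ratio": round(ratio, 3),
        "flood_suspected": ratio > ratio_threshold,
    }


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_EVENTS))
    print(detect_syn_flood(SAMPLE_EVENTS, per_source_threshold=5))
```

With the default per-source threshold no single spoofed address stands out (each has only ten half-open SYNs), yet 99 percent of all SYNs in the trace are half-open; that is the signature a SYN-cookie or rate-limiting defence keys on.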

C, Network vulnerabilities

Enterprise networks are becoming increasingly complicated, which means that the number of potential vulnerabilities within them is growing. Zero-day exploits, SQL injection and advanced persistent threats (well-resourced attackers who exploit whatever weakness they find) all take advantage of code vulnerabilities that enable attackers to access the network in order to plant malware, exfiltrate information or harm systems.

Figure 8: SQL injection
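To make the SQL injection point concrete, here is an added example (not part of the original assignment) using Python's sqlite3 module with an in-memory table of constructed users. The vulnerable lookup concatenates the username into the query text; the hardened one passes it as a bound parameter. The table layout, the sample rows and the two payloads are assumptions for illustration.

```python
import sqlite3


def make_demo_db():
    """In-memory SQLite database with a constructed users table
    (sample data, not taken from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice", "admin"), ("bob", "hash-of-bob", "staff")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: user input is pasted straight into the SQL text, so a
    quote character in `username` changes the structure of the query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """HARDENED: the value is bound as a parameter.  The database never
    parses it as SQL, so the same payloads simply match no row."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attack payloads (classic forms, not taken from the page).
BYPASS_PAYLOAD = "' OR '1'='1"
EXFIL_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    db = make_demo_db()
    print("normal       :", lookup_vulnerable(db, "alice"))
    print("bypass (vuln):", lookup_vulnerable(db, BYPASS_PAYLOAD))  # every row
    print("exfil  (vuln):", lookup_vulnerable(db, EXFIL_PAYLOAD))   # hashes leak
    print("bypass (safe):", lookup_safe(db, BYPASS_PAYLOAD))        # []
    print("exfil  (safe):", lookup_safe(db, EXFIL_PAYLOAD))         # []
```

The second payload is the more instructive one: a `UNION` lets the attacker read a column (`password_hash`) the application never intended to return, which is how an injection in a harmless-looking lookup turns into data exfiltration. Parameter binding is the fix; escaping quotes by hand is not.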

One of the key methods attackers use is taking advantage of obsolete and unpatched software, so ensuring that all systems are up to date is essential to protecting against many of these threats. Yet it is something many corporations struggle to do. For example, the 2018 Data Breach Investigations Report by Verizon found that 99 percent of exploited vulnerabilities were.

D, Careless employees of the organization

  • Employees are the biggest security risk to any organization, since they know everything about it, such as where secret documents are kept and how to access them. In addition to malicious attacks, careless workers are another form of cyber security risk to organizations.
  • Security risks arise when employees choose very simple passwords that are easy to remember, and when they share passwords. Another common problem is that employees open suspicious email attachments, click on links or visit malicious websites, which can introduce malware into the system.

Figure 10: How MITM works

  3. Data breach: Zoom (2020)
    • It has been estimated that more than half a million Zoom account login credentials were sold, and some of the accounts' credentials were given away free of charge. The leaked accounts belonged to financial institutions, banks, colleges and various other organizations. In addition to the login credentials, the victims' personal meeting URLs and host keys were also available.

  • Initially, attackers searched dark web databases of previously compromised login credentials dating back to 2013. Because people typically reuse passwords, this gave them instant access to a swathe of active Zoom accounts. They then launched a series of credential stuffing attacks to compromise the remaining accounts.

  • As part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing these problems. For example, it must assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against them, and implement a vulnerability management program. Following that, it is responsible for deploying safeguards such as multi-factor authentication to protect against unauthorized access to its network, instituting data deletion controls, and taking steps to prevent the use of known compromised user credentials. In addition, Zoom's personnel will be required to review any software updates for security flaws and must ensure the updates will not hamper third-party security features.

III. DESCRIBE ORGANISATIONAL SECURITY PROCEDURES

  • A security procedure is a set sequence of necessary activities that performs a specific security task or function. Procedures are normally designed as a series of steps to be followed as a consistent and repeatable approach or cycle to accomplish an end result. Once implemented, security procedures provide a set of established actions for conducting the security affairs of the organization, which facilitates training, process auditing and process improvement.
  • The purpose of security procedures is to ensure consistency in the implementation of a security control or in the execution of a security-relevant business process. They are to be followed each time the control needs to be implemented or the business process carried out. In addition, security procedures guide the individual executing the procedure to an expected outcome.

  1. Acceptable use procedures
    • This policy extends to all data generated on or residing on the organization's systems. All data containing non-public personal information must be secured before it is transmitted electronically; in other words, non-public personal information and other confidential information shall be properly encrypted in transit.
  • For the purposes of this policy, all information residing on the company's systems and networks is considered company property. The organization may track or audit at any time, for any reason, with or without notice, any information, including data files, emails and information stored on company-issued computers or other electronic devices, for the purpose of checking and monitoring compliance with its security procedures.

A, Password rules

  • Encryption helps businesses secure information in case of theft, but a strong password is the first step towards protecting information directly from attackers. Many businesses know this but take it lightly. Password standards should be substantially similar to the following criteria:

o Use not only lower-case letters (a - z) but also upper-case letters (A - Z), digits (0 - 9) and special characters (for example ! @ # $ % ^ & *).
o Not based on personal information: family names, pets, ...
o Not to be written down, saved or kept online.

B, Password protection standards

  • Passwords chosen for the organization's accounts shall not be the same as passwords chosen by the employee or third party for non-organization accounts.
  • All passwords are to be treated as sensitive, confidential information. Passwords are not to be shared with anyone, including administrative assistants or secretaries.
  • If an account or password is suspected to have been compromised, immediately report the incident to the employee's immediate supervisor or the Information Security Officer.

  2. Physical security procedures
    • All exterior doors of the building must be kept locked at all times, except where specific procedures have been created to leave a door unlocked. Doors are only left unlocked or opened when a staff member is in a position to control access through the doorway. No one shall give or allow access to any building or room to anyone who is not known to them to be an employee with permission to work in that area, or an approved visitor or vendor. Employees are encouraged to challenge, in a non-offensive way, anyone in the building or room whom they do not know. Any person who is suspicious or unable to provide identification shall be reported to management.
  • Individual workstations may be located in a single office or in a larger room with multiple workstations. Users must monitor physical access to their office and thus to their computer. All rooms will be kept locked unless the staff member is in the room or within sight of it (in a position to control access to the room), or specific procedures have been defined to allow the room to be left unlocked. Employees may choose not to lock a room for a short period during regular working hours unless the room contains confidential information. Employees are instructed, however, to lock all rooms at any time that no one is in a position to control access.
  • All rooms containing allocated systems, production servers and related equipment will be kept locked, with access restricted to authorized employees.
  • All windows shall be closed unless the employee is in the room or in a position to control access to it. It is especially important that windows are closed and locked in rooms on the lower floors.
  • Equipment assigned to an employee is the responsibility of that employee. If any equipment is moved, broken or replaced, the Information Technology staff or vendors must be notified. If any equipment is to be upgraded in accordance with organization policy, the Information Technology staff must give prior approval for the upgrade and perform it. Any non-mobile equipment taken off-site requires authorization in accordance with the organization's written policies and procedures. Laptops, PDAs and other mobile devices specifically assigned to an employee may be taken off-site by that employee without such specific authorization. The employee is responsible for the physical security of any company equipment entrusted to him or her.
  • If company-issued equipment is lost or stolen, the individual responsible for the equipment must immediately report this to the Information Security Officer.

Figure 12: Physical security

IV. Propose a method to assess and treat IT security risks.

  1. Method required to assess IT security threats
    • Protecting sensitive data is a crucial concern, and the risks and threats to an organization are rising day after day. To safeguard confidential data, an IT risk assessment helps to identify areas of weakness and system loopholes, and the appropriate measures that organizations need to take to protect themselves.