Riskassessment can be defined as the process of identifying potentialdangers and analyzing the impact such dangers could have if theyoccurred and furthermore explore the possible remedies for thedanger.
Riskassessment planning requires that one fulfills the core objectives ofa given project or system. These include meeting the user’srequirements, operating within a given schedule and squeezing to fitthe planned budget. Risk assessment is important in the followingaspects:
Saves money-Risk assessments enable a company to invest in viable businesses therefore reducing the probability of making losses.
Legal obligation-It is a requirement by law that risk assessment be carried out on information systems that handle sensitive data in order to see if they are up to date and that owned data has not been corrupted. Future recommendations are a legal obligation too.
Moral and ethical reasons-Risk assessment is important because it helps in identifying possible flaws in a company, for example giving different privilege levels to various members of staff will improve the accountability and reduce a security vulnerability as it will be easy to trace a fault back to its source.
Thispaper is going to focus on securityrisk assessment of information systems. It is going to be dividedinto three reports, Planning,Findings and Recommendations report.
RISK ASSESSMENT PLANNING
Planningis the process of organizing events that are needed to be followed inorder to achieve a given objective.
RiskAssessment Planningofinformation systems involves the purpose of the assessment, itsscope, assumptions, constraints and the risk model and analysisapproach to be used.
Asstated above, risk assessment planning aims is to meet the userrequirements within the stipulated time and within the financialbudget constraints. That notwithstanding, this paper will endeavor tolook dipper into the causes of security vulnerabilities in our recentinformation systems, this is all in order to secure stored data andensure excellent access control.
Thescope of this paper will cover the Information systemsvulnerabilities such as:
Identification and Authentication Controls
End User Security
Asfar as organizational applicability is concerned, it will apply toall employees in the BIR agency. The effectiveness time frame willdiffer according to the vulnerability being explored, for example theencryption vulnerability is unbreakable as there exists encryptionalgorithms that have proved computationally infeasible to decrypt(“The Advanced Encryption Scheme AES”). For architectural andtechnology considerations, there has been a lot of research andinvention of secure algorithms that have so far shown negligibleprobability of being broken, e.g. the AES encryption algorithm andSHA-2 hash functions. Other applications for detecting webvulnerabilities e.g. IBM AppScan have made it easier to assesssoftware products for vulnerabilities.
Theseissues constitute all that this paper will be addressing, in additionto its control, prevention and recommendations.
Themain assumption that it makes is that the current recommendedalgorithms will not be vulnerable to attacks in the near future andthat it is important to note that Information system vulnerabilitiesare invented day by day and that the solutions provided in this papermay not suffice in the near future.
Riskmodelsarebasically assessment approaches that dictate the riskfactors tobe looked into and how they relate amongst themselves.
Riskfactors act as inputs that are used to determine the levels of riskwhen assessing a risk they include threat, vulnerability, impact,likelihood and predisposing condition (NIST-Guide for Conducting Risk Assessments).
SystemDynamics (SD) risk model will be used to bring out the whole pictureof risk factors and their relationships and the major area of focuswill be on the sensitivity of the information systems in the systemdevelopment life cycle.
Theanalysis approach used was the integration approach which involvesbreaking down a problem into manageable and smaller parts for easyanalysis which basically means analyzing a system based on how andwhere it is operating in order to find out all the possible ways if athreat/attack can occur.
RISK ASSESSMENT FINDINGS
Athreat source can be defined as theintent and method targeted at the intentional exploitation of avulnerability or a situation and method that may accidentally exploita vulnerability. Theyinclude the following:-
Athreat event can be defined as anevent or situation that has the potential for causing Undesirableconsequences or impact.
Thefollowing threat events are associated with the threats sourcesabove:
Formal written Policy-If an employee does not perform tasks in accordance to the organization’s policy, then that is a security threat.
Background checks-if personnel performing background checks are not well trained or do not perform in depth checks, they may not be able to uncover a vulnerability which may cause a security breach.
User safety and response training-poorly trained staff may expose the system to various vulnerabilities if they enter wrong input data or if they are unable to perform basic debugging procedures in case of any data breach.
Updating-during data updating, the new data should leave the database in a consistent state, if the new data is corrupted, then the database becomes corrupted and is therefore needed to be restored.
Secure Software Configuration
Backups-If that backed up information is corrupted and is then introduced into an information system, it will corrupt the whole system.
Log File Analysis-Log files are used to store data transaction in case of a bad transaction that may render the transaction not obey the ACID properties.
Physical & Environmental Security-Environmental hazards like earthquakes and floods destroy the assets of a company hence rendering the company handicapped. This should not mean that the data stored should be lost, replication of this data over various stations would solve the problem.
Authentication & Access
Biometrics-Biometric systems should be configured to monitor the attendance of employee and record their entry and exit time, these systems are effective in ensuring that employees are working for the required amount of time. However, if this system in corrupted, then it may have far reaching consequences on the organization more so those that use these system to pay their employees.
Passwords and Tokens
Database Access Control-Access to sensitive data should be restricted to the authorized personnel only. Privileges are given to various levels of employees, thus enforcing accountability.
Server/Segment Access Control-Password to servers should be restricted to authorized trained personnel.
Firewalls / Router Security-Firewall is a layer that is responsible for preventing malware form running in your computer. A router is a device responsible for channeling data from a source to a destination by choosing the most effective route.
Intrusion Detection Systems-Intrusion detection systems like the IBM AppScan should be kept up to data so that they are able to detect and prevent new web vulnerabilities.
Integrity Checking-Integrity checking involves inspecting data to ensure that it is accurate and consistent.
Antivirus Protection-Installation of Antivirus software such as Kaspersky will protect the computer from potential malware.
Digital Certificates-A digital signature is a technique used to validate the originality of a document or message.
Virtual Private Networks (VPNs)-VPNs are used to provide Internet security using encryption over the Internet.
Database Encryption-Database encryption involves the encryption of data using encryption algorithms such as Advanced Encryption Scheme (AES).
Wireless Equivalency Protocol (WEP)-WEP is a wireless security method, it is however not recommended for use nowadays.
Pretty Good Privacy (PGP) E-mail-PGP is a program that provides security for emails through encryption and decryption of data using public and private keys.
Adequate Budget-A well-planned software product with adequate finances to maintain it is less vulnerable to attacks due to the frequent tests performed on it.
Effective Personnel Function-A united stuff with well-trained expertise is more productive and effective.
Contingency Planning-Any good plan must have a contingency plan. This is necessary for emergencies and in case of any eventuality or disaster, this make it a necessity, it is also essential for software maintenance continuity.
System Audit & Vulnerability Analysis-software products such as IBM AppScan have made vulnerability testing of web pages easy (SANS: READING ROOM, 2015).
Basedon the threat events and sources, the following findings arepresented:-
Insecure Direct Object Reference
Thisis the possible vulnerability that might have been exploited to allowthe attackers to access sensitive intelligent information used tosupport U.S diplomats. This application attack occurs when adeveloper exposes a reference to an internal implementation objectsuch as a directory or database key. Without an access control checkor other protection, attackers can manipulate these references toaccess unauthorized data (UNITEDSTATES COMPUTER EMERGENCY READINESS TEAM).
Theaspect of the chief of the bureau using his personal e-mail systemfor both official business purposes and for his own individual use istrying to repudiate himself from future evidence because he candelete official messages without being traced easily. (NIST.COMPUTER SECURITY DIVISION).
Sensitive Data Exposure
Sensitivedata deserves extra protection such as encryption at rest or intransit, as well as special precautions when exchanged with thebrowser. The software defect in BRI’s human resource system thatallowed users to view personal information of all employees is calledSensitive data exposure (CSOSecurity News).
Theteleworker who brought home a laptop containing classifiedintelligence information which was stolen during a burglary and neverrecovered had neither backed up his data on an online server or ahard disk, this vulnerability can be addressed by frequent backing upof important data and replication of the data at different sites soas to eliminate the chance of losing all the data at once, that is,spreading the risk.
Missing Function Level Access Control
The disgruntled employee of a contractor for BRI who disclosedclassified documents through the media and furthermore provided themedia with, among other things, confidential correspondence betweenU.S. diplomats and the President, that were very revealing exploitedthe missing function level access control vulnerability. This isbecause the system did not seem to have good personnel privilegesallowing unauthorized employees to access classified information.
Cross site scripting(XSS)
TheMalware that infected all of the computers in several foreignembassies causing public embarrassment, security risks for personneland financial losses to individuals, businesses and governmentagencies including foreign entities was as a result of Cross sitescripting XSS flaws occur whenever an application takes untrusteddata and sends it to a web browser without proper validation orescaping. XSS allows attackers to execute scripts in the victim’sbrowser which can hijack user sessions, deface web sites, or redirectthe user to malicious sites (Category:OWASP Top Ten Project).
Inaddition to the above possible vulnerabilities, the following wereextra findings:-
Identificationand Authentication Controls-Thepasswords were set to less than 8 characters in length, the useraccounts had no expiry dates and they had a single authenticationrealm.
AuthorizationControls-The agency configured multiple databases operating on a server to rununder one account,the use of one authentication credentials made the system vulnerablebecause anyadministrator with access to the account would have access to all ofthese databases potentially exceeding his/her job duties.
DataSecurity-Thedata stored in the Oracle databases was not encrypted hence making isreadable by anyone able to breach the security and access thedatabase entities. The data in transit too was protected by VPN butthat is not enough. Secure Socket Layer (SSL) security would havemade it more secure.
SystemSecurity-Wireless systems use the Wired Equivalent Privacy (WEP) standard forensuring secure transmission of data, this security system has provento be vulnerable and no longer recommended for wireless connections.System developers involved with financial systems are allowed todevelop code and access production code making it vulnerable toattacks. The less frequent scanning of devices also reduces theurgency with which vulnerability could be detected. Every softwareproduct needs maintenance but to the surprise, it was noted that theprocesses for the servers had not been documented. These managerswill not live forever and that someday the software would need to beupdated or debugged (SECTOOLS.ORG).
Physical Security- An unauthorized personnel was observed “tailgating” or closely following an official employee while entering a secure data center, this is dangerous both to the employees and the information system, the organization should have an eye detector with sophisticated automatic face recognition software that should be able to detect every person’s face at intervals and run them against those in its database for a match upon which it should flag an alarm if it fails to find one.
End User Security-The use of cloud system to store company data making it hard to access company data. Interval between which BRI has performed background investigations on employees who operate its intelligence applications. Actually, it has been conducted once upon initial employment. It was strange to also discover that they had no policy regarding the handling of unclassified information.
Thetable below shows the likelihood of occurrence of the vulnerabilitiesdiscussed above (NIST-Guide for Conducting Risk Assessments).
Table1 DETERMINATION OF LIKELIHOOD
LIKELIHOODOF THREAT EVENT INITIATION (ADVERSARIAL)
Table2 LIKEHILOOD OF THREAT EVENT INITIATION (ADVERSARIAL)
LIKELIHOODOF THREAT EVENT OCCURRENCE (NON-ADVERSARIAL)
Table3 LIKELIHOOD OF THREAT EVENT OCCURRENCE (NON-ADVERSARIAL)
LIKELIHOODOF THREAT EVENT RESULTING IN ADVERSE IMPACTS
Table4 LIKELIHOOD OF THREAT EVENT RESULTING IN ADVERSE IMPACTS
Table5 OVERALL LIKELIHOOD
Thetable below shows the possible magnitude of impact of thevulnerabilities discussed above.
Table6 DETERMINATION OF IMPACT
IMPACTOF THREAT EVENTS
Table7 IMPACT OF THREAT EVENTS
Riskisa measure of the extent to which an entity is threatened by apotential circumstance or event.
Beloware the tables that support my findings on risk determination.
Table8 ADVERSARIAL RISK
Table9 NON-ADVERSARIAL RISK
RISK ASSESSMENT RECOMMENDATIONS
Followingthe above findings on the vulnerabilities facing BRI, the followingwere the recommendations.
Security Awareness and Training Program
Asrealized earlier, security appears to be taken for granted, it isonly remembered when a security breach has occurred. This is notsupposed to be the case. Security should be incorporated at earlystages of system development and not treated as an afterthought, thiscan be achieved by creating security awareness and training programsthat aim at educating the public common users and even the employeeson the importance of security and the best practices that should beemulated to achieve the same. The system managers should also undergotraining to keep them up to date with the recent technologies andvulnerabilities that have come up so that they can be able to updatethe BRI system appropriately. They should also be made to understandthat they are expendable and should therefore document their work forfuture use when they will not be around. The training should also inenforcement of data and system security.
Privacy Protection Program
Theemployees, especially the system managers responsible for developingand maintaining the BRI system should be enlightened on theimportance of maintaining data privacy and made to understand that ifprotected data is leaked, then the consequences would be severe. Forinstance, the disgruntled employee of a contractor for BRI whodisclosed classified documents through the media this breach wouldhave been curbed by enforcing stringent Authorization Controls, theyshould always test their systems for defects in order to detect andprevent attacks like sensitivedata exposure(Category:OWASP Top Ten Project).
Business Continuity/Disaster Recovery Program
Everybusiness must have a contingency plan, this is what keeps businessesrunning. System managers should be able to develop systems that arerobust and easy to replicate and recover. There already existscompanies that offers such services like the Amazon Cloud Services,this is important because there is need for assurance that in case ofdata loss in one station there is a backup somewhere. It is alsoimportant that the sensitive data be backed up in secure servers soas to avoid third party service provider vulnerabilities. They shoulddevelop sophisticated systems that automatically save data at certainintervals and which are able to propagate updates to all the otherreplicas at different sites in real time. The managers should alsohave the habit of commenting their codes so as to make it easier forfuture reference for other developers to understand. They shouldalso, at every update, be able to document their work for futurereferences too.
Theserecommendations are crucial because currently, Internet is becomingmore and more popular, more and more transactions are being carriedout via the Internet, almost all of these transactions carryimportant information that would interest attackers/hackers. Thistherefore, calls for the use of the latest technology to securesensitive data. The recommendations are sufficient for the problemsaffecting the company’s information system security and the worldat large.
Youcan earn your customer’s trust if you are able to assure him theprivacy and security of his transactions, this therefore implies thatsecurity is at the heart of any business and agency success.
ADynamic Risk Model for Information Technology Security in a CriticalInfrastructure Environment. Retrieved23rdNov, 2015 fromhttp://www.johnsaunders.com/papers/riskcip/riskconference.htm
Category:OWASP Top Ten Project. Retrieved23rdNov, 2015 fromhttps://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CSOSecurity News. Retrieved 22ndNov, 2015 from http://www.csoonline.com/
HomelandSecurity News Wire. Retrieved 23rdNov, 2015 fromhttp://www.homelandsecuritynewswire.com/topics/cybersecurity
InfoSecurityWhite Papers Retrieved23rdNov, 2015 from http://www.infosecurity-magazine.com/white-papers/
InformationSecurity and Policy.Retrieved 23rdNov, 2015 fromhttps://security.berkeley.edu/services/ibm-appscan-web-application-vulnerability-scanning
ITAssessment Report – BRI Works
Retrieved23rdNov, 2015 fromhttps://bri.works/download/BRI_Works_IT_Assessment_Report_Sample.pdf.
NIST“Guide for Conducting Risk Assessments”Retrieved 22ndNov, 2015 fromhttp://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf.
NIST.COMPUTER SECURITY DIVISION (Oct 2015). Retrieved 22ndNov, 2015 from https://www.us-cert.gov/security-publications
Most-Common-WebSecurity-Vulnerabilities.Retrieved 23rdNov, 2015 fromhttp://www.toptal.com/security/10-most-common-websecurity-vulnerabilities
SANS:READING ROOM (2015). Retrieved 22ndNov, 2015 from http://www.sans.org/reading-room/
SECTOOLS.ORG.Retrieved 23rdNov, 2015 from http://sectools.org/tool/appscan/
UNITEDSTATES COMPUTER EMERGENCY READINESS TEAM. Retrieved 22ndNov, 2015 from http://csrc.nist.gov/publications/PubsSPs.html