Standards Of Good Practice For Information Security And Evaluation Of Attack Trees In The Essay.

Part – A 
The ISF – Information Security Foundation, has developed SOGP – Standards of Good Practice (2011) Information Security model to support organizations in designing their approach to addressing information security and to give them a basis for identifying the key aspects of an information security programme. The ISF provides insights, best practice standards and tools, which address each aspect of the model to aid organizations in enhancing their information security environment.

Select an area / sub domain of controls from SOGP 2011.
Develop policy statements to capture above selected controls.
Propose strategic and execution plans (without timeline) to implement above policy in an organization.

Part – B 
Attack Trees are useful in understanding the security risk and vulnerabilities. Attack Tree is the graphical representation of possible security attacks. Assuming that you are designing your security infrastructure, draw the Attack Tree for securing your data against both stealing and destruction.
Briefly explain two possible attacks you have depicted in your Attack Tree. 

Selecting the sub-domain and area of controls from SOGP 2011

Analyzing the Information Security Foundation:

The Information Security Foundation has created Standards of Good Practice or SOGP. The model of Information Security has been supporting various companies to design the approach towards the denoting information security and provide the basis to identify the primary aspects of programs of information security (Safa, Von Solms & Furnell, 2016). Moreover, it has been providing insights and various practices if tools and standards are addressing every issue of the model to aid the business. This is to enhance the environment of information security.

2.1. Selecting the sub-domain and area of controls from SOGP 2011:

SOGP 2011 helps  to identify, manage, record and analyze the threats or incidents of securities in real-time. This has been seeking to provide the comprehensive and robust view of security issues under IT infrastructure. This has been ranging from identifying active threats to attempted intrusion and successful compromise or various data breaches (Moody, Siponen & Pahnila, 2018). The unauthorized access and policy violations to data like socials security numbers, financial, health and personally recognizable records the instances of security incidents. For the current task two sub-domains are selected. They are as follows.

• Security Awareness Messages
• Security Education / Training

2.2. Policy statements for capturing the above controls: 

2.3. Strategic and execution plans to deploy the policies for an organization: 

Security Awareness Messages:

The communications of security awareness has been including primary messages. This must include definition of information life-cycle. Instances of this include destruction, transmission, storages, processing and creation. This must also include risks to handle of various formats of data at various stages of the lifecycle. Further differences of various crucial data that requires integrity and availability must only be disclosed to different authorized individuals (Jouini & Rabai 2016). Apart from this threats related to users and the technologies and physical locations are included here. This also comprises of leakage of information, attacks of social engineering and corrupting of applications of information in desktop. Different behaviors and actions needed for users to address those threats has included rules of using blogging and social networking sites and becoming of social engineering attacks is a motive in this strategy.

Security Education / Training:

The training and education must be providing business users having skills required to be used correctly. The business applications have included enterprise software, commercial-off-shelf software and various desktop applications. The computer equipments and special necessities must include scanning devices, bar code readers, data capture appliances and monitoring tools. This must also include conferencing and telephony tools including videoconference and teleconference facilities along with online web-based collaboration (Andress, 2014).

Security Awareness Messages

The training and education to be provided to business users with skills require applying information security controls related to protecting. This has also included protection and creation of electronic files, classification and labeling data, eradicating unnecessary metadata from electronic documents, deleting unneeded information as not needed and separating personal data and business data. Various business applications like using templates apart from current documents for creating electronic documents and using validation routines to develop application related to spread-sheet are also included here. This has also included equipments and various access control mechanisms. This is also helpful to understand business environment, run projects that are security related, make communication effectively and undergo specialist security activities.

3. Evaluation of Attack Trees: 

Attack Trees are useful in understanding the security risk and vulnerabilities. Attack Tree is the graphical representation of possible security attacks. Assuming that you are designing your security infrastructure, draw the Attack Tree for securing your data against both stealing and destruction. Briefly explain two possible attacks you have depicted in your Attack Tree. The following diagram of Attack Tree provides a methodical process to describe the system security, from varying attacks (Al-Anzi, Yadav & Soni, 2014). Here, one primarily represents attacks against the system under a tree structure having their goals as the root node and various ways to achieve goals as the leaf nodes.

                                  Figure 1: “Attack model to understand information security as virus attacks a file”

                                                         (Source: Chechulin & Kotenko, 2015, page no: 701-704)

In the above tree diagram, two distinct attacks are identified. The first one is the risk the virus has been running as the administrator. Under this two circumstances can take place. The virus can exploit the root hole, or an admin can run this. As an administrator executes the virus, it can infect various programs. Besides, it can affect the install package. Apart from this the admin can download and run the infected coding (Shameli-Sendi,  Aghababaei-Barzegar & Cheriet, 2016).

Security Education / Training

The virus can block the rights of administrators, managing user accounts, disabling system restores and different kinds of misconfigurations and many more. For this reason, the antivirus becomes unable to run. This can happen in safe mode also. Moreover, the DDS utility cannot even be run. Here, the pop-ups can be absent. However, one can switch from guest account, and here all the changes get ignored or get denied. For this various symptoms can be there. The multiple windows services, internet sharing firewall security essentials, resorting of system and windows update can stop working. This can be seen as the user account is the only administrator account  no more widespread access to administrative service is found (Shropshire, Warkentin & Sharma, 2015). Moreover, the users become unable to download the files through internet browsers such as Firefox, Chrome, IE10. Here the virus check fails and then the file gets deleted. More the signing in option gets been unable to online accounts into YouTube, webmail, Facebook, Twitter. Moreover, the cookies are not accepted. The Google Chrome has been detecting malware and suggesting cleaning with essentials of Microsoft security (Kim, Yang & Park, 2014).  Besides, one cannot burn their DVD error messages, and the windows might be unable to get completely formatted.

However, the solutions tried are through scanning of a virus with Malwarebytes, Kaspersky and AVG antivirus that never avail. Each of them has been detecting and finding issues that are discussed above. Besides, the RDSSkiller scanned and seemed fixed cookies that are issued currently. Apart from this, the system restore has always been failing to replace those files (Gadyatskaya et al., 2016).

Secondly, as the virus is run as a regular user, it can be included in various infected programs and the user downloads and executes the infected open binary. As any bug occurs, in operating system and browser this kind of incident to takes place. Here the vulnerabilities never allow any non-admin processes for gaining rights of an admin (Pieters & Davarynejad, 2015). This is also assumed that the browser is a complicated part and not obtaining any reasons for the admin. Moreover, here the only right for the user has been for the user running the browser.

Further, as the user never root that in more profound, they might tick people through bypassing User Account Control or UAC or can use various exploits enabling them to break out of the attack vector of choice like OS, Java or Flash vulnerability (Chechulin & Kotenko, 2015). This is to run the shellcode having admin rights. Besides, a buffer overflow might also take place or any stick spray to run codes with system rights. It might be noted that the vulnerable code has been needed to run as system or service, admin and is merely possessing a vulnerability that never has any end run across the security.

Evaluation of Attack Trees

Conclusion:

The business contract of the given organization has possessed confidential information clause inserted to secure data. This is deemed to be sensitive and proprietary from any disclosure to third parties, which are unauthorised. The above report demonstrated the way in which information security can be laid out. It has addressed the complexities of securities. The study helps in encouraging a balance between business and protection. The attack tree illustrated and described provides the communication mechanism for analyzing security.

The information security model supports organizations to design the approach to address information security. Attack trees, on the other hand, are used to understand vulnerabilities and security risks.

The report has selected the sector of controls from SOGP 2011. Here, policy statements are developed for capturing above chosen controls. An execution and strategic plan are suggested here for deploying the policy for the organization.

Further, an attack tree is drawn here for securing data against destruction and stealing. Here two possible attacks are explained from the depicted Attack Tree.

References:

Al-Anzi, F. S., Yadav, S. K., & Soni, J. (2014, September). Cloud computing: Security model comprising governance, risk management and compliance. In Data Mining and Intelligent Computing (ICDMIC), 2014 International Conference on (pp. 1-6). IEEE.

Andress, J. (2014). The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.

Chechulin, A. A., & Kotenko, I. V. (2015). Attack tree-based approach for real-time security event processing. Automatic Control and Computer Sciences, 49(8), 701-704.

de Gusmão, A. P. H., e Silva, L. C., Silva, M. M., Poleto, T., & Costa, A. P. C. S. (2016). Information security risk analysis model using fuzzy decision theory. International Journal of Information Management, 36(1), 25-34.

Gadyatskaya, O., Jhawar, R., Kordy, P., Lounis, K., Mauw, S., & Trujillo-Rasua, R. (2016, August). Attack trees for practical security assessment: ranking of attack scenarios with ADTool 2.0. In International Conference on Quantitative Evaluation of Systems (pp. 159-162). Springer, Cham.

Hong, J. B., & Kim, D. S. (2016). Assessing the effectiveness of moving target defenses using security models. IEEE Transactions on Dependable and Secure Computing, (1), 1-1.

Hu, J., & Vasilakos, A. V. (2016). Energy big data analytics and security: challenges and opportunities. IEEE Transactions on Smart Grid, 7(5), 2423-2436.

Jouini, M., & Rabai, L. B. A. (2016). Comparative Study of Information Security Risk Assessment Models for Cloud Computing systems. Procedia Computer Science, 83, 1084-1089.

Kim, S. H., Yang, K. H., & Park, S. (2014). An integrative behavioral model of information security policy compliance. The Scientific World Journal, 2014.

Law, Y. W., Alpcan, T., & Palaniswami, M. (2015). Security games for risk minimization in automatic generation control. IEEE Transactions on Power Systems, 30(1), 223-232.

McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., & Pattinson, M. (2017). Individual differences and information security awareness. Computers in Human Behavior, 69, 151-156.

Moody, G. D., Siponen, M., & Pahnila, S. (2018). TOWARD A UNIFIED MODEL OF INFORMATION SECURITY POLICY COMPLIANCE. MIS Quarterly, 42(1).

Pieters, W., & Davarynejad, M. (2015). Calculating adversarial risk from attack trees: Control strength and probabilistic attackers. In Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance (pp. 201-215). Springer, Cham.

Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53, 65-78.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & security, 57, 14-30.

Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers & Security, 49, 177-191.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), 217-224.