1.Summarise the case study from Open Source, quoting the source references.
2.Produce a high-level security architecture.
3.Produce a risk assessment of the architecture and system, covering all of the assets, vulnerabilities, threat sources and threat actors.
4.Write a short summary report making recommendations that would have prevented the breach.
5.Exploring the key psychological motivations that could be used to explain the attack, discuss how aspects of Insider Threat could be used to explore/explain this attack. Include the possible Insider Threat ‘type’ that could be at work giving a clear rationale for this choice.
6.Design a security assurance architecture that would have prevented the data breach. Explain your architecture and its components.
7.Present a set of information security policies covering the system, to include overall security policies.
Background and Summary of the Case Study
The case study is on the organization Stasyure.co.uk Limited. This is an organization that works for providing holiday insurance to their customers online. The organization aims at offering best features regarding insurance to their customers. The data controller of the organization is a specialist with great knowledge about online travel insurance. There are multiple insurance products offered by these organization. This includes life, holiday, travel, health, home and car insurance towards the common people. The main problem faced by the organization is that, the organization failed to provide security towards the data of customer. This lead to data breach. In the year 2013, the data controller website detected an attack on JBoss Application Server. This server was the main controlling unit of the organization and thus created a huge problem. Due to the vulnerability within the organizations server the attacker took advantage of this situation and injected malicious java script webpage known as JspSpy within the data controller’s website. This lead to opening the server storing data related to customer by using and modifying web source command. This type of vulnerability was shown in the year 2010 also.
The organization assured that they will take preventive measures for ensuring safety. However the organiztaion failed again and the hackers used the vulnerability present within JBoss Application Server (Jovanovic and Harris 2016). The data controller did not took any measures for applying new updates so that the software working can be predicted. During the time of hacking, the database of data controller contained around 3 million customers record. The records contained specific details of every customer including card number, card CVV, expiry date of the card, postal address, email, date of birth and data regarding medical responses. This all the information needs highest confidentiality as with the use of card details the hacker can attack the customer’s financial condition. The organiztaion seems to be careless regarding the privacy that they need to provide towards their customer data. By the year 2008, the card details of customers were not even encrypted. At the end of 2008 the card details were encrypted. For attackers it became easy to gain details about the card details once after they gain control over data controller (Han et al 2015). The attackers even obtained details about the keys used for encrypting data and then the hackers used this for decrypting the payment card numbers and card credentials. After analysis on certain factors, it was decided by the organizations data controller to remove the CVV number of each customer’s card from the database. In the year 2012, they realised and generated policies fir removing the CVV number as soon as possible. However this task remained incomplete due to human errors. Around 110,096 live card details related to 93,389 customers were at risk in the time of attack. Every details were stored in the database when it got hacked. By the mid of 2012, new system was processed for performing customer transactions. Around 95 percent of total customer’s transaction took place with this new external system.
Importance of High-Level Security Architecture
The newly developed system removed the need of card data (Koeberl et al. 2014). However, the CVV of each card continued to be stored within the database for remaining 5 percent until the breach as being discovered. According to data protection act, it is important to maintain proper confidentiality towards every single data starred within the data controller. This becomes the responsibility of the organization to implement proper measures that will improve the data confidentiality (Dhasarathan, Thirumal and Ponnurangam 2015). ICO fined the organiztaion £175,000 after failing to provide proper IT security and letting the hackers to access the customer records. Around 5000 customer’s credit card was used by hackers. Apart from this the attackers ha the access to the customers medical details. The company failed to protect their customer details moreover according to rules no organization is allowed to store the details regarding card number, signature strips and security number.
With the implementation of high level security architecture the organization can prevent data breaches easily. There are two layers important for security architecture, that is the functional domain layer and the basic security layer. Security architecture helps in designing the artefacts that will ensure proper security controls within the designed system. The security countermeasures are related overall within the system architecture so well that it will serve the proper aim of maintaining the systems quality that incudes proper availability , integrity and confidentiality. It is important to implement a proper security architecture for the organization. As the breaches took place in the case study has effected millions of peoples and moreover the confidential data got effected. Thus, with this architecture the organization will be able to provide a proper security towards the data stored within the organization. The functional domain layer is developed in such a way that will verify the user domain proper before allowing them to access the system. Meter domain will help the organization to process their online transaction properly. Admin domain will help to manage and will keep an eye on each activity performed within the system. This will ensure proper working and will also look after the data stored related to each customer. This is important for the organization to make sure that the CVV and the card details don’t get saved within the system. There is no need of card details, as this will ensure the safety and will not harm the customer in case the company details get hacked in future.
Components of the Security Architecture
The basic security layer contains different components that are important for maintaining the proper security. This components are stored within the security kernel. This will include giving access to authorized people only. Network manager will be connected with each members and will monitor the activity of each customer and employee once they enter the system. Security storage is developed for providing security and will ensure that once the user gets verified than only they will be allowed to get the access. System management will look after the configuration of data and will ensure that proper data gets configured at each stage (Alshammari and Simpson 2018). With the help of a particular resource manager, the program within the system will get scheduled, processed, supervised and the references will get monitored. With the use of high level security architecture the company will be able to track any criminal activity and will increase the security at that instance itself. Thus it will be beneficial for the organization.
Sl. No. |
Risks associated with the security architecture |
Description |
Likelihood |
Impact |
1 |
Schedule Escalation |
In the given case study it can be seen that the need of security architecture |
4 |
5 |
2 |
Budget Escalation |
It is important to develop a proper model within the budget, so that it does not goes out of budget. |
4 |
5 |
3 |
Design Risk |
There are many risks faced while working with an online transaction site. This will affect the organization and also possess the capability of harming the customers associated with the organization (Goode et al. 2017). |
3 |
4 |
4 |
Managing the database |
While storing the information, it becomes important to ensure proper safety so that each details can be stored properly. |
2 |
4 |
5 |
Login validation |
There are chances of using someone else login details without their knowledge (Dhasarathan, Thirumal and Ponnurangam 2015). This possess the capability of harming the organization and will give the power in hacker’s hand. |
4 |
4 |
6 |
Inappropriate communication |
The main failure behind every organization is inappropriate way of communicating among the employees. |
3 |
5 |
7 |
Improper encryption |
This becomes important to have a proper encryption method with all the encrypted saved at a secured place. Giving access to the more people will increase the chances of risk. |
2 |
2 |
8 |
Details displacements |
The details stored within the organization needs to be stored properly in order to avoid unauthorized access (Dhasarathan, Thirumal and Ponnurangam 2015) . |
3 |
3 |
9 |
Proper resource allocation |
The resources stored within the security architecture needs to be properly allocated to different database based on their priority. |
2 |
5 |
10 |
Technical risk |
Technical risks includes failure in storing data or allowing the wrong person to access the system. |
3 |
3 |
Likelihood |
5 |
|||||
4 |
R 5 |
R 1 R 2 |
||||
3 |
R 8 R 10 |
R 3 |
R 6 |
|||
2 |
R 7 |
R 4 |
R 9 |
|||
1 |
1 |
2 |
3 |
4 |
5 |
|
Impact |
It is important to have proper IT policies that will provide better protection towards the data stored. Data breaches occurs due to several reasons. The sources can be someone from the organization or an external attacker. However the results of data breaches are very high and effects a large amount of peoples. In this organiztaion the hacker got the ability to access the customer’s data as the organiztaion failed to manage their vulnerabilities (D'Arcy, Herath and Shoss 2014). This gave them to access data and as the organiztaion stored every single details regarding each employee starting from the health conditions to the card details. In order to overcome this situation, it is important for the organiztaion to implement proper policies and rules that will prevent data breaches. Some ways of protecting the data from security breaches are as follows:
- Reducing the transfer of data: the organiztaion needs to implement measures that will not allow any employee to share their details stored in system to any hardware or other devices. The organiztaion should prevent use of external devices.
- Excluding the need of storing credential details: there is no need for the organization to store card number, or CVV of the card. Once the transaction is done every customers card details should be remove. With implementation of proper policies it becomes important to remove the need of CVV (Manworren, Letwat and Daily 2016). This will allow the system to provide security towards the customers so no one will be able to access the card details.
- Protection towards information stored: it is important to provide protection towards the information stored within the organization. Every details regarding the customers are sensitive. The organization Stasyure.co.uk Limited has stored many sensitive information including medical status, card details and CVV numbers (Cheng, Liu and Yao 2017). This information needs to be saved with highest confidentiality. No one should get the access to these personal information.
- Secure transfer: the organiztaion should provide a secure transfer to the products offered towards the customers.
- Proper password: it is important to have a proper password so that one can protect their details. Moreover the customer should not share their credential or password with other users. This facts are needed to be kept secret with proper security.
- Automate security: with the use of automating system, the password setting, server and firewall configuration will be able to maintain well. This will reduce the risk of effecting the sensitive information.
- Identifying threats: the security team needs to identify the threats at the first stage so that the attack can be minimized. Identifying threats and implementing preventive measures becomes very much necessary for better working of the organization.
- Tracking data: it is important to track each and every data flowing through the organization and have an eye on everyone’s action. Thus it is important to have a proper control over the data shared.
- Breach responses: it becomes important to have proper responses towards the problems faced by data breaching. The steps involves plan regarding each steps and how this can be prevented from next times.
- Define accessibility: accessibility are used to define the company’s sensitive information properly.
- Monitoring the point of data leakage: it becomes important to find the vulnerability within the system so that one can understand and repair the damages happened.
With the implementation of this strategies the organization Stasyure.co.uk Limited can overcome the problems. Data breaches is a major issue and needs to be solved on an urgent basis. This has the capability of harming a lot of people together (McIlwraith 2016). Thus with this strategies it will become easier to manage the data breaches activity within an organiztaion.
Behind every attacks taking place within an organization there is a reason that is related to psychological. Sometimes the employees within an organization seeks for revenge on the behaviour performed by their organisation against them. Attacks are performed with the aim to harm the organizations integrity and profit. However researches confirms that attacks are generally done in order to seek revenge or to satisfy the personal demands. In the given study a lot of people got effected with the data breaches that took place (Carlos Roca et al. 2013). The one who caused this breach was probably someone who wants to take a revenge by harming this organization. The main of every hacker is to harm the company as much as possible they never bother about the people associated with the organization. In order to take revenge they harm the common people associated with the organization. Even in this case study same happened, around 100,000 card live details were accessed by the hackers. However sometimes it is noticed that these attacks turns to be an insider attack. This is considered to be one of the biggest problem faced by an organization as it someone within the organization is involved in this attacks. Similarly in the given case study it can be seen that every card details including the CVV got viral. Thus, in such a situation it becomes important to identify the main intruder and eradicate such person from the system. Basically an insider is defined to someone who has the legitimate access towards the resources. This are someone who are being trusted completely and without any second thought. The company relies on an insider, thus it becomes difficult to understand and identify such insider (Bechler et al. 2014). It becomes important for an organization to have an insider who will be helpful towards the organization and will help in motivating the organization and will share knowledge that will be beneficial for the organization. The insider threats are important to understand this includes having a proper access towards the system role, threats from naïve insiders and traitors.
Risk Assessment of the Security Architecture
There are five types of insider threats are mainly responsible for 64 percent. Human risks are defined as more complex that simple mistakes. The type of insider treats are as follows:
Nonresponders: this are referred to the small percentage of employees that becomes careless at the time of awareness training. This type of people are generally gets attracted by the phishing campaigns and tends to harm the organization. Around 4.2 percent of people in every organization falls under such campaigns and harms the system (Siponen et al. 2014).
Insider conspiracy: this is referred t the act in which a group of people within an organization plans for an attack with someone external. This are rarest form of risks that involves insider. This will harm the organization as an insider has the full access over documents. 37 percent of incidents involved fraud cases. More than 24 percent of occurrences involved intellectual property theft (Soller et al. 2018). About 6 percent of incidents involved combined fraud and theft.
Careless insiders: one of the common threats takes place due to simple negligence and costs a huge risk. According to the analysis around 38 percent of insiders tried to impact the organization by using malicious links (Soomro, Shah and Ahmed 2016). Around 35 percent of risks are from external attempts by middle man.
Dissatisfied Employees: some employees are there who intentionally harms the theft to an intellectual property. The unhappy employees in an organization seek or revenge and start digging information.
This type of insider’s threats possess the capability of haring the organization. Thus, every organization should keep on motivating their employees and praise them for their handwork. Appreciation is the only key to keep the employees happy and satisfied. It becomes important to identify the psychology of every person needs to motivate them in a way that will bring growth towards the organization.
Information system security assurance architecture is important for preventing data breaching within the system. The important component of the security assurance architecture are security categorization, security control selection, security control documentation, refinement, monitoring, implementation, security control assessment and system authorization. In the security categorization stage the security categories are defined within the information system based on the potential impacts that are likely to have. Once the security category are defined it is transferred to security control selection where the minimum number of security controls are selected and are implemented within the system in order to provide protection. After these the control is passed on to the security control refinement. In this stage the risk assessment are used to adjust the minimum control based on the requirements and threats. Security control documentation is used further for planning the security within the system. This is used to provide an overview of the requirements needed for performing the security towards the developed system. Security controls get implemented in a new system and the configuration is being checked in the security control implementation stage. Security control assessment is for determining to which the security controls can be implemented within a system accurately. With the implementation of this architecture data breaching can be prevented within the organization. System authorization is used for determining the risks associated to the agency operations, assets or to an individual. In case the authorization is acceptable the system can be processed further without any problem. Security control monitoring will help in tracking the changes within an information system and this will affect the security controls.
Key Psychological Motivations and Insider Threats
Information security policy is referred to a set of rules that are needed to be followed by an organiztaion. This policy ensures that all information technology stored within an organization follows guidelines related to the security issues. This contains a statement or collection of statements regarding security. It is important to have a proper security guidelines that will protect the assets, company data, IT systems and many more. Information security should have the capability of reflecting the risk appetite and manages the executive association within the organization (Alzomai, AlFayyadh and Jøsan 2015). The aims is to provide proper security policies that will provide proper direction and values to the individuals within an organiztaion. Information security policies covers all the appropriate guidelines that will help the organisation to provide proper security. While implementing an information security policy it is important to keep in mind some rules. The policy needs to be implemented based on the organizations need. Once the main aim of security policy is identified within the organization it is necessary to implement them. With the help of security policies the organiztaion can protect the intellectual property by setting the guidelines for each employee’s responsibility (Xinlan, et al. 2016). Each employee must know the reason behind implementing this rules and should strictly follow these rules. The main motive behind security policies is to support the mission of organiztaion security. The security professional needs to be careful about the information shared within the organiztaion. Thus it is important to prepare guidelines based on the organizations missions. A sensitive approach is important so that it can fit into employee’s expectation. With a less sensitive security approach chances of risk increases. The key elements of an information system are scope of the implemented information system, the purpose of having this information system, the objectives of information security, proper classification of the data stored within the information system, access policy of this information system and session related to security awareness.
While implementing a proper information system policy it becomes important to have a clear objective of having the policy. The main purpose of creating an ISP is to have a proper approach towards handling the information system. This also ensures that all the rights and working done by the organization are ethically and legally correct. The three main objective that ensures proper implementation of information security , this are confidentiality towards the assets stored in the information systems and restricting the access to only authorized people, proper integrity will ensure accurate and intact storage of data, availability of the information system (Angst et al. 2017). The scope of having an ISP is to allow and address all the programs, data, facilities, systems and other tech infrastructure given to an organization by third party. With the implementation of ISP it is important to have a proper restricted set of users who will be allowed to access the business information. Moreover it becomes important to maintain a process that will help in detecting and will react towards the attacks faced by a server and will provide a possible remedy for overcoming this situation. Data classification is used for classifying each information stored within the system for better organization. This are divided into three parts, high risk class, confidential class and class public. High risk class includes the data that are protected by state and federal legislation and this are important to be taken a good care. Confidential class includes a class that does not comes under any law, however it becomes the responsibility to ensure their safety so that they can’t be accessed by unauthorized person. The public class contains the information that can be accessed by anyone freely and are allowed to be shared among group of people within an organization. The general data protection requires a proper firewall for protecting the system, proper encryption with proper authorized members, updated anti malware protection (Barman 2014). Once the policy is implemented it becomes important to aware each member with the security policy so the staffs can enjoy their working and acknowledge them for proper work in future. Appropriate utilization of IT system will help the usage of social networking.
Recommendations and Information Security Policies
The ISP that will help in proper management of the policies. This are as follows:
- Acceptable Use Policy [AUP]
- Access Control Policy [ACP]
- Information Security Policy
- Change Management policy
- Remote Access policy
- Incident response Policy
- Policy for disaster recovery
- Communication policy
- Business continuity plan
References
Alshammari, M. and Simpson, A.C., 2018. Towards an effective PIA-based risk analysis: An approach for analysing potential privacy risks.
Alzomai, M., AlFayyadh, B. and Jøsang, A., 2015, November. Display security for online transactions. In The 5th International Conference for Internet Technology and Secured Transactions (ICITST-2010
Angst, C.M., Block, E.S., D'arcy, J. and Kelley, K., 2017. When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches. Mis Quarterly, 41(3).
Barman, S., 2014. Writing information security policies. New Riders Publishing.
Bechler, M., Hof, H.J., Kraft, D., Pahlke, F. and Wolf, L., 2014, March. A cluster-based security architecture for ad hoc networks. In INFOCOM 2004. Twenty-third AnnualJoint Conference of the IEEE Computer and Communications Societies (Vol. 4, pp. 2393-2403). IEEE.
Carlos Roca, J., José García, J. and José de la Vega, J., 2013. The importance of perceived trust, security and privacy in online trading systems. Information Management & Computer Security, 17(2), pp.96-113.
Cheng, L., Liu, F. and Yao, D., 2017. Enterprise data breach: causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), p.e1211.
D'Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), pp.285-318.
Dhasarathan, C., Thirumal, V. and Ponnurangam, D., 2015. Data privacy breach prevention framework for the cloud service. Security and Communication Networks, 8(6), pp.982-1005.
Goode, S., Hoehle, H., Venkatesh, V. and Brown, S.A., 2017. USER COMPENSATION AS A DATA BREACH RECOVERY ACTION: AN INVESTIGATION OF THE SONY PLAYSTATION NETWORK BREACH. MIS Quarterly, 41(3).
Han, L., Song, Y., Duan, L. and Yuan, P., 2015. Risk assessment methodology for Shenyang Chemical Industrial Park based on fuzzy comprehensive evaluation. Environmental Earth Sciences, 73(9), pp.5185-5192.
Jovanovic, V. and Harris, J.K., 2016, May. Systems and software assurance—A model Cyber Security course. In Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2016 39th International Convention on (pp. 923-927). IEEE.
Koeberl, P., Schulz, S., Sadeghi, A.R. and Varadharajan, V., 2014, April. TrustLite: A security architecture for tiny embedded devices. In Proceedings of the Ninth European Conference on Computer Systems (p. 10). ACM.
Lowry, P.B. and Moody, G.D., 2015. Proposing the control?reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), pp.433-463.
Manogaran, G., Thota, C. and Kumar, M.V., 2016. MetaCloudDataStorage architecture for big data security in cloud computing. Procedia Computer Science, 87, pp.128-133.
Manworren, N., Letwat, J. and Daily, O., 2016. Why you should care about the Target data breach. Business Horizons, 59(3), pp.257-266.
McIlwraith, A., 2016. Information security and employee behaviour: how to reduce risk through employee education, training and awareness. Routledge.
Miyazaki, A.D. and Fernandez, A., 2014. Consumer perceptions of privacy and security risks for online shopping. Journal of Consumer affairs, 35(1), pp.27-44.
Norman, T.L., 2016. Risk analysis and security countermeasure selection. CRC press.
Parsons, K., McCormac, A., Butavicius, M., Pattinson, M. and Jerram, C., 2014. Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers & Security, 42, pp.165-176.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Prakash, M. and Singaravel, G., 2015. An approach for prevention of privacy breach and information leakage in sensitive data mining. Computers & Electrical Engineering, 45, pp.134-140.
Ralston, P.A., Graham, J.H. and Hieb, J.L., 2007. Cyber security risk assessment for SCADA and DCS networks. ISA transactions, 46(4), pp.583-594.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
Slovic, P., Finucane, M.L., Peters, E. and MacGregor, D.G., 2004. Risk as analysis and risk as feelings: Some thoughts about affect, reason, risk, and rationality. Risk analysis, 24(2), pp.311-322.
Soller, J.A., Eftim, S.E. and Nappier, S.P., 2018. Direct potable reuse microbial risk assessment methodology: Sensitivity analysis and application to State log credit allocations. Water research, 128, pp.286-292.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Wang, J., Gupta, M. and Rao, H.R., 2015. Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS quarterly, 39(1).
Wood, A., He, Y., Maglaras, L. and Janicke, H., 2017. A security architectural pattern for risk management of industry control systems within critical national infrastructure.
Xinlan, Z., Zhifang, H., Guangfu, W. and Xin, Z., 2016, December. Information security risk assessment methodology research: Group decision making and analytic hierarchy process. In Software Engineering (WCSE), 2010 Second World Congress on (Vol. 2, pp. 157-160). IEEE.
To export a reference to this article please select a referencing stye below:
My Assignment Help. (2021). Case Study On Stasyure.co.uk Limited: Security Architecture And Risk Assessment Essay.. Retrieved from https://myassignmenthelp.com/free-samples/ctec5802-cyber-threat-intelligence/online-travel-insurance.html.
"Case Study On Stasyure.co.uk Limited: Security Architecture And Risk Assessment Essay.." My Assignment Help, 2021, https://myassignmenthelp.com/free-samples/ctec5802-cyber-threat-intelligence/online-travel-insurance.html.
My Assignment Help (2021) Case Study On Stasyure.co.uk Limited: Security Architecture And Risk Assessment Essay. [Online]. Available from: https://myassignmenthelp.com/free-samples/ctec5802-cyber-threat-intelligence/online-travel-insurance.html
[Accessed 22 November 2024].
My Assignment Help. 'Case Study On Stasyure.co.uk Limited: Security Architecture And Risk Assessment Essay.' (My Assignment Help, 2021) <https://myassignmenthelp.com/free-samples/ctec5802-cyber-threat-intelligence/online-travel-insurance.html> accessed 22 November 2024.
My Assignment Help. Case Study On Stasyure.co.uk Limited: Security Architecture And Risk Assessment Essay. [Internet]. My Assignment Help. 2021 [cited 22 November 2024]. Available from: https://myassignmenthelp.com/free-samples/ctec5802-cyber-threat-intelligence/online-travel-insurance.html.