Discuss the security issues of a prospective organization and the related risk assessment.
In the following report, a risk assessment has been provided by a security consultant to the Kestrel building company. The report assesses the risks facing the organization as it stands and presents the risk factors alongside the assessment. Recommendations for addressing the security risks are given, and the report also takes into account the impact analysis and the response plan. The risk assessment approach is set out by identifying the participants, the techniques and the risk model. The system is characterized by assessing its technology components, physical locations, data and users. The report then gives a vulnerability statement and a threat statement, and closes with the results of the risk assessment.
The purpose of the report is to understand the security issues of a prospective organization and the related risk assessment. The report also describes the methods by which those risks can be addressed.
Scope of the report
The scope of the report is to give other companies a clear picture of the risk factors of an organization and of the methods by which those risks can be assessed and addressed.
Recommendations
Packet filtering firewalls work at layer 3 (the network layer) of the OSI model and are the most basic type of firewall. Packet filtering means defining which packets are allowed through the firewall on the basis of header fields such as source and destination address, protocol and port. Packet filtering firewalls are commonly built into routers and provide an interface for specifying the filtering rules (Pettit et al. 2013). The protection they give is considered weak: the rules are static and have no notion of connection state, so a company such as Kestrel can only block the attacks its administrators already know about and have written rules for.
A proxy service firewall sits between the Internet and the internal computer network and acts as an intermediary for both sides. With a proxy service in place at Kestrel, employee laptops do not connect directly to systems outside the company (Bahr, 2014). Instead they connect to the proxy server, which in turn connects to the external system on behalf of the employee's machine, thereby hiding the internal IP address of the Kestrel employee. Any responses from outside are received by the proxy service, which passes them back to the employee that originally requested the information. Proxy firewalls come in two basic forms. A circuit-level gateway operates at the session layer of the OSI model to verify that all sessions are legitimate. An application-level gateway works at the OSI application layer to control traffic for specific protocols such as SNMP, FTP and HTTP.
Stateful inspection firewalls work at the OSI network and transport layers and combine features of both packet filtering and proxy server firewalls. These dynamic packet filtering firewalls examine packet header data but also monitor sessions to ensure they are legitimate, keeping a state table for every connection. Each packet received by the firewall can therefore be viewed in the context of the traffic that preceded it, which lets packets that do not belong to any established connection be caught and blocked by consulting the state tables (Akiyama et al. 2014).
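To make the difference between the two approaches concrete, the following is an added Python example; it is not part of the original report and is not Kestrel's configuration. It applies a stateless packet-filter rule set and a stateful filter to a constructed sequence of packets. The internal prefix 10.0.0.0/24, the addresses, the rule set and the traffic are assumptions for illustration. The stateless rule "allow inbound if ACK is set and the destination port is high", a common way of approximating replies without keeping state, lets a forged ACK packet aimed at an internal RDP port through; the stateful filter rejects it because no matching connection exists in its state table.

```python
"""Stateless packet filtering versus stateful inspection on constructed packets.

Added example; the addresses, rule set and traffic are assumptions for
illustration, not Kestrel's real configuration.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumed internal network (10.0.0.0/24)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(p: Packet) -> bool:
    """A static layer-3/4 rule set with no memory of earlier packets.

    Rule 1: anything originating inside may go out.
    Rule 2: inbound traffic is allowed only if it looks like a reply,
            i.e. ACK is set and the destination is a high port.
    Rule 2 is the classic weakness: any outsider can set ACK on a packet.
    """
    if is_internal(p.src):
        return True
    return "ACK" in p.flags and p.dport >= 1024


class StatefulFilter:
    """Tracks connections initiated from inside and admits only their replies."""

    def __init__(self) -> None:
        # state table keyed by (inside ip, inside port, outside ip, outside port)
        self.table = set()

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):            # new outbound connection
                self.table.add(key)
            elif "RST" in p.flags or "FIN" in p.flags:   # teardown from inside
                self.table.discard(key)
            return True
        # inbound: allowed only if it belongs to a connection we started
        return (p.dst, p.dport, p.src, p.sport) in self.table


def evaluate(packets):
    """Return, per packet, the (stateless, stateful) decisions."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]


# Constructed traffic: a legitimate HTTPS handshake followed by a forged
# inbound ACK packet aimed at RDP (3389) on the same workstation.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"})),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"ACK"})),
    Packet("198.51.100.7", 80, "10.0.0.5", 3389, frozenset({"ACK"})),  # forged
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE_TRAFFIC, evaluate(SAMPLE_TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{sorted(pkt.flags)}  stateless={stateless} stateful={stateful}")
```

The first three packets pass both filters; the fourth passes the stateless filter but is dropped by the stateful one, which is exactly the gap that stateful inspection closes.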
Kestrel can also make use of routers, which are devices used to connect different network segments. These devices work at the OSI network layer. Routers work by examining each received packet and using algorithms together with routing tables to determine the best path for the data to reach its final destination. They essentially form the backbone of the Internet that Kestrel accesses (Lewis, 2014). Routing tables are either maintained manually by the administrator as static routes or updated dynamically by routing protocols such as OSPF (Open Shortest Path First), EIGRP (Enhanced Interior Gateway Routing Protocol), IGRP (Interior Gateway Routing Protocol) and RIP (Routing Information Protocol).
The administrators of Kestrel have a great deal to consider when working out how to protect the network from security threats. First and foremost, data transmitted over a wireless network is not confined to the cabling inside the building (Lave, 2013); it travels through the air. This means that a device within radio range can reach the network without passing through the perimeter firewall, so an employee using a wireless device can potentially bypass the firewall that Kestrel relies on.
Wi-Fi Protected Access (WPA) is the improved wireless encryption and authentication standard. WPA encrypts data with the RC4 stream cipher, using a 128-bit per-packet key and a 48-bit initialization vector, with keys that change while the network is in operation (Ksiezopolski et al., 2014). WPA is considered considerably more secure than the WEP standard, though it has itself been superseded by WPA2, which should be preferred wherever the access points support it. Most wireless access points also provide MAC address filtering, accepting data only from devices whose MAC address appears on a trusted list, which can be used to check that a device used at Kestrel is on the approved list (Haimes, 2015). MAC filtering is a weak control on its own, however: MAC addresses are transmitted in the clear and are easily forged, and the ability to spoof the MAC address of many systems increases the chance that a malicious system can be made to pass as a trusted one.
Switches normally work at layer 2, the data link layer, of the OSI model, although newer models now also operate at the network layer (Brindley, 2017). Each port on a switch is a separate collision domain, which makes switches much more efficient than hubs, where all ports share one collision domain (data for a particular client is broadcast on all hub ports, not only the port to which the destination client is attached). Forwarding is based on the MAC addresses of the devices attached to the switch.
As with routers, administrative access to switches must be controlled with strong passwords, and encrypted management protocols must be used when they are accessed remotely.
Routers include some security in the form of Access Control Lists (ACLs), which drop packets on the basis of packet filtering, stateful inspection and pre-defined rules (Thalmann and Manhart, 2013).
Kestrel needs to keep in mind that the routers providing Wi-Fi have security flaws of their own, involving their configuration options and remote access. It is therefore recommended that Kestrel enforce a strict password policy and use encrypted connections when logging into a router remotely (Rausand, 2013).
Kestrel can also use Intrusion Detection Systems (IDSs), which are designed to inspect network data in real time and raise an alert, or in the case of an intrusion prevention system block the traffic, when unauthorized activity is detected (Reed, 2015).
Network-based intrusion detection is a type of IDS that monitors the flow of packets on a network and identifies packets that have slipped past the firewall. Packets are compared against databases of known attack signatures and blocked if a match is found. Network-based IDS has a few weaknesses. An IDS can only monitor one segment of a network, raising the likelihood that unauthorized activity elsewhere is missed (Haimes, 2015); to avoid this problem, network-based IDSs are usually placed at the entry point to a network, for example just inside or just outside the firewall. The IDS also depends on its signature database and is only as good as that database, and not every threat can be recognized by a particular signature, so some attacks will be missed.
Host-based intrusion detection involves running special software on every server on the network, which gathers usage and performance data such as disk and file access, CPU usage and user-specific activity. This data is sent to the IDS, where it is collected and analysed to recognize activity patterns known to be associated with unauthorized activity (Chen and He, 2013). Such systems can also recognize when activity deviates considerably from the normal baseline. When a problem is identified an administrator is alerted so that it can be investigated. Host-based IDSs work well on small networks but generally have trouble scaling up to larger enterprises (Min et al., 2015).
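The two detection styles described in the preceding paragraphs, signature matching for a network-based IDS and baseline deviation for a host-based IDS, are shown side by side in the following added Python example. It is not part of the original report or of any IDS product: the signature rules, the HTTP payloads and the CPU samples are constructed for illustration. The second payload is the same SQL injection as the first with the whitespace replaced by an inline comment, which the signature misses; that is the limitation of signature databases noted above.

```python
"""Signature matching (network IDS) and baseline deviation (host IDS).

Added example on constructed data; the signatures, payloads and CPU
samples are illustrative assumptions, not Kestrel's real traffic.
"""
import re
from statistics import mean, pstdev

# Constructed signature database: rule name -> pattern over the raw payload.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "webshell-cmd-param": re.compile(rb"(?:\?|&|\s)cmd=", re.IGNORECASE),
}


def match_signature(payload: bytes):
    """Return the first matching signature name, or None if nothing matches."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


# Constructed request payloads. The second is an evasion of the first:
# 'UNION/**/SELECT' has no whitespace, so the \s+ signature does not fire.
SAMPLE_PAYLOADS = [
    b"GET /item?id=1 UNION SELECT password FROM users HTTP/1.1",
    b"GET /item?id=1 UNION/**/SELECT password FROM users HTTP/1.1",
    b"POST /uploads/x.php?cmd=whoami HTTP/1.1",
    b"GET /index.html HTTP/1.1",
]


def baseline_threshold(samples, k=3.0):
    """Upper bound of 'normal': mean plus k population standard deviations."""
    return mean(samples) + k * pstdev(samples)


def anomaly_flags(baseline, observations, k=3.0):
    """Host-IDS style check: flag each observation that exceeds the baseline."""
    limit = baseline_threshold(baseline, k)
    return [(value, value > limit) for value in observations]


# Constructed CPU-utilisation samples (%) for one server during a quiet week,
# followed by three new readings; 95% is well outside the learned baseline.
BASELINE_CPU = [12, 15, 11, 14, 13, 16, 12, 14]
NEW_CPU = [14, 17, 95]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(f"{str(match_signature(payload)):20s} {payload[:45]!r}")
    for value, flagged in anomaly_flags(BASELINE_CPU, NEW_CPU):
        print(f"cpu={value:3d}% anomalous={flagged}")
```

The anomaly check catches the 95% reading without any signature, which is the complementary strength of host-based monitoring; in return it says nothing about what the unusual activity is, so the alert still has to be investigated by an administrator.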
A wide range of tools is available for monitoring networks and diagnosing problems. Kestrel should use tools such as ifconfig/ipconfig, netstat, nslookup, traceroute and ping (Liu et al., 2016). These tools all help to establish whether a problem exists on the network and where it is located.
SNMP, the Simple Network Management Protocol, works at the application layer of the OSI model and is designed to collect statistics from devices connected to a TCP/IP network. The SNMP framework consists of three components: the SNMP managed node, the SNMP agent and the SNMP network management station (Alfonsi et al. 2013).
The SNMP agent runs on network devices and transmits data to the management station. SNMP version 1 is considered insecure, since its only credential is a community string sent in cleartext; version 2c still relies on community strings, while version 3 adds proper authentication and encryption, so version 3 should be used wherever the devices support it. Kestrel can benefit from adopting SNMP to collect statistics on the devices in its network.
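To show concretely why SNMPv1 is considered insecure, the following added Python example decodes a hand-constructed SNMPv1 GetRequest exactly as anyone sniffing the management traffic could. It is not code from the original report or from any SNMP library; the frame (a GetRequest for sysDescr.0 with community "public", request-id 42) is constructed for illustration, the audit findings are this example's own labels, and only the community-based v1/v2c message format is parsed.

```python
"""Decode an SNMPv1 GetRequest to show what an eavesdropper sees.

Added example; the frame below is constructed by hand (a GetRequest for
sysDescr.0 with community 'public'), not captured from Kestrel's network.
Only the BER subset SNMP uses (definite lengths, short or long form) is handled.
"""

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {b"public", b"private"}   # vendor defaults an attacker tries first


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length


def decode_oid(value: bytes) -> str:
    """BER OBJECT IDENTIFIER: first byte packs the first two arcs, rest base-128."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp_message(frame: bytes) -> dict:
    """Parse the community-based (v1/v2c) message wrapper and its PDU."""
    tag, body, _ = read_tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, version, pos = read_tlv(body, 0)          # INTEGER version
    name = VERSION_NAMES.get(int.from_bytes(version, "big"), "unknown")
    if name != "v1" and name != "v2c":           # v3 has a different wrapper
        return {"version": name, "community": None, "pdu_tag": None,
                "request_id": None, "oids": []}
    _, community, pos = read_tlv(body, pos)      # OCTET STRING community, in clear
    pdu_tag, pdu, _ = read_tlv(body, pos)        # 0xA0 = GetRequest-PDU
    _, request_id, p = read_tlv(pdu, 0)
    _, _error_status, p = read_tlv(pdu, p)
    _, _error_index, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, varbind, q = read_tlv(varbinds, q)
        _, oid, _ = read_tlv(varbind, 0)
        oids.append(decode_oid(oid))
    return {"version": name, "community": community, "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(request_id, "big"), "oids": oids}


def audit(frame: bytes) -> set:
    """Findings an auditor would raise on a captured management frame."""
    msg = parse_snmp_message(frame)
    findings = set()
    if msg["version"] in ("v1", "v2c"):
        findings.add("cleartext-community")      # the only credential is readable
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.add("default-community")        # vendor default, trivially guessed
    return findings


# Constructed frame: SNMPv1 GetRequest, request-id 42, for 1.3.6.1.2.1.1.1.0.
SNMPV1_GET = bytes.fromhex(
    "3029"                  # SEQUENCE, 41 bytes
    "020100"                # INTEGER 0 -> SNMPv1
    "04067075626c6963"      # OCTET STRING "public"
    "a01c"                  # GetRequest-PDU, 28 bytes
    "02040000002a"          # request-id 42
    "020100" "020100"       # error-status 0, error-index 0
    "300e300c0608"          # VarBindList / VarBind / OID header
    "2b06010201010100"      # 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                  # NULL value
)

if __name__ == "__main__":
    print(parse_snmp_message(SNMPV1_GET))
    print(sorted(audit(SNMPV1_GET)))
```

Nothing in the frame is encrypted or authenticated: whoever can read it can reuse "public" (and, with a SetRequest and a writable community, reconfigure the device), which is why v3 with authentication and privacy is recommended above.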
Participants
In the risk assessment, the participants are the prospective employees of Kestrel. The company has five major centres around the country, in Darwin, Perth, Brisbane, Melbourne and Sydney, and to conduct the risk assessment properly the participants from these five separate sites need to be interviewed. Personnel from the different departments of the company need to be assessed to gain insight into the risk factors the company is facing. The participants from the Sydney and Melbourne sites should be given more emphasis because of the heritage design of those buildings; as the Brisbane, Perth and Darwin centres have adopted the newer Kestrel infrastructure design, their participants rank lower in the risk assessment approach. Members of the general staff, mid-level management and senior management also need to be assessed to identify risk factors.
Techniques
Kestrel can adopt the following techniques to conduct the risk assessment of the organization properly. First, the company needs to identify the threats and hazards specific to the organization (Kuo, 2015). Next, the hazards related to the infrastructure need to be assessed. In Kestrel's case, the company uses two infrastructures for its business: the Melbourne and Sydney offices use the old heritage infrastructure, whereas the Brisbane, Perth and Darwin offices use the latest Kestrel infrastructure design with enhanced features. The hazards in the areas surrounding the Kestrel sites need to be identified as well. Next, the relative severity of each hazard needs to be determined (Wu et al. 2014), and the frequency of the threats estimated together with their potential impacts. Kestrel also needs to estimate its vulnerability to the threats and hazards, assessing the effect of the vulnerabilities on the environment, property and operations of the company. Kestrel then needs to develop strategies for dealing with the identified threats, with proper methods for preparing for, responding to and recovering from threats that could affect the business processes of the whole organization. If a risk is too great for the company to handle, Kestrel can transfer the risk or accept it outright as part of risk mitigation. The risks should be assessed by reviewing feedback from members of the different departments. The technical systems also need to be assessed for vulnerabilities, including whether the third-party vendor is providing the yearly security updates promised at implementation.
Risk model
To counter the identified risks, Kestrel can make use of the loss distribution approach (LDA). This method is used by many companies to compute risk with the help of standard algorithms (Sadgrove, 2016). Kestrel can use this risk model to model operational risk losses separately and quantify them. The data from the major centres can in this case be considered under ILD (internal loss data), ELD (external loss data), BEICF (business environment and internal control factors) and SA (scenario analysis). Confidential data is stored on Linux servers and on legacy systems in some of the company's offices. Some offices also use laptops running Windows 7, for which mainstream support ended in 2015. Security risks are also inevitable because the company uses only basic two-factor (token plus password) authentication. The risk model needs to incorporate the changes in operational processes, the control processes and the risk appetite levels (Stiglitz and Kaldor, 2013). ELD can be used to assess the business lines at risk or to estimate the loss experience of potential competitors; it does not, however, provide an appropriate mechanism for determining the organization's own risk profile. Business environment and internal control factors can be assessed by analysing Kestrel's management system. The way it controls five different offices in different cities is bound to have vulnerabilities that can be identified with the LDA risk model (Zhu and Lee, 2016).
Next, event type segmentation needs to be considered. As Kestrel has a number of operational activities, a granular risk factor assessment will give insight by product type, process, business line and resource (Wang et al., 2013). The risk types that can be identified with this risk model are internal and external risks; employment practice and workplace safety; client business processes and products; disasters and the safety of people; failures due to technology and infrastructure; execution, delivery and process management; and malicious damage.
The risk severity is then analysed on the basis of the segmentation. Risk severity measures the economic impact of a risk (Brink, 2017). The loss distribution is built against four criteria: it must be realistic, well specified, flexible and simple.
The loss frequency is then measured and the interrelationships between losses are correlated. With this risk model, Kestrel will be able to properly evaluate the risks associated with the operational structure of the business.
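The LDA steps just described (segment by event type, estimate a frequency and a severity for each, combine them into an annual loss distribution, and read off expected and unexpected loss) are carried out in the following added Python example by Monte Carlo simulation. It is not from the original report or from Kestrel's loss data: the event types, event rates, median losses and dispersion parameters are assumptions chosen for illustration, and the aggregation treats the event types as independent, which is a simplification of the loss interrelationships the text says must be correlated.

```python
"""Loss distribution approach (LDA) by Monte Carlo, as an added example.

The event types, frequencies and severities below are assumptions chosen
for illustration; they are not figures from Kestrel's loss data.
"""
import math
import random


def poisson(lam: float, rng: random.Random) -> int:
    """Sample an event count for one year (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(freq_lambda, sev_mu, sev_sigma, years=20000, seed=1):
    """One event type: Poisson frequency, lognormal severity per event.

    sev_mu is the log of the median single-event loss. Returns the list of
    simulated annual aggregate losses, one entry per simulated year.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = poisson(freq_lambda, rng)
        totals.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n)))
    return totals


def summarize(totals, quantile=0.999):
    """Expected loss, value-at-risk at the quantile, and unexpected loss (VaR - EL)."""
    ordered = sorted(totals)
    idx = min(len(ordered) - 1, int(quantile * len(ordered)))
    expected = sum(ordered) / len(ordered)
    return {"expected_loss": expected,
            "var": ordered[idx],
            "unexpected_loss": ordered[idx] - expected}


# Assumed segmentation by event type: (events per year, median loss, log-sigma).
EVENT_TYPES = {
    "technology and infrastructure failure": (2.0, 20_000, 1.0),
    "execution, delivery and process management": (4.0, 5_000, 0.8),
    "malicious damage": (0.3, 150_000, 1.2),
}


def portfolio_losses(event_types=EVENT_TYPES, years=20000, seed=1):
    """Aggregate annual losses across event types, assuming independence
    (a simplification: correlated losses would need a joint model)."""
    combined = [0.0] * years
    for i, (lam, median, sigma) in enumerate(event_types.values()):
        per_type = simulate_annual_losses(lam, math.log(median), sigma, years, seed + i)
        combined = [a + b for a, b in zip(combined, per_type)]
    return combined


if __name__ == "__main__":
    for name, (lam, median, sigma) in EVENT_TYPES.items():
        s = summarize(simulate_annual_losses(lam, math.log(median), sigma))
        print(f"{name:45s} EL={s['expected_loss']:>10,.0f}  VaR99.9={s['var']:>12,.0f}")
    s = summarize(portfolio_losses())
    print(f"{'portfolio':45s} EL={s['expected_loss']:>10,.0f}  VaR99.9={s['var']:>12,.0f}")
```

The expected loss is what should be budgeted for each year; the gap between it and the 99.9% value-at-risk is the unexpected loss that the risk appetite has to cover, transfer (insurance) or reduce through controls. Changing the assumed frequency of an event type is how a planned control is reflected in the model.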
Technology components
The technology components are located in Melbourne, where the IT team is based. High-end desktop workstations and servers are used, and employees are provided with their own laptops. Dell supplies the hardware, and the company has an agreement with Dell to replace all existing systems with newer equipment every three years, with enterprise-level upgrades every four years. Kestrel uses Windows Server 2003, which reached end of support in 2015. The Linux servers run Fedora, Red Hat, CentOS, Ubuntu and SUSE. The workstations run Fedora, Ubuntu, Mac OS X, Windows 8 and Windows 7. The laptops used by employees all run Windows 7 and 8, and personally purchased MacBooks are also used in the organization. The server rooms are secured with a keypad mechanism. Personal information is stored on one level, other information on level 3 (mainly in the Melbourne and Sydney offices), and the company's confidential data on level 8. All the critical data of the company is stored in the Brisbane data centre.
Wi-Fi networks are provided in the Sydney and Melbourne data centres to mirror the wired connections. Visitors to the data centre are given limited Wi-Fi access through a token that allows access for a maximum of 24 hours (Rhodes-Ousley, 2013); the secretarial staff are responsible for issuing the tokens. Every member of the management team has an IP camera and a mobile used for communication between office members. The company manages its websites in house, but the company homepage is maintained by a third party that provides regular updates to functionality and content.
Physical locations
Kestrel has five centres in Australia. The two centres in Melbourne and Sydney are heritage buildings and the oldest of the group. The Brisbane, Perth and Darwin centres are much more recent and use infrastructure designed by Kestrel.
In the Melbourne and Sydney centres, the office is divided into four departments: the local food supplier, the customer service and finance department, the design department and the construction department. A card activation and security check is conducted on the ground floor, where all the details of a visitor are checked. The departments on the second, third and fourth floors are all managed with the help of an IP-based mobile. Air conditioning is present on the third and fourth floors, where all the servers are located. The customer service and finance department is on the second floor, the design department on the third floor and the construction department on the fourth floor.
Data
On level 4 of the Sydney and Melbourne offices the confidential data is secured, and other information is secured on level 3. The data is kept in the server room, which is secured with keypad locks. Data backups are kept in the Brisbane centre and other data centres. Data is transferred and accessed over the company Wi-Fi service, and even guest users are given access to the data for a period of 24 hours by way of a token. The company's website data is held on the in-house server, but the homepage data is handled by a third-party service provider, which is also responsible for providing the company with monthly updates to functionality and content.
Users
The users of the organization are senior management (about 10%), mid-level management (around 20%), IT staff (around 10%) and general staff (around 60%). In the Melbourne and Sydney offices the users come from the finance and customer service department, the design department and the construction department; in the Brisbane, Darwin and Perth offices they come from the finance, construction and customer service departments. The IT team, based in Melbourne, also falls into this category. The central data store in Brisbane has its own set of users. The users also include the members of the HR department, which runs the recruitment process, and the staff who manage the company websites.
Vulnerability statement
Because Kestrel uses basic two-factor authentication to control server access in the Melbourne office, the company is constantly exposed to data misuse through stolen credentials or cyber-attacks. Automated attacks can now capture or guess the one-time codes and passwords used for two-factor authentication (Harrop and Matteson, 2015), so the second factor should not be relied on alone and code entry must at least be rate-limited. The company also needs proper physical security in the server areas to keep this vulnerability under control. The Wi-Fi network is another vulnerability that needs to be assessed: the company needs to prevent guest users from reaching the internal network, since the token issued to guests stays active for around 24 hours, which is ample time for an attacker to carry out malicious activity. Logins and passwords can be captured by attackers, as research tests have demonstrated. Proper data security is still not in place in the company, which is a major vulnerability (Banti et al. 2017).
Threat statement
The company faces an impending threat from the aged legacy system it uses. The accounting system is already outdated, and with the rise of modular, single-dashboard accounting software Kestrel needs to upgrade its system to stay competitive. As with the Brisbane servers, the company needs to put the servers in its Melbourne and Sydney offices on a more secure footing (Takagi et al., 2015). The data the company handles is confidential and must be kept away from ordinary employee access as far as possible. Insider threat is a real issue that Kestrel has to recognize, and the company needs to separate its employee departments from its core IT department. To reduce the threat from malware and malicious applications, the Windows 7 laptops should be upgraded to a currently supported version of Windows as soon as possible. Up-to-date firmware and microcode are also necessary after the recent discovery of the Spectre and Meltdown vulnerabilities (Pearce et al., 2013). The company also needs to screen the MacBooks that employees are allowed to bring in from outside. Many cyber threats can be reduced by these measures.
Risk assessment results
After assessing the risks, it can be stated that Kestrel has to manage its technical issues properly. The company has chosen its technologies well, but their implementation is far from perfect. The company has to address the risks posed by the Wi-Fi network and guest users. It needs to leave its aged legacy system behind and bring its different offices under one control (Bojanc and Jerman-Blažič, 2013); business modules are necessary for Kestrel. The company also needs to roll out the same infrastructure to its older offices in Sydney and Melbourne. The risk assessment further revealed several flaws in the authentication system that Kestrel needs to analyse, as well as flaws in the operating systems in use and the threat from external PCs. Risk from external recruitment is also possible, and the company should select an insider to conduct the final placement in the IT department (Hoffmann et al. 2016). The assessment also revealed the threats that can come from the third-party service provider that Kestrel uses to render its main webpage.
Conclusion
To conclude, the risk model described needs to be adopted by Kestrel to initiate appropriate procedures for addressing the issues. The risk assessment approach has been set out in terms of participants, risk model and techniques. The technology components, physical locations, data and users of the scenario have been assessed to determine the associated risk factors. Finally, a vulnerability statement and a threat statement have been provided, and the results of the risk assessment are given at the end of the report.
Kestrel needs to follow the recommendations in this report to address the vulnerabilities and threats it faces. The company needs to assess and identify its risks properly in order to manage them appropriately in the future.
References
Akiyama, Kazuhito, Akira Ohkado, Yukihiko Sohda, Masami Tada, and Tadashi Tsumura. "Anomaly detection to implement security protection of a control system." U.S. Patent 8,726,085, issued May 13, 2014.
Alfonsi, A., C. Rabiti, D. Mandelli, J. Cogliati, and R. Kinoshita. "Raven as a tool for dynamic probabilistic risk assessment: Software overview." In Proceeding of M&C2013 International Topical Meeting on Mathematics and Computation. 2013.
Bahr, Nicholas J. System safety engineering and risk assessment: a practical approach. CRC Press, 2014.
Banti, Edward T., Frank Byrum, Mayerber L. Carvalho Neto, James R. Knibb, Palash Biswas, and Christopher Barnes. "Protecting content from third party using client-side security protection." U.S. Patent 9,756,080, issued September 5, 2017.
Bojanc, Rok, and Borka Jerman-Blažič. "A quantitative model for information-security risk management." Engineering Management Journal 25, no. 2 (2013): 25-37.
Brindley, Clare, ed. Supply chain risk. Taylor & Francis, 2017.
Brink, Charlotte H. Measuring political risk: risks to foreign investment. Routledge, 2017.
Chen, Yong, and Wu He. "Security risks and protection in online learning: A survey." The International Review of Research in Open and Distributed Learning 14, no. 5 (2013).
Haimes, Yacov Y. Risk modeling, assessment, and management. John Wiley & Sons, 2015.
Harrop, Wayne, and Ashley Matteson. "Cyber resilience: A review of critical national infrastructure and cyber-security protection measures applied in the UK and USA." In Current and Emerging Trends in Cyber Operations, pp. 149-166. Palgrave Macmillan, London, 2015.
Hoffmann, Romuald, Maciej Kiedrowicz, and Jerzy Stanik. "Risk management system as the basic paradigm of the information security management system in an organization." In MATEC Web of Conferences, vol. 76, p. 04010. EDP Sciences, 2016.
Ksiezopolski, Bogdan, Tomasz Zurek, and Michail Mokkas. "Quality of protection evaluation of security mechanisms." The Scientific World Journal 2014 (2014).
Kuo, Jen-Wei. "Security protection apparatus and method for endpoint computing systems." U.S. Patent 8,938,799, issued January 20, 2015.
Lave, Lester B., ed. Risk assessment and management. Vol. 5. Springer Science & Business Media, 2013.
Lewis, Ted G. Critical infrastructure protection in homeland security: defending a networked nation. John Wiley & Sons, 2014.
Liu, Joseph K., Kaitai Liang, Willy Susilo, Jianghua Liu, and Yang Xiang. "Two-factor data security protection mechanism for cloud storage system." IEEE Transactions on Computers 65, no. 6 (2016): 1992-2004.
Min, Kyoung-Sik, Seung-Woan Chai, and Mijeong Han. "An international comparative study on cyber security strategy." International Journal of Security and Its Applications 9, no. 2 (2015): 13-20.
Pearce, Michael, Sherali Zeadally, and Ray Hunt. "Virtualization: Issues, security threats, and solutions." ACM Computing Surveys (CSUR) 45, no. 2 (2013): 17.
Pettit, Timothy J., Keely L. Croxton, and Joseph Fiksel. "Ensuring supply chain resilience: development and implementation of an assessment tool." Journal of Business Logistics 34, no. 1 (2013): 46-76.
Rausand, Marvin. Risk assessment: theory, methods, and applications. Vol. 115. John Wiley & Sons, 2013.
Reed, Melinda. "System security engineering for program protection and cybersecurity." In Proc. 18th Annu. NDIA Syst. Eng. Conf., pp. 26-29. 2015.
Rhodes-Ousley, Mark. Information security: the complete reference. McGraw Hill Education, 2013.
Sadgrove, Kit. The complete guide to business risk management. Routledge, 2016.
Stiglitz, Joseph, and Mary Kaldor, eds. The quest for security: Protection without protectionism and the challenge of global governance. Columbia University Press, 2013.
Takagi, Hitomi, Takahito Morita, Masafumi Matta, Hiroki Moritani, Takashi Hamaguchi, Sun Jing, Ichiro Koshijima, and Yoshihiro Hashimoto. "Strategic security protection for industrial control systems." In Society of Instrument and Control Engineers of Japan (SICE), 2015 54th Annual Conference of the, pp. 986-992. IEEE, 2015.
Thalmann, Stefan, and Markus Manhart. "Enforcing organizational knowledge protection: an investigation of currently applied measures." In Seventh (pre-ICIS) Workshop on Information Security and Privacy (WISP), Milan, Italy. 2013.
Wang, Peter S., Louis J. Guccione, and Stephen E. Terry. "Method and apparatus for security protection of an original user identity in an initial signaling message." U.S. Patent 8,412,157, issued April 2, 2013.
Wu, Desheng Dash, Shu-Heng Chen, and David L. Olson. "Business intelligence in risk management: Some recent progresses." Information Sciences 256 (2014): 1-7.
Zhu, Wenzheng, and Changhoon Lee. "A Security Protection Framework for Cloud Computing." Journal of Information Processing Systems 12, no. 3 (2016).
My Assignment Help. (2019). Security Issues And Risk Assessment For A Prospective Organization, Essay. Retrieved from https://myassignmenthelp.com/free-samples/risk-assessment-report-of-kestral-building-company