In this report, various aspects of information security management are examined, including the working mechanism of ransomware and ways to deal with it. Threats to routers, switches, web servers and email servers are also considered, together with the remedial actions, risk management approaches and solutions that can prevent security issues. All of these components are discussed in the context of Altova, an IS service provider operating in the US and Austria.
Ransomware malware threats against organizational information systems
Working mechanism of ransomware
According to Patyal, Sampalli & Rahman (2017), ransomware is a kind of malware that installs itself on a PC and starts running without the user's awareness. Unlike malware that steals sensitive information, it does not stay hidden: after compromising the user's device it locks the device and/or encrypts the files, then announces its presence and demands a ransom. Ransomware reaches a device through one of several mechanisms: spam and social engineering, direct drive-by download or malvertising, or malware installation tools and botnets. The most common is a phishing email whose attachment impersonates a legitimate file; once the attachment is downloaded and opened, the ransomware takes control of the victim's device. Some ransomware relies on social engineering to trick the victim into granting administrative access, while other ransomware exploits security flaws to compromise devices and does not depend on tricking the victim at all.
Three tools to tackle ransomware attacks
As stated by Han, Hoe, Wing & Brohi (2017), Altova can use the following tools to tackle ransomware attacks:
Observation of file system activity (SSDT): ransomware attacks can be detected by monitoring file system activity. This approach hooks into the System Service Descriptor Table (SSDT), intercepts I/O requests and filters them by their characteristics. When a cluster of suspicious requests is made, the process responsible is likely to be malicious. Altova can therefore keep a log of SSDT activity in order to identify and remove the virus or ransomware that has infected its devices.
Honeypots: as stated by Furnell & Emm (2017), honeypots are used to detect malicious system activity and can be used by Altova against ransomware attacks. Honeypot (decoy) files are placed on systems where no legitimate user or application should touch them, so when ransomware reaches a victim device and begins encrypting, it accesses the honeypot files. This lets Altova's systems react to the intrusion and detect the attack on files, which can be applied to tackle ransomware attacks.
Antivirus: this is the common tool used to tackle malicious attacks and combines heuristic and signature-based detection. Antivirus software maintains a database of signatures extracted from known attacks. Whenever a file is run, the on-access scanner examines the file and compares its signature against the signature database; the file's code is additionally examined by the heuristic module. This combination allows antivirus to detect ransomware attacks.
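The honeypot-file approach described above can be demonstrated with a small monitor. The following Python script is an added example, not code from the report or from Altova: it plants decoy files, records a baseline of their hashes, and reports any modification, rename or deletion. The file names, contents and the simulated ransomware behaviour (overwrite in place, overwrite and append a `.locked` extension, delete) are all constructed for this example.

```python
"""Canary (honeypot) files for ransomware detection.

Plants decoy files that no legitimate user or application should touch,
records a baseline of their contents, and reports any modification,
rename or deletion of them. Names, contents and the simulated attacker
are constructed for this example.
"""
import hashlib
import os
import tempfile

# Names that sort first in a directory listing, since many encryptors walk
# directories in order (assumption; choose names that suit your own estate).
CANARY_NAMES = ["00-canary-invoice.docx", "00-canary-backup.xlsx", "00-canary-photo.jpg"]


def _digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(directory):
    """Create the decoy files and return a baseline {name: sha256 hex}."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"CANARY FILE - DO NOT TOUCH: " + name.encode())
        baseline[name] = _digest(path)
    return baseline


def check_canaries(directory, baseline):
    """Compare the directory with the baseline and return a list of alerts.

    Any alert is a strong signal: nothing legitimate should change these
    files, so a real monitor would typically isolate the host at this point.
    """
    alerts = []
    present = set(os.listdir(directory))
    for name, expected in baseline.items():
        if name in present:
            if _digest(os.path.join(directory, name)) != expected:
                alerts.append(f"MODIFIED: {name}")
            continue
        # The file is gone: distinguish a rename (ransomware commonly appends
        # its own extension after encrypting) from a plain deletion.
        renamed = sorted(p for p in present if p.startswith(name))
        if renamed:
            alerts.append(f"RENAMED: {name} -> {renamed[0]}")
        else:
            alerts.append(f"DELETED: {name}")
    return alerts


def simulate_tampering(directory):
    """Constructed stand-in for ransomware: encrypt one canary in place,
    encrypt and rename a second, delete the third."""
    first, second, third = (os.path.join(directory, n) for n in CANARY_NAMES)
    with open(first, "wb") as fh:
        fh.write(os.urandom(64))            # contents replaced by "ciphertext"
    with open(second, "wb") as fh:
        fh.write(os.urandom(64))
    os.replace(second, second + ".locked")  # renamed with a new extension
    os.remove(third)


def demo():
    """Plant canaries in a scratch directory, confirm silence while they are
    untouched, then run the simulated attacker and return both alert lists."""
    with tempfile.TemporaryDirectory() as workdir:
        baseline = plant_canaries(workdir)
        quiet = check_canaries(workdir, baseline)
        simulate_tampering(workdir)
        return quiet, check_canaries(workdir, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("untouched:", before)
    for alert in after:
        print(alert)
```

In a deployment the baseline would be taken once and `check_canaries` run on a short timer or from a file-system watcher; the alert list is what would be forwarded to the SIEM or used to trigger host isolation.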
Threats against network routers and switches
Some common threats to Altova's network routers are:
Session hijacking: this occurs when an intruder inserts forged IP packets into an established session, using IP spoofing, sequence-number prediction and alteration, or other methods.
Rerouting: as stated by Kreutz et al. (2015), this attack manipulates router updates so that traffic flows to unauthorised destinations.
Masquerading: this occurs when an intruder manipulates IP packets to fake the source IP address. Through this threat, intruders gain unauthorised access to network routers or inject forged data into the network.
Other common threats to Altova's switches are:
ARP spoofing: the intruder sends fake ARP messages that link the intruder's MAC address with the IP address of a victim device or server. Once the MAC address is associated with the victim's IP address, the intruder receives the data intended for that IP address. This threat allows intruders to intercept, modify or stop data in transit.
ARP poisoning: as opined by Daş, Karabade & Tuna (2015), in this threat the intruder changes the MAC address and attacks LAN switches by tampering with the targeted device's ARP cache using forged ARP request and reply packets. This replaces the genuine address with the intruder's MAC address with the intention of monitoring, so the victim's data and privacy are compromised.
P2P traffic: peer-to-peer traffic is used to share large quantities of data directly between specific computers on the internet, and it is estimated that for any ISP nearly 80% of traffic is P2P traffic. P2P networks are used to distribute bots, spyware, adware, Trojans and rootkits by sending malicious files from the P2P environment.
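The ARP spoofing and ARP poisoning threats above share a signature a switch-side monitor can watch for: an IP address that suddenly resolves to a different MAC address, or one MAC address answering for several IP addresses. The following Python detector is an added example, not part of the report or of any product it mentions; the ARP replies, addresses and the attacker MAC are constructed for this example.

```python
"""ARP spoofing / poisoning detector (defensive monitoring).

Consumes ARP replies as a sniffer would report them and raises an alert when
an IP address starts resolving to a different MAC address, or when one MAC
address claims several IP addresses (a host posing as both gateway and
victim). The replies below are constructed for this example.
"""
from collections import defaultdict

# (seconds since capture start, sender IP, sender MAC).
# 10.0.0.1 is the gateway; de:ad:be:ef:00:99 is the constructed attacker.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (0.5, "10.0.0.25", "aa:bb:cc:00:00:25"),
    (1.0, "10.0.0.30", "aa:bb:cc:00:00:30"),
    (5.0, "10.0.0.1", "DE:AD:BE:EF:00:99"),   # gateway IP claimed by a new MAC
    (5.1, "10.0.0.25", "de:ad:be:ef:00:99"),  # same MAC now also claims the victim
]


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert strings for the given ARP replies.

    trusted: optional {ip: mac} of pinned bindings (gateway, servers). The
    first observed binding is kept for every other IP, so a later reply that
    contradicts it is reported and does not silently overwrite the table.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"t={ts}: {ip} changed from {known} to {mac}")
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            # Report once, when a MAC first claims a second address. A router
            # with several interfaces can trigger this legitimately, so pin it
            # via `trusted` or allow-list it in a real deployment.
            if len(mac_to_ips[mac]) == 2:
                ips = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"t={ts}: {mac} claims multiple IPs ({ips})")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```

Pinning the gateway and server bindings through `trusted` is the software counterpart of the static ARP entries or Dynamic ARP Inspection a switch can enforce; the monitor is useful on segments where those controls are not available.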
How routers and switches are vulnerable to destruction and abuse
According to Daş, Karabade & Tuna (2015), routers and switches are susceptible to destruction and abuse because of poorly built hardware or software, inappropriate network design, inherent technology flaws, end-user negligence and deliberate end-user actions such as those of aggrieved staff.
How the organization can ensure the reliability and availability of the web service
Altova can ensure the reliability and availability of its web service through the Web Services Reliable Messaging (WS-Reliability) protocols. As stated by Liu, Jia, Xue & An (2015), these ensure effective, asynchronous and reliable message delivery. According to Alsaleh, Alarifi, Alqahtani & Al-Salman (2014), the WS-Reliability protocol architecture supports composition with other messaging and web service standards and specifications. It comprises WS-ReliableMessaging, WS-Addressing, WSDL, WS-Policy, WS-Transactions and WS-Coordination, WS-Endpoint Resolution, WS-MetadataExchange, the WS-Security roadmap protocols and WS-Transmission Control, which together allow messages to be delivered reliably between web services.
Ways to ensure the confidentiality and integrity of staff email
Approaches Altova can utilise to improve the availability, confidentiality and integrity of its email server are:
Secure/Multipurpose Internet Mail Extensions (S/MIME): according to Islam, Farah & Stafford (2018), this is an email security standard that provides authentication and confidentiality for email using public key encryption and digital signatures. Authentication is provided through X.509 digital certificates and confidentiality through Public Key Cryptography Standards (PKCS) encryption.
DomainKeys Identified Mail (DKIM): Altova can use DKIM to cut down the malicious and unwanted mail reaching its email servers and so improve their availability. According to Kaur, Gupta & Singh (2018), DKIM is a domain-level digital signature authentication framework for email that allows the signing domain to assert responsibility for a message using a signature-based method. It authenticates the identity of the sender and the integrity of their email for delivery handling. The authentication is validated by checking the cryptographic signature and querying the signer's domain over DNS to retrieve its public key.
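The DKIM check described above has two stages: a receiver first canonicalises the message body and compares its hash with the `bh=` tag of the DKIM-Signature header, and only then fetches the signer's public key from DNS to verify the `b=` signature over the selected headers. The following Python code is an added example, not from the report or from any cited source; it implements the first, DNS-free stage with the standard library only. The sample message is constructed here, and its `b=` value is a placeholder because producing a real signature needs the signing domain's private key.

```python
"""DKIM body-hash check (the DNS-free part of DKIM verification).

Canonicalises the message body per RFC 6376, hashes it and compares the
result with the bh= tag of the DKIM-Signature header. The b= signature
over the headers is not verified here; that needs the signer's public key
from DNS. The sample message is constructed for this example.
"""
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """Parse 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """Apply RFC 6376 body canonicalisation ('simple' or 'relaxed')."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # Collapse runs of whitespace to one space and strip trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":      # ignore empty lines at the end
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"    # body must end with exactly one CRLF


def body_hash(body, mode="relaxed", algorithm="sha256"):
    """Base64 digest of the canonicalised body, as carried in bh=."""
    canon = canonicalize_body(body, mode).encode("utf-8")
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode("ascii")


def get_header(head, name):
    """Return the unfolded value of the first header called `name`, or None."""
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    for line in unfolded.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def check_body_hash(raw_message):
    """True if the bh= tag matches the body; False if absent or mismatched."""
    head, _, body = raw_message.partition("\r\n\r\n")
    signature = get_header(head, "DKIM-Signature")
    if signature is None:
        return False
    tags = parse_dkim_tags(signature)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]   # sha256 or sha1
    return body_hash(body, body_mode, algorithm) == tags.get("bh")


SAMPLE_BODY = "Quarterly figures attached.   Please review before Friday.\r\n\r\n"


def build_sample_message(body=SAMPLE_BODY):
    """Constructed message whose bh= is computed here over `body`."""
    return (
        "From: finance@example.com\r\n"
        "To: staff@example.com\r\n"
        "Subject: Q3 figures\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        " s=sel1; h=from:to:subject; bh=" + body_hash(body) + ";\r\n"
        " b=PLACEHOLDER-SIGNATURE\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    intact = build_sample_message()
    tampered = intact.replace("before Friday", "and wire the payment")
    print("intact  :", check_body_hash(intact))    # True
    print("tampered:", check_body_hash(tampered))  # False
```

A body-hash mismatch is enough to fail DKIM verification, which is why it is checked before the signature. A change to a signed header (From, Subject) would not be caught by this stage; that is what the `b=` signature and the DNS-published key are for.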
Impact of human factors and organizational issues on IS-related security and risk management
Human factors affect the effectiveness of Altova's information security management system (ISMS), as they are one of the major forces that determine the success or failure of information system security. As stated by Cavusoglu, Cavusoglu, Son & Benbasat (2015), many information security incidents are the outcome of human involvement, either direct and intentional or through careless acts. In both situations the impact of the human factor rests on two dimensions: the knowledge and the personality or character of the people Altova employs. Various factors support these dimensions and can be categorised as direct and indirect. Direct factors are those that depend on individual human characteristics and have a noticeable impact on Altova's ISMS; they include human error, information security awareness, skills, experience, apathy, incentive and disincentive policies, ignorance, carelessness and stress. According to Safa, Von Solms & Furnell (2016), indirect factors are those that depend entirely on external issues such as organisational matters, including an appropriate budget and policy, enforcement and influence on culture, communication, and management support. According to the Information Security Breaches Survey 2015, a company's employees are the greatest security risk to its information systems: around 75% of companies suffered staff-related security breaches in 2015, and over 50% of the worst breaches were due to employee error. Moreover, employees compromise security unwittingly; according to the Cyber Security Breaches Survey of 2017, around 72% of IS-related security incidents occurred after employees received a fraudulent email.
Such security incidents also arise because, according to the Cyber Security Breaches Survey of 2017, only 20% of employees attend any kind of cyber security training; employees can therefore have a considerable impact on Altova's information system.
Risk management recommendations
In order to reduce the risk employees pose to Altova's information system, employee education is the main preventive measure: employees can be made aware of cyber security and of threats such as phishing mails and insecure networks. Some recommendations Altova can consider to reduce risk are:
Clear communication of the possible impact of cyber incidents: according to Soomro, Shah & Ahmed (2016), most staff are unaware of the damage that can be done through them by poor cyber hygiene, so it is advisable for Altova to communicate to employees the implications of cyber incidents, from financial loss or fines to damaged client confidence. This will help generate awareness and maintain cyber hygiene.
Making cyber security everyone's responsibility: Altova can organise an education programme and ensure that everyone in the company, starting from the top, takes part in training; no one should be exempt. According to Frey & Osborne (2017), this builds everyone's sense of responsibility towards Altova's IT infrastructure, which averts the risk of ignorance, negligence or intentional incidents.
Customising training to organisational needs: according to Simmonds (2017), Altova's employees can be trained according to their specific requirements to boost awareness and meet the organisation's needs for protecting its IT infrastructure. Such training can range from confidential waste destruction to encryption of data or emails. It allows Altova's employees to apply the knowledge in their routine roles, which makes them more likely to minimise the risk of potential security issues.
Imparting learning on effective password management: according to Tsohou, Karyda & Kokolakis (2015), passwords are vital to information security systems, so Altova can implement a robust password policy by issuing employees guidelines on password requirements and stressing the need to generate strong passwords. Employees should also be taught password management and warned against sharing their passwords.
Training employees to identify and respond to attacks: Altova can train its employees effectively before an IS-related security incident arises. It can document a remedial plan, and training can cover specific rules such as unplugging a device from the network in case of attack. Employees can also be given channels, such as emergency numbers, to alert administrators to suspected emails or unusual activity.
8. Illustration of the use of log records, including security, access and event logs, in monitoring and analyzing web server and email server problems
According to Morton et al. (2018), log records help in observing and examining web and email server problems: these servers generate log files containing an entry for every event or exchange that occurs on the hardware or device, which serve as a journal of record. For example, Microsoft-based systems create Windows event log files, while UNIX-based servers and networking devices create System Log (syslog) records. These logs can be used to manage compliance with the company's IT policies through monitoring, auditing and reporting on file access, unauthorised actions, practice changes and so on. As stated by Khan et al. (2016), regular monitoring of individual log events gives vital information about which users have logged into the network and details of their activities. Analysis of event logs is therefore essential for security: it reveals information system vulnerabilities and shows whether any weakness exists in the security implementation. Using an event and log management framework, companies can manage the staggering amount of log information a system creates and gain real-time access to log data, which allows them to isolate and locate the specific suspicious event that may indicate a security issue or breach.
9. Discussion in detail of the use of audit log reports for performing auditing analysis, supporting the organization's internal investigations, and identifying operational trends and long-term problems, in particular for email and web server issues
Audit log reports help detect and analyse intrusion activity that might otherwise go unnoticed, and they provide evidence of whether or not an event resulted in a breach. According to Groomer & Murthy (2018), regular collection of audit logs helps firms make vital decisions by supporting their interpretation of the nature of security incidents, both during active internal investigations and in post-mortem evaluation. Audit log reports are also important for setting baselines and help in recognising operational trends and long-term problems during internal investigations, including audit and forensic analysis. A proficient audit logging programme can detect a security incident and its impact early and so avert data theft, limiting the impact of a breach compared with an organisation where intruders download bulk protected data over a long period without being noticed.
For email and web servers in particular, logs should cover information about the specific events that affect an in-scope device. Audit log reports should include OS events such as system start-up and shutdown, network connectivity changes or failures, and attempts to modify security settings and controls. They should also include OS audit records such as logon attempts and account changes, along with application account information such as authentication attempts and application account changes. Further, they should include application operations on the web and email servers, such as application start-up and shutdown, application failures, configuration changes and application transactions: for example, email servers tracking sender, recipients, subject and attachment names for all mail, web servers tracking URL requests and the kind of response returned by the server, and business functions tracking which financial data was accessed and by whom.
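Sections 8 and 9 describe what a log review of a web and email server should extract (who logged in and from where, URL requests and server responses, mail senders, recipients and attachments) and how a baseline turns those counts into findings. The following Python script is an added example, not from the report, of that review run over three small log samples: sshd entries in syslog format, Apache-style access log lines and mail transfer log lines. All log lines, hosts, addresses and the baseline thresholds are constructed for this example, and the mail log format is a simplified one assumed here rather than any particular MTA's.

```python
"""Audit-log summary for a web server and a mail server (constructed samples).

Parses sshd syslog entries, Apache-style access log lines and simplified mail
log lines, builds the counts an audit report needs, and compares them with a
baseline to surface findings: brute-force logins, path probing, server errors
and risky attachments.
"""
import re
from collections import Counter

AUTH_LOG = """\
Sep 19 09:01:02 web01 sshd[811]: Accepted publickey for deploy from 10.0.5.4 port 51022 ssh2
Sep 19 09:03:10 web01 sshd[815]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep 19 09:03:12 web01 sshd[815]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep 19 09:03:15 web01 sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Sep 19 09:10:00 web01 sshd[820]: Accepted password for alice from 10.0.5.9 port 50111 ssh2
"""
ACCESS_LOG = """\
10.0.5.9 - - [19/Sep/2018:09:11:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [19/Sep/2018:09:12:40 +0000] "GET /admin/login.php HTTP/1.1" 404 212
203.0.113.7 - - [19/Sep/2018:09:12:41 +0000] "GET /wp-login.php HTTP/1.1" 404 212
203.0.113.7 - - [19/Sep/2018:09:12:42 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 212
10.0.5.9 - - [19/Sep/2018:09:13:05 +0000] "POST /api/report HTTP/1.1" 500 87
"""
MAIL_LOG = """\
Sep 19 09:20:11 mail01 mta: from=<finance@example.com> to=<staff@example.com> subject="Q3 figures" attachments=q3.xlsx
Sep 19 09:21:30 mail01 mta: from=<ceo@examp1e.com> to=<finance@example.com> subject="Urgent wire" attachments=invoice.docm
"""

AUTH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
MAIL_RE = re.compile(r'from=<([^>]*)> to=<([^>]*)> subject="([^"]*)" attachments=(\S*)')

# Baseline agreed during a quiet period; exceeding it is a finding.
BASELINE = {"max_failed_per_source": 2, "max_404_per_source": 2}
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "docm", "xlsm"}


def parse_auth(text):
    return [{"result": r, "user": u, "src": s} for r, u, s in AUTH_RE.findall(text)]


def parse_access(text):
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            src, method, path, status = m.groups()
            out.append({"src": src, "method": method, "path": path, "status": int(status)})
    return out


def parse_mail(text):
    keys = ("sender", "rcpt", "subject", "attachments")
    return [dict(zip(keys, m)) for m in MAIL_RE.findall(text)]


def audit_report(auth_text=AUTH_LOG, access_text=ACCESS_LOG, mail_text=MAIL_LOG, baseline=BASELINE):
    """Build the counts for an audit report plus a list of findings."""
    auth, access, mail = parse_auth(auth_text), parse_access(access_text), parse_mail(mail_text)
    logins = Counter(e["user"] for e in auth if e["result"] == "Accepted")
    failed_by_source = Counter(e["src"] for e in auth if e["result"] == "Failed")
    status_counts = Counter(e["status"] for e in access)
    notfound_by_source = Counter(e["src"] for e in access if e["status"] == 404)
    findings = []
    for src, n in failed_by_source.items():
        if n > baseline["max_failed_per_source"]:
            findings.append(f"{n} failed logins from {src} exceed baseline (possible brute force)")
    for src, n in notfound_by_source.items():
        if n > baseline["max_404_per_source"]:
            findings.append(f"{n} 404s from {src} exceed baseline (possible path probing)")
    for e in access:
        if e["status"] >= 500:   # operational problem worth trending over time
            findings.append(f"server error {e['status']} on {e['method']} {e['path']}")
    for m in mail:
        for name in filter(None, m["attachments"].split(",")):
            if name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
                findings.append(f"risky attachment {name} from {m['sender']} to {m['rcpt']}")
    return {"logins": logins, "failed_by_source": failed_by_source,
            "status_counts": status_counts, "findings": findings}


if __name__ == "__main__":
    report = audit_report()
    print("accepted logins:", dict(report["logins"]))
    print("http status mix:", dict(report["status_counts"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run daily, the returned counters are the figures an audit report tabulates; kept over weeks they give the baseline and the operational trend (for example, a rising share of 5xx responses) that section 9 describes, while the findings list is what an internal investigation starts from.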
10. Proposal of five network security devices to control security and mitigate threats related to the web and email servers
The network security devices that can be used for the web and email servers are:
Scanners: as stated by Kreutz et al. (2015), these automate and simplify web server security. When activated they scan the web server hosts of web applications and launch advanced security checks against the network services running on the web servers. These scanners help ensure the security of websites and web servers by examining them for SQL injection, cross-site scripting, server configuration issues and other vulnerabilities. They also validate password strength on authentication pages and automatically examine websites, content and applications.
Security information and event management (SIEM): as stated by Stojmenovic & Wen (2014), these devices combine all the information required to secure web servers and networks by identifying and responding to threats. They are available as virtual and physical appliances and as server software.
Next Generation Firewall (NGFW): according to Sicari, Rizzardi, Grieco & Coen-Porisini (2015), these devices defend against network and web server attacks by creating a barrier between the trusted internal network and unknown outside networks. They can be hardware or software, such as the Cisco Firepower NGFW, which combines a proven firewall with an effective IPS and advanced malware protection. They also give better visibility, are more transparent and are more secure.
Unified threat management (UTM): these devices offer several security functions in a single device or network to protect customers from attacks. UTM combines functions such as anti-virus, anti-spam, content filtering and web filtering.
Email security: these appliances block inbound attacks and control outbound messages to prevent loss of confidential data.
Conclusions and Recommendations
It can thus be concluded that, since information security systems are exposed to vulnerabilities, a proper risk management plan should be developed in advance. The recommendations include designing a risk management and mitigation plan according to the needs of the IT infrastructure and generating awareness among people in the organisation through proper training. Regular monitoring should also be carried out to check activities, and any suspicious event should be immediately taken into consideration and examined to support effective security decision making.
References
Alsaleh, M., Alarifi, A., Alqahtani, A., & Al-Salman, A. (2014). Visualizing web server attacks: patterns in PHPIDS logs. Security and Communication Networks, 8(11), 1991-2003. Available at: doi:10.1002/sec.1147 [Accessed 19 Sep. 2018]
Cavusoglu, H., Cavusoglu, H., Son, J., & Benbasat, I. (2015). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), 385-400. Available at: doi:10.1016/j.im.2014.12.004 [Accessed 19 Sep. 2018]
Daş, R., Karabade, A., & Tuna, G. (2015). Common network attack types and defense mechanisms. In Signal Processing and Communications Applications Conference (SIU), Malatya, Turkey. IEEE, pp. 2658-2661. Available at: doi:10.1109/SIU.2015.7130435 [Accessed 19 Sep. 2018]
Frey, C., & Osborne, M. (2017). The future of employment: How susceptible are jobs to computerisation? Technological Forecasting & Social Change, 114(C), 254-280. Available at: doi:10.1016/j.techfore.2016.08.019 [Accessed 19 Sep. 2018]
Furnell, S., & Emm, D. (2017). The ABC of ransomware protection. Computer Fraud & Security, 2017(10), 5-11. Available at: doi:10.1016/s1361-3723(17)30089-1 [Accessed 19 Sep. 2018]
Groomer, S. M., & Murthy, U. S. (2018). Continuous auditing of database applications: An embedded audit module approach. In Continuous Auditing: Theory and Application. Emerald Publishing Limited, pp. 105-124. Available at: https://www.emeraldinsight.com/doi/abs/10.1108/978-1-78743-413-420181005 [Accessed 19 Sep. 2018]
Han, J. W., Hoe, O. J., Wing, J. S., & Brohi, S. N. (2017). A Conceptual Security Approach with Awareness Strategy and Implementation Policy to Eliminate Ransomware. In Proceedings of the 2017 International Conference on Computer Science and Artificial Intelligence, Jakarta, Indonesia. ACM, pp. 222-226. Available at: doi:10.1145/3168390.3168398 [Accessed 19 Sep. 2018]
Islam, M., Farah, N., & Stafford, T. (2018). Factors associated with security/cybersecurity audit by internal audit function. Managerial Auditing Journal, 33(4), 377-409. Available at: doi:10.1108/maj-07-2017-1595 [Accessed 19 Sep. 2018]
Kaur, K., Gupta, I., & Singh, A. K. (2018). Data Leakage Prevention: E-Mail Protection via Gateway. Journal of Physics: Conference Series, 933(1), 012013. IOP Publishing. Available at: https://iopscience.iop.org/article/10.1088/1742-6596/933/1/012013/meta [Accessed 19 Sep. 2018]
Khan, S., Gani, A., Wahab, A., Bagiwa, M., Shiraz, M., Khan, S., Buyya, R., et al. (2016). Cloud Log Forensics: Foundations, State of the Art, and Future Directions. ACM Computing Surveys (CSUR), 49(1), 1-42. Available at: doi:10.1145/2906149 [Accessed 19 Sep. 2018]
Kreutz, D., Ramos, F. M., Verissimo, P. E., Rothenberg, C. E., Azodolmolky, S., & Uhlig, S. (2015). Software-defined networking: A comprehensive survey. Proceedings of the IEEE, 103(1), 14-76. Available at: doi:10.1109/JPROC.2014.2371999 [Accessed 19 Sep. 2018]
Liu, Z. Z., Jia, Z. P., Xue, X., & An, J. Y. (2015). Reliable Web service composition based on QoS dynamic prediction. Soft Computing, 19(5), 1409-1425. Springer Berlin Heidelberg. Available at: https://doi.org/10.1007/s0050 [Accessed 19 Sep. 2018]
Morton, M., Werner, J., Kintis, P., Snow, K., Antonakakis, M., Polychronakis, M., & Monrose, F. (2018). Security risks in asynchronous web servers: When performance optimizations amplify the impact of data-oriented attacks. In 2018 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, pp. 167-182. Available at: https://www3.cs.stonybrook.edu/~mikepo/papers/asyncweb.eurosp18.pdf [Accessed 19 Sep. 2018]
Patyal, M., Sampalli, S., Ye, Q., & Rahman, M. (n.d.). Multi-layered defense architecture against ransomware. International Journal of Business and Cyber Security, 1(2). Available at: https://search.proquest.com/docview/1936249286/ [Accessed 19 Sep. 2018]
Safa, N., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56. Available at: https://search.proquest.com/docview/1760019822/ [Accessed 19 Sep. 2018]
Sicari, S., Rizzardi, A., Grieco, L., & Coen-Porisini, A. (n.d.). Security, privacy and trust in Internet of Things: The road ahead. Computer Networks, 76. Available at: https://search.proquest.com/docview/1643239985/ [Accessed 19 Sep. 2018]
Simmonds, M. (2017). How businesses can navigate the growing tide of ransomware attacks. Computer Fraud & Security, 2017(3), 9-12. Available at: doi:10.1016/s1361-3723(17)30023-4 [Accessed 19 Sep. 2018]
Soomro, Z., Shah, M., & Ahmed, J. (n.d.). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), –225. Available at: doi:10.1016/j.ijinfomgt.2015.11.009 [Accessed 19 Sep. 2018]
Stojmenovic, I., & Wen, S. (2014). The fog computing paradigm: Scenarios and security issues. In 2014 Federated Conference on Computer Science and Information Systems (FedCSIS), Warsaw, Poland. IEEE, pp. 1-8. Available at: doi:10.15439/2014F503 [Accessed 19 Sep. 2018]
Tsohou, A., Karyda, M., & Kokolakis, S. (n.d.). Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs. Computers & Security, 52(C), 128-141. Available at: doi:10.1016/j.cose.2015.04.006 [Accessed 19 Sep. 2018]