Chapter Exercises
Exercise 1 – Q2. Search the Web for several InfoSec-related job postings. Do the postings comply with the concerns outlined in this chapter? Why or why not?
Information security refers to the tools and processes developed and deployed to protect sensitive information from inspection, destruction, disruption and modification (Cisco, 2018). Naukri (2019) lists numerous job opportunities associated with information technology and related to InfoSec. The opportunities include Information Security Manager, Senior Engineer (Information Security), AVP – Information Security Officer, and Information Security Analyst. Others are Information Security Lead Auditor and Information Security Engineer.
These postings comply with the concerns defined in this chapter. The concerns include protecting and securing data and ensuring that credibility and confidentiality are upheld. An Information Security job description on the website includes vulnerability assessment, application security, penetration testing, and managing and enforcing information and network security policies and procedures (Naukri, 2019). For an Information Security Engineer, the responsibilities include risk assessment, information security, process improvement and the application of techniques such as auditing and risk management. The postings highlight the importance of the different parties working together to protect the data.
Cisco. (2018). What is information security. Retrieved from https://www.cisco.com/c/en/us/products/security/what-is-information-security-infosec.html
Naukri. (2019). Information security. Retrieved from https://www.naukri.com/information-security-jobs
Exercise 2 – Q3. Using the list of threats to InfoSec presented in this chapter, identify and describe three instances of each that were not mentioned in the chapter.

| Threat category | Instance 1 | Instance 2 | Instance 3 |
|---|---|---|---|
| Compromises to intellectual property | Selling the private information | Specifics of the intellectual property sold to a third party | Using copyrighted information for financial and economic gain |
| Deviations in quality of service from service providers | Unreliable Internet services | Fluctuation in Internet speed | Unreliable power to run the equipment |
| Espionage or trespass | Persons not authorized to access data use ulterior motives to access it | Paying employees to steal the data | The data can be compromised to meet specific objectives |
| Forces of nature | Lightning can strike the building (Peltier, 2016) | Water can spill into the electronics, short-circuiting them | Earthquakes might damage networking devices |
| Human error or failure | Employees might compromise the details by failing to follow policy | Employees might employ the wrong procedures and processes in analyzing the data | Accidents can occur, such as an inability to secure the data appropriately |
| Information extortion | Thieves might access some crucial information and use it for blackmail (Kim & Solomon, 2016) | Criminal activity can be committed and one of the employees forced to compromise the information | One employee can be compromised by other employees |
| Sabotage or vandalism | Some networking devices can be stolen | Some illegal connections can be made | Illegal system adjustments can be made |
| Software attacks | External players can carry out denial of service | Introduction of illegal software such as worms and viruses | Readjustment of the software to meet internal objectives |
| Technical hardware failures and errors | Acquiring equipment inappropriate for the task | Ineffective attachment and fitting of the hardware | Hardware can be stolen |
| Technical software failures or errors | Ineffective design of the software | Availability of back doors leading to hacking | Ineffective debugging of the software |
| Technical obsolescence | Outdated software leads to various risks | Due to obsolescence, productivity is affected | The obsolete components might not work appropriately with the new systems |
| Theft | Employees can steal proprietary information | Employees can partner with other people to steal the information (Chang & Ramachandran, 2016) | Stealing some hardware components |
Chang, V., & Ramachandran, M. (2016). Towards achieving data security with the cloud computing adoption framework. IEEE Trans. Services Computing, 9(1), 138-151.
Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Publishers.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Exercise 3 – Q4. Using the data classification scheme presented in this chapter, identify and classify the information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is confidential, sensitive but unclassified, or suitable for public release?
Objective/purpose of the data classification scheme: to assist in securing my personal information with a focus on confidentiality and integrity.
Personal review of data classification scheme:
Exercise 4 – Q3. Using a web search engine, visit one of the popular disaster recovery/business continuity sites, such as www.disasterrecoveryworld.com, www.drj.com, www.drie.org, www.drii.org, or csrc.nist.gov. Search for the terms hot site, warm site and cold site. Do the
A hot site mirrors the activities of the primary datacenter infrastructure. The backup site has resources equivalent to the workplace, including office space, power, cooling and servers, depending on the specific objectives. The hot site operates by providing complementary services to the main datacenter (Aronis & Stratopoulos, 2016). Because the data is kept in sync, the business is protected and, in the event of a technical failure or disaster, operations would continue. The drawback of this strategy is its cost, so any business should weigh the cost-benefit of a hot site.
A cold site is a datacenter or office that lacks server-related equipment. The cold site provides office space, cooling and power in the event of a disruption (Hansen, 2016). A cold site needs the support of IT and engineering personnel to set up equipment and services to meet the operational and functional requirements. Cold sites are the most appropriate for business continuity.
A warm site lies between a cold site and a hot site. A warm site has datacenter or office space with server hardware already installed (Mattei & Satterly, 2016). The difference between a warm site and a hot site is that the warm site provides a platform on which production environments must still be installed. Such an approach is appropriate for a business that requires a certain level of redundancy.
The perceived missing part
Analyzing these sites shows that the choice depends on the importance of the activity being performed. Some businesses might not require continuous redundancy, meaning the best strategy is the cold site (Cook, 2015). For example, businesses located in safe environments are less susceptible to disruption, so mirroring is not important. However, a business that operates across numerous jurisdictions and provides services to millions of people requires a warm site and sometimes a hot site.
Aronis, S., & Stratopoulos, G. (2016). Implementing business continuity management systems and sharing best practices at a European bank. Journal of business continuity & emergency planning, 9(3), 203-217.
Cook, J. (2015). A six-stage business continuity and disaster recovery planning cycle. SAM Advanced Management Journal, 80(3), 23.
Hansen, E. C. (2016). Next generation enterprise network business continuity: maintaining operations in a compromised environment (Doctoral dissertation, Monterey, California: Naval Postgraduate School).
Mattei, M. D., & Satterly, E. (2016). Integrating Virtualization and Cloud Services into a Multi-Tier, Multi-Location Information System Business Continuity Plan. Journal of Strategic Innovation & Sustainability, 11(2).
Exercise 5 – Q4. Using the format provided in the text, design an incident response plan for your home computer. Include actions to be taken if each of the following events occurs:
| Phase | Users | Technology |
|---|---|---|
| Before an Attack | I will check the system continuously; I will be aware of the sites and online platforms I access; I will review any application before I install it; I will partner with my ISP to prevent any failure; effective engagement with ISP providers; implement risk aversion strategies; effective maintenance | Install antivirus; ensure modern applications and technologies are in place; install the right electrical systems; use the right tools and equipment |
| After an Attack | Frequently scanning my computer; verifying and checking the right applications; obsolete software and hardware has to be replaced; creating documentation of the problems that have occurred | Ensuring all the applications are working effectively; checking the antivirus and other firewall systems in place; reviewing the maintenance program and whether the equipment and tools were replaced accordingly; creating a scheduled system to continuously maintain the systems, including the site |
| During an Attack | Reviewing the antivirus/antimalware software, especially after any attack; determining whether the antivirus is effective; reviewing the location of the systems to prevent potential fires and burst water pipes | Seal off the leaking pipes and call maintenance (Ab Rahman et al., 2017); replace any susceptible applications and hardware; create an incident report for future reference |

Risks are inevitable depending on the conditions and scenarios. Fire incidents and water problems can be addressed easily (Ab Rahman & Choo, 2015). Planning should also cover the physical component. For example, thieves can steal the equipment and computer systems, so the location of the system should have the right security, including authorizing who may enter the space (Soomro, Shah & Ahmed, 2016). In addition, authorization extends to the persons who are permitted to access the computer system. Categorizing and encrypting the data ensures that even if unauthorized persons access the information, they cannot benefit from it.
Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. Computers & Security, 49, 45-69.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.
Ab Rahman, N. H., Cahyani, N. D. W., & Choo, K. K. R. (2017). Cloud incident handling and forensic-by-design: cloud storage as a case study. Concurrency and Computation: Practice and Experience, 29(14), e3868.
Exercise 6 – Q5. Using the components of risk assessment documentation presented in the chapter, draft a tentative risk assessment of a lab, department, or office at your university. Outline the critical risks you found and discuss them with your class
Department of Information Technology: Risk Assessment Documentation
The purpose of the assessment is to identify vulnerabilities and threats related to the Department of Information Technology. The risk assessment is then used to identify risk mitigation plans.
The system is made of numerous components. It includes students inputting and receiving information from the application. The design of the system is based on Active Server Pages together with Internet Information Server. The IT Department houses the applications and systems.
Some of the players include the Risk Assessment Team, Network Manager, Database Administrator and Security Administrator. In addition, the users of the information systems contribute to improving the safety and security measures.
The techniques employed are a risk assessment questionnaire, assessment tools, vulnerability sources, and a site visit. Others are interviews, document review, and transaction walkthroughs (Abbasi, Sarker & Chiang, 2016). Reviewing documents, including system documentation, security policies, operational manuals and network diagrams, is crucial for establishing security requirements. In addition, visiting the site reveals the physical access measures and other environmental controls.
The risk model takes the form of threat likelihood versus magnitude of impact. The calculation yields a high, medium or low risk level. The risk level is high when a threat source is present and control measures are absent (Modarres, 2016). The medium level identifies a potential threat source with measures in place to control the vulnerability. The low level implies the threat source is absent and measures are in place to prevent any problem from occurring.
The components are grouped into applications, databases, operating systems, networks, interconnections and protocols. The protocols include the web server and SSL, used for protecting transmitted data (Abbasi, Sarker & Chiang, 2016). The network consists of Cisco routers and a Check Point firewall. The operating system is Microsoft Windows NT and the database is Microsoft SQL Server 2000. Various applications are used, including Microsoft Active Server Pages.
The potential vulnerabilities include cross-site scripting, SQL injection, password strength, unnecessary services, disaster recovery, lack of documentation, and integrity checks (Abbasi, Sarker & Chiang, 2016). Operating processes, design and system specifications are not documented. There is no effective disaster recovery strategy, and the application server and web server run various unnecessary services such as anonymous FTP and Telnet. A successful attack could compromise the local machine, steal the user's session token, or spoof content.
The potential threat sources include hackers, computer criminals, insiders and the environment. Threats associated with hacking include unauthorized system access, break-ins, system intrusion, social engineering and web defacement. Computer criminals are associated with system intrusion, spoofing and identity theft (McIlwraith, 2016). Insider threats come from employees and can be associated with dishonesty or negligence. The consequences include unauthorized system access, system bugs, malicious code and access to personal information.
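The SQL injection vulnerability named above comes from building a query by pasting user text into the statement, and the control for it is binding the value as a parameter. The following is an added illustration, not part of the assignment or of the assessed system: it uses Python's standard sqlite3 module with a constructed in-memory `students` table (the real system runs Active Server Pages against SQL Server 2000, where the same fix applies through that driver's bound parameters). The `lookup_unsafe` and `lookup_safe` functions and the sample rows are assumptions made for the illustration.

```python
"""String-built SQL beside its parameterised replacement (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for the student records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [(1, "Alice", "A"), (2, "Bob", "B"), (3, "O'Brien", "C")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the caller's text becomes part of the SQL statement,
    so the database parses it as SQL rather than treating it as a value."""
    sql = f"SELECT id, name, grade FROM students WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value is bound to a placeholder, so whatever it
    contains is compared as data and never interpreted as SQL."""
    sql = "SELECT id, name, grade FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups against ordinary, awkward and crafted inputs and collect the results."""
    conn = make_db()
    results = {}
    results["safe_normal"] = lookup_safe(conn, "Alice")
    results["unsafe_normal"] = lookup_unsafe(conn, "Alice")

    # A legitimate name containing an apostrophe is an integrity/availability
    # defect for the unsafe query (it fails to parse) but works when bound.
    results["safe_apostrophe"] = lookup_safe(conn, "O'Brien")
    try:
        results["unsafe_apostrophe"] = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["unsafe_apostrophe"] = f"error: {exc}"

    # Input that the unsafe query reads as SQL logic instead of a name value:
    # the string-built query returns every row, the bound query returns none.
    crafted = "x' OR '1'='1"
    results["unsafe_crafted"] = lookup_unsafe(conn, crafted)
    results["safe_crafted"] = lookup_safe(conn, crafted)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:17} {value}")
```

The apostrophe case is worth keeping in a risk assessment write-up because it shows the defect is not only a confidentiality issue: the same construction that lets crafted input widen a query also makes the application fail on ordinary names, which is the integrity-check and error-handling gap the assessment lists alongside injection.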
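The risk model described in the paragraph on likelihood versus impact, applied to the vulnerabilities and threat sources listed afterwards, can be written out as a small risk register. The block below is an added example and not part of the assignment: the wording-to-likelihood mapping follows the three definitions given in the assessment (threat source present with no controls is high, present with controls is medium, absent is low), while the numeric weights and the score thresholds are an assumption modelled on the likelihood and impact tables of the 2002 edition of NIST SP 800-30, which the assessment itself does not quote. The findings in `SAMPLE_REGISTER` reuse the assessment's own vulnerability list, but the threat-presence, control and impact ratings attached to each are constructed sample ratings.

```python
"""Qualitative risk register: likelihood x impact -> High/Medium/Low (added example)."""
from dataclasses import dataclass

# Assumed numeric scales (modelled on the NIST SP 800-30 (2002) tables, not given in the assessment).
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


def rate_likelihood(threat_source_present: bool, controls_effective: bool) -> str:
    """Map the assessment's wording onto a likelihood rating.

    High:   a threat source is present and control measures are absent.
    Medium: a threat source is present but measures are in place to control it.
    Low:    the threat source is absent (measures in place or not needed).
    """
    if not threat_source_present:
        return "Low"
    return "Medium" if controls_effective else "High"


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and magnitude of impact into a risk level.

    Score = likelihood weight x impact weight; thresholds are the assumed
    SP 800-30 bands: >50 High, >10 Medium, otherwise Low.
    """
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    """One row of the register: a vulnerability paired with the threat source that could exploit it."""
    vulnerability: str
    threat_source: str
    threat_present: bool       # is a motivated threat source present?
    controls_effective: bool   # are measures in place that control the vulnerability?
    impact: str                # magnitude of impact if exploited: High/Medium/Low

    def assess(self) -> tuple:
        likelihood = rate_likelihood(self.threat_present, self.controls_effective)
        return likelihood, risk_level(likelihood, self.impact)


# Constructed sample ratings for the vulnerabilities the assessment identified.
SAMPLE_REGISTER = [
    Finding("SQL injection in ASP pages", "hackers", True, False, "High"),
    Finding("Cross-site scripting", "hackers", True, True, "Medium"),
    Finding("Weak password strength", "insiders", True, True, "High"),
    Finding("Unnecessary services (anonymous FTP, Telnet)", "hackers", True, False, "Medium"),
    Finding("No disaster recovery strategy", "environment", True, False, "High"),
    Finding("Missing system documentation", "insiders", True, True, "Low"),
]


def build_register(findings=SAMPLE_REGISTER) -> list:
    """Return (vulnerability, likelihood, risk level) for every finding."""
    return [(f.vulnerability, *f.assess()) for f in findings]


def prioritised(findings=SAMPLE_REGISTER) -> list:
    """Same rows, ordered so the High-risk items that need mitigation plans first come first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(build_register(findings), key=lambda row: order[row[2]])


if __name__ == "__main__":
    for vulnerability, likelihood, level in prioritised():
        print(f"{level:6} likelihood={likelihood:6} {vulnerability}")
```

Reading the output as the assessment's mitigation step: the findings rated High are those where the threat source exists and nothing currently controls the vulnerability, so they are the ones for which a mitigation plan is drafted first; a Medium finding already has a control and is reviewed for whether that control is adequate.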
Abbasi, A., Sarker, S., & Chiang, R. H. (2016). Big data research in information systems: Toward an inclusive research agenda. Journal of the Association for Information Systems, 17(2).
McIlwraith, A. (2016). Information security and employee behaviour: how to reduce risk through employee education, training and awareness. Routledge.
Modarres, M. (2016). Risk analysis in engineering: techniques, tools, and trends. CRC press.