INFORMATION SYSTEM INSECURITY


Name:

Course:

Institution:

Date:

Executive summary

Cyber-attacks have become a worldwide problem; thus, organizations have to sharpen their focus on cyber security in order to protect sensitive data and systems. No organization is immune to cyber-attacks. Organizations have lost a great deal of money to attacks by hackers. Some organizations think that they do not hold information that hackers would want. Such a view is incorrect because all information has value. Organizations are investing heavily in information security, guided by preventive controls, detective controls, and corrective controls. Preventive controls help to avoid incidents and deter unauthorized access. Detective controls monitor activity and alert the organization to malicious activity. Corrective controls limit the scope of incidents and mitigate unauthorized actions by users. This report addresses preventive controls, detective controls, and corrective controls.


CHAPTER ONE

INTRODUCTION

Subject

Computer information theft and data corruption have recently increased at alarming rates. Computer security is divided into logical security and physical security (Guil, 2017). Logical security concerns the use of, and access to, programs in the conventional programming environment. The design of the operating system and the system programs implements the logical security of computer systems. Logical security threats comprise viruses, computer misuse, computer fraud, untested software, operator error, user error and external unauthorized access. Logical security measures include preventing data access at the software level. Due to the increase in computer crime, measures should be taken to protect both the physical security and the logical security of computer systems. Threats an organization can face include cyber-attack; theft, loss, damage or modification of data; disclosure of confidential information; and unlawful access to user identifications and passwords. Individuals with malicious intentions have developed viruses and malicious software with the aim of corrupting information or data stored in computer systems (Cyber Security Planning Guide, 2017). The risk of a successful attack increases whenever the business is exposed to any of these threats. All of these threats lead to breaches of security in an organization's infrastructure.

Objectives

This assessment report has several objectives, including assessment of the organization's operating style, management philosophy, and risk assessments. A major reason behind the occurrence of inappropriate behavior in organizations is poor communication by the management. Another objective of the report is to assess the hardware components of both the server and the client machines in Kiwi Pvt Ltd. To yield the desired results regarding the accuracy and effectiveness of information, processes must be well designed and implemented. The report also aims to identify the right measures that will help Kiwi Pvt Ltd to maintain the logical security of its systems and so avoid loss and modification of its important files.

The assessment report also provides the organization with a rough budget for the equipment and software tools needed to counter legitimate security threats. Software tools may include anti-virus software. The assessment investigates whether the current setup and its issues affect the security of the organization's systems and whether the existing permissions are appropriate. The report also gives suggestions for the best structure and the right access permissions.

Purpose

The purpose of the report is to determine all the weaknesses in the current setup that lead to security breaches and data loss. The report also aims to determine whether the faults experienced in the organization are caused by individuals or by viruses in the computer systems. The report also determines the level of risk and gives recommendations. These risks can be low, moderate or very high. The assessment aims to come up with the right solutions and measures for Kiwi Pvt Ltd to avoid a recurrence of the recent data modification and deletion. The report also aims to establish the cost of implementing the recommended solutions.

Limitations

The report could be subject to a number of criticisms as it is a case study report. In the case study one experimenter collected all of the data. Such a method can lead to bias in the interpretation of the data, which may then influence the end results. Data collected from the case study cannot be generalized to a wider population. The report could contain errors of memory or judgment, because perception and interpretation of results may differ from person to person. The report cannot be recreated because the situation of Kiwi Pvt Ltd cannot necessarily be replicated in other organizations.

CHAPTER TWO

BODY

Access control

Computer security incorporates several security techniques, such as authentication, audit, and authorization. Access control provides essential services such as authorization, accountability, identification and verification (InfoSec Resources, 2017). The functions of identification and verification are used to determine which users are allowed to log into the system. A subject must also undergo the processes of authorization and verification, which determine what the user can do to the system. Identification and verification are the means of proving the identity of a user. Authentication can be done through the use of a Personal Identification Number, a password, a smart card, or voice, fingerprint, retina, or iris characteristics (Rouse, 2017).

Authorization and Accountability

Authorization is the process of determining what a subject (user) can do to the system. Most modern operating systems define three sets of permissions: Read (R) permission, which permits the user to read file contents and list directory contents; Write (W) permission, which permits users to create, add to, delete and rename files; and Execute (X) permission, which lets the subject run the file when the file is a program (“File and Folder Permissions”, 2017). Accountability services determine what the subject/user did to the system components. Subject logs, as well as audit trails, are recorded to relate subjects to their activities. Audit logs and trails are used to identify security breaches and violations and to reconstruct security incidents. The recorded reports help the system administrator to identify possible break-in attempts.

Types of access control

The access control techniques include Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC) (“Types of Access Control Systems for Effective Personnel Security”, 2017). DAC comprises policies that are set by the system owner. It determines which people the system should grant access and privileges to (InfoSec Resources, 2017). MAC, on the other hand, incorporates access policies that are defined by the system, as opposed to the system owner (InfoSec Resources, 2017). Two common techniques are used in MAC implementations, label-based and rule-based access control, which further describe the particular settings under which a user is granted access to a requested object. All MAC systems use a simple rule-based technique to grant or reject access by comparing a subject's sensitivity label with that of the object. The other method for MAC is lattice-based control, which is used for Complex Access Control (CAC). CAC involves several objects and/or subjects. A lattice model is a mathematical structure that defines the greatest lower bound and the least upper bound for a pair of elements (“Types of Access Control Systems for Effective Personnel Security”, 2017).

Role-Based Access Control (RBAC) comprises policies in which the system determines access on the basis of roles. The three basic rules defined are: a user can execute an operation only if he or she has selected a role and has been authorized for it; the user is permitted to execute an operation only when the transaction has been authorized for that role; and, lastly, the user's primary role has to be authorized before proceeding to perform any activity (“Types of Access Control Systems for Effective Personnel Security”, 2017).
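The permission sets, audit trail and the three models described in this section, worked through as a small Python access-control engine. This is an added example, not code from the report or from any of the sources it cites. The users, resources, labels and roles are constructed; the read/write comparison rules for MAC follow the Bell-LaPadula form (read only if the subject's label dominates the object's, write only if the object's dominates the subject's), which is an assumption on top of the report's "compare the labels" description; and the lattice bounds treat a label as a level plus a set of compartments, which the report does not spell out.

```python
"""Toy access-control engine: DAC (owner ACLs), MAC (label lattice),
RBAC (roles carry operations) and an audit trail for accountability.
Added example; all subjects, objects and labels below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# The three permission sets named in the report.
R, W, X = "R", "W", "X"

# --- MAC: sensitivity labels ordered by level, refined by compartments ------
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice partial order: at least the other's level and every
        compartment the other holds."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound of two labels: higher level, union of compartments."""
    lvl = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(lvl, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: lower level, intersection of compartments."""
    lvl = min(a.level, b.level, key=LEVELS.__getitem__)
    return Label(lvl, a.compartments & b.compartments)


def mac_allows(subject: Label, obj: Label, perm: str) -> bool:
    """Simple rule-based comparison of the two labels (Bell-LaPadula style,
    an assumption): read/execute needs subject >= object, write needs
    object >= subject so that nothing is written to a lower label."""
    if perm in (R, X):
        return subject.dominates(obj)
    if perm == W:
        return obj.dominates(subject)
    return False


# --- DAC: the owner decides who gets which permission bits -------------------
@dataclass
class Resource:
    name: str
    owner: str
    label: Label
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> {R,W,X}


# --- RBAC: operations are attached to roles, users activate a role ----------
ROLE_OPERATIONS: Dict[str, Set[str]] = {
    "clerk": {"view_invoice"},
    "accountant": {"view_invoice", "approve_invoice"},
    "admin": {"view_invoice", "approve_invoice", "delete_invoice"},
}


@dataclass
class User:
    name: str
    clearance: Label
    roles: Set[str] = field(default_factory=set)
    active_role: str = ""


@dataclass
class AccessControl:
    # Accountability: (model, subject, target, action, decision) per request.
    audit: List[Tuple[str, str, str, str, bool]] = field(default_factory=list)

    def _record(self, model: str, who: str, target: str, action: str, ok: bool) -> bool:
        self.audit.append((model, who, target, action, ok))
        return ok

    def dac(self, user: User, res: Resource, perm: str) -> bool:
        ok = user.name == res.owner or perm in res.acl.get(user.name, set())
        return self._record("DAC", user.name, res.name, perm, ok)

    def mac(self, user: User, res: Resource, perm: str) -> bool:
        ok = mac_allows(user.clearance, res.label, perm)
        return self._record("MAC", user.name, res.name, perm, ok)

    def rbac(self, user: User, operation: str) -> bool:
        # Rule 1: a role must be selected and held; rules 2 and 3: the
        # operation must be authorized for that role.
        ok = (user.active_role in user.roles
              and operation in ROLE_OPERATIONS.get(user.active_role, set()))
        return self._record("RBAC", user.name, user.active_role, operation, ok)


if __name__ == "__main__":
    alice = User("alice", Label("CONFIDENTIAL", frozenset({"finance"})), {"accountant"}, "accountant")
    bob = User("bob", Label("INTERNAL"), {"clerk"}, "clerk")
    invoice = Resource("invoice.xlsx", "alice", alice.clearance, {"bob": {R}})
    ac = AccessControl()
    ac.dac(bob, invoice, W); ac.mac(bob, invoice, R); ac.rbac(bob, "approve_invoice")
    for entry in ac.audit:
        print(entry)
```

Each decision is appended to the audit list before it is returned, so the trail relates every subject to every request, granted or denied, which is what the accountability service in the previous section relies on.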

Assessment plan

The researcher used an assessment strategy in which Kiwi Pvt Ltd provided crucial information about staff interaction with the organization's computer systems. Questionnaires were used to assess various aspects of staff computer interaction. All staff members were given short questionnaires that took around ten to fifteen minutes of their time. Another form of assessment used was a one-on-one interaction between the researcher and staff members. The researcher asked the staff members questions that required simple explanations.

Disruption to users was minimized by using short questionnaires that required yes or no answers. The researcher also took a relatively short time to gather information directly from the staff. Around one to three days were needed to complete the assessment.

Local Area Network

Kiwi Pvt Ltd staff were interviewed to determine their awareness of information systems security. The staff must know the process of installing the components of the wireless LAN in the organization. Security vulnerabilities become evident for a firm that supports a wireless LAN environment. LAN security goals require meeting data confidentiality, data integrity, data availability, and data safety. All staff must be able to learn the procedures that target the organization's security issues.

Findings

Kiwi Pvt Ltd has no access control mechanisms defined for its computer systems. The files and data on the computer systems have no permissions defined by Kiwi Pvt Ltd. In this situation, every employee of the organization can access all of the organization's data and files. Employees have ‘Read’, ‘Write’, ‘Execute’, and ‘Delete’ permissions, and thus can even modify and delete any file. This situation has resulted in some files being lost because they were deleted, and others being modified with malicious intent. The computer systems have no identification and verification mechanisms, as all staff can log in at any time. There is also no authentication mechanism, as staff do not need a password to use the system. An external intruder can therefore access all the information stored in the computer systems, so confidentiality is lacking. There is also an increased probability that some important data may be stolen or modified by malice-driven individuals. The organization should define permissions so that only authorized staff can access data and files. This would improve the logical security of the system.

Security updates are not downloaded and installed during the weekends, as the machines are turned off, which puts the computer systems at risk of attack by viruses and other malware. Viruses and malware could destroy data and files. Malware and viruses present in the computer systems can corrupt or modify data. The computers should have been left running over the weekends to finish downloading and installing security updates, and also to allow data backups to be carried out.

This assessment report makes some recommendations that, if followed, would prevent security breaches and data deletion and modification. Kiwi Pvt Ltd should employ a system administrator whose job is to define the permissions of all the staff. Not all staff should have the same privileges. Each staff member should have his or her own identification method, such as a password that is not shared with other staff. Junior staff should not have the same privileges as senior staff. The client machines should have audit trail software to keep records of all the actions of the users.
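A concrete first task for the system administrator recommended above, given the finding that every file is writable by every employee: scan the file store for files whose mode lets anyone other than the owner modify them, and reset them to a restrictive mode. This is an added example, not a tool from the report; it runs on POSIX mode bits (the report does not say which operating system Kiwi Pvt Ltd uses), the sample tree is constructed inside the script, and the target mode of owner read/write, group read, others nothing is an assumed policy.

```python
"""Detective and corrective control for file permissions: find files that
the group or everyone can write to, then tighten them. Added example; the
sample files are constructed here and TARGET_MODE is an assumed policy."""
import os
import stat
from typing import List

# Mode bits meaning "someone other than the owner may modify this file".
LOOSE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH
TARGET_MODE = 0o640  # assumption: owner rw, group r, others nothing


def find_overly_permissive(root: str, bits: int = LOOSE_WRITE_BITS) -> List[str]:
    """Return root-relative paths of regular files with any of `bits` set.
    Symlinks are not followed, so a link cannot redirect the scan."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & bits:
                findings.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(findings)


def tighten(root: str, target: int = TARGET_MODE) -> int:
    """Corrective step: reset every flagged file to the target mode.
    Returns the number of files changed so the action can be logged."""
    changed = 0
    for rel in find_overly_permissive(root):
        os.chmod(os.path.join(root, rel), target)
        changed += 1
    return changed


def build_sample_tree(root: str) -> None:
    """Constructed sample: a world-writable file, a group-writable file and
    one already restricted file, mirroring the report's finding."""
    os.makedirs(os.path.join(root, "shared"), exist_ok=True)
    samples = {
        "shared/everyone.txt": 0o666,  # anyone may modify or truncate
        "shared/team.txt": 0o660,      # any group member may modify
        "payroll.xlsx": 0o640,         # owner writes, group reads only
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("flagged before:", find_overly_permissive(tmp))
        print("files tightened:", tighten(tmp))
        print("flagged after:", find_overly_permissive(tmp))
```

Run the scan on a schedule and keep its output with the audit trail: a file that reappears in the flagged list after being tightened is itself a signal worth investigating, since someone with access loosened it again.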

The organization is also recommended to buy and install the best anti-virus software tools and malware detection tools. These will help to clean all the viruses present in the organization's computer systems. Some of the best anti-virus software recommended to the organization includes McAfee Anti-virus Plus, Symantec Norton Security Premium (2017), BullGuard, Kaspersky Internet Security, Webroot SecureAnywhere Antivirus, and AVG.

Conclusion

The evidence in the assessment has shown that Kiwi Pvt Ltd has many loopholes and weaknesses that can be exploited by staff members with malicious intentions. An employee can log in to the system freely without a password, as there are no permissions defined, which is one reason why the organization's data is being deleted and modified by some staff members. Kiwi Pvt Ltd should maintain data confidentiality, especially when the Local Area Network serves as the storage. The organization should make its wireless local area network secure. Hardware failure can hit an organization without backups and do serious damage. Backup is essential, not only because of the threat of hardware failure, but also because malware can cause permanent loss of data. An organization can rely on cloud backup, which is very popular among users, or it can back up data to an external hard drive.


In conclusion, the organization should have a system administrator to define all the permissions attached to each staff member. Each staff member should have a unique password that is not shared with others, thus ensuring maximum data confidentiality. The organization should back up all its data to cloud backups, which are preferable to backing up data to an external hard drive. Firewalls should also be enabled to counter viruses in the system. In addition, the organization should equip its computer systems with the best anti-virus software available in the market.

References

Guil, F. (2017). Computer Rooms – Meet the physical security measures. Retrieved 8 October 2017, from https://www.giac.org/paper/gsec/2892/computer-rooms-meet-physical-security-measures/104866

Cyber Security Planning Guide. (2017). Retrieved 8 October 2017, from https://transition.fcc.gov/cyber/cyberplanner.pdf

InfoSec Resources. (2017). Access Control: Models and Methods. Retrieved 10 October 2017, from http://resources.infosecinstitute.com/access-control-models-and-methods/#gref

File and Folder Permissions. (2017). Msdn.microsoft.com. Retrieved 8 October 2017, from https://msdn.microsoft.com/en-us/library/bb727008.aspx

Rouse, M. What is authentication, authorization, and accounting (AAA)? – Definition from WhatIs.com. SearchSecurity. Retrieved 8 October 2017, from http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting

Types of Access Control Systems for Effective Personnel Security. (2017). Retrieved 8 October 2017, from http://stor-guard.com/article/types-of-access-control-systems-for-effective-personnel-security-43

Umuc.edu. (2017). About Cyber Security | UMUC. Retrieved 10 October 2017, from http://www.umuc.edu/academic-programs/cyber-security/about.cfm
