
Risk Management Assignment: IS Security at Australian Cyber Security Centre


Task: Today’s Internet has its roots all the way back in the late 1960s, but it was only used by researchers and the military for almost a quarter of a century. The Internet has opened the door for threat actors to reach around the world invisibly and instantaneously to launch attacks on any device connected to it.

Read the case study titled: Threat Update COVID-19 Malicious Cyber Activity and prepare a risk management assignment answering the following questions:
1. Identify and examine all types of the malicious cyber activities identified by ACSC and summarize them in a table.

2. Identify and categorize assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, and networking).

3. Create a table identifying and prioritizing threats against each type of asset identified in item (2). You have to demonstrate the method you follow to prioritize threats, with justification.

4. In general, security defenses should be based on five fundamental security principles: layering, limiting, diversity, obscurity, and simplicity.
The ACSC proposed eight strategies to prevent malware delivery and limit cyber security incidents. Analyze these principles against the strategies proposed by the ACSC. In your analysis, you have to clearly demonstrate how each mitigation strategy is related to a fundamental security principle, with justification.


Introduction to Risk Management Assignment:
The security of information systems depends on the protection of servers, networks and consumers. Data is a growing asset in the digital age, with data collected, stored, and transmitted online on all forms of technology (Hannila et al., 2019). Security of information systems is a major problem for the digital world. Risk management is the mechanism by which possible threats are identified (Ho et al., 2015), their effects assessed, and responses planned for when the risks become realities. Attackers are driven by financial gains, confidentiality, or market disturbances. A cyber security management strategy is essential for any company, regardless of scale or sector. Implementing a plan for cyber risk assessment helps a company recognize the challenges it faces. Different types of security threats have been identified and discussed in the case study. During the pandemic, cyber-attacks have increased rapidly: the ACCC's Scamwatch received about 1,100 reports of COVID-19 threats, with approximately $130,000 in confirmed losses. About 115 fraud and cyber security incidents have been reported to the ACSC. These figures understate the real total, since they cover only the cases reported to the ACSC and the ACCC; the actual number is considerably greater. This report analyzes the multiple cyber threats with justifications and incidents, and also discusses the mitigation of these threats.

Different malicious cyber activities:

As per the case study, the ACSC identified multiple types of cyber-attack, all of which are common in the current situation. SMS malware is a smartphone cyber-attack aimed at customers via SMS instead of via e-mail. This type of phishing attack attempts to dupe smartphone users with falsified text messages containing links that appear official, along with fake notifications that lead to malware infection later. The text message warns the recipient, in urgent and persuasive language, of serious repercussions if they do not take action, or persuades the victim to give the sender the data requested. Sometimes the message relates to a bank and ends by demanding the user's bank details, which leads to the receiver's bank account being hacked. Phishing by email is a numbers game (Meyer & Reniers, 2016). An intruder sends thousands of malicious emails, and even though only a small proportion of recipients are scammed, this puts substantial data and users' credentials at risk. Attackers use certain tactics to maximize their success rates (Sadgrove, 2016). Because most of these emails are carefully designed, their terminology and language make them much more difficult to recognize as malicious. It is crucial that users check the origin of the email and the actual destination to which a link points. Spear phishing is a social engineering threat in which an offender poses as a trustworthy person (Hubbard, 2020) and fools a victim into clicking a link in an encrypted email or instant message. The target then unintentionally exposes classified details, installs harmful programs on the network, or enables the first stage of a continuing, advanced threat, to list some of the potential implications.
As per the case study, such an attack occurred in a large company in Australia, and the employees of that company faced issues related to their financial data (Chance & Brooks, 2015). Another type of scam is the remote access scam, in which a scammer tries to get the user to let them remotely control the user's personal system, which helps the scammer obtain money from the user and capture their confidential data. The ACSC is receiving more and more reports of remote access fraud from companies and citizens. Most of the sources suggest that the fraudsters pose as being from IT firms, telecoms corporations, banks and the ACSC (Aven, 2016). Cyber attackers also pressure consumers to provide remote access to fix supposed problems, presenting a variety of scenarios to persuade users that their computer needs emergency access. This type of cyber-attack is very dangerous because, once access to the personal system is granted, the attacker can steal the user's highly sensitive data. Other scenarios also increased during the pandemic: hackers posing as an IT help desk tried to convince users to click on links that lead to corrupted websites, which help the hackers access the user's personal data (Glendon et al., 2016). Business Email Breach is a form of scam targeted at businesses that carry out wire transfers and pay foreign suppliers. Top management or senior staff connected with finance or engaged in wire transfers have organizational or publicly accessible email addresses that are either fraudulent or hacked with major trappers or phishing attacks, resulting in financial losses. Cyber criminals who try to obtain unauthorized payments through the network frequently use a fraudulent email account, or a false email address of the company, distributor or client.
Thefts like this are usually aimed at companies with overseas vendors and companies that make wire transfers daily. During the COVID-19 situation, many cases of hacked email accounts of executives or managers have been seen, and COVID-19 themed fake emails have been sent from those hacked accounts. These scenarios have been identified, and they are alarming for users concerned with the security of their sensitive data.


| | What happens |
|---|---|
| SMS phishing | Attacker sends fake messages containing malicious links which lead to an untrusted website and hacks the details of the user |
| E-mail phishing | Fake links are generated via e-mails, and clicking the links allows the hacker to access the data of the user |
| Payment phishing | Fake links for payments and transactions are sent to the user, and the ID and password of the user and other bank details are hacked |
| Remote access scam | Attacker sends messages or links to convince the user to give remote access to their system so that the attacker can fully control the system of the user |
| IT helpdesk scam | Malicious links and messages are often sent asking the user to update their system, and in turn the entire system gets hacked if the user clicks on any of those links |

Identification and categorization of assets:
Asset recognition is an integral factor in an entity's capacity to compare various data sets about its assets easily. The requirements for identified assets depend on informed identification and knowledge of those assets. This classification outlines the objective of asset identification, an asset recognition data structure, asset identification methods and guidelines about the use of asset identification (Hopkin, 2018). A variety of known use cases for asset recognition are identified. Information assets generate, receive, preserve, or send data using one or more processing media types, or just a simple medium (Srinivas et al., 2019). Non-volatile computing devices include desktop and notebook machines, cloud, data backup, network storage, phones, and tablets, as well as multi-functional scanners, printers and copiers. Different assets can be considered in information security, such as hardware, computer systems, the organization's databases, the software applications the organization uses, and communications. The specific kinds of devices or technologies used for the production, reception, retention, or transmission of confidential information are highly specialized. Software and equipment are so integrated that they depend on each other. The network connections used in the organization can also be a source of sensitive information.

It is crucial to recognize every medium that hosts sensitive information, and any possible compromise of the security, integrity and accessibility of that sensitive data.

People: Includes users and employees of any organization

Procedures: Any portal or application used to contain private details

Data and information: ID, password or any other personal credentials

Software: Includes different applications, web pages and other portals that require personal details

Hardware: Includes internal devices used for data storage

Networking: Includes the particular network service, used for security purposes, over which data and information are carried

Identifying and prioritizing threats against each type of asset:
Threats may be defined as situations which affect the secrecy, completeness or availability of an item, and may be deliberate or accidental. Deliberate threats include malicious hacking and insiders stealing documents, while unintended threats usually include employee errors, mechanical malfunctions, or physical damage, such as a natural catastrophe. Technological innovation is introduced every day. New devices include some form of digital access (El Mrabet et al., 2018), and yet are not risk-assessed more than once. Any unsecured link means insecurity. This poses a very important danger. The exponential growth in technology is a sign of innovation, but protection lags badly behind. In most cases data has been hacked through links and other malicious means. When particular network services are used, passwords or other details can be hacked. Sometimes the ID and password have been saved in a portal, which can be accessed by hacking. Links are also generated and sent in emails. If the people or employees of an organization follow the steps given in such an email, it leads to a data breach, and the sensitive data can be stolen by the cyber criminal, which may lead to financial loss and other harassment. Sometimes software used for important work may not have enough security to protect the user's data, so data can be leaked from there as well. A Wi-Fi or Internet connection used without a password can be hacked very easily. Cyber criminals can often hack the cloud storage used by an organization or by individuals (Thakur et al., 2015). Criminals search for cloud repositories without passwords, use unexploited systems and carry out brute-force attacks to reach user profiles. In some cases private data are planted, and in others, cloud services are used for encryption DDoS attacks.
Passwords are designed to prevent unauthorized persons from accessing the device or any other confidential material. When staff use words that are easily guessed or put them to rest, the significance of passwords is undermined and unauthorized entry to the system is facilitated.






Malicious codes can be saved or downloaded via any link on the internet or any portal, which leads to the system of the user being hacked | Mostly contains personal information

Virus or malicious codes can damage the system | Data storage

Access of private details by any unauthorized network or portal can lead to the sensitive information of the user being hacked | Controls the transfer of information within the system

Data and information | Installation of virus via malicious links, crash of the system, or unauthorized access | Contains personal credentials

Any procedure used in any organization, or any application which stores the information of the user, can be hacked if it is not protected | Contains sensitive data which can be obtained by applying a suitable process

Less knowledge about different malicious links and threats can lead people to be convinced by the hacker to give access to their system, and their system gets hacked | Less knowledge about the security threats and data leakage


Analyzing the fundamental security principles with the security mitigation and the proposed strategies by ACSC:

The prevention of cyber threats consists of policies and procedures implemented by companies to assure safety and to limit data violations and disruption in the event of security violations. The initial step is to make sure the latest vendor security and organizational updates are applied to both IT applications and operating systems (Shafqat & Masood, 2016).

(1) Layered protection is a cybersecurity strategy that uses multiple elements to secure operations at multiple levels. The goal of a layered protection strategy is to ensure that every single defense feature has a backup, to cover vulnerabilities or failures in other parts of network security.

(2) Limiting is an important factor in this case. It helps to limit the access that any other application has to the system. Obscurity is good, but only to a limited extent, because it prevents threats only as long as the system has not been identified by the attackers.

(3) Diversity awareness can make a device more targeted than a well-known homogeneous approach and inherently more stable (Schatz et al., 2017). For organizations, the prevention measures that need to be carried out to minimize the danger of cyber vulnerability and secure information have a much broader reach.

(4) Obscurity is important because it is based on security engineering and reduces the likelihood of any cyber threat.

(5) Simple network-level security is always good for protecting the system from cyber threats. Complex networks are easily hacked by viruses (Edgar & Manz, 2017). An established server backup approach is important. If an email account or any other account related to private information is hacked, people should report it immediately (Gupta, 2018).

As per the mitigation strategies identified by the ACSC, there are certain steps to be carried out.
(a) Application control should be implemented to protect the system from unapproved programs. In the event of large incidents, such a technique provides redundant versions of the applications to roll back to. It helps to prevent the execution of unwanted applications.

(b) Patches are released as early as possible by Microsoft as well as other providers. The updates include fixes for the currently documented bugs and exploits. Patching applications can be a focus for data protection. There are also various technological strategies to avoid cyber security threats in an organization (Graham et al., 2016). Many opt for a professional services vendor that manages and secures the IT infrastructure as a whole.

(c) Microsoft macros should be blocked because they might be used for executing malicious code in the system.

(d) Total device backups in the business can require substantial costs to introduce as a component of a protection-first strategy. People should avoid any kind of unauthorized links provided in any text message or email (Sun et al., 2018). Backup is very important to recover lost data.

(e) The web browser should be configured appropriately to avoid data leakage. Select one that is evaluated for device data safety and enforcement, and take a big step toward ensuring a secure digital network (Stevens, 2016). It will help to prevent unauthorized access.

(f) For better data protection, people can use a multi-factor authentication process, which will notify the user if anyone tries to use their personal credentials in an unauthenticated way.

(g) Administrative privilege restrictions are also needed to protect user accounts from any kind of unauthorized access.

(h) People should always use an updated operating system to prevent such threats.

Hence, from the report it is observed that data security is very important for everyone. There are different security-related risks, and data breaches are taking place very frequently. Technology threats and privacy breaches are reported in the news regularly, with victims ranging from small start-ups to multinational firms. Protecting confidential data, publicly identifying information, secure medical data, private details, proprietary information, and regulatory and business information systems from attempted fraud and harm is critical, as it covers all aspects. Cyber security is very important these days. The most critical data protection features are cryptographic data encryption for information in transit and at rest, efficient access management, and efficient data access tracking and recording. Different security risks have been discussed in this report and their mitigation processes are also identified. Further research on other issues is required for data security and public awareness.

Aven, T., 2016. Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), pp.1-13.

Chance, D.M. and Brooks, R., 2015. Introduction to derivatives and risk management. Cengage Learning.

Edgar, T.W. and Manz, D.O., 2017. Research methods for cyber security. Syngress.

El Mrabet, Z., Kaabouch, N., El Ghazi, H. and El Ghazi, H., 2018. Cyber-security in smart grid: Survey and challenges. Computers & Electrical Engineering, 67, pp.469-482.

Glendon, A.I., Clarke, S. and McKenna, E., 2016. Human safety and risk management. CRC Press.

Graham, J., Olson, R. and Howard, R. eds., 2016. Cyber security essentials. CRC Press.

Gupta, B.B. ed., 2018. Computer and cyber security: principles, algorithm, applications, and perspectives. CRC Press.

Hannila, H., Silvola, R., Harkonen, J. and Haapasalo, H., 2019. Data-driven begins with DATA; potential of data assets. Journal of Computer Information Systems, pp.1-10.

Ho, W., Zheng, T., Yildiz, H. and Talluri, S., 2015. Supply chain risk management: a literature review. International Journal of Production Research, 53(16), pp.5031-5069.

Hopkin, P., 2018. Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.

Hubbard, D.W., 2020. The failure of risk management: Why it's broken and how to fix it. John Wiley & Sons.

Meyer, T. and Reniers, G., 2016. Engineering risk management. Walter de Gruyter GmbH & Co KG.

Sadgrove, K., 2016. The complete guide to business risk management. Routledge.

Schatz, D., Bashroush, R. and Wall, J., 2017. Towards a more representative definition of cyber security. Journal of Digital Forensics, Security and Law, 12(2), pp.53-74.

Shafqat, N. and Masood, A., 2016. Comparative analysis of various national cyber security strategies. International Journal of Computer Science and Information Security, 14(1), p.129.

Srinivas, J., Das, A.K. and Kumar, N., 2019. Government regulations in cyber security: Framework, standards and recommendations. Future Generation Computer Systems, 92, pp.178-188.

Stevens, T., 2016. Cyber security and the politics of time. Cambridge University Press.

Sun, C.C., Hahn, A. and Liu, C.C., 2018. Cyber security of a power grid: State-of-the-art. International Journal of Electrical Power & Energy Systems, 99, pp.45-56.

Thakur, K., Qiu, M., Gai, K. and Ali, M.L., 2015, November. An investigation on cyber security threats and security models. In 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing (pp. 307-311). IEEE.

Attack experience:
As per my personal experience, during the Covid situation, my brother was working from home for his organization and faced a cyber infringement. He was working on his personal laptop and one day got an e-mail from the IT department of his company to install antivirus on his system, which was mandatory for the project work. So, he followed the steps mentioned in the e-mail and installed the antivirus on his system. But after that his laptop hung and his account got hacked. As he was unaware of such IT department threats, the phishing activity carried out on his system caused loss of the data and information that he stored on his laptop. He immediately reported this incident to the office and came to know that the e-mail address had been hacked by a cybercriminal and that this incident had happened to many of the employees of that organization. In order to mitigate such attacks in the near future, organizations should educate their employees about such cyber threats, including the latest cyber threats occurring. One or two days after this attack occurred, the company took the initiative to completely update the systems of the affected employees with the latest firewall to avoid such attacks in future, and started preparing regular sessions to educate employees on how to handle such threats.
