IT Security Risks and Risk Mitigation Approaches : Report

Added on - 23 Feb 2020

7 pages, 2906 words
Showing pages 1 to 3 of 7 pages
Critical Analysis of Security Risks
Mitigation Approaches

Contents
Introduction 1
IT Security & Technology 1
IT Security Models & Access Controls 2
IT Security Threat and Risk assessment 3
Conclusion 5
References 5

Introduction

The objective of this report is to understand the security risks in the IT space and to explore various mitigation strategies, in order to gain professional experience of the risk management field. The report includes a critical analysis of the various IT security risks and of risk mitigation approaches such as detection systems, firewalls and vulnerability scanners [CITATION Lou121 \l 16393]. Security risks are evaluated in terms of the vulnerabilities of the systems, while mitigation strategies are evaluated on the basis of their potential to reduce those vulnerabilities. The report also explores the feasibility of using cyber-insurance as a risk mitigation strategy. The report is divided into three sections: a discussion of the concept of IT security in the technology space, an exploration of IT security and access control models, and an assessment of threats and risks.

IT Security & Technology

Cyber security is crucial to every organization in today's connected world. Daily occurrences of exposures and risks raise concern as the number of cyber attackers increases, and they use new and more advanced strategies to launch attacks, leaving organizations vulnerable. While technologies support the core business processes of the organization, a focus on technology alone is not sufficient to make an organization secure; an informed business culture has to be created that is both aware of security risks and capable of dealing with them when exposed [CITATION Ste143 \l 16393].

Organizations build security management capabilities in three areas: prevention, detection and response. Prevention is achieved by implementing governing procedures, which involves creating awareness of security risks among staff through training and building accountability and responsibility so that they operate in a secure manner [CITATION NIS14 \l 16393]. Detection involves monitoring events and incidents that suggest risk, such as the unusual usage patterns caused by cyber attackers. When evidence of an attack is received, a pre-planned response is used: the exploited technologies are deactivated and a recovery procedure is followed [CITATION Ste012 \l 16393]. At this stage management may use forensic analysis skills to understand the attack and respond to it [CITATION Lou121 \l 16393].

Some common cyber security mistakes that leave company systems insecure and unprotected were observed in the study of IT security, and these included:

• Companies want to gain 100% protection, which is not feasible in reality; this tendency leads them to implement every possible solution and assume that security is achieved. Instead, organizations need to develop a defensive posture and work sufficiently on each of the areas of prevention, detection and response [CITATION Int14 \l 16393].
• Companies investing in the best technology solutions often assume that they are thereby protected, but cyber security does not depend on the technology used alone, so they still need sufficient protective measures [CITATION Cen14 \l 16393].
• With advanced security measures implemented, companies assume that they have better tools than the hackers or attackers, which may not actually be the case and can put the company at risk [CITATION Jam021 \l 16393].
• When it comes to compliance with cyber security procedures, companies usually assume that it is only about monitoring. The actual purpose of these procedures is not just to monitor but to help companies achieve a better level of protection, which is only possible when companies use the procedures to understand how threats evolve and ensure that appropriate lessons are learnt from their evaluation [CITATION Ste143 \l 16393].

IT Security Models & Access Controls

IT security involves the prevention of, detection of and response to security risks. Access control mechanisms are the methods used for prevention of security threats. The objective behind implementing an access control mechanism is to take care of three security properties: confidentiality, integrity and availability [CITATION ISC10 \l 16393]. Users' information has to be kept private to maintain confidentiality. It must also be protected such that it can only be modified by authorized people, to maintain integrity. And the information has to be available to its users sufficiently and on time [CITATION IBM11 \l 16393]. Access control deals mainly with the preservation of confidentiality and integrity, and it provides protection against information disclosure and internal (insider) attacks [CITATION DHS09 \l 16393].

There are several access control models that organizations use to establish access control mechanisms, such as Lampson's matrix and discretionary access control, Bell-LaPadula, lattice-based and mandatory access control, and role-based access control (RBAC) [CITATION JIR07 \l 16393].
Lampson's matrix: In this model a matrix of subjects and resources is created that records which subjects may read or write which resources. Each row (one subject's rights over every object) is a capability list and each column (every subject's rights over one object) is an access control list. This is a very basic model that serves as a foundation for the other models [CITATION Off15 \l 16393].

Discretionary access control: This is similar to Lampson's matrix but also identifies ownership relationships between subjects and objects, so that permissions are granted at the owner's discretion. The model has some drawbacks. Users given discretionary rights can at times choose insecure permissions such as a world-writable "777" mode. Further, a user who has been granted access can copy another user's data and pass the copy on outside the owner's control [CITATION ESE16 \l 16393].

Bell-LaPadula, lattice-based and mandatory access control: This mechanism is designed to work with classified documents in computer systems. Access is decided by comparing the object's classification with the user's clearance; the classifications are categorised as unclassified, confidential, secret and top secret. A subject may read only objects at or below its clearance (no read up) and write only to objects at or above it (no write down), which is what stops classified information from flowing to lower levels. This mechanism is most effective at maintaining the confidentiality of a system, as it involves effective classification of users [CITATION MYO16 \l 16393].

Role-based access control (RBAC): RBAC is a family of models that associates permissions with roles; permissions are not assigned directly to users. This model is very useful in overcoming the administrative difficulties of an organization and can reduce both complexity and cost. An interesting feature of the model is that roles are hierarchical, which means that they can inherit permissions from their parent roles.
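To make the four models above concrete, the following is an added worked example and not the report's own material: a toy Python implementation of Lampson's matrix, discretionary ownership on top of it, the Bell-LaPadula read and write rules, and hierarchical RBAC, exercised on constructed subjects (alice, bob, mallory, dana), objects (/home/alice/notes, /home/bob/copy), roles and permission strings that are all invented for illustration.

```python
"""Toy versions of the four access-control models discussed above. Added
example, not the report's own material; all names and policies are made up."""
from enum import IntEnum

class AccessMatrix:
    """Lampson's matrix: rows are subjects, columns are objects, cells hold
    the allowed operations.  Subject "*" means everyone; unlisted => denied."""
    def __init__(self):
        self.cells = {}  # (subject, object) -> set of rights
    def grant(self, subject, obj, *rights):
        self.cells.setdefault((subject, obj), set()).update(rights)
    def check(self, subject, obj, right):
        return any(right in self.cells.get((s, obj), ()) for s in (subject, "*"))

class DACMatrix(AccessMatrix):
    """Discretionary access control: ownership on top of the matrix.  Only a
    holder of the 'own' right may hand out rights, at its own discretion."""
    def create(self, owner, obj):
        self.grant(owner, obj, "read", "write", "own")
    def share(self, granter, subject, obj, *rights):
        if not self.check(granter, obj, "own"):
            raise PermissionError(f"{granter} does not own {obj}")
        self.grant(subject, obj, *rights)
    def world_writable(self, obj):
        """The '777' mistake: everyone may write the object."""
        return "write" in self.cells.get(("*", obj), ())

class Level(IntEnum):
    """Bell-LaPadula classification levels, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def blp_can_read(clearance, classification):
    """Simple security property: no read up."""
    return clearance >= classification

def blp_can_write(clearance, classification):
    """*-property: no write down, so a subject cannot copy what it read at
    its own level into a lower-classified object."""
    return clearance <= classification

class RBAC:
    """Role-based access control with a role hierarchy: permissions attach
    to roles, users get roles, and a role inherits from its parents."""
    def __init__(self):
        self.parents, self.role_perms, self.user_roles = {}, {}, {}
    def add_role(self, role, *parents):
        self.parents[role] = set(parents)
        self.role_perms.setdefault(role, set())
    def permit(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)
    def assign(self, user, *roles):
        self.user_roles.setdefault(user, set()).update(roles)
    def effective_roles(self, user):
        seen, todo = set(), list(self.user_roles.get(user, ()))
        while todo:  # walk up the hierarchy; parents count transitively
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.parents.get(role, ()))
        return seen
    def permissions(self, user):
        return set().union(*(self.role_perms.get(r, set())
                             for r in self.effective_roles(user)))

def demo():
    """Exercise each model on constructed data and return the outcomes."""
    out, notes, copy = {}, "/home/alice/notes", "/home/bob/copy"
    dac = DACMatrix()
    dac.create("alice", notes)
    dac.share("alice", "bob", notes, "read")
    out["bob_reads"] = dac.check("bob", notes, "read")
    out["bob_writes"] = dac.check("bob", notes, "write")
    out["bob_may_reshare"] = dac.check("bob", notes, "own")
    # DAC drawback: bob may copy alice's data into an object he owns and
    # open it to everyone; alice's rights on the original cannot stop this.
    dac.create("bob", copy)
    dac.share("bob", "*", copy, "read", "write")
    out["copy_leaks"] = dac.check("mallory", copy, "read")
    out["copy_is_777"] = dac.world_writable(copy)
    out["secret_reads_confidential"] = blp_can_read(Level.SECRET, Level.CONFIDENTIAL)
    out["secret_reads_top_secret"] = blp_can_read(Level.SECRET, Level.TOP_SECRET)
    out["secret_writes_confidential"] = blp_can_write(Level.SECRET, Level.CONFIDENTIAL)
    rbac = RBAC()
    rbac.add_role("employee")
    rbac.add_role("analyst", "employee")
    rbac.add_role("soc_lead", "analyst")
    rbac.permit("employee", "read:wiki")
    rbac.permit("analyst", "read:alerts")
    rbac.permit("soc_lead", "close:alerts")
    rbac.assign("dana", "soc_lead")
    out["dana_permissions"] = rbac.permissions("dana")
    return out

if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key}: {value}")
```

Running the module prints the outcomes: bob can read but neither write nor re-share alice's notes, yet the copy he owns is readable (and writable) by anyone, which is the discretionary drawback the text describes; a SECRET subject can read CONFIDENTIAL but not TOP_SECRET objects and is refused a write down to CONFIDENTIAL; and dana, assigned only soc_lead, ends up with the permissions of all three roles in the hierarchy.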
Standard descriptions of the model distinguish its core concepts (users, roles, permissions and their assignments), the role hierarchy, and constraints such as separation of duties between roles. All models classify access rights in different ways and have different benefits, so the appropriate model may be chosen based on the individual requirements of an organization [CITATION Rom07 \l 16393].

IT Security Threat and Risk assessment

Several risk and threat assessment methodologies exist today; some are open source while others are proprietary. They all have similar objectives: to identify what requires protection, what the threats are, what the vulnerabilities are, what the implications of exploiting those vulnerabilities would be, and what can be done to minimize the impact or loss. The outcome of any risk assessment process must be a recommendation of methods that increase the level of protection of the availability of data and the integrity and confidentiality of systems, while keeping the usability and functionality of the systems intact [CITATION Xer16 \l 16393].

There are some core areas of risk assessment, and these include:

Scope: The assessment scope is identified at the beginning of the assessment process to help an analyst understand what needs to be covered in the assessment, what needs protection, and what level of protection is required. The scope also helps an analyst identify the systems or applications that can be used in the assessment. The scope must have both internal and external