Information Security Management for CloudXYZ: Risk Assessment and Mitigation
Added on 2023/06/13
This report focuses on the development of a security system for Cloud XYZ, UK, for securing the storage and virtual service for customers connected with the organization. It includes risk assessment, owner specification, assets, threats, vulnerability, risk likelihood, and impact table.
Running head: INFORMATION SECURITY MANAGEMENT
Information Security Management
Name of the Student
Name of the University
Author's Note
Abstract
The report is prepared for the development of the security system for Cloud XYZ, UK, for securing the storage and the virtual service for the customers connected with the organization. Losses to the organization should be mitigated by preventing the malfunction and modification of data and by preventing illegal users from accessing the resources of the organization. The personnel responsible for each risk should be identified so that the roles and responsibilities for the assessment of the risk are clear. The network diagram of the organization is used for the analysis of the risks and vulnerabilities so that the risks can be mitigated and the security of the current network framework improved. The security of the servers and the demilitarized zone is analysed for protecting the resources of the organization. The network resources are categorized as primary and secondary assets, and the threats to each asset are analysed to identify their impact on the security of the organizational network.
Table of Contents
Introduction 3
Risk Assessment 4
Owner Specification 5
Assets 6
Threats for each asset 8
Vulnerability for each asset 11
Risk Likelihood 12
Risk Impact table 12
Risk Identification with level 13
Summary and Recommendations 15
Bibliography 16
Introduction
There are different ISO standards that are used as a baseline for the security of information in an organization. The ISO standards are used for avoiding breaches in the network, reassuring customers, gaining an edge and accessing new market opportunities. They are internationally recognized, applied for the management of safety practices, and used as a systematic approach for increasing the reliability and enforcement of security controls. There are different ISO standards such as ISO/IEC 17025, ISO 9001, ISO/IEC 27001 and ISO 50001. The standards serve different purposes: ISO/IEC 17025 is used for testing and calibration, ISO 9001 for quality management, ISO/IEC 27001 for information security management and ISO 50001 for energy management. Thus for the analysis of the security of CloudXYZ, ISO/IEC 27001 is applied, and it helps the organization to store information securely. The use of the ISO standard helps to increase the security of the data residing in the cloud platform. For the development of the network framework an authentication server should be used for permitting users to connect with the database. The user needs to authenticate with the system for the management of the virtual server, and ISO/IEC 27001 is used for the identification of the potential risks associated with the system. The privacy policy is assessed and the risks associated with it are eliminated for meeting the standard of information security management. For the analysis of the risk the following steps are performed:
Step#1: Analysis of the risk associated with the system
Step#2: Evaluation of the risk management system
Step#3: Selection of the risk management methodology
Step#4: Implementation of the risk management strategy and techniques
Step#5: Monitoring the current system and eliminating the errors for reducing the risk
Figure 1: Steps involved in risk assessment
Risk Assessment
The risk assessment is done for analysing the impact of each risk and for monitoring the network and eliminating risks so that the performance of the network is maintained. The performance of the network should not be affected by the implementation of the system. The following figure is used for defining the security of the system and identifying the failure points of the network.
Figure 2: Overview of the network security solution
The confidentiality, availability and integrity of the system are the main factors for the management of information security, and the following framework is used for the management of the risk. The risk is assessed for prioritizing the security risks, preventing the loss of the organizational policy and implementing technical controls on the network.
Owner Specification
The HR manager is responsible for the management of the human resources of the organization, and the network administrator is responsible for the management of the servers and the information residing in the database. The server manager is also responsible for the management of the configuration of the server. The owners of the system identified for the development of the system are given below:
• Employees
• Human Resource
• Development team
• Administration Department
• Management team
• Visitors / guests
• Maintenance Team
• Client
Assets
Primary Assets – The primary assets identified for the development of the risk management plan are listed below:
• Authentication Server
• Database server
• Firewall
• Web Server
• Mail Server
• Virtual Server
• PC
Secondary Assets –
• Intranet
• DMZ network
• Customer Phone
• Visitor PC
A table is created for recording the details of the assets and is given below:
| ID | Name of Asset | Asset type | Remarks |
| A_1 | Mail Server | Primary Asset | Mail accounts are created for the employees for managing the internal communication securely. |
| A_2 | Firewall | Secondary Asset | It is used for the management of the network traffic and filtering the unwanted traffic in the network. |
| A_3 | Authentication Server | Primary Asset | It is used for authenticating the user to connect with the database and storing the log details for the users accessing the resources of the organization. |
| A_4 | Web Server | Primary Asset | It is used for hosting the website of the organization and storing the details of the organization. |
| A_5 | Admin PC | Primary Asset | The Admin PC is used for the management of the server and the service used for the configuration of the network solution. |
| A_6 | Customer DB | Primary Asset | The customer database is used for recording the details of the customers and using them for improvement of the current business process. |
| A_7 | HR PC | Primary Asset | It is used for the management of the employee and customer information. |
| A_8 | Virtual Server | Secondary Asset | It is used for the management of the loads and serving more requests from the users. |
| A_9 | Cloud Storage | Primary Asset | The cloud storage is used for uploading the data to the cloud servers and providing access to the users so that they can access the data from a remote location. |
| A_10 | Visitor PC | Secondary Asset | It is used for allowing the visitors to be given access to the core network and recording the details. |
| A_11 | Mobile Device | Secondary Device | It is used for connecting with the wireless network of the organization and accessing the information stored in the server of the organization. |
| A_12 | Staff PC | Primary Asset | The staff PCs are used for the management of the technical work, the data of the enterprise and the management of the information. |
Threats for each asset
| Name of the Asset | Threat | Level | Source |
| Mail Server | Malware | High level | Receiving malicious emails from unknown sources |
| Mail Server | Spam | Medium level | Outside source is used for implementation of the spam mails |
| Mail Server | Social Engineering | Low level | It is used by the hackers for getting the login credentials of the user |
| Firewall | Shared secret | High level | The system can be hacked from outside sources |
| Firewall | Phishing attack | Medium level | It can occur from a hacker duplicating the identity of the user |
| Firewall | Domain Hijacking | Low level | It is used by outsiders for getting access to the data traffic |
| Authentication Server | Dictionary attack | High level | It is used by the hacker for trying different combinations of password |
| Authentication Server | Password authentication | Medium level | Outsiders accessing the server from a remote location |
| Authentication Server | Brute force attack | Medium level | Outsider from a remote location |
| Web Server | Open relay attacks | High level | Outsider from any place |
| Web Server | Cross Site Scripting | Medium level | Outsider from any place |
| Web Server | SQL injection attacks | Low level | Outsider from any place |
| Admin PC | Ransomware | High level | From external device and internet |
| Admin PC | Malware | Medium level | From external device and internet |
| Admin PC | Spam | Low level | From external device and emails |
| Customer DB | Rainbow table | High level | |
| Customer DB | Passphrase | Medium level | |
| Customer DB | Ownership factor | Low level | |
| HR PC | Ransomware | High level | From external device and internet |
| HR PC | Malware | High level | From external device and internet |
| HR PC | Spam | Low level | From external device and emails |
| Virtual Server | Lack of integration of application | High level | Internal sources and hackers |
| Virtual Server | Inadequate recovery point | Low level | Internal sources and hackers |
| Virtual Server | Restoring granularity | Low level | Internal sources and hackers |
| Cloud Storage | Hacking | High level | Outside hackers accessing the sensitive information |
| Visitor PC | Ransomware | Low level | From external device and internet |
| Visitor PC | Malware | Low level | From external device and internet |
| Visitor PC | Spam | High level | From external device and emails |
| Mobile Device | System hacking | High level | Hackers |
| Mobile Device | Virus | High level | Internet and external sources |
| Mobile Device | Spoofing attack | High level | Hacker and external sources |
| Staff PC | Ransomware | High level | From external device and internet |
| Staff PC | Malware | Medium level | From external device and internet |
| Staff PC | Spam | Low level | From external device and emails |
Vulnerability for each asset
Virtual Server CVE-Modified – The JSON vulnerability and the XML vulnerability are analysed for finding the security flaws that are used as a reference for identifying weaknesses in the network configuration.
Mail server CVE-Recent – It is used for interaction with the security standard practice, and it differs from the traditional attacks in how the system and the software are exploited. Social engineering attacks are used by the hackers to gain access to confidential information. They consist of baiting, phishing, pretexting and spear phishing. False communication is created with the victim using chats, phone calls and spoofed websites for gathering personal information and using it for illegal purposes.
PC CVE-2018 – Dictionary attacks can be used by the attacker to determine the decryption key or the passphrase and gain access to the computer. Brute force attacks search for the password systematically, and rainbow tables are used for reducing the preparation time by using a precomputed dictionary and reducing the storage requirement.
Web server CVE-2017 – Cross site scripting is used for identifying flaws in the network and in the web application. Cookies can be accessed by malicious code for rewriting the content, and SQL injection attacks are used for modifying the content of the servers.
Firewall CVE-2016 – It is used as cryptography for securing the communication and establishing the communication between the different users. The key agreement protocol and symmetric key cryptography are used for authentication. A unique session should be used for the authentication, and responding to the challenges derives a unique key for each transaction.
Domain hijacking is used for changing the permissions and abusing the privileges of the domain hosting. The hijacker can use the domain name for carrying out illegal activity and gaining access to private information for logging into the servers.
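The dictionary, brute-force and rainbow-table attacks described for the PC above, and the salt values the report later mentions for the authentication server, all come down to how a stored password is represented. The following Python script is an added example, not part of the original report and not CloudXYZ's own code: it uses a constructed four-entry candidate list in place of the precomputed dictionary the report describes, and shows that a bare hash can be matched from a table built once, whereas a per-user random salt combined with PBKDF2-HMAC-SHA256 (an assumed choice of key derivation function; the report names none) yields a record that such a table cannot match and that differs even for two users who chose the same password.

```python
import hashlib
import hmac
import os

# Constructed sample list standing in for the precomputed dictionary the report
# describes; a real table would hold millions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "welcome1"]
ITERATIONS = 100_000  # PBKDF2 work factor (assumed value); raise as hardware allows


def precomputed_table(passwords):
    """Hash each candidate once (unsalted SHA-256) and index by digest, so a
    stolen unsalted record can be resolved with a single lookup."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in passwords}


def store_unsalted(password):
    """Weak storage: a bare hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Hardened storage: random 16-byte salt + PBKDF2-HMAC-SHA256.
    The record carries the salt so it can be recomputed at login."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def table_lookup(record, table):
    """What a precomputed table gives someone holding a stolen record: the
    plaintext for an unsalted record, None for a salted one (the table is
    keyed on hash(password) alone, so it would have to be rebuilt per salt)."""
    return table.get(record)


def records_collide(password, salted):
    """Do two users who pick the same password end up with the same record?"""
    if salted:
        return store_salted(password) == store_salted(password)
    return store_unsalted(password) == store_unsalted(password)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    weak = store_unsalted("letmein")
    strong = store_salted("letmein")
    print("unsalted record resolved by table:", table_lookup(weak, table))
    print("salted record resolved by table:  ", table_lookup(strong, table))
    print("salted login check (correct pw):  ", verify_salted("letmein", strong))
    print("same password, same record? unsalted:", records_collide("letmein", False),
          "salted:", records_collide("letmein", True))
```

The salt does not make a weak password strong; it only removes the reuse of one precomputed table across every account, which is the storage-side control the report's authentication server paragraph is pointing at. The iteration count is what makes each per-salt recomputation expensive.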
Database server CVE-2015 – The cost of ownership should be identified for finding the inheritance factor and the devices or information affected when security is compromised. The loss of resources and information should be analysed for the management of the elements and for reducing the effect on the network information system. Rainbow tables are used for listing the plaintext by permutation of the password that is specified from the hash table. They are used as cracking software for network security attacks.
Authentication Server CVE-2014 – Brute force attacks are used for guessing the possible password configurations and checking each password and passphrase for finding the correct one. This can be used as an exhaustive key search and is also known as a cryptanalytic attack. Dictionary attacks are used for harvesting the email, and precomputed tables are used for analysis of the issues, with the major cost being the disk storage. A refined approach should be used for reducing the storage, looking up the hash values and matching them with the existing passwords for getting the feasible salt values. Common passwords are stored in the table and different combinations can be tried for getting access to the server.
Risk Likelihood
The main risks that the system would be facing are listed below. The risk likelihood of each risk level is provided in the table below:
| Colours | Frequency | Relative Frequency |
| Red | 9 | 36% |
| Yellow | 8 | 32% |
| Green | 8 | 32% |
| Total | 25 | 100% |
Risk Impact table
The specification of the impact table is provided below:
| Impact Definitions (Rating) | Very Low | Low | Moderate | High | Very High |
| Cost: Impact of Threat | Insignificant cost increase | <5% cost increase | 5-10% cost increase | 10-20% cost increase | >20% cost increase |
| Cost: Impact of Opportunity | Insignificant cost reduction | <1% cost decrease | 1-3% cost decrease | 3-5% cost decrease | >5% cost decrease |
| Schedule: Impact of Threat | Insignificant slippage | <1 month slippage | 1-3 months slippage | 3-6 months slippage | >6 months slippage |
| Schedule: Impact of Opportunity | Insignificant improvement | <1 month improvement | 1-2 months improvement | 2-3 months improvement | >3 months improvement |
| Probability | 1–9% | 10–19% | 20–39% | 40–59% | 60–99% |
| Impact Rating | 1 | 2 | 4 | 7 | 10 |
Risk Matrix
| Probability Rating | Impact Rating 1 (Very Low) | 2 (Low) | 4 (Moderate) | 7 (High) | 10 (Very High) |
| 5 - Very High | 5 | 10 | 20 | 35 | 50 |
| 4 - High | 4 | 8 | 16 | 28 | 40 |
| 3 - Moderate | 3 | 6 | 12 | 21 | 30 |
| 2 - Low | 2 | 4 | 8 | 14 | 20 |
| 1 - Very Low | 1 | 2 | 4 | 7 | 10 |
Risk Identification with level
The risk identification level is provided below:
| Risks | Level | Description | Number | Mitigation |
| Domain Hijacked | High | The domain of the network is hijacked and the hackers are able to extract the data from the servers and update the data with errors in it. | CVE-2018 | For the mitigation all the access points to the network must be sealed off, and direct access to the servers from the client should also be restricted. |
| SQL injection attacks | Medium | The SQL injection attacks hamper the database server and make invalid updates in the database, which increases the time for the processor to fetch the data. | CVE-2017 | To stop this type of attack in the network the access levels in the database are required to be specified. It should also be ensured that the access grants are not revoked without prior restriction of the administrator. |
| No recovery and data loss | Very High | The data of the servers is lost when there are no options to save and back up the data, and important data of the server is lost. | CVE-2016 | The data is to be backed up regularly and the data storage facilities are to be maintained efficiently. |
| Data Loss by Phishing | High | The phishing attack is the one where the hackers hack the password. | CVE-2015 | For the phishing attack to be avoided the network should be installing an efficient firewall and use a well-protected |
| Malware | Low | The malware is inserted into the network by a file or a software, and the malware then leaves the data in the network distraught. | CVE-2014 | To avoid this type of threat the network is to be protected with the firewalls. |
| Spam | Low | The spam file is inserted into the network and these files keep on providing irrelevant data to the user. | CVE-2013 | To protect the system from spam the server access should be restricted. |
Summary and Recommendations
The risks identified for the development of the secure network solution are important for the success of the network. The network should be flexible and all the servers should be installed in the DMZ zone. In the current network solution the cloud storage, authentication server, customer database and the virtual servers are connected with the intranet and are exposed to different kinds of attacks that can arise from the internal users. The servers need to be secured from the internal as well as the external users connected with the network. The installation of the servers in the DMZ network helps in controlling the network traffic and securing the data residing in the cloud and the customer database from illegal usage. The customer and visitor network devices should be provided access to the resources of the organization, and ISO standards should be followed for the configuration of the network. Following the standard helps in reducing errors in the configuration and increasing the flexibility of the network.
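The Risk Impact table and Risk Matrix above define a risk score as the probability rating (1 to 5, from the percentage bands) multiplied by the impact rating (1, 2, 4, 7 or 10, from the impact category). The following Python script is an added example, not part of the original report and not CloudXYZ's own tooling: it encodes those two lookups, rebuilds the matrix from them so the arithmetic can be checked against the table, and ranks the risks named in the Risk Identification table using constructed probability percentages and impact categories that the report does not state (it gives only qualitative levels). It also rejects a probability outside the 1–99% bands, which the table does not cover.

```python
# Lookups taken from the report's Risk Impact table.
IMPACT_RATING = {"Very Low": 1, "Low": 2, "Moderate": 4, "High": 7, "Very High": 10}
# (low %, high %, probability rating), inclusive bands; 0% and 100% are not covered.
PROBABILITY_BANDS = [(1, 9, 1), (10, 19, 2), (20, 39, 3), (40, 59, 4), (60, 99, 5)]
PROBABILITY_LABEL = {5: "Very High", 4: "High", 3: "Moderate", 2: "Low", 1: "Very Low"}

# Constructed register: risk names from the Risk Identification table; the
# probabilities and impact categories are assumed for illustration only.
SAMPLE_REGISTER = [
    ("No recovery and data loss", 45, "Very High"),
    ("Domain Hijacked", 25, "High"),
    ("Data Loss by Phishing", 65, "Moderate"),
    ("SQL injection attacks", 15, "Moderate"),
    ("Malware", 35, "Low"),
    ("Spam", 70, "Very Low"),
]


def probability_rating(percent):
    """Map a probability percentage to the 1-5 rating using the table's bands."""
    for low, high, rating in PROBABILITY_BANDS:
        if low <= percent <= high:
            return rating
    raise ValueError(f"{percent}% falls outside the 1-99% bands of the impact table")


def risk_score(percent, impact_level):
    """Score = probability rating x impact rating, exactly as the Risk Matrix cells."""
    return probability_rating(percent) * IMPACT_RATING[impact_level]


def risk_matrix():
    """Rebuild the report's Risk Matrix: one row per probability rating 5..1,
    columns in impact-rating order 1, 2, 4, 7, 10."""
    columns = sorted(IMPACT_RATING.values())
    return {p: [p * i for i in columns] for p in (5, 4, 3, 2, 1)}


def rank_risks(register):
    """Return (name, score) pairs, highest score first, for a register of
    (name, probability %, impact level) tuples."""
    scored = [(name, risk_score(pct, level)) for name, pct, level in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("Risk Matrix (rows: probability rating; columns: impact 1,2,4,7,10)")
    for p, row in risk_matrix().items():
        print(f"  {p} - {PROBABILITY_LABEL[p]:9s}", *[f"{v:3d}" for v in row])
    print("Ranked sample register")
    for name, score in rank_risks(SAMPLE_REGISTER):
        print(f"  {score:3d}  {name}")
```

Because the impact ratings are not evenly spaced (1, 2, 4, 7, 10), a Very High impact at a Low probability (2 × 10 = 20) outranks a High probability with a Low impact (4 × 2 = 8); the ranking makes that weighting visible before colours are assigned.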