Information Security Research and Analysis

Added on  2020/11/23

REPORT ON INFORMATION SECURITY ISSUES

TABLE OF CONTENTS
EXECUTIVE SUMMARY
INTRODUCTION
MAIN BODY
An outline of the process followed to devise the case study analysis
Discussion on the lessons learnt by Target from the breach
CIA triad principles
Personally Identifiable Information (PII) for the organisation
Threats and vulnerabilities to the information of the organisation
Protection in place and failures that occurred at the organisation
The organisation after the data breach
Why the data breach is such an important case for the organisation
CONCLUSION
REFERENCES
EXECUTIVE SUMMARY
This report describes how Target invested heavily in the information security of the company and yet suffered a major data breach in 2013. It also describes how many Target employees, including senior executives, lost their jobs because of the breach. The CIA principles and Personally Identifiable Information (PII) are described in relation to data protection. Finally, the report discusses the strategies Target applied to prevent further breaches of confidential data, such as Defence in Depth and critical controls.
INTRODUCTION
The objective of information security is to ensure that sensitive information is available only to authorised parties and to prevent unauthorised parties from accessing or modifying it. The security group of a company is responsible for risk management, through which threats and vulnerabilities to data assets are continuously assessed and suitable protective controls are applied (Ross, McEvilley and Oren, 2018). Threats take different forms, such as malware attacks, identity theft and ransomware. To detect threats and mitigate vulnerabilities, organisations apply multiple layers of security control, an approach known as Defence in Depth. Because of its breach, Target faced many legal problems, which damaged the company's reputation. This report covers PII and the CIA triad principles, and it examines the threats and vulnerabilities facing the organisation.
MAIN BODY
An outline of the process followed to devise the case study analysis
Several methods were followed in analysing the case study. They are described below.
- Evaluation of the case study: Research shows that there are different ways in which an organisation's data can be breached. Studies reveal that many large companies have suffered incidents in which customers' personal information, such as credit card numbers, addresses and confidential codes, was stolen (Gao, Rau and Zhang, 2018). For example, one organisation announced that 50 million consumers were affected by a single breach. Different methodologies are used to test the security of an organisation's information, including black-box, dynamic and static analysis.
- Analysis of the key issues faced by the company: Research shows that large enterprises are surrounded by the problem of information breaches, which have a negative impact on company growth. A data breach can damage the entire business process and lead to the disclosure of important information belonging to customers and to the organisation itself. For example, a breach disclosed in September 2016 exposed the email addresses, telephone numbers and real names of a reported 600 million people.
- Methods undertaken to solve the problem: Information security is one of the most important responsibilities of a company, and various methods are used to secure data. Many organisations train their employees, build security strategies and develop new software to protect the confidential information of employees, shareholders, suppliers and the board.
Discussion on the lessons learnt by Target from the breach
Every entity related to the organisation was affected by the breach. Target was the victim of a particularly large and damaging data breach. Many employees lost their jobs, including senior executives such as the CEO and CIO. Banks were also adversely affected by the loss of confidential card data: they refunded fraudulent charges and issued replacement cards to customers, at a cost that may have exceeded $200 million (Singh and Chatterjee, 2017).
Target faced many legal issues because of the scale of the data loss. More than 140 legal cases were filed against the company, which also had to deal with investigations by the Department of Justice, the FTC and the SEC. States became more concerned and imposed stricter laws and fines for breaches, and the company's profit dropped by 46%. Banks also sued Target and its PCI compliance auditor, Trustwave. Target had passed PCI compliance audits before the breach, which shows that passing a compliance audit of card processing is not the same as being secure. A Defence in Depth strategy uses different layers of protection so that an attacker cannot easily compromise the environment by defeating a single control. As this breach demonstrated, many different assets were used to move through the network, so considering the POS systems alone would not address the root causes that led up to the attack.
CIA triad principles
The CIA triad is a model for designing security policies for an organisation's data. CIA stands for confidentiality, integrity and availability of information; these three properties are considered the most important components of security.
- Confidentiality: protecting information from disclosure to unauthorised parties. The main control for keeping data from unauthorised parties is encryption, which ensures that only parties holding the key can read the information.
- Integrity: protecting information from modification by unauthorised parties, so that data remains consistent, accurate and trustworthy. Controls include file permissions, access controls and integrity checks such as message authentication codes and digital signatures.
- Availability: reliable and timely access to information by authorised people when they need it. Systems must also be kept properly updated. Redundancy, failover, RAID and clustering are the main measures for protecting against availability problems.
Information security covers the design and testing of systems that hold personal or confidential data, and communications over networks and the internet must be secured and protected. If a breach violates any of the CIA principles, the whole security system must be analysed to determine how unauthorised parties gained access (Petrescu, 2018). Encryption stops attackers from reading protected information, but on its own it does not stop them from altering the ciphertext; integrity has to be protected separately, for example with a message authentication code, so that any modification is detected and rejected.
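The point that encryption alone does not stop modification is easy to demonstrate. The Python below is an added example written for this report; it is not code from the original assignment or from Target's systems. It uses a simple stream cipher built from HMAC-SHA256 in counter mode (a teaching construction chosen because it needs only the standard library; real systems should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305) and shows that an attacker who never sees the key can still change a payment amount inside the ciphertext, while an encrypt-then-MAC tag makes the same change detectable. The message, keys and the field offset are all constructed for the demonstration.

```python
"""Encryption gives confidentiality, not integrity.
Added example for the CIA section of this report, not code from the report or
from any product. The keystream (HMAC-SHA256 in counter mode) is a teaching
construction; use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) in real systems."""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from key and nonce (counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    return ct + tag(mac_key, nonce, ct)


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    ct, received = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(received, tag(mac_key, nonce, ct)):
        raise ValueError("integrity check failed: message was modified")
    return encrypt(enc_key, nonce, ct)


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker without any key: XORing (old ^ new) into the ciphertext
    changes the recovered plaintext from `old` to `new` at that offset."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo() -> dict:
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"PAY amount=0010.00 to=merchant-42"   # constructed sample message
    off = msg.index(b"0010.00")                   # attacker knows the format

    # 1. Confidentiality: the ciphertext does not reveal the message ...
    ct = encrypt(enc_key, nonce, msg)
    # 2. ... but without a MAC the attacker can still rewrite the amount.
    forged = encrypt(enc_key, nonce, tamper(ct, off, b"0010.00", b"9999.00"))
    # 3. With encrypt-then-MAC the same edit is rejected before decryption.
    sealed = seal(enc_key, mac_key, nonce, msg)
    try:
        open_sealed(enc_key, mac_key, nonce, tamper(sealed, off, b"0010.00", b"9999.00"))
        detected = False
    except ValueError:
        detected = True
    return {
        "ciphertext_hides_message": b"amount" not in ct,
        "roundtrip": open_sealed(enc_key, mac_key, nonce, sealed) == msg,
        "forged": forged,
        "tamper_detected": detected,
    }


if __name__ == "__main__":
    print(demo())
```

The tag is checked with `hmac.compare_digest` and before any decryption, so a forged message is rejected without leaking timing information or feeding attacker-controlled plaintext to the application.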
Personally Identifiable Information (PII) for the organisation
Personally Identifiable Information (PII) is data that identifies a specific individual, or that can be combined with other sources to uniquely identify a person. It includes many kinds of information, such as date of birth, address, driving licence number, credit card number and bank account details. Companies may hold PII about their employees, customers, clients or other individuals related to them. An organisation must handle this private information appropriately and take every precaution to protect it from loss, theft or access by unauthorised parties (Bauer and Bernroider, 2017).
Misusing or losing this private information can be a serious problem for an organisation, costing it financially and damaging its image in the market. At the time of a breach an organisation faces many problems: litigation expenses, the cost of implementing a better security system and damage to its reputation.
A company that handles large amounts of PII belonging to employees, customers and third parties should adopt privacy policies on the use of PII. IT managers must tightly control and protect PII in terms of the CIA triad. The goal is to create and enforce acceptable use policies (AUPs) that clearly define which data is the most sensitive and which employees are allowed to access it (Dang-Pham, Pittayachawan and Bruno, 2017). The protection of PII is an important concern for any organisation.
Target faced many consequences when PII was leaked: some senior employees lost their jobs and numerous legal actions were taken against the company by the government. Settling these matters may have cost billions, so Target suffered financially, lost the trust of its customers and suffered lasting damage to the organisation.
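Knowing which records actually contain the most sensitive data, the classification step the AUP depends on, can be partly automated. The Python below is an added example written for this report, not code from the original assignment or from Target: it scans constructed log lines for card numbers (validated with the Luhn check so that arbitrary digit runs such as timestamps are not flagged) and for dates of birth that are explicitly labelled as such, and returns both the findings and a redacted copy of each line. The sample lines and field names are constructed, and the card numbers are standard test numbers rather than real accounts.

```python
"""Find and redact PII (card numbers, dates of birth) in log lines.
Added example for this report; the log lines and field names are constructed,
and the card numbers are standard test numbers, not real accounts."""
import re

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Only dates explicitly labelled as a birth date: an unanchored date regex
# would flag every timestamp in the log as PII.
DOB_RE = re.compile(
    r"\b(dob|birth(?:date|day)?)(\s*[=:]\s*)((?:19|20)\d\d-\d\d-\d\d)\b", re.I)

# Constructed sample log lines (POS authorisations and a CRM update).
SAMPLE_LINES = [
    "2013-11-27 10:02:11 POS-17 auth card=4111 1111 1111 1111 amount=52.10",
    "2013-11-27 10:02:40 POS-17 auth card=4111-1111-1111-1112 amount=9.99",
    "2013-11-27 10:03:05 CRM update customer=1042 dob=1984-03-17 email=j.doe@example.com",
    "2013-11-27 10:03:30 POS-02 auth card=5500000000000004 amount=120.00",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for the
    second sample line, whose last digit was altered."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(lines):
    """Return PII findings and a redacted copy of each line."""
    findings, redacted = [], []
    for line_no, line in enumerate(lines, start=1):

        def mask_card(m):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                return m.group(0)       # digit run but not a card number: leave it
            findings.append({"kind": "card", "line": line_no, "value": digits})
            return "*" * (len(digits) - 4) + digits[-4:]

        def mask_dob(m):
            label, sep, date = m.groups()
            findings.append({"kind": "dob", "line": line_no, "value": date})
            return f"{label}{sep}{date[:4]}-**-**"

        out = CARD_RE.sub(mask_card, line)
        out = DOB_RE.sub(mask_dob, out)
        redacted.append(out)
    return {"findings": findings, "redacted": redacted}


if __name__ == "__main__":
    result = scan(SAMPLE_LINES)
    for f in result["findings"]:
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print("\n".join(result["redacted"]))
```

Redaction keeps the last four digits, which is what receipts and support tooling usually need, while the Luhn check and the labelled-date anchor keep the false-positive rate low enough that the output can be fed into a classification or DLP workflow.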
Threats and vulnerabilities to the information of the organisation
Vulnerabilities are weaknesses in a system that can be exploited by cybercriminals, whereas threats are events or actions with negative consequences that can cause harm. Once threats and vulnerabilities have been identified for all systems, the company should carefully analyse the resulting risk.
PCI compliance cannot be expected to find every vulnerability and security problem in a company. The field is too complex, auditors are not paid enough to look deeply, and organisations often lack the expertise to find risks and fix them. Rather than depending on a mandatory checklist, Target would be better able to avoid losses by performing risk management activities every day. The threats and vulnerabilities that are most likely to occur and that would cost the organisation the most should be prioritised highest and fixed first.
Constant change is required because the threat landscape changes continuously. Staff need to be active and efficient in understanding new threats and vulnerabilities as they appear and in fixing them as soon as possible (Tiwari and Joshi, 2018).
New attacks may arise inside an organisation's own systems as vulnerabilities, security incidents or events. Because it lacked proper threat modelling and risk management, Target suffered the loss of important data. The company now applies a Defence in Depth strategy to its POS systems for data protection.
Protection in place and failures that occurred at the organisation
Protecting data is a key task for an organisation, and many protections are needed to protect business assets. Installing multiple cameras to watch for theft is useless if nobody is appointed to monitor them. Similarly, recent breaches show that adversaries constantly look for the weakest link through which to gain access and steal data. The National Security Agency (NSA) has published guidance recommending a Defence in Depth approach to security.
Defence in Depth
A single level of protection may fail, so Defence in Depth introduces multiple levels of protection and control to safeguard business assets. Many companies that suffered breaches used encryption (Baillette, Barlette and Leclercq-Vandelannoitte, 2018), but unfortunately it was not implemented properly. Encryption does not protect itself; the whole system around it needs to be robust for encryption to be effective.
Target spent a great deal of money on security technology to deal with this threat. The company used encryption in its systems, but this did not help because the data was captured at a point where it was still unencrypted. Defence in Depth provides layers of security, but the weakest link in each layer can give an attacker a route to the next layer, and this allowed the attackers to reach some of Target's most sensitive data. The company had implemented expensive monitoring software, but the staff were too few and not well trained.
Critical controls: Critical controls are prioritised lists of cyber security safeguards and guidelines (for example the Critical Security Controls published by SANS and the Center for Internet Security) that an organisation adopts to secure its data. They help in preventing attackers and also support the company in detecting them. Reviewing the Target breach against the critical controls helps the organisation determine how the attack could have been prevented: each action of the attacker is analysed and the control that would have stopped it is identified for the future.
The organisation after the data breach
After the breach, Target applied different security strategies, considered alternative outcomes, determined how the attack might have been stopped and assessed how the data breach had affected the organisation. A risk management system is used to analyse threats and vulnerabilities to systems on a daily basis and reduce the risk of attack. Threats and liabilities are prioritised first, and then it is determined how to remove malware from the systems. This risk analysis helps the company prevent damage to the business. Applying the different critical controls within a Defence in Depth strategy can stop attackers from moving between the various layers (Vithanwattana, Mapp and George, 2017).
Target is an organisation that invests large amounts of money in security and protection. Multiple layers of defence, including both preventive and detective measures, should be employed. Because of the complex nature of security, Target learned the detailed structure of its networks, hardware, software and processes in order to create a comprehensive plan. Target also segmented the POS systems, adopted end-to-end encryption, built an inventory of systems and introduced detailed logging, all of which help keep attackers away from credit card data. Proper encryption of data prevents thieves from reading the sensitive information of the company and its customers. Had employees reviewed the various logs, the malware and its network traffic would have been exposed, mitigating the losses.
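Segmentation and detailed logging only pay off if someone, or something, actually checks the logs. The Python below is an added example written for this report, not Target's own tooling: it runs four simple detections over constructed network flow records, flagging POS hosts that talk to anything outside an allow-list, non-POS hosts that connect into the POS segment, internal hosts that send data to external addresses on non-web ports, and source-destination pairs that move an unusually large volume of bytes even when that volume is split across several flows. The POS address range, allow-list, jump host, byte threshold and every flow record are assumptions made for the example.

```python
"""Detect POS network segmentation violations in flow logs.
Added example for this report, not Target's tooling. All address ranges,
allow-list entries, thresholds and flow records are assumed/constructed."""
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.10.0.0/16")            # assumed POS segment
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal space
POS_ALLOWED = {                                           # assumed POS egress allow-list
    (ipaddress.ip_address("10.20.5.10"), 443),            # payment gateway
    (ipaddress.ip_address("10.20.5.20"), 8443),           # POS update server
}
POS_ADMIN_HOSTS = {ipaddress.ip_address("10.30.1.5")}     # assumed jump host allowed into POS
BULK_BYTES = 5_000_000                                    # assumed per-pair volume threshold
WEB_PORTS = {80, 443}

# Constructed flow records: timestamp,src,dst,dport,bytes
FLOWS = """\
2013-11-30T02:10:04,10.10.3.21,10.20.5.10,443,1820
2013-11-30T02:10:09,10.10.3.21,10.20.5.20,8443,3400
2013-11-30T02:11:15,10.40.7.8,10.10.3.21,445,910
2013-11-30T02:12:40,10.10.3.21,10.20.9.77,445,3200000
2013-11-30T02:13:05,10.10.3.21,10.20.9.77,445,3100000
2013-11-30T02:15:02,10.20.9.77,203.0.113.50,21,6100000
2013-11-30T02:16:00,10.30.1.5,10.10.3.21,22,640
"""


def parse_flows(text):
    """Parse the CSV-style records into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(dport), int(nbytes)))
    return flows


def is_internal(addr):
    # Checked against the assumed corporate ranges rather than addr.is_private,
    # which also treats documentation ranges such as 203.0.113.0/24 as private.
    return any(addr in net for net in CORP_NETS)


def detect(flows):
    """Return a list of alert dicts for flows that break the segmentation policy."""
    alerts = []
    volume = defaultdict(int)
    for ts, src, dst, dport, nbytes in flows:
        if src in POS_NET and (dst, dport) not in POS_ALLOWED:
            alerts.append({"rule": "pos-egress-violation", "ts": ts,
                           "src": str(src), "dst": str(dst), "detail": dport})
        if dst in POS_NET and src not in POS_NET and src not in POS_ADMIN_HOSTS:
            alerts.append({"rule": "inbound-to-pos", "ts": ts,
                           "src": str(src), "dst": str(dst), "detail": dport})
        if is_internal(src) and not is_internal(dst) and dport not in WEB_PORTS:
            alerts.append({"rule": "non-web-external-egress", "ts": ts,
                           "src": str(src), "dst": str(dst), "detail": dport})
        volume[(src, dst)] += nbytes
    # Volume is judged per pair, so a transfer split across several flows
    # (the two POS-to-file-share records above) is still caught.
    for (src, dst), total in volume.items():
        if total >= BULK_BYTES and (src in POS_NET or not is_internal(dst)):
            alerts.append({"rule": "bulk-transfer", "ts": "",
                           "src": str(src), "dst": str(dst), "detail": total})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_flows(FLOWS)):
        print(f"{a['rule']:26} {a['src']:>12} -> {a['dst']:<14} {a['detail']}")
```

On the sample data the jump-host flow produces no alert, which is the point of an explicit allow-list: the detections fire on policy violations rather than on every connection into the segment, so analysts are not trained to ignore them.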
Why the data breach is such an important case for the organisation
Information security is an important part of managing a company's business operations and functions, and it also secures the personal details of customers and of the organisation. A data breach is a sudden incident in which confidential and sensitive data is accessed by an unauthorised person. Breaches affect different kinds of data, such as personally identifiable information, trade secrets and other personal information. For example, a typical attack compromises an entire website and the sensitive information held in the organisation's database management system. Breaches can happen because of weak passwords, stolen laptops and mobile devices, or users connecting to untrusted networks (Groomer and Murthy, 2018).
Many industries provide guidelines and compliance regulations that strictly control data and personal information in order to prevent breaches. Cybercriminals target the personal data of customers and organisations, so organisations must implement new techniques to secure and protect data efficiently. For example, the payment card industry requires specific security controls around cardholder data such as card numbers, names and addresses.
CONCLUSION
This report has described the many problems Target faced because of its breach. In 2013 many credit card details were stolen from Target stores by compromising the POS systems. The company has since implemented many critical controls to prevent such breaches in future and to mitigate losses, and it invested heavily in the security of its data and information after the breach. Target implemented a multi-layer strategy using Defence in Depth to protect against attackers. Security must be approached strategically as a way to protect critical assets, the business's reputation and its profitability. The company should have implemented the most cost-effective controls to mitigate the risk, and it should never depend on a single security tool to prevent data loss.
REFERENCES
Books and Journals
Baillette, P., Barlette, Y. and Leclercq-Vandelannoitte, A., 2018. Bring your own device in
organizations: Extending the reversed IT adoption logic to security paradoxes for CEOs
and end users. International Journal of Information Management, 43, pp.76-84.
Bauer, S. and Bernroider, E.W., 2017. From information security awareness to reasoned
compliant action: analyzing information security policy compliance in a large banking
organization. ACM SIGMIS Database: the DATABASE for Advances in Information
Systems, 48(3), pp.44-68.
Dang-Pham, D., Pittayachawan, S. and Bruno, V., 2017. Applications of social network analysis
in behavioural information security research: concepts and empirical analysis. Computers
& Security, 68, pp.1-15.
Gao, F., Rau, P.L.P. and Zhang, Y., 2018. Perceived Mobile Information Security and Adoption
of Mobile Payment Services in China. In Mobile Commerce: Concepts, Methodologies,
Tools, and Applications (pp. 1179-1198). IGI Global.
Groomer, S.M. and Murthy, U.S., 2018. Continuous auditing of database applications: An
embedded audit module approach. In Continuous Auditing: Theory and Application (pp.
105-124). Emerald Publishing Limited.
Petrescu, A.G., 2018. Management Approach of Risk Analysis in Information
Security. International Journal of Innovation in the Digital Economy (IJIDE), 9(3),
pp.13-26.
Ross, R.S., McEvilley, M. and Oren, J.C., 2018. Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (including updates as of 1-03-2018). NIST Special Publication 800-160.
Singh, A. and Chatterjee, K., 2017. Cloud security issues and challenges: A survey. Journal of
Network and Computer Applications, 79, pp.88-115.
Tiwari, P.K. and Joshi, S., 2018. A Comprehensive Report on Security and Privacy Challenges
in Software as a Service. In Multidisciplinary Approaches to Service-Oriented
Engineering (pp. 143-167). IGI Global.
Vithanwattana, N., Mapp, G. and George, C., 2017. Developing a comprehensive information
security framework for mHealth: a detailed analysis. Journal of Reliable Intelligent
Environments, 3(1), pp.21-39.