Vulnerability Assessment and BIA for MyHealth: CMP73001 Cybersecurity
This project, undertaken by a student, addresses the cybersecurity challenges of MyHealth, a hypothetical healthcare company. The assignment begins with a vulnerability assessment, emphasizing the need for penetration testing to identify and mitigate risks to patient data and financial assets. It explores different penetration testing phases, including reconnaissance, and discusses various attack vectors like malware, DDoS, and social engineering techniques such as phishing and impersonation. The project then delves into VPN implementations (remote access and site-to-site) and their security protocols (IPsec, SSL, and SSH), comparing SSH and Telnet. Furthermore, it examines social engineering tactics, including phishing, impersonation, and physical honeypots, and outlines risk mitigation strategies. Finally, the project analyzes business impact analysis (BIA) before and after control implementation, outlining the different phases of BIA and concluding with a brief overview of Australian cybercrime legislation relevant to MyHealth's operations. The project is a comprehensive examination of cybersecurity best practices and risk management within the healthcare sector.

Running head: UNIT CYBERSECURITY MANAGEMENT
UNIT CYBERSECURITY MANAGEMENT
Name of the Student
Name of the University
Author Note

Table of Contents
Introduction:...............................................................................................................................3
Task 1: Penetration testing.........................................................................................................3
Task 2:........................................................................................................................................5
VPN:.......................................................................................................................................5
Remote access VPN:..............................................................................................................5
Site to site VPN:.....................................................................................................................6
IPsec:......................................................................................................................................6
SSL:........................................................................................................................................6
SSH:.......................................................................................................................................6
Telnet vs SSH:........................................................................................................................7
Task 3:........................................................................................................................................7
Social engineering:.................................................................................................................7
Phishing:.................................................................................................................................7
Impersonation:........................................................................................................................8
Leaving the physical Honeypots:...........................................................................................8
Risk mitigation:......................................................................................................................8
Impact of business analysis:...................................................................................................9
Before control BIA implementation:.....................................................................................9
1st phase:.................................................................................................................................9
2nd phase:................................................................................................................................9
3rd phase:...............................................................................................................................10
4th phase:...............................................................................................................................10
5th and last phase:.................................................................................................................10
BIA implementation after control:.......................................................................................10
Australian cybercrime legislation:.......................................................................................11
Conclusion:..............................................................................................................................12
References:...........................................................................................................................13

Introduction:
In this assignment the necessity of penetration testing for a hypothetical health service
company, MyHealth, is analysed, and the different stages of penetration testing are described
in detail along with the different types of VPN implementation and their differences.
Furthermore, in the later task the social engineering attack in penetration testing is discussed
together with the risk it poses for the management of personal security. In the last task the
different outcomes of the business impact analysis for MyHealth's existing technology are
analysed in brief.
Task 1: Penetration testing
1.
a) MyHealth provides high-quality healthcare services to its patients, and the medical
histories of those patients are stored on a database server that has a low level of security.
Attackers continually try to breach unprotected or poorly protected networks to steal millions
of records containing personal information such as bank account details, and thereby billions
of dollars from those accounts. MyHealth's network is therefore a likely target of cybercrime,
and it should be tested before a real attack happens (Hoffmann 2015). Penetration testing is a
method of assessing the security of a network by simulating realistic attack scenarios to
discover and then exploit the gaps in its security controls using penetration testing tools. The
assets at risk include stored records, intellectual property, cardholder data, personal and
sensitive health information, data that could be held for ransom, or any other harmful
outcome for the business (Kim 2018). Penetration testing is done either by installing pen
testing tools on the company's own systems so that the in-house IT experts test the
vulnerability of the entire system, or a penetration testing service provider is asked to
monitor the network to find potentially vulnerable systems and/or accounts. The testing tools
scan every system in the network for open ports on which the company's services are running.
Since MyHealth has only three IT experts, it is recommended to engage the professionals of a
penetration testing service provider, both to relieve the workload of the IT experts and to
perform the pen testing in an extensive manner (Bock, Hughey and Levin 2018). The security
professionals target users via phishing mails, online social engineering and pretext calling,
and also check the security protocols of each system. Hence, the security risks to the
company's assets can be mitigated through penetration testing by the early detection of
security vulnerabilities and loopholes in information security compliance, estimation of the
response time after a breach in any part of the network, knowledge of the probable effects of a
data breach or cyber-attack and, most importantly, actionable guidance for protecting the
network.
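The paragraph above says the testing tools scan every system for open ports on which services run, and that the outcome should be actionable guidance. The following Python script is an added example (not part of the original assignment) showing what the defender does with such a scan: it parses scan results in nmap's grepable (`-oG`) line format, compares each host's open TCP ports against an inventory of the ports that host is expected to expose, and flags unexpected ports and cleartext services. The host names, addresses, scan lines and the allowlist policy are all constructed for this example.

```python
"""Audit open ports from an nmap grepable (-oG) scan against a per-host
service allowlist.  Added example, not part of the original assignment:
the hosts, addresses, scan lines and policy below are constructed."""
import re
from dataclasses import dataclass

# Constructed sample output in nmap's grepable (-oG) line format for three
# hypothetical MyHealth hosts.  This is not a real scan.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 (db01.myhealth.example)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
Host: 10.0.0.7 (web01.myhealth.example)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.9 (ws-reception.myhealth.example)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done
"""

# Constructed policy: the TCP ports each inventoried host is expected to expose
# to the network segment the scan was run from.
ALLOWED_PORTS = {
    "db01.myhealth.example": {22},      # database port should not be reachable from here
    "web01.myhealth.example": {22, 443},
    "ws-reception.myhealth.example": set(),
}

# Services that carry credentials unencrypted; any open instance is a finding.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin"}

# One port entry in -oG output: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.groups()
        host = name or ip
        ports = []
        for f in fields[1:]:
            if f.startswith("Ports:"):
                for port, state, proto, svc in PORT_RE.findall(f[len("Ports:"):]):
                    ports.append((int(port), state, proto, svc))
        results[host] = ports
    return results


def audit(scan_text, policy):
    """Compare open TCP ports with the allowlist and return a list of findings."""
    findings = []
    for host, ports in parse_grepable(scan_text).items():
        allowed = policy.get(host)
        for port, state, proto, svc in ports:
            if state != "open" or proto != "tcp":
                continue
            if allowed is None:
                findings.append(Finding(host, port, svc, "host not in inventory"))
            elif port not in allowed:
                findings.append(Finding(host, port, svc, "port not in allowlist"))
            if svc in CLEARTEXT_SERVICES:
                findings.append(Finding(host, port, svc, "cleartext protocol"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN, ALLOWED_PORTS):
        print(f"{f.host}:{f.port} ({f.service}) - {f.reason}")
```

Each finding names the host, port and the policy it violates, which is the form of "actionable guidance" the text calls for: the database port reachable from the scanning segment, a Telnet service on the web host, and an unexpected SMB port on a workstation each become a concrete remediation item rather than a raw scan line.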
b) The reconnaissance phase of penetration testing is the gathering of preliminary data or
useful intelligence about the target. The data is gathered in order to plan the attack better.
Reconnaissance is performed either actively or passively: active reconnaissance means the
target is accessed directly in order to gather data, and passive reconnaissance means the data
is extracted via an intermediary.
c) Malware is a type of software designed mainly to cause damage to a particular system or to
connected systems. Malware causes damage after it is injected into a system and can take any
form, such as executable code, scripts, active content or other types of software. DDoS is a
specific type of attack in which more than one system infected with malware or a virus is used
to target a single system that is not yet infected, causing a denial of service (DoS). Social
engineering is a technique of psychological manipulation for tricking users into making
certain mistakes or into giving away certain types of sensitive information. Phishing is a type
of fraudulent attempt for
obtaining sensitive information such as usernames, passwords or credit card details by
presenting a service as a trustworthy entity in an electronic communication medium (Maurice
et al. 2017). A man-in-the-middle attack is a particular type of attack in which the attacker
secretly places himself in the system and then alters the communications between two parties
who believe they are communicating directly with each other. Ransomware is a particular type
of malware attack by which a victim is threatened with publication of their personal
information if a ransom is not paid.
Task 2:
VPN:
A virtual private network is a type of network that lets a user connect to a private network
securely over the internet. A VPN service is mainly used to encrypt the network connection
through a VPN tunnel, so that internet traffic and communication pass through the VPN
tunnel. The two commonly used types of VPN are
a) Remote Access VPN
b) Site-to-Site VPN
Remote access VPN:
In a remote access VPN, individual users are allowed to establish secure connections to a
remote computer network. Through a remote access VPN the users can acquire services and
resources remotely; this happens with the user's own action and through the private network.
Remote access is very useful for businesses, and corporate staff use it to securely access
company files and resources (Huang, Zhang and Phay 2016). The remote access VPN is
implemented with the following steps: initialisation of the system in the server manager,
opening the remote access management console, enabling the VPN,
verification of the configuration, verification of the ports, specification of the condition
ports, and computation of policies.
Site to site VPN:
This type of VPN is a router-to-router VPN that is commonly used in the corporate sector.
Organisations that have offices in different locations mainly use this type of VPN to connect
one office to another. This multi-location network is also known as an intranet VPN
connection. An extranet VPN is also built from a site-to-site VPN, where one company
connects with other companies over a shared network.
IPsec:
Transparency of information is obtained through an IPsec connection. IP traffic carried over
TCP is more secure than over the UDP protocol; in fact this is the most secure use of TCP and
is very efficient. There are four different modes in which IPsec operates, on two different
headers, which are the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
SSL:
SSL works mainly at the transport layer, and TLS/SSL support is used to build the
application. All current browsers support SSL; in an SSL VPN, communication is also carried
out through the web browser.
SSH:
The SSH protocol is very expensive and is not used commercially, but it is cost-efficient after
implementation. The two versions of SSH are SSH-1 and SSH-2, and SSH-2 is more secure
than SSH-1. Although SSH-1 is the most popular and easy to implement, it has several
limitations, such as CRC integrity issues and data security issues. SSH-2 is most helpful in
the process of encryption. SSH is built on TCP, like email and programming tools similar to
Oracle.
Telnet vs SSH:
In Telnet there is just a connection to the server that passes characters back and forth with
no encryption; hence every transmission travels exactly as it was sent and anyone can view the
information. In SSH, on the other hand, public key encryption is employed and a simple
additional security check is added to the system. The first time any system is connected to
through the SSH service, the IP address or host name is stored in the SSH client's records,
together with the public key of that machine (Pozzobon et al. 2018). When the user later
connects to the same IP address but reaches a different machine, SSH warns that the public key
has changed and that someone might be spoofing the host from a foreign machine on the
network.
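The host key check described above (store the key on first contact, warn when a later connection to the same address presents a different key) is the trust-on-first-use model of an SSH client's `known_hosts` file. The Python below is an added example, not code from the original assignment or from any SSH implementation: it models the client's record store, computes OpenSSH-style SHA256 fingerprints for display, and raises a warning on mismatch. The host address and the key bytes are constructed; real SSH keys would be the server's actual public key blob.

```python
"""Trust-on-first-use host key checking in the style of an SSH client's
known_hosts records.  Added example, not part of the original assignment;
the address and key material below are constructed placeholders."""
import base64
import hashlib


class HostKeyMismatch(Exception):
    """Raised when a host presents a key different from the one on record."""

    def __init__(self, host, expected, got):
        super().__init__(
            f"WARNING: host key for {host} has changed! "
            f"expected {expected}, got {got}"
        )
        self.host, self.expected, self.got = host, expected, got


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style display form: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Maps a host identity (name or IP) to the first public key seen for it."""

    def __init__(self):
        self._keys = {}  # host -> public key bytes

    def check(self, host: str, presented_key: bytes) -> str:
        """Return 'new' on first contact (key stored), 'ok' when the key matches
        the record, and raise HostKeyMismatch when it differs."""
        stored = self._keys.get(host)
        if stored is None:
            self._keys[host] = presented_key
            return "new"
        if stored == presented_key:
            return "ok"
        raise HostKeyMismatch(host, fingerprint(stored), fingerprint(presented_key))


def simulate():
    """Constructed scenario: first connection stores the key, the second matches,
    and a foreign machine answering at the same address triggers the warning."""
    kh = KnownHosts()
    server_key = b"constructed-public-key-of-the-real-server"
    foreign_key = b"constructed-public-key-of-a-foreign-machine"
    first = kh.check("10.0.0.5", server_key)
    second = kh.check("10.0.0.5", server_key)
    try:
        kh.check("10.0.0.5", foreign_key)
        third = "accepted"
    except HostKeyMismatch as warning:
        print(warning)
        third = "warned"
    return first, second, third


if __name__ == "__main__":
    print(simulate())
```

The model makes the limitation of the scheme visible as well: the first contact is trusted blindly, so the record is only as good as the network was at that moment; verifying the fingerprint out of band on first connection closes that gap.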
Task 3:
Social engineering:
The social engineering penetration test is one of the most well-known techniques used by
most of the professionals and ethical hackers who are engaged by the MyHealth team, and it
has two modes: on-site and off-site penetration testing.
Phishing is one of the off-site penetration testing methods, while dumpster diving, physical
honeypots, reverse social engineering and impersonation are considered on-site penetration
testing methods.
Phishing:
In this scenario the penetration tester calls the help desk and requests a password, claiming to
have forgotten their details and pretending to be a MyHealth customer who is trying to recover
their credentials.
Phishing, as a social engineering penetration testing method, is where the tester makes a
phone call to the MyHealth help desk and asks for the password for an account, pretending to
be a MyHealth customer who wants to obtain some company credential for a MyHealth
service.
Impersonation:
The social engineering method in this case is disguising oneself as a security person of the
MyHealth organisation and then entering MyHealth to obtain valuable company data. Some
common areas of impersonation are given below.
One common trick for impersonation is wearing MyHealth's office attire to look like an
employee. Another trick is to pretend to be a marketing team (Halibozek and Kovacich 2017).
Sometimes marketing team members are given access to the secure areas of MyHealth; those
members gain the trust of the company and are rarely identified as a threat.
Leaving the physical Honeypots:
In this trick, portable devices are intentionally left on the office premises; the people who left
them then pretend they have forgotten devices containing important media files, so that they
can enter the company, gain access to its systems and use those devices, which contain
malware programmed for specific objectives.
Risk mitigation:
The security risks can be mitigated by implementing physical security checks using a
company identification card and a unique PIN, and by restricting the sharing of sensitive
customer data with outside parties without special permission from MyHealth. Security
awareness is needed among the organisation's employees, and additional training of staff
members needs to be arranged for risk mitigation.
Task 4:
Impact of business analysis:
Business impact analysis is defined as a systematic process by which the critical factors that
may lead to a disaster are determined and evaluated.
Before control BIA implementation:
BIA implementation before controls has no specific guidelines that need to be followed in the
MyHealth organisation; the rules depend on the criteria of the business and the size of the
organisation.
1st phase:
This is one of the most vital steps in performing the BIA over the MyHealth organisation; the
preliminary assumptions are granted by senior management as part of project approval. The
steps of this stage are defining the objectives and constructing the goals and scope of the
project.
2nd phase:
In this phase the information for the BIA project is collected, including follow-ups,
questionnaires and surveys developed by the BIA team. The answers to the queries are
collected in this phase, which is important for assessing the potential impact of interruptions
(Ohmori, Fujio and Higashino 2019). The valuable information is generally about the persons
who are currently part of the process, the time at which the impact occurs, the measurement of
the legal impact and the historical data that is in line with the impact.
3rd phase:
This phase is about proper analysis of the collected information and reviewing that
data in an intuitive way. After the review, the three objectives of this
phase are
a) Defining the list of business functions based on priority
b) Identifying the technology and human resources
c) Establishing the recovery function and the operation of the business
At the time of information collection, the project team mainly emphasizes
performance and the quantification of impacts.
4th phase:
This phase is about gathering all the results and preparing a professional business report
which includes an executive summary, objectives and scope, methodology, findings and
suitable recommendations.
5th and last phase:
The last phase is decision making, which mostly depends on the MyHealth organization's senior
management, who are the ultimate recipients of the BIA report (Klein and
Walcott 2019). At the time of disaster recovery planning, the recipients rely on the content
of the report. Hence, the BIA report is updated when new technologies are introduced, and the
overall report is reviewed by the senior management.
BIA implementation after control:
When the implementation of control of BIA is done in phase 2, the task is to identify
the threats, which are either natural disasters or failures of the system. In the 4th phase
the control is managed for the intrusion detection technique, encryption and for the system
authentication. Some relevant technical controls are physical authentication, encryption
and the detection technique. A few types of non-technical controls are security policies and
administrative and physical actions. Hence, the technical and non-technical controls can be
broadly classified into detective and preventive controls.
The detective control is used for discovering new attacks, and the preventive control
techniques are mainly used for the process of encryption. In phase 5 the likelihood of the incident
is checked and, based on that, the detective control is divided into three classes:
high, medium and low likelihood. In phase 6, the security risk is prioritized according
to the impact and the likelihood (Radeschütz, Schwarz and Niedermann 2015). In the
7th phase the suitable actions corresponding to the class of detection are identified and a control
scheme is recommended. In the last phase all the vulnerabilities and likelihoods are
documented as risks, and then the BIA report for detective controls is made effective, by
which the errors are found and all of the policies are checked for whether they are running in an appropriate
manner.
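The likelihood classes of phase 5, the impact-and-likelihood prioritization of phase 6 and the per-class recommendation of phase 7 can be carried out over a risk register in code. The following is an added example written for this report and is not part of the original assignment; the likelihood and impact thresholds, the mapping from likelihood class to recommended action, the Risk type and every entry in SAMPLE_REGISTER are constructed assumptions that a real BIA team would replace with its own figures.

```python
"""Prioritize a BIA risk register by likelihood and impact (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed bands: likelihood from the annual rate of occurrence (ARO),
# impact from the single-loss expectancy (SLE) in AUD. Thresholds are illustrative.
LIKELIHOOD_BANDS: List[Tuple[float, str, int]] = [
    (0.2, "low", 1),            # at most one incident every five years
    (1.0, "medium", 2),         # up to one incident per year
    (float("inf"), "high", 3),  # more than one incident per year
]
IMPACT_BANDS: List[Tuple[float, str, int]] = [
    (10_000, "low", 1),
    (100_000, "medium", 2),
    (float("inf"), "high", 3),
]


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float      # annual rate of occurrence (constructed value)
    sle: float      # loss per incident in AUD (constructed value)
    control: str    # "detective" or "preventive", the two classes used in the report


def _band(value: float, bands: List[Tuple[float, str, int]]) -> Tuple[str, int]:
    """Return (label, ordinal) of the first band whose upper bound covers value."""
    for upper, label, ordinal in bands:
        if value <= upper:
            return label, ordinal
    raise ValueError("last band must be unbounded")


def likelihood_class(aro: float) -> str:
    """Phase 5: classify the likelihood of an incident as high, medium or low."""
    return _band(aro, LIKELIHOOD_BANDS)[0]


def impact_class(sle: float) -> str:
    return _band(sle, IMPACT_BANDS)[0]


def risk_score(risk: Risk) -> int:
    """Phase 6: likelihood ordinal times impact ordinal, giving a score from 1 to 9."""
    return _band(risk.aro, LIKELIHOOD_BANDS)[1] * _band(risk.sle, IMPACT_BANDS)[1]


def annualized_loss(risk: Risk) -> float:
    """Expected yearly loss (ARO x SLE); used to break ties between equal scores."""
    return risk.aro * risk.sle


def recommended_action(risk: Risk) -> str:
    """Phase 7: map the likelihood class to a control recommendation (assumed mapping)."""
    return {
        "high": "add a preventive control now and keep the detective control active",
        "medium": "keep the detective control and review quarterly",
        "low": "accept, document in the BIA report and review annually",
    }[likelihood_class(risk.aro)]


def prioritize(register: List[Risk]) -> List[Dict[str, object]]:
    """Order the register by score, then by annualized loss, highest first."""
    rows = [
        {
            "name": r.name,
            "likelihood": likelihood_class(r.aro),
            "impact": impact_class(r.sle),
            "score": risk_score(r),
            "ale": annualized_loss(r),
            "control": r.control,
            "action": recommended_action(r),
        }
        for r in register
    ]
    rows.sort(key=lambda row: (row["score"], row["ale"]), reverse=True)
    return rows


# Constructed register for illustration; none of these figures come from the assignment.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Phishing email delivering malware", aro=2.0, sle=60_000, control="detective"),
    Risk("Patient database server failure", aro=0.1, sle=250_000, control="preventive"),
    Risk("Flooding of the server room", aro=0.05, sle=400_000, control="preventive"),
    Risk("Shared staff identification cards", aro=3.0, sle=5_000, control="detective"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['score']}  {row['likelihood']:6} {row['impact']:6} "
              f"ALE={row['ale']:>9,.0f}  {row['name']}: {row['action']}")
```

The score alone leaves three of the four constructed risks tied at 3, so the annualized loss decides their order; that tie-break is the same ARO x SLE figure the conclusion refers to when it talks about the cost of failure, and it is what makes the prioritized list usable for the fund-allocation decision the BIA report is meant to support.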
Australian cybercrime legislation:
Based on the Australian cybercrime legislation, there are numerous frauds and spam
that happen in the MyHealth organization. Some common online frauds are identity theft
and phishing scams (Ciambrone 2018). Phishing includes spam, which is basically
gaining access to the profiles of the MyHealth organization, after which the hackers send multiple
fraudulent emails to other members of MyHealth. As soon as the links given in any one of
those mails are clicked, malicious software is automatically downloaded through the internet
and then corrupts the system, making it inaccessible, and sends all the valuable
information in the system to other parties.

Conclusion:
Hence, in conclusion it can be stated that all the tasks of the assignment have been
successfully met, along with the detailed security risks of the MyHealth company with the current
existing technology as depicted in the previous tasks. In task 3 the probable risk mitigation
procedures are explained in detail; other tricks such as ID theft and
intelligence information theft by which cyber attacks can occur in the system may also exist, and thus these
methods should be known to the employees of MyHealth. Also, the most common methods
for mitigating the risks are discussed in the task 3 section; however, for some types of threat there
need to be other mitigation techniques, such as securing offices with quick-response alarms
for cases of major and devastating breaches in the system. In the last part the business
impact analysis is performed in two stages, BIA after control and BIA before
control, which are described in detail. BIA is very important for a company as it helps
in the disaster recovery plan for the identification of costs which are linked to failure, such as cash flow
loss, equipment replacement, loss of profits and staff, and data impact analysis. The BIA report
mainly quantifies the main aspects of the components of the business for suggesting the
allocation of funds for protecting the information. The impact can also be measured in
monetary values for comparison purposes. BIA is often performed prior to the risk analysis.
BIA can serve as an entry point for the disaster recovery strategy, and thus recovery
time objectives can be examined. Also, in BIA the recovery point objectives are
properly identified, and the resources and/or materials needed for continuity of the business
can be successfully identified.