Analysis of IT Security Models, Threats, and Risk Assessment Report

Verified

Added on 2020/02/24

AI Summary

This report provides an overview of IT security, exploring the evolving technology landscape and the increasing need for robust security measures. It delves into various IT security models, including state machine and lattice access control models, explaining their functionalities and importance. The report also addresses different types of IT security threats, such as Trojans, viruses, worms, and spyware, and their impact on systems. Furthermore, it outlines the process of IT security threat and risk assessment, covering data collection, policy analysis, threat analysis, vulnerability analysis, and risk assessment. The report emphasizes the significance of a strong IT security system in protecting against data breaches and ensuring the smooth operation of businesses in the face of evolving cyber threats. References to relevant research papers and publications are also included.

RUNNING HEAD: IT RISK MANAGEMENT 1
IT risk management
Submitted by:

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

IT RISK MANAGEMENT 2
Contents
IT Security & Technology Landscape.............................................................................................3
IT Security Models & Access Controls...........................................................................................4
The state machine model..............................................................................................................5
The Lattice Access Control Models.............................................................................................5
IT Security Threat and risk assessment...........................................................................................7

IT RISK MANAGEMENT 3
IT Security & Technology Landscape
The excessive breaches in data security experienced by majority of people are creating a
necessity of IT Security & Technology Landscape. These highly publicized data breaches depict
lack of security and internal failure. This can have an enormous impact on economy and the
brand reputation. Compounding of data in today’s vulnerable security environment is a
challenge. There is a huge mismatch between the customers need and security technology. It is
obligatory to protect the enterprise against any massive data breach (Adomavicius, Bockstedt,
Gupta & Kauffman, 2008). The process should not obstruct productivity in any manner. The
security system should not affect the growth in terms of developing new applications or
automating new process in a business. Today’s security technology environment is not ready to
meet the needs of the enterprise. There is a wide gap between the security technology and

IT RISK MANAGEMENT 4
customer wants. The network group in order to create a more secured environment has deployed
an effective network security tools. The end point group is accountable for the computers and
mobile devices. They are trying to resolve the issue by focusing over the security puzzle in order
to avoid the security lapse. Apart from recognition there’s a huge growing problem that can’t be
controlled. The growing need regarding the prioritization of security is becoming critical.
Companies today need an identifiable network system in order to protect themselves (Feng,
Zhang, Zhang & Xu, 2011).
Along with the techniques employed by the hackers, a variety of networked devices in
addition to the conventional servers and workstations to access network or do harm. The hackers
had a high degree of achievement with the Industrial Control Systems, i.e. the hardware and
software packages. All these processes thereby manage and monitor physical infrastructure
approximating power plants and IP linked embedded devices. These devices are most commonly
known as the Internet things For example: IP cameras, medicinal devices, and vehicle (Yang,
Geng, Du, Liu & Han, 2011).
All these devices are susceptible frequently because of installers and users failure to alter
default factory security settings. These kinds of strategies are strangely exposed straight to the
Internet. It is where a user can simply be created and subjugated by an attacker. As per SIA
Megatrends Reports, the huge convergence between the system and the technology is creating
network vulnerabilities. A strong security landscape is important to gain consistency. The report
specifies four goals: to alleviate the cyber threats, implication of hardened products and
practices, educating the stakeholders and establishing a string IT security system to balance out
customer needs. The information security model is used to authorize the security policies in

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

IT RISK MANAGEMENT 5
order to provide with a precise set of rules. These models can be abstract and intuitive in nature
(Metke & Ekl, 2010).
IT Security Models & Access Controls
The IT Security Models & Access Controls is a process to resolve whether a principal can
perform a particular function on a targeted entity.
The access control policy provides with a specified access decision functions. The purpose is
to attain the principal proposed functions, to guarantee security properties and to enable
administration of a changeable procedure (Krutz & Vines, 2010). The access control model is of
4 types:
 Mandatory Access Control (MAC)
 Role Based Access Control (RBAC),
 Discretionary Access Control (DAC)
 Rule Based Access Control (RBAC or RB-RBAC).
The state machine model
The state machine model is the one system which is always secured. A state is the
snapshot of system at a particular point of time. The process is to integrate the external input
with the internal machine state. A transition takes place after the acceptance of input. This will
result in a new state. All these transitions are very well examined and secured against the system
(Zissis & Lekkas, 2012)

IT RISK MANAGEMENT 6
The Lattice Access Control Models
The Lattice Access Control Models is a complex access control model based on the
interaction in between different objects. These are resources, computers and objectives this type
of model defines the level of security to an object in order to generate effectiveness. The subject
is only allowed to access an object to ensure security level.
 The Subjects and Objects have security levels and not obligatory grouping
 discretion strategy (e.g., Bell-LaPadula)
The other model is as follows:
 Predicate Models
– ASL, OASIS, domain-specific models(Cárdenas, Amin & Sastry,2008)
 Safety Models
– Take-grant, Schematic Protection Model, Typed Access Matrix (Rival, Choi &
Lumb, 2009).
 Plus Domain Transitions
– DTE, SELinux, Java
–
IT Security Threat and risk assessment
There are different types of computer security threats. Some of these are pretty damaging
while some are harmful for the system. The types of computer security threats are as follows:

IT RISK MANAGEMENT 7
Trojan: This one is considered as one of the most complicated threats among all. Most of
the complicated computer threats come from the Trojan family unit. It is really a power virus that
can damage the computer.
Virus: Virus is a really popular for its malicious function. This replicates itself and focus
on destroying a computer. The overall purpose of a virus is to cause malware.
Worms: These are one of the undamaging threats considered to create problem. It does
not modify the system but affect the computer
Spyware: This malware is intended to scout on the victim’s system. A system affected
from spyware is affected badly. The attacker generally extorts the user (Zhang, Wuwong, Li &
Zhang, 2010).
Organizations are progressively more reliant on information systems for all their business
actions with customers, suppliers, partners and their employees. They need to be convinced to
function steadily. The cyber security risk requires being implicit in the perspective of the overall
business. The malware in system and technology has a long term impact on data management
(Ralston, Graham & Hieb, 2007).
The core risk assessment areas are as follows:
 Data Collection: The information on vulnerabilities and threat related to the specific
system identified and gathered from different resources.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

IT RISK MANAGEMENT 8
 Analysis of Policies and Procedures: The process includes an analysis sans review of
the existing policies to gauge the compliance level in an organization. These sources help
in managing the function in an effective way.
 Threat Analysis: These are the risks that contribute towards destruction or interruption
of services. This is a key element used to manage the risk in an effective way. The risk is
identified as a relation in between the business environment and the organization.
 Vulnerability Analysis: The process includes assessment of the information gathered
and to determine the existing exposure. This will give indication to proposed safeguards.
The different tools are: Nessus, SAINT, whisker etc.
 Correlation and assessment of Risk Acceptability: The final task is to assess the
existing policies and procedure. In absence of proper safeguards, the vulnerability level
will increase. A review of existing and planned safeguards needs to be performed in
order to gain competency (Cárdenas, et al 2011).

IT RISK MANAGEMENT 9
References
Adomavicius, G., Bockstedt, J. C., Gupta, A., & Kauffman, R. J. (2008). Making sense of
technology trends in the information technology landscape: A design science
approach. Mis Quarterly, 779-809.
Cárdenas, A. A., Amin, S., & Sastry, S. (2008, July). Research Challenges for the Security of
Control Systems. In HotSec.
Cárdenas, A. A., Amin, S., Lin, Z. S., Huang, Y. L., Huang, C. Y., & Sastry, S. (2011, March).
Attacks against process control systems: risk assessment, detection, and response.
In Proceedings of the 6th ACM symposium on information, computer and
communications security (pp. 355-366). ACM.
Feng, D. G., Zhang, M., Zhang, Y., & Xu, Z. (2011). Study on cloud computing
security. Journal of software, 22(1), 71-83.
Kaufman, L.M., 2009. Data security in the world of cloud computing. IEEE Security &
Privacy, 7(4).
Krutz, R. L., & Vines, R. D. (2010). Cloud security: A comprehensive guide to secure cloud
computing. Wiley Publishing.
Metke, A. R., & Ekl, R. L. (2010). Security technology for smart grid networks. IEEE
Transactions on Smart Grid, 1(1), 99-107.
Ralston, P. A., Graham, J. H., & Hieb, J. L. (2007). Cyber security risk assessment for SCADA
and DCS networks. ISA transactions, 46(4), 583-594.

IT RISK MANAGEMENT 10
Rimal, B. P., Choi, E., & Lumb, I. (2009). A Taxonomy and Survey of Cloud Computing
Systems. NCM, 9, 44-51.
Yang, G., Geng, G., Du, J., Liu, Z., & Han, H. (2011). Security threats and measures for the
Internet of Things. Journal of Tsinghua University Science and Technology, 51(10),
1335-1340.
Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk
management framework for the cloud computing environments. In Computer and
Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-
1334). IEEE.
Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation
computer systems, 28(3), 583-592.