ITC-596 IT Risk Management: IoT Vulnerability & Threat Assessment

Verified

Added on  2024/07/01

|20
|6776
|405
Report
AI Summary
This report, prepared for Gigantic Corporation, details an IT risk assessment focused on Internet of Things (IoT) applications. It identifies vulnerabilities and threats through methods like interviews and Delphi techniques, using tools such as probability and impact matrices for risk prioritization. The report classifies risks as high, medium, and low, emphasizing mitigation strategies for high and medium risks to prevent data theft and breaches. Recommendations include using the latest firewall and malware protection, periodic software upgrades, developing standard internet usage guidelines, and implementing strict password policies. The report also highlights the importance of data backups, employee training, regular audits, and monitoring systems. By implementing these measures, Gigantic Corporation can enhance its IT infrastructure security, build stakeholder trust, and ensure the effective and safe use of IoT in its operations.
Document Page
Assessment Item: 3
SUBJECT: ITC-596 IT RISK MANAGEMENT –

INTERNET OF THINGS

1
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Executive Summary
This report has been prepared and presented to the management of Gigantic Corporation

regarding the findings and vulnerabilities identified by the “IT Risk Assessment Lead Consultant

– Internet of Things”. The report has been prepared for enabling the management to take vital

decisions regarding technical risks associated while using IoT-based applications in its

operations. The report contains the major IT-related issues that have been identified by

conducting vulnerabilities and threats assessment and the recommendations have been provided

accordingly. These findings will help the management to develop appropriate IT policies and

procedures which enable to protect the vital information; both personal information of the

employees as well as corporate data.

In order to arrive at appropriate conclusions, the methods such as conducting interviews, Delphi

technique, and brainstorming were used for analysing the possible threats of using the current

policies that are employed for managing and controlling the data while using IoT-based

applications. The views and opinion provided by the experts provided an insight regarding the

vulnerabilities of the current IT infrastructure developed by Gigantic Corporation and the extent

of the risk associated while using the Internet of Things in various operations.

The tools and techniques such as probability and impact matrix, risk data quality assessment and

quantitative risk analysis were used for determining the immediate threats that have to be

mitigated by the organisation. These tools and techniques also enabled to ascertain the threats

and threat agents and the ways in which the loop-holes can be identified and mitigated.

The vulnerabilities and threats have been identified and presented separately along with

illustrating the ratings of these risks which have been classified as high, medium, and low. The

report concentrates on providing the solutions for mitigating high and medium risks as these

risks have the potential of hampering the smooth flow of operations. The high and medium risks

have to be immediately resolved for preventing the instances of threats such as data theft and

data breach. The recommendations have been provided based on the issues identified and the

best possible ways in which these risks can be mitigated effectively.

The report provides the following recommendations based on the findings and which should be

implemented by the management for protecting the organisation from facing serious

consequences, which include:

Using the latest firewall and malware protection software in all IoT-based applications
and server.

Using a firewall in the network which is used for communicating with the customers and
vendors.

Upgrading the applications and software periodically.
Developing and implementing the standard guidelines for using the internet and the
procedure that has to be followed while using software and application.

Developing standard procedures that have to be implemented while dealing with threats.
Strict adherence to the password policies and the sharing of information.
Providing the access to the application and software based on the job role of the user.
Using administrator credentials in all the computers and devices and restricting the user
from using external storage devices such as pen drives.

Restricting the movement of personnel to certain locations such as server rooms.
Using strong passwords for all the applications and software that are being used.
Maintaining a log of users and the type of software and applications they use for better
control.

2
Document Page
Creating unique Ids and passwords with strong login credentials for using software and
applications.

Installing CCTV cameras at appropriate locations for monitoring the activities performed
by the users and preventing intrusions in the restricted locations.

Separating the personal information of the employees and staff with that of corporate
information.

Taking a regular back-up of the data in a cloud set-up.
Providing training to the employees and staff regarding the ways in which the
applications and software are to be used.

Communicating the possible threats of using the internet to the employees and staff and
the risk associated with accessing websites other than the recommended sites.

Conducting third-party audits regularly.
Periodic assessment of vulnerabilities and threats for ascertaining the effectiveness of
implementing preventive measures.

Using firewall/filters at the server for detecting malwares/ransomware and for identifying
risky websites.

The report also provides a detailed explanation regarding the possible consequences that may

have to be faced if proper control mechanisms are not implemented. Due to the increasing use of

the Internet of Things, the company is too much dependent on the applications and software, it is

necessary to understand the risks associated with using these applications. These details will help

the management to modify the current procedures that are being followed and the measures that

can be taken for enhancing the safety and security of the data. The results of the assessment

provide a clear understanding as to the importance of identifying threat agents and the ways in

which the vulnerabilities can be exploited by the threat agents for accessing the information.

The merits of this project are as given below:

By using firewall and anti-malware, the possible cyber attacks can be prevented thereby
safeguarding the vital information of the company.

Using strong login credentials ensures that the issues related to data theft and data breach
can be eliminated.

Upgrading the applications and software regularly helps the company from possible
malware attacks as the latest versions of the applications are assumed to be safe.

Formulating appropriate guidelines will help the management to implement appropriate
control measures enhancing the existing security of the IT infrastructure.

Communicating the possible risks associated with using the applications and software
enables to implement the policies effectively.

The overall improvement in the IT infrastructure and enhanced security helps to build
trust and confidence among the stakeholders and customers thereby ensuring continuous

growth and development of the organisation.

The report concludes that the results of the risk analysis have been prepared by using appropriate

methods and techniques which enhances its accuracy. By implementing the measures stated in

the report, the organisation will be able to achieve the desired level of effectiveness while using

the Internet of Things in its operations.

3
Document Page
Table of Contents
Executive Summary
.....................................................................................................................................1
Introduction
.................................................................................................................................................4
Risk Management Overview
....................................................................................................................... 5
Techniques used:
.........................................................................................................................................6
Risk Assessment and Analysis:
................................................................................................................... 7
Identification of the vulnerabilities
.......................................................................................................... 8
Threats
................................................................................................................................................... 10
Evaluation of the risks
...............................................................................................................................11
Assessment Findings
................................................................................................................................. 13
Risk Treatment and Response
...................................................................................................................14
Findings based Recommendations
.............................................................................................................14
Conclusion
................................................................................................................................................. 17
References
.................................................................................................................................................18
4
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Introduction
This report has been prepared for providing a detailed analysis of implementing the applications

and software in Gigantic Corporation based on the concept of the Internet of Things. With the

increased usage of web-based interfaces, the various issues related to the security of the data as

well as the server is being faced by the company. The report has been prepared by conducting a

detailed vulnerability and threat analysis by using appropriate methods and techniques and the

possible consequences of these threats have also been explained in detail. The report also

provides the solution for resolving the issues and the ways in which the threats can be mitigated

have also been explained. Suitable recommendations have also been provided which can be used

by the management for safeguarding the vital information of the employees and customers.

Aim

The purpose of the report is to analyse the possible threats that can be faced by Gigantic

Corporation while using applications and software based on the concept of the Internet of

Things. The threats and vulnerabilities are identified and the impact of these risks has also been

explained which can be utilised by the management while developing a risk mitigation plan.

Assessment Scope

The scope of the risk assessment contains the factors and elements associated with the internet of

things. The report explains the important factors; both internal and external, that has to be

considered while formulating policies and procedures for mitigating the issues related to the

Interne of Things. The safety and security of the data and the server has been given importance

as the organisation deals with a huge volume of data which is vital for the growth and

development of the organisation.

It is important to monitor and control the activities of the users since the company relies on the

various applications and software that are used for performing activities. The report provides

clear guidelines that have to be followed for preventing the instances of data theft and

unauthorised use of data. The importance of providing strong login credentials has also been

explained.

The recommendations that are provided in the last part of the report explain the possible ways of

resolving the issues related to access controls and safety and security of the information. The

findings-based recommendations enable the management to take appropriate measures for

implementing appropriate control measures which help to overcome the threats faced by

Gigantic Corporation.

5
Document Page
Risk Management Overview
The risk management is a process which involves identifying and managing the various risks

involved which may result in negatively impacting the operations of Gigantic Corporation. There

are various risks involved while developing a system based on the Internet of Things in which

the different functions of the organisation are connected through the Internet. The risks that are

involved while developing the system based on Internet of Things are system failures, instances

of data loss and data breach, natural disasters, and cyber attacks. These risks have to be mitigated

so that the organisation can overcome these issues and enhance the operational efficiencies and

protect the company from resulting losses (Biener, et. al., 2015).

It is very well established that it is important to protect the information as the competitors are

always looking for a way to extract confidential information for gaining an upper hand in the

market. Hence, it is essential that the key risks are identified so that a comprehensive plan can be

developed for protecting the server and the systems. The key factors have to be identified which

can be used for preventing any mishaps and the best possible ways of enhancing the cyber

security throughout the organisation.

The risk management process that has to be followed by Gigantic Corporation can be divided

into three steps:

Risk Assessment and Analysis:
In this stage, the firm’s exposure to the potential risks and
uncertainties in the business and the resulting losses that may occur due to these risks. For

analysing the true nature of the risks, the company has to ascertain the market condition and the

objectives that are defined while developing the system based on the Internet of Things. This can

be explained by citing an example wherein the finance and sales functions are interconnected so

that the sales figures can be projected based on the actual sales target achieved by the team. In

this scenario, the potential risks that can be faced by Gigantic Corporation are; system failures in

finance, connectivity issues, data breach and data theft, and cyber attacks. Hence, the company

should identify the potential threats by assessing the risks involved in particular departments and

functions (Van Grembergen & De Haes).

Risk Evaluation:
In this stage, the criteria are defined based on which the risks can be assessed
and the factors that have to be considered while evaluating the risks.

Risk Treatment and Response:
The techniques and procedures are enlisted in this stage which
helps to mitigate the issues identified in the risk assessment stage.

Developing monitoring controls:
It is essential for monitoring the systems and vulnerable
factors continuously so that the threats can be prevented and appropriate actions can be taken

quickly for mitigating the threats at the initial stage itself.

6
Document Page
Figure 1: Risk Management Process
Source: (LucidChart, 2017)

Techniques used:

The techniques that are used for analysing the risk parameters are:

Documentation reviews:

The documents that are maintained by the organisations related to the assets, details of the

previous projects, and the results of the previous projects implemented are examined.

Interview:
The interviews were conducted by preparing suitable questionnaires for ascertaining
the type of risks that are usually faced by the management. The participants were divided into

separate groups namely; employees, experts, and top-level executives.

Delphi Technique:
In this technique, a list of questions was sent to the experts and stakeholders
for getting the responses on various topics and the results are sent back to them for arriving at a

common consensus.

Brainstorming:
The brainstorming sessions were organised with the group of experts and top-
level executives for identifying the risks associated with the project.

SWOT Analysis:
This is a management tool which can be used by the management for
ascertaining the strengths, and weaknesses of the firm and the opportunities that can be utilised

for overcoming the weaknesses.

The SWOT analysis of Gigantic Corporation for using the Internet of Things in various

operations is given below:

Strengths
Weaknesses
Presence of well-established IT
infrastructure.

Using outdated applications and
software

7
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Experienced staff for using the
applications and software.

Good reputation of the company for
using web-based applications.

Enhanced production capacities
Preparation of accurate management
reports for decision making

Exposure to risk related to data theft
and data breach.

Prone to fire accidents
Lack of emergency guidelines for
handling unexpected events.

Back-up issues
Opportunities
Threats
Using latest updates and patches for all
the applications and software

Implementing appropriate user control
measures.

Using fire safety measures
Preparing a detailed document for
mitigating the unexpected events.

Taking back-up in a cloud set-up
Hackers/outsiders stealing important
information related to the operations.

Insiders/employees disclosing the
details to outsiders.

Man-in-the middle attacks
Fire damages
From the above analysis, the strengths and weaknesses can be ascertained and the steps that can

be taken by Gigantic Corporation for mitigating the threats that have been identified. The

weaknesses and threats can be mitigated by using the opportunities that have been identified in

the above analysis. Hence, SWOT analysis has been conducted for analysing the risks involved

while developing the system based on Internet of Things in Gigantic Corporation. This analysis

will help in making important decisions related to the use of preventive measures that can be

used for developing a comprehensive and effective IT infrastructure.

Tools and Techniques:
Various tools and techniques were used for ascertaining the probability
of risks associated with the project such as probability and impact matrix, risk data quality

assessment along with performing quantitative risk analysis.

These tools and techniques enable to understand the extent of the actual risks involved while

performing various activities and the extent to which the available data is reliable. Also, these

tools enable to identify those risks which require immediate attention.

Risk Assessment and Analysis:

The first step in the process involves understanding the risk appetite of Gigantic Corporation that

is, the risk that can be tolerated by the firm for conducting the business operations. As the

company is a large firm, the resources are available to absorb a few risks. The level of risks

involved depends on the goals and objectives of the organisation and the priorities of the

business towards performing various operations. The assets of the companies are also defined for

developing the counter-measures such as funds, operational data, previous records, and technical

know-how.

The company has to categorise the Internet of Things (IoT) as;

IoT which can be controlled, and
8
Document Page
IoT which cannot be controlled
IoT which can be controlled
are the computers and other devices which are used by the
employees within and outside of the company. These devices can be tracked and hence, the risks

associated with these devices and applications are limited. The users of these devices can be

identified easily, therefore, the instance of data breach and any other threats can be easily

identified.

IoT which cannot be controlled
is those where the systems of the firm are connected through
an external networks such as communication between the customers and the company. Here, the

interacting phase cannot be controlled as the customers use a different type of devices and

connections. These external agents are a serious threat as the malicious content can enter the

server thereby involves a high amount of risk.

Figure 2: Stages in Risk Assessment

Source: (Reij & Schothorst, 2012)

Identification of the vulnerabilities

Vulnerabilities are the weaknesses in the IT infrastructure which makes the threats possible. In

other words, the potential threats can only enter if the IT system has some loopholes within it.

The threats identify these loopholes for damaging the data or stealing a particular system

resulting in huge losses to the organisation as well as damaging the reputation of a firm (Sándor,

et. al., 2017).

As discussed in the above, both controlled and uncontrolled IoT has to be analysed for

identifying the possible threats including future threats. The IT technicians should differentiate

the threats as per the interface that is being used by the users while accessing the information.

The employees and staff usually use the LAN for performing the tasks and the customers use

some external connections for communication (Wang, et. al., 2014). The following table

identifies the vulnerabilities that can hamper the normal functioning of Gigantic Corporation:

Table 1: Vulnerabilities

Description
Exposure
[Metrics

from 1 to

5, where

Severity

[Metrics

from 1 to 5,

where 1

Vulnerability

Assessment

Value

Remarks

9
Document Page
1
indicates

low risk]

indicates

low risk]

Lack of back-up
4 4 4 An appropriate system of back-up is
not developed wherein; the important

data is saved in a different location,

most commonly in an external

storage device or cloud interface.

This impacts the entire organisation

in case of data breach and data theft.

System Usability

issues

4
4 4 Currently, the employees can access
any computer for performing tasks.

Hence, it is highly possible that the

instances of data theft are increased.

Use of external

networks

4
4 4 At present, the customers
communicate by using the external

network and hence, the risk of data

breach and cyber attacks is higher.

Lack of control

measures

4
4 4 A systematic approach is required for
preventing the threats from entering

the server. For instance, the admin

access is provided to more number of

users which may result in the

instances of data theft.

Lack of

awareness

among the users

3
2 2 The users are not aware of the threats
involved regarding data while using

the applications and software.

Inadequate

training for the

new users

3
2 2 The current procedures that are being
followed are aimed at providing

training that is limited to providing

information regarding using the

applications and software. However,

the procedure that can be followed

for minimising the threats is not

provided.

Use of an

outdated firewall

4
4 4 This is a high-risk scenario as the
malicious content may enter the

server resulting in data loss.

10
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
The above-mentioned vulnerabilities have been identified for developing a comprehensive
system which can be used for developing a system for mitigating the issues. A detailed

explanation regarding the vulnerabilities has also been explained which is helpful for

ascertaining the solutions that can be used while implementing control mechanisms.

Threats

Threats are the negative event that results in undesired outcome such as data loss or incurring

financial losses. These threats are initiated by Threat Actors who breach the security apparatus

because of drawbacks in the IT management system (Chatzimichailidou, et. al., 2015). The

threats that can potentially damage the company’s data are competitors trying to steal vital

information from Gigantic Corporation. The threats that can cause damage to the company have

been provided in the following table:

Table 2: Threat and Threat Agents

Threats
Threat Agent Impact Remarks
Spoofing of

credentials

Employees
High The unauthorised access to the
confidential information is

possible as the user can easily

access the device.

Man-in-the-

middle

attacks

Outsiders/Hackers
High These are aimed at collecting
specific information about the

company and usually, a false

identity is created for entering

the company’s server.

Ransomware
Hackers High The hackers send spurious
emails for obtaining financial

information such as credit card

details of the employees,

passwords, and others.

Blocking
Hackers Medium A network can be blocked by
identifying vulnerabilities of

exchange protocols.

Data

likability

Companies
Medium The huge volume of data that is
stored and processed enables to

identify the user as the stored

data can be interlinked.

Profiling
Companies Medium Collecting and storing the
information may lead to creating

the employees’ profile such as

credit card numbers, email

addresses, etc.

11
Document Page
Fire
Accidents

Outsiders/Staff
High Fire accidents result in damaging
the cables affecting the

communication channel.

The above threats have the potential of damaging the reputation of the firm resulting in facing

long-term consequences. The increased usage of the Internet of Things applications results in

storing important details of the employees and staff and the threat agents exploit the

vulnerabilities for creating damages. The threats and threat agents both require sufficient time

and space for entering the system and there are various methods in which the vulnerabilities are

exploited such as man-in-the-middle attacks.

Evaluation of the risks

These are the chances of facing a negative event which is to be avoided along with its probability

and impact, which can be denoted as:

Risk = probability X impact\

Figure 3: Security Controls For Enterprise “Internet Of Things”

Source: (Unatek, 2016)

The risks that can be faced by Gigantic Corporation are:

Disruptions and denial-of-service attacks:

It is essential to develop a system which ensures continuous availability of the IoT-based devices

for avoiding operational failures and interruptions. However, denial-of-service attacks are aimed

at interrupting the flow of the communication channel resulting in system failures which may

12
chevron_up_icon
1 out of 20
circle_padding
hide_on_mobile
zoom_out_icon
[object Object]