Data Security Assignment: Threat and Risk Assessment Report for EvolveNet
Question
Task:
Data Security Assignment Task:
Write a Threat and Risk Assessment Report that assesses the findings of a gap analysis and articulates the most prominent risks and threats to the subject organisation - EvolveNet.
The audience of the Threat and Risk Assessment Report is the SLT and Executive team of the target organisation and should be authored to a professional standard as would be expected in typical large organisation.
The report must include:
- An assessment of the control gaps identified in the gap analysis report (provided) and risk presented to the organisation
- Possible threat scenarios that the organisation is subject to due to the identified gaps
- A list of prioritised short-term (tactical) and long-term (strategic) initiatives to address the identified risks
- A copy of the threat matrix used for risk level rating
Organisational Overview:
EvolveNet is an Australian VOIP company that supplies over-the-top VOIP services for residential and businesses customers. Our key product is the AnyPhone VOIP service that allows customers to make lowest phone calls across the globe. Additional services include GlobalPhone, which provides local phone number in 20 different countries. s a world leader, EvolveNet provides the VOIP platform for over 50 domestic and global telecommunication partners.
EvolveNet employs over 300 people across Australia, with our Head Office located in Sydney. EvolveNet provides a reliable, easily-to-configure, plug and play VOIP service.
Key Information Assets and Systems
Customer database (~300,000 records)
Call records (2,000,000 records per day)
Internet-facing servers (website server, webmail, email, web service, DNS server)
Office 365 for mail, office applications and file sharing
Internal servers (file, print, intranet, corporate PBX, DHCP and DNS servers)
Self-service VOIP configuration website
Web development and test systems
Wholesale partner website
Customer-facing PBX and voicemail farm
Staff Windows workstations and laptops
VPN concentrator
Network routers and switches for corporate network
Boarder and DMZ firewall
AWS housed software defined voice (SDV) proof of concept environment
EvolveNet Corporate Strategy:
EvolveNet aims to be the number one provider of innovative VOIP products in Australia and across the world. Through the development of software defined voice solutions and the use of key cloud infrastructure partners, EvolveNet will gain a reputation for reliable and costs-effective services.
Answer
Executive Summary
The report on data security assignment is written for EvolveNet and it is a Voice over Internet Protocol, VOIP firm based in Australia. The services provided by EvolveNet cover the residential and business customers. The purpose of the report is to identify and bring out the security vulnerabilities and threats for EvolveNet and to comprise the risk treatment strategy that may be implemented. The threats that are identified are because of the underlying security vulnerabilities, such as lack of security updates, poor email security, unprotected test data, and others. There are several risks and threats that may arise due to these vulnerabilities. Some of these include malware attacks, violation of access control, cryptanalysis attacks, database security attacks, etc.
Introduction
Information security and privacy are the major concerns for every business organization in the current times. This is because of the increase in the use of the automated technology and the data sets. There are newer mechanisms that have been developed to execute the attacks on the data and the systems so that information privacy and security can be violated. The report is written for EvolveNet and it is a Voice over Internet Protocol, VOIP firm based in Australia. The services provided by EvolveNet cover the residential and business customers. One of the primary services provided by the organization is AnyPhone VOIP Service. It allows the customers to make low on cost phone calls to the desired entity worldwide. There are several other services provided and these cover 50 local and international partners. Some of the key assets for the organization include the customer database, call records, internal servers, wholesale partner websites, VPN Concentrator, and others (Miltgen& Smith, 2015).
The aim of the organization is to provide the best VOIP services to the customers and emerge as a market leader in the field.
Purpose
The purpose of the report is to identify and bring out the security vulnerabilities and threats for EvolveNet and to comprise the risk treatment strategy that may be implemented.
Organizational Assets
The use of technology and the involvement of data for EvolveNet are massive. The organization itself deals in to computing services and therefore the main asset for its firm is the organizational data. These data sets are further classified in different types and customer data is the most important asset in this category followed by the call records. The customer database has approximately 300,000 records and there call records comprise of 2,000,000 records per day (Leming, 2015).
Internet and networking have become the primary essential and the organizational assets also cover the internet servers that are used by the organization. Apart from these, the internal servers, web development systems, test systems, VPN Concentrator, firewalls, networking peripherals, and laptops & computer systems are some of the major assets of EvolveNet.
Control Gaps
EvolveNet is required to ensure that security and privacy of the data, systems, and the networks is always maintained. There are several ways to determine the status and one of the most relevant is the conduction of control audits. Such an audit was conducted for EvolveNet and there are a set of gaps that have been determined in the process. A list of these control gaps is prepared which shall be used to implement the security measures and improvement mechanisms.
- The frequency of the security audits and improvement exercises is very low which leads to the lack of security updates.
- Unprotected test data
- Unattended systems by the employees which can be easily accessed to retrieve the private and confidential data
- Poor access control on the software installed (O’hanley& Tiller, 2015)
- Poor email security with easy access to the critical data
- The new employees are not provided with any induction so that they may understand the security status and policies
- Information security policies and frameworks are not updated on a regular basis
- Lack of automated security controls to have protection from the security attacks, such as malware and network-based attacks
- Poor management of security keys
Threat Categories
The classification of the security threats that are determined for EvolveNet is done on the basis of the information category that is targeted by the threat. For every threat that is given shape, there is a specific objective for carrying out the threat. Most often it is the disruption of the overall information security and privacy. However, there is specific category of information that gets hampered with the threats that are executed.
|
Category |
Description |
|
Threats on Information Confidentiality |
Confidentiality is often targeted by the security threats that may occur on the data, networks, and systems at the organization. These threats may include the different forms of malware attacks, such as ransomware, virus, worms, or other forms of malware. The use of network may be done as the threat agent and it may be used to given shape to the eavesdropping attacks. These will lead to the negative implications on the information confidentiality |
|
Threats on Information Integrity |
There are several threats that may occur and may impact the information integrity. The manipulation of the message or media content associated with the organization is an example of such threats. The database security may be put at risk and the threats of integrity violation on the EvolveNet database may be present. |
|
Threats on Information Availability |
The data or network availability will be always necessary to maintain the flow of the system activities and operations. There are security attacks that may be conducted to directly implicate the information availability. The denial of service attacks and its variants is the most common form of availability attack that may occur(Cui et al., 2016). These are the flooding attacks in which the use of garbage values may be done so that the security of the data and network can be hampered. |
Vulnerabilities and Threats
|
Security Vulnerability |
Threat Scenario |
Likelihood |
Impact |
Risk Level |
|
Lack of Updates |
The security loopholes may keep on generating leading to the expansion of the attack surface and attack window. The access control and authentication violation can become easier. |
3 |
4 |
High |
|
Unprotected test data |
The data breaches and leakage can take place and these may be executed by the members of the test team. The data may be accessed and transferred to the unauthorized entities which may misuse the information (Gordon, 2016). |
4 |
4 |
High |
|
Unprotected systems |
The lack of security measures on the system, unattended systems can lead to the unauthorized access to the data sets along with the easy manipulation of the information. |
4 |
5 |
High |
|
Poor Email Security |
There are spoofing and phishing attacks that may occur along with the breaching of the information due to the lack of adequate security measures on the email server being used at the organization. |
2 |
4 |
Moderate |
|
Absence of technical security controls |
The detection of the intruder attempts and the similar attempts may not be timely done. These may lead to the malware attacks along with the network security attacks, such as eavesdropping or flooding attacks. |
4 |
5 |
High |
|
Poor key management |
The use of cryptography is done so that the overall security can be improved. However, the improper handling and management of the security keys may lead to the occurrence of the cryptanalysis attacks (Martin, 2020). |
2 |
4 |
Moderate |
|
No induction training for new employees |
A major share of security threats involves the employees of the organization. The insider threats may be given shape with the lack of induction as the employees will not be aware of the consequences of their actions. Some of the attacks may also be accidental due to the lack of training. |
3 |
5 |
High |
The mapping of the vulnerabilities is done with the threat scenario and these are further mapped with the risk probability and impact scores. These are assigned from a scale of 1 to 5 wherein 1 is lowest and 5 is the highest risk probability/impact. The risk level is assigned as per the two scores associated with the risk.
Risk Treatment Plan
|
Recommended Controls |
Security Vulnerability Address |
Priority |
Owner |
|
The information security policy shall be developed and must be updated on a regular basis. There shall be at least one audit conducted on a monthly basis with several information reviews in between. |
Lack of Updates |
2 |
Chief Information Security Officer (CIO) |
|
The dummy data shall be used as the test data by the test team. The production data shall only be accessible to a very few senior official |
Unprotected test data |
4 |
Test Manager |
|
The information security policy and plan shall comprise of the list of dos and don’ts for the employees. It shall also have the measures as automated system locks after 2 minutes of inactivity, preservation of the credentials, and likewise(Shamala et al., 2017). |
Unprotected systems |
3 |
Security Advisor |
|
The email security measures shall be used which shall comprise of secure email server, two-tier authentication along with the anti-phishing checks. The users shall also be trained to differentiate between the authentic and suspicious content and links. |
Poor Email Security |
5 |
Technical Security Expert |
|
The installation of the automated security controls shall be done which shall include the intrusion detection and prevention systems, anti-malware tools, anti-denial tools, and other automated security controls. |
Absence of technical security controls |
1 |
CIO |
|
The security keys shall be securely handled and assigned by the Chief Information Security Officer. |
Poor key management |
7 |
Technical Security Expert |
|
The new employees shall be trained with mandatory induction program so that the overall security can be improved. |
No induction training for new employees |
6 |
Security Advisor |
Risk Treatment and Management Initiatives
There are two risk management initiatives that shall be immediately implemented. These include the implementation of the information security plan and policy and the installation of the technical security controls. The automated technical security controls will make sure that the information security attacks and threats are detected and can be prevented. For instance, anti-malware controls will detect the attempt of malware attacks and will offer ransomware protection as well. If an intruder or attacker will attempt to launch the malware through the network or email then such attempts will be detected in time and the avoidance will be possible. Similarly, the anti-denial tools will make sure that the denial of service attacks does not take place. There are automated and technical access control and authentication measures also available. These must be used by EvolveNet. The use of two or multi-tier authentication along with the technical database security controls shall be done(Zhu et al., 2016).
The preparation and implementation of the information security plan will also enable the organization to have enhanced and improved security. The guidelines and plans to have the information security managed and maintained will be in place. Also, the security roles and responsibilities will be adequately allocated so that the overall security is improved.
Apart from these measures and the other controls that have been recommended, it will also be necessary that the physical security measures are undertaken. There are several entry and exit points in the premises of EvolveNet. If the authorized personnel get access to the organization and the secure zones, such as the server rooms then the damage may not be rolled back. The use of the surveillance tools must be done to keep all the areas protected. The identity check and luggage checks shall also be performed. There must be security guards deployed at all the entry and exit points.
The use of trainings is an effective measure that shall be used. The trainings will provide the mechanism to make sure that the users and customers are informed on the security aspects. The combination of security and ethical trainings shall be provided. The entities must be kept updated on the information security and privacy aspects (Marquardt, 2016). The inclusion of these in the induction trainings will ensure that the employees have the adequate information right from the beginning.
The selection of the data must also be done appropriately. The test team, for instance, shall not have the access to the production data. Only the dummy data shall be used for the purpose of testing. This will lead to the avoidance of the security and privacy attacks on the data. The access to the production data shall only be provided to the Test Manager and the senior officials. The employees of EvolveNet must also ensure that only the secure channels are used for sharing the confidential and critical information. The use of emails must never be done to exchange the critical and confidential data.
The combination of these measures will make sure that the risks associated with the organization, its networks, servers, and data are properly managed. The avoidance of the risks will be done and the overall improvements will be made.
Risk Rating Matrix
The risk rating matrix on the basis of the threats and vulnerabilities are included in the matrix below. The determination of the risk rating is done for each of the risks that are identified.
|
Threat Scenario |
Risk(s) Determined |
Likelihood |
Impact |
Risk Rating |
|
The security loopholes may keep on generating leading to the expansion of the attack surface and attack window. The access control and authentication violation can become easier. |
Violation of Access Control |
3 |
4 |
12 |
|
The data breaches and leakage can take place and these may be executed by the members of the test team. The data may be accessed and transferred to the unauthorized entities which may misuse the information. |
Data Breaches Data Leakage |
4 |
4 |
16 |
|
The lack of security measures on the system, unattended systems can lead to the unauthorized access to the data sets along with the easy manipulation of the information. |
Data Integrity Violations, Data Manipulation, Insider threats |
4 |
5 |
20 |
|
There are spoofing and phishing attacks that may occur along with the breaching of the information due to the lack of adequate security measures on the email server being used at the organization(Janicki et al., 2016). |
Spoofing and phishing attacks |
2 |
4 |
8 |
|
The detection of the intruder attempts and the similar attempts may not be timely done. These may lead to the malware attacks along with the network security attacks, such as eavesdropping or flooding attacks. |
Malware Attacks, Flooding attacks, Eavesdropping attacks |
4 |
5 |
20 |
|
The use of cryptography is done so that the overall security can be improved. However, the improper handling and management of the security keys may lead to the occurrence of the cryptanalysis attacks. |
Cryptanalysis attacks |
2 |
4 |
8 |
|
A major share of security threats involves the employees of the organization. The insider threats may be given shape with the lack of induction as the employees will not be aware of the consequences of their actions. Some of the attacks may also be accidental due to the lack of training. |
Insider threats |
3 |
5 |
15 |
The risk rating has been assigned on the basis of the likelihood and impacts that were determined for the threat scenarios. The multiplication of these values is done to determine the risk rating for each of the risks identified.
Conclusion
There are a number of security threats and vulnerabilities associated with EvolveNet. It is necessary that the identification of all of these security threats and risks is properly done so that the suitable measures can be implemented. The threats that are identified are because of the underlying security vulnerabilities, such as lack of security updates, poor email security, unprotected test data, and others. There are several risks and threats that may arise due to these vulnerabilities. Some of these include malware attacks, violation of access control, cryptanalysis attacks, database security attacks, etc. The security measures shall be a combination of different mechanisms. The use of automated technical security controls and physical controls shall be done. There shall also be administrative measures that must also be done, such as the implementation of information security plans. There shall be continuous security improvements that must always be done so that the overall security is in place.
References
Cui, Z., Zhu, H., & Chi, L. (2016). Lightweight key management on sensitive data in the cloud. Security and Communication Networks, n/a-n/a. https://doi.org/10.1002/sec.850
Gordon, A. (2016). The Hybrid Cloud Security Professional. IEEE Cloud Computing, 3(1), 82–86. https://doi.org/10.1109/mcc.2016.21
Janicki, A., Alegre, F., & Evans, N. (2016). An assessment of automatic speaker verification vulnerabilities to replay spoofing attacks. Security and Communication Networks, 9(15), 3030–3044. https://doi.org/10.1002/sec.1499
Leming, R. (2015). Why is information the elephant asset? An answer to this question and a strategy for information asset management. Business Information Review, 32(4), 212–219. https://doi.org/10.1177/0266382115616301
Marquardt, N. (2016). An Experimental Approach to the Evaluation of Business Ethics Training. Journal of Business Ethics Education, 13, 41–66. https://doi.org/10.5840/jbee2016134
Martin, K. (2020). Cryptography?: the key to digital security, how it works, and why it matters. W. W. Norton & Company, Inc.
Miltgen, C. L., & Smith, H. J. (2015). Exploring information privacy regulation, risks, trust, and behavior. Data security assignment Information & Management, 52(6), 741–759. https://doi.org/10.1016/j.im.2015.06.006
O’hanley, R., & Tiller, J. S. (2015). Information security management handbook. Crc Press.
Shamala, P., Ahmad, R., Zolait, A., &Sedek, M. (2017). Integrating information quality dimensions into information security risk management (ISRM). Journal of Information Security and Applications, 36, 1–10. https://doi.org/10.1016/j.jisa.2017.07.004
Zhu, H., Mei, Z., & Xie, M. (2016). Identity-based key management for cloud computing. Security and Communication Networks, n/a-n/a. https://doi.org/10.1002/sec.1474
