Threat and Vulnerabilities - Assignment Example

Summary
This study declares that the appropriate security therefore depends on the vulnerability of the system and the threats in question. There is thus a relationship between threats and vulnerabilities, and each threat should be assessed depending on the extent of its vulnerability. …

Extract of sample "Threat and Vulnerabilities"

Introduction

A threat is an event that has the potential to cause a negative impact on a resource. Vulnerability, on the other hand, is the environment or quality of the resource that allows threats to be realized (Bidgoli 2006). Threats are normally present in hardware, software systems and networks, but are usually mitigated using security features and procedures. The appropriate security therefore depends on the vulnerability of the system and the threats in question. There is thus a relationship between threats and vulnerabilities, and each threat should be assessed depending on the extent of its vulnerability. Protection of the computer's systems and software is therefore protection of computer assets (Pfleeger & Pfleeger, 2012).

Tools and techniques for identifying and analyzing

Based on the relationship between threats and vulnerabilities, there are various tools and techniques for identifying and analyzing these threats and vulnerabilities.

The first technique is the application security threat assessment, which identifies the architectural information of the application, which is in turn used to develop a threat profile for that application. It involves identifying the nature of the threats and the likely vulnerabilities, noting the impact and probabilities, and analyzing their consequences (Fujita et al., 2009). A list of threats is assessed, threats are categorized into types and agents, and malicious threats are detected, whose source can be either authorized or unauthorized. An unauthorized attacker is one who does not have permission to access the application, while an authorized attacker is an insider and legitimate user of the application. This technique is used as a basis for determining the need for further analysis (Owasp 2006).

The second technique is the application security architecture review, which involves analysis of the application to determine the sensitive data, critical assets and interconnections. The technique helps in determining potential attack vectors that are used in testing. It further helps to determine the areas of vulnerability, both actual and potential (Owasp 2006). The technique aids in determining why and how security measures were integrated into the application.

The third technique is automated external application scanning, which uses automated open source or commercial software to identify known application layer vulnerabilities. It identifies error conditions that arise from incorrect or improper input, is run on an automated and regular basis as an ongoing vulnerability management measure, and is used on critical applications as a basis for expert testing (Owasp 2006).

The fourth technique is automated source code analysis, which carries out static code analysis on software source code using special software tools so as to discover potential vulnerabilities within the code. It is the best technique for determining defects in code functionality. It is an effective way of finding and eliminating security vulnerabilities within the organization (Fujita et al., 2009).

Another technique is manual penetration testing, whereby an experienced analyst uses open source automated utilities for performing task-specific functions and hands-on analysis to try to hack the application further, as an attacker would. The tools used are developed for specific purposes. It is best applicable to transaction-based or multi-level access applications.

Finally, manual security-focused code review is another technique, involving review of software source code to identify source code level issues that may make it easy for an attacker to compromise an application system or business functionality (Owasp 2006). It may be used in the software development life cycle to resolve coding issues.
Critiques on the practice of offering rewards for discovering vulnerabilities

The practice of offering rewards for discovering vulnerabilities is criticized on the basis that, despite the efforts of companies to motivate security analysts by offering them monetary rewards for discovering vulnerabilities in their systems, there still remains a risk of these security analysts participating in the black market even after receiving the reward. Use of outsiders as security analysts exposes the organization's critical information (Pfleeger & Pfleeger, 2012). These outsiders, despite being rewarded, may take advantage and sell this information to hackers, thus participating in the black market. They may sell information about vulnerable programs in the organization to potential hackers despite receiving the rewards. Thus, the practice of offering rewards to security analysts is not a guarantee that they will not sell this information.

Risks of challenging individuals to exploit vulnerabilities

One of the risks of challenging individuals to exploit vulnerabilities is that these same vulnerabilities, whether caused unintentionally in software or by design, may as well be used by malicious persons as a way of compromising the confidentiality and availability of the infrastructure (Pfleeger & Pfleeger, 2012). There is also the risk that the time between when a vulnerability is discovered and when a method of attack becomes available may be too short. This results in hackers attacking the system before the system administrators find an appropriate way of protecting the system against the attack. This implies that attackers can attack the system soon after the vulnerability is announced and before the organization is able to take an appropriate security measure (Pfleeger & Pfleeger, 2012).

Opinion on formation of ethical hackers

"Ethical hacker" is a term that describes an individual with expertise in computers and networking who accesses the systems and applications of a computer on behalf of its owners in order to find security vulnerabilities that potential hackers might exploit (Bidgoli 2006). Ethical hackers therefore gain access to critical information about the computer systems of others, without the owners being aware of it. There is usually a threat to the confidentiality of the information obtained by these ethical hackers. Thus ethical hackers may put these systems at risk of being hacked. They can do this by exposing information about the systems' vulnerabilities to the public, who might act as potential hackers. Ethical hackers may also be a threat to the computer systems of others by deliberately taking part in black market practices, selling information about the vulnerabilities to potential hackers. This leads to the opinion that ethical hackers are not an effective way of enhancing the security of systems. They can as well be the source of malicious risks to the very systems they are meant to protect.

References

International Conference on New Trends in Software Methodologies, Tools and Techniques, Fujita, H., & Mařík, V. (2009). New trends in software methodologies, tools and techniques: Proceedings of the Eighth SoMeT_09. Amsterdam: IOS Press.
Owasp (2006). Definition for security assessment techniques. https://www.owasp.org/index.php/Definition_for_Security_Assessment_Techniques
Bidgoli, H. (2006). Handbook of Information Security, Volume 3. Hoboken: John Wiley & Sons.
Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing computer security: A threat/vulnerability/countermeasure approach. Upper Saddle River, NJ: Prentice Hall.