Information Technology and Information System Security - Coursework Example

Name: Tutor: Title: Security Evaluation Course: Date: Introduction Today, it cannot be doubted that Information Technology is changing at a high pace. This greatly affects personal information, business processes as well as work environments. However, it is quite unfortunate that individuals entrusted with the responsibility to maintain the security posture of their business processes, personal computing systems and environments are not well-informed that security is changing rapidly. This implies that a number of people and organizations do not actually seem to acknowledge that albeit technologies, computing environments and operating systems could be left static. The approaches needed to maintain the security of such systems as the attempt to control the latest threats that affect them would be adapted continuously and force change. Due to the spreading news about the latest computer viruses, information attacks and new vulnerabilities as well as updates needed for operating systems as circulated across the globe, it becomes necessary for individuals to develop appropriate security mechanisms to protect their computer systems and information resources against threats. A Security Assessment of my Personal Computing Situation In order to effectively evaluate the security condition of my critical computer systems and data, I involved in active testing and risk evaluation phases. I have discovered that through risk assessment processes, current and future security and computer configuration issues can be easily identified and controlled so as to maintain the availability, confidentiality and integrity of my computing systems and environment. Therefore, my security assessment involves regular auditing and evaluation of the existing computer systems and data as my security-based practice. A discussion of the methodology adapted for security evaluation of my personal computing environment Although threats can occur in form viruses, terrorism, cyber-hackers or power disruptions, my argument is that evaluation of the risks associated with particular threats is a critical task of any security auditing and assessment. In this view, I decided to adopt a Threat Analysis approach for security evaluation of my personal computing situation. It is a methodology implemented on the basis of different types of threats, vulnerabilities and methods of system attack in relation to security threats. This methodology is ideal for this exercise simply because it identifies threats and it could help me to define the risk mitigation policies for my computer systems and information resources. Therefore, ensuring the identification of risks, their adequate classification and prioritization for mitigation is a major aspect of any security assessment. Basically, the Threat Analysis security methodology helped to develop a systematic approach to protect the availability, confidentiality and integrity of my computing systems and data. However, it is important to note that the metrics used in a Threat Analysis approach proves to be a challenging requirement whilst determining the status of my computing security performance. This clearly indicates that modifications such as developing a more generic methodology should be considered to minimize the exposure of my computing system and data to huge threats and vulnerabilities. It becomes quite clear that the new generic approach will involve threat analysis and security metrics that will effectively prioritize threats and the associated vulnerabilities so as to continue enhancing the security of my computing systems and environment. A summary of the tasks undertaken to conduct the review The main tasks undertaken to conduct the security assessment for my computing system and data involved the identification of my current assets and vulnerabilities to their common threats. This helped to determine the types of threats that my computing system needed to be protected against. My tangible assets included computers, laptops, printers, scanners, network modems, operating systems, storage devices-flash disks and CDs and buck-up tapes while intangible assets identified included, personal data such as academic certificates stored in the computer and system information. Another important task in my security assessment was to identify the likely approaches, technicalities and tools of attack. I noticed that the methods of attack include viruses and worms, cracking of password and e-mail. This seemed to be a challenge to me because I am tasked to update my knowledge of these methods of attack continually. This is simply because such methods and technicalities are commonly used to circumvent the security measures put in place and they are regularly being developed. After identifying the likely methods and tools of attack, I decided to undertake asset mapping to verify if all assets were included. In this step, it was relevant for me to assess the valiance of my assets as well as the risk that I could accept willingly as the owner. Rooted in the already determined values, I found it necessary to prioritize them. The table below clearly indicates how I prioritized my assets based on their values and the level of security needed in my computing environment in terms of High, Medium and Low levels of security. Assets Levels of security needed -High -Medium -Low Laptops and personal computers -A high level of security is needed because they have big financial value. -the machines provide direct control services to computing system. Printers and scanners -Although they offer me access to the common computing services, these assets are not critical. -the assets are important to me because of their intermediary financial value. Networking devices-modems and switches -requires a high level of security because they are critical devices for ensuring the availability of my networked environment. External Storage Devices-back-up tapes, flash-disks and CDs -Although they may be infected by viruses, they are not of high financial values. Data and Information stored in the computer and laptops -system information or system configuration information, back-up data and my personal information is valuable to me and should be highly secured. Testing and review of the test outcomes was also carried out. I performed simulation attacks on computer system so as to assess the different vulnerabilities available. However, I realized that there was a need for me to modify my security policies and controls to effectively monitor the various vulnerabilities that seem to be specific threats to my computing systems. However, it is important to note that simulation tests should not be carried out live performing systems to avoid disastrous outcomes. The findings of your review and recommendations for improvement From my administrative security analysis point of view, I discovered that the integrity of my computer system information is a key asset to me, and thus system attack to my computer would mean compromising the integrity of my system and personal information. Availability of my data stored in the computer is a principle asset to my computing environment. Therefore, any threat posed to my personal or system information means a denial of service attack which is most likely to be caused by outside attacker. As a security administrator, I consider the confidentiality of my information as an important asset to me. I noticed that the threat to confidentiality of my information is basically intrusion attacks and it could be caused either by insider and outsider attackers to my computing systems. Virus attack is yet another threat to the integrity of my information and computer system. I discovered that a virus could be caused by a friend who visits me at my computing environment and involves in copying games to my computers, laptops or could be an outsider who may deliberately crack to disrupt the normal functioning of computer system. Based on the information about the methods used by system attackers, I have decided to develop pre-attack and contingency plans as my proactive strategies so as to reduce the existing vulnerabilities to improve on my set in place security policies. As a result, I will be able to determine the damages that attackers may cause on my computing system to control the associated weaknesses and vulnerabilities. On the other hand, post-attack measures will also be developed as my proactive strategies to enable assess the damages that attackers will have caused, repair them as well as implement the already developed contingency plans. In doing so, I will be able to document the performance outcome of my computing system and learn from the past experience to enhance the functioning of my computing systems, safe-guard my stored data and computing environment. However, I realized that assigning values to assets is not a simple task as security personnel may take it because the value may appear to be personal yet people differ in their priorities. I have discovered that attacks which occur in form of natural disastrous, for instance, lightning or flooding cannot be tested, and thus only simulation can be used on them. For my computing situation, I simulated a fire in a room where I have kept my laptops, computers, printers, scanners and networking devices-modem with the imagination that my computer installed with a Windows 2003 server was damaged and data stored on it had lost. As security personnel, this simulation scenario helped to determine my responsiveness ability so as to ascertain the amount of time that can be consumed to get back the damaged computer into normal functioning. In my view, I could argue that testing and modifying the security policies and the associated controls in regard to the test results should be a continued process. This implies that testing and modification process should be evaluated accordingly and revised on periodical basis to enhance the implementation of security policies and controls. Basically, there is great need for me to focus on how to develop and implement risk management control measures to ensure the availability, confidentiality and integrity of my computing systems and environment. A brief reflection on the methodology or review approach In adopting the Threat Analysis for security assessment of my personal computing situation, I have discovered that the process greatly helps to classify certain risks related to vendor-supplied software, for example, bugs, vulnerable services, insecure default configurations as well as inadequate operating system patches. In addition, use of this methodology helped to understand that certain options exist for administrative controls but are not applied correctly. Such controls include insecure requirements set as the minimum password length and the insecure default configuration options for a computer system. The user activities, in particular sharing of directories to individuals who do not have authorized access and policy avoidance, may lead to failure to run and update the virus scanning applications as well as other malicious activities that occur if computer and information risks are not clearly-defined. By adopting the Threat Analysis methodology for security assessment of my personal computing situation, I have learnt that the task of risk management requires making a balance between the acceptable and possible actions to manage the computing environment against threats and vulnerabilities. Clear identification of threats and vulnerabilities makes it possible to effectively extract specific information about the type of threat that may pose the leading magnitude of risk value. In using this evaluation approach, it is easy to assess the risk based on aspects such as the impact of the risk, the damage caused to the computing assets whenever threats materialize as well as the size vulnerabilities and the likelihood occurrence of the threats in a computing environment. I could be able to rank the threats and vulnerabilities in terms of those that could be accepted, transferred or controlled. The Threat Analysis review approach to my computing situation allowed for adequate evaluation of my risk profile. This is because it encourages me to continuously undertake risk management against threats and vulnerabilities that may cause a negative impact on my computing system. It is quite clear that the methodology supports the idea that an effective information security model should involve two key aspects, risk analysis and its management. For risk analysis, it should be noted that inventory of the whole information systems must be taken, the value of each system determined and the level to which it is exposed to risks should as well be established. Similarly, risk management involves selecting effective security controls and measures that can minimize the exposure of a computing environment to risks to a given acceptable level. I have learnt that I need to improve on the security controls and measures for my computing systems so as to develop a more effective risk management capability. As a result, I will be well-positioned to control the loss of availability, integrity and confidentiality of computing systems and environment. Bibliography Whitman, ME & Mattord, H.J., 2011, The Roadmap to Information Security: For Information Technology (IT) and Information System Security (InfoSec) for Managers, Cengage Learning. Appendix An appendix with the details of the security review Detailed Assessment Questions Issues Considered The Assessment against the identified issues Are the Availability, Integrity and Confidentiality of the computing system and data valued? -security measures put in place to control the attack of viruses. -updates on the existing intrusion attacks and threats that may cause a denial of service attack. -measures for fire suppression such simulations for natural disastrous and protection against hardware and software theft -Although the objective of information systems security of confidentiality, availability and integrity is valued, less effort is made to secure the computing system and environment. -Testing simulation is implemented, but the focus is more on natural disastrous How safe are software packages and their licenses, network modems as well as backups? -if firewalls are installed on the computer -secured back-ups for software packages -no protection measures put in place to secure software packages and back-ups. -the networked environment is not protect with firewalls against intruders Is effective security implemented on computer folders, files and servers? -whether if strong passwords created for the computer system, data kept in the folders and files. -basically security is not considered on data and information saved on files and folders. Are the pre-attack and post-attack strategies as well as contingency plans considered? -availability of proactive and reactive strategies. -chances of developing contingency plans to asses damages that attackers cause. - There are plans to develop contingency plans, proactive and reactive strategies to assess and control threats and their impacts on computing systems are yet to be implemented. Read More