
BIS3004 IS Security and Risk Management Assignment Sample

Assessment Details:

Today’s Internet has its roots all the way back in the late 1960s, but it was only used by researchers and the military for almost a quarter of a century. The Internet has opened the door for threat actors to reach around the world invisibly and instantaneously to launch attacks on any device connected to it.

Read the case study titled: “Protecting against Cyber Threats to Managed Service Providers and their Customers” at:

https://www.cyber.gov.au/acsc/view-all-content/advisories/protecting-against-cyber-threats-managed-service-providers-and-their-customers

Answer the following questions related to the case study:

1. Identify and examine all types of the cyber threats identified by ACSC and summarize them in a table.

2. Identify and categorise 10 assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, and networking).

3. Create a table identifying and prioritizing threats against each type of asset identified in item (2). You have to demonstrate the method you follow to prioritize threats, with justification.

4. In general, security defences should be based on five fundamental security principles: layering, limiting, diversity, obscurity, and simplicity. The ACSC proposed recommendations to limit cyber security incidents. Analyse these principles against the recommendations by the ACSC. In your analysis, you have to clearly demonstrate how the ACSC recommendations are related to the fundamental security principles, with justification.

Create a report to answer the above questions. Your report must include an introduction and a report summarisation, in addition to a cover page that includes your details.

Solution

Introduction

Security concerns are mounting as the internet becomes more widely used throughout the world. Malicious actions are a significant danger to the digital world, especially in this age of pandemics when the majority of people use internet connections to work remotely. Spam, phishing, hoaxes, and impersonation are just a few examples of the types of malicious behaviour that have been reported. As reported by the ACSC, attackers are creating phishing operations and frauds on a COVID-19 theme to acquire access to classified information that is both private and governmental. As the trend continues to rise, any firm must take significant steps to safeguard its systems and data. The ACSC warns that phishing based on COVID-19 may appear in a variety of forms to steal individuals' personal as well as financial details. Hackers are employing a variety of tactics to deceive users into disclosing sensitive data they shouldn't (Chadwick 2020). The ACSC has offered various examples of phishing tactics used by attackers to get sensitive information from their targets. Attackers are sending malicious website links by SMS and posing as well-known brands to get victims to click on the links. Taking advantage of the COVID-19 situation, attackers are requesting crucial information using fake official government links as well as financial firm email accounts. As a result, any company must be aware of the many forms of hostile activity, as well as the associated dangers and countermeasures.

Types of the cyber threats identified by ACSC and summarize them in table

The ACSC has recognised the following categories of cybercriminal activities:

Identification and categorisation of 10 assets

As stated by Kure et al. (2018), assets are those things inside an organization that have a high value because they are tied to sensitive data. Laptops, desktops, and even individual pieces of data are all candidates. Both components and devices are examples of what we mean by the term "asset" (Kure et al. 2018). When formulating plans to safeguard the company's infrastructure, assets play a key role. Security measures for susceptible assets must begin with the identification and classification of assets. In addition, identifying and categorizing assets with care can help in dealing with future risks. The future safety of the company might be compromised if a key asset is not identified.

A company's most valuable property when it comes to maintaining privacy is its information or data assets. The primary goal of the vast majority of hackers is to get access to the company's data. Inside a company, a variety of information and data assets may be recognised. These include data stored inside a database; students' educational documents; worker records; client records; video and picture records; banking information and other financial details; training materials; accounting records; emails; and tax-related documents.

In the same way, people are a valuable resource for any business, since they help to keep the organization safe and secure all information flow inside it (Nikander et al. 2020). Computer programmers, IT analysts, system and network engineers, legal advisors, and executives are all examples of personnel resources or assets that may be recognised in the business. Every employee who has access to confidential data about the company should be viewed as a vital resource.

For a firm, hardware assets are the actual physical items required to carry out a certain task. The firm's hardware assets include notebooks, routers, servers, switches, desktops, firewall systems, and information storage devices, which have a vital role in protecting the firm's information from cyber-attacks.

The tools that are used inside an organization to manage and preserve its data are referred to as its "software assets." Development and design software tools, attendance monitoring software, Microsoft Office applications, payroll software, operating systems, and in-house software are all examples of software assets that may be cited as belonging to the company (OReardon and Rendar 2020).

Procedure assets are the documentation of how software and hardware in the company should be used or how data flow should be controlled inside the company. They may also include information regarding the legal activity and procedures responsible for dealing with the resources. Consequently, asset regulations, software licenses, software deals, and agreements with other parties are all examples of assets that fit this description.

Identifying and prioritizing threats against each type of asset

Identifying and prioritizing threats to a firm's records is an essential first step in ensuring its safety. The factors that are important for this study are risk to the resource, risk to the data, the cost of recovery, and the cost of prevention.

Threats are prioritized depending on these factors

Analysing the five fundamental security principles with the security recommendations proposed by the ACSC

A company needs to plan, develop, and deploy security to protect its digital systems against cyberattacks and harmful activity. Five key security concepts must be adhered to in order to create such a safe system (Gunduz and Das 2020). These principles are known as “layering, limiting or hindering, diversity, obscurity, and simplicity”.

The concept of layering refers to securing systems by constructing numerous levels of defence. A hacker can get into a single-layered security system just by cutting through its one layer of defense. This poses a significant risk and makes it less difficult for malicious actors to penetrate the device and steal data. However, the company may reduce the risk of criminal actions and cyber-attacks by constructing numerous security layers. When one protection layer is breached, it is improbable that the other levels would be breached as well, ensuring that the device remains secure.

Another security approach that helps reduce potential risks is called limiting, which works by controlling who may access certain files and data. A person should only be given access to the data that is strictly necessary for them, and nothing more. Two sorts of restricting mechanisms exist: those based on technology and those based on procedures. Technological techniques such as verification or permissions control which data and files people may access, whilst procedural ones ban employees from taking papers and data outside of the business.

Diversity is another of the key security concepts (Braun et al. 2018). Layered protection is an essential protective mechanism, but one that may be undermined if all its layers are identical. If hackers successfully breach one layer using a given technique, there is a good possibility that they will be able to break through all of the layers. Each layer of protection must thus be unique and diversified in character. According to researchers, using products from many providers may help create variety. It is also possible to create diversity by using a range of authentication procedures and data security at various levels.

In addition, obscurity is characterized by a lack of clarity and difficulty of comprehension. There are indications inside the ACSC study that a few of the harmful assaults are based on surveys supplied through applications and phone calls (Mohammed 2019). A key security concept for keeping the system free of such dangers is the idea of anonymity. To avoid attack, several researchers advise against using the manufacturer-supplied default credentials or SSIDs. In a similar vein, when it comes to creating passwords or exchanging data, staff should be strongly encouraged to avoid repeating the same patterns. Concealing data or making it difficult for hackers to access, so as to avoid hostile assaults and cyber threats, is an essential function of obscurity.

It’s crucial to remember that simplicity is a significant factor in protecting a system against dangers. Devices should be constructed such that authorized users may use them easily, but that unauthorized individuals will have great difficulty interfering in any manner (Li et al. 2021). The system can quickly and efficiently provide access and rights to legitimate users while simultaneously blocking access to undesired and unauthorized individuals.

Application control, configuring Microsoft Office macro options, restricting administrator access, using two-factor authentication, making daily data backups, updating operating systems, and updating programmes are among the seven techniques advised by the ACSC research for reducing malware delivery and cyber security threats. The first suggestion, for preventing unwanted apps from running, is the application control method. The layering concept of protection is reflected in this mitigation method: to safeguard a device, the layering concept suggests adding more and more levels. Managing which software may run on the network thus creates a layer of the system that restricts the operation of undesired programmes. Similarly, the ACSC recommends changing Microsoft Office macro options to avoid malware execution. Using macros to automate operations inside Microsoft Office is a common practice (Zwilling et al. 2022). Both the layering concept and the diversity concept apply to this method provided by the ACSC. By establishing macro options as well as managing the application's operation, the ACSC has offered numerous levels of security. Moreover, the software used to manage the defensive layer and to set up macros is a varied range of tools. An approach for breaching one layer of protection will not work for the other, since they are so distinct.

As a further point of reference, the ACSC's recommendation to reduce administrative rights is based on the limiting principle. For example, according to the ACSC's recommendations, businesses should limit access to apps based on a person's role and what individuals require. Malicious behaviours may be avoided by limiting the access of susceptible personnel to the critical information systems that hackers are looking to reach. The ACSC also recommends the use of multi-factor authentication as a means of reducing the likelihood of cyber security breaches (Ghafir et al. 2018). This method applies both the layering and the limiting principles. Multi-factor authentication provides an additional layer of protection for the network and apps of the company, and hackers will have a far more difficult time getting past the additional levels of protection it provides.

The ACSC recommends regular backup as a technique for recovering data and applications in the event of threats and assaults. As per the ACSC, patching applications that are more vulnerable to assaults may help avoid harmful cyber assaults. To avoid assault, the ACSC recommends that users encrypt their applications to prohibit all advertisements and needless downloads. Lastly, the ACSC advised updating the operating system (OS) on every device to prevent the device from being hacked. Some items, ranging from PCs to routers and firewalls, are more susceptible than others. As a result, the company needs to make certain that the OS of all of these machines is kept up to date and upgraded to protect them from being targeted by an attacker.

As a result, the ACSC's recommendations for mitigating harmful assaults and bolstering cyber security are based on the five aforementioned security principles (Colicchia et al. 2018). These tactics concentrate on erecting a multi-layered defence with a diverse assortment of components in each tier. The ACSC has advocated several levels of security, including multi-factor authentication, application control, and updating operating systems and software regularly. In addition to this, it adheres to the limiting approach by putting restrictions on administrative rights. In a similar vein, changing macro settings, routinely upgrading the software, and making daily backups are all connected with the obscurity concept, since they tend to modify the default configuration inside the device and bring about systemic changes.

Summary

As a result, the ACSC covered a wide range of harmful acts in the study. The study then recognised and classified all of a firm's assets to protect them from a variety of risks that may arise in future. Four separate kinds of risks were prioritized: impact on the assets, data, and expense of preventing and mitigating the danger. Lastly, the paper highlighted how the security countermeasures recommended by the ACSC are linked to the five essential security concepts, which are “layering, limiting, obscurity, simplicity, and diversity”. These concepts were covered in detail throughout the research.

References
