Information Security Management Practices: Risk Assessment

Executive summary

Risk assessment was crucial for the TSF foundation to determine the vulnerabilities and the risk remediation techniques needed to ensure that the foundation’s information assets were protected against compromise by illegitimate and unauthorised persons. An assessment of the three situations revealed different threats, vulnerabilities, and risk impacts. It was established that the web-based information system security, which was based on OpenSSL, was vulnerable to the adverse effects of the Heartbleed vulnerability, to hackers, to unauthorised access to the organisation’s information systems, to loss of data confidentiality, and to a lack of management commitment to system security. Some of the recommendations to mitigate the risks include top management support, application support and updates, use of public key infrastructure, use of encryption technologies, password creation and renewal policies, use of firewalls, and regular renewal and revocation of certificates through the certificate authorities.

Introduction

This is an extensive risk assessment report on three cases involving The Sprout Foundation (TSF), which has a financial turnover of roughly AUD230 million per annum. The organisation has offices at different locations, interconnected over the Internet with web-enabled communication devices; some offices are remotely located because of the nature of the area of operation. According to Akintoye and MacLeod (1997), each country of operation is governed by different regulations such as data privacy laws, data protection acts, and other laws and regulations governing the distribution, sharing, and use of data (Da Veiga & Eloff 2010). The non-profit organisation’s transactions are conducted on a distributed web-based platform. However, it has been established that emerging threats expose the backups because of vulnerabilities within the systems (Sun, Srivastava & Mock 2006). In addition, potential security breaches occurred within the payment gateway, which was designed around OpenSSL and was therefore exposed to the Heartbleed vulnerability (Stoneburner, Goguen & Feringa 2002).

A review of the standards used

The three situations were best analysed using the Payment Card Industry (PCI), the Data Protection act 2014, and the National Institute of Standards and Technology (NIST) standard (Bandyopadhyay, Mykytyn & Mykytyn 1999). On the other hand, the organisation was defined in the case study as a tier-2 not-for-profit despite having some inherent characteristics that fall into tier-1 not-for-profit category (Spears & Barki 2010).

The Sprout Foundation Case Study and Emerging Problems

The suggested mitigation strategies include remote backups of data to ensure data availability in case of disasters such as those that affect the environment, adopting cloud-based services for remote data storage, adopting high-speed, wide-bandwidth broadband data communication, and educating employees on their responsibilities to safeguard the information assets that are vulnerable to external and internal information security risks. The rationale for adopting these strategies was that backing up remote data over high-speed communication channels could keep it available and support real-time storage. Remediating OpenSSL vulnerabilities such as the multiblock corrupted pointer is a technical measure that could preserve the confidentiality and integrity of data while it is being backed up.

Data availability could be achieved by making regular backups, which would enable the institution to make the data available for auditing purposes under the Australian regulations for donor funds. The response to this incident is to opt for a well-established cloud-based backup service provider so that the service is easily accessible and available when needed. Hot and cold backup strategies that can be carried out on site should be considered because of the sensitivity of the data, so that access to the data is maintained when the service provider is not accessible; this requires procuring the backup hardware and software. Critical systems should be backed up in real time using hot and cold storage strategies, with time synchronisation and transmission of the data to the requisite authorities for compliance with the Australian auditing standards, instead of waiting to retrieve the data for auditing at the last minute. In addition, regular system updates could successfully counter OpenSSL vulnerabilities.

Case Study: Emerging Heartbleed Problems-Mitigation strategies work

The mitigation strategies for TSF’s vulnerability problems include ensuring that employees do not use personal devices on the organisation’s information systems, which would keep sensitive corporate data safe, and implementing remote access controls on both the server side and the client side to ensure secure data transmission, because donor funds are transferred across multiple platforms using the TSF-ONE corporate system. They also include regularly patching and updating the TSF-ONE system to address application flaws, educating employees on their roles and responsibilities in protecting TSF’s information systems, and identifying vendors with reliable software tools such as those used to encrypt data. Assigning privileges enables non-repudiation, authenticity, confidentiality, and integrity of data, and controlled access to data by those in management positions.

To ensure that the integrity, availability, and confidentiality of data are maintained, it is worth considering data encryption technologies to mitigate the effects of the Heartbleed problem, which introduces a security vulnerability that compromises the ability to authenticate, ensure data confidentiality and integrity, and authorise access privileges. Encryption keeps remotely stored data safe because only those holding the decryption key can gain legitimate access to the information. In addition, it is necessary to use public key infrastructure and certificate keys so that confidential data can only be accessed by those authorised to do so. Certificates can be revoked and cancelled through the certificate authorities, and keys can be cancelled, to ensure that sensitive data is kept safe in storage. A combination of certificate authorities, public key infrastructure, and encryption technologies could make the data safe, while hot, real-time auditing of the data could enable the organisation to avoid a conflict with the Australian authorities.
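The remediation sequence described above (patch OpenSSL, regenerate keys, reissue and revoke certificates) starts with knowing which hosts actually run an affected OpenSSL build. The script below is an added example, not part of the original report or of any TSF system: it takes a constructed inventory of hosts with the OpenSSL version string each reports, flags the ones in the publicly documented Heartbleed range (OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta through 1.0.2-beta1), and emits the defender’s remediation checklist for each. Host names, roles and version values are all constructed for illustration.

```python
"""Inventory triage for Heartbleed (CVE-2014-0160) exposure.

Added example, not from the original report. The affected range
(1.0.1 up to and including 1.0.1f; 1.0.2-beta up to and including
1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2) is the range stated in
the OpenSSL security advisory for CVE-2014-0160.
"""
import re
from dataclasses import dataclass

# major.minor.patch, optional letter suffix (1.0.1e), optional -betaN
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


@dataclass
class Host:
    name: str
    role: str
    openssl_version: str


def parse_version(text):
    """Return (major, minor, patch, letter, beta) or None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def is_heartbleed_affected(version):
    """True if the version is in the affected range, False if not,
    None if the string cannot be parsed and needs manual verification."""
    v = parse_version(version)
    if v is None:
        return None
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no suffix) through 1.0.1f are affected; 1.0.1g carries the fix.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2 beta line up to beta1 shipped the flawed heartbeat code.
        return beta is not None and beta <= 1
    return False


# Post-patch steps; private keys and sessions must be assumed exposed.
REMEDIATION_STEPS = (
    "upgrade OpenSSL to 1.0.1g or later and restart every service that links it",
    "generate a new private key and certificate signing request",
    "obtain a reissued certificate from the certificate authority",
    "revoke the old certificate and confirm CRL/OCSP revocation checks on all servers",
    "rotate passwords, session tokens and other secrets that may have sat in server memory",
)


def remediation_plan(host):
    """Checklist for one host: full steps if affected, a verification
    reminder if the version is unknown, nothing if already safe."""
    status = is_heartbleed_affected(host.openssl_version)
    if status is None:
        return ["verify the OpenSSL version on this host manually"]
    return list(REMEDIATION_STEPS) if status else []


def triage(inventory):
    """Split an inventory into (affected, not_affected, unknown) host-name lists."""
    affected, clean, unknown = [], [], []
    for host in inventory:
        status = is_heartbleed_affected(host.openssl_version)
        (unknown if status is None else affected if status else clean).append(host.name)
    return affected, clean, unknown


# Constructed inventory for illustration only.
INVENTORY = [
    Host("tsf-one-web", "TSF-ONE donor portal", "1.0.1e"),
    Host("payment-gw", "payment gateway", "1.0.1f"),
    Host("intranet-proxy", "reverse proxy", "1.0.1g"),
    Host("legacy-backup", "backup server", "0.9.8y"),
    Host("test-web", "staging web server", "1.0.2-beta1"),
    Host("field-office-1", "remote office router", "unknown"),
]

if __name__ == "__main__":
    affected, clean, unknown = triage(INVENTORY)
    print("affected:", affected, "\nnot affected:", clean, "\nunknown:", unknown)
    for host in INVENTORY:
        for step in remediation_plan(host):
            print(f"  {host.name}: {step}")
```

The version check is deliberately conservative: anything it cannot parse lands in the "unknown" bucket rather than being assumed safe, which is the right default for remote offices that report their software inventory inconsistently.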

Methodology

System characterisation

System characterisation was done to collect data to determine the condition of each component of TSF’s assets that provides the operational capability to transact on both internal and external information systems. In accordance with Halliday, Badenhorst and Von Solms (1996), software application protocols and data users were also identified in the three cases. The TSF foundation operates in a client-server environment consisting of Windows 2000 servers running MS SQL 2000, with the systems functioning at multiple physical locations. The TSF system’s protection was based on software and hardware firewalls, Universal Threat Management (UTM) systems, and routers on the intranet. In addition, the web server security was based on OpenSSL, which supports different encryption technologies because it is an open-source implementation of the TLS and SSL protocols (Feng & Li 2011). Several sources of threats are discussed here.

People

Ericsson (2010) maintains that people are the weakest link in any information system security program and form the first line of sources of threats because of their high susceptibility to intentional and unintentional errors. In general, the three levels of people who interact with the information systems are the CEO, the CFO, and the employees (Feng & Li 2011).

The operational environment

  1. Functionality of the IT systems
  2. No support technicians
  3. Information security policies that are system specific, issues specific, and organisation specific for the different levels of threats for the TSF foundation.
  4. The information security architecture of the TSF institution.
  5. TSF uses an intranet for internal and external communication
  6. Uses information systems that have built-in security products
  7. The operational controls.

Threat identification

A threat is defined as the potential to exploit vulnerabilities within the operable TSF information system assets. According to Bahli and Rivard (2003), different sources of threats exist that need to be identified and ameliorated using a specific risk mitigation strategy.

Sources of threats

Natural threats

The sources of threats that could affect the TSF foundation include natural sources because the foundation operates in marginalised areas that are vulnerable to natural disasters such as floods, tornadoes, earthquakes, and electrical storms.

Human threats

Human sources of threats can be either internal or external to the TSF foundation. Internal human threats consist of employees who work for the foundation. External threats include hackers, network-based attacks such as denial of service attacks, and attacks on OpenSSL (Appari & Johnson 2010).

Environmental threats

According to Appari and Johnson (2010), the TSF foundation was vulnerable to environmental threats which include constant power outages because of poor electricity infrastructure and the effects of pollutants from different factories and other sources that could not be mitigated.

Technical threats

Technical threats were the result of disgruntled people within the institutions and external intruders wanting to gain unauthorised access into the information systems.

Methodology

Table 2: Components of risks, vulnerabilities, and threats.

| Risk components | Vulnerability components | Threat components |
| --- | --- | --- |
| Unauthorised access to the organisation’s network by dialling into the network; access can be either logical or physical. | Lack of accountability, identification and authentication procedures, leading to identity theft; lack of system-specific and issue-specific policies; unauthorised access. | Internal environment, including employees and managers, software vendors, products and other third-party people. |
| Use of malicious code to gain access to the organisation’s online financial transactions, leading to financial data breaches. | Use of credit cards to transfer money from donors to TSF funds (PCI DSS); Heartbleed actions on OpenSSL. | Vulnerability in the cardholder’s environment, which includes hackers and terrorists; OpenSSL cryptography, missing bounds check, vulnerability exposure such as CVE-2014-0160, stealing and using security keys. |
| Transferring funds over the network without the authority of the responsible management. | TSF’s data recovery planning in the hands of a new company in the market. | Internal employees or third-party agents who know how the data backup was done. |
| Exploitation of system vulnerabilities to access sensitive information: OpenSSL, web-based attacks such as bug fix and deployment, and compromise of X.509 certificates. | Backdoors from vendors who distribute the software with knowledge and documentation of the software flaws within the system. | Scans, probes and attempted access by users not authorised to access the system or use organisational assets (e.g., hackers, terminated workers, terrorists and computer criminals). |
| Successfully attacking and compromising the organisation’s web page, breaching confidentiality. | Management and those responsible for securing the information systems were not interested in enforcing security controls; slow action by the Federal Police, CEO and CFO; vulnerability of donor information; inaction of the executive team; and backup inaccessibility that can be used for unauthorised access. | Insidious information from partners and other stakeholders working with the TSF foundation. |
| Data loss. | Australian laws and compliance with the different standards and laws of each country of operation might slow the system and lead to a breach of confidentiality. In the second case, loss of backed-up data could lead to financial loss or a lack of accountability for where the data was stored, because of insolvency; if the bankrupt organisation sells its servers to other organisations, the confidential data of other organisations might also be lost. | The third case concerns the Heartbleed vulnerability. |

Table 1: Risk assessment.

| Step | Description | Inputs | Outputs |
| --- | --- | --- | --- |
| 1 | | | |
| 2 | Risk analysis | Risk identification | Risk identification document |
| 3 | Characterising the system | People, processes; technology (hardware, software); data and information; CEO, CFO, executive team, senior management, software vendors | Functions of the system; boundaries of the system; criticality of the system and its data; data sensitivity |
| 4 | Identification of threats | Documented data on the information security of the system, such as Heartbleed, hardware, software, routers, Universal Threat Management (UTM) systems, firewalls, encryption technologies, Public Key Infrastructure (PKI). | Threat statement |
| 5 | Vulnerability identification | Documentation of previous security assessment reports, audit data, vulnerability assessments. | List of vulnerabilities and risk assessment reports. |
| 6 | Control analysis | Current controls applied based on PCI and other regulations and standards. | Statement of existing and planned controls |
| 7 | Likelihood determination | Threat sources and their motivation to act as a threat agent, and the effects on existing controls. | Rating of the potential likelihood |
| 8 | Impact analysis | Single point of failure; hardware issues, equipment failure or loss; compromise of the integrity, availability and confidentiality of data in storage and in transit; system administration practices. | Impact rating statement |
| 9 | Risk determination | The effect of the threats on the information system, effectiveness of the controls used, customer practices, inadequate application support, data disclosure. | Statement of risk levels |

Risk analysis

| No. | Risk | Risk mitigation |
| --- | --- | --- |
| 1 | Environmental risks | Physical relocation of information systems to safer places |
| 2 | Web-based risks (cross-site scripting, Heartbleed) on the OpenSSL cryptography library | Certificate renewal and revocation |
| 3 | Inherent flaws in the information systems | System patches and regular updates |
| 4 | Lack of management support and IT security skills | Training on security awareness and the need for management support |
| 5 | Remote access controls on the server side and client side | Configuration management |
| 6 | Data availability because of service provider insolvency | Contractual agreement with the service provider; on-site and off-site backups |
| 7 | Data loss and theft from the server because of remote data storage | Employing a trusted party |
| 8 | Hardware and software failures because of natural disasters | Cloud computing as an option |
| 9 | Internal threats from disgruntled employees | Training, policies, and standards for information access and data use |
| 10 | Data disclosure because of Australian laws | Compliance with data privacy laws and other data protection acts and standards |
| 11 | Inadequate technical controls such as firewalls | Installation of firewalls and anti-malware programs |
| 12 | Loss of data because of the remote service provider’s failure to offer services | Considering cloud computing solutions |
| 13 | Stakeholder dissatisfaction | Assurance of compliance with information security standards such as PCI DSS |
| 14 | Non-repudiation, authenticity and identification problems because of a lack of validation and verification procedures when accessing system resources | Incorporate the use of validation and verification checks |
| 15 | Lack of issue-specific, system-specific, and organisation-wide IT security policies | Clarification of IT security policies and requirements for compliance |
| 16 | OpenSSL vulnerabilities such as multiblock corrupted pointer | Encryption of data in transit |
| 17 | Phishing | Information security policy |
| 18 | Lack of effective user password policies (alphanumeric) | Password use policy (combination of upper case and alphanumeric characters, with regular password changes) |
| 19 | Cross-site scripting, leading to user accounts being stolen, credentials misused, keystroke logging, content theft, visitor browser hijacking, server bandwidth use, data theft | Create and implement data protection and application use policies, interface and API controls, additional hardware installation |
| 20 | Compromise of the running web server | Limit use of the web server, authenticate users, access control lists, Secure Sockets Layer (SSL), and use of appropriate ports |
| 21 | Patches to correct flaws in operating system software not installed | Regular patches and updates |
| 22 | Remote access to the server console not properly monitored | Set remote access to the right configuration |
| 23 | Internal access to the server | Contractual agreement with the remote service provider |
| 24 | System administration practices not defined | |
| 25 | Poor physical security | Implement physical controls |
| 26 | Loss of documentation software, compromising confidentiality and integrity of data | Safe storage of documentation |
| 27 | Inadequate system logging (event and system use information lacking) | |
| 28 | Lack of encryption and keys | Use encryption technologies and public key infrastructure (PKI) for key generation |
| 29 | No clear segregation of duties | Assign roles and responsibilities so that each mitigation strategy is dedicated to a specific role |
| 30 | Inadequate application support | Benchmark quality; use best practices to procure software from known vendors |

Risk control

Risk controls are fundamental to securing an information system. Controls are necessary to ensure that practices are in place to mitigate the risks for the three situations encountered by the TSF foundation.

Table 3: Risk control strategies.

| Vulnerability | Threats | Existing controls | Additional actions to reduce threats |
| --- | --- | --- | --- |
| Lack of accountability, identification and authentication procedures, leading to identity theft; lack of system-specific and issue-specific policies. | Internal environment, such as TSF employees. | None | Educate users to account for donor funds, use public key infrastructure, and avoid behaviour that could encourage people to act as a source of threats. |
| Use of credit cards to transfer money from donors to TSF funds (PCI DSS); Heartbleed actions on OpenSSL. | The environment includes hackers and terrorists; OpenSSL cryptography, missing bounds check, vulnerability exposure such as CVE-2014-0160, stealing and using security keys. | Use of OpenSSL, firewalls on the network, a Universal Threat Management (UTM) system, and other application-level controls. | Educating people on information security awareness. |
| Different regulatory requirements and information security standards. | Dissatisfied employees, unskilled employees. | None; management is reactive instead of proactive. | Train employees and management on the different laws and standards for data protection and privacy, and on how to react or respond to suspicious activities. |
| New programs for the improvement of the communities. | Vendors, stakeholders, and partners of TSF. | Limited roles for the organisation; responsibility lies with the target organisation. | Accountability, non-repudiation, and reliable reporting. |
| Management that is reactive to incidents such as the news of the insolvency of the remote service provider or data backup services and the new | Unauthorised users (e.g., hackers, terminated employees, computer criminals, terrorists). | None | Consider using Public Key Infrastructure (PKI), a secure reverse proxy solution, a single location to manage the keys, secure storage of keys, memory bounds checks to ensure system security, a single location to remediate issues, and secure gateways for each system user. Patch the OpenSSL libraries, generate new private and public keys, issue advisories, and ensure that X.509 revocation checks are applied on all servers. |
| Use of personal computing and memory devices. | Employees and third parties who have access to the information systems. | None | Write a policy that prohibits the use of external devices and memory sticks without the authority of management. |
| Funds transfer using credit cards. | Computer criminals and disgruntled employees. | Financial transactions enabled on the web, with security enforced using OpenSSL rules. | Compliance with PCI DSS for the card; create a certificate authority, generate server certificates and validate the trust chain to ensure authentic communication. |
| A different company used for recovery of TSF data, backup inaccessibility, and reactive remediation. | Employees of the non-profit organisation, vendors, backdoors, and malicious code. | Off-site data backups done regularly every 30 days. | Consider cloud services and more frequent data backups at off-site locations. |
| Failure to apply new system and application patches. | Unauthorised users (e.g., hackers, terminated employees, computer criminals, terrorists). | None | Implement security controls such as patching the systems with new updates. |

Control analysis

Control analysis deals with an analysis of the threat levels and the impact each threat could have on the assets of the TSF non-profit foundation. The IT security roles and responsibilities have not been clearly outlined, because when the threat to OpenSSL materialised, the management’s response was reactive. In addition, there is a lack of data classification for confidential data such as passwords and credit card numbers.

| Level | Likelihood definition |
| --- | --- |
| High | When the threat is high. |
| Moderate | A moderate threat is one that can be ameliorated using current security controls. |
| Low | The threat source does not have the potential to cause harm. |

Impact analysis

Table 4: Magnitude of impact definitions for Sprout Foundation.

| Risk No. | Risk summary | Risk impact | Risk impact rating |
| --- | --- | --- | --- |
| 1 | Compromised confidentiality, integrity and availability of data | Disclosing information without being authorised to do so | High |
| 2 | Exploitation of the flaws inherent in OpenSSL | Exploitation of the Heartbleed vulnerability | High |
| 3 | Remote access by carrying out financial transaction services on the web | Unauthorised disclosure and modification of data | High |
| 4 | Successful compromise of the firewalls and anti-malware programs | Leading to illegitimate access and unauthorised disclosure of information | High |
| 5 | Data loss because of server access or unavailability | Leading to illegitimate access and unauthorised disclosure of information | High |
| 6 | Hardware issues, equipment failure or loss | Leading to illegitimate access and unauthorised disclosure of information | Low |
| 7 | Single point of failure | Because of a compromised or defaced website | Low |
| 8 | Lack of information system administration capabilities | Leading to illegitimate access and unauthorised disclosure of information | Low |
| 9 | Overdependence on a key person | Poor system support | Low |
| 10 | Critical documentation lost because of remote server unavailability | Confidentiality and integrity of corporate data could be compromised | Low |
| 11 | Clear-text transmission of critical data | Confidentiality of corporate data could be compromised | Low |

Risk Determination

  1. Web based communication in the presence of the OpenSSL enabled pages.
  2. Accounting for funds
  3. Conducting financial transactions on mobile devices
  4. Overhaul of the system
  5. Storage of data on third party servers
  6. Unavailability of information because of insolvency of the service provider
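Steps 7 to 9 of the methodology (likelihood determination, impact analysis, risk determination) are combined below into a worked calculation using the risk-level matrix from NIST SP 800-30 (Stoneburner, Goguen & Feringa 2002), which this report cites. This is an added example, not part of the original report: the likelihood and impact scales (likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk = likelihood × impact, with > 50 rated High, > 10 to 50 Medium, and 1 to 10 Low) are NIST’s, the impact ratings come from Table 4 above, and the per-risk likelihoods are constructed for illustration because the report does not assign them.

```python
"""Risk determination with the NIST SP 800-30 (2002) risk-level matrix.

Added example, not from the original report. Likelihood values below
are constructed; impact ratings are taken from Table 4 of the report.
"""

# NIST SP 800-30 Table 3-6 scales.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# NIST SP 800-30 guidance on what each level requires of management.
ACTION = {
    "High": "corrective measures are strongly needed; plan them as soon as possible",
    "Medium": "corrective actions are needed within a reasonable period of time",
    "Low": "decide whether corrective actions are still required or accept the risk",
}


def risk_score(likelihood, impact):
    """Risk = likelihood weight x impact magnitude (rounded to avoid float noise)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score):
    """Map a 1..100 score onto the NIST High / Medium / Low risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine(register):
    """Return (summary, score, level, required action) rows, highest risk first."""
    rows = []
    for summary, impact, likelihood in register:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        rows.append((summary, score, level, ACTION[level]))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# (risk summary from Table 4, impact rating from Table 4, constructed likelihood)
REGISTER = [
    ("Exploitation of the flaws inherent in OpenSSL (Heartbleed)", "High", "High"),
    ("Data loss because of server access or unavailability", "High", "Medium"),
    ("Compromised confidentiality, integrity and availability of data", "High", "Low"),
    ("Clear-text transmission of critical data", "Low", "High"),
    ("Hardware issues, equipment failure or loss", "Low", "Medium"),
]

if __name__ == "__main__":
    for summary, score, level, action in determine(REGISTER):
        print(f"{score:>6}  {level:<6}  {summary}\n        -> {action}")
```

One property of the matrix worth noticing when reading the report’s own ratings: a Low-impact risk can never score above Low, however likely it is, so the Low-impact rows of Table 4 (hardware failure, clear-text transmission) will always fall into the "accept or still correct" bucket under this method, whereas a High-impact risk only drops to Low when its likelihood is Low.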

Risk Analysis Report

| No. | Risk | Impact | Controls in place (Y/N) | Recommendation |
| --- | --- | --- | --- | --- |
| 1 | Environmental risks | H | Y | Implement policy |
| 2 | Web-based risks (cross-site scripting, Heartbleed) on the OpenSSL cryptography library | H | N | Certificate renewal and revocation |
| 3 | Flaws in the information systems | M | N | System patches and regular updates |
| 4 | Lack of management support and IT security skills | H | N | Training on security awareness and the need for management support |
| 5 | Remote access controls on the server side and client side | H | N | Configuration management |
| 6 | Data availability because of service provider insolvency | M | N | Contractual agreement with the service provider; on-site and off-site backups |
| 7 | Data loss and theft from the server because of remote data storage | L | N | Employing a trusted party |
| 8 | Hardware and software failures because of natural disasters | L | N | Cloud computing option |
| 9 | Internal threats | H | Y | Training, policies, and standards for information access and data use |
| 10 | Data disclosure because of Australian laws | M | Y | Compliance with data privacy laws and other data protection acts and standards |
| 11 | Inadequate technical controls such as firewalls | M | N | Installation of firewalls and anti-malware programs |
| 12 | Loss of data because of the remote service provider’s failure to offer services | H | N | Considering cloud computing solutions |
| 13 | Stakeholder dissatisfaction | M | N | Assurance of compliance with information security standards such as PCI DSS |
| 14 | Non-repudiation, authenticity and identification problems because of a lack of validation and verification procedures when accessing system resources | M | Y | Incorporate the use of validation and verification checks |
| 15 | Lack of issue-specific, system-specific, and organisation-wide IT security policies | H | N | Clarification of IT security policies and requirements for compliance |
| 16 | OpenSSL vulnerabilities such as multiblock corrupted pointer | H | N | Encryption of data in transit |
| 17 | Hackers | H | N | |
| 18 | Lack of effective user password policies (alphanumeric) | H | Y | Password use policy (combination of upper case and alphanumeric characters, with regular password changes) |
| 19 | Cross-site scripting, leading to user accounts being stolen, credentials misused, keystroke logging, content theft, visitor browser hijacking, server bandwidth use, data theft | H | N | Use API policies |
| 20 | Compromise of the running web server | M | N | Use standard authentication methods |
| 21 | Patches to correct flaws in operating system software not installed | M | N | Patches and updates |
| 22 | Remote access to the server console not properly monitored | M | Y | Configure the system properly |
| 23 | Internal access to the server | H | N | Contractual agreement with the remote service provider |
| 24 | System administration practices not defined | M | N | Teach system administration skills |
| 25 | Poor physical security | M | Y | Implement physical controls |
| 26 | Loss of documentation software, compromising confidentiality and integrity of data | H | N | Safe storage of documentation |
| 27 | Inadequate system logging (event and system use information lacking) | M | N | Use a log management system |
| 28 | Lack of encryption keys | M | N | Encryption keys |
| 29 | No clear segregation of duties | M | Y | Assign dedicated roles |
| 30 | Inadequate application support | M | N | Update vendor software |

References

Akintoye, A S & MacLeod, M J 1997, ‘Risk analysis and management in construction’, International Journal of Project Management, vol. 1, no. 15, pp. 31-38.

Appari, A & Johnson, M E 2010, ‘Information security and privacy in healthcare: current state of research’, International Journal of Internet and Enterprise Management, vol. 4, no. 6, pp. 279-314.

Bahli, B & Rivard, S 2003, ‘The information technology outsourcing risk: a transaction cost and agency theory-based perspective’, Journal of Information Technology, vol. 3, no. 18, pp. 211-221.

Bandyopadhyay, K, Mykytyn, P P & Mykytyn, K 1999, ‘A framework for integrated risk management in information technology’, Management Decision, vol. 5, no. 37, pp. 437-445.

Da Veiga, A & Eloff, J H 2010, ‘A framework and assessment instrument for information security culture’, Computers & Security, vol. 2, no. 29, pp. 196-207.

Feng, N & Li, M 2011, ‘An information systems security risk assessment model under uncertain environment’, Applied Soft Computing, vol. 7, no. 11, pp. 4332-4340.

Halliday, S, Badenhorst, K & Von Solms, R 1996, ‘A business approach to effective information technology risk analysis and management’, Information Management & Computer Security, vol. 1, no. 4, pp. 19-31.

Spears, J L & Barki, H 2010, ‘User participation in information systems security risk management’, MIS Quarterly, vol. 3, no. 34, pp. 503-522.

Stoneburner, G, Goguen, A & Feringa, A 2002, Risk management guide for information technology systems, NIST Special Publication 800-30, National Institute of Standards and Technology.

Sun, L, Srivastava, R P & Mock, T J 2006, ‘An information systems security risk assessment model under the Dempster-Shafer theory of belief functions’, Journal of Management Information Systems, vol. 4, no. 22, pp. 109-142.