One could argue that doing this the other way around – starting with vulnerabilities – would make better sense. Which seems best to you? Explain, and illustrate your reasoning with an example.
Many works of literature focusing on risk mitigation and management in information security have been produced (Bertino, 2015). Much of these texts begin with an analysis of risk followed by threats, hazards, and lastly vulnerabilities as the useful fundamental features of information systems. Other books argue that the analysis is useful if started from vulnerabilities followed by hazards, threats, and lastly risks. I believe that beginning with the assessment of vulnerabilities is the most suitable approach. Vulnerability evaluation will provide the analysts with IT features that can make the system predisposed to threats (Bertino, 2015).
After that, the threats and hazards should be identified based on the above approach. Lastly, the analysts should evaluate the risks presented by the recognized threats and hazards. Based on the above analysis, it is apparent that it makes more sense to begin the investigation with vulnerabilities instead of risks. The approach offers the analysts with the best hazards risk assessment methodology. Through this, the risk assessment will be made easy because the IT personnel will be informed of the particular threat and danger posed to the system.
Suppose you are working at a small to medium-sized Fixed Base Operator (FBO) at a regional airport; they have about 100 employees in total, of which perhaps 60 are constantly or frequently using their various IS/IT systems, both for the normal, customary business IS/IT functions as well as supporting customer aircraft maintenance, support, and operations activities. Your boss asks you for advice: how would we determine where our IT systems have what kind of vulnerabilities? What would you advise?
If the company carries out regular preventative vulnerability evaluations against their IS/IT systems, they can identify possible concerns, which can be solved before their network is compromised (Kim & Solomon, 2012). In the assessment, key actions should be undertaken. They include understanding regular attacks, listing all the possible vulnerabilities, using vulnerability-scanning tools, and assessing the risks.
Attacks targeted at the company will vary. If the company’s IT personnel understand the standard threats and the diverse approaches used to compromise their systems, they will be in a better position to mitigate intrusions (Kim & Solomon, 2012). They should also create a comprehensive list of possible vulnerabilities. Through this, they should concentrate more time to recognize anything mysterious about your network.
Equally, the company should utilize available instruments to evaluate the current security situation of their network. For instance, they should use the tools to identify vulnerable ports and unpatched software. For example, the company can utilize Microsoft Baseline Security Analyzer, Nmap, or any other tool (Kim & Solomon, 2012). After identifying the potential vulnerabilities, the firm should determine the associated risks. The recognized vulnerabilities on their system pose possible expenses, time, and resources to their library. The costs combined with the possibilities of someone abusing these susceptibilities will aid in establishing the level of threat involved.
Recent news coverage has highlighted that many systems builders (PCs, laptops, and many other kinds of devices) have done very little to fully implement “on-board” security for their USB device interfaces. This article in BBC News (Links to an external site.), highlights the problems described at a recent Black Hat conference. (For more background on how USBs work, start by reading “Is USB safe? (Links to an external site.)”). Your boss (at the same FBO you were working for in question 2) asks you “now what do we do?” What do you tell him? Is this a real source of risk, or merely a “worry bead” to keep an eye on?
It is worrying to note that many system creators have done very little to mitigate the threat posed by USB devices. As such, USB technologies permit enormous amounts of information to be transmitted at supersonic speeds. The USB gadgets continue to reduce in size as their memory capacity increases. The features have allowed fast, efficient, and convenient data transfer. However, I would advise the company to be concerned with the threats posed by the use of USB technologies.
Recent research noted that USB devices could be recoded to snip the content of any information encrypted on the drive and to propagate firmware-transforming code to any personal computers connected to the peripherals (Johnson, 2015). The investigation noted that USB devices could imitate a keyboard and issue instructions to the computer to run malware or snip files. Equally, the device can emulate a network card and alter the PC’s domain name system. Through this, the traffic to the computer can be redirected secretly. Also, a USB peripheral may infect connected PCs at the boot phase prior malware tools have an opportunity to arbitrate (Johnson, 2015). Based on the above illustrations, the company should be cautious when using USB devices. As such, they should not insert the devices into the PCs they do not trust.
Assume for the sake of argument that it is true that “bad USB” devices can in fact lie convincingly to operating system scans, security or anti-malware probes, etc. What other information security and assurance steps could you take to mitigate, manage, or eliminate the risks this might pose to your FBO (and your job)?
Most antivirus and firewall programs offer no protection against the security threat presented by USB devices (Lee, 2012). As such, OS system scans or antimalware probes rarely detect infected USB peripherals. The technology can expose the company’s system to viruses and Trojans. Equally, the devices offer means through which valuable information can leave the corporation in vast amounts. In this regard, the company should implement additional security measures to mitigate, control, or eradicate the threats this might pose to the FBO company.
Restricting the use of these devices in the company is nearly impossible (Lee, 2012). Similar to numerous cybersecurity risks, the issue can be reduced based on how the company behaves. For example, employees should be cautioned against inserting USB devices from external sources into the company’s PCs. Similarly, the USB peripherals used internally should not be inserted into untrusted computers.
Similarly, the company can mitigate the risk posed by the technology using DeviceLock® software (Lee, 2012). The software permits system managers power to control how employees can access specific devices on the company’s PCs. To achieve this, the administrators should install the software and configure the privileges available to each user. By doing so, they can guard their network by barring unlawful user admission to USB ports.
References
Bertino, E. (2015). Security and privacy of electronic health information systems. International Journal Of Information Security, 1(3), 34-36.
Johnson, D. (2015). Why your USB device is a security risk. Web.
Kim, D., & Solomon, M. (2012). Fundamentals of information systems security. Sudbury, Mass.: Jones & Bartlett Learning.
Lee, K.(2012). Reverse-safe authentication protocol for secure USB memories. Security And Communication Networks, 5(8), 834-845.