
IT Security and Risk Management

June 2021 Examination

1. The Oracle and KPMG Cloud Threat Report 2019 reveals that cloud vulnerability is
and will continue to be one of the biggest cyber security challenges faced by
organizations. This is because enterprises are leveraging cloud applications and storing
sensitive data related to their employees and business operations on the cloud. The
adoption of the cloud is creating new challenges for firms and exacerbating the old
ones. Discuss the specific cyber threats faced by enterprises with respect to cloud
applications and data storage. (10 Marks)

Answer 1.

Introduction:

Cloud computing has become the ideal way to deliver enterprise applications—and the
preferred solution for companies extending their infrastructure or launching new innovations.
The most common model refers to running workloads remotely over the internet in a commercial
provider's data centre, also known as the "public cloud" model. Popular public cloud offerings—
such as Amazon Web Services (AWS), Salesforce's CRM system, and Microsoft Azure—all
exemplify this familiar notion of cloud computing. Today, most businesses take a multicloud
approach, which simply means they use more than one public cloud service. In cloud storage,
data is stored online through a third-party cloud computing provider. There are different types of
cloud storage system depending upon the needs and requirements of the enterprise. Three of the
main types are object storage, file storage and block storage.

The term cloud computing also describes how it works: a virtualized pool of resources, from raw compute
power to application functionality, available on demand. When customers procure cloud
services, the provider fulfils those requests using advanced automation rather than manual
provisioning. The key advantage is agility: the ability to apply abstracted compute, storage, and
network resources to workloads as needed and tap into an abundance of prebuilt services. The
public cloud lets customers gain new capabilities without investing in new hardware or software.
Instead, they pay their cloud provider a subscription fee or pay for only the resources they use.
Simply by filling in web forms, users can set up accounts and spin up virtual machines or
provision new applications. More users or computing resources can be added on the fly—the
latter in real time as workloads demand those resources thanks to a feature known as autoscaling.

Concept and application:

Though cloud systems provide various benefits to organizations, they also expose them to
multiple challenges and threats. Various reports published in previous years have
revealed that cloud vulnerability will continue to be one of the most prominent cyber security
challenges organizations face. The main reason behind this is that sensitive data related to
employees is stored on the cloud and the applications themselves are hosted by third parties.
Some of the cyber security threats faced by enterprises concerning cloud applications and
data storage are discussed below:

1. MISCONFIGURATION:

Misconfigurations are often seen as an easy target, since misconfigured web servers, cloud
services and applications can be easy to detect and then become exploitable, causing significant harm and
leading to catastrophic data leakage for enterprises, such as the 2019 Teletext exposure of
530,000 data files, which was caused by an insecurely configured Amazon Web Services (AWS)
web server. Security misconfigurations arise when security settings are not defined or implemented
and default values are left in place. Usually, this means the configuration settings do not comply
with industry security standards (CIS benchmarks, OWASP Top 10 etc.) which are critical to
maintaining security and reducing business risk. Misconfiguration normally happens when a
system or database administrator or developer does not properly configure the security
framework of an application, website, desktop, or server, leaving dangerous open pathways for
attackers.
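The "defaults left in place" problem above can be caught before deployment with a baseline check. The following is an added example, not code from the original answer: it audits a constructed, S3-style bucket configuration (the page only says "AWS webserver", so modelling it as a storage bucket is an assumption) for a public ACL, a policy statement that grants anonymous read, missing default encryption and disabled access logging, and shows a hardened configuration that passes.

```python
import json

# Constructed, S3-style bucket configuration (assumption: the page's
# "insecurely configured AWS webserver" is modelled as a storage bucket).
# Account id and bucket names are placeholders.
WEAK_BUCKET = {
    "name": "example-customer-files",
    "acl": "public-read",            # anyone can list and read objects
    "default_encryption": None,      # default value left in place
    "access_logging": False,
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",        # anonymous principal
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-customer-files/*"],
        }],
    }),
}
HARDENED_BUCKET = {
    "name": "example-customer-files",
    "acl": "private",
    "default_encryption": "aws:kms",
    "access_logging": True,
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/web-app"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-customer-files/*"],
        }],
    }),
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _is_anonymous(principal):
    """True when a policy Principal matches everyone (no identity required)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_read_statements(policy_json):
    """Return Allow statements granting anonymous read with no Condition."""
    found = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "Condition" not in st and any(a.lower() in READ_ACTIONS for a in actions):
            found.append(st)
    return found

def audit_bucket(cfg):
    """Check one bucket against a small baseline; returns finding ids in order."""
    findings = []
    if cfg.get("acl", "private") != "private":
        findings.append("ACL_NOT_PRIVATE")
    if public_read_statements(cfg.get("policy", "{}")):
        findings.append("POLICY_ALLOWS_ANONYMOUS_READ")
    if not cfg.get("default_encryption"):
        findings.append("NO_DEFAULT_ENCRYPTION")
    if not cfg.get("access_logging"):
        findings.append("ACCESS_LOGGING_OFF")
    return findings
```

Running `audit_bucket` over both configurations shows four findings for the weak bucket and none for the hardened one; the same checks can be run against exported configuration in a pipeline gate.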

2. INSECURE INTERFACES: Cloud applications generally provide multiple application
programming interfaces (APIs) to their clients. These interfaces become a threat when
unauthorized parties access them. Such parties could re-use the organization's
API access or passwords, which could give them access to sensitive data. Organizations should,
therefore, make use of well-vetted, highly rated secure interfaces.

3. INSUFFICIENT DATA AND ACCESS MANAGEMENT: A strong Identity and Access
Management (IAM) system is particularly important for large companies. It provides the
means for close control of user access, which reduces the risk of external and internal data
security breaches. According to a 2018 study by Cybersecurity Insiders, 90% of
organizations feel exposed to internal attacks. Another survey found that 75% of security
incidents result from internal risks. The most significant and frequent cause of security
issues is excessive employee access – giving employees authorization to too much data and
too many applications. How does this happen? If there are no clear role definitions, if
there are inaccurate identity classifications, or if users receive access to all data in
applications, problems will arise. Organizations can make use of two-factor authentication.

4. CLOUD ACCOUNT HIJACKING: Cloud account hijacking is a process in which an
individual's or organization's cloud account is stolen or hijacked by an attacker. Cloud
account hijacking is a common tactic in identity theft schemes in which the attacker uses the
stolen account information to conduct malicious or unauthorized activity. When cloud
account hijacking occurs, an attacker typically uses a compromised email account or other
credentials to impersonate the account owner. While cloud computing carries with it a wealth
of benefits to organizations, including reduced capital costs and on-demand resources, it
also provides cyber criminals with an environment ripe for attack, since huge amounts of
data are housed in one place. Because the data is stored and accessed on devices and
resources often shared across many different users, the risks presented by cloud account
hijacking are plentiful.

5. INSIDER THREATS: An insider threat is a security risk that originates from within the
targeted organization. It typically involves a current or former employee or business
associate who has access to sensitive information or privileged accounts within the network
of an organization, and who misuses this access. Traditional security measures tend to focus
on external threats and are not always capable of identifying an internal threat emanating
from inside the organization.

Types of insider threats include:

• Malicious insider, also known as a Turncloak: someone who maliciously and
intentionally abuses legitimate credentials, typically to steal information for financial
or personal incentives. For example, an individual who holds a grudge against a
former employer, or an opportunistic employee who sells secret information to a
competitor. Turncloaks have an advantage over other attackers because they are
familiar with the security policies and procedures of an organization, as well as its
vulnerabilities.

• Careless insider: an innocent pawn who unknowingly exposes the system to outside
threats. This is the most common type of insider threat, resulting from mistakes, such
as leaving a device exposed or falling victim to a scam. For example, an employee
who intends no harm may click on an insecure link, infecting the system with
malware.

• A mole: an imposter who is technically an outsider but has managed to gain insider
access to a privileged network. This is someone from outside the organization who
poses as an employee or partner.

Conclusion:

Therefore, organizations must continuously track these cyber security threats and
work out how to deal with them. Maintaining strong passwords for applications, updating
them from time to time and using two-factor authentication are ways to deal with such cyber
threats. Organizations can also make use of solid API access control systems. These
are some of the ways organizations can protect themselves against such cyber-attacks and threats.
Governments around the world are also bringing more attention to cybercrimes; GDPR is
a great example. It has increased the reputational damage of data breaches by forcing all organizations that
operate in the EU to:

• Communicate data breaches
• Appoint a data-protection officer
• Require user consent to process information
• Anonymize data for privacy

A lack of focus on cybersecurity can damage your business in a range of ways, including:

• Economic costs: theft of intellectual property, corporate information, disruption in
trading and the cost of repairing damaged systems
• Reputational cost: loss of consumer trust, loss of current and future customers to
competitors and poor media coverage
• Regulatory costs: GDPR and other data breach laws mean that your organization could
suffer regulatory fines or sanctions as a result of cybercrimes

2. The objective of an IT security policy is the preservation of confidentiality, integrity,
and availability of systems and information used by an organization's members.
Explain the various aspects of designing a comprehensive security policy with respect to
the CIA triad. (10 Marks)

Answer 2.

Introduction:

The main objective behind the development of any security policy is preserving three
factors: the confidentiality, integrity and availability of systems and information. This is
known as the CIA triad, the model used for guiding the management of policies
relating to the organization's information technology. Each letter of the acronym has its own meaning
and significance in the security policy development process, and organization members use
these to frame the various policies that make up the IT security policy. The security policy of any
organization deals with two main aspects. The first is the prevention of the multiple
external threats that the organization has to face, maintaining the integrity of the
organization's network. The second is the reduction of internal risks, such as
malicious insiders, by defining the appropriate use of the organization's network resources. The
various elements involved in designing a comprehensive security policy with respect to the
CIA triad are set out below.

Concept and application:

Organizations have to face various external and internal threats relating to cyber security.
Therefore, organizations need to frame appropriate security policies
capable of protecting the organization against all of these threats and issues. The
CIA triad model has been beneficial in formulating these IT security policies for the
organization. The C stands for confidentiality, which focuses on preventing sensitive
information from being misused or accessed without authorization; the organization's data
needs to be protected at all costs. The I stands for integrity, which covers the consistency,
accuracy and trustworthiness of data throughout its life cycle. The A stands for availability,
which means that all the desired information should be readily available to all authorized
parties at all times.

Some of the aspects of designing a comprehensive security policy are as follows:

1. IDENTIFICATION OF THE THREATS AND RISKS: The first step in developing any
security policy is to identify all the threats and risks that an organization can face. The risks can
be either internal or external. One way to determine these risks and threats is by using various
monitoring and reporting tools. Employees of the organization should be well aware of these.
2. LEARN FROM OTHERS' EXPERIENCE: The next step is to learn from the experience of
others. Most organizations make use of such security policies. It is always good to see whose
policies are performing well and adopt such procedures.
3. POLICY SHOULD CONFORM TO ALL LEGAL REQUIREMENTS: The policies of
the organization should conform to all legal requirements; otherwise they could land the
organization in legal trouble. There may be specific standards set regarding the
integrity and privacy of data that the organization needs to conform to. This will prevent the
organization from committing any security breach.
4. TRAINING THE EMPLOYEES OF THE ORGANIZATION: It is equally important to
train the employees of the organization from time to time and make them aware of all such
security aspects. This aspect is generally overlooked in most organizations, which may prove
to be a significant drawback for them.
5. PENALTIES FOR SECURITY BREACH: A security breach, whether external or
internal, can lead to huge damages for the organization. It can also affect the brand
name and goodwill of the organization. Network security should be treated as a serious
concern of the organization. These policies are not general guidelines but part of the accepted
terms and conditions of employment. Thus, any employee who causes a breach of the
organization's security policy should be penalized.
6. LATEST TECHNOLOGICAL UPDATES: One way to keep up with the security policies
of any organization is to keep the organization updated with all the technological developments
that keep taking place. There are numerous tools and methods that can be put in place to
frame an adequate and comprehensive security policy for the organization.

Apart from this, organizations can use different methods such as keeping the organization's
staff up to date, including the team in the policy framing process and maintaining an adequate security
level in the organization.

Conclusion:

Every organization, be it big or small, desires to have comprehensive and adequate
security policies for the organization as a whole. This ensures that the organization can
protect all the sensitive information relating to the employees and the organization. These are
some of the points that the organization can keep in mind while framing security policies
around the CIA triad. This will help the organization to achieve its objectives in the most
appropriate manner. The organization should ensure that it follows a general set of rules and
principles to implement the CIA triad. This will help to protect the
organization's data against various external and internal cyber-attacks and risks.

Q3. Friends Credit Union (FCU) is a federally chartered and insured credit union offering
financial services for over 60 years. As a non-profit financial cooperative, it is owned and
operated by its members, with over 6400 million in assets and over 51,000 members.
FCU's mission is to operate in a financially sound and competitive manner to ensure long-
term financial stability while safeguarding member assets. The landscape of organizations
across the globe and the way business is conducted has changed dramatically over the last
decade. New technologies have added tremendous efficiencies and methods for
communicating, and corporations have benefitted from these innovations. However, there
have been disturbing increases globally in the number of attacks through criminal
activities — be it cyber or onsite infiltration. FCU recognized that adhering to regulatory
compliance does not always equate to security. In an effort to provide world-class service,
as well as to ensure confidential client information remains secure, FCU contracted
independent remote and onsite social engineering assessments. Understanding that the
modern criminal preys on the human element as a weakness, common undercover ploys
were developed and executed to determine the organization's susceptibility to potential
exploitation. The results identified vulnerabilities within the organization and revealed the
need for corporate-wide security awareness, crucial to mitigating future risks. Onsite and
remote social engineering engagements examined the effectiveness of the existing education
and awareness programs, challenging the security posture of the institution's workforce.
The security risk assessment methodology involved four phases, each phase conducted by a
certified security analyst.

(1) Reconnaissance

(2) Analysis

(3) Penetration

(4) Reporting

The engagement objective was to infiltrate the corporation and access confidential
information through phishing attacks and onsite intrusions. Based on the success rate of
achieving the objectives, FCU received a performance report for both of the social
engineering risk assessments.
a. Explain the need for social engineering attack preparedness in any organization and the
possible impact of being ill-prepared for such an attack.

Answer 3a.

Introduction:

Social engineering refers to a range of malicious activities accomplished through human
interaction, psychologically tricking users into giving up or misusing sensitive information. It is
dangerous in the sense that it exploits human error rather than software or technological
vulnerabilities. Organizations are therefore always advised to be prepared for a social engineering
attack.

Concept and application:

Social engineering can be carried out in several ways through human interaction. This includes baiting,
scareware, pretexting, phishing and spear phishing. It can impact the organization
internally and damage its reputation. So the organization needs to be prepared well in advance
against these threats and issues; otherwise they can have a serious negative impact on the organization.

Multiple attack methods: There are various forms of human interaction that can prove
dangerous for the organization. There is no fixed method, so organizations need to be
prepared for all of them and keep reviewing their security policies from time to time.

Misuse of sensitive information: The attackers can gather sensitive background information
about the target individuals and misuse it for their own benefit. They can identify the victims and collect
all the related information.

Deceiving the target individuals: The attackers try to trick the target individual by spinning a
story and taking control of the interaction. This enables them to gain a foothold. They can
then expand that foothold over time and execute more attacks. This could even lead to
the disruption of the business.

Removing all the traces: The attackers are very well prepared. They take every step to remove
all traces of the malware and cover up the attack. They plan things in such a way that the attack does not
come to the notice of other individuals. The methods used by them can lead to enormous
losses for the organization.

If organizations do not prepare themselves for all of these well in advance, it can lead to
enormous losses for the organization and damage the brand name. Individuals themselves
need to be aware and report any such suspicious activity in the organization. The organization
should ensure it has strict security policies to avoid such threats and risks.

Conclusion:
Thus, organizations need to be prepared for any social engineering attack well in advance. Not
being prepared can adversely impact the organization's overall growth and development,
and it may have to incur huge damages. The organization should ensure that all the
necessary guidelines and precautions are in place well in advance to fight against all such threats and
risks.

b. Explain the 4 phases involved in the security risk assessment of FCU in the above case.

Answer 3b.

Introduction

The development of a comprehensive and adequate security policy is essential for any
organization, irrespective of its size and nature. The same is true of the security risk assessment.
It is done to avoid any external or internal risk to the organization regarding cyber breaches and
security. The four phases involved in the security risk assessment of FCU are explained below.

Concept and application:

As read above, the four phases of reconnaissance, analysis, penetration and reporting involved in the
security risk assessment are explained below. This assessment may be done by the organization
as and when required.

(1) Reconnaissance: The gathering of deep and sensitive information about the
target system is termed reconnaissance. This is the longest phase in the overall security
assessment and may last for weeks or months. Information about the organization may be
available on the internet through various routes. Organizations need to ensure that specific guidelines
are followed to avoid such a breach: sensitive information should not be exposed on the web,
written as well as printed information should be properly disposed of, and similar other measures
should be taken.

(2) Analysis: The next step involves analyzing the identified security threats and risks for the
organization. It involves careful evaluation and assessment of all such factors critical to the
organization. Time and resources are allotted to each of these factors to ensure the mitigation of
risks. There should be a clear correlation between the assets, threats, risks and vulnerabilities.

(3) Penetration: The following step involves adopting an adequate mitigation approach and
enforcing the most appropriate security controls for each of the risks identified and analyzed in
the previous step.

(4) Reporting: The last step in assessing the security risk is the reporting of such risks. It
involves implementing various tools, techniques and processes in the organization that could
reduce and minimize these threats and vulnerabilities. This would
also lead to effective management and use of the firm's resources. Reporting is required so that
the administration and the related decision-makers can promptly take all the necessary steps.

Conclusion:

Thus, the security risk assessment is as important as the framing of security policies in avoiding
any external or internal security threat or risk to the organization. It helps the organization to
assess its threats from time to time and take the necessary actions whenever required. This helps
prevent the misuse of sensitive and significant information while it is being transferred or
shared, and also prevents its unauthorized access by such parties or individuals.
