
IT Security and Risk Management

December 2023 Examination

Answer 1:
Introduction:

In the constantly changing landscape of information security, one of the core principles underpinning an organisation's ability to protect itself is the interplay of people, processes, and technology. Known as the PPT (People, Process, and Technology) framework, this approach centres on the importance of these three factors in achieving strong and broad security. Security awareness is a critical component of this framework. It combines training and engaging people, updating and refining processes, and using technology to strengthen an organisation's defences against a wide range of cyber threats. In this answer, we explore the concept of security awareness within the PPT framework, its application across these three dimensions, and its importance in the contemporary cyber-security landscape.
Concept and Application:
Security Awareness for People:
People are both the first line of defence and, at times, the weakest link in an organisation's security. Security awareness for people involves educating and training employees and partners about the importance of cybersecurity and their role in protecting the organisation. It covers the following key aspects:
Cyber-security Training: Providing regular training to staff on recognising and mitigating security risks, understanding the importance of strong passwords, spotting phishing attempts, and adhering to security policies and procedures.
Creating a Security Culture: Fostering a security-first culture in which security is everyone's responsibility, from top management to front-line workers.
Incident Response Training: Equipping employees with the knowledge and skills to respond effectively to security incidents, including promptly reporting breaches, malware, and other suspicious activity.
User Authentication and Authorization: Training users on safe login practices and on how to manage authentication information such as passwords and access permissions.
Application: A practical application of security awareness for people could include running regular workshops and simulated phishing exercises to test employees' ability to spot phishing attempts. In addition, organisations can implement a "see something, say something" policy, encouraging employees to report any suspicious activity quickly.
Security Awareness for the Process:
Process refers to the planned and deliberate procedures and workflows within an organisation. Security awareness for processes involves ensuring that security considerations are built into these processes at every level. Key points include:
Risk Assessment and Management: Identifying, assessing, and managing the security risks associated with different business processes.
Compliance and Policy Adherence: Ensuring that security policies, regulations, and best practices are integrated into the organisation's standard operating procedures.
Incident Response Plans: Creating, communicating, and regularly testing incident response plans and procedures to handle security breaches effectively.
Continuous Improvement: Encouraging a culture of continuous improvement in which processes are regularly reviewed and refined to keep pace with security threats.
Application: An organisation could apply security awareness to processes by scheduling regular security audits, ensuring compliance with industry regulations, and building security checkpoints into the development and deployment of software and applications.
Security Awareness for Technology:
Technology, in the context of security awareness, covers the tools, systems, and infrastructure that support an organisation's security efforts. It includes understanding the capabilities and limits of technology as well as its weaknesses. Key aspects include:
Security Technology Education: Training staff to understand and use security tools such as firewalls, intrusion detection systems, and antivirus software effectively.
Patch Management: Ensuring that all technology components, including software and hardware, are regularly updated with the latest security patches.
Secure Configuration: Configuring technology systems securely to reduce weaknesses and ensure they align with best practices and standards.
Security Awareness for End Users: Teaching end users technology best practices, for example safe web browsing, downloading only from trusted sources, and email security.
Application: An organisation can apply security awareness to technology by regularly hardening and patching its systems, conducting penetration testing, and providing clear guidelines for secure technology use.
Conclusion:
In the digital age, the combination of people, processes, and technology has become the cornerstone of strong security. Security awareness is the glue that binds these three elements together, ensuring that people are vigilant, processes are secure, and technology is robust. This concept is not static; it evolves in response to the constantly shifting landscape of cyber-security threats. An effective security awareness programme requires a commitment to continuous education and adaptation. It is not a one-time event but an ongoing process, reflecting the dynamic nature of cyber-security. Ultimately, an organisation that promotes security awareness across its people, processes, and technology is better prepared to defend against a relentlessly evolving and diverse array of cyber threats.

Answer 2:
Introduction:

In the digital age, securing sensitive data and information has become a central concern for organisations of all kinds. Access control is a key part of information security, providing a means of ensuring that users can reach company data and systems while protecting against unauthorised access. However, many organisations struggle with the challenge of granting access that matches an individual's role and responsibilities. In this answer, we analyse access control methodologies and their implementation with the overall goal of security, giving detailed justifications for our recommendations.
Concept and Application:
Access control methodologies are frameworks and mechanisms used to manage and control access to an organisation's assets, data, and systems. They combine the use of various technologies, policies, and procedures to ensure that users are who they claim to be and that they have appropriate access and privileges based on their roles. The following are some key access control methodologies and their applications:
Role-Based Access Control (RBAC):
Concept: Role-Based Access Control assigns access rights and permissions based on an individual's role within the organisation. Users are grouped into roles, and each role is given a set of permissions that match the responsibilities of that role.
Application: RBAC simplifies access control management by reducing the need to assign permissions to individual users. Access is instead governed by a person's job function, ensuring that they can reach only the assets and data necessary for their role. For example, a financial analyst will have access to financial data, while a marketing manager will have access to marketing materials.
Justification: RBAC reduces the risk of over-privilege, streamlines access management, and improves security by keeping access on a "need-to-know" basis. This approach ensures that users access only the data and systems essential to their job functions, lowering the risk of unauthorised access and data breaches.
Mandatory Access Control (MAC):
Concept: Mandatory Access Control enforces access decisions based on security labels and policies. Data and systems are classified with labels, and users are assigned clearance levels. Users can access data and systems based on the match between their clearance level and the label of the asset.
Application: MAC is often used in environments with highly sensitive data, such as government agencies. It ensures that only users with the appropriate clearance can access classified information. For example, a "top secret" document should be accessible only to users with "top secret" clearance.
Justification: MAC provides a higher degree of protection for sensitive information by strictly controlling access based on security classifications. It prevents unauthorised access even where users otherwise have access to the systems and data. However, it may not be suitable for all organisations, as it can be complex to implement.
Discretionary Access Control (DAC):
Concept: Discretionary Access Control gives data owners the ability to decide who has access to their assets. Data owners are in control when granting or denying access to others.
Application: DAC is often used in collaborative environments where users need flexibility in granting access. For example, a document owner can grant access to specific colleagues or partners while retaining control over who can view or modify the document.
Justification: DAC empowers data owners to make access decisions, which can be valuable in collaborative and dynamic environments. However, it requires a degree of trust in data owners and can lead to inconsistencies if it is not managed carefully.
Attribute-Based Access Control (ABAC):
Concept: Attribute-Based Access Control makes access decisions based on a set of attributes, for example user attributes, resource attributes, and environmental attributes. Policies are defined using these attributes to determine access.
Application: ABAC is highly flexible and adaptable, making it suitable for complex and dynamic environments. Access decisions are made by evaluating attributes, enabling fine-grained control over access. For example, access to a patient's medical record can be determined by attributes such as the user's role, the patient's identity, and the location of the request.
Justification: ABAC is suitable for modern, dynamic organisations where access requirements are complex and change frequently. It provides a far more granular and adaptable way of managing access control.
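The four models above differ mainly in who decides and on what basis. The following added example (not part of the exam answer) makes each decision rule explicit as a small Python function; the roles, labels, ACL and medical-record attributes are constructed for illustration and the names are hypothetical.

```python
from dataclasses import dataclass, field

# All data below is constructed for illustration; the names are hypothetical.
ROLE_PERMISSIONS = {                       # RBAC: role -> set of permissions
    "financial_analyst": {"read:financial_data"},
    "marketing_manager": {"read:marketing_materials", "write:marketing_materials"},
}
LEVELS = ["public", "confidential", "secret", "top_secret"]  # MAC lattice, low to high

@dataclass
class Subject:
    user: str
    roles: set = field(default_factory=set)
    clearance: str = "public"
    attrs: dict = field(default_factory=dict)

def rbac_allows(subject, permission):
    """RBAC: allowed if any of the subject's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)

def mac_allows_read(subject, label):
    """MAC (no read up): the subject's clearance must dominate the object's label."""
    return LEVELS.index(subject.clearance) >= LEVELS.index(label)

def dac_allows(acl, resource, subject, action):
    """DAC: the owner always decides; others need an explicit grant in the owner's ACL."""
    entry = acl[resource]
    if subject.user == entry["owner"]:
        return True
    return action in entry["grants"].get(subject.user, set())

def abac_allows_record_read(subject, record, env):
    """ABAC for the medical-record example: role, patient assignment and request location."""
    is_clinician = "clinician" in subject.roles
    treating = record["patient_id"] in subject.attrs.get("assigned_patients", set())
    on_site = env.get("location") == "hospital_network"
    return is_clinician and treating and on_site

if __name__ == "__main__":
    alice = Subject("alice", {"financial_analyst"}, "confidential")
    acl = {"budget.xlsx": {"owner": "alice", "grants": {"bob": {"read"}}}}
    print(rbac_allows(alice, "read:financial_data"))                # True
    print(mac_allows_read(alice, "top_secret"))                     # False
    print(dac_allows(acl, "budget.xlsx", Subject("bob"), "write"))  # False
```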
Conclusion:
Access control methodologies are essential for protecting an organisation's data and systems. They are designed to ensure that users have appropriate access to company data while guarding against unauthorised access. The choice of access control strategy should be driven by the organisation's specific security requirements, industry regulations, and operations. While RBAC is practical for many organisations, those handling highly classified data may find MAC more suitable. DAC and ABAC are valuable in collaborative and dynamic settings. Ultimately, a strong access control framework is one that balances security and convenience, granting access to those who genuinely need it while protecting sensitive data.

Answer 3a:

Introduction:

The Bangladesh Bank Cyber Heist of February 2016 serves as a stark reminder of the constantly evolving risks faced by financial institutions in the digital age. In this case, cybercriminals attempted to compromise the bank's systems in order to carry out fraudulent fund transfers. Understanding the key vulnerabilities and security lapses that allowed these criminals to target the bank is essential for strengthening cyber-security efforts in the financial sector.
Concept and Application:
Several key vulnerabilities and security lapses emerged from the Bangladesh Bank cyber heist:
SWIFT System Vulnerabilities: The cybercriminals exploited weaknesses in the bank's SWIFT system, in particular by manipulating SWIFT messages so that fraudulent transactions appeared genuine. This highlights the importance of securing the interbank messaging system, which is a central component of international financial transactions.
Authentication Weakness: The attackers managed to compromise the bank's SWIFT terminal by bypassing authentication and using its credentials. This suggests that weak authentication mechanisms were in place. Strong multi-factor authentication and careful access control are crucial for preventing unauthorised access.
Errors in Transactions: Some of the fraudulent transfer requests contained spelling errors, which raised suspicion at the Federal Reserve Bank. This shows that attention to detail and thorough validation of transfer requests are essential. Automated systems or checks should be in place to detect inconsistencies.
Lack of Monitoring and Alerts: The incident exposed a clear gap in monitoring and alerting systems. Fortunately, an alert official at the Federal Reserve Bank noticed the spelling errors, prompting further scrutiny and the cancellation of additional transactions. Continuous monitoring, timely alerts, and transaction validation might have prevented greater losses.
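The last two points call for automated validation of outgoing transfer instructions. As an added illustration (not part of the exam answer and not SWIFT's message format), the Python below holds an instruction for review when the beneficiary is unknown or its name does not match the registry, when the amount exceeds a single-instruction limit, when it is submitted outside business hours, or when the trailing one-hour outflow exceeds a limit; the registry, limits and sample instructions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed illustration; the fields and thresholds are hypothetical, not SWIFT's.
KNOWN_BENEFICIARIES = {"ACC-1001": "Acme Trading Ltd", "ACC-2002": "Globex Foundation"}
PER_INSTRUCTION_LIMIT = 5_000_000      # hold anything above this amount
WINDOW = timedelta(hours=1)
WINDOW_TOTAL_LIMIT = 20_000_000        # hold if one hour's outflow exceeds this
BUSINESS_HOURS = range(9, 18)          # 09:00-17:59 local time of the sending bank

def name_mismatch(inst):
    """True if the stated beneficiary name differs from the registered one (case-insensitive)."""
    expected = KNOWN_BENEFICIARIES.get(inst["beneficiary_account"])
    return expected is not None and inst["beneficiary_name"].casefold() != expected.casefold()

def review_instructions(instructions):
    """Return {instruction_id: [reasons]} for instructions that should be held for review."""
    findings = defaultdict(list)
    by_time = sorted(instructions, key=lambda i: i["sent_at"])
    for idx, inst in enumerate(by_time):
        if inst["beneficiary_account"] not in KNOWN_BENEFICIARIES:
            findings[inst["id"]].append("unknown beneficiary account")
        elif name_mismatch(inst):
            findings[inst["id"]].append("beneficiary name does not match registry")
        if inst["amount"] > PER_INSTRUCTION_LIMIT:
            findings[inst["id"]].append("amount above single-instruction limit")
        if inst["sent_at"].hour not in BUSINESS_HOURS or inst["sent_at"].weekday() >= 5:
            findings[inst["id"]].append("submitted outside business hours")
        # Velocity check: total sent in the trailing window, including this instruction.
        start = inst["sent_at"] - WINDOW
        total = sum(i["amount"] for i in by_time[: idx + 1] if i["sent_at"] >= start)
        if total > WINDOW_TOTAL_LIMIT:
            findings[inst["id"]].append("hourly outflow above limit")
    return dict(findings)

SAMPLE = [  # constructed sample instructions; T2 carries a misspelled beneficiary name
    {"id": "T1", "beneficiary_account": "ACC-1001", "beneficiary_name": "Acme Trading Ltd",
     "amount": 1_200_000, "sent_at": datetime(2024, 1, 10, 10, 5)},
    {"id": "T2", "beneficiary_account": "ACC-2002", "beneficiary_name": "Globex Fandation",
     "amount": 6_000_000, "sent_at": datetime(2024, 1, 10, 23, 40)},
    {"id": "T3", "beneficiary_account": "ACC-9999", "beneficiary_name": "Unknown Co",
     "amount": 15_000_000, "sent_at": datetime(2024, 1, 10, 23, 50)},
]

if __name__ == "__main__":
    for tid, reasons in review_instructions(SAMPLE).items():
        print(tid, "->", "; ".join(reasons))
```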
Conclusion:
The Bangladesh Bank Cyber Heist revealed significant vulnerabilities and security lapses within the bank's systems, largely related to the SWIFT system, authentication mechanisms, transaction validation, and monitoring. This incident serves as an important lesson for the financial sector, emphasising the need for robust cyber-security efforts. The case highlights the importance of regular security assessments, staff training, and coordinated efforts between financial institutions and authorities to prevent and mitigate such cyber risks. Finally, it highlights the ever-increasing requirement for financial institutions to remain vigilant and invest in cyber security to safeguard their assets and the integrity of the global financial system.
Answer 3b:
Introduction:

The Bangladesh Bank Cyber Heist of 2016 clearly illustrates the global and interconnected nature of cyber threats targeting financial institutions. In the face of such cyber attacks, international cooperation and information sharing play a vital role in detecting, managing, and preventing cyber threats. This case highlights the significance of cross-border collaboration in cybersecurity.
Concept and Application:
Rapid Threat Mitigation: In the aftermath of the Bangladesh Bank Cyber Heist, international cooperation became essential to containing the threat rapidly. Information sharing between Bangladesh Bank, the Federal Reserve Bank of New York, and other key parties was central to identifying the attack and preventing further losses. Joint effort enabled a coordinated response to stop the cybercriminals.
Attribution and Investigation: The international community played a major part in attributing the attack, although the individuals responsible were not conclusively identified. Cooperation with law enforcement and cybersecurity specialists from different countries led to a thorough investigation. This illustrates the need for cross-border cooperation to hold cybercriminals accountable.
Shared Threat Intelligence: The Bangladesh Bank incident underscored the importance of shared threat intelligence. The attack's methods, including the use of SWIFT to initiate fraudulent transactions, raised concerns globally. This experience led to greater international cooperation in sharing intelligence related to financial cyber threats, enabling financial institutions to understand and anticipate emerging threats more quickly.
Global Awareness and Preparedness: This case served as a wake-up call for financial institutions around the world, highlighting the vulnerability of the global financial system. It underlined the importance of international cooperation not only in responding to attacks but also in proactive efforts to strengthen cybersecurity measures.
Conclusion:
The Bangladesh Bank cyber heist is a clear illustration of the international nature of cyber threats against financial institutions. It demonstrates the critical role of international cooperation and information sharing in responding to and preventing such attacks. In an interconnected and constantly evolving cyber landscape, the lessons drawn from this case point to the need for coordinated global effort to update cybersecurity, exchange threat intelligence, and collectively defend against malicious actors. Financial institutions, governments, and international bodies must continue to work together to protect the global financial system against cyber threats.
