Information Systems Security Essay

In today’s IT world every organization has a responsibility to protect the information and sensitive data they have. Protecting data is not only responsibility of security and IT staff but every individual is involved in protecting the information. The risks to information security are not digital only, but it involves technology, people and process that an organization may have. These threats may represent the problems that are associated to complex and expensive solution, but doing nothing about these risks is not the solution. The case we have been assigned today deals with physical and logical vulnerabilities and protection against the risks and threats by implying the best controls to either mitigate, avoid and transfer the risks. Being an Information Security officer at a newly opened location in a busy mall, I have been asked to identify physical and logical risks to the pharmacy operations and also to suggest remedies to avoid any huge loss to the business. The pharmacy operations involve the unique transactions which involves the critical patients’ data, valuable medication and access to cash. The regulation set by the government obligates a pharmacy to meet certain standards to secure logical and physical access to information systems. The pharmacy is comprised of 4 work stations, there is a drug storage are and an office in the premises which has a file server, domain controller and a firewall. The three of the four work stations are placed at the counter to record and retrieve information of customers’ order. The entry of the store if from the mall and there the drug storage area is securely locked location behind the front counters. The store has a back door entry which is used by the employees and for delivery of new drugs. As an IT officer I have to protect all aspect of security including physical security of IT systems. Information Systems Security Physical security is an essential part of information technology security. Physical security encompasses not only the area containing system hardware, but also locations of wiring used to connect the systems, supporting services, backup provisions and any other part of the systems. Laptops and other types of mobile computing devices must also be protected from theft. The data on the mobile devices sometimes more than the value of the device. Such devices can also be an entry point on network. First look at the physical vulnerable area to IT systems within the pharmacy. After identifying the IT assets of company we can surly identify the physical risks. * Server Room * File server * Domain controller * Front Counter workstations * Switches/hubs The back door as showed in the floor plan is used by the employees of the pharmacy and it is often used for delivery of drugs. The access through this door is a physical vulnerability. Only authorized personal should be allowed to use this door. Any unidentified entry or activity should be monitored carefully. Such incident can result in loss of physical devices. The server room is a highly secured area which should be allowed only to IT people, other personal should be granted access by seeking special approval. The door should be locked all the time to protect IT assets. The workstations at the front counters should also be locked and placed securely to avoid any theft. The caged area cannot be locked all the time, it would result in low productivity as the staff move between the store, office and front counters. Securing the server room by locking it is the first step; surveillance makes it more effective if someone breaks into the server room. In case of an incident, one can easily pull up the video and check it for a particular time or for a particular event. â€Å"A logical breach affects the network, data and software without physically affecting the hardware. One of the problems with any logical breach of security is that the damage is invisible and its extent is unknown†. (Georgia Institute of Technology). As we read in the book, vulnerabilities are found in all seven domains of the network: * User Domain: * Lack of awareness of security policy * Accidental acceptable use policy violation * Intentional malicious activity * Social engineering * Workstation Domain: Unauthorized user access * Malicious software introduced * Weaknesses in installed software * LAN Domain * Unauthorized network access * Transmitting private data unencrypted * Spreading malicious software * LAN-to-WAN Domain * Exposure and unauthorized access of internal resources to the public * Introduction of malicious software * Loss of productivity due to Internet access * WAN DomainTransmitting private data unencrypted * Malicious attacks from anonymous sources * Denial of Service attacks * Weaknesses in software * Remote Access Domain * Brute-force attacks on access and private data * Unauthorized remote access to resources Data leakage from remote access or lost storage devices * System/Application Domain * Unauthorized physical or logical access to resources * Weaknesses in server operating system or application software * Data loss from errors, failures, or disasters† (Kim, 2012) System and data could be vulnerable due a physical breach where an intruder affects any system or node by uploading some invisible malicious code on one of the computers. Usually the logical breach results due an unauthorized access to the system/network. The users on the front desk should be given access to the information they need to perform their job on need to know basis. Any workstation is capable to breach into sensitive information. Access to any machine could lead to confidential information breach. All users are required to use their credential to access information on the network. A strong password is required by the policy outlined by the IT department. Logical vulnerability deals with anything which is to do with computer software/network other than the physical network. People are the weakest link in the whole chain. They are the biggest threat to the IT network; any user could compromise the system without even knowing the result of his/her actions. Users using personal device on the enterprise network is the biggest threat ever. Use of personal media should be strictly prohibited because it could bring in the malicious code which gives access to hackers to break into network and steal confidential information. A weak password also helps intruders to disguise them as the legitimate user and access the information to compromise the network. Software and antivirus updates could also be crucial if it is not done on time, it can lead into breach. The physical threat and vulnerability can result in huge loss in revenue and confidential information leakage. As mentioned above, any physical vulnerability can result in loss such as theft of the equipment, any device plug to attack remotely or record data. We often printers in the network security, most printers nowadays stores information on built in memory on the printers before printing. If somebody walks out with the printer, access to information in printer’s memory can be accessed easily. Figure 1 Key Logger As showed in the picture, there is a small device which is a key logger. If any personal (internal or external) have access to the assets of the company can install such a device which will not be found with careful examination. Such devices can log the keys strokes which will open a door for attackers to get access to information all the time. Figure 2 Threats & Potential Impact The picture above is self-explanatory, is the network is physically or logically vulnerable any attacker can break which can lead to the impact mentioned above. In case of pharmacy where it is required by the law to take very extra care of customers’ confidential information no risks can be taken. In-case the network is compromised due to physical and logical vulnerability, the attacker can disrupt the whole business. Some disgruntle employee can cause DOS which will bough down the network which will result in delay in orders, low productivity. Vulnerability can also cause loss of information, loss of privacy of customers, legal liability due to leakage of confidential information which is governed by the HIPAA. And above of all reputation among customers, it is very difficult to gain customers’ confidence if it is lost just because of any event. To identity and deal with risks, we are going to take the same approach as defined in the book. After carefully examining the risks, we are going to analyze the impact and based on the impact we will develop a strategy either to mitigate, transfer, avoid or accept the risks. Figure 3 Risk Management Process To deal with the physical risks identified above, the best strategy would be to mitigate or transfer it in-case of any event. Numbers of steps are suggested to mitigate the risk due to physical vulnerability. The back door is used by employees only. The server room is always locked and with prior permission no other than IT personal can enter in it. All IT assets have been locked securely to avoid any theft. Surveillance is also part of our strategy to mitigate any risks. Risks transfer strategy comes into play if anything happened to IT assets. Based on the value of assets most of the assets are covered under insurance. But data is such a valuable asset of the company that no insurance can cover the loss of data theft. After evaluating the logical vulnerabilities, I am going to suggest risk mitigation and risk acceptance strategy. â€Å"Malicious attacks increasingly complex variations are continuously being introduced and can sometimes spread widely before protection software companies deliver the latest detection strings and solutions†. Standard for Technology in Aumotive Retail, 2012) . The first step would be to mitigate the risks at any cost) but since the people are weakest link in the whole IT security scenarios they tend to do things unintentionally which compromise the security. Based on these facts I have also suggested the risk acceptance strategy. This fact is known by most of the businesses but they still do it because they do not perform any operations without manpower. The staff working at front desks or any employee at the pharmacy could use personal media which could lead to any attack. The weak password can also help attackers to use logical bomb technique to guess the password. A strong administrative control is required to avoid such incidents. Some of the suggestions to mitigate the logical vulnerabilities: Security Awareness- as mentioned above the people is the weakest link in the IT security. User awareness on virus control is the most effective tool to control it. In the awareness programs they should be reminded that data should be accepted from the trusted sources. Incase they receive files from untrusted source should not be open. Persona media should be approved by IT department to use. Patch Management- latest patch protects the system against the latest viruses. It is a process that updates the vulnerable areas on the application level. Hackers usually use the flaws and weak points in the system and exploit them to get on the network. Software OEM issues a new update to fix the issue, windows and antivirus auto update is common examples of such patch management. Most organization does not allow automatic updates due to interference in current operations. They usually test the patch on test environment before replicating it to production nodes. Anti-virus scanners – these products scan files and email and instant messaging programs for signature patterns that match known malicious software. Since new viruses are continually emerging, these products can only be effective if they are regularly updated with the latest virus signatures. See your product manual for instructions on how to activate this. Anti-virus scanners can be positioned on gateways to the network and/or on network hosts. Anti-virus scanners need to be frequently updated to be effective. Therefore, regularity and method of update are criteria that need to be considered when selecting anti-virus products. The first line of defense is administrative controls against any physical and logical threats. These are the policies which is prepared and approved by the management to staff for compliance. In pharmacy’s case strict policies are suggested to comply with regulatory compliance (HIPAA). First of all physical access to premises especially from the back door needs to be secure. The policy to enter in the building using a cat card or smart token is mandatory which a control to prohibit any unauthorized access. The IT room is also protected by a digital lock which can only be accessed by ntering correct combination of the password. The IT devices cannot be move out without prior approval from management on a prescribed form. Another preventive control is to disable all removable media from the systems at the front desk. The USB/serial ports are disabled and it can only be granted on special approval. To control logical vulnerabilities I have suggested mix of administrative, detective, preventive, corrective controls. All users by policy are required to use strong passwords, the password must contain, one letter in caps, one symbol/numeric value. The total length should be between 8-20 characters. Users are required to change the password every 30 days and they cannot use passwords any 10 previously used passwords. Users are also cautioned about not to write passwords. Most of the employees have role based access to IT systems. All front desk employees go straight to the application required to book patients’ orders. They cannot open or use personal email on the systems. The access to internet is controlled by the web application filter which only allows users to check pre-approved sited required to manage operations. All systems have the latest updated antivirus software which does not allow any infected file to execute. The best strategy to deal it with is preventive. Similarly to prevent any intruder in the network, IDS are deployed to monitor any unusual activity. Backup of data with regular interval makes it possible to continue the business in case of any break down due to any malicious activity. The data is backed up with only last changed items after every 4 hours. As mentioned earlier the patients’ data is highly confidential, any loop whole can result in legal liabilities.