Urgenthomework logo
UrgentHomeWork
Live chat

Loading..

7623Ict | Information And Security Assessment Answers

â­ł 27 Download đź“„ 2 Pages / 313 Words

Scenario: Student Grading System Security

Remarkable University is implementing a new student grading system. The system needs to be developed and implemented to ensure that it is both fit for purpose and secure from identified threats.

The student grading system’s core components include:

  • a front-end web/application server which is used by students, academics and administrative staff
  • a database which holds students’ grades

The system will need to be built and managed to ensure that the servers are deployed securely and remain secured against common automated and simple manual attacks. Dedicated, targeted attacks are difficult to protect against, however simple measure can be taken to protect against most automated attacks. Identified threats against the system include:

  • Grade hacking/modification, e.g. students who may wish to modify their own results or view or modify the results of others
  • Privacy concerns, e.g.:
    • internal users such as staff or students who may wish to view or modify results; and
    • external users who may wish to gain access to or modify results or other personal information
  • Malicious code such as worms
  • Automated scanning and exploit tools
  • Targeted exploit attempts
  • Phishing attempts

The grading system application needs to remain secured, use appropriate access controls, enforce least privilege, and ensure that information flowing to and from the system is protected. The application needs to be developed in a secure manner and be protected against common attacks, and the database needs to be protected against common automated attacks and use appropriate access controls.

All components of the systems, and in particular the application and database, need to have appropriate access controls in place to ensure that only authorized users can access and update the system, and that access is tied to the role of each user. All access to the system should be logged, regardless of whether the access is by a user or administrators, and regardless of which component of the system is being accessed.

Answer:

Introduction

Remarkable University is the organization for which an IT Security Plan is being developed. The university has implemented a student grading system and the core components of the system include a front-end application that is used by three types of the users viz. students, academic staff, and administrative staff. The second component of the system is the database in which the grades of the students are stored. There are various threats that have been identified against the system and the occurrence of these threats will possess a great risk to the confidentiality, security, and privacy of the data sets.

IT Security Plan is important because it specifies the mitigation and control strategies that shall be followed to deal with the security risks mapped with every asset of the system. 

Scope

There are various assets that are associated with the student grading system being developed and implemented at the Remarkable University.

The assets involved with the system include:

  • Information stored and handled by the system: It includes the student grades, student details and academic profile (Huang, Zhang, Cheng & Shieh, 2017).
  • Hardware: The system will be accessed by the users on desktop and mobile devices. There are also servers involved in the system.
  • Software: The web application that has been developed along with the database deployed for information storage for the student grading system.
  • Networking Peripherals & Communication Architecture: There are networking equipment, protocols, and communication tools involved that need to be protected.

Organization Risk Profile

The risk profile for the university is low as is it less vulnerable to the risks due to the education domain. It includes the following set of risks and threats that may be carried out on the IT assets.

  • User authentication and access control issues: Privacy concerns
  • Server Security Risks: Malware attacks
  • Software Security Risks: Hacking/data integrity issues, malware attacks
  • Network Perimeter Security: Automatic scanning, phishing attempts, target exploit attempts
  • End-user PC Security: Malware attacks

Risk Assessment

IT Asset 1: Information stored and handled by the system

There are various risks that are associated with the IT asset as the information. It is the primary asset that will be exposed to the security risks and attacks.

User authentication and access control

This is the security area that is exposed to various security risks and vulnerabilities that may have an adverse impact on the IT asset as the information stored in the student grading system.

The attackers may give shape to the account hacking attacks by breaking the authentication and access control measures and norms applied. This may lead to the exposure of the private and confidential information of the student.

Unauthorized access, data breaches, and leakage of the data sets may come up due to the poor access control measures applied.

Server Security Risks

The data servers will be exposed to malware risks and attacks. There may be physical security attacks that may also come up. The information stored in these servers will be exposed as an outcome.

Software Security Risks

The web application will be exposed to malware attacks, denial of service attacks, data breaches, and data integrity issues (O'Donnell, 2008). The information sets will be directly or indirectly impacted as an outcome.

Network Perimeter Security

The network architecture and protocols will be exposed to the network-based security threats and attacks. These may include phishing attacks, man in the middle attacks, denial of service attacks, malware attacks, and distributed denial of service attacks, message alteration attacks, and media alteration attacks. In all of these attacks, the privacy and confidentiality of the data and information sets will be hampered.

End-user PC Security

The devices which will be used for accessing the system may be exposed to attacks, such as device loss and malware attacks which will have a direct impact on the information sets stored within.

IT Asset 2: Hardware

Server Security Risks

There will be web servers and database servers used in the system and will be kept in the server room. These may be exposed to the physical security attacks if the attackers succeed in breaking through the physical security parameters applied.

End-User PC Security

The PC and the mobile devices that will be used to access the student grading system will also be exposed to the risks of being stolen. The loss or stealing of the device will have sever impacts on the information and the user.

IT Asset 3: Software

Software Security Risks

The software used in the system will be exposed to the risks, such as malware attacks, account hacking issues, target exploitation issues, data breaches, and data integrity issues.

IT Asset 4: Networking Peripherals & Communication Architecture

Network Perimeter Security

The network architecture and protocols will be exposed to the network-based security threats and attacks. These may include phishing attacks, man in the middle attacks, denial of service attacks, malware attacks, and distributed denial of service attacks, message alteration attacks, and media alteration attacks.

Risk Register

A risk register has been prepared for the risks that have been identified above. There is a likelihood and impact score assigned to every risk. The likelihood and impact has been provided and the risk rank has been calculated as per the levels below.

Threat/Vulnerability

Likelihood

Consequence

Level of Risk


Risk Priority

Account Hacking & target Exploitation

Possible

Major

Extreme (E)

8

Data Breaches

Likely

Catastrophic

Extreme (E)

2

Data Leakage

Possible

Catastrophic

Extreme (E)

6

Malware attacks

Almost certain

Major

Extreme (E)

1

Device loss

Rare

Catastrophic

High (H)

10

Denial of Service and Distributed Denial of Service

Likely

Catastrophic

Extreme (E)

3

Message and Media Alteration – Data Integrity Attacks

Possible

Major

Extreme (E)

7

Eavesdropping Attacks

Possible

Catastrophic

Extreme (E)

4

Man in the middle attacks

Possible

Catastrophic

Extreme (E)

5

Physical Security risks

Unlikely

Catastrophic

Extreme (E)

9

Security Strategies and Actions

It will be necessary to take certain security actions and adopt strategies to make sure that the risks do not occur and are mitigated and controlled.

Risk Name

Security Strategy and Actions

Account Hacking & target Exploitation

There shall be use of biometric recognition that shall be done for identity management and access control. Multi-path encryption must be used for access control. The authentication measures shall utilize multi-fold authentication wherein the log in to the accounts shall be made possible with the use of one time passwords and face recognition (Jung & Park, 2013).

Data Breaches

The data sets stored in the student grading system shall be encrypted so that the attackers do not succeed in capturing the same. There shall be technical security controls used and applied to protect from the security risk.

Data Leakage

The data sets stored in the student grading system shall be encrypted so that the attackers do not succeed in capturing the same. There shall be technical security controls used and applied to protect from the security risk.

Malware attacks

Anti-malware tools with ransomware protection must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out.

Device loss

The devices used by the end-users shall be installed with device tracker id so that the devices may be tracked in the case of loss or stealing.

Denial of Service and Distributed Denial of Service

Anti-denial tools must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out (Mahjabin, Xiao, Sun & Jiang, 2017).

Message and Media Alteration – Data Integrity Attacks

The data sets stored in the student grading system shall be encrypted so that the attackers do not succeed in capturing the same. There shall be technical security controls used and applied to protect from the security risk (Lin, Yu, Zhang, Yang & Ge, 2018).

Eavesdropping Attacks

The network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors shall be installed.

Man in the middle attacks

The network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors shall be installed (Wang, 2018).

Physical Security Risks

The server rooms must be secured by deploying a security guard at the entrance and the surveillance tools shall be used to keep a track of all the activities. Digital modes of authentication, such as biometric authentication and automated locks shall be used to protect the systems and servers.

Residual Risks

There are certain risks that may occur in spite of the measures and controls adapted. One such risk is the malware risks and attacks. It is because the attackers are coming up with new forms of malware codes and algorithms to launch the attack on the systems of the end-users. There shall be disaster recovery plan and data backups kept in place so that the impact of the risk may be reduced in the case of its occurrence.

The insider threats and attacks may also occur and may not be possible to be controlled. This is because the internal employees and the members of the staff may knowingly or unknowingly pass the information to the unauthorized entities.

The risks associated with the mobile devices, such as loss or stealing of the devices will also be left since the users may forget their devices at certain location. The devices may fall out of their pockets and such occurrences cannot be controlled.

Risk Name

Likelihood Level

Impact Level

Risk Score

Malware Attacks

2

4

8

Insider Threats

3

5

15

Device Loss or Stealing

2

5

10

Resources

Hardware Resources

Biometric devices and sensors for the implementation of biometric recognition systems, surveillance tools, such as microphones and video cameras for enhanced physical security, and digital locks and vaults for keeping the devices safe and protected at all times.

Software Resources

The network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors shall be installed. Anti-malware tools with ransomware protection must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out. Anti-denial tools must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out.

Human Resources

  • Chief Information Security Officer (CIO): The resource will be required to develop and implement the IT Security plan and the associated set of policies (Wsj, 2018).
  • Security Auditor: It will be essential to carry out security audits and reviews at regular intervals to find out the gaps involved. The improvement measures will be taken on the basis of the results of the audits conducted.
  • Security Analyst: The analysis of the network security logs and system logs will be done by the resource to determine the deviations and suspicious activities.
  • Implementation Resource: The security strategies and actions will be implemented and monitored by the resource.

Maintenance & Training

The end-users shall be provided with the trainings on the security practices that they shall adopt to prevent and control the attacks from occurring. The users shall also be made aware of the common mistakes that they make which may allow the attackers to give shape to the security attacks. The security team must also be provided with the training on the security strategies that they shall adopt.

The maintenance work will include the installation of the updates and security patches at regular intervals. These will ensure that any of the security vulnerabilities and loopholes are resolved and avoided. The security software, such as anti-malware tools, anti-denial tools, and network-based security controls shall be updated as a part of the maintenance activities (Bays, Oliveira, Barcellos, Gaspary & Mauro Madeira, 2015).

References

Bays, L., Oliveira, R., Barcellos, M., Gaspary, L., & Mauro Madeira, E. (2015). Virtual network security: threats, countermeasures, and challenges. Journal Of Internet Services And Applications, 6(1). doi: 10.1186/s13174-014-0015-z

Huang, H., Zhang, Z., Cheng, H., & Shieh, S. (2017). Web Application Security: Threats, Countermeasures, and Pitfalls. Computer, 50(6), 81-85. doi: 10.1109/mc.2017.183

Jung, K., & Park, S. (2013). Context-Aware Role Based Access Control Using User Relationship. International Journal Of Computer Theory And Engineering, 533-537. doi: 10.7763/ijcte.2013.v5.744

Lin, J., Yu, W., Zhang, N., Yang, X., & Ge, L. (2018). Data Integrity Attacks against Dynamic Route Guidance in Transportation-based Cyber-Physical Systems: Modeling, Analysis, and Defense. IEEE Transactions On Vehicular Technology, 1-1. doi: 10.1109/tvt.2018.2845744

Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal Of Distributed Sensor Networks, 13(12), 155014771774146. doi: 10.1177/1550147717741463

O'Donnell, A. (2008). When Malware Attacks (Anything but Windows). IEEE Security & Privacy Magazine, 6(3), 68-70. doi: 10.1109/msp.2008.78

Wang, Y. (2018). Analysis on the Causes of Network Language Violence and Its Countermeasures. Destech Transactions On Social Science, Education And Human Science, (adess). doi: 10.12783/dtssehs/adess2017/17825

Wsj. (2018). The Growing Role of the CIO. Retrieved from https://www.wsj.com/articles/the-growing-role-of-the-cio-1520992980


Buy 7623Ict | Information And Security Assessment Answers Online

Talk to our expert to get the help with 7623Ict | Information And Security Assessment Answers to complete your assessment on time and boost your grades now

The main aim/motive of the management assignment help services is to get connect with a greater number of students, and effectively help, and support them in getting completing their assignments the students also get find this a wonderful opportunity where they could effectively learn more about their topics, as the experts also have the best team members with them in which all the members effectively support each other to get complete their diploma assignments. They complete the assessments of the students in an appropriate manner and deliver them back to the students before the due date of the assignment so that the students could timely submit this, and can score higher marks. The experts of the assignment help services at urgenthomework.com are so much skilled, capable, talented, and experienced in their field of programming homework help writing assignments, so, for this, they can effectively write the best economics assignment help services.

Get Online Support for 7623Ict | Information And Security Assessment Answers Assignment Help Online

Copyright © 2009-2023 UrgentHomework.com, All right reserved.