7623Ict | Information And Security Assessment Answers
Scenario: Student Grading System Security
Remarkable University is implementing a new student grading system. The system needs to be developed and implemented to ensure that it is both fit for purpose and secure from identified threats.
The student grading system’s core components include:
- a front-end web/application server which is used by students, academics and administrative staff
- a database which holds students’ grades
The system will need to be built and managed to ensure that the servers are deployed securely and remain secured against common automated and simple manual attacks. Dedicated, targeted attacks are difficult to protect against, however simple measure can be taken to protect against most automated attacks. Identified threats against the system include:
- Grade hacking/modification, e.g. students who may wish to modify their own results or view or modify the results of others
- Privacy concerns, e.g.:
- internal users such as staff or students who may wish to view or modify results; and
- external users who may wish to gain access to or modify results or other personal information
- Malicious code such as worms
- Automated scanning and exploit tools
- Targeted exploit attempts
- Phishing attempts
The grading system application needs to remain secured, use appropriate access controls, enforce least privilege, and ensure that information flowing to and from the system is protected. The application needs to be developed in a secure manner and be protected against common attacks, and the database needs to be protected against common automated attacks and use appropriate access controls.
All components of the systems, and in particular the application and database, need to have appropriate access controls in place to ensure that only authorized users can access and update the system, and that access is tied to the role of each user. All access to the system should be logged, regardless of whether the access is by a user or administrators, and regardless of which component of the system is being accessed.
Answer:
Introduction
Remarkable University is the organization for which an IT Security Plan is being developed. The university has implemented a student grading system and the core components of the system include a front-end application that is used by three types of the users viz. students, academic staff, and administrative staff. The second component of the system is the database in which the grades of the students are stored. There are various threats that have been identified against the system and the occurrence of these threats will possess a great risk to the confidentiality, security, and privacy of the data sets.
IT Security Plan is important because it specifies the mitigation and control strategies that shall be followed to deal with the security risks mapped with every asset of the system.Â
Scope
There are various assets that are associated with the student grading system being developed and implemented at the Remarkable University.
The assets involved with the system include:
- Information stored and handled by the system: It includes the student grades, student details and academic profile (Huang, Zhang, Cheng & Shieh, 2017).
- Hardware: The system will be accessed by the users on desktop and mobile devices. There are also servers involved in the system.
- Software: The web application that has been developed along with the database deployed for information storage for the student grading system.
- Networking Peripherals & Communication Architecture: There are networking equipment, protocols, and communication tools involved that need to be protected.
Organization Risk Profile
The risk profile for the university is low as is it less vulnerable to the risks due to the education domain. It includes the following set of risks and threats that may be carried out on the IT assets.
- User authentication and access control issues: Privacy concerns
- Server Security Risks: Malware attacks
- Software Security Risks: Hacking/data integrity issues, malware attacks
- Network Perimeter Security: Automatic scanning, phishing attempts, target exploit attempts
- End-user PC Security: Malware attacks
Risk Assessment
IT Asset 1: Information stored and handled by the system
There are various risks that are associated with the IT asset as the information. It is the primary asset that will be exposed to the security risks and attacks.
User authentication and access control
This is the security area that is exposed to various security risks and vulnerabilities that may have an adverse impact on the IT asset as the information stored in the student grading system.
The attackers may give shape to the account hacking attacks by breaking the authentication and access control measures and norms applied. This may lead to the exposure of the private and confidential information of the student.
Unauthorized access, data breaches, and leakage of the data sets may come up due to the poor access control measures applied.
Server Security Risks
The data servers will be exposed to malware risks and attacks. There may be physical security attacks that may also come up. The information stored in these servers will be exposed as an outcome.
Software Security Risks
The web application will be exposed to malware attacks, denial of service attacks, data breaches, and data integrity issues (O'Donnell, 2008). The information sets will be directly or indirectly impacted as an outcome.
Network Perimeter Security
The network architecture and protocols will be exposed to the network-based security threats and attacks. These may include phishing attacks, man in the middle attacks, denial of service attacks, malware attacks, and distributed denial of service attacks, message alteration attacks, and media alteration attacks. In all of these attacks, the privacy and confidentiality of the data and information sets will be hampered.
End-user PC Security
The devices which will be used for accessing the system may be exposed to attacks, such as device loss and malware attacks which will have a direct impact on the information sets stored within.
IT Asset 2: Hardware
Server Security Risks
There will be web servers and database servers used in the system and will be kept in the server room. These may be exposed to the physical security attacks if the attackers succeed in breaking through the physical security parameters applied.
End-User PC Security
The PC and the mobile devices that will be used to access the student grading system will also be exposed to the risks of being stolen. The loss or stealing of the device will have sever impacts on the information and the user.
IT Asset 3: Software
Software Security Risks
The software used in the system will be exposed to the risks, such as malware attacks, account hacking issues, target exploitation issues, data breaches, and data integrity issues.
IT Asset 4: Networking Peripherals & Communication Architecture
Network Perimeter Security
The network architecture and protocols will be exposed to the network-based security threats and attacks. These may include phishing attacks, man in the middle attacks, denial of service attacks, malware attacks, and distributed denial of service attacks, message alteration attacks, and media alteration attacks.
Risk Register
A risk register has been prepared for the risks that have been identified above. There is a likelihood and impact score assigned to every risk. The likelihood and impact has been provided and the risk rank has been calculated as per the levels below.
Threat/Vulnerability |
Likelihood |
Consequence |
Level of Risk |
Risk Priority |
Account Hacking & target Exploitation |
Possible |
Major |
Extreme (E) |
8 |
Data Breaches |
Likely |
Catastrophic |
Extreme (E) |
2 |
Data Leakage |
Possible |
Catastrophic |
Extreme (E) |
6 |
Malware attacks |
Almost certain |
Major |
Extreme (E) |
1 |
Device loss |
Rare |
Catastrophic |
High (H) |
10 |
Denial of Service and Distributed Denial of Service |
Likely |
Catastrophic |
Extreme (E) |
3 |
Message and Media Alteration – Data Integrity Attacks |
Possible |
Major |
Extreme (E) |
7 |
Eavesdropping Attacks |
Possible |
Catastrophic |
Extreme (E) |
4 |
Man in the middle attacks |
Possible |
Catastrophic |
Extreme (E) |
5 |
Physical Security risks |
Unlikely |
Catastrophic |
Extreme (E) |
9 |
Security Strategies and Actions
It will be necessary to take certain security actions and adopt strategies to make sure that the risks do not occur and are mitigated and controlled.
Risk Name |
Security Strategy and Actions |
Account Hacking & target Exploitation |
There shall be use of biometric recognition that shall be done for identity management and access control. Multi-path encryption must be used for access control. The authentication measures shall utilize multi-fold authentication wherein the log in to the accounts shall be made possible with the use of one time passwords and face recognition (Jung & Park, 2013). |
Data Breaches |
The data sets stored in the student grading system shall be encrypted so that the attackers do not succeed in capturing the same. There shall be technical security controls used and applied to protect from the security risk. |
Data Leakage |
The data sets stored in the student grading system shall be encrypted so that the attackers do not succeed in capturing the same. There shall be technical security controls used and applied to protect from the security risk. |
Malware attacks |
Anti-malware tools with ransomware protection must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out. |
Device loss |
The devices used by the end-users shall be installed with device tracker id so that the devices may be tracked in the case of loss or stealing. |
Denial of Service and Distributed Denial of Service |
Anti-denial tools must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out (Mahjabin, Xiao, Sun & Jiang, 2017). |
Message and Media Alteration – Data Integrity Attacks |
The data sets stored in the student grading system shall be encrypted so that the attackers do not succeed in capturing the same. There shall be technical security controls used and applied to protect from the security risk (Lin, Yu, Zhang, Yang & Ge, 2018). |
Eavesdropping Attacks |
The network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors shall be installed. |
Man in the middle attacks |
The network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors shall be installed (Wang, 2018). |
Physical Security Risks |
The server rooms must be secured by deploying a security guard at the entrance and the surveillance tools shall be used to keep a track of all the activities. Digital modes of authentication, such as biometric authentication and automated locks shall be used to protect the systems and servers. |
Residual Risks
There are certain risks that may occur in spite of the measures and controls adapted. One such risk is the malware risks and attacks. It is because the attackers are coming up with new forms of malware codes and algorithms to launch the attack on the systems of the end-users. There shall be disaster recovery plan and data backups kept in place so that the impact of the risk may be reduced in the case of its occurrence.
The insider threats and attacks may also occur and may not be possible to be controlled. This is because the internal employees and the members of the staff may knowingly or unknowingly pass the information to the unauthorized entities.
The risks associated with the mobile devices, such as loss or stealing of the devices will also be left since the users may forget their devices at certain location. The devices may fall out of their pockets and such occurrences cannot be controlled.
Risk Name |
Likelihood Level |
Impact Level |
Risk Score |
Malware Attacks |
2 |
4 |
8 |
Insider Threats |
3 |
5 |
15 |
Device Loss or Stealing |
2 |
5 |
10 |
Resources
Hardware Resources
Biometric devices and sensors for the implementation of biometric recognition systems, surveillance tools, such as microphones and video cameras for enhanced physical security, and digital locks and vaults for keeping the devices safe and protected at all times.
Software Resources
The network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors shall be installed. Anti-malware tools with ransomware protection must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out. Anti-denial tools must be installed in the system and shall be integrated so that the regular scanning of the entire system and networks is carried out.
Human Resources
- Chief Information Security Officer (CIO): The resource will be required to develop and implement the IT Security plan and the associated set of policies (Wsj, 2018).
- Security Auditor: It will be essential to carry out security audits and reviews at regular intervals to find out the gaps involved. The improvement measures will be taken on the basis of the results of the audits conducted.
- Security Analyst: The analysis of the network security logs and system logs will be done by the resource to determine the deviations and suspicious activities.
- Implementation Resource: The security strategies and actions will be implemented and monitored by the resource.
Maintenance & Training
The end-users shall be provided with the trainings on the security practices that they shall adopt to prevent and control the attacks from occurring. The users shall also be made aware of the common mistakes that they make which may allow the attackers to give shape to the security attacks. The security team must also be provided with the training on the security strategies that they shall adopt.
The maintenance work will include the installation of the updates and security patches at regular intervals. These will ensure that any of the security vulnerabilities and loopholes are resolved and avoided. The security software, such as anti-malware tools, anti-denial tools, and network-based security controls shall be updated as a part of the maintenance activities (Bays, Oliveira, Barcellos, Gaspary & Mauro Madeira, 2015).
References
Bays, L., Oliveira, R., Barcellos, M., Gaspary, L., & Mauro Madeira, E. (2015). Virtual network security: threats, countermeasures, and challenges. Journal Of Internet Services And Applications, 6(1). doi: 10.1186/s13174-014-0015-z
Huang, H., Zhang, Z., Cheng, H., & Shieh, S. (2017). Web Application Security: Threats, Countermeasures, and Pitfalls. Computer, 50(6), 81-85. doi: 10.1109/mc.2017.183
Jung, K., & Park, S. (2013). Context-Aware Role Based Access Control Using User Relationship. International Journal Of Computer Theory And Engineering, 533-537. doi: 10.7763/ijcte.2013.v5.744
Lin, J., Yu, W., Zhang, N., Yang, X., & Ge, L. (2018). Data Integrity Attacks against Dynamic Route Guidance in Transportation-based Cyber-Physical Systems: Modeling, Analysis, and Defense. IEEE Transactions On Vehicular Technology, 1-1. doi: 10.1109/tvt.2018.2845744
Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal Of Distributed Sensor Networks, 13(12), 155014771774146. doi: 10.1177/1550147717741463
O'Donnell, A. (2008). When Malware Attacks (Anything but Windows). IEEE Security & Privacy Magazine, 6(3), 68-70. doi: 10.1109/msp.2008.78
Wang, Y. (2018). Analysis on the Causes of Network Language Violence and Its Countermeasures. Destech Transactions On Social Science, Education And Human Science, (adess). doi: 10.12783/dtssehs/adess2017/17825
Wsj. (2018). The Growing Role of the CIO. Retrieved from https://www.wsj.com/articles/the-growing-role-of-the-cio-1520992980
Buy 7623Ict | Information And Security Assessment Answers Online
Talk to our expert to get the help with 7623Ict | Information And Security Assessment Answers to complete your assessment on time and boost your grades now
The main aim/motive of the management assignment help services is to get connect with a greater number of students, and effectively help, and support them in getting completing their assignments the students also get find this a wonderful opportunity where they could effectively learn more about their topics, as the experts also have the best team members with them in which all the members effectively support each other to get complete their diploma assignments. They complete the assessments of the students in an appropriate manner and deliver them back to the students before the due date of the assignment so that the students could timely submit this, and can score higher marks.Ă‚Â The experts of the assignment help services at urgenthomework.com are so much skilled, capable, talented, and experienced in their field of programming homework help writing assignments, so, for this, they can effectively write the best economics assignment help services.