ITC595 Information Security: Report on Security Vulnerability
Security professionals need to ensure that they keep up to date with the latest threats and security issues. This allows them to update their risk profiles, such as identifying if their systems are vulnerable. In order to determine what the risk to an organisation is, you need to know what the problems could be.
In this assignment, your task is to identify a recently announced security vulnerability and write a profile of the threat. The profile should contain the name of the threat, the systems it attacks, how it performs its attack, mitigation strategies and concluding reflection on the adequacy of the mitigation strategies. The risk to an organisation using vulnerable systems should also be determined.
Answer:
Introduction
Organisations face new threat scenarios every day. This report provides a threat profile for one of the most recent security threats and vulnerabilities currently facing organisations. The report also provides a detailed description of the vulnerability, its attacks and their prevention.
A threat is anything that has the capability or intention to interrupt the operation, functioning or reliability of an information system or application (John, 2001, pg 25). The term vulnerability refers to a flaw in a system or application that can let an attacker infringe the integrity of that system or application (Vacca, 2013, pg 201). Vulnerabilities include software bugs, viruses or malware and script code injection. A threat profile describes the threats and vulnerabilities that are likely to affect an organisation's information assets and how they may harm, change, distort or in some way prevent services, information and other components within the organisation from being rightfully used or retrieved. For the purposes of this report, the following parameters were used to create the threat profile: threat name, description, threat agent, attack vector, attacked system, threat risk rating and, finally, existing risk mitigation controls.
Threat name: OpenSSL Heartbleed vulnerability (CVE-2014-0160)
Threat description: A severe vulnerability in the OpenSSL cryptographic software library. The vulnerability can allow attackers to retrieve the private memory of an application in chunks of 64K at a time, which might include secret keys, usernames and passwords.
Threat agent: Non-human
Attack vector: TCP/IP transport layer security protocols (TLS)
Asset(s) at risk: Wired and wireless communications using OpenSSL versions 1.0.1 through 1.0.1f
Threat / risk rating: Severe
Exploitation of this vulnerability can lead to:
- Loss of confidential, sensitive or classified data and information to unauthorised persons
- Loss of data integrity through data corruption or destruction of information
- Severe legal actions, unintended expenses, financial losses or damage to an organisation's reputation
Existing risk mitigation control:
- Use the latest OpenSSL versions
- Patching
- Configure OpenSSL to remove support for the Heartbeat protocol using the OPENSSL_NO_HEARTBEATS flag (Ivan, 2014, pg 164)
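An added example, not part of the original report: a triage check that reads the output of the command openssl version -a, flags builds in the 1.0.1 through 1.0.1f range given in the profile, and recognises the OPENSSL_NO_HEARTBEATS mitigation in the listed compiler flags. The host names and sample outputs are constructed for illustration, and the result labels are this example's own.

```python
import re

# Constructed sample output of `openssl version -a`; host names are made up.
SAMPLES = {
    "web01": "OpenSSL 1.0.1e-fips 11 Feb 2013\n"
             "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2\n",
    "web02": "OpenSSL 1.0.1f 6 Jan 2014\n"
             "compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O2\n",
    "web03": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -O2\n",
    "db01": "OpenSSL 1.0.0t 3 Dec 2015\ncompiler: gcc -O2\n",
    "old01": "sh: openssl: command not found\n",
}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}  # 1.0.1 through 1.0.1f
HEARTBEAT_OFF = "-DOPENSSL_NO_HEARTBEATS"  # flag named in the mitigation list


def assess(version_output):
    """Classify one host's `openssl version -a` output."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"  # no version line: cannot rule the host out
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    if branch != (1, 0, 1) or m.group(4) not in AFFECTED_LETTERS:
        return "outside-range"
    # Build-time options are listed on the 'compiler:' line.
    for line in version_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "compiler:" and HEARTBEAT_OFF in fields:
            return "heartbeat-disabled"
    return "vulnerable-range"


def triage(inventory):
    """Return the hosts (sorted) that need follow-up: in range or unknown."""
    return sorted(host for host, out in inventory.items()
                  if assess(out) in ("vulnerable-range", "unknown"))


if __name__ == "__main__":
    for host in sorted(SAMPLES):
        print(f"{host}: {assess(SAMPLES[host])}")
    print("follow up:", triage(SAMPLES))
```

Distribution packages often backport the fix without changing the upstream version string, so a vulnerable-range result is a prompt to check the package's patch level rather than proof of exposure.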
Conclusion
Preparing a threat profile allows an organisation's risk and incident management team to be prepared to handle the threats the organisation might face. The threat profile describes how the threat occurs, which system it attacks, the attack vector and how to mitigate the attack. This detailed information enables the incident management team to put safeguards in place to moderate the risk of anticipated attacks even before they happen.
References
Ivan R. (2014). Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications. Feisty Duck Limited: London
John E.C. (2001). Fundamentals of Network Security. Artech House:
US-CERT (2014). Alert (TA14-098A): OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160). Retrieved August 03, 2017 from https://www.us-cert.gov/ncas/alerts/TA14-098A
Vacca J. R. (2013). Managing Information Security, Second Edition. Elsevier Inc: USA