Abstract
Organizations and businesses alike rely heavily on information technology to process, relay and store sensitive business data and information. Given the sensitivity and privacy of that information, information security is paramount. A security breach or cyber attack has detrimental impacts on the operation of an organization. It is essential for information security officers and network administrators to adopt proactive and preventive techniques for dealing with threats. Timely reaction to and prevention of possible threats and attacks can be achieved by performing vulnerability assessments. It is also important to model and determine threats so as to be prepared in the event of an attack. Vulnerability assessment helps to identify existing security loopholes and weaknesses in an organization's network and systems as a whole. The threats and vulnerabilities identified through vulnerability assessment should be addressed before they are exploited by malicious attackers.
Introduction
Organizations are increasingly relying on information technology to perform most of their business operations and functions. The extensive and widespread use of information technology in business processes is due to the numerous advantages the technology presents: it has tremendously cut the cost and time of conducting business activities. As with any other technology, there are negative impacts associated with the implementation and use of information technology in business processes. Information technology exposes an organization to certain threats such as cyber attacks.
As defensive mechanisms change, information technology threats and vulnerabilities keep changing as well. It is imperative for an information security officer to be vigilant and on the lookout for new threats (Whitman & Mattord, 2011). Knowledge of existing and novel threats to an organization's network puts the network administrator and information security officer in a better position to deal with those threats effectively and in good time.
Threat modeling and discovery help an organization establish how to prioritize resources and work so as to maximize information security. The process of modeling and discovering threats entails identifying the organization's assets that are most valuable and at highest risk (Vacca, 2012). Threat modeling also involves identifying potential threats to the organization's assets and prioritizing the efforts to mitigate them. Vulnerability assessment, on the other hand, is the process of identifying security loopholes and vulnerabilities in an organization's network and systems with the aim of addressing them before they are exploited by malicious attackers. Both processes are applied to improve an organization's information security, and both fall into the category of preventive measures.
How to model and discover threats
Threat modeling identifies potential threats to the organization's assets and prioritizes the efforts to mitigate them. Continuous network monitoring presents an organization with a constant stream of information and data that can be used to highlight and correct security threats. Threat modeling allows the organization to get ahead of potential threats: it simulates the attacker's behavior so as to anticipate the potential attack. The process helps ensure information security through a preventive approach rather than a reactive one. Threat modeling is the systematic approach of highlighting and rating threats so that organizations can prioritize their resources and work to mitigate them.
Types of threat modeling
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Threat modeling can be done in three different ways: asset-based, attacker-based and software-based. Some current threat modeling techniques employ asset-based threat modeling. One of the most widely used asset-based threat modeling techniques is CERT's OCTAVE. The technique is used to address several questions: which assets require protection, what level of protection they require, the manner in which the assets may be compromised, and the possible impacts should that protection fail (Vacca, 2012).
It is important to note that asset-based threat modeling is largely internally focused: it looks into possible threats and mitigation techniques from within the organization. OCTAVE's asset-based approach focuses primarily on the impact of a compromise rather than on the source of the threat. The required outcome is a prioritized list of threats which can be scrutinized with the aim of assessing their impact.
Open Web Application Security Project
Apart from OCTAVE, the other methods of threat modeling are based on software and are known as software-based threat modeling. Software-based threat modeling forms a significant part of OWASP's threat modeling process (Yang & Wang, 2011). It is a well-formulated approach that allows the user to highlight, quantify and deal with the security risks that result from the use of an application. OWASP's threat modeling process can also be applied to other information systems.
Microsoft’s STRIDE
Additionally, Microsoft's STRIDE presents a threat grouping model as well as a target-oriented outline that reflects the motivation of a malicious attacker. Microsoft's STRIDE targets and addresses different attack methods and threats such as spoofing, tampering, repudiation, information disclosure and elevation of privilege. The threat modeling process presented by this technique addresses the information security attributes of integrity, authentication, confidentiality, non-repudiation, authorization, and availability. Microsoft has also released a software-based threat modeling tool: the Security Development Lifecycle Threat Modeling Tool (SDLTMT).
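The following is an added example, not code from the paper, from CERT or from Microsoft's tool. It combines the two ideas just described: the STRIDE-per-element mapping (which of the six STRIDE categories apply to each kind of data-flow-diagram element) and OCTAVE's required outcome, a prioritized list of threats. The element types, the asset values, the exposure weights, the risk score (asset value times exposure) and the sample customer-portal system are all constructed for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram,
producing a prioritized threat list. Added example; the DFD element-to-threat
table is the standard STRIDE-per-element mapping, everything else is
constructed sample data."""
from dataclasses import dataclass

# STRIDE categories and the security attribute each one violates.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element: which threat categories apply to each DFD element type.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str          # one of PER_ELEMENT's keys
    asset_value: int   # 1 (low) .. 5 (critical): what the business loses if compromised
    exposure: int      # 1 (internal only) .. 5 (Internet-facing, unauthenticated)


@dataclass
class Threat:
    element: str
    category: str
    attribute: str
    score: int


def enumerate_threats(elements):
    """Apply the STRIDE-per-element table to every element and rate each
    threat as asset_value * exposure (a constructed, deliberately simple
    risk score). Returns the list sorted highest risk first."""
    threats = []
    for e in elements:
        if e.kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind: {e.kind}")
        for letter in PER_ELEMENT[e.kind]:
            name, attribute = STRIDE[letter]
            threats.append(Threat(e.name, name, attribute, e.asset_value * e.exposure))
    # Highest score first; ties broken by element and category for a stable report.
    return sorted(threats, key=lambda t: (-t.score, t.element, t.category))


# Constructed sample system: a customer portal with a database behind it.
SAMPLE_SYSTEM = [
    Element("Customer (browser)", "external_entity", asset_value=2, exposure=5),
    Element("Web application", "process", asset_value=4, exposure=5),
    Element("Customer records DB", "data_store", asset_value=5, exposure=2),
    Element("Browser -> web app (HTTPS)", "data_flow", asset_value=3, exposure=5),
]


def report(elements):
    """One formatted line per threat, in priority order."""
    return [f"{t.score:>3}  {t.element:<28} {t.category:<24} ({t.attribute})"
            for t in enumerate_threats(elements)]


if __name__ == "__main__":
    print("risk  element                      STRIDE category          (attribute)")
    for line in report(SAMPLE_SYSTEM):
        print(line)
```

The output is the prioritized list the text calls for: the Internet-facing process collects all six STRIDE categories at the top, the external entity only spoofing and repudiation. In practice the asset value and exposure columns are what the OCTAVE-style asset inventory feeds in.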
Software-based and asset-based threat modeling techniques are built around software and assets respectively; attacker-based threat modeling is built around the motivations of an attacker. While it is imperative for an organization to apply all three threat modeling techniques, it is advisable to focus on one model (Whitman & Mattord, 2011). Attacker-based threat modeling tries to comprehend the motivation and mindset of attackers so as to discover how they might attack a network or system. It is normally considered the opposite of asset-based threat modeling.
The attacker-based threat modeling technique employs a strategic framework to comprehend the motivation and mindset of a malicious attacker. It seeks to discover the goals of the attacker, the possible methods by which an attack could be carried out, and the resources available to achieve it (Zhao & Zhao, 2010). The framework is categorized into three sections: ends, ways, and means. To understand and address possible threats from malicious attackers, the modeling technique employs the OODA (observe, orient, decide, act) loop. Using the OODA loop, the procedure outlines the top strategic priority: to gain and uphold the initiative to maneuver within the attacker's decision cycle (Yang & Wang, 2011).
Apart from preparing friendly forces for defense, the attacker-based threat modeling technique also focuses on examining the attacker's intent and capabilities. Network administrators and information security officers stand a better chance of modeling threats if they know what the attacker wants, the tools at the attacker's disposal and the possible impact an attacker could have on their networks and systems (Whitman & Mattord, 2011). Predictive analysis can be employed in attacker-based threat modeling to anticipate what the attacker may want and what they may attempt against the system.
How to conduct a vulnerability assessment
Vulnerability assessment is a significant process in attaining the security of information, data and an organization's assets. It is the process of identifying possible security loopholes and vulnerabilities within networks and systems (Vacca, 2012). The identified vulnerabilities and security loopholes are then addressed before they are exploited by malicious attackers. Vulnerability assessment entails network penetration testing with the aim of identifying and addressing network security vulnerabilities before attackers exploit them.
There are different methods through which an organization can assess its vulnerabilities. In most cases, vulnerability assessment involves individual security assessment of the various network and system components. Every organization carries some element of risk, ranging from product production to finance (Yeo, 2013). Malicious break-ins into organizations' networks and computer systems are mounting, and the information and asset security that can be attained through technical approaches alone is limited. As a consequence, it is imperative for organizations to adopt preventive approaches.
Vulnerability assessment phases
Vulnerability assessment is done in three phases: conducting the assessment, identifying exposures and addressing exposures. The first phase entails performing the assessment, followed by identifying the vulnerabilities and finally addressing the identified security loopholes. The main objectives of the first phase are planning and conducting the actual vulnerability assessment (Zhao & Zhao, 2010). The planning component involves collecting pertinent information, defining the scope of activities, describing responsibilities and roles, and creating awareness of the vulnerability assessment via the change management process (Yang & Wang, 2011). Performing the assessment entails interviewing network and system administrators, examining the procedures and policies pertinent to the system under evaluation, and security scanning of the system.
Firewall testing
Vulnerability assessment conducted on firewalls attempts to identify and address possible security loopholes in the firewall. Firewalls provide basic security to a network by filtering unwanted network connections from unrecognized sources. Security gaps in the firewall can allow an attacker to gather crucial information about the network and the system, and that information can be used to plan an efficient attack against the organization's network.
The second phase of vulnerability assessment involves a collection of tasks. The data resulting from the security scanning and data gathering processes are reviewed in this phase. After review, the collected data and information are tied into the problem management process, which determines accountability for the issues and resolves the network security issues identified. The third phase of vulnerability assessment attempts to rectify the vulnerabilities and security loopholes identified in the previous phases (Zhao & Zhao, 2010). Before any steps are taken to rectify or resolve the identified vulnerabilities, organizations should investigate whether the services that cause the vulnerabilities are needed by the system. If a service that is causing vulnerabilities is needed, it should be upgraded; upgrading addresses the possible security loopholes in the system (Maynor, 2011).
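As an added example (not from the paper or from any assessment product), here is the second and third phase as a small triage routine: each scan finding is tied to an accountable owner, and the decision between disabling an unneeded service and upgrading a needed one follows the investigation rule just described. The scan findings, the inventory of required services per host and the owner mapping are constructed sample data.

```python
"""Phases two and three of a vulnerability assessment: review scan findings,
assign accountability, and decide between disabling an unneeded service and
upgrading a needed one. Added example with constructed sample data."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    severity: str
    detail: str


@dataclass
class Ticket:
    host: str
    service: str
    severity: str
    owner: str
    action: str   # "disable" | "upgrade" | "accept"
    detail: str


# Constructed inventory: the services each host is required to run.
REQUIRED_SERVICES = {
    "10.0.0.5": {"https"},
    "10.0.0.9": {"ssh", "smtp"},
}

# Constructed ownership map: who is accountable for each host.
OWNERS = {"10.0.0.5": "web-team", "10.0.0.9": "mail-team"}


def decide(finding, required, owners):
    """Investigate first: is the service needed? Only then pick the remedy."""
    owner = owners.get(finding.host, "unassigned")
    if finding.service not in required.get(finding.host, set()):
        action = "disable"   # not needed: remove the exposure entirely
    elif finding.severity in ("critical", "high", "medium"):
        action = "upgrade"   # needed service: patch or upgrade to close the hole
    else:
        action = "accept"    # low severity on a needed service: record and monitor
    return Ticket(finding.host, finding.service, finding.severity,
                  owner, action, finding.detail)


def triage(findings, required=REQUIRED_SERVICES, owners=OWNERS):
    """One ticket per finding, ordered most severe first so remediation
    effort is prioritized (ties broken by host and service)."""
    tickets = [decide(f, required, owners) for f in findings]
    return sorted(tickets, key=lambda t: (-SEVERITY_RANK[t.severity], t.host, t.service))


# Constructed scan results.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", 21, "ftp", "high", "anonymous FTP login permitted"),
    Finding("10.0.0.5", 443, "https", "medium", "TLS 1.0 enabled"),
    Finding("10.0.0.9", 22, "ssh", "low", "banner reveals version"),
    Finding("10.0.0.9", 25, "smtp", "critical", "open relay"),
    Finding("10.0.0.9", 23, "telnet", "critical", "cleartext login service exposed"),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS):
        print(f"[{t.severity:<8}] {t.host:<10} {t.service:<6} -> {t.action:<7} "
              f"owner={t.owner}  ({t.detail})")
```

The point of the `required` inventory is that it forces the investigation step: a critical finding on telnet becomes a "disable" ticket because the host is not supposed to run telnet at all, while the same severity on the required mail service becomes an "upgrade" ticket for the mail team.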
Vulnerability assessment tools
There are tools that an organization can use to perform a vulnerability assessment of its systems and networks. Some of the tools used in vulnerability assessment include Nmap, Nessus, Whisker, Enum and Firewalk. Nmap is a security utility used for network discovery and network security auditing. It can be used to scan enormous networks and single hosts rapidly and accurately (Zhang, Wuwong & Zhang, 2010). Additionally, the tool can establish the number of available hosts, the services running on each host and the operating system used on each host. Nessus, on the other hand, is used as a remote security scanner. It audits a specific network and establishes any weaknesses and potential vulnerabilities within it. The tool launches predefined exploits and reports on the level of success of each exploit launched against the system.
Apart from Nessus and Nmap, vulnerability scanning can be performed with Whisker, a web scanner that scans for known vulnerabilities in web servers. It exposes the URL that caused the event or attack, and it can determine the type of web server running on a system (Zhao & Zhao, 2010). Enum is another tool that can be applied to assess network and system vulnerabilities. It is a console-based Win32 information enumeration utility that can retrieve machine lists, user lists, name lists, share lists, passwords and LSA policy information through null sessions (Maynor, 2011). The tool can also perform an elementary brute-force dictionary attack against different accounts.
Impacts of key cyber threats on organizations
Cyber threats have devastating impacts on organizations as a whole as well as on their business processes. Apart from the loss and exposure of sensitive and private information, cyber threats expose organizations to massive security-related costs. Additionally, cyber threats cause physical and logical damage to organization assets such as system and network components. Security breaches resulting from cyber crime cause an organization under attack to lose clients (Zhang, Wuwong & Zhang, 2010). Cyber threats can expose the sensitive data and information retrieved in a security breach; as a consequence, information security attributes such as privacy and confidentiality are violated.
Organizations that experience security breaches through cyber crime invariably lose sales. Cyber activists perform cyber attacks on organizations with the aim of running them out of business. Cyber threats such as denial of service attacks ensure that the services provided by an organization do not reach their intended users: the organization's systems and services are rendered unavailable to legitimate users, and as a consequence the organization loses clients and thus sales. Numerous organizations and businesses have shut down their services out of concern that they lack adequate protection against cyber-theft. Cyber attacks and threats have more than just a financial impact on an organization; online companies and organizations are forced to change their business operations because of cyber threats.
Conclusion
Information security is an imperative part of the business process in the current market, where information technology is applied in virtually all business processes. Businesses and organizations continue to experience information security threats as information technology advances. It is imperative for network administrators to embrace preventive rather than reactive approaches to information security. Vulnerability assessment enables early detection and mitigation of possible threats so as to prevent their exploitation. Threat modeling likewise gives organizations a head start against attackers, allowing them to anticipate and effectively thwart possible threats.
References
Maynor, D. (2011). Metasploit toolkit for penetration testing, exploit development, and vulnerability research. Elsevier.
Möckel, C., & Abdallah, A. E. (2010, August). Threat modeling approaches and tools for securing architectural designs of an e-banking application. In Information Assurance and Security (IAS), 2010 Sixth International Conference on (pp. 149-154). IEEE.
Vacca, J. R. (2012). Computer and information security handbook. Newnes.
Whitman, M., & Mattord, H. (2011). Principles of information security. Cengage Learning.
Yang, S. C., & Wang, Y. L. (2011). System dynamics based insider threats modeling. International Journal of Network Security and Its Applications, 3(3), 1-14.
Yeo, J. (2013). Using penetration testing to enhance your company's security. Computer Fraud & Security, 2013(4), 17-20.
Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE.
Zhao, J. J., & Zhao, S. Y. (2010). Opportunities and threats: A security assessment of state e-Government websites. Government Information Quarterly, 27(1), 49-56.