List of Figures
Figure 1: Components of Risk Management
Figure 2: Number of organizations attacked by unauthorized users
Management Summary
As part of this report, the current trends in security threats to SMEs were examined. The system components were then categorised, threats identified and prioritized, and vulnerabilities assessed. The assets were prioritized using the weighted factor analysis method. A risk register was prepared with the suggested mitigation activities. The risk control strategies were discussed, and the risk control measures suggested in the risk register were then discussed in turn.
Introduction
Current trends of security threats to SMEs
Small and medium enterprises (SMEs) face the same cyber security threats as large corporations, but without their budgets. Figure 2 in the Appendix shows the trends in cyber-attacks for 2014 and 2015 for large and small organizations. The outcomes of these incidents include corruption or loss of data and hardware, unavailability of service, critical financial loss, and theft of business, confidential or proprietary information, among others.
Categorization of System Components
Keeping in mind the size of the organization, the recommendation is to adopt manual procedures for categorizing and tracking the system components. Based on the preliminary examination, the assets are classified as per Table 1 below.
Threat Identification and Prioritization
A group of employees was selected so that all the departments were represented. A brainstorming session was then conducted to identify the threats that could affect the company. The following threats were identified as possible. They were then ranked on four criteria:
Which of these threats are most likely to occur in the present environment?
Which of the threats represent the most danger to the company’s information assets?
Which of the threats, when it occurs, would cost the company the most to recover from?
Which of the threats require the greatest expenditure to prevent?
The threats were then weighted; the result is shown in Table 2.
Vulnerability Assessment
After the threats and assets had been identified and prioritized, the vulnerability assessment was done using the brainstorming method. This involved examining each information asset and the threats it faced in order to identify the vulnerabilities. Vulnerabilities are the specific paths that threat agents can exploit to attack the information asset. This resulted in a list (Table 3) of the organization’s assets and their vulnerabilities.
Risk Management
Risk management is the process of identifying the risks arising from vulnerabilities and taking measures to reduce their impact on the organization’s assets to an acceptable level. Risk management has three branches: 1) risk identification, 2) risk assessment, and 3) risk control.
Figure 1: Components of Risk Management
Asset Prioritization
After identifying and categorizing the assets, the attributes for tracking each asset are decided and recorded. For hardware, the MAC address, the make and model, and any other attribute that uniquely identifies it are recorded. People are tracked by their employee IDs and positions. Software is tracked by name, version, and number of copies. Data is classified as per Table 1 (sensitive, protected, and public). The information assets are then valued based on their criticality, their revenue generation capability, and their contribution to profitability. It is assessed which of these information assets are the most expensive to replace and the most expensive to protect. The information assets that would cause the most embarrassment or liability if leaked are identified. Table 4 shows the information asset prioritization using Weighted Factor Analysis.
Note: This is along the lines of the weighted factor analysis performed according to NIST SP 800-30.
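The weighted factor analysis used for both the threat ranking (four criteria) and the asset prioritization (three criteria) can be carried out with one small scoring routine. The following is an added example written for this page, not the report's own Tables 2 and 4: the criteria names come from the report, while the weights, the 0.1 to 1.0 score scale, and the sample threats and assets are constructed values.

```python
"""Weighted factor analysis for ranking threats and information assets.

Added example, not part of the original report. The criteria are the ones the
report names (four for threats, three for assets); the weights and the scores
given to each item are constructed sample values, not the report's Tables 2
and 4, which are not reproduced here.
"""
from typing import Dict, List, Tuple

Scores = Dict[str, float]

# Constructed weights for the four threat-ranking criteria. Weights are
# percentages that must sum to 100.
THREAT_WEIGHTS: Dict[str, float] = {
    "likelihood": 30,       # most likely to occur in the present environment
    "danger": 30,           # most danger to the information assets
    "recovery_cost": 20,    # would cost the most to recover from
    "prevention_cost": 20,  # needs the greatest expenditure to prevent
}

# Constructed weights for the three asset-valuation criteria.
ASSET_WEIGHTS: Dict[str, float] = {
    "criticality": 40,
    "revenue": 30,
    "profitability": 30,
}

# Constructed sample scores on a 0.1 (lowest) to 1.0 (highest) scale.
THREATS: Dict[str, Scores] = {
    "Malware infection": {"likelihood": 0.9, "danger": 0.8, "recovery_cost": 0.6, "prevention_cost": 0.3},
    "Phishing": {"likelihood": 0.8, "danger": 0.7, "recovery_cost": 0.5, "prevention_cost": 0.2},
    "Theft of laptop": {"likelihood": 0.6, "danger": 0.7, "recovery_cost": 0.5, "prevention_cost": 0.4},
    "Power failure": {"likelihood": 0.4, "danger": 0.3, "recovery_cost": 0.4, "prevention_cost": 0.5},
}

ASSETS: Dict[str, Scores] = {
    "Customer database": {"criticality": 1.0, "revenue": 0.9, "profitability": 0.8},
    "Public website": {"criticality": 0.5, "revenue": 0.6, "profitability": 0.4},
    "Staff laptops": {"criticality": 0.8, "revenue": 0.3, "profitability": 0.2},
}


def validate_weights(weights: Dict[str, float]) -> None:
    """Reject weight tables that do not sum to 100, which would skew every score."""
    total = sum(weights.values())
    if abs(total - 100) > 1e-9:
        raise ValueError(f"weights must sum to 100, got {total}")


def weighted_score(scores: Scores, weights: Dict[str, float]) -> float:
    """Sum of weight x score over the criteria; missing or out-of-range scores are errors."""
    validate_weights(weights)
    total = 0.0
    for criterion, weight in weights.items():
        if criterion not in scores:
            raise KeyError(f"missing score for criterion '{criterion}'")
        value = scores[criterion]
        if not 0.1 <= value <= 1.0:
            raise ValueError(f"score for '{criterion}' must be between 0.1 and 1.0")
        total += weight * value
    return round(total, 2)


def rank(items: Dict[str, Scores], weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Return (name, weighted score) pairs, highest score first."""
    scored = [(name, weighted_score(scores, weights)) for name, scores in items.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("Threat ranking:")
    for name, score in rank(THREATS, THREAT_WEIGHTS):
        print(f"  {score:6.2f}  {name}")
    print("Asset ranking:")
    for name, score in rank(ASSETS, ASSET_WEIGHTS):
        print(f"  {score:6.2f}  {name}")
```

The weight check matters in practice: a weight table that does not sum to 100 silently inflates or deflates every score, so two rankings produced at different times stop being comparable. The same routine serves the threat table and the asset table because only the criteria and weights differ.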
Risk Register
Risk Control Measures
There can be three types of controls: policies, programs, and technologies. The policies specify the company’s approach to security. The risk control strategies are defending, transferring, mitigating, accepting, and terminating.
The defending control strategy aims to stop the vulnerability from being exploited. This is done by countering threats: limiting access to assets, removing vulnerabilities from the assets, or adding protective safeguards. It is accomplished through the application of policy, education and training, and the application of technology.
The transferring control strategy attempts to shift the risk to other assets. This is accomplished by outsourcing some of the functions or insuring the assets.
The mitigating control strategy tries to reduce the impact of an exploited vulnerability through planning and preparation. This includes a well-thought-out incident response plan and well-tested disaster recovery and business continuity plans.
The accepting control strategy is the strategy where nothing is done to protect the asset and the loss due to exploitation is borne by the organization. This can be a conscious or an unconscious decision. It is normally adopted after a thorough cost-benefit analysis, when no controls are available, or when the asset is not critical.
The terminating control strategy ensures that the organization does not undertake any activity that involves the risk of the vulnerability being exploited. This reduces the risk exposure.
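How a risk register row leads to one of the five strategies above, and how the cost-benefit analysis the report calls for decides whether a control is worth installing, is shown in the following added example. It is not the report's own risk register: the 1 to 5 likelihood and impact scales, the level bands, the order in which the strategy rules are applied, and the four register entries are all constructed for illustration, and using annualized loss expectancy (ALE = SLE x ARO) as the cost-benefit measure is an assumption of this example.

```python
"""Risk register with likelihood-by-impact rating and a cost-benefit check.

Added example, not part of the original report. The 1-5 scales, the level
thresholds, the strategy rules and the register entries are constructed for
illustration. The cost-benefit check uses annualized loss expectancy
(ALE = SLE x ARO); treating that as the report's CBA method is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int              # 1 (negligible) .. 5 (severe), constructed scale
    sle: float               # single loss expectancy per incident (currency units)
    aro_before: float        # expected incidents per year without the control
    aro_after: float         # expected incidents per year with the control
    control: str             # suggested control measure
    control_kind: str        # "defend" (prevent exploitation) or "mitigate" (limit impact)
    control_cost: float      # annual cost of the control
    asset_critical: bool = True      # non-critical assets may simply have their risk accepted
    activity_essential: bool = True  # non-essential activities can be terminated
    transferable: bool = False       # risk can be outsourced or insured


def risk_score(entry: RiskEntry) -> int:
    """Likelihood x impact on the 5x5 matrix (1..25)."""
    if not (1 <= entry.likelihood <= 5 and 1 <= entry.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return entry.likelihood * entry.impact


def risk_level(score: int) -> str:
    """Constructed banding of the 5x5 matrix into High, Medium and Low."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy."""
    return sle * aro


def control_benefit(entry: RiskEntry) -> float:
    """Annual loss avoided minus annual control cost (positive means the control pays off)."""
    return ale(entry.sle, entry.aro_before) - ale(entry.sle, entry.aro_after) - entry.control_cost


def recommend_strategy(entry: RiskEntry) -> str:
    """Pick one of the five strategies; the order of the checks is this example's own choice."""
    if not entry.asset_critical or risk_level(risk_score(entry)) == "Low":
        return "accept"              # conscious acceptance: asset not critical or risk low
    if control_benefit(entry) > 0:
        return entry.control_kind    # defend or mitigate, since the control pays for itself
    if not entry.activity_essential:
        return "terminate"           # drop the risky activity rather than pay for controls
    if entry.transferable:
        return "transfer"            # outsource the function or insure the asset
    return "accept"                  # no affordable control: the loss is borne knowingly


def build_register(entries: List[RiskEntry]) -> List[Dict[str, object]]:
    """Return the register rows sorted from highest to lowest risk score."""
    rows = []
    for e in entries:
        score = risk_score(e)
        rows.append({
            "asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
            "score": score, "level": risk_level(score), "control": e.control,
            "control_benefit": round(control_benefit(e), 2),
            "strategy": recommend_strategy(e),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register entries.
SAMPLE_ENTRIES = [
    RiskEntry("Customer database", "Malware infection", "Unpatched server software",
              4, 5, 50_000, 0.5, 0.1, "Automated patch management and antimalware", "defend", 4_000),
    RiskEntry("Public website", "Denial of service", "No traffic filtering in front of the web server",
              3, 3, 8_000, 0.5, 0.2, "Upstream DoS filtering service", "mitigate", 6_000, transferable=True),
    RiskEntry("Guest Wi-Fi", "Unauthorized network access", "Guest network shares the office LAN",
              3, 4, 10_000, 0.3, 0.1, "Separate guest VLAN with firewall rules", "defend", 5_000,
              activity_essential=False),
    RiskEntry("Printed meeting notes", "Information disclosure", "Notes left on desks",
              2, 2, 500, 1.0, 0.2, "Clean-desk policy", "defend", 200, asset_critical=False),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['score']:>2} {row['level']:<6} {row['strategy']:<9} {row['asset']}: {row['control']}")
```

Two design points are worth noting. First, acceptance is reached in two different ways: deliberately, when the asset is not critical or the risk is low, and as a fallback when no control is affordable, no transfer is possible and the activity cannot be stopped; a register should record which of the two applies, since the second is exactly the "unconscious" acceptance the text warns about. Second, the benefit figure is kept in the row so that the decision can be re-run when a quote for a control changes.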
Controls
The loss of information can damage the reputation of the company. The following controls have to be put in place to prevent the loss of information.
Firewalls are installed so that unwanted and malicious traffic can be regulated; this can be a corporate firewall at the network level as well as personal firewalls installed on each laptop. Antivirus and antimalware software have to be installed on all laptops. These and the other software have to be updated regularly using automated patch management software such as NetChk. The webmail and email server have to be set up to filter malicious mail. Unnecessary applications have to be uninstalled. On the network devices, unused ports have to be blocked and unnecessary services stopped. Wireless traffic is encrypted using WPA2-AES.
Access control to the various databases has to be implemented so that not everybody has access to everything. A policy of least privilege has to be applied, together with need to know: nobody is given access to information unless they need it. There should be restrictions on resource sharing so that the “need to know” and “least privilege” policies are not violated. There should be robust backup and recovery procedures so that data can be easily recovered. The servers used should be single-function servers for robustness. The physical security procedures should be updated so that strict access control measures are implemented. Strong authentication methods have to be used; preferably, multi-factor authentication should be adopted.
Intrusion detection monitoring should be employed. Regular vulnerability scans have to be done to unearth new or existing vulnerabilities, which then have to be addressed quickly. Remote access, if allowed, has to be restricted, encrypted, and protected by strong authentication. Last but not least, the IT staff should be skilled administrators and should perform only IT functions.
Conclusions
The security of a company’s information assets is critical, as the loss of these assets can be devastating for the company. The legal liabilities, as well as the loss of reputation, could destroy a company. To manage these, appropriate risk identification, risk assessment, and risk control measures have to be taken. The installation of a control should be based on a thorough cost-benefit analysis (CBA). The IT staff should stay attentive to existing threats by regularly reading the security bulletins of security firms and acting on them where appropriate. They should look at the best practices of other successful companies and, after thorough analysis, try to implement them in the organization. Every effort should be made to regularly educate employees, contractors and even visitors about safe and unsafe practices so that issues can be minimized.
References
Hampton, M., 2014. Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User? [Online] Available at: http://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user [Accessed 15 April 2016].
HM Government, 2015. 2015 information security breaches survey, London: HM Government.
Hutchings, A., 2012. Computer security threats faced by small businesses in Australia. Trends & issues in crime and criminal justice, February, Volume 433.
Kelly, L., 2016. The top five SME security challenges. [Online] Available at: http://www.computerweekly.com/feature/The-top-five-SME-security-challenges [Accessed 14 April 2016].
Landoll, D. J., 2011. The security risk assessment handbook. 2nd ed. Boca Raton, FL: CRC Press.
Musthaler, B., 2010. Automated patch management for small organizations. [Online] Available at: http://www.networkworld.com/article/2196609/security/automated-patch-management-for-small-organizations.html [Accessed 15 April 2016].
Stoneburner, G., Goguen, Y. A. & Feringa, A., 2002. SP 800-30: Risk management guide for information technology systems. Gaithersburg, MD: NIST.
Weiss, A., 2012. How to prevent DoS attacks. [Online] Available at: http://www.esecurityplanet.com/network-security/how-to-prevent-dos-attacks.html [Accessed 15 April 2016].
Whitman, M. E. & Mattord, H. J., 2012. Principles of information security. 4th ed. Boston, MA: Course Technology.
Appendix
Figure 2: Number of organizations attacked by unauthorized users
Source: , 140 respondents for large organisations and 90 responses for small organisations.