The major aim of this document is to identify some of the vulnerabilities and threats associated with cybersecurity. The report applies a risk assessment approach to the identified vulnerabilities. The risk assessment gives guidelines on how an organization can identify and evaluate its existing cybersecurity controls. There are five key areas that this report focuses on: risk management, cyber controls, cyber incident management and resilience, cybersecurity tools, risk management approach, and risk model.
3.0 List of assets at risk
4.0 Risk management approach
Risk management is the process of identifying, assessing and responding to risk. Managing a cyber-risk means assessing the likelihood of the risk occurring and the potential impact of the event. This is followed by determining the best way to deal with the identified risks, which can be to mitigate, transfer, accept or avoid them. To mitigate a risk means to determine the types of security controls that can be applied. It is important to note that not all risks can be eliminated, and no organization has an unlimited budget. Risk management is the act of managing the effects of uncertainty. A risk management plan is created by the Lead Consultant.
5.0 Risk Assessment based on threats and vulnerabilities
Table 1: Personnel
Role | Responsibility
Lead Consultant | Overseeing the process of risk assessment
Database administrator | Identifying confidential data
Network manager | Identifying network-based attacks
Security manager | Identifying security measures
The techniques used to collect evidence are:
A risk assessment questionnaire
5.1 Risk model
To determine the risks associated with cyber-security, the team used a model for classifying risks.
The model used is:
Risk is the likelihood of the risk occurring multiplied by the magnitude of its impact. (RISK = LIKELIHOOD OF RISK OCCURRING × MAGNITUDE OF IMPACT)
Table 2: The definitions associated with the model
Likelihood | Definition
Low | A threat for which many controls are in place to prevent the attack and to keep the weaknesses from being exploited
Medium | A type of attack whose source is motivated and capable, but there are controls in place to prevent the attack
High | A type of attack whose source is highly motivated and there are not enough controls to prevent the attack
Impact or Magnitude | Definition
Low | Loss of integrity, availability, and confidentiality could be expected to have very minimal adverse effects on the operations of the organization or its assets (an event that is unlikely to occur and, even if it occurs, causes very small or no cost, i.e. it can be absorbed by the organization). Examples: minor financial loss; minimal damage to some of the organization's assets; human error
Medium | Loss of availability, confidentiality and integrity could be expected to have a serious adverse effect on the organization's assets (an event that has a 50-50 chance of occurring and, if it occurs, can be noticed). It is advised that this type of risk be reviewed regularly. Examples: a significant financial loss due to a loss of confidential information; significant damage to some of the organizational assets
High | Loss of confidentiality is said to be very severe (an event that is very likely to occur and, if it occurs, is likely to cause the organization to lose a lot of monetary value). Examples: a severe degradation of the organizational mission; major damage to the organizational assets; the downfall of the organization's network
Table 3: Vulnerability statement
Vulnerability | Description
People (Low) | This was the first weak link for General Motors organizations when it comes to cybersecurity. It arises from phishing emails, social engineering, and clicking on links which turn out to be malware. The organization then becomes a victim of organization email compromise, which usually ends with the company losing some of its secrets. Tackling this issue can be very tricky, but educating employees on the related cyber-crimes is the best method. If employees are reluctant to change, then the General Motors organization can find means of accommodating them without interfering with the normal organization process
Passwords | Most of the organization's employees are unable to keep their passwords safe.
Patch management | Some of the General Motors organizations are unable to keep their software and hardware up to date. Most of the IT managers in General Motors organizations are being hit by the EternalBlue weakness
Missing data encryption | The organizational software is unable to encrypt critical information before it is transmitted or stored, i.e. there is a lack of proper data encryption, which results in a lack of integrity, accountability, and confidentiality
OS command injection | Command injection is a type of attack whose major aim is to execute arbitrary commands on the host OS through a vulnerable application. The common injection vulnerabilities were: SQL, LDAP, XML, and XPath
Buffer overflow | This is a type of attack where an application or a process tries to write more data to a fixed-length block of memory, or buffer, than it can hold. When attackers exploit a buffer overflow they are able to crash processes
Cross-site scripting | This is a type of attack which can be used as a mechanism to deliver an attack to the end user. By successfully exploiting it, a hacker can disclose the end user's session
Downloading of codes without security checks | By downloading code from the internet without cross-checking the source, users can download malware onto the General Motors network
Integrity check | Most of the General Motors systems do not perform sufficient integrity checks on the data that is input into the system
Lack of documentation | Some of the General Motors organizations lacked documentation of their systems, and for those systems that had documentation it was not done in accordance with the laid-down standards
Sensitive data exposure | This is the act of accessing data at rest or data in transit. The data usually accessed is that in backups or user browsing data.
Broken authentication and session management | This is where an attacker exploits a session management and authentication flaw
Security misconfiguration | This is a type of attack which is very dangerous. Some security misconfigurations are: running software which is out of date; running services which are unnecessary; not changing the factory settings; incorrect exception management; using default accounts
Table 4: Threat list and its description
Threat | Description
Un-patched software | This is software that is not up to date. The most common type of attack is against client-side software that remains unpatched
Social engineering Trojans | Social engineering is a way of manipulating people so that they give up confidential information which can later be used to cause an attack. (The confidential information given could be user passwords or usernames)
 | This is a set of computer hacking processes that is usually orchestrated by a certain entity
Network traveling worms |
Phishing | This is a type of attack where an attacker tries to entice a person into providing sensitive information
Malware | This is a type of attack which is designed to harm the computer system
Clone phishing | This is a type of phishing attack where one creates an identical email that contains similar content and attachments in order to send malware
Denial of Service attacks (DoS) | This is a type of attack in which the computing resources of the victim's software are overloaded.
Table 5: Threat statement
Threat-source | Threat actions
Hacker | Social engineering; system break-in; DoS; unauthorized system access; phishing
Computer criminal | System intrusion; identity theft; spoofing
Insiders | Clicking of unknown links; unauthorized system access; malicious code such as viruses; browsing of personally identifiable information
Environment | Fire; natural disaster
6.0 An IT Control framework and any existing industry risk recommendations for the project
6.1 Policy Procedures
The following are policy procedures for an online system:
6.2 Best recommended practice
It is evident that cyber-security is the responsibility of each and every employee in the organization, so as to protect the organization's staff and customers. The best recommended practices are:
6.3 Current evidence supporting the discussion
Data breaches have occurred several times against online systems. Some of the systems that have been breached are Yahoo, which happened in August 2013; Equifax, which caused the organization to lose over 140 million records; TJX Companies, which lost 94 million records in 2006; and Timehop, which lost over 20 million records in July this year. This means that online systems are the targets.
List threat agents
7.1 Issues
Table 6 below shows some of the issues related to the threat agents.
Threat agent | Security | Privacy
Terrorists | Attack on the organization building | N/A
Hackers | Attack on the organization network so as to gather information like confidential credentials | Jam the organization's communication devices so as to cause chaos
Thieves | Attack the organization alarm system with the intention of taking away organization devices | Attack the organization hub
Competitors and organized crimes | Attack organization appliances so as to help grow a criminally funded botnet | Attack sensors like IP phones to snoop on the organization's private conversations
Nation states | Attack a communication device such as a router so as to disrupt the organization's services | Attack sensors such as cameras so as to eavesdrop on communication
Activists | Attack the organizational network and gather information |
7.2 Consequences
The threat agents are clearly differentiated by their ability to execute attacks. We observe that online systems such as that of General Motors have three broad consequence levels, which are low, moderate, and high. A low level means that the threat agent has relatively modest resources and capabilities. Some of these agents include amateur hackers, commercial rivals, and political pressure groups. Moderate-level agents are competent individuals. High-level threat agents are those individuals who have the capability and significant resources.
8.0 Risk impact and mitigation strategies for General Motors online system
Item s/no | Vulnerability/threat source | Existing controls | Likelihood of occurrence | Impact | Risk rating | Observation | Mitigation
1 | Password effectiveness | Most of the organizations had a password which contained alphanumeric characters | Medium | Medium | Medium | User application passwords can be cracked | Use of special characters in combination with alphanumeric characters
2 | Social engineering | Most organizations train their employees on the usage of the internet | Medium | Medium | Medium | The user can be tricked into clicking on a link | Employee awareness of the various current cybersecurity threats
3 | Unpatched software | No controls | Medium | Medium | Medium | Lack of updating organization software | Updating software on a quarterly weekly basis where applicable
4 | Advanced persistent attacks | Firewalls | High | High | High | Hackers perform intelligence gathering from well-known public areas such as Facebook | Ensuring all the security patches are installed and making sure that organization systems are up to date; a layered series of controls so as to achieve defense-in-depth network security
5 | Denial of Service | Installing anti-virus in the organization systems | High | High | High | The rise of botnets, where an attacker gets thousands of computers to launch DoS attacks | Deploying a reverse proxy; over-provisioning bandwidth (having more bandwidth in one web server); employing a DoS specialist who can help in dealing with large DoS attacks
6 | Phishing | Keeping informed about phishing techniques | Medium | Medium | Medium | Users are tricked into clicking links that have malware | Installing an anti-phishing toolbar; thinking before clicking
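The risk model from section 5.1 applied to the register above, as an added example that is not part of the original report. The report defines Low, Medium and High only in words, so the 1 to 3 numeric scale and the score bands used here are assumptions (a common 3x3 matrix convention), and the function names are illustrative.

```python
# Added example: RISK = LIKELIHOOD x IMPACT applied to the section 8 register.
# ASSUMPTION: the 1-3 scale and the score bands are not defined by the report;
# they follow a common 3x3 risk-matrix convention.
LEVEL = {"low": 1, "medium": 2, "high": 3}
BANDS = [(2, "Low"), (4, "Medium"), (9, "High")]  # (upper score bound, rating)

# (item, threat source, likelihood, impact, stated rating) from the register
REGISTER = [
    (1, "Password effectiveness", "medium", "Medium", "Medium"),
    (2, "Social engineering", "Medium", "Medium", "Medium"),
    (3, "Unpatched software", "Medium", "Medium", "Medium"),
    (4, "Advanced persistent attacks", "High", "High", "High"),
    (5, "Denial of Service", "High", "High", "High"),
    (6, "Phishing", "Medium", "Medium", "Medium"),
]

def score(likelihood, impact):
    """Return likelihood x impact; case and whitespace are normalised."""
    try:
        return LEVEL[likelihood.strip().lower()] * LEVEL[impact.strip().lower()]
    except KeyError as bad:
        raise ValueError(f"unknown level {bad}") from None

def rating(likelihood, impact):
    """Map the numeric score onto the Low/Medium/High bands."""
    s = score(likelihood, impact)
    return next(label for upper, label in BANDS if s <= upper)

def audit(register):
    """Return (item, source, stated, computed) where the two ratings disagree."""
    return [(n, src, stated, rating(lik, imp))
            for n, src, lik, imp, stated in register
            if rating(lik, imp).lower() != stated.strip().lower()]

def prioritise(register):
    """Threat sources, highest score first; ties keep register order."""
    ranked = sorted(register, key=lambda row: -score(row[2], row[3]))
    return [row[1] for row in ranked]

if __name__ == "__main__":
    print("rows whose stated rating disagrees with the model:", audit(REGISTER))
    for source in prioritise(REGISTER):
        print(source)
```

Under these assumed bands a High likelihood with a Low impact scores 3 and rates Medium, which is the kind of mixed row the register does not yet contain.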
9.0 Brief summary (Literature Review)
As we all know, cyber-attacks on General Motors organizations are rising at a very high rate. This cyber-security risk assessment report is designed to help General Motors organizations remedy cyber-related risks. This can be done by providing a detailed, in-depth analysis of cyber-related attacks and a risk mitigation strategy that can be adopted by General Motors organizations. Three of the major benefits of this cyber-security assessment report include the following. First, it provides a very clear understanding of the security paradigm. Second, the report provides a clear understanding of cyber-related attacks and provides a risk mitigation plan.
The table below summarizes the components that will be affected with the online system attack
Brief overview of the components affected
A summary of common attacks on the General Motors online system:
The techniques used to collect the evidence of the above attacks
Security policies that General Motor organizations need to develop into their security policy
10.0 Summary of protection mechanism that one would deploy
Guidance Software, on the other hand, recommends that General Motors organizations use new technologies which can find and at the same time map data across the organization. Once the organization is able to map data, it can go ahead and make decisions on how to reduce cyber-related risks and how to govern data. Deloitte recommends that, when dealing with cyber-security, risk management processes follow a capability maturity model approach. According to Deloitte, the model has five levels, which are initial, repeatable, defined, managed, and optimizing.
There are about seven considerations for risk management, which are culture, information sharing, resilience, priorities, cyber hygiene, and threat environment. Culture is where the organization's leaders are required to establish a culture of risk management and cyber-security. Information sharing is where the General Motors shareholders are aware of the risks, especially the shared ones. Priorities is where an organization is required to determine the potential impact of each and every risk. Cyber hygiene, on the other hand, is the practice of focusing on some of the basic activities so as to secure organization infrastructure, reduce risks, and prevent attacks.
10.1 Other protection mechanisms
9.0 Conclusion
One of the components that this report has recommended to General Motors organizations is setting up a risk management system, which is done after assessing the organization's assets. As Citrix recommends, General Motors organizations need to have fully implemented and documented procedures for each and every activity that they create for cyber-related risks. These procedures should be based on industry-leading practices. Some of the procedures that General Motors organizations can take advantage of are software and hardware implementations.