Security Assessment Report Of AO World Plc

The aim of the report

The aim of this report is to address the issues and challenges being faced by the AO world plc organization considering the last IT installation and the operations involved within the activities of the organization. Since the organization is based on online services, it has become a considerable factor for addressing the vulnerabilities related to the challenges and issues in the security of the network. The organization collects many personal and sensitive information of the clients and those data or information are vulnerable to cyber-attack or intrusion. The attempt of this report is to identify the sectors which can be used to affect the integrity, availability,, and confidentiality of the system. The presented security assessment report will be helpful in creating threat profiles of the possible and already identified threats related to the proper and effective functioning of the organization. The security risks associated with the application of the network for the exchange and execution of the operational activities within the AO world can be listed as: Security breaches, data loss, viruses, hacking, and malicious attacks. Virtual Private Network adoption can be helpful for the staffs and the employees to access the data or information saved in the network during off-site. This approach can be helpful in securing the links and protecting the information being exchanged. This report provides an overview of the chosen organization as a case study and based on the thorough research over the organization a security assessment report has been presented. This report is capable of addressing the risks and issues through the application of the OCTAVE methodology in manner to identify the effective threats and issues and present a relative solution for the identified threats. 

AO World plc has been one of the leading online retailer company that is providing various domestic appliances to the citizens of the UK through online platform. Mr. John Roberts founded it in the year 2000 and has implemented latest information technologies for the execution of the operational activities of the organization [3]. The transformation was implemented during 2013, when the organization had invested a big amount for the establishment on new information technology in manner to deliver the products and services to the UK citizens.

The security assessment report presented in the following paragraphs has been conducted through the application of the OCTAVE methodology (Operationally Critical Threat, Asset and Vulnerability Evaluation). It is helpful in systemization and enhancement of the identified security risks those have been analysed and identified in the following security risk assessment [10]. This report will be helpful for the AO to retrieve the sufficing results considering the evaluation of the security despite of using the funds and resources excessively. The proposed methodology will be utilizing the valuable human resources of the AO for the collection of information related to the security issues and improving them for the better an effective handling of the data or information saved in the system [2]. The information will gathered from the following personals of the organization:

Background of AO World plc

According to Software Engineering Institute, OCTAVE “is designed to allow broad assessment of an organization’s operational risk environment with the goal of producing more robust results without the need for extensive risk assessment knowledge [4].”

AO’s IT infrastructure has been originally planned for the operations such as a complete independent for other divisions as a self-governing department including the logistics and the technical [7]. This led to the direct communication between the It department’s chief director and the security department’s chief director in manner to consider the aspects emphasizing on the information and data those have been emitted by the explanations provided on the interview on the medias [12]. Following is the list of the members of the analysis team:

• IT Department, Chief Director
• Security Department, Chief Director
• Senior / Team Supervisor of AO Department
• Communication Network Department, Director
• Assistants of AO Department, Administrative Head [5]
• Senior / Team of product delivery Maintenance Office
• Communication Network Department, Chief Engineer

PSTN Control Cards: Without having actual knowledge about the status of the service interruption and because of the communication network or hardware failure in the network, connecting the users and the organization could possibly lead to interruption in the PTSN Control Card operation status [6]. There are the possibilities of the accidental outage or interruption because of the failures due to the human faults. Following are the security requirements:

Integrity: the authorized technicians of the AO will only be allowed to access the network after verifying through the TDMF entry that is a PIN access code and having unique codes for each cabinets [11]. Other concerning objective is that the organization should be well aware with the activities including the modification, repair and installation through receiving the daily work schedules of the technicians involved in this project.

Confidentiality: Two primary security requirements are firstly, monitoring the service providers and the core network monitoring through the PSTN control card considering the open or close state of the monitoring cabinet door [17]. Secondly, violation related to this procedure without having a prior update to the system will be leading to the alert signalling through standard process.

Availability: There should be always availability of the access to the control card for the authorized individuals and the technicians in manner to enter the cabinet and make the needed changes [15]. Other factor associated with this availability is that it must be connected with the OCS in constant manner in manner to respond to the frequent periodic polling.

Following are the strategies that can be helpful in protecting the system from these threats: firstly, for an instance if the short outage of the control card services do not exceeds the proposed polling period, it will not be causing significant problem [13]. Secondly, standby technicians can be activated, even if there is outage of the power supply as the UPS system will be automatically supplying the power. For any other inconveniences, Mobile Patrol Security can be contacted.

The OCTAVE methodology

Central Administration System (CAS) – OCS, OCIM, VPS, and AO server: The software or hardware failures because of the malfunctioning, destruction or tampering of the power and equipment supply loss those are capable of breaking down or temporary malfunctioning of the system. Following is the list of the security requirements:

Integrity: the administrative assistants will be maintaining all the assets those are helpful in routine maintenance and the inspections.

Confidentiality: The IT department’s Chief Director will be performing the activities related to the configuration and the initial installation of the components those have been included in the CAS [20]. Further modifications will need the approval of the director before making any changes or manipulation in the systems. “Operational status, of all components included, is real time monitoring by Chief Director of IT Department and Administrative Assistants, rotating into standby shifts, providing 24/7/365 QoS. [7].”

Availability: the Central Administration System should have the access to all the assets every time. Following recommendation can be presented as the protection strategies;

AO has been using the SDW cloud vendor in manner to allow temporary components’ breakdown for the real time redundancy. OCS, VPS, KIOSK, and OCIM provides the facility of Server Room (server physical location) that has a two factor authentication mechanism including the fingerprint biometric system and the PIN access system that can be helpful in enhancing the security of the systems and the physical locations [25].  The other components CAS and the connections including the kUI terminals, SDW, and KiND have been protected with the IDS system, VPN tunnelling, and hardware firewalls and these can be represented as the most beneficial approach.

KiND (Keruak Information Network Database): Because of the software or hardware tampering, loss in power supply, and equipment’s destruction, there are the possibilities in the failure of the KiND. Despite of these other factors such as modifications, deliberate or accidental manipulation with the data have the capability to malfunction the whole system including the operational interruptions [18]. Outdoor cabinet of the AO are monitoring the information related to the clients those are personal and sensitive can be easily exposed to every user of the KiND. Following are the security requirements for this issue:

Integrity: It is a considerable factor, that the individuals associated with the organization and its mechanisms should have the knowledge and experience of how to deal with the presented incident scenarios.

Confidentiality: The data or information save din the network should must be categorized at different levels considering the privileges associated with the access of the data [22].

Availability: there should be effectively monitoring on the KUI for 24*7. Following are some of the protection strategies: Firstly, the kUI users entering the Web Application through the application of the authentication mechanism should be classified in different user access groups and should be having the different information access rights. The VPN tunnelling willn be allowing the users to access the kUI despite of considering the facts associated with the unauthorized information leakage.

SDW (Sensage Data Warehouse): Due to the utilization of the SDW cloud services, there is not any approach of performing the qualitative security assessment utilizing the OCTAVE framework. This can be treated as the “black box” due to the unavailability of the knowledge and information associated with the inside assets present in the framework of the AO [21]. However, SDW can be represented as untrusted.

(KiND) Keruak Information Network Database
Concerning Areas	Threat Properties
1. Failure in the hardware due to the tampering of the software caused by the insider.	Access: physical Asset: KiND Actor: insiders Outcome: destruction / loss and interruption Motive: accidental
2. Failure in the retrieving or alteration of the data because of the software tamper Caused by the user either accidentally or intentionally and thus, hampering the entries related to the critical information [24]	Access: physical & network Asset: KiND Actor: insiders Outcome: modification, disclosure, destruction  / loss and interruption Motive: deliberate and accidental
PSTN Control Cards
1. The unauthorised user or technicians breaks the PSTN control card accidentally	Access: physical Asset: PSTN control card Actor: insiders Outcome: Destruction / loss and Interruption Motive: accidental
2. The unauthorised user or technicians permanently set the control card in manner to provide false / negative condition (no intrusion / no alerts)	Access: physical Asset: PSTN control card Actor: insiders Outcome: modification and disclosure Motive: deliberate
3. The cabinet gets breakdown accidentally by an outsider Outsiders (vehicle accident or some sort of similar incidents)	Access: physical and network Asset: PSTN control card Actor: insiders Outcome: Destruction / loss and Interruption Motive: deliberate
4. Vandals or Terrorists damages the outdoor cabinet	Access: physical and network Asset: PSTN control card Actor: outsiders [23] Outcome: Destruction / loss and Interruption Motive: deliberate
5. Technicians or any other authorized personnel accidentally break communication line of the PSTN control card	Access: network Asset: PSTN control card Actor: insiders Outcome: Destruction / loss and Interruption Motive: accidental
6. The unauthorized user or the technicians trap communication line intentionally and thus, blocks the remote access of the PSTN control card	Access: network Asset: PSTN control card Actor: insiders Outcome: Destruction / loss and Interruption Motive: accidental

The major focusing sector will be the information infrastructure of the AO through the examination and determination of the key components related to the technology architecture. This could led to the unauthorized actions against the previously identified critical assets taking into the considerations of the identified technological weaknesses [14]. An unauthorized user for proposing solutions and exploiting the solutions in manner to mitigate or minimize the exploitation caused by these weaknesses could utilize these weaknesses. following paragraph explains the vulnerabilities and related solutions those could be incorporated within the business continuity plan.

Considerable Components	Vulnerabilities in the Technology	Proposed solution
Communication between the AO and its partners and customers	The communication between the personals is being taken by the PSTN through the application of the control card. For the situation such as, total network failure, there will be not any communication between these entities resulting in the unavailability [16] of the information related to the condition of the cabinet. This will be alternatively resulting in the service interruption through deliberately or intentionally.	In manner to have more than one ISPs, additional GSM connectors can be installed via different paths of the communication that will be helpful in providing the redundancy between the communication entities.
Accessing the data or information related to the operational activities of the AO through the KiND Location of the Kind	The data or information saved in the system could be disclosed by an unauthorized user or an unhappy insider and thus, could result in the disclosure of the data to him or her	The approach can be made for the preparation of the new network database, separating it from the KiND that will be helpful in hosting the required and related data or information by the AO those have been installed within the systems of the AO and being maintained by the administrative of the AO [6]
SDW (Sensage Data Warehouse)	The OCTAVE framework methodology is not capable of utilizing the external cloud vendor and the analysis of the real time log data. Thus, it can be represented as untrusted no matter whether it has been tunnelled by the VPN or not or having a firewall	Replacing the SDW redundancy system with another installed AO department that can be easily and effectively managed by the administrators of the AO
Terminal physical location of the new entry KUI users New entry KUI users	There are the possibilities of the physical damage to the physical location of the systems of the KUI users that could led to expose or destruction of data or information related to the AO’s operational activities [23]. There is another assumption as because of the no training provided to the new users, there are the possibilities of the loss or modification of the data or information.	Transferring all the amployees of the KUI within the existing physical location of the AO can be a helpful approach in providing better and effective training. This training should also address the regulations and policies associated with the application of the services.

The purpose of this policy would be to address the security issues identified in the first part of this report and through the implementation for the policies; the AO will be beneficial as follows:

1. Establishing the organization-wide information security framework in manner to safeguard the data or information saved in the system related to the operational activities and including the personal and sensitive information of the individuals in effective and efficient manner.
2. Protecting the stored data or information from unauthorized access in manner to restrict the intruder from exposing, manipulating and deleting the data or information saved in the network that could possibly affect the organization’s reputation [22]. This will stop the intruder from the affecting the privacy and security of the individuals associated with the AO.
3. Protecting the information assets, those have been estimated through the application o the OCTAVE methodology framework in the above sections.
4. Complying with the UK regulations, state and local law, federal, policies and agreements those will be required for the organization in manner to implement thee security safeguards in effective and efficient manner [16].

References

• Cardenas, P. K. Manadhata, and S. P. Rajan, “Big Data Analytics for Security,” IEEE Secur. Priv., vol. 11, no. 6, pp. 74–76, 2013.
• Bechtsoudis and N. Sklavos, “Aiming at higher network security through extensive penetration tests,” IEEE Lat. Am. Trans., vol. 10, no. 3, pp. 1752–1756, 2012.
• Tsohou, M. Karyda, S. Kokolakis, and E. Kiountouzis, “Analyzing trajectories of information security awareness,” Technol. People, vol. 25, no. 3, pp. 327–352, 2012.
• Yassir and S. Nayak, “Cybercrime: A threat to Network Security,” IJCSNS Int. J. Comput. Sci. Netw. Secur., vol. 12, no. 2, pp. 84–88, 2012.
• Joshi and U. K. Singh, “Information security risks management framework – A step towards mitigating security risks in university network,” Inf. Secur. Appl., vol. 35, pp. 128–137, 2017.
• Chuan-Yuh Wang, “A knowledge network production: Ten years of information security research,” African J. Bus. Manag., vol. 6, no. 1, pp. 213–221, 2012.
• Dang-Pham, S. Pittayachawan, and V. Bruno, “Applications of social network analysis in behavioural information security research: Concepts and empirical analysis,” Secur., vol. 68, pp. 1–15, 2017.
• Dang-Pham, S. Pittayachawan, and V. Bruno, “Applying network analysis to investigate interpersonal influence of information security behaviours in the workplace,” Manag., vol. 54, no. 5, pp. 625–637, 2017.
• Dang-Pham, S. Pittayachawan, and V. Bruno, “Exploring behavioral information security networks in an organizational context: An empirical case study,” Inf. Secur. Appl., vol. 34, pp. 46–62, 2017.
• Dang-Pham, S. Pittayachawan, and V. Bruno, “Why employees share information security advice? Exploring the contributing factors and structural patterns of security advice sharing in the workplace,” Comput. Human Behav., vol. 67, pp. 196–206, 2017.
• Elachgar, B. Boulafdour, M. Makoudi, and B. Regragui, “Information security, 4TH wave,” J. Theor. Appl. Inf. Technol., vol. 43, no. 1, pp. 1–7, 2012.
• Shiravi, A. Shiravi, and A. a. Ghorbani, “006 A survey of visualization systems for network security,” IEEE Trans. Vis. Comput. Graph., vol. 18, no. 8, pp. 1313–1329, 2012.
• Shiravi, A. Shiravi, and A. A. Ghorbani, “A survey of visualization systems for network security,” IEEE Transactions on Visualization and Computer Graphics, vol. 18, no. 8. pp. 1313–1329, 2012.
• Aguirre and S. Alonso, “Improving the Automation of Security Information Management: A Collaborative Approach,” IEEE Secur. Priv., vol. 10, no. 1, pp. 55–59, 2012.
• Isaca, “COBIT 5 for information security,” Syst. Audit Control Assoc., 2012.
• Daimi, Computer and network security essentials. 2017.
• Padayachee, “Taxonomy of compliant information security behavior,” Comput. Secur., vol. 31, no. 5, pp. 673–680, 2012.
• Ren, C. Wang, and Q. Wang, “Security challenges for the public cloud,” IEEE Internet Computing, vol. 16, no. 1. pp. 69–73, 2012.
• -L. Hui, W. Hui, and W. T. Yue, “Information Security Outsourcing with System Interdependency and Mandatory Secu.rity Requirement,” J. Manag. Inf. Syst., vol. 29, no. 3, pp. 117–156, 2012.
• E. Whitman and H. J. Mattord, “Principles of information security,” Course Technol., pp. 1–617, 2012.
• V. Pawar and J. Anuradha, “Network security and types of attacks in network,” in Procedia Computer Science, 2015, vol. 48, no. C, pp. 503–506.
• V. Pawar and J. Anuradha, “Network security and types of attacks in network,” in Procedia Computer Science, 2015, vol. 48, no. C, pp. 503–506.
• Rastogi, “Information Security Service Culture – Information Security for End-users,” J. Univers. Comput. Sci., vol. 18, no. 12, pp. 1628–1642, 2012.
• Li, Q. Wang, L. Yang, and X. Luo, “092 The Research on Network Security Visualization Key Technology,” 2012 Fourth Int. Conf. Multimed. Inf. Netw. Secur., pp. 983–988, 2012.
• Zhang, Y. Xiao, M. Chen, J. Zhang, and H. Deng, “A survey of security visualization for computer network logs,” Security and Communication Networks, vol. 5, no. 4. pp. 404–421, 2012.