The concept of a physical threat is usually described as an incident that can end up in the loss of sensitive data or serious damage to the company’s information system. On a bigger scale, the threats can be divided into three underlying categories. The first category includes internal hazards that may be represented by issues with power supplies and excessive indoor humidity (this is especially important for the rooms where the hardware is located) (Conklin, 2016).
The second category includes external threats, commonly natural calamities such as earthquakes, floods, and other disasters. The third category relates to the physical threats that may involve theft or vandalism. This type of threat (the human factor) can be associated with the notions of intentional and unintentional errors and illicit infrastructure activities. In addition to the hazards listed above, one can also add terrorism and trip hazards.
These physical threats are characteristic of any given facility. Even though terrorism is not a prevalent threat for the healthcare IT department, there should always be a plan for this particular situation (Weiss & Solomon, 2016). Overall, five key physical threats can be highlighted: hardware issues, natural calamities, theft, terrorism, and trip hazards.
Much more serious problems transpire when we address the issue of logical threats that can impact the given facility. First of all, the most predominant logical security threat is the presence of viruses. The latter usually take the highest spots on the list of the most dangerous threats due to their virtual simplicity and the amount of damage they can do to an information system over a relatively short period of time.
Numerous surveys from different companies show that virus-containing attachments and emails were received by almost 75% of all organizations (Weiss & Solomon, 2016). The problem is even more serious for bigger companies as the number of infected emails and files that they receive throughout the year is approximately 85% out of all organizations. If we address this issue directly, we will see that Trojans and Worms are currently leading the virus market. Viruses caused a total damage of $2 billion over the period of two weeks, and the development of this threat is not going to stop (Tipton & Nozaki, 2016). The second critical threat is the aftermath of being victimized by a virus.
The danger of this threat is real, so it is important to perceive it as a serious problem that should be mitigated one way or another. The problem with the repercussions of being attacked by a virus consists in the fact that viruses are designed in a way that allows them to leave certain backdoors. Later, these loopholes can be used to exploit the weaknesses of the infected system and generate even more vulnerabilities.
If the company fails to patch the backdoor, it will expose itself to a secondary attack and most probably lose the majority of its assets. The issue, in this case, can also be associated with the process of turning the end machines into remote servers that are intended to send out numerous emails (Whitman & Mattord, 2016). This usually ends up in the advent of a Denial of Service attack that negatively influences the server and can be of great assistance to those hackers who are interested in stealing the organization’s sensitive data. Not surprisingly, the attacks become more complex with every passing year (Tipton & Nozaki, 2016).
Here, we can interconnect this logical threat with the human factor because the malicious code can only be employed when it is opened by the end user. Unfortunately, sometimes it is enough simply to open the email in order to become infected and unveil the malevolent code.
Another issue associated with logical threats is the use of application-specific hacks. This particular threat usually leads to outcomes that may include (D)DoS attacks and buffer overflows. One of the most prevalent methods of causing issues by means of hacks is the implementation of SQL injections. The latter become more sophisticated, and there are currently numerous opportunities to cause confusion within a database and grant access to the sensitive data with the use of SQL injections.
Hackers are able to steal the data by means of injecting the malicious code and mixing the classified data with its public counterpart (Conklin, 2016). The most interesting fact about SQL injections is that there are quite a few customers that are willing to pay for the implementation of an adverse SQL injection with the intention of accessing the private data of any given company. The issue should be addressed comprehensively because there are plentiful documented cases of data stealing (even from the DEA) (Weiss & Solomon, 2016).
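The mixing of restricted and public data described above comes from building the query text out of user input. The following is an added example, not part of the original report, that puts the weak query construction beside its parameterized form; the table, column names and rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table holding public and restricted rows (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (name TEXT, note TEXT, restricted INTEGER)")
    db.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [("clinic-hours", "Open 8-17", 0),
         ("patient-4411", "Diagnosis on file", 1)],
    )
    return db

def lookup_concatenated(db, name):
    """Weak form: the input is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT name FROM records WHERE restricted = 0 AND name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, name):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT name FROM records WHERE restricted = 0 AND name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

# Constructed hostile input: the quote ends the string literal early and the
# rest is evaluated as part of the WHERE clause.
HOSTILE_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, HOSTILE_INPUT))
    print("parameterized:", lookup_parameterized(db, HOSTILE_INPUT))
```

With the concatenated query the restricted row is returned alongside the public one; with the bound parameter the same input matches nothing.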
The fourth issue with logical threats is phishing. Despite the fact that the case study focuses on the health care environment, the personal information regarding bank accounts and other financial statements can be used by the criminals in a negative way. For instance, the criminals may send out emails asking the end users to enter their email addresses and passwords in fields that look exactly like those of the trusted sites but redirect to a fake page.
In this case, the users may not even be aware of the fact that they are sharing their sensitive information with scammers (Kim & Solomon, 2016). The last threat is the combination of the threats presented above. This issue is pivotal because hackers may use backdoors so as to create vulnerabilities in the weakest parts of the system while distracting the IT department from a major breach. The problem with these real-time threats is evident and should be addressed by the management right away.
Physical Security Controls
In order to stay protected and make the most out of the available assets, the company will have to implement a number of security control directives. These measures should be in line with the types of physical threats that were outlined in the first chapter of this paper. First of all, we should address the problems connected with the internal factors (Kim & Solomon, 2016). The company should install automatic fire detectors and purchase fire extinguishers that do not function on the basis of water. Also, it may be reasonable to purchase and install several voltage controls so as to evade any issues related to the instability of power supplies.
The level of humidity in the server room should be controlled by an air conditioner. The external threats can be mitigated by the use of a lightning protection system (Tipton & Nozaki, 2016). The latter is not flawless, but it can reduce the chances of the information system being knocked out and losing the personal and organizational information. There are no ways to protect the facility from a flood unless the system is located in high lands. Theft can be prevented by means of ensuring restricted access to the information system and locking the doors. In order to prevent terrorist attacks or hostile behavior, the administration may consider installing a number of alarm buttons.
Logical Security Controls
There are numerous ways to ensure that logical security controls are in place. First of all, it is reasonable to apply several reactive patches and install antivirus software on all the machines (Conklin, 2016). It can also be helpful to set up the firewall. On a bigger scale, these events should be perceived as a standard process and recurrently performed on an annual basis. Nonetheless, the organization should consider applying a number of steps that would help them to prevent attacks instead of merely responding to them.
There are not a lot of activities that are intended to prevent the infection of the machines with Worms and Trojans and subsequent email spamming that leads to malicious attacks. Also, there is a need to come up with a strategy designed to protect the facility from SQL injections and their complex variations (Whitman & Mattord, 2016). It is recommended to apply an additional level of security in order to ensure that the organization is protected. There are three key layers that can be identified as useful when dealing with the five logical threats previously mentioned in the paper. First of all, it is critical to scan the system for any (potentially) malicious activity and monitor all the requests addressed to the database (Kim & Solomon, 2016).
One of the instances of such behavior is the transfer of exceptionally long strings of symbols that may be characteristic of SQL injections. Therefore, a system designed to prevent intrusions should be developed so as to track all the unsanctioned activity that may or may not harm the information system. DoS attacks can also be recognized before damaging the system. In order to spot them, it is necessary to observe all the incoming and outgoing traffic so as to prevent the network from failing (Tipton & Nozaki, 2016).
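A minimal sketch of the two monitoring signals named above, written as an added example that is not part of the original report: it flags exceptionally long request parameters and sources that exceed a request rate. The thresholds, the record layout and the sample requests are assumptions constructed for illustration; parameter length is only a triage signal and does not by itself confirm or rule out an injection attempt.

```python
from collections import Counter

MAX_PARAM_LEN = 64      # assumed limit; tune per input field
MAX_REQ_PER_WINDOW = 5  # assumed per-source limit inside one time window
WINDOW_SECONDS = 10     # assumed window size

# Constructed sample of database-bound requests:
# (timestamp in seconds, source address, parameter value)
SAMPLE_REQUESTS = (
    [(1, "192.0.2.10", "smith"),
     (3, "192.0.2.11", "A" * 200),   # exceptionally long string
     (4, "192.0.2.10", "jones")]
    + [(20 + i, "198.51.100.7", "lee") for i in range(8)]  # burst from one source
)

def flag_long_parameters(requests, max_len=MAX_PARAM_LEN):
    """Return (timestamp, source, length) for every parameter over the limit."""
    return [(ts, src, len(value))
            for ts, src, value in requests
            if len(value) > max_len]

def flag_request_floods(requests, window=WINDOW_SECONDS, limit=MAX_REQ_PER_WINDOW):
    """Return sources that sent more than `limit` requests in any fixed window."""
    counts = Counter((src, ts // window) for ts, src, _ in requests)
    return sorted({src for (src, _), n in counts.items() if n > limit})

if __name__ == "__main__":
    for ts, src, length in flag_long_parameters(SAMPLE_REQUESTS):
        print(f"t={ts}s {src}: parameter of {length} characters")
    for src in flag_request_floods(SAMPLE_REQUESTS):
        print(f"{src}: request rate above {MAX_REQ_PER_WINDOW} per {WINDOW_SECONDS}s")
```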
One of the core responsibilities of the IT department is to test all the software that is used by employees on a daily basis. In this case, the problem may consist in the fact that the majority of coders do not have a security-oriented mindset and simply do their job so as to meet the deadline. Additionally, there is a need to perform penetration testing after the first layer of safety measures has been applied to the information system. One of the instances of such an approach can be the detection of a malicious virus infecting the system (Conklin, 2016).
If the virus used a backdoor, the antivirus structure should deal with it instead of merely removing the virus. It can also be reasonable to interconnect firewall and antivirus so as to be able to resist backdoor entries. The installation of an all-inclusive security management system can also be considered effective (yet complex). It is advised to help the suppliers to make the best use of patch management systems.
Their systematic deployment and update will help the organization to mitigate the adverse effects of persistent logical threats that become even more deceitful with time. The problem with the logical threats described in this paper consists in the fact that there is no universal solution to this aspect of security management (Kim & Solomon, 2016). In order to certify the antivirus protection, the organization may want to utilize special compliance tools so as to ensure that an additional level of defense is in place.
The last thing that is required is an eminent risk assessment strategy. Even though there are numerous business possibilities available online, they are closely related to critical vulnerabilities that can reduce the company’s chances to protect itself from viruses and all the other logical threats (Conklin, 2016). Therefore, the majority of external logical threats can be addressed only when the organization realizes its vulnerabilities.
Addressing the Risks Associated with Physical Threats
The risks that are associated with hardware issues should be addressed with the use of risk mitigation. On a bigger scale, this particular issue should be dealt with in a preventive manner so as to eradicate the occurrence of negative consequences. The leader of the IT department should make sure that all the hardware functions correctly and is set up in a way that will not trigger critical meltdowns.
The risks that relate to natural calamities can be addressed by means of risk acceptance (Whitman & Mattord, 2016). Even though there are ways to protect oneself from the negative consequences of being exposed to flood, lightning, hurricanes, or other disasters, the overall recommendation is to accept the risk and make everything possible to ensure that the department employees merely bear in mind the fact that natural calamities cannot be easily avoided. The level of risk related to theft is rather high due to the prevalence of this type of crimes. Therefore, it is recommended to mitigate the risk by installing special anti-theft mechanisms and locking down the facility whenever possible (Tipton & Nozaki, 2016).
In perspective, the risk of theft will fall down due to the inability to crack the safety measures applied by the organization. The risk of terrorism cannot be avoided or assigned either, so it is pivotal to accept it and make the best effort to mitigate it. The organization may be interested in teaching their employees how to behave in case of a terrorist attack and what can be done to eliminate the threat. It is important to make the employees realize that terrorist attacks are real and cannot be overlooked within the modern business setting (Kim & Solomon, 2016). Trip hazards, in turn, are not as viral as terrorism is, but it is critical to mitigate this risk by means of placing all the cables in a safe manner.
The manager of the IT department should make sure that a fall prevention plan is active and all the cables are securely fixed (meaning that they do not get underfoot). Therefore, it can be concluded that the majority of physical risks experienced by the organization can be mitigated and the working environment can become a lot safer.
Addressing the Risks Associated with Logical Threats
The first logical threat that can be addressed is the presence of virus attacks. The best risk handling strategy, in this case, is risk mitigation because numerous activities can be performed to prevent virus infection and the loss of sensitive data. Moreover, the organization should not evade the risk of being infected because it can be harmful on both short- and long-term scales (Conklin, 2016). Consequently, the value of the damage done by a virus also cannot be ignored.
Nonetheless, the risk of losing the data will have to be accepted because the system was already infected. When it comes to the application-specific threats (also known as hacks), it is pivotal to mitigate the risk. So as to protect the organization from (D)DoS attacks, the IT department will have to come up with a number of ways intended to preserve the data that belongs to the company (for instance, by means of installing firewall and other software that can serve as an obstacle for the hackers’ attacks) (Kim & Solomon, 2016). The next threat that will have to be addressed within the framework of the current project is phishing. It is critical to mitigate this risk as well.
The latter can be done by monitoring the latest news and observing any suspicious activity that transpires within the network. The risk cannot be avoided due to the fact that phishing became rather popular lately and its most complex variations can cause fatal damage to the information system of the organization. To conclude, the combination of two or more logical information security threats cannot be accepted or avoided as well (Conklin, 2016). The problem here consists in the fact that the IT department has to come up with a strategy that will allow the organization to navigate through the threats without being affected by them.
Conklin, A. (2016). Principles of computer security (4th ed.). New York: McGraw-Hill Education.
Kim, D., & Solomon, M. (2016). Fundamentals of information systems security. Burlington, MA: Jones & Bartlett Learning.
Tipton, H. F., & Nozaki, M. K. (2016). Information security management handbook (6th ed.). Boca Raton: CRC Press.
Weiss, M. M., & Solomon, M. G. (2016). Auditing IT infrastructures for compliance. Burlington, MA: Jones & Bartlett Learning.
Whitman, M., & Mattord, H. J. (2016). Management of information security. Boston, MA: Cengage Learning.