BRI Cybersecurity Risk Assessment Example

Published: 2017-12-29 10:58:24
University/College: Vanderbilt University
Type of paper: Essay

Risk assessment in information security

Purpose

This report comprises a careful evaluation of the Bureau of Research and Intelligence (BRI) information systems after the bureau experienced a large cyber attack that led to data leakage and system compromise. The document also demonstrates a risk assessment methodology that follows the NIST SP 800-30 guidelines; the appendix documents the guidelines used to perform the exercise (Sadgrove, K. 2016). This methodology was chosen because any enterprise, regardless of the size of the cyber threat, the size of the company or the sophistication of its information systems, can apply it to evaluate and upgrade its current information security and resilience. NIST SP 800-30 offers several sub-approaches for responding to cyber security risk that are useful in today's complex environment, and its guidelines and standards give the road map needed to perform this risk assessment exercise at BRI. The framework provides:

1. Guidance in describing the organization's current cyber security posture.

2. A description of the target cybersecurity state.

3. Identification and prioritization of improvement opportunities within a repeatable and continuous process.

4. Monitoring of progress toward the target state.

5. A better mechanism for communicating cybersecurity risk to both internal and external stakeholders.

The aim is to complement, not replace, the organization's current risk assessment strategy and cybersecurity policies. Once in place, the framework allows continuous assessment and identification of, and response to, the threats that exist today and those that arise in the future. It examines the flaws in the current cybersecurity system and recommends improvements in the vulnerable areas.

Cybersecurity risk management

The core mission of the Bureau of Research and Intelligence (BRI) is providing intelligence to American diplomats worldwide. Because of an ever-shrinking congressional budget, BRI has been forced to be selective in choosing its information systems and its cyber security policies and frameworks (Sadgrove, K. 2016). As a result it uses sub-standard systems and strategies, and in the past few years it has experienced the following security incidents, as published in the New York Times:

• External attackers compromised the BRI network infrastructure, and the intrusion is ongoing. Information used to support the diplomats was accessed.

• The BRI CIO uses his personal email account for both personal and corporate business.

• The BRI human resources system was compromised: it authorized every user of the system to view other employees' personal data, including sensitive information such as social security numbers, addresses and bank account numbers. After identifying this breach, management sought to destroy any evidence that would implicate them in procuring the sub-standard system.

• A state worker took a corporate-issued notebook containing classified data home; it was stolen and never recovered.

• A BRI contractor employee published classified files to the public, including communications between the President and the diplomats.

• Malware was planted on the information system infrastructure, embarrassing the embassies and putting personnel, assets and missions in foreign states at risk.

Following these findings, a number of risk assessment activities were carried out to evaluate the current threat and the extent of the damage caused by these attacks. This report details the risk assessment carried out on this extensive system, what it looked for, and finally recommendations for using and upgrading the system in future.

Risk management framework

This section covers the following aspects of the risk management framework:

• The agents and their roles in this risk evaluation exercise.

• The risk classification.

• The methodologies and tools used to gather the appropriate information.

Interviews and questionnaires were the main tools used to obtain a broader view of the threats, vulnerabilities, risk impacts and risk likelihoods. This report follows the NIST SP 800-30 risk management guidelines (Sadgrove, K. 2016). The following table shows the risk levels used to identify and classify the risks arising from the BRI incidents.

Risk Score: Risk Explanation

High: Loss of confidentiality, integrity or availability would have a severe or catastrophic effect on enterprise processes, assets and personnel.

Moderate: Loss of confidentiality, integrity or availability would have a serious effect on enterprise processes, assets and personnel.

Low: Loss of confidentiality, integrity or availability would have a limited effect on enterprise processes, assets and personnel.
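As an added illustration of how a NIST SP 800-30 style scale is applied in practice (example code written for this page, not part of the original report or of the standard), the Python below combines a likelihood rating with an impact rating to obtain a risk level and then ranks a set of findings. The five-level lookup table is modelled on the likelihood-by-impact matrix in Appendix I of NIST SP 800-30 Rev. 1 and should be confirmed against the published table before use; the likelihood ratings attached to the BRI findings are assumptions made for the example, since the report records only impact.

```python
"""Likelihood x impact risk scoring in the style of NIST SP 800-30 Rev. 1.

Added example. The matrix is modelled on the assessment scale in
Appendix I (Table I-2) of the standard; confirm it against the published
table before using it for a real assessment.
"""
from dataclasses import dataclass

# Ordered from least to most severe; used for both impact and risk levels.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# RISK_MATRIX[likelihood][index of impact in LEVELS] -> risk level.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair, rejecting unknown ratings."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if impact not in LEVELS:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass(frozen=True)
class Finding:
    ref: int          # row number in the analysis table
    weakness: str
    likelihood: str   # assumed rating: the report records only impact
    impact: str


# Constructed input: the weaknesses from the BRI analysis table with assumed
# likelihood ratings. Impact ratings follow the report's own scores.
BRI_FINDINGS = [
    Finding(1, "sprinkler system in the data warehouse", "Low", "High"),
    Finding(2, "abandoned sessions not terminated", "High", "High"),
    Finding(3, "no role-based authorization", "High", "High"),
    Finding(4, "no VPN encryption", "Moderate", "High"),
    Finding(5, "no patching", "Very High", "High"),
    Finding(6, "weak, password-only authentication", "Very High", "High"),
    Finding(7, "sessions never expire", "High", "Moderate"),
]


def prioritize(findings):
    """Score each finding and return (finding, risk level) pairs, highest risk first.

    Ties keep table order so the output is deterministic.
    """
    severity = {lvl: i for i, lvl in enumerate(LEVELS)}
    scored = [(f, risk_level(f.likelihood, f.impact)) for f in findings]
    return sorted(scored, key=lambda pair: (-severity[pair[1]], pair[0].ref))


if __name__ == "__main__":
    for finding, level in prioritize(BRI_FINDINGS):
        print(f"{level:9} #{finding.ref} {finding.weakness}")
```

Two things the table alone does not show: a High impact does not by itself yield a High risk (the sprinkler finding drops to Low because the threat is unlikely), and unknown ratings are rejected rather than silently mapped, so a typo in an assessment spreadsheet cannot produce a quiet "Very Low".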

System Analysis

• Management and Organizational Practices

From the case study, most BRI embassies do not have robust security policies on their systems, since users are allowed fast administrative access to the database. Users can edit intelligence data at will because no security roles or information classification are defined. The CIO at BRI uses the same email account for both corporate and personal use (Sadgrove, K. 2016). No security audit has been performed on the current system since it was installed. There is no server documentation; system upgrades and patching of the databases and network infrastructure are never a priority for management and system administrators, and when patches are applied they are not tested. Financial analysts are also allowed access to both development and production code.

Risk Level: Moderate

• Personnel Practices

The terms and conditions are vague and do not specify what actions users may take while using the system. Additionally, the system has no robust mechanism for verifying users' credentials at sign-in: users are allowed simple passwords of fewer than eight characters.

Risk Level: High

• System design

The current system has no role-based authorization mechanism. Network login passwords may be shorter than eight characters and need not combine letters, numbers and special characters. Once a user is logged in, the session never expires. Passwords are the sole authentication mechanism; there is no second factor. The database configuration is dangerously simple: the system designer created multiple Oracle databases under one account, so anyone holding the administrator credentials can access every database and edit its settings, because there is no separation of privileges. Worst of all, BRI has no data encryption policy or strategy and no protection for traffic on its VPN. These weaknesses allowed a user to access classified data by aggregating information across the database systems.

Risk Level: High

• Infrastructure Security

Management recently allowed a bring-your-own-device policy without any security guidelines, strategy or policy; the only aim was to let employees feel comfortable at work and at home by letting them work on classified files on their own devices. Employees are also authorized to use corporate devices to view social media such as Twitter and Facebook.

Analysis Evaluation

The following table lists, for each risk, the weakness, the threat that exploits it, the security properties at risk and the resulting impact.

Risk 1
Weakness: Fire-suppression system in the BRI data warehouse.
Threat: High temperatures.
Properties at risk: Availability of BRI systems and information.
Risk impact: High temperature would activate the sprinkler system, causing water damage and compromising the availability of BRI systems.

Risk 2
Weakness: Logged-out or inactive BRI user sessions are not terminated.
Threat: High-level access through abandoned sessions.
Properties at risk: Confidentiality, availability and integrity of BRI information.
Risk impact: Anyone who uses the workstation after the previous user can access BRI information through the still-active session.

Risk 3
Weakness: BRI has no role-based authorization mechanism.
Threat: No access-level classification for users.
Properties at risk: Confidentiality, availability and integrity of BRI information.
Risk impact: Unauthorized access via ad-hoc privileges could compromise the confidentiality and integrity of BRI data.

Risk 4
Weakness: No encryption of data communication over the VPN.
Threat: Unprotected data and communication links are easily intercepted and manipulated.
Properties at risk: Confidentiality, availability and integrity of BRI information.
Risk impact: Interception and manipulation of data in transit across the network and systems.

Risk 5
Weakness: No updates or patches are applied to the system.
Threat: Outdated security strategies and plans; a growing number of unpatched vulnerabilities.
Properties at risk: Confidentiality, availability and integrity of BRI information.
Risk impact: More exploitation of vulnerabilities in the databases and the system network.

Risk 6
Weakness: Weak passwords of fewer than eight characters, and the password is the only authentication factor.
Threat: Easy system access and account manipulation.
Properties at risk: Confidentiality, availability and integrity of BRI information.
Risk impact: Account takeover, manipulation and data breaches.

Risk 7
Weakness: Sessions have no expiry time after login.
Threat: Easy system access and account manipulation.
Properties at risk: Confidentiality, availability and integrity of BRI information.
Risk impact: Account takeover, manipulation and data breaches.
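The password and session weaknesses in rows 2, 6 and 7 of the table, and in the System design section above, are the kind that a small amount of server-side code settles. The Python below is an added example written for this page, not code from the BRI system or from the original report: it rejects passwords that fail a minimum length, appear on a blocklist or are made of too few distinct characters, and it keeps a session store that terminates sessions on logout, after an idle period and after an absolute lifetime. The 12-character minimum, the tiny blocklist (a stand-in for a breached-password list) and the timeout values are assumptions chosen for illustration; the clock is injectable so that expiry can be exercised without waiting.

```python
"""Added example: password-policy check and an expiring session store.

Assumptions, not taken from the report: 12-character minimum, a toy
blocklist standing in for a breached-password list, a 15-minute idle
timeout and an 8-hour absolute session lifetime.
"""
import secrets
import time

MIN_PASSWORD_LENGTH = 12
# Constructed stand-in for a real breached/common-password list.
BLOCKLISTED_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein"}


def password_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list means accepted).

    Length plus a blocklist catches more than a 'letters, numbers and symbols'
    rule alone: a value such as 'P@ssw0rd' satisfies composition rules yet is
    trivially guessable.
    """
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in BLOCKLISTED_PASSWORDS:
        problems.append("appears on the blocklist")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


class SessionStore:
    """In-memory session table with idle timeout, absolute lifetime and real logout."""

    def __init__(self, idle_timeout=15 * 60, absolute_lifetime=8 * 3600, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._sessions = {}           # token -> (user, created_at, last_seen)

    def create(self, user: str) -> str:
        """Open a session and return an unguessable token (256 bits from the OS CSPRNG)."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = (user, now, now)
        return token

    def validate(self, token: str):
        """Return the user for a live session and refresh its idle clock; None otherwise.

        Expired sessions are deleted on sight, so a token that has timed out
        cannot be revived by a later request.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, created_at, last_seen = entry
        now = self.clock()
        if now - created_at > self.absolute_lifetime or now - last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, created_at, now)
        return user

    def logout(self, token: str) -> bool:
        """Terminate the session on the server side; False if it was not live."""
        return self._sessions.pop(token, None) is not None

    def live_count(self) -> int:
        """Number of sessions currently held (expired ones may linger until next use)."""
        return len(self._sessions)
```

The logout path matters as much as the timeouts: row 2 of the table describes sessions that survive a logout, which happens when the client merely discards its cookie while the server keeps the entry. Here `logout` removes the server-side record, so the token is dead even if a later user of the same workstation replays it.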


References

Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. CRC Press.

Hopkin, P. (2014). Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.

Sadgrove, K. (2016). The complete guide to business risks management. Routledge.

Rampini, A. A., Sufi, A., & Viswanathan, S. (2014). Dynamic risk management. Journal of Financial Economics, 111(2), 271-296.

Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management: Review, critique, and research directions. Long range planning, 48(4), 265-276.

Soin, K., & Collier, P. (2013). Risk and risk management in management accounting and control. Management Accounting Research, 24(2), 82-87.

Graubart, R., & Bodeau, D. (2016). The Risk Management Framework and Cyber Resiliency.
