INFORMATION TECHNOLOGY (IT) SECURITY AND VULNERABILITIES
Expounding on the research questions, the first one concern the technical threats to Information Technology (IT) that individuals should be aware of. These are vulnerabilities that can be exploited by attackers to get into a system and orchestrate deliberate. These attackers have serious motives and often come packed with several tricks up their sleeves to perpetrate attacks. Employees ought to be enlightened about them and the most likely techniques they might use.
One of the methods used is social engineering. Social engineering involves accessing users’ information by deceiving them to give it to you. In organizations, employees may be tricked into giving very crucial information that may lead to attack with catastrophic impacts. My questionnaire shall have questions to users on whether such incidences have happened to them whereby someone tried to obtain credential information from them. The questionnaire shall also assess on who they trust online. It will also ask about the steps they can take in the case someone has accessed such credential information. These sort of questions help me discover just how much deceivable employees are and how best to mitigate these attacks.
Phishing is another technical threat whereby attacker poses as a legitimate entity and usually in most cases use emails to request for user usernames and passwords. Once granted this information, the attacker has access to a user’s account and can use it to acquire sensitive information or to perpetrate future attacks. They normally use urgency as a tool to trigger quick and not well thought out decisions by users. To put employees on alert about this, the questionnaire will have questions on whether they have ever been contacted to give out some of their authentication information. It shall also ask on who they might consider contacting in case the information has been stolen. Also, it shall ask if they get emails concerning coupons they can save to get money, whether they get emails with grammatical errors and whether they get requests from friends’ emails to send them money. This information will be used to give tailored recommendations based on the findings.
Another avenue for threats is the use of employee devices and removable storage media in their workplaces. Employee devices such as laptops and storage media such as flash drives may be brought to work by employees and possibly be used to store sensitive information. Some may also carry viruses and introduce them to the previously well-guarded and maintained work computers. Since these devices and media are not subjected to the security controls as organizational devices, they introduce a leak into the organization. They can easily get stolen, misplaced or hacked into and the valuable data be acquired by attackers. This problem will be addressed by looking into whether employees are allowed to bring their own devices, whether they do take office work to their homes and whether they do copy some sensitive information into their own devices or storage media.The findings shall be used to recommend the most viable controls concerning devices and removable storage media.
Another potential area of attack which is the existing security architecture. Is the organization’s intranet protected from the internet, are there existing firewall rules, are some sites blocked, can some sites be accessed only at given times and also which sites the users think should be blocked from access. The questionnaire will also look at the internet usage. There are some sites some employees are not expected to use up a lot of resources visiting. The survey will also assess just who can access the organization internet, are there login procedures and whose responsibility is it to ensure online security.
Software and applications in use by the employees
Software and applications in use by the employees may also be another exploitable area of concern. Trojan horses are malware that masquerades as performing useful tasks but in background perform harmful tasks. Some programs may be used to gather saved passwords, monitor users’ activities, send gathered information to attackers, cause the denial of service, cripple other software such as antiviruses and replicate themselves in entire systems. The questionnaire shall ask employees questions about whether they can install any software on the work computers, do they check for the verification of the software, do they check for the source of the software and also if they prefer freeware or paid software. It shall also ask whether they have experienced anomalies in software functionality and whether they reported the problem.
A Malware is any malicious software that is created with the intention to cause damage or disruption to a single or multiple systems. They include Trojan horses, viruses, and worms. Most of these can be transmitted using attachments, external storage media, downloads or instant messages. Once an employee opens such attachments, storage media or messages, the malware is activated. The questionnaire shall be used to look at the possible exploits that may be used by attackers to transmit this malware. It shall enquire from users whether they might have experienced abnormal computer function after opening attachments or downloads. It will also ask about the state of the antivirus programs installed on the computer and how often they are updated. It will also ask about the sites they download their software and ask whether they have ever received or forwarded suspicious emails from strangers. The questionnaire will also ask them whether they often open emails that have been sent to spam and whether they report these types of emails. This will enable me to assess the vulnerability of employees to these common avenues used by attackers to spread harmful programs and help to put employees on alert concerning them.
Lastly, in technical attacks, category is the access controls in the system. Access controls include measures put in place to ensure that only authorized persons have access to some systems. They include authorization and authentication. Authorization involves giving access privileges to users based on their roles and levels. Authentication includes the use of login systems to access systems.
The questionnaire shall collect data on whether all users have been assigned their respective access rights, whether these rights are sufficient for their roles and who can change these rights. Concerning authentication, it shall inquire the procedure of creation of user accounts, method of delivery of the credentials and who can create or delete user accounts. This information will enable me to give detailed recommendations on these two very critical access controls.
The questionnaire shall be used to also gather information about non-technical threats to information systems. These are risks caused by some weaknesses of the employees of an organization. This will entail information on password policies in use, the implementation of such policies, backup of critical information, physical access rights and the discovered or possible exploits to the controls that are in place. The questionnaire will also ask about the information users have made public on social media such as Facebook and Twitter. This will enable the proper assessment of employee weaknesses.
Password policies are the rules in place by an organization to ensure that users adopt strong passwords and maintain their strength. The questionnaire will ask whether the password policies are in place and use. It will be used to look at the character combinations required for any password. It shall also enquire about maximum and minimum password length and minimum and maximum password age. It will also ask about the recovery procedure for forgotten passwords. It will also ask about the sharing of one’s password with others. The collected information will enable a correct assessment of whether the password policies are adequate in minimizing threats and give recommendations to boost the security of the organization's systems.
As concerns backup of critical information, the questionnaire shall look at whether such information is backed up as a contingency measure in case of catastrophes or breakdowns. It will ask about which information is considered critical to an organization. It shall also look at the backup mechanisms in play; whether it is an online backup or in external storage devices. If it is by use of the latter, the questionnaire will enquire on the storage of such media whether they are encrypted and password protected. It shall also look at the frequency or intervals of the backing up of the information and also inquire about who can access the backed up information and also who can restore the backups in the event of a failure. This will be used to gauge the preparedness of the organization for a failure due to attacks or natural disasters. The findings shall also be used to determine whether the backed up information is also secure from attacks too.
Physical access controls mechanisms
Physical access controls are mechanisms used to limit the access to given areas of the organization where sensitive data is stored and also where critical processes are performed. The questionnaire shall enquire whether there are Closed Circuit Television cameras keeping an eye on the buildings restricted areas. It will also enquire about the presence of guards in restricted areas. It will look at who is allowed in such zones and which clearance level one must have to be granted access. It will also look at the authentication mechanisms of the personnel allowed to access such areas, do they use voice or face scans, biometrics or passwords. These findings will be used to assess whether the restricted areas are properly guarded and whether the persons with access to these areas are verified to be who they are. This will help in drawing recommendations to improve the existing security of these restricted areas.
Over the cause of time, cracks may open up in the security mechanisms that were once effective rendering them ineffective. These may result from laxity of employees mandated with securing the organization or from the discovery of some bugs in systems that can evade the guards put in place. Trap doors are secret undocumented entry points to a system used by their developers. Some poor programmers fail to remove these entry points before handing over software to clients. The questionnaire will ask users whether they have discovered some secret access mechanisms or ‘cheat codes’ enabling them access or perform some restricted functions. It will also look at whether the users have been able to penetrate the system’s security mechanisms and if yes, how they did it. Logic bombs are a piece of code that executes when particular conditions are met. The questionnaire will also ask them whether they had discovered some glitches or abnormal functionalities that were not there when the systems were delivered and whether they have been reported.
Social engineering mechanisms often involve the collection of user information over time to use it to get their trust and thus get them to give them sensitive information such as login credentials or organizational bank accounts information. The payoff from a successful attack is often high and therefore these attackers take the time to gather this information. Social media are one of the places where employees might continually give information to the public that can be used by the attackers. The questionnaire will ask on which type of information employees have made public in social media. It will also enquire about how many friends or followers they have and which information these people can access. It shall then ask about which type of information the employees might have shared in the past, and they think it’s sensitive. It shall also ask about whether employees have used their work emails in any of these social media or whether they have used their personal emails for work functions. This information will be used to gauge the carelessness of employees in safeguarding their private information and also whether they have put into risk organization information in their social media. The findings will also help in giving recommendations that will prevent future social engineering or phishing attacks.