Discussion 7

Course Name: IAP302

Instructor Name: Hồ Hải
Lab Due Date: 29/6/2021

Group: Nguyễn Ngọc Bảo Long - SE150889

Nguyễn Trần Đại Phước - SE150992
Dương Chí Hùng - SE151235

IOT Risk and Solution

Risk:
- Privacy breach
- Personal Data theft
- Vulnerable to internet if exploit available on device
Vulnerabilities:
- Weak authentication method
- Weak Encryption method
- Firewall Improper configuration
Threat:
- Sensitive Data Exposure
- System Intrusion
- To life itself if device related healthcare or toxic related
Evidence of how important is IoT Security
- Faxploit connected to Fax machine1
- Smart Home Instrusion2
Mitigation solution:
- Use better data encryption
- Implement better firewall rules

1
https://www.checkpoint.com/press/2018/faxploit-new-check-point-research-reveals-criminals-can-target-
company-private-fax-machines-take-networks-spread-malware/
2
'Felt so violated:' Milwaukee couple warns hackers are outsmarting smart homes (fox6now.com)
 - Apply better permissions rules
Disaster Recovery Solution:
- Shut off system immediately after breach, make full audit on device logs
- Prepare backup server if IoT device have a back end
- Have a built in battery in case of battery fail
The importance of having a disaster recovery solution:
- Ensure Availability of the resource
- Decrease the risk of device complete failure which lead to non-functional
system

Hùng:
The importance of having a disaster recovery solution:
- Minimize damage and losses.
- Minimize duration of corruption.
- Continue critical business operations.
- Have plans for each stages of Disaster/Corruption: Pre-disaster, During
disaster, Post-disaster.
Case example for BIA policy creation: Aircraft accident
- We can not know when an aircraft could be trouble. So we have to apply BIA
to analyze all the threats, vulnerabilities especially in IT infrastructure could
harm the system or aircraft that can cause accident. Also, BIA have us know
what processes are the most important in case an accident occurs.
Long:
The importance of having a disaster recovery solution:
- Ensure Availability of the resource.
- Decrease the risk of device complete failure which lead to non-functional
system.
BIA Case:
 - Codes Spaces Incidence3, this incidence had proven that, loss of production
data with backup has lead this company to dust. This company hasn’t take
any measurement to make backup data at somewhere else safe instead it
keeps all data on one service provider Amazon. So, what we can conclude
from this is. Because of improper Business Impact Analysis were made, they
cannot foresee the risk of losing all production data so the Disaster Recovery
Plan didn’t cover this case which lead to this disastrous event.
Phước:
Reason why policies are a requirement for BCP and DRP:
- Determine what went wrong so the problems can be addressed.
- Created and enforced at the organization's discretion, following its industry
and compliance requirements.
- To minimize data loss and restore normal business operations within the
shortest possible time.
- Drastically reduce restore times on the basis of your needs, which would be
completely impossible without using a Disaster Recovery Plans.
- Limit the losses not only in terms of revenues, but even related to, for
example, costs for possible damage caused by downtime and management
or technical assistance expenditure.
Example: Currently, to serve production and business, businesses and
organizations often build their own data centers (Data centers), server rooms
(Server rooms) with configured hardware infrastructure. Powerful, accompanied
by internal backup systems to ensure data safety, improve availability for all
activities of organizations and businesses. However, these systems will become
ineffective when businesses or organizations encounter major disasters that
affect the entire building or geographical area. This is the reason why should we
have Data Recovery Plans.

3
Code Spaces forced to close its doors after security incident | CSO Online
 Assignment 7
Course Name: IAP302
Instructor Name: Hồ Hải
Lab Due Date: 29/6/2021

Group: Nguyễn Ngọc Bảo Long - SE150889

Nguyễn Trần Đại Phước - SE150992
Dương Chí Hùng - SE151235

Policies Who? What? When? Why?

Users will only be given sufficient User Enable Access to Minimize threat of
rights to all systems to enable them access to system unauthorized
to perform their job function. User system access
rights will be kept to a minimum at
all times.

Users requiring access to systems User Discrete Access to Minimize threat of

must make a written application on access to an unauthorized
the forms provided by the I.T application application access
Department.

Where possible no one person will I.T Full-rights No one Implements

have full rights to any system. The Departmen system eligible for Segregation of
I.T. Department will control t access full system purpose
network/server passwords and access
system passwords will be assigned
by the system administrator in the
end-user department.

Access to the network/servers and User System Accessing Implement access

systems will be by individual Access the system control for safety
username and key, or by smartcard
and PIN number/biometric
Usernames and keys must not be User User Using Prevent
shared by users. Credential credential unauthorized
access
Usernames will consist User User On Identification
of initials and surname Credential Credential across organization
Creation
The I.T. Department will be notified User User On Prevent
of all employees leaving the Credential Resignatio unauthorized
Organisations employment. The I.T. n access from
Department will then remove the unused account
employees rights to all systems
Auditing will be implemented on all IT Authentica On attempt Keep track of
systems to record login Departmen tion Audit Login authentication
attempts/failures, successful logins t attempt for
and changes made to all systems. security provision

I.T. Department staff will not login I.T Linux, UNIX Using Prevent
as root on to UNIX, Linux systems, Departmen System System unauthorized user
but will use the su command to t access vulnerability
obtain root privileges of Linux system

Internet and Network Monitoring Technologi Provide unauthoriz Minimize threat of

es’ informatio ed or unauthorized
Informatio n related irregular access on network
n to network behavior
Technology on netowrk
Services
(ITS)
Internet Use Filtering System Personnel Actions Download, Law-breaking,
toward upoad, inappropriate in
unallowed contain, workplace
behavior: display….
racism,
sexual,
etc…
Intentionally circumvent security Personnel Breaching Accessing Inappropriate
mechanisms such as cracking company unauthoriz behavior in
passwords, exploiting system allowed ed organization,
vulnerabilities, or using systems in access of informatio against the
excess of granted privileges informatio n, cracking organization rules,
n others etc,…
password
Intentionally write, compile, copy, Personnel Creating Creating, Against the safety
propagate, execute, or attempt to malicious writing, policy, data leak,
introduce any malicious computer code executing system broken
code designed to self-replicate, malicious down,…
damage, or otherwise hinder the code
performance of any computer
system. Such software may be
referred to as malware virus, worm,
or a Trojan Horse
Personnel inside the organization Personnel Medical Reading, HIPAA Compliance
must use or view the Medical Record Using
Record without owner consent Medical
Record

Personnel must not store any Personnel Medical Storing HIPAA Compliance
Medical Record on private device Record Medical
Record

How information security systems policies can help mitigate risk

- Keep your employees and organization well-known of what risk and how they
occur especially in IT systems.
- Everyone in the organization knows what they have to do and if it is right or not.
- Keep organization away from penalties and fines.