
COM744: Assignment 1

Table of Contents
1. Information Security

2. Information security risks and control strategies

3. Information security technologies

4. Cyber security threats and risk landscape evolving over the years.

5. Legal, Ethical and professional issues related to security and risk management.

6. References
1. Information security
As the modern world runs on information, information security has become one of the main fields of concern in industry. Information security, often abbreviated InfoSec, is the practice of protecting information from unauthorized access, use, disclosure, modification and similar misuse.[1] Information is a valuable asset and exists in both electronic and physical forms: books, papers, electronic records, video, audio and so on. Because the current era is known as the information age, almost every field requires reliable, accurate and up-to-date information. Many studies have attempted to pin down the term "information"; the field that studies it, information science, had its name coined in 1955.[2]
The following are some of the concepts that address the question of what information is.[3]
Information as a representation of knowledge
This concept treats information as stored knowledge, where the medium may be a book or electronic media.
Information as data in the environment
This concept suggests that information can be obtained from many kinds of stimuli and phenomena in the environment, but that an appropriate interpretation is required to understand the message conveyed.
Information as part of the communication process
This concept focuses on people rather than on words or data as the carriers of information, and suggests that timing and social factors play a major role in how information is understood.
Information as a resource or commodity
As information is exchanged between a sender and a receiver, value is added to it.
Because information plays a major role in organizations, information security is of similar importance. A number of computer scientists and researchers have defined security as "the quality or state of being secure, that is, to be free from danger".[4] They also describe several layers of security inside an organization: physical security, which concerns items, objects or areas; personnel security, which concerns the individuals or groups of individuals involved in the organization and its operations; operations security, which concerns the details of particular operations; communications security, which covers communication media, technology and content; and information security, which covers information and its major elements, including the systems and hardware that store and process it.
Information security protects information from various types of threat. The US National Security Telecommunications and Information Systems Security Committee (NSTISSC) frames the need for information security as protecting the value of information to the organization. It identifies two characteristics of information that give it that value: its scarcity outside the organization, and its shareability within the organization. In other words, information has value to the organization only if it gives those who hold it an advantage or utility over those who do not. The aim of information security is therefore to protect the value of information by correctly identifying and protecting these two characteristics, since threats act on the organization's ability to keep information scarce and to share it internally. Information security protects the organization's data while safeguarding the assets and technologies that give the organization its ability to function.

There are three fundamental principles of security: availability, integrity and confidentiality.[4] Together they are commonly called the CIA triad (or AIC triad), after the initials of the three principles. The level of protection required for each principle differs according to the business security goals and requirements of each company, and every threat, vulnerability and hazard can be assessed by its capacity to breach one or more of these three principles.
• Availability
Availability means that information and systems are reachable by authorized users when they need them. An information system that is not available to its authorized users is neither reliable nor useful, so maintaining availability includes maintaining the underlying hardware. Hardware failures, cyber-attacks, human error and insider threats all affect system uptime and therefore availability. If a company website is disrupted, every online customer is affected, leading to dissatisfaction, lost revenue and similar harm. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are among the most common attacks on the availability of websites.
According to the ISTR 2017, 2016 saw some extraordinary cyber-attacks, including multimillion-dollar virtual bank heists, attempts to disrupt the US electoral process, and one of the biggest DDoS attacks ever recorded, powered by a botnet of IoT devices.[7] That botnet, called Mirai, infected routers, security cameras and other low-powered, poorly secured devices. The same report notes a DoS campaign against cloud services in 2016 that served as a warning of how exposed such services are to this kind of attack.
• Confidentiality
Confidentiality refers to the organization's effort to keep its data private by monitoring for and preventing access by unauthorized parties while still granting access to authorized ones. Confidential data carries some degree of sensitivity and may be personal data, such as employee or client records, or business information. Unauthorized parties who obtain such information can damage the company's reputation or gain an advantage over it. Client data in the healthcare industry is one example: healthcare organizations are subject to strict regulations and policies, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States, which gives patients control over their data while obliging organizations to secure it.
Another example is the e-commerce sector, where customers' personal information, including credit card details, must be secured. A number of laws and regulations govern data protection in e-commerce, and they differ by country or region. The General Data Protection Regulation 2016/679 (GDPR), enacted by the European Union (EU), is one of them.
• Integrity
Integrity ensures the authenticity and reliability of data and makes sure it is not corrupted or tampered with. It has three goals: preventing modification of information by unauthorized parties, preventing unintentional or unauthorized modification by authorized parties, and preserving consistency. Put simply, the data received should be exactly the data sent, with nothing added or removed.
One common attack on data integrity is the man-in-the-middle (MITM) attack, in which an attacker intercepts the communication between two parties in order to spy on or tamper with the traffic between sender and receiver. Such attacks are typically used to steal credentials or to interfere with the communication itself. A plain checksum or hash does not defend against this, because an attacker who can rewrite the message can recompute the hash as well; integrity protection against an active attacker needs a keyed construction such as an HMAC or a digital signature.
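The difference between a plain hash and a keyed integrity check is easiest to see with the MITM scenario just described. The following is an added example, not part of the original assignment: it simulates an on-path attacker rewriting a payment instruction. The message, the shared key and the attacker's edit are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed example message: a payment instruction in transit between two parties.
ORIGINAL = b"PAY 1000 GBP TO IBAN GB00EXAMPLE11111111 REF INV-42"
# Secret agreed out of band by sender and receiver (constructed; never hard-code a real key).
SHARED_KEY = b"example-only-shared-key"


def protect_with_hash(message: bytes) -> str:
    """Unkeyed integrity check: a bare SHA-256 digest travels with the message."""
    return hashlib.sha256(message).hexdigest()


def protect_with_hmac(key: bytes, message: bytes) -> str:
    """Keyed integrity check: an HMAC-SHA256 tag that only a key holder can compute."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_hash(message: bytes, digest: str) -> bool:
    """Receiver-side check for the unkeyed scheme."""
    return hmac.compare_digest(protect_with_hash(message), digest)


def receiver_accepts_hmac(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver-side check for the keyed scheme; compare_digest avoids timing leaks."""
    return hmac.compare_digest(protect_with_hmac(key, message), tag)


def mitm_rewrites_iban(message: bytes) -> bytes:
    """The on-path attacker's edit: swap the beneficiary account, keep everything else."""
    return message.replace(b"GB00EXAMPLE11111111", b"GB00ATTACKER9999999")


def attack_against_hash() -> bool:
    """True if the receiver accepts the tampered message when only a hash protects it."""
    tampered = mitm_rewrites_iban(ORIGINAL)
    forged_digest = protect_with_hash(tampered)  # anyone can recompute an unkeyed hash
    return receiver_accepts_hash(tampered, forged_digest)


def attack_against_hmac() -> bool:
    """True if the receiver accepts the tampered message when an HMAC protects it."""
    genuine_tag = protect_with_hmac(SHARED_KEY, ORIGINAL)
    tampered = mitm_rewrites_iban(ORIGINAL)
    # Without SHARED_KEY the attacker can only replay the old tag or tag with a guessed key.
    guessed_tag = protect_with_hmac(b"attacker-guess", tampered)
    return (receiver_accepts_hmac(SHARED_KEY, tampered, genuine_tag)
            or receiver_accepts_hmac(SHARED_KEY, tampered, guessed_tag))


if __name__ == "__main__":
    print("hash-only scheme fooled:", attack_against_hash())  # True
    print("HMAC scheme fooled:", attack_against_hmac())       # False
```

The HMAC proves that the message was produced by a key holder and has not been altered since. It does not hide the content (confidentiality still needs encryption), and it does not by itself stop an attacker replaying an old, validly tagged message; that needs a sequence number or nonce inside the protected data.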

2. Information security risks and control strategies

Information security risk refers to the potential damage to an organization and its stakeholders that an attack on an information system can cause. The associated threats and vulnerabilities are usually tied to information systems, their operation and use, and the environments in which they operate.[5] The main method of mitigating such risk is the selection, implementation, maintenance and continuous monitoring of risk control measures.
To ensure information security, an organization must adopt risk control strategies. These strategies help it identify and neutralize the potential risks an information system faces, and they set out how the organization plans to manage risk. They include the policies, procedures, protocols and standards used to identify, assess, respond to, monitor and control risk. Such strategies are shaped by organizational factors related to strategic planning, including constraints, assumptions and decision-making criteria.
The National Institute of Standards and Technology (NIST) publishes the Risk Management Framework (RMF) to help organizations build risk management strategies. Such a strategy should clearly identify the information flows and decision-making processes involved in managing risk. The RMF consists of the following steps.[6]
Prepare – the organization readies itself to manage security and privacy risk.
Categorize – the information system and the data it processes are categorized according to an impact analysis.
Select – risk control measures for the system are chosen on the basis of a risk assessment.
Implement – the selected controls are put in place.
Assess – the controls are examined to determine whether they are implemented correctly and operating as intended.
Authorize – a senior official makes a risk-based decision on whether the system may operate.
Monitor – the controls and the risks to the system are monitored on an ongoing basis.
Symantec, which operates one of the world's largest civilian threat collection networks, identifies and analyzes information security threats and publishes its findings. Its Internet Security Threat Report gives enterprises, small businesses and consumers insight into the threats they face and how to protect their information systems. The Internet Security Threat Report of April 2017, volume 22,[7] describes several types of security threat, summarized below.
Targeted attacks: espionage, subversion and sabotage.
Since 2016, targeted attacks have shifted from covert activity towards open political subversion. Such attacks were seen around the Ukraine conflict, the US election and the 2016 Olympics, in campaigns that sought to alter public opinion by stealing and leaking data. In the Middle East, attackers deployed the disk-wiping malware Shamoon, spreading it across targeted computers with administration tools such as PsExec and PAExec; once their task was complete, the wiping payload was triggered and the disks were destroyed. The attacks in Ukraine used a Trojan known as KillDisk.
Another use of targeted attacks is economic espionage, most commonly the theft of trade and commercial secrets. Political and other factors influence such activity: for example, the US and China agreed in 2015 not to conduct or support economic espionage against each other, and according to Symantec there is evidence of a decline in activity suspected to originate from China since then.
There are several control measures against targeted attacks. One is to deploy multiple overlapping and mutually supportive defensive systems, including firewalls, gateway antivirus, and intrusion detection and prevention systems (IDS/IPS). Because attackers target vulnerabilities in systems, a vulnerability management process that finds and patches them with vendor updates is essential. Security policies such as encrypting sensitive data at rest and in transit, and enforcing strong, unique passwords, further raise the bar against these attacks.

Email: malware, spam and phishing

Email is a vital communication tool for most organizations, and it is also one of the major sources of security threats. Email threats range from unwanted mail such as spam to dangerous threats such as ransomware and spear-phishing campaigns. According to Symantec, 53% of all email is spam, and a proportion of that spam carries malware; this proportion has grown each year as malware spamming operations have become more professional.
During 2016, the rate of email carrying malware rose from 1 in 220 to 1 in 131, driven by botnets. Botnets were used to deliver campaigns for threats such as Locky, Dridex and TeslaCrypt. Locky and TeslaCrypt are ransomware, while Dridex is a Trojan that steals sensitive information such as banking details.
Another form of email attack is the targeted spear-phishing campaign, most often seen as Business Email Compromise (BEC) scams, also known as CEO fraud or whaling. In a BEC scam, fraudulent emails are sent to an organization's finance staff purporting to come from its CEO or senior management, requesting a large money transfer. These scams are low-tech, requiring little technical expertise, yet very effective. In 2016, an aerospace company fired its CEO after losing 50 million dollars to BEC scammers.
Several information security controls apply to email. A protection stack such as Symantec Endpoint Protection can block malware, and keeping security software up to date helps too. Deleting irrelevant or suspicious emails, particularly those containing unexpected links or attachments, reduces exposure. Practices such as not replying to suspicious emails, not following links in emails to log on to a website unless the email is confirmed to be genuine, and using strong passwords also help to avoid spam and malware attacks.
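To make the email controls above concrete, here is an added example (not from the original assignment and not any vendor's product) of the automated checks a mail gateway can run on a message before it reaches finance staff: a Reply-To domain that differs from the From domain, a link whose visible text names a different host than its href, a script attachment hiding behind a double extension, and pressure wording in the subject. Both sample messages, the corp.example domain and the attacker.test host are constructed.

```python
import email
import os
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a BEC-style lure with a deceptive link and a script attachment.
SAMPLE_EMAIL = b"""\
From: "Jane Doe (CEO)" <jane.doe@corp.example>
Reply-To: <jane.doe.ceo@mail-relay.attacker.test>
To: finance@corp.example
Subject: URGENT wire transfer needed today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please approve the transfer before 5pm via the portal:
<a href="http://corp-example-portal.attacker.test/login">https://portal.corp.example/login</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"

var x = 1;
--b1--
"""

# Constructed sample with nothing suspicious, to show the checks stay quiet.
CLEAN_EMAIL = b"""\
From: Bob <bob@corp.example>
To: finance@corp.example
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

Shall we do 12:30?
"""

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
URGENCY_WORDS = ("urgent", "wire transfer", "immediately")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _domain(header) -> str:
    """Domain of the first address in an address header, or '' if the header is absent."""
    return header.addresses[0].domain.lower() if header and header.addresses else ""


def assess_email(raw: bytes) -> list[str]:
    """Runs the gateway checks; returns findings prefixed with a code (empty list = none fired)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:  # BEC: replies diverted to another domain
        findings.append(f"REPLY_TO_MISMATCH: replies go to {reply_dom}, not {from_dom}")

    subject = str(msg["Subject"] or "")
    if any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(f"URGENCY: subject pressures the reader ({subject})")

    for part in msg.walk():  # deceptive links in HTML bodies
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                if "." in text and " " not in text and _host(text) != _host(href):
                    findings.append(f"LINK_MISMATCH: text shows {_host(text)} but href goes to {_host(href)}")

    for part in msg.iter_attachments():  # executable content, possibly behind a double extension
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if ext.lower() in SCRIPT_EXTENSIONS:
            note = " (double extension)" if os.path.splitext(stem)[1] else ""
            findings.append(f"SCRIPT_ATTACHMENT: {name}{note}")
    return findings
```

These checks are heuristics, not proof: a legitimate mail can trip the urgency rule, and an attacker who registers a look-alike domain and uses it consistently in both From and Reply-To passes the first check. They are useful as gateway signals that route a message to quarantine or add a warning banner, alongside sender authentication (SPF, DKIM, DMARC) and the human controls described above.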
Web attacks and toolkits
As attackers have moved from web toolkits to email as their delivery method, web attacks fell by about a third (32%) during 2016. They still pose a great deal of threat to information security, with Symantec recording an average of more than 229,000 web attacks per day during 2016.
Exploit kits are automated programs built to attack vulnerabilities in information systems or applications. Using a compromised website, attackers can deliver malware to visitors. The most frequently detected exploit kit was Angler, which first appeared in 2013 and incorporated many technical advances, including countermeasures against security products. Angler could download and execute malware directly in memory without writing it to disk. It was mainly used to spread the CryptXXX ransomware, and it began to disappear after the arrest of the Lurk banking fraud group in Russia. Other exploit kits, such as Spartan, RIG and Neutrino, remain in circulation.
Security control measures against exploit kits include regularly assessing websites for vulnerabilities, scanning them for malware, and securing them against threats such as MITM attacks and malware infection. When building a website, plugins also need to be chosen carefully, since they can introduce vulnerabilities.
3. Information security technologies
Information security technologies are the technologies used to protect against information security threats. They are deployed at various points in an information system to enforce security controls over its vulnerabilities; a firewall, for example, manages network traffic, and antivirus software scans programs for viruses.
The following are some of the security technologies used in organizations.[8]
Data Loss Prevention (DLP) software
DLP software inspects sensitive information as it leaves the organization. When data is sent by email, for example, DLP monitors the message body and attachments and prevents sensitive or confidential information from being sent. Examples of DLP products include Code42 and Google Cloud Data Loss Prevention; products such as Arcserve UDP and Barracuda Backup, sometimes listed alongside them, are backup and recovery tools rather than content-inspection DLP.
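As an added example (not from the original assignment or from any of the products named), the following shows the core of an outbound email DLP check: a Luhn-validated search for payment card numbers, so that order or phone numbers do not trigger false positives, plus a classification-marker rule that applies only when the recipient is outside the organization. The corp.example domain, the policy itself and the sample messages are assumptions.

```python
import re

# Assumed organisation domain for the internal-vs-external recipient rule (constructed).
INTERNAL_DOMAINS = {"corp.example"}
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CLASSIFICATION = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Card-like digit runs that also pass Luhn; order and phone numbers usually do not."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_outbound(recipient: str, body: str, attachments: dict[str, bytes]) -> dict:
    """Assumed policy: card numbers never leave by email; classification markers may not go
    to recipients outside INTERNAL_DOMAINS. Returns the action and the reasons for it."""
    external = recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    reasons = []
    contents = [("body", body)] + [(name, data.decode("utf-8", "ignore"))
                                    for name, data in attachments.items()]
    for where, text in contents:
        for pan in find_card_numbers(text):
            reasons.append(f"card number ending {pan[-4:]} in {where}")  # log masked, never the PAN
        if external and CLASSIFICATION.search(text):
            reasons.append(f"classification marker in {where} sent to external recipient")
    return {"action": "block" if reasons else "allow", "external": external, "reasons": reasons}


if __name__ == "__main__":
    # Constructed messages: the first carries a valid test card number, the second an order
    # reference that looks card-like but fails Luhn, the third an internal-only attachment.
    print(scan_outbound("partner@other.example", "please charge 4111 1111 1111 1111", {}))
    print(scan_outbound("bob@corp.example", "order ref 4111 1111 1111 1112", {}))
    print(scan_outbound("partner@other.example", "see attached", {"plan.txt": b"INTERNAL ONLY roadmap"}))
```

Real DLP products add exact-data matching against customer databases, document fingerprinting and OCR of images, but the decision structure is the same: classify the content, look at where it is going, and block or allow with a logged reason that does not itself leak the sensitive value.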
Intrusion Detection System (IDS)
An IDS monitors an organization's traffic and detects malicious activity trying to get in. It inspects traffic and raises an alert when the source or content is found to be malicious or untrusted. Modern IDS products can analyze traffic and identify patterns that indicate a cyber-attack. Examples include Zeek (a network security monitor widely used for intrusion detection), Kismet (for wireless networks) and SolarWinds Security Event Manager (which correlates IDS alerts with other log sources).
Intrusion Prevention System (IPS)
An IPS takes action against traffic that detection logic has labeled malicious, usually by dropping the packets so that they never enter the organization's network. It thus ensures that all traffic entering the network complies with the organization's network policies, allowing the information system to continue operating without interruption. Tools deployed in this role include OSSEC (host-based, with active response) and Sagan, while SIEM products such as Splunk and SolarWinds Security Event Manager can trigger blocking actions through their integrations.
Security Information and Event Management (SIEM) software
When something unusual is found on an organization's network, the SIEM is responsible for raising the alert. It works alongside other tools to keep the network aware of malicious threats and the internal environment protected, it collects and retains the logs generated during network operation, and it acts as the central point for the other security tools that protect the network. Widely used SIEM products include Datadog Security Monitoring, LogPoint, Graylog and ManageEngine Log360.
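The IDS, IPS and SIEM roles above differ mainly in what happens after detection. The following added example (not from the original assignment or from any product named above) runs one brute-force rule over constructed sshd log lines. In detect-only mode it raises an alert and then a higher-severity correlated alert when the same source later logs in successfully, which is the SIEM-style correlation; in enforce mode it drops the source's later events as an IPS would, so the successful login never happens. Hostnames, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format; host, users and addresses are made up.
SAMPLE_LOG = """\
Jan 12 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jan 12 10:00:03 web01 sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51002 ssh2
Jan 12 10:00:05 web01 sshd[2103]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jan 12 10:00:06 web01 sshd[2104]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 12 10:00:08 web01 sshd[2105]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jan 12 10:00:10 web01 sshd[2106]: Failed password for root from 203.0.113.5 port 51005 ssh2
Jan 12 10:00:12 web01 sshd[2107]: Failed password for root from 203.0.113.5 port 51006 ssh2
Jan 12 10:00:40 web01 sshd[2108]: Accepted password for root from 203.0.113.5 port 51007 ssh2
Jan 12 10:05:00 web01 sshd[2109]: Accepted password for alice from 198.51.100.7 port 40023 ssh2
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line: str):
    """Turns one sshd auth line into an event dict, or None for lines the rule ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; strptime defaults to 1900, which is fine for time deltas.
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyze(lines, threshold=5, window_s=60, enforce=False):
    """IDS rule: `threshold` failed logins from one source inside `window_s` seconds.
    SIEM-style correlation: escalate if a flagged source later authenticates successfully.
    IPS behaviour (enforce=True): events from a blocked source are dropped, not processed.
    Returns (alerts, blocklist, dropped_lines)."""
    failures = defaultdict(deque)
    alerts, blocklist, dropped = [], set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, when = ev["ip"], ev["ts"]
        if enforce and ip in blocklist:
            dropped.append(line)
            continue
        if ev["result"] == "Failed":
            recent = failures[ip]
            recent.append(when)
            while (when - recent[0]).total_seconds() > window_s:  # slide the window
                recent.popleft()
            if len(recent) >= threshold and ip not in blocklist:
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce", "ip": ip,
                               "count": len(recent), "at": when.strftime("%H:%M:%S")})
                blocklist.add(ip)
        elif ip in blocklist:  # success from a source already flagged for brute force
            alerts.append({"severity": "high", "rule": "bruteforce_then_success", "ip": ip,
                           "user": ev["user"], "at": when.strftime("%H:%M:%S")})
    return alerts, blocklist, dropped


if __name__ == "__main__":
    for mode in (False, True):
        found, blocked, drops = analyze(SAMPLE_LOG, enforce=mode)
        print(f"enforce={mode}: alerts={[a['rule'] for a in found]} "
              f"blocked={sorted(blocked)} dropped={len(drops)}")
```

The same log produces two alerts in detect-only mode and one in enforce mode, which is the practical trade-off between the two deployments: an IPS stops the follow-on login, while an IDS feeding a SIEM lets the analyst see that the brute force actually succeeded and which account was taken.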
Firewall
A firewall acts as the first layer of protection for a system or network. There are different types of firewall for different applications: network firewalls protect networks from malicious traffic, while web application firewalls secure web applications. A firewall protects the network from unusual traffic and malicious data and opens ports only for authorized communication, blocking everything else. SolarWinds Network Firewall Security Management and ManageEngine Firewall Analyzer are tools for managing and analyzing firewalls, and consumer suites such as System Mechanic Ultimate Defense and Norton include firewall components.
Antivirus software
Another cybersecurity technology is antivirus software, the most common defence against computer viruses, which are malicious programs coded to make a target host or network carry out unintended or unexpected tasks. Deployed across the network, antivirus acts as an endpoint protection tool, and individual devices connected to the network can also have it installed. Antivirus software uses signatures and behavioural or anomaly-based detection to identify malware and take action against it. Commonly used antivirus products include Bitdefender, Norton Security, McAfee, Comodo Internet Security and Malwarebytes.
In addition to these technologies, further information security control measures can be taken. Strong encryption secures data: when data is transferred or communicated, encryption prevents accidental leaks and eavesdropping. Access management, version management and audit logs are also important elements of securing an organization's data.

4. Cyber security threats and risk landscape evolving over the years.
Past data show that the threat landscape is dynamic rather than static.[9] Within a single year there can be many shifts in the nature of cyber-attacks, for various reasons. For example, Angler was the most used exploit kit at the beginning of 2016, but after the arrest of 50 Russian members of the Lurk banking fraud group, Angler attacks vanished as well. Predicting future cyber threats is neither simple nor accurate, because newer technologies are invented that we are not yet aware of; still, some areas of the threat landscape can be anticipated from the data available. Early cybercrime operated in the shadows and was carried out by individuals for personal agendas. Today cybercrime is more organized and more public, and its agendas have grown to include political aims and terrorism. There are also groups and individuals who target financial institutions and other organizations to steal valuable information or large sums of money.
The following data compare cybercrime over the past few years.[7],[10]
The spam rate declined from 60% of all email in 2014 to 53% in both 2015 and 2016, and by 2019 it had dropped to 48%. The phishing rate has also declined over the years: 1 in 965 emails in 2014, 1 in 1,846 in 2015, 1 in 2,596 in 2016, and 1 in 3,207 in 2018. Ransomware, by contrast, has risen since 2015: 340,665 detections in 2015, 463,841 in 2016 and 545,231 in 2018.
The amount of damage done has risen too: the average ransom demand increased from $373 in 2014 to $1,077 in 2016, and by 2018 it had reached about $5,000.
From these figures one might expect the volume of untargeted threats faced by small and medium-sized organizations to fall as phishing and email malware rates decline, while organized attacks by groups or individuals on large financial institutions such as central banks and commercial banks grow, as the rising average ransom suggests that attackers are pursuing higher-value targets.
As technology improves, almost everything is connected, for example through IoT technologies, so these emerging technologies will become more likely targets for cyber-attack. IoT devices have already been turned into botnets for targeted attacks, as with the Mirai botnet. As daily life becomes more digitalized, it offers more hunting grounds to cybercriminals and hackers and poses a bigger threat to human life and society; modern technologies such as self-driving cars are being targeted too. At the same time, advances such as machine learning and deep learning are making defences against cyber threats stronger, with spam email recognition by machine learning algorithms being one example. The bad news is that these technologies are also available to attackers, and there is evidence of AI being used in cyber-attacks, for example in attacks on honeypot systems.

5. Legal, Ethical and professional issues related to security and risk management.
Because information security is a vital part of an organization, a variety of laws, ethics and policies govern it. Laws are sets of rules that are formally adopted and backed by a governing authority, while ethics are sets of accepted behaviours. When an organization formalizes acceptable behaviour, the result is called a policy. Policies can be legally binding, but a person must have read and accepted a policy before being bound by it. The following are some United States laws related to information security.
The Computer Fraud and Abuse Act, established in 1986, is one of the laws that govern threats to computers in general; it defines and formalizes the offences used to counter computer-related crime.[11]
The Computer Security Act of 1987 also governs computer-related threats, but is specific to the information security of federal agencies. It requires that every computer system containing sensitive federal information have a security plan in place.
The Security and Freedom through Encryption (SAFE) Act of 1999 was a bill intended to affirm the right of people to use and sell software that uses or enables encryption; it passed the House of Representatives but was never enacted into law.
Other key laws that protect privacy are the Federal Privacy Act of 1974, the Electronic Communications Privacy Act of 1986, and the Health Insurance Portability and Accountability Act of 1996.
The same law does not, however, apply in the same way in different countries. The United States, for example, is strict on software license infringement, also known as piracy, whereas countries such as the Netherlands are much more permissive, and Asian countries take a moderate attitude. Someone can therefore be penalized differently for the same act in different countries.
When it comes to ethics, an individual's view of ethical practice in computing differs with nationality, region and so on. Deterrence is the usual method of preventing unethical activity, but it requires significant penalties to work. To encourage positive ethics, codes of ethics have been introduced by a number of organizations.
In ethical questions about computing, the individual's perspective on the practical scenario is a major factor, so cultural differences between people change their view of ethical issues.[12] To overcome this, organizations should educate employees on the organization's code of ethics and train them in ethical behaviour, especially in the area of information security. For deterrence against unethical and illegal activity to work, three conditions must be present: fear of the penalty, a real probability of being caught, and a real probability of being penalized. Professional organizations promote professional and ethical behaviour in particular industries; those related to computing and information security include the Association for Computing Machinery (ACM), the Information Systems Security Association (ISSA) and the Information Systems Audit and Control Association (ISACA).
6. References

[1] M. M. Alhassan and A. Adjei-Quaye, "Information Security in an Organization," International Journal of Computer (IJC), pp. 100-116, 2022.
[2] H. Birger, "Theoretical development of information science: A brief history," Journal of Information Science, 2014.
[3] A. D. Madden, "A definition of information," Aslib Proceedings, vol. 52, no. 9, pp. 343-349, Nov. 2000. doi: 10.1108/eum0000000007027.
[4] Y. P. Surwade and H. J. Patil, Information Security, 2019.
[5] S. D. Gantz and D. R. Philpott, "Thinking About Risk," in FISMA and the Risk Management Framework. Elsevier, 2013, pp. 53-78. doi: 10.1016/b978-1-59-749641-4.00003-5.
[6] "NIST Risk Management Framework | CSRC," csrc.nist.gov, 2016. [Online]. Available: https://csrc.nist.gov/projects/risk-management/about-rmf. [Accessed: 15 Jul. 2022].
[7] Symantec, Internet Security Threat Report, vol. 22, Apr. 2017.
[8] "Security Technologies | Top 7 Key Security Technologies," EDUCBA, 2022. [Online]. Available: https://www.educba.com/security-technologies/. [Accessed: 15 Jul. 2022].
[9] "The Evolving Cyber Threat Landscape," Cyber Smart Consulting Ltd, 2022. [Online]. Available: https://cybersmartconsulting.com/cyber-threat-landscape/. [Accessed: 15 Jul. 2022].
[10] Symantec, Internet Security Threat Report, vol. 24, Feb. 2019.
[11] "Legal, Ethical, and Professional Issues in Information Security," BrainKart, 2022. [Online]. Available: https://www.brainkart.com/article/Legal,-Ethical,-and-Professional-Issues-in-Information-Security_7926/. [Accessed: 15 Jul. 2022].
[12] E. Warren, "Legal, Ethical, and Professional Issues in Information Security." [Online]. Available: https://www.cengage.com -> 1111138214_259148.pdf. [Accessed: 15 Jul. 2022].
