
Assessment type: Practical and Written Assessment, Individual assignment (2000 words).

Purpose: The purpose of this assignment is to assess the students’ understanding of identifying
risks and vulnerabilities, and their awareness of current industry and research trends in the field of
information security.
Students need to exercise operational, analytical, and critical skills in order to reduce the
potential security risks involved in the given case study: analyse and evaluate the organizational
adoption of security controls, and design solutions for concrete security problems for distributed
applications. This assessment contributes to learning outcomes a, b, c, d.
Value: 35% Due Date: Report submission Week 11; Demonstration Week 12

Submission requirements details: All work must be submitted on Moodle by the due date.
Reference sources must be cited in the text of the report and listed appropriately at the end in a
reference list using Harvard Anglia referencing style.

Assessment topic: Risk identification, assessment and treatment

Task details: This assignment requires you to perform risk identification, assessment and
treatment based on the given case study. You are also required to implement an ethical hack
(one that performs no malicious activity) on your own virtual machine. This is for
demonstration purposes only, focused on the risk identification, assessment and treatment
described above, and you should not run it on any other computer.
The assignment’s specification requires you to use Kali Linux and the related tools to perform the
configuration and testing.

Case Study: A health care center suffers from very low information security maturity
across many elements of infosec and information assurance, including cyber resilience and
the application of cybersecurity good practice. Patients expect a high level of protection of their
data; data breaches can put the reputation of the institute at risk. It is highly
recommended that a certain level of network filtering is imposed so that the network can
withstand threats and attacks.
Let us assume that you are hired by the health care center to develop an information security plan
to identify the possible threats to the organization. For example, it is necessary to identify the
important services (e.g., website, booking portal, electronic health equipment...) that the
healthcare center is running.

The criteria that you need to address based on the given scenario are summarized into two parts:
Part A:
1. Assessing the current risk of the entire business
2. Treat the Risk as much as possible

Task I: Risk Identification


In achieving the above two goals, you will do the following:
1. Find at least five assets
2. Find at least two threats against each asset
3. Identify vulnerabilities for the assets

Task II: Risk Assessment


At the end of the risk identification process, you should have
i) a prioritized list of assets and
ii) a prioritized list of threats facing those assets and
iii) Vulnerabilities of assets.

At this point, create a Threats-Vulnerabilities-Assets (TVA) worksheet. Also, calculate the risk
rating of each of the five triplets out of 25.
Part B:
You are expected to implement one of the attacks that could happen against any of the assets.
For example, if one of the assets is the platform used (e.g., the booking portal), it has a login page
where patients have to enter their username and password. You can assume that the platform is
vulnerable to password-cracking attacks. This assessment requires you to use password crackers
to break passwords.
A password cracker is software designed to break passwords. Use two types of password
cracker (e.g., brute force attack, rule attack or dictionary attack) to extract passwords from
the rainbow table. You are required to first set up a rainbow table and then apply the password
crackers to it.
NOTE: You should not run the attacks on any other systems, as collecting a user’s personal
information without authorization is a cybercrime. Only run the attacks on your own computer or on
benchmark vulnerable websites that are provided for training purposes.
Executive Summary:

This report addresses the need for an information security plan for a healthcare centre, which
currently lacks maturity across several elements of information security and assurance. Patients
expect their data to be protected at all times, and data breaches could harm the institution's
reputation. The report focuses on identifying possible threats to the organization, prioritizing
them, and designing a risk treatment plan. The report also includes an ethical hacking
demonstration using two password-cracking methods.

Introduction:

The healthcare sector relies on a vast amount of sensitive data to provide quality services to
patients. Therefore, it is crucial to ensure the confidentiality, integrity, and availability of this
data. In this scenario, the healthcare center lacks adequate information security and requires a
comprehensive security plan. This report aims to identify potential risks to the organization,
prioritize them, and propose a risk treatment plan to reduce the likelihood and impact of these
risks.

Risk Identification and Assessment Plan:


Asset Identification:
a. Patient records
b. Database systems
c. Website
d. Email Communication
e. Booking Portal
f. Electronic Health Equipment
g. Network Infrastructure
Threats:
1. Systems containing confidential patient information are susceptible to malware attacks.
2. Phishing attacks on employees to gain unauthorized access to systems.
3. Ransomware attacks have the capability to encrypt medical information and ask for a
payment in exchange for its decryption.
4. Insider threats encompass situations where data breaches occur due to the actions of
employees or contractors, whether deliberate or accidental (Davies, 2018).
5. Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks that can disrupt
the availability of the healthcare centre's systems.
6. Unsecured endpoints such as personal devices and laptops that may connect to the
healthcare centre's network.
7. Third-party service providers who may have access to patient data and systems.
8. Unauthorized physical access to the healthcare centre's premises and devices.
Vulnerability Identification:
a. Patient records - Insecure Storage of Data, Lack of encryption and authentication
protocols
b. Database systems - Lack of Security Patches and Updates, Poor Firewall Configuration
c. Website - Weak or No SSL Implementation, Inadequate Input Validation
d. Email Communication - Unencrypted Messages, Low Level Authentication Protocols
e. Booking Portal - Lack of Multi-factor Authentication, Poor User Access Control
Protocols
f. Electronic Health Equipment - Lack of Security Updates, Poor Physical Security
Measures
g. Network Infrastructure - Weak or No Encryption Protocols, Poor Firewall Configuration

At the end of the risk identification process, the healthcare center should have:
i) A prioritized list of assets:
1. Patient Information Database
2. Clinical Application System
3. Electronic Health Equipment
4. Booking Portal
5. Email Communication System
ii) A prioritized list of threats facing those assets:
1. Malware attacks on systems holding sensitive patient data
2. Phishing attacks on employees to gain unauthorized access to systems
3. Ransomware attacks that can encrypt the patient data and demand a ransom for its release
4. Insider threats where employees or contractors may intentionally or unintentionally cause
data breaches
5. Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks that can disrupt
the availability of the healthcare centre's systems
6. Third-party service providers who may have access to patient data and systems
7. Unauthorized physical access to the healthcare centre's premises and devices
8. Unsecured endpoints such as personal devices and laptops that may connect to the
healthcare center’s network

iii) Vulnerabilities of assets:


1. Outdated software and systems
2. Weak passwords and lack of password policies
3. Unpatched security vulnerabilities in software and systems
4. Insufficient security controls and policies for remote access and BYOD
5. Inadequate security training and awareness for employees
6. Lack of regular backups and disaster recovery plans
7. Inadequate physical security measures such as access control and surveillance systems
8. Inadequate logging and monitoring of systems and network activities

Threats-Vulnerabilities-Assets (TVA) Worksheet:


Triplet (Asset - Threat - Vulnerability)              Risk Rating (Out of 25)
EHE - Unauthorized Access - Weak Passwords            17
BP - DoS Attack - SQL Injection Vulnerabilities       14
PID - Insider Threats - Lack of Encryption            18
ECS - Phishing Attacks - Lack of Encryption           15
CAS - XSS Attacks - Insufficient Input Validation     20

Asset abbreviations follow the prioritized asset list above: PID = Patient Information Database,
CAS = Clinical Application System, EHE = Electronic Health Equipment, BP = Booking Portal,
ECS = Email Communication System.

Analysis:

Ensuring the security of patient information is a crucial aspect of every healthcare system, since
the system is responsible for safeguarding the confidentiality and accuracy of such data. Healthcare
establishments keep a great deal of confidential data such as financial records, medical records,
and other sensitive documents. It is crucial for healthcare establishments to ensure that their
information security measures are up to date and effective in safeguarding patient data against
unauthorized access or cyber-attacks (Sheth et al., 2021).

An all-inclusive plan for safeguarding information is a necessity for every healthcare
establishment. A well-crafted strategy must pinpoint the crucial resources of the company,
possible hazards that could jeopardize these resources, weaknesses that could be used by
malicious individuals, and preventive measures that can mitigate risks and safeguard patient
information.

To create a successful information security strategy, the initial step involves recognizing and
pinpointing all crucial resources of the establishment (Kosutic, 2021). In the presented study, the
assets that have been recognized consist of various items, such as patient information files,
databases, webpages, electronic messaging networks, scheduling platforms, electronic medical
machinery, and overall network systems. Every asset is a possible entry point for
malicious individuals seeking unapproved access to medical information, and it should be
safeguarded accordingly.

After pinpointing the assets, it is necessary to determine the potential dangers that may pose a
threat to each asset. The risks posed to assets can differ greatly, but generally
comprise activities such as cyber attacks, malware infiltration attempts, phishing schemes, spam
correspondence, equipment damage, and software failures. It is crucial to acknowledge that all of
these risks have the potential to cause unauthorized access to patient information, thereby
exposing the organization to severe repercussions (Seh et al., 2020).

Once the potential risks are identified, it is important to determine the vulnerabilities associated
with each asset. Vulnerabilities are weaknesses within an organization's security systems that
malicious individuals may exploit. Several vulnerabilities can be observed, such as data stored
insecurely, deficient encryption and authentication protocols, absence of security updates and
patches, substandard firewall setups, inadequate SSL implementations, insufficient input
validation, unsecured messages, basic authentication protocols, missing multi-factor
authentication methods, and insufficient user access controls.

Finally, in order to safeguard patient information from potential threats, it is imperative to
identify appropriate measures to mitigate risk. Effective responses must tackle every recognized
vulnerability and encompass measures like encryption and authentication protocols for
safeguarding patient information, frequent security patches and updates for database systems,
utilization of SSL certificates for websites, secure messaging channels for email communication,
implementing multi-factor authentication for booking portals, and upholding security checks for
electronic health equipment (Williamson and Curran, 2021). Additionally, strong encryption
protocols for network infrastructure, training personnel on data protection policies, improving
firewall configuration, enhancing website input validation, upgrading email communication
authentication measures, and improving user access control protocols for booking portals should
also be taken into consideration.

The ethical hacking demonstration shows the extraction of passwords from a rainbow table
using two distinct password-cracking techniques. Two frequently used techniques for
breaking passwords are brute force and dictionary attacks. Although brute force attacks are slow,
they still succeed in cracking passwords because they exhaustively attempt all possible
combinations until a match is found. Dictionary attacks, on the other hand, speed up the
cracking process by using pre-made lists of frequently used passwords. The demonstration of
both techniques is presented in the practical part of this report.
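As an added example (not part of the original report or the assignment materials), the following Python script models the two cracking techniques named above against constructed, unsalted SHA-256 hashes and shows why salted, iterated hashing is the matching treatment for the "weak passwords" vulnerability in the TVA worksheet. The wordlist, passwords and salts are constructed sample values.

```python
import hashlib
import itertools
import string

# Constructed sample data (not from the report): a tiny wordlist standing in
# for a real one, and weak passwords a booking portal might store unsalted.
WORDLIST = ["password", "letmein", "welcome1", "clinic2023", "qwerty", "nurse1"]
ALPHABET = string.ascii_lowercase + string.digits

def sha256_hex(text: str) -> str:
    """Unsalted fast hash: the storage scheme both attacks below rely on."""
    return hashlib.sha256(text.encode()).hexdigest()

def build_lookup_table(words):
    """Precomputed hash -> plaintext table: the simplest form of what the
    assignment calls a rainbow table (true rainbow tables use reduction chains)."""
    return {sha256_hex(w): w for w in words}

def dictionary_attack(target_hash, words):
    """Try each wordlist entry in order; return (plaintext or None, guesses)."""
    for guesses, word in enumerate(words, 1):
        if sha256_hex(word) == target_hash:
            return word, guesses
    return None, len(words)

def brute_force(target_hash, alphabet=ALPHABET, max_len=3):
    """Exhaustively try every string up to max_len; return (plaintext or None, guesses).
    The guess count grows as len(alphabet) ** length, which is why length matters."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses

def salted_pbkdf2(password, salt, iterations=100_000):
    """Mitigation: a per-user random salt makes precomputed tables useless and the
    iteration count multiplies the cost of every guess in both attacks above."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table lookup:", table.get(sha256_hex("qwerty")))
    print("dictionary:", dictionary_attack(sha256_hex("welcome1"), WORDLIST))
    print("brute force:", brute_force(sha256_hex("ab1")))
    # Same password, two salts: neither digest appears in the precomputed table.
    print(salted_pbkdf2("qwerty", b"salt-A") in table, salted_pbkdf2("qwerty", b"salt-B") in table)
```

Raising max_len or the alphabet size shows how quickly exhaustive search becomes impractical, which is the defensive argument for enforcing longer passwords alongside slow salted hashing.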

In conclusion,

Healthcare systems must prioritize information security as a crucial element in safeguarding patient
data from unauthorized parties (George and Bhila, 2019).
A comprehensive information security strategy must involve identifying
crucial assets, the threats that could endanger these assets, the vulnerabilities that
harmful parties may exploit, and the protective measures that can be implemented to
lower risks and keep patient information safe. By implementing these measures, healthcare
organizations can safeguard their systems and the confidentiality of their patients' records.

References:

Davies, B. (2018) ‘Independent Contractor or Employee?’, SSRN Electronic Journal. doi:
10.2139/ssrn.3316441.

George, J. and Bhila, T. (2019) ‘Security, Confidentiality and Privacy in Health of Healthcare
Data’, International Journal of Trend in Scientific Research and Development, 3. doi:
10.31142/ijtsrd23780.

Kosutic, D. (2021) The Impact of Cybersecurity on Competitive Advantage.

Seh, A. H. et al. (2020) ‘Healthcare Data Breaches: Insights and Implications’, Healthcare, 8, p.
133. doi: 10.3390/healthcare8020133.

Sheth, M. et al. (2021) ‘Research Paper on Cyber Security’, p. 2021.

Williamson, J. and Curran, K. (2021) ‘Best Practice in Multi-factor Authentication’,
Semiconductor Science and Information Devices, 3. doi: 10.30564/ssid.v3i1.3152.
