Task Details: This Assignment Requires You To Perform Risk Identification, Assessment and
Purpose: The purpose of this assignment is to assess the students’ understanding of identifying
risks and vulnerabilities, and their awareness of current industry and research trends in the field
of information security.
Students need to exercise operational, analytical, and critical skills in order to reduce the
potential security risks involved in the given case study. Analyse and evaluate the organizational
adoption of security controls. Design solutions for concrete security problems for distributed
applications. This assessment contributes to learning outcomes a, b, c, d.
Value: 35% Due Date: Report submission Week 11; Demonstration Week 12
Submission requirements details: All work must be submitted on Moodle by the due date.
Reference sources must be cited in the text of the report and listed appropriately at the end in a
reference list using Harvard Anglia referencing style.
Task details: This assignment requires you to perform risk identification, assessment and
treatment based on the given case study. It also requires you to implement an ethical hacking
exercise (one that does not perform any malicious activity) on your own virtual machine. This is
for demonstration purposes only, with the focus on risk identification, assessment, and treatment;
you should not run it on any other computer.
The assignment’s specification requires you to use Kali Linux and the related tools to perform the
configuration and testing.
Case Study: A health care center suffers from very low information security in terms of maturity
across many elements of infosec and information assurance, including cyber resilience and
application of cybersecurity good practice. Patients expect a high level of protection of their
data; however, data breaches can put the reputation of the institute at risk. It is highly
recommended that a certain level of filtering is imposed on the network so that it is secure and
can withstand threats and attacks.
Let us assume that you are hired by the health care center to develop an information security plan
to identify the possible threats to the organization. For example, it is necessary to identify the
important services (e.g., website, booking portal, electronic health equipment...) that the
healthcare center is running.
The criteria that you need to address based on the given scenario are summarized in two parts:
Part A:
1. Assessing the current risk of the entire business
2. Treat the Risk as much as possible
At this point, create a Threats-Vulnerabilities-Assets (TVA) worksheet. Also, calculate the risk
rating of each of the five triplets out of 25.
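The following is an added worked example, not part of the assignment brief: it scores a TVA worksheet on a 1-5 likelihood by 1-5 impact scale (so each triplet is rated out of 25) and ranks the triplets for treatment. The five triplets, their likelihood/impact values and the High/Medium/Low bands are constructed assumptions drawn from the case study's assets and threats.

```python
"""Added example: rate Threats-Vulnerabilities-Assets (TVA) triplets out of 25 and rank them.
The worksheet rows, their likelihood/impact values and the banding are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Triplet:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


def risk_rating(likelihood: int, impact: int) -> int:
    """Rating out of 25 = likelihood x impact; both inputs must be on the 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def risk_band(rating: int) -> str:
    """Assumed banding for a /25 rating: High >= 15, Medium 8-14, Low <= 7."""
    if rating >= 15:
        return "High"
    return "Medium" if rating >= 8 else "Low"


# Constructed TVA worksheet using the case study's assets and threats.
WORKSHEET = [
    Triplet("Patient Information Database", "Ransomware", "Unpatched database server", 4, 5),
    Triplet("Booking Portal", "Password cracking", "Weak passwords, no MFA, unsalted hashes", 4, 4),
    Triplet("Email Communication System", "Phishing", "No user awareness training", 5, 3),
    Triplet("Electronic Health Equipment", "Malware", "Legacy firmware on a flat network", 2, 5),
    Triplet("Clinical Application System", "Insider misuse", "Excessive user privileges", 2, 3),
]


def ranked_worksheet(rows=WORKSHEET):
    """Return (asset, threat, rating, band) tuples, highest risk first: the treatment order."""
    scored = []
    for t in rows:
        rating = risk_rating(t.likelihood, t.impact)
        scored.append((t.asset, t.threat, rating, risk_band(rating)))
    return sorted(scored, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for asset, threat, rating, band in ranked_worksheet():
        print(f"{rating:>2}/25 {band:<6} {asset} <- {threat}")
```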
Part B:
You are expected to implement one of the attacks that could occur against any of the assets.
For example,
if one of the assets is the platform used (e.g., the booking portal), it has a login page, and the
patients have to enter their username and password. You can assume that the platform is
vulnerable to password-cracking attacks. This assessment requires you to use password crackers
to break passwords.
A password cracker is software designed to break passwords. Use two types of password
crackers (e.g., brute force attack, rule attack or dictionary attack) to extract passwords from
the rainbow table. You are required to first set up a rainbow table and then apply the password
crackers to it.
NOTE: You should not run the attacks on any other systems, as collecting a user’s personal
information without authorization is a cybercrime. Only run the attacks on your own computer or
on benchmark vulnerable websites that are provided for training purposes.
Executive Summary:
This report addresses the need for an information security plan for a healthcare centre, which
currently lacks maturity across several elements of information security and assurance. Patients
expect their data to be protected at all times, and data breaches could harm the institution's
reputation. The report focuses on identifying possible threats to the organization, prioritizing
them, and designing a risk treatment plan. The report also includes an ethical hacking
demonstration using two password-cracking methods.
Introduction:
The healthcare sector relies on a vast amount of sensitive data to provide quality services to
patients. Therefore, it is crucial to ensure the confidentiality, integrity, and availability of this
data. In this scenario, the healthcare center lacks adequate information security and requires a
comprehensive security plan. This report aims to identify potential risks to the organization,
prioritize them, and propose a risk treatment plan to reduce the likelihood and impact of these
risks.
At the end of the risk identification process, the healthcare center should have:
i) A prioritized list of assets:
1. Patient Information Database
2. Clinical Application System
3. Electronic Health Equipment
4. Booking Portal
5. Email Communication System
ii) A prioritized list of threats facing those assets:
1. Malware attacks on systems holding sensitive patient data
2. Phishing attacks on employees to gain unauthorized access to systems
3. Ransomware attacks that can encrypt the patient data and demand a ransom for its release
4. Insider threats where employees or contractors may intentionally or unintentionally cause
data breaches
5. Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks that can disrupt
the availability of the healthcare centre's systems
6. Third-party service providers who may have access to patient data and systems
7. Unauthorized physical access to the healthcare centre's premises and devices
8. Unsecured endpoints such as personal devices and laptops that may connect to the
healthcare center’s network
Ensuring the security of patient information is a crucial aspect of every healthcare system, since
it is accountable for safeguarding the confidentiality and accuracy of such data. Healthcare
establishments keep a great deal of confidential data such as financial records, medical records,
and other sensitive documents. It is crucial for healthcare establishments to ensure that their
information security measures are modern and effective in safeguarding patient data against
unauthorized access or cyber-attacks (Sheth et al., 2021).
To create a successful information security strategy, the initial step involves recognizing and
pinpointing all crucial resources of the establishment (Kosutic, 2021). In the presented study, the
assets that have been recognized consist of various items, such as patient information files,
databases, webpages, electronic messaging networks, scheduling platforms, electronic medical
machinery, and overall network systems. Every item of value serves as a possible entry point for
malevolent individuals seeking unapproved access to medical information, and it should be
safeguarded accordingly.
After pinpointing the assets, it is necessary to determine the potential dangers that may pose a
threat to each asset. The risks that may be posed to assets can differ greatly, but generally
comprise activities such as cyber-attacks, malware infiltration attempts, phishing schemes, spam
correspondence, equipment damage, and software failures. It is crucial to acknowledge that all of
these risks have the potential to cause unauthorized access to patient information, thereby
exposing the organization to severe repercussions (Seh et al., 2020).
Once the potential risks are identified, it is important to determine the vulnerabilities associated
with each asset. Vulnerabilities are weaknesses within an organization’s security systems that
malevolent individuals may exploit. Several such vulnerabilities can be observed: data stored
insecurely, deficient encryption and authentication protocols, absence of security updates and
patches, substandard firewall setups, inadequate SSL implementations, insufficient input
validation, unsecured messages, basic authentication protocols, missing multi-factor
authentication methods, and insufficient user access controls.
The ethical hacking demonstration highlights the extraction of passwords from a rainbow table
by utilizing two distinct password-cracking techniques. Two frequently utilized techniques to
break passwords are brute force and dictionary attacks. Although brute force attacks are slow in
nature, they are still successful in cracking passwords as they exhaustively attempt all possible
combinations until a match is discovered. On the other hand, dictionary attacks accelerate the
cracking procedure by utilizing pre-made lists of frequently used passwords. The demonstration
presents both techniques.
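The following is an added example and not the report’s own demonstration: it shows why a precomputed hash lookup (the role a rainbow table plays; a plain dict stands in for the hash chains a real rainbow table stores) recovers unsalted MD5 passwords in a single lookup, and why per-user salting with a slow key-derivation function (PBKDF2) forces a cracker to recompute every guess for every user, which is the treatment the booking portal needs. The wordlist and sample hashes are constructed.

```python
"""Added example: unsalted MD5 lookup versus salted PBKDF2 storage. Wordlist is constructed;
the dict below stands in for a rainbow table (which really stores hash chains, not pairs)."""
import hashlib
import hmac
import os
from typing import Optional

WORDLIST = ["password", "letmein", "clinic2023", "Welcome1", "hunter2"]  # constructed


def build_lookup_table(words=WORDLIST) -> dict:
    """Precompute unsalted MD5 -> plaintext once; reusable against every user and every site."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(stored_md5: str, table: dict) -> Optional[str]:
    """Against unsalted storage a dictionary attack is a single table lookup."""
    return table.get(stored_md5)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> tuple:
    """Hardened storage: 16-byte random salt + PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(candidate: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Constant-time check of a login attempt against the stored salt and digest."""
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


def kdf_calls_to_crack(salt: bytes, digest: bytes, words=WORDLIST, iterations: int = 100_000) -> Optional[int]:
    """With salted PBKDF2 no precomputed table helps: returns how many full KDF runs a
    dictionary attack needs for this one user, or None if the password is not in the list."""
    for n, w in enumerate(words, 1):
        if verify_password(w, salt, digest, iterations):
            return n
    return None


def same_password_distinct_digests(password: str) -> bool:
    """Two users sharing a password get different digests, so one cracked hash reveals
    nothing about the other and no shared lookup table can be built in advance."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    table = build_lookup_table()
    weak = hashlib.md5(b"clinic2023").hexdigest()           # unsalted, as a weak portal stores it
    print("unsalted lookup:", lookup_unsalted(weak, table))  # clinic2023
    salt, digest = hash_password("clinic2023")
    print("salted KDF runs needed:", kdf_calls_to_crack(salt, digest))  # 3
    print("distinct digests:", same_password_distinct_digests("clinic2023"))  # True
```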
In conclusion, healthcare systems must prioritize information security to safeguard patient
data from potential unauthorized parties, as it is a crucial element (George and Bhila, 2019).
A comprehensive information security strategy must involve identifying crucial assets, the
threats that could endanger these assets, the vulnerabilities that harmful parties could exploit,
and the protective measures that can be implemented to lower risks and keep patient information
safe. By implementing these measures, healthcare organizations can secure their systems and
keep their patients’ records confidential.
References:
George, J. and Bhila, T. (2019) ‘Security, Confidentiality and Privacy in Health of Healthcare
Data’, International Journal of Trend in Scientific Research and Development, 3. doi:
10.31142/ijtsrd23780.
Seh, A. H. et al. (2020) ‘Healthcare Data Breaches: Insights and Implications’, Healthcare, 8, p.
133. doi: 10.3390/healthcare8020133.