7CCSMSEM
Security Management
Tutorial Weeks 1 & 2
Group of Appreciation of the Natterjack Toad (GANT)
The Group of Appreciation of the Natterjack Toad (GANT) is a conservation group that is keen to promote and preserve the well-being of the Natterjack Toad. It is a UK-registered charity and has a significant number of members world-wide who are all keen to promote the work of GANT. Unfortunately, it is an endangered species that is gradually being destroyed by the development of new areas. For example, it was locally extinct in some areas of Wales due to development work and it had to be re-introduced.
All information for the group can be accessed using a web-based application or by contacting the group’s honorary secretary Dr Jane Peabody for the paper-based records. This information includes the group’s member records, its activities, meeting places, natterjack toad habitats, confidential aspects about their work, etc. In the past, members have raised concerns about information assurance as the website has been previously compromised owing to the server containing no significant security controls.
The chairman Ms Rachel Jackson has heard about information security and believes it is the right time to take it more seriously, but she doesn’t know that much about it. This is where you come in. Ms Rachel Jackson has hired your group to learn more about protecting their information.
Question 1. What is Information Security?
Let’s get the ball rolling. You are preparing for a meeting with Ms Rachel Jackson to convince her that information security should be taken seriously by GANT. In preparation for the meeting, your group should agree on the following principles and points:
– What is Information Security?
The practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information
– What is the focus of Information Security?
Confidentiality, Integrity and Availability (but also other properties like accountability (non-repudiation), etc.)
– What information assets under the control of GANT may require protection?
Everything. This includes members records (i.e. date of birth, location, passwords), the toad’s camp location (if leaked, people may attack them). etc
It is also important to prepare a brief discussion about confidentiality vs availability of information. While they are conceptually opposing goals, you will need to convince Ms Rachel Jackson how there can be acceptable trade-offs for the two goals. Please use the information assets that you identified as part of the discussion.
Confidentiality tries to keep information secret to only those who need to know, whereas availability seeks to make information accessible. While information can be kept secret by removing all access to it, this raises the question whether it is then useful to keep at all. There must be a tradeoff to let only parties who need access to the information. Cryptography can be used encrypt the information so it can be accessible, but only those with the decryption key can open it.
Question 2. What threats and vulnerabilities may GANT face in the future?
The meeting with Ms Rachel Jackson has begun. She clearly understands the principles of Information Security, but she does not yet know how to assess threats, vulnerabilities or risk. To help her understand, identify three threats and vulnerabilities that GANT’s information assurance system needs to manage. Please remember that Ms Rachel Jackson is not tech savvy per say. For example, she will not understand how a MYSQL injection attack works. Try to use simple English to explain the above three points.
A threat highlights a problem that if it arises will result in adverse consequences. This may include 1) Information about members might be accessible by unauthorised people. 2) Information about the habitats of the Natterjack toad might be used by those who are not inclined to support its ongoing existence. 3) The website might be compromised, and unofficial messages added to it.
A vulnerability is a weakness in the system that might allow the threat to happen. This may include 1) Records of members are stored in an unreliable computer system that may crash in the future. 2) Information about the toad’s habitats may be stored on an old Internet-based and insecure server. 3) The administrator password for the website has never been changed from the default password.
Question 3. What is a Threat Agent? Could you, from the threats you mentioned GANT could face, select one and discuss who the Threat Agent might be?
The Threat Agent may give rise to a Threat. It is the likely culprit of a risk to the organization. Threat agents can be natural, accidental, or malicious. For the case of GANT, and for the threats already indentified in the previous question, threat agents may include 1) Unscrupulous property developers may gain access to personal details about members and later harass them. 2) A habitat of the Natterjack toad might be destroyed by someone who is not interested in its existence. 3) Someone might gain access to the GANT website and update it with offensive information.
Question 4. Imagine GANT hired you to conduct a vulnerability assessment, so they could use it for their ongoing internal security risk management process. What would be the rationale you would use to choose the most adequate set of assurance techniques?
You could consider the actual context and domain of the organisation (e.g. it is not the same testing the security of a normal IT system than a nuclear power plant). In particular, GANT has this web-based application that one could consider potential ways in which attackers might exploit it. Also, it may be you need to check for social engineering, for instance those custodians of the paper-based records at GANT. Then, from the available possibilities the most cost-effective ones should be chosen. That is, those that will minimise the cost of performing them and will be most effective to discover vulnerabilities.
Question 5. What are the differences between Threat Assessment and Vulnerability Assessment?
In threat assessment, you look at the potential threat agents and how/why they may be interested in targeting your organisation as well as their characteristics like their capability. In vulnerability assessment, you actually look at the vulnerabilities your system has independently from the threats.