7CCSMSEM
Security Management
Tutorial Week 7 (Sketch of Solutions)
Recall GANT from a previous tutorial:
Group of Appreciation of the Natterjack Toad (GANT)
The Group of Appreciation of the Natterjack Toad (GANT) is a conservation group that is keen to promote and preserve the well-being of the Natterjack Toad. It is a UK-registered charity and has a significant number of members world-wide (100,000 members across 42 countries) who are all keen to promote the work of GANT. Unfortunately, the Natterjack Toad is an endangered species that is gradually being destroyed by the development of new areas. For example, it was locally extinct in some areas of Wales due to development work and it had to be re-introduced.
All information for the group can be accessed using a web-based application or by contacting the group’s honorary secretary Dr Jane Peabody for the paper-based records. This information includes the group’s member records, its activities, meeting places, natterjack toad habitats, confidential aspects about their work, etc.
Question 1. The officers of GANT have decided that they need to establish a better means of communicating among themselves and with the members of the society. Some members report that they have been targeted by persons sending them malware in emails or attempting to extract data about toad populations. The officers have no knowledge of this area of computing and need advice on how to protect their systems, at home and in the GANT office, against malware. The loss or unauthorised disclosure of sensitive membership or toad population data would be embarrassing and potentially harmful to human and amphibian alike.
What advice would you give to the society with regard to the countermeasures they need in order to provide an adequate level of protection from malware?
First of all, recall that any decisions on the security controls to be implemented should be based on a risk analysis. In this case, there is a need to balance the risk of malware against the costs of purchasing and implementing countermeasures.
A good place to start would be as follows. Install a combination of anti-virus and personal firewall software on each PC that has a connection to the Internet or is networked to another computer that does. Choose a product that will also restrict the executables that will run on that computer to a known list of authorised products. Change all the default settings in operating systems, applications and browsers (for example passwords, configurations, open ports and so on) to make it harder for malware to compromise the computer. Apply patches to the operating system and applications promptly. Have a backup policy in place. Other controls could also be considered depending on the financial capability of GANT (e.g. a network firewall or IDS).
Question 2. In response to the above, some people at GANT do not really understand the need to apply patches to combat malware. Why is it important to download and apply a software patch as soon as possible? Please explain your answer and provide an example.
Downloading and applying a software patch as soon as possible is very important because threats could exploit any vulnerabilities in the software. For instance, malware is known to exploit precisely such vulnerabilities. Even worse, when a patch/update is released, hackers can more easily reverse-engineer it to write an exploit for the vulnerability the patch is trying to fix. Therefore, the longer you delay patching the software, the more likely it is that an exploit will have been created to take advantage of the vulnerability.
Question 3. The chairman of GANT, Ms Rachel Jackson, is going to follow the advice about buying anti-malware security controls, but she is lost on which products to buy. Do you have any tips for Ms Jackson on how to pick a manufacturer’s product?
Recall from the lecture on Security Economics that choosing a good security product is difficult. However, some tips include:
• Read independent reviews
  o High degree of effectiveness in detecting and removing malware?
• Frequency of updates
  o Is the scanner still maintained? Is it aware of the new malware threats?
• Whitelist of accepted executables
  o Let the organisation control what can be executed on their network
• Reputable company
  o If you are going to buy an expensive licence, make sure the company will stick around!
• Impact on operations
  o If the scanner will mean your employees can no longer do their work, you’ll need to find another solution.
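The executable allowlisting recommended in the answers to Questions 1 and 3, as an added example that is not part of the original tutorial or any vendor's product: it authorises files by SHA-256 content hash with default deny, and contrasts that with a name-only check. The file names, file contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file contents in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved: list[Path]) -> dict[str, str]:
    """Map content hash -> product name for every approved executable."""
    return {sha256_of(p): p.name for p in approved}


def is_authorised(path: Path, allowlist: dict[str, str]) -> bool:
    """Allow only files whose contents match an approved hash (default deny)."""
    return sha256_of(path) in allowlist


def name_only_check(path: Path, allowed_names: set[str]) -> bool:
    """Weaker policy shown for contrast: trusts the file name alone."""
    return path.name in allowed_names


def demo() -> dict[str, bool]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "members_db.exe"          # constructed sample file
        approved.write_bytes(b"approved build 1.0")
        allowlist = build_allowlist([approved])
        names = {approved.name}
        renamed = root / "copy_of_tool.exe"         # same bytes, new name
        renamed.write_bytes(b"approved build 1.0")
        approved.write_bytes(b"modified contents")  # same name, new bytes
        return {
            "tampered_passes_name_check": name_only_check(approved, names),
            "tampered_passes_hash_check": is_authorised(approved, allowlist),
            "renamed_copy_passes_hash_check": is_authorised(renamed, allowlist),
        }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

A hash-based allowlist has to be rebuilt whenever an approved application is patched, so it needs to be maintained alongside the patching process.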