ICT380 information security policy and governance
Kevin is smart, and cruised through studying IT security at university without really working hard. This allowed him plenty of time to have fun and socialize. When the time came to graduate, he sought to join a small start-up company rather than a large, established organization.
Williams Enterprises (WE) was started by Williams only a couple of years ago, and specializes in advanced movement detection algorithms for use in conjunction with security cameras. Its software is used in high-end industrial applications with specific security requirements, and government applications including the Department of Defense. It has just 10 employees, mostly programmers. It has only one member of staff, Lee, who is responsible for managing WE’s computer systems and network.
Six months ago, WE was hacked, which has made Williams extremely nervous. Although it does not appear that the intruders gained access to WE’s highly secretive algorithms, as a small company it cannot afford even a tiny amount of bad publicity. Consequently, Williams asked Lee to look at employing a good graduate specializing in IT security, and Kevin was selected.
The WE office occupies the ground floor of a larger building. On his first day, Kevin, the new IT security recruit, enters the building through its main entrance and from there takes the door marked ‘Williams Enterprises’, where he is greeted by the receptionist. Subsequently, however, Kevin enters through the back door, which is left unlocked during business hours and leads straight to the main room where the programmers work. The company’s programmers often work odd hours, but there is nearly always someone in this room 24 hours a day. Kevin’s work area, where he and Lee spend most of their day, is a much smaller room leading off the main room. One of the reasons this room is so small is that part of it has been sealed off to form a server room. Kevin and Lee quite regularly go in and out of the server room throughout the day, so it is very convenient to have it so close by.
The programmers operate workstations in the main room, although some have been allocated laptops at their request so they can work from home occasionally. Employees have accounts on their own personal machine, and once logged in, these computers are set up to automatically connect to the servers. Programmers can download various code files to edit locally, before merging these changes onto the servers. The computer systems and network do not use any encryption, and Lee says this isn’t necessary because the company is so small that everyone knows each other and there are no untrusted computers or users that ever connect.
When he first joins, Kevin is given his own personal machine with a fresh image of all the company’s default software. When he first boots it up, it prompts him to enter a password, and from there he has administrative privileges to set up the machine however he wants. Kevin considers this one of the big advantages of working for such a small and laid-back company: as the vast majority of the employees have significant technical skills, there are few hard and fast rules. Partly because of this, Kevin finds that he often does not have a huge amount of work to do. This does not bother him too much, as it gives him plenty of time to chat to Joanne, one of the company’s programmers, and the two soon start dating.
A. Identify and discuss two problematic human-related risks relevant to security as outlined in the scenario above.
[10 marks]
B. For each, briefly describe two principles of access control you would recommend to address the human-related issues that may occur in the above scenario.
[10 marks]
https://spectrum.ieee.org/the-human-os/biomedical/devices/5-major-hospital-hacks-horror-stories-from-the-cyber-security-frontlines?utm_source=Boomtrain&utm_medium=email&utm_campaign=Tech_Alert_03172016&bt_email=polk@telecom.tuc.gr&bt_ts=1458218180034
Refer to the security incidents described in the article Cybersecurity for Hospitals (linked above) and answer the following questions.
-----------------------------------------------------------------------------------------------------------
From any of the incidents described in the above article:
(The vulnerabilities you identify can come from any of the incidents, e.g. you could identify all five vulnerabilities from the same incident, or one from each.)
Identify five different access control vulnerabilities relevant to information security that led to the incident(s). For each of the identified access control vulnerabilities, suggest security safeguards to the IT infrastructure that could have prevented the incident(s) from occurring.
[20 marks]
Refer to the security incidents described in the article Cybersecurity for Hospitals (linked above) and answer the following questions.
From any of the incidents described in the above article:
(The vulnerabilities you identify can come from any of the incidents, e.g. you could identify all five vulnerabilities from the same incident, or one from each.)
Identify five different physical vulnerabilities relevant to information security that led to the incident(s). For each of the identified physical vulnerabilities, suggest security safeguards that could have prevented the incident(s) from occurring.