This essay has been submitted by a student. This is not an example of the work written by professional essay writers.

Security Risk Management

Question One

Principle: Least Privilege

Least privilege is the practice of reducing the authorizations of computer systems, accounts, and users to only the assets needed for the routine activities they are allowed to perform. The principle has wide application, from access control in organizations to physical protection of business premises and even the external environment of the office, but it is undeniably most critical in information security. Frankly, access beyond what employees require to do their day-to-day jobs should not be granted (Wheeler 2011). Embracing least privilege in an IT setup lessens the chances of an attacker reaching vital systems or high-level information by compromising the user profile of a low-level employee, a piece of software, or a computer. The principle of least privilege aims to contain security breaches and prevent them from affecting the entire system.

Real-World Examples

An example of an organization that applies the least privilege principle is Taylor Fry, which provides a range of services. Taylor Fry employs creative problem solvers such as engineers, physicists, and computer scientists to bring diversity to improving the financial choices of its customers. The organization undertook an IT transformation that included a comprehensive analysis of its technical design and ecosystem, a multi-year project driven by IT policy to prepare the company for near-future development. Taylor Fry needed a way to describe and assess the risks related to third-party vendors. Vendor Risk, in conjunction with Breach Sight, continuously examines vendor protection and the progress of automating security questionnaires. Together the two products produce a cybersecurity rating, which the organization uses to measure its cybersecurity performance. Taylor Fry applies the principle of least privilege in selecting and managing security vendors.

Akamai Technologies is another company that applies the least privilege concept. Its tight global framework spans everything from the cloud to the enterprise, to improve the efficiency of its customers' businesses and the satisfaction of their clients. By embracing this principle, Akamai keeps users close to decisions, interactions, and applications while keeping them more secure from cyber threats than other companies do. Each entity in the system, for example an electronic device or a client, is given only the minimal permissions and resources it needs to run effectively. This concept minimizes the threat to the company that can arise from misconduct, human error, or accident. The fundamental task is to strike a balance between what is practical to handle in terms of provisioning and de-provisioning and the imposition of specific, narrowly scoped restraints (Wheeler 2011).

Advantages of applying the concept of Least Privilege in Risk Management

Organizations must control information risk as part of their overall risk management policy, and managers must decide how to reduce that risk (Yeo et al. 2014). If an ordinary user mistakenly reconfigures a sensitive area of a network, serious instability could arise. The concept of least privilege minimizes the chances of users accessing the system unnecessarily. Limiting admin access to a few privileged users reduces the number of privileged operations performed and hence the opportunities for risky errors. A program running with fewer privileges mitigates attacks, facilitates overall network efficiency, and reduces security risks.

Question Two

The risk management process is an instrument for deciding which actions need to be taken. To minimize risk, five procedures are undertaken. There are a few well-known frameworks for risk management in information technology, and some recent ones focus explicitly on reducing the risks associated with information security. These frameworks all apply the prevalent life-cycle method, despite variations in the terminology and identification of the steps in that method (Wheeler 2011).

The first step in the risk management process is resource profiling. It involves identifying the tools most essential to a corporation, the devices holding the most sensitive information, and those that can be accessed by the public. The most important thing is to rate them according to their relevance to the company, whatever the requirements, and to adapt the rating to make the most of any reciprocal appraisal work (Wheeler 2011). Security professionals sometimes find it difficult to set aside assets with known security defects. Regardless, this plan is essential for maintaining focus on the important functions of the organization; otherwise it is easy to be overwhelmed by the constantly growing catalog of possible risks at any given moment.

Challenges Involved

There are several challenges in resource profiling. Difficulties can arise in applying the strategy when handling external pressure from clients, auditors, and authorities to move the review elsewhere (Wheeler 2011). Georgia State has a foundation for risk management that provides a platform for businesses to raise funds, provide grants to worthy learners, help retain top faculty, support the faculty in critical study, and support the Department of Risk Mitigation & Insurance services.

Georgia State University experienced some challenges when consolidating with Georgia Perimeter College. Despite this, the consolidation, though a major hindrance, came with some benefits. Usually such interference creates odd bedfellows. When the systems of Georgia Perimeter College and Georgia State University combined, Georgia State's organization grew and students were given a better route. Two institutions with different operating forms were also merged. Some of the challenges Georgia State faced in the early reorientation enabled the system managers to perfect future mergers. Among the takeaways was that specific problems required less feedback.

Question Three

It is necessary to describe a risk correctly when informing clients or executives about a threat. Mixing up vulnerabilities, impacts, and controls can confuse the audience. When describing exposure to danger, it is important to consider the implications for the company, not just the distinct operation of exploitation (Wheeler 2011). A standard risk statement allows one impression to be shared with people throughout the organization, as in a system setting. Written risk statements sometimes do not achieve these goals and may be inefficient. Six weeks after a hack took place, Equifax made a statement to the press announcing an undeniable data breach. According to Equifax's press statement, the breach was caused by the faulty implementation of software security measures meant to address the weaknesses of certain web applications.

Question Four

Security Service: Session Management

Sessions enable applications to maintain state. After a client logs in, client and server must cooperate to preserve a secure state until the client logs off. Normally a value is associated with each distinct session and is saved in a cookie or passed by the user as a variable. It is crucial to protect this value with strong cryptography wherever the session identifier is held (Wheeler 2011). Applications must always be able to transfer and submit session identifiers to consumers, and these identifiers can be exposed to interference when web applications place them in pages or HTTP requests.

Applications

A session is an end-user-linked duration that starts when a consumer logs into the web application and ends when the application window is closed or after a certain period of inactivity. Intruders can gain access to a user's session by exploiting weaknesses in session management and by forging cross-site requests. Session IDs are most frequently authentication tokens: users are authenticated on entry based on their credentials and are thereafter identified by their session ID, which effectively acts as a temporary password for access to their session (Ismail 2013).

While active in a web application session, a user sends requests that can include sensitive data. In most cases the application preserves this data and tracks the status of the user over many requests during the session, so the application must protect the user's confidential information. Session management is therefore necessary for controlling such web experiences. Session tokens are crucial, as they are exchanged back and forth between the application and the server. For each request there is a session token, and the response enables the application to identify details unique to the client using it.

Relevance to The Service

Cyber-attacks take advantage of weaknesses in session management by appearing to be legitimate website users (Visaggio & Blasio 2010). Corruption of web sessions can allow illegal access and the reinstatement of sessions, which adversely affects the integrity of a website. Almost all websites use cookies to preserve the state of a session across HTTP requests. Cookies, however, have a flaw in their design that limits their protection: in general they cannot secure sessions against intruders who can create content on the same domain. Though this attack is common, current proposals and industry standards do not confront this flaw, and cookies are still being built on top of primitive designs intended for less developed environments.

Nonetheless, current web applications are increasing in complexity, with rich interfaces that rival desktop software. Even an intruder who cannot gain access to a user's session can substitute their own session for that of the client, so that, at a minimum, the client is signed in as the intruder. The attacker can then control the session across several pages and consequently act as though the user were in session.

Sessions are critical to the transfer of information with a request from a browser to a site. As a result, an attacker who can infiltrate a session breaches confidentiality and gains access to information. Cookies are the main means by which most browsers transfer and store sessions, so they must be kept confidential to provide security. Cookies enable websites to use the HTTP Set-Cookie header to save key-value pairs on the client's device, which the user agent returns on subsequent requests. When setting cookies, servers may define a scope for them consisting of a path and a domain.
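The session handling described in this section, as an added example that is not part of the original essay or of any cited source: a minimal Python session store that issues unguessable identifiers, scopes the cookie by Path and Domain, marks it HttpOnly, Secure and SameSite, and expires sessions on inactivity. The domain `example.test` and the 15-minute idle timeout are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed)


@dataclass
class Session:
    user: str
    last_seen: float
    data: dict = field(default_factory=dict)  # per-user state kept server-side


class SessionManager:
    # Constructed example store; not taken from any real framework.
    def __init__(self, domain: str, path: str = "/",
                 now: Callable[[], float] = time.time):
        self.domain, self.path = domain, path
        self.now = now  # injectable clock so the idle timeout can be exercised
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: the id acts as a temporary password, so it
        # must be unpredictable and carry no information about the user.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, last_seen=self.now())
        return sid

    def set_cookie_header(self, sid: str) -> str:
        # Path/Domain bound the scope; HttpOnly keeps page scripts from reading the
        # token; Secure restricts it to HTTPS; SameSite=Strict keeps it off
        # cross-site requests, which blunts request forgery.
        return (f"Set-Cookie: sid={sid}; Path={self.path}; Domain={self.domain}; "
                "HttpOnly; Secure; SameSite=Strict")

    def lookup(self, sid: str) -> Optional[Session]:
        # Constant-time compare: a guess learns nothing from a matching prefix.
        hit = next((k for k in self._sessions if hmac.compare_digest(k, sid)), None)
        if hit is None:
            return None
        sess = self._sessions[hit]
        if self.now() - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[hit]  # expired by inactivity
            return None
        sess.last_seen = self.now()  # sliding idle window
        return sess

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # invalidate server-side, not just the cookie
```

Because the store is server-side, a stolen cookie stops working as soon as the user logs out or the idle window lapses, which a cookie-only scheme cannot guarantee.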

References

Ismail, R. (2013). A secure session management based on threat modeling. Iraqi Journal of Science, 54(4), 1176-1182.

Visaggio, C. A., & Blasio, L. (2010). Session management vulnerabilities in today's web. IEEE Security & Privacy, 8, 48-56. https://doi.org/10.1109/MSP.2010.114

Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Syngress.

Yeo, M., Rolland, E., Ulmer, J., & Patterson, R. (2014). Risk mitigation decisions for IT security. ACM Transactions on Management Information Systems, 5. https://doi.org/10.1145/2576757
