
Posted: June 7th, 2023


ITSC1001
INFORMATION SYSTEMS RISK AND SECURITY
Tutorial 5

July 2022
The following is a summary of an actual project situation. Apply the knowledge you have gained through the lecture and develop a risk management plan.

The following study is about a real incident related to cyber security which occurred in September 2016 when the personal information of about 550,000 Australian blood donors was released on a website which is publicly accessible. The data was supposed to be stored at servers which are protected by adequate security wall from any kind of external intervention. However, the cyber security was compromised and TechCom which was supposed to maintain and develop the online network-based data of Australian Red Cross came under the scrutiny and investigation. The main reason for this particular security breach in data has been discussed in the following study along with some necessary business requirements which are to be considered before carrying out the operations of TechCom. The different types of data breaching techniques that can be used by external threats have been discussed along with some precautions that need to be taken by the concerned authorities to avoid them. Your role is to develop a management plan for TechCom.
The management plan should include the followings:
Objectives
Scope of a Risk Management Plan
Assigning Responsibilities
Describing Procedures and Schedules for Accomplishment
Documentation
Plan of action and milestones

ITSC1001
INFORMATION SYSTEMS RISK AND SECURITY
Tutorial 6

July 2022
A blog post, “NIST Cybersecurity Framework or ISO 27001 – Which is the better choice for your company?”, is given below. Read the article and reflect on which security standard is better for VIT.

NIST Cybersecurity Framework or ISO 27001 – Which is the better choice for your company?


NIST vs. ISO 27001 | Which one is better for your company?
February 24, 2014
On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly known as Cybersecurity Framework. If you already came across ISO 27001, you’re probably wondering: What does this Framework have to do with ISO 27001? Should you use one over the other or NIST vs. ISO 27001? Which one is better for your company? What is the difference between ISO 27001 and NIST?
NIST’s Cybersecurity Framework follows the U.S. president’s executive order Improving Critical Infrastructure Cybersecurity from 2013. It is suitable for use by any organization that faces cybersecurity risks.
ISO 27001 is an information security standard published in 2005 and last revised in 2019. It is accepted worldwide as a de facto main framework for information security / cybersecurity implementation. It describes the Information Security Management System, and it places security in the context of the overall management and processes in a company.

Overview
Cybersecurity Framework follows the U.S. president’s executive order Improving Critical Infrastructure Cybersecurity from 2013, and was initially intended for U.S. companies that are considered part of critical infrastructure. However, it is suitable for use by any organization that faces cybersecurity risks, regardless of its maturity, size, or industry.
ISO/IEC 27001 is an information security standard published in 2005 and last revised in 2019, published by the International Organization for Standardization. It is accepted in most countries as a de facto main framework for information security / cybersecurity implementation. It describes the Information Security Management System, and it places security in the context of the overall management and processes in a company. It is suitable for use by organizations of any maturity, size, or industry.

Who is obliged to comply with ISO 27001 and the Cybersecurity Framework?
Both frameworks are voluntary, so NIST and ISO do not require organizations to implement them. What happens in practice is that in some countries, governments define laws or regulations that make compliance with them mandatory in certain circumstances.

NIST versus ISO 27001 – Do both have recognized certifications?
At this moment, only ISO 27001 has certification recognition schemes that are recognized worldwide. Cybersecurity Framework implementation recognition depends upon the criteria defined between the involved parties.

What do Cybersecurity Framework and ISO 27001 have in common?
Most importantly, both Cybersecurity Framework and ISO 27001 give you the methodology on how to implement information security or cybersecurity in an organization. In reality, you could implement information security according to either of these, and you would probably achieve quite good results.
Both are technology neutral, applicable to any type of organization (not only to those that are part of critical infrastructure), and both have the purpose of achieving business benefits while observing legal and regulatory requirements, and requirements of all the interested parties.
And, perhaps the biggest similarity is that they are both based on risk management: this means that they both require the safeguards to be implemented only if cybersecurity risks were detected.
What does the Framework have that ISO 27001 doesn’t?
When analyzing NIST versus ISO 27001, what I really like about Cybersecurity Framework is how clearly it is structured when it comes to planning and implementation – I must admit it is better than ISO 27001 in that respect:
Framework Core is divided into Functions (Identify, Protect, Detect, Respond, and Recover), and then into 22 related Categories (e.g., Asset Management, Risk Management, etc. – very similar to sections in ISO 27001 Annex A), 98 Subcategories (very similar to controls in ISO 27001 Annex A), and for each Subcategory several references are made to other frameworks like ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and CCS CSC. This way, it is very easy to see what the requirements for cybersecurity are and where to find out how to implement them.
Framework Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) explain how deeply the implementation of cybersecurity should go. This way, a company can easily decide how far they want to go with their implementation, taking into account requirements from various interested parties.
Framework Profile (e.g., Current Profile, Target Profile) easily pictures where the organization is right now, related to the categories and subcategories from Framework Core, and where it wants to be. This way, it is very easy to see where the gaps are, and then action plans can be developed for closing these gaps.
Further, Framework Profiles could be used for setting the minimum requirements for other organizations – e.g., suppliers or partners, and such a technique unfortunately does not exist in ISO 27001.
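The Current Profile / Target Profile comparison and the "minimum requirements for suppliers" idea described above, worked through as an added example (this code is not from the blog post or from NIST). It scores each Subcategory outcome on the Implementation Tier scale as a simple maturity measure, which is an assumption of this example (the Framework applies Tiers to the organization as a whole); the Subcategory identifiers follow the CSF v1.1 naming pattern, while the tier values and the supplier minimum are constructed for illustration:

```python
"""Current-vs-Target Profile gap analysis in the style of the NIST Cybersecurity
Framework. Added example, not taken from the blog post or from NIST's own
material. Subcategory identifiers follow the CSF v1.1 naming pattern
(Function.Category-Number); the tier assignments and the supplier minimum
are constructed for illustration."""

from dataclasses import dataclass

# Implementation Tiers (names from the Framework) as ordered levels
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}


@dataclass
class Outcome:
    subcategory: str  # e.g. "PR.AC-1": Protect / Access Control / outcome 1
    current: str      # tier at which the outcome is achieved today (Current Profile)
    target: str       # tier the organization wants to reach (Target Profile)


def gap(outcome):
    """Number of tiers still to climb; 0 or negative means the target is met."""
    return TIERS[outcome.target] - TIERS[outcome.current]


def gap_report(profile):
    """Open gaps as (subcategory, current, target, size), largest first so
    the action plan for closing gaps starts with the biggest shortfall."""
    rows = [(o.subcategory, o.current, o.target, gap(o)) for o in profile]
    return sorted((r for r in rows if r[3] > 0), key=lambda r: (-r[3], r[0]))


def supplier_check(supplier_profile, minimum):
    """Use a Profile as a minimum requirement for a supplier or partner:
    return the subcategories where the supplier's current tier is below
    the minimum tier demanded (outcomes not listed in `minimum` pass)."""
    return sorted(
        o.subcategory for o in supplier_profile
        if o.subcategory in minimum and TIERS[o.current] < TIERS[minimum[o.subcategory]]
    )


# Constructed Current/Target Profile for an imaginary organization
PROFILE = [
    Outcome("ID.AM-1", "Risk Informed", "Repeatable"),  # asset inventory
    Outcome("PR.AC-1", "Partial", "Adaptive"),          # identity and credential management
    Outcome("DE.CM-1", "Repeatable", "Repeatable"),     # network monitoring
    Outcome("RS.RP-1", "Adaptive", "Repeatable"),       # response plan execution
]

# Constructed minimum Profile imposed on suppliers
SUPPLIER_MINIMUM = {"PR.AC-1": "Repeatable", "DE.CM-1": "Repeatable"}

if __name__ == "__main__":
    for sub, cur, tgt, size in gap_report(PROFILE):
        print(f"{sub}: {cur} -> {tgt} ({size} tier(s) to close)")
    print("below supplier minimum:", supplier_check(PROFILE, SUPPLIER_MINIMUM))
```

The report sorts by gap size so that the action plan opens with the outcome furthest from its target; an outcome already above target (RS.RP-1 here) is simply omitted rather than flagged, since the Profile only asks where the organization falls short.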
NIST vs. ISO 27001 – Where ISO 27001 is better
So, let’s go deeper into the NIST vs. ISO 27001 comparison. One of the greatest advantages of ISO 27001 is that companies can become certified against it – this means that a company can prove to its clients, partners, shareholders, government agencies, and others that it can indeed keep their information safe.
Further, ISO 27001 is an internationally recognized and accepted standard – if a U.S. company wants to prove its ability to its clients, partners, and governments outside of the United States, ISO 27001 will be much better than the Framework.
Another difference between ISO 27001 and NIST is that ISO 27001 focuses on protecting all types of information, not just information stored or processed in IT systems. It is true that paper-based information has less and less importance, but for some companies such information might still pose significant risks.
Unlike Cybersecurity Framework, ISO 27001 clearly defines which documents and records are needed, and what is the minimum that must be implemented. See also: List of mandatory documents required by ISO 27001 (2013 revision).
Finally, whereas the Framework focuses only on how to plan and implement cybersecurity, ISO 27001 takes a much wider approach – its methodology is based on the Plan-Do-Check-Act (PDCA) cycle, which means it builds the management system that not only plans and implements cybersecurity, but also maintains and improves the whole system. This is because practice has shown that it is not enough to plan and implement a system, because without constant measurement, review, audit, corrective actions, and improvements, such a system will gradually deteriorate and ultimately lose its purpose. Learn more here: ISO 27001 implementation checklist.

Ease of implementation
This topic needs to be considered from two points of view.
ISO 27001 provides an easier way to implement the management part of the security framework, i.e., the elements that will ensure that security can be managed in the long run (e.g., risk management, recognizing internal and external requirements, decision making, providing resources, internal audit, management review, corrective actions, etc.).
When it comes to the implementation of security controls, Cybersecurity Framework enables companies to easily understand what is to be implemented, and where the gaps are.
So, Cybersecurity Framework is better when it comes to structuring the areas of security that are to be implemented and when it comes to defining exactly the security profiles that are to be achieved, whereas ISO 27001 is better with the overall picture of how to fit security into a company.

About costs, how do they differ?
When it comes to costs, besides the costs related to the implementation of controls, and eventual personnel training, ISO 27001 also has costs related to the standard itself (the NIST document is free of charge), and in the case of certified organizations, costs related to certification and surveillance audits. On the other hand, compliance with NIST will most likely require more investment in technology.

Cybersecurity Framework or ISO 27001?
When it comes to the differences between ISO 27001 and NIST and choosing between them, I would say that it is not a question of NIST versus ISO 27001 – it seems to me that it would be best to combine the two. (By the way, Cybersecurity Framework suggests it can easily complement some other program or system, and ISO 27001 has proved to be a very good umbrella framework for different information security methodologies.)
So, to conclude this NIST vs. ISO 27001 comparison, I think the best results can be achieved if the design of the whole information security / cybersecurity would be set according to ISO 27001 (clauses 4, 5, 7, 9, and 10), and to use Cybersecurity Framework when it comes to risk management and implementation of the particular cyber security areas and safeguards. Of course, practice will show how Cybersecurity Framework works in real life, and whether this kind of combination makes sense. What is your experience?

ITSC1001
INFORMATION SYSTEMS RISK AND SECURITY
Tutorial 7

July 2022
The Australian Cyber Security Centre (ACSC) is an Australian government website publishing the latest cyber security alerts. Visit the ACSC website using the following link:

https://www.cyber.gov.au/acsc/view-all-content/alerts/small-and-medium-businesses
The alerts are labelled based on their severity such as:
Select one alert from each alert status and go through its contents. Discuss how you would stay secure against it.

ITSC1001
INFORMATION SYSTEMS RISK AND SECURITY
Tutorial 10

July 2022
Introduction to Wireshark: Basic Installation and Test Run
Wireshark allows us to display the contents of messages being sent/received from/by protocols at different levels of the protocol stack. Wireshark is a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac computers. It’s an ideal packet analyzer that includes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates on computers using Ethernet, Token-Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LANs, and ATM connections (if the OS on which it’s running allows Wireshark to do so).
Running Wireshark
When you run the Wireshark program, the Wireshark graphical user interface shown in Figure 2 will be displayed. Initially, no data will be displayed in the various windows.

Figure 1: Wireshark Graphical User Interface
The Wireshark interface has five major components:
The command menus are standard pulldown menus located at the top of the window. Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data or open a file containing previously captured packet data and exit the Wireshark application. The Capture menu allows you to begin packet capture.
The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s header), the time at which the packet was captured, the packet’s source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted according to any of these categories by clicking on a column name. The protocol type field lists the highest-level protocol that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.
The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window. (To select a packet in the packet-listing window, place the cursor over the packet’s one-line summary in the packet-listing window and click with the left mouse button.) These details include information about the Ethernet frame and IP datagram that contains this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on the right-pointing or down-pointing arrowhead to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded or minimized. Finally, details about the highest-level protocol that sent or received this packet are also provided.
The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we’ll use the packet display filter field to have Wireshark hide (not display) all packets except those that correspond to HTTP messages.

Taking Wireshark for a Test Run
Perform the following steps:
Start up your favourite web browser, which will display your selected homepage.
Start up the Wireshark software. You will initially see a window like that shown in Figure 2, except that no packet data will be displayed in the packet listing, packet-header, or packet-contents window, since Wireshark has not yet begun capturing packets.

To begin packet capture, select the Capture pull down menu and select Options. This will cause the “Wireshark: Capture Options” window to be displayed as shown in the below figure.
Figure 2: Capture Options
After selecting the network interface (or using the default interface chosen by Wireshark), click Start. Packet capture will now begin – all packets being sent/received from/by your computer are now being captured by Wireshark.
While Wireshark is running, enter the URL http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html and have that page displayed in your browser. To display this page, your browser will contact the HTTP server at gaia.cs.umass.edu and exchange HTTP messages with the server to download this page. The Ethernet frames containing these HTTP messages will be captured by Wireshark. After your browser has displayed the INTRO-wireshark-file1.html page, stop Wireshark packet capture by selecting Stop in the Wireshark capture window. The HTTP message exchanges with the gaia.cs.umass.edu web server should appear somewhere in the listing of packets captured. But there will be many other types of packets displayed. Even though the only action you took was to download a web page, there were evidently many other protocols running on your computer that are unseen by the user.
Type in “http” (without the quotes, and in lower case – all protocol names are in lower case in Wireshark) into the display filter specification window at the top of the main Wireshark window. Then select Apply (to the right of where you entered “http”). This will cause only HTTP message to be displayed in the packet-listing window.
Select the first http message shown in the packet-listing window. This should be the HTTP GET message that was sent from your computer to the gaia.cs.umass.edu HTTP server. When you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP message header information will be displayed in the packet-header window. By clicking the plus and minus boxes to the left side of the packet details window, minimize the amount of Frame, Ethernet, Internet Protocol, and Transmission Control Protocol information displayed. Maximize the amount of information displayed about the HTTP protocol.
Exit Wireshark
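What Wireshark's packet-header window derives from the raw bytes of a captured frame, and how the "http" display filter picks the GET out of the capture, can be reproduced in a few dozen lines. The following dissector is an added example written for this tutorial, not Wireshark code and not part of the original lab. The three frames it works on are constructed inline (placeholder MAC and documentation-range IP addresses, checksums left at zero); the request line uses the lab URL from the steps above:

```python
"""Minimal dissector for Ethernet / IPv4 / TCP / HTTP frames, showing what
Wireshark's packet-header window derives from the raw bytes and how a
display filter such as "http" selects packets. Added example; not part of
the tutorial or of Wireshark. Frames below are constructed, with placeholder
addresses; IP and TCP checksums are left at zero."""

import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_PORT = 80


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def dissect(frame):
    """Return one dict entry per layer, outermost first (Ethernet, IP, TCP, HTTP)."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["Ethernet"] = {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers                       # e.g. ARP: nothing above Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    layers["IP"] = {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]),
                    "ttl": ttl, "proto": proto}
    if proto != IPPROTO_TCP:
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    layers["TCP"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": off_flags & 0x1FF}
    payload = tcp[data_off:]
    # Wireshark dissects port-80 payload as HTTP; an empty segment (SYN/ACK) stays TCP
    if payload and HTTP_PORT in (sport, dport):
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        layers["HTTP"] = {"request_line": first_line}
    return layers


def highest_protocol(layers):
    """The 'Protocol' column: the highest-level protocol present in the packet."""
    return list(layers)[-1]


def summary(layers):
    """One-line packet-listing entry: source, destination, protocol, info."""
    if "IP" in layers:
        src, dst = layers["IP"]["src"], layers["IP"]["dst"]
    else:
        src, dst = layers["Ethernet"]["src"], layers["Ethernet"]["dst"]
    info = layers.get("HTTP", {}).get("request_line", "")
    return f"{src} -> {dst} {highest_protocol(layers)} {info}".rstrip()


def display_filter(frames, name):
    """Keep the frames whose dissection contains the named layer; like
    Wireshark, the name is matched case-insensitively."""
    return [layers for layers in map(dissect, frames)
            if name.upper() in (k.upper() for k in layers)]


def build_tcp_frame(payload, sport=52000, dport=HTTP_PORT, flags=0x018):
    """Construct Ethernet+IPv4+TCP bytes around `payload` (checksums zero)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("0a0000000001"),
                      bytes.fromhex("0a0000000002"), ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + tcp


# Constructed capture: a TCP SYN, the HTTP GET for the lab page, and an ARP frame
HTTP_GET = (b"GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1\r\n"
            b"Host: gaia.cs.umass.edu\r\n\r\n")
FRAMES = [
    build_tcp_frame(b"", flags=0x002),
    build_tcp_frame(HTTP_GET),
    bytes.fromhex("0a0000000001" "0a0000000002" "0806") + b"\x00" * 28,
]

if __name__ == "__main__":
    for layers in map(dissect, FRAMES):
        print(summary(layers))
    print("filter http ->", [summary(l) for l in display_filter(FRAMES, "http")])
```

Running it prints three listing lines (TCP, HTTP, Ethernet) and then only the HTTP line once the filter is applied, which is exactly the narrowing the "http" filter step performs in the GUI.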

ITSC1001
INFORMATION SYSTEMS RISK AND SECURITY
Tutorial 9

July 2022
There are several types of malicious code, which include the following:
Computer viruses,
Worms,
Trojan horses,
Back doors/trap doors,
Logic bombs,
Bacteria

Use the internet to search for an example of each and a cyber security breach related to it. Write down a brief description of the incident along with the example.

_______________________________________
Risk Management Plan for TechCom:

Objectives:

Identify and assess potential risks to the security of TechCom’s online network-based data.
Develop strategies and measures to mitigate and manage the identified risks.
Implement security controls and procedures to protect against data breaches and cyber threats.
Continuously monitor and evaluate the effectiveness of the risk management plan and make necessary adjustments.
Scope of the Risk Management Plan:
The risk management plan will focus on the security of TechCom’s online network-based data, specifically addressing the breach that occurred in September 2016. It will encompass the identification of potential risks, assessment of their impact and likelihood, implementation of security controls, and ongoing monitoring and assessment.

Assigning Responsibilities:

TechCom Management: Overall responsibility for overseeing the risk management plan and ensuring its effective implementation.
IT Security Team: Responsible for conducting risk assessments, implementing security controls, monitoring network activity, and responding to security incidents.
System Administrators: Responsible for maintaining and updating the servers and network infrastructure to ensure their security and integrity.
Employee Training: All employees should receive training on security best practices, including data handling, password management, and identifying and reporting suspicious activities.
Describing Procedures and Schedules for Accomplishment:

Risk Assessment:
a. Identify potential risks and vulnerabilities in the network infrastructure and data storage systems.
b. Assess the impact and likelihood of each identified risk.
c. Prioritize risks based on their severity and potential impact.
d. Document the findings of the risk assessment.

Risk Mitigation and Control:
a. Implement appropriate security controls to mitigate identified risks.
b. Regularly update and patch software and systems to address known vulnerabilities.
c. Deploy firewalls, intrusion detection systems, and other security measures to protect against unauthorized access.
d. Implement access controls and user authentication mechanisms to ensure only authorized individuals can access sensitive data.
e. Encrypt sensitive data to protect it from unauthorized disclosure.
f. Establish incident response procedures to effectively handle and mitigate security incidents.

Monitoring and Assessment:
a. Regularly monitor network activity and logs to detect any suspicious or abnormal behavior.
b. Conduct periodic security assessments and penetration testing to identify new vulnerabilities.
c. Review and evaluate the effectiveness of security controls and adjust them as necessary.
d. Provide regular reports to management on the status of the risk management plan and any incidents or vulnerabilities detected.
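Steps a to d of the Risk Assessment procedure above (identify, assess likelihood and impact, prioritise, document), carried through as an added example that is not part of the plan itself. It uses a 5x5 likelihood-by-impact matrix and severity bands, both of which are assumptions of this example rather than something the plan specifies; the risk entries, ratings and owners are constructed for illustration:

```python
"""Risk register for the Risk Assessment procedure (identify, assess
likelihood and impact, prioritise, document). Added example; not part of the
tutorial's plan. Scale, severity bands, risks, ratings and owners are
constructed for illustration."""

from dataclasses import dataclass, field

# Five-point ordinal scales; the matrix product gives a score from 1 to 25
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    owner: str                 # role from the plan's "Assigning Responsibilities"
    controls: list = field(default_factory=list)

    def score(self):
        """Step b: likelihood x impact on the matrix."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def severity(score):
    """Map a matrix score to the band used for prioritisation (assumed bands)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register):
    """Step c: highest score first; ties broken by impact, then by id."""
    return sorted(register, key=lambda r: (-r.score(), -LEVELS[r.impact], r.risk_id))


def register_document(register):
    """Step d: render the documented findings as a text table."""
    lines = ["| ID | Risk | Likelihood | Impact | Score | Severity | Owner | Controls |",
             "|---|---|---|---|---|---|---|---|"]
    for r in prioritise(register):
        lines.append(f"| {r.risk_id} | {r.description} | {r.likelihood} | {r.impact} | "
                     f"{r.score()} | {severity(r.score())} | {r.owner} | "
                     f"{'; '.join(r.controls) or '-'} |")
    return "\n".join(lines)


# Constructed register for the TechCom scenario (step a: identified risks)
REGISTER = [
    Risk("R1", "Donor data file exposed on a publicly accessible web server",
         "medium", "very high", "System Administrators",
         ["Keep data stores off public-facing hosts", "Periodic external exposure scan"]),
    Risk("R2", "Unpatched server software with known vulnerabilities",
         "high", "high", "System Administrators", ["Monthly patch cycle"]),
    Risk("R3", "Staff phishing leading to credential theft",
         "high", "medium", "IT Security Team",
         ["Security awareness training", "Multi-factor authentication"]),
    Risk("R4", "Loss of printed records in the office",
         "low", "low", "TechCom Management"),
]

if __name__ == "__main__":
    print(register_document(REGISTER))
```

The ordering matters for the plan of action: R2 (16) ranks above R1 (15) even though R1 describes the actual 2016 incident, because the matrix weighs how likely a repeat is as well as how bad it would be; the documented table is what the monitoring reports to management can be checked against later.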

Documentation:

Maintain comprehensive documentation of the risk management plan, including risk assessments, security control implementation, incident response procedures, and monitoring reports.
Document any changes or updates made to the risk management plan over time.
Ensure documentation is easily accessible to relevant stakeholders and regularly reviewed and updated.
Plan of Action and Milestones:

Conduct initial risk assessment: August 2022.
Develop and implement security controls: September 2022.
Provide employee training on security best practices: October 2022.
Monitor network activity and conduct periodic security assessments: Ongoing.
Review and update the risk management plan annually: July 2023 and onwards.
