What is a Security Risk Assessment and How to Conduct one?
- Mitigations and Solutions
A security assessment evaluates the use of resources, policies, and operational controls to manage and eliminate vulnerabilities that are exploitable by attackers, both internal and external. The security requirements and measures addressed cover the areas of Information Security Management, i.e. computer hardware and software, data, operations, physical facility, personnel, and contingency planning.
Over the past decade, with the increased dependency on networked computers in student management, the risks involved in these systems and methodologies have continuously emerged and evolved. Security controls are intended to reduce these risks. These controls involve limitations on the deployment and use of equipment, resources, policy, and procedure; for their successful implementation and continued effectiveness, they need to be reviewed frequently.
The number of steps and phases varies depending on the type of security risk assessment deployed, but the overall process is similar across all of these methods.
The objectives of a Security Risk Assessment may contain the following:
- Analyze the existence and effectiveness of current controls
- Conduct a vulnerability assessment to identify weaknesses that might be exploited by an attacker or a hacker
- Determine if the security controls and access to data and office premises are securely maintained
- Determine the unfavourable impact (or consequences) resulting from the successful exploitation of a vulnerability by a threat
- Ensure that proper guidelines are being composed by staff and students with regard to security
- Identify the nature of the vulnerabilities and areas where special attention is required to avoid threats
- Define and identify the threats that have the risk of causing harm to the business facility and its inhabitants
- Provide controls that could mitigate or eliminate the identified risks, as appropriate to your company’s operations
- Provide a mechanism or procedure for improved oversight of information security programs
- Produce security controls within enterprise architecture and systems
One of the preliminary steps of this assessment is to consider the threats your company faces (including the exploitation of vulnerabilities) and to estimate the probability of such incidents occurring at the facility, based on implemented guidelines, staff awareness of security policy, the geopolitical situation, the security and data protection controls in place, and the tools or assets in use concerning data security. In this stage, the important variables for the assessment are identified: assets, threats, vulnerabilities and the impact of the exploitation of these risks.
Vulnerabilities are exploitable weaknesses in the physical structure and design of the business facility, and implementation, operations and guidelines concerning the protection of assets and data.
If these vulnerabilities were exploited, it could result in:
- Unauthorised modification and removal of data or other sensitive contents
- Unauthorised disclosure of data
- Unauthorised access to data for uncertified users
- Denial of service to authorised users
- Financial, legal and reputational damages
Threats are unfavourable events that may damage, disclose or destroy an asset of the company. They might occur as a result of natural causes, employee negligence, malicious hackers or theft. The occurrence of a threat might leave the business vulnerable to even more threats and damage in several ways.
Incomprehension of, or noncompliance with, physical security policy and procedures might create the opportunity for unlawful removal of company property, or damage to it, by lone motivated individuals (insiders or outsiders). Unauthorized access, with or without the use of special tools and equipment, might be used for theft of intellectual property (Liu, et al., 2012).
A physical breach of the property, during or after the event, might destroy an asset beyond practical use. This includes intentional and unintentional destruction of an asset or intellectual property without proper authorization. It is a more serious concern than modification of an asset or data, or its temporary non-availability.
Great emphasis has to be placed on the impact area when handling and processing sensitive or classified information, such as student profiles and results, staff remuneration details, legal documents and the internal and external communication logs of the business. The disclosure of any sensitive data will damage the reputation of your company and its public trust, and in some cases you might even face legal action.
# Denial of Service
If an attacker succeeds in breaching the security measures or controls, they might disrupt the day-to-day activities of your company. Although these threats are most likely temporary, their impact may vary depending on the nature of the service denied by the attacker and the period of unavailability.
Unauthorized data modification might distort database user information, disrupt the business's operation and cause complicated mishaps. Modification is the effect of a threat that changes the state of an asset or data away from its accurate, originally intended state. For instance, changing the contact details of a student or staff member might put that person out of reach of the business and its latest news updates.
One of the key goals of this assessment is to analyze weaknesses and deficiencies and identify sources of potential vulnerabilities exploitable by threats. For the analysis, the physical environments of the information system in the business, the tools used for data processing and handling, and user access to these systems along with the procedural controls were assessed.
4.1 Web Application Assessment
# SQL Injection
Most of the information received from web requests is not validated before being used by the website or processed for office use. This leaves the backend components vulnerable to attack. If a SQL Injection attack were successful, it might expose employees' or users' sensitive data; in the worst scenarios, SQL commands can be used to run operating system commands. A successful SQL Injection attack can therefore have the following serious consequences (Acunetix, 2021):
- Attackers may find the credentials of system users, including administrators, and use them to impersonate respective users and access their database privileges
- It may be used to drop tables (delete records) from the database. This will probably result in service unavailability for some time, even if the database was backed up
- It might let the attacker alter or steal personal student data in the database.
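The following is an added example, not code from the original report, showing why the student lookup described above is exploitable when request values are concatenated into SQL, and how the same lookup looks with the two controls the report recommends: an input check on the field and a parameterized query. The table, records and the `S` plus four-digit ID format are constructed assumptions for illustration.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory sample table; not the business's real schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (student_id TEXT, name TEXT, result TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [("S1001", "A. Student", "Pass"),
         ("S1002", "B. Student", "Fail"),
         ("S1003", "C. Student", "Merit")],
    )
    return conn


def lookup_vulnerable(conn, student_id):
    # BAD: the request value is pasted into the query text, so a crafted value
    # changes the structure of the query instead of being treated as data.
    sql = "SELECT student_id, result FROM students WHERE student_id = '%s'" % student_id
    return conn.execute(sql).fetchall()


# Assumed ID format: the letter S followed by exactly four digits.
STUDENT_ID = re.compile(r"^S\d{4}$")


def lookup_safe(conn, student_id):
    # Layer 1: input check (the 'Input checks' control in the processing
    # controls section): reject anything outside the allowed format.
    if not STUDENT_ID.fullmatch(student_id):
        raise ValueError("invalid student id format")
    # Layer 2: parameterized query. The driver sends the value separately from
    # the SQL text, so it can never be interpreted as part of the statement.
    sql = "SELECT student_id, result FROM students WHERE student_id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    crafted = "' OR '1'='1"  # the textbook tautology input
    print(lookup_vulnerable(conn, "S1001"))  # one row
    print(lookup_vulnerable(conn, crafted))  # every row: the WHERE clause is neutralised
    print(lookup_safe(conn, "S1001"))        # one row
    try:
        lookup_safe(conn, crafted)
    except ValueError as err:
        print("rejected:", err)
```

Even without the format check, the parameterized version returns no rows for the crafted value, which is why the parameterized query, not the allowlist, is the primary defence and the input check is defence in depth.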
# Cross-site Scripting
4.2 Phishing Assessment
Phishing attacks are one of the most common methods used by attackers to gain access to a system, steal sensitive information, or hold information hostage (known as ransomware) (GSA, 2016).
As employees are the first and last line of defence when it comes to mitigating your risk of a data breach or ransomware attack, a specially crafted phishing email was generated and sent to them for this assessment (GSA, 2016).
4.3 Wireless Assessment
In the onsite portion of this assessment, a walkthrough should be conducted in the business's facility to identify and evaluate the existing Wireless Access Points (WAPs) installed in the physical workplace. It was intended to determine whether any rogue access points are in use.
# Penetration testing
Wireless penetration testing (also called pen testing) analyzes the current wireless infrastructure to identify weaknesses and attempts to exploit them to gain additional access to the networks in use. During the wireless penetration test, WAPs were identified, along with the possibilities of exploiting them to gain access to the network. The following tools were used to map out the network and discover vulnerabilities (Rosencrance, 2018).
- Wireshark — was used to profile network traffic and analyze network packets. It can capture traffic from all the different network media types in use, including Wireless LAN, Bluetooth and USB.
- Nmap (network mapper) — scanned the systems and networks for vulnerabilities associated with open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. It is directed at the IP addresses of the systems to be scanned and tests them for open ports.
The penetration test highlighted some weaknesses in the business’s security policy. In particular, it calls attention to the finding that the security policy of the business focuses on preventing and detecting an attack only. It does not include a process to expel an attacker.
4.4 Database Assessment
This assessment aimed to compare the configuration of the business databases against configuration baselines in order to identify potential misconfigurations and database vulnerabilities. It helped to identify various configuration problems and patch management issues, and revealed deviations from the baseline and insecure configurations that had been applied to the student database.
Furthermore, placing the database in a single location is not advisable. In case of a fire or power outage, various services of the business will be disrupted.
4.5 Physical Security Assessment
The security measures implemented in the interior of the business property were assessed.
An inconsistent power supply, with no alternative or backup power source, might leave the business vulnerable to countless damages, including data loss and interruption of services. These issues can be addressed (i.e. the impact avoided or minimized) by detailing a protocol to be followed during a power outage, installing surge suppressors and voltage regulators, and establishing a database structure in which database storage is kept in different locations.
# Fire detection
In case of fire, all personnel inside the building are at risk. Your business is responsible for installing fire detectors, smoke detectors and heat detectors. As sufficient fire exits are not built into the classrooms, and as the only possible way out of the business facility is the stairs (lifts cannot be used during a fire), the management has to address these issues without delay.
5. MITIGATIONS AND SOLUTIONS
The information security management system (ISMS) of your client has placed a set of policies and procedures to manage its sensitive data systematically. These procedures should aim to minimize the risk of a security breach and limit the impact of such damages while ensuring that day-to-day tasks are carried out proactively.
For this methodology to be effective and meaningful, the role of employee behaviour in processing and protecting data and in operating security or validation controls is prominent. Employees should be sufficiently trained and made aware of the consequences of insubordination and carelessness while handling data and security controls, and of the possible impact of these actions on students, employees and the business overall.
5.1 Physical Access Controls
If the information systems and relevant assets are not physically secure, nothing else about the system can be considered secure.
# Intrusion Detection
These systems (such as video motion sensors), also called electronic security systems (ESS), are designed to detect and respond to intruder activities. Unauthorized intrusions should be detected and alarmed using sensors or visual surveillance. Installation and use of ESS is an important part of security maintenance in all the classrooms and halls, including the staff area.
# Closed-Circuit Television (CCTV)
A CCTV camera system has two main functions: raising alarms and surveillance. With a properly installed and maintained CCTV surveillance system, the IT department and security personnel can monitor a larger area of the business property.
# Identification Methods
The people who are allowed onto the premises need to be identified. Each individual should be granted the access relevant to their job description. Card readers or badge systems can be used as identification methods, depending on the nature of the business.
5.2 User Controls
The responsibilities of all employees involved in data input, processing and handling have to be well defined, and their roles periodically reviewed along with the contents of key fields or data files to confirm their validity and integrity. Data users should be provided with sufficient information about the data processing systems so that they can determine the accuracy, completeness and classification of such information.
5.3 Processing Controls
Appropriate and adequate input validation controls should be incorporated into operational applications and systems. These controls should be applied to students' and employees' input (specifically sensitive data such as addresses, contact and bank details). Specific areas to focus on include, but are not limited to (UNDP, 2009):
# Input checks or dual input
Limit input fields to a specific range of input data and apply boundary checks to detect the following errors:
- Missing or incomplete data
- Inconsistent data collection and control
- Known scripting or injection-based attacks
- Invalid characters in the data fields
- Validation checks
# Validation checks
Data entered can become corrupted by deliberate acts, hardware faults or processing errors. Incorporated validation checks can detect these corruptions of information. Areas to check:
- The use of appropriate programs to recover from or prevent failures
- The security against buffer overrun attacks
- The procedures implemented to prevent programs from running in an incorrect order
5.4 Access Controls
These requirements specify how access is managed, who has access to which information, and under what circumstances. Access control is a special concern for the systems used in the business, as these systems are distributed across multiple computers. To safeguard access control, it is essential to make certain that the access control configuration or model does not leak user permissions to an unregistered party. The following areas, among others, need to be checked to ensure a sound access control methodology (Harrison M. A., 2020):
- Access to sensitive files should be controlled and conducted securely
- Only approved or administrative users may install operational and production software or applications
- The software should be authorized by a staff member whose officially approved duties allow them to do so
- The software should be maintained at a level recommended by the supplier
- Physical and logical access should be given to authorized users with proper management approval, and their activities should be logged and monitored with appropriate controls in place
- While conducting tests or upgrading any operational or production system, test data that represent operational data should be used instead of actual operational and production data or any other sensitive information.
- Programs and website source code should be protected against unauthorized access or modification
5.5 Support Process
The managers responsible for a particular support environment (a department or section) should be responsible for the maintenance and security of the computer and application systems within that area. It is their responsibility to ensure that these machines, software and operating environment are not compromised and that any proposed system changes are documented, reviewed and tested.
# Change controls
- Version control should be implemented and enforced, as it can be used to recover from unauthorized functionality or unintentional software changes
- All changes to the website's source code, and any upgrade or uninstallation of system hardware or software, shall be coordinated and approved by a staff member who holds the authority to do so
- A risk assessment should be included in the change control process to analyze the impact of specification changes and the security controls required. It should also ensure that the existing security control procedures are in appropriate condition and that the assigned employee or vendor is given sufficient and approved access to make the required changes
- Whenever required, adequate performance testing should be conducted, using appropriate test data and test facilities
# Software development
- Software development and outsourced software (including student and human resource management systems) should be supervised and monitored by the ICT department.
- Software licensing arrangements, intellectual property rights and code ownership should be maintained appropriately
- Outsourced software should be tested before installation to detect viruses and malicious Trojan code
5.6 Technology Vulnerability Control
Appropriate and timely action shall be taken to identify, avoid and limit potential vulnerabilities and risks. Businesses should define and assign the roles and responsibilities associated with technical vulnerabilities to the respective management staff, including vulnerability risk assessment and vulnerability monitoring. Once a potential technical vulnerability risk has been identified, the following areas, among others, need to be assessed and checked:
- Identify the associated parties and risks
- Coordinate actions to mitigate and resolve the issue
- Impacted areas and boundaries of work
- If a patch is available, compare and formulate the risk associated with the vulnerability and that of installation of the patch to ensure the integrity and effectiveness of the patch
- In a case where no appropriate patch is available, at the minimum these controls should be considered:
a) Inform the related staff and make them aware of the vulnerability
b) Restrict access to services or capabilities related to the vulnerability where possible
c) An audit log of all the actions taken concerning the vulnerability should be monitored
d) Add appropriate access control
e) In addressing risk, the system or area with the highest risk should be prioritized
5.7 Legal Compliance and Requirements
The management should be made aware of all relevant legal, regulatory, and contractual information security requirements.
Acunetix, 2021. What is SQL Injection (SQLi) and How to Prevent It. [Online] Available at: https://www.acunetix.com/websitesecurity/sql-injection/ [Accessed 12 May 2021].
GSA, 2016. Proactive Risk and Vulnerability Assessment. [Online] Available at: https://www.gsa.gov/cdnstatic/Proactive_Risk_and_Vulnerability_Assessment_RVA_Statement_of_Work_SOW_Template.docx [Accessed 12 May 2021].
Harrison M. A., R. W. L. a. U. J. D., 2020. Access Control Policy and Implementation Guides. Protection in Operating Systems, Volume 19.
Jenkins, B. D., 1998. Security Risk Analysis and Management. Illinois: Countermeasures, Inc.
Landoll, D. J., 2006. The Security Risk Assessment Handbook. 1st ed. Florida: Taylor & Francis Group LLC.
Liu, C., Tan, C.-K., Fang, Y.-S. & Lok, T.-S., 2012. The Security Risk Assessment Methodology. International Symposium on Safety Science and Engineering in China, pp. 600–609.
Rosencrance, L., 2018. Definition: Pen Test (penetration testing). [Online] Available at: https://searchsecurity.techtarget.com/definition/penetration-testing [Accessed 12 May 2021].
Timbs, N. H., 2013. Physical Security Assessment of a Regional. Tennessee: East Tennessee State University.
UNDP, 2009. Information Systems Security Standards. New York: BoM Office of Information Systems and Technology.