MIS607 Cybersecurity Report 3 Sample
Task Summary
Reflecting on your initial report (A2), the organisation has decided to continue to employ you for the next phase: risk analysis and development of the mitigation plan.
The organisation has become aware that the Australia Government (AG) has developed strict privacy requirements for business. The company wishes you to produce a brief summary of these based on real- world Australian government requirements (similar to how you used real-world information in A2 for the real-world attack).
These include the Australian Privacy Policies (APPs) especially the requirements on notifiable data breaches. The APP wants you to examine these requirements and advise them on their legal requirements. Also ensure that your threat list includes attacks on customer data breaches. The company wishes to know if the GDPR applies to them.
The word count for this assessment is 2,500 words (±10%), not counting tables or figures. Tables and figures must be captioned (labelled) and referred to by caption.
Caution: Items without a caption may be treated as if they are not in the report.
Be careful not to use up word count discussing cybersecurity basics. This is not an exercise in summarising your class notes, and such material will not count towards marks. You can cover theory outside the classes.
Requirements
Assessment 3 (A3) is in many ways a continuation of A2. You will start with the threat list from A2, although feel free to make changes to the threat list if it is not suitable for A3. You may need to include threats related to privacy concerns. Beginning with the threat list:
• You need to align threats/vulnerabilities, as much as possible, with controls.
• Perform a risk analysis and determine controls to be employed.
• Combine the controls into a project of mitigation.
• Give advice on the need for ongoing cybersecurity, after your main mitigation steps.
Note:
• You must use the risk matrix approach covered in classes. Remember risk = likelihood x consequence.
• You should show evidence of gathering data on likelihood, and consequence, for each threat identified. You should briefly explain how this was done.
• At least one of the risks must be so trivial and/or expensive to control that you decide not to use it (in other words, in this case, accept the risk). At least one of the risks, but obviously not all.
• Provide cost estimates for the controls, including policy or training controls. You can make up these values but try to justify at least one of the costs (if possible, use links to justify costs).
Solution
Introduction: In the present world digitalization within any organization creates a significant threat to mitigate the cyber-attacks. University Assignment Help, Different financial losses are also going to be happened due to such intruders’ attacks. Therefore, Risk register matrix and stride model will be discussed throughout the whole report. The report also demonstrates the concept of STRIDE framework within the organization. A resolution framework will be attached after the report to mitigate such risk from grassroots level.
Body of the report:
Australian Privacy policy and GDPR:
The Australian privacy policy is recognized as one of the important key cornerstones to restrict any kind of security breaches within the organization of Australia. This privacy act is also recognized as Privacy Act 1988. There are mainly 13 Australian Privacy policies included to secure the data or information of the users. Australian Privacy protection Act depends on different types of key points named as:We also need to think about how can we increase our capacity on the offensive side here, to get to that point of deterrence. (Hellman, 2017, 52-52)
? The proper collection, use of some valuable information.
? Organization’s governance and accountability
? A proper accumulation of personal information.
? Individual information accessibility (Lesser, 2021, 26–29).
? Principle:
? APP 1: Personal information of the management team. The organization's Personal Information should be open and transparent. It will also provide.
? APP 2: Pseudonymity and anonymity. According to the AP entities, it is not very necessary to identify someone with the help of a pseudonym. A few exceptions will be applied to this case.
? APP 3: Collection of consumers personal information. According to the rule, personal information should be collected in a significant manner to accumulate sensitive information (Khrustalev & Kostyurin, 2019, 1185-1194).
? APP 4: Dealing with unrequested information. According to the APP entities All unrequested information should be handled prominently.
? APP 5: Notification of personal data. According to the APP entity, in case of personal information collection should be requested to tell the individual.
? APP 6: All disclosure of personal information. The information which is going to be disclosed should be limited to the APP privacy act.
? APP 7: Direct marketing. Organizations have enough right to expose the information only for direct marketing purposes.
? APP 8: Use of the Government based identifier. Limited circumstances need to adopt government-related identifiers.
? App 9: Quality personal information. APP act must require to take adequate steps for up-to-date information at the time of the data collection process.
? APP 10: Cross border personal information. Personal information of any consumers within the organization should be protected through the APP act.
? APP 11: Security of the information. The Australian Privacy Act should take some reasonable steps for misuse of the personal information or authorization act.
? APP 12: Access to personal information. Organizations have enough rights to give priority to those customers for accessing the personal information as per the requirements. A specific exception is applied in that particular case. APP rules need to be followed for correcting personal information.
? APP 13: Correction of personal information.
GDPR:
General Data Protection is defined as a set of data or rules for treating all valuable and personal information sequentially. A significant law has been provided to maintain all customers' information in a significant manner. GDPR mainly uses all personal data by incorporating personal information. THE GDPR law mainly provides for the EU people with maintaining a set of principles. These principles are:
1. Purpose limitation
2. Data minimization
3. Accuracy
4. Proper storage limitation.
5. Integrity and confidentiality.
The GDPR mainly uses the data controller to provide all required access to resolve all errors regarding personal information. GDPR has provided a bunch of rules and regulations to cover the APP act.
Thread List and Stride Categorization:
The threat modeling process needs a significant collaboration between security architects, security operations, and threat intelligence teams to identify individuals' responsibilities to mitigate the threat. The STRIDE model is recognized as one of the useful options to mitigate all potential vulnerabilities which can steal all essential information within any organization.
“While cyber-warfare might use some precepts of kinetic warfare, others had little significance in cyberspace”(Lilienthal & Ahmad, 2015) There are mainly six threat categories being identified like Spoofing technique, Tampering data, information disclosed, Repudiation threat, and elevation of the privileges. According to the analysis, 7 types of cybersecurity threats have been identified which are named as Malware, Emotet, Denial of Service, Man in Middle, Phishing, SQL injection, Password-based attacks.
1. Ransomware/malware: According to the analysis, in Ransomware or malware attacks the IT system holds all infected files and data which is paid by the hackers. Ransome ware attack is linked with consumers' data breach policy. Malicious software downloads, infected websites, and phishing emails are the main factors that directly affect the customers' regular data. Forceful shut down of any computers or any files that might have encrypted all essential information.As an example Ransomware attack may shut down all essential operations within the organization. Ransomware is quite helpful to give threatened all patients’ regular data and information.
2. DDoS attack: Distributed Denial service attack is also recognized as another branch for all the hackers. Cybercriminals have enough capability to stop the access of any user from particular websites. Cyber attackers are constantly trying to spoof the consumer system by generating “spoof ”IP addresses. It will create a huge impact on the victim system. Attackers are producing some irregular IPs to access the victim's personal information. Not only that but also Attackers are sending a lot of information to the victims for improving the extensive connection outside the server's end.
3. Social attacks: Attackers are trying to access the sensitive information of all rival companies in the market to acquire competitive advantages
Attackers are highly capable of stealing the information of the users with the help of accessing login and password information. Vulnerable and malicious attackers have enough capability to steal such information for installing malware in the devices. The PHISHING technique is recognized as one of the important tools to steal the information of all users by producing infected attachments. Cyber attackers are always trying to send some emails to get access to all login credentials of the user.
STRIDE Model:
The STRIDE model is very much useful to secure the app in three different stages. The first step has given enough information to find out all threats with the help of a proactive process. The design system has enough capability to identify the potential threat. The second step is very helpful to identify the risk. The third step demonstrates the risk recovery process. This design is quite helpful to counter all threats by the cloud computing process. The stride model tries to check the authentication, protection, confirmation, and confidentiality of the users. Emails from the side of intruders gives a significant impact on the mail (Stiawan et al. 2017).
1. Spoofing technique is one of the important factors to access all unauthorize data. It can also creates authentication within the organization.
2. Unauthorize person are not able to get into this activity at the point of getting privileges.
3. Information have been disclosed in front of unauthorize person.
4. Action should be prohibited in order to mitigate risk.
5. Critical data or information should be modified by malicious technique.
Threat Analysis:
Figure1:Risk register matrix
(Source: Stallings & Brown, 2018)
Cyber security threats are one of the important factors to analyze the priority of the risk factors. Hacking passwords, DDoS attacks, and Ransomware are recognized as main threats to steal all valuable information from the users. It will also create a huge impact on organizational growth. Ransomware attacks are responded to as high threats to steal the information of regular customers.
DDoS Attack is also recognized as a medium risk factor to analyze the severity of the attack. Here customers are data and organizational policy has been broken by the unethical attack from the side of intruders. IP addresses are spoofed with the help of DDoS attacks. Customers within the organization might lose their computer access by this intruder's attack(Benzel, 2021).
The social attack is also recognized as a high priority and high level of consequences. The phishing attack is determined as one of the high severity attacks because all intruders are sending mail to the customers. Customers are always curious to open the unknown mail as a result by clicking any option creates a huge impact on their system. These emails mainly stole all the essential information of the users. A log file has been created by the user to lose all required access to the user. It can help intruders to remotely access the system of users. All necessary information of the organization is being at great risk.
Weak Password: Cloud-based service has been hacked with the help of a weak password system. Weak passwords in the cloud service of an Australian organization might be the loss of sensitive and personal information of users. The multi-Factor authentication technique is one of the important key factors to analyze the sensitive information of all users. Sensitive information should be handled in a gentle way to sustain the growth of the organization. According to the risk matrix analysis, Social attack is getting the topmost priority by measuring the intruders' attack in the market (Ekelund & ampIskoujina, 2019).
This risk matrix provides adequate ideas about those areas which will need to resolve for avoiding any hazard within the organization.
Threats and Controls:
According to the previous analysis, it can be stated that there are multiple numbers of methods are responsible to inject malicious software within the system to steal all essential information as per the market requirements. A deep analysis of this phenomenon can give a wide range of concepts about the severity of the multiple risk factors. Phishing technique is determined as the most dangerous malicious software which creates log files within the users' system. Eventually, it will lose the access of the users from their computer. This cybersecurity threat has become powerful after the implementation with the help of someskilled full hackers outside the organization. According to the severity of this act, a huge number of methods are being responsible to treat such activity from the grassroots level.
Required Control Measure:
Figure 3: Risk control measure and effective budget strategy
(Source: Stallings & Brown, 2018)
Required control measure:
1. Proper knowledge of IT assets: The organization should have had proper knowledge to strengthen the internal and external environment of this organization. BYOT devices, Third-party components are recognized as the main services that need to be protected with the help of efficient employees within an organization. The supervisor of the organization will need to be more aware of the vulnerabilities attacks.
2. Strict security protocol:
• Automatic patching is required to access all the contents within the system.
• An authentication policy should be more strong to get access to any control system. Security within the IT devices should be extended with the help of the
BYOT device.
• Regular backup and updates are required to improve the growth of such organizations.
• A strict security protocol is necessary to improve the organizational internal and external securities.
3. Real-time Visibility:
Cybersecurity risk has been presented everywhere so the IT management team should form a risk assessment team to identify or upcoming threads within the organizations. Cybersecurity threats should be mitigated with the help of proper insights regarding the organizational factors.
4. Adaptive, Continuous, and Actionable risk assessment:
The most important aspect of this risk assessment is to identify the priority of such risk factors. New technologies are required to be introduced for uplifting the business process. These processes are needed to be reviewed efficiently for improving the security of the organizations.
Risk assessment also defines the concept of all vulnerabilities might produce harm to all the systems present within the organizations. The strict security protocol is determined as one of the important strategies to assess the severity of the risk factor (McLaughlin, 2011).
Mitigation scheme:
A strong IT management team with a proper IT environment structure is highly responsible to avoid any kind of security breaches within the organization. It can also create a huge impact on organizational growth. These methods are going to be described here for getting better visibility about this particular topic.Intruders and attackers can easily attack within the system of the organization by some effective strategies. Therefore, it is very much important to reduce such activities by taking some effective measures like improving the current security system, protecting outbound information, and improving the awareness within the organization.
Improving the security system:
A proper guideline is quite necessary to tighten the software system within the organization. Proper and maximum-security control should be followed for improving organizational growth. Unnecessary services should be stopped to give access to the intruders. A necessary precaution needs to be taken for strengthening the organizational internal factors.
Useful patches: A small hole within the system should be covered up with the help of an effective poking system. It's very hard to run any regular scanning process for enhancing the software system. Software should be updated with maintaining required patches.
Protection of the outbound information: Th system information should be protected by the system with the help of malware and bots. The management team of the organization must need to produce their focus on those employees who are doing some mistakes to ensure the safe information of data. All the information should be bounded effectively to understand the growth of the organization. Malicious software entry should be restricted with critical security activities.
Raising awareness: Everyone who is working within the organization should be alert regarding handling all phishing emails. All the attackers are trying to send phishing information through mail and messaging apps for retrieving all essential information of the customers and employees. Authentication is the main issue in handling any IT-related information within the organization.
Smart about setting the password policy:
The organization's management team should maintain the password policy which can enhance the strength of the password. This can enhance phishing scams by sending some emails and messaging apps. A strong password policy can not take a hacker long to enter within the system by creating external and internal information.
Encrypted data: All the systems within the organization have all the essential information of the customers. Therefore, it is very important to make the data more secure than previous. All personal information within the database should be end to end encrypted. As a result, Hackers are not able to access any sensitive information.
Costing policy: According to the requirements advance technical projects are charging high cost in the market. Therefore, it is very much important to understand the effective budget policy for these projects.
Conclusion:
The whole report was given a concrete idea about the Australian Privacy policy and GDPR to enhance the rules and regulation of APP. In this report, different types of cyber-attacks and the severity of these attacks are mentioned in detail. The risk register matrix was given a detailed discussion about this particular topic to protect all sensitive information of the users. Different types of threats and controlling systems are mentioned here to stop any kind of cyber-attacks within the organizations. It can also increase the brand value and priority within the real world.
References:
Benzel, T. (2021). Cybersecurity research for the future.(viewpoints / security). Communications of the Acm, 64(1), 26.
Cyber security threats. (2016, Jul 20). The Toronto Sun https://torrens.idm.oclc.org/login?url=https://www.proquest.com/newspapers/cyber-security-threats/docview/2234576639/se-2?accountid=17690
Cyber threats undermine 'legal war': Former defence head warns of difficulty of gathering evidence to justify armed conflict. (2019, Mar 27). The Daily Telegraph https://torrens.idm.oclc.org/login?url=https://www.proquest.com/newspapers/cyber-threats-undermine-legal-war/docview/2197699633/se-2?accountid=176901
Cybersecurity threats in the insurance industry. (2018). Claims, 66(01). https://lesa.on.worldcat.org/v2/oclc/7284328375
Cybersecurity threats. (survey)(brief article). (2015). Strategic Finance, 97(4), 10. https://lesa.on.worldcat.org/v2/oclc/5897857617
Ekelund, S., & Iskoujina, Z. (2019). Cybersecurity economics – balancing operational security spending. Information Technology & People, 32(5), 1318–1342. https://doi.org/10.1108/ITP-05-2018-0252
Hellman, M. E. (2017). Cybersecurity, nuclear security, alan turing, and illogical logic. Association for Computing Machinery. Communications of the Acm, 60(12), 52–52.
Hyman, J. (2018). Cybersecurity for insider threats. (legal). Workforce (Media Tech Publishing, Inc.), 97(6), 24. https://lesa.on.worldcat.org/v2/oclc/8165589903
Khrustalev, E. Y., & Kostyurin, G. A. (2019). Cybersecurity threats: triggers and prevention recommendations. National Interests: Priorities and Security, 15(6), 1185–1194. https://doi.org/10.24891/ni.15.6.1185
Lesser, J. (2021). Cybersecurity threats explode. New Jersey Business, 67(7), 26–29. https://lesa.on.worldcat.org/v2/oclc/9127094383
*Lilienthal, G., & Ahmad, N. (2015). Cyber-attack as inevitable kinetic war. Computer Law & Security Review: The International Journal of Technology Law and Practice, 31(3), 390–400. https://doi.org/10.1016/j.clsr.2015.03.002
*McLaughlin, K. L. (2011). Cyber-attack! is a counter attack warranted? Information Security Journal, 20(1), 58–58.https://web-p-ebscohost-com.torrens.idm.oclc.org/ehost/pdfviewer/pdfviewer?vid=1&sid=756d9736-868f-4581-aad2-401c13ca1304%40redis
*Stiawan, D., Idris, M. Y., Abdullah, A. H., Aljaber, F., & Budiarto, R. (2017). Cyber-attack penetration test and vulnerability analysis. International Journal of Online Engineering, 13(1), 125–132. https://doi.org/10.3991/ijoe.v13i01.6407
Would you like to schedule a callback?
Send us a message and we will get back to you
Highlights
Earn While You Learn With Us
Confidentiality Agreement
Money Back Guarantee
Live Expert Sessions
550+ Ph.D Experts
21 Step Quality Check
100% Quality
24*7 Live Help
On Time Delivery
Plagiarism-Free
81 Isla Avenue Glenroy, Mel, VIC, 3046 AU
