  • Subject Name : IT Computer Science

Introduction to Information Security

As technology grows, making computation and communication smooth and easy, the number of connected devices on the worldwide network also grows. As the number of devices connected to a global network increases, the threat of virus attacks and other kinds of information security threats also grows. Any individual or organization using a communicating or computing device that is connected to some network is at risk of a cyberattack (M. Whitman & Mattord, 2015). The process of protecting information and the devices that are used to store and transmit information is called information security (M. E. Whitman & Mattord, 2012).

Be it an organization or an individual, the confidentiality, integrity, and availability of information are critical; together these are called the C.I.A triangle (M. E. Whitman & Mattord, 2017). Though it is generally perceived that information security is only for businesses and organizations, it should be realized that information security is important even at an individual level. Individuals store a lot of information on their personal computers, such as digital copies of their tax records, bills, salary details, academic achievements, insurance details, vehicle ownership details, personal photographs, and photographs of families and friends (“Personally Identifiable Information,” 2018). Personal computing devices are used for making financial transactions through methods such as electronic wallets and other digital banking methods. Online shopping for various goods, online learning through various MOOC platforms, and network gaming have become very common for individuals these days. Given the role of technology, the internet, and computing devices in an individual's personal life, it is evident that information security must be prioritized for individuals as well (Saridakis, Benson, Ezingeard, & Tennakoon, 2016).

In the present work, a normative model covering the various computing devices and technologies that an individual uses, the kind of information shared online, the backup facilities that are available and reachable, etc. is assessed and described. The identified vulnerabilities are reported and suitable corrective measures are explored. A brief note on how this analysis helped in the identification of various security vulnerabilities at an individual level is presented before a formal conclusion.

Information Assets

We live in a very fast-paced, well-connected world today. The Internet of Things, or IoT, has become the norm of the day, making it possible to connect different types of devices anytime, anywhere. A lot of individual information is being made available online (Marreiros, Tonin, Vlassopoulos, & Schraefel, 2017; Parsons, Mccormac, Butavicius, & Ferguson, 2010). Organizations are very much concerned about information assets because they mine the data to understand customers better and provide better services. At an individual level, an information asset refers to any information that may help in personal identification, passwords, information on financial transactions, health records, insurance information, and sensitive data like personal photographs, etc. Additionally, the resources used to store such information, like the physical hardware as well as software, cloud space purchased by an individual, internet bandwidth, etc., are also classified as information assets belonging to that individual (Mattord, 2007; M. Whitman & Mattord, 2015).

Individuals cannot afford to develop applications on their own, so they have to acquire and use information system applications such as commercially available operating systems, word processing applications, email applications, browser applications, and the like. These applications make up the environment of an individual. Not all data on an individual's computers might be shared online. But that doesn't mean such data is not valuable, nor does it mean the data is safe. Information security at the individual level deals with protecting the data that is available online as well as the data that is stored offline (M. E. Whitman & Mattord, 2011, 2017).

ISO/IEC 27002 specifies the standards for good information security and can be applied both at the level of an organization and of an individual (Disterer, 2013; ISO/IEC, 2013; The British Standards Institution, 2015). AS 27002:2015 is a modified version of the standard to suit Australian needs. This document is a code of practice that describes how various information assets should be managed to ensure that the confidentiality, integrity, and availability of data are not compromised by any security threat. COBIT and ITIL platforms provide an end-to-end solution and hence are more suitable for organizations. Since this work takes an individual’s information security perspective, it has been based on the AS ISO/IEC 27002:2015 guidelines, and a normative model of an individual’s information security using AS ISO/IEC 27002:2015 is derived in this section.

Identification of Information Assets

Some of the most important devices used by an individual are:

  • A Dell Laptop: The laptop has a Core i5 processor with 1.5 TB disk space. The operating system used is Windows 10, which is up to date. Microsoft Office 360 suite has been installed. Google Chrome is the default web browser, and some other applications are used. The installed applications include VLC VideoLAN player, Adobe Acrobat Reader X, a licensed version of WinZip 5.0, and the Amazon Kindle application. Norton 360 home security is installed. The laptop can connect to the home internet connection using both wireless and Ethernet connector options.
  • A Desktop PC: The desktop PC is an old machine with an i3 processor and a 500 GB hard disk. It runs the Windows 7 operating system and has a browser application and a few games installed.
  • A Telstra wireless modem and an internet connection are used.
  • An Android-based tablet: A Wi-Fi-enabled Android tablet from Lenovo is used by everybody in the family for surfing, watching videos, and playing games.
  • An Android smartphone: A dual-SIM smartphone with VoLTE-enabled network connectivity. GPS is enabled. The Amazon account is primarily configured on this device.
  • A fitness band: A Lenovo fitness band is used to keep track of the number of steps walked and calories burned during workout sessions, and to give regular reminders to drink water. It is also connected to the smartphone via Bluetooth and can show instant notifications, messages, and calls.
  • A pair of truly wireless Bluetooth earphones: These earphones are paired with the smartphone, TV, and laptop using Bluetooth.
  • A Smart TV connected with an Amazon Firestick: A Sony smart TV that is linked with the Amazon Prime account and Gmail account for accessing Amazon Firestick services and YouTube services is used.
  • An Amazon Echo Plus voice controller: An Amazon Echo Plus voice controller is used to connect to Alexa-activated services and is connected to the Amazon account.
  • Amazon dash buttons(Shubair, Ahmed, & Safar, 2018): At various places in the house Amazon dash buttons are used. Three buttons are found in the laundry and toiletry section and five are found in the pantry. One button is found for pet supply.
  • An Amazon Oasis Kindle device that is Wi-Fi enabled is used and is in sync with mobile and the laptop.
  • A Digital Safe: A biometric-enabled, wall-mounted safe is used.
  • A smart door camera, four home-surround CCTV cameras, and a home interaction system with a smart lock and a smart doorbell are used for safety purposes and are synced to a Gmail account.
  • Apart from these devices, three removable SD cards, two removable USB flash drives, and one external hard disk are in use.

The Amazon account is connected to Gmail. Credit card details have been stored as part of the app information for easy payment. Photographs of self, various family members, and friends are stored both on the laptop and on the PC. Specific details on electricity bills, loan details, bank account details, insurance, and all other financial details are stored on the laptop only.

Evaluation of Information Assets

Some of the observations made during the evaluation of the assets are listed below:

  • It was found that much of the application software was outdated.
  • The license of the antivirus included usage for 6 devices including PCs, tablets, and smartphones. Of these, only one license was used, on the laptop. Other devices did not have Norton installed.
  • The license seems to be valid for over 18 months, but the auto-updating feature was disabled. Hence the antivirus was not up to date. This poses a high-level risk.
  • A new OTG pen drive was found connected to the tablet. On exploring, it was found that one of the kids in the family had found the pen drive lying unclaimed in the park and had brought it home. This random pen drive was then connected to the tablet. From then onwards, several new applications have been automatically installed and some essential, previously installed apps have started behaving weirdly. This is a very high-impact security threat (Tischer et al., 2016).
  • There is no password used for logging into the administrative account of the desktop PC. Further, there is no separation of the guest account and the administrator account. Two user accounts are present. Both of these accounts are configured as Administrator accounts and have full access and complete read, write, and execute permissions. Kids in the family using an account with administrative privileges is not correct.
  • Remote Desktop Protocol, or RDP, is enabled by default on the laptop as well as the desktop. On the desktop, all files are downloaded to the C drive and are opened automatically. There is no restriction on opening executable files that are downloaded from the internet. However, this is not the case on the laptop (Bitton & Shabtai, 2019; Cai, Yu, & Zhou, 2004; Ussath, Cheng, & Meinel, 2016). Any intrusion using RDP will be very difficult to identify.
  • Once, an email from someone claiming to be from Amazon and offering a cash prize of 200 million dollars was received. Clicking on the link led to a page that looked like Amazon and asked for login credentials. Since the family member who responded to the email did not remember the password of the family’s Amazon account, he could not proceed. Fortunately, the account was protected from a phishing attempt (Yeboah-Boateng & Amanor, 2014).
  • There was no backup for the photos, bills, and digital receipts that are stored on the PC and the laptop.

Security Measures to Implement

The following security measures must be immediately implemented:

  • Install and update the antivirus on all home devices and scan them completely.
  • Restrict access of accounts used by children to guest mode without Execute privileges.
  • Change passwords and use strong passwords.
  • Configure VPN and Firewall.
  • Configure parental control for accounts used by kids.
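
The Windows findings from the evaluation (RDP left enabled, more than one administrator account, accounts without a password, devices with no antivirus) can be rechecked after the measures above are applied. The script below is an added example, not part of the original assignment; it assumes Windows PowerShell 5.1 or later in an elevated prompt, and the function name `Get-HomePcAuditFinding` is hypothetical.

```powershell
# Added example: read-only audit of the Windows findings described above.
# Assumes Windows PowerShell 5.1+ (LocalAccounts cmdlets) and an elevated prompt.
# Get-HomePcAuditFinding is a hypothetical name; the function changes nothing.
function Get-HomePcAuditFinding {
    # 1. Remote Desktop: fDenyTSConnections = 0 means incoming RDP is allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
              -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        [pscustomobject]@{ Check = 'RDP'
            Detail = 'Incoming Remote Desktop connections are enabled' }
    }

    # 2. Enabled local users that are members of the built-in Administrators
    #    group (well-known SID S-1-5-32-544, independent of display language).
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.SID.Value })
    $users  = @(Get-LocalUser | Where-Object { $_.Enabled })
    $admins = @($users | Where-Object { $adminSids -contains $_.SID.Value })
    if ($admins.Count -gt 1) {
        [pscustomobject]@{ Check = 'Admins'
            Detail = "Several enabled accounts are administrators: $($admins.Name -join ', ')" }
    }

    # 3. Heuristic: enabled accounts that do not require a password, or whose
    #    password has never been set, may be usable without one.
    foreach ($u in $users) {
        if (-not $u.PasswordRequired -or $null -eq $u.PasswordLastSet) {
            [pscustomobject]@{ Check = 'Password'
                Detail = "Account '$($u.Name)' may be usable without a password" }
        }
    }

    # 4. Antivirus products registered with Windows Security Center
    #    (this WMI namespace exists on client editions of Windows).
    $av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
                -ErrorAction SilentlyContinue)
    if ($av.Count -eq 0) {
        [pscustomobject]@{ Check = 'Antivirus'
            Detail = 'No antivirus product is registered on this machine' }
    }
}

# Run on each Windows machine; an empty table means none of the checks fired.
Get-HomePcAuditFinding | Format-Table -AutoSize -Wrap
```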

Self-Reflection on Information Security

Internet and information security are of importance and I have always known that fact. I have always been cautious about my family's internet security and have always told them not to connect to public free Wi-Fi networks. I have also instructed my younger siblings about the risks of clicking on ads and counseled them to be careful about the risks of chat room communications, etc. These efforts made me very confident and made me presume that I had created a very safe and secure digital environment at home.

While carrying out this exercise, I came to know that this was not the case and that I had several vulnerable areas that might lead to a full-blown security threat. I updated the software, installed OS patches, and configured all security features. While checking browser history and cookies, I was shocked to notice that the cookies had not been deleted for a while. I was well aware of the risks that cookies may pose to a machine (Sivakorn, Polakis, & Keromytis, 2016; Zheng et al., 2015). Additionally, I also noticed that some ads had been clicked upon accidentally and the landing page had been immediately closed.

I explored cost-effective solutions and learned about the existence of some browser extensions such as “AdBlock”, which block unnecessary ads and would eliminate the chance of even accidentally clicking upon a risky ad. I also learned about plugins such as “Self-Destructing Cookies”, which destroy the cookies left by various websites that have been closed (Bugliesi, Calzavara, Focardi, & Khan, 2015). Additionally, such plugins also cleared any trackers left by websites on the machine as well as sessions that were active and left before logging out (Bugliesi, Calzavara, Focardi, & Khan, 2014; Joseph & Bhadauria, 2019). Disabling auto-download options and enabling an option to ask before downloading helps in the verification of the download source. Some of the user accounts on the commonly used PC were configured as guest accounts without any Execute or Administrative privileges.

I also instructed my younger siblings about the risks that come with using stray removable devices on our personal machines. The tablet was found to be contaminated by several spyware applications, malware applications, etc. The OTG flash drive seems to be the source of all the malware applications. These apps were uninstalled and the necessary applications were updated.

Despite knowing the importance of strong passwords, I somehow was consciously using the same password for different user accounts. I rectified this by creating a strong password for each and every account separately. This would ensure that even if one account is compromised, not all accounts could be hacked. I also enabled two-step authentication for some accounts. I have also put a reminder for changing the passwords once every three months.

I disabled RDP and configured that any remote connection request would want explicit approval from the user. Also, Windows login passwords for all user accounts were created. Some of the folders were given only read privileges.

The antivirus was installed on all the devices including the desktop, laptop, tablet, and smartphone. It was updated to the most recent version and all the machines were scanned completely. Some files were quarantined and deleted. A backup for all the important data was created on the hard disk. Secure cloud space in the Amazon AWS cloud service and an automatic backup on a weekly basis were configured.

The AS ISO/IEC 27002 standards explain various good information security practices such as the use of strong passwords and awareness of lurking cyber threats like phishing and social engineering threats. They also describe the importance of secure data backup for ensuring the C.I.A triangle. Though the AS ISO/IEC 27002:2015 standards are described for organizations, I was able to relate to and appreciate the value of these practices at an individual level too. Overall, this exercise was a good learning experience and was of great significance to me.

Conclusion on Information Security

With the digitization of information comes the risk of cyber threats. It is the responsibility of individuals as well as organizations to protect themselves against such cyber threats. Policies like AS ISO/IEC 27002:2015 provide a guideline for safe internet practices. It is of paramount importance for individuals and organizations to keep revisiting the security setup of their IT infrastructure and to keep it up to date to minimize the risks, if not completely eliminate them. An evaluation of an individual’s information security was carried out. Some vulnerabilities and risks were found and suitable mitigation strategies were identified. Overall, it can be concluded that safety while using information systems requires keen attention to detail and a thorough understanding of various security threats as well as the countermeasures.

References for Information Security

Bitton, R., & Shabtai, A. (2019). A Machine Learning-Based Intrusion Detection System for Securing Remote Desktop Connections to Electronic Flight Bag Servers. IEEE Transactions on Dependable and Secure Computing. https://doi.org/10.1109/tdsc.2019.2914035

Bugliesi, M., Calzavara, S., Focardi, R., & Khan, W. (2014). Automatic and robust client-side protection for cookie-based sessions. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). https://doi.org/10.1007/978-3-319-04897-0_11

Bugliesi, M., Calzavara, S., Focardi, R., & Khan, W. (2015). CookiExt: Patching the browser against session hijacking attacks. Journal of Computer Security. https://doi.org/10.3233/JCS-150529

Cai, L., Yu, S., & Zhou, J. L. (2004). Research and implementation of remote desktop protocol service over SSL VPN. Proceedings - 2004 IEEE International Conference on Services Computing, SCC 2004. https://doi.org/10.1109/scc.2004.1358052

Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security. https://doi.org/10.4236/jis.2013.42011

ISO/IEC. (2013). International Standard ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls. ISO/IEC 27002:2013(E).

Joseph, J., & Bhadauria, S. (2019). Cookie based protocol to defend malicious browser extensions. Proceedings - International Carnahan Conference on Security Technology. https://doi.org/10.1109/CCST.2019.8888425

Marreiros, H., Tonin, M., Vlassopoulos, M., & Schraefel, M. C. (2017). “Now that you mention it”: A survey experiment on information, inattention and online privacy. Journal of Economic Behavior and Organization. https://doi.org/10.1016/j.jebo.2017.03.024

Mattord, H. J. (2007). Rethinking risk-based information security. https://doi.org/10.1145/1409908.1409921

Parsons, K., Mccormac, A., Butavicius, M., & Ferguson, L. (2010). Human Factors and Information Security: Individual, Culture and Security Environment. Science And Technology. https://doi.org/10.14722/ndss.2014.23268

Personally Identifiable Information. (2018). In Encyclopedia of Social Network Analysis and Mining. https://doi.org/10.1007/978-1-4939-7131-2_100873

Saridakis, G., Benson, V., Ezingeard, J. N., & Tennakoon, H. (2016). Individual information security, user behaviour and cyber victimisation: An empirical study of social networking users. Technological Forecasting and Social Change. https://doi.org/10.1016/j.techfore.2015.08.012

Shubair, D., Ahmed, I., & Safar, M. (2018). A survey on IoT contribution in smart goods ordering cycle - Amazon buttons. ACM International Conference Proceeding Series. https://doi.org/10.1145/3231053.3231067

Sivakorn, S., Polakis, I., & Keromytis, A. D. (2016). The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information. Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016. https://doi.org/10.1109/SP.2016.49

The British Standards Institution. (2015). Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. ISO/IEC 27017:2015.

Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016). Users Really Do Plug in USB Drives They Find. Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016. https://doi.org/10.1109/SP.2016.26

Ussath, M., Cheng, F., & Meinel, C. (2016). Insights into Encrypted Network Connections: Analyzing Remote Desktop Protocol Traffic. Proceedings - 24th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, PDP 2016. https://doi.org/10.1109/PDP.2016.38

Whitman, M. E., & Mattord, H. J. (2011). Roadmap to Information Security: For IT and InfoSec Managers.

Whitman, M. E., & Mattord, H. J. (2012). Implementing Information Security. In Principles of Information Security. https://doi.org/10.1016/B978-0-12-381972-7.00002-6

Whitman, M. E., & Mattord, H. J. (2017). Principles of Information Systems, Sixth Edition. In Learning.

Whitman, M., & Mattord, H. (2015). Ongoing threats to information protection. Proceedings of the 2015 Information Security Curriculum Development Conference, InfoSec CD 2015. https://doi.org/10.1145/2885990.2885994

Yeboah-Boateng, E. O., & Amanor, P. M. (2014). Phishing, SMiShing & Vishing: An Assessment of Threats against Mobile Devices. Journal of Emerging Trends in Computing and Information Sciences.

Zheng, X., Jiang, J., Liang, J., Duan, H., Chen, S., Wan, T., & Weaver, N. (2015). Cookies lack integrity: Real-world implications. Proceedings of the 24th USENIX Security Symposium.
