Learning and Reflecting about IT Cyber Security

Final Reflective Exam (6/17-20/19)

Learning and Reflecting about IT Cyber Security (25 pts)

“‘Critical Reflection’ is the process of analyzing, reconsidering, and questioning one’s experience within a broad context of issues and content knowledge.” [Barbara Jacoby, 2012]

Background Summary

During the past five weeks, we studied an overview of information security for IT managers. The goal of the course was to prepare you, as an IT professional, to become aware of the cyber security challenges in a world where continuously emerging threats, ever-present attacks, and the success of criminals illustrate weaknesses in current information technologies. This should also help you become aware of the role of an information security management practitioner who secures the systems and networks. The important lesson, however, is that EVERY IT PROFESSIONAL has a responsibility to be aware, to secure, and to protect the employees and data / information of a company from all potential security threats.

Purpose of the Assignment

Rather than take a traditional true/false or multiple-choice test covering topics about specific security threats, this exam is designed to have you review and use critical thinking to answer three short essay questions.

Learning to write a “reflective” short essay is important because it helps you increase the value of your learning experience, it encourages you to take meaning from your own research and apply it to what you are learning, and it helps you relate new learnings and experiences to your prior knowledge.

Assignment Hint

Think about each question first. Then, list some bullet points off the top of your head. Research the question to find specific information to support your thoughts and your answers. Spend some time outlining your answer to be sure you have included everything you want to say. Include why you think and feel that way as well (justification). Then use the outline to write your thoughts in complete sentences and paragraphs. Do not submit your rough notes or outline, only submit your final written short essay for each question. Each short essay answer should be a minimum of 150 – 200 words. Remember, this assignment is worth 25 points (8-9 points per question.)

(Note: The previous four paragraphs are 318 words.)

There are no right answers. Good answers are your thoughts, your research, and how well you express what you have to say.

Final Exam Short Essays:

1. (8 pts) Two of the “Student Learning Outcomes” in the course Syllabus included:

6. Understand the trends, impacts, and effective security controls for the following types of threats:

· Web Application Attacks (#3)

· Point-of-Sale Intrusions (#4)

· Insider & Privilege Misuse (#5)

· Miscellaneous Errors (#6)

· Physical Theft & Loss (#7)

· Crimeware (#8)

· Payment Card Skimmers (#9)

· Cyber-Espionage (#10)

· Denial of Service Attacks (#11)

7. Compare the types of security attacks which affect the 17 Critical Infrastructure Sectors.

As a student, did the ITEC 493, IT Security for Managers, course accomplish these two Student Learning Outcomes (STOs)? Describe your feelings. Choose one security threat and one critical infrastructure sector that you studied over the semester as an example (counts as one question for grading purposes).

a. What did you learn about this threat and sector that was new to you?

b. How might you use this information in your future IT professional career?

2. (8 pts) During this summer, we studied the Verizon Data Breach Investigations Reports (DBIRs) (2019, 2018, 2017). We used the DBIRs throughout the course to find examples of actual security intrusions and threats, plus the necessary security controls that should be implemented to avoid or, at least, mitigate the security threats and attacks. Under BLACKBOARD / Module 3, I just posted another source of security best practice tools: the role of DISA’s (Defense Information Systems Agency’s) STIGs (Security Technical Implementation Guides) in cybersecurity. Please review this information and prepare answers to the following two questions from the Quick Start Introduction & Demonstration Video (34:21 mins), https://public.cyber.mil/stigs/srg-stig-tools/ (counts as one question for grading purposes). The answers to these questions are in the first two minutes of the video.

a. What is the difference between a STIG “Guide” and a STIG “tool”?

b. List three different members of the “User Community” and explain how you, as an IT Professional, might use the DISA STIGs even if you are not working in the Defense Sector?

3. (9 pts) During this semester, we used Small Group Virtual Discussions (SGVDs) to learn about nine different security threats. Small groups allowed you to discuss the threat examples and controls with only 7-8 other students instead of the entire class of 22 students. Separate SGVDs allowed you to concentrate each discussion on one security threat. Rather than discuss what you learned in these discussions, please take the time to reflect on the assignments and write the pros and cons of this type of learning method. What did you like or dislike? Any recommendations for future classes?

You have from Monday, 6/17/19, 6:00 pm, through Thursday, 6/20/19, 11:00 pm, to complete this exam. Please POST your written answers to these three questions as one MS Word document posted as an attachment to BLACKBOARD / ASSIGNMENTS / EXAMS / FINAL. Be sure to include your name, course, date, and assignment title on your submission. Each question is worth from 0-8 or 9 points. See Grading Rubric on the next page. I look forward to reading your answers.

Final Exam Grading Rubric (for each question)

Questions #1, 2, 3

Below Expectations (1 pt): Poor answer, little thought and reflection, no connections between class readings and your own research and learning, some grammar / spelling mistakes

Approaching Expectations (2 pts): Good answer, some thought and reflection, although descriptions of connections between class readings and your own research and learning are minimal, some grammar / spelling mistakes

Meets Expectations (3 pts): Good answer, good thought and reflections, strong connections between class readings and your own research and learning, no grammar / spelling mistakes

Exceeds Expectations (4-6 pts): Excellent answer, excellent thinking and reflection, multiple and specific connections between class readings and your own research and learning, clearly articulated, well-written – no grammar / spelling mistakes

Plus Word Count (0-3 pts):

· > 150 words = 3 pts

· 100 < answer < 150 words = 2 pts

· < 100 words = 0 pts

Total Points

KPP 6/17/19

And here is my work to give you some idea about the class and information

Annotated Bibliography-Information Technology Critical Infrastructure Case of Microsoft

Sadeghi, A. R., Wachsmann, C., & Waidner, M. (2015, June). Security and privacy challenges in the industrial internet of things. In 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC) (pp. 1-6). IEEE.

The authors of this article focused on understanding the context through which the information technology industry and the company’s critical infrastructures are studied. The authors, who have conducted several studies from this perspective, are of the view that most security measures for information in the technology industry fail because scholars have focused their research on the information technology field rather than on an information security management perspective. It is because of this that the authors provide a recommendation that companies and scholars should not approach their studies of critical infrastructure security from a technological perspective but from an information security management perspective.

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs a more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.

The authors of this article provide recommendations as to why organizations that operate in the information technology industry should not focus only on their individual organization's security. Through a literature review, the authors provide evidence that supports the idea that security issues in the information industry are likely to be contained if organizations take a holistic approach to implementing information security to protect their critical infrastructures. The authors noted in this article that combined efforts by organizations will provide the skills, expertise, and resources that these organizations require to implement a watertight security framework for securing the critical infrastructures of the individual companies.

Skopik, F., Settanni, G., & Fiedler, R. (2016). A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60, 154-176.

The authors of this study are of the view that internet-enabled security compromises have changed significantly. The authors observe that threats related to hobby hacking have given way to more organized cybercrimes that target well-established organizations such as Microsoft. Based on the findings of the authors, most of this hacking and these breaches of critical infrastructure security in organizations are carried out for economic reasons, some of them by competitors. It is because of this that it is important for organizations to enhance the security of their critical infrastructures by sharing security incident information.

Kriaa, S., Pietre-Cambacedes, L., Bouissou, M., & Halgand, Y. (2015). A survey of approaches combining safety and security for industrial control systems. Reliability Engineering & System Safety, 139, 156-178.

The findings from the survey that was done by Kriaa and others in 2015 indicate that organizations, especially those operating in the information technology industry, need to adopt an approach that combines both the security and safety of their major controlling components. The authors revealed in this survey that most of the organizations in different industries that have combined their safety and security approaches towards their critical infrastructures have proven to be very successful and have experienced limited security breaches of their important information technology infrastructures. It is because of this that organizations should combine their safety and security measures aimed at protecting their important companies.

Knowles, W., Prince, D., Hutchison, D., Disso, J. F. P., & Jones, K. (2015). A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection, 9, 52-80.

The authors of this study focused on the cybersecurity management of control components in different industries. The survey findings are very interesting, as it is very clear that most of the companies in industries that incorporate critical infrastructures in their operations do not put much focus on the protection of their infrastructures. The authors are of the view that important control components in organizations no longer operate in isolation but are connected to other components, such as the corporate network, to enhance business operations. The interdependency of the components in companies poses a huge risk of security breaches, and it is because of this that organizations have to focus their efforts on securing their components from cyber insecurity.

Radvanovsky, R. S., & McDougall, A. (2018). Critical infrastructure: homeland security and emergency preparedness. CRC Press.

Radvanovsky and McDougall are prominent and renowned authors on the issue of cyber security today. In this book, the authors took their time to provide an in-depth analysis of the preparedness of the Homeland agency to deal with attacks on critical infrastructures from both the public and the industrial perspective. The authors use different cases to convey their message as they argue that much has been done by the Homeland agency to prepare itself to deal with attacks or emergencies that affect critical infrastructures. The authors concluded their book by recommending that the Department of Homeland Security should enhance its emergency preparedness to deal with attacks and emergencies that may affect the operation of major critical infrastructures and may compromise the security of the entire nation.

Mashkina, I. V., Guzairov, M. B., Vasilyev, V. I., Tuliganova, L. R., & Konovalov, A. S. (2016, May). Issues of information security control in the virtualization segment of company information system. In 2016 XIX IEEE International Conference on Soft Computing and Measurements (SCM) (pp. 161-163). IEEE.

The authors of this article focused their research on the issues that negatively impact the security of information systems at a time when virtualization is gaining acceptance. The authors are of the view that organizations in the information industry face challenges in implementing security measures to protect their critical components because of the high level of virtualization in this segment of the company. The findings of this study are very important in understanding some of the problems that organizations such as Microsoft, which have most of their systems virtualized, face in implementing security policies to protect their critical infrastructures.

Limba, T., Plėta, T., Agafonov, K., & Damkus, M. (2019). Cybersecurity management model for critical infrastructure.

Limba, Plėta, Agafonov, and Damkus (2019) in this study focused on developing a framework that organizations can use to enhance the security of their cyber-systems and critical infrastructures. The authors are of the view that organizations need to develop security measures that are sufficient for the protection of their critical infrastructures. The authors explain a model cyber security management framework in this article and provide evidence-based recommendations to adopt the model. The findings of the authors in support of their model cyber security management framework are similar to those provided in the study that was done by Radvanovsky and McDougall (2018) on the Department of Homeland Security.

Paté‐Cornell, M. E., Kuypers, M., Smith, M., & Keller, P. (2018). Cyber risk management for critical infrastructure: A risk analysis model and three case studies. Risk Analysis, 38(2), 226-241.

The authors in this study provide a systematic review of the literature to understand some of the available models that are used to protect critical infrastructures in the information technology industry. The authors’ model that is described in this article resembles the model that was developed by Paté‐Cornell et al. (2018). The findings are very important to this study since the authors use examples of information technology companies to test the model. It is because of this that the content of this study is very important in completing my final analysis report.

Information Technology Critical Infrastructure Case of Microsoft

Executive Summary

Microsoft Corporation is the leading developer of computer software systems and applications. The company also engages in the publication of books and the production of computer tablets, and it provides e-mail services. In addition, Microsoft operates research labs in various parts of the world such as Cambridge, China, India, and Beijing. Microsoft Corporation has had notable success, and it has expanded and ventured into the information services and entertainment industries, offering a variety of products and services such as the Microsoft Network. Cyber-attacks threaten the information sector at Microsoft Corporation. Mitigation of these threats is necessary so as to limit the dangers that they bring about. Critical infrastructure means the continuous operation, by various industries or institutions, that is necessary for society’s stability and security. Various sectors such as the healthcare, transportation, energy, and water sectors are essential for the security and stability of a society. The organizations that run these sectors need to pay attention to issues like cyber security. In order to enhance critical infrastructure protection, cooperation from both the public and private sectors is required. Often, critical infrastructure is owned and operated by industries in the private sector and depends heavily on technologies that are under private companies. Therefore, the government has a vital role in recognizing the security needs and success requirements. The Organization of American States publication, which was developed in partnership with Microsoft, highlights the importance of collaboration between the public and private sectors. In this publication, Microsoft gave technical insights that will best enhance the guarding of systems by critical infrastructure operators based on owner priorities.

Final Report: Analysis and Recommendations

Microsoft Corporation addresses security issues in regard to mobile code by offering role-based security. Authentication is one of the key security concepts at Microsoft. Authentication refers to examining and validating a user’s credentials so as to discover and verify the user’s identity (Knowles et al., 2015). The information obtained during authentication can be used directly by a person’s code. Another key security concept at Microsoft is authorization, which determines whether permission to perform a requested action is granted (Soomro et al., 2016). This process happens after authentication, whereby data about the identity of a principal are used to determine the resources that the principal can access.

Analysis and Recommendations

Information security is highly influenced by the use of information technology. This puts many users of information technology at risk of information security issues. Therefore, information security measures are necessary so as to enhance the protection of users’ valuable information (Limba et al., 2019). Security measures are enhanced through the use of the CIA triad, which is the tool for securing information systems and technological assets. The goals of confidentiality, integrity, and availability will help in protecting important information at Microsoft. Confidentiality refers to guarding information from unauthorized access. Information protection is one of the goals that are emphasized by the CIA triad. Confidentiality ensures that information can only be accessed by authorized people. Restricting who can access information is the main aim of confidentiality.

Confidentiality relates to the information sector in that people’s personal information should not be shared with any unauthorized persons, as this may bring about different threats (Limba et al., 2019). The Microsoft Company should ensure that the information of its principals is only accessed by authorized persons. Integrity refers to keeping information accurate and consistent, except when authorized changes are required. Changes to information can result from careless access, information system errors, and access to information by unauthorized sources. Maintenance of integrity is, therefore, necessary as it helps in information security. During storage and transmission, information should remain unchanged and no modification should be made to it (Kriaa et al., 2015). Information security should put in place measures that monitor and regulate authorized access, the use of information, and its transmission.

Integrity will help the information sector of Microsoft Company to ensure that no alterations are made to information during storage and transmission. Availability refers to the circumstance where information is available when and where it is needed. Authorized users of information should be able to get information when they need it; the availability of information is enhanced through the proper working of all the components of the information system (Mashkina et al., 2016). Access to information can be made impossible when the information systems have problems. The information sector of Microsoft should ensure the proper working of all its information systems so that users can access information anytime they need it. All the components of the CIA triad are important. They will all enhance information security at the Microsoft Company. The coordination of confidentiality, integrity, and availability is what will enhance the attainment of the goals of the information security sector of Microsoft. All these aspects are therefore required to enhance information security.

The information technology sector is faced with a number of threats. A computer virus is a common threat faced by the information technology sector. A computer virus is a piece of software which spreads from an infected computer to another (Paté‐Cornell et al., 2018). The virus is dangerous in that it can lead to the deletion of information or even steal or corrupt some information. Computer viruses are also a threat to the information technology sector because the virus could lead to the spread of information like emails from one computer to another. Rogue security software is another threat to the information technology sector. Security update advertisements can be dangerous because clicking on the advertised update to install it leads to the downloading of software that is not genuine (Soomro et al., 2016). However, Microsoft has a webpage which gives a description of rogue security software and also informs people on how to protect themselves from it. Malicious spyware, an application created by cybercriminals, is also a threat to the information technology sector. The Trojan application helps in spying on the cybercriminal’s victims (Mashkina et al., 2016). An example of such software is a keylogger, which records a victim’s keyboard typing and then sends the information back to the cybercriminal.

The key threats to the information sector can be managed through a number of strategies. Solutions need to be implemented for the different threats. The management, leadership, and team members at Microsoft departments should help in implementing solutions that will sustain them against the different information technology threats (Paté‐Cornell et al., 2018). The issue of information technology sector threats can also be addressed by identifying and cataloging the sensitive information that the department has. Sensitive information should be kept safe in this era of mobile phones. At Microsoft, Azure Information Protection aids the department in detecting sensitive information and securing sensitive personal information regardless of where it is stored or with whom it is shared. Another strategy for minimizing the information technology sector threat is ensuring that only authorized users and systems can access sensitive information (Radvanovsky & McDougall, 2018). The department should be careful about who accesses information. Authentication can be enhanced through the multi-factor authentication that is built into Azure AD, which gives a single authentication platform that the department uses to give access to authorized individuals and systems.

The information technology sector at Microsoft has faced various threats such as rogue security software. Individuals end up installing malicious software. Through the webpage that describes rogue security software, individuals can be educated on how to identify legitimate updates (Skopik et al., 2016). The computer virus threat in the information technology sector can also be curbed by the use of antivirus software. This can help in reducing the loss and corruption of personal information.

The Chief Information Security Officer post at the Microsoft Company will help the Information Technology Sector. The Officer will enhance the security of all the personal information that the Microsoft Company holds (Radvanovsky & McDougall, 2018). Taking care of users’ personal information has always been a challenge for many organizations. The threats faced by the Information Technology Sector make an individual’s personal information insecure. Many times, information has been accessed by unauthorized individuals and systems, which is dangerous for the victims (Sadeghi et al., 2015). It is, therefore, the role of the Chief Information Security Officer to ensure that confidentiality and integrity are exercised when handling the data. Unauthorized persons and systems should be blocked from accessing data that is not meant for them. The Officer also ensures that information is not altered during storage or while it is being transmitted. The role of the Officer also includes ensuring that information is available to its users anytime they need it. Therefore, proper management of all information systems is essential so as to avoid the problem of information being unavailable when users require it (Paté‐Cornell et al., 2018). Threats in the information sector should also be mitigated by the Officer by putting in place strategies such as authentication of the authorized users of the information at Microsoft Company.

Conclusion

Critical infrastructure protection can be enhanced through the formulation of policies which emphasize security baselines. Through these policies, Microsoft Corporation will be informed on how to secure critical information systems while at the same time allowing industries to evolve and innovate in their approaches. In order to enhance critical infrastructure protection, cooperation from both the public and private sectors is required. Often, critical infrastructure is owned and operated by industries in the private sector and depends heavily on technologies that are under private companies.

References

Knowles, W., Prince, D., Hutchison, D., Disso, J. F. P., & Jones, K. (2015). A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection, 9, 52-80.

Kriaa, S., Pietre-Cambacedes, L., Bouissou, M., & Halgand, Y. (2015). A survey of approaches combining safety and security for industrial control systems. Reliability Engineering & System Safety, 139, 156-178.

Limba, T., Plėta, T., Agafonov, K., & Damkus, M. (2019). Cyber security management model for critical infrastructure.

Mashkina, I. V., Guzairov, M. B., Vasilyev, V. I., Tuliganova, L. R., & Konovalov, A. S. (2016, May). Issues of information security control in the virtualization segment of company information system. In 2016 XIX IEEE International Conference on Soft Computing and Measurements (SCM) (pp. 161-163). IEEE.

Paté‐Cornell, M. E., Kuypers, M., Smith, M., & Keller, P. (2018). Cyber risk management for critical infrastructure: A risk analysis model and three case studies. Risk Analysis, 38(2), 226-241.

Radvanovsky, R. S., & McDougall, A. (2018). Critical infrastructure: homeland security and emergency preparedness. CRC Press.

Sadeghi, A. R., Wachsmann, C., & Waidner, M. (2015, June). Security and privacy challenges in the industrial internet of things. In 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC) (pp. 1-6). IEEE.

Skopik, F., Settanni, G., & Fiedler, R. (2016). A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60, 154-176.

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs a more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.