Threat Analysis final
- As the final step of this proposal, you will prepare a comprehensive Security Awareness and business continuity plan (taking what you did in Assignment 5.3 and expanding upon the summary) that will be used throughout the organization. The plan should address awareness from the perspective of employee expectations. The business continuity plan should address the requirements needed to recover from potential disasters, whether through natural causes (weather, fire, etc.) or a security breach. The paper should be outlined as follows:
Executive Summary/Introduction
Threat Analysis (Assignment 2.4)
Mitigation Strategies (Assignment 4.4)
Business Continuity Plan (Assignment 5.3 was an overview)
Security Awareness Program Plan/Overview
Conclusion - Provide transitions between these six sections. The total length of the paper should be 15–20 pages. You may use graphics or other features within your paper; however, these do not count toward the 15–20 page total.
FINAL PAPER
1. INTRODUCTION
2. THREAT AND VULNERABILITY ASSESSMENT
2.1. ASSESSMENT SCOPE
2.2. MEASURES TO THREATS AND VULNERABILITIES IN THE COMPANY
2.3. THREAT AGENTS AND POSSIBLE ATTACKS
2.4. EXPLOITABLE VULNERABILITIES
3. MITIGATION STRATEGY
4. BUSINESS CONTINUITY PLAN
4.1. TESTING A DISASTER RECOVERY PLAN
4.2. RISK MANAGEMENT PLAN
4.3. CHANGE MANAGEMENT PLAN IMPACT
5. SECURITY AWARENESS PROGRAM
6. CONCLUSION
7. REFERENCES
1. Introduction
Gerić and Hutinski (2017) define a threat as a potential harm or danger and a vulnerability as exposure to the possibility of harm. In information systems and organizational data, threats and vulnerabilities refer to the possible harms to, and the possible exposure to harm of, the information systems infrastructure and organizational data (Gerić & Hutinski, 2017). Tesla Company is a multinational company that has businesses in technological products such as cloud computing, artificial intelligence and e-commerce (Tran, Childerhouse & Deakins, 2016). Developing and categorizing a security mitigation strategy is essential for companies that deal with any kind of threat to their business. Risk mitigation strategies are designed to control, reduce and eliminate known risks that threaten the business, with a specified undertaking to prevent injury. The security awareness program is especially important to companies like Tesla. Each employee is supposed to be aware of their roles and responsibilities in fighting against cyber threats and attacks. Training must be attended by every employee to completion, and their capabilities tested in a simulated attack, so that they are familiar with the types of attack to expect. This paper focuses on the kinds of policies and procedures that will help Tesla Company improve security awareness so that it can reduce the risk of cyber threats and attacks.
2. Threat and vulnerability assessment
2.1 Assessment Scope
Though in most cases a threat and vulnerability assessment involves both physical and intangible assets such as computer hardware, organizational networks, virtualization, databases, cloud and mobile systems, this assessment focuses only on users and the intangible organizational assets that form the information system infrastructure of Tesla Inc. More precisely, the assessment focuses on cyber-related attacks on these information system infrastructures.
Tesla has a broad range of information system infrastructure, which includes people, information systems and information security systems (Tanwar et al., 2019). Tesla's primary information system assets include e-commerce and web-based services, namely cloud computing, database, network, virtualization, mobile and information systems.
Figure: Tesla Information System Infrastructure and the items involved in the assessment scope. The four components shown are Cloud Service, Human Resource, E-Commerce and Database System; each is described below.
Cloud Service
The cloud information system comprises storage systems and the provision of virtualization programs to a multitude of companies all over the world. These services are available to subscribers and registered users who acquire the service through an order entry (Dhillon & Torkzadeh, 2016).
Human Resource
The Tesla human resource information system is a huge and complex system that holds not only information on the company's merchants but also customer service information and the details of product support staff who are responsible for product advertisements and for handling customer issues (Tanwar et al., 2019).
Database System
The database stores all the organizational data needed for analysis. The Tesla database is associated with information transformation, product presentation and order entries that support customers' preferences and customization of the company's products and services. Additionally, the information processed can be useful to management in decision making, and it is therefore a top priority for the company to protect its database information system (Scholz et al., 2020).
E-Commerce
These are the web-based platforms that the company uses to advertise, promote and sell its products and services. Given the prominence of the company website and the fact that it is one of the main platforms for local and international business, the website is a prime target and should be protected from hackers (Tanwar et al., 2019).
2.2 Measures to Threats and Vulnerabilities in the Company
The Tesla technology department (TTD) has various countermeasures to mitigate the threats and vulnerabilities to its cyber systems. TTD provides Tesla's computing clients with custom networks and data centres which are designed to protect the company's information systems. TTD also puts in place network and web application firewalls, encryption and private connectivity options to protect the critical information system infrastructure in the company (Scholz et al., 2020). Furthermore, Tesla protects its database through various encryption mechanisms such as EBS, SQL Server RDS, Glacier and Oracle RDS encryption (Tanwar et al., 2019). The Tesla web platforms use SSE (server-side encryption) to transmit sensitive information and to encrypt the messaging queues. Other methods that Tesla has imposed to prevent cyber threats and attacks are the use of hardware-based cryptographic keys in its storage facilities, compliance requirements, and controls on access to its database (Tanwar et al., 2019).
2.3 Threat Agents and Possible Attacks
There are numerous agents of cyber threats and attacks on the Tesla information systems infrastructure. Most of these agents and attacks have been aimed at Tesla because of its leading position in the market and the amount of data the company processes. These threats and attacks include password attacks, phishing and spear phishing, malware or virus attacks, SQL injection attacks, denial of service, eavesdropping, man-in-the-middle attacks, birthday attacks, cross-site scripting and distributed denial of service (DDoS) (Scholz et al., 2020).
1) Phishing refers to sending mails that contain harmful programs that siphon off the private information of the recipient; a spear phishing attack works the same way as a phishing attack, but this time the sender targets a particular group of people and conducts research on them first (Scholz et al., 2020).
2) Birthday attacks involve generating two random inputs that produce the same message digest under the hash algorithm used for digital signatures and messages. In SQL injection, attackers execute SQL queries through malicious input submitted to the client-facing servers.
3) Cross-site scripting happens when attackers place malicious scripts in unprotected websites to redirect clients to the hackers' sites (Farn, Lin & Fung, 2014).
4) In denial of service (DoS), malicious programs overwhelm a system so that it is unable to respond to resource requests, while distributed denial of service (DDoS) happens when a huge number of systems become impaired by the attack and refuse to respond to service requests (Farn et al., 2014).
5) In a man-in-the-middle attack, the infiltrator inserts themselves between the clients and the servers. Man-in-the-middle attacks include IP spoofing and session hijacking (Gerić & Hutinski, 2017).
6) Password attacks target the authentication process of a system. There are two types of password attack: dictionary attacks and brute-force password attacks. A dictionary attack occurs through social engineering and guessing, while a brute-force attack occurs through accessing the password database (Farn et al., 2014).
7) Eavesdropping occurs when an attacker intercepts network traffic, usually to obtain the credit card numbers or passwords that clients transmit over the network.
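The SQL injection item above describes how client input can be turned into a query. The following added example (not part of the original paper) contrasts a lookup that concatenates input into SQL with the parameterized form, using an in-memory SQLite table with constructed sample rows standing in for an e-commerce customer store; the schema and data are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample customer records (illustrative only, not a real schema).
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111-xxxx-xxxx-1111"),
    ("bob", "bob@example.com", "5500-xxxx-xxxx-0004"),
    ("carol", "carol@example.com", "3400-xxxx-xxxx-0009"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, card_hint TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation.

    The client-supplied value becomes part of the SQL text, so a value that
    contains SQL syntax changes what the query does instead of what it matches.
    """
    query = (
        "SELECT username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter.

    The database driver sends the SQL text and the value separately, so the
    input is only ever compared as a string and is never parsed as SQL.
    """
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare_lookups() -> dict:
    """Run both lookups on a normal username and on a constructed input
    containing a SQL tautology, and return the row sets for inspection."""
    conn = make_db()
    normal = "alice"
    # Constructed input containing SQL syntax; it is a single string value
    # to the parameterized query but alters the logic of the concatenated one.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in compare_lookups().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The concatenated query returns every customer for the tautology input, while the parameterized query returns nothing because no username literally equals that string.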
Threat | Assets | Impact | Risk
Phishing and spear phishing | Critical | high | high
Birthday attack | Critical | medium | low
Man-in-the-middle attack | Critical | medium | high
Malware attack | Critical | high | high
Denial of service / distributed denial of service | Critical | medium | high
Password attack | Critical | high |
Eavesdropping | Critical | low | low
Table 1: Summary of threats, impact and risk
2.4 Exploitable Vulnerabilities
Exploitable vulnerabilities refer to system weaknesses that an attacker can use to perform illegal activities within an information system.
1) Malware or viruses have been deemed one of the most exploitable vulnerabilities in any information system, and Tesla's systems are no exception (Scholz et al., 2020). Though Tesla, as a technology company, is deemed to have one of the most secure networks and information systems, new malware is developed every day, which means this is one exploitable vulnerability attackers may use to infiltrate the company's information systems infrastructure.
2) The company's employees are another exploitable vulnerability for the company. Employees are not only the primary architects of password attacks but also an exploitable vulnerability when approached with phishing and spear phishing attacks (Gerić & Hutinski, 2017).
3) IoT (Internet of Things) is another exploitable vulnerability in Tesla Company. Devices like smart printers, phones, refrigerators, coffee makers and manufacturing robots can be used to launch attacks on the company's information system (Dhillon & Torkzadeh, 2016).
4) Updates are another exploitable vulnerability. As much as these updates bring better program and system functionality, they also bring new security vulnerabilities that attackers may exploit (Scholz et al., 2020).
Vulnerability | Assets | Impact | Risk
Malware / viruses | Critical | high | high
Employees | Critical | high | high
Internet of Things (IoT) | Critical | medium | medium
Updates | Critical | high | high
Table 2: Summary of exploitable vulnerabilities, impact and risk
3. Mitigation Strategies
Developing and categorizing a security mitigation strategy is essential for companies that deal with any kind of threat to their business. Risk mitigation strategies are designed to control, reduce and eliminate known risks that threaten the business, with a specified undertaking to prevent injury. When implemented, these strategies will help prevent businesses that are vulnerable to cyber-attacks from being hacked. Tesla Company is a multinational company that has businesses in technological products such as cloud computing, artificial intelligence and e-commerce (Tran, Childerhouse & Deakins, 2016). The web-based services that the company operates make it vulnerable to cyber-based threats and attacks. This section looks at the risk mitigation strategies that the company can employ to reduce, eliminate and control the impact of cyber-based threats and attacks.
The first step of a risk mitigation strategy is to diagnose the business and find out the risks that the business faces. Tesla Company faces numerous attacks on its information systems infrastructure. These attacks include malware or virus attacks, password attacks, birthday attacks, phishing and spear phishing, and cross-site scripting (Stergiopoulos et al., 2015). All of these threats have a high impact if they happen, and the risk that Tesla faces from these kinds of attacks is high. Therefore, it is important for the company to come up with risk mitigation strategies to help prevent the attacks and keep the Tesla information systems infrastructure safe from cyber-attacks.
Risks can be accepted once the strategies that are designed reduce the risk to a very low level, or as low as reasonably practicable (Talluri, Yildiz & Yoon, 2013). The company needs to choose the mitigation strategy that best lowers both the probability of the risk and the severity of the outcome. For optimal results to be obtained, more than one mitigation strategy should be employed by the company.
The first mitigation strategy is risk avoidance, where the company works at avoiding situations that have a high probability of damage and financial loss. A company like Tesla has to employ this strategy to avoid risks such as cross-site scripting. This can be achieved by making sure employees avoid malicious sites that could direct malware to the company servers. Phishing attacks can also be prevented by avoiding opening mails from unknown sources, which may contain viruses. Although avoidance is a good risk mitigation strategy, it does not always work, as individuals will always be caught unawares by these kinds of attacks, and the company has to employ strict measures to ensure avoidable threats and attacks do not happen.
The second strategy is risk limitation, where the company limits the risk it is exposed to by regulating the perceived risk. As such, the company works to regulate the exposure of the company's software to threats and attacks. For a company like Tesla, limiting the amount of risk would not be easy, as it is a multinational company that deals with a huge client base, but it can put in place measures such as limiting the websites that employees can visit, for example social media and advertisement sites (Stergiopoulos et al., 2015). The company can block such sites and limit the risk of employees being drawn to other potentially dangerous websites. The company can also restrict the administrative privileges of some employees. Administrative privileges allow employees to access sensitive information or bypass critical security settings. Limiting administrative privileges to a few employees will minimize the risk of the company suffering threats or cyber-attacks.
Another risk mitigation strategy is multi-factor authentication. This is done by ensuring the system has several password-protected access layers. It is especially crucial for users who perform privileged actions or who have access to sensitive information. Tesla Company can employ this strategy to help prevent potential threats or adversaries from using legitimate credentials to facilitate further malicious activity. It would also make it easier to detect if a system is being hacked, since the additional layers of credentials mean the hackers take more time to bypass security, making it easier for the hack to be detected early.
Patching the operating systems of the company is also a good risk mitigation strategy. Patching devices that have a high risk of attack, or that carry extreme-risk vulnerabilities, within a set period of time would protect the company's software from unnecessary threats and attacks (Menoni et al., 2013). For Tesla Company, this strategy would be effective if they made sure the latest versions of the operating system are the ones used for the company's operations. Any unsupported versions of the operating systems should be avoided by all means necessary.
Application whitelisting is also a necessary risk mitigation strategy, especially for a company like Tesla, as it aims at preventing the execution of malicious programs and software. Whitelisting also identifies attempts to execute malicious code in the system and stops the activity before any damage is done. Whitelisting also prevents the unauthorized use of software and programs, which might otherwise increase the risk of attack. This risk mitigation strategy also prevents the installation of programs and applications that might expose the company's software to cyber-attacks.
The company can also decide to transfer the risk by outsourcing its services to other companies, purchasing insurance for damages and losses related to cyber-attacks, or forming a partnership with another company that employs the same services. A company like Tesla can outsource its services since it is a multinational company (Tran, Childerhouse & Deakins, 2016). This would ensure that it is exposed to limited risk and that the cost of enforcing risk mitigation strategies can be shared with the other company. The company can also get insurance against damages caused by cyber-attacks, which would ensure that the company is well compensated in case it falls victim to an attack or threat that costs a lot of money in damages.
Daily backups of important programs, software, applications and configuration settings would ensure the information is kept safe and can be accessed again in case of a ransomware attack that was not anticipated or prevented (Menoni et al., 2013).
4. Business Continuity Plan
Concepts and practices of designing and implementing a business continuity and Disaster Recovery Plan
The first concept is to ensure that servers are kept in diverse locations so that when one is damaged by a disaster the others continue functioning and providing services to the customers. Ensuring that there are backups for all software, programs and applications will ensure quick recovery from a disaster (Carter, 2018).
The next step is to ensure that there is a secondary source from which data can be accessed. The company can outsource some of its services to another company so that, in case of a disaster, provision of services can continue through the outsourced programs.
4.1. Testing a Disaster Recovery Plan
The first step is to create a checklist with which department heads and senior management assess the business continuity plan and the disaster recovery plan, identify improvements and update information.
The next step is to set up a simulation in which servers are tested on their restoration and recovery capabilities. Some of these simulations involve testing in real-life situations, such as loss recovery procedures and restoring backups. Employees should also be tested on staff safety, asset management, leadership response to a disaster and relocation protocols after a disaster.
Procedural drills and hands-on exercises can be supported by a run-through. This ensures that the key points of command and the delegation channels know what is expected of them when a disaster finally happens. These exercises involve data replication tasks, standby server switchovers, data validation and cloud backups.
4.2. Risk Management Plan
The risk management plan should include the budget for the entire plan. The plan needs a budget so that the company has an idea of how much it is going to cost to manage risk.
The plan should also have a time frame, as management needs to know how long things like training will take to complete. The plan also has to include every person's roles and responsibilities as far as disaster management is concerned. This ensures that employees know exactly what to do in case of a disaster (Chess, Fay & Thornton, 2017).
The plan also has to include the methodology and approaches, so that people know exactly which procedures to follow in case of a disaster. The probability of a disaster happening and the impact it would have on the company should also be included in the risk management plan. This makes management aware of the likelihood of a disaster and the damage it would cause the company.
Tracking should also be included in the plan, so that management can follow how things are progressing and whether they are on schedule. It also helps management know how the budgeted money is being spent during implementation of the plan.
4.3. Change Management Plan
The change management plan ensures that the risk strategy has enough resources to prevent a disaster from happening, as well as enough resources to cover the disaster recovery process.
Change management also determines whether the risk strategy that has been implemented will be effective or not. Poor change management can impact the business negatively, as people will have no idea what to do in case of a disaster.
Through change management, people can know how long it will take for the company to recover from a disaster and how long it will take for business to return to normal. The steps to take and the procedures to follow in case of a disaster, and how to prevent the disaster from happening, are determined by change management (Orlikowski & Hoffman, 2017).
Concepts that should be included in a security plan for the development of secure software
The concept and planning of the software should be included to ensure the software is viable. This is to ensure that the software is efficient and free from cyber threats and attacks. The team that programs the software should be well trained in software security to ensure the software is always secure and free from attacks. They can also include safety measures such as multiple password entries to make it difficult to hack.
The architecture and design of the software should enable it to be secure and free from cyber threats and attacks. This includes modeling the software structure and adding third-party components that speed up the development of the software.
The implementation of the software should include multiple rounds of debugging and testing to ensure it is safe and secure. This would also involve simulations of real-life cyber-attacks to improve its level of defense.
5. Security Awareness Program
According to Eminağaoğlu, Uçar & Eren (2019), a security awareness program is a formal program whose goal is to train users about the potential threats to the company's information system. This training is also supposed to help the company avoid situations that may put the company's data at risk. The goals of this program are to lower the impact of attacks on the company, to enforce the procedures and policies that the company has put in place to protect its data, and to teach employees the importance of taking personal responsibility for protecting the information of the organization. For a multinational company like Tesla, this is an important program because it is the role of the employees to ensure they do their duty in the fight to prevent cyber threats and attacks. This section focuses on the kinds of policies and procedures that will help Tesla Company improve security awareness so that it can reduce the risk of cyber threats and attacks.
All employees in the company should be given permission to spend time learning about security awareness. This helps employees recognize that this is a priority not only for them but for the organization as well (Eminağaoğlu, Uçar & Eren, 2019). C-suite support is an important part of the program: it ensures that time is allocated for employees to complete the training module, that a training budget is set, and that employees understand why cyber security is essential, with executives setting the tone of the training and stressing the importance of keeping the company safe from cyber-attacks. For a company like Tesla, this would ensure that all executives and the management team are aware of how cyber-attacks happen, understand the impact of things like information disclosure and password theft, and know how to detect a ransomware infection. Simulations of how attacks such as phishing happen would ensure employees are aware of exactly how the attack unfolds and how they are supposed to respond in such a scenario. The security awareness training that is created should be engaging as well as relevant to the subject topic.
The next element of the security awareness program is to personalize the campaign for each employee and make sure they can relate to the content being taught. Every employee is to be given specific roles and responsibilities that they are familiar with and that align with their jobs (Caldwell, 2016). This would ensure that all employees know exactly the role they have to play in the fight against cyber threats and attacks. Tesla Company is a multinational company with diverse employees from different countries. It would have to employ more personalized training, such as making the content available in several languages, so that people understand well why security awareness is important to the company. They are also supposed to know why they must be fully aware of their roles and responsibilities in the fight against cyber threats and attacks.
The business continuity plan should be able to establish a new data center at the same or a different site if the first site is destroyed by a disaster. This would ensure that operations are ongoing and that clients do not miss out on the services being provided. For a multinational company like Tesla, the ability to recover from a disaster should be a top priority (Cerullo & Cerullo, 2014). The company provides its services to millions of people across the world, and some even depend on those services to earn a living. Being able to recover from a disaster is important to ensure the business continues despite the setback.
The company should also ensure it keeps things running even during a disaster. Services should continue running even during planned outages such as maintenance and backups. For a company like Tesla, scheduled maintenance and system backups happen frequently so as to keep the software and programs up to date. The company has to ensure that during this time operations do not stop and that services continue to be provided (Savage, 2012). This can be achieved by ensuring that there is more than one server, which enables the company to keep providing services despite the disruptions.
The company is also supposed to ensure that it has the capability to access software and applications despite disruptions. Tesla Company can achieve this by outsourcing some of its services so that the programs can be accessed remotely. The availability of these applications will ensure the customer is able to access the company's services despite the disruptions.
6. Conclusion
With the increasing number of cybercrime incidents that have been reported, it is important that organizations be vigilant in their efforts to mitigate potential cyber threats and attacks. Employing these risk mitigation strategies would help protect companies from potential cyber threats and attacks. These strategies can be implemented at an early stage so that the company can prevent attacks early, and they would also make employees aware of the potential threats from an early stage. For Tesla Company, these strategies would help in the prevention of the many potential attacks that it faces daily.
The security awareness program is especially important to companies like Tesla. Each employee is supposed to be aware of their roles and responsibilities in fighting against cyber threats and attacks. Training must be attended by every employee to completion, and their capabilities tested in a simulated attack, so that they are familiar with the types of attack to expect. The business is also supposed to have continuity strategies in place, like outsourcing or having secondary servers, to ensure that the company's business continues.
7. References
Dhillon, G., & Torkzadeh, G. (2016). Value-focused assessment of information system security in organizations. Information Systems Journal, 16(3), 293-314.
Farn, K. J., Lin, S. K., & Fung, A. R. W. (2014). A study on information security management system evaluation—assets, threat and vulnerability. Computer Standards & Interfaces, 26(6), 501-513.
Gerić, S., & Hutinski, Ž. (2017). Information system security threats classifications. Journal of Information and Organizational Sciences, 31(1), 51-61.
Im, G. P., & Baskerville, R. L. (2015). A longitudinal study of information system threat categories: the enduring problem of human error. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 36(4), 68-79.
Scholz, R. W., Czichos, R., Parycek, P., & Lampoltshammer, T. J. (2020). Organizational vulnerability of digital threats: A first validation of an assessment method. European Journal of Operational Research, 282(2), 627-643.
Tanwar, S., Thakkar, K., Thakor, R., & Singh, P. K. (2018). M-Tesla-based security assessment in wireless sensor network. Procedia Computer Science, 132, 1154-1162.
Menoni, S., Molinari, D., Parker, D., Ballio, F., & Tapsell, S. (2012). Assessing multifaceted vulnerability and resilience in order to design risk-mitigation strategies. Natural Hazards, 64(3), 2057-2082.
Stergiopoulos, G., Kotzanikolaou, P., Theocharidou, M., & Gritzalis, D. (2015). Risk mitigation strategies for critical infrastructures based on graph centrality analysis. International Journal of Critical Infrastructure Protection, 10, 34-44.
Talluri, S., Yildiz, H., & Yoon, J. (2013). Assessing the efficiency of risk mitigation strategies in supply chains. Journal of Business Logistics, 34(4), 253-269.
Tran, T. T. H., Childerhouse, P., & Deakins, E. (2016). Supply chain information sharing: challenges and risk mitigation strategies. Journal of Manufacturing Technology Management
Carter, W. N. (2018). Disaster management: A disaster manager’s handbook.
Chess, B., Fay, S., & Thornton, R. (2017). U.S. Patent No. 7,207,065. Washington, DC: U.S. Patent and Trademark Office.
Orlikowski, W., & Hoffman, D. (2017). An improvisational model for change management: The case of groupware technologies. Inventing the Organizations of the 21st Century, 265, 16-27.
Caldwell, T. (2016). Making security awareness training work. Computer Fraud & Security, 2016(6), 8-14.
Cerullo, V., & Cerullo, M. J. (2014). Business continuity planning: a comprehensive approach. Information Systems Management, 21(3), 70-78.
Eminağaoğlu, M., Uçar, E., & Eren, Ş. (2019). The positive outcomes of information security awareness training in companies: A case study. Information Security Technical Report, 14(4), 223-229.
Savage, M. (2012). Business continuity planning. Work Study.