System Security Threats and Risks)

INFORMATION ASSURANCE METRICS

System Security
Threats
And
Risks
Cleveland China
Brian Palmer
Ervin Kelly
April 20, 2010
IFSM 485
Seth J. Hudak

Page 1 of 36
4/20/2010

China/Kelly/Palmer

Table of Contents

1. Introduction
1.1 System Security Threats and Risk Scope and objective
This document is a guide for the detailed development, selection implementation of
information system and program level procedures to indicate the execution, effectiveness, and
impact of security controls along with and other security associated activities. Mell, Kent, &
Nusbaum (2005) acknowledged certain guiding principles on how an organization, through the
use of procedures, identifies the capability of security controls, policies, and procedures currently
existing in an organization. It provides tools to help management choose where to devote
additional information security resources, recognize and assess nonproductive security controls,
and prioritize security controls for constant monitoring. This publication is proposed to assist
organizations in understanding the threats posed by malware and alleviate the risks related to
malware incidents. This manuscript will provides additionally background information on the
major categories of malware, practical real world assistance on preventing malware incidents and
responding to malware incidents in an effective, efficient manner (Mell, Kent, & Nusbaum,
2005).

Page 2 of 36
4/20/2010

China/Kelly/Palmer


2. Definition of Information Assurance
Protecting data and the platforms that accommodate it is becoming one of the most
important technical jobs in many major corporations. Information assurance (IA) is the technical
discipline of data protection. Keeping information and its warehousing safe are a part of general
information security, which includes forecasting future dangers and preparing offensively for any
possible risks that are detected. The most important factor of information assurance is keeping
privileged and proprietary information out of the hands of the public. The second priority of
information assurance is keeping information platforms safe from intrusions that could
potentially dismantle warehousing, endangering or causing the loss of vital information.
Information assurance involves protection against anyone attempting to harm the
information itself as well as information storage systems, viruses, and other coded programs
created by hackers to wipe out data and the storage facilities for data. Securing information must
be in accordance with government standards and also “smart” and progressive enough to keep up
with the changing demands coupled with handling the frequently growing viruses and malware
that destroy data that is not appropriately protected. Information assurance also involves the
reconstituting of data and its housing after it has been compromised. This means refurbishing, rehousing, and re-securing data as well as reestablishing the list of those with authorized access
and assigning new login names and pass codes for all authorized parties (Encyclopedia of
Management, 2009).

2.1.1 System Assurance

Page 3 of 36
4/20/2010

China/Kelly/Palmer

As stated by Liles & Kamali (2006), “Systems assurance is the practice of hardening
operating systems from identified threats, analyzing and auditing hardware and devices for
identified threats, and remediating the devices and computing platforms within the enterprise
(Maconachy, 2001). For instance, proper configuration and defensive strategies employed for
protecting a network and specifically a router would be considered systems assurance.” (Liles &
Kamali, 2006, p. 3). System assurance includes making sure each user’s accounts are active and
appropriately used with permissions inside of the enterprise.

Table 1 Systems Assurance Courses
Systems Assurance Courses
Fundamentals of Information Assurance:
This course covers security mechanisms, fundamental aspects, operational issues,
policy, attacks, security domains, forensics, information states, security services,
threat analysis, vulnerabilities, and other topics.
Systems Assurance:
This course covers the implementation of systems assurance with computing
systems. Topics include confidentiality, integrity, authentication, non-repudiation,
intrusion detection, physical security, and encryption. Extensive laboratory exercises
are assigned.
Assured Systems Design and Implementation:
This course covers the design and implementation of assured systems in an enterprise
environment. Topics include hardening of operating systems, choice of platforms,
design criteria within the assured systems domain. Extensive laboratory exercises are
assigned.
Computer Forensics:
This course covers the techniques used in the forensic analysis of computerized
systems for gathering evidence to detail how a system has been exploited or used.
Extensive laboratory exercises are assigned.
(Liles & Kamali, 2006, p. 385)
2.1.2 Software Assurance

Page 4 of 36
4/20/2010

China/Kelly/Palmer

After further observation, Liles & Kamali (2006) identified that software assurance is an
assortment of secondary disciplines combined into practice. “Software assurance is the practice
of requirements gathering, secure coding, testing, auditing, and implementation of software in
the enterprise protecting against known vulnerabilities. Software assurance involves the
preparation of source codes such that recognized vulnerabilities are excluded from the product.
Additionally software assurance concerns preparing strong source codes so that unidentified
vulnerabilities generate protected failure conditions (Software, 1992). Preparation includes
auditing commercial off the shelf software (COTS), or free open source software (F/OSS) being
implemented within the enterprise, or third party prepared and/or contracted source codes.
Software assurance includes normally related computer science topics such as Software
Engineering (SE), Software Quality Assurance (SQA), Highly Assured Computing (HAC),
Capability Maturity Model (CMM), and other development lifecycle issues. Software assurance
elements include field crossing topics such as end of life cycle, maintenance, retirement,
reusability, and inheritance variation strategies. Software assurance definitively includes practice
oriented computing concepts including secure coding, threat modeling, vulnerability analysis,
execution, auditing, and defensive incorporation of software within the enterprise” (Liles &
Kamali, 2006, p. 3).
Table 2 Software Assurance Courses
Software Assurance Courses
Programming Fundamentals:
This course covers fundamental data structures, fundamental programming constructs,
objectoriented programming, algorithms and problem-solving, event-driven programming,
recursion, and other topics.
Advanced Programming:
This course covers advanced topics in programming languages, GUI development, threaded
applications, components, testing and debugging methods and advanced topics in event-driven
and object oriented programming techniques. Extensive laboratory exercises are assigned.

Page 5 of 36
4/20/2010

China/Kelly/Palmer

Software Assurance:
This course covers defensive programming techniques, bounds analysis, error handling,
advanced testing techniques, detailed code auditing, and software specification in a trusted
assured environment. Extensive laboratory exercises are assigned.
2.1.3 Operations Assurance
Operations assurance advocates the components of physical security and operational
characteristics found in an organized information technology organization (Software,1999). The
scope of operational assurance involves concepts of physical security, data center design, and
legal and procedural reporting. Items of extreme concern to the enterprise would be found here,
which includes disaster recovery and planning. Business continuity and risk analysis are threads
of knowledge that run through the area of operations assurance.
Within operations assurance one would find for example the implications of the Health
Insurance Portability and accountability Act (HIPPA), Digital Millennium Copyright Act
(DMCA), or the concepts of physical security. Ironically, items frequently ignored as part of
information assurance would be the concept of backup and recovery testing procedures,
insurance, and other litigation aspects of operations. Defining, categorizing, and applying
financial loss expectation documents to management of an enterprise are a valuable skill in
operations assurance (Liles & Kamali, 2006).
Table 3 Operations Assurance Courses
Operations Assurance Courses
Ethical and Legal Issues of IT:
This course covers professional communications, social context of computing, teamwork
concepts and issues, intellectual properties, legal issues in computing, organization context,
professional and ethical issues, responsibilities, privacy and civil liberties, and other topics.
Disaster recovery and planning:
This course covers risk management and business continuity. Topics include disaster
recovery strategies, mitigation strategies, risk analysis, and development of contingency plans
for unexpected outages and component failures. Extensive laboratory exercises are assigned.

Page 6 of 36
4/20/2010

China/Kelly/Palmer

Information Assurance Risk Assessment:
This course covers industry and government requirements and guidelines for information
assurance and auditing of computing systems. Topics include risk assessment and
implementation of standardized requirements and guidelines.
2.2 FIVE PILLARS OF INFORMATION ASSURANCE
According to the Central Security Service, successful information assurance can be
broken down into five pillars; the five pillars are availability, integrity, authentication,
confidentiality, and nonrepudiation. The five pillars formulate specific information assurance
policy that ensures the maximum level of success for commercial entities that relate it to their
day to day business operations.
“The five pillars are used by the United States government for their information
assurance; the five pillars receive different amounts of use depending on the type of threat in
play. The same is true for any company that uses the five pillars for the protection of
information. Additionally, each company has different needs for security; each company’s needs
are based on industry, size, reputation, Internet presence, and other factors. Those most widely
used of the five pillars involve the education of personnel, the use of encryption, the
implementation of the most up-to-date information technologies, and the use of some form of
alarm system with the ability to warn personnel of an intrusion” (Encyclopedia of Management,
2009, p. 383-385).
2.3 ROLES AND RESPONSIBILITIES
Roles and responsibilities for developing and implementing information security
measures must be adhered to for organizational success. Information security is one of the

Page 7 of 36
4/20/2010

China/Kelly/Palmer

primary duties of every affiliate belonging to the organization, it is important that all members be
aware of their roles and responsibilities across the entire operation (Chew et al., 2008).
2.3.1 Agency Head
The Agency Head has various responsibilities related to information security measures.
The Agency Head ensures that information security measures are used in support of agency’s
strategic and operation planning process to secure the organization’s mission. Additionally, the
Agency Head is responsible for making sure information security measures are incorporated into
annual reports on the effectiveness of agency information security program by the Chief
Information Officer (CIO). The Agency Head supports information security measure
development and implementation, and communicates official support to the agency. They also
ensure that information security measurement activities have adequate financial and human
resources for success; actively promote information security measurement as an essential
facilitator of information security performance improvement throughout the agency; and approve
policies to officially institute measures collection (Chew et al., 2008).
2.3.2 Chief Information Officer
The Chief Information Officer (CIO) is responsible for using information security
measures to assist in monitoring compliance with applicable information security requirements.
The CIO uses information security measures in annual reports on effectiveness of the agency
information security program to the agency head. The CIO is committed to the responsibilities of
assessing information security procedures that support policies routinely. Some other areas of
concern for the CIO will be:
1

Properly marketing the value for using information security measures to monitor the
overall health of the information security program and to conform to related regulations

Page 8 of 36
4/20/2010

China/Kelly/Palmer

2

Making certain that information security programs are established and put into practice

3

Assign sufficient monetary and human resources to the information security measurement
program

4

Review resource allocation, and evaluate the information security program position and
operational risks to agency information systems

5

Give information security training to staff alone with other duties

(Chew et al., 2008).

2.3.3 Program Manager/Information System Owner
As stated by Chew et al. (2008) “Program managers, as well as information system
owners, are responsible for ensuring that proper security controls are in place to address the
confidentiality, integrity, and availability of information and information systems. The program
manager/information system owner has the following responsibilities related to information
security measurement:
1

Participating in information security measurement program development and
implementation by providing feedback on the feasibility of data collection and
identifying data sources and repositories;

2

Educating staff on the development, collection, analysis, and reporting of information
security measures and how it will affect information security policy, requirements,
resource allocation, and budget decisions;
Page 9 of 36

4/20/2010

China/Kelly/Palmer

3

Ensuring that measurement data is collected consistently and accurately and is provided
to designated staff who are analyzing and reporting the data;

4

Directing full participation and cooperation of staff, when required;

5

Reviewing information security measures data regularly and using it for policy, resource
allocation, and budget decisions; and

6

Supporting implementation of corrective actions, identified through measuring
information security performance” (Chew et al., 2008, p. 8).

2.3.4 Information System Security Officer
Acknowledging the significant duties, Chew et al. (2008) recognized “The Information
System Security Officer (ISSO) has the following responsibilities related to information security
measurement:
1

Participating in information security measurement program development and
implementation by providing feedback on feasibility of data collection and identifying
data sources and repositories;

2

Collecting data or providing measurement data to designated staff that are collecting,
analyzing, and reporting the data” (Chew et al., 2008, p. 8).

2.3.5 Other Related Roles
Information security measurement may require inputs from a variety of organizational
personnel components or stakeholders, including incident response, information technology
Page 10 of 36
4/20/2010

China/Kelly/Palmer

operations, privacy, enterprise architecture, human resources, physical security, and others
3. Identify Malware Categories
Many organizations face threats everyday with or without warnings from the security
controls set in place. The task of preventing potential attacks is getting difficult as attackers
continue to find ways to bypass an organization’s security. There are different types of malware
that an organization could face when protecting its information assets. However, this section of
the document will focus on worms, rootkits, botnets, and denial of service/distributed denial of
service (DoS/DDoS).

3.1.1

Worms

“Worms are self-replicating programs that are completely self-contained, allowing it not
to require a host program to infect an information system. Unlike viruses, worms also are selfpropagating, thus creating fully functional copies and executing themselves without user
intervention. This has made worms increasingly popular with attackers, because a worm has the
potential to infect many more systems in a short period of time than a virus can. Worms take
advantage of known vulnerabilities and configuration weaknesses, such as unsecured Windows
shares. Although some worms are intended mainly to waste system and network resources, many
worms damage systems by installing backdoors, perform distributed denial of service (DDoS)
attacks against other hosts, or perform other malicious acts. The two primary categories of
worms are network service worms and mass mailing worms” (Mell, Kent, & Nusbaum, 2005, p.
17-18).
Page 11 of 36
4/20/2010

China/Kelly/Palmer

“Network service worms spread by exploiting vulnerability in a network service
associated with an operating system (OS) or an application. Once a worm infects a system, it
typically uses that system to scan for other systems running the targeted service and then
attempts to infect those systems as well. Because they act completely without human
intervention, network service worms can typically propagate more quickly than other forms of
malware. The rapid spread of worms and the intensive scanning they often perform to identify
new targets often overwhelm networks and security systems (e.g., network intrusion detection
sensors), as well as infected systems” (Mell, Kent, & Nusbaum, 2005, p. 18).
“Mass mailing worms are similar to e-mail-borne viruses, however mass mailing worms
are self-contained instead of infecting an existing file as e-mail-borne viruses do. Once a mass
mailing worm has infected a system, it typically searches the system for e-mail addresses and
then sends copies of itself to those addresses, using either the system’s e-mail client or a selfcontained mailer built into the worm itself. A mass mailing worm typically sends a single copy
of itself to multiple recipients at once. Besides overwhelming e-mail servers and networks with
massive volumes of e-mails, mass mailing worms often cause serious performance issues for
infected systems” (Mell, Kent, & Nusbaum, 2005, p. 18).
3.1.2 Rootkits
According to the United States Computer Emergency Readiness Team (US-CERT), a
rootkit “is a piece of software that can be installed and hidden on your computer without your
knowledge. Attackers may be able to access information, monitor your actions, modify
programs, or perform other functions on your computer without being detected” (McDowell,
2008, p. 1). If a rootkit has been installed, an organization may not be aware that their
information system(s) has been compromised, and traditional anti-virus software may not be able
Page 12 of 36
4/20/2010

China/Kelly/Palmer

to detect the malicious programs. Attackers are also creating more sophisticated programs that
update themselves so that they are even harder to detect (McDowell, 2008).
3.1.3 Botnets
Botnets are computers that are able to be controlled by one, or many, outside sources.
“An attacker usually gains control by infecting the computers with a virus or other malicious
code that gives the attacker access”(McDowell, 2008, p. 1). An organization’s information
systems may be part of a botnet even though it appears to be operating normally. Botnets are
often used to conduct a range of activities, from distributing spam and viruses to conducting
denial-of-service attacks (McDowell, 2008).
3.1.4 DoS/DDoS
A distributed denial-of-service attack (DDos) occurs when an attacker uses many
computers to flood a network and/or attack another computer. He or she could then force your
computer to send huge amounts of data to a website or send spam to particular email addresses.
The attack is "distributed" because the attacker is using multiple computers to launch the denialof-service attack. However, the following symptoms could indicate a DDoS attack:
1

unusually slow network performance (opening files or accessing websites)

2

unavailability of a particular website

3

inability to access any website

4

dramatic increase in the amount of spam you receive in your account

(McDowell, 2009).

Page 13 of 36
4/20/2010

China/Kelly/Palmer

When a DDoS attack is launced against an organization, business operations can cease
from a few hours to a few days depending on how bad the attack is. The DDos can flood the
network causing all network services to become unavailable. For example, organizations whom
are in the e-commerce market can lose consumers because their website is not available. As a
result, the organization loses out on revenue generated by everyday consumers. The risk of bad
publicity can also occur if the organization does not resolve the issue quickly.
3.2 Potential Impacts from Vulnerabilities
Organizations tend to focus more on outside threats than inside threats. In reality, the
insider threat should be equally taken into consideration as well because there may be a risk of
malicious employees attempting to perform suspicious activities on the network. There has been
a realization that “the insider and outsider threats are merging as outsiders are more and more
easily penetrating the security perimeters and becoming “insiders” (Gilligan, 2009, p. 5).
Specific controls such as network segmentation, control of administrative rights, enforcement of
need to know, data leakage protection, and effective incident response all directly address the
key ways that insider threats can be mitigated. The controls implemented to limit unauthorized
access within the organization work effectively to mitigate both insider and outsider threats.
It is important to note that these controls are meant to deal with multiple types of attacks,
including but not limited to malicious internal employees and contractors, independent individual
external actors, organized crime groups, terrorists, and nation state actors, as well a combination
of these different threats (Gilligan, 2009). As Gilligan (2009) states, “these controls are not
limited to blocking only the initial compromise of systems, but also address detecting already‐
compromised machines, and preventing or disrupting attacker’s actions” (Gilligan, 2009, p. 6).
The defenses identified through these controls deal with decreasing the initial attack surface
Page 14 of 36
4/20/2010

China/Kelly/Palmer

through improving architectures and hardening security, identifying already‐compromised
machines to address long‐term threats inside an organization’s network, controlling users’
privileges on systems, and disrupting attackers’ command‐and‐control of implanted malicious
code (Gilligan, 2009). The Figure below illustrates the scope of different kinds of attacker
activities that these controls are designed to help thwart.

(Gilligan, 2009, p. 6)
The rings represent the actions attackers may take against target information systems.
These actions include initially compromising an information system by exploiting one or more
vulnerabilities (i.e., “Getting In”). Attackers can then maintain long‐term access on a system,
often by creating accounts, subverting existing accounts, or altering the software on the computer
to include backdoors and rootkits (i.e., “Staying In”). Attackers with access to information
systems can also cause damage, which could include stealing, altering, or destroying
information; impairing the system’s functionality to jeopardize its business effectiveness or
mission; or using it as a jump‐off point for compromise of other systems in the environment (i.e.
Page 15 of 36
4/20/2010

China/Kelly/Palmer

“Acting”). Where these rings overlap, illustrates attackers having more ability to compromise
sensitive information or cause damage. Outside of each set of rings in the figure, various
defensive strategies are presented to help limit the abilities of attackers (Gilligan, 2009).

3.3 Threats associated with Information Security
This section of the paper identifies the goals and major threats that are associated with
information security. Jesan (2006) acknowledged that, “information is one of the very important
assets in almost all organizations” (Jesan, 2006, p. 1). Information security is just as valuable
and noteworthy as is information. The main goals of Information Security are to protect the
confidentiality, integrity and availability of the information that its processes and handles within
a network system. Once the networks infrastructure is connected to the internet, the information
that is acquitted and processed, it becomes a potential target for cyber attacks (Jesan, 2006).
Organizations and business have spent billions of dollar as a preventive measure to save the lost
of value and sensitive information. Security threats and breaches remain high as a potential
danger to a network infrastructure. Consequently, businesses and organizations make uses of
various techniques and methods to prevent the saboteur or tampering against their networking
system. Some organizations utilize a self-hacking-audit tool to eliminate any possible threats
that may be of harm to their networking system. The following threats have been identified to
eliminate any possible compromise or accidental lost of information that is considered dangerous
to any networking system, they are:
3.3.1 Hacking
Hacking is considered be nothing more than a people gaining access to a computer
system without the knowledge of its owner. Once an individual gain access to a target computer
Page 16 of 36
4/20/2010

China/Kelly/Palmer

system, sensitive and private information can be compromise and used to destroy or damage an
individual identity. Hackers target eCommerence, banks and others websites that contains
valuable information on an individual. Although, some hackers utilize their talent for fun, others
focus on finding ways to penetrate a network by exposing their vulnerability and weakness
within the infrastructure. Hackers used a variety of malicious code and viruses to find loop holes
and unsecured terminals to achieve their objective (Jesan, 2006).
3.3.2 Viruses and Worms
Viruses and Worms are computer programs which are released inside a computer with
the sole intend to destroy or damage the equipment. Although both program are used for the
same propose, their function are totally different. Both programs have the ability to replicate
itself, but when they are activated on a computer network, the virus need a carrier to travel on the
network to work correctly, whereas the worm has the ability to travel throughout the network
without any assistance. As per Trendmicro, a total of 400 new viruses are created each month
and over 60,000 viruses have been identified which spread very quickly to destroy an
organization computer infrastructural (Jesan, 2006).
3.3.3 Trojan Horse
Trojan Horse is a very dangerous program if manage by the wrong person. This
program is a function that is used by system administrators’ to control work-station remotely.
There are two components to the system administrator’s job: One program runs the clients
function and the other runs as a server. This is one unique tool in which a hacker used to gain
control of a network system. If a hacker gain control of this type of activity, they have the ability
to monitor all transmitting data that are transmitted over a corporation network (Jesan, 2006).
3.3.4 Spoofing

Page 17 of 36
4/20/2010

China/Kelly/Palmer

Spoofing is the ability to deceive other computer users about the sources information being
provided is actually coming form a legitimate user. Spoofing has been divided into three type
spoofing technique used to prevent this type of action from happen. The following three
spoofing type is:
1. IP Spoofing is the ability to changes the source-address of an IP packet, so that it
identifies the sources address as a legitimate address, and not an address of a hacker.
The function of an IP spoofing is to authenticate the original message to prevent a
disruption within the network (Jesan, 2006).

2. DNS Spoofing utilizes a different technique of directing users to a different website
for the purpose of collecting personal information. DNS spoofing control the main
domain, where names and IP addresses are created. This process is very dangerous,
because it gives a hacker access to the entire domain database, which creates a living
nightmare for customers that has sensitive information stored (Jesan, 2006).

3. ARP(Address Resolution Protocol) Spoofing maintain the table of MAC address of the
entire computer install on an organization network. All information that comes to the
ARP is directly delivered to the computer based on the mapping available on the
ARP’s table. This process updates all information that is transmitted to the ARP’s
table, whereby hackers can update and steal IP address (Jesan, 2006).
3.3.5 Sniffing
Sniffing is the procedure used to confirm that all packets of a message pass safely
through the network. This technique was first used to fix network problems. Hackers
Page 18 of 36
4/20/2010

China/Kelly/Palmer

utilize this method to scan login IDs and passwords transmitted over the wire. Any data
obtained during this process become valuable to the hacker during their attacks on the
network system. To avoid sniffing attack, it is suggested that all the data transmitted over
the network be encrypted for safety reason (Jesan, 2006).
3.4 Information Security Challenges
The securities surrounding protecting sensitive information within an organization are careful
measure as a big challenge for a security officer. Chew et al. (2008) identified certain security
measures that are very beneficial to an organization. Chew recognized that gathering
information successfully depends on the construction of the security plan within the unit. An
existence program maturity when the organization follows all policies and procedures that have
been implemented in the organization. As policies become more detailed, it is imperative that
the policies become more standardized and implemented at all level of the organization.
The challenges that information security faces depends on the goals and objectives that are set
forth by upper-management within the organization. Each goal and objective must be fully
understood and enforced at all level to be effective. Standard policies and procedures must be
well documented, posted and addressed throughout the entire agency. During the
implementation phase of the informational security awareness program, each challenge must be
fully addressed with a resolvable solution before moving to the next phase. To overcome any
challenges of an information security goal, management must establish an effective tracking
system mechanism to document and quantify various aspects of the information security
performance. In order for this program to be effective, each phase of the program must show
mature progress and the measurement of each phase must be evaluated as an improved

Page 19 of 36
4/20/2010

China/Kelly/Palmer

performance. The following illustration shows a progression of an information security program

(Chew, et al., 2008, p. 12)
3.5 Risk Managing
As security controls are implemented for an information system, concern risk and
vulnerability becomes a major factor involving management at all level. Ross et al., (2007)
recommended the significant elements used to manage an organization’s information security
program are to provide the organization with an effective framework for selecting the
appropriate security controls for an information system. Network enterprise are encourage to
follow security controls such as Executive Orders, policies, regulations, directives, standards and
applicable laws must be adhered to and strictly enforced. To be effective, one can apply the

Page 20 of 36
4/20/2010

China/Kelly/Palmer

context of the system development life cycle and the Federal Enterprise Architecture to both
legacy and new information system. Listed below is a listed of the components and related
activities that are associated in managing any potential risk within an organization, also known
as the NIST Risk Management Framework (Ross et al., 2007).

1

“Categorize – the information systems and the information resident within that system
based on FIPS 199 impact analysis.

2

Select – an initial set of security controls for the information system based on the FIPS
199 security categorization and the minimum security requirements defined in FIPS 200.

3

Supplement – the initial set of tailored security controls based on an assessment of risk
and local conditions including organization-specific security requirement, specific threat
information, cost-benefit analyses, or special circumstances.

4

Document – the agreed-upon set of security controls in the system security plan including
the organization’s rationale for any refinements or adjustments to the initial set of
controls.

5

Implement – the security controls in the information system. For legacy systems, some
or all of the security controls selected may already be in place.

6

Assess – the security controls using appropriate methods and procedures to determine the
extent to which the controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting the security requirements for the
system.

Page 21 of 36
4/20/2010

China/Kelly/Palmer

7

Authorize – information system operation based upon a determination of the risk to
organizational operations, organizational assets, or to individuals resulting from the
operation of the information system and the decision that this risk is acceptable.

8

Monitor and assess selected security controls in the information system on a continuous
basis including documenting changes to the system, conducting security impact analyses
of the associated changes, and reporting the security status of the system to appropriate
organizational officials on a regular basis” (Ross et al., 2007, p. 24-23).

3.6 Security Metrics
The groundwork of powerful senior level executive support is necessary for the success
of the security program and others such as for the performance of a security metrics program.
The support launches a focal point on security inside the highest levels of the organization.
Without a steady platform the success of the security metrics program can collapse when
difficulties created by politics and budget limitations.
3.6.1 Definition
Based on thoughts of George Jelen, SMART is an acronym that represents specific,
measurable, attainable, repeatable, and time-dependent. George Jelen is an associate of the
International Systems Security Engineering Association (ISSEA). SMART can be used to define
an excellent metrics. Valuable metrics specify to the extent in which security goals, such as data
confidentiality, are being achieved, and they reinforce procedures taken to better an
organization’s overall security plan. Making a distinction between metrics meaningful mainly to
individuals with direct duty for security management separately from those that converse directly

Page 22 of 36
4/20/2010

China/Kelly/Palmer

to senior management interests and matters is important to maturity of an effective security
metrics program (Payne, 2006).

3.6.2 Build
To make possible comprehension and acceptance at every stages of a new security
metrics plan, it is sensible to position the plan in course of action enhancement frameworks that
are already known to the organization. For instance, the Dupont Corporation program foundation
is based on “Six Sigma Breakthrough Strategy”, an advertised management method that shed
spotlight on defect elimination. There are numerous other corporations that attach their metrics
program to corporate security standards compliance. No matter what the core framework is;
seven essential approaches for establishing a security metrics plan can be used as a guide.

1. Define the metrics program goal(s) and objectives
2. Decide which metrics to generate
3. Develop strategies for generating the metrics
4. Establish benchmarks and targets
5. Determine how the metrics will be reported
6. Create an action plan and act on it, and
7. Establish a formal program review/refinement cycle
(Payne, 2006)

Page 23 of 36
4/20/2010

China/Kelly/Palmer

3.6.3 Value
An extensively accepted management belief is that an action cannot be controlled if it
cannot be measured. Security settles under this rubric. Metrics can be a valuable utensil for
security executives to distinguish the success of different mechanisms of their security programs,
the security of a precise system, product or process, and the skill of staff or departments inside an
organization to tackle security concerns for which they are accountable. Metrics could also assist
with discovering the level of risk in not taking a given action, and in that way give supervision in
putting into place corrective procedures. Also, metrics might be used to elevate the level of
security responsiveness inside the organization. Lastly, security administrators can better respond
to difficult questions from their senior managers and others like; are we better protected today
than we were previous, how do we measure up to others in this regard, or are we safe enough, all
due to understanding achieved through metrics (Payne, 2006).

3.6.4 7-Step Methodology
Step 1: Define the metrics program goal(s) and objectives
Since creating and sustaining a security metrics plan could require substantial effort and
reroute assets away from other safety measures actions, therefore distinct and decided target(s)
with intentions of the program is important to be settled upon up front. A lone objective that
evidently states the end toward which all measurement and metrics assembling efforts should be
intended for is a good approach, even though there is no solid and quick rule about this. For
instance, a target avowal might be:

“Afford metrics that plainly and purely express how professionally and successfully

Page 24 of 36
4/20/2010

China/Kelly/Palmer

our company is harmonizing security risks and protective measures, so that
investments in our security program can be properly sized and targeted to meet
our overall security goals” (Payne, 2006, p. 3-4).

Step 2: Decide which metrics to generate
To give an idea of this step, a “Six Sigma” approach would focus on security processes
for which defects could be detected and managed, and Step 2 duty of crafting a metrics plan
would be to point out those specific safety procedures. A conformity-based advance would
evaluate how closely recognized security values are being adhered to.
Either a top-down or a bottom-up approach for deciding which metrics might be wanted
would provide support if any preexisting framework was missing. The top-down tactic begins
with the goals of the security program, and followed by backward duty identifying detailed
metrics that would assist to determine if those goals are being achieved, and to finish
measurements needed to produce those metrics.

(Payne, 2006, p. 4)
The bottom-up approach initially captures describing which security processes, products,
services, and so on are in place that can be or already are measured, then bearing in mind which
Page 25 of 36
4/20/2010

China/Kelly/Palmer

significant metrics could be resulting from those measurements. It concludes reviewing how
sound those metrics link to the overall security program goals (Payne, 2006).

(Payne, 2006, p. 5)
Step 3: Develop Strategies for Generating the Metrics
Strategies for gathering required information and deriving the metrics must be crafted
after what is to be measured is well comprehended. These strategies must identify several goals
which are: the source of the information, the rate of recurrence of information collection, and the
person accountable for raw information correctness, information collection into measurements,
and creation of the metric (Payne, 2006).

Step 4: Establish benchmarks and targets
During this stage suitable targets would be acknowledged and enhancement targets
positioned. This course of action offers new thoughts for supervising an activity, but also can
provide relative information required to create metrics more significant. Benchmarks assist with
instituting attainable targets for enforcing enhancements in existing practices. Benchmarking is
ultimately the practice of contrasting one’s personal duty and obligations against teammates
inside the business or noted “best practice” organizations outside the business. A security

Page 26 of 36
4/20/2010

China/Kelly/Palmer

administrator must seek advice from industry-specific information resources for probable
benchmarks and best practices (Payne, 2006).
Step 5: Determine how the metrics will be reported
Security metrics efforts have to be successfully communicated in order to get positive
results. Only distribute metrics to personnel it pertains to such as the security manager and staff.
Other metrics may be utilized for corrective measures within an organization. The context,
format, frequency, distribution method, and responsibility for reporting metrics must be clear up
front, so the end product can be pictured by those involved in establishing the metrics and the
individuals using the metrics for decision-making (Payne, 2006).

Step 6: Create an action plan and act on it
The action plan must enclose all tasks to be accomplished to begin the security metrics
program, to include projected end dates and assignments. Action items should be derived from
the objectives. So all involved understands and stay focused on the importance of an action plan
you must document the connection of actions to the objectives. The plan must have a testing
process. Deficiencies may show some metrics to be impractical and need reconsideration of
what is to be measured and how (Payne, 2006).
Step 7: Establish a formal program review/refinement cycle
Finally, the whole security metrics program should formal and habitual be checked, this
must be instilled into the overall process. During the assessment process questions like; is there
motive to distrust the accurateness of any of the metrics? Are the metrics helpful in deciding new
strategy for the overall security program? How much energy will it take to produce the metrics?
These questions and others will be imperative to answer. A new look into security metrics

Page 27 of 36
4/20/2010

China/Kelly/Palmer

standards and finest practices inside and outside the business must also be carried out to aid in
identifying new improvements and opportunities to tweak the program (Payne, 2006).
3.7 Metrics Program Implementation
The metrics program implementation practice works a metrics program that is iterative by
character and guarantees that suitable features of Information Technology (IT) security are
considered for a particular moment in time. Implementation of Information Technology security
metrics involves using Information Technology security metrics for monitoring IT security
control performance and using the outcomes of the observing to start performance enhancement
activities. The iterative process entails six segments, which, when completely carried out, will
guarantee uninterrupted use of Information Technology security metrics for security managed
performance monitoring and enhancement. Illustrated below is a figure of the Information
Technology security metrics program implementation process (Chew et al., 2008).

(Chew et al., 2008, p. 35)

4.1 Malware Incident Preventive
Malware incident prevention consists of a few key rudiments which are policy,
awareness, vulnerability mitigation, and threat mitigation. Making certain that policies
Page 28 of 36
4/20/2010

China/Kelly/Palmer

concentrate on malware deterrence it supplies a foundation for putting into practice preventive
controls. Human error that is the cause for unpleasant incident can be lessened by instituting and
upholding common malware awareness programs for every user plus particular awareness
training for the Information Technology personnel directly concerned with malware prevention
related activities. A number of potential attack vectors can be eradicated by applying effort on
defenselessness alleviations. By putting into service a mixture of threat mitigation methods and
tools like antivirus software and firewalls, can stop threats from effectively attacking systems
and networks.
When setting up a method to malware prevention, organizations must be aware of the
attack vectors that are almost certain to be executed at present and in the near future. They must
also think about how much control they will have over their systems are in relation to
manage/non-manage settings; this has important posture on the success of a variety of protective
measures. Also, businesses should integrate established protective means into their malware
prevention efforts. Conversely, businesses ought to be conscious to the fact that no matter how
much time and energy they devote to malware incident prevention, incidents will still take place.
That's why, organizations must encompass healthy malware incident treatment functions to limit
the harm that malware can cause and restore data and services proficiently (Mell, Kent, &
Nusbaum, 2005).

4.2 Malware Incident Response
As defined in NIST SP 800-61, Computer Security Incident Handling Guide, the incident
response process has four major phases: preparation, detection and analysis,
containment/eradication/recovery, and post-incident activity (Mell, Kent, & Nusbaum, 2005).

Page 29 of 36
4/20/2010

China/Kelly/Palmer


(Mull, Kent, & Nusbaum, 2005, p. 4-1)
The first stage of malware incident response entails carrying out introductory activities,
for instance like creating particular malware incident managing procedures and training courses
for incident response teams. The prep period also invests energy and time in policy usage,
awareness activities, weakness mitigation, and safety tools to diminish the amount of malware
incidents. Reoccurring risk will without doubt continue, and no tactic is fail-safe, regardless of
measures. Detection of malware infections is thus necessary to alert the organization whenever
incidents occur. Fast discovery is vital for malware incidents since they are more likely than
other kind of incidents to distress countless users and systems in little time, and sooner discovery
can assist in lessen the amount of contaminated systems. The business ought to act fittingly
depending on the severity of the incident, and that’s for every incident to alleviate its impact by
controlling it, wiping out infections, and eventually recovering from the incident. This can be
very difficult during extensive contagion, especially when majority of an organization’s systems
may be infected all at once. Following an incident, the organization should present a description
that delivers the fine points for cause and cost of the incident along with the steps the
organization must take to avoid unforeseen incidents and to get ready more effectively to attack
incidents that do transpire. Even though the rudimentary incident conduct process is the alike for

Page 30 of 36
4/20/2010

China/Kelly/Palmer

any sort of malware incident, ubiquitous infections offer various challenges that the normal
incident response process does not address (Mell, Kent, & Nusbaum, 2005).

4.3 The Future of Malware
The future of malware starts with the preventive measures that are put in place by
organizations and businesses to defend potential attacks against viruses, threats and malicious
codes. Larks (2007) predicted that 40% of motivated cyber crime will target organizations
network infrastructure for a financial gain. These figures point out the events surrounding the
uses of malware as an encouraging factor to promote the financial gain for cyber criminals
(Larks, 2007). Although the future of malware is unpredictable, organizations are recording all
known existing threats to create a database as a baseline for future study. Due to the variation of
the increase of IT solutions and security controls that are in place, criminals often exploited all
possible ways of attacking a network infrastructure from multiple routes. As technology
continues to press forward in the 21st century, electronic devices such as cell phones and PDA’s
are potential target equipment used to help transmit worms, malicious codes and viruses to attack
non-traditional platforms. To effectively control malware incidents and malware prevention,
businesses and organizations must developed a short and long term preventive system to mitigate
all activities that would increase the response of effectively stopping a malicious code from
destroying a informational technology infrastructure.

Page 31 of 36
4/20/2010

China/Kelly/Palmer

4.4 Acronyms
Capability Maturity Model (CMM)
Chief Information Officer (CIO)
Commercial off the Shelf Software (COTS)
Denial of Service/Distributed Denial of Service (DoS/DDoS)
Digital Millennium Copyright Act (DMCA)
Federal Information Processing Standards (FIPS)
Free Open Source Software (F/OSS)
Health Insurance Portability and accountability Act (HIPAA)
Highly Assured Computer (HAC)
Information Assurance (IA)
International Systems Security Engineering Association (ISSEA)
Information System Security Officer (ISSO)
Information Technology (IT)
National Institute of Standards and Technology (NIST)
Operating System (OS)
Software Engineering (SE)
Software Quality Assurance (SQA)
Specific Measurable Attainable Repeatable and Time-dependent (SMART)
United States Computer Emergency Readiness Team (US-CERT)

Page 32 of 36
4/20/2010

China/Kelly/Palmer

5. Conclusion
As new threats and attacks are created daily, the implementation of a system security
threats and risk analysis will assist an organization of safeguarding the authentication,
confidentiality, integrity, availability, and non-repudiation of data relevant to an organization.
Though every incident cannot be prevented, the mechanisms and tools involved will ensure
business operations can continue during and/or after an incident occurs. The organization’s
essential personnel such as the CIO, and ISSO will oversee this information security program is
maintaining its overall performance for the organization. The information security challenges
facing an organization can be minimal once the proper execution, effectiveness, and impact of
security controls, and other security associated activities are achieved. As a result, the
organization will be able to carry out the mission, goals, and objectives of its business
operations.

Page 33 of 36
4/20/2010

China/Kelly/Palmer

REFERENCES
Bryant, A. (2007). Developing a Framework for Evaluating Organization Information Assurance
Metric Programs. Retrieved February 8, 2010, from
http://www.dtic.mil/cgibin/GetTRDoc?AD=ADA467367&Location=U2&doc=GetTRDo
c.pdf
Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., & Robinson, W. (2008).
Performance Measurement Guide for Information Security, National Institute of
Standards and Technology, Retrieved February 24, 2010, from
http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
Choo, K. R. (2007). Trends & issues in crime and criminal justice no. 333: Zombies and Botnets.
Australian Institute of Criminology, Retrieved February 18, 2010, from
https://www-hsd1-org.ezproxy.umuc.edu/homesec/docs/foreign/nps49-11040907.pdf&code=d946a975b896bc1ad8cba801138fa09e
Encyclopedia of Management. 6th ed. Detroit: Gale, Retrieved February 17, 2010, from
http://go.galegroup.com.ezproxy.umuc.edu/ps/i.do?&id=GALE%7CCX3273100129&v=
2.1&u=umuc&it=&r&p=GVRL&sw=w
Gilligan, J. (2009). Twenty Most Important Controls and Metrics for Effective Cyber Defense
and Continuous FISMA Compliance. Retrieved February 26, 2010, from
http://www.scribd.com/doc/12755648/Twenty-Most-Important-Controls-and-Metricsfor-Effective-Cyber-Defense-and-Continuous-FISMA-Compliance
Jesan, J. (2006). Information Security. Ubiquity, (v) 2. Retrieved February 23, 2010, from
http://portal.acm.org.ezproxy.umuc.edu/citation.cfm?id=1119621.1117695&coll=ACM
&dl=ACM&CFID=77541277&CFTOKEN=20025986
Page 34 of 36
4/20/2010

China/Kelly/Palmer

(Con’t) REFERENCES
Larks, T. (2007). THE FUTURE OF SECURITY. MicroScope,37. Retrieved March 17, 2010,
from ABI/INFORM Trade & Industry. (Document ID: 1386198221).
Liles, S. & Kamali, R., (2006) An Information and Security Curriculum Implementation, (v) 3.
Retrieved March 13, 2010 from
http://informingscience.org/proceedings/InSITE2006/IISITLile135.pdf
McDowell, M. (2008). Understanding Hidden Threats: Rootkits and Botnets. United States
Computer Emergency Readiness Team. Retrieved February 16, 2010, from
http://www.us-cert.gov/cas/tips/ST06-001.html
McDowell, M. (2009). Understanding Denial-of-Service Attacks. United States
Computer Emergency Readiness Team. Retrieved February 17, 2010, from
http://www.us-cert.gov/cas/tips/ST04-015.html
Mell, P., Kent, K., & Nusbaum (2005). Guide to Malware Incident Prevention and Handling.
National Institute of Standards and Technology. Retrieved February 27, 2010, from
http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
Payne, S. C. (2006). A guide to security metrics. SANA Security Essentials GSEC Practical
Assignment Version 1.2e. Retrieved February 10, 2010, from
https://www-hsdl-org.ezproxy.umuc.edu/homesec/docs/edu/nps36-08300704.pdf&code=73dca2ad3a05b0c16e6aaf1cd7055bbc
Peng T., Leckie, C., & Ramamohanarao, K. (2007). Survey of network-based mechanisms
Countering the DoS and DDoS problems. ACM Computing Surveys, 39(1), 1-42.
doi: 10.1145/1216370.1216373

Page 35 of 36
4/20/2010

China/Kelly/Palmer

(Con’t) REFERENCES
Rees, J., & Allen, J. (2008). The state of risk assessment practices in information security: An
exploratory investigation. Journal of Organizational Computing and Electronic
Commerce, 18, 255-277. doi:10.1080/10919390802421242
Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, G., & Rogers, G.(2008).
Recommended Security Control for Federal Information Systems, National Institute of
Standards and Technology, Retrieved February 25, 2010, from
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf

Page 36 of 36
4/20/2010

China/Kelly/Palmer

System Security Threats and Risks)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to System Security Threats and Risks)

Similar to System Security Threats and Risks) (20)

Recently uploaded

Recently uploaded (20)

System Security Threats and Risks)