This research work x-rays the indispensability of continuous
risk assessment on data and communication devices, to ensure
that full business uptime is assured and to minimize, if not
completely eradicate downtime caused by “unwanted elements
of the society” ranging from hackers, invaders, network
attackers to cyber terrorists. Considering high-cost of
downtime and its huge business negative impact, it becomes
extremely necessary and critical to proactively monitor,
protect and defend your business and organization by ensuring
prompt and regular Risk assessment of the data and
communication devices which forms the digital walls of the
organization. The work also briefly highlights the
methodologies used, methodically discusses core risk
assessment processes, common existing network architecture
and its main vulnerabilities, proposed network architecture
and its risk assessment integration(Proof), highlights the
strengths of the proposed architecture in the face of present
day business threats and opportunities and finally emphasizes
importance of consistent communication and consultation of
stakeholders and Original Equipment Manufacturers (OEMs)
This white paper endeavors to compare the traditional Threat identification techniques and the challenges they pose as they are applied into current product designs. It also proposes the key elements to consider while designing new threat identification solutions.
Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. It helps confirm the effectiveness or ineffectiveness of the security measures that have been implemented. This paper provides an overview of penetration testing. It discusses the benefits, the strategies and the methodology of conducting penetration testing. The methodology of penetration testing includes three phases: test preparation, test and test analysis. The test phase involves the following steps: information gathering, vulnerability analysis, and vulnerability exploit. This paper further illustrates how to apply this methodology to conduct penetration testing on two example web applications.
For more classes visit
www.snaptutorial.com
You are part of a team has been selected by the Chief Information Officer (CIO) to perform an audit of the HR Department.
Create a 10- to 12-slide presentation (not including the title and reference slides) that examines the specific audit steps that should be performed to evaluate the
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructurejbasney
Presented Nov 11 2017
http://www.stem-trek.org/news-events/urisc/
“Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure”
Risk assessment provides valuable insights to the cyberinfrastructure security program, but launching a risk assessment process can seem daunting for all but the largest projects. Jim Basney will present risk assessment tools (checklists, spreadsheets, templates) developed by CTSC (trustedci.org) for getting started on a lightweight risk assessment for cyberinfrastructure projects of varying types and sizes.
This white paper endeavors to compare the traditional Threat identification techniques and the challenges they pose as they are applied into current product designs. It also proposes the key elements to consider while designing new threat identification solutions.
Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. It helps confirm the effectiveness or ineffectiveness of the security measures that have been implemented. This paper provides an overview of penetration testing. It discusses the benefits, the strategies and the methodology of conducting penetration testing. The methodology of penetration testing includes three phases: test preparation, test and test analysis. The test phase involves the following steps: information gathering, vulnerability analysis, and vulnerability exploit. This paper further illustrates how to apply this methodology to conduct penetration testing on two example web applications.
For more classes visit
www.snaptutorial.com
You are part of a team has been selected by the Chief Information Officer (CIO) to perform an audit of the HR Department.
Create a 10- to 12-slide presentation (not including the title and reference slides) that examines the specific audit steps that should be performed to evaluate the
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructurejbasney
Presented Nov 11 2017
http://www.stem-trek.org/news-events/urisc/
“Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure”
Risk assessment provides valuable insights to the cyberinfrastructure security program, but launching a risk assessment process can seem daunting for all but the largest projects. Jim Basney will present risk assessment tools (checklists, spreadsheets, templates) developed by CTSC (trustedci.org) for getting started on a lightweight risk assessment for cyberinfrastructure projects of varying types and sizes.
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...IJNSA Journal
Over the past few years, intrusion protection systems have drawn a mature research area in the field of computer networks. The problem of excessive features has a significant impact on
intrusion detection performance. The use of machine learning algorithms in many previous researches has been used to identify network traffic, harmful or normal. Therefore, to obtain the accuracy, we must reduce the dimensionality of the data used. A new model design based on a combination of feature selection and machine learning algorithms is proposed in this paper. This model depends on selected genes from every feature to increase the accuracy of intrusion detection systems. We selected from features content only ones which impact in attack detection. The performance has been evaluated based on a comparison of several known algorithms. The NSL-KDD dataset is used for examining classification. The proposed model outperformed the other learning approaches with accuracy 98.8 %.
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
You can tune in for the full webinar recording here: https://www.beyondtrust.com/resources/webinar/10-steps-to-building-an-effective-vulnerability-management-program/
In this presentation from the webinar by cyber security expert Derek A, Smith, hear a step-by-step overview of how to build an effective vulnerability management program. Whether your network consists of just a few connected computers or thousands of servers distributed around the world, this presentation discusses ten actionable steps you can apply whether its to bolster your existing vulnerability management program--or building one from scratch.
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
Abstract:
While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security.
Join AlienVault for this session to learn:
*The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated
*Vulnerability scores and how to interpret them
*Best practices for prioritizing vulnerability remediation
*How threat intelligence can help you pinpoint the vulnerabilities that matter most
Feature Analysis of Estimated Causes of Failures in Medical Device Software a...Yoshio SAKAI
Background/Objectives
<research>
•383 medical device software failures from 1983 to 1997 are analyzed in “FAILURE MODES IN MEDICAL DEVICE SOFTWARE:AN ANALYSIS OF 15 YEARS OF RECALL DATA” (DOLORES R. WALLACE1 and D. RICHARD KUHN, 2001)
•Medical devices are getting more and more relying on software.
<objectives>
•Analyze 86 medical device software failures in FY 2010 and identify the change of the trend of failure causes from the former analysis
•Confirm whether the International standard issued in 2006, IEC 62304 (Medical device software - Software life cycle processes), is effective to new failure causes or not.
The presentation is about information risk management. It covers information threats, risks, vulnerabilities and importance of risk assessment for information security for software companies in India.
http://www.ifour-consultancy.com
IT Risk Management & Leadership 23 - 26 June 2013 Dubai360 BSI
WHY IS THIS IT RISK ASSESSMENT WORKSHOP IMPORTANT?
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
Derek Milroy, IS Security Architect at U.S. Cellular Corporation, defined “vulnerability management” and how it affects today’s organizations during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in Chicago on Nov. 19. In his presentation, “Enterprise Vulnerability Management/Security Incident Response,” Milroy noted vulnerability management has different meanings to different organizations, but an organization that utilizes vulnerability management processes can effectively safeguard its data.
According to Milroy, an organization should develop its own vulnerability management baselines to monitor its security levels. By doing so, Milroy said an organization can launch and control vulnerability management systems successfully. In addition, Milroy pointed out that vulnerability management problems occasionally will arise, but a well-prepared organization will be equipped to handle such issues: “Problems are going to happen … You have to work with your people. This can translate to any tool that you’re putting in place. Make sure your people have plans for what happens when it goes wrong, because it’s going to [happen] every single time.”
Milroy also noted that having actionable vulnerability management data is important for organizations of all sizes. If an organization evaluates its vulnerability management processes regularly, Milroy said, it can collect data and use this information to improve its security: “The simplest rule of thumb for vulnerability management, click the report, hand the report to someone. Don’t ever do that. There is no such thing as a report from a tool that you can just click and hand to someone until you first tune it and pare it down.”
- See more at: http://www.argylejournal.com/chief-information-security-officer/enterprise-vulnerability-managementsecurity-incident-response-derek-milroy-is-security-architect-u-s-cellular-corporation/#sthash.Buh6CzLS.dpuf
An Extended Notation of FTA for Risk Assessment of Software-intensive Medical...Yoshio SAKAI
An extended notation of FTA for risk assessment of software-intensive medical devices
Yoshio Sakai, Seiko Shirasaka and Yasuharu Nishi
It is difficult to assess the risk of software-intensive medical devices. An extended notation of FTA recognizes the risk class before and after the risk control measure and the software in the system affects the top event of FTA.
You can see this content as 6-pages paper from IEEE Website.
Business Continuity & Disaster Recovery Planning 02 - 04 December 2013 Kuala ...360 BSI
Disasters could cripple your organization, suspending mission-critical processes and disrupting service to your customers. These disasters could be man-made or natural in nature.
The Business Continuity Plan addresses an organization’s ability to continue functioning when normal operations are disrupted. A Disaster Recovery Plan is used to define the resources, action, tasks, and data required to manage the business recovery process in the event of a disaster.
In this workshop you learn to identify vulnerabilities and implement appropriate countermeasures to prevent and mitigate threats to your mission-critical processes. You will learn techniques for creating a business continuity plan (BCP) and the methodology for building an infrastructure that supports its effective implementation.
Benefits of Attending:
Using a carefully selected case study, course participants will:
- Create, document and test continuity arrangements for an organization
- Perform a risk assessment and Business Impact Assessment (BIA) to identify vulnerabilities
- Select and deploy an alternate site for continuity of mission-critical activities
- Identify appropriate strategies to recover the infrastructure and processes
- Organize and manage recovery teams
- Test and maintain an effective recovery plan in a rapidly changing technology environment
Exclusive:
- Bring your BCP/DRP for private consultation review
- BCP/DRP Step-by-step Guide
- BCP/DRP templates and worksheets to aid you in applying and putting into practice what you have learned from this workshop
- FREE CD containing course material, case studies, and other related items of the training workshop
Who should attend:
- Vice Presidents, Directors, General Managers
- Chief Information Officers
- Chief Security Officers
- Chief Information Security Officers
- Chief Technology Officers
- Heads of Departments in Information Security Management
Contact Kris at kris@360bsi.com to register.
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
With the increasing use of computers in business information security has also become a key issue in organizations. Risk assessment in organizations is vital in order to identify threats and take appropriate measures. There are various risk assessment methodologies exist which organizations use for risk assessment depending the type and need of organizations. In this research OCTAVE methodology has been used following a comparative study of various methodologies due to its flexibility and simplicity. The methodology was implemented in a financial institution and results of its efficacy have been discussed.
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
Risk management plan
Executive Summary
The past few decades have seen technological evolutions on a rapid scale with the growth of the industry taking over the world by storm. Governments and companies alike are investing in further research and development of futuristic technologies in order to work towards a more efficient future in terms of productivity and task automation. The evolution of computers and powerful technologies being made available to the public with them having high processing power and some being small, powerful and portable has led to people having information in their hands, literally.
However, with the advantages of the recently introduced technologies, there still are threats brought about by the same since they have raised privacy and other security concerns as well as health concerns associated with a number of the devices. This paper is aimed at identification of strategies to handle risks which may arise from the continuous development of new technologies (Galati, 2015). Comment by Schneider, Paul: This is the only sentence in this summary which focuses on the paper, and it does a very poor job of previewing everything that the reader will see in this paper.
Project Summary
Scope Comment by Schneider, Paul: This section tells me nothing about the scope for your project. What are the task/activities needed to successfully complete your project?
This report is important in analysis of the importance of information technologies being managed and security implemented since with their introduction, most companies have taken them up therefore the need to prevent attacks via technologies implemented. Critical processes in business are reliant to information technologies therefore need for safeguarding them against hacking attacks among other similar threats relating to information technologies.
Milestones Comment by Schneider, Paul: This section tells me nothing about the milestones for your project. When does the project start? When does the project end? What are all of the milestones between the start & end?
All businesses especially in a technologically growing and depend world need to learn the vulnerabilities posed by the developments as well as methods which can be used to control or curb them. Most companies have successfully put in place firewalls and administrators of networks to monitor, analyze and notify of irregularities which may cause a breach to sensitive company information.
Cost Constraints Comment by Schneider, Paul: Very poor job.
In implementation of security within information technologies, there are costs involved, some being one off and others being recurrent however all serving the same purpose. Costs inclusive in implementation of security protocols are such as purchase as hardware and software offering security such as firewalls, antiviruses, antimalware programs and programs for detection of network intrusions. Costs can also arise from contracting an external organization to ...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...IJNSA Journal
Over the past few years, intrusion protection systems have drawn a mature research area in the field of computer networks. The problem of excessive features has a significant impact on
intrusion detection performance. The use of machine learning algorithms in many previous researches has been used to identify network traffic, harmful or normal. Therefore, to obtain the accuracy, we must reduce the dimensionality of the data used. A new model design based on a combination of feature selection and machine learning algorithms is proposed in this paper. This model depends on selected genes from every feature to increase the accuracy of intrusion detection systems. We selected from features content only ones which impact in attack detection. The performance has been evaluated based on a comparison of several known algorithms. The NSL-KDD dataset is used for examining classification. The proposed model outperformed the other learning approaches with accuracy 98.8 %.
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
You can tune in for the full webinar recording here: https://www.beyondtrust.com/resources/webinar/10-steps-to-building-an-effective-vulnerability-management-program/
In this presentation from the webinar by cyber security expert Derek A, Smith, hear a step-by-step overview of how to build an effective vulnerability management program. Whether your network consists of just a few connected computers or thousands of servers distributed around the world, this presentation discusses ten actionable steps you can apply whether its to bolster your existing vulnerability management program--or building one from scratch.
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
Abstract:
While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security.
Join AlienVault for this session to learn:
*The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated
*Vulnerability scores and how to interpret them
*Best practices for prioritizing vulnerability remediation
*How threat intelligence can help you pinpoint the vulnerabilities that matter most
Feature Analysis of Estimated Causes of Failures in Medical Device Software a...Yoshio SAKAI
Background/Objectives
<research>
•383 medical device software failures from 1983 to 1997 are analyzed in “FAILURE MODES IN MEDICAL DEVICE SOFTWARE:AN ANALYSIS OF 15 YEARS OF RECALL DATA” (DOLORES R. WALLACE1 and D. RICHARD KUHN, 2001)
•Medical devices are getting more and more relying on software.
<objectives>
•Analyze 86 medical device software failures in FY 2010 and identify the change of the trend of failure causes from the former analysis
•Confirm whether the International standard issued in 2006, IEC 62304 (Medical device software - Software life cycle processes), is effective to new failure causes or not.
The presentation is about information risk management. It covers information threats, risks, vulnerabilities and importance of risk assessment for information security for software companies in India.
http://www.ifour-consultancy.com
IT Risk Management & Leadership 23 - 26 June 2013 Dubai360 BSI
WHY IS THIS IT RISK ASSESSMENT WORKSHOP IMPORTANT?
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
Derek Milroy, IS Security Architect at U.S. Cellular Corporation, defined “vulnerability management” and how it affects today’s organizations during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in Chicago on Nov. 19. In his presentation, “Enterprise Vulnerability Management/Security Incident Response,” Milroy noted vulnerability management has different meanings to different organizations, but an organization that utilizes vulnerability management processes can effectively safeguard its data.
According to Milroy, an organization should develop its own vulnerability management baselines to monitor its security levels. By doing so, Milroy said an organization can launch and control vulnerability management systems successfully. In addition, Milroy pointed out that vulnerability management problems occasionally will arise, but a well-prepared organization will be equipped to handle such issues: “Problems are going to happen … You have to work with your people. This can translate to any tool that you’re putting in place. Make sure your people have plans for what happens when it goes wrong, because it’s going to [happen] every single time.”
Milroy also noted that having actionable vulnerability management data is important for organizations of all sizes. If an organization evaluates its vulnerability management processes regularly, Milroy said, it can collect data and use this information to improve its security: “The simplest rule of thumb for vulnerability management, click the report, hand the report to someone. Don’t ever do that. There is no such thing as a report from a tool that you can just click and hand to someone until you first tune it and pare it down.”
- See more at: http://www.argylejournal.com/chief-information-security-officer/enterprise-vulnerability-managementsecurity-incident-response-derek-milroy-is-security-architect-u-s-cellular-corporation/#sthash.Buh6CzLS.dpuf
An Extended Notation of FTA for Risk Assessment of Software-intensive Medical...Yoshio SAKAI
An extended notation of FTA for risk assessment of software-intensive medical devices
Yoshio Sakai, Seiko Shirasaka and Yasuharu Nishi
It is difficult to assess the risk of software-intensive medical devices. An extended notation of FTA recognizes the risk class before and after the risk control measure and the software in the system affects the top event of FTA.
You can see this content as 6-pages paper from IEEE Website.
Business Continuity & Disaster Recovery Planning 02 - 04 December 2013 Kuala ...360 BSI
Disasters could cripple your organization, suspending mission-critical processes and disrupting service to your customers. These disasters could be man-made or natural in nature.
The Business Continuity Plan addresses an organization’s ability to continue functioning when normal operations are disrupted. A Disaster Recovery Plan is used to define the resources, action, tasks, and data required to manage the business recovery process in the event of a disaster.
In this workshop you learn to identify vulnerabilities and implement appropriate countermeasures to prevent and mitigate threats to your mission-critical processes. You will learn techniques for creating a business continuity plan (BCP) and the methodology for building an infrastructure that supports its effective implementation.
Benefits of Attending:
Using a carefully selected case study, course participants will:
- Create, document and test continuity arrangements for an organization
- Perform a risk assessment and Business Impact Assessment (BIA) to identify vulnerabilities
- Select and deploy an alternate site for continuity of mission-critical activities
- Identify appropriate strategies to recover the infrastructure and processes
- Organize and manage recovery teams
- Test and maintain an effective recovery plan in a rapidly changing technology environment
Exclusive:
- Bring your BCP/DRP for private consultation review
- BCP/DRP Step-by-step Guide
- BCP/DRP templates and worksheets to aid you in applying and putting into practice what you have learned from this workshop
- FREE CD containing course material, case studies, and other related items of the training workshop
Who should attend:
- Vice Presidents, Directors, General Managers
- Chief Information Officers
- Chief Security Officers
- Chief Information Security Officers
- Chief Technology Officers
- Heads of Departments in Information Security Management
Contact Kris at kris@360bsi.com to register.
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
With the increasing use of computers in business information security has also become a key issue in organizations. Risk assessment in organizations is vital in order to identify threats and take appropriate measures. There are various risk assessment methodologies exist which organizations use for risk assessment depending the type and need of organizations. In this research OCTAVE methodology has been used following a comparative study of various methodologies due to its flexibility and simplicity. The methodology was implemented in a financial institution and results of its efficacy have been discussed.
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
Risk management plan
Executive Summary
The past few decades have seen technological evolutions on a rapid scale with the growth of the industry taking over the world by storm. Governments and companies alike are investing in further research and development of futuristic technologies in order to work towards a more efficient future in terms of productivity and task automation. The evolution of computers and powerful technologies being made available to the public with them having high processing power and some being small, powerful and portable has led to people having information in their hands, literally.
However, with the advantages of the recently introduced technologies, there still are threats brought about by the same since they have raised privacy and other security concerns as well as health concerns associated with a number of the devices. This paper is aimed at identification of strategies to handle risks which may arise from the continuous development of new technologies (Galati, 2015). Comment by Schneider, Paul: This is the only sentence in this summary which focuses on the paper, and it does a very poor job of previewing everything that the reader will see in this paper.
Project Summary
Scope Comment by Schneider, Paul: This section tells me nothing about the scope for your project. What are the task/activities needed to successfully complete your project?
This report is important in analysis of the importance of information technologies being managed and security implemented since with their introduction, most companies have taken them up therefore the need to prevent attacks via technologies implemented. Critical processes in business are reliant to information technologies therefore need for safeguarding them against hacking attacks among other similar threats relating to information technologies.
Milestones Comment by Schneider, Paul: This section tells me nothing about the milestones for your project. When does the project start? When does the project end? What are all of the milestones between the start & end?
All businesses especially in a technologically growing and depend world need to learn the vulnerabilities posed by the developments as well as methods which can be used to control or curb them. Most companies have successfully put in place firewalls and administrators of networks to monitor, analyze and notify of irregularities which may cause a breach to sensitive company information.
Cost Constraints Comment by Schneider, Paul: Very poor job.
In implementation of security within information technologies, there are costs involved, some being one off and others being recurrent however all serving the same purpose. Costs inclusive in implementation of security protocols are such as purchase as hardware and software offering security such as firewalls, antiviruses, antimalware programs and programs for detection of network intrusions. Costs can also arise from contracting an external organization to ...
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
Explain in Hindi: https://www.youtube.com/watch?v=6xqkDB3NHN0
Discovering vulnerabilities is important, but being able to estimate the associated risk to the business is just as important. Early in the life cycle, one may identify security concerns in the architecture or design by using threat modeling. Later, one may find security issues using code review or penetration testing. Or problems may not be discovered until the application is in production and is actually compromised.
Reference: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
https://www.owasp-risk-rating.com/
Demystifying Penetration Testing: A Comprehensive Guide for Security Enhancementcyberprosocial
In today’s digital world, where cyber threats are everywhere you go, protecting your online assets is important. One way businesses do this is through penetration testing. This proactive approach helps identify weaknesses in their systems before bad guys can take advantage of them. In this article, we’ll take a closer look at penetration testing, why it’s important, how it’s done, and the benefits it brings.
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachProtected Harbor
Discover a comprehensive roadmap to fortify your IT operations against unexpected downtime through systematic risk assessment, strategic redundancy planning, and the implementation of cutting-edge monitoring and response protocols. Our whitepaper outlines seven crucial steps to safeguard your IT infrastructure, helping you proactively identify and address potential weak points, ensuring robust resilience and reducing the risk of disruptive outages. By adopting our proven methodology, organizations can enhance its ability to withstand IT-caused outages, ensuring uninterrupted services, improved customer satisfaction, and safeguarding your reputation in today's highly competitive digital landscape.
Cybersecurity Analytics: Identifying and Mitigating Threatspriyanka rajput
Network safety examination remains as a dynamic and versatile safeguard in the determined fight against digital dangers. Associations putting resources into front line examination apparatuses and preparing their network protection experts in information driven safeguard techniques.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
JMeter webinar - integration with InfluxDB and Grafana
Risk Assessment: Approach to enhance Network Security
1. Risk Assessment: Approach to enhance Network Security
Abstract
This research work x-rays the indispensability of continuous
risk assessment on data and communication devices, to ensure
that full business uptime is assured and to minimize, if not
completely eradicate downtime caused by “unwanted elements
of the society” ranging from hackers, invaders, network
attackers to cyber terrorists. Considering high-cost of
downtime and its huge business negative impact, it becomes
extremely necessary and critical to proactively monitor,
protect and defend your business and organization by ensuring
prompt and regular Risk assessment of the data and
communication devices which forms the digital walls of the
organization. The work also briefly highlights the
methodologies used, methodically discusses core risk
assessment processes, common existing network architecture
and its main vulnerabilities, proposed network architecture
and its risk assessment integration(Proof), highlights the
strengths of the proposed architecture in the face of present
day business threats and opportunities and finally emphasizes
importance of consistent communication and consultation of
stakeholders and Original Equipment Manufacturers (OEMs)
Keywords- Risks,Risk Assessment,Network
Architecture,vulnerabilities,Opportunities.
I. METHODOLOGY
In the course of this work, some other methodologies such as
Object Oriented Analysis and Design Methodologies
(OOADM), Incremental/Evolutionary Methodologies etc. were
considered and finally adopted Structured System Analysis
and Design Method(SSADM), Dynamic System Development
Method (DSDM) and Spiral Methodologies.
Reasons for the adoption are their direct applicability and
features among which are respectively as follow:
For SSADM,
• Intensive users involvement
• Clear and easily understandable documentation
• Process is Procedural
For DSDM
• Focuses on Business need and delivers on time
• Communicate continuously and clearly without
compromising quality
For Spiral
• Risk driven and keeps track of risk patterns in a
project.
• Iterative and incremental
All these features are used to analyze common existing
network architectures with the primary aim of:
• Identifying bottlenecks and Problems thereof.
• Investigating areas of improvement
• And proffering solutions to the system(Proposed
Network Architecture)
II RISKS AND RISK ASSESSMENT
If you don’t assess your data and communication devices,
definitely someone else would. And this will invariably leave
your organization at the mercy of the attackers – attackers are
ill-winds that blow no man any good.In fact, in most cases,
organizations are shutdown, monies are lost and the image of
the company is battered and left in doubt for the public as data
integrity, confidentiality and availability are not assured of.
Risks, contrary to earlier notion, are both positive and negative.
Therefore Risk, as adapted from Stoneburner, G., Goguen, A.
& Feringa, A. (2002, July), is net negative or positive effect of
exercise of vulnerabilities or opportunities which can be
exploited, enhanced, shared, transferred, or even accepted.
However, this work focuses on negative risks (vulnerabilities)
which can be intentionally exploited or accidentally triggered.
Subsequent publication which is part of the entire work, will
anatomize risks as opportunities which are positive.
Risk Assessment, as a critical part of risk management, is made
of many core processes (which the steps depicted in figure 3
and further explained) such as:
• Risk identification: This allows individuals to identify
risks so that the stakeholders will be in the know of
potential threats or opportunities inherent in the
devices. It is pertinent to start this stage as early as
possible and should be repeated frequently.
Nwagu, Chikezie Kenneth, Omankwu, Obinnaya Chinecherem, Okonkwo, Obikwelu Raphael
1
Computer Science Department, Nnamdi Azikiwe University Awka Anambra State, Nigeria.
Nwaguchikeziekenneth@hotmail.com
2
Computer Science Department, Michael Okpara University of Agriculture Umudike Umuahia, Abia State, Nigeria.
Saintbeloved@yahoo.com
3
Computer Science Department, Nnamdi Azikiwe University Awka Anambra State, Nigeria.
Oobi2971@yahoo.com
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
103 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
2. • Risk analysis and Prioritization: Risk analysis
transforms the estimates or data about specific risks
that developed during risk identification into a
consistent form that can be used to make decisions
around prioritization. Risk prioritization enables
operations to commit resources to manage the most
important or worst risks.
• Integration of Risk registers: This assures that risks
(both low and high priority ones) are tracked and
monitored through the entire process. In the course of
the initial process of Risk assessment, all low-priority
risks are kept in the register and while during
subsequent risk assessments, the content is updated
after the content is assessed, in addition to the entire
assessment. As a core part of process and result,
contains lists of identified risks, root causes of risks,
lists of potential responses, risk owners, symptoms
and warning signs, relative rating or priority list.
These are risks for additional analysis and responses,
and a watch list which is a list of low-priority risks
under close watch and monitoring.
• Communication and Consultation: Communication is
key is risk assessment. There should be steady and
consistent communication/consultation among
stakeholders within the organization as everyone is
practically involved and outside, especially to Original
Equipment Manufacturers (OEMs). In addition, the
stakeholders can utilize all their communication
channels (Calls, Emails, via Technical Account
Managers (TAM), Portal etc.) to the OEMs. This
ensures speedy and reliable responses which further
assist organizations to strategically align with
industry best practices and proactively avoid negative
risks.
III. RISK ASSESSMENT KEY STEPS
The Principal steps undertaken in order to thoroughly assess
risks associated with ICT systems are:
Step 1 – System/Device Characterization
Step 2 - Vulnerability Identification
Step 3 - Threat Identification
Step 4 - Control Analysis
Step 5 - Likelihood Determination
Step 6 - Impact Analysis and Integration of Risk register
Step 7 - Risk Determination
Step 8 - Control Recommendations
Step 9 - Assessment Documentation and Updating Risk
Register
Depending on the level of organizations risk awareness and
maturity, steps 2 to 6 can be carried out concurrently after
completing step 1.And throughout the entire processes and
steps ,there is consistent two-way communication and
consultation among stakeholders including OEMs.This is key
to ensure successful and seamless risk assessment processes
integration into organizational daily operational routines
• Risks and
Associated Risk levels
Step 9.
Results Documentation
Step 8.
Control Recommendations
• Recommended Controls
• Risk Assessment
Report
Step 5.
Likelihood Determination
Step 6. Impact Analysis
Loss of Integrity
Loss of Availability
Loss of Confidentiality
Step 7.
Risk Determination
• Threat-source
motivation
• Threat capacity
• Nature of vulnerability
• Current controls
• Likelihood Rating
• Mission impact analysis
• Asset criticality
assessment
• Data criticality
• Data sensitivity
• Impact Rating
• Likelihood of threat
Exploitation
• Magnitude of impact
• Adequacy of planned or
• current controls
Step 2.
Threat Identification
Step 3.
Vulnerability Identification
Step 4.
Control Analysis
Step 1.
System Characterization
• Hardware
• Software
• System interfaces
• Data and information
• People
• System mission
• System Boundary
• System Functions
• System and Data
• Criticality
• System and Data
• Sensitivity
• Threat Statement
• History of system attack
• Data from intelligence
agencies, NIPC, OIG,
FedCIRC, mass media,
• Reports from prior risk
• assessments
• Any audit comments
• Security requirements
• Security test results
• List of Potential
Vulnerabilities
• Current controls
• Planned controls
• List of Current and
Planned Controls
INPUT Risk Assessment Activities OUTPUT
Figure 3: Risk Assessment Process (adapted from stoneburner et
al.)
Step 1 – Device/System Characterization:
The first step, is basically to define the scope of ICT systems,
be it data and communication devices, hardware, software or
as your organization need directs. This would assist the
stakeholders to establish clear category as outputs at this step
based on functionality, criticality and /or sensitivity of the
devices/systems. With these, it will be essentially easy to
define the risk, its priority and of course, assign appropriate
resource which would help to mitigate the identified risks
completely at this stage or reduce it to acceptable level which
would immediately be kept in the risk register for close
monitoring and watch in the subsequent risk assessments. If
this happens, would automatically jump the process to step 7
which keeps the end in sight for the entire processes.
Step 2 - Vulnerability Identification
This is principally looking at the existing documentations (risk
assessment etc.) and records (audits, continuous
quality/process improvement etc.) and studying them, so as to
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
104 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
3. come up with list of vulnerabilities and /or potential
vulnerabilities associated with respective devices/ICT systems.
Step 3 - Threat Identification
This involves studying history of attacks and possibly their
trend. Accessing and leveraging on similar information from
other organizations would be an added advantage as all known
threats and their respective sources would reflect on the threat
statement. With this broader coverage of threat statement, the
risk assessment core processes would be on the lookout for
them and mitigating plan proactively put place to ensure no
exercise of those threats by the threat sources.
Step 4 - Control Analysis
Having established the systems boundary, possible
vulnerabilities identified and threat statement clearly written, it
becomes important to analyze existing controls and their
respective efficacies and potencies against them(identified
vulnerabilities and threat-sources).With these, list of existing
current controls would be written and their inadequacies
bridged as planned(proposed) controls.
Step 5 - Likelihood Determination
At this stage, threat-source motivation should have been
known and put into consideration, nature of the vulnerability
and of course, threat capacity if successfully exercised, then
likelihood rating could be determined. Likelihood rating is
simply the probability that identified vulnerabilities can be
exercised successfully by threat-sources. To determine the
likelihood involves examining threat-source motivation and
capability, type of vulnerability involved and effectiveness of
existing controls. Hence the likelihood that a particular
potential system weakness could be exercised by a given
threat-source is then categorize as high or low. However in
most cases, organizations go a little deeper and categorize it as
high, medium, or low depending on the anticipated severity.
It is High when the threats are likely exploitable and the threat
source is attracted, very motivated and highly capable to
initiate it. However the existing controls are ineffective and
insufficient to prevent exercise of the vulnerability thereof.
It is Medium when threats are highly exploitable, the threat
source attracted, very motivated and highly capable. However
the existing controls may prevent exercise of the vulnerability.
It is low when the threats are not likely exploitable, threat
source is not attracted and lacks motivation and capability to
initiate the attack. This is mainly due to the existing controls
which are sufficient to prevent the exercise of the
vulnerability.
Step 6 - Impact Analysis and Integration of Risk register.
This is one of the critical steps of risk assessment processes as
the probable adverse impact of successful exercise of the
vulnerable is determined and measured for negative risks and
optimal benefits/full utilization of the ICT systems is also
determined for positive risks to justify for stakeholders
especially senior management team the decision taken as
regards to likely return on investment (ROI). Integration of
Risk register at this point in the process is another remarkable
strength as it assist to build comprehensive list of low impact
risks as the entire impact analysis is being conducted.
According to Kosutic, (2014) the purpose of this analysis is
primarily to give one an idea:
a) About the timing of your recovery, and
(b) The timing of your backup, since the timing is crucial – the
difference of only a couple of hours could mean life or death
for certain organizations if hit by a major incident. For
example, if it is a financial institution, recovery time of four
hours could mean you will probably survive a disruption,
whereas recovery time of 12 hours is unacceptable for certain
systems/activities in a bank, and disruption of a full day would
probably mean such a bank would never be able to open its
doors again. And there is no magic standard which would give
you the timing for your organization – not only because the
timing for every industry is different, but also because the
timing for each of your activities could be different. Therefore,
you need to perform the (business) impact analysis to make
correct conclusions for likely successful exercise of
vulnerabilities.
Hence Business Impact analysis is to evaluate the impact of
the affected ICT systems/devices to the business and entire
organization which could be loss of integrity, loss of
confidentiality or loss of availability.
According to Chia,(2012), CIA refers to Confidentiality,
Integrity and Availability as Confidentiality of information,
integrity of information and availability of information. Many
security measures are designed to protect one or more facets of
the CIA triad.
Exercise of vulnerabilities result could result in entire bleach
of security goals (integrity, availability and confidentiality) or
any of their combinations. Stoneburner et al, explained the
security goals in terms of system and data as follows:.
a) Loss of Integrity. System and data integrity refers to
the requirement that information be protected from
authorized modification. Integrity is lost if
unauthorized changes are made to the data or IT
system by either intentional or accidental acts. If the
loss of system or data integrity is not corrected,
continued use of the contaminated system or
corrupted data could result in inaccuracy, fraud, or
misleading decisions. Also, violation of integrity may
be the first step in a successful attack against system
availability or confidentiality. For all these reasons,
loss of integrity reduces the assurance of an IT
system.
b) Loss of Availability. If a mission-critical IT system
is unavailable to its end users, the organization’s
mission may be affected. Loss of system functionality
and operational effectiveness, for example, may
result in loss of productive time, thus impeding the
end users’ performance of their functions in
supporting the organization’s mission.
c) Loss of Confidentiality. System and data
confidentiality refers to the protection of information
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
105 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
4. from unauthorized disclosure. The impact of
unauthorized disclosure of confidential information
can range from the jeopardizing of national security
to the disclosure of Privacy Act data. Unauthorized,
unanticipated, or unintentional disclosure could result
in loss of public confidence, embarrassment, or legal
action against the organization.
In view of these, magnitude of impact of successful
exercise of vulnerabilities could be classified as just low
or high; high, medium or low depending on the risks
threshold or appetite of organizations. The classification
could also be done along the magnitude of anticipated
loss. Finally, this step comes out with impact ratings for
probable successful exercise of identified vulnerabilities.
Of course, the risk register is consequently updated
accordingly and stakeholders are timely communicated of
the impact, its ratings and risks under close monitoring
(content of the risk register)
Step 7 - Risk Determination
At this step, for the risk to be accurately determined, steps 1 to
6 are put into consideration specifically its respective inputs
and outputs. With these, likelihood of vulnerability
exploitation, magnitude of the impacts and effectiveness and
adequacy of planned and existing controls are thoroughly
examined. As output, all the identified risks and associated
risk scale (low, medium or high). Significant result of this step
is the risk matrix which usually 3 x 3(though some
organizations may decide to go more granular by adopting 4
x4 or 5 x 5. The matrix is a logical consideration of likelihood
of exploitation of the identified vulnerabilities by threat
sources and the associated impact if successful which
implicitly has considered the existing and planned controls.
Step 8 - Control Recommendations
This is a critical step in the risk assessment process as the
consultative and communication channels among stakeholders
and the OEMs are further utilized to ensure that
commensurate, trendy and best of security controls are
recommended to fully mitigate or eliminate existing identified
vulnerabilities. With the best of security controls, intending
threat sources are totally discouraged or arrested in the course
as the costs of successful exploitation of vulnerabilities are
made far higher than the anticipated gain thereby discouraging
and checking attackers . Hence the output of this step is a list
of recommended control in addition to existing controls.
Step 9 - Assessment Documentation and Updating Risk
Register
As the final step, all the risk assessment steps and processes
are documented including the identified vulnerabilities, impact
of successful exploitation, list of existing and recommended
controls etc. are presented to the process owners and
stakeholders. It is advisable for organizations to create a
platform (may be an intranet portal for stakeholders only) on
which these reports are timely shared. This is important too, as
risk assessment responsibility is for all stakeholders and not
“esoterically” reserve for ICT experts as the practice has
always been.
IV. COMMON EXISTING NETWORK ARCHITECTURE AND ITS
MAIN VULNERABILITIES
A common typical existing Network architecture is flat and
vulnerable as all the data and communication devices such as
routers, Idirect, Pixs, switches, fortigate, Pix and many other
devices including those from internet Service Providers. These
devices are connected directly to the organization`s core switch
and/or mostly via the organization`s router. Even the servers,
PABX and other telecommunication devices are all connected
directly to one and same core switch. Of course, the stacked
switches for end users` devices are linked up and also
connected to the same core switch.
This design does not only give room for one point of failure(the
core switch) for the entire network but any eventual and
slightest break-in through any of these devices comfortably
drops the attacker into the heart of the organization`s business
data and the rest could be story as your guess of the result is as
good as mine.
Service Providers` Devices/Routers, IDS,IPS,Pix etc
Switches
Servers
(Unix,APP,CMS,Axapta,SQL,
BB,Mail etc)
Workstations(Macbooks,
Laptops,Desktops ,BYOD
etc)
Black holes, Stealth
Ports, Unused IP
addresses etc.
OSs Vulnerability(Open
SSH etc.),Unused
Ports,Timely
updates(Patches,Servic
e packs),Hardware
Checks/Repairs,Anti-
virus/worms signatures
are out of date
Associated Risks/
Threats
Figure 1: Common Traditional network architecture.
Above block diagram clearly illustrates existing network
architecture as implemented by many organizations. The
arrows going into the network show traffic from the internet as
requested and originated by users in accordance to business
needs and the ones going out of the network are traffics sent
out by users to fulfill same and/or different business needs.
The first layer shows boundary devices which comprises of the
Routers, Idirect, IPS, IDS, Pix, switches and many others as the
case may be.
The second layer shows servers(mail,Application,Web
server/proxy,DCs,File,Hyper-Vs,DPM,SQL, Axapta,CM etc.),
devices such as WAN optimizer,PABX, and end-users` devices
such as the laptops, desktops,BYODs etc., of course, its
associated risks/threats at the level.
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
106 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
5. And most organizations allow remote access such as telnet etc.
on the core switch for easy administration of the network from
home or out of office, without switch port security, creation of
VLANs for the used ports and shutting down unused ports.
The risks thereof ranges from Black holes, unused ports,
granting access to a range of IP addresses while only few are
used,OS vulnerabilities, delayed update of anti-virus and worm
signatures etc. This architecture is not a total proof against
attacks as a sudden access into any of the boundary devices
will totally expose entire network and leaves it at the mercy of
the attackers. Again there is no obvious communication and
consultation among the stakeholders, not to talk of, with the
OEMs
The main Vulnerabilities of the existing network architecture
are:
• Being a Flat architecture - all boundary devices are
connected to one device and same LAN(no
segregation) which makes it easy for an attacker who
finds his way into network (router, switch, Idirect,
etc.) accidentally or intentionally to fully exercise his
attack and bring down the entire network. Also this
gives room for one point of total failure for entire
network as earlier hinted.
• Granting access to IP address range: If free IP address
is sniffed and entrance is successful, routes will be
changes and other configurations altered.
• According to Pascucci M.(2012), Router
Misconfigurations such as
HTTP Open on the core Router: With this,
the routes could be changed and NVRAM
wiped.
Password files stored on Router: Most
admins stored company`s credentials on a
file on the router`s storage. Most of the
routers run SSHv1 and penetration tests gain
access to the file which offers limitless
access of the company to the invader.
Although admins “believe” that .doc cannot
be on opened on Cisco IOS.
Allow Telnet and other remote accesses open
on the boundary devices (routers, switches
etc.: Since this is a flat network and telnet is
opened to the LAN on the core switch and
router, any accidental access to a workstation
or even through a compromised user
credential via VPN grants an attacker access
to the devices which automatically makes it
vulnerable.
• According to Manes C. (2014), most common
misconfigurations such as:
Leaving Shutdown in the remote session
options: This is mainly applicable in servers
and it’s a common practice by
systems/Network administrators and their
“reason” being that they want to be able to
restart and /or shutdown the device if need be
remotely
Leaving sample applications and code on a
production system: Sample applications are
meant to guide you on how to do something
.It has been discovered that system
administrators inadvertently or intentionally
leave both the sample application and codes
on the production systems. These are
valuable tools for attackers.
Autoconfigured IP addresses in DNS: if a
server has two ip.addrs in DNS, it will reply
to a query with both of them. If one of those
addresses is bogus, a client stands a 50:50
chance of trying that bogus address before it
tries the legitimate one. This typically means
slow performance and call for assistance.
Dropping ICMP: This makes it impossible to
carry out basic connectivity troubleshooting
to the device. However, some administrators
drops ICMP which is against the RFCs
which states that Hosts must respond to
ICMP echo requests. This make it difficult to
easily ascertain uptime status of the devices.
DNS Islanding in Active Directory (AD):
This occurs when a DC points to itself for
DNS instead of to another. This makes it, in
most cases to be out of synchrony with other
DCs and if it stays out for too long (about 60
days default) it simply means that it would
not “talk“ to other DCs which makes all the
devices that uses it for name resolution will
be rendered incommunicado.
V. PROPOSED NETWORK ARCHITECTURE AND ITS RISK PROOF
INTEGRATION
The proposed network system architecture has two- layer
security which offers proof against all manner of attacks.
Figure 4 is a block architecture of the proposed Network
Architecture. The two layers are named private and public. The
private communication devices boarder the corporate network
and are configured with the organization`s Private IP addresses
with corresponding subnets such as 10.10.x.x/24. All the
corporate communication devices are connected to these
devices via stack of Private switches.
However, at the public level, all the connectivity from all
service providers` devices are terminated on the public switch
on which the public router is directly connected too. The
Private router is connected to the public switch. Then the
public switch is connected WAN ports of a strong firewall
device such as fortigate while its LAN port is connected to the
core switch of the LAN.And finally one of the interfaces of the
Private router is connected to the same core switch of the LAN.
From here (core switch) the signals flow down and up to the
stack of private (LAN) switches. However, on the public
switch, each connected port has port security access configured
and any unused port is shutdown to ensure no vulnerability is
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
107 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
6. exploitable at all. Port security will work on host port. In order
to configure port security we need to set it as host port. It could
be done easily by switchport mode access command. You can
secure trunk connections with port security.
According to Cisco press (2014), the following configuration
below illustrates available commands for port security and port
shutdown:
To configure port security:
Switch> enable
switch#configure terminal
Enter configuration commands, one per line. End with
CNTL/Z
switch(config)#interface fastethernet 0/1
Switch (config-if)#switchport port-security ?
mac-address Secure mac address
Maximum max secure addressess
<cr>
Switch (config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
Switch(config-if)#switchport port-security violation ?
protect security violation protect mode
restrict security violation restrict mode
shutdown security violation shutdown mode
Switch(config-if)#switchport port-securityhost
To shutdown a switch port:
Switch> enable
switch#configure terminal
Enter configuration commands,one per line. End with CNTL/Z
Switch (config)# interface gigabitethernet1/0/2
You can verify your settings by entering the show interfaces
privileged EXEC command.
In addition to port security, Telnet and other remote accesses
are disabled on both the public and private boundary devices.
And on the private devices mainly the core switch, the
following features are configured:
Private VLAN edge: This offers security and logical
boundary - isolation between ports on a switch, hence
ensures that different packets such as the VOIP traffic
travels directly from its entry point to the aggregation
device through a virtual path and cannot be directed
to a different port.
Port-based ACLs for Layer 2 interfaces: This is
security policy applied on per-Layer 2 port basis.
With this, incoming traffics are matched against the
ACLs and good matches are allowed passage .And
others are denied passage.
Multilevel security on console access: This ensures
that only authorized users allowed to effect changes
on the configurations of the devices. Hence prevent
unauthorized users from altering the switch
configurations. Of course, authorized users have
varying degree of access which limits what a user can
do.
Granting Specific access on the public layer devices
such as to specific host or IP address instead of IP
address range or network. This is very critical on this
layer. However on the private layer, it can be diluted
a little to ensure VLANs talk to one another
Cisco security VLAN ACLs (VACLs) on all VLANs:
This functions as logical boundaries which assures
that inhibit unauthorized data flows to be bridged
within VLANs.
Operating Systems Updates: All patches should be
tested in a test environment before rolling out to
production environment. And whenever in doubt, one
of the communication channels (as earlier stated)
should be activated and followed-up to ensure timely
response.
Engaging Experts with relevant experience: This is
also key to ensure that desired security configurations
or intentions are achieved according to organization’s
needs.
Port-Level Traffic Controls: This is principally
configure on the public layer specifically on the
public switch. This offers storm control among many
other security features.
LAN or network Storm happens when
excessive hostile packets are sent
continuously on the LAN segment creating
unnecessary and excessive traffics which
results in network performance degradation.
The storm control prevents disruption to
regular and normal traffics which is mainly
causes by multicast, broadcast or unicast
packet storm on any of the physical
interfaces.
To enable traffic storm control feature, at the
global configuration mode, use storm-
control {broadcast | multicast | unicast}.
However, by default it is disabled. The
storm-control action {shutdown |trap}
command is used to instruct the switch the
action to take when storm is detected. By
default, the storm is suppressed which
means that no action is configured.
To verify/check the storm-control
suppression levels on an interface, use show
storm-control [interface] [broadcast |
multicast | unicast] command.
Additional Layer 2 best security practices: This is
highly recommended to ensure that best of layer 2
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
108 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
7. security measures are in place in the private layer
switches(core and other stacked switches).According
to Bhaiji Y.(2008),best practice for managing,
implementing and maintaining secure layer 2 network
are:
• Manage the switches in a secure
manner. For example, use SSH,
authentication mechanism, access
list, and set privilege levels.
• Restrict management access to the
switch so that untrusted networks
are not able to exploit management
interfaces and protocols such as
SNMP.
• Always use a dedicated VLAN ID
for all trunk ports.
• Be skeptical; avoid using VLAN 1
for anything.
• Disable DTP on all non-trunking
access ports.
• Deploy the Port Security feature to
prevent unauthorized access from
switching ports.
• Use the Private VLAN feature
where applicable to segregate
network traffic at Layer 2.
• Use MD5 authentication where
applicable.
• Disable CDP where possible.
• Prevent denial-of-service attacks
and other exploitation by disabling
unused services and protocols.
• Shut down or disable all unused
ports on the switch, and put them in
a VLAN that is not used for normal
operations.
• Use port security mechanisms to
provide protection against a MAC
flooding attack.
• Use port-level security features
such as DHCP Snooping, IP Source
Guard, and ARP security where
applicable.
• Enable Spanning Tree Protocol
features (for example, BPDU
Guard, Loopguard, and Root
Guard).
• Use Switch IOS ACLs and Wire-
speed ACLs to filter undesirable
traffic (IP and non-
Figure 2: Proposed Layered Network architecture using data
and communication devices
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
109 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
8. This totally eliminates possible entrance of the intentional or
accidental attackers/invader. And this drives steady
communication and consultation among stakeholders/OEMs to
ensure that Operating systems of the devices are always
updated both on the private, public and entire corporate
network. In addition, necessary advance security measures are
implemented at appropriate layers.
With steady communication and consultation of OEMs, the
stakeholders are provided with updates,firmwares, patches or
service packs and some customized net scanners such as
Microsoft Baseline Security Analyzer(MBSA) for windows
platform and Open Vulnerability Assessment
System(OpenVAS) for open-source related
(Cisco,Avaya,android etc.) Platform. These customized
applications detect common security misconfigurations and
vulnerabilities in the data and communication devices. And
with these scanners, organizations can frequently carry our in-
depth checks for vulnerabilities and any low priority ones such
as patches, OS updates etc. detected are added to the risk
register for close watch and monitoring.
The result from this, forms further basis for thorough risk
assessment on all the layers of devices to ensure the targeted
integrity, availability and confidentiality
VI. CONCLUSION
Every Organization has mission and vision which is backed
and driven by strong information and communication
technology. And due to ever dynamic and unique nature of
information and communication technology, data and
communication devices cannot move out way of trouble. In
fact, they are more vulnerable to economic and political
uncertainties than any other investments. In view of this,
above proposed network architecture is key, to ensure that
organizations are proactively positioned to eliminate inherent
vulnerabilities of common network architecture and take
advantage of the proposed solutions.
Furthermore, since attacks assume dynamic forms, it is
advisable to charge network Engineers , systems
administrators and Experts to make this process a daily routine
and carry out aggressive end-users awareness campaign on
what to do once they sense data compromise vis-à-vis
Integrity, Availability and confidentiality. This is important as
Risk assessment is the duty of all stakeholders hence the
encouragement to ensure consistent two-way communication
and consultation among stakeholders.
VII. REFERENCE
[1] Stoneburner G., Goguen, A. & Feringa, A. (2002). Risk Management
Guide for Information Systems. Retrieved January 4, 2015
From http://csrc.nist.gov/publications/nistpubs/800-30/sp800-
30.pdf.
[2] Alshboul, A. (2010).Information Systems Security measures and
countermeasures: Protecting Organizational Assets from
malicious Attacks, 3, Article 486878. Journals on
Communications of the IBIMA, 2010, 1-9. Retrieved March
15 2015 from
http://www.ibimapublishing.com/journals/CIBIMA/2010/486
878/486878.pdfJ.
[3] Bhaiji, Y.(2008). Security Features on Switches( courtesy Csico press).
Retrieved on December 7, 2017 from
http://www.ciscopress.com/articles/article.asp?
p=1181682&seqNum=3
[4] Chia, T., (2012). Confidentiality, Integrity, Availability: The three
components of the CIA Triad.
http://security.blogoverflow.com/2012/08/
Confidentiality-integrity-availability-the-three-components-of-
the-cia-triad/
[5] Manes C.(2014). The 21 most common misconfigurations that will come
back to haunt you!Retrieved March 20 2015 from
http://www.gfi.com/blog/the-21-most-
common-misconfigurations-that-will-come-back-to-haunt-you/
[6] Kosutic, D., (2014). Risk Assessment vs. Business Impact Analysis.
http://webcache.googleusercontent.com/search?q=cache:
8eF68VJu0cYJ:
advisera.com/27001academy/knowledgebase/risk-assessment-
vs-business-impact-analysis/+&cd=1&hl=en&ct=clnk&gl=ng
[7] Pascucci M.(2012).Network Security Horror Stories: Router
Misconfigurations.Retrieved March 22 2015 from
http://blog.algosec.com/2012/09/network-security-horror-
stories-router-misconfigurations.html
[8] IRS Office of Safeguards Technical Assistance Memorandum
Protecting Federal Tax Information (FTI) Through Network
Defense-in-Depth. Retrived April 20, 2015 from
https://www.irs.gov/pub/irs-utl/protecting-fti-
throughnetworkdefense-in-depth.doc.
[9] Cisco Press(2014). Cisco Networking Academy's Introduction to Basic
Switching Concepts and Configuration .
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 16, No. 4, April 2018
110 https://sites.google.com/site/ijcsis/
ISSN 1947-5500