Discuss the IT Security and Technology Landscape
The excessive data security breaches experienced by the majority of people are creating a need for an IT security and technology landscape. These highly publicized data breaches reveal a lack of security and internal failures. They can have an enormous impact on the economy and on brand reputation. The compounding of data in today's vulnerable security environment is a challenge. There is a huge mismatch between customers' needs and security technology. It is obligatory to protect the enterprise against any massive data breach (Adomavicius, Bockstedt, Gupta & Kauffman, 2008). The process should not obstruct productivity in any manner. The security system should not hinder growth, whether in developing new applications or in automating new business processes. Today's security technology environment is not ready to meet the needs of the enterprise. There is a wide gap between security technology and what customers want. To create a more secure environment, the network group has deployed effective network security tools. The endpoint group is accountable for computers and mobile devices. They are trying to resolve the issue by focusing on the security puzzle in order to avoid security lapses. Recognition aside, there is a large and growing problem that cannot be controlled. The need to prioritize security is becoming critical. Companies today need an identifiable network system in order to protect themselves (Feng, Zhang, Zhang & Xu, 2011).
Along with their other techniques, hackers use a variety of networked devices, in addition to conventional servers and workstations, to access networks or do harm. Hackers have had a high degree of success with industrial control systems, i.e. the hardware and software packages that manage and monitor physical infrastructure such as power plants, and with IP-linked embedded devices. These devices are commonly known as the Internet of Things, for example IP cameras, medical devices and vehicles (Yang, Geng, Du, Liu & Han, 2011).
These devices are frequently susceptible because installers and users fail to change the default factory security settings. Such devices are often exposed directly to the Internet, where they can easily be found and exploited by an attacker. According to the SIA Megatrends report, the growing convergence between systems and technology is creating network vulnerabilities. A strong security landscape is important to gain consistency. The report specifies four goals: alleviating cyber threats, implementing hardened products and practices, educating stakeholders and establishing a strong IT security system that balances customer needs. An information security model is used to authorize security policies by providing a precise set of rules. These models can be abstract and intuitive in nature (Metke & Ekl, 2010).
IT Security Models & Access Controls
Access control is the process of deciding whether a principal can perform a particular function on a target entity.
An access control policy specifies the access decision functions. Its purpose is to permit the functions the principal is meant to perform, to guarantee security properties and to enable administration of a changing policy (Krutz & Vines, 2010). There are four types of access control model:
- Mandatory Access Control (MAC)
- Role Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Rule Based Access Control (RBAC or RB-RBAC)
The state machine model
The state machine model describes a system that is always secure. A state is a snapshot of the system at a particular point in time. The machine combines external input with its internal state. A transition takes place after an input is accepted, and it results in a new state. All of these transitions are examined to confirm that they keep the system secure (Zissis & Lekkas, 2012).
The Lattice Access Control Models
The lattice access control model is a complex access control model based on the interaction between different objects, such as resources, computers and objectives. This type of model defines the level of security assigned to an object in order to be effective. A subject is allowed to access an object only when the security levels permit it.
- Subjects and objects have security levels and, optionally, categories (groupings)
- Confidentiality policy (e.g., Bell-LaPadula)
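An added example, not part of the original text, that combines the state machine model and the Bell-LaPadula lattice described above: each access request is an input, and a transition is accepted only if the new state still satisfies "no read up" and "no write down". The level names, categories, subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed lattice (assumption): ordered levels plus optional category sets.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):  # level at least as high AND categories a superset
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

@dataclass
class State:
    subjects: dict                            # name -> Label (clearance)
    objects: dict                             # name -> Label (classification)
    access: set = field(default_factory=set)  # granted (subject, object, mode)

def permitted(state, subj, obj, mode):
    s, o = state.subjects[subj], state.objects[obj]
    # read: simple security property (no read up); write: *-property (no write down)
    return {"read": s.dominates(o), "write": o.dominates(s)}.get(mode, False)

def is_secure(state):
    return all(permitted(state, *triple) for triple in state.access)

def transition(state, subj, obj, mode):
    """Accept the input only if the resulting state is still secure."""
    nxt = State(state.subjects, state.objects, state.access | {(subj, obj, mode)})
    return (nxt, True) if is_secure(nxt) else (state, False)

def demo():
    state = State(
        subjects={"analyst": Label("confidential", frozenset({"ops"}))},
        objects={"memo": Label("public"), "plan": Label("secret", frozenset({"ops"})),
                 "hr_file": Label("confidential", frozenset({"hr"}))},
    )
    requests = [("analyst", "memo", "read"), ("analyst", "plan", "read"),
                ("analyst", "plan", "write"), ("analyst", "memo", "write"),
                ("analyst", "hr_file", "read")]
    decisions = []
    for req in requests:
        state, ok = transition(state, *req)
        decisions.append(ok)
    return decisions, state

if __name__ == "__main__":
    print(demo()[0])
```

The last request is denied even though the levels are equal, because the `ops` and `hr` categories are incomparable in the lattice.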
Other models are as follows:
- Predicate models: ASL, OASIS, domain-specific models (Cárdenas, Amin & Sastry, 2008)
- Safety models: Take-grant, Schematic Protection Model, Typed Access Matrix (Rimal, Choi & Lumb, 2009)
- Plus domain transitions: DTE, SELinux, Java
IT Security Threat and Risk Assessment
There are different types of computer security threats. Some of these are quite damaging, while others are harmful to the system. The types of computer security threats are as follows:
Trojan: This is considered one of the most complicated threats of all. Most complicated computer threats come from the Trojan family. It is a powerful virus that can damage the computer.
Virus: A virus is well known for its malicious function. It replicates itself and focuses on destroying a computer. The overall purpose of a virus is to cause malware.
Worms: These are among the undamaging threats, yet they are considered to create problems. A worm does not modify the system but does affect the computer.
Spyware: This malware is intended to spy on the victim's system. A system infected with spyware is badly affected. The attacker generally extorts the user (Zhang, Wuwong, Li & Zhang, 2010).
Organizations are increasingly reliant on information systems for all their business dealings with customers, suppliers, partners and employees. They need to be confident that these systems function steadily. Cyber security risk needs to be understood in the context of the overall business. Malware in systems and technology has a long-term impact on data management (Ralston, Graham & Hieb, 2007).
The core risk assessment areas are as follows:
- Data Collection: Information on the vulnerabilities and threats related to the specific system is identified and gathered from different resources.
- Analysis of Policies and Procedures: The process includes an analysis and review of the existing policies to gauge the level of compliance in the organization. These sources help in managing the function effectively.
- Threat Analysis: Threats are the risks that contribute to the destruction or interruption of services. This analysis is a key element in managing risk effectively. Risk is identified as a relation between the business environment and the organization.
- Vulnerability Analysis: The process includes assessing the information gathered to determine the existing exposure. This gives an indication of the safeguards to propose. The different tools include Nessus, SAINT, Whisker, etc.
- Correlation and Assessment of Risk Acceptability: The final task is to assess the existing policies and procedures. In the absence of proper safeguards, the vulnerability level will increase. A review of existing and planned safeguards needs to be performed in order to gain competency (Cárdenas et al., 2011).
References
Adomavicius, G., Bockstedt, J. C., Gupta, A., & Kauffman, R. J. (2008). Making sense of technology trends in the information technology landscape: A design science approach. MIS Quarterly, 779-809.
Cárdenas, A. A., Amin, S., & Sastry, S. (2008, July). Research Challenges for the Security of Control Systems. In HotSec.
Cárdenas, A. A., Amin, S., Lin, Z. S., Huang, Y. L., Huang, C. Y., & Sastry, S. (2011, March). Attacks against process control systems: risk assessment, detection, and response. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp. 355-366). ACM.
Feng, D. G., Zhang, M., Zhang, Y., & Xu, Z. (2011). Study on cloud computing security. Journal of Software, 22(1), 71-83.
Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4).
Krutz, R. L., & Vines, R. D. (2010). Cloud security: A comprehensive guide to secure cloud computing. Wiley Publishing.
Metke, A. R., & Ekl, R. L. (2010). Security technology for smart grid networks. IEEE Transactions on Smart Grid, 1(1), 99-107.
Ralston, P. A., Graham, J. H., & Hieb, J. L. (2007). Cyber security risk assessment for SCADA and DCS networks. ISA Transactions, 46(4), 583-594.
Rimal, B. P., Choi, E., & Lumb, I. (2009). A Taxonomy and Survey of Cloud Computing Systems. NCM, 9, 44-51.
Yang, G., Geng, G., Du, J., Liu, Z., & Han, H. (2011). Security threats and measures for the Internet of Things. Journal of Tsinghua University Science and Technology, 51(10), 1335-1340.
Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE.
Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583-592.