Cyber Security - Analysis Conducted at CIO/ CISO Level
5th Jun, 2019, 17:43
The rise of digital technologies and their adoption by organisations at all levels has led to most of their resources moving online. Thus, the digital domain has become as essential to businesses as its physical counterpart. This has led to a new wave of attackers who target the digital resources of an organisation in a number of ways. Recent examples of extremely impactful cyber crimes such as the WannaCry ransomware attack have compelled organisations to increase their security measures and incorporate a more stringent patch deployment process. It is the purpose of this assignment to detail the steps to be taken by a CIO/CISO to effectively deal with a security flaw and patch it using the required tools and methods.
Modern IT vulnerabilities are multidimensional and exploit a variety of security flaws (Li et al., 2017). Thus, it is pertinent for CISOs to maintain a robust vulnerability identification, assessment, and patch management process and secure their IT infrastructure. This process starts with identifying the vulnerabilities in the first place. The steps recommended to maintain the IT infrastructure effectively consist of the following:
MAINTAINING AN INVENTORY OF THE ORGANISATIONAL IT INFRASTRUCTURE
It is essential that an inventory be maintained that details the hardware components used in the organisation and the software they run. An accurate inventory of essential resources helps system administrators monitor the affected hardware and software components and apply security patches to exactly those components (Rittinghouse and Ransome, 2016).
The CISO could also undertake initiatives that educate the employees of the organisation about the basics of cyber security and its implications for their work. This would reduce the workload of the system administrators and help avoid common security flaws. It would also create a more secure IT infrastructure, especially for organisations that allow users to access their networks remotely.
For a CISO, it is of the utmost importance to stay informed on all the relevant vulnerabilities and their respective patches. Hardware and software vulnerabilities can be discovered by manufacturers as well as third-party sources, and the system administrator must address them as soon as possible so that they cannot be exploited by anyone (Peltier, 2016). The most common sources for identifying vulnerabilities include:
MANUFACTURER AND DEVELOPER ANNOUNCEMENTS
The most reliable source of newly discovered vulnerabilities is usually the hardware manufacturer or software developer, who puts out timely announcements regarding recently discovered security flaws in their products as well as potential solutions and patches for them. This information is published in a number of forms, such as announcements on the company website and e-mails to customers, which the CISO should monitor regularly in order to stay informed.
In addition to manufacturers, a CISO might make use of third-party vendors that specialise in dealing with security issues across a multitude of software and hardware products. These third-party security advisors can sometimes provide information regarding security flaws before the official announcement by the manufacturer or developer, since most vendors wait until they have developed a patch before making an official announcement.
In order to make use of all these services efficiently, a CISO might implement an alerting system that ranks incoming advisories by criticality. This would automate the collection of information regarding security flaws and eliminate the need to manually monitor the manufacturers and security advisors for announcements.
Evaluating & Prioritising Vulnerabilities
Patching security flaws is a time-sensitive process and requires careful planning and execution (Knapp and Langill, 2014). Patching systems in a timely manner secures them against most known security flaws and ensures that malicious software exploiting those flaws does not affect the systems. However, CISOs and system administrators often lack the time and resources to deal with all vulnerabilities at once, so it is important to categorise security threats by severity and develop strategies to deal with them effectively. The process of prioritising security vulnerabilities usually incorporates the following criteria:
A threat is any probable direct risk to information systems such as information servers, e-mail servers, and web servers.
The criticality of a system is the measure of its importance to the core operations of an organisation. The most critical IT elements in an organisation include frequently used systems such as information databases, essential IT infrastructure, and e-mail services.
A vulnerability is a specific weakness, or the absence of a security measure, in software or hardware (Layton, 2016). This could include elements such as faulty software on a hardware device, or a hardware device lacking essential security measures.
A particular security issue is assessed based upon these factors and the flaws that are ascertained to be more critical, vulnerable, and pose a greater threat to essential systems are dealt with first.
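One way to turn the three criteria above (threat, criticality of the affected system, and severity of the vulnerability) into a repeatable triage, as an added example that is not part of the original assignment; the inventory, the advisory identifiers, the 1..5 rating scales, the weighting and the remediation bands are all constructed assumptions:

```python
from dataclasses import dataclass

# Constructed inventory (hypothetical hosts): asset -> criticality, 1 (low) to 5 (essential).
INVENTORY = {
    "mail-gw-01": 5,
    "db-cust-01": 5,
    "web-public-01": 4,
    "dev-jenkins-01": 2,
    "kiosk-lobby-01": 1,
}

@dataclass(frozen=True)
class Advisory:
    ident: str          # placeholder advisory id, not a real CVE number
    asset: str
    threat: int         # likelihood of direct exploitation, 1..5
    vulnerability: int  # severity of the weakness or missing control, 1..5

def priority_score(adv, inventory=INVENTORY):
    """Product of the three criteria (1..125). An asset missing from the
    inventory is treated as essential so that inventory gaps surface at the top."""
    for rating in (adv.threat, adv.vulnerability):
        if not 1 <= rating <= 5:
            raise ValueError(f"{adv.ident}: ratings must be between 1 and 5")
    criticality = inventory.get(adv.asset, 5)
    return adv.threat * criticality * adv.vulnerability

def priority_band(score):
    """Map a score onto a remediation band and a target patch window in days."""
    if score >= 60:
        return "P1", 3
    if score >= 20:
        return "P2", 14
    return "P3", 45

def triage(advisories, inventory=INVENTORY):
    """Return rows (ident, asset, score, band, days, in_inventory), highest priority first."""
    rows = []
    for adv in advisories:
        score = priority_score(adv, inventory)
        band, days = priority_band(score)
        rows.append((adv.ident, adv.asset, score, band, days, adv.asset in inventory))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed advisories for the demonstration; "hr-portal-99" is deliberately not inventoried.
SAMPLE = [
    Advisory("ADV-0001", "mail-gw-01", threat=4, vulnerability=4),
    Advisory("ADV-0002", "kiosk-lobby-01", threat=5, vulnerability=5),
    Advisory("ADV-0003", "dev-jenkins-01", threat=2, vulnerability=3),
    Advisory("ADV-0004", "db-cust-01", threat=2, vulnerability=2),
    Advisory("ADV-0005", "hr-portal-99", threat=3, vulnerability=3),
]
```

Note that a maximally rated flaw on the lobby kiosk still ranks below a moderate one on the mail gateway, which is the point of weighting by criticality rather than by severity alone.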
Most software applications in use today are vastly complex and contain many thousands of lines of code. Patching a system is therefore a critical task and should account for any side effects its deployment can have on the software as a whole. A poorly implemented patch might fix the flaw it was targeting but cause another issue to appear in the system (Scott-Hayward et al., 2016). Since patching software can have unintended consequences, it is necessary to test the deployment of the patch on a limited basis before installing it throughout the organisation. The test systems could be virtual machines or dedicated test systems that are virtually identical to the production systems. Testing the patches not only ensures that they work as designed but also that they do not affect any other software or functional aspect of the system. The testing phase mainly checks the systems for the following aspects:
- Ensuring that the affected files and settings that made the system vulnerable in the first place have been rectified
- Running a vulnerability scanner that scans the whole system for any remaining vulnerability and reports its severity
- Testing the scenarios that regular users of the organisation are bound to face, and ensuring that no functional aspect of the patched software is affected
Based upon these initial tests, the effectiveness and viability of the patch are assessed. If the patch is determined to be ineffective, or if it affects any functional aspect of the system, an alternative means of dealing with the security issue is developed or a new patch is produced.
Following a successful test, the patches are deployed on the IT infrastructure of the organisation. The specific method of applying a patch may vary radically depending upon the situation and the security issue (Lenzmeier et al., 2016). A patch might be deployed by simply modifying certain configuration files or might involve a full system rebuild. Further, manufacturers or software developers often provide detailed instructions for effectively patching their products, which should be followed diligently by the system administrator in charge of deploying the patch. It is also pertinent that a full system backup is performed before applying the patch, so that if an unforeseen event impairs the system the administrators can easily restore it to its earlier state. Upon deploying the patch, the system administrators as well as users must verify that the applied patch functions as designed and removes the security flaw it was meant to eliminate. Further, all auxiliary functions of the affected software must be checked as well to ensure that the deployed patch has not affected them in any way.
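The test and deployment steps above (back up first, apply the change, verify that the vulnerable setting is rectified and that other functions still work, and restore the backup otherwise) as an added example that is not part of the original assignment. The key=value configuration format, the file name, the "TLS 1.0 still enabled" weak setting and the port check are all constructed assumptions standing in for a real product's patch instructions:

```python
import shutil
import tempfile
from pathlib import Path

def read_settings(path):
    """Parse a minimal key=value file (constructed format); comments and blanks are skipped."""
    settings = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def write_settings(path, settings):
    Path(path).write_text("".join(f"{k}={v}\n" for k, v in settings.items()))

def apply_patch(path, changes, verify):
    """Back up `path`, apply `changes`, then run `verify` on the result.
    Any failure restores the backup. Returns (success, backup_path)."""
    backup = Path(str(path) + ".bak")
    shutil.copy2(path, backup)            # full backup before touching the system
    try:
        settings = read_settings(path)
        settings.update(changes)
        write_settings(path, settings)
        if not verify(read_settings(path)):  # re-read from disk: check what was really applied
            raise RuntimeError("post-patch verification failed")
        return True, str(backup)
    except Exception:
        shutil.copy2(backup, path)        # roll back to the pre-patch state
        return False, str(backup)

def verify_service(settings):
    """Flaw rectified (TLS 1.2 minimum) AND the service still listens where clients expect."""
    return settings.get("min_tls_version") == "1.2" and settings.get("listen_port") == "8443"

def demo(changes):
    """Run the patch against a constructed config in a temp dir; returns (ok, final settings)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "service.conf"
        cfg.write_text("# constructed sample config\nlisten_port=8443\nmin_tls_version=1.0\n")
        ok, _ = apply_patch(cfg, changes, verify_service)
        return ok, read_settings(cfg)
```

A change set that fixes the flaw but also moves the listening port fails verification and is rolled back, which is the "patch breaks another functional aspect" case the testing phase is meant to catch.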
Organisations today must take measures to protect their systems from a variety of malicious software that exploits security flaws in those systems. It is the task of the Chief Information Officer or the Chief Information Security Officer to ensure that the entirety of the organisation's IT infrastructure is secure from such software. This assignment has dealt with the process of identifying a potential threat, assessing its risk to the system, and deploying a patch to fix it. The factors considered while making the essential decisions have been discussed and the steps taken to deploy a patch effectively have been detailed.
Knapp, E.D. and Langill, J.T., 2014. Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress.
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. CRC Press.
Lenzmeier, C.T., Khalidi, Y.A., Ingle, A. and Syed, S., Microsoft Technology Licensing LLC, 2016. Software deployment in large-scale networked systems. U.S. Patent 9,262,366.
Li, X., Chang, X., Board, J.A. and Trivedi, K.S., 2017, January. A novel approach for software vulnerability classification. In Reliability and Maintainability Symposium (RAMS), 2017 Annual (pp. 1-7). IEEE.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud Computing: Implementation, management, and security. CRC Press.
Scott-Hayward, S., Natarajan, S. and Sezer, S., 2016. A survey of security in software defined networks. IEEE Communications Surveys & Tutorials, 18(1), pp.623-654.