IT Risk Management


Table of Contents

Executive Summary ..... 3
Introduction ..... 4
Overview of the Organization ..... 4
Project Background ..... 4
Risk Assessment for the Project ..... 4
Set of Risks, Threats & Vulnerabilities ..... 5
Device-related Risks ..... 5
Network Attacks & Vulnerabilities ..... 5
Software Risks & Database Attacks ..... 6
Encryption Attacks ..... 7
Legal Issues ..... 7
Ethical Risks ..... 8
Risk Assessment Matrix ..... 8
Primary Threat Agents ..... 9
Impact on the Organization ..... 9
Countermeasures ..... 10
Literature Review: Protection Mechanisms against Risks ..... 10
Conclusion ..... 12
References ..... 12

Gigantic Corporation: Internet of Things (IoT) – Risk Assessment


Executive Summary

Gigantic Corporation is a company that designs web solutions and services for its customers, primarily SMEs. The primary aim of the organization is to expand its business activities and customer base. It is currently designing an application based on the concept of the Internet of Things (IoT). This application is being designed for a health centre and will allow remote health management of patients. The IoT application being designed by Gigantic Corporation will include IoT components such as a heart rate monitor, glucometer, blood pressure monitor, thermometer, data analytics tools, smartphones, a web server, a database server, and computer systems.

The application may be exposed to numerous risks, threats, and vulnerabilities. These may be grouped into the categories of device-related risks, network attacks and vulnerabilities, software risks, database risks, encryption attacks, legal issues, and ethical issues. The threat agents associated with these attacks may be IoT devices, networks, employees, and end-users. This report describes all of these risks and threat agents, the impact of these risks on the organization, and a literature review of the protection mechanisms.


Introduction

Overview of the Organization

Gigantic Corporation is a company that designs web solutions and services for its customers, primarily SMEs. The company has its headquarters in Sydney, Australia, and has two other offices in Melbourne and Brisbane. It was founded in 2014 with 18 employees and has grown to 115 employees in just 3 years. The primary aim of the organization is to expand its business activities and customer base.

Project Background

The organization has decided to move up the ladder by including the latest technologies in its offerings. It is currently designing an application based on the concept of the Internet of Things (IoT). This application is being designed for a health centre and will allow remote health management of patients. The target audience for the project will be the medical association and the patients. No changes can be made to the allocated cost and schedule for the project.

The Internet of Things (IoT) is defined as an integrated network of devices, sensors, servers, databases, information sets, software, computer networks, home appliances, and electronic equipment. The IoT application being designed by Gigantic Corporation will include IoT components such as a heart rate monitor, glucometer, blood pressure monitor, thermometer, data analytics tools, smartphones, a web server, a database server, and computer systems.

The project may involve numerous risks, and this document is an assessment report of those risks.

Risk Assessment for the Project

IoT platforms and applications are formed of a varied number and types of devices, tools, and technologies, and the same will be true of the healthcare application being designed by Gigantic Corporation. As a result, certain risks, threats, and vulnerabilities may be observed. Risk management is one of the knowledge areas under project management that enables the project manager and the team to manage the risks involved efficiently. The process is composed of the sub-activities of risk identification and assessment, risk treatment, risk monitoring and control, and risk reporting.

Figure: Risk Management Process

Set of Risks, Threats & Vulnerabilities

Device-related Risks

The IoT application being developed by Gigantic Corporation will be composed of several physical tools and devices: a smartphone or other mobile device, computer systems, a glucometer, a thermometer, a heart rate recording machine, a blood pressure machine, networking peripherals, and so on. Each of these devices will have its own properties, and specific information will be stored on these physical tools and equipment (Abdur, Habib, Ali & Ullah, 2017).

Attackers may target these devices to gain access to the information sets stored on them. Devices may be lost accidentally or deliberately snatched and stolen. If these devices fall into the hands of attackers, they may misuse them to gain access to the application and the information stored in it. The application will contain a variety of nodes, and access to the application may be acquired through these nodes as well.

Network Attacks & Vulnerabilities

The IoT application will be able to perform its functions only if it is connected to a network. Connectivity will be necessary for most application functions, which may lead the user to connect to an unsecured network. For example, a patient may wish to access his/her medical report in the application while shopping at a market and may connect the smartphone to the market's public Wi-Fi to access the records. Public networks have a huge number of security vulnerabilities, which will then be linked to the application as well.


Another form of security attack that may occur in this case is the eavesdropping attack, in which the attacker monitors network activity without permission. Unauthorized capture and monitoring can also be carried out through a man-in-the-middle attack.

Figure: Man in the Middle Attack

A sinkhole may be created by malicious entities to degrade the availability of the application (Mosenia & Jha, 2017).

Attackers may also introduce a large volume of unwanted traffic from one or multiple sources. This will result in the breakdown of the application; such attacks are termed denial of service or distributed denial of service attacks (Ling et al., 2017).

Software Risks & Database Attacks

Technology is not used in the right way by all entities, and the incorrect use of technology may compromise the security and privacy of the targeted applications and information sets.

The attack surface of this application will be large, as every device will have its own security norms, properties, and limitations. Attackers may exploit this situation by launching malware attacks or SQL injection attacks.

Figure: SQL Injection Attack

The database server involved in the application may be a physical server, or cloud databases may be used. The second choice will prove beneficial in making the application cost-effective. However, it will bring along cloud-related security attacks and risks that may compromise the confidentiality, integrity, and availability of the information and data sets (Abomhara & Koien, 2015).

Breaches of the information sets, identity theft, and manipulation of the information may also be witnessed.

Encryption Attacks

One of the newer forms of security attack in the IoT world is the encryption threat or attack. Attackers may use side-channel attack mechanisms to defeat the encryption algorithm implemented in the application. The transactions and processing of the application and the devices involved may be observed to infer the keys used for encryption (Bekara, 2014). Cryptanalysis attacks may be carried out by malevolent entities, and most of these attacks are adaptive, so preventing and controlling them may not be easy.

Legal Issues

The application will not only be exposed to security and privacy issues. There may also be legal and regulatory issues and risks. The application is being designed for the health centre, and it may be used in or outside Australia. The application developers will be required to incorporate and adhere to global laws and regulatory policies along with Australian laws and norms.

The violation of these regulations or the exposure of private and confidential health information may result in legal obligations for the organization. The issues around ownership and authority in the event of an attack may also be a major concern. Risk transfer is a primary strategy that organizations look to adopt in such cases, which may lead to severe losses for the users.

Ethical Risks

Ethics play an extremely important role in the field of ICT, as in other sectors. Ethical principles and guidelines are defined by several bodies, and at least one such code shall be followed in the organization. However, ethical violations are often carried out by the employees of an organization.

In this case, the project team members will have access to the health details of the patients, and the database credentials will also be available to them. This information may be given to unauthorized entities, such as the organization's competitors, to damage the organization's reputation or for selfish gain. These ethical violations are also termed insider threats, which have become a common occurrence in organizations.

Risk Assessment Matrix

| Risk Name | Likelihood (5 Highest, 1 Lowest) | Impact (5 Highest, 1 Lowest) | Rank (Likelihood x Impact) | Treatment Strategy |
|---|---|---|---|---|
| Device Loss/Stealing | 2 | 5 | 10 | Risk Avoidance/Transfer |
| Legal Risk | 1 | 5 | 5 | Risk Avoidance |
| Ethical Risks – Insider Threats | 3 | 4 | 12 | Risk Avoidance |
| Network-related Attacks | 4 | 4 | 16 | Risk Avoidance/Mitigation |
| Software Attacks – Malware Issues | 4 | 3 | 12 | Risk Avoidance/Mitigation |
| Database Risks | 3 | 3 | 9 | Risk Avoidance/Mitigation |
| Encryption Risks | 2 | 4 | 8 | Risk Avoidance/Mitigation |


Primary Threat Agents

There is always a medium required to give shape to security and other forms of attack. The majority of the issues for the IoT application in this project are security and privacy concerns. These attacks will require a threat agent, which can be one or more of those listed below.

- IoT Devices: The primary threat agent will be the physical tools and equipment used in the IoT application. These may be any computing resource or health monitoring tool. The devices may be captured by attackers through unauthorized mechanisms, and the information present on these devices may be exposed to the attackers (Maple, 2017).
- Network: The IoT application will be able to perform its functions only if it is connected to a network. Connectivity will be necessary for most application functions, which may lead the user to connect to an unsecured network, resulting in additional security loopholes.
- Employees: Ethical issues and insider threats will mainly be given shape by employees acting as threat agents. Such issues will usually be deliberate; however, accidental actions may also increase the probability of an attack.
- End-Users: End-users sometimes create scenarios that lead to a security loophole, giving an attacker the ability to carry out a security attack. For example, users may use common or weak passwords to log in to the application or may connect the application to an unsecured network. In such cases, the attack surface and window will expand, giving attackers the ability to give shape to security threats.

Impact on the Organization

The impact of the risks and issues listed above may vary on the basis of factors such as the information sets targeted, the application functionality affected by the attack, the motive of the attack, the nature of the attack, and so on.

The application will comprise a varied set of information, such as private data sets, public data sets, confidential information, sensitive data, and non-sensitive data. The impact of a security risk or privacy issue will be more severe if the data sets targeted in the attack are private, confidential, or sensitive in nature. On the other hand, the impact will be less severe if public or non-sensitive data sets are affected. There are further regulations and policies that guard health information. One such regulation is the Health Information Portability and Accountability Act 1996 (HIPAA). According to this act, a violation of the properties of health information may result in legal obligations (Kumar & Patel, 2014).


The impact of such issues and risks can be negative for the health centre, because the reputation of the health centre in the market may decline due to the compromise of the privacy and security of patient details. Patients may also opt out of the services offered by the health centre and move to other service providers in the market. The revenues, profits, market value, and customer base of the health centre may decline as an impact of these issues.

Countermeasures

Countermeasures to the risks and issues discussed in the sections above will need to be implemented. These countermeasures shall include a combination of logical controls and administrative upgrades for the management of risks and the maintenance of security.

Administrative measures, such as audits and reviews by the security team, shall be a regular exercise. Additionally, the latest security tools for attack detection, prevention, and control shall be used, and managerial practices shall be integrated with security practices (Riazul Islam, Kwak, Humaun Kabir, Hossain & Kwak, 2015).

The use of network security tools and awareness among users regarding security practices, ethical standards, and guidelines must be promoted as well.

Literature Review: Protection Mechanisms against Risks

The organization must also make use of protection measures so that the occurrence of these issues may be avoided. Also, in case of an occurrence, the organization shall be ready to control the damage and recover from the disaster in minimal response time.

Frequency hopping is one of the protection measures that shall be used to protect the application from network-related attacks: the attacker will not be able to jam the network if the frequency is altered at regular intervals. Spoofing attacks shall be prevented with the use of a message authentication code and a timestamp (Goeke, 2017). Encryption of all data sets shall be made mandatory so that an attacker cannot misuse the information sets.
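As an added illustration of the message authentication code and timestamp technique described above (example code written for this review, not part of the original report), a health device tags each reading with an HMAC-SHA256 over the device id, timestamp and payload, and the server rejects readings whose tag does not verify, that are outside a freshness window, or that have already been accepted. The per-device key, the 30-second skew window and the message layout are assumptions.

```python
"""Authenticated IoT readings: an HMAC tag plus a timestamp to reject spoofed and replayed messages."""
import hashlib
import hmac
import json

# Constructed per-device secrets, provisioned out of band (hypothetical values for the demo).
DEVICE_KEYS = {
    "glucometer-0042": b"constructed-demo-secret-do-not-reuse-0042",
}
MAX_SKEW_SECONDS = 30  # assumed freshness window: older readings are treated as replays


def _canonical(device_id, timestamp, reading):
    """Serialize the fields in a fixed order so sender and verifier hash identical bytes."""
    body = {"device_id": device_id, "ts": timestamp, "reading": reading}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, reading, timestamp):
    """Device side: attach the timestamp and an HMAC-SHA256 tag over all fields."""
    key = DEVICE_KEYS[device_id]
    tag = hmac.new(key, _canonical(device_id, timestamp, reading), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "ts": timestamp, "reading": reading, "tag": tag}


class ReadingVerifier:
    """Server side: accept a message only if the tag verifies, it is fresh, and it was not seen before."""

    def __init__(self, max_skew=MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        # (device_id, ts) of accepted messages; in production prune entries older than max_skew
        self.seen = set()

    def verify(self, msg, now):
        """Return (accepted, reason). The tag is checked first so unauthenticated input cannot pollute `seen`."""
        key = DEVICE_KEYS.get(msg.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(
            key, _canonical(msg["device_id"], msg["ts"], msg["reading"]), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison so response timing does not reveal how much of the tag matched.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"
        marker = (msg["device_id"], msg["ts"])
        if marker in self.seen:
            return False, "replay"
        self.seen.add(marker)
        return True, "ok"


if __name__ == "__main__":
    verifier = ReadingVerifier()
    msg = sign_reading("glucometer-0042", {"glucose_mmol_l": 5.6}, 1_700_000_000)
    print(verifier.verify(msg, 1_700_000_010))      # (True, 'ok')
    print(verifier.verify(msg, 1_700_000_010))      # (False, 'replay')  same message sent again
    forged = dict(msg, reading={"glucose_mmol_l": 2.1})
    print(verifier.verify(forged, 1_700_000_010))   # (False, 'bad tag')  payload altered in transit
```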

The authentication schemes used in the application shall also be enhanced to avoid data breaches and data loss. SSH authentication and multi-factor authentication schemes must be used to avoid brute force attacks and violations of access control (Kleppmann & Irwin, 2018).

Figure: SSH Authentication

The IoT application must not be restricted to age-old access control measures. Newer forms of access control tools shall be used and integrated into the application (Bhabad & Bagade, 2015).

Technology is rapidly advancing, and the application of technology in the field of security controls has been impressive. The rise of cyberattacks and other web-based attacks has led to the emergence and development of technical tools and controls for security. Malware attacks on the IoT application shall be controlled and detected by integrating the application with the latest anti-malware tools. Denial of service and distributed denial of service attacks shall be detected and prevented with anti-denial tools.

The focus of the organization shall not be restricted to the prevention and detection of attacks; efforts must also be made to avoid the occurrence of such issues altogether. One such measure is service auditing, the process of listing all the services running on the application server. All the details associated with the network ports and nodes and the application protocols will be brought forward by this process, giving a real-time presentation and analysis of the application services. Another process that shall be used in the same direction is file auditing (Ellingwood, 2015).
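An added example of the service auditing step above (example code written for this review, not part of the original report or of the cited tutorial): it parses a constructed /proc/net/tcp snapshot from a Linux application server, lists the sockets in LISTEN state, and flags any listener that is not on an assumed allow-list of expected services, as well as any expected service that is not listening. The allow-list and the sample snapshot are assumptions.

```python
"""Service audit: list listening TCP sockets and flag any not on the expected-services list."""
import socket
import struct

# Constructed /proc/net/tcp snapshot (Linux format): local_address is little-endian hex IPv4:port,
# st 0A = LISTEN. Row 3 is a listener on port 8080 that nobody approved.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 1236 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1237 1 0000000000000000 100 0 0 10 0
   4: 0100007F:01BB 0100007F:A3E2 01 00000000:00000000 00:00000000 00000000     0        0 1238 1 0000000000000000 20 4 30 10 -1
"""

# Assumed allow-list for the application server: (bind address, port) -> service description.
EXPECTED_LISTENERS = {
    ("0.0.0.0", 22): "ssh",
    ("0.0.0.0", 443): "https (application front end)",
    ("127.0.0.1", 5432): "postgresql (loopback only)",
}
LISTEN_STATE = "0A"


def _decode_endpoint(hex_endpoint):
    """Turn '0100007F:1538' into ('127.0.0.1', 5432); the address bytes are stored little-endian."""
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))  # reverse the byte order
    return socket.inet_ntoa(packed), int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Parse /proc/net/tcp text and return [(addr, port, uid)] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        addr, port = _decode_endpoint(fields[1])
        found.append((addr, port, int(fields[7])))  # fields[7] is the owning uid
    return found


def audit_services(proc_net_tcp_text, expected=EXPECTED_LISTENERS):
    """Return (unexpected listeners, expected services that are missing)."""
    listeners = listening_sockets(proc_net_tcp_text)
    present = {(addr, port) for addr, port, _ in listeners}
    unexpected = [(a, p, uid) for a, p, uid in listeners if (a, p) not in expected]
    missing = [endpoint for endpoint in expected if endpoint not in present]
    return unexpected, missing


if __name__ == "__main__":
    # On a live Linux host: audit_services(open("/proc/net/tcp").read())
    unexpected, missing = audit_services(SAMPLE_PROC_NET_TCP)
    for addr, port, uid in unexpected:
        print(f"UNEXPECTED listener {addr}:{port} owned by uid {uid}")
    for addr, port in missing:
        print(f"MISSING expected service {addr}:{port}")
```

Run it on a schedule and diff the result against the previous run; a new listener or a missing one is the signal the service audit is meant to surface.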

Disaster recovery and damage control are also mechanisms that will lead to the protection of the information and data sets. A disaster recovery plan must be developed for the project so that all forms of disaster may be handled. There are automated backup and recovery tools and schemes that must be integrated into the IoT application. These tools will keep a copy of the data sets at an alternate location, and the application will be brought back to the recovery state in the case of a disaster.

Attention must also be paid to the basic protection measures, such as firewalls and proxy servers.

Conclusion

Gigantic Corporation has undertaken a project to develop an IoT-based application for a health centre. The aim of the project is to design and develop a secure application that shall allow users to monitor their health conditions. The patients and the medical association will be the primary users of this application. Several risks may be associated with this project, the majority of them security and privacy issues. There may be attacks associated with the IoT devices, networks, software, encryption, and database, and legal and ethical issues may also be observed.

It is recommended that the latest countermeasures and protection mechanisms be utilized and integrated into the application to prevent, detect, and control the risks and threats. The application shall be integrated with backup and recovery tools, anti-malware, and anti-denial tools. Security techniques such as encryption, frequency hopping, multi-factor authentication, message authentication codes, and timestamps shall also be used. The basic measures of installing firewalls and using proxy servers shall also be included.

References

Abdur, M., Habib, S., Ali, M., & Ullah, S. (2017). Security Issues in the Internet of Things (IoT): A Comprehensive Study. International Journal of Advanced Computer Science and Applications, 8(6). http://dx.doi.org/10.14569/ijacsa.2017.080650

Abomhara, M., & Koien, G. (2015). Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks. Journal of Cyber Security and Mobility, 4(1), 65-88. http://dx.doi.org/10.13052/jcsm2245-1439.414

Bekara, C. (2014). Security Issues and Challenges for the IoT-based Smart Grid. Procedia Computer Science, 34, 532-537. http://dx.doi.org/10.1016/j.procs.2014.07.064

Bhabad, M., & Bagade, S. (2015). Internet of Things: Architecture, Security Issues and Countermeasures. Retrieved 24 January 2018, from https://pdfs.semanticscholar.org/94bb/0b62588808fd2614c572162fa170cce06856.pdf

Ellingwood, J. (2015). 7 Security Measures to Protect Your Servers. DigitalOcean. Retrieved 24 January 2018, from https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers

Goeke, L. (2017). Security Challenges of the Internet of Things. Theseus.fi. Retrieved 20 January 2018, from https://www.theseus.fi/bitstream/handle/10024/128420/Goeke_Lisa.pdf?sequence=1

Kleppmann, M., & Irwin, C. (2018). Strengthening Public Key Authentication against Key Theft. Retrieved 24 January 2018, from https://martin.kleppmann.com/papers/mrsa-pass15.pdf

Kumar, J., & Patel, D. (2014). A Survey on Internet of Things: Security and Privacy Issues. International Journal of Computer Applications, 90(11), 20-26. http://dx.doi.org/10.5120/15764-4454

Ling, Z., Luo, J., Xu, Y., Gao, C., Wu, K., & Fu, X. (2017). Security Vulnerabilities of Internet of Things: A Case Study of the Smart Plug System. IEEE Internet of Things Journal, 4(6), 1899-1909. http://dx.doi.org/10.1109/jiot.2017.2707465

Maple, C. (2017). Security and privacy in the internet of things. Journal of Cyber Policy, 2(2), 155-184. http://dx.doi.org/10.1080/23738871.2017.1366536

Mosenia, A., & Jha, N. (2017). A Comprehensive Study of Security of Internet-of-Things. IEEE Transactions on Emerging Topics in Computing, 5(4), 586-602. http://dx.doi.org/10.1109/tetc.2016.2606384

Riazul Islam, S., Kwak, D., Humaun Kabir, M., Hossain, M., & Kwak, K. (2015). The Internet of Things for Health Care: A Comprehensive Survey. IEEE Access, 3, 678-708. http://dx.doi.org/10.1109/access.2015.2437951