A contractor builds portable radar and satellite communication systems for the military. The portable systems are used on the battlefield to communicate sensitive, strategic information about battle plans, and they must interoperate with the global military network. The military requires its contractors to conduct a security risk analysis of their internal networks and information systems for intrusion detection and cybercrime prevention. As the project team responsible for this risk analysis, we produce the analysis documents. The report covers the definition of the terms used in the risk analysis and the methodology used to conduct it, together with mitigation. Using a qualitative risk analysis method, the top five risks are assessed. The report then evaluates how applicable federal legislation helps to minimize risk and to prevent and detect cybercrime, recommends acceptable and unacceptable risk standards that are consistent with that legislation and with best practices for securing the organization in the scenario, and finally develops a cybercrime prevention strategy for the contractor.
The field of risk analysis has assumed increasing significance given the concern expressed by both the private and public sectors over health, safety and environmental problems (Clinch, 2009). In IT, a risk analysis report can be used to align technology-related objectives with the company's goals. A risk analysis can be either qualitative or quantitative. A quantitative risk analysis attempts to determine statistically the probabilities of the various hostile events and the likely extent of loss if each event occurs, whereas a qualitative risk analysis, which is more commonly used, does not involve statistical likelihoods or loss forecasts (Tipton and Krause, 2007). Instead, the qualitative technique describes the various threats, rates the degree of each vulnerability, and defines the countermeasures to apply if an attack takes place.
A threat is a potential cause of an unwanted incident that may result in harm to a system or organization; in the general sense it is a communicated or implied intention to cause loss or harm. In this scenario, threats include the deliberate acts of an adversary with the intent and capability to attack the system, as well as accidental and environmental events that would have the same effect. Cyber-attacks in the form of unauthorized access, malicious code, and network-based attacks should be considered (Groshong, 2011).
A hazard is a condition that poses some degree of threat to life, health, property or the environment. Most hazards are latent: they represent only potential harm until a triggering condition makes them active, at which point they can create an emergency. A hazard produces a risk only when it meets a vulnerability. Hazards in this scenario include high shock, extreme temperatures, power interruptions, vibration, susceptibility to RFI/EMI radiation, and wind (Groshong, 2011). Structural hazards, data hazards and control hazards should also be considered when developing the program code and application software. For instance, if appropriate safeguards are not in place, a fault in the equipment's microwave-frequency components may injure staff or damage equipment.
In computer security, a vulnerability is a weakness that allows an attacker to reduce the information assurance of a system. A vulnerability is the intersection of three elements: a flaw or weakness in the system, the attacker's access to that flaw, and the attacker's capability to exploit it. To exploit the flaw, the attacker must have at least one applicable technique or tool that can reach the system weakness (Clinch, 2009); the set of all such reachable points is the system's attack surface. Misconfigured routers and firewalls, the absence of patch management, poor access controls, and mishandled or weak encryption must all be treated as vulnerabilities in this scenario (Groshong, 2011).
Risk is the possibility that an activity or event will cause harm to individuals, property or the environment, that is, that it will lead to an undesirable outcome. The concept implies that a choice affecting the outcome existed or exists, and potential losses are themselves often referred to as risks. Almost all human activity carries some degree of risk, but some activities are far riskier than others. Every risk in this scenario is addressed in terms of four components: technology, people, infrastructure, and process (Groshong, 2011). Risk identification and evaluation are the main activities used to find the risks associated with this system.
An asset is anything tangible or intangible that can be owned or controlled to produce value and that is deemed to have positive economic value. In this scenario the assets are the information being communicated and the physical equipment (Smedinghoff, 2008). The system contains elements such as Controlled Cryptographic Items (CCI), which protect the confidentiality of the sensitive information. Both secure and non-secure communications must be appropriately encrypted and handled. Equipment maintenance staff and operators are required to hold DoD 8570 certifications and security clearances (United States Department of Defense DoD 8570.01-M, 2010).
Methodology Used to Conduct the Risk Analysis
A qualitative risk analysis methodology is used to conduct the risk analysis in this case study. Several qualitative methods are used in risk analysis, including hazard and operability study (HAZOP), preliminary hazard analysis (PHA), and failure mode and effects analysis (FMEA/FMECA) (Tipton and Krause, 2007). This study employs the preliminary risk analysis methodology.
Preliminary Risk Analysis Methodology
Preliminary risk analysis, also referred to as preliminary hazard analysis, is a qualitative method that entails a systematic analysis of the sequence of events that can turn a potential hazard into an accident (Tipton and Krause, 2007). The method first identifies the undesirable hazards or events and then analyzes each of them separately. For every hazard or event, possible improvements and preventive measures are then defined. The methodology provides a basis for deciding which groups of hazards are the most serious, and therefore deserve the most attention, and which risk analysis techniques suit them best. It is effective because it can be applied in a working environment to readily identify activities that lack safety measures. A consequence/frequency diagram is used to rank the identified hazards by risk, so that measures can be prioritized with the aim of preventing accidents.
Steps to Risk Analysis
The four steps of the risk analysis process are threat assessment, vulnerability assessment, impact assessment, and risk mitigation (Groshong, 2011). The main elements of the methodology are the identification, control, elimination, and minimization of uncertain events.
Threat assessment is the process of identifying threats, which may be human, natural or environmental. The team identifies the potential threats and establishes a ranking system that weighs and prioritizes the risks associated with each threat.
Vulnerability assessment identifies vulnerabilities using tools such as penetration testing, vulnerability scanners, and audits of management and operational controls. Vulnerabilities are weighed and prioritized in the same way as threats, on the basis of their risk and of how they affect system operation (Groshong, 2011).
Impact assessment analyzes the threats and vulnerabilities and determines their effect on the system under evaluation. The effect on the system helps to define the risk to the system, and applying either a qualitative or a quantitative risk assessment provides insight into how those risks can be reduced.
Risk mitigation draws on the three assessment procedures and attempts to mitigate the risk associated with each vulnerability or threat. A qualitative risk assessment allows each risk to be assigned a high, medium or low value on the basis of the assessments above (Groshong, 2011). Once values have been assigned, management can be given a report on the risks, hazards and their effects on the system, together with the weaknesses that must be reduced. Mitigation requires continuous monitoring of the procedures and the creation of tracking systems that help to monitor the effectiveness of the risk management process.
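The consequence/frequency ranking and the high/medium/low assignment described in the steps above can be made concrete in code. The following Python is an added example, not code from the original report or from any of the cited sources; the 3x3 matrix bands and the likelihood and impact ratings given to the five risks are assumptions made for illustration.

```python
"""Qualitative risk ranking with a 3x3 consequence/frequency (likelihood x impact) matrix.

Added example; it is not part of the original report. The likelihood and impact
ratings assigned to the five risks below are illustrative assumptions, not
findings from the scenario.
"""
from dataclasses import dataclass
from typing import Iterable, List

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"
    mitigation: str


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the cell of the consequence/frequency matrix.

    Scores are the product of the ordinal levels (1..9): 6 and 9 are "high",
    3 and 4 are "medium", 1 and 2 are "low". Any "high" impact paired with at
    least "medium" likelihood therefore lands in the high band.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_risks(risks: Iterable[Risk]) -> List[Risk]:
    """Order risks for mitigation: matrix level first, then impact, then likelihood.

    sorted() is stable, so risks that tie on all three keys keep their input order.
    """
    return sorted(
        risks,
        key=lambda r: (
            LEVELS[risk_level(r.likelihood, r.impact)],
            LEVELS[r.impact],
            LEVELS[r.likelihood],
        ),
        reverse=True,
    )


def is_acceptable(risk: Risk, threshold: str = "medium") -> bool:
    """A risk is acceptable only if its matrix level is below the threshold.

    With the default threshold only "low" risks are accepted as-is; everything
    else needs a mitigation recorded before the system is authorized.
    """
    return LEVELS[risk_level(risk.likelihood, risk.impact)] < LEVELS[threshold]


# Constructed risk register for the five MIJI-style risks discussed in the report.
RISK_REGISTER = [
    Risk("Intrusion", "medium", "high", "hardening, patching, IDS/IPS, penetration testing"),
    Risk("Meaconing", "low", "high", "transmit power increase, channel hopping"),
    Risk("Loss of physical control", "low", "high", "physical security controls"),
    Risk("Jamming", "medium", "high", "robust RF design, multipath links"),
    Risk("Interference", "high", "low", "identify man-made and natural sources"),
]


def summarize(risks: Iterable[Risk]) -> List[tuple]:
    """Return (name, level, acceptable) tuples in mitigation priority order."""
    return [
        (r.name, risk_level(r.likelihood, r.impact), is_acceptable(r))
        for r in rank_risks(risks)
    ]


if __name__ == "__main__":
    for name, level, acceptable in summarize(RISK_REGISTER):
        print(f"{name:26s} {level:7s} {'accept' if acceptable else 'mitigate'}")
```

With these assumed ratings the two risks with "high" impact and "medium" likelihood (intrusion and jamming) head the list, and none of the five falls below the acceptance threshold, which matches the report's conclusion that additional safeguards are needed rather than industry-standard protection alone.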
Evaluate the Top Five Risks in This Scenario Using the Qualitative Risk Analysis Approach
The five top risks associated with the satellite communication system are the following:
Intrusion
This is penetration of the system by hacking or cracking. Within the industry, hardening mitigates the threat (Tipton and Krause, 2007). Intrusion detection systems (IDS), intrusion prevention systems (IPS), patch management, encryption, and password policy are vital devices and processes that must be decided on during development. In addition, penetration testing should be performed on the system to identify any remaining vulnerabilities.
Meaconing
Meaconing is the interception and rebroadcast of signals so that receivers lock onto the false signal, disrupting an organization's communications (Tipton and Krause, 2007). Under normal circumstances the likelihood of meaconing should be low, but the system must still have built-in processes that address the threat and its associated vulnerabilities. Designing in increased transmit power or channel hopping at the design and test stages helps to overcome the threat and its associated vulnerabilities (Tipton and Krause, 2007).
Loss of Control and/or the Physical Security of the Military Assets
This is a real threat, particularly when military equipment falls into the wrong hands, because the risk posed by the equipment then rises sharply (Tipton and Krause, 2007). Threats and vulnerabilities both increase, since the enemy now knows the capabilities of the system and holds the hardware and any Controlled Cryptographic Items it contains.
Jamming
Jamming is a technique used to prevent a radio-frequency signal from reaching its intended destination (Tipton and Krause, 2007). Broadband radio-frequency energy directed at the system can either damage the system or hinder communications, so such an attack amounts to a denial of service and can cut the equipment off from external sources. This risk is addressed by designing the equipment appropriately and by providing multipath links that route around the affected path (Tipton and Krause, 2007).
Interference
Interference from noise or weather conditions makes it difficult to send intelligible message traffic (Tipton and Krause, 2007). To overcome this threat, measures and strategies for identifying both man-made and natural sources of interference need to be in place, and the corresponding mitigating measures must be identified (Tipton and Krause, 2007).
The assumption made for the portable satellite system is that it can be placed at fixed locations that provide physical security measures protecting it from damage, loss or attack. The system is used to communicate classified and top secret information during wartime emergencies. Key technologies supplied by the National Security Agency (NSA) are required, and the system can use NSA Type 1 AES encryption for information transmitted across the Global Information Grid (GIG) (Groshong, 2011). The system must also be certified by the Joint Interoperability Test Command (JITC), and an Authority to Operate (ATO) and Authority to Connect (ATC) for the GIG are mandatory (Smedinghoff, 2008). The system must use encryption that is validated under Federal Information Processing Standards Publication (FIPS) 140-2 (Smedinghoff, 2008). Meaconing, Intrusion, Jamming and Interference (MIJI) procedures are established and put in place both to mitigate these threats and to identify their sources (Smedinghoff, 2008).
Evaluate How Any Applicable Federal Legislation Will Help to Minimize Potential Risks and Help to Prevent and Detect Cybercrime Activities
Several laws, directives and standards apply in this case and together form a framework for information security. Applying their processes helps to reduce the risks and mitigate the vulnerabilities inherent in this system.
Department of Defense (DoD) Instruction 5200.40, the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), defines the role of the Designated Approving Authority (DAA), provides certification and accreditation guidance, and specifies a process that includes formal security test and evaluation and system documentation. The Joint Interoperability Test Command (JITC) certifies the interoperability of all equipment that connects to the DoD GIG; the Authority to Operate (ATO) itself is issued by the DAA on the basis of the certification results (Groshong, 2011). Note that DITSCAP has since been superseded, first by the DoD Information Assurance Certification and Accreditation Process (DIACAP, DoD Instruction 8510.01) and later by the DoD adoption of the NIST Risk Management Framework, so a current engagement would follow the successor process.
The Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. § 3541 et seq.) requires every federal agency to develop and implement a program that provides security for the information systems supporting the agency's operations and assets, including systems operated by contractors on the agency's behalf (Groshong, 2011). The National Institute of Standards and Technology (NIST) is responsible for developing the standards, guidelines and methods that federal agencies, and the commercial organizations that serve them, use to meet the requirements of FISMA (Groshong, 2011).
The Department of Defense 8570.01-M Information Assurance Workforce Improvement Program categorizes the positions of staff who perform Information Assurance (IA) functions and specifies the certifications they require (Groshong, 2011). There are several levels of access, and each level requires a particular amount of experience, training and certification before the holder may carry out specific tasks on the DoD GIG network (United States Department of Defense DoD 8570.01-M, 2010). The notion of privileged access classifies the degree of control a particular user has, for example as a local user, network administrator, or system administrator (United States Department of Defense DoD 8570.01-M, 2010).
NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems, defines a procedure for managing risk (Groshong, 2011). It provides the foundation for an effective risk management program, containing both the definitions and the practical guidance needed to assess and mitigate the risks identified in IT systems.
NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, defines the risk management process for federal IT systems: security categorization, selection and implementation of security controls, assessment of the controls, authorization of the information system, and ongoing monitoring of the controls (National Institute of Standards and Technology SP 800-37, 2010).
Recommend Acceptable and Unacceptable Risk Standards That Are Consistent with the Specified Federal Legislation Based on Best Practices for Securing and Preventing Cybercrime within the Organization in the Scenario
Risk analysis gives an organization the opportunity to prioritize its spending and effort by considering the resources available and where they will have the greatest effect (Clinch, 2009). Threats and vulnerabilities whose realization would cause minimal harm to the equipment are acceptable risks; tornadoes and hurricanes, for example, are acceptable risks in regions of the world where the probability of their occurrence is very low. Minimal protection against risks with very little impact is acceptable, and industry-standard protection in these cases costs less while leaving a reasonable level of residual risk (Groshong, 2011). Unacceptable risk standards, by contrast, are those that allow a large impact, or under which the protection provided against damage to the system is insufficient. In our case, the information technology system is a military target that will be used in a hostile foreign environment, which demands additional processes to counter the risks (Clinch, 2009). Since industry-standard practice alone cannot address these risks and provide the maximum protection of the system, it is recommended that additional safeguards, encryption, hardening and redundancy be deployed to bring the residual risk down to acceptable levels (Groshong, 2011).
Develop a Cybercrime Prevention Strategy for the Contractor
The National Institute of Standards and Technology (NIST) has designed a comprehensive methodology for information security that also serves as the basis for cybercrime prevention: the Risk Management Framework described in SP 800-37. It comprises six steps that help to develop a cybercrime prevention strategy conforming to federal information security law (Groshong, 2011), and it protects the contractors involved from unacceptable risks. Following the six steps ensures that the system developed is secure and in line with Department of Defense standards; it also minimizes development costs, enhances information security, and reduces the risk factors associated with the project (Groshong, 2011).
The six steps of the methodology are:
Categorize
Categorize the information system and the information it will process and transmit, and on that basis decide how the equipment and information systems are to be safeguarded and stored (Groshong, 2011).
Select
Select and document baseline security controls that satisfy the organization's common security requirements. Dynamic subsystems must comply with the organization's security controls, constraints and assumptions (Groshong, 2011). System dependencies and subsystem requirements must also be identified and documented.
Implement
Implement the security controls and describe how each is implemented (Groshong, 2011). Ensure that the mandatory security configuration is applied and that it complies with organizational and federal policies.
Assess
Assess the security controls using the assessment procedures to check that the controls are implemented and functioning as required (Groshong, 2011). Ascertain that the controls are configured correctly and are producing the expected outcome, and document the results in a security assessment report.
Authorize
Authorize the information system to operate on the basis of the risk to the organization's operations and assets, to individuals, to other organizations, and to the nation (Groshong, 2011). Develop a plan of action and milestones listing the measures that will address the weaknesses found, and assemble a security authorization package comprising the security plan, the security assessment report, and the plan of action and milestones. These documents are essential to the accreditation and authorization process (Groshong, 2011).
Monitor
Monitor the security controls on an ongoing basis to assess their effectiveness, document changes to the system, carry out impact analysis, and report status. Perform remediation actions based on the monitoring results and update the security plan, security assessment report and plan of action and milestones as needed (Groshong, 2011). Monitoring is carried out at all stages, from design through accreditation and into operation.
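The implement, assess and monitor steps become repeatable only when the control checks are automated. The Python below is an added example, not part of the original report or of NIST's guidance: it assesses a constructed sshd_config fragment against a constructed baseline, records one finding per control item, and turns the failures into plan-of-action items. The baseline, the NIST SP 800-53 control labels attached to each directive, and the sample configuration are all assumptions made for illustration.

```python
"""Automated assessment of a host configuration against a control baseline.

Added example; it is not part of the original report and is not a NIST or DoD
tool. The baseline, the control labels attached to each directive and the
sample sshd_config text are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    control: str        # assumed control label for the assessment report
    directive: str
    expected: str
    actual: Optional[str]
    status: str         # "pass" | "fail"


# Directives that must be present with exactly this value (constructed baseline).
REQUIRED_VALUES: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin": ("AC-6 least privilege", "no"),
    "PasswordAuthentication": ("IA-2 authentication", "no"),
    "X11Forwarding": ("CM-7 least functionality", "no"),
}

# Directives whose comma-separated list may contain only approved entries.
APPROVED_LISTS: Dict[str, Tuple[str, Set[str]]] = {
    "Ciphers": ("SC-13 cryptography",
                {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes256-gcm@openssh.com"}),
}

_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s+(.+?)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map for an sshd_config.

    Comments and blank lines are skipped, keywords are compared case-insensitively,
    and for a repeated keyword the *first* occurrence wins, which is how sshd itself
    resolves duplicates. A checker that kept the last value would report a host as
    compliant while sshd is actually running the earlier, weaker setting.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m is None:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        effective.setdefault(keyword, value)
    return effective


def assess(config_text: str) -> List[Finding]:
    """Evaluate every baseline item and return one Finding per item.

    An absent directive is reported as a failure: the baseline requires an
    explicit setting rather than reliance on the daemon's compiled-in default,
    which cannot be verified from the configuration file alone.
    """
    cfg = parse_sshd_config(config_text)
    findings: List[Finding] = []
    for directive, (control, expected) in REQUIRED_VALUES.items():
        actual = cfg.get(directive.lower())
        ok = actual is not None and actual.lower() == expected
        findings.append(Finding(control, directive, expected, actual, "pass" if ok else "fail"))
    for directive, (control, approved) in APPROVED_LISTS.items():
        actual = cfg.get(directive.lower())
        listed = {c.strip() for c in actual.split(",")} if actual else set()
        ok = bool(listed) and listed <= approved
        wanted = "only " + ", ".join(sorted(approved))
        findings.append(Finding(control, directive, wanted, actual, "pass" if ok else "fail"))
    return findings


def poam_items(findings: List[Finding]) -> List[Finding]:
    """Failed findings become the entries of the plan of action and milestones."""
    return [f for f in findings if f.status == "fail"]


# Constructed sample; the duplicated PermitRootLogin line is deliberate.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment for the example
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
Ciphers aes256-ctr,arcfour,aes128-ctr
"""

if __name__ == "__main__":
    for f in assess(SAMPLE_SSHD_CONFIG):
        print(f"{f.status.upper():4s} {f.control:26s} {f.directive}={f.actual!r} (expected {f.expected})")
```

Run against the sample, the assessment fails PermitRootLogin (the first, permissive value is the one sshd honours), fails X11Forwarding (absent), fails Ciphers (arcfour is not on the approved list) and passes PasswordAuthentication, so three items go onto the plan of action. The same loop, scheduled and fed live configuration files, is the monitoring step of the framework.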
Risk analysis involves three interrelated elements: risk perception, risk assessment and risk management (Tipton and Krause, 2007). It is now recognized that both the public and private sectors must be involved in defining the nature of a danger and in developing the policies and programs for managing it. Risk analysis can be defined as the process of defining and investigating the risks posed to businesses, individuals and government activities by potential human-caused or natural hostile events. Following the NIST guidance ensures that costs are reduced by identifying, prioritizing and mitigating security risks.