Introduction to Cyber Security Oz Assignments
In the current world of technological evolution, people and institutions rely on information systems to communicate, share information and store vital institutional data. An information system is a network of assets that work together to store, transform, retrieve and disseminate the information of a learning institution, corporation or business. Information systems make essential contributions to the education sector. To harness the benefits of individuals using their own electronic devices, Southern Cross University has adopted a Bring Your Own Device (BYOD) policy for classes at Performance Management Education.
The use of these electronic devices to access, process and create the university's information and data raises concerns about information security breaches. The institution needs to implement strategies to prevent breaches of its information and data. The university should adopt information security strategies that guarantee it still controls and manages the data accessed from BYOD devices, while ensuring that as few restrictions as reasonably possible are imposed on the university information resources accessed under the BYOD policy.
This report analyzes the critical information assets of the university and discusses the threats introduced by the BYOD policy. It also explores certificate-based authentication, compares it with another authentication technique, and provides spam-handling guidelines for the university.
BYOD Risk Assessment
In developing an information security strategy, the first essential step is to identify and understand the critical assets that require protection. The critical information assets of an organization are the assets that affect integrity, confidentiality and availability and that support the institution's mission, vision and strategic objectives[ CITATION Bor15 \l 1033 ].
The critical information assets of Southern Cross University are the following:
1. Educational and research: examinations, intellectual development, research projects and information about students
2. Human resources: personal data of staff and reports
3. Legal: contracts, internal documentation and confidential staff information
4. Finance and economics: financial information and procurement documentation
5. Information technology: databases, logins and passwords, IT management information and copyright in IT developments
BYOD Policy: Threats and Vulnerabilities
The BYOD policy adopted for classes at Performance Education will give rise to various threats to the identified critical information assets of the university. Organizations have little or no control over the electronic devices their employees use, and no control over the security conditions under which employees access the organization's information systems[ CITATION Dan15 \l 1033 ]. The threats that the BYOD policy may bring are malware, phishing, social engineering, malicious mobile applications and denial of service. Phishing is a well-constructed email that evades the network security controls and obtains information system data[ CITATION JCh14 \l 1033 ].
Malware is a rapidly growing information systems problem because of the high number of downloads and applications[ CITATION Pat131 \l 1033 ]. Malware may be used to steal the confidential information of employees and students and to divert financial transactions, exploiting security vulnerabilities such as insecure wireless networks and weak firewalls introduced by mobile devices that the information technology department cannot control[ CITATION Cue15 \l 1033 ]. Phishing exploits vulnerabilities such as personal cloud services and social networks in an unmanaged staff or student collaboration environment to obtain financial gain and steal personal information. In social engineering, spam emails and spam on social networks exploit human emotions to spread malware and improperly obtain confidential staff and student data. Denial-of-service threats arise from vulnerabilities caused by improper network planning for the adoption of mobile electronic devices, leading to attacks on databases and log repositories. Vulnerabilities such as mobile device misconfiguration occur when employees install unauthorized, non-corporate applications, which then provide opportunities for stealing institutional information such as legal documents.
Information system risk assessment is carried out to give a prioritized evaluation of the probability and impact of information security incidents, presenting the potential threat to the information in each scenario together with the existing protective measures[ CITATION She16 \l 1033 ]. In deciding whether to implement a quantitative or a qualitative risk assessment, the advantages and disadvantages of the two frameworks are analyzed. The advantage of the quantitative style is that it takes the risks into consideration and locates the sections that require urgent action[ CITATION Tix17 \l 1033 ]. Its disadvantage is that it makes cost-benefit analysis difficult because it does not provide specific, quantifiable measurements of the magnitude of impacts. The advantage of the qualitative style is that it supports cost-benefit analysis since it provides specific, quantifiable measurements of the magnitude of impacts. Its disadvantage is that its outcomes may be unclear depending on the numerical range of the measurements.
The risk assessment process to be used by the university is outlined below:
1. Determine the critical processes of the university that guide and support it in attaining the institution's objectives and mission. The senior administrators and the senior information systems officers should develop a framework for determining these critical processes.
2. Identify the information assets involved in the critical processes the university undertakes to fulfil its duties and mission objectives.
3. Establish the scope and objectives of the risk analysis by considering the critical processes and information assets of the university and taking into account the resources available to execute the activities.
4. Review the institution's environment and develop a list of possible threat scenarios and potential threat agents.
5. Evaluate the risk scenarios by determining the probability of each threat occurring and its potential impact on the institution's information systems.
6. Determine the framework for treating each identified risk: prevention, mitigation, avoidance,
7. Perform a cost-benefit analysis of the defined risk scenarios, taking into account the risk level of the classified information assets.
8. Select the security strategies to be adopted to lessen the risk levels on the critical information system assets of the institution.
The threats of Bring Your Own Device and of rogue machines have led institutions to adopt information security strategies that ensure only approved users and devices access network resources. One such security strategy that Southern Cross University should adopt is certificate-based authentication. This technique uses a digital certificate to identify a user and device before granting access to an organization's information system resources. Certificate-based authentication offers various benefits: it is user-friendly, easy to deploy and manage, provides mutual authentication, is easy to extend to external users and leverages existing policies.
Working Principle of Certificate-Based Authentication
The working principle of certificate-based authentication can be elaborated in the following steps[ CITATION ONe17 \l 1033 ]:
1. A certificate containing the user's published public key is issued to the client, and the client software maintains a private-key database corresponding to the published public keys. The password to this database is requested from the client the first time it is needed in any given session.
2. The client unlocks the private-key database, retrieves the private key for the user's certificate and uses it to digitally sign randomly generated data. The signed data and the signature act as evidence of the validity of the private key.
3. The client then sends the signed random data and the user's certificate across the network.
4. The server uses the submitted evidence and the user's certificate to authenticate the identity of the user.
5. Finally, the server performs further authentication tasks, such as checking for the presence of the certificate in an LDAP entry and evaluating the client's permission to access the particular resource. If the user is allowed, the server grants access to the requested information system resource.
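The exchange in steps 1 to 4, as an added example in Go that is not part of the original report: a constructed university device CA issues a client certificate, the client signs the server's random challenge with the matching private key, and the server accepts the certificate's subject name only after the certificate chains to the trusted CA and the signature verifies. The CA name, the subject "student123" and the use of Ed25519 keys are assumptions; the password-protected private-key database of step 1 and the LDAP check of step 5 are left out.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issueCert binds cn to key's public half: a self-signed CA certificate when parent is nil, otherwise a client certificate signed by (parent, parentKey).
func issueCert(cn string, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed: the CA signs its own template
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// serverVerify (step 4): the certificate must chain to a trusted CA and the challenge signature must verify under its public key; only then is the subject name believed.
func serverVerify(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // unknown CA, expired, or not a client-authentication certificate
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("challenge signature does not match the certificate's key")
	}
	return cert.Subject.CommonName, nil
}

// demo runs one exchange: challenge is the server's random data (step 1); the client signs it with the private key matching its certificate and sends both (steps 2-3); the server checks them (step 4).
func demo(challenge []byte) (string, error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader) // constructed university device CA
	_, userKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert, roots := issueCert("SCU Device CA", caKey, nil, nil), x509.NewCertPool()
	roots.AddCert(caCert)
	return serverVerify(roots, issueCert("student123", userKey, caCert, caKey), challenge, ed25519.Sign(userKey, challenge))
}
```

Because the server verifies a fresh challenge rather than a stored secret, a captured signature cannot be replayed and a certificate is useless without the private key that matches it.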
In a typical certificate-based authentication setup, a server requests that a client present a valid certificate in order to allow access[ CITATION ONe17 \l 1033 ]. The user then authenticates with a username and password. Verification of the user's identity is not performed in this type of authentication, since the certificate is not cross-checked (Figure 1).
Figure 1: Typical certificate based authentication framework
The most secure form of authentication employed in web applications is two-factor certificate-based authentication[ CITATION Zin17 \l 1033 ]. Two-factor authentication verifies the user's identity as the first factor using the certificate provided, and then prompts the user for a password as the second factor (Figure 2).
Figure 2: Different stages of a two-factor certificate authentication on web applications.
Certificate-based authentication allows for separation of roles, a feature that password-based authentication does not offer. Certificate-based authentication is complex to implement and expensive but more secure, while password-based authentication is cheap and easy to implement and hence less secure[ CITATION Xue13 \l 1033 ]. The feature of certificate-based authentication that is useful for combating the threats from the BYOD policy is that the technique uses something the user possesses, the private key, together with the password to the database containing that private key. This feature therefore allows the university's users to be authenticated on what they have and what they know before they are allowed to access the requested information system resource.
In the user authentication context, certificate-based authentication is implemented in coordination with standard methods such as username and password. The feature of certificate-based authentication that is useful for combating the threats from the BYOD policy is that users are authenticated on what they have (the certificate) and what they know (the password). Therefore, an organization should implement certificate-based authentication in order to harness its benefits: it is user-friendly, easy to deploy and manage, provides mutual authentication, is easy to extend to external users and leverages existing policies.
Spam has the following key characteristics: mass mailing, sender anonymity and being unsolicited. The main elements of the Spam Act 2003 are that information identifying whoever authorized the sending of a commercial electronic message must be included in the message, that commercial electronic messages must contain a functional unsubscribe facility, that address-harvesting software must not be used, and that civil penalties and injunctions are the main sanctions under the Act[ CITATION Aus03 \l 1033 ].
Three Examples of Spam
The above examples of spam are obtained from the itgsnews website: http://www.itgsnews.com/spam-and-phishing-examples-itgs-revision/
Below are anti-spam guidelines and best practices that the university should adopt to minimize spam within its information system:
1. Staff should not send out-of-office replies to external messages; when setting an automatic reply for periods away from the office, they should have it sent only to their contacts and not to everyone.
2. Spam incidents should be reported to the specific domain from which the spam was received.
3. Avoid providing official email addresses when signing up to other websites, particularly where the website does not guarantee the privacy of the personal details provided.
4. Staff and students should avoid posting email addresses in public blogs or forums, because spammers have developed scripts that detect email addresses and links in blog pages.
5. Both staff and students should unsubscribe from unneeded newsletters or notifications by unchecking the newsletter and notification boxes on websites.
6. Every user should disable the automatic download and display of external images, because many spammers embed their phishing content in external images.
7. The IT administrator should configure SPF/DKIM filtering from the control panel and review the results against the adopted policies to block spam messages.
8. The IT administrator should perform spam filtering by checking sender IP addresses and domains against a maintained blacklist.
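One way to apply the last two administrator controls (SPF/DKIM results and a domain blacklist) to an incoming message, as an added Go example that is not part of the original report: it reads the Authentication-Results header that the receiving mail server records, checks the From domain against the blacklist, and returns a disposition. The header layout, the blacklist entries and the sample messages are constructed for the example.

```go
package main

import (
	"net/mail"
	"regexp"
	"strings"
)

// Verdict is the filter's disposition for one message.
type Verdict string

const (
	Deliver    Verdict = "deliver"
	Quarantine Verdict = "quarantine"
	Reject     Verdict = "reject"
)

// methodRe picks "spf=<result>" and "dkim=<result>" out of an Authentication-Results header
// written by the receiving server, e.g. "mx.scu.example; spf=fail smtp.mailfrom=bad.test; dkim=none".
var methodRe = regexp.MustCompile(`(?i)\b(spf|dkim)=([a-z]+)`)

// classify applies the two administrator controls in order: the sender's domain is checked
// against the blacklist first, then the recorded SPF/DKIM results decide delivery.
func classify(raw string, blacklist map[string]bool) (Verdict, string) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Quarantine, "unparseable message"
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Quarantine, "malformed From header"
	}
	domain := strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])
	if blacklist[domain] {
		return Reject, "sender domain " + domain + " is blacklisted"
	}
	results := map[string]string{}
	for _, m := range methodRe.FindAllStringSubmatch(msg.Header.Get("Authentication-Results"), -1) {
		results[strings.ToLower(m[1])] = strings.ToLower(m[2])
	}
	switch {
	case results["spf"] == "fail" || results["dkim"] == "fail":
		return Reject, "SPF or DKIM check failed"
	case results["spf"] == "pass" || results["dkim"] == "pass":
		return Deliver, "sender authenticated"
	}
	return Quarantine, "no SPF/DKIM result; hold for review"
}
```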
The BYOD policy adopted for classes at Performance Education will expose the critical information assets of the university to various potential threats. The critical information assets of an organization are the assets that affect integrity, confidentiality and availability and that support the institution's mission, vision and strategic objectives. The university has adopted various information security strategies, including certificate-based authentication, to guarantee that it still controls and manages the data accessed from BYOD devices and controls who accesses its information system resources. The university should encourage its staff and students to follow the anti-spam guidelines developed above to reduce, avoid and prevent spamming of the university's information system resources.
1. Australian Government 2003, 'Spam Act 2003', Government Act, Australian Government.
2. Boranbayev, A, Mazhitov, M & Kakhanov, Z 2015, 'Implementation of Security Systems for Prevention of Loss of Information at Organizations of Higher Education', 2015 12th International Conference on Information Technology - New Generations, Las Vegas, NV.
3. Chang, J, Ho, PC & Chang, TC 2014, 'Securing BYOD', IT Professional, vol. 16, no. 5, pp. 9-11.
4. Cuevas, PD, Mora, A, Merelo, J, Castillo, P, Sanchez, PG & Fernandez-Ares, A 2015, 'Corporate security solutions for BYOD: A novel user-centric and self-adaptive system', Computer Communications, vol. 68, pp. 83-95.
5. Dang-Pham, D & Pittayachawan, S 2015, 'Comparing intention to avoid malware across contexts in a BYOD-enabled Australian university: A protection motivation theory approach', Computers & Security, vol. 48, pp. 281-297.
6. O'Neil, M, Heidbrink, S, Ruoti, S, Whitehead, J, Bunker, D, Dickinson, L, Hendershot, T, Reynolds, J, Seamons, K & Zappala, D 2017, 'TrustBase: An Architecture to Repair and Strengthen Certificate-based Authentication', Proceedings of the 26th USENIX Security Symposium, USENIX, Vancouver, BC, Canada.
7. Patten, KP & Harris, MA 2013, 'The Need to Address Mobile Device Security in the Higher Education IT Curriculum', Journal of Information Systems Education, vol. 24, no. 1, pp. 41-52.
8. Shedden, P, Ahmad, A, Smith, W, Tscherning, H & Scheepers, R 2016, 'Asset Identification in Information Security Risk Assessment: A Business Practice Approach', Communications of the Association for Information Systems, vol. 39, no. 15, pp. 297-320.
9. Tixteco, LP, Tixteco, MC, Perez, GS, Medina, LK, Gomez, J & Tellez, AC 2017, 'Recommendations for Risk Analysis in Higher Education Institutions', The Eleventh International Conference on Emerging Security Information, Systems and Technologies, IARIA.
10. Xue, K, Ma, C, Hong, P & Ding, R 2013, 'A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks', Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316-323, https://doi.org/10.1016/j.jnca.2012.05.010.
11. Zink, T & Waldvogel, M 2017, 'X.509 User Certificate-based Two-Factor Authentication For Web Applications', Technical report KN-2017-DISY-03, Department of Computer and Information Science, Distributed Systems Laboratory, University of Konstanz, Germany.