Management of Information Security Social Networking

Question: Describe about the Management of Information Security for Social Networking. Answer: Executive summary The report analyses the security incident of the customer information of PeopleSharz being hacked and released onto the internet. The report analyzes the background of the organization providing the social networking platform, PeopleSharz and the cloud platform provider, HotHost1. The analysis of this security incident of PeopleSharz is done through a thorough analysis of various factors of the business of the organizations. The threat analysis of the application of PeopleSharz is done through a number of phases of the technical vulnerabilities, physical vulnerabilities, network vulnerabilities and social engineering vulnerabilities of the organizations. The report also mentions the dependencies of completing the entire investigation process for the security incident. The report provides an overview of the support needed from the employees of both the organizations involved in the security incident, in order to complete all the analysis activities. The success factors of the investig ation process of the security incident of the organization provides a clear guideline to the management of PeopleSharz and HotHost1 in terms of the successful identification and management of the security vulnerabilities. The report also provides a number of recommendations to the management of both the organizations, in order to ensure the optimal security of the products of both the organizations in the future. These recommendations span across various components of the business and operational model of both the organizations. The recommendations aim at all the possible security threats to the products of both the organizations in order to maximize the security of the corresponding products (Choucri, 2014). Background and problem analysis This section of the report focuses on the possible reasons of the security vulnerabilities of the social media platforms of PeopleSharz hosted on the cloud space provided by HotHost1. These plausible reasons can be considered the ways in which the hacker might have gained access into the social networking platform of PeopleSharz. The cyber-attack on the social networking platform of PeopleSharz could be a result of a technical attack or a physical attack (Zhang, 2014). Technical attacks to exploit security vulnerabilities The hacker could have employed the ways mentioned in this section to gain access into the social networking platform of PeopleSharz. SQL injection Cross site scripting Cross-Site Request Forgery Remote file inclusion Local file inclusion Denial of service attack All of these attacks exploit the security vulnerabilities present in the application deployed by the organization. These security vulnerabilities can be present in either the application source code of PeopleSharz or the cloud platform provided by HotHost1. These security vulnerabilities in the application source code are a result of lack of experience of the developers and programmers in handling security vulnerabilities (Xu, 2016). Attacks to exploit gaps in access control mechanism These types of attacks focus on exploiting the gaps present in the access control mechanism of either of the applications i.e. the social networking platform deployed by PeopleSharz and the cloud platform deployed by HotHost1. Brute force attack This type of attack allows the hacker to set up an automated script for trying a large number of combinations of username and password at either the social networking platform or the cloud platform. These scripts try to gain access into the systems by trying to login using these large number of combinations of username and password, which may result in a successful break-in into the systems for the hacker (Lyne, 2013). Social engineering attacks The hacker could have implemented one of these types of attacks to gain access into the social networking platform. Some of these types of social engineering attacks are mentioned in this section. Phishing attack This type of attack allows the hacker to phish for the personal information and credentials of either the users or employees of either of the organizations. This type of attack can manipulate the employees to provide the administrative access to either of the platforms, which could have directly led the hacker to the user information (Desai, 2016). Pretexting attack This type of social engineering attack allows the hacker to create a manipulative and false scenario for either the users or employees of the organizations to provide their personal information along with their credentials (Engebretson, 2013). Click-baiting This type of attack allows the hackers to mislead the users and employees of both the organizations into clicking on manipulative links. These links in turn allows the hackers to gain access into the personal data of the users and employees along with their credentials into the applications (Zhang, 2014). Physical intrusion at the offices or facilities These types of attacks allow the hackers to physical intrude into the facilities of either of the organizations. Tailgating This attack allows the hacker to gain access into the facilities of the organization by strategically following the employees of the organizations (Rodriguez, 2013). Corporate espionage This type of attack allows the hacker to gain access into important information by the help of someone having access into the organizations facilities. Threat analysis This section of the report focuses on the phases of threat analysis to be done in both PeopleSharz and HotHost1, in order to identify the possible way used by the hacker to gain access into the application. Each of the phases also identifies the deliverables to be provided to both PeopleSharz and HotHost1. Static code analysis The first phase of the threat analysis will statically analyze the source code of the applications to identify various potential security vulnerabilities along with their severity. HP Fortify is a software application which scans the source code of other applications to identify the security vulnerabilities and their severity. This phase of the process of threat analysis will generate a report containing all the potential security vulnerabilities in the social networking platform of PeopleSharz along with the cloud platform of HotHost1. The report will contain detailed description of the security vulnerabilities, possible solutions and recommendations for the applications (Kandias, 2013). Server security and protocols analysis This phase of the threat analysis process will focus on the analysis of the security of the servers on which the applications are running. The analysis will focus on the various protocols supported by the servers, in which the applications are deployed. This in turn creates a detailed report on the specific protocols and technologies supported by the application servers, which could be potentially vulnerable to cyber-attacks or could be essential for defending the application from the cyber-attacks. The report will also include a number of protocols and technologies widely used in the current implementation of similar applications worldwide along with a few recommendations regarding the current protocol implementations of the application server. Discussions with the employees This phase of the threat analysis process focuses on the possibility of one of the employees working in either of the organizations, helping the hacker gain access into the social networking platform. This phase will involve professional human behavior experts carrying out a number of discussions with some of the employees of both the organizations. Only the employees having required access into the database of the organizations will be included in this phase of the threat analysis process. This phase will generate a report containing the probability of the hacker being supported by one of the employees of the organizations (Adams, 2014). Physical site visits This phase of the threat analysis process focuses on the physical visits of the sites holding the servers on which the application is deployed along with the offices of both the organizations. The site visits will allow us to identify a number of shortcomings in the security implementations at the corresponding sites, if any. This phase aims at identifying the possibility of the hacker gaining access into the application through physically intruding into the facilities of either of the organizations. The physical site visits phase will generate a report with the detailed explanation of the security implementations of the various sites of the organization along with a few recommendations for enhancing the security of the application (Cha, 2016). Network analysis This phase of the threat analysis process focuses on the analysis of the network, which allows the social networking platform to be deployed in the internet and allows the cloud platform to provide its services to PeopleSharz. This phase of the threat analysis process identifies possible security issues in the network used by the social networking platform to connect to the internet along with the possibilities of the data transmitted through the corresponding network being listened to without proper authentication and authorization. This phase will generate a report containing the detailed description of the specification of the network used by the social networking platform along with the potential vulnerabilities and recommendations (Vacca, 2012). Load analysis This phase of the threat analysis process focuses on the analysis of the load on the social networking platform over a particular period of time and at the present. The load analysis activity specifically focuses on the probability of the hacker gaining access into the social networking platform through a denial of service attack. This phase of the threat analysis process generates a report containing the analysis of the loads on the social networking platform over a certain period of time along with the recommendations to enhance the load balancing capabilities of the social networking platform (Vasek, 2016). Access control analysis This phase of the threat analysis process focuses on the analysis of the access control mechanism implemented in the social networking platform of PeopleSharz. The access control mechanism includes all the information regarding the assignment of roles to the users and employees of the organizations. The various roles defined in the applications are provided different authorization and privileges depending on their daily work and responsibilities. This phase of threat analysis focuses on these factors of access control mechanism to identify possible gaps and redundancies in the implementation, which might lead to the presence of security vulnerabilities. This phase of threat analysis aims at the revelation of possible gaps in the access control mechanism implemented in both the organizations and generates a report containing the detailed description of the access control mechanism implemented in both the organizations along with the recommendations to improve the overall security of b oth the organizations along with the application (Reddy, 2014). This process of threat analysis focuses on the analysis of what happened and what led the hacker into the social networking application. But the reports generated from these threat analysis phases also allow the organizations to ensure that similar incidents are avoided in the future through enhancing the security of the application. These reports from the threat analysis process provide a lot of recommendations for the enhancement of the security of the organizations and applications along with the detailed explanation of the various security implementations in both the organizations (Shema, 2012). Dependencies and critical success factors to the job This section of the report focuses on a number of dependencies of the process of analyzing the threats to the application and identifying the way in which the hacker gained access into the application. Hence this section of the report mentions the critical success factors of completing this activity. Access to the source code of the applications This is one of the most important success factors for the completion of the process of statically analyzing the source code of the applications to identify the possible security vulnerabilities in the applications. The static analysis of the code will be done for both the applications i.e. the social networking platform developed by PeopleSharz and the cloud platform developed by HotHost1. The static analysis of the source code of both the applications will be done by a team of security vulnerability experts. The static analysis of the source code of the applications will reveal the possible security vulnerabilities and our experts will need support from the developers in understanding the business logic of the source code, where the vulnerability is identified (Aloul, 2012). Administrative access to the applications A team having expertise in load testing and management of security vulnerabilities will have the responsibilities of testing the load handling capabilities of the applications. To achieve the goal of understanding the load handling capabilities of the application, this team will need administrative access into the applications. This success factor to the completion of the activity will allow the team to go through all the functionalities of the applications to determine the accuracy of the security vulnerabilities identified in the static code analysis. The administrative access to the applications also allows the team to carry out an effective load testing of the applications (Canali, 2013). Support from the employees having access to the database Our team human behavior experts would have a number of discussions with the employees having access into the database management system of the application. The team will need full support from these employees in either of the organization to ensure smooth process of analyzing the access control mechanism. Support from admin employees maintaining the cloud platform The team from HackStop Consulting will need support from the administrative team of the HotHost1, which in turn will allow the team to understand the protocols and implementations on the server side of the application. This in turn will allow the team from HackStop Consulting to have an overview of the server side implementation along with the possible gaps or vulnerabilities in the implementation. Support from the physical security team The team from HackStop Consulting will need full support from the teams handling the physical security at the sites of both the organizations. This will allow the threat analysis to include the analysis of the capabilities of the physical securities at the server sites of both the organizations, which in turn will define the probability of the hacker gaining access into the application database through physical intrusion. Recommendations This section of the report focuses on a number of recommendations to PeopleSharz to enhance its security practices. All of these recommendations are segregated based on the type of cyber-attack they aim at. Changes in the business processes for technical attacks The recommendations mentioned below aim at the enhancement of the security against the technical attacks. Security code analyzer The development teams of both the organizations should include the security code analyzers in their development activities. The scan by the security code analyzer allows the developers to avoid security vulnerabilities in their work. This in turn will make the entire application much more secure (Jang-Jaccard, 2014). Change in software development practices Along with the usage of the security code analyzers in the development activities, the developers in both the organizations should focus on following the best coding practices in their developmental activities. This in turn makes the application more robust and secure (OConnell, 2012). Focus on security testing The organizations should put more focus on the security testing of their applications before making them available to the customers. The new enhancements and features pf the applications provided by both the organizations should be tested through rigorous security testing phases to ensure the absence in the security of the applications (Bergman, 2013). Proper training and development activities Both the organizations should put more focus into the training and development activities of the employees in order to make them more conscious about the security aspects of their daily work. This in turn involves the application security as an important part of the development and testing activities of the employees. Better access control mechanism Both the organizations, PeopleSharz and HotHost1 should redesign their access control mechanism in order to make their products more secure along with increasing their robustness. Some of the rooms of improvements in the access control mechanisms of both the organizations are mentioned below. Single sign-on This is the most important factor in the modern access control mechanisms implemented across different organizations operating in the information technology industry. This allows the employees to have a single set of credentials to login to various systems across the organizations, which in turn decreases the requirement of the employees to remember a large number of credentials. This minimizes the maintenance of the credentials in hard copy format along with the stealing of the credentials (Kumar, 2013). Role-based authorization This factor in the access control mechanism can be improved in both the organizations to provide the employees with minimal authorization as per their roles in the organization. This in turn allows the employees to have the just enough access privileges to carry out their daily business activities. This change in the access control mechanism allows the organizations to be more secure from the cyber-attacks in the future (Sadeghian, 2013). Managing social engineering attacks These recommendations allow the employees in both the organizations not to be vulnerable to various social engineering attacks. Business guidelines and protocols Both the organizations, PeopleSharz and HotHost1 can implement strict the business guidelines and protocols to ensure the minimization of gaps in various business activities. This in turn allows the employees to have the support in making the correct decision in various social engineering attacks (Barai, 2013). Training The employees in both the organizations can be trained not to be prone to various social engineering attacks. The training activities in both the organizations will allows the employees to follow the business processes strictly and not be deviated from the business protocols and guidelines (Greenwald, 2014). Better physical security at various sites These recommendations allow both the organizations to have better physical security at the different sites of the organizations. Better ICT implementation The implementation of better information and communication technologies will allow the physical security teams to have better control over the security of the sites. The better communication technology implementation also allows the physical security team to have minimal response times to various incidents (Whitman, 2013). Regular training and development activities Both the organizations can put more effort into the training and development activities of the physical security personnel in the workplace. These training and development activities of the security personnel of the organizations will in turn enhance the physical security of the various sites of the organizations (Von, 2013). Inclusion of the physical security protocols in the business guidelines The inclusion of the physical security protocols in the business guidelines allows the employees to be responsible for the physical security of the organizations. This in turn allows all the employees to be conscious enough to avoid security gaps and to respond to security incidents in minimal time (Ifinedo, 2014). References Adams, N.M. and Heard, N., 2014.Data Analysis for Network Cyber-Security. Imperial College Press. Aloul, F., Al-Ali, A.R., Al-Dalky, R., Al-Mardini, M. and El-Hajj, W., 2012. Smart grid security: Threats, vulnerabilities and solutions.International Journal of Smart Grid and Clean Energy,1(1), pp.1-6. Barai, B. and De, N., Iviz Techno Solutions Pvt. Ltd, 2013. Method and system simulating a hacking attack on a network. U.S. Patent 8,464,346. Bergman, N., Stanfield, M., Rouse, J., Scambray, J., Geethakumar, S., Deshmukh, S., Matsumoto, S., Steven, J. and Price, M., 2013. Hacking exposed: Mobile security secrets solutions. McGraw-Hill. Canali, D. and Balzarotti, D., 2013, February. Behind the scenes of online attacks: an analysis of exploitation behaviors on the web. In 20th Annual Network Distributed System Security Symposium (NDSS 2013) (pp. n-a). Cha, S.W., Park, J.S., Cho, J., Han, K.S. and Kim, J.B., 2016. A Study on the Web Services Vulnerability Assessment Plan. International Journal of Security and Its Applications, 10(7), pp.203-212. Choucri, N., Madnick, S. and Ferwerda, J., 2014. Institutions for cyber security: International responses and global imperatives.Information Technology for Development,20(2), pp.96-121. Das, P., Classen, H.W. and Dav, R., 2013. Cyber-Security threats and privacy controls for cloud computing, emphasizing software as a service.The Computer Internet Lawyer,30, pp.20-24. Desai, M., Patel, S., Somaiya, P. and Vishwanathan, V., 2016. Prevention of Distributed Denial of Service Attack using Web Referrals: A Review. Engebretson, P., 2013. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier. Goolsby, R., Shanley, L. and Lovell, A., 2013.On cybersecurity, crowdsourcing, and social cyber-attack. OFFICE OF NAVAL RESEARCH ARLINGTON VA. Greenwald, G., 2014. Hacking Online Polls And Other Ways British Spies Seek To Control The Internet. Internet: https://firstlook. org/theintercept/2014/07/14/manipulating-online-pollsways-british-spies-seek-control-internet, Stand, 24, p.2014. Jang-Jaccard, J. and Nepal, S., 2014. A survey of emerging threats in cybersecurity.Journal of Computer and System Sciences,80(5), pp.973-993. Kandias, M., Stavrou, V., Bozovic, N. and Gritzalis, D., 2013, November. Proactive insider threat detection through social media: The YouTube case. InProceedings of the 12th ACM workshop on Workshop on privacy in the electronic society(pp. 261-266). ACM. Kumar, A., Gupta, S.K., Rai, A.K. and Sinha, S., 2013. Social networking sites and their security issues.International Journal of Scientific and Research Publications,3(4), pp.1-5. Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition.Information Management,51(1), pp.69-79. Lyne, J. (2013) 30, 000 web sites hacked A day. How do you host yours? Available at: https://www.forbes.com/sites/jameslyne/2013/09/06/30000-web-sites-hacked-a-day-how-do-you-host-yours/#53acf2d93a8c (Accessed: 22 October 2016). OConnell, M.E., 2012. Cyber security without cyber war.Journal of Conflict and Security Law,17(2), pp.187-209. Reddy, G.N. and Reddy, G.J., 2014. A Study of Cyber Security Challenges and its emerging trends on latest technologies.arXiv preprint arXiv:1402.1842. Rodriguez, C. and Martinez, R., 2013. The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security. Frost Sullivan, pp.1-25. Sadeghian, A., Zamani, M. and Shanmugam, B., 2013, September. Security threats in online social networks. InInformatics and Creative Multimedia (ICICM), 2013 International Conference on(pp. 254-258). IEEE. Shema, M., 2012. Hacking web apps: detecting and preventing web application security problems. Newnes. Vacca, J.R., 2012.Computer and information security handbook. Newnes. Vasek, M., Wadleigh, J. and Moore, T., 2016. Hacking is not random: a case-control study of webserver-compromise risk. IEEE Transactions on Dependable and Secure Computing, 13(2), pp.206-219. Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security.computers security,38, pp.97-102. Whitman, M.E. and Mattord, H.J., 2013.Management of information security. Nelson Education. Xu, W., Groves, B. and Kwok, W., 2016. Penetration testing on cloud---case study with owncloud. Global Journal of Information Technology, 5(2), pp.87-94. Zhang, J., Notani, J. and Gu, G., 2014, September. Characterizing Google Hacking: A First Large-Scale Quantitative Study. In International Conference on Security and Privacy in Communication Systems (pp. 602-622). Springer International Publishing.