Sunday, March 24, 2019

PBL 3 - IT Network, Telecommunication Risks

Authentication: Password Management (eSecurity Vol 45, page 12)

1) Based on the article, identify and list the related IT network and telecommunication risks (at least 3)

1) Password stolen, captured, copied, guessed or forged
2) Authentication bypass
3) Brute force attack
4) Sharing password
5) Weak password recovery mechanism
6) Account lockout


2) State your opinion on a countermeasure strategy to govern each risk

1) Avoid using very weak passwords such as ‘12345’.
2) Use a strong password with characteristics such as:
  • At least eight alphanumeric characters long.
  • A combination of numbers, symbols, and capital and lower-case letters.
3) Do not use obvious dictionary words or combinations of dictionary words such as “password”.
4) Make the password personal and easy to remember, but ensure that the “personal” information is not available online.
5) Change the password periodically, for example once every six months.
6) Never write down, share or store passwords online.
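As an added example (not part of the original post), a Python check that applies the rules above: minimum length, the character mix, a blocklist of very weak passwords like ‘12345’ and “password”, a dictionary-word check that also catches the usual letter substitutions, and a check against the user's own personal details. The word lists and the personal_info parameter are illustrative assumptions.

```python
import re

# Added illustration of the password rules above. Both word lists are small,
# constructed samples; a real deployment would use a full breached-password list.
VERY_WEAK = {"12345", "123456", "password", "qwerty", "letmein", "abc123"}
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "admin"}
# Undo the usual substitutions (@->a, $->s, 0->o, 1->i, 3->e, 4->a, 5->s) so that
# 'P@ssw0rd1' is still recognised as the dictionary word 'password'.
DELEET = str.maketrans("@$01345", "asoieas")


def check_password(password: str, personal_info=()) -> list:
    """Return the list of policy rules the password breaks (empty list = accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    if lowered in VERY_WEAK:
        problems.append("very weak password")
    normalised = lowered.translate(DELEET)
    for word in sorted(DICTIONARY):
        if word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    # Rule 4: nothing that identifies the user (name, town, birth year) may appear,
    # even with substitutions applied. personal_info is an assumed caller-supplied list.
    for item in personal_info:
        item = str(item).lower()
        if item and (item in lowered or item in normalised):
            problems.append(f"contains personal detail '{item}'")
    return problems


if __name__ == "__main__":
    for pw in ("12345", "P@ssw0rd1", "Welcome2019", "Xk9#vQ2m!Lp7"):
        print(pw, "->", check_password(pw) or "accepted")
```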

Individual lessons learnt:
  1. Syuhadah - “Password is like our own treasure. It should be mysterious yet really valuable. Never let anyone know about your treasure. Keep it to yourself so it will always be safe.”

  2. Amalina - “We need to make our own password unique enough, as it will differ from others and make it difficult for a ‘hacker’ to steal our password.”

  3. Aqilah - “Choosing a hard-to-guess but easy-to-remember password is important.”

  4. Shamila - “Password is something like a door which needs to be locked or secured because there’s something valuable behind the door, meaning it contains data or information.”

  5. Alysha - “Passwords are like our life where we put important things inside and need to be secured properly so that others can’t take from us without our consent.”



IT DEPARTMENT ORGANIZATIONAL CHART

IT DEPARTMENT
TELECOMMUNICATION COMPANY

INTERNAL FUNCTION

Columns: Internal Function | Descriptions | Potential Risk | User

1. Network Manager
   Description: Responsible for installing and maintaining the company network and for training staff to provide first-line technical support. Has a recovery plan in order to minimize disruption to the business when the network is down.
   Potential risk: Cyber attacks, including spear phishing aimed at a specific targeted company.
   User:
   - Employees of the company

2. Database Manager
   Description: Deals in data; financial records, credit card accounts, billing addresses and other customer records are all stored in databases. Maintains the functionality and privacy of the database systems and troubleshoots unforeseen system problems.
   Potential risk: A perennial threat: malware is used to steal sensitive data via legitimate users using infected devices.
   User:
   - Employees of the company
   - Data entry department

3. Technical Manager
   Description: Provides support to users with computer or other technical difficulties and generates ideas for improving technical products. Must also provide guidance to all members of the team when it comes to designing, implementing and updating software, and is responsible for addressing faults within any company system and making sure those faults are fixed.
   Potential risk: Short circuit; theft of hardware components.
   User:
   - Employees of the company
   - Customers

4. Help Desk Manager
   Description: Manages the service desk and oversees the delivery of quality technical support to internal or external clients who have contracted technical support services. Needs knowledge of both the software and the hardware systems.
   Potential risk: Human error, such as not answering or replying to calls and emails.
   User:
   - Customers
   - The frontline team of the service desk

5. Application, Development and Implementation Manager
   Description: Performs systems analysis and project management activities, which include planning, designing, implementing and maintaining district-wide business applications and computer systems.
   Potential risk: Systems or applications not functioning properly.
   User:
   - Employees of the company
   - Customers

6. Information Management and Security Manager
   Description: Coordinates and executes security policies and controls, and assesses vulnerabilities within the company.
   Potential risk: Malware infecting the network, software or computer hardware.
   User:
   - Employees of the company
   - Customers

7. DBA
   Description: A specialized computer systems administrator who maintains a successful database environment by directing or performing all related activities to keep the data secure. The main responsibility of a DBA is to maintain data integrity.
   Potential risk: Deployment failures at the moment of deployment, data leaks and stolen database backups.
   User:
   - Employees of the company
   - Data entry

8. Infrastructure Technician
   Description: Provides support to internal and external customers, helping them to be productive when using technology to do their own jobs, by using tools to problem-solve and troubleshoot non-routine problems.
   Potential risk: Limitation of budget.
   User:
   - Employees of the company
   - Customers

9. Portal Admin
   Description: Develops the whole portal layout and maintains the functionality of the entire site.
   Potential risk: Portal breakdown.
   User:
   - Employees of the company
   - Customers

10. Information Security Analyst
   Description: Monitors the computer network for security issues. Investigates security breaches and other security incidents. Installs security measures and operates software to protect systems and information infrastructure, including firewalls and data encryption programs.
   Potential risk: Data breach, hacking.
   User:
   - Employees
   - DBA


OUTSOURCED FUNCTION

Columns: Outsourced Function | Description | Reason | Potential Risk | User

1. IT Technician
   Description: Organizes and schedules upgrades and maintenance without deterring others from completing their work. Performs troubleshooting to diagnose and resolve problems, such as repairing or replacing parts and debugging. Maintains records or logs of repairs, fixes and the maintenance schedule.
   Reason:
   - Save costs and time
   - No need to hire a new technician in every department
   Potential risk: The outsourced technician might be busy with other jobs outside and cannot come on time.
   User:
   - Employees of the company
   - Any department that requires a technician to upgrade and maintain the system

2. IT Solution Specialist
   Description: Supports the technical specification to solve customers’ needs by understanding those needs and translating them into a platform or configuration for new products or services.
   Reason:
   - To oversee what we might have overlooked in our system
   Potential risk: New features and functionality might contain bugs.
   User:
   - Employees of the company
   - IT specialist team
   - Customers

3. Trainer
   Description:
   - Training plan
   - Timing of the different training sessions
   - Choosing the relevant training methods
   - Preparing the training materials and aids
   - Conducting training sessions
   - Evaluating the post-training session
   User:
   - New employees of the company

4. System Analyst
   Description: Specializes in analyzing information systems to solve the company’s business problems, rather than analyzing the information technology for their own business.
   Reason:
   - Save cost
   Potential risk:
   - Hardware and software failure, such as data corruption
   - Security breaches
   User:
   - Employees of the company
   - System analyst team

5. Mobile App Developer
   Description: Creates, maintains and implements the source code to develop mobile apps and programs that meet the needs and requirements of the client, using computer programming languages.
   Reason:
   - No in-house specialist in this area
   - Save cost
   Potential risk: The outsourced developer might not meet our expectations because they might think they can easily build the app without looking at important aspects such as security.
   User:
   - Application, Development and Implementation Manager

Monday, March 4, 2019

Risk Inventory

Columns: IT System Component | Risk | Likelihood | Impact | Category | Likelihood of risk and consequence | Suggested risk control

1. Hardware

   1. Theft (laptop used by the Dean)
      Likelihood / Impact / Category: Likely / Severe / High
      Likelihood of risk and consequence: The impact is severe because the Dean holds access to much important data. (4)
      Suggested risk control: Defense
      - Lock the laptop bag
      - Bring the bag everywhere

   2. Hardware failure
      Likelihood / Impact / Category: Possible / Significant / Med Hi
      Likelihood of risk and consequence: The impact is significant because hardware failure will disturb productivity. (3)
      Suggested risk control: Defense
      - Ensure proper usage of hardware

2. Software

   1. Software failure (iTaleem crash; malware)
      Likelihood / Impact / Category: Likely / Significant / Med Hi
      Likelihood of risk and consequence: The impact of the risk is likely significant because software failure may cause trouble to the company. (4)
      Suggested risk control: Acceptance
      - Programmers need to pay more attention when building the software
      - Use an agile method so that the software stays up to date

   2. Security flaws (HTTPS website; limited software access)
      Likelihood / Impact / Category: Very likely / Severe / High
      Likelihood of risk and consequence: The impact of the risk is very likely severe because every piece of software needs strong protection so that it is not easily attacked. (5)
      Suggested risk control: Defense
      - The company should run an awareness campaign about the safety of the software so that the software is secured
      - The company should not give access to outsiders

3. Network

   1. Phishing
      Likelihood / Impact: Likely / Severe
      Likelihood of risk and consequence: The impact of this risk is likely and severe, as technology is now easily accessed and someone can easily gain sensitive information. (4)
      Suggested risk control: Defense
      - Educate users about ethics in using the network

   2. Malicious threat
      Likelihood / Impact: Possible / Significant
      Likelihood of risk and consequence: All devices are equipped with antivirus, so a malicious threat is possible if it is not up to date, but the impact is significant as it might damage or steal information from the network. (3)
      Suggested risk control: Defense
      - Install antivirus software and ensure that it can detect anything in downloaded files

4. Data

   1. Loss of data (hacking; virus)
      Likelihood / Impact / Category: Possible / Severe / Med Hi
      Likelihood of risk and consequence: The impact of this risk is severe, as it will affect the organization, which holds confidential information. (5)
      Suggested risk control: Defense
      - Back up the data in cloud computing
      - Every organization needs to have a BCDR plan

   2. Breach of data (loss of worker ID; password authorization)
      Likelihood / Impact / Category: Possible / Significant / Med Hi
      Likelihood of risk and consequence: The impact of this risk is significant when the organization does not provide good security measures. (4)
      Suggested risk control: Acceptance
      - The company needs to hold special security workshops for workers

5. People

   1. Old people
      Likelihood / Impact / Category: Very likely / Moderate / Med Hi (3)
      Suggested risk control: Termination
      - Set a retirement age for employees
      - Put a contract term in place for each employee

   2. Sick employee
      Likelihood / Impact / Category: Possible / Moderate / Medium (3)
      Suggested risk control: Acceptance
      - Give medical insurance to each employee
      - Provide free medical treatment for each employee

6. Process

   1. Manual course registration
      Likelihood / Impact / Category: Likely / Significant / Med Hi (4)
      Suggested risk control: Acceptance
      - ITD needs to align with the kuliyyah regarding students' courses and availability
      - Students should be notified of all rejected courses that they reserved

   2. Unsystematic mahallah registration
      Likelihood / Impact / Category: Possible / Moderate / Medium (3)
      Suggested risk control: Acceptance
      - Stick to one mahallah registration system only

Assigning Likelihood & Consequences/Impact: Risk Category