Identifying Potential Risk, Response, and Recovery

Executive Summary 

Malicious attacks on information systems present ever increasing problem to organizations. The damage to confidential information, the financial repercussions and damage to company reputations are some of the problems. Assignment 1 identified the three types of attacks as active attacks, passive attacks and phishing and social engineering attacks. All these attacks are unique, and yet their probability of occurrence are still high. It is necessary for the organization to initiate risk mitigation strategies for all the attacks. The strategies can avoid, reassign, mitigate, or accept risks depending on identified controls. The active attacks are the most dangerous forms of attack for a videogame company, and though they are easy to detect, they are hard to prevent. Therefore, the company should focus on putting in place effective risk preventative, mitigation and reassignment strategies. This paper details different risk management strategies for the three different types of attacks. Notably, a videogame company has vast and sensitive information on game development and confidential customer information, thus it is necessary to put in place administrative, preventative, detective and corrective controls to compliment the risk prevention, mitigation and risk assignment strategies. 

Active Attacks Management Strategies

As discussed earlier, active attackers try to bypass and break into secured organization systems and networks using viruses, worms and Trojan horse. Active attackers are after confidential and important information and data. While it is easy to detect active attacks, it is hard to prevent those (Golchha et al., 2014). Active attacks are very risky for a videogame company as they target sensitive product information, hence the organization should put in place risk avoidance and risk mitigation strategies just in case the risk avoidance strategy does not work. Nonetheless, the organization should have risk acceptance and assignment strategies in place. 

The common sources of active attacks are viruses, worms and Trojan horse. The organization can install anti- virus as a risk avoidance measure. Other avoidance mechanisms are use of internet firewall and unique passwords that make it hard for active attackers to access the system (Golchha et al., 2014).

Risk mitigation strategies for active attacks include backup and encryption. Through information backup, the company will retain original information even after the attacker has interfered with the information and data in the system. Encryption is an avoidance and a mitigation strategy as it ensures that important video game information cannot be understood by attackers. 

A risk acceptance strategy involves no strategies, the organization will go on with its activities and hope the attackers will not attack, and if they do, the organization will accept the consequences and move on. Lastly, a risk assignment strategy involves hiring a third party to be in charge of the company’s information security. There are companies that specialize in information security, and businesses with sensitive information tend to rely on this strategy. 

There are potential controls for active attacks that will reinforce the above strategies. Administrative controls are laws, regulations, policies and practices for the organization’s information security (Northcutt, 2016). Administrative controls can be preventative, detective or corrective. For instance a preventative control for active attacks can be a system software that prevents all employees from accessing sensitive information, a firewall or even physical access security. An example of a detective control is antivirus, while backup data is a corrective control. 

Passive Attacks

Passive attacks involve monitoring of non-encrypted traffic to access passwords and private information. The aims of passive attack is to access and disclose confidential and sensitive information without the approval of the owner. In most cases, passive attack is also used as the foundation of an active attack, and sadly they are hard to detect as they do not alter the existing data (Raiyn, 2014). 

There are different strategies associated with different risks presented by a passive attack. For instance, a risk mitigation strategy is through the use of Network admission control (NAC), NAC quarantines the unauthorized passive attack to prevent damage (Teji et al., 2013). A risk avoidance strategy for passive attacks involves a combination of firewall, remote access security, encryption and intruder prevention system (IPS). All these prevention strategies are aimed at preventing passive attackers from accessing sensitive information and using it to cause damage to the organization. 

A risk acceptance approach will not reduce the effects of passive attacks, however it is worth considering when the organization is not involved in serious and important projects. Under a risk acceptance strategy, the organization will recognize the threat of passive attacks but it will do nothing to prevent them in that preventing will be more costly to the organization. Lastly, a risk assignment strategy involves handing over information security to a third party to implement prevention and mitigation strategies such as encryption.

To implement the above risk strategies, the company has to put in place administrative, preventative, detective and corrective control. The administration can put in place tougher security measures and policies for instance through security training. A notable preventative control for passive attack is an intruder prevention system (IPS). The IPS can also be used as a detective control alongside system monitoring. Lastly, the company can constantly upgrade its OS, processes and application as a corrective control for passive attacks (Northcutt, 2016).

Phishing and Social Engineering attacks

Phishing schemes are quite common these days, it involves spoofing emails and malware infected websites. Social engineering on the other hand involves the use of social skills to gain access to confidential information. 

A risk avoidance strategy for phishing and social engineering risk is through staff training. This form of attacks use various strategies to target human beings at their weakest link, therefore every employee at the company should be trained to identify their weakest link to prevent such attacks. They will be trained on how to avoiding divulging sensitive information on unsecure websites, avoiding fishy email attachments and links and avoiding phone phishing. 

A risk mitigation strategy is through investigative technical solutions which can identify the source of attack. Implementation of intrusion detection system (IDS), IPS and email monitoring solutions can help the organization to trace the source of the attacks and minimize its consequences. 

Alternatively, the organization can train its employees on the notoriety of phishing and social engineering attacks, and adopt a risk acceptance approach and be prepared for the worst. The risk acceptance strategy is not a wise strategy, and the organization can choose to use a risk assignment strategy if it is incapable of putting in place effective risk management strategy. 

The administration should also put in place various preventative, detective and corrective controls for phishing and social engineering attacks. Constant staff training is an effective preventative control which can also act as a detective measure as phishing targets human vulnerabilities. Lastly, a corrective control for phishing and social engineering is effective training, improved filtering mechanism and data backup. 

References

Golchha, P., Deshmukh, R., & Lunia, P. (2014). A Review on Network Security Threats and Solutions. International Journal of Scientific Engineering and Research (IJSER), 3 (5), 21-24. 

Northcutt, S. (2016).Security Controls. SANS Technology Institute. Retrieved from: http://www.sans.edu/research/security-laboratory/article/security-controls

Raiyn, J. (2014). A survey of Cyber-Attack Detection Strategies.  International Journal of Security and Its Applications ,  8 (1), 247-256.

Teji, J., Chuchra, R., Mahajan, S., Gill, M., & Dandi, M. (2013). 247 Detection and Prevention of Passive Attacks in Network Security . International Journal of Engineering Science and Innovative Technology (IJESIT), 2 (6), 247-250.