Information security threats are activities that can violate the protected state of information. In other words, they are possible events, processes, or actions that can cause damage to information and computer systems. Information security threats can be divided into two types: natural and artificial (Bieder & Gould, 2020). Natural threats include disasters that do not depend on humans, such as hurricanes, floods, and fires. Man-made threats depend directly on a person and can be intentional or unintentional. Unintentional threats arise from negligence, inattention, and ignorance (Bieder & Gould, 2020). An example of such a threat is the installation of programs that are not needed for work and that later disrupt the system, which leads to the loss of information.
Depending on the different classification methods, all possible information security threats can be divided into several main subgroups.
- Unwanted content is not only malicious code, potentially dangerous programs, and spam, but also sites prohibited by law as well as unwanted resources with information that does not correspond to the age of the consumer (Bieder & Gould, 2020).
- Unauthorized access – viewing information by an employee who does not have permission to use it, by exceeding official authority. Unauthorized access leads to information leakage. Depending on what the data is and where it is stored, leaks can be organized in different ways, namely through attacks on websites, hacking programs, intercepting data over the network, using unauthorized programs.
- Data loss can be considered one of the main threats to information security. Violation of the integrity of information can be caused by equipment malfunction or deliberate actions of people, whether they are employees or intruders (Balsamic et al., 2021).
- An equally dangerous threat is fraud using information technology (“fraud”).
Fraud includes not only manipulations with credit cards (“carding”) and hacking of an online bank, but also internal fraud. The goals of these economic crimes are to circumvent laws, security policies, or regulations, and to embezzle property.
In addition, it makes sense to consider possible sabotage by employees, which plays an important role in the security of the entire system. Some employees who have access to confidential data can hand it over to attackers for personal gain. There is also the possibility of deliberately breaking the entire system for revenge or to avoid work (Balsamic et al., 2021). The human factor is relevant to the case of the TWICS company as well, and should be taken into account when developing a security mechanism. In order to avoid breaches caused by employees, it is necessary to keep a controlled, accountable list of those authorized to interact with databases and operating systems (Bieder & Gould, 2020). This will allow management to monitor the authority of employees, as well as increase the level of accountability. At the same time, the list of authorized employees should be short, and their computers should have special software that allows remote monitoring of activities.
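The access list control described above can be checked mechanically by comparing the approved list with the grants that actually exist on the systems. The following is an added example, not part of the original essay; the account names, system labels, and the ceiling of five privileged accounts are constructed assumptions.

```python
from dataclasses import dataclass

MAX_PRIVILEGED = 5  # assumed ceiling for the "short list"; not from the essay


@dataclass(frozen=True)
class Grant:
    account: str
    system: str     # constructed labels such as "db:courses" or "os:web01"
    privilege: str


# Constructed approval list kept by management: account -> systems it may use.
APPROVED = {
    "a.ivanova": {"db:courses", "os:web01"},
    "b.chen": {"db:courses"},
}

# Constructed snapshot of grants exported from the systems themselves.
ACTUAL = [
    Grant("a.ivanova", "db:courses", "admin"),
    Grant("a.ivanova", "os:web01", "admin"),
    Grant("b.chen", "db:courses", "read"),
    Grant("b.chen", "db:payroll", "read"),           # system never approved
    Grant("tmp_contractor", "db:courses", "write"),  # account never approved
]


def review(approved, actual, max_privileged=MAX_PRIVILEGED):
    """Return sorted (finding, account, detail) tuples for management review."""
    findings, seen = [], set()
    for g in actual:
        seen.add((g.account, g.system))
        if g.account not in approved:
            findings.append(("unapproved_account", g.account, g.system))
        elif g.system not in approved[g.account]:
            findings.append(("excess_grant", g.account, g.system))
    # An approval with no matching grant is stale and should leave the list.
    for account, systems in approved.items():
        for system in systems:
            if (account, system) not in seen:
                findings.append(("stale_approval", account, system))
    holders = {g.account for g in actual}
    if len(holders) > max_privileged:
        findings.append(("list_too_long", "*", f"{len(holders)} > {max_privileged}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(APPROVED, ACTUAL):
        print(finding)
```

Run on a schedule against real exports, each finding becomes a line item for the manager who owns the approved list.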
Vulnerability and Threats
Attacks fall into two types: basic and dangerous. DDoS (Distributed Denial of Service) is an attack aimed at bringing the site out of action. The company’s website stops working and, as a result, stops attracting customers and making a profit. This type of attack is a popular method to pressure and eliminate competitors, which is the case for the TWICS scenario (Balsamic et al., 2021). The perpetrator of such attacks in most cases remains unpunished, since it is almost impossible to collect an evidence base. In addition, the advent of cryptocurrencies makes tracking the chain of cash flow from customer to executor much more difficult.
Another vulnerability is an attack that is aimed at compromising the educational resources that the TWICS company provides. In this case, the web resource is examined for vulnerabilities, the exploitation of which leads to full or partial control over the site, theft of confidential information, penetration into the company’s internal network, and attacks on application users.
In order to deal with the above dangers, it is necessary to identify weaknesses both in the business system and in the staffing of the organization. To do this, the most effective method will be a short survey that covers all the aspects necessary for this area and provides redundant information (Help Net Security, 2013). Specialists who conduct such a survey can provide high-quality advice to management and close gaps in operational safety. This diagnostic tool consists of the following questions:
- How often do you read files on computers? The answer to this question will allow network safety specialists to understand what is happening with the cache and how high the risk of finding both malicious and compromising files is.
- Does the organization have programmers and a technical department? Such information will allow specialists to identify the presence of specialists in the corporation, which contributes to the conclusion about the level of security and quick response to problems (Help Net Security, 2013).
- Who has access to information and databases? This question is one of the most important, since the degree of neglect of the situation depends on the response of the management (Ujwary-Gil, 2019). In other words, the number and quality of employees who have rights to interact with sensitive data will reveal the extent of potential threats and attacks.
- Do employees have the opportunity to work with data outside the workplace? The fact is that Internet networks and personal computers that are not protected by a corporation’s network are the most effective tools for hackers and scammers. In order to increase security, it is necessary to prohibit the processing of information outside the special network for any employees, including management.
- How often is the system subject to diagnostics and changes? Any database must be dynamic so that information is constantly updated. In this case, when data is leaked, they can quickly be made irrelevant, which will greatly complicate all hacking processes.
Countermeasures and Threat Prevention
Since the TWICS training company requires protection mechanisms against data breaches and DDoS attacks, it is necessary to consider the proposed tools for improving security in more detail. The first tool is security during development. When ordering the development of an application, security issues should be discussed at the stage of signing the contract. The client should clarify whether the developer has a specialist in charge of application security or uses the services of external auditors (Help Net Security, 2013). This stage is very important, because later, if many vulnerabilities are discovered, it will be easier to rewrite the application from scratch than to fix all the holes.
Additionally, information security outsourcing is used if the project is already running: specialists then need to consider engaging companies that specialize in application testing to conduct penetration tests and security audits of the source code (Ulema, 2019). Another tool is a source code security audit, also known as a code security review. It is a service that makes it possible to check each line of code for vulnerabilities, with the aim of maximizing the detection of SQL injections, XSS, CSRF, buffer overflows, and race conditions before project launch.
The penetration test is aimed at identifying business logic vulnerabilities, incorrect access control, and incorrect authentication and session management. The task of the auditor is to bypass all means and methods of protecting the application and gain access to private data. It is important to understand that the audit shows the level of security at the time of testing (Ulema, 2019). The growth dynamics of modern Internet projects and their constant updates (adding new functionality, updating code, and expanding infrastructure) lead to the emergence of new untested areas that may potentially contain vulnerabilities (Ujwary-Gil, 2019). Therefore, management should not forget to test periodically, at least once a year, and constantly monitor logs for security incidents.
All of the above approaches are effective in reducing the consequences of computer attacks. For example, when databases are attacked by hackers, auditing and testing can protect data by changing sensitive information in a timely manner. Thus, when fraudsters obtain passwords or IP addresses, these details will be changed during their attack. The consequence of such a process will be the interruption of access to information for third parties, which means that a significant part of the data will go untouched.
Implementing security awareness and knowledge about what to do in the event of an attack is critical. To achieve a high level of personnel training, it is necessary to conduct monthly retraining and create an office of programmers who have the most up-to-date information and control over all resources. In addition, specialists must carry out daily monitoring of the system, which will allow them to instantly notice attempts to hack or steal information. In order not to train specialists from scratch, it is necessary to set standards for personnel, for example, obtaining specialized education.
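The constant log monitoring and daily system monitoring recommended above can be partly automated. The following is an added example, not part of the original essay, that scans web access log lines for request floods and repeated authentication failures per source; the log lines, the 10-second window, and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "request" status size
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (ip, timestamp, status) or None for a line that does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])


def detect(lines, window=timedelta(seconds=10), max_requests=5, max_auth_failures=3):
    """Return sorted (alert, ip) pairs; the thresholds are assumed values."""
    requests, failures = defaultdict(deque), defaultdict(deque)
    alerts = set()
    for line in lines:
        record = parse(line)
        if record is None:
            continue  # a real deployment would count unparsable lines
        ip, ts, status = record
        for queue, hit, limit, kind in (
            (requests[ip], True, max_requests, "request_flood"),
            (failures[ip], status in (401, 403), max_auth_failures, "auth_failures"),
        ):
            if hit:
                queue.append(ts)
            while queue and ts - queue[0] > window:  # drop events outside the window
                queue.popleft()
            if len(queue) > limit:
                alerts.add((kind, ip))
    return sorted(alerts)


def sample_log():
    """Constructed log lines using documentation-only IP ranges."""
    def row(ip, sec, request, status):
        ts = (datetime(2024, 1, 1, 12) + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S")
        return f'{ip} - - [{ts} +0000] "{request} HTTP/1.1" {status} 512'
    lines = [row("192.0.2.10", s, "GET /courses", 200) for s in range(8)]
    lines += [row("198.51.100.7", 2 * s, "POST /login", 401) for s in range(4)]
    lines += [row("203.0.113.5", 30 * s, "GET /", 200) for s in range(3)]
    return lines + ["corrupted entry"]
```

Thresholds this low only suit the constructed sample; on a real site they would be tuned against normal traffic before alerts are routed to the monitoring team.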
Safety Network Diagram
The following diagram reviews the data security plan for the TWICS company. The organization operates with two web servers, which are represented by one web server logo to simplify the diagram visually. The same applies to the number of routers on campus, as well as to the three file servers and the e-mail server, which are united in one main server. All internet connections should be secured by the firewall, which provides basic protection from hacking, malware, and data breaches.
In addition, the diagram mentions the team of security specialists and auditors who will interact with the company’s staff and IT department by conducting regular trainings. The team of specialists will also ensure that the company’s employees act according to the information technology code of conduct and code of ethics, to eliminate the probability of the human factor in data breaches. Finally, the security specialists will consult the TWICS company on the matter of effective data protection software and give instructions to users on how to protect the resources provided at the training center on their own devices.
Staff Training Plan
An important part of ensuring a high level of company protection is the training of programmers. The IT sphere is dynamic and develops rapidly, which leads to the rapid obsolescence of knowledge and loss of competence. In order to avoid this, it is necessary to hire specialists with the appropriate education and work experience (FitzGerald et al., 2020). Security should be entrusted only to experienced and reputable professionals. In addition, information is a form of income, so most people have selfish motives. In order to protect the organization from any leaks, it is necessary to hold specialists to strict liability.
Programmers already working in the company must be sent for advanced training and provided with access to the most relevant courses that provide innovative knowledge. The purpose of such courses is to gain knowledge in the professional field of programming, system administration, testing. It is also necessary to form an extensive library of technical and educational literature in the company. If necessary, the company should purchase educational and reference literature, subscribe to specialized periodicals.
It is important to emphasize that employee training should be carried out using remote training technologies. This will allow professionals to improve the quality of knowledge and skills without neglecting the work. This must be done gradually, and not once, so as not to leave the system unprotected. In other words, the best solution is to train specialists in groups, so that one replaces the other. This will effectively distribute time management so that neither employees nor the organization take risks.
One possible source of data breaches is the bring your own device (BYOD) policy in place at the TWICS company. Therefore, the organization should develop a set of instructions and guidelines for clients who want to use their own devices and store the company’s materials on them. Such instructions may include a strict prohibition on transferring course materials to third parties. The security specialists and the company’s IT department should provide mandatory trainings to BYOD customers and provide them with the necessary software that protects their devices. This way, data breaches that originate from the BYOD policy would be minimized.
In addition, the business has to develop a culture of cybersecurity. Most organizations assign duties to staff of protecting the online business platforms through well-structured ideas and processes. The collaboration between business continuity and cybersecurity can fail in circumstances where the culture is missing. For success to be ensured, there needs to be effective communication coupled with a clear and quick response that is accurate in ensuring a robust recovery assessment. The attack has to be combated and measures put in place to ensure future attacks do not occur. Quick response to secure the data that had been corrupted is crucial in ensuring business continuity.
The culture of cybersecurity should be passed on to all employees by educating them on the impact of cyber-attacks on a business and the measures to protect the organizational data from manipulators and attackers. Creating awareness for all staff is more efficient than leaving the issue to the top management. All companies have to develop an internal mechanism to control cybercrimes and enhance the security of their business operations. All the employees should be given unique passwords that they should never save on sites, to prevent access to information by personnel who do not need it. The passwords should be changed frequently to prevent other people from mastering them. The literature supports the claim that businesses are experiencing attacks that need to be addressed to ensure the integrity of data and continuity of the organization.
In order to fully test the implemented changes for effectiveness, it is necessary to conduct complex testing and diagnostics. A penetration test is a type of security testing that is used to test the security of an application. It is conducted to detect a security threat that may be present in the system. If a system is not secure, then any attacker can compromise it or gain unauthorized access to data (FitzGerald et al., 2020). A security risk is usually an accidental error that occurs during the development and implementation of software.
Penetration testing typically evaluates a system’s ability to protect its networks, applications, endpoints, and users from external or internal threats. It also tries to protect security controls and only allows authorized access (FitzGerald et al., 2020). This must be done whenever:
- The security system detects new threats from intruders.
- A new network infrastructure is being added.
- The system is being updated or new software is being installed.
- A new end user program or policy is installed.
Penetration testing is a combination of methods that examine various problems of systems, then test, analyze, and provide solutions. It is based on a structured procedure that performs penetration testing step by step (Ujwary-Gil, 2019). The results of this process allow specialists to identify all weaknesses and eliminate them. It is with the help of this method that it is possible to evaluate the effectiveness of the actions taken to improve safety.
References
Balsamic, B., Himani, B., Sumathi D., Firoz Khan, K. P. and Poongodi, T. (Eds.). (2021). Convergence of blockchain technology and e-business. CRC Press.
Bieder, C. and Gould, K. P. (Eds.). (2020). The coupling of safety and security. Exploring interrelations in theory and practice. Springer International Publishing.
FitzGerald, J., Dennis, A. and Durchikova, A. (2020). Business data communications and networking. Wiley.
Help Net Security. (2013). Top 10 security threats for 2011. Web.
Ulema, M. (2019). Fundamentals of public safety networks and critical communications systems. Wiley.
Ujwary-Gil, A. (2019). Organizational network analysis. Auditing intangible resources. Taylor & Francis.