
Risk Management Assignment Investigating IS Security Threats Within Royal Adelaide Hospital

Question

Task:
Risk Management Assignment Details:
This assessment is designed to assess your technical skills in investigating IS security, risk threats and management for an organization. The assessment also assesses your skills in evaluating risk management techniques and IS auditing. You are required to select an organization that uses information systems to perform daily business operations. You have to identify the most valuable assets of the organisation and investigate the security threats and mitigation techniques. You also have to propose/evaluate the risk management techniques adopted by the selected organization to ensure reliability, confidentiality, availability, and integrity. You also have to discuss the audit plan and processes used by the organization and investigate the impact of human factors on security and risk management.

Task Specifications
This assessment includes three tasks as follows:

Task-1:
Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. Use the Steghide tool available in Kali Linux/Linux to hide a text file that includes your group students' names and IDs in an audio file. You first have to create an audio file of no more than 30 seconds that records your group students' names only. Then, you have to create a text file that includes the group details, including names and student IDs. Finally, use the Steghide tool (use APIC as the passphrase) to embed your text file into the created audio file.

In your report, you have to provide screenshots demonstrating the steps and commands you followed to install Steghide, the way you used it to hide the group information text file in the audio file, and finally the steps to extract the text file from the audio file to verify your work.

Task-2:
Access control is granting or denying approval to use specific resources. Technical access control consists of technology restrictions that limit users on computers from accessing data. In this task you have to work in a group to understand Access Control Lists (ACL) and file system security in a Linux environment. You have to complete the tasks using Kali Linux or any Linux OS.

In your report, you have to provide screenshots demonstrating the steps you followed while carrying out the assignment task requirements according to your group's student IDs, first names and last names.

Task-3:
Discuss, with clear demonstration, how the steganography and access control list techniques that you conducted in Task-1 and Task-2, respectively, can achieve confidentiality, integrity, and availability (CIA). You have to provide justification during your discussion.

Answer

Introduction
Information Security (IS) and risk management, the subject of this risk management assignment, have emerged as one of the most significant concerns for any business organization because information security risks and attacks are increasingly frequent. Such events have negative implications for the organization's assets. They can also harm customers and stakeholders, whose confidential and private information may be compromised (Shamala et al., 2017).

To manage information security risks and issues, a number of security strategies and technologies have been developed.

Outline
The report gives a brief background to the selected organization and presents the organization's assets and the security threats and risks that these assets are exposed to. It then identifies the human factors and analyses their impact on the overall risk management process. Risk management and mitigation strategies are covered with reference to the CIA triad. Steganography, access control lists, and the audit plan are covered along with disaster recovery and cyber defence mechanisms.

Organization Background
The Royal Adelaide Hospital (RAH) is the largest hospital in South Australia and it provides primary and secondary health services to the patients. The hospital has 800 beds and it provides services to approximately 85,000 inpatients and 4,00,000 outpatients annually.

RAH makes use of technological systems and tools to enhance the quality of its services and operations. It uses cloud-based databases for storage and transmission of patient information, a billing and invoicing system, a tele-health monitoring system, a customer relationship management system, etc. (Rah, 2019).

Assets & Threats
The primary asset for RAH is patient data and information. The private health information of patients is stored in the form of electronic medical records (EMRs), which are significant assets for RAH. The details of the medical professionals and members of staff are also an important information asset. Other assets include medical documents and files, healthcare devices and equipment, organizational resources, and the organization's premises (Doynikova, Fedorchenko and Kotenko, 2019).

Due to the involvement of a number of cloud technologies and other computing resources, RAH is exposed to a number of threats.

Threat Name | Description
Malware Attacks | The RAH databases and systems may be attacked with different forms of malware, such as viruses, logic bombs, ransomware, etc. Sensitive information may be acquired and misused, which may violate the privacy of the patients.
Information Breaches | Unauthorized access to RAH networks and systems may be obtained to access and manipulate the information held on them (Bisogni and Asghari, 2020).
Data Loss | Some of the data packets over the network or the data sets present in the system may be dropped or deleted.
Phishing Attacks | Impersonation may be used to trick members of staff or patients into giving up personal information, such as credentials, which is then misused to gain access to the information sets (Baiomy, Mostafa and Youssif, 2019).
Network Eavesdropping | Unauthorized network monitoring may be carried out, which may expose confidential and private information.
Denial of Service | The availability of the information assets and information systems will be compromised by flooding the network channels with garbage values.
Selective Forwarding Attacks | Some of the nodes may be compromised and their respective entries in the route table may also be changed, which may make it impossible to streamline the flow of the nodes on the network route (Alajmi and Elleithy, 2015).
Integrity Violation | The message and media content may be manipulated.


Human Factors & their Contribution in the Risks
A number of human factors are associated with RAH and contribute to risk occurrence and behavior. The information systems used in RAH are accessed by administrative and medical staff members, who are granted access rights and permissions to these resources. These rights may be misused, giving rise to insider threats. Competitors of RAH may approach a few of the staff members and ask them to transfer confidential information (Mazitelli, 2015). Staff members may carry out such attacks for personal gain. However, the privacy of information will be compromised and RAH may face legal obligations as a result.

There are also risks and threats that may occur due to the negligence of users. The hospital provides tele-health monitoring services to patients. There are also online portals that can be used to book an appointment or hold a discussion with medical professionals. Patients may access such systems and portals on unsecured networks, which can make it easier for attackers to capture the network details. It is also possible that patients unknowingly share their credentials with unauthorized parties.

The devices used by patients and medical professionals may not be updated, which may also contribute to the security risks and threats.

Risk Management and Mitigation Techniques
The security risks and threats can be managed using a number of mitigation techniques and tools. The threats identified target the three primary properties of information: Confidentiality, Integrity, and Availability (CIA) (Malhotra, 2015). The mitigation techniques shall be efficient enough to manage all three of these information properties.

Steganography - Steghide Tool
Steganography is one of the techniques that RAH can use to hide secret and private information in an ordinary non-secret file or data. This will make sure that the secret information does not get leaked over the networks and is securely accessed at the destination (Hameed, 2015). A number of automated tools have now been developed, and one such tool is Steghide. RAH shall make use of this tool to effectively manage the information and data sets.

The Steghide tool was installed using the command: apt-get install steghide

The Steghide help feature was invoked using: steghide --help

To embed the text file within the audio file, the following command was used:

steghide embed -ef '/home/admin2626/Desktop/Studentdetails' -cf '/home/admin2626/Desktop/StudentRecording.m4a' -p APIC

However, the command returned an error saying that Steghide did not support the .m4a file format. As a result, the audio was re-recorded in a different format (.wav).

The same command was executed again, and this time it worked:

steghide embed -ef '/home/admin2626/Desktop/Studentdetails' -cf '/home/admin2626/Desktop/My Recording 29.wav' -p APIC

It resulted in:

embedding "/home/admin2626/Desktop/StudentDetails" in "/home/admin2626/Downloads/My recording 29.wav"... done

The text file was then extracted from the audio file for verification:

steghide extract -sf '/home/admin2626/Downloads/My recording 29.wav' -p APIC -xf '/home/admin2626/Downloads/extractedtext.txt'

It resulted in:

wrote extracted data to "/home/admin2626/Downloads/extractedtext.txt".

The file ‘extractedtext.txt’ contained the text that had been embedded within the audio file, confirming that the extraction was successful.
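The .m4a failure and the extract-for-verification step above can be scripted. This is an added example, not part of the original sample answer: carrier_format and embed_and_verify are hypothetical helper names, and the format check assumes Steghide's documented cover formats (JPEG, BMP, WAV and AU).

```shell
#!/bin/sh
# Added example (not from the original report).

# carrier_format FILE
# Classify a cover file by its leading magic bytes rather than its extension.
# Steghide accepts JPEG, BMP, WAV and AU covers; anything else (for example an
# .m4a recording, which is an MP4 container) prints "unsupported".
carrier_format() {
    magic=$(head -c 12 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        52494646????????57415645) echo wav ;;   # "RIFF" <size> "WAVE"
        2e736e64*) echo au ;;                   # ".snd"
        ffd8ff*) echo jpeg ;;
        424d*) echo bmp ;;                      # "BM"
        *) echo unsupported ;;
    esac
}

# embed_and_verify SECRET COVER STEGO PASSPHRASE
# Embed SECRET into COVER (result written to STEGO), extract it again to a
# temporary file and compare byte for byte. Returns 0 only if the round trip
# matches, and 2 if the cover format is rejected before steghide is called.
# Note: -p exposes the passphrase in the process list; omit it to be prompted.
embed_and_verify() {
    if [ "$(carrier_format "$2")" = unsupported ]; then
        echo "cover file is not JPEG/BMP/WAV/AU: $2" >&2
        return 2
    fi
    out=$(mktemp) || return 1
    steghide embed -q -f -ef "$1" -cf "$2" -sf "$3" -p "$4" &&
        steghide extract -q -f -sf "$3" -xf "$out" -p "$4" &&
        cmp -s "$1" "$out"
    rc=$?
    rm -f "$out"
    return "$rc"
}

# Usage with the report's file names:
#   embed_and_verify Studentdetails 'My Recording 29.wav' stego.wav APIC
```

A zero exit status from embed_and_verify means the extracted file is identical to the text file that was embedded, which is the verification the task asks for.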

Access Control Lists & File System Security – Linux Environment
Another technique which can be used to protect the information sets and the systems is the use of access control lists to enhance file system security. Most of the risks arise when attackers succeed in violating access control norms and measures (Lopriore, 2016). The use of access control lists and security measures will ensure that such risks can be mitigated.

S No | APIC Student ID | First Name | Last Name
1 | 201702844 | Muhammad | Babar
2 | 201702589 | Shahzaib | Shakeel
3 | 201701893 | Rajpreet Kaur | Sidhu

Creating Main Directory APIC
The first task was to create the directory; this was done using the following commands, and the directory was then set to full access.

Task: Create directory named APIC
Command:
mkdir APIC

Task: Set full access to APIC directory
Command:
sudo chmod a+rwx '/home/admin2020/APIC'

Creating Sub-directories under APIC
The next task was to create sub-directories under the main APIC directory with specific folder permissions, as detailed below. The following commands were used to achieve that.

Task: Create directory {StudentID1} and set read and write access permission only
Commands:
mkdir APIC/201702844
sudo chmod +rw '/home/admin2020/APIC/201702844'

Task: Create directory {StudentID2} and set read access permission only
Commands:
mkdir APIC/201702589
sudo chmod +r '/home/admin2020/APIC/201702589'

Task: Create directory {StudentID3} and set read and execute access permission only
Commands:
mkdir APIC/201701893
sudo chmod +rx '/home/admin2020/APIC/201701893'

Creating user and giving sub-directory permissions – User Muhammad

Another user, ‘Muhammad’, was added besides the default one and was then given access to two other sub-directories using the following commands.

Task: Create user {FirstName1}. Write ACL to enable: 1. full permission to {StudentID1}, 2. read and write permission to {StudentID2}, and 3. read permission only to other directories.
Commands:
sudo adduser muhammad
sudo chown muhammad '/home/admin2020/APIC/201702844'
sudo chmod -R 777 '/home/admin2020/APIC/201702844'
sudo chown muhammad '/home/admin2020/APIC/201702589'
sudo chmod -R +rw '/home/admin2020/APIC/201702589'
sudo chown muhammad '/home/admin2020/APIC/201701893'
sudo chmod -R +r '/home/admin2020/APIC/201701893'

Creating user and giving sub-directory permissions – User Shahzaib

The third user created was ‘Shahzaib’, who was given the following permissions using the commands detailed below.

Task: Create user {FirstName2}. Write ACL to enable: 1. full permission to {StudentID2}, 2. read and execute permission to {StudentID1}, and 3. read permission only to other directories.
Commands:
sudo adduser shahzaib
sudo chown shahzaib '/home/admin2020/APIC/201702589'
sudo chmod -R 777 '/home/admin2020/APIC/201702589'
sudo chown shahzaib '/home/admin2020/APIC/201702844'
sudo chmod -R +rX '/home/admin2020/APIC/201702844'
sudo chown shahzaib '/home/admin2020/APIC/201701893'
sudo chmod -R +r '/home/admin2020/APIC/201701893'

Creating group and giving group permissions – Group Babar

The first user group created was Babar. It was given access to two sub-directories, and 2 members were added to it using the following commands.

Task: Create group {LastName1}. Add {FirstName1} and {FirstName2} to the {LastName1} group. Write ACL so that {LastName1} group users get full access to the {StudentID1} directory and read access to the {StudentID2} directory.
Commands:
sudo addgroup babar
sudo adduser muhammad babar
sudo adduser shahzaib babar
sudo chgrp babar '/home/admin2020/APIC/201702844'
sudo chmod g+rwx '/home/admin2020/APIC/201702844'
sudo chgrp babar '/home/admin2020/APIC/201702589'
sudo chmod g+r '/home/admin2020/APIC/201702589'

Creating group and giving group permissions – Group Shakeel

The last group created was the group named Shakeel. A new user for Rajpreetkaur was created and added to it along with Shahzaib.

Task: Create group {LastName2}. Add {FirstName2} and {FirstName3} to the {LastName2} group. Write ACL so that {LastName2} group users get full access to the {StudentID2} directory and write and execute access to the {StudentID1} directory.
Commands:
sudo addgroup shakeel
sudo adduser rajpreetkaur
sudo adduser shahzaib shakeel
sudo adduser rajpreetkaur shakeel
sudo chgrp shakeel '/home/admin2020/APIC/201702589'
sudo chmod g+rwx '/home/admin2020/APIC/201702589'
sudo chgrp shakeel '/home/admin2020/APIC/201702844'
sudo chmod g+rX '/home/admin2020/APIC/201702844'
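A directory has a single owner and a single owning group, so each chown or chgrp in the sequence above replaces the previous one, and chmod with "+" only adds permission bits. The following added example (not part of the original sample answer) shows the mode each "+" form leaves on a fresh directory and writes the Task-2 requirements as POSIX ACL entries with setfacl instead; mode_after, show_modes and apply_acls are hypothetical names, and apply_acls assumes the users and groups created above already exist.

```shell
#!/bin/sh
# Added example (not from the original report).

# mode_after CHMOD_ARG
# Make a fresh directory the way `mkdir` does under umask 022 (mode 755),
# apply one chmod argument to it and print the resulting octal mode.
mode_after() (
    umask 022
    base=$(mktemp -d) || exit 1
    mkdir "$base/dir"
    chmod "$1" "$base/dir"
    stat -c %a "$base/dir"
    rm -rf "$base"
)

# "+" only adds bits, so +rw, +r and +rx all leave the default 755 in place;
# "a=" sets exactly the bits named (a=r gives 444, which can be listed but
# not entered, because directories need x for traversal).
show_modes() {
    for arg in +rw +r +rx a=rw a=r a=rx; do
        printf '%-5s -> %s\n' "$arg" "$(mode_after "$arg")"
    done
}

# apply_acls BASE
# Task-2 requirements as ACL entries. Named-user and named-group entries
# coexist on one directory, so a later rule does not overwrite an earlier one.
#   201702844: muhammad rwx, shahzaib r-x, group babar rwx, group shakeel -wx
#   201702589: muhammad rw-, shahzaib rwx, group babar r--, group shakeel rwx
#   201701893: muhammad r--, shahzaib r--
apply_acls() {
    id1=$1/201702844 id2=$1/201702589 id3=$1/201701893
    setfacl -m u:muhammad:rwx,u:shahzaib:r-x,g:babar:rwx,g:shakeel:-wx "$id1" &&
        setfacl -m u:muhammad:rw-,u:shahzaib:rwx,g:babar:r--,g:shakeel:rwx "$id2" &&
        setfacl -m u:muhammad:r--,u:shahzaib:r-- "$id3" &&
        getfacl "$id1" "$id2" "$id3"
}

show_modes
# apply_acls /home/admin2020/APIC    # run as root once the accounts exist
```

The getfacl output at the end of apply_acls lists every entry together with the computed mask, so the result can be checked against the task statement line by line.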

Audit Plan
One of the most important techniques that RAH shall adopt is IS auditing. The auditing shall be done at regular intervals and shall attempt to determine the existing gaps and the improvements that can be made.

The audit report shall be formally developed and submitted to the members of the board along with the suggestions on improvement. The maintenance and update cycle shall be designed accordingly.

Disaster Recovery and Cyber-Defense
Defensive approaches and mechanisms also need to be adopted. A disaster recovery plan shall be established for RAH, which shall also include the backup schedule and tools. Automated tools shall be used for backups (Lin and Huang, 2016).

The defense mechanisms shall include the use of advanced firewalls for software, hardware, and networks. Network-based intrusion detection and prevention systems shall also be used. Several tools have been developed for automating information security and privacy. These include anti-malware tools and anti-denial tools. Multi-mode authentication shall also be used so that security threats and attacks can be prevented and controlled.

Conclusion
A number of assets are associated with RAH, and these assets are exposed to numerous security threats and attacks. Mitigation techniques such as steganography, access control lists, data backups, etc. shall be used so that the risks can be properly controlled and managed.

References
Alajmi, N. and Elleithy, K. (2015). Comparative Analysis of Selective Forwarding Attacks over Wireless Sensor Networks. International Journal of Computer Applications, 111(14), pp.27–38.

Baiomy, A., Mostafa, M. and Youssif, A. (2019). Anti-Phishing Game Framework to Educate Arabic Users: Avoidance of URLs Phishing Attacks. Indian Journal of Science and Technology, 12(44), pp.01–10.

Bisogni and Asghari (2020). More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws. Journal of Information Policy, 10, p.45.

Doynikova, E., Fedorchenko, A. and Kotenko, I. (2019). Automated Detection of Assets and Calculation of their Criticality for the Analysis of Information System Security. SPIIRAS Proceedings, 18(5), pp.1182–1211.

Hameed, A.S. (2015). Hiding of Speech based on Chaotic Steganography and Cryptography Techniques. International Journal of Engineering Research, 4(4), pp.165–172.

Lee, S.-H. and Park, D.-H. (2015). A Security Check Maturity Model for Information System Audit. Journal of Security Engineering, 12(2), pp.151–168.

Lin, G. and Huang, F. (2016). Research on Database Remote Disaster Recovery and Backup Technology Based on Multi Point and Multi Hop. International Journal of Database Theory and Application, 9(6), pp.265–274.

Lopriore, L. (2016). Access control lists in password capability environments. Computers & Security, 62, pp.317–327.

Malhotra, Y. (2015). Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, &, Intelligence: Enterprise Risk Management to Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides). SSRN Electronic Journal.

Mazitelli, N. (2015). Insider threats. Engineering & Technology Reference.

Rah (2019). SA Health. [online] Royal Adelaide Hospital. Available at: https://www.rah.sa.gov.au/.

Shamala, P., Ahmad, R., Zolait, A. and Sedek, M. (2017). Integrating information quality dimensions into information security risk management (ISRM). Journal of Information Security and Applications, [online] 36, pp.1–10. Available at: https://www.sciencedirect.com/science/article/pii/S2214212617300972.
