Threats and Vulnerabilities in Information Systems

Most organizations in both private and public sectors rely on information technology and systems to achieve their business functions and missions. Information systems vary from personal and financial systems to office networks to very specialized systems such as weapons systems, environmental control systems, and industrial control system. Due to the ever-changing technology, information systems are subjected to threats having diverse effects on organizational assets and operations, employees, other organizations and the country as a whole by exploiting unknown and know vulnerabilities comprising the integrity, confidentiality or the availability of the data stored, processed or transmitted by the systems. Threats to information systems are environmental disruptions, users’ errors, technical errors, purposeful attacks and structural failures resulting in economic and national security of the states (Baskerville, 2014). To prevent threats and vulnerabilities in organization managers and leaders at all levels should have a clear understanding of the information system in their organization and their responsibilities towards managing the information security risk.

Each organization should have an organizational risk management process. Risk assessments identify, estimate and prioritize a risk to the operations of the organization that is the image, mission, reputation, and functions.  Risk assessments’ purpose is informing decision makers and supporting risk responses by identifying threats to organizations or threats against other organizations, both external and internal vulnerabilities to the organizations, the impact of potential threats and vulnerabilities to the organizations and the likelihood of the harm to occur. A vulnerability is a weakness in an information system, internal controls, system security procedures or implementing something exposing the organization to a threat. One cannot identify vulnerabilities within the information system rather vulnerabilities can be found in organizational structures such as poor inter-agency communications, lack of effective risk strategies and inadequate risk framing and inconsistent decisions (Webb, 2014). They can also be found in external relationships such as supply chains, telecommunications providers, information technologies and particular energy sources. Information security architectures and business processes are also sources of vulnerabilities.

A vulnerability increases the likelihood for a threat to occur by increasing its probability and the damage that it occurs. Weak security measures increase the chances of threats to an organization. There are other vulnerabilities caused by the predisposing condition of an organization. Conditions such as enterprise architecture, environment operation, business processes, and information system may increase or decrease the likelihood of a threat. Predisposing conditions such as the location of the organization in a flood or hurricane-prone region would increase the chances of a risk while stand-alone information system would decrease the chances of threats or risks due to lack of external network connections such as cyber-attacks. Vulnerabilities such as the use of outdated technologies, gaps in contingency plans, weaknesses in the information systems and failover mechanisms can be prevented through the use of up to date software and hardware equipment and the use of strong firewall connectivity to all computers connecting on the internet so as to secure the system. Use of power backups and also cloud services ensure that when there is a power failure and when the system clashes there is an online backup which is secure (Dixit, 2015).

Vulnerabilities in the Acme Company include firewall TCP rule bypass where it allows access and process of packets. The firewall is one of the security measures in many organizations but when improperly configured it will not work as supposed. A firewall should be properly configured not to allow any intrusion of strangers or hackers rather also to detect potential intruders in the system. Web application vulnerabilities such as SQL injection where one was able to collect information about the servers, user databases, user accounts, and data. This is a high-risk vulnerability where one can manipulate the data. Information disclosure and clickjacking were also detected through the web. To secure the web Acme should ensure that each employee is securely browsing using a secure browser that does not accept pop-ups. Turn off the option to save encrypted web pages and not to allow the browser to save passwords. Social engineering vulnerabilities such as information disclosure in the front desk and clicking links to unknown websites leading to cyber-attacks. The managers should ensure that the employees do not freely disclose information to anyone by training them on social engineering so as they can be detected when someone is trying to retrieve information from them (Tsohou, 2015). Also conducting training on cyber-attacks and how they occur could minimize the chances of employees clicking to unknown links and putting personal information.

Most of the vulnerabilities are similar to organizations and also measures taken are not any different. Organizations should also ensure when they purchase a software or a system it is scanned for vulnerabilities through the use of vulnerability scan which is a software that scans the network, hosts, a software or a system to see if any penetration can occur. The software is expensive and there are high possibilities of getting false positives. So as one to secure his or her organization measures such as strong passwords, software updates, file encryption, data, and software backup, avoiding user error, antivirus software and browser security should be enforced in the organization and followed to the letter by everyone.

References

Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security:

Managing a strategic balance between prevention and response. Information & management, 51 (1), 138-151.

Dixit, S., & Sharma, A. (2015). Effect of Cloud Computing on Enterprises: A Review.

International Journal of Computer Applications, 109(5).

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2015). Managing the introduction of

Information security awareness programmes in organizations. European Journal of Information Systems, 24 (1), 38-58.

Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for

Information security risk management. Computers & security, 44, 1-15.