Part 1–Information Security Management Case Study
Based in Manchester, UK, BlueTech Innovations Ltd. is a dynamic small and medium-sized enterprise (SME) that specializes in developing cutting-edge digital solutions and e-commerce platforms for small and medium-sized enterprises across multiple industries. How BlueTech Innovations Ltd. uses a DBMS depends on its business model, industry, and data requirements. Like most firms, it uses a DBMS to support CRM, keeping a database of client data, interactions, and purchase history that is used to improve customer relationships.
Company Details:
BlueTech Innovations Ltd. has 150 employees and recorded a turnover of £18 million in the last financial year. The company is situated in Manchester, UK; it operates mainly within the UK and has some clients in the EU and North America.
Technological Infrastructure:
Devices in Use:
Workstations: Dell OptiPlex Series (Running Windows 10)
Servers: HPE ProLiant DL Series (Hosting the database and website)
Laptops: MacBook Pro (For senior management & remote employees)
Mobile Devices: Company-issued iPhones for specific roles like sales and customer support.
Networking Equipment:
Switches: Cisco Catalyst 2960 Series
Routers: Cisco ISR 4000 Series
Wireless Devices: Aruba Wireless Access Points
Firewalls: Palo Alto PA-3200 Series
Software and Database:
Database System: PostgreSQL (For hosting the customer database)
CRM Software: Salesforce (For managing customer interactions)
E-commerce Platform Backend: Built on PHP using Laravel Framework
Web Server: Apache HTTP Server
Security Protocols & Measures:
Web Application Firewall (WAF): Cloudflare, to protect against common web threats
Intrusion Detection System (IDS): Snort
Endpoint Security: Symantec Endpoint Protection
VPN for Remote Access: Cisco AnyConnect
Regular Patching: Monthly patch cycles for all software to ensure they are updated against known vulnerabilities.
Network Infrastructure
Figure 1: Networking Infrastructure
(Source: Rouse, 2023)
The Palo Alto firewall forms the secure gateway at the edge of BlueTech's network.
The main office network is divided into three VLANs: one for workstations, one for servers, and one for management.
Remote workers connect through the Cisco VPN, which provides an encrypted connection and secure access.
Threat Overview
Under the IS1 threat category of indirect connections, BlueTech faces a serious risk, particularly given its integrated e-commerce platforms and custom digital solutions. SQL injection is especially dangerous here because the customer database runs on PostgreSQL and is reached through the e-commerce platform. Attackers are reported to exploit SQL databases with inadequate security, and an attacker could use such a vulnerability as a point of entry, compromising customer data or causing service disruptions.
Part 2–Threat Identification
Injection Attacks (Specifically SQL Injection)
Database software is a utility or program used for creating, maintaining, and editing the records and data of an organization. It stores large volumes of data in a suitably structured form of fields, columns, and tables, and the stored data is accessed through a programmatic process (Rouse, 2023). Many database products exist, such as Improvado, PostgreSQL, MySQL, Microsoft SQL Server, and Oracle RDBMS; BlueTech Innovations Ltd. uses PostgreSQL. SQL injection against the PostgreSQL server that maintains the company's data is therefore a dangerous weakness in the company's data management system.
PostgreSQL security flaws are regarded as the main problems for the system's overall security, since they can give users the ability to run arbitrary code under the PostgreSQL process that manages the data. No reporting procedure for data compromise or breach-related activity is taken into account by the database software's security team or coding process (Postgresql.org, 2023). Such superuser-level activity increases the vulnerability of this database software. Database technology advances at a rapid pace through the innovation and enhancements of developers and dedicated engineers; nevertheless, a breach of the organization's highly sensitive data held on the HPE ProLiant DL Series servers would mean unauthorized access and an increased level of attack.
Part 3–Business Constraints
BlueTech Innovations Ltd., a small and medium-sized enterprise (SME) with an annual revenue of £18 million and a workforce of 150 individuals, encounters specific economic and operational limitations while implementing comprehensive information security protocols (Postgresql.org, 2023). Since SQL Injection attacks have been recognized as a prominent security concern, it is imperative to understand the accompanying limitations in order to adopt a comprehensive approach.
Infrastructure Overhaul: Vulnerabilities are often addressed by replacing old systems or by investing in state-of-the-art network security solutions. These efforts are costly and may be considered superfluous, especially if the vulnerabilities have not yet been exploited.
Ongoing Monitoring: Sufficient mitigation necessitates continuous observation. This results in ongoing expenses because it calls for both tools and human oversight (PGDG, 2019).
Laws and Regulations:
Significant fines could be levied for violating laws that are constantly changing, such as the GDPR. To guarantee complete compliance, expenditure on tools, training, and audits is typically required.
Staff Time and Talent:
Addressing vulnerabilities requires expertise. The present IT team may lack the knowledge necessary to handle complex threats (Daskevics and Nikiforova, 2021), and training them or employing fresh staff faces time and budgetary limits.
Vulnerabilities in Networks:
Device Vulnerabilities: Cybercriminals may use outdated or improperly configured switches, routers, and firewalls as access points. Regular upgrades and patches necessitate downtime, which has an impact on corporate operations.
User Vulnerabilities: Since workers are frequently the weakest link, they may unintentionally assist breaches. Even a system with strong security can be compromised by phishing attempts or bad password practices (Walkowski et al., 2020). Training them is vital, although it costs money and occasionally encounters resistance because of operational pressures.
Vulnerabilities in Databases:
Both tools and expertise are needed to ensure that the database is well defended against attacks such as SQL Injection. Tools like Web Application Firewalls (WAF) can stop these kinds of attacks, although they have a cost (Zhong et al., 2020). Furthermore, maintaining an encrypted and segregated database can affect operating efficiency and requires skill.
Economic Constraint Controls:
Costs associated with risk mitigation: Although the IS1 assessment identifies risks, mitigating them comes at a cost. Capital is needed to purchase intrusion detection systems, threat intelligence platforms, or even basic firewalls (Postgresql.org, 2022). Until a breach happens, it is often difficult to demonstrate a tangible return on these investments.
Opportunity Costs: It might be difficult to convince people to redirect funding from growth projects to security. Every dollar directed towards non-revenue-generating tasks like security may be seen as a missed opportunity, particularly in competitive environments.
Part 4–Human Constraints
The Indirect Connections Threat Category:
The "Indirect Connections" threat category poses a significant risk to information security. It covers a variety of threats, such as vulnerabilities in networks and databases, social engineering, and insider threats.
Human Vulnerabilities and Social Engineering:
Social engineering attacks generally take advantage of human shortcomings. Attackers may attempt to manipulate employees into divulging confidential information or allowing unauthorised access. Phishing emails or phone calls, for instance, have the potential to trick employees into disclosing login credentials (Enterprisedb, 2023). Human limitations, such as inadequate knowledge and training, may render workers vulnerable to these strategies.
Employee Constraints and Insider Threats:
Employees with database and network access could be the source of insider threats. Intentional misuse or unintentional ignorance can lead to privilege abuse and security lapses. A company's ability to recognise and neutralise internal threats may be compromised by resistance to change and disregard for established security protocols.
Vulnerabilities in Databases and Networks:
The network and database are important components of the organization's information architecture. These assets have vulnerabilities that could be exploited, resulting in system compromises or data breaches (FORTRA, 2021). These vulnerabilities may arise from human limitations such as user error, inexperience, and a lack of resources for security.
Particular Flaws in the Database and Network:
It is crucial to consider potential vulnerabilities in network devices, such as unpatched software, incorrect setups, and lax access controls, even though they were not detailed in the earlier sections (Akhtar, 2022). Furthermore, database weaknesses such as insufficient encryption or improper access constraints can produce exploitable vulnerabilities.
Measures to Reduce Human-Related Risks:
Organizations can put in place a variety of measures to manage these human limitations and reduce the associated hazards and vulnerabilities:
Employee Education and Awareness: Educating staff members about social engineering techniques and offering in-depth training on security best practices can enable them to identify and fend off threats (PGDG, 2019).
Frequent Security Audits: Regular security audits are carried out to find vulnerabilities in database and network assets and to quickly fix them.
User Error Mitigation: Implementing controls, such as task automation and validation checks, to reduce user errors.
Authentication and Access Controls: Strengthening authentication protocols and access controls to prevent insider threats and unauthorized access.
Security Policy and Enforcement: Developing and putting into effect security regulations that demand conformity to security principles and protocols (Akhtar, 2022).
Incident Response Planning: Creating clear incident response plans to deal with security breaches quickly and efficiently.
Human limits are important in information security, particularly when dealing with the "Indirect Connections" threat category. It is crucial to recognize that risk reduction and network and database security vulnerabilities are largely influenced by human behavior and awareness. It is critical to address these constraints via policies, procedures, and effective controls in order to fortify the organization's overall security posture.
Part 5–Risk Identification
Risk | Vulnerability | Control
---|---|---
Unauthorized Data Access | Poor input validation in web forms and weak database authentication mechanisms (OWASP, 2021). | Implement input validation techniques, use parameterized SQL queries, and enforce strong authentication and authorization (Vermeer, 2021).
Data Manipulation | Absence of real-time monitoring and outdated database management software (Bucko et al., 2023). | Deploy real-time intrusion detection systems (IDS) for databases and apply regular software patches.
Data Loss | Lack of backup procedures, and SQL commands leading to deletion of records (OWASP, 2021). | Maintain regular database backups, deploy data recovery plans, and restrict deletion permissions (Vermeer, 2021).
System Compromise | Excessive user privileges and compromised administrator credentials. | Implement the principle of least privilege (PoLP), two-factor authentication, and regular password changes (Bucko et al., 2023).
Spread of Malware | SQL attacks introduce malicious scripts/software into the network (OWASP, 2021). | Real-time monitoring, endpoint security solutions, and regular malware scans across the network.
Operational Disruption | Successful SQLi causing system downtime. | A robust incident response plan, frequent system monitoring, and timely patches and updates (Vermeer, 2021).
Part 6–Risk Assessment
Asset | Threat | Vulnerability | Likelihood | Potential Impact | Calculated Risk | Recommended Control
---|---|---|---|---|---|---
Online Customer Database | SQL Injection | Poor input validation on web forms | High | High (Unauthorized data access) | High | Implement rigorous input validation techniques
Online Customer Database | SQL Injection | Weak database authentication mechanisms | Medium | High (Data manipulation) | Medium | Employ strong password policies and multi-factor authentication
Online Customer Database | SQL Injection | Outdated database management software | Low | Medium (Data loss) | Low | Schedule regular software updates and patches
Asset: Online Customer Database
One of BlueTech Innovations Ltd.'s most important assets is its online client database. It probably contains important client data, order specifics, transaction histories, and maybe payment data. Maintaining the trust of clients and running a business both depend heavily on its security.
Threat: SQL Injection
The main threat has been determined to be SQL Injection. This is a common yet serious threat to databases that are accessible via online interfaces. Malicious actors may gain unauthorised access to, or influence over, the database by manipulating database queries with carefully constructed input (Bluetechresearch, 2023). Because the information in the online customer database is sensitive, a successful SQL Injection attack could have dire consequences.
Vulnerabilities:
Poor Input Validation: a vulnerability with a high probability. SQL Injection attacks can occur in web applications that do not adequately validate or sanitize inputs; as a result, malicious SQL entered into forms by attackers can be executed by the database and grant unauthorized users access to data.
Weak Database Authentication: a vulnerability with a medium probability. Weak passwords or the absence of multi-factor authentication increase an attacker's chances of gaining unauthorized access to the database.
Outdated Database Management Software: a vulnerability with a low probability. Known flaws in outdated software can be exploited by attackers (Bluetechresearch, 2023), and even with routine updates there is a window of exposure between the discovery of a flaw and the application of a fix.
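To make the poor-input-validation vulnerability above concrete, together with the input-validation and parameterized-query controls listed in the Part 5 table, the following Python snippet is added here as an illustration; it is not code from BlueTech's Laravel application. It assumes a constructed customer table and uses the standard-library sqlite3 module as an offline stand-in for PostgreSQL (the binding principle is identical; with psycopg2 the placeholder would be `%s` rather than `?`).

```python
"""Added example: SQL Injection through an unvalidated web-form field, and the
two controls from the Part 5 risk table (input validation, parameterized queries).

Assumptions: the customer table and rows are constructed for this example.
sqlite3 stands in for BlueTech's PostgreSQL so the code runs offline; with
psycopg2 the placeholder would be %s instead of ?.
"""
import re
import sqlite3

# Constructed sample rows standing in for the online customer database.
CUSTOMERS = [
    (1, "alice@example.com", "Alice Example", "ORD-1001"),
    (2, "bob@example.com", "Bob Example", "ORD-1002"),
]


def open_db():
    """Create an in-memory customer table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, email TEXT, name TEXT, last_order TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """'Before' form: the form value is spliced into the SQL text, so quote
    characters in it become part of the query instead of data."""
    sql = f"SELECT id, email, name FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Control: the value is bound as a parameter. The database receives the
    query shape and the value separately, so the value is never parsed as SQL."""
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Allow-list pattern for the only thing this form field may contain: an e-mail.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value):
    """Control: reject, at the web-form boundary, anything that is not shaped
    like an e-mail address (length bound plus allow-list pattern)."""
    if not isinstance(value, str) or len(value) > 254:
        return False
    return EMAIL_RE.fullmatch(value) is not None


def lookup_hardened(conn, email):
    """Both controls together. Returns None when the input is rejected, so
    nothing reaches the database (a web handler would answer HTTP 400 here).
    Validation is defence in depth: parameter binding alone already prevents
    the injection."""
    if not validate_email(email):
        return None
    return lookup_parameterized(conn, email)


def demo():
    """Run the lookups with a legitimate value and a hostile one and return
    the row counts, so the effect of each control is visible side by side."""
    conn = open_db()
    hostile = "' OR '1'='1"  # tautology typed into the form field
    legit = "alice@example.com"
    return {
        "vulnerable_legit": len(lookup_vulnerable(conn, legit)),  # 1
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),  # 2: every row leaks
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),  # 0: literal match only
        "hardened_hostile": lookup_hardened(conn, hostile),  # None: rejected at the boundary
        "hardened_legit": len(lookup_hardened(conn, legit)),  # 1
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The WAF and IDS in BlueTech's stack sit in front of this code; the parameter binding is what removes the vulnerability at its source, and the validator gives the monitoring controls a clean event (a rejected form value) to log.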
Potential Impact:
Unauthorized Data Access: A serious problem. Attackers could steal sensitive client data and cause identity theft, financial fraud, and loss of trust if they gain access to the database because of inadequate input validation (Raj, 2022).
Data Manipulation: An attacker may modify prices, order specifications, or even payment records if they are able to manipulate the data stored in the database. This can have negative financial effects and jeopardize the data's integrity.
Data Loss: Should an attacker utilize SQL Injection to erase data from the database and regular backups are not performed, important data may be irreversibly lost.
Calculated Risk:
Poor Input Validation: a high risk, because of its high likelihood and significant potential impact. Addressing this issue should be the first priority.
Weak Database Authentication: a medium risk. Although the likelihood is medium, the potential impact is still high (Raj, 2022).
Outdated Software: a low risk, but one that is nevertheless significant. Even a low likelihood cannot be disregarded given the severity of the potential consequences.
Suggested Controls:
The controls indicated in the table are appropriate and ought to be put into place right away. Thorough input validation is an effective means of reducing the risk of SQL Injection. Strong password policies and consistent software upgrades further mitigate the risk, preserving the integrity and confidentiality of the online customer database.
Furthermore, despite the significant dangers that BlueTech Innovations Ltd. may face, they may protect their customer database and maintain their company's reputation if they put the proper mitigation measures in place (BluetechResearch, 2023). The company's cybersecurity posture will be greatly strengthened by fixing the vulnerabilities that have been found and providing a plan for improvement.
Part 7–Critical Analysis
Reflection On Risk Assessment
The scope of the risk evaluation was extensive, taking into account both prospective threats and system weaknesses. On reflection, however, simply identifying threats is insufficient: the changing threat landscape must be reevaluated regularly. Cyber threats are dynamic; attackers create new strategies and new vulnerabilities appear.
Employing the IS1 Risk Assessment standard provided an organized method for determining and assessing hazards. Consistency is guaranteed by its structured nature, but its possible rigidity poses a constraint. Since every company is different, relying just on a tool could leave out details unique to BlueTech Innovations Ltd (Bcs.org, 2023). Maybe the best strategy would be to combine a more flexible, individualized approach with an organized tool.
The risk assessment made clear how crucial it is to take commercial and financial restrictions into account. These limitations influence not just possible mitigation techniques but also the structure of the system's inherent vulnerabilities. Budgetary restrictions, for example, may result in out-of-date software, which presents a vulnerability (Satoricyber, 2023). This important discovery—that cybersecurity is intertwined with economic factors—emphasizes that cybersecurity is not merely an IT problem but a fundamental business matter.
The interconnection of assets and weaknesses is one feature that jumps out. A flaw in one area, like the network infrastructure, can have repercussions and put other resources, like the customer database, at risk. Because of this interdependence, cybersecurity must be approached holistically, considering each asset, vulnerability, and threat in light of the ecosystem as a whole.
While technological advancements are crucial, human interaction is still a key component of cybersecurity (Kure, Islam, and Razzaque, 2020). Staff awareness and training programmes are just as important as any firewall or intrusion detection system. This human element was not thoroughly examined in the risk assessment, which is a drawback. Subsequent evaluations must give greater weight to the human factor, examining possible threats from social engineering, insider threats, and other sources.
Risk assessment needs to be an ongoing procedure rather than a one-time event. The demands of business, the external environment, and the digital landscape are ever-changing. It is possible that the risk assessment completed today will not be entirely applicable in a few months or perhaps a year (Knowles, 2021). One important lesson is that risk assessment is an iterative process.
Reflection On The Use of IS1
The IS1 framework offers a systematic approach to conducting risk assessments. This systematic approach guarantees a consistent evaluation of risks, minimizing the possibility of overlooking any crucial element. The structure it provides is of great value to BlueTech Innovations Ltd., enabling the company to manage its online presence effectively while prioritizing data protection.
The utilization of the IS1 tool facilitated the comprehensive coverage of all critical domains within the evaluation, encompassing both physical assets and information assets (Zola, 2021). The meticulousness of this approach is crucial in guaranteeing that every possible vulnerability is thoroughly examined and accounted for.
The concepts of standardization and benchmarking are crucial in various academic and professional fields. Standardization refers to the process of establishing and implementing uniform practices, procedures, or criteria.
By employing a widely acknowledged standard such as IS1, BlueTech Innovations Ltd. is able to assess its security protocols in comparison to the most effective practices prevalent in the industry. Benchmarking plays a crucial role in comprehending the position of the organization within the cybersecurity domain and serves as a potent instrument for effectively conveying our security stance to stakeholders.
Although the systematic method employed by IS1 offers advantages, it can occasionally be perceived as excessively inflexible. Each organization possesses distinct characteristics, and employing a standardized technique may not adequately account for the specific intricacies exhibited by BlueTech Innovations Ltd (Agyepong et al., 2023). In order to enhance future assessments, it may be advantageous to use IS1 inside a flexible assessment framework.
There exists a possible risk associated with over-dependence on IS1 or any other technology. It is imperative to bear in mind that tools should serve as facilitators of the risk assessment process, rather than exerting control over it (Bcs.org, 2023). The human element, characterized by intuition and critical thought, continues to be of utmost importance.
Although IS1 is a comprehensive system, its outcomes and outputs may present challenges for non-technical stakeholders because of their technical nature and difficulty of interpretation. Converting the findings of IS1 into practical insights and comprehensible language for all relevant parties requires careful consideration.
The digital and cybersecurity domain is characterized by constant evolution (De Groot, 2023). Although IS1 provides a strong basis, it is crucial to ensure its continuous updating and potential integration with additional tools or approaches that tackle novel and evolving threats.
Reflection On The Case Study
The provision of comprehensive background information was of utmost importance. The aforementioned factor facilitated a more comprehensive examination at a later stage, underscoring the significance of a meticulous preliminary foundation. Nonetheless, achieving a harmonious equilibrium between pertinent particulars and an overwhelming abundance of information proved to be a formidable task.
The interconnection between many aspects of the corporation, including its network infrastructure and commercial activities, became apparent (postgresql, 2023). The presence of a vulnerability or threat in a particular domain can have an indirect influence on another domain, hence emphasizing the necessity of adopting a comprehensive security strategy.
The case study underscored the dynamic nature of threats. As the organization undergoes transformation, it also encounters a corresponding array of possible risks. The inherent dynamism of cybersecurity necessitates the adoption of a proactive and adaptive approach.
The case study made an effort to address all conceivable vulnerabilities; nonetheless, the dynamic nature of the technological landscape implies that certain vulnerabilities may have been inadvertently omitted or could arise in the future (Walkowski et al., 2020). This serves as a humbling reminder of the significance of ongoing monitoring and evaluation.
The economic and business constraints refer to the limitations and restrictions that affect the operations and activities of businesses within the economic context. These constraints can arise from several factors such as market conditions, government regulations, financial limitations,
The disclosure of the considerable interconnection between economic variables and cybersecurity has emerged (Vermeer, 2021). This observation underscores the fact that cybersecurity is not solely an information technology (IT) matter, but rather a critical component intricately linked to corporate strategy and financial planning.
The case study provided more support for the notion that although technology plays a crucial role, it is imperative to acknowledge the significance of the human factor. The implementation of training programmes, the cultivation of awareness, and the establishment of a strong company culture are essential factors in effectively mitigating potential hazards.
The Significance of External Tools and Standards:
The utilization of tools such as IS1 proved to be of great value. Nevertheless, the case study underscored the need not to depend solely on external criteria (PGDG, 2019). Tailoring and incorporating these solutions to align with the specific requirements of the organization is of utmost importance.
The Significance of Feedback Loops in Academic Contexts
The significance of feedback loops is underscored by a rigorous examination of the case study. The findings derived from this investigation ought to be integrated into the company's operations, guaranteeing that acquired knowledge is applied and results in ongoing enhancement. In addition to addressing the technological and operational components, the case study highlights the ethical considerations surrounding cybersecurity, particularly with regard to the protection of client data (Satoricyber, 2023). This increased responsibility emphasizes the significance of implementing strong cybersecurity protocols, not only for the sake of adhering to regulations or financial considerations, but also as a moral imperative.
References
- Agyepong, E., Cherdantseva, Y., Reinecke, P. and Burnap, P. (2023). A systematic method for measuring the performance of a cyber security operations centre analyst. Computers & Security, 124(2), p.102959. doi:https://doi.org/10.1016/j.cose.2022.102959.
- Akhtar, H. (2022). 10 common PostgreSQL mistakes and how to avoid them. [online] InfoWorld. Available at: https://www.infoworld.com/article/3681655/10-common-postgresql-mistakes-and-how-to-avoid-them.html [Accessed 26 Oct. 2023].
- Bcs.org (2023). Cyber risk assessment in a post-IS1 world | BCS. [online] www.bcs.org. Available at: https://www.bcs.org/articles-opinion-and-research/cyber-risk-assessment-in-a-post-is1-world [Accessed 26 Oct. 2023].
- BluetechResearch (2023). Innovation Tracker Archive. [online] BlueTech Research. Available at: https://www.bluetechresearch.com/tools/innovation-tracker/ [Accessed 26 Oct. 2023].
- Bluetechresearch (2023). Water Technology Digest. [online] BlueTech Research. Available at: https://www.bluetechresearch.com/ [Accessed 26 Oct. 2023].
- Bucko, A., Vishi, K., Krasniqi, B. and Rexha, B. (2023). Enhancing JWT Authentication and Authorization in Web Applications Based on User Behavior History. Computers, [online] 12(4), p.78. doi:https://doi.org/10.3390/computers12040078.
- Daskevics, A. and Nikiforova, A. (2021). IoTSE-based open database vulnerability inspection in three Baltic countries: ShoBEVODSDT sees you. [online] ieeexplore.ieee.org. Available at: https://ieeexplore.ieee.org/document/9704952/ [Accessed 26 Oct. 2023].
- De Groot, J. (2023). What is Cyber Security? Definition, Best Practices & Examples. [online] Digital Guardian. Available at: https://www.digitalguardian.com/blog/what-cyber-security.
- Enterprisedb (2023). How to Monitor PostgreSQL Connections. [online] EDB. Available at: https://www.enterprisedb.com/postgres-tutorials/how-monitor-postgresql-connections [Accessed 26 Oct. 2023].
- FORTRA (2021). Insider Threat: 74% of security incidents come from the extended enterprise, not hacking groups | Press Release. [online] www.clearswift.com. Available at: https://www.clearswift.com/resources/press-releases/insider-threat-74-security-incidents-come-extended-enterprise-not-hacking-groups.
- Knowles, M. (2021). Cybersecurity Risk Management: Frameworks, Plans, & Best Practices. [online] Hyperproof. Available at: https://hyperproof.io/resource/cybersecurity-risk-management-process/.
- Kure, H., Islam, S. and Razzaque, M. (2020). An Integrated Cyber Security Risk Management Approach for a Cyber-Physical System. Applied Sciences, [online] 8(6), p.898. doi:https://doi.org/10.3390/app8060898.
- OWASP (2021). SQL Injection Prevention · OWASP Cheat Sheet Series. [online] Owasp.org. Available at: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html.
- PGDG (2019). PostgreSQL: The world’s most advanced open source database. [online] Postgresql.org. Available at: https://www.postgresql.org/.
- postgresql (2023). CREATE DOMAIN. [online] PostgreSQL Documentation. Available at: https://www.postgresql.org/docs/current/sql-createdomain.html [Accessed 26 Oct. 2023].
- Postgresql.org (2022). 5.4. Constraints. [online] PostgreSQL Documentation. Available at: https://www.postgresql.org/docs/current/ddl-constraints.html.
- Postgresql.org (2023). PostgreSQL: Security Information. [online] www.postgresql.org. Available at: https://www.postgresql.org/support/security/.
- Raj, A. (2022). Unauthorized access the biggest cause of data breaches. [online] Tech Wire Asia. Available at: https://techwireasia.com/2022/07/unauthorized-access-the-biggest-cause-of-data-breaches/.
- Rouse, M. (2023). What is Database Software? - Definition from Techopedia. [online] Techopedia.com. Available at: https://www.techopedia.com/definition/1190/database-software.
- Satoricyber (2023). 3 Pillars of PostgreSQL Security. [online] Satori. Available at: https://satoricyber.com/postgres-security/3-pillars-of-postgresql-security/.
- Vermeer, B. (2021). SQL injection cheat sheet: 8 best practices to prevent SQL injection | Snyk. [online] snyk.io. Available at: https://snyk.io/blog/sql-injection-cheat-sheet/.
- Walkowski, M., Krakowiak, M., Oko, J. and Sujecki, S. (2020). Efficient Algorithm for Providing Live Vulnerability Assessment in Corporate Network Environment. Applied Sciences, 10(21), p.7926. doi:https://doi.org/10.3390/app10217926.
- Zhong, R., Chen, Y., Hu, H., Zhang, H., Lee, W. and Wu, D. (2020). SQUIRREL: Testing Database Management Systems with Language Validity and Coverage Feedback. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 3(11). doi:https://doi.org/10.1145/3372297.3417260.
- Zola, A. (2021). What is a risk assessment framework, and how does it work? [online] SearchCIO. Available at: https://www.techtarget.com/searchcio/definition/risk-assessment-framework-RAF.