Vulnerability Assessment

Free «Vulnerability Assessment» Essay Sample


An insider threat is also called hacking in any organization, and a hacker is normally an employee in the organization who can get access to unauthorized information for financial gain. Hackers pose as members of staff by obtaining false credentials. Their activities in the organization aim at causing harm to its information (Williams, 2015). The harm caused by the insider threat takes various forms such as virus, theft of vital information, e.g. company’s secrets, theft in the firm, and alteration of data among others.

Risk Identification

As a result of inside threat, I identified several risks in the organization, and they mainly affected hardware, cyberspace, employees, and infrastructure. Centralized network system was one of the risks where the firm operates it from one point. This presents a threat as there is easy access to important information. The virus, system overload, and insufficient testing of the software was part of the risk identified. Virus corrupts files of the organization where important files and data get lost in the process. Inside threat is regarded as one of the risks identified in the organization through false credentials (Castiglione et al., 2015).

The weak internal control system was also a risk I identified in the company, since there was the lack of effective control to eliminate the risk of an insider. The firm lacked comprehensive protection, such as biometric controls, to prevent access to unauthorized information by a fake employee. The building lacked proper security and screening by the security officials. They were, therefore, unable to detect the company’s insider. Members of staff portrayed greed for money hence they were corrupt. This factor caused alteration of data for financial gain (Huth, 2013).

There was a risk of undetected malware in the company system that corrupted many files in the firm. The system configuration was difficult to understand and detect among the employees. Configuration problems posed a major risk to the company as most of the employees relayed on the system for thei normal operations. Lastly, there was a threat of well-known and predictable software and hardware that was easy to use by any person including an insider.

Risk Management

The company can apply security control to protect its infrastructure and avoid any insider threat. Administrative controls shall be established to minimize any risk threat in the company. The firm shall have policies and procedures that will control the entry and exit of individuals in the company building. The whole personnel should be screened to determine any security threat in the firm through the entry of harmful equipment in the building. An insider shall be detected at this stage and may be required to surrender the identity card.

The management of the company shall conduct regular security awareness trainings in the organization. Security awareness helps to enlighten the staff concerning any security threat they may be exposed to in the building. All relevant precautions will be offered to the employees, and in case of security threat relevant precautions will be in place to tackle the threat. Any change controls in the firm shall be implemented to effectively control any security threat (Tot, Grubor, & Marta, 2015).

Technical controls that include password management, identification methods, and access to control mechanisms shall be implemented to prevent any threat to the firm’s infrastructure. These controls will deter any unauthorized personnel from accessing important information in the company. Finally, physical controls will include protecting the perimeter wall, monitoring for any insider, and controlling to access into vital rooms in the organization. Biometric controls will help to eliminate entry to unauthorized rooms or departments in the firm. A combination of words and numbers shall be used in the password to prevent all the relevant information and corporates secrecy. The aforementioned controls shall be managed throughout the company’s lifetime.

Future Detection of Threats

The management shall regularly conduct threat detection in future and check anny weaknesses in the internal control system or any security policy. Others threats shall be detected through identification of any malware and weak firewalls in the system. There shall be continuous evaluation and review of the system, infrastructure, and employees. To help in threat detection, employees will be offered regular training on security threat in the firm and relevant ways to overcome them. Any unauthorized personnel in the company building shall be treated as a major threat and controls shall be established to avoid future threats and vulnerabilities.

Methods to Improve the Company’s Security

There are six methods that improve security of the organization and helps in preventing the company’s crucial information (Hsu et al., 2015).

Identifying main information functions. The management shall, therefore, identify the main uses of information in the organization to help classify important information that needs proper preservation.

Identify main information system. Having identified essential information functions, the main information system will be identified to help prevent any threat to the system. The systems are therefore categorized according to the essential system.

Identify system threats. As a result of prioritized information system, the management shall, therefore, focus on evaluation and examination of any system threat available.

Identify security techniques. Techniques concerning any security threat in the firm shall be determined and effectively applied to help in eliminating the potential threat. The techniques will be shortlisted for the proper evaluation by the IT department.

Pick and apply the best security techniques. Security techniques are evaluated and screened to select the best applicable technique in preventing a potential threat in the organization system.

Test for the effectiveness of the technique. The applied technique shall be evaluated to determine the effectiveness of the techniques strategies in the firm (Brown, Shaw, & Emery, 2015).