Security Assessment Report
An information system refers to the different systems that are used to collect, analyze, and process information. The information system of an organization consists of the computer system hardware, computer software, databases, the human resources in the organization, and the computer network (“Types of Information Systems”, n.d). One of the components of the computer software component of an information system is the operating system. An operating system is defined as the software that is responsible for the functioning of the different hardware in the system as well as the management of the different application software that can be installed in the system. The operating system is vulnerable to different types of threats. Examples of such security threats can include hacking, malware and viruses, phishing, and denial-of-service (DoS). To prevent the occurrence of such threats in an organization, the organization should conduct a Security Assessment Report (SAR). From the SAR, the different vulnerabilities in the organization’s system are identified and solutions on how to patch the vulnerabilities are noted.
Operating Systems
Operating systems can be classified as either open-source or commercial (Silberschatz, Gagne, and Galvin, 2018). One of the most common open-source operating systems is Linux. Examples of commercial operating systems include Windows, which is developed by Microsoft Corporation, and the Mac operating system, which is developed by Apple Inc. The major function of an operating system is translating the commands inputted by the user into actions that control the different peripherals in the system. By doing so, the operating system acts as the intermediary between the user and the computer hardware. The operating system also supports the installation and execution of different application software. The application software is used by the user to perform different specified actions.
User’s Role in an Operating System
The major user’s role in an operating system is to provide different instructions to the computer. This is achieved through the use of a user interface. User interfaces can either be a graphical user interface (GUI) or even a command-line interface (CLI). The instructions inputted by the user through the user interfaces are translated into different actions. For example, when a user wants to print a document, they will input the command into the computer, after which the operating system will translate the instructions and enable the connected printer to print the document.
Kernel and Operating System Applications
A kernel acts as the intermediary between the user applications installed in the system and the different components of the computer, such as the memory, the processor, and the different peripherals connected to the computer. Hence, kernel applications refer to the operating system applications that connect the application software and the computer’s hardware. Kernel applications are crucial for the functioning of the computer. Therefore, once the computer boots up, they are assigned a separate part of the storage device in the computer. Unlike most applications that are installed by the user or the organization, the kernel applications run from the time the system boots up until it is powered down. Another difference is that the kernel applications are responsible for the interaction between the computer peripherals and the user applications: they translate the commands inputted by the user through the user-installed applications into actions by the peripherals connected to the computer.
Embedded Operating System
An embedded operating system refers to an operating system that is customized to perform specific actions in a specified device. Embedded operating systems are tied to a specific device, which reduces their applicability to other types of devices (Jerraya and Wolf, 2005). An example of an embedded operating system is the operating system that is used in an Automated Teller Machine (ATM). This type of operating system can only be used in the ATM and cannot be implemented in another device, such as a video game console.
Operating systems are examples of computer software that are part of the overall information system architecture. Apart from computer software, an information system architecture is composed of hardware, networks, data, and human resources. Cloud computing is one of the emerging network architectures. In cloud computing, the data in the network is stored and processed on servers that are accessed remotely through the internet. The different models of cloud computing include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). (Subashini and Kavitha, 2011) Advancements in technology have also made other cloud computing models possible. These models include Security as a Service, Database as a Service (DaaS), and Containers as a Service (CaaS). By providing different cloud services, cloud computing removes the need for an organization to acquire the components to support the different services. This not only reduces the cost incurred by the organization but also increases the ability of the organization to grow.
Windows Vulnerabilities
Vulnerabilities in an operating system make it possible for attackers to exploit them and perform different attacks in the computer system. The popularity of the Windows operating system means that it is the most likely operating system to get attacked by attackers. Different security vulnerabilities in Windows operating systems can be exploited by attackers. These vulnerabilities can range from a lack of authentication to SQL injections. An example of a popular vulnerability in Windows is enabled by the autoplay feature of the operating system. This feature allows the computer to automatically run the commands in removable storage devices that are connected to the computer. Attackers can make use of this feature to run malicious applications on a computer. (Sharma, Kumar, and Sharma, 2011)
Linux Vulnerabilities
Since the Linux operating system is open source, there are different versions of the operating system. The availability of different versions of the operating system is an added advantage since attackers might have a difficult time identifying the vulnerabilities in the different versions. This results in a reduced number of vulnerabilities in the Linux operating system when compared to the Windows operating system. However, the Linux operating system is not fully invulnerable. As an open-source operating system, the developers are not keen on providing the required security patches. Similarly, the applications that run on the operating system might lack updated security measures and this is a security vulnerability that can be used by attackers.
Mac Operating System and Mobile Devices Vulnerabilities
Similar to the Linux operating system, the Mac operating system has fewer vulnerabilities than the Windows operating system. One of the vulnerabilities that affect the Mac operating system is unpatched security flaws. Winder (2019) provides an example of such a vulnerability: unverified applications can be installed on a computer by circumventing the Gatekeeper feature. This vulnerability can allow users to be tricked by attackers into installing a malicious application on their computers.
Mobile devices are also vulnerable to different attacks. Some of the vulnerabilities that are found in operating systems such as Windows, Linux, and macOS can also be found on mobile devices. An example of these vulnerabilities is the lack of updated security patches. This enables attackers to gain easy access to mobile devices. Ismail (2017) notes that the different vulnerabilities found on mobile devices can be attributed to jailbreaking or rooting of the device. The jailbreaking or rooting of a mobile device makes it possible for the user to install different applications from unofficial platforms. The installed applications can contain malicious code, which can reduce the security of the mobile device.
Injection Vulnerabilities
Injection vulnerabilities are exploited through the inclusion of malicious code in the execution of an application. This changes the way the application is executed and can result in the attacker gaining unauthorized access to a system. An example of an injection vulnerability is SQL injection. SQL injections mainly focus on identifying the vulnerabilities in a database. The vulnerabilities are likely to occur when the input validation of the system is not configured correctly (Boyd and Keromytis, 2004). Another example of an injection vulnerability is XML injection. In this attack, the attacker changes the way the XML application functions so that it behaves in a manner intended by the attacker (Jan, Nguyen, and Briand, 2016).
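The two injection types described above, each shown in a form that trusts its input and in a corrected form. This is an added example, not part of the original report; the table, the profile document, the function names and both sample inputs are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample inputs: text that carries SQL or XML syntax inside a value.
SQL_INPUT = "nobody' OR '1'='1"
XML_INPUT = "eve</name><role>admin</role><name>eve"


def make_db():
    """Build an in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, name):
    # The value is pasted into the SQL text, so a quote in it becomes SQL syntax.
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    # The value is bound separately from the statement and stays plain data.
    query = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def profile_xml_vulnerable(display_name):
    # String concatenation lets markup in the value add new elements.
    return ("<profile><name>" + display_name +
            "</name><role>user</role></profile>")


def profile_xml_safe(display_name):
    # ElementTree escapes <, > and & in element text when it serializes.
    root = ET.Element("profile")
    ET.SubElement(root, "name").text = display_name
    ET.SubElement(root, "role").text = "user"
    return ET.tostring(root, encoding="unicode")


def roles_in(xml_text):
    """Return every <role> value the receiving parser would see."""
    return [role.text for role in ET.fromstring(xml_text).iter("role")]


def name_in(xml_text):
    """Return the first <name> value the receiving parser would see."""
    return ET.fromstring(xml_text).find("name").text


if __name__ == "__main__":
    db = make_db()
    print("SQL, concatenated :", lookup_vulnerable(db, SQL_INPUT))
    print("SQL, parameterized:", lookup_parameterized(db, SQL_INPUT))
    print("XML, concatenated :", roles_in(profile_xml_vulnerable(XML_INPUT)))
    print("XML, built by API :", roles_in(profile_xml_safe(XML_INPUT)))
```

In the corrected forms the same input is stored or matched as an ordinary string: the parameterized query finds no user with that name, and the XML document still contains a single role.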
Security Awareness Technologies
Intrusion into a computer system can result in the attackers damaging the system, stealing confidential data or even modifying the data in the system. Some of the security measures that can be implemented in the system include intrusion detection systems (IDS) and intrusion prevention systems (IPS). An intrusion detection system is used to identify the different attempts to gain unauthorized access to the system. When the IDS detects such attempts, it notifies the system administrator, who puts in place measures to stop the attacks. (Ashoor and Gore, 2011) An intrusion prevention system is also involved in the identification of possible threats in the system. However, unlike the IDS, the IPS is also capable of preventing attacks from being executed in the system. (Ashoor and Gore, 2011) The use of intrusion detection systems and intrusion prevention systems provides a security layer that hinders unauthorized access into a system.
Why Corporate and Government Systems are Targets
There are different reasons why attackers target corporate and government systems. One of the reasons is that the attackers are hacktivists and are trying to make a statement against the operations of the corporation or the government agency. The different operations of the government body or the corporation can motivate the attackers to compromise their computer systems. The corporate and government systems can also become targets of attacks from disgruntled former employees. Additionally, the systems are targeted by attackers due to the high potential returns after the attacks. When attacks such as ransomware are successful, the potential returns from corporate and government agencies are high; hence, the attackers prefer attacking their systems instead of attacking systems that would not result in high returns.
Vulnerability Scan Windows Operating System
The tool used to conduct the vulnerability scan in the Windows operating system is the Microsoft Baseline Security Analyzer (MBSA). The use of MBSA made it possible to detect the different vulnerabilities in the system. An example of a vulnerability checked by the tool is the presence of multiple administrators. The scan confirmed that there was only one administrator in the system. When checking for weak passwords in the system, the tool showed that the guest user accounts in the system did not have passwords. The MBSA was also used to check the security updates in the system. The tool identified that different security updates were needed in the system. The MBSA also provided an option for correcting the different vulnerabilities identified in the system.
Vulnerability Scan Linux Operating System
The vulnerability scan in the Linux operating system was conducted using the OpenVAS tool. One of the benefits of using the OpenVAS tool is that it provides a ranking of the severity of each vulnerability in the system. Some of the identified vulnerabilities in the system included the PostgreSQL weak password, MySQL weak password, possible backdoor: Ingreslock, and VNC Brute Force login. The OpenVAS tool, similar to the MBSA, also proposed solutions to the vulnerabilities identified. One of the solutions to the possible Ingreslock backdoor was to close the Ingreslock port. The proposed solution to the weak PostgreSQL and MySQL passwords was to impose a more secure password strategy.
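One way to confirm the remediation after the scan, as an added example that is not part of the original report or of OpenVAS: it reads the output of `ss -ltn` and reports which of the services named in the findings are still listening and whether they are reachable from the network. The port numbers are the services' usual defaults (an assumption about the scanned host), and both sample outputs are constructed.

```python
import ipaddress

# Default TCP ports of the services named in the scan findings (assumed defaults).
WATCHED = {
    1524: "Ingreslock (possible backdoor): close the port",
    5432: "PostgreSQL (weak password): impose a stronger password strategy",
    3306: "MySQL (weak password): impose a stronger password strategy",
    5900: "VNC (brute-force login finding)",
}

# Constructed `ss -ltn` output for a host before remediation.
BEFORE = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       5              0.0.0.0:1524         0.0.0.0:*
LISTEN  0       80           127.0.0.1:3306         0.0.0.0:*
LISTEN  0       244            0.0.0.0:5432         0.0.0.0:*
LISTEN  0       5                 [::]:5900            [::]:*
"""

# Constructed output after the Ingreslock port has been closed.
AFTER = "\n".join(l for l in BEFORE.splitlines() if ":1524 " not in l)


def is_loopback(addr):
    """True when a listener is bound only to the local machine."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and "%iface"
    if addr == "*":                         # wildcard bind: all interfaces
        return False
    return ipaddress.ip_address(addr).is_loopback


def open_findings(ss_output):
    """Return (port, scope, note) for every watched port that is listening."""
    results = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                        # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in WATCHED:
            continue
        scope = "loopback only" if is_loopback(addr) else "network reachable"
        results.append((int(port), scope, WATCHED[int(port)]))
    return sorted(results)


if __name__ == "__main__":
    for label, output in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for port, scope, note in open_findings(output):
            print(f"  {port:>5}  {scope:<17}  {note}")
```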
Conclusion
Different security vulnerabilities were identified during the scan. Most of the vulnerabilities included the lack of passwords or the use of weak passwords. These security vulnerabilities make it possible for attackers to gain access to a system. The recommended solution to fix the different vulnerabilities is conducting user training on the importance of the creation and use of strong passwords. Another recommendation is the installation of security updates and other security measures such as firewalls.
References
Ashoor, A. S., & Gore, S. (2011, July). Difference between intrusion detection system (IDS) and intrusion prevention system (IPS). In International Conference on Network Security and Applications (pp. 497-501). Springer, Berlin, Heidelberg.
Boyd, S. W., & Keromytis, A. D. (2004, June). SQLrand: Preventing SQL injection attacks. In International Conference on Applied Cryptography and Network Security (pp. 292-302). Springer, Berlin, Heidelberg.
Ismail, N. (2017, February 21). Common security vulnerabilities of mobile devices. Retrieved October 13, 2019, from https://www.information-age.com/security-vulnerabilities-mobile-devices-123464616/.
Jan, S., Nguyen, C. D., & Briand, L. C. (2016, July). Automated and effective testing of web services for XML injection attacks. In Proceedings of the 25th International Symposium on Software Testing and Analysis (pp. 12-23). ACM.
Jerraya, A. A., & Wolf, W. (2005). Hardware/software interface codesign for embedded systems. Computer, 38(2), 63-69.
Sharma, G., Kumar, A., & Sharma, V. (2011). Windows operating system vulnerabilities. International Journal of Computing and Corporate Research, 1(3).
Silberschatz, A., Gagne, G., & Galvin, P. B. (2018). Operating system concepts. Wiley.
Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), 1-11.
Types of Information Systems – Components and Classification of Information Systems. (n.d.). Retrieved October 12, 2019, from https://www.managementstudyguide.com/types-of-information-systems.htm.
Winder, D. (2019, May 26). Unpatched Apple macOS Vulnerability Lets Malicious Apps Run — What You Need To Know. Retrieved October 13, 2019, from https://www.forbes.com/sites/daveywinder/2019/05/26/unpatched-apple-macos-vulnerability-lets-malicious-apps-run-what-you-need-to-know/#7d00bbc666d5.
Question
The operating system (OS) of an information system contains the software that executes the critical functions of the information system. The OS manages the computer’s memory, processes, and all of its software and hardware. It allows different programs to run simultaneously and access the computer’s memory, central processing unit, and storage. The OS coordinates all these activities and ensures that sufficient resources are applied. These are the fundamental processes of the information system, and if they are violated by a security breach or exploited vulnerability, they have the potential to have the biggest impact on your organization.
Security for operating systems consists of protecting the OS components from attacks that could cause deletion, modification, or destruction of the operating system. Threats to an OS could consist of a breach of confidential information, unauthorized modification of data, or unauthorized destruction of data. It is the job of the cybersecurity engineer to understand the operations and vulnerabilities of the OS (whether it is a Microsoft, Linux, or another type of OS) and to provide mitigation, remediation, and defense against threats that would expose those vulnerabilities or attack the OS.
There are six steps that will help you create your final deliverables. The deliverables for this project are as follows:
- Security Assessment Report (SAR): This report should be a 7-8 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Nontechnical presentation: This is a set of 8-10 PowerPoint slides for upper management that summarize your thoughts regarding the findings in your SAR.
Step 1: Defining the OS
The audience for your security assessment report (SAR) is the leadership of your organization, which is made up of technical and non-technical staff. Some of your audience will be unfamiliar with operating systems (OS). As such, you will begin your report with a brief explanation of operating systems fundamentals and the types of information systems.
Click on and read the following resources that provide essential information you need to know before creating a thorough and accurate OS explanation:
- operating systems fundamentals
- the applications of the OS
- The Embedded OS
- information system architecture
- cloud computing
- web architecture
After reviewing the resources, begin drafting the OS overview to incorporate the following:
- Explain the user’s role in an OS.
- Explain the differences between OS kernel applications and the applications installed by an organization or user.
- Describe the embedded OS.
- Describe how the systems fit in the overall information system architecture, of which cloud computing is an emerging, distributed computing network architecture.
Include a brief definition of operating systems and information systems in your SAR.
Step 2: OS Vulnerabilities
You just summarized operating systems and information systems for leadership. In your mind, you can already hear leadership saying, “So what?” The organization’s leaders are not well versed in operating systems and the threats and vulnerabilities in operating systems, so in your SAR, you decide to include an explanation of the advantages and disadvantages of the different operating systems and their known vulnerabilities.
Prepare by first reviewing the different types of vulnerabilities and intrusions explained in these resources:
- Windows vulnerabilities
- Linux vulnerabilities
- Mac OS vulnerabilities
- SQL PL/SQL, XML and other injections
Based on what you gathered from the resources, compose the OS vulnerability section of the SAR. Be sure to:
- Explain Windows vulnerabilities and Linux vulnerabilities.
- Explain the Mac OS vulnerabilities and vulnerabilities of mobile devices.
- Explain the motives and methods for the intrusion of the MS and Linux operating systems.
- Explain the types of security awareness technologies, such as intrusion detection and intrusion prevention systems.
- Describe how and why different corporate and government systems are targets.
- Describe different types of intrusions such as SQL PL/SQL, XML, and other injections.
You will provide leadership with a brief overview of vulnerabilities in your SAR.
Step 3: Preparing for the Vulnerability Scan
You have just finished defining the vulnerabilities an OS can have. Soon, you will perform vulnerability scanning and vulnerability assessments on the security posture of the organization’s operating systems. But first, consider your plan of action. Read these two resources to be sure you fully grasp the purpose, goals, objectives, and execution of vulnerability assessments and security updates:
- Vulnerability assessments
- Patches
Then, provide the leadership with the following:
- Include a description of the methodology you proposed to assess the vulnerabilities of the operating systems. Provide an explanation and reasoning of how the methodology you propose will determine the existence of those vulnerabilities in the organization’s OS.
- Include a description of the applicable tools to be used, and the limitations of the tools and analyses, if any. Provide an explanation and reasoning of how the applicable tools to be used you propose will determine the existence of those vulnerabilities in the organization’s OS.
- Include the projected findings from using these vulnerability assessment tools.
In your report, discuss the strength of passwords, any Internet Information Services’ administrative vulnerabilities, SQL server administrative vulnerabilities, and other security updates and management of patches, as they relate to OS vulnerabilities.
Step 4: Vulnerability Assessment Tools for OS and Applications
Security and vulnerability assessment analysis tools, such as Microsoft Baseline Security Analyzer (MBSA) for Windows OS and OpenVAS for Linux OS, are stand-alone tools designed to provide a streamlined method for identifying common security misconfigurations and missing security updates for the operating systems and applications. These tools work on layers 5-7 of the Open System Interconnection (OSI) model.
Your leadership will want to understand the differences and commonalities in the capabilities of both tools and will want this included in the SAR.
Use the tools’ built-in checks to complete the following for Windows OS (e.g., using Microsoft Baseline Security Analyzer, MBSA):
- Determine if Windows administrative vulnerabilities are present.
- Determine if weak passwords are being used on Windows accounts.
- Report which security updates are required on each individual system.
- You noticed that the tool you used for Windows OS (i.e., MBSA) provides a dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other grouping.
- Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment. In this case, a tool such as MBSA will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML.
You will also complete a similar exercise for Linux OS (e.g., using the OpenVAS tool). Select the following links to learn more about OpenVAS and computer networks:
- OpenVAS
- Computer Networks
Utilize the OpenVAS tool to complete the following:
- Determine if Linux vulnerabilities are present.
- Determine if weak passwords are being used on Linux systems.
- Determine which security updates are required for the Linux systems.
- You noticed that the tool you used for Linux OS (i.e., OpenVAS) provides a dynamic assessment of missing security updates. MBSA provides a dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other grouping.
- Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment.
Knowledge acquired from this Workspace exercise and capability of this tool will help your company’s client organizations secure the computer networks’ resources and protect corporate data from being stolen.
Validate and record the benefits of using these types of tools. You will include this in the SAR.
Step 5: The Security Assessment Report
By utilizing security vulnerability assessment tools, such as MBSA and OpenVAS, you now have a better understanding of your system’s security status. Based on the results provided by these tools, as well as your learning from the previous steps, you will create the Security Assessment Report (SAR).
In your report to the leadership, emphasize the benefits of using a free security tool such as MBSA. Then make a recommendation for using these types of tools (i.e., MBSA and OpenVAS), including the results you found for both.
Remember to include these analyses and conclusions in the SAR deliverable:
- After you provide a description of the methodology you used to make your security assessment, you will provide the actual data from the tools, the status of security and patch updates, security recommendations, and offer specific remediation guidance, to your senior leadership.
- You will include any risk assessments associated with the security recommendations, and propose ways to address the risk either by accepting the risk, transferring the risk, mitigating the risk, or eliminating the risk.
Include your SAR in your final deliverable to leadership.
Step 6: The Presentation
Based on what you have learned in the previous steps and your SAR, you will also develop a presentation for your company’s leadership.
Your upper-level management team is not interested in the technical report you generated from your Workspace exercise. They are more interested in the bottom line. You must help these nontechnical leaders understand the very technical vulnerabilities you have discovered. They need to clearly see what actions they must either take or approve. The following are a few questions to consider when creating your nontechnical presentation:
- How do you present your technical findings succinctly to a nontechnical audience? Your Workspace exercise report will span many pages, but you will probably not have more than 30 minutes for your presentation and follow-up discussion.
- How do you describe the most serious risks factually but without sounding too temperamental? No one likes to hear that their entire network has been hacked, data has been stolen, and the attackers have won. You will need to describe the seriousness of your findings while also assuring upper-level management that these are not uncommon occurrences today.
- How do your Workspace exercise results affect business operations? Make sure you are presenting these very technical results in business terms that upper-level management will understand.
- Be very clear on what you propose or recommend. Upper-level management will want to not only understand what you discovered; they will want to know what you propose as a solution. They will want to know what decisions they need to make based on your findings.
Your goal for the presentation is to convince the leadership that adopting a security vulnerability assessment tool (such as MBSA) and providing an extra security layer is a must for the company.
The deliverables for this project are as follows:
- Security Assessment Report (SAR): This report should be a 7-8 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Nontechnical presentation: This is a set of 8-10 PowerPoint slides for upper management that summarizes your thoughts regarding the findings in your SAR.
- In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.