Information Systems and Identity Management

Information systems are essential in keeping individuals connected to information, and they support communication and productivity for individuals and businesses in their daily tasks. While ease of access facilitates these activities, security and privacy risks create an opportunity for negative actors to prey upon weak security infrastructure and abuse access opportunities. Information security infrastructure must be closely monitored to ensure only authenticated users have access to proprietary information. Maintaining strict identity management processes creates a defense strategy that restricts proprietary information to those who are authorized and protects sensitive information.

Defining the Information System Infrastructure

ABC Hospital is a $150 million facility that is part of the Mayo Clinic Care Network and shares an intimate 75-year history with its immediate community in Northern Virginia. Their mission is to be the best health system, and key points in their vision include providing the highest quality clinical care, innovating in the use of information technology, and serving the healthcare needs of their community.

The hospital has acknowledged that a phishing cyber-attack gave unidentified attackers access to payroll account information. The attack came to light after an employee logged into her self-service human resources account and saw that her direct deposit bank information had been altered and redirected to an unknown bank account. It was discovered that approximately 25 other employees were also affected.

Organization Structure and Business Units

ABC Hospital is run by a CEO, a board of medical directors, and a board of administrative directors.

Mission Critical Systems

Payroll within the medical system is critical. To operate efficiently, hospitals must ensure that employees are paid promptly and correctly to retain and attract healthcare workers. It is important to secure this information, as details such as the employee’s social security number, tax information, bank routing numbers, and employee portal access credentials are considered extremely sensitive. Access to this information should be limited by IT personnel. Employees should be trained on basic security tactics to prevent common threats such as phishing, malware, and Trojan horse attacks.

Critical hardware, such as desktops, laptops, phones, tablets, and other storage components, should be monitored and secured. Computers, servers, and networks that store sensitive information should be kept in a place with restricted access and only given to individuals who are authorized. Any ports for removable media should be properly disabled as necessary. Protected information should be secured not only physically, but virtually as well through regular preventative software implementations and detailed IT policies and procedures.

Employee information is usually stored within the human resources department, beginning with the information collected from the initial online application on the hospital website. Once the candidate goes through their initial interviews in the recruiting department, information is manually inserted into the shared database with human resources. The OSI model provides one of the most basic ways to understand computer networking, allowing for seven layers of information to be processed between computers in an orderly manner. The TCP/IP model condenses these layers into five layers to make the transfer process smoother.

Threats and Remediation

Multiple threats exist within a hospital’s information system infrastructure. When ABC Hospital’s employee payroll information was stolen, it exemplified the hospital’s need to invest in a stronger information system infrastructure. Attempts at remediation include installing additional password authentication mechanisms.

CIA Triad

The CIA triad is a model that was designed to help security professionals prioritize goals. It consists of three parts that make up its acronym: confidentiality, integrity, and availability.

Vulnerabilities within ABC Hospital

Within this organization, the confidentiality and integrity of the employees’ information were compromised. The information was intercepted by an unauthorized party and was modified when the hacker changed the employees’ bank routing information to funnel their paychecks.

Insider Threat

Insider threats have a unique set of challenges because any employee can access information about the business and its security practices. These challenges must be properly leveraged and mitigated.   

Hacker Psychology

Hackers can be driven by military, political, or corporate motives, but within a hospital, most are financially motivated. Other psychological motivations can include improving their own skills or establishing dominance, credibility, and sometimes celebrity among their hacker peers.

Identity Management

Identity management is a method of authenticating users to ensure they have the proper access to applications, systems, and networks. This allows for controls to be implemented to limit access.

Authentication

Ensuring that the proper individuals are authenticated reduces the risk of a data breach. Passwords are used to control access and are the primary means of authenticating users. Organizations should enforce strong passwords that are changed at regular intervals to ensure they are protected. Setting up multi-factor authentication is another way to control access to secured information. This usually involves submitting more than one piece of information to verify that the individual is authorized. Usually it is done with a password, plus another piece of information, such as a security token or a piece of biometric information. Authorization by least privilege is a way of managing data so that individuals only have access to what they need, and no more.

Access Control

Access control is the process by which permissions are granted for given resources. There are different ways to achieve access control.

Access control lists correspond to a specified list of information that can be cross-referenced and associated with certain qualifiers. Role-based access controls are limited to the scope of the individual’s role in the organization. Database access control limits the number of actions or operations a user can perform in a computer system.
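The following is an added example, not part of the original paper, showing how role-based access control, least privilege, and a multi-factor check combine to gate the direct deposit change at the center of the ABC Hospital incident. The role names, permission names, user IDs, and the `authorize` function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission map (least privilege: each role gets only what it needs).
ROLE_PERMISSIONS = {
    "employee": {"view_own_paystub", "update_own_direct_deposit"},
    "payroll_clerk": {"view_any_paystub", "update_any_direct_deposit"},
    "it_support": {"reset_portal_password"},
}
# Permissions that apply only to the caller's own record.
OWN_ONLY = {"view_own_paystub", "update_own_direct_deposit"}
# Actions sensitive enough to require a second factor in the current session.
MFA_REQUIRED = {"update_own_direct_deposit", "update_any_direct_deposit"}


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset
    mfa_verified: bool  # True only after a token or biometric check succeeded


def authorize(session, action, target_user_id):
    """Return (allowed, reason) for one request. Anything not granted is denied."""
    granted = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    if action not in granted:
        return False, "role lacks permission"
    if action in OWN_ONLY and target_user_id != session.user_id:
        return False, "not the record owner"
    if action in MFA_REQUIRED and not session.mfa_verified:
        return False, "second factor required"
    return True, "ok"


def demo():
    """Run constructed sessions against the policy and return the decisions."""
    phished = Session("emp-1001", frozenset({"employee"}), mfa_verified=False)
    owner = Session("emp-1001", frozenset({"employee"}), mfa_verified=True)
    helpdesk = Session("it-0007", frozenset({"it_support"}), mfa_verified=True)
    return {
        # Password-only login, as with phished credentials: change is refused.
        "phished": authorize(phished, "update_own_direct_deposit", "emp-1001"),
        "owner": authorize(owner, "update_own_direct_deposit", "emp-1001"),
        "other_record": authorize(owner, "update_own_direct_deposit", "emp-2002"),
        "helpdesk": authorize(helpdesk, "update_any_direct_deposit", "emp-1001"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(case, decision)
```

A session established with a password alone can still view a paystub, but the bank detail change is refused until a second factor is verified.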

Password Cracking Tools

Password cracking tools use algorithms to systematically reveal passwords. One such tool is Cain and Abel, a password recovery tool that is used in both Windows and Linux based systems. It can analyze encrypted protocols, capture credentials, and uncover cached passwords. Another tool is Ophcrack, a password cracking tool that is based on the Windows operating system but can also be used on Linux or Mac systems. The benefit of these tools is that they can assist in evaluating system security concerns, but they can also be used by negative actors to infiltrate systems with minimal effort.

Workspace Exercise Results

Comparing Software

Cyberattacks

Attack 1 (description)

Attack 2 (description)

Speed

Length to crack password

Precision

Password Strength

Results

Two hash algorithms

Benefits

Antivirus Software

Malware Detection

Conclusion


Appendix A
