In my recent college class, Network and Information Security, I was tasked with analysing a company and identifying its information assets and the threats to it. So, I decided to write it up here.
Before we jump in, I will briefly explain what I have learned so far about Network and Information Security.
I will rephrase the definition from Satzinger, Jackson and Burd.
An Information System is a group of components that are linked to one another for the purpose of gathering, processing and storing information that can be used as output to solve a business problem (Satzinger, Jackson, Burd: 2010).
An asset, in terms of an Information System, is something important that serves as a fundamental building block of the system.
Assets are categorised into:
- Application software
- System software
A threat is an action or event in a company that can occur in the form of harm, resulting in losses. The losses can be in money or costs, energy or effort, and even opportunity, good reputation, or bankruptcy.
The categories of threats:
- Human resources failures
- Hardware failures
- Software failures
- External threats
- Internal threats
Information is valued by people if it can be trusted for:
Now, back to the task. The company I picked is a local Indonesian hosting company named Rumahweb.
Rumahweb - Painless hosting solution, is a Platform as a Service (PaaS) provider that offers web hosting as well as domain registration, focusing on low to mid-level online businesses (https://www.rumahweb.com/).
I am not trying to promote Rumahweb, but it is worth checking out due to its low cost for development testing. So, let us analyse the assets and the threats of Rumahweb.
As a platform service, they surely have a lot of personnel. Let's just mention several of them: customer support, accountants, and probably a whole IT department with roles such as IT support, Database Administrator, Back End Developer, Front End Developer and more.
The hardware is server computers running a lot of VMs, and also a datacenter to store customers' data. It can be independent servers, or a partnership with a bigger cloud company like AWS, Alibaba, Litespeed, Google Cloud or Digital Ocean.
In the client area, it provides a web-based cPanel application with tools and utilities.
Rumahweb provides Virtual Private Servers (VPS) to handle system-level business requirements.
They store clients' application data, the company's critical data, and other internal data such as financial data and service documentation.
The essential company facility of Rumahweb is the office building. They have 2 buildings, a headquarters and a branch, located in Yogyakarta and Jakarta respectively.
The supporting or helper assets of Rumahweb are the Indonesian laws that protect the clients' data and the eligibility of the company itself.
No system is safe
No matter how secure a system is, a failure can happen. Especially at the human level, social engineering is a common threat, with a severity that depends on the target and the data leaked.
At a hosting provider, a failure can typically come from non-IT staff due to social engineering. That does not mean IT staff are unlikely to be affected.
Hardware failures can happen, such as server overheating, unnoticed hardware damage, or low-quality hardware. I cannot think of any more examples.
This category of failures is a common one among many companies. It can be caused by a missed User Experience implementation, outdated applications, and a poor user interface.
In a hosting provider scenario, the bad actor is going to target the clients of the hosting provider, because the client is the first layer of the attack.
The threats can be Remote Code Execution due to a poor web application deployed to the hosting, phishing, DDoS, or malware that steals users' access tokens.
Internal threats from the perspective of the company would be sabotage, human error, and non-technical problems among the staff.
The financial threat to Rumahweb would be being unable to afford the infrastructure to scale with clients' businesses, whether due to financial miscalculation, partner regulations, or a wrong financial strategy.
Another would be losing to its competitors.
This one is an easy analysis: if Rumahweb relies only on regional or national data centres, the natural threats would be a flood or an earthquake, because those are the most common disasters that occur in Indonesia.
Well, that wraps it all up. I am sorry if you ended up reading this far and did not find it useful. I wrote this as part of my college assignment, so enjoy.
I hope you learn something new, thank you.