1. Potential malicious attacks: three specific


1. Potential Malicious Attacks

Three specific potential malicious attacks that could be carried out against the organization's network structure are a passive attack, an active attack, and a phishing attack. The passive attack would monitor unencrypted traffic and look for sensitive information and cleartext passwords, so that the acquired information can be used for further attacks. This attack would analyze traffic, monitor unprotected communications, decrypt weakly encrypted traffic, and acquire authentication data such as passwords. The active attack against the organization's network infrastructure would try to break into secure systems (using worms, viruses, etc.) to circumvent the features that protect the network in an attempt to modify or steal information, or introduce malicious code (Shabtai et al., 2012). The phishing attack would create a fake web site that appears similar to a well-known website and send a message or e-mail to try to trick the user into visiting the site, then use a dialog box to record the username and password if the user attempts to log on.
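The passive-attack exposure described above can be measured from the defender's side. The following added example (not part of the original report) audits captured HTTP requests and reports which ones carry credentials that a passive observer could read; the capture format, host name and field-name list are assumptions, and the sample requests are constructed.

```python
import base64
from urllib.parse import parse_qsl

# Form-field names treated as credentials (assumed list; extend per application).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "token"}

def audit_request(scheme, raw_request):
    """Return findings for one captured HTTP request (scheme: 'http' or 'https')."""
    if scheme != "http":
        return []  # TLS-protected: not readable by a passive observer
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ", 2)[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64-encoded; report the user, never the secret.
        try:
            decoded = base64.b64decode(auth[6:], validate=True)
            user = decoded.decode("utf-8", "replace").partition(":")[0]
        except ValueError:
            user = "?"
        findings.append(("basic-auth", user))
    pairs = parse_qsl(target.partition("?")[2], keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs += parse_qsl(body, keep_blank_values=True)
    for key, _value in pairs:
        if key.lower() in SECRET_FIELDS:
            findings.append(("cleartext-field", key))
    return findings

# Constructed sample captures (hypothetical host and accounts).
CAPTURES = [
    ("http", "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=alice&password=not-a-real-secret"),
    ("http", "GET /reports HTTP/1.1\r\nHost: intranet.example\r\n"
             "Authorization: Basic " + base64.b64encode(b"bob:example").decode() + "\r\n\r\n"),
    ("https", "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=carol&password=x"),
    ("http", "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

def audit_all(captures):
    return [(i, f) for i, (scheme, raw) in enumerate(captures) for f in audit_request(scheme, raw)]

if __name__ == "__main__":
    for idx, finding in audit_all(CAPTURES):
        print(idx, finding)
```

Every finding marks a login path that should be moved to HTTPS; the same form submitted over TLS (the third capture) produces none.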

2. Potential Impact of Malicious Attacks

Using a passive attack, a hacker could record the authentication data of users (i.e. passwords) and disclose data files or other private information of the user without the user's knowledge or consent. The active attack could result in the dissemination or disclosure of data files or the modification of data. Moreover, the phishing attack could lead to the disclosure of account information such as the username and password (Shabtai et al., 2012). Thus, malicious attacks would have a high impact on the end users of the organization's network structure.

3. Security Controls

In order to protect the organization's network infrastructure from malicious attacks, the organization has to design a safer network. Nowadays, anyone can attack the network structure just by downloading software from the internet. The availability of this software has substantially increased the number of attacks on the network structure of organizations. The easiest way to protect the organization's network infrastructure is by closing the network completely from the external world. A better and adequately closed network would provide connectivity only to internal employees (Phua, 2013). Moreover, the network should allow employees to visit only sites related to their job so they do not visit web sites which may harm the organization's network infrastructure.

4. Concerns for Data Theft and Data Loss

The three potential concerns for data theft and data loss that may exist in the organization's network structure include unauthorized use of applications, misuse of corporate systems, and misuse of passwords (Ouellet, 2012). Most IT professionals believe that the use of unauthorized applications or programs is the main reason behind data loss incidents in an organization. The use of personal email is an example of such unauthorized use. Social network sites (also banned) are also commonly used within organizations. Other unauthorized applications include instant messaging, online shopping, and online banking applications or web sites. The misuse or sharing of corporate computer systems without authorization or supervision can also lead to data loss or disclosure of the organization's private information. Additionally, deliberate infiltration of the corporate system by employees to alter its settings can lead to data theft or loss (Ouellet, 2012). Some restricted activities include watching/downloading porn, online gambling, paying bills and downloading music or movies. These actions of internal employees expose the computer systems to hackers who take advantage through phishing or other methods. The sharing of passwords is another reason behind data loss incidents. Usernames and passwords are provided to each employee so corporate systems are secure and can be monitored, but when employees share their information with others it leaves the company at risk. A large number of employees engage in these actions, so it is the responsibility of the organization to make employees aware of these potential dangers and enforce compliance with standards.

5. Potential Impact of Data Loss

There are various types of data involved in organizational operations. These include client data, internal process data, customer accounting data, customer relationship data, marketing materials, and correspondence data. The main potential impact of data loss or data theft is privacy loss. Every organization has its own confidential information, which may include authenticated usernames or passwords, private marketing strategies, recipes of products, or information about the various stakeholders. The loss of sensitive data can also create a feeling of distrust in the minds of stakeholders and decrease the profitability and reputation of an organization (Ouellet, 2012). Data theft or data loss can also lead the organization to its end, as privacy is at times the only thing that separates the company from its competitors or rival companies.

6. Security Controls

The security controls for preventing data theft or data loss are similar to those for preventing malicious attacks on an organization's network infrastructure. However, the organization can also prevent data loss through adequate management, monitoring and protection standards. Organizations have to put forth policies regarding data usage so that end users properly use the network and don't violate the standards, which may lead to data loss or data theft. The issue of data loss should not be considered just a technological issue but also a policy management issue. Employees engage in unauthorized actions, thus it is the responsibility of the organization to make employees aware of the security issue so that they act accordingly and the privacy of the organization is maintained (Phua, 2013). The sensitive or private data within an organization include client data, internal process data, customer accounting data, customer relationship data, marketing materials, and correspondence data. The data usage policies of an organization should be able to address the fundamental issues so that access to data is authenticated for each employee. The functionalities of end users have to be efficiently managed so that in the event of data loss, it is reported as soon as possible. The sensitivity of the organization's private data is to be properly ensured. The use of the organization's private data is to be correctly monitored so that the organization has visibility into it. The organization also has to inspect network communications properly so that if any violation occurs, it can act accordingly. Effective monitoring refers to oversight of the use of CDs, pen drives or downloads. Monitoring is necessary as internal employees may also be responsible for data theft and data loss in an organization. Finally, the security policies of an organization need to be enforced strictly.

The strict enforcement of policies ensures the prevention of the loss of privacy or private data (Phua, 2013). The organization can achieve this by using automatic protection software which safeguards private data or information across the storage systems, networks and endpoints. Moreover, restricting the downloading, moving, accessing, copying, saving and printing of sensitive data can ensure the privacy of organizational data and reduce the cases of data theft or data loss in an organization.

Identifying Potential Risk, Response, and Recovery

A videogame development company recently hired you as an Information Security Engineer. After viewing a growing number of reports detailing malicious activity, the CIO requested that you draft a report in which you identify potential malicious attacks and threats specific to your organization. She asked you to include a brief explanation of each item and the potential impact it could have on the organization.

After reviewing your report, the CIO requests that you develop a follow-up plan detailing a strategy for addressing all risks (i.e., risk mitigation, risk assignment, risk acceptance, or risk avoidance) identified in Assignment 1. Further, your plan should identify controls (i.e., administrative, preventative, detective, and corrective) that the company will use to mitigate each risk previously identified.

Write a four to five (4-5) page paper in which you:

1. For each of the three or more malicious attacks and / or threats that you identified in Assignment 1, choose a strategy for addressing the associated risk (i.e., risk mitigation, risk assignment, risk acceptance, or risk avoidance). Explain your rationale.

2. For each of the three or more malicious attacks and / or threats identified in Assignment 1, develop potential controls (i.e., administrative, preventative, detective, and corrective) that the company could use to mitigate each associated risk.

3. Explain in detail why you believe the risk management, control identification, and selection processes are so important, specifically in this organization.

4. Draft a one page Executive Summary that details your strategies and recommendations to the CIO (Note: The Executive Summary is included in the assignment's length requirements).

5. Use at least three (3) quality resources in this assignment (no more than 2-3 years old) from material outside the textbook.
