BYOD Risk Assessment

The foremost determination of this security consultation report focusses on the cyber security issues related with the Southern Cross University. The paper focuses on the cyber security threats faced by the educational institution and the new policy adopted by the college authority is causing lots of problems regarding the security issues of both the students and the college authorities. The risks from the new policies are considered in this document with prime importance. Based upon the security issues as a cyber security consultant few recommendations are suggested to the college authorities. The top cyber threats faced by the college is discussed which will be helping the readers of this document to get along with all the possible risks associated with that particular issue. The different aspects of the top most threat are examined in the later sections of this consultation report. The document also guides its readers the methods by which the cyber risks are mitigated.

This section of the report will be focussing on the importance of the risk assessment policy adopted by the college authorities of Southern Cross University. The most critical components of the university information system is the admin module of the official website where all the shareholders of the college accesses, any sort of data alteration may cause huge damage to both the reputation of the college as well as for the future of the students (Crossler et al., 2014). The other important component is the library management system incorporated in the student module of the website, it has all the examination schedules, syllabus according to the required departments, all the previous marksheets and other essential documents. Any changes in the data of this particular module will have a direct negative impact on the university status (Byrom et al., 2018). The threats may come from the internal stakeholders of the college authorities as well as from external influence also. The internal stakeholders include all the users who are accessing the university portals and the external influence comes from the third parties who have the limited access to the university portals. The third parties may alter data for their personal benefits.  The new BRING YOUR OWN DEVICE policy adopted by the college has some security concerns as it increases the chances of the intrusion and other criminal activities (Afreen, 2014). This policy will be very much insecure for the college authorities as wide range of personal devices will be connected to the college systems as it may have a negative impact on the security of the data. As a security consultant the issue related after the incorporation of the new policy is examined by the qualitative risk analysis. This technique used in the analysis is the brain storming as it can quantify the level of the risk and defer the risk mitigation process so that the organisation does not face similar situations due to the same issue (Dhingra, 2016). The risk assessment process involves development of a security panel who will be dedicatedly focussed on the cyber security issues of the university, they will be harnessing all the possible cyber security threats and the threat agents manually as well as by the risk assessment software’s such as ballast (Garba et al., 2015). The other most significant objective of the security panel is to combine the likelihood and impact values of the risks in a specific matrix chain while is a very important step in managing the IS issue of any organisation (Bruder, 2014). After considering all the risk associated with the new policy it can be said that this policy is not at all suited for this organisation as it has more limitations than benefits.

Certificate-based Authentication

This section of the report will be focussing on the replacement of the existing password-based authentication schemes with the certificate-based authentication (O’Neill et al., 2017).  The password-based systems are very much insured these days as it involves the private key cryptography and the advanced threats have all the capabilities to impact the password-based systems (Zink & Waldvogel, 2017). The use of the public key cryptography along with the digital certificate for authentication purposes is one the main reasons behind its worldwide acceptance (Verma, Kumar & Sinha, 2016). The security issues related with the server is also mitigated with the use of the certificate-based authentication as the cybercriminal do not always validates their true identity in the network hence they will not be allowed to enter any private area so in a way it can be said the certificate-based authentication should be incorporated in to the systems of the university campus in order to maintain the security (Hendershot, 2016). There are differences between the two types of certificate authentication techniques such as:

Table 1: Difference between certificate based and password-based authentication

Created by the author

The server validation of these systems is generally done with the help of the digital certificates who makes the network more secure (Li, Mu & Zhang, 2018). The threats obtained after the incorporation of the new policy adopted by the authorities can be combatted using this certificate-based authentication as it will provide more security to the university network (Hinarejos et al., 2018). Considering all benefits, this type of authentication has few disadvantages such as the cost of maintenance is little bit on a higher side compared with the password-based authentication techniques (Lu et al., 2017). The other limitations of this techniques are the usability issue of the certificates.

This section of the paper will be focusing on the anti-spam guideline as spam is found to be the top threats of the university. The concept of Antispam arrived in 2003 when the Spam Act was passed in the Australian parliament which involves unsolicited commercial electronic messages sent by the spammers for their personal business and benefits. The spam messages consist of an email header an empty field, an invalid email address, malformed message ID, list of the recipients to and in cc and bcc (Rakhra & Kaur, 2018).  It consists of an illegal HTML page with out a plain text body part. The most common type of spam attack are the Negative SEO attack, Bots and DDoS attacks and email spam. It is very important for the stakeholders of the college authorities to know about the different techniques which handle the spam issues. One of the most important risk mitigating step of this process is the awareness of the issue as it solves half of the problems, people should be aware of all the messages they are replying to, they should not be clicking on untrusted links, the internal security of the university campus should be maintained with the help of the risk mitigating teams (Shin, 2018). The computer systems used in the college campus should be having improved security by installing the anti-spam applications. All these steps are very important for minimizing the threats obtained from the spam.

Anti-spam Guidelines

There are different techniques by which users can safely handle a spam attack as described below:

Users should not be buying anything from the spam messages, users should not be tempted to reply to all the spam messages, when the threatened messages are identified users should not threaten the spammers, avoid the unsubscribe option as it will notify the spammers, using of a disposable email address is the main way to avoid getting spammed (Sirivar & Wolch, 2017).

To manage the spammed messages users should use the blocker sender frequently (Alsaleh & Alarifi, 2016). All the unwanted marketing emails should be filtered and moved into specific folders before managing those fielders (Bushan & Lavanya, 2017). Attention should be paid to the technicalities so that the risks involved to the cyber securities can be effectively mitigated.

Conclusion

From the above security consultation report it can be concluded that there are different types of cyber security issues related with the network in a university campus. This guideline document helps in understanding the different types of issues related cybercrimes. The document is prepared from the perspective of a cyber security consultant. The new security policy adopted by the university is heavily criticized in this paper. The risks are analyzed by with regards to the BYOD policy. The paper also focused on the importance of the certificate-based authentication rather than the password-based authentication. All the differences between the two types of authentication methods are described in details. This document stressed on the top threat in terms of the spam. This report focuses on the development of a guideline for the university students and staff to combat with the threat. The guideline includes the definition of the spam and the different types of spam emails. The report also focuses on the different risk mitigation against the spam threats. Instructions are given to the IT administrators on the different ways to minimize the spam threats.  The anti-spam guideline is developed on the basis of the Spam Act 2003.

Reference

Afreen, R. (2014). Bring your own device (BYOD) in higher education: opportunities and challenges. International Journal of Emerging Trends & Technology in Computer Science, 3(1), 233-236.

Alsaleh, M., & Alarifi, A. (2016). Analysis of web spam for non-english content: toward more effective language-based classifiers. PloS one, 11(11), e0164383.

Bruder, P. (2014). Gadgets go to school: The benefits and risks of BYOD (bring your own device). The Education Digest, 80(3), 15.

Bushan, B. R., & Lavanya, A. J. (2017). PROTECTED ESTIMATION OF GUIDELINE CLASSIFICATION UNDER PHYSICAL ASSAULT. IJITR, 5(5), 7213-7220.

Byrom, B., Gwaltney, C., Slagle, A., Gnanasakthy, A., & Muehlhausen, W. (2018). Measurement Equivalence of Patient-Reported Outcome Measures Migrated to Electronic Formats: A Review of Evidence and Recommendations for Clinical Trials and Bring Your Own Device. Therapeutic innovation & regulatory science, 2168479018793369.

Crossler, R. E., Long, J. H., Loraas, T. M., & Trinkle, B. S. (2014). Understanding compliance with bring your own device policies utilizing protection motivation theory: Bridging the intention-behavior gap. Journal of Information Systems, 28(1), 209-226.

Dhingra, M. (2016). Legal issues in secure implementation of bring your own device (BYOD). Procedia Computer Science, 78, 179-184.

Garba, A. B., Armarego, J., Murray, D., & Kenworthy, W. (2015). Review of the information security and privacy challenges in Bring Your Own Device (BYOD) environments. Journal of Information privacy and security, 11(1), 38-54.

Hendershot, T. S. (2016). Towards Using Certificate-Based Authentication as a Defense Against Evil Twins in 802.11 Networks.

Hinarejos, M. F., Almenárez, F., Cabarcos, P. A., Ferrer-Gomila, J. L., & López, A. M. (2018). RiskLaine: A Probabilistic Approach for Assessing Risk in Certificate-Based Security. IEEE Transactions on Information Forensics and Security, 13(8), 1975-1988.

Li, S., Mu, Y., & Zhang, M. (2018). Certificate-based Smooth Projective Hashing and Its Applications. International Journal of Network Security, 20(2), 266-277.

Lu, Y., Zhang, Q., Li, J., & Shen, J. (2017). An Efficient Certificate-Based Authenticated Key Agreement Protocol without Bilinear Pairing. Information Technology And Control, 46(3), 345-359.

O’Neill, M., Heidbrink, S., Ruoti, S., Whitehead, J., Bunker, D., Dickinson, L., … & Zappala, D. (2017, August). Trustbase: An architecture to repair and strengthen certificate-based authentication. In Proc. of the USENIX Security Symposium (USENIX Security).

Patil, M. S., Megharaj, P. R., Sindhu, V., Sushma, H. S., & Sowmya, M. (2018). Secured Certificate Based Authentication. In 3rd National Conference on Image Processing, Computing, Communication, Networking and Data Analytics (p. 148).

Prasad, M., & Manoharan, R. (2017, January). A secure certificate based authentication to reduce overhead for heterogeneous wireless network. In Advanced Computing and Communication Systems (ICACCS), 2017 4th International Conference on (pp. 1-5). IEEE.

Rakhra, M., & Kaur, D. (2018, January). Studying user’s computer security behaviour in developing an effective antiphishing educational framework. In 2018 2nd International Conference on Inventive Systems and Control (ICISC) (pp. 832-836). IEEE.

Shin, J. (2018). Regulation against Nuisance Calls in Korea. International Information Institute (Tokyo). Information, 21(1), 41-50.

Sirivar, J., & Wolch, S. (2017). A Look at Canadian Privacy and Anti-Spam Laws. Def. Counsel J., 84, 1.

Verma, U. K., Kumar, S., & Sinha, D. (2016, March). A secure and efficient certificate based authentication protocol for MANET. In Circuit, Power and Computing Technologies (ICCPCT), 2016 International Conference on (pp. 1-7). IEEE.

Zink, T., & Waldvogel, M. (2017). X. 509 user certificate-based two-factor authentication for web applications.