Organization Name: Insomniac Games
Purpose:
Insomniac Games is an American game development company founded by Ted Price in 1994. It was
originally named "Xtreme Software" but was renamed within a year because of copyright issues. Its current
name was picked from several brainstormed ideas, among them "Ragnarok" and "Ice Nine". It is a privately
owned company with roughly 275+ employees, its headquarters are in Burbank, California, and it has been
operating for about 24 years. The firm is part of the computer and video game industry and has created
well-known console games such as 2018's "Marvel's Spider-Man" along with earlier PlayStation titles such as
"Ratchet & Clank", "Spyro the Dragon", and the "Resistance" series.
Their mission is simple: to make the best video games out there. The founder, Ted Price, knew he
wanted to be in the video game industry since he was nine years old, and with the help of Universal Studios
he was able to make that dream come true. The company has gone through many ups and downs but, despite
its setbacks, it managed to keep its independence. It found that being controlled by another company would
be very frustrating, to the point that even when working with Sony, Insomniac made sure it retained complete
control. The company has received numerous awards, including "Best Small & Medium Companies to Work for
in America" in 2005, 2006, and 2007, and its game "Marvel's Spider-Man" was nominated for "Most Anticipated
Game" at the 2017 Game Awards.
Employees:
There are 275+ employees in total between the headquarters in Burbank, California and another
branch of the company in Durham, North Carolina. The main headquarters property is around 10,000 square
feet and serves as an administration and development facility. It includes two development offices, a design
facility, a couple of conference rooms, a computer/server center, a cafeteria, and a welcome area. The
departments are also separated by floor (IT on one floor, HR and Sales on another, etc.).
The employees in this company are well taken care of; the company has won many awards in this
area, such as "California's Best Places to Work" in 2008, rank 69 in "Best Workplaces for Millennials" in
2017, and rank 6 in "Best Small and Medium Workplaces in Southern California 2017".
These awards are well deserved, as the company perks include a fully stocked complimentary kitchen,
discounted gaming events, onsite fitness facilities, a full in-house masseuse, chiropractor and acupuncturist,
and good healthcare and benefits including dental and vision coverage. Employees are also rewarded for their
loyalty through a Seniority Award Program and a Loyalty Bonus Plan, which help employees stay true to the
company's goals and expectations.
The types of employees this company has include
● Senior Production Manager
● Associate DevOps Engineer
● Game Writers
● Game Designers
● Various Visual and Audio Artists
● QA Testers
● Game/Computer Programmers
● Researchers
● HR Generalists
● Chief Technology Officer (CTO)
● Chief People Officer (CPO)
● Chief Financial Officer (CFO)
● Chief Executive Officer (CEO)
● Chief Information Officer (CIO)
● Internal communicators
● IT Staff
Because it is a gaming company, it has more programmers, artists and designers than any other position.
From our research, the company appears to have few dedicated security professionals, and we found no
security-specific executive role (such as a CISO) alongside the CIO.
Departments:
IT
Sales
HR
Management
Production
Graphical Design
Audio Design
Finance
Merchandising
Development
Security
Internal Affairs
Assets:
1. Commercial Buildings: Office buildings and design studios.
2. Financial Services: Money management, accounting, insurance, investment funds, payroll.
3. Computer Assets: Computers and laptops, computer hardware, printers, software programs,
patents, monitors, tablets, mice, keyboards.
4. IT Assets: Any company-owned information.
5. Network Software and Hardware: Networking products (communication boards, modems, network
security devices, routers, LAN, WAN) and software (backup/archive/storage, business, database,
business intelligence, management, OS, security, visual and utility software).
6. Mail Servers: Mail transfer agent and mail router; sends and receives mail for local and remote
users.
7. Database Servers: Servers that house database applications and provide services to other
programs or computers through the client-server model.
8. Web Servers: A program or device that uses HTTP to serve the files that form web pages to users,
in response to their requests.
9. Application Software Licenses: Workstation licenses, proprietary licenses, end user
agreements.
10. Employees: People employed for wages or a salary.
11. System Admin: A person responsible for the upkeep, configuration, and operation of the
computer systems.
12. Proprietary Property: Something owned, or a brand, protected by intellectual property rights.
Threats/Attacks:
Sabotage/Vandalism: Hacktivists, destruction of property, DoS, arson
Technical Software Failures or Errors: Buffer overruns, cross-site scripting, command injection
Forces of Nature: Fire, floods, earthquakes, lightning, severe storms, snow
Software Attacks: Malware, viruses, worms, polymorphic threats, rootkits, trojans
Human Error (exploited through social engineering): Phishing, spear phishing, pretexting, information extortion
Espionage or Trespass: Hackers, social engineering
Compromises to Intellectual Property: Software piracy
Deviations in Quality of Service: Provider issues, blackouts
IA State and Goals:
This is a company whose information assurance (IA) program is still growing. We understand that the
company's client information, its assets, and the services it provides to clients are integral to its business
and must be appropriately secured. This can be done by reducing the risk of financial, reputational, and
operational damage to the company and by protecting clients from the growing risk of compromise and
information breach. The company's current approach to security is very narrow; it needs a program built
around information security as a whole (people, process and policy), rather than a set of purely technical
security goals.
INFORMATION SECURITY
Report 1 – Risk Management
Note: There was a miscommunication and Edward's initial work for the report was combined into what the
document is now; there is an attached file submitted with this document where you can see his initial
responses alone.
1. Risk Identification

Weighted Factor Asset Analysis Worksheet

Criterion weights (1-100): Criteria 1, Impact to Revenue = 30; Criteria 2, Impact to Profitability = 40;
Criteria 3, Impact to Public Image = 30 (total 100).

Information Asset              | Revenue (30) | Profitability (40) | Public Image (30) | Weighted Score
Commercial Buildings           | 0.4          | 0.5                | 0.3               | 41
Financial Services             | 0.8          | 0.9                | 0.6               | 78
Computer Assets                | 0.9          | 0.7                | 0.9               | 86
IT Assets                      | 1.0          | 1.0                | 0.9               | 97
Network Software and Hardware  | 1.0          | 1.0                | 0.7               | 91
Mail Servers                   | 0.4          | 0.3                | 0.2               | 30
Database Servers               | 1.0          | 1.0                | 1.0               | 100
Web Servers                    | 0.8          | 0.8                | 0.9               | 83
Application Software Licenses  | 0.8          | 0.7                | 0.7               | 73
Employees                      | 0.5          | 0.7                | 0.8               | 67

Weighted Score = 30 × Revenue factor + 40 × Profitability factor + 30 × Public Image factor.
(Check: the Computer Assets factors as listed, 0.9/0.7/0.9, compute to 82, not 86; the 86 carried into the
later worksheets corresponds to a profitability factor of 0.8. One of the two should be corrected.)

Written Explanation
1) The criteria you have chosen to use.
When looking at the information, the group agreed that profitability and revenue are very important
components of a business, both generally and financially. To continue being a fruitful game development
company, Insomniac Games must produce enough income to cover its physical and technological expenses and
still make a profit. Likewise, the company should protect and enhance its public image by giving fans and
employees alike the experience they are after.
2) The weighting of each criterion.
Each criterion has been assigned a weight showing its relative importance. After looking into the
company and at what we had in the proposal, we decided that profitability should rank highest, with a weight
of 40, while image and revenue each have a weight of 30. The three weights sum to 100, and the split is
fairly even because all three criteria carry substantial importance.
3) The value chosen for the impact on the criterion of losing the asset (from least to greatest)
Each asset has been assigned a score of 0.1-1.0 for each critical factor, with 0.1 the lowest and 1.0
the highest. Below is the list from lowest to highest total weighted score, to make the ranking easier to see.
● Mail Servers - 30
● Commercial Buildings - 41
● Employees - 67
● Application Software Licenses - 73
● Financial Services - 78
● Web Servers - 83
● Computer Assets - 86
● Network Software and Hardware - 91
● IT Assets - 97
● Database Servers - 100
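The weighted-score arithmetic above is easy to get wrong by hand, so it is worth reproducing mechanically. The following Python is an added example, not part of the original report: it recomputes Weighted Score = Σ weight × factor from the worksheet's own inputs, ranks the assets lowest to highest as in the list above, and reports any row whose printed score differs from the recomputed one. The factors, weights and printed scores are copied from the worksheet; the function and constant names are ours.

```python
"""Weighted factor asset analysis, recomputed from the worksheet inputs.

Added example (not from the original report). Weighted score is
sum(weight_i * factor_i) over the three criteria, on a 0-100 scale.
"""
from typing import Dict, List, Sequence, Tuple

# Criterion weights from the worksheet: revenue 30, profitability 40,
# public image 30. They must sum to 100 for the score to be out of 100.
WEIGHTS: Tuple[int, int, int] = (30, 40, 30)

# Impact factors (0.1-1.0) per asset, in the order revenue, profitability,
# public image, copied from the worksheet.
ASSET_FACTORS: Dict[str, Tuple[float, float, float]] = {
    "Commercial Buildings": (0.4, 0.5, 0.3),
    "Financial Services": (0.8, 0.9, 0.6),
    "Computer Assets": (0.9, 0.7, 0.9),
    "IT Assets": (1.0, 1.0, 0.9),
    "Network Software and Hardware": (1.0, 1.0, 0.7),
    "Mail Servers": (0.4, 0.3, 0.2),
    "Database Servers": (1.0, 1.0, 1.0),
    "Web Servers": (0.8, 0.8, 0.9),
    "Application Software Licenses": (0.8, 0.7, 0.7),
    "Employees": (0.5, 0.7, 0.8),
}

# Weighted scores as printed in the worksheet, used for the consistency check.
REPORTED_SCORES: Dict[str, int] = {
    "Commercial Buildings": 41, "Financial Services": 78, "Computer Assets": 86,
    "IT Assets": 97, "Network Software and Hardware": 91, "Mail Servers": 30,
    "Database Servers": 100, "Web Servers": 83,
    "Application Software Licenses": 73, "Employees": 67,
}


def weighted_score(factors: Sequence[float], weights: Sequence[int] = WEIGHTS) -> float:
    """Return sum(weight_i * factor_i), rounded to one decimal place."""
    if len(factors) != len(weights):
        raise ValueError("one factor per criterion is required")
    if sum(weights) != 100:
        raise ValueError("criterion weights must sum to 100")
    if any(not 0.0 <= f <= 1.0 for f in factors):
        raise ValueError("impact factors must lie in 0.0-1.0")
    return round(sum(w * f for w, f in zip(weights, factors)), 1)


def rank_assets(assets: Dict[str, Tuple[float, float, float]] = ASSET_FACTORS,
                weights: Sequence[int] = WEIGHTS) -> List[Tuple[str, float]]:
    """Assets ordered from lowest to highest weighted score, as in the report."""
    scored = [(name, weighted_score(f, weights)) for name, f in assets.items()]
    return sorted(scored, key=lambda item: item[1])


def check_reported(assets: Dict[str, Tuple[float, float, float]] = ASSET_FACTORS,
                   reported: Dict[str, int] = REPORTED_SCORES,
                   weights: Sequence[int] = WEIGHTS) -> Dict[str, Tuple[float, int]]:
    """Map each asset whose printed score differs from the recomputed one to
    (computed, reported). An empty dict means the worksheet is consistent."""
    mismatches: Dict[str, Tuple[float, int]] = {}
    for name, factors in assets.items():
        computed = weighted_score(factors, weights)
        if abs(computed - reported[name]) > 1e-9:
            mismatches[name] = (computed, reported[name])
    return mismatches


if __name__ == "__main__":
    for name, score in rank_assets():
        print(f"{score:6.1f}  {name}")
    for name, (computed, printed) in check_reported().items():
        print(f"MISMATCH {name}: computed {computed}, worksheet says {printed}")
```

Run as-is, the check flags only Computer Assets (computed 82.0 against the printed 86), which is exactly the inconsistency noted under the worksheet; every other row recomputes to its printed value.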
Vulnerability Assessment Worksheet

Asset                          | Threat              | Possible Vulnerabilities
Commercial Buildings           | Vandalism           | Denial of service, spyware
Commercial Buildings           | Forces of Nature    | Fire, floods, earthquakes, severe storms
IT Assets                      | Human error         | Phishing, pretexting
IT Assets                      | Software attacks    | Malware
IT Assets                      | Technical failures  | Buffer overruns
Network Software and Hardware  | Sabotage            | Hacktivist, arson
Employees                      | Human error         | Information extortion
Employees                      | Natural hazards     | Fire, severe storms, floods
Computer Assets                | Technical failures  | Buffer overruns
Computer Assets                | Vandalism           | Defacement
Written Explanation
● Each threat and each vulnerability, and why we think they may cause harm to the organization.
  ○ Vandalism
    ■ Denial of Service: would hurt the availability of the company's services
    ■ Spyware: passwords, emails, usernames and more could be stolen
    ■ Defacement: the organization's image could be harmed
  ○ Forces of Nature
    ■ Fire, floods, earthquakes, severe storms: property damage could force an evacuation and cause
      loss of data, for example in server rooms that were damaged
  ○ Human error
    ■ Phishing: company information could be stolen because employees lack knowledge of phishing
      attacks
    ■ Pretexting: an attacker posing as a trusted party (a vendor, IT staff, an executive) could talk
      an employee into handing over information or access
  ○ Software attacks
    ■ Malware: could harm software, or take control of it and use it against the organization
  ○ Technical Failures
    ■ Buffer overruns: could crash a server and hurt the organization's availability
  ○ Sabotage
    ■ Hacktivist: could harm the company in order to gain public attention for a political cause
    ■ Arson: potential to destroy information and harm employees, and possibly to put the
      organization out of business given its size
  ○ Natural Hazards
    ■ Fire, severe storms, floods: potential to destroy information and harm employees, and possibly
      to put the organization out of business given its size
Acts of human error or failure can occur when employees cause an outage through configuration errors. In
addition, deliberate acts of vandalism or sabotage may leave the organization vulnerable to denial of
service attacks. All assets and information in the organization are vulnerable to extreme forces of nature
unless suitable measures are put in place. Deliberate software attacks can leave the company open to
malware and can even reveal sensitive information, while hardware may be subject to defacement.
2. Risk Assessment

Ranked Vulnerability Risk Worksheet

Asset                          | Asset Impact or Relative Value (V) | Vulnerability   | Likelihood (P) | Risk-Rating Factor (P × V)
Network Software and Hardware  | 91                                 | Hacktivist      | 0.5            | 45.5
Network Software and Hardware  | 91                                 | Buffer overrun  | 0.2            | 18.2
Computer Assets                | 86                                 | Buffer overrun  | 0.2            | 17.2
Computer Assets                | 86                                 | Defacement      | 0.3            | 25.8
IT Assets                      | 97                                 | Malware         | 0.5            | 48.5
IT Assets                      | 97                                 | Phishing        | 0.8            | 58.2

(Check: 0.8 × 97 = 77.6, not 58.2; the printed 58.2 corresponds to P = 0.6. Ordered by risk-rating
factor, the ranking is Phishing, Malware, Hacktivist, Defacement, Buffer overrun (network), Buffer
overrun (computer assets); Phishing ranks highest under either value.)
Written Explanation
● The likelihood specified for each vulnerability. Sometimes this can be found in statistical
  information about threats. In other cases, you will have to make an educated guess at the
  probability that the vulnerability will be exploited. In either case, justify the values that you
  specify.
  ○ The first asset, Network Software and Hardware, has two vulnerabilities. For the first, hacktivism,
    the likelihood specified in the worksheet is 0.5 (0.5 × 91 = 45.5). We chose this based on
    statistical information from a Bit9 survey of 2,000 information technology professionals, in which
    61% of respondents were concerned about their organization becoming the target of a hacktivist
    attack (Acohido). Further data from that survey and from online scholarly articles shows that as
    politically prominent global hacktivist groups such as Anonymous and LulzSec grow, the probability
    is much higher than in previous years.
  ○ The second vulnerability for the first asset, which is also the first for Computer Assets, is
    buffer overrun. Its likelihood is specified as 0.2, based on statistics found in articles on
    likely threats published in 2011.
  ○ The second vulnerability we chose for Computer Assets is defacement, specified as 0.3. There is not
    much published analysis of the probability of a defacement attack, so this was an educated guess:
    defacement is simple to do but not very common, so we chose 0.3, which gives a risk-rating factor
    of 25.8.
  ○ For the third asset, IT Assets, the vulnerabilities were specified as malware and phishing.
    Malware was given 0.5 because new attack tools appear rapidly and threats are increasing as a
    result. Phishing attacks are very common, as is well known in the industry and documented in many
    articles and reports from organizations, schools, etc., so its 0.8 was a well-educated guess.
    (Check: 0.8 × 97 = 77.6, whereas the worksheet prints 58.2, which corresponds to a likelihood of
    0.6; one of the two figures needs correcting. Phishing ranks highest under either value.)
  ○ A survey conducted in 2014 on types of attacks showed that malware infections have been
    increasing in recent years and thus cannot be overlooked (Jouini et al., 2014). Buffer overflows
    can occur inadvertently, while phishing and defacement have a higher likelihood of occurring.
    Computer systems have also been subject to malicious acts by hacktivists trying to push through
    their own agendas.

3. Risk Control
Cost Benefit Analysis Worksheet

Loss side:

Asset                          | Asset Value | Vulnerability | Exposure Factor (EF) | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annualized Loss Expectancy (ALE)
Network Software and Hardware  | $118,000    | Hacktivist    | 20%                  | $23,600                      | 0.25                                | $5,900
IT Assets                      | $95,000     | Phishing      | 25%                  | $23,750                      | 0.45                                | $10,687.50
Computer Assets                | $100,000    | Defacement    | 18%                  | $18,000                      | 0.25                                | $4,500

Control side:

Asset / Vulnerability                        | Control Strategy                          | ALE (post) | Annualized Cost of Control | Final CBA
Network Software and Hardware / Hacktivist   | Antivirus and network intrusion systems   | $2,500     | $430                       | $2,970
IT Assets / Phishing                         | Regularly change passwords                | $5,100     | $0                         | $5,587.50
Computer Assets / Defacement                 | Upgrading security systems                | $1,700     | $1,500                     | $1,300

SLE = Asset Value × EF; ALE = SLE × ARO; Final CBA = ALE (pre) − ALE (post) − Annualized Cost of Control.
All three rows recompute to the printed figures.
Written Explanation
● The Exposure Factor for each Asset/Vulnerability pair. This represents the percentage loss that
  would occur from a given vulnerability being exploited.
  ○ The organization would incur a 20% loss if hacktivists were to gain access to the systems and
    exploit them. In addition, the company could suffer a 25% loss if attackers successfully gained
    access to sensitive information about the software or to system passwords. Defacement of hardware
    equipment may also bring about an 18% loss to the company if adequate security measures are not
    put in place.
● The Annualized Rate of Occurrence for each vulnerability. This may be found through statistical
  information, or you may need to make an educated guess about how often to expect the
  vulnerability to be exploited.
  ○ Attempts by activists to gain illegal access to the information in game development companies
    occur 0.25 times per year, while phishing attempts occur more frequently, at 0.45 times per year.
    Cases of defacement through vandalism are also few and far between, occurring 0.25 times per year.
● The computation of ALE (post). This represents the Annualized Loss Expectancy after the control
  has been put into place. Since you have not implemented the control, you do not have this data.
  However, you can estimate it by considering how the Exposure Factor will be reduced by
  implementing the control. Please explain how you derived the value for ALE (post) for each
  vulnerability.
  ○ Once the control strategies have been put in place, the annualized loss expectancy from these
    vulnerabilities is bound to fall. The value of ALE (post) was derived by multiplying ALE (pre) by
    50%. (Check: 50% of the ALE (pre) figures gives $2,950, $5,343.75 and $2,250, whereas the
    worksheet prints $2,500, $5,100 and $1,700, reductions of roughly 58%, 52% and 62%; the stated
    rule and the printed values should be reconciled.) A more defensible estimate ties ALE (post) to
    the specific way each control lowers EF or ARO. For the phishing row in particular, regularly
    changing passwords does little against an attacker who has just captured the current password, so
    that reduction is optimistic unless the control also includes multi-factor authentication and user
    awareness training.
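The risk-rating figures of section 2 (P × V) and the SLE/ALE/CBA chain of this section can be checked the same way as the asset scores. The following Python is an added example, not part of the original report: it recomputes each worksheet row from the inputs above, ranks the vulnerabilities by computed rating, flags printed ratings that do not equal P × V, and for each control compares the ALE (post) the stated 50% rule would give with the reduction the printed ALE (post) actually implies. The dollar values, factors and rates are copied from the two worksheets; the dataclasses, function names and the implied-reduction check are ours.

```python
"""Risk rating and cost-benefit analysis, recomputed from the worksheet inputs.

Added example (not from the original report). Formulas used:
  risk rating = P * V
  SLE = asset value * EF,  ALE = SLE * ARO,
  CBA = ALE(pre) - ALE(post) - annualized cost of control
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class VulnRisk:
    """One row of the ranked vulnerability risk worksheet."""
    asset: str
    vulnerability: str
    value: float       # V: weighted asset score (0-100) from the asset worksheet
    likelihood: float  # P: probability the vulnerability is exploited, 0.0-1.0
    reported: float    # risk rating as printed in the worksheet

    def rating(self) -> float:
        """Risk rating = P * V, rounded to one decimal place."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must lie in 0.0-1.0")
        return round(self.likelihood * self.value, 1)


@dataclass
class ControlCase:
    """One row of the cost-benefit analysis worksheet (dollar amounts)."""
    asset: str
    vulnerability: str
    asset_value: float
    exposure_factor: float  # EF: fraction of asset value lost per incident
    aro: float              # ARO: expected incidents per year
    control: str
    ale_post: float         # ALE after the control, as printed in the worksheet
    control_cost: float     # annualized cost of the control (ACS)

    def sle(self) -> float:
        """Single loss expectancy = asset value * EF."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy = SLE * ARO."""
        return round(self.sle() * self.aro, 2)

    def cba(self) -> float:
        """CBA = ALE(pre) - ALE(post) - ACS; positive means the control pays for itself."""
        return round(self.ale() - self.ale_post - self.control_cost, 2)

    def implied_reduction(self) -> float:
        """Fraction by which the printed ALE(post) actually reduces ALE(pre)."""
        return 1.0 - self.ale_post / self.ale()


# Inputs copied from the two worksheets above.
RISKS: List[VulnRisk] = [
    VulnRisk("Network Software and Hardware", "Hacktivist", 91, 0.5, 45.5),
    VulnRisk("Network Software and Hardware", "Buffer overrun", 91, 0.2, 18.2),
    VulnRisk("Computer Assets", "Buffer overrun", 86, 0.2, 17.2),
    VulnRisk("Computer Assets", "Defacement", 86, 0.3, 25.8),
    VulnRisk("IT Assets", "Malware", 97, 0.5, 48.5),
    VulnRisk("IT Assets", "Phishing", 97, 0.8, 58.2),
]

CONTROLS: List[ControlCase] = [
    ControlCase("Network Software and Hardware", "Hacktivist", 118_000, 0.20, 0.25,
                "Antivirus and network intrusion systems", 2_500, 430),
    ControlCase("IT Assets", "Phishing", 95_000, 0.25, 0.45,
                "Regularly change passwords", 5_100, 0),
    ControlCase("Computer Assets", "Defacement", 100_000, 0.18, 0.25,
                "Upgrading security systems", 1_700, 1_500),
]


def ranked_risks(risks: List[VulnRisk] = RISKS) -> List[Tuple[str, str, float]]:
    """(asset, vulnerability, rating) from highest to lowest computed rating."""
    rows = [(r.asset, r.vulnerability, r.rating()) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def rating_mismatches(risks: List[VulnRisk] = RISKS) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Rows whose printed rating is not P * V, keyed by (asset, vulnerability)."""
    return {(r.asset, r.vulnerability): (r.rating(), r.reported)
            for r in risks if abs(r.rating() - r.reported) > 0.05}


def ale_post_at_reduction(case: ControlCase, fraction: float) -> float:
    """ALE(post) if the control cut ALE(pre) by `fraction` (0.5 for the stated 50% rule)."""
    return round(case.ale() * (1.0 - fraction), 2)


def justified_controls(controls: List[ControlCase] = CONTROLS) -> List[Tuple[str, float]]:
    """Controls with a positive CBA, best first."""
    rows = [(c.control, c.cba()) for c in controls if c.cba() > 0]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for asset, vuln, rating in ranked_risks():
        print(f"{rating:5.1f}  {asset}: {vuln}")
    for (asset, vuln), (computed, printed) in rating_mismatches().items():
        print(f"MISMATCH {asset}/{vuln}: P*V = {computed}, worksheet says {printed}")
    for case in CONTROLS:
        print(f"{case.control}: SLE ${case.sle():,.2f}, ALE ${case.ale():,.2f}, "
              f"CBA ${case.cba():,.2f}; printed ALE(post) implies a "
              f"{case.implied_reduction():.0%} cut, the 50% rule would give "
              f"${ale_post_at_reduction(case, 0.5):,.2f}")
```

ALE (post) is kept as an input rather than derived from the 50% rule on purpose: that way the script exposes the gap between the stated rule and the printed figures instead of silently regenerating one from the other. On the worksheet data it flags the phishing rating (P × V = 77.6 against the printed 58.2), confirms all three CBA figures, and shows that every printed ALE (post) is below the 50%-rule value.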
References
Acohido, B. "Hacktivist Attacks Grow, Get Political." USA Today. EBSCOhost,
uri.idm.oclc.org/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=J0E021369519112&site=ehost-live&scope=site.
Accessed 18 Oct. 2018.
Jones, J., & Shashidhar, N. (2017). Ransomware Analysis and Defense: WannaCry and the Win32 environment.
International Journal of Information Security Science, 6(4), 57–69. Available at: . Accessed 18 Oct. 2018.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in information
systems. Procedia Computer Science, 32, 489–496.