SlideShare ist ein Scribd-Unternehmen logo

86_IJAR-6956

K
Kumari Ankita
1 von 3
Downloaden Sie, um offline zu lesen
ISSN 2320-5407 International Journal of Advanced Research (2015), Volume 3, Issue 8, 1280 – 1282 1280 Journal homepage:http://www.journalijar.com INTERNATIONAL JOURNAL OF ADVANCED RESEARCH RESEARCH ARTICLE Risk Assessment & Mitigation for Interactive Voice Response System Kumari Ankita, Mohini Mehta, Dr. Priti Puri Symbiosis Centre for Information Technology, Hinjewadi, Phase-1Pune – 411057, Maharashtra, India Manuscript Info Abstract Manuscript History: Received: 22 May 2015 Final Accepted: 25 July 2015 Published Online: August 2015 Key words: Risk, Vulnerability, IVR, Threat, Security, Confidentiality *Corresponding Author Kumari Ankita In the today’s computer world, information is just a telephone call away. In this paper, we have tried to identify vulnerabilities, risks, their corresponding likelihood related to Interactive Voice Response (IVR) and their impact on the given organization. We also tried to suggest few control methods in order to mitigate those risks. Copy Right, IJAR, 2015,. All rights reserved INTRODUCTION Interactive voice response (IVR) systems are the systems by which people may link with computer databases in an robotic manner, via voice or touch-tone phones. These IVR systems handles confidential data such as credit card numbers, user PIN information, and other personally identifiable information (PII). In order to do the risk and vulnerability assessment, the most important task is to identify critical assets, risk, vulnerabilities and threats related to IVR system especially for voice recognition.Vulnerability of any system is the weakness/flaw in that particular system,and threat is exploitation of that vulnerability by threat source. At the same time,risk is the probability of occurring that threat and impact is the loss happened by that incident to the organization. Risks &Vulnerabilities Assessment for Interactive Voice Response system We have considered the Risk assessment Matrix given by NIST 800-30. Some initial Vulnerabilities for IVR based on our findings and some others are from literature, also mentioned in the table. We have also tried to provide some mitigation controls for all the vulnerabilities mentioned. Impact rating is given-High-h, Moderate-M and Low-L Table 1: Vulnerability, Threat & Risk Summary for Interactive Voice Response (IVR)s Vulnerability Threat Risk Summary Impact Rating Mitigation Techniques Improper system configuration e.g.- if the requirement of Windows+MySQL & configurationused is Windows+SQLServer. Denial of Service. Loss of Availability H Proper Checks & validation points at the time of development, senior technical team also check the system requirements Platform dependency, variation in Loss of H IVR system should be platform independent
ISSN 2320-5407 International Journal of Advanced Research (2015), Volume 3, Issue 8, 1280 – 1282 1281 e.g. whether deployed on Linux or Windows, they are not giving same result. output Confidentiality Proper Checking and matching the platforms then start operating Loss of pre-existing functionality due to enhancement Functionality Manipulation Loss of important customers data M Agile approach should be considered for future additional functions Improper Voice Recognition Engine system crash Damage important data H Proper audits, inspections and periodic checking for engines Mismatch between Voice Recognition Engine &Voice Packs versions System cannot recognize particular voice packs Improper functioning M Proper employee training, compatibility check for voice recognition engine & voice pack versions Generation of personal information in log files(credit cards,PII) information theft Compromises integrity & confidentiality M User id, Account Number and password should be confidential, use encryption mechanism to encrypt data in logs. Proper log monitoring and backup is required Telephone related vulnerability (Hossein Bidgoli, 2006) Malicious use by unauthorized user customers data loss M Proper employee training should be given Session Initiation Protocol (SIP) system is vulnerable to general IP and VoIP attack(Mark Collier ,2005) Unauthorized access Confidentiality loss/data theft H 24/7 monitoring should be done and logs should be maintained . Use SIP optimized firewalls, which help to use the standards-based security and provide the best possible protection. (Mark Collier ,2005) Stolen credentials (Thorsten Holz, Herbert Bos,2011) Unauthorized access Compromises confidentiality M Proper information should be send to corresponding department to stop that credentials used, allow new credentials, proper training to employees Poor disaster recovery (Avaya Inc™,2003) Unavailability of IT infrastructure/data. Data loss/business loss H Proper Disaster recovery planning and Business continuity planning should be there Weak password protection (Thorsten Holz, Herbert Bos,2011)1 Poor authorization Compromises confidentiality H Proper training to employees, strong password policies ,alphanumeric ,special characters should be mandatory ,password renewal after regular time interval should be done Ineffective access controls (Thorsten Holz, Herbert Bos,2011)5 Unauthorized access Integrity loss , loss of confidentiality M Role based access control, biometric should be for employees Improper handling of Calling cards(Hossein Bidgoli, 2006) Hackers can easily break password loss of confidentiality H Strong password, proper employee training, audits Improper Voice mail system Thorsten Holz, Herbert Bos(2011) hackers might enter into a system Due to poor credentials, hackers might be easily enter into a system, confidentiality loss H Proper User access control, role based access control
ISSN 2320-5407 International Journal of Advanced Research (2015), Volume 3, Issue 8, 1280 – 1282 1282 Conclusion: In the present era of information technology, it can be possible that human and system interaction at each and every step using Voice Recognition Methodology. As far as security is concerned, no such systems can be entirely free from the risk of unauthorized use. However, it is possible that by diligent attention to system management and to security can reduce that risk considerably. In this paper we have tried to find out some vulnerabilities and provide risk assessment. Here we have also tried to mitigate those risks by providing some control techniques. References: Avaya Inc™ (2003): Avaya Interactive Voice Response Security. Hossein Bidgoli(2006): Handbook of Information Security, Threats, Vulnerabilities, Prevention. Ruishan Zhang , Xinyuan Wang , Ryan Farley , Xiaohui Yang , Xuxian Jiang (2009):On the Feasibility of Launching the Man-In-The-Middle Attacks on VoIP from Remote Attackers David Persky (2007): SANS Institute InfoSec Reading Room- VoIP Security Vulnerabilities Mark Collier (2005): Basic Vulnerability Issues for SIP Security Foundstone, A Division of McAf ee ( 2014-2015)Interactive Voice Response (IVR) Assessment man-in-the-middle telephone attacks, “Voice phishing or vishing (Ruishan Zhang , Xinyuan Wang , Ryan Farley , Xiaohui Yang , Xuxian Jiang ,2009) unauthorized access Financial loss and loss of important customers data H Customer database should be maintained and Sound verification of authentic customer should be done. Data should be stored encrypted wherever possible to avoid Man in the middle attack Sensitive Information Disclosure issues such as Internal IP Revealed (Foundstone,2014- 2015) Internal unaware or frustated employees Confidentiality loss, availability loss M Internal IP should be used by role based approach, only authentic and authorized people should allow to use and monitoring is required, audits & validations, employee trainings Source code disclosure (Foundstone,2014- 2015) Unauthorized access Integrity loss H Encrypted and secure source code implementation is required Application Logic Bypass vulnerabilities (Foundstone,2014- 2015) accidentally done by unaware employee Improper results M Checkpoints at various position in application, proper validation and employee awareness Input Validation vulnerabilities (Foundstone,2014- 2015) Misused by hacker Unauthorized access unavailability M Proper input validations,24/7 monitoring of logs Brute Force attacks (Foundstone,2014- 2015) Misused by hacker Unauthorized access unavailability M Network monitoring 24/7,latest firewalls in place ,logs maintenance DOS attack s (Foundstone,2014- 2015) Done by hacker unavailability M Backup pocilies,24/7 monitoring of logs and proper logs maintenance

Empfohlen

Deterring hacking strategies via
Deterring hacking strategies viaDeterring hacking strategies via
Deterring hacking strategies viaIJNSA Journal
 
Augment Method for Intrusion Detection around KDD Cup 99 Dataset
Augment Method for Intrusion Detection around KDD Cup 99 DatasetAugment Method for Intrusion Detection around KDD Cup 99 Dataset
Augment Method for Intrusion Detection around KDD Cup 99 DatasetIRJET Journal
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringaizazhussain234
 
Cyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureCyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureMohit Rampal
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
50320130403001 2-3
50320130403001 2-350320130403001 2-3
50320130403001 2-3IAEME Publication
 
IT Security and Management - Security Policies
IT Security and Management - Security PoliciesIT Security and Management - Security Policies
IT Security and Management - Security PoliciesMark John Lado, MIT
 
Pramod Yadav_Security Operations Center Manager
Pramod Yadav_Security Operations Center ManagerPramod Yadav_Security Operations Center Manager
Pramod Yadav_Security Operations Center ManagerPramod Yadav
 

Empfohlen

Deterring hacking strategies via
Deterring hacking strategies viaDeterring hacking strategies via
Deterring hacking strategies viaIJNSA Journal
 
Augment Method for Intrusion Detection around KDD Cup 99 Dataset
Augment Method for Intrusion Detection around KDD Cup 99 DatasetAugment Method for Intrusion Detection around KDD Cup 99 Dataset
Augment Method for Intrusion Detection around KDD Cup 99 DatasetIRJET Journal
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringaizazhussain234
 
Cyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureCyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureMohit Rampal
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
50320130403001 2-3
50320130403001 2-350320130403001 2-3
50320130403001 2-3IAEME Publication
 
IT Security and Management - Security Policies
IT Security and Management - Security PoliciesIT Security and Management - Security Policies
IT Security and Management - Security PoliciesMark John Lado, MIT
 
Pramod Yadav_Security Operations Center Manager
Pramod Yadav_Security Operations Center ManagerPramod Yadav_Security Operations Center Manager
Pramod Yadav_Security Operations Center ManagerPramod Yadav
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsIRJET Journal
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comamaranthbeg55
 
AUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWAUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWcscpconf
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comPrescottLunt386
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanannewbie2019
 
Survey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetSurvey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetijctet
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216William Linder
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...researchinventy
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patchingphanleson
 
Sample penetration testing agreement for core infrastructure
Sample penetration testing agreement for core infrastructureSample penetration testing agreement for core infrastructure
Sample penetration testing agreement for core infrastructureDavid Sweigert
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1Nutan Kumar Panda
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue TeamEC-Council
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Rafal Los
 
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network IJECEIAES
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
Healthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemHealthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemCheapSSLsecurity
 
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy LogicCurrent Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logicijdpsjournal
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
82e GOCC wo 2 dec Indoor Soccer Centre
82e GOCC wo 2 dec Indoor Soccer Centre82e GOCC wo 2 dec Indoor Soccer Centre
82e GOCC wo 2 dec Indoor Soccer CentreWerkgevers Servicepunt (WSP) Drenthe
 
85499254 ee
85499254 ee85499254 ee
85499254 eehomeworkping3
 
870 240 qnbfs_daily_marketreportjan022013
870 240 qnbfs_daily_marketreportjan022013870 240 qnbfs_daily_marketreportjan022013
870 240 qnbfs_daily_marketreportjan022013QNB Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsIRJET Journal
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comamaranthbeg55
 
AUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWAUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWcscpconf
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comPrescottLunt386
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanannewbie2019
 
Survey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetSurvey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetijctet
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216William Linder
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...researchinventy
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patchingphanleson
 
Sample penetration testing agreement for core infrastructure
Sample penetration testing agreement for core infrastructureSample penetration testing agreement for core infrastructure
Sample penetration testing agreement for core infrastructureDavid Sweigert
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue TeamEC-Council
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Rafal Los
 
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network IJECEIAES
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
Healthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemHealthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemCheapSSLsecurity
 
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy LogicCurrent Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logicijdpsjournal
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 

Was ist angesagt? (19)

An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection Systems
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.com
 
AUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWAUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEW
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.com
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
 
Survey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manetSurvey of apt and other attacks with reliable security schemes in manet
Survey of apt and other attacks with reliable security schemes in manet
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patching
 
Sample penetration testing agreement for core infrastructure
Sample penetration testing agreement for core infrastructureSample penetration testing agreement for core infrastructure
Sample penetration testing agreement for core infrastructure
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue Team
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."
 
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
Healthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemHealthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend Them
 
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy LogicCurrent Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 

Andere mochten auch

870 240 qnbfs_daily_marketreportjan022013
870 240 qnbfs_daily_marketreportjan022013870 240 qnbfs_daily_marketreportjan022013
870 240 qnbfs_daily_marketreportjan022013QNB Group
 
84984907 case-analysis-final
84984907 case-analysis-final84984907 case-analysis-final
84984907 case-analysis-finalhomeworkping3
 
88 regione marche nota 12 febbraio 2013 - criticità attività medico competente
88 regione marche nota 12 febbraio 2013 - criticità attività medico competente88 regione marche nota 12 febbraio 2013 - criticità attività medico competente
88 regione marche nota 12 febbraio 2013 - criticità attività medico competentehttp://www.studioingvolpi.it
 
85575963 erd
85575963 erd85575963 erd
85575963 erdroohihoor
 

Andere mochten auch (8)

82e GOCC wo 2 dec Indoor Soccer Centre
82e GOCC wo 2 dec Indoor Soccer Centre82e GOCC wo 2 dec Indoor Soccer Centre
82e GOCC wo 2 dec Indoor Soccer Centre
 
85499254 ee
85499254 ee85499254 ee
85499254 ee
 
870 240 qnbfs_daily_marketreportjan022013
870 240 qnbfs_daily_marketreportjan022013870 240 qnbfs_daily_marketreportjan022013
870 240 qnbfs_daily_marketreportjan022013
 
84984907 case-analysis-final
84984907 case-analysis-final84984907 case-analysis-final
84984907 case-analysis-final
 
854 - Colombia
854 - Colombia854 - Colombia
854 - Colombia
 
88 regione marche nota 12 febbraio 2013 - criticità attività medico competente
88 regione marche nota 12 febbraio 2013 - criticità attività medico competente88 regione marche nota 12 febbraio 2013 - criticità attività medico competente
88 regione marche nota 12 febbraio 2013 - criticità attività medico competente
 
84654 led touch controller
84654 led touch controller84654 led touch controller
84654 led touch controller
 
85575963 erd
85575963 erd85575963 erd
85575963 erd
 

Ähnlich wie 86_IJAR-6956

Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Jorge Orchilles
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
 
RequirementQuestionExamine (see below) your classmates propos.docx
RequirementQuestionExamine (see below) your classmates propos.docxRequirementQuestionExamine (see below) your classmates propos.docx
RequirementQuestionExamine (see below) your classmates propos.docxaudeleypearl
 
Computer security priciple and practice
Computer security priciple and practiceComputer security priciple and practice
Computer security priciple and practiceYUSRA FERNANDO
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical SecurityJorge Sebastiao
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data LeakagePatty Buckley
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersMarc Vael
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber securityInderjeet Singh
 
Security of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxSecurity of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxMohanPandey31
 
ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...
ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...
ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...Shanmuganathan C
 
ch01_overview_nemo.ppt
ch01_overview_nemo.pptch01_overview_nemo.ppt
ch01_overview_nemo.pptvikasVEVO
 
ch01_overview_nemo.ppt
ch01_overview_nemo.pptch01_overview_nemo.ppt
ch01_overview_nemo.pptssuser6602e0
 

Ähnlich wie 86_IJAR-6956 (20)

Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
 
WPCCS 16 Presentation
WPCCS 16 PresentationWPCCS 16 Presentation
WPCCS 16 Presentation
 
RequirementQuestionExamine (see below) your classmates propos.docx
RequirementQuestionExamine (see below) your classmates propos.docxRequirementQuestionExamine (see below) your classmates propos.docx
RequirementQuestionExamine (see below) your classmates propos.docx
 
ch01.ppt
ch01.pptch01.ppt
ch01.ppt
 
Computer security priciple and practice
Computer security priciple and practiceComputer security priciple and practice
Computer security priciple and practice
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical Security
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholders
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber security
 
Security of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxSecurity of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptx
 
ch01_overview_nemo.ppt
ch01_overview_nemo.pptch01_overview_nemo.ppt
ch01_overview_nemo.ppt
 
ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...
ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...
ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overview_nemo (1)ch01_overvi...
 
ch01_overview_nemo.ppt
ch01_overview_nemo.pptch01_overview_nemo.ppt
ch01_overview_nemo.ppt
 
ch01_overview.ppt
ch01_overview.pptch01_overview.ppt
ch01_overview.ppt
 
ch01_overview.ppt
ch01_overview.pptch01_overview.ppt
ch01_overview.ppt
 
Ch01 overview nemo
Ch01 overview nemoCh01 overview nemo
Ch01 overview nemo
 
ch01_overview_nemo.ppt
ch01_overview_nemo.pptch01_overview_nemo.ppt
ch01_overview_nemo.ppt
 
Presentación AMIB Los Cabos
Presentación AMIB Los CabosPresentación AMIB Los Cabos
Presentación AMIB Los Cabos
 
Esguf Profile Short V34
Esguf Profile Short V34Esguf Profile Short V34
Esguf Profile Short V34
 

86_IJAR-6956

  • 1. ISSN 2320-5407 International Journal of Advanced Research (2015), Volume 3, Issue 8, 1280 – 1282 1280 Journal homepage:http://www.journalijar.com INTERNATIONAL JOURNAL OF ADVANCED RESEARCH RESEARCH ARTICLE Risk Assessment & Mitigation for Interactive Voice Response System Kumari Ankita, Mohini Mehta, Dr. Priti Puri Symbiosis Centre for Information Technology, Hinjewadi, Phase-1Pune – 411057, Maharashtra, India Manuscript Info Abstract Manuscript History: Received: 22 May 2015 Final Accepted: 25 July 2015 Published Online: August 2015 Key words: Risk, Vulnerability, IVR, Threat, Security, Confidentiality *Corresponding Author Kumari Ankita In the today’s computer world, information is just a telephone call away. In this paper, we have tried to identify vulnerabilities, risks, their corresponding likelihood related to Interactive Voice Response (IVR) and their impact on the given organization. We also tried to suggest few control methods in order to mitigate those risks. Copy Right, IJAR, 2015,. All rights reserved INTRODUCTION Interactive voice response (IVR) systems are the systems by which people may link with computer databases in an robotic manner, via voice or touch-tone phones. These IVR systems handles confidential data such as credit card numbers, user PIN information, and other personally identifiable information (PII). In order to do the risk and vulnerability assessment, the most important task is to identify critical assets, risk, vulnerabilities and threats related to IVR system especially for voice recognition.Vulnerability of any system is the weakness/flaw in that particular system,and threat is exploitation of that vulnerability by threat source. At the same time,risk is the probability of occurring that threat and impact is the loss happened by that incident to the organization. Risks &Vulnerabilities Assessment for Interactive Voice Response system We have considered the Risk assessment Matrix given by NIST 800-30. Some initial Vulnerabilities for IVR based on our findings and some others are from literature, also mentioned in the table. We have also tried to provide some mitigation controls for all the vulnerabilities mentioned. Impact rating is given-High-h, Moderate-M and Low-L Table 1: Vulnerability, Threat & Risk Summary for Interactive Voice Response (IVR)s Vulnerability Threat Risk Summary Impact Rating Mitigation Techniques Improper system configuration e.g.- if the requirement of Windows+MySQL & configurationused is Windows+SQLServer. Denial of Service. Loss of Availability H Proper Checks & validation points at the time of development, senior technical team also check the system requirements Platform dependency, variation in Loss of H IVR system should be platform independent
  • 2. ISSN 2320-5407 International Journal of Advanced Research (2015), Volume 3, Issue 8, 1280 – 1282 1281 e.g. whether deployed on Linux or Windows, they are not giving same result. output Confidentiality Proper Checking and matching the platforms then start operating Loss of pre-existing functionality due to enhancement Functionality Manipulation Loss of important customers data M Agile approach should be considered for future additional functions Improper Voice Recognition Engine system crash Damage important data H Proper audits, inspections and periodic checking for engines Mismatch between Voice Recognition Engine &Voice Packs versions System cannot recognize particular voice packs Improper functioning M Proper employee training, compatibility check for voice recognition engine & voice pack versions Generation of personal information in log files(credit cards,PII) information theft Compromises integrity & confidentiality M User id, Account Number and password should be confidential, use encryption mechanism to encrypt data in logs. Proper log monitoring and backup is required Telephone related vulnerability (Hossein Bidgoli, 2006) Malicious use by unauthorized user customers data loss M Proper employee training should be given Session Initiation Protocol (SIP) system is vulnerable to general IP and VoIP attack(Mark Collier ,2005) Unauthorized access Confidentiality loss/data theft H 24/7 monitoring should be done and logs should be maintained . Use SIP optimized firewalls, which help to use the standards-based security and provide the best possible protection. (Mark Collier ,2005) Stolen credentials (Thorsten Holz, Herbert Bos,2011) Unauthorized access Compromises confidentiality M Proper information should be send to corresponding department to stop that credentials used, allow new credentials, proper training to employees Poor disaster recovery (Avaya Inc™,2003) Unavailability of IT infrastructure/data. Data loss/business loss H Proper Disaster recovery planning and Business continuity planning should be there Weak password protection (Thorsten Holz, Herbert Bos,2011)1 Poor authorization Compromises confidentiality H Proper training to employees, strong password policies ,alphanumeric ,special characters should be mandatory ,password renewal after regular time interval should be done Ineffective access controls (Thorsten Holz, Herbert Bos,2011)5 Unauthorized access Integrity loss , loss of confidentiality M Role based access control, biometric should be for employees Improper handling of Calling cards(Hossein Bidgoli, 2006) Hackers can easily break password loss of confidentiality H Strong password, proper employee training, audits Improper Voice mail system Thorsten Holz, Herbert Bos(2011) hackers might enter into a system Due to poor credentials, hackers might be easily enter into a system, confidentiality loss H Proper User access control, role based access control
  • 3. ISSN 2320-5407 International Journal of Advanced Research (2015), Volume 3, Issue 8, 1280 – 1282 1282 Conclusion: In the present era of information technology, it can be possible that human and system interaction at each and every step using Voice Recognition Methodology. As far as security is concerned, no such systems can be entirely free from the risk of unauthorized use. However, it is possible that by diligent attention to system management and to security can reduce that risk considerably. In this paper we have tried to find out some vulnerabilities and provide risk assessment. Here we have also tried to mitigate those risks by providing some control techniques. References: Avaya Inc™ (2003): Avaya Interactive Voice Response Security. Hossein Bidgoli(2006): Handbook of Information Security, Threats, Vulnerabilities, Prevention. Ruishan Zhang , Xinyuan Wang , Ryan Farley , Xiaohui Yang , Xuxian Jiang (2009):On the Feasibility of Launching the Man-In-The-Middle Attacks on VoIP from Remote Attackers David Persky (2007): SANS Institute InfoSec Reading Room- VoIP Security Vulnerabilities Mark Collier (2005): Basic Vulnerability Issues for SIP Security Foundstone, A Division of McAf ee ( 2014-2015)Interactive Voice Response (IVR) Assessment man-in-the-middle telephone attacks, “Voice phishing or vishing (Ruishan Zhang , Xinyuan Wang , Ryan Farley , Xiaohui Yang , Xuxian Jiang ,2009) unauthorized access Financial loss and loss of important customers data H Customer database should be maintained and Sound verification of authentic customer should be done. Data should be stored encrypted wherever possible to avoid Man in the middle attack Sensitive Information Disclosure issues such as Internal IP Revealed (Foundstone,2014- 2015) Internal unaware or frustated employees Confidentiality loss, availability loss M Internal IP should be used by role based approach, only authentic and authorized people should allow to use and monitoring is required, audits & validations, employee trainings Source code disclosure (Foundstone,2014- 2015) Unauthorized access Integrity loss H Encrypted and secure source code implementation is required Application Logic Bypass vulnerabilities (Foundstone,2014- 2015) accidentally done by unaware employee Improper results M Checkpoints at various position in application, proper validation and employee awareness Input Validation vulnerabilities (Foundstone,2014- 2015) Misused by hacker Unauthorized access unavailability M Proper input validations,24/7 monitoring of logs Brute Force attacks (Foundstone,2014- 2015) Misused by hacker Unauthorized access unavailability M Network monitoring 24/7,latest firewalls in place ,logs maintenance DOS attack s (Foundstone,2014- 2015) Done by hacker unavailability M Backup pocilies,24/7 monitoring of logs and proper logs maintenance