Resource: Risk and Threat Assessment from Week One

Write a 1,750- to 2,100-word paper in which you apply the concepts of organizational behavior and management in designing an organizational security p

Running head: RISK AND THREAT ASSESSMENT UNITED STATES NAVY


Risk and Threat Assessment United States Navy

Jeremia Hall

SEC/481

December 3, 2018

George Jabra

Risk and Threat Assessment

A risk assessment is used to identify potential threats and analyze the impact the damage could have in the event a threat occurred. The information from the assessment is then used to make informed decisions on what actions must be taken to mitigate the threats and reduce the probability of any adverse actions. The United States Navy is an organization that prides itself on defending the country through the deep oceans and leans on the motto a “Global Force for Good”. The Navy can only conduct these types of operations through a sound security structure that is predicated on the belief that the hierarchy, from the most senior sailor to the most junior sailor, maintains the necessary integrity.

Organizational Overview

The US Navy, which was founded by Congress in 1775, has grown into a global power, leading the way through cutting-edge and emerging technology in sea power and cyber operations. The Navy is comprised of more than 300,000 sailors and thousands of government workers, along with a handful of contracted companies that employ thousands of people globally. Being a global organization brings with it a varying degree of sophisticated threats from every corner of the continental United States and from every foreign operating base and port where personnel are deployed or stationed. It is the mission of the Navy to show a mighty force through sea, air, land and space missions to ensure the mission is being accomplished. Accompanying all of these missions are a plethora of high-level information systems and information that is processed at the highest level. The Navy must ensure that the integrity of these missions is maintained and has created different departments to help maintain the security of intelligence, communications, information, and physical security.

Possible Threats

Cyber-attacks are the number one emerging threat to the Navy; the threat has continued to grow rapidly over the last decade and has subsequently become one of the Navy’s top priorities. Admiral Johnson said, “The threats reach well beyond what you would consider a traditional computer or information technology network into the control systems, and indeed almost every aspect of our lives and of our Navy mission”. The Navy has to rely on its security team of cyber specialists and information technology specialists to mitigate the attacks on the networks used. However, the security is only as good as the weakest link. In June of this year, NBCNEWS (2018) reported, “Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines” (par. 1). These types of breaches are predicated on an employee clicking on a phishing link, which results in malicious software being uploaded to servers with the ability to steal classified information.

For a malicious activity like hacking to take place, the following steps must be accomplished. First, the cyber-criminal will look for an entry point into the system and then into the network. Next, the hacker is going to look for the most vulnerable spot on the network and identify where the most damage could occur with a minimal amount of effort. Additionally, the hacker will want to configure a workstation within the organization that can be used for the malicious activity, then exploit it and destroy it and any other hardware. According to Rouse (2016), “the amount of damage that malicious insider threat actor can inflict is incalculable”.

Due to the Navy being comprised of more than 300,000 sailors and thousands of civilian personnel, the second biggest threat to the Navy is an insider threat. An insider threat is an individual inside or outside the company that poses as an employee and is granted access that may cause harm to their organization. There is no blanket definition of what defines an insider threat, as they come from different walks of life; however, they should be taken very seriously. Since the Navy does have a major footprint in the cyber community and has a plethora of ethical hackers, it is not complicated for them to maliciously harm the Navy. This includes employees that may be disgruntled and want to expose the secrets of the organization, or an ex-sailor that was separated from the military for other than honorable reasons. Apart from the personnel, information is the most vital asset that the Navy has, and there is always someone looking to receive excessive amounts of greenbacks for it (terrorists, foreign governments, etc.). Most of the information the Navy works with daily ranges from unclassified for official use only all the way to top secret information. There is no real way to assign a value to the data as it is intangible. It is best to value the potential loss in missions being compromised along with systems development.

Another threat the Navy is faced with is the possibility of an active shooter at one of its facilities. According to the Alice Training Institute (n.d.), “an active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area”. The Navy does not only employ sailors and civilians but also has contracts with various companies such as BAE, Leidos, Khaki, etc. The Navy does not have oversight, such as background investigations, of employees that are contracted through these companies. For example, in 2013 there was an active shooter who had access to the building but was a sub-contractor that worked on the printers. The Navy didn’t know that he had mental problems that eventually led to the death of 12 personnel inside BLDG 197 in the Washington District Yard. Most active shooter situations are unpredictable, develop quickly, and end in a short period of time. It is important for employees to be able to recognize signs of escalation in employees, or personnel that may seem out of place, and report it.

The Navy takes an active approach to help prepare all commands for an active shooter situation, to include training all employees. The Navy requires that all commands afloat or ashore conduct active shooter drills, complete computer-based training, and have graded annual assessments on the drill. This ensures that all personnel understand what actions to take during an active shooter event and are able to notice signs of a possible incident. According to Alice Training (2014), “workplace violence is the 2nd leading cause of on-the-job fatalities, behind automobiles, businesses and government facilities are the most common location for active shooter attacks” (par. 1). It is prudent that employees are aware of the proper procedures that have been created by the security team.

Vulnerabilities

Some of the vulnerabilities that the Navy faces are unauthorized access to naval bases, ships, secured access areas, information systems infrastructure, etc. With these different vulnerabilities, any individual that has access to these types of areas is able to gain access to systems and classified information and exploit what they feel is necessary to their mission. From there they are able to sell the information gained to organizations that are looking to cause severe damage to the Navy (i.e. terrorist groups and cybercriminals). The risk of this taking place is very high, especially with the number of personnel employed by the Navy from all different walks of life and backgrounds. An employee that has become disgruntled over time may want to hurt the Navy and will do everything in their power to ensure that it happens. Others may have a change of heart on the job they are doing, especially in the intelligence community, and feel it is their duty to get the information out, for example, Snowden and Winter’s cases over the last few years.

Strengths

The Navy has a good security goal: to protect the organization from internal and external threats, with the ultimate goal of protecting critical assets. It has implemented Information Security, Personnel Security and Physical Security programs that regulate how each command will address its security posture on a daily basis. The policies establish the baseline standards but leave the commanding officer with the authority to impose more stringent requirements where the situation may warrant (SECNAV M5510.36, 2006). At a minimum, all programs are reviewed on an annual basis, along with conducting drills that must be accounted for to ensure that all employees are getting the necessary training. When dealing with hundreds of thousands of people, all personnel such as contractors, consultants, and outsourced personnel must be viewed as a potential risk. The following methods are some tactics used to help reduce the risk of a potential threat: all employees that have access to classified information must sign a nondisclosure agreement; all personnel must have an investigation completed to the level dependent on clearance, with a background check that can range from a NACLC to an SSBI; all personnel will encrypt emails and digitally sign them and should limit printing emails with sensitive information; when conducting backup procedures, access will be limited to specific personnel; and thumb drives are restricted from being placed into computers.

Additionally, the Navy has a standard for buildings that house sensitive information. For example, a Sensitive Compartmented Information Facility (SCIF) that is used to process up to Top Secret information is required to go through an initial certification process that consists of a TEMPEST inspection, which measures the emanations that may be coming from inside the space and that can be used to construct intelligible data (Rouse, 2018). All SCIFs shall be outfitted with Intrusion Detection Systems that are independent of any servers that may become compromised and that send an alarm to the local and regional dispatch centers. Lastly, all personnel that are cleared to come into the space are on a security access list and are issued specific badges to display the clearance level read into. SCIFs and sensitive spaces must be protected from anyone and anything, such as emissions, coming in or out that may compromise information systems and classified material.

Crime and Criminology Assessment

Due to the limited areas where it can place naval bases throughout the US, the Navy does not have its bases located in places that are known for low crime rates. Three major naval bases within the continental US, Norfolk, San Diego and Everett, all have high crime rates. Out of the three bases, Naval Station Everett has the highest crime rate, but this does not pose a major threat to the base itself. However, the personnel who do live in Everett are subject to the crime that takes place. According to AreaVibes (n.d.), “it is 97% higher than the national average when it comes to violent crimes and 110% higher than the national average when it comes to property crimes”. Everett is relatively low for foreign tourists; however, since it is close to Russia and Canada, there can be a presence of spies in the area. The military bases have strict policies and procedures that are required to gain access to the base, as well as badging systems for sensitive areas. All visitors are required to undergo a basic background check with their state I.D. prior to entry into the base to ensure there is no criminal activity on their record. The processes that are in place help ensure the safety of personnel as well as the warships at the base. Even with these access controls in place, they do not prevent insider threats or active shooter situations, which can still occur inside of the workplace by personnel who have access.

Global Issue

The Navy is an organization that is stationed and deployed worldwide and faces many threats to its assets such as personnel, ships, aircraft, and bases. The top two enemies the Navy faces are cybercriminals from foreign governments as well as terrorist attacks. The attack on the USS COLE in Yemen forever changed the way the US Navy pulled in and out of ports. More watches were put into effect, as well as roaming security in and out of the water, to help thwart these sorts of attacks. Additionally, China, Russia, and other prominent countries are continuously trying to hack its systems to gain access to databases, plans, mission information and information on the troops. Another tactic used by foreign powers is social engineering. They look for personnel deployed to foreign ports to target for information. In most cases, an individual may never know that they divulged information such as ship movements, the range of a specific weapon system, etc. This exploited information is used against the Navy as a whole and can have severe ramifications. If the information is obtained by these countries, grave damage can be done not just to the Navy but to employees and their family members. In the case of the Office of Personnel Management being hacked, foreign entities have information on more than 21 million records that contain clearance levels, socials, immediate family members’ information, etc., which has changed the landscape of how people and the Navy handle this type of information. The information that personnel have access to could cause exceptionally grave damage to national security.

Conclusion

The Navy is made up of ships, planes, spacecraft and physical buildings all over the world that are manned and operated by personnel from all walks of life who have their own agendas. This places the Navy at risk 24/7, and it can be threatened by an insider, terrorist or foreign power in a matter of seconds. The protection of data will always be an ever-changing topic, and security must be updated on a routine basis to keep up with the rapid cyber threats. The possibility of an insider threat is extremely high, due to the number of employees within the US Navy and the nature of their jobs. It is important that all personnel go through background investigations and are equipped with the proper training to help minimize the threats and vulnerabilities (One team One Fight).

References

Alice Training Institute. (2014). Is Your Workplace Prepared for Violence? Retrieved from https://www.alicetraining.com/resources-posts/blog/workplace-prepared-violence/

Alice Training Institute. (n.d.). Active Shooter. Retrieved from https://www.alicetraining.com/active-shooter/

Area Vibes. (2017). Reported Annual Crime in Everett. Retrieved from https://www.areavibes.com/everett-wa/crime/

NBCNEWS. (2018). Chinese hackers steal sensitive data from U.S. Navy contractor, report says. Retrieved from https://www.nbcnews.com/news/world/chinese-hackers-steal-sensitive-data-u-s-navy-contractor-report-n881641

Rouse, M. (2018). TEMPEST. Retrieved from https://searchsecurity.techtarget.com/definition/Tempest

Secretary of the Navy. (2006). SECNAV M5510.36. Retrieved from https://doni.documentservices.dla.mil/SECNAV%20Manuals1/5510.3