AT&T is one of the world's leading telecommunication companies, providing converged services and other IP-based solutions to customers. It prides itself on providing cutting-edge products and services whose reliability, quality and innovativeness are second to none. The company has the biggest 4G cellular network coverage in the United States, with a customer base of over 275 million people. AT&T has led the way in redefining and transforming the manner in which people access internet solutions. For instance, in the past, Wi-Fi and broadband connectivity were limited to specific areas such as homes, institutions of learning and workplaces (AT&T, 2013). However, through innovative services, AT&T has managed to provide its customers with high-speed internet access wherever they are in the United States. Thus, mobility and internet connectivity are no longer issues of concern for AT&T customers. It is worth noting that AT&T is the first company in the United States to allow the citizenry to enjoy convergence services seamlessly. It became the first to provide full IP-based television to Americans through its U-verse service (AT&T, 2013).
The recent increase in the number and complexity of malware has rendered defensive technologies such as firewalls almost irrelevant. Technological advancement has made it easy for hackers to bypass conventional network security protocols (Robinson, 2012). This issue has raised concerns among different stakeholders, from service providers to customers, who are the end users. It makes people feel insecure, especially when they do not trust the security mechanisms that are put in place to ensure their safety. Various studies indicate that, despite laws intended to secure information and systems, organizations have not done enough to secure their information systems (AT&T, 2013). The security management of companies strives to provide secure online protection of their databases because, if this is ignored, it would lead to serious vulnerabilities that can damage their data and systems. If a customer loses trust in an organization due to these threats, it would lead to serious challenges for the organization in terms of its market share and its goal (Solomon & Kim, 2010).
Purpose of the report
Risk management forms an essential component of security management at AT&T. This is why AT&T has invested a lot of its resources in the design and implementation of cutting-edge security policies that are second to none (AT&T, 2013). This report outlines the processes and mechanisms the company uses to detect, minimize or totally eliminate threat sources. It gives a stepwise procedure that ensures the safety of the employees, clients and customers at AT&T.
This step is very important in the entire process of risk assessment. It is where the boundaries of the IT system are identified, together with the resources that make up the system. The significance of characterizing an IT system is to come up with a risk evaluation strategy, which will give the information needed to describe the risk. Part of the information needed while carrying out system characterization is the type of hardware, software and personnel that will help in describing the scope of the risk (Stoneburner, Goguen, & Feringa, 2002).
In addition, before carrying out a risk assessment in an organization, it is crucial to establish the kind of system interfaces available in the system. Interfaces refer to the manner in which the IT system is interconnected internally and externally. Furthermore, the personnel carrying out the risk assessment need to know the system mission, which entails the processes performed by the security system to ensure the safety and integrity of confidential information (Stoneburner, Goguen, & Feringa, 2002). Finally, it is prudent to establish the criticality and sensitivity of both the system and the information contained within it. The value of the information helps to classify the degree of threat to the system.
AT&T has developed exceptional assets comprising both hardware and software that run three types of network for the provision of quality services to its customers. These types of network include cabled residential broadband, Wi-Fi and wireless networks (AT&T, 2013). This implies that customers can enjoy connectivity at home or in the office through wireless or cabled broadband services, and even while on the move through wireless and Wi-Fi connection services. There are over thirty thousand Wi-Fi access points in most of the stores across the country and many others in foreign countries that allow roaming services (AT&T, 2013).
Other information may be relevant while carrying out a risk assessment, such as the usefulness of the system, its security structure, and institutional as well as government policies that relate to security threats. Moreover, there is a need to know the management and operational controls employed in the IT system (Solomon & Kim, 2010). The physical and environmental measures used in the organization help to give a good illustration of how the firm protects its IT systems against water, fire, chemical damage and pollution, among others. All the above information can be collected from an organization by conducting interviews, using questionnaires, or reviewing policy documents about the structure and design of the system (Stoneburner, Goguen, & Feringa, 2002). Network scanning tools are also helpful in collecting relevant information regarding security in the IT system.
A threat can be defined as the probability of successful occurrence of danger from a certain source that can lead to susceptibility. There are various factors that can pose a threat to AT&T. However, in order to establish the possibility of occurrence of a threat, its source, the areas that are most susceptible and the mechanisms that are in place for its control must be established. There are natural causes of threat, mainly categorized as natural calamities such as storms, earthquakes and hurricanes, among others (Stoneburner, Goguen, & Feringa, 2002). They are sometimes unpredictable and their effect unfathomable. Other threats originate from humans and can be directed towards the company either knowingly or unknowingly. People can make deliberate attempts to physically attack the company’s network or use malicious software to gain illegal access to classified information at AT&T (Stoneburner, Goguen, & Feringa, 2002). Dissatisfied, terminated or dishonest employees usually pose a threat to the company through the trade of confidential or personal information. They can also engage in a plan to sabotage or intercept the security system of the organization.
Just like any IT-based or telecommunication company, AT&T faces the threat of potential attacks. These attacks are not physical but are instead carried out through malicious programs aimed at corrupting the integrity and confidentiality of data in the company. The emergence of innovative communication technologies comes with some potential risks (Jennings & Boyce, 2002). When new technologies are adopted, institutions usually leave room for later improvement. This is what gives malicious people an opportunity to execute their missions. AT&T has always taken a leading role in the provision of state-of-the-art technologies to its clients and customers. For instance, the company has the largest fourth-generation cellular network, which helps customers to enjoy convergence services (AT&T, 2013). A considerable number of AT&T clients have migrated to converged networks. However, some customers felt that new technology inventions usually open new doors, such that an organization can be caught unawares even before it comprehends all the security complications (Solomon & Kim, 2010).
Besides hackers, there are other potential threats which AT&T faces, such as terrorism. A terrorist will resort to information warfare in order to blackmail or exploit individuals or an organization. Business rivals can also penetrate the company’s security detail for the purpose of gaining a competitive edge in the field through illegal means (Stoneburner, Goguen, & Feringa, 2002). Consequently, AT&T has developed a threat statement, which comprises a list of causes of threat that could lead to susceptibility of its entire system.
Vulnerability refers to the presence of a defect in the internal control mechanism, security process or structure of an organization which, if exploited, can lead to the destruction of the entire security policy. It is therefore important for a company to develop a list of vulnerable areas that could be potential targets of attack by a threat source. Examples of vulnerabilities include failure to remove an employee’s identification from the company’s database containing system identifiers. Such an employee can be compromised by terrorists or other criminal groups and persuaded to access classified information in the company (Stoneburner, Goguen, & Feringa, 2002). Another thing that displays vulnerability in a company is when the network firewall allows unauthorised access to its system using guest identification methods. Furthermore, an organization can be aware of a defect in its security system and yet leave the situation uncorrected. Delay in managing flaws within the security system poses a great security threat to the company through unauthorised access by cyber criminals.
All the above vulnerabilities can occur at AT&T and are therefore potential sources of threat to the institution. However, AT&T has put in place network security measures in its system to pinpoint vulnerabilities through a number of approaches (AT&T, 2013). For instance, the company runs security checks on its system and improves its security requirements checklist, among others (AT&T, 2013). A number of security checks are done on the AT&T system to test for available vulnerabilities. They are proactive methods for checking the efficiency of a security system. The company also runs a web-based reporting mechanism for the citizenry to use in case they identify vulnerabilities in its operational and security systems. They are required to report to AT&T scenarios that display vulnerabilities in the company’s network throughout the country (Robinson, 2012). Reporting is done using high encryption methods for confidentiality purposes and to avoid information tapping.
During this step of the risk assessment, controls that are already in place or are in the process of implementation are evaluated. This is done in order to reduce the possibility of a threat occurring in the system. There are technical as well as non-technical control techniques. Technical methods refer to the safety measures that are integrated into computer hardware and software for security purposes (Stoneburner, Goguen, & Feringa, 2002). For instance, these methods include the use of authentication procedures, access control through the use of passcodes tied to security clearance levels, and the use of encryption software to encrypt classified information, among others. On the other hand, non-technical methods of security control include operational measures and policies in an organization, as well as physical and environmental security measures.
It is worth noting that the above control mechanisms can be either preventive or detective. Control methods that inhibit intruders from violating security procedures and measures are classified as preventive. They include authentication procedures and encryption, among others. On the other hand, detective control measures are those that warn about violations and intended damage or abuse of security policies (Stoneburner, Goguen, & Feringa, 2002). They include intrusion detection mechanisms and checksums. As already stated above, the main aim of control analysis is to analyze the implementation of security control mechanisms in an organization that will prevent the possibility of vulnerability and also minimize the effect of such a hostile occurrence.
AT&T has put in place a threat management structure, which helps to scan for and pinpoint emerging problems, find out their origin and take preventive measures. It is one of the methods that the company uses to safeguard customer networks. Furthermore, AT&T, through its managed security services, includes a strong protective layer in its network security system so that its customers are safe while accessing the internet (Stoneburner, Goguen, & Feringa, 2002).
In order to ensure safety over a converged IP system, AT&T has implemented security features that protect its customers, clients and employees from cyber-attack and business disturbances. For example, in the deployment of VoIP services and virtual private networks, among other services, AT&T factors in security features while planning the entire structural design of the service (AT&T, 2013). The company employs a “defense in depth” concept in its network structure to quickly establish threats aimed at its network. Consequently, such threats can be eliminated before they affect the system, and therefore the customer remains safe, as does the information being sent across the network (AT&T, 2013). There are many security measures that AT&T has implemented to safeguard the interests of both voice and data customers. They include AT&T secure E-mail gateway, AT&T firewall security, AT&T web application firewall, DDoS defense, AT&T encryption services and AT&T mobile security, among many others (AT&T, 2013).
At AT&T, security control measures have been greatly enhanced. The company employs control methods discussed above to safeguard the confidentiality of its customers and employees. Protection against intrusion of company’s security system is a key priority at AT&T in a bid to win its customer’s trust that their privacy and data are safe (AT&T, 2013).
This step measures the possibility of occurrence of a potential vulnerability in a company. A source of threat is rated as low, medium or high depending on where it originates, its nature, and the availability of effective control measures (Stoneburner, Goguen, & Feringa, 2002). A threat source is considered low if it does not have the ability to cause danger, and there are control mechanisms to prevent the vulnerability from being exercised. A medium threat source is one that is motivated and can cause danger, but the available control mechanisms may or may not prevent the vulnerability successfully (Stoneburner, Goguen, & Feringa, 2002). Finally, a high threat source is one which is adequately able, and the control mechanisms to prevent the vulnerability are not effective. A source of threat is therefore identified and rated according to the scale outlined above following continuous monitoring and reporting of the network. AT&T has put in place mechanisms that help to detect and pinpoint threat sources and alert relevant stakeholders in the company for mitigation purposes.
This is a significant step in calculating the level of risk, in order to establish the effect that follows a successful intrusion into the security system of an organization. There are a number of things that help a company to establish its impact analysis. Firstly, it is important to understand the mission of the security system in the company. This is what will assist in understanding the processes that are performed by the security system in the institution. Secondly, impact analysis involves determining the criticality of the data that has been compromised and the security system’s value to the company (Stoneburner, Goguen, & Feringa, 2002). Lastly, evaluation of the impact will be concerned with the sensitivity of the system and data that has been compromised. The only way to meet the above requirements is by carrying out a criticality assessment of the available assets. This type of assessment focuses on the hardware, software, technology and the entire system that help in protecting the organization from security threats.
Some of the impacts of a compromised security system are described below. There is loss of integrity of the system and the data when unauthorized access to the system happens, leading to manipulation or destruction of sensitive information. There is loss of assurance in the company’s security detail. Another impact of a compromised security system is loss of availability. Information can become compromised and therefore rendered unavailable, or the system loses its operational usefulness. Last but not least, a security breach can lead to loss of confidentiality by the general public (Solomon & Kim, 2010). Confidential information is supposed to be protected against disclosure to unauthorized people. In case of a security event due to a vulnerability in the company, confidential information becomes jeopardized. The degree of impact following a security breach is qualitatively classified into low, medium and high levels.
AT&T operates a virtual service for analyzing the magnitude of the threat in case of security events. This service is also concerned with the management of a security event once it occurs. The service collects information from all devices that are used within the company’s or an individual’s network; it evaluates the associated events and gives alerts depending on their criticality. This department has state-of-the-art tools and expertise to offer a simultaneous and near real-time representation of everything that happens within a client’s network around the clock (AT&T, 2013). It is mandated with a proactive role of managing the client’s network to identify and also eliminate interruptions before they harm the client’s business operations. It also focuses on quick response in case of a security event.
This step focuses on the magnitude of risk to the information technology system. It is determined by considering a number of factors. They include the possibility of a particular source of threat exercising a specific vulnerability. Another factor is the degree of impact should a source of threat manage to exercise the vulnerability (Stoneburner, Goguen, & Feringa, 2002). Moreover, determining risk involves having an adequate plan for minimizing or eliminating risk. Risk is measured by developing a risk-level matrix. The matrix is obtained by multiplying the values given for the probability of threat and the related impacts. After calculating risk levels, the outcome is represented on a scale of low, medium and high levels. This information is obtained from real-time values and therefore can only be exercised in real time. However, security experts at AT&T employ this strategy to determine risk levels for their company and clients.
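An added worked example (not from the original essay or from AT&T) of the likelihood rating and risk-level matrix described above. The numeric weights and score bands are those of the cited NIST SP 800-30 guide; the register entries and their ratings are constructed, and rating any finding with effective controls or an incapable threat source as low likelihood is an assumption.

```python
from dataclasses import dataclass

# Weights from NIST SP 800-30 (2002), the guide the essay cites.
# Likelihood 1.0 / 0.5 / 0.1 is stored in tenths so the arithmetic stays exact.
LIKELIHOOD_TENTHS = {"high": 10, "medium": 5, "low": 1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
CONTROL_STATES = ("effective", "partial", "ineffective")


@dataclass
class Finding:
    """One threat-source / vulnerability pair in the risk register."""
    vulnerability: str
    threat_source: str
    capable: bool   # is the threat source motivated and able to act?
    controls: str   # one of CONTROL_STATES
    impact: str     # "low", "medium" or "high"


def likelihood(capable: bool, controls: str) -> str:
    """Rate likelihood from threat-source capability and control strength."""
    if controls not in CONTROL_STATES:
        raise ValueError(f"unknown control state: {controls!r}")
    if not capable or controls == "effective":
        return "low"      # assumption: either condition alone is enough
    if controls == "partial":
        return "medium"   # able source, controls may or may not hold
    return "high"         # able source, controls ineffective


def risk_level(score: int) -> str:
    """Map a 1-100 score to the scale: >50 high, >10 medium, else low."""
    if score > 50:
        return "high"
    return "medium" if score > 10 else "low"


def assess(findings):
    """Return (vulnerability, likelihood, impact, score, level), worst first."""
    rows = []
    for f in findings:
        lik = likelihood(f.capable, f.controls)
        score = LIKELIHOOD_TENTHS[lik] * IMPACT[f.impact] // 10
        rows.append((f.vulnerability, lik, f.impact, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed register; the ratings are illustrative, not AT&T data.
REGISTER = [
    Finding("Known flaw left uncorrected", "outside intruder",
            True, "partial", "medium"),
    Finding("Storm damage to a network site", "natural calamity",
            True, "effective", "high"),
    Finding("Departed employee's ID still in the identifier database",
            "terminated employee", True, "ineffective", "high"),
    Finding("Firewall admits guest identification", "outside intruder",
            True, "partial", "high"),
]

if __name__ == "__main__":
    for name, lik, imp, score, level in assess(REGISTER):
        print(f"{score:>3} {level:<6} likelihood={lik:<6} impact={imp:<6} {name}")
```

The firewall entry scores exactly 50 and the storm entry exactly 10, so both sit on a band boundary and show that a high-impact finding can still rate medium or low once controls are taken into account.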
The control recommendation step is important during the process of assessing risk. It involves recommending the most effective security controls that will help to stop and eliminate detected risks. Recommending effective security controls should consider the following factors. To begin with, the effectiveness of the control option should be taken into consideration. This is because the control measure should be compatible with the IT system in the organization (Stoneburner, Goguen, & Feringa, 2002). A recommended control should also work within the available legal framework. It should not go against the policies of the company.
Also, the recommended control measures should work within the operational limits of the company. This implies that when control measures are way above the operational budget of a given firm, it becomes hard to finance the control processes (Krishnamurthy, Tipper, Qian, & Joshi, 2010). Moreover, it is important to determine whether the recommended control is effective against a security event and whether it affects the general performance of the system. Finally, before settling for a particular control measure, it is prudent to ensure that it is safe and reliable for use. When all these factors have been met, it brings trust into the equation because victims of a security event are able to understand that the recommended control measure will avert any possible threat posed by a vulnerability (Kovacich & Blyth, 2006).
AT&T prioritizes the safety of its clients and their data, among other things. It uses effective security control measures that make its clients feel safe and in control of their lives (AT&T, 2009). It is worth mentioning that earning this kind of trust from clients has come at a heavy cost because AT&T employs cutting-edge technology in the surveillance, detection and elimination of threat sources (Krishnamurthy, Tipper, Qian, & Joshi, 2010). The company has been focusing on its network security for the better part of its history. It has set the pace in many technological developments that continue to remain the best network security practice in the modern world (AT&T, 2010). They include the development of a security governance strategy model, risk management procedures, firewalls and a protection-in-depth security policy, among many others (Jennings & Boyce, 2002).
The company has also developed the concept of threat analysis. AT&T takes a preventive approach to security, with the aim of mitigating detected interceptions before they cause any considerable damage (Apgar, 2006). It has skillful personnel concerned with gathering, evaluating, clarifying and conveying information to clients in almost real time. This is what facilitates fast response to events.
AT&T is always committed to detecting security irregularities as well as cyber-attacks with an aim to pinpoint them in their early stages (Apgar, 2006). Consequently, the client is alerted to take action early enough to prevent possible harm that can be inflicted by an attack. Effectiveness of network safety at AT&T is achieved because security measures are addressed at both the macro and micro levels. This means that at macro level, the company focuses on the routers, firewalls as well as gateways (AT&T, 2013). On the other hand, malware and other specific security attacks are addressed at the micro level.
Individual customers and businesses in the United States require internet connectivity that guarantees safety around the clock. Minor flaws in the security system cause vulnerability, which can translate to huge losses through manipulation or loss of confidential information, integrity of information and even resources, especially now that most payments are done online (Jennings & Boyce, 2002). AT&T has established and developed a legacy of providing security solutions which address protection against threats in a complex network architecture at the information as well as the network levels of the ISO model.
There are many internal and external forces that pose a big threat to the operations and success of AT&T. This report has reflected on the measures that the company has implemented in order to survive amidst challenges and maintain a leading role given the current demands of the market. AT&T can be trusted as a dependable provider of network security solutions that allow its clients to carry out integrated network solutions in their corporate environments (Robinson, 2012). Its surveillance systems operate around the clock to offer reliable security solutions to its clients. This report has established that AT&T has a very complex and tight security system. Also, its preparedness for and response to security threats are excellent, a quality that makes its clients feel that their information is secure with AT&T.