Risk Management


Assessment item 2 - Develop a Security Policy & Program

By Lisa Christian


1. Security Policy Overview


Globex Corp were attacked and we helped them recover and isolate the problem.


In this report, I will discuss how they can be a market leader with their precision farming software, and how they can be confident and feel strong in the software they are offering.


Farming is an essential component within the economy. It provides us with crops for our food supply and clothing.


What is precision farming software?


Farming software or agricultural precision software allows farms to analyse when their seeds should be planted, the conditions of the soil, depending on the weather and the type of insects that may be found in the ground. It helps them predict accurately when they can yield their crops for consumption, market or supply.


The Director of Globex is unsure whether it is worth the expense.


From experience and research, we know that precision farming software can aid the goal of increasing profits and provide significant green improvements.


Some examples include:

  • Prevention of the soil degradation and preservation of soil minerals

  • Optimisation of effective water use

  • Create planting schedules

  • Coordinate fertiliser use

  • Early detection of plant diseases and what steps to take


It helps increase sustainability.


Agriculture has been around for 10 000 years, but it is in the past 50 years that precision farming software has led a large turnaround in how farming is conducted in modern times.


Now that every farm can have access to a computer, the software can be used to time when crops are planted and to monitor their growth. However, internet technology doesn’t reach all farms, so this gives Globex a leading edge: they can have custom new software to help look after their crops in particular, and have the internet to research new farming solutions to help grow and look after their crops. “…Precision farming in agriculture is a data-driven approach to improving the survival and fertility of the food we grow and cherish.” (Intellias, 2022.)


In ancient times, people relied on praying to ancient gods, but now we know that software can help us to effectively track plant growth.


Precision agriculture software includes a combination of technologies and solutions:

  • GIS-based tools for collecting, visualizing, and analyzing land data

  • Drone piloting solutions for inspection, data collection, and farming

  • IoT devices and other sensors to collect data points from fields

  • Remote control systems for farming equipment

  • Farm management modules powered by big data analytics

  • Predictive analytics units for advanced forecasts

  • VAR- and GPS-enabled solutions for semi-autonomous equipment” (Intellias, 2022.)

By using precision farming software, we can aim to double the agricultural food supply. In the past, productivity has been achieved by using harmful solutions, but this is a natural way to time and harvest food products.


Climate change is one issue affecting the food supply. So is an increasing population.


Here is some more:

(Intellias, 2022) Source: Deloitte — From Agriculture to AgTech: An industry transformed beyond molecules and chemicals


“The big promise behind emerging and field-ready precision farming technologies isn’t just helping us grow more food but doing so with greater intelligence.” (Intellias, 2022.)


“Precision agriculture technology essentially empowers agricultural leaders with tools to plant smarter at scale. Connected farming machines, sensors, and in-field measurement tools already collect a ton of valuable data. But oftentimes, it remains siloed in storage systems and never put to use.” (Intellias, 2022) – Globex can take advantage of that intelligence and use it to plant and harvest more fruit and vegetables.


“Many crop management software solutions are customized to the needs of an agricultural producer.” (Intellias, 2022) - So too can Globex have their software customised.


“[Our] system features web and mobile interfaces and collects data from IoT devices, connected machinery, and third-party big data analytics sources to empower decision-makers with comprehensive intelligence for decision-making.” (Intellias, 2022). This is my proposed plan for Globex’s software as well: an online web and mobile application.


An encouraging perspective from Climate FieldView…

Farming is honest work. Just like nothing can take away the satisfaction of a well-earned harvest, we also don’t get any shortcuts or do-overs. As farmers, we always need to adapt to changing conditions, so it’s important that we are honest with ourselves. We can’t see an underperforming field and say everything’s going great. We can’t talk our way out of a bad thunderstorm heading our way or a season with no rain. And we certainly can’t just tell ourselves what we want to hear and expect everything to go well. 


The fact is that your farm always tells the truth. And when you know how to hear it, that truth is one of the most powerful tools a farmer can have. 

(Climate FieldView, 2022.)

From AgDNA…

“Our programs and services are grounded in research, experience and expertise to achieve tangible and sustainable performance improvements.” (AgDna, 2022.) - A good point to act on.


The innovative farmers we’ve profiled throughout the years shared how their investment in advanced precision ag tools have generated significant return. And many cited the support of their precision ag point person as essential to capturing ROI.


So how much is quality precision service worth today?


We posed the question to a variety of farmers, precision ag service providers and manufacturers. While their answers came from different perspectives, each had one thing in common – reliable, reputable precision service is an investment today’s farmers can’t afford to squander.

” (PrecisionAgReviews.com, 2022.)


So Precision Ag Reviews is definitely saying that if resources are used conservatively in the right spot, at the right time and in the right amount, then the crop harvest return is more plentiful.


Here’s some feedback Sentera found from their customers:



ArgoSense claims that their software is about the farmer always knowing what’s happening.


1.1  The need for security policies at Globex Corp. 

By looking at the technicalities in section 1.2, Globex Corp can enhance their security and raise their level of security maturity. This means understanding the weaknesses and vulnerabilities of their online software. The recent attack they suffered is proof enough that they have to be ready for action and have solid security in place in case they are again faced with unwanted intruders hijacking, deforming or taking over their online software.

Market Research.

Farm works, SMS, MapShots, AgDNA, Sentera and ArgoSense are the top precision agricultural farming software downloads.

| Software | Use and features |
| --- | --- |
| Farm works | “Farm Works® Mobile software streamlines data management in the field by bundling record keeping, mapping, scouting, soil sampling, and variable rate application into one software solution. The Mobile software operates on any field computer with the Windows Mobile®, Windows® XP, Windows Vista®, or Windows 7 operating system.” (Farm works, 2022.) “Data entry for field records can work independently or in conjunction with a GPS receiver to track planting dates, chemical and fertilizer usage, scale tickets, hybrid/variety location, weather, and more. Viewing the history of past hybrids, chemical applications, tillage practices, and yield is simple and efficient. Large buttons enable easy navigation, and the interface accommodates small screen displays. You can also use GPS for field mapping. Map field boundaries, sampling zones, rocks, pivots, broken drainage tile, no spray zones, and other points of interest. Capture scouting attributes such as weed and insect types, notes, tile diameter, and images from a digital camera. The Farm Works Mobile software is flexible enough to handle soil sampling by grid or by management zones.” (Farm works, 2022.) |
| Mapshots | (Climate Fieldview, 2022.) |
| AgDNA | “AgDNA Prime is a mobile farming platform that combines record keeping, boundary mapping, scouting observations plus live equipment and activity tracking.” (Agdna, 2022.) |
| Sentera | “Starting with our ag drones and sensors, capture aerial imagery to turn into detailed analytics for visualization and analysis in our software platform, making it easy for agronomic leaders to act and validate outcomes.” (Sentera, 2022.) Monitor, capture, analyse, validate. |
| ArgoSense | “AgroSense is changing the technology of growing! It combines precise soil measurement, the observation of plant status, insect presence and irrigation with the latest scientific evidence on nutrient and pest management.” (ArgoSense, 2022.) |



These software products are packed with features that make them resourceful and useful. However, they are subject to attacks and vulnerabilities, and by having new software, Globex have the advantage of releasing software that is not yet known to attackers. So that is one aspect of security that can be on their side.

In addition to that, I have decided to do this scenario on the basis that I am creating this custom software for them myself.

I will use PHP and front-end web languages to make an online, pay-month-to-month, user-friendly system.

The main benefit is that customers can share information with their suppliers and vice versa.

It will also allow tracking of crops, inventory and accounting.

The limitations may be in what I don’t know that hackers know about online applications, but as a benefit, I know a lot about coding web applications with features for cyber security.

Because it is made in PHP, which runs on the server, the code is hidden from the users. This helps protect the intellectual property in the software, as does copyright labelling on the web application, which gives people a clear understanding of the intended intellectual copyright use.

1.2  Outline of the following security policies:

Technicalities

  1. A security policy that would act to preserve the Confidentiality, Integrity, and Availability of their data,

Quite simply, a plan to design and code a unique application with features that aren’t in competing software. I think I would like to code a compatible mobile app, so that users can jump from the web page to their mobile and do updates wherever is easiest. To protect it, I’d use logins, logouts, timeouts and QR codes.

The CIA triad is a foundation for cyber security policies. “The CIA triad is a model that shows the three main goals needed to achieve information security.” (Henderson, A. 2019.)

  2. A security policy that would act to protect their data centre resources, and

I would use strong encrypted passwords and logins in the backend databases in which their inventory and accounting details are stored. It is important for this to be secure because competing suppliers may source crops from the same farm, and I would think they need to keep their pricing strategies and product selection unique to have a competitive edge or a niche market.

  3. A security policy that would act to educate Globex Corp in how they can protect the company's data and resources.

Unique encrypted passwords, vague URL extensions and secure POST form logins are essential to making a PHP application secure, as are SSL security certificates for online purchases through payment gateways.

What is SSL?

It stands for Secure Sockets Layer. It is networking terminology for a transport protocol that protects communications through web pages and their forms.

By having an SSL certificate, you can build trust with the user.

It is shown in the browser URL, under https addresses. The SSL certificate is installed by the website owner on the web hosting.

The SSL communications are encrypted. Some payment gateways, like PayPal, have their communications protected by SSL already, so you don’t have to purchase and install one.

A payment gateway is used to process online payments.
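
The logins, logouts and timeouts from the first policy and the protected stored passwords from the second and third, shown in PHP as an added example; it is not code from the Globex application. The `users` table, its columns, the 15-minute idle limit and the sample account are assumptions, and passwords are stored as salted one-way hashes with PHP's `password_hash()` rather than reversibly encrypted.

```php
<?php
declare(strict_types=1);
// Added example, not the report's code. The `users` table, its columns and
// the 15-minute idle limit are assumptions made for illustration.
const IDLE_LIMIT_SECONDS = 900;

function start_secure_session(): void
{
    // Session cookie: HTTPS only, unreadable from JavaScript, same-site only.
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Strict']);
    session_start();
}

function register_user(PDO $db, string $email, string $password): void
{
    // Store a salted one-way hash; the plain password is never written.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $email, string $password): bool
{
    // Prepared statement keeps the POSTed form values out of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same result for unknown account and wrong password
    }
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

function session_is_active(int $now): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return false;
    }
    if ($now - $_SESSION['last_seen'] > IDLE_LIMIT_SECONDS) {
        logout();                          // timeout: drop the session
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// Constructed command-line demo: in-memory SQLite and a made-up account.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    start_secure_session();
    register_user($db, 'grower@example.test', 'constructed sample passphrase');
    $results = [
        'wrong password' => login($db, 'grower@example.test', 'guess'),
        'right password' => login($db, 'grower@example.test', 'constructed sample passphrase'),
        'after 1 minute' => session_is_active(time() + 60),
        'after 1 hour'   => session_is_active(time() + 3600 + 60),
    ];
    var_dump($results); // printed last so no output precedes the session calls
}
```

The `secure` cookie flag depends on the site being served over https, so the session cookie is only sent on connections protected by the SSL certificate described above.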

As part of the outline for each security policy my proposal is to discuss: 

  1. The intent and rationale and scope of the policy,

Obviously, to protect the application and its data.

  2. The mandatory requirements for the rules or actions that you think are reasonable to place into this policy to meet its intent and rationale,

Well, I think the requirement is to be reliable in checking and monitoring the web application, the web logs and any suspicious feedback from users. That should give clues as to whether the application is safe or not.

  3. Any exemptions that you think are reasonable to place into this policy to meet its intent and rationale.

The internet is a vast and open space where the more a website is marketed, the more likely it is to be challenged. It’s not just meanies in cyberspace wrecking websites; you have to understand the mindset of the hacker. It could be competing companies trying to have the best software, or disgruntled past staff looking for revenge. It could also be family members or ex-partners who are angry and don’t want the company and its stakeholders to succeed.

What are the main hacks and vulnerabilities?

The internet itself has weaknesses that a smart hacker knows how to get through, especially when they know how to access websites anonymously by using a Tor browser on the dark web.

What are the strengths?

One strength is that an online web application doesn’t need to be downloaded; it can be instantly accessed after signing up with a registration form and payment.

Other agriculture precision software has been found to have vulnerabilities.

How can it be protected?

By following the procedures mentioned before, and also by analysing the web logs, monitoring the activity on the website and reviewing the application regularly, checking for deformed pages or data.

What will it not do?

Well, it won’t have as many features as applications created in Java, for example, but it will be online and quick-loading, which will make it a convenient application to use, and I will use coding strategies that will make forms and logins secure. Two-step verification will make it more secure, as will answering a secret question to gain access.

What will be the limitations?

I haven’t yet worked out how to connect bank accounts with backend databases, but that would be a good idea for the future.

Why would they go ahead with the software anyway?

Because it will be fun, it will give them a good reputation for producing software, and they know how to hire staff to do this work and have the funds, even if it’s an elaborate task. Overall the outcome should be satisfying and financially worthwhile.


2. Information Security Program


2.1 InfoSec Program

Description of an Information Security Program and how it could benefit Globex Corp. In tabular format, defined by all the required functions to implement an InfoSec Program.


Summary of technical benefits.


| Technical Feature | Benefit |
| --- | --- |
| Yield monitoring | Measuring the amount of seed to plant. |
| Accounting | Keeping track of costs and sales. |
| Field management | Crop yielding. |
| Labor management | Staff required and used. CRM. |
| Traceability | Which crop, where. |
| Weather records | Weather past and future predictions. |
| Collaboration | Summary of features and reports, with graphs. |



2.2  InfoSec Organisational Diagram

An organisational diagram for Globex Corp to which I recommend their Information Security (InfoSec) can sit/report, justified.





SSL

Web traffic -> Web page


Backend database PHP/login/logout






What does the diagram mean?

The traffic flows through the diagram in the direction shown above.

“The goal of the Information System/Data Flow Diagram is to capture the main components of an Information System, how data moves within the system user-interaction points, and the Authorization Boundary.” (University of Florida, 2022.)

“InfoSec encompasses physical and environmental security, access control, and cybersecurity.” (Microsoft, 2022.)

Key elements of Information Security:

  • Application security – practices and tools that will help to protect the applications and their data.

  • Cloud security – tools and practices that protect all parts of the cloud.

  • Cryptography – encrypted communications.

  • Disaster recovery – ability to bounce back after a cyber attack or natural disaster, e.g. fire.

  • Incident response – the ability to recover after a bad event or cyber attack.

  • Infrastructure security – the security of the entire infrastructure, that includes both hardware and software.

  • Vulnerability management - identifying vulnerabilities of software or networking.


| Common security threats | Definition |
| --- | --- |
| Advanced persistent threat (APT) attack | Over a long period, the attacker gains entry to the enterprise and data. |
| Botnet | Malicious code that the attacker uses to control a computer like a ‘robot’. |
| Denial of Service attack (DDoS) | An attack that overwhelms the company website until it crashes. |
| Drive by download attack | Where a download is taken over and replaced with malicious code. |
| Exploit kit | Tools that infect with malware. |
| Insider threat | Where a person inside the organisation is a threat to the company website. |
| Man in the middle attack (MitM) | Where information in the communication process, e.g. email, is stolen and replaced with altered text, changing the meaning of the email. |
| Phishing attack | Stealing info while falsely presenting itself in email. |
| Ransomware | Where a user is manipulated by having their info encrypted until they pay a certain amount. |
| Social media attack | Attacks that come via social media. |
| Social engineering attack | Where a stranger pretends to be a person of trust and misuses the company’s information. |
| Viruses and worms | Malicious code that copies and propagates itself, spreading over the company network. |


“Enterprises can employ information security management systems (ISMS) to standardize security controls across an organization, setting up custom or industry standards to help ensure InfoSec and risk management.” (Microsoft, 2022.)

Once your security team has been alerted to an InfoSec threat, complete the following steps:

  • Gather your team and reference your incident response plan.

  • Identify the source of the threat.

  • Perform actions to contain and remediate the threat.

  • Evaluate any damage.

  • Notify relevant parties.”(Microsoft, 2022.)






References:

AgDna.com, 2022. Services.

Accessed from: Services - AGDNA Gov on 26/12/22.


Climate.com, 2022. Mapshots.

Accessed from: MapShots - AgStudio (climate.com) on 26/12/22.


EDUCBA, 2022. What is SSL?

Accessed from: What is SSL? | How it Works | Certificates | Features & Advantages (educba.com) on: 26/12/22.


Farm Journal, Inc. 2022. 13 Ways Precision Ag Advances.

Accessed from: 13 Ways Precision Ag Advances Leave Farmers Vulnerable to Attack | AgWeb on 23/12/22.


Gallagher A. 2022. Precision Agriculture.

Accessed from: Precision Agriculture ‘Ripe for the Picking’ by Hackers | Gallagher USA (ajg.com) on 23/12/22.


Henderson, A. 2019. The CIA Triangle.

Accessed from: The CIA Triad: Confidentiality, Integrity, Availability - Panmore Institute on: 26/12/22.


Intellias, 2022. Precision Farming: Applying Software to Soils, Sustainably.

Accessed from: Precision Farming: Applying Software to Soils, Sustainably - Intellias on 26/12/22.


MartensFarms.com, 2022. Farm works software.

Accessed from: Farm Works Software – MartensFarms.com on 26/12/22.


Microsoft, 2022. What is Information Security?

Accessed from: What Is Information Security (InfoSec)? | Microsoft Security on: 26/12/22.


Precisionagreviews.com. Pulling smarter fertilizer.

Accessed from: Pulling Smarter Fertilizer Decisions from Soil Sampling Technology (precisionagreviews.com) on 26/12/22.


PredictiveAnalyticsToday.com, 2021. Top 6 Precision Agriculture Software 2022.

Accessed from: Top 6 Precision Agriculture Software in 2022 - Reviews, Features, Pricing, Comparison - PAT RESEARCH: B2B Reviews, Buying Guides & Best Practices (predictiveanalyticstoday.com) on 23/12/22.


Sentera, 2022. Home.

Accessed from: Home - Sentera on: 26/12/22.



Vice Media Group, 2022. Hacker says he found a Tractorload of Vulnerabilities.

Accessed from: Hacker Says He Found a ‘Tractorload of Vulnerabilities’ at John Deere (vice.com) on 23/12/22.


University of Florida, 2022. Creating an Information/System Flow Diagram.

Accessed from: Creating an Information System/Data Flow Diagram - Information Security - University of Florida (ufl.edu) on: 26/12/22.


