University of Lincoln Assessment Framework
CMP9809M- Information Systems Security
Name
Student ID
Email Address
Usama Ahmed
29523887
29523887@students.lincoln.ac.uk
Abstract
The security of information systems has become a paramount concern in the digital era,
particularly in maintaining the pillars of Confidentiality, Integrity, and Availability (CIA).
Emerging technologies like Blockchain have shown exceptional promise in addressing these
challenges. This report critically analyses the integration of Blockchain technology within
Estonia’s national e-Health system, focusing on its application to enhance CIA security goals.
It presents the techniques, methodologies, benefits, and challenges observed, followed by a
critical evaluation and suggested enhancements. Furthermore, reflections are offered to
underline the broader learning outcomes from the case study, thus strengthening the
understanding of information system security.
Introduction
Background
Information systems are increasingly under threat from sophisticated cyber-attacks, human
errors, and systemic failures. Protecting the CIA triad is essential for ensuring that information
remains confidential, unaltered, and available to authorized users. Traditional centralized
security systems often create single points of failure, becoming attractive targets for attackers.
This has led to the exploration of decentralized solutions like Blockchain technology, which
inherently offers immutability, transparency, and distributed control.
The case selected for this analysis is the pioneering integration of Blockchain in Estonia’s
national e-Health system. Estonia has earned global recognition as a leader in digital
governance, and its application of Blockchain to secure sensitive healthcare data provides rich
insights into the real-world challenges and successes of Blockchain-based information system
security.
Analysis Method Rationale
This study utilizes a qualitative, critical evaluation approach. By examining Estonia’s system
through industry reports, academic papers, and government publications, this method ensures
that the analysis is grounded in practical evidence while reflecting theoretical frameworks. It
focuses on linking the Blockchain application directly to the enhancement of the CIA triad and
provides proposals for optimizations based on gaps identified in the current system.
Analysis Discussions
Techniques, Methodologies, and Frameworks Applied
Estonia’s e-Health system leverages Blockchain via KSI Blockchain (Keyless Signature
Infrastructure), developed by Guardtime. Key components of the system include:
•
Immutable Ledger Architecture: Every event access, update, modification is
cryptographically linked and recorded immutably, ensuring traceability and auditability.
•
Zero Trust Security Model: The system assumes no inherent trust in any internal or
external actors. Continuous validation and verification mechanisms protect data
access at every layer.
•
Decentralization: Verification nodes are spread across multiple institutions. This
prevents reliance on a single server and enhances resilience to attacks or
infrastructure failure.
•
Encryption and Keyless Signatures: Rather than relying on traditional PKI (Public
Key Infrastructure) methods, the system uses blockchain hashing techniques for data
validation without needing decryption, preserving confidentiality.
•
Role-Based Access Control (RBAC): Access to health records is strictly controlled
based on user roles and operational needs.
•
Multi-node Redundancy: Health records are continuously backed up and
synchronized across several nodes, guaranteeing availability even during cyber
incidents.
Benefits Observed
The use of Blockchain has delivered several measurable benefits:
•
Enhanced Confidentiality: Health data remains encrypted and accessible only to
authorized parties.
•
Verified Integrity: Any unauthorized changes become immediately detectable.
•
Improved Availability: Distributed architecture allows the system to recover quickly
from attacks or malfunctions.
•
Public Trust: Citizens feel confident engaging with digital health services, knowing
that their data privacy and security are protected.
•
International Recognition: Estonia’s success has influenced other nations, like the
UAE and Australia, to explore blockchain solutions for national data management.
Challenges Encountered
Despite the benefits, significant challenges persist:
•
Maintenance Costs: Managing distributed systems and regular cryptographic
validation processes is resource-intensive.
•
Scalability: Expanding blockchain security models beyond health records to sectors
like education or transportation introduces significant complexity.
•
User Behavior Risks: Even the most secure systems are vulnerable to poor user
practices, such as weak passwords or accidental disclosures.
Estonia’s experience reveals that technological robustness must be complemented with
operational and cultural safeguards to be truly effective.
Evaluation
Discussions
and
Proposed
Solutions
Evaluation of Existing Security Strategies
Estonia’s Blockchain architecture excels in addressing the CIA triad:
•
Confidentiality is strongly protected via encryption and RBAC, ensuring only intended
recipients can access sensitive data.
•
Integrity is effectively preserved through immutable logging and real-time verification
mechanisms.
•
Availability is generally maintained, although the reliance on digital networks does
create a slight exposure to denial-of-service (DoS) attacks or internet outages.
However, vulnerabilities exist outside the technical system in organizational scalability and
user awareness.
Proposed Solutions for Improvement
Issue
Proposed Solution
High System
Employ a hybrid blockchain model, combining permissioned
Maintenance Costs
blockchain internally with public verification nodes, thereby
reducing operational overheads without compromising security.
Scalability Barriers
Introduce Layer-2 technologies like sidechains or state channels to
manage increased transaction loads without burdening the main
blockchain.
Human Error
Implement mandatory cybersecurity training programs for all users
Vulnerabilities
and administrators, covering secure authentication practices,
phishing awareness, and basic blockchain principles.
Additionally, integrating AI-driven predictive analytics to monitor blockchain operations
could help in early detection of anomalies, thus enhancing system resilience.
Potential Future Enhancements
Emerging technologies like Self-Sovereign Identity (SSI) frameworks could empower
citizens to control access to their data more granularly. Estonia could also explore QuantumResistant Cryptography to future-proof its blockchain solutions against quantum computing
threats.
Reflections and Conclusion
Analyzing Estonia’s Blockchain-based e-Health system has been a significant learning
journey, highlighting the multifaceted nature of information system security. This case study
clearly illustrates that while Blockchain technology can substantially strengthen the CIA triad
Confidentiality, Integrity, and Availability it is not a standalone solution. Effective cybersecurity
demands a holistic strategy that combines technological innovation with organizational
policies, human-centered design, and cultural transformation.
One of the key lessons I have learned is the importance of decentralization. Traditional
centralized models, while simpler to manage, inherently possess single points of failure.
Blockchain’s distributed ledger model offers resilience against various attack vectors,
providing a system that is inherently harder to corrupt or destroy. This architectural advantage
has significantly deepened my appreciation for the design principles behind secure information
systems.
Another critical insight involves the role of human factors in cybersecurity. Despite the robust
technical safeguards offered by Blockchain, vulnerabilities still exist due to user behavior such
as weak password management, phishing susceptibility, or negligence. It has become clear
to me that cybersecurity must go beyond technical implementation to include user education,
ethical standards, and operational discipline. Technology alone cannot secure a system;
informed and vigilant human actors are equally vital.
Furthermore, the case study emphasized the need for adaptability and scalability. Estonia’s
initial success highlights the importance of planning for future growth and changes. No system
remains static, and a security model must evolve alongside technological advancements and
emerging threats. This realization stresses the value of continuous improvement an essential
principle for any cybersecurity professional.
Finally, studying Estonia’s approach has reinforced the idea that public trust is a pillar of
cybersecurity. By transparently implementing strong, citizen-centric solutions, Estonia fostered
public confidence, which in turn strengthened the adoption and effectiveness of their systems.
Without user trust, even the most technically sophisticated system risks failure.
In conclusion, this assignment has broadened my understanding of Blockchain’s
transformative potential in Information Systems Security. It has also taught me that true
cybersecurity success is a synergy of technology, policy, culture, and education. These
learnings will significantly shape my approach as a future cybersecurity professional, ensuring
I advocate for solutions that are both technically sound and socially sustainable.
Social Engineering Attack Case Study Analysis
Description of the Social Engineering Attack
In the presented case study, the attackers successfully executed a physical social engineering
attack involving elements of impersonation and pretexting. Mr. Winkler and his accomplice
disguised themselves as legitimate contractors by simply acting confidently and purposefully.
By pretending to be busy on their mobile phones, they deliberately avoided direct interaction
with the receptionist, exploiting natural human tendencies to avoid confrontation or disrupt
someone appearing important.
Once inside, they made a strategic phone call, pretending to be the Chief Information Officer
(CIO) of the company, a tactic designed to create a powerful authoritative pretext. This allowed
them to manipulate the security desk into issuing them badges with broad access permissions.
With these credentials, they accessed sensitive systems, created administrative accounts,
and performed after-hours surveillance without raising suspicion.
The attack combined multiple social engineering tactics, culminating in full domain-level
access within just two hours a devastating breach highlighting the weaknesses in physical
and procedural security measures.
Why the Attack Worked
Several psychological and organizational vulnerabilities contributed to the attack’s success:
•
Authority Exploitation: By impersonating a senior executive (CIO), the attackers
leveraged the natural human tendency to obey perceived authority figures without
questioning them.
•
Urgency Creation: The attackers created a false sense of immediacy, preventing the
receptionist from thoroughly verifying identities.
•
Distraction and Confidence: Walking in during peak hours and appearing
preoccupied allowed them to blend in and avoid scrutiny.
•
Procedural Weaknesses: Lack of strict badge issuance policies and verification
procedures made it easy to bypass security checkpoints.
The company’s security culture appeared weak, relying heavily on physical presence rather
than systematic verification of individuals’ identities and intentions.
Social Engineering Principles Exploited
This attack exploited several classic social engineering principles:
Principle
Description
Authority
Trust in the perceived power or position of the attacker (CIO
impersonation).
Social Proof
The attackers blended with the crowd during the morning rush,
leveraging others’ behavior to reduce suspicion.
Urgency
Creation of a time-sensitive situation that discouraged verification
efforts.
Distraction
Diverting attention away from security protocols by acting busy and
confident.
Trust
Assuming trust among employees and security staff without proper
Exploitation
authentication processes.
These principles, when combined, form a powerful psychological toolkit that can compromise
even organizations with technical cybersecurity measures in place.
Impact on the Individuals Involved
The individuals directly involved, particularly the receptionist and the security guard, faced
significant consequences:
•
Reputational Damage: They were likely held partially accountable for breaching
security protocols, potentially facing disciplinary actions.
•
Emotional Stress: Feelings of guilt, embarrassment, or fear of professional
consequences can severely impact employees’ morale and confidence.
•
Loss of Trust: Management may lose trust in front-line staff's ability to enforce security
policies properly, affecting team dynamics.
•
Operational Disruption: Granting unauthorized access resulted in a full compromise
of the company’s network, creating widespread operational risks and requiring costly
incident response efforts.
This incident underscores how attackers can indirectly harm individuals beyond the primary
corporate target.
Security Measures That Should Have Been in
Place
Several preventive measures could have significantly mitigated the risk of such an attack:
•
Strict Identity Verification Procedures: Mandatory photo ID checks and supervisor
authorization before issuing access badges.
•
Visitor Escort Policies: All visitors, regardless of role, should have been required to
be escorted by an authorized employee at all times.
•
Security Awareness Training: Regular and mandatory cybersecurity training for all
staff, emphasizing social engineering risks and protocol enforcement.
•
Physical Barriers: Installation of access-controlled doors at entry points to prevent
unauthorized individuals from entering office areas without verification.
•
Badge Issuance Audit Trails: Every issued badge should have been logged, with
clear documentation of the requestor’s identity and authorization proof.
•
Segregated Access: Limiting access levels for newly issued badges to the absolute
minimum required for the task.
By implementing these measures, the company could have dramatically reduced the
likelihood of a successful breach.
Preventative Measures for Future Protection
Moving forward, the following strategies should be adopted to enhance protection against
social engineering attacks:
•
Regular Red Team Exercises: Conduct simulated social engineering attacks
(physical and digital) to test and improve staff readiness without prior warning.
•
Zero Trust Security Model: Treat every access attempt
physical or digital
as
untrusted by default, requiring continuous verification.
•
Clear Reporting Mechanisms: Employees should feel empowered and obligated to
report any suspicious behavior without fear of reprisal.
•
Security Culture Promotion: Reinforce a culture where following security protocols
is non-negotiable, even when dealing with authority figures or urgent requests.
•
Enhanced Surveillance and Access Logs: Use CCTV footage, biometric access
systems, and detailed audit logs to monitor and investigate all entry and exit activities.
Continuous education, coupled with systemic procedural improvements, remains critical in
defending organizations against sophisticated social engineering exploits.
References
•
Kask, V. (2017). Securing Estonia’s e-Society with Blockchain. Estonian e-Governance
Academy.
•
Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.
•
Zyskind, G., Nathan, O., & Pentland, A. (2015). Decentralizing Privacy: Using
Blockchain to Protect Personal Data. IEEE Security & Privacy.
•
World Bank (2019). Blockchain for Development: Research and Practice Report.
•
Guardtime (2018). KSI Blockchain Overview.
•
ISO/TC 307. (2020). Blockchain and Distributed Ledger Technologies – Overview of
Standards.
0
