Abstract
The National Basketball Association (NBA) is an all-men's professional basketball league in North America, founded in New York City on June 6th, 1946, as the Basketball Association of America (BAA). The league comprises 30 teams (29 located in the United States and 1, the Toronto Raptors, in Canada). The teams are divided evenly into two conferences (Eastern and Western) with 6 divisions, 5 teams each. It is widely considered the greatest basketball league in the world. The NBA team this project focuses on is the Los Angeles Lakers.
The Los Angeles Lakers are an American professional basketball team based in Los Angeles. Founded in 1947, the Lakers are one of the NBA's most famous and successful franchises, and one of the most successful and popular professional franchises in all American sports. The Lakers compete in the National Basketball Association (NBA) as a member club of the league's Western Conference Pacific Division.
The franchise has won a combined 16 Basketball Association of America (BAA) and National Basketball Association (NBA) titles, the last in 2010. The Lakers' fan base is believed to be one of the best in the NBA because of its relentless support for the team during winning and losing streaks. The key business area for the Lakers is the sale of merchandise, tickets, advertisement, and news. The goal of this project is to select key areas of the Lakers' website and assess them.
The key business area for the Los Angeles Lakers is the sale of merchandise, tickets, advertisement, and news. According to the Forbes NBA valuation 2019, the Los Angeles Lakers are the second most valued team at 3.7 billion, coming behind the New York Knicks (4 billion) and Golden State Warriors (3.5 billion).
Table of Contents
STEP 1: SYSTEM CHARACTERIZATION
Information-Gathering Techniques
STEP 3: VULNERABILITY IDENTIFICATION
Development of Security Requirements Checklist
STEP 5: LIKELIHOOD DETERMINATION
STEP 8: CONTROL RECOMMENDATIONS
Executive Summary
The National Basketball Association (NBA) is an all-men's professional basketball league in North America, founded in New York City on June 6th, 1946, as the Basketball Association of America (BAA). The league comprises 30 teams (29 located in the United States and 1, the Toronto Raptors, in Canada). The teams are divided evenly into two conferences (Eastern and Western) with 6 divisions, 5 teams each. It is widely considered the greatest basketball league in the world. The NBA team this project focuses on is the Los Angeles Lakers.
The NBA has revitalized its strategy by giving players their own platforms, such as doing advertisements for companies and having a huge social media presence, leading to high ratings each season. Through the organization's digital marketing strategy, the NBA creates content that fans crave. The NBA also employs several expert writers who create content on the league's website (NBA.com) for those who are interested in everything happening league-wide. Each team also employs an expert writer who writes game recaps, articles, and other stories on the team website. Fans are able to go to their favorite team's website and see everything that's going on (Adragna, 2018). On the NBA website, fans can purchase tickets to the games. Also provided is
This project was assigned to students in INFA 610 9082 Foundations of Information Security and Assurance, University of Maryland, University College. The goal of the project is to conduct a risk assessment of an organization, and I have chosen the National Basketball Association (NBA), specifically the Los Angeles Lakers. This risk assessment assesses the use of resources and controls to eliminate and/or manage vulnerabilities that are exploitable by threats internal and external to the National Basketball Association (NBA) web sites. For the purposes of this risk assessment, the Los Angeles Lakers (developed by Turner Sports Digital). Though the NBA teams are stand-alone teams, the NBA provides an overarching website, and each team website is just an extension of the NBA website. The focus will be on the NBA, as all the teams will have a similar assessment when it comes to their information system.
1. INTRODUCTION
Purpose
The purpose of this risk assessment is to identify vulnerabilities and threats related to the Los Angeles Lakers franchise of the National Basketball Association (NBA). The risk assessment will identify major risk areas related to NBA team information technology systems.
Scope
NBA.com is part of Turner Sports Digital, part of the Turner Sports & Entertainment Digital Network. To avoid domain squatters trolling NBA teams, the organization made each team's website an extension of the official NBA website. All team websites are individually operated as part of Turner Sports Digital, but each has a certain degree of uniqueness from the other teams' sites. Each NBA team is franchised and independently operated, yet this risk assessment will be of utmost importance for any of the thirty teams in the league. Because of how the NBA team websites are set up, this risk assessment could be viewed as belonging to the Los Angeles Lakers, but it is also relevant to any other NBA team, since each team's website provides very similar content, merchandise and tickets.
Background (Team Profile)
- Team Name – Los Angeles Lakers
- Team Location – Los Angeles, California
- Industry – National Basketball Association
- Stadium/Arena – Staples Center
- Company profile – Los Angeles Lakers Inc., LLC
- Website – https://www.nba.com/lakers/
Los Angeles Lakers Management
- Chief Executive Officer – Francis R. Mariani
- President and Chief operating officer – Tim Harris
- Senior Vice President – Joe McCormack
2. Risk Assessment Approach
Risk model
The risk model follows the standard risk assessment methodology used within the U.S. federal government, described in National Institute of Standards and Technology (NIST) Special Publication 800-30: Risk Management Guide for Information Technology Systems. Using the NIST 800-30 assessment framework to address an organization's information security risk management separates assets into distinct and integrated tiers, which helps streamline the risk assessment process and reduce the organization's inventory of threats and controls. NIST provides guidance for categorizing, determining impact levels and security control baselines. According to NIST, risk is viewed at three different levels: organization level, business process level and information system level. Using the NIST 800-30 framework, organizations can get a better grasp of how to keep their information as secure as possible.
Risk Assessment team
| Role | Name |
| --- | --- |
| Chief Technology Officer | |
| Vice President, Technology & Product (Turner Data Cloud) | |
| Vice President, Software Development | |
| Technical Director, Software & User Experience | |
| Senior Technical Manager, Quality Assurance | |
| Vice President, Core Technology and Content Services | |
| Head of Media & Software services | |
Table 1 – Risk assessment team
3. RISK ASSESSMENT
STEP 1: SYSTEM CHARACTERIZATION
The website of the Los Angeles Lakers is developed and maintained by Turner Sports Digital, part of the Turner Sports & Entertainment Digital Network. The company was founded by Ted Turner in 1965 but merged with Time Warner in 1996. Currently, Turner Sports is a part of Warner Media after the merger of AT&T and Time Warner. The system is used to provide full coverage of the NBA's Los Angeles Lakers via the NBA.com/warriors web site. The website includes news about the team, scores, schedule, stats, and video recaps. The system is also used for e-commerce.
Information-Gathering Techniques
The information-gathering techniques used to perform this risk assessment include document review, journals, the Internet and research information from NIST.
System-Related Information
The following components in Table 2 identify system-related information for Turner Sports Digital:
| Component | Description |
| --- | --- |
| Applications | Web page developed by Turner Sports Digital Inc. Uses custom application development: Java, AWS CloudFront |
| Databases | MySQL |
| Server Configurations/Operating Systems | AkamaiGHost, Nginx web server |
| Protocols | Uses TLS (Transport Layer Security) for transmission between client web browser and web server |
Table 2 – System Information
Data collected by the system
Data collected when purchasing NBA League Pass/tickets from the Los Angeles Lakers website is listed below:
| Data | Description |
| --- | --- |
| Account information | |
| Personal Information | |
| Ordering Information | |
| Financial Information | |
Table 3 – Data Collected
System Users
| Users | Description |
| --- | --- |
| Turner Sports Digital IT Personnel | |
| Customers | |
| Nba.com/warriors operations personnel | |
Table 4 – System Users
STEP 2: THREAT IDENTIFICATION
Threat-Source Identification
Threat sources can be natural, human or environmental. Natural threats are floods, earthquakes, and tornadoes. Human threats are events caused by humans, either deliberately (for example, network-based attacks, malicious software upload, or unauthorized access to confidential information) or unintentionally (for example, wrong data entry).
For this risk assessment, the major threat source is human threat.
Motivation and Threat Actions
| Threat-Source | Motivation | Threat Actions |
| --- | --- | --- |
| Computer criminal | Destruction of information; Illegal information disclosure | Fraudulent act such as interception; Information bribery; Spoofing |
| Insiders | Monetary gain; Revenge; Unintentional errors and omissions (e.g., data entry error, programming error) | Fraud and theft; Information bribery; Input of falsified; System sabotage; Unauthorized system access |
| Industrial espionage | Competitive advantage; Economic espionage | Information theft; System penetration; Unauthorized system access |
| Terrorist | Blackmail; Destruction | System tampering; Bomb/Terrorism |
Table 5
STEP 3: VULNERABILITY IDENTIFICATION
Vulnerability Sources
| Vulnerability | Threat-Source | Threat Actions |
| --- | --- | --- |
| Operating System | Hackers, terminated employees | Obtaining unauthorized access to sensitive system files based on known system vulnerabilities |
| Databases | Employees, contracted support personnel, terminated personnel | Gain unauthorized access to sensitive customer data. |
| Applications | Hackers, Organized Crime, and other Unauthorized Users | Dialing into the company's network and accessing company proprietary data |
| Human Threat (Terminated employees) | Unauthorized users such as hackers, terminated employees, computer criminals, terrorists | Misusing known company secrets about the system by blackmailing the company |
| Protocols | Hackers, Organized Crime | Using customers' information to sign into the system |
Table 6 – Vulnerability Sources
System Security Testing
The Turner Sports Digital system should undergo vulnerability scanning; this process will detect security loopholes within the system.
Development of Security Requirements Checklist
Table 7 provides a checklist of security requirements suggested for use in determining the Turner Sports Digital system's vulnerabilities.
| Security Area | Security Criteria |
| --- | --- |
| Operational Security | |
| Technical Security | |
| Management Security | |
Table 7 – Security Requirements Checklist
STEP 4: CONTROL ANALYSIS
Control Methods
There are various control methods that can be used to mitigate potential threats. Risk can be reduced by improving risk information management and making changes in the Turner system design. Risk can also be neutralized through diversification across the system. Overall, some risks should be retained.
Control Categories
Vulnerability assessments help ensure that appropriate security precautions have been implemented and that system security configurations are appropriate. Detection measures involve analyzing available information to determine if an information system has been compromised, misused, or accessed by unauthorized individuals. Turner Sports Digital should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents, and establishes reporting requirements (FDIC 1999).
STEP 5: LIKELIHOOD DETERMINATION
| Likelihood Level | Likelihood Definition |
| --- | --- |
| Low | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. |
| Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. |
| High | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. |
Table 8 – Likelihood Determination
STEP 6: IMPACT ANALYSIS
| Impact (Score) | Definition |
| --- | --- |
| Low (10) | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest. |
| Medium (50) | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. |
| High (100) | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. |
Table 9 – Impact Definition (NIST 800-30)
STEP 7: RISK DETERMINATION
| Threat likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100) |
| --- | --- | --- | --- |
| High = 1.0 | Low Risk: 10 x 1.0 = 10 | Medium Risk: 50 x 1.0 = 50 | High Risk: 100 x 1.0 = 100 |
| Medium = 0.5 | Low Risk: 10 x 0.5 = 5 | Medium Risk: 50 x 0.5 = 25 | High Risk: 100 x 0.5 = 50 |
| Low = 0.1 | Low Risk: 10 x 0.1 = 1 | Medium Risk: 50 x 0.1 = 5 | High Risk: 100 x 0.1 = 10 |
Table 10 – Risk Determination
Risk-Level Matrix
| Vulnerability | Low (10) | Medium (50) | High (100) | Risk Level |
| --- | --- | --- | --- | --- |
| Applications = 0.5 | 25 | Medium | | |
| Databases = 0.5 | 50 | High | | |
| Server Configurations/Operating Systems = 1 | 100 | High | | |
| Protocols = 0.1 | 25 | Medium | | |
Table 11 – Risk Level Matrix
Description of Risk Level
Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
| Vulnerability | Likelihood Level |
| --- | --- |
| Applications | Medium |
| Databases | High |
| Server Configurations/Operating Systems | High |
| Protocols | Medium |
Table 12 – Risk Level
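The risk determination of Steps 5 to 7, as an added example that is not part of the original assessment: it builds the likelihood x impact matrix from the weights and impact scores above, applies the stated risk scale, and flags Table 11 rows whose recorded score or level does not follow from them. The function names and the row tuples transcribed from Table 11 are this example's own.

```python
"""Added example: NIST 800-30 style risk determination with this page's values."""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # Table 10 weights
IMPACT = {"Low": 10, "Medium": 50, "High": 100}        # Table 9 scores


def risk_level(score):
    """Apply the page's scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1-100 risk scale")
    if score > 50:
        return "High"
    return "Medium" if score > 10 else "Low"


def risk_matrix():
    """Map every (likelihood, impact) pair to (score, level)."""
    matrix = {}
    for lik, weight in LIKELIHOOD.items():
        for imp, points in IMPACT.items():
            score = round(weight * points, 6)  # round away float noise
            matrix[(lik, imp)] = (score, risk_level(score))
    return matrix


def audit_row(name, weight, recorded_score, recorded_level):
    """Return findings for one register row; an empty list means consistent."""
    findings = []
    if weight not in LIKELIHOOD.values():
        findings.append(f"{name}: likelihood weight {weight} is not 1.0, 0.5 or 0.1")
    reachable = {round(weight * points, 6) for points in IMPACT.values()}
    if recorded_score not in reachable:
        findings.append(f"{name}: score {recorded_score} is not {weight} x 10, 50 or 100")
    expected = risk_level(recorded_score)
    if expected != recorded_level:
        findings.append(f"{name}: score {recorded_score} is {expected} on the scale, "
                        f"recorded as {recorded_level}")
    return findings


# Rows as recorded in Table 11: (vulnerability, likelihood weight, score, level).
TABLE_11 = [
    ("Applications", 0.5, 25, "Medium"),
    ("Databases", 0.5, 50, "High"),
    ("Server Configurations/Operating Systems", 1.0, 100, "High"),
    ("Protocols", 0.1, 25, "Medium"),
]


def audit_register(rows=TABLE_11):
    """Audit every row and return {vulnerability: findings}."""
    return {row[0]: audit_row(*row) for row in rows}


if __name__ == "__main__":
    for name, findings in audit_register().items():
        print(name, "->", findings or "consistent")
```

Rows with findings are the ones to revisit before the register drives control recommendations.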
STEP 8: CONTROL RECOMMENDATIONS
This section presents system related components with control recommendations to mitigate threats against Turner Sports Digital system vulnerabilities.
Applications – Application control gives the Turner Sports Digital system knowledge about key areas regarding applications, web traffic, threats, and data patterns. Users can also benefit from application control by gaining a better understanding of applications or threats, applications' key features and behavioral characteristics, details on who uses an application, and details on those affected by a threat (Lord, 2019). Application control supports these processes and allows organizations to keep their finger on the pulse of what is happening within their network.
Databases – Recommend that users of the webserver provide authentication frequently.
Protocols – Provide access control by assuring that only authorized users can access particular network resources. IPsec endpoints can also allow or block certain types of network traffic, such as allowing web server access but denying file sharing. Ensure the confidentiality of data through the application of a cryptographic algorithm and a secret key known only to the two parties exchanging data; the transmitted data can be decrypted only by someone who has the secret key (Radack, n.d.).
STEP 9: RESULTS DOCUMENTATION
This section provides the results of the risk assessment that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.
Risk Assessment Results
Item 1
- Observation – Server configuration
- Vulnerability/Threat source – System/ disaster recovery
- Existing Controls – none
- Likelihood – High
- Impact – High
- Risk Rating – High
- Recommended Controls – Require use of baselining tools
Item 2
- Observation – Data modification
- Vulnerability/Threat source – Hackers
- Existing Controls – Limited validation checks on inputs
- Likelihood – Medium
- Impact – High
- Risk Rating – High
- Recommended Controls – Guarantee the system parameters are validated before use
Appendix A. References
- Adragna, T. (2018, October 26). How Your Brand Can Use the NBA’s Brilliant Digital Marketing Strategy. Retrieved April 23, 2019, from http://www.primitivesocial.com/blog/how-your-brand-can-use-the-nbas-brilliant-digital-marketing-strategy
- Arul. (2019). Find the Web Server that a web site runs on. Retrieved May 01, 2019, from https://aruljohn.com/webserver/www.nba.com/warriors
- Elbert, E. (2009). Identify technology on websites. Retrieved from http://www.wappalyzer.com/
- FDIC – Federal Deposit Insurance Corporation. (1999, July). Risk Assessment Tools and Practices for Information System Security. https://www.fdic.gov/news/news/financial/1999/fil9968a.html
- How to determine if a browser is using an SSL or TLS connection? (n.d.). Retrieved from https://security.stackexchange.com/questions/19096/how-to-determine-if-a-browser-is-using-an-ssl-or-tls-connection/169418
- Kaufman, M. (2019, May 03). 5 Best Bass Headphones of 2019. Retrieved from http://www.forbes.com/sites/forbes-finds/2019/05/03/5-best-bass-headphones-of-2018/#cdf1ed52c57e.
- Laird, S. (2014, November 12). Revealed: The conniving domain-squatters trolling an NBA team. Retrieved May 01, 2019, from https://mashable.com/2014/11/12/nba-nets-domain/
- Lord, N. (2019). What is Application Control? Definition, Best Practices & More. Retrieved from https://digitalguardian.com/blog/what-application-control
- Metivier, B. (2017, April 17). 6 Steps to a Cybersecurity Risk Assessment. Retrieved from https://www.sagedatasecurity.com/blog/6-steps-to-a-cybersecurity-risk-assessment
- NIST – National Institute of Standards and Technology. (2002, July). Special Publication 800-30: Risk Management Guide for Information Technology Systems https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
- Radack, S. (n.d.). Protecting Sensitive Information Transmitted in Public Networks. Retrieved December 1, 2007 from http://www.itl.nist.gov/lab/bulletns/bltnapr06.htm
- Request a Demo. (n.d.). Retrieved from https://pages.discoverorg.com/Turner-Broadcasting-System-Product.html?CPN=70116000000sZh6
- Stoneburner, G., Goguen, A., & Feringa, A. (2015, June 19). Risk Management Guide for Information Technology Systems. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30.pdf
- Basketball Reference (n.d). Los Angeles Lakers. Retrieved from: https://www.basketball-reference.com/teams/LAL/
- National Basketball Association. LA Lakers. Retrieved from: https://www.britannica.com/topic/National-Basketball-Association
- Orlov, S. (2009, January 9). LA Lakers Has a New Slogan. Retrieved from: https://www.dailybreeze.com/2009/01/09/la-has-a-new-slogan/
- Research – Understanding dementia research – Types of research – Research methods. (2009). Retrieved from https://www.alzheimer-europe.org/Research/Understanding-dementia-research/Types-of-research/Research-methods
- The Five Step Guide to Risk Assessment. (2013). Retrieved from https://rospaworkplacesafety.com/2013/01/21/what-is-a-risk-assessment/
- The First Game. (n.d.). Retrieved from https://www.nba.com/history/firstgame_feature.html
- The NBA — 1946: A New League. (n.d.). Retrieved from https://www.nba.com/heritageweek2007/newleague_071207.html