Sample Paper on Protecting Information Assets: Security and Ethics

Protecting Information Assets: Security and Ethics

Introduction

Most organizations today have to grapple with the challenge of ensuring information privacy on a daily basis. Over the past year, a number of prominent organizations have been on the receiving end of hacker-instigated attacks. The frequency with which sensitive data is being stolen after businesses' computer systems are breached through hacking is worrying. Mega-breaches tend to grab headlines globally, but the smaller ones go unnoticed. The latest big victims of these security breaches are Neiman Marcus, Target, e-Bay, and Sony. Clearly, these incidents have serious implications not just for the users, but for solution providers as well.

An Analysis of the Recent Hacker-Instigated Attacks

At e-Bay, users' usernames, email addresses, dates of birth, encrypted passwords and personal names were stolen from the company's database. e-Bay had encrypted the passwords of its users, but hackers still managed to crack and use them because many of the passwords were weak.

Target, a discount retailer in the US, experienced a major hack attack just before Thanksgiving in 2013. Over 40 million debit and credit card numbers belonging to customers were stolen. In this case, security experts claimed that the hackers gained unauthorized access to customers' debit and credit card numbers and names either by accessing the terminals customers used to swipe their cards (Riley et al., 2014), or by intercepting the data in transit from Target to the various credit card processors.

In the case of Sony, Anonymous, a self-proclaimed hacking group, launched a DDoS (distributed denial of service) attack against Sony, leading to a shutdown of a number of the company's sites. This came hot on the heels of a decision by Sony to take to court hackers who had tried to modify its PlayStation 3 device (Mills, 2011). As such, the attack by Anonymous was retaliation for the decision taken by Sony.

An internal company investigation carried out at Neiman Marcus Group following the breach of its credit-card payment system revealed that the hackers triggered the company's security system nearly 60,000 times while conducting their activities for over 8 months (Elgin, Lawrence, & Riley, 2014). The hackers were both sophisticated and organized, as shown by their decision to give their software a name similar to that of the payment software used by Neiman Marcus. In this way, the alerts were hardly noticed by the security experts at the company.

Neiman Marcus' POS (point of sale) system is characterized by a hub-and-spoke design, which experts believe made it easier for the hackers to initiate the cyber attack. The hub-and-spoke model enables organizations to relay information to a central hub, where the information is evaluated and organized prior to its dispatch to other organizations.

Solutions

Public cloud computing systems store data in a shared environment where it is grouped with data from other customers. It is important therefore that companies placing regulated and sensitive data into such public cloud computing systems endeavor to ensure accountability in the security and control of such data (Cloud Security Alliance, 2011). One way of ensuring the security of such data is by encrypting it. However, this is not a solution in itself. De-perimeterization (that is, having no control of data once it is outside the secured perimeter of the organization), which is common when moving data to the cloud, increases the risk of compromise, as well as the complexity of protecting it. It is not enough to encrypt data only as it is being transferred to the cloud. There is a need to ensure that such data remains protected while in use and at rest.

Security experts believe that the Heartbleed bug could have been responsible for the e-Bay hacking attacks. This is a security flaw that has also affected the applications and services of some of the leading technology firms in the world, such as Yahoo! and Google. This particular bug causes a serious vulnerability in the OpenSSL software library (Pagliery, 2014). Heartbleed is categorized as a buffer over-read vulnerability because it allows more data to be read than should be the case. Owing to this weakness, information that is supposedly protected using TLS/SSL encryption can be stolen. With the Heartbleed bug, anybody on the internet can read the memory of systems that the OpenSSL software is deemed to have protected, as the bug has made them vulnerable. Consequently, the secret keys that aid in the identification of service providers are compromised. The same keys are used to encrypt the passwords and names of users, traffic, as well as the actual content. Thus, attackers are able to steal data, eavesdrop on communication, and can even impersonate users and services. In order to stop this leak, it is important that appliance vendors, operating system distributors and vendors all make use of the fixed OpenSSL that has now been deployed. When this has been done, users need to be notified.
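To make the "buffer over-read" category concrete, the following is an added example written for this page; it is not code from OpenSSL, from the paper, or from any vendor named here. It models a toy echo service whose request record carries a length field: the unchecked handler trusts that field as received, so a record that claims more payload than it actually sent is answered with whatever happens to sit next to it in memory, while the checked handler rejects any record whose claimed length exceeds the bytes actually received. The record layout, the arena that stands in for process memory, and the SECRET string are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a small "arena" standing in for process memory. The request
 * record sits at the start; unrelated sensitive data sits right after it. */
#define ARENA_SIZE 64
static const char SECRET[] = "SESSION-KEY-0xDEADBEEF";   /* constructed value */

/* Constructed record layout (loosely heartbeat-like):
 *   byte 0     : type
 *   bytes 1-2  : payload length claimed by the sender, big-endian
 *   bytes 3..  : payload                                                 */
static uint16_t claimed_length(const uint8_t *rec)
{
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* VULNERABLE: copies as many bytes as the sender *claims*, never checking
 * that claim against the number of bytes actually received (record_len). */
static size_t echo_unchecked(const uint8_t *arena, size_t record_len,
                             uint8_t *out, size_t out_cap)
{
    (void)record_len;                       /* the bug: never consulted */
    size_t n = claimed_length(arena);
    if (n > out_cap) n = out_cap;           /* keeps this demo itself in bounds */
    memcpy(out, arena + 3, n);              /* reads past the real payload */
    return n;
}

/* HARDENED: the claimed length must fit inside the bytes actually received,
 * otherwise the record is rejected and nothing is echoed. */
static int echo_checked(const uint8_t *arena, size_t record_len,
                        uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (record_len < 3) return -1;                       /* header incomplete */
    size_t n = claimed_length(arena);
    if (n > record_len - 3) return -1;                   /* claim exceeds payload */
    if (n > out_cap) return -1;
    memcpy(out, arena + 3, n);
    *out_len = n;
    return 0;
}

/* Builds a record with a 2-byte payload ("hi") but an arbitrary claimed
 * length, followed by SECRET in the adjacent memory. Returns the number of
 * bytes the sender actually transmitted. */
static size_t build_arena(uint8_t *arena, uint16_t claimed)
{
    const char payload[] = "hi";
    size_t record_len = 3 + (sizeof payload - 1);
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 0x01;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, payload, sizeof payload - 1);
    memcpy(arena + record_len, SECRET, sizeof SECRET);   /* neighbouring data */
    return record_len;
}

/* Plain byte-string search (memmem is not standard C). */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* 1 if the secret appears in the response of the unchecked handler. */
int unchecked_leaks_secret(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t record_len = build_arena(arena, 40);          /* claim 40, send 2 */
    size_t n = echo_unchecked(arena, record_len, out, sizeof out);
    return contains(out, n, SECRET);
}

/* 1 if the secret appears in the response of the checked handler. */
int checked_leaks_secret(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t n = 0;
    size_t record_len = build_arena(arena, 40);
    echo_checked(arena, record_len, out, sizeof out, &n);
    return contains(out, n, SECRET);
}

/* 1 if the checked handler still serves an honest record (claim == payload). */
int checked_accepts_honest_record(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t n = 0;
    size_t record_len = build_arena(arena, 2);
    return echo_checked(arena, record_len, out, sizeof out, &n) == 0
        && n == 2 && memcmp(out, "hi", 2) == 0;
}

int main(void)
{
    printf("unchecked handler leaks secret: %d\n", unchecked_leaks_secret());
    printf("checked handler leaks secret:   %d\n", checked_leaks_secret());
    printf("checked handler serves honest record: %d\n",
           checked_accepts_honest_record());
    return 0;
}
```

The point the paper makes in prose is visible in the two handlers: the only difference is a single comparison of the claimed length against the record length actually received, and the presence or absence of that comparison decides whether neighbouring memory is returned to the sender.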

The hub-and-spoke model is highly vulnerable to hacking. This should act as a wake-up call to businesses such as Neiman Marcus to abandon such a network in favor of application-specific networks, such as ADNs (Application Defined Networks). Besides establishing containment as a foundation, ADNs also enable discrete, defendable perimeters and simplified detection (Mills, 2011). Most of the large multinational corporations, like Shell, Google and Exxon-Mobil, have been using ADN-based networks for quite a while now. ADNs offer customized network policies and security to fulfill the needs of specific applications. Moreover, ADNs offer compartmentalization of data in transit from one application to another, as well as at connection end-points (Lanois, 2011). They also help to deal with security bleed, eliminate routing conflicts, and minimize problem cascades using a virtual, dedicated application environment.

While finding solutions to safeguard organizations against unauthorized access, or to mitigate such attacks to acceptable levels, it is important to note that every organization, application, and technology tends to be unique. As such, the safeguards to be put in place will likely depend on the nature of the information at stake, the organization, the level of risk, and the vulnerability (Rudman, 2010). For credit card processing, a payment ADN is also available.

Conclusion

Over the past few years, we have witnessed countless hacking attacks on companies' websites and databases, leading to denial of service, shutdowns, and stolen user data. There appears to be a growing trend of these hackers getting more sophisticated and creative by the day, and this demands that governments and network security companies act judiciously and quickly. This involves, among other things, identifying the changing trends in hackers' attacks, so that new or existing solutions can be adjusted accordingly to deal with the situation at hand.

Reference List

Cloud Security Alliance (2011). Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. Retrieved from https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

Elgin, B., Lawrence, D., & Riley, M. (2014). Neiman Marcus hackers set off 60,000 alerts while bagging credit card data. Retrieved from http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data

Lanois, P. (2011). Privacy in the age of the cloud. Journal of Internet Law, 15(6), 3-17.

Mills, E. (2011). Attacks on Sony, others show it's open hacking season. Retrieved from http://news.cnet.com/8301-27080_3-20069995-245/attacks-on-sony-others-show-its-open-hacking-season/#ixzz1PHwIH7dt

Mills, E. (2011). Who is behind the hacks? Retrieved from http://news.cnet.com/8301-27080_3-20071100-245/who-is-behind-the-hacks-faq/?

Pagliery, J. (2014). Heartbleed bug: What you need to know. Retrieved from http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Retrieved from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Rudman, R. J. (2010). Incremental risks in Web 2.0 applications. The Electronic Library, 28(2), 210.

Ryan, M. (2014). California joins other states in investigation of eBay hack. Retrieved from http://www.forbes.com/sites/ryanmac/2014/05/23/as-ebay-notifies-users-of-hack-states-launch-investigation/