US Ports and Cybersecurity - Research Paper Example

? Cybersecurity for US Ports Technology has affected every human activity. Science and medicine and organizational functions, even individual tasks, benefit from technology. We can communicate to anyone whose location maybe in any part of the globe through the power of the internet. Individuals and organizations welcome this opportunity. This phenomenon is known as “technological ecosystem or technium” which motivates our imagination into new versions and maximizes technology’s benefit. But humans have to lead where technology wants to go. Kevin Kelly1 (2011) asks this intriguing question, “What does technology want?” If certain aspects of the technium are preordained and certain aspects are contingent upon our choices, how do we know which are which? Systems theorist John Smart has suggested that we need a technological version of the Serenity Prayer.” The serenity prayer, written and popularized in the early 1930s by theologian Reinhold Niebuhr, asks God to help in changing the things which are difficult to change or “courage to change the things I can, and wisdom to know the difference.”2 According to Kelly, “Technology was invented from the time we were born”. But technology is under threat every second of the day. Individual files and organizational documents and secrets are under threat of losing with the click of a finger, if we are not careful. This essay is about the many problems of technology, specifically information technology (IT) infrastructures of US ports, and how it can survive amidst threats of viruses, worms, spams, malicious software and cyber criminality. Organizations must have installed technology and IT infrastructures in their systems, otherwise, they will lag behind in the stiff competition. Organizational information systems should also have anti-viruses and other necessary protection before they see themselves vulnerable to a new kind of attack, the virus attack. Ports are one of the busiest areas for businesses around the world. With an installed IT, tasks and activities are made easier. IT enables organizations to conduct multiple operations simultaneously, but the infrastructure must be secured because without security, viruses and the various risks will make the infrastructure a mess. Ports operate a network of businesses and firms, movement and distribution, processing and many activities, which must be applied and inputted to an effective software and IT. Function IT, as it is called in the literature, refers to information systems that help improve users’ functions and productivity in performing individual tasks. This important feature includes applications like computer-aided design (CAD) software, spreadsheet, word processors, and other e-learning tools and systems. In a port where ships dock and load and unload cargoes, where countless activities happen every minute and every second of the day, computers and softwares are a normal phenomenon. In a workplace where engineers constantly introduce product innovations and people depend on coordinated programs of activities, ports should have effective computer infrastructures. But there are people with criminal minds who, second by second, devise plans to penetrate on other people’s computers, other people’s wealth, that they send viruses, worms, spam emails and malwares to the internet and destroy ports’ valued files. The role of the manager is significant to the attainment of the organization’s goals and objectives. Managers should have good and effective rapport with employees, but they have to understand what IT is and its role in the ever changing world of business. One of the important responsibilities of the manager is to manage the company’s information system. New business opportunities involving IT and the different functions of business are coming at a fast pace.3 Security awareness Studies have found that about 90% of organizations face information security investigation almost annually.4 Organizations have made moves to improve their information management systems and policies, but many organizations seldom comply with information security processes and techniques. Their IT infrastructures, both physical and virtual, are jeopardized. Physical assets are also at risk. There is also the concern of privacy. Information technology was only used as an aid or tool in business, but now it is the mainframe because of the complexity and interconnectedness of businesses and organizations. Hackers continue to find ways to illegally penetrate vulnerable websites. There is no safe or trusted network. The “untrusted” network which refers to the external connection of organizations will continue to expose the privacy of peoples and organizations.5 Employees’ security awareness is significant in information systems’ security management. Employees of an organization can be risk or assets of information security. Some commentators consider the employees as the weakest link to information security, but some studies found that employees can be assets in reducing risk to information security. A study by Ernst & Young stated that most organizations depend on technology-based solutions in reducing risks to information security.6 However, relying on technology-based solutions should not be the ultimate solution. Organizations must also rely on people, particularly employees, to ensure IT security. Studies have found that security risks have been increasing even if organizations spend much for the protection of their infrastructure. Cyber security can be enhanced involving technical and socio-organizational factors. That means people and organizations have to work hand in hand. Boss and Kirsch asserted that success can be achieve through on employees’ compliance with information security policies (ISP).7 The subject of cyber security encompasses risks, threats and protection of IT infrastructure. Cyber threats can refer to viruses, worms, malware, cybercrimes and terrorism. These various forms of computer “enemies” destroy operating systems which make computers work. Security applications have to follow government laws and government guidelines for their proper implementation. Risks and threats are multiplied because of the endless interconnection of computers through the internet. Some terms associated with IT security include “hacktivists”, information warfare specialists, “insiders”, malicious code writers, and so on. Risk management includes analyzing risks that are expected to happen in the course of using and operating the system. Security risks pertain to unauthorized access to information, like data leakage, privacy and fraud. Computer virus is the most common. A virus attack can spread so rapidly over the internet, destroy files and maliciously collect private and confidential information and data. Security risks have caused about $17 million to $28 million for every occurrence of attack, according to a study by Ernst and Young.8 (Suduc, Bizoi, & Filip, 2010) A survey/study on computer viruses conducted with the help of 522 experts in the United States showed that computer virus penetrated 49% of the respondents’ organizations and their respective IT infrastructures. Other risks involved insider abuse by employees and users within the organization (44%), followed by simple theft of laptops and cell phones.9 IT infrastructures must be protected from two types of risks: physical risks and logical risks. Physical risks refer to the equipments which must be protected from natural disasters like earthquakes, hurricanes or floods. Man-made disasters include bombings, theft, power surges, etc. Equipments can be through controls like locks, insurance coverage, performing daily backups of the information system and data, disaster recovery procedures, and so forth. Logical risk refers to the system itself.10 A security risk known as “downstream liability” occurs when two or more organizations using Information Systems are attacked by criminals with the use of virus or malware. For example, if Organization A’ software is attacked and is used to attack another, say Organization B’s information system, under the law Organization B has the right to file for damages against Organization A. Any organization has the duty to keep its information systems secure so that it cannot be used by criminals or hackers.11 “President Barack Obama is dead!” This was one alarming news feed in which many of those who know about hacking would like to ignore. It came out in one twitter account belonging to Fox News. Fox News right away acknowledged the hack and thereafter it corrected the story by informing netizens of the “false tweets”.12 The term virus is a euphemism for the biological virus which penetrates living cells. The behavioural pattern of a virus, which copies and degenerates living cells, is the euphemism in the computer virus. Viruses and malicious software (malware) are classified into “no threat, low, medium, and high threat”. No-threat refers to a malicious software that is not functioning. It might be a fake one, designed to fool people. The low-threat requires human manipulation in spreading the virus from computer to computer. The medium threat is of low-infection or little damage. The high-threat can provide big damage with great speed.13 A computer virus refers to all types of malicious codes. Technically, this is a piece of computer software or programming, disguised as good programming but causes unexpected events inside the computer system with legitimate programming. A virus is usually attached to a file or document. When the file is opened, the virus makes its move. Other viruses penetrate the computer’s memory so that when computer opens or makes or creates files, the virus attacks. Viruses act maliciously which can be said as criminal in nature. A virus may display a certain message on the screen, delete documents, or copy files and passwords. However, viruses do not spread by themselves. They propagate through emails. When they are attached through emails, they spread like wildfire. The computer user now spreads the virus.14 The virus that hacked Fox News was done by a group of youths known as “script kiddies” who hack computers using simple scripts. The most common type of virus is “macro virus” which is created with the use of macro language (e.g. visual basic or VBScript). The virus is attached on documents and templates so that when the templates are used, the virus wreaks havoc by inserting words, numbers or phrases on files, and also by altering various functions of the computer being hacked. The virus that attacks twitter accounts first gain access to a free account using a login user and a password, and once inside it introduces a malware as in the case of Fox News twitter account. Worms, like viruses, are computer programs that reside in active computer memories. They are different from viruses in that they can propagate without human intervention. By themselves, worms send emails to other computers, or what they call Internet Relay Chat (IRC). The damage that can be done by worms depends on the codes programmed into the worms. Some are so harmful that they consume large amounts of system contents as they go on and create damage from computer to computer. Other worms delete data and install malicious software on computers without knowledge of the owners. Some worms create considerable damage on an organization’s data base, delete data and programs, and most of all disturb productivity among the employees of the organization. It has been estimated that a billion dollars were lost on damage done by worms named Code Red, SirCam, Melissa, and ILOVEYOU.15 Malicious code attackers are criminals. They violate the law by penetrating organizations’ websites, or even government websites. Once viruses or malwares penetrate systems, like any other criminal who has penetrated a domicile, they can do what they want to do – steal or destroy files. On the other hand, “conscience-stricken” criminals counter and complain that they only attack big organizations and greedy capitalists. Cyber criminals are classified according to objectives. Hackers test limits of systems and want to gain publicity. Crackers cause problems, steal data, or corrupt the computer. Insiders gain financially and disrupt the company’s activities. An industrial spy seizes computer data and trade secrets to gain competitive advantage. A cyber criminal steals and gains financially. A hacktivist attacks for political motives. A cyber terrorist wreaks havoc, destroys information systems of financial institutions, utilities and emergency units.16 Denial of Service Attack on US Port of Houston Another type of virus attack is known as distributed denial-of-service (DDOS). It creates countless demands for data that legitimate users cannot get in. It is just like a telephone line with many callers doing it simultaneously so callers hear a busy signal. This type of attack was used against a US port of Houston website by a teenager in 2003, just two years after September 11. The second biggest port in the US, the port of Houston, became the target of the attack after Aaron Caffrey launched a denial of service attack from his computer. Oil tankers and other ships entering the port of Houston were placed in a dangerous situation when the Houston website carrying important navigational information used by shipping pilots came to a halt. The data were about weather, tides, and water depths needed by pilots in steering large tankers containing oil and dangerous cargoes. The denial of service attack took opportunity of a security loophole which authorities knew but did not take any action. Denial of service software was found in Caffrey’s computer “designed to exploit a security vulnerability in Microsoft’s Internet Information Server software”. The port of Houston could have avoided this incident had it patched its servers with new Microsoft updates. Caffrey’s target was not the port but a girl who had upset him in an internet chat session. Caffrey discovered the girl’s IP address and fed it into a denial of service program. The attack hit the port of Houston’s web server.17 Prevention The best way in securing IT infrastructure is prevention. Prevention from risks and security threats must be incorporated into the system and identify the environment and the boundaries of the system. Ports should be able to conduct honest-to-goodness security examination taking into account the probability and possibility of the threat. Managers can evaluate “insiders” as there might be risks from malicious users, maybe employees. A trusted employee can be one of the biggest threats to a well-secured infrastructure. Competitors can buy the most trusted employee who may want a few dollars in exchange for information about the system. The U.S. government has been busy protecting government and private websites from cyber criminals. There is one company website known as iDefense whose primary objective is to protect governments and top businesses in the United States. But it is not enough. Criminals are more powerful than websites. The growth of organized crime and international terrorism which use the internet to raise funds, to penetrate other organizations, or to wreak havoc, is one big security risk that governments should take extra efforts to combat this growing menace. Organized crime is a billion-dollar business composed of cyber criminals with the skill of computer hacking or software developing. This criminal network has been earning hundreds of thousands of dollars, contrary to ordinary criminals who earn only a few hundreds or thousands of dollars. Criminals of this sort have no base. They have no weapons and can be found anywhere in the world with a computer and an internet connection.18 Over the years, information security has been much improved but many information systems are still vulnerable to attacks from outside sources. Advances in security include applications of subject/object access matrix model, users’ access control lists, multi-level security with the use of detailed information flow, public key cryptography, and many more.19 Application of security set up needs time and has nothing to do with the output needed from the IS application and, therefore, if the set up has not enough security measure, no one will notice that an attack has been committed unless an audit is executed. In this case, a regular internal audit is required for information systems in each organization. Security audit is best practice and a requirement for ISO certification. Security check can constantly monitor user access control, audit trail and monitoring of system activity. These measures should be applied permanently and regularly, while prevention and detection must be implemented at the soonest possible time. A significant security measure is to maintain a record of personnel who are doing activities in the computer system. The system auditor has to know all possible information in order to institute the necessary security measures. Bibliography Bisaerts, Danny. “President Obama is Dead, Says Fox News Through Their (Hacked) Twitter Account.” ITsecurity.be, July 4, 2011. Accessed October 6, 2013. http://www.itsecurity.be/president-obama-is-dead-says-fox-news-through-their-hacked-twitter-account. Bulgurcu, Burcu, HasanCavusoglu, and Izak Benbasat. “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness.” MIS Quarterly 34, no. 3 (September 2010): 523-548. Accessed October 9, 2013. ABI/INFORM Complete database. Goodwin, Bill. “Cyber Attack on US Shipping Exploited Known Security Hole: Teenager Accused.” Computer Weekly, October 14, 2003. Accessed October 9, 2013. ProQuest Computing. Haggerty, J. and M. Taylor. “FORSIGS: Forensic signature analysis of the hard drive for multimedia file fingerprints.” In New Approaches for Security, Privacy and Trust in Complex Environments, edited by Hein Venter, Mariki Eloff, Les Labuschagne, Jan Eloff, and Rossouw Von Sohns. United States of America: Springer, 2007. Michael Erbschloe. Trojans, Worms, and Spyware: A Computer Security professional’s Guide to Malicious Code. Oxford, Elsevier Butterworth-Heinemann, 2005. Kelly, Kevin. “Understanding technological evolution and diversity,” EBSCOHost, http://0-web.ebscohost.com.wam.city.ac.uk/ehost/pdfviewer/pdfviewer?sid=58574be6-0b1e-444d-b47e-c1e269605179%40sessionmgr115&vid=1&hid=119 (accessed 8 October 2013). Rainer, R Kelly and Casey Cegielski. Introduction to Information Systems: Enabling and Transforming Business. United States of America: John Wiley & Sons, Inc., 2011. Reynolds, George. Information Technology Management. New York, Cengage Learning, 2010. Siponen, Mikko, Seppo Pahnila, and Adam Mahmood. “Employees Adherence to Information Security Policies: An Empirical Study.” In New Approaches for Security, Privacy and Trust in Complex Environments, edited by Hein Venter, Mariki Eloff, Les Labuschagne, Jan Eloff, and Rossouw Von Sohns, 133-134. United States of America: Springer, 2007. Suduc, Ana-Maria, Mihai Bizoi, and Florin Gheorghe Filip. “Audit for Information Systems Security.” Informatica Economica 14, no. 1 (2010): 42-48. Accessed October 5, 2013. ABI/INFORM Complete. Read More