Significant Growth and Development of the IT Industry - Coursework Example

? IT SECURITY MEASURES The IT industry has recorded a significant growth and development rapid development in a large network integrity and interoperability of advanced technology systems giving rise to numerous security problems. Various organizations that have interdependent systems and work on data sharing are under constant threat to security. Hence, in the modern business world, where technology and is associated security issues are becoming a grave matter of concern, it becomes mandatory for organizations to assure their customers or clients regarding the implementation of well proof security measures. Pre defined and anticipated risks have to be assessed meticulously and the adequacy of safety measures has to be ascertained to incorporate all the necessary and change and improvements required in the security systems. This current study aims to identify the various security issues that have blemished HSBC’s image and status in the recent past. The report also features the security policy that has been redefined by the organization in order to mitigate the anticipated risks along with the advanced security features that have been installed in the systems for assuring safety and security to its clients. INTRODUCTION HSBC has encountered numerous instances of data theft that has affected thousands of customers. Data reveals that almost 24,000 clients have suffered financial losses. In the year 2006, almost 9000 customers holding an account in HSBC Switzerland had their account data pilfered (Barrett L, 2010). After such incidents, it became necessary for the bank to incorporate significant improvements to its data security measures and the system as a whole involving technology in order to upgrade the current status. Such revisions added to the overall cost burden of the organization almost $93 million (Barrett L, 2010). Not only HSBC but other banking organizations have faced similar threats in terms of data infringements on high profile accounts in the past years. For instance, a similar data theft was reported by a US based financial service provider group named ‘Lincoln National Corp’, where over 1.2 million customers data was affected by such criminal acts ( Barrett L, 2010). The hackers were successful in extracting information regarding the client’s username and password. However such information was shared between the administrators and home office staff that created unwanted problems for the firm. After analyzing the current case, it can be said that security issues have greatly tarnished the organization’s reputation and image. A huge amount of fine the largest fine ever imposed in UK, approximately 5% million dollars was forced on three HSBC firms for implementing ineffective and inadequate security measures (Barrett L, 2010). LITERATURE REVIEW There are numerous threats faced by an organization in the modern times, but till now there has been no single or uniform strategy that could be adopted by organizations as one comprehensive policy to resolve the issues or mitigate the challenges right from hardware to software, from core to application and from local issues to broad network problems ( Chen L, Dan Feng D & Ming L, 2007). With the rapid advancement and growth in the IT sector, parallel developments have also been witnessed in their illegal and unethical use (Ditzion R, Geddes E, & Rhodes M, 2003; Maher M K & Thompson J. M, 2002). The negative consequences of cyber crime are tremendous causing financial and economic loss both to the organization as well as the economy. The irony is that such crimes require too less a resources and equally low technical expertise. Past data reveals that almost 5percent of US based organizations including banks have been attached by computer virus and hackers which have caused huge losses to the firms and their clients (Barr K, Beiting M & Grezeskinski A, 2003). In a research conducted by Meier D, Mackman A, Dunner M, Vasireddy S, Escamilla R & Murukan A (2006), a systematic process of an attacker’s methodology was analyzed in-depth and the result of the analyzes is displayed in the figure below. The organizations need to understand the various threat areas so that the counter measures for the same can be adopted. Such threats can be in the form of stride threats, network threats, host threats etc which further comprise of spoofing, tampering, repudiation, information theft, denial of service, password cracking, foot printing etc. Authentication and authorization are prime concerns for most of the firms. Such threats often result in Bruce force attacks, dictionary attacks, credential stealing etc and can be well avoided by making use of encrypted passwords and strong ACL’s. Apart from the above, the organization must install latest operating systems and software to combat advanced threats. All the non-required and non essential ports must be protected by firewall. Authorization susceptibility can result in form of elevated privileges, manipulation of data; ensnaring attacks etc. such threats can be eliminated by restricting use and incorporating .NET platform for security purposes (Fujiwara B, 2006). Use of role based security is highly beneficial in holding people accountable for certain acts and also in differentiating clients who are permitted to view data and others who are granted special rights to modify it as well. (Meier D, Mackman A, Dunner M, Vasireddy S, Escamilla R & Murukan A, 2006) HSBC SECURITY FEATURES In order to revive back and recreate its image, the organization has understood that security remains a prime concern for its survival and longevity in the industry. The organization has redrafted its security policy and adopted certain features that would help the organization to mitigate possible risks. All internet transactions are entertained with the help of internet browser that is backed up by the SSL (Secure Socket Layer) encryption via a 32 bit secured path used specifically for the protection of data. Proper monitoring systems and firewalls have been installed to eliminate unauthorized and illegal access to information. The security measures adopted by the organization are in full compliance with the centralized standards of the banking industry. As per the risk assessment, there are seven kinds of risks that the organization mainly caters to: Vulnerability Risk Physical Risk Legal Risk Trust Issues Identity Concern Human Intervention Geopolitical Problems After considering the above mentioned risks, the organization has imbibed the under mentioned security features: 1. Strong and vigorous authentication procedure. 2. ‘Key-logging’ and ‘denial-of-service system attacks’ are considered to be highly risky, hence tough security protection measures have been executed for mitigating the above risk. 3. The communication between the bank and the client is encrypted for protection of data. 4. A double authentication scenario is imbibed which includes a single password and use of smart card technology. 5. The client’s details are kept highly confidential and the data used in the transfer process and storage is protected from all possible threats. 6. The centralized and common standards that are followed by the industry are made part of the company security policies as well to safeguard the IT infrastructure. 7. The security systems are updated on a continuous basis along with a consistent review system which is free from all personal or individual biases. 8. The policies are also changed from time to time to incorporate new technology and updated systems. 9. A broad range of alternate plans for combating future incontingencies are pre-designed. 10. A continuous monitoring system is out into action for detecting any unusual or suspicious event. A cohesive management team is formed for tracking of such events. 11. Regular security audits are practiced for ensuring authenticity of administrative and other activities A security policy of an organization is a transcription that helps to set certain procedures, well defined strategies and policies along with guidelines that facilitate employees and other stakeholders of the firm in understanding the do’s and don’ts about the organization’s work culture and IT patterns (Hubbard W D, 2010). The security policy clearly reflects the kind of resources required for maintaining privacy and confidentiality of client’s data along with the procedure and methods that can be used to protect the allocated resources. In absence of a well drafted security policy, the organization may suffer in various ways such as data loss, time bereavement, and deficiency in productivity. HSBC involves three main areas where security features are applied to the optimum. These areas comprise of: Authenticity Data Transmission Data Privacy Security Identification and Authorization Authentication is a process whereby the identity of a particular entity is validated or in other terms certain credentials have to be presented by clients in order to ensure that they are the same person as represented in the ongoing transaction while authorization is a common term associated with ascertainment of permission and certain rights that a user is granted and the related resources that he requires for the accomplishment of end result or target. The organization has incorporated special features which are based on a certain and specific set of documentation to ensure authenticity of users who log into the system. The system designed by the organization is such that all the risks associated with the identity issues of its clients are well tackled. The user’s identity is protected in a number of ways depending upon the kind of risk associated with each function. Security measures such as usernames, passwords, addition of memorable questions etc are the conventional methods through which unauthentic and illegal service attacks can be restricted. The implementation of smart cards for realizing a two-factor authentication is an effective method of safeguarding user’s details incorporated by the organization. Such kind of advanced methodology helps the firm to adopt stringent methods whereby a unique PIN number is extended to the user. This makes the entire process much more complicated for the hacker who must obtain the smart card as well as its unique PIN code to initiate any unethical and illegal transaction. The organization has also entailed several control tools and techniques to combat the anticipated user oriented risks. Such techniques include the use of: Access Control Matrix and List that comprise of rows that represent subject and columns that reveal objects. Role-Based and Rule-Based Access Control are methods through which specific roles are assigned to particular people to ensure there accountability and responsibility. Rule based controls assign roles and their rights to the users. Restricted Interfaces are used were the users can obtain private and confidential data only when he passes through the link or the interface. Any third party may also obtain data but on a special request, for which detailed forms need to be filled and permission to be taken from the concerned authorities. The line of control set by the organization decides the kind and quality of data that can be reclaimed by the person, based on data filtration and set rules for maintaining the integrity and confidentiality of data. Record of Illicit Access Attempts If an outsider tries to access the account without obtaining the correct details, the system automatically locks the specific account and also includes a special feature known as ‘denial-of-service’ for those customers who have genuinely forgotten their passwords and are aware about their username. Transfer of Data All the data that is highly sensitive is encrypted through SSL before transmission of it to the bank account. Even the administrators or the concerned authorities responsible for data security are knot known about the specific encryption details. Privacy of Data The organization takes into consideration the best industry practices when it comes to safeguarding or protecting the personal details of the users. None of the related information is flashed onto the Internet Web Browsers; rather they are stored in databases in encrypted form with the help of specific security components. Like most of the other organizations, HSBC also includes firewalls to safeguard the online banking transactions from foreign attacks. Users do have the facility to make use of advanced anti-virus programs for combating the threat of dodgy viruses such as Trojan horses, key logging software etc. the customers or the clients are also required to be responsible enough and alert as well in terms of systems that are using. Shared systems must not be used for sensitive data transmission. SCOPE FOR IMPROVEMENT After considering the organization’s security features, a large gap is still seen to be visible. For instance, the organization has used Security Socket Layer encryption making use of a 32 bit data whereas much advanced standards can be applied that would enable the firm to enhance efficiency. For example HSBC can make use of Triple DES that embraces 128, 192 or 256 bits data transmission and is even supported by the National Institute of Standards and Technology (NIST). Such high end encryptions enhance privacy of data, ensure authenticity and integrity, and make certain that users do not repudiate the transmitted data. However there still persist certain problems when key encryptions or asymmetric encryptions are considered by any firm first and foremost being its sharing aspect between the sender and the receiver that creates room for data repudiation on the sender’s front and second is the speed that becomes a matter of great concern when compared with symmetric problem solving techniques. HSBC has implemented an effective two factor authentication system, yet the organization can further add to it the use of PKI that is an electronic signature used to confirm the sender’s identity. Other functions can also be incorporated such as the DSA (Digital Signature Algorithm) or the ECDSA (Elliptic Curve Digital Signature and Algorithm) that substantiate the digital signature and its process as well (Fennelly J L. (2003). HSBC must adopt advanced electronic observational methods for maintaining stringent control norms. Such tools include the use of video recordings, maintenance of system logs, application display devices, packet sniffers etc. With the help of video capturing called as webcam surveillance or monitoring, the activities at various control points can be well monitored. Such technology is motion-activated and helps to attain proper evidence and testimony for the transactions recorded from specific controlling points. Keystroke display devices can help to notify and capture all possible signal movement between each and every character typed on all keyboard devices, helping to keep track of all data transmissions and movement in correct path and directions. Packet sniffers on the other hand can help HSBC to track records at sensitive network packets. With the help of sniffers important information such as usage of web browser usage, frequency of usage, signal traffic etc can all be well monitored. CONCLUSION The organization must take into consideration the analysis of the complete security process that consists of auditing of the technical systems, susceptibility that the security systems are prone to, along with a full proof alternate plan for overcoming the loopholes in the security system. The organization must entail measures to mitigate risks that are linked with unusual and atypical security implementations run on interdependent networks within an organization. It is only through the means of awareness that the organization can be prepared to confront the challenges posed by attackers and also have a deep understanding about the goals and ambitions, in accordance to which counter measures can be adopted. Through a well planned counter strategy, a goal-based approach can be realized for reduction of anticipated risk. BIBLIOGRAPH Chen L, Feng D & Ming L. (2007). “The Security Threats and Corresponding Measures to Distributed Storage Systems”. Lecture Notes in Computer Science, 2007, Volume 4847/2007, Pg 551-559, Retrieved on 28th March, 2011. Available at http://www.springerlink.com/content/b82702835555kl75/ Barr, K., Beiting, M., & Grezeskinski, A. (2003). Intellectual property crimes. American Criminal Law Review, 40, 771–823. Barrett L. (2010). HSBC Confirms Massive Database Security Breach. Published on 11th March, 2010. Retrieved on 28th March, 2011. Available at http://www.esecurityplanet.com/news/article.php/3870071/HSBC-Confirms-Massive-Database-Security-Breach.htm Ditzion, R., Geddes, E., & Rhodes, M. (2003). Computer crimes. American Criminal Law Review, 40, 285–336. Hubbard W D. (2010). “How to Measure Anything: Finding the Value of Intangibles in Business”. 2nd Edition. Published by John Wiley and Sons. Fennelly J L. (2003). “ Effective Physical Security”. 3rd Edition. Published by Butterworth-Heinemann Fujiwara B. (2006). “Cyber Security “Threats and Countermeasures” . Published on 9th Nov, 2006. Retrieved on 28th March, 2011. Available at http://www.gbd e.org/ig/cs/CyberSecurityRecommendation_Nov06.pdf Maher, M. K., & Thompson, J. M. (2002). Intellectual property crimes. American Criminal Law Review, 39, 763–816 Meier D J, Mackman A, Dunner M, Vasireddy S, Escamilla R & Murukan A . (2003) “Improving Web Application Security: Threats and Countermeasures”. Retrieved on 28th March, 2011. Available at http://msdn.microsoft.com/en-us/library/ff648641.aspx Whitman E M & Mattrod J H. (2009). “Principles of Information Security”. 3rd Edition. Published by Cengage Learning EMEA HSBC, Privacy and Security, http://www.hsbccreditcard.com/ecare/privacy_nli . Read More