Data Protection: The Future of Privacy - Report Example

? Full Paper Introduction Cyber threats are becoming a dominant and challenging factor for organizations, as it leverages many risks that are constantly changing. Every now and then, there are new security breaches resulting in stolen credit card records, stolen personal information and losses in terms of customer confidence, as well as revenue. NO matter how advanced the security controls are, still incidents and security breaches are on the rise. There are numerous cases where IT managers have failed to provide or define adequate security for enterprise wide infrastructure of an organization. Likewise, they emphasize more or external security threats rather than internal vulnerabilities. As per Gartner, 70% of security incident occur internally i.e. from the organization premises (Dickerson, 2004). Likewise, in September 2004, HFC bank that is one of the largest banks in the UK sent an email to their 2600 customers mentioning that an internal operational error has made recipients email address visible to everyone within the email. Consequently, ‘out of office’ feature was triggered from some of the customers and their personal phone numbers and other details were shared with each other (Dickerson, 2004). This shows that even simplest of mistakes can lead to an even bigger problem. As information systems are now considered as the fundamental function, every organization acquires information systems for business automation, better customer service and ROI (return on investment). Moreover, electronic commerce has also introduced many businesses that are only virtually present. For instance, Amazon that is an online store for selling books generates revenue from the Internet. Customers pay via credit cards for the purchased books that are delivered to them. In this scenario, any sort of security breach may inject an SQL injection or cross site scripting attack on the website can affect the business as well as customer confidence. Therefore, securing the systems as well as data communication on the web is essential to protect. This also implies to personal or customer data that is maintained and managed by the organization. For instance, E- commerce based organizations stores information of their customer related to credit card numbers, telephone numbers, address, bank details etc. It is the responsibility of the organization to protect and secure data privacy. However, there is not a single law that states how to handle customer information. For this reason, organizations sell or trade customer information with business partners and even to third parties. Likewise, sometimes the sole purpose of this personal data exchange is funds. Although, every online organization has a privacy policy which states how they will handle and secure customer data but at the same time there is no verification criteria. In the following sections, we will critically evaluate a single most cyber security weakness for IT managers within an organization. Likewise, our main argument will cover different domains i.e. the local area network, applications, hardware, transmission media, enterprise networking, intranet, extranet etc. As per (Libicki, 2009): “In theory, all computer mischief is ultimately the fault of the system’s owner if not because of misuse or misconfiguration, then because of using a system with security bugs in the first place. In practice, all computer systems are susceptible to errors. The divergence between design and code is a consequence of the complexity of software systems and the potential for human error. The more complex the system and they do get continually more complex the more places there are in which errors can hide” Association and Weakness The above mentioned argument is indicating to a vulnerability resides within the system that can be utilized for hackers to gain access and is known as exploit. Apart from this inherent risk resulting from inadequate coding practices, human element is also considered as a serious threat that is not limited to hardware, applications and interfaces that provides accessibility to information systems. In the same context, (Das, Kant, & Zhang,) The United States Computer Emergency Readiness Team (US-CERT) has published a “high level overview” document reflecting weaknesses foe control systems. Likewise, the published report includes wireless access point vulnerabilities, network access vulnerabilities, SQL database vulnerabilities, misconfigured firewalls, in adequate security for peered networks etc. correspondingly, the National Institute of Standards and Technology (NIST) has also published a risk management guide for information systems. The guide provides a step by step system analysis that can be utilized by IT managers to access system and network vulnerabilities along with calculating the probability of occurrence and impact for identified vulnerability along with continual risk assessment of the rapidly changing risk environment. Likewise, NIST risk management guide access vulnerabilities with respect to potential concerns of an exploit. From an IT manager’s perspective, these two guides can leverage to get insights for the enterprise level information systems and network along with its weaknesses. However, there is no guidance of tacking an external threat that may want to exploit a computer network. Most Significant Issues Before safeguarding the network and application architecture, IT managers must understand the both, the technical as well as the management aspect. Likewise, IT managers must define baselines, standards, procedures and guidelines for every process associated with security, in order to minimize the impact of the threat at the beginning and remove vulnerabilities as well. We have seen that even today, organizations are seeking technical gurus instead of an IT manager possessing management as well as technical skills. If we elaborate management skills further, an IT manager must develop a strategic framework by liaison with key stakeholders as key members in a strategic committee. These key stakeholders will provide a business oriented view of vulnerabilities that cannot be addressed by the IT manager. Likewise, risk management will also be carried out with the provision of these stake holders who are in fact the owners of applications and systems. Considering information security solely as a technical issue will result in a failure for providing adequate security to the organization’s infrastructure. As technical controls can only prevent threats and vulnerabilities via a specific set of technical configurations, there is a requirement of management skills that will demonstrate the performance and measurements of security metrics. Some of the examples include dashboard, balanced scorecards etc. that will show the current and required security state of the organization. However, implementing security governance at the top level cannot resolve issues, as it is a multi-dimensional discipline. This is because managing overall organizational security is a responsibility of all personnel and a complex issue that must be reviewed and maintained on a periodic basis. Moreover, IT managers having less insights of the business will not be able to understand business requirements and consequently, will not be successful to get management buy in for purchasing security expenditures and tools to track, mitigate and monitor threats and vulnerabilities to business. This is an area where significant improvement is required. IT manager must align IT objectives to the business objectives for getting management buy in. Moreover, to analyze vulnerabilities within third party or local applications, code review is an essential part for analyzing backdoors or security vulnerabilities before implementing in the live environment. Furthermore, frequent changes to hardware and application can be managed by configuration and change management to avoid software and hardware vulnerability. We have also seen a recent Wiki leaks breach in which a huge amount of data is stolen from the United States highly classified servers. It all started from a soldier who started stealing highly classified data for so long without detection (Metadata is key to preventing wikileaks security breaches.2010). This may lead to a failure of physical controls that were neither effective nor present at the location from where the data has been stolen. Likewise, U.S government was not able to access threats and vulnerabilities associated with the human element and oversight issues still exist. However, it does not relate to the main topic, still has importance, as the stolen data may contain the network security configurations diagrams becoming a cyber-threat later on. As mentioned earlier, effective risk management should be in place so that organizational risks are identified in order to establish an effective information security management plan. Organizations must maintain a minimum acceptable standard that will be considered as the recommended best security management practices. However, corporate information security enforcement is essential that will act as a management control and define purpose, scope, ownerships, standards, configuration requirements, enforcement and revision history. Likewise, this policy will demonstrate comprehensive details and will include all aspects of protecting information of the organization. Furthermore, in spite of security governance, risk management, policy and policy enforcement along with user awareness is essential. As risk environment is constantly changing, every employee must be aware of practices effective procedures for information security. A comprehensive training and awareness program by NIST address three levels of users i.e. beginners, intermediate and professionals (Whitman, Mattord , n.d). Each group is addressed by customized user awareness training sessions that also includes computer based testing environment. Some of the critical issues that must be addressed by the IT manager that utilize organization’s application and wired and wireless network vulnerabilities are explained in detail below: Phishing A simple definition is available on network dictionary which states that ” it is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords”. The data is the blood life of every organization; precisely financial institutes conduct their business online. ‘Phishing’ shows the fake identity of the website and collect the credentials from users online. This is a business loss as well as the negative impact of the customer regarding the organization’s trust. 33 people were caught in “Operation Phish Phry”. Two million dollars were stolen from the bank accounts within 2 years’ time. The website of “bank of America” was represented as a fake replica and the users were prompted to enter classified credentials to steal money from there account online (Feigelson & Calman, 2010). TCP Session Hijacking Whenever a packets travels from the source to the router, the router analyze parameters of data packets. After extracting the destination address from the data packet, the router sends it on its way to the destination available in the data packet. However, there are several other parameters in the data packet, where all the amendments take place. The data packets from the source workstation, except from the destination address, may lie regarding other parameters, and can trick the router easily. Moreover, the source may change the destination address in to consideration that the data packet is from a trusted source. In order to eliminate these kind of attacks, implementation of better authentication methods is recommended. Furthermore, architecture of a typical TCP packet contains port numbers, sequence numbers indicating serialization of the packet. An intruder can easily learn these values in order to construct an attack. In addition, if an intruder learns the state of the TCP data packet, which is associated with it, the TCP session will be hijacked. Moreover, hacker may inject malicious code in TCP session between two or more than two nodes. Victims can easily download and install a virus, assuming that it has come from a trusted source. If assuming, that the TCP session is created between a web server and a web client, and a malicious user replaces the authentic web server by intercepting the TCP session, client may provide all the personal details to the hacker rather than the authentic web server. IPSec ensures a reliable way of communication by providing source authentication and performs encryption on the data before transportation. Stuxnet The most destructive virus or worm was discovered in June 2010 named as ‘Stuxnet’. It was classified as a ‘worm’. Network dictionary provides a comprehensive definition of a ‘worm’ that states as “A destructive program that replicates itself throughout a single computer or across a network, both wired and wireless. It can do damage by sheer reproduction, consuming internal disk and memory resources within a single computer or by exhausting network bandwidth. It can also deposit a Trojan that turns a computer into a zombie for spam and other malicious purposes. Very often, the terms "worm" and "virus" are used synonymously; however, worm implies an automatic method for reproducing itself in other computers.” As Sean McGurk the acting director of the National Cyber security and Communications Integration Center in the U.S. Department of Homeland Security identifies Stuxnet’ as a game changer for every sector or industry that is equipped with a computer network. ‘Stuxnet’ is fully compatible to conduct a data theft, by modifying the files of the applications that are incorporated with industrial systems, without showing its presence (GROSS, 2010). He further said, “We have not seen this coordinated effort of information technology vulnerabilities and industrial control exploitation completely wrapped up in one unique package” (GROSS, 2010). The virus was developed to target a specific type of equipment installed in the industry. For instance, it can affect high frequency convertors contribute massively for Uranium enrichment. The density level of ‘Stuxnet’ is considered by the fact including a report demonstrating the initial discovery of this virus consisting of more than half the instances. Moreover, the report identified the emergence of this virus from Iran. As previously, some problems were identified in Iran’s uranium enrichment facility. These facts concluded by some analyst were to relate this virus from an example of ‘cyberwarfare’ that was purposely built for Iran’s controversial nuclear facility. However, Iran’s government refused for any possible issues due to ‘Stuxnet’ (Stuxnet (computer virus).2010). ‘Stuxnet’ is a software program or ‘Worm’ that infects the industrial control systems. The complexity of the virus indicates that it has been developed by the group of expert hackers funded by a national government. The software does not indicate that it has been developed by hacker or cyber criminals (The meaning of stuxnet2010). The security experts break the cryptographic code of the virus to peek in and identify the objective and working methodology. After analyzing the behavior of the virus, Initial thought of the experts were that the virus is tailored for stealing industrial secrets and factory formulas. The formulas can be used to build counterfeit products. This conclusion went wrong when Ralph Langner, who is an expert of the industrial system security revealed that the virus targets Siemens software systems. He also published that the virus may have been used to sabotage Iran’s nuclear reactor. Langner simulated Siemens industrial network to test the activity of the virus (Stuxnet virus may be aimed at Iran nuclear reactor - ComputerworldUK.com ). This proved to be right as an article was published on ‘www.computerworld’ regarding “Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday.”Langner reveals that when the virus achieve its target at the last level, it modifies itself to a Siemens code named as “Organization Block 35”. The default functionality of this Siemens component monitors the vital factory operations within 100 milliseconds by modifying itself to a Siemens critical component (Stuxnet virus may be aimed at Iran nuclear reactor - ComputerworldUK.com). The ‘Stuxnet’ virus can cause a refinery centrifuge to malfunction. This is not the end as it can attack other targets too . The CRS synopsis consisting of eight pages warns analyst and researchers. "Depending on the severity of the attack, the interconnected nature of the affected critical infrastructure facilities, and government preparation and response plans, entities and individuals relying on these facilities could be without life sustaining or comforting services for a long period of time"(Clayton, 2010). The study further concluded, “The resulting damage to the nation's critical infrastructure could threaten many aspects of life, including the government's ability to safeguard national security interests” (Clayton, 2010). The integration of computing technologies to the industry contributing to the economy has facilitated to a great extent. “A SURVEY of more than 900 IT managers shows that adoption of encryption in their organizations is being driven by two main factors, anxiety about possible cyber attacks and the need to meet the payment-card industry (PCI) data security standards” (Wong, 2011). Cyber-attacks affect organizations in several ways. As the cyber-attacks become more dominant and aggressive, they can severely harm critical databases, Interrupt services running on a background and portray catastrophic financial damage (Financial sector « core security technologies). Worms affect financial institutions more than any other sector. The priorities for selecting financial institutions are the transactions that are conducted online. The objectives of hackers are to steal the credentials of the online shopper. That is why the financial institutions received the most Worm attacks. The economic impact of cyber threats would be the physical damage to the critical structure in terms of breaching security and taking control of the devices and equipment on the network. The impact would be to blow the power generators, oil refinery, chemical distribution pipes chemical leakage in to clean drinking water, disrupting the tunnel train by changing their routes, and killing people is also part of this process. Financial impact involves the theft of organizations critical data which is also called business information. This is a critical threat because the organizations bear more cost for the missing data as compared to the online fraud of credit cards. The business theft portrays a severe damage to the organizations, they lose their business, they lose their customers, and their presence in the global economy. Wireless Vulnerabilities Protocols that are associated with MANET wireless networks, do not consider malicious threats from intermediate network nodes that may result in breaching the network easily. Likewise, nodes that are compromised can edit or alter the routing message along with routing information. If the wireless router at the other end received wrong routing information, it may result in re directing the traffic to inappropriate network nodes, eliminating services on the network and may delay the time that is required by packets to reach destination, consequently, causing communication delays and disruptions. An example for a modification attack is the creation of a routing loop that is generated by the hacker in order to instruct the data packet to travel in a cycle, rather than sending it to the required destination (Ito, Iwama et al. 2003). Routing loops deteriorate transmission channels by utilizing additional bandwidth and network resources. Furthermore, by a transmission of false routing packets, the hackers may divert the overall traffic of the wireless network to some other wireless router or access point (Sreedhar, Madhusudhana Verma et al. 2010). Attacks using fabrication Routing protocols that are generally used within the wireless network are complex to identify in spite of receiving authenticated routing information. Consequently, the routing information that is constructed by any other user or wireless router on the network cannot be identified. Many attacks are associated with fabrication. One of them is the rushing attack that uses a malicious code in parallel to fabrication. Moreover, the rushing attack effects on demand routing protocol, as these protocols eliminate replication of messages at each wireless node on the network. Furthermore, a hacker can broadcast routing messages that may affect the complete wireless fidelity spectrum, as the nodes will discard the original router messages by considering them as replica of routing messages. Denial of Service Denial of service attacks can cause massive disruption in a typical domestic wireless and wired network setup. Spoofing is used to masquerade within the wireless network. For instance, information sent from a wireless router contains a malicious code that may penetrate within the wireless network for possible attacks to establish a connection with the hacker or extract confidential information by storing itself on the workstation. Malicious codes are stored within the system, hidden from the user. Likewise, they are activated in parallel to the loading of operating systems. Moreover, spoofing attacks can establish a routing loop that may degrade the performance of the wireless network. Invisible node Invisible node attacks are activated when a wireless router connected within the wireless network do not integrates its specific IP address to the route record field in the header of SRP (Sreedhar, Madhusudhana Verma et al. 2010). Likewise, the node becomes invisible on the wireless network, in order to attack or penetrate within the wireless network. Invisibility makes it relatively untraceable by existing security measures that may not be able to detect the node nor the threat associated with it. Mitigation of these Vulnerabilities Threat Description Impact Mitigation 1 Unauthorized Invasion Using port sniffing for invading unused ports Loss of Data, Damage to critical asset Registering ports and Hardening servers 2 Application Layer Threats Words, Malicious code, Trojan Unauthorized access to confidential data sources, loss of data Patch Management, Update Antivirus 3 DoS Attacks Unnecessary broadcast seizing the overall network Business loss, production operations halted, Setting threshold in Routers, Intelligent Firewall rules 4 Human Errors Un intentional mistakes, mismanaging security procedures, processes Threat originating from un intentional practices by staff such as Phishing, spam emails User awareness and Training, Policy enforcement 5 Wireless Threats Fabrication, Invisible node attack, DOS attack Unauthorized access to confidential data sources, loss of data Encryption, Virtual Private Network Conclusion There is no single significant weakness for an IT manager. However, he must be address security as an overall organizational responsibility rather than just considering IT itself. Moreover, robust and standardized procedures must be handled proficiently. This may include: Change management Patch management Enforcement of security policies Configuration management User awareness training Periodic risk assessment Establishing baseline Standards Encryption References Libicki, M. C. (2009). Cyberdeterrence and cyberwar . Santa Monica, CA: RAND. Das, S. K., Kant, K., & Zhang, N. Handbook on securing cyber-physical critical infrastructure Morgan Kaufmann. Clayton, M. (2010). Stuxnet 'virus' could be altered to attack US facilities, report warns. Christian Science Monitor, , N.PAG. GROSS, G. (2010). Stuxnet changed cybersecurity. Network World, 27(22), 10-10. Worm.(2011). Computer Desktop Encyclopedia, , 1. Stuxnet (computer virus). (2010). Background Information Summaries, , 7-7. Republicaninvestor.com » new york times Retrieved 5/13/2011, 2011, from http://republicaninvestor.com/?cat=240 The meaning of stuxnet (2010). Economist Newspaper Limited. Stuxnet virus may be aimed at iran nuclear reactor - ComputerworldUK.com Retrieved 11/20/2010, 2010, from http://www.computerworlduk.com/news/security/3240458/stuxnet-virus-may-be-aimed-at-iran-nuclear-reactor/ Wong, R. (2011). Data protection: The future of privacy. Computer Law & Security Review, 27(1), 53-57. doi:10.1016/j.clsr.2010.11.004 Metadata is key to preventing wikileaks security breaches.(2010). British Journal of Healthcare Computing & Information Management, , 27-27. Dickerson, C. (2004). The top 20 IT mistakes. InfoWorld, 26(47), 34. Read More