Cybersecurity Vulnerability Faced by IT Managers Today - Term Paper Example

 Cybersecurity Vulnerability Faced by IT Managers Today Abstract In modern times Information technology holds the backbone for large number of organizations. Information enabled departments are part of nearly every organization, especially the technology related firms. The entire communication and proceedings of the firms rely on the use of technology. Having highlighted the reliance, it is a no hidden fact that these managers and departments are at forefront of the threats being posed in terms of the security. Since it involves contact with an open world that is enriched with enormous amount of anonymous connections, all sorts of possible threats are faced by the I.T mangers. Although different forms of weaknesses can result in various vulnerabilities there is one particular threat which can be side lined as the most potent threat, its scope of impact is relatively large and can create havoc and destroy the purpose of I.T firms and managers. The possible vulnerability can be mitigated through safe practices and protective layers of security that ensures authentication. This can be achieved through multi- tier protective layers within the system. The scope of cyber security governance is so large that it encompasses all the processes, inside the firm and outside, along with the personnel involved in the incumbent department. This paper looks into the different dimensions of the vulnerabilities and responsibilities on behalf of the respective departments. This paper would help identifying and further creating a mechanism for safe operations and security of the organizations, their clients. Note: the body of this paper should include at a minimum a complete description of the vulnerability, the reasons why it is the most important, the impact of this vulnerability on organizations and how organizations can best address its potential impacts. Cyber security Vulnerability Faced by IT Managers Today The single most important cyber security vulnerability faced by IT managers at the present is cyber security governance. There are weaknesses that that exist in cyber security governance to include personnel management, policies, and procedures. The weaknesses of cyber security governance have been noticed at all scales, levels, and sectors such as inadequate procedures, undertrained personnel, and failure of leadership at all levels. These weaknesses of cyber security governance have been identified by the Department of Homeland Security and proposals have been initiated to bring about change. Problems with Organizational Governance Cyber security consists of three fundamentals such as personnel, operations, and technology. In order for all three fundamentals to be successfully implemented, active involvement is required by personnel who are responsible for the governance of that organization. Vulnerabilities may be created or exist when there is an imbalance among the three cyber security fundamentals. The personnel aspect of cyber security governance requires organizational leadership to be absolutely committed to security, selective when assigning appropriate responsibilities and roles to staff members, practice stringent implementation of personnel and physical security measures to monitor and control access, implement proper training that is suitable for the echelon of responsibility and access, and practice strict accountability. The operations aspect of cyber security deals with procedures and policies such as management, assess controls, assessments, and certifications. Organizations have the tendency to place too much emphasis on the technology aspect of cyber security governance which focuses on the implementation of hardware and software such as acquisition and development. Key Aspects of Governance Effectual cyber security governance should consist of formulating transparent and computable goals, strategies for attaining those goals, and procedures and policies to execute those strategies. This would comprise both personnel management and operations assigning appropriate responsibilities and roles to all staff members of the organization, assisting with recruitment and training, and being accountable for them. Governance is known to be the most vital and intricate weaknesses to elaborate on. Goals A cyber security framework should consist of a transparent depiction of its goals, which would be the preferential outcome or condition. An array of goals can be set with some possibly being more and tangible and feasible than others. It would be helpful to differential goals on separate levels such as sectoral, organization-specific, and national. Strategies Strategies consist of an extensive array of approaches or plans for achieving cyber security goals. An information assurance strategy called Defense-in-Depth (DID) was developed by the National Security Agency which focuses on personnel, operations, technology, and also outlines a set of practices and principles for these fundamentals. The DID strategy highlights the concept of layered protection and defense. Nonfederal entities such as industry groups, corporations, and international organizations have also managed to come on board with similar cyber security strategies. Policies A policy is a body of principles that governs how cyber security strategies will be executed and can be categorized into different levels such as issue-level, program-level, system-level, and mission-level. An issue-level policy outlines rules for a particular issue or area of concern. A program-level policy outlines rules for a specific program or set of activities. A system-level policy gives guidance on securing a particular system or subsystem. A mission-level policy gives guidance for an enterprise. The purpose of cyber security policies of an organization is to give guidance on achieving a set of goals. Noncompliance with an organization’s policy may result in legal consequences. Procedures Cyber security procedures are formulated to execute cyber security strategies and policies. For example, they may include steps that provide guidance on minimizing the risk of intrusions, how to respond if an intrusion occurs and the procedures to report it, and effective techniques for evaluating possible security risks of potential employees. Procedures typically are the most customized and organization-specific of governance components across many establishments. Personnel Organizational personnel are the most critical of the fundamentals of cyber security. It is people who are depended on to execute and reinforce security procedures and policies and provide protection and defense against cyber attacks. If Information Technology and Cyber Security personnel are not effectively trained and skilled in their career field, they may lack the competence to prevent, detect, and react when faced with security breaches, and they may be a perfect target for a “social engineering” attack, which entails discovering and taking advantage of weaknesses in how people interact with IT systems. Security professionals prioritize employee education and training as a top priority. Effective cyber security governance demands a solid commitment from organizational leadership at all levels of management. The National Strategy to Secure Cyberspace (NSSC) has publicized that the development of a competent cyber security workforce in the United States is a priority. Public Knowledge and Perception Many experts think that several establishments and home computer users, particularly small businesses, aren’t properly prepared to take essential defensive actions, even though there seems to be minute evidence on public preparedness and awareness concerning cyber security. There are a number of likely justifications for this lack of preparedness such as: Many people don’t feel comfortable with cyber security due to its greater level of technical proficiency. Many people may be unaware of and affected by a cyber intrusion unless they have been affected as a result of financial fraud or theft, which normally would be discovered far after the intrusion took place; because cyber attacks are easy to hide. User education and training may not keep pace with the continuous rise in threats and technology. For a number of reasons, several establishments don’t always report security incidents and cyber attacks due to concerns about negative impacts on public trust in the establishment. There are considerable economic disincentives for investing toward cyber security; because cyber security is preventive, and is not profit making; cyber attacks are somewhat rare; and effects may be disseminated, such as, a compromised computer or IT system may be used as a method to launch an attack against targets, instead of being a target itself. High Computer User Expectations The faster computer users can solve a problem, the sooner they can be productive; as a result, computer help desks are under intense pressure to respond very quickly to users’ questions. Under duress, help desk personnel sometimes forget to verify user’s identities or to check whether they are authorized to perform a requested action. In addition, even though they have been warned against doing so, some computer users share their login ID and passwords. This can enable workers to gain access to information systems and data for which they are not authorized. Analyze and Differentiate among Types of Social Engineering Attacks The easiest way to discover someone’s password often is simply to ask for it. Social engineering is defined as using and manipulating human behavior to obtain a required result. A user might be easily led to reveal his password or to provide personal information that might reveal his password. For example, someone might call a user on the phone, pretending to be from another department, asking for the user’s password to retrieve a file. The user, thinking he knows who he is talking to might give the unauthorized user the password without officially authenticating who the caller is or why he needs the information. The caller might make small talk with the user and trick him into revealing names of family members or his birth date, so the attacker can try out this information as a password to the user’s account. Another typical example of this type of security breach occurs when an unauthorized user calls a help desk operator and impersonates a high-level user, and asks to reset his password. The user insists he is a high-level manager who needs access into his account immediately. The helpdesk operator, if not trained properly, could instantly give this user a new password without properly identifying the user. Now the hacker can log in using the account of a high-level person who could have access to sensitive information. Types of Perpetrators and Their Affects on Organizations Hacker –Test limits of system and/or gain publicity Cracker –Cause problems, steal data, and corrupt systems Malicious insider –Gain financially and/or disrupt company’s information systems and business Industrial spy –Capture trade secrets and gain competitive advantage Cybercriminal –Gain financially Hacktivist –Promote political ideology Cyberterrorist –Destroy infrastructure components of financial institutions, utilities, and emergency response units Hackers and Crackers The hacker, in effect, acts like a con man, who tries to uncover sensitive information through manipulating someone’s basic human nature. The term hacker has evolved over the years, leading to negative connotation today rather than the positive one it use to have. While there is a vocal minority who believe that hackers perform a service by identifying security weaknesses, most people now believe that hackers no longer have the right to explore public or private networks. Some hackers are smart and talented, but many are technically inept and are referred to as lamers or script kiddies by more skilled hackers. Surprisingly, hackers have a wealth of available resources to hone their skills –online chat groups, Web sites, downloadable hacker tools, and even hacker conventions (such as DEFCON, an annual gathering in Las Vegas). The micro blogging Web site Twitter has been hacked numerous times. One hacker took advantage of a vulnerability to force victims to join its Twitter follow list automatically. Other hackers created a Twitter account under the name of Vin Cerf (the person most often called the Father of the Internet) and used it for spamming. Hackers gained access to several high-profile accounts (Barack Obama, Britney Spears, and CNN’s Rick Sanchez) and sent out fake updates in their name. In a more serious example of hacking that borders on cyber terrorism, Chinese hackers have repeatedly hacked into systems to intercept e-mails between U.S. and UK government officials. Fortunately, the compromised computer network carried only unclassified communications. A separate, more secure network used to carry classified communications has not yet been compromised. Foreign-government sponsored hackers are a growing concern because they have access to millions of dollars, the most knowledgeable people, and the best equipment to attempt to hack into U.S. based Web sites. Cracking is a form of hacking that is clearly criminal activity. Crackers break into other people’s networks and systems to cause harm –defacing Web pages, crashing computers, spreading harmful programs or hateful messages, and writing scripts and automated programs that let other people do the same things. For example, crackers defaced a CERN (the European Organization for Nuclear Research) Web page, disparaging CERN’s IT security staff as a “bunch of school kids” and saying they had no plan to disrupt CERN’s operations but simply wanted to highlight the lab’s security problems. The crackers came very close to gaining access to a computer that controlled one of the 12,500 magnets that control the Large Hadron Collider built to perform particle physics experiments. Malicious Insiders A major security concern for companies is the malicious insider, an ever present and extremely dangerous adversary. Companies are exposed to a wide range of fraud risks, including diversion of company funds, theft of assets, fraud connected with bidding processes, invoice and payment fraud, computer fraud, and credit card fraud. For example, an employee in Accounts Payable may engage in collusion with a company supplier. Each time the supplier submits an invoice, the Accounts Payable employee adds $1,000 to the amount approved for payment. The inflated payment is received by the supplier, and the two split the extra salary Insiders are not necessarily employees, they can also be consultants and contractors. The risk tolerance of these employees depends on whether they are motivated by financial gain, revenge on their employers, or publicity. Industrial Spies Industrial espionage can involve the theft of new product designs, production data, marketing information, or new software source code. For example, Shekhar Verma was employed by Geometric Software Solutions Ltd. (GSSL), an Indian Company that provide outsourcing services, including software development. GSSL was awarded a contract to debug the source code of SolidWorks’ U.S. competitors for $200,000. (The value of the source code has been estimated to exceed $50 million.) A competitor contacted the FBI, a sting was set up, and Verma was arrested. However, Indian law at the time did not recognize misappropriation of trade secrets, so technically Verma did not steal from the employer, as the source code belonged to SolidWorks. Prosecutors were forced to charge Verma with simple theft; four years after those charges, he is still free and making a living as a programmer in India. Cybercriminals Information technology provides a new and highly profitable venue for cybercriminals, who are attracted to the use of information technology for its ease in reaching millions of potential victims. Because the potential for monetary gain is high, they can afford to spend large sums of money to buy the technical expertise and access they need from unethical insiders. Hacktivism and Cyberterrorists Hacktivism, a combination of the words hacking and activism, is hacking to achieve a political or social goal. A cyberterrorist launches computer based attacks against other computers or networks in an attempt to intimidate or coerce a government in order to advance certain political or social objectives. Cyberterrorist are more extreme in their goals than hacktivists although there is no clear demarcation line. Because of the internet, cyberattacks can easily originate from foreign countries, making detection and retaliation much more difficult. Specific targets might include telephone-switching systems, an electric power grid that serves major portions of a geographic region, or an air traffic control center that ensures airplanes can take off or land safely. Successful cyberattacks on such targets could cause widespread and massive disruptions to society. Some computer security experts believe that cyberterrorism attacks could be used to further complicate matters following a major act of terrorism by reducing the ability of fire and emergency teams to respond. Cyberterrorist seek to cause harm rather than gather information, and they use techniques that destroy or disrupt services. They are extremely dangerous, consider themselves to be at war, have a very high acceptance of risk, and seek maximum impact. In early 2009, Israeli hacktivists made available malware dubbed Patriot. When downloaded to computers of Israeli sympathizers, this malware converts those computers into zombies, which launch a distributed denial-of-service attack intended to silence Hamas Web sites. Meanwhile, anti-Israeli hacktivists were also on the offensive. Bruce Jenkins, a consultant from the application security firm Fortify Security, stated that their observations suggest that a large number of Web sites had been defaced by a variety of hacker groups from Iran, Lebanon, Morocco and Turkey and the trend is accelerating. Malicious Insider Threat One of the biggest risks at any organization is its own internal personnel. Hackers work hard to gain what insiders already have, namely physical presence within the facility or a working user account on the IT infrastructure. When an insider performs malicious activities, the threat is significant, as they are already past most physical barriers and may have easy access to compromise logical security. Malicious insiders can bring in malicious code from outside on various storage devices, including mobile phones, memory cards, optical discs, and USB drives. These same storage devices can be used to leak or steal internal confidential and private data in order to disclose it to the outside world. (Where do you think most of the content on WikiLeaks comes from?) Malicious insiders can execute malicious code, visit dangerous websites, or purposefully perform harmful activities. The means to reduce the threat of malicious insiders includes thorough background checks, strong policies with severe penalties, detailed user activity auditing and monitoring, prohibition of external and private storage devices, and use of white lists to minimize unauthorized code execution. Conclusion In conclusion, the security of any information technology system entails a combination of technology, policy, and people and necessitates a broad domain of activities to be successful. Establishing a well constructed security program begins by making an effort to obstruct security breaches by evaluating threats to the organization’s IT system, pinpointing actions that focus on the most critical cyber security vulnerabilities, educating and instilling awareness in end users about the risks associated with compromised IT systems, and creating and enforcing security procedures and policies. A good security policy delineates responsibilities and the behavior expected of members of the organization and outlines what needs to be done. However, no security system is perfect, so systems and procedures must be monitored by the human element to detect a possible intrusion with a clear reaction plan. References Samuelle, T. J. (2011). Mike Meyers' CompTIA Security+ Certification Passport (3rd ed., p. 44). New York, NY: McGraw-Hill Companies. Stewart, J. M. (2011). CompTIA Security+ Review Guide (2nd ed., p.141). Indianapolis, IN: Wiley Publishing, Inc. Reynolds, G. W. (2010). Ethics in Information Technolgy (3rd ed., pp.74, 82-86, 89). Boston, MA: Course Technology, Cenage Learning. Bradley Manning . (2011, September 1). In The New York Times. Retrieved, January 20, 2012, from http://topics.nytimes.com/top/reference/timestopics/people/m/bradley_e_manning/index. html Fischer, E. A. (2005). Creating a National Framework for Cybersecurity: An Analysis of Issues and Options. In CRS Report for Congress (, pp. CRS 16-17, CRS 19, CRS 21-24). Washington, DC, MD: Congressional Research Service. Retrieved August 23, 2012, from http://www.fas.org/sgp/crs/natsec/index.html McConnell International a Clinton Rubin LLC Company (2003). Information Security Governance: Toward a Framework for Action. (,pp. 2, 5), Washington, DC, MD: Technology and Policy Consulting Firm. Retrieved September 02, 2012 from http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04C BD9D76460B4BED0E67.ashx Read More