Security, Risk, and Compliance - Research Paper Example

Summary
The paper "Security, Risk, and Compliance" addresses network security, in the context of risk analysis and federal guidelines. The first part introduces the problem. The second part is a literature review, in which the current research regarding this problem is explicated and condensed…

Extract of sample "Security, Risk, and Compliance"

This paper addresses network security in the context of risk analysis and federal guidelines. The first part introduces the problem. The second part of the paper is a literature review, in which the current research regarding this problem is explicated and condensed. An analysis of the problem and the solutions follows. After that comes a discussion of the important issues and of how solutions might be implemented. Lastly, a conclusion wraps up the entire paper.

Introduction

Network security is crucial to any organization. There are many threats, from sources both inside and outside the organization, that make a network vulnerable to attack. Attacks can be devastating, as they might compromise sensitive information, such as customer data, leaving the customers open to identity theft, or they might cripple the organization itself. Employees also make the network vulnerable when they abuse the Internet, as it leaves the organization open to attacks that might occur when unsafe websites are visited, as well as to other liabilities, such as copyright infringement when employees download copyrighted materials, such as songs and software.

To this end, it is crucial that an organization conduct a thorough risk analysis that identifies vulnerabilities and proposes solutions to these vulnerabilities. The solutions might take the form of firewalls, ciphering data, passwords, or a system that actively identifies threats, or some combination of the above. Employee screening and monitoring is also vital for an organization to properly identify individuals who might put the organization at risk either by malice or ineptitude. To be safe, an organization must implement all of the above, keeping in mind federal guidelines – proper employee screening, proper security measures, and timely risk analyses.

Literature Review

The threats to network security

There are many threats to network security.
One of these threats is that communication will be intercepted. The interception may take different forms, from physically accessing network lines to surveillance by radio transmission. Internet communications are particularly vulnerable at network concentration points, such as routers, gateways, network servers and switches. (Di Nepi, p. 43). When information is illegally intercepted, it creates a privacy violation, or a way to use the intercepted information, such as a password or credit card data, to sabotage or loot.

Another threat is unauthorized access to computers and networks. This can take place when passwords are deciphered, and by other methods, such as social engineering, front attacks (exploiting the tendency to use predictable passwords), and password interception. (Di Nepi, p. 45). Although this is often done as an intellectual exercise, information networks are vulnerable because of these actions, and pirates with criminal intentions exploit these weaknesses. (Di Nepi, p. 45).

Attacks can occur against the domain name servers, which causes problems because web sites become unlocalized, e-mail may be disrupted, and the network may be paralyzed; and against the router, which causes information to not be verified. Another attack is the denial of service attack, which paralyzes the network by overtaking it with artificial messages, similar to flooding fax devices. Malicious software may be planted in vulnerable networks, destroying data and disabling the computer. (Di Nepi, pp. 47-48). Viruses are swiftly moving, growing swifter every year – where the “Melissa” virus took three days to spread across the Internet in 1999, the “Code Red” virus in 2001 took just minutes. (Cukier, et al., 2005).

The major risk that is borne of these attacks is that of a data breach, which results in “the distribution of personal information beyond the bounds of...consent and expectations.” (Sprague & Ciocchetti, 2009, p. 97).
50% of the data breaches are committed by employees of the company that is breached. (Citron, 2007, p. 251). Breaches can lead to identity theft and fraud, such as when TJX Companies, Inc., the operator of TJ Maxx and Marshall stores in the United States, announced in January 2007 that it was the victim of a security breach, which exposed 94 million credit card records to outsiders, and these outsiders made fraudulent credit card purchases with this information about TJX customers. (Sprague & Ciocchetti, 2009, p. 97). Since the cardholders had to pay for the fraudulent charges, not the individual customers, the banks who issued these cards filed suit against TJX and won a $41 million verdict ordering TJX to reimburse them for their losses. (Sprague & Ciocchetti, 2009, p. 99). Moreover, since up to 400,000 of the TJX records included their customers' social security numbers and driver's license numbers, the thieves were able to steal identities as well. (Sprague & Ciocchetti, 2009, p. 99).

Stealing social security numbers is an infinitely more serious problem than accessing the individual's credit cards, as identity thieves are able to use the social security number to open up new accounts for which the individual is responsible. It gives the thief “virtual keys” to the victim's financial life, (Citron, 2007, p. 252) enabling the thief to “empty bank accounts, obtain credit cards, secure loans, open lines of credit, connect telephone services, and enroll in government benefits in the victim's name,” (Citron, 2007, p. 252) while merely stealing credit card information only leaves the individual with the inconvenience of having to close that particular account. Moreover, “[i]dentity thieves also commit crimes in the victim's names. A victim of criminal impersonation risks arrest and a criminal record for an identity thief's transgression” (Citron, 2007, p. 252).
Breaches resulting in thefts of social security numbers are very expensive and time-consuming for the victims, as they spend an average of $1,000 in out-of-pocket expenses and 600 hours in personal time cleaning up the mess, and lose on average $16,791. (Citron, 2007, p. 252). The risks of social security numbers and other personal information falling into the wrong hands can also be deadly, as in the case of the information broker who sold a woman's social security and employment information to the woman's stalker, who used this information to track her down and kill her. (Solove & Hoofnagle, 2005, p. 10).

TJX was only the largest security breach of 2007, although its breach did account for 74% of the total 128 million exposed records for that year. (Sprague & Ciocchetti, 2009, p. 100). However, millions of other records were also compromised. For instance, LPL Financial, out of Boston, MA, fell victim to hackers who stole the passwords of fourteen of its financial advisors, which gave the hackers access to 10,000 customer accounts. (Sprague & Ciocchetti, 2009, p. 100). An LPL laptop was stolen out of its San Diego, CA office, which gave the criminals access to another 1,400 personal identifying information (PII) records. Six other laptops were stolen out of different locations, enabling access to another 3,200 PII records. (Sprague & Ciocchetti, 2009, p. 100).

These kinds of data breaches led to 1.8 million surveyed American adults reporting that their personal information was used for fraud, such as opening accounts in their names, and the median value of goods stolen by thieves in this manner was $1,350. (Sprague & Ciocchetti, 2009, p. 101). The victims also had to deal with countless hours of hassle, including dealing with bill collectors, correcting credit bureaus, being denied loans, having their utilities cut off and being criminally investigated. (Sprague & Ciocchetti, 2009, p. 100).

These breaches can be expensive to companies and government agencies.
For instance, the Department of Veteran Affairs had to pay $20 million to veterans and current military personnel after a laptop that contained data on 26 million veterans was stolen, even though the DVA maintained that no information was accessed (Romanosky & Acquisti, 2009, p. 1065). Choicepoint faced $26 million in fines and fees because of a 2005 breach (Romanosky & Acquisti, 2009, p. 1065). Heartland Payment Systems, which is one of the largest credit card processing companies in the US, faced fines and fees totalling $12.6 million in 2008 because of a breach that affected 665 financial institutions (Romanosky & Acquisti, 2009, p. 1065).

A. Solutions

There are a number of solutions to network vulnerabilities. One is to cipher data and voice signals, which makes the data “incomprehensible for anybody but the authorised receiver”, even if the data is intercepted. (Di Nepi, p. 42). Ciphering can be accomplished by using ciphering software or hardware, and e-mail may be ciphered by using dedicated software, or ciphering modules that are integrated in word processor and e-mail software. (Di Nepi, p. 42). Of course, the receiver must be able to decipher the message, so the software and hardware must be inter-operative, and the receiver must possess the ciphering key. (Di Nepi, p. 43). Another device is the secure socket layer, which is a protocol that ciphers communications between users' browsers and the web server.

The best and most common way to protect against unauthorized access to a computer is installing a firewall and/or password. These need to be used in conjunction with other devices, such as a device for attack recognition and application intrusion detection. (Di Nepi, p. 45). The firewall controls traffic between untrusted and trusted networks. Two kinds of firewalls are boundary protection, which refers to protecting the network from the outside world; and internal protection, which protects the network's communication within the organisation. (Di Nepi, pp. 115-116).

A network intrusion detection system (IDS) is an active protection system. It is divided into two main categories: pattern matching, in which it finds sequences that are associated with known attacks; and statistical/traffic anomaly based, in which threats are identified by analysing the differences between typology and traffic quantity, using thresholds that identify what is normal or standard for the situation. (Di Nepi, p. 117). The IDS may be network-based, in which it analyses data coming into a network, or host-based, in which it analyses data coming into a specific host. (Di Nepi, p. 118).

Wireless networks, which are especially vulnerable because of their “intrinsically open nature”, also need security measures, one of which is the wired equivalent privacy, which “defines methodologies both for the encryption of data exchanged between a mobile client and an Access Point, and the authentication of mobile devices.” (Di Nepi, p. 120). Another is the IEEE 802.1X, which employs a central authentication system that authenticates a user on a wireless network. (Di Nepi, p. 121).

The Human Factor

Another issue is the human factor, which takes into account that humans are behind the computers, and they can “make vain” any attempts to armour a security system. (Piraino, p. 34). Employees are naturally a part of any network security scheme, particularly employees who abuse their e-mail and Internet privileges. As employee abuse of e-mail and Internet privileges can have severe consequences - in addition to lost productivity, such abuses also open the employer up to security breaches, viruses and hacking, not to mention that employees commit crimes against their employers more than third parties (Kesan, J.P. 2002, p. 311) - there is a definite need for employers to subject their employees to surveillance.

Another problem that employers face is the doctrine of respondeat superior, where employers can be liable for their employees' misdeeds.
Employees use electronic communication for mischief such as deliberate interception of competitors' secrets, and the employers are likewise liable for this misdeed under respondeat superior (Kesan, J.P. 2002, p. 312). Other problems include liability for employees accessing sexually explicit websites, especially if the websites involved child pornography; liability for employees downloading copyrighted material, such as downloading music and videos from peer-to-peer websites; liability for patent infringement when employees download patented programs; and liability when employees send obscene materials (Kesan, J.P. 2002, p. 312-313). Moreover, an employer may experience unwanted publicity when employees visit inappropriate websites, as the employer's name is what is captured when these websites are visited (Kesan, J.P. 2002, p. 313). Thus, when the employee visits a child pornography site, the feds will come looking for the employer, as this is the name that is captured by this site.

A. Solutions

As employers cannot reasonably take the Internet and e-mail away from their employees without hurting the company's efficiency, there must be a balance between the need for employers to provide the Internet for business-related functions and reasonable personal use, and the employees' tendency to abuse their privilege. Therefore, employers increasingly turn to tools such as monitoring employee e-mail and Internet usage, and disciplining employees who abuse the privilege (Kesan, J.P. 2002, p. 291). Employers typically do this with software that reads, intercepts and monitors employees' e-mail and Internet usage, much to the consternation of many employees. (Kierkegaard, 2005, p. 226). At present, “American employers can lawfully intercept, search and read any messages stored in workplace computers because courts have ruled that employees have no expectation of privacy in workplace electronic communications.” (Rustad & Paulsson, 2005, p. 2).
Another way of combatting this problem is filtering URLs. For instance, access to certain URLs will be denied if they are on a “black list” of what the employer deems unauthorized sites, or by using a URL database, in which web addresses are classified into special groups, and entire categories can be restricted, such as pornography. (Di Nepi, p. 125).

Because of the problems caused by employees abusing work computers, employers have a right to monitor their employees. Of course, the employees have a right to privacy, but this right is not absolute and employers must only have “reasonable suspicion” to constitutionally intrude upon the employees' privacy concerns.

Monitoring grants many benefits to employers. It enhances productivity by “facilitating more efficient resource scheduling, more immediate feedback, and more meaningful evaluations” (Kesan, J.P. 2002, p. 318). This improves quality and customer service, and leads to lower prices for business goods (Kesan, J.P. 2002, p. 318). Monitoring is the backbone of some safety initiatives, which leads to lower insurance premiums and workers' compensation payouts (Kesan, J.P. 2002, p. 318). Monitoring leads to reduced payroll and equipment costs, as employees' use of company equipment and taking of excessive breaks is reduced (Kesan, J.P. 2002, p. 318). Monitoring also enhances the ability to watch data flow in and out of employees' computers, thus an employee who is transmitting sensitive data or attempting to hack the system may be more easily caught (Kesan, J.P. 2002, p. 319). Moreover, some states' laws require employers to monitor employees (Kesan, J.P. 2002, p. 319). Employers usually choose electronic monitoring of their employees, as it is lower cost than having a human monitor the employees, is impersonal and free of bias, and is accurate (Kesan, J.P. 2002, p. 319).
Barriers to electronic monitoring are diminishing in the modern workplace, as the influence of unions is on the wane, and employers, who are generally at-will, often make submission to electronic monitoring a condition of employment (Kesan, J.P. 2002, p. 319).

Therefore, there must be a balance. On the one hand, employers need to reasonably monitor employees' on-line activities for the panoply of reasons outlined above. On the other hand, excessive and abusive monitoring is detrimental to employees. One way that employers can balance the competing interests is by having a carefully crafted policy that is articulated to employees when the employees begin working at the company. That way employees know what to expect, and, if they find the employer's policy overly restrictive, they do not have to accept employment.

These guidelines should include the following: an outline of what is appropriate business and personal use of computers and the Internet; what content and sites are forbidden and specifying the right to access employee e-mail; a definition of the employer's monitoring policies and procedures; and how monitoring is set up (Kesan, J.P. 2002, p. 330-331). Also included in this written policy is an education about the risks – for instance, employees might not know that employers are responsible for their misdeeds, such as when they download illegal copyrighted material. Likewise, they might not know that e-mail is irretrievable and that Internet activity can be traced by third parties. Another risk that they must be informed about is the risk of viruses from their activities, and the risk of slowing down the company's servers by their excessive Internet use (Kesan, J.P. 2002, p. 331). The policy guidelines should also include a section that explains to the employees exactly how employers are liable – such as opening the employer up to copyright infringement claims and revealing confidential information.
Also important is a policy of using technological means to protect the company's trade secrets and keeping confidential files from being transmitted; mandating encryption for sensitive information and creating an approval policy for publishing information on the Web (Kesan, J.P. 2002, p. 331).

This information should probably be continuously presented to every employee, through the use of seminars and meetings, as employers cannot expect employees to remember every policy that is presented to them and employees no doubt rarely read their handbooks. The key is letting the employee know exactly what is acceptable and what is not. That way, the employee will feel respected, as they are informed about what to expect, and they can also conform their behavior to the expectations. Not every employee realizes that, say, downloading copyrighted songs is illegal, and they certainly cannot be expected to automatically know that the employer is also on the hook for their behavior. If they are educated about these and other issues, this will cut down on a lot of problems and might reduce the employer's need to monitor.

Risk Analysis

A risk analysis is one of the critical duties of the IT department, the security officer or the auditor, and it involves identifying assets and the threats to those assets. (Luker & Peterson, 2003, p. 32). The identification of assets consists of categorizing assets as critical, meaning that if the asset was attacked, the organization would cease to function; essential, which means that the organization would be crippled by the asset attack, but could function for a week or so without that asset; and normal, meaning that the loss of the asset would result in some inconvenience. (Luker & Peterson, 2003, p. 34). A critical risk is one that would either be extremely expensive to fix; would result in a critical service loss; would result in heavy, negative publicity; or has a high probability of occurring. (Luker & Peterson, 2003, pp. 35-36).
There are two major kinds of risk analysis – operational and conceptual. The operational risk analysis is focused on the person who is in charge of the IT, and this analysis addresses technology and operators. Conceptual risk analysis is focused on management, and addresses the organization itself and the organization's processes. (Di Nepi, p. 95).

Conceptual risk analysis defines the risk at an organizing and strategic level; defines the threats to the organization and the macro areas that are critical; defines an enterprise intervention plan; and defines general security policy. Conceptual risk analysis basically informs the corporate top management about why security management is important, and how to implement it. (Di Nepi, p. 95).

Operational risk analysis targets threats, vulnerabilities and risk to which single technologies, such as application platforms, networks and systems, are subjected; defines technological standards and security architectures; checks system management procedures and policies; proposes measures for the weaknesses that have been identified; and achieves compliance with the best practice for security technologies. (Di Nepi, pp. 95-96).

Federal Guidelines

There are a number of federal guidelines that need to be complied with. The Gramm-Leach-Bliley Act is one such guideline, and it requires financial institutions to take positive steps to ensure the security of private information. However, as this Act only covers financial institutions – banks, credit unions, insurance companies, savings and loans and investment companies – it, too, has a limited scope. (Sprague & Ciocchetti, 2009, p. 107). Another federal measure is an amendment to the Fair and Accurate Credit Transactions Act (FACT Act), which states that merchants are required to truncate the credit card numbers on the credit card slips and cannot print the expiration date of these cards. (Sprague & Ciocchetti, 2009, p. 107).
The FTC, which governs unfair trade practices, broadened its enforcement authority to cover and prosecute cases against “any private entity's failure to provide appropriate information security” (Citron, 2007, p. 256), which has led to successful prosecutions and consent decrees with companies who suffer security breaches (Citron, 2007, p. 256). It has also established a special division to deal with the problem, the Division of Privacy and Identity Protection, which “enhance[s] consumer outreach and enforcement” (Citron, 2007, p. 256). Even so, it is largely ineffective due to lack of resources and manpower, as it was only able to prosecute six data breach cases out of hundreds that occurred between February 2005 and September 2006 (Citron, 2007, p. 256).

Another federal act is the federal Privacy Act, which affects the government processing of private information, not private companies. It obligates governments to “1) store only relevant and necessary personal information; 2) collect information to the extent possible for the data subject; 3) maintain records with accuracy and completeness; and 4) establish administrative and technical safeguards to protect the security of records.” (Cate, 1999, p. 210). However, as emphasized, this Act only applies to governmental activities, so the private companies that collect data are unaffected by this statute.

Analysis

Network security is of paramount concern for any organization. There are a multitude of threats that can compromise network security, which might lead to data breaches or a crippling of the organization. Some of these threats come from outside hackers, some come from inside employees with criminal motives. Other employees, who do not have criminal motives but do have motive to abuse their Internet privileges, are another source of vulnerability.
The federal guidelines protect consumers when vulnerable networks are attacked, particularly when these networks involve financial institutions or federal governmental agencies. To combat the problem, organizations must commit to a risk analysis that should be done periodically, according to a schedule. This analysis defines assets and threats to those assets. After conducting this risk analysis, and identifying all potential threats, the organization's next duty is to combat the threats that have been identified. The security solutions might include employee monitoring or restricting employees' visits to individual or grouped URLs; ciphering data; installing a firewall; or installing an IDS, which actively seeks out and destroys threats. Along with these are the standard anti-virus measures that must be constantly updated, and the use of passwords.

Discussion

One of the aspects of network security is the vulnerability that an organization suffers because of inattentive employees who abuse their Internet privilege. Perhaps this is what must be addressed before all else, as this problem is probably more widespread than other security issues. An organization can have all the firewalls and other security measures in place, and these are measures that are important, but it is also important that employees' Internet usage be monitored and restricted. Employees can be “clueless” about the vulnerabilities that they are opening their organization up to when they visit sites that are high risk, such as music-sharing sites and other sites that rely on peer-to-peer sharing. Not to mention the people who get jobs at places with the explicit intention to infiltrate the network and make it vulnerable so that it can be exploited. In other words, this is one area that is worth pursuing for every organization. To this end, all employees must be subjected to intense scrutiny when they apply for employment.
The brilliant computer tech who was first in his class just might have the ulterior motive of exploiting his expertise and intelligence for illicit gains. The 18-year-old girl, fresh out of high school, might have the idea that the Internet is there for her to play on all day instead of working, as she visits music-sharing sites and peer networking sites, such as Facebook and Twitter, blissfully unaware of the danger to which she is subjecting her organization. These are just two categories of people who should be properly screened before employment is offered.

It is unfortunate that an organization has to subject incoming employees to intensive screening, and might be hesitant to hire a particularly brilliant IT professional, for fear that this IT professional might use his skills to do harm, but this is something that an organization must do to stay safe. Perhaps a psychological examination might be given to employees who meet preconceived criteria that an organization deems indicative of somebody who might have criminal motives. As for the 18-year-old girl who wants to play on the Internet all day instead of working, she should be subjected to intense surveillance and URL blocking, in addition to intense training and education about the vulnerabilities that are lurking in the Internet. For that matter, all employees need the same scrutiny, because it is not just the young and immature who want to abuse Internet privileges.

Beyond this, ciphering data, using IDSs and firewalls, as well as special security measures for wireless networking, are excellent steps that an organization can take. Passwords are crucial, in case a laptop gets stolen.
They must take these steps, and any other additional steps that are recommended by the professional who is conducting the risk analysis, lest they end up like TJX, which made all of its customer data vulnerable because of weak security, or worse, as in the cases of any organization that is completely crippled by an attack.

Conclusion

Network breaches are serious problems that can lead to a lot of headaches and heartaches not just for the organization itself, but for the people whose information is stored by the organization's network. Their data can be compromised by any attack, and this can open up the organization to serious liability. Therefore, it is paramount that an organization conduct a thorough risk analysis that underlines any vulnerabilities and proposes solutions, and organizations must also keep federal guidelines in mind when designing their security measures. Also of paramount concern is the proper screening and subsequent monitoring of employees, as employees are a source of vulnerability as well. If an organization stays abreast of threats by repeating the risk analysis on a pre-set recurring basis, complies with federal guidelines for security measures, and carefully screens and monitors its employees, it just might keep any vulnerabilities at bay.

Sources Used

Cate, F. 1999, “The Changing Face of Privacy Protection in the European Union and the United States,” Indiana Law Review, vol. 33, no. 173, pp. 216-232.

Citron, D.K. 2007, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age,” Southern California Law Review, vol. 80.

Cukier, K., Mayer-Schonberger, V. & Branscomb, L. 2005, “Ensuring and Insuring Critical Information Infrastructure Protection,” Report of the 2005 Rueschlikon Conference on Information Policy, accessed 1 July 2010, available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=832628

Di Nepi, A., “Network Security: From Risk Analysis to Protection Strategies,” accessed 2 July 2010, available at: http://www.isticom.it/documenti/news/pub_002_eng.pdf

Kierkegaard, S. 2005, “Privacy in Electronic Communication: Watch Your E-Mail, Your Boss Is Snooping!” Computer Law & Security Report, vol. 21, no. 3, pp. 226-236, web accessed 10 June 2010, available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1144280

Kesan, J.P. 2002, “Cyber-Working or Cyber-Shirking?: A First Principles Examination of Electronic Privacy In the Workplace,” Florida Law Review, vol. 5.

Luker, M. & Peterson, R. 2003, Computer and Network Security in Higher Education, New York, NY: Jossey-Bass Inc.

Romanosky, S. & Acquisti, A. 2009, “Privacy Costs and Personal Data Protection: Economic and Legal Perspectives,” Berkeley Technology Law Journal, vol. 24, no. 3.

Solove, D. & Hoofnagle, C. 2005, “A Model Regime of Privacy Protection. Version 2.0.” Accessed 2 July 2010, available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701

Sprague, R. & Ciocchetti, C. 2009, “Preserving Identities: Protecting Personal Identifying Information Through Enhanced Privacy Policies and Laws,” ALB L.J. Sci. & Tech., vol. 19, no. 1.
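As an added example (not part of the original paper), the two IDS categories described in the Solutions part of the literature review, pattern matching and statistical/traffic anomaly detection over typology and traffic quantity, are shown below in Python. The signatures, event fields, baseline figures and sample events are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Pattern-matching side: constructed, simplified signatures.
# A production rule set is far larger and more precise.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

# Anomaly side: constructed baseline of "normal" traffic for a
# hypothetical network, learned during a quiet period.
BASELINE_PER_MINUTE = [4, 5, 6, 5, 4, 6, 5, 5]   # events seen per minute
BASELINE_SHARE = {"http": 0.8, "dns": 0.2}       # usual protocol mix


def match_signatures(events):
    """Pattern matching: (event index, signature name) for each match."""
    hits = []
    for index, event in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern.search(event["payload"]):
                hits.append((index, name))
    return hits


def volume_threshold(baseline_counts, k=3.0):
    """Traffic-quantity threshold: baseline mean plus k standard deviations."""
    mean = statistics.mean(baseline_counts)
    return mean + k * statistics.pstdev(baseline_counts)


def volume_anomalies(events, threshold):
    """Minutes whose event count exceeds the 'normal' threshold."""
    per_minute = Counter(event["minute"] for event in events)
    return sorted(m for m, count in per_minute.items() if count > threshold)


def typology_anomalies(events, baseline_share, tolerance=0.25):
    """Protocols whose share of traffic drifts from baseline by > tolerance."""
    counts = Counter(event["proto"] for event in events)
    total = sum(counts.values())
    if total == 0:
        return {}
    flagged = {}
    for proto in set(counts) | set(baseline_share):
        share = counts.get(proto, 0) / total
        if abs(share - baseline_share.get(proto, 0.0)) > tolerance:
            flagged[proto] = share
    return flagged


def build_sample_events():
    """Constructed traffic: two suspicious payloads and one DNS burst."""
    events = []
    for _ in range(4):
        events.append({"minute": 0, "proto": "http",
                       "payload": "GET /index.html"})
    events.append({"minute": 0, "proto": "http",
                   "payload": "GET /../../conf/app.ini"})
    for _ in range(3):
        events.append({"minute": 1, "proto": "http",
                       "payload": "GET /products?id=7"})
    events.append({"minute": 1, "proto": "http",
                   "payload": "GET /products?id=7' OR 1=1 --"})
    events.append({"minute": 1, "proto": "dns",
                   "payload": "A www.example.com"})
    for i in range(30):
        events.append({"minute": 2, "proto": "dns",
                       "payload": f"A host{i}.example.com"})
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    limit = volume_threshold(BASELINE_PER_MINUTE)
    print("signature hits:", match_signatures(sample))
    print("volume threshold: %.2f events/minute" % limit)
    print("minutes over threshold:", volume_anomalies(sample, limit))
    print("protocol mix drift:", typology_anomalies(sample, BASELINE_SHARE))
```

The pattern matcher flags the two known-bad payloads but is blind to the DNS burst, while the anomaly checks catch the burst and miss the two single requests, which is why the two categories are deployed together.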
Table of Contents Abstract.......................................................................................................................1 Introduction.................................................................................................................1 Literature Review........................................................................................................2 The threats to network security......................................................................2 The human factor.............................................................................................6 Risk analysis.......................................................................................................9 Federal guidelines..............................................................................................10 Analysis..........................................................................................................................11 Discussion......................................................................................................................12 Conclusion.......................................................................................................................13 Read More
Tags
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Security, Risk, and Compliance Research Paper Example | Topics and Well Written Essays - 2000 words”, n.d.)
Security, Risk, and Compliance Research Paper Example | Topics and Well Written Essays - 2000 words. Retrieved from https://studentshare.org/information-technology/1739461-security-risk-and-compliance