Cyber Criminals and Other Data Security Dangers - Term Paper Example

Summary
This paper, "Cyber Criminals and Other Data Security Dangers", gives an overview of data security risks through real-world examples. The author then presents the ISO 27001 Information Security Management Standard as the means of rectifying and mitigating those threats.


Executive summary

This paper demonstrates information security issues through real-world examples in the introductory paragraphs. It then discusses the security vulnerabilities that hackers and cyber criminals can exploit, and the information security management failures that lead to significant weaknesses in the security architecture. A proposed solution, the ISO 27001 Information Security Management Standard, is illustrated as the means of rectifying and mitigating those threats and vulnerabilities. Finally, through risk management, the value of every asset is calculated and prioritized.

Introduction

There are numerous cases where IT managers have failed to provide or define adequate security for an organization's enterprise-wide infrastructure. They tend to emphasize external threats rather than internal vulnerabilities. According to Gartner, 70% of security incidents originate internally, i.e. from within the organization's premises (Dickerson 34-41). In September 2004, HFC Bank, one of the largest banks in the UK, sent an email to 2,600 customers in which an internal operational error left every recipient's address visible to all the others. Some customers' "out of office" auto-replies were then triggered, sharing their personal phone numbers and other details with the whole list (Dickerson 34-41). Even the simplest mistake can grow into a much bigger problem.

Because information systems are now a fundamental business function, every organization acquires them for business automation, better customer service and return on investment (ROI). Electronic commerce has also created many businesses that exist only online. Amazon, for instance, began as an online bookstore and generates its revenue from the Internet: customers pay by credit card and the purchased books are delivered to them. In this scenario a security breach, such as an SQL injection or cross-site scripting attack against the website, can damage both the business and customer confidence. Securing the systems and the data communication on the web is therefore essential. The same applies to the personal and customer data the organization maintains: an e-commerce organization stores its customers' credit card numbers, telephone numbers, addresses, bank details and so on, and it is the organization's responsibility to protect that data and the customers' privacy. However, no single law states how customer information is to be handled. Organizations therefore sell or trade customer information with business partners and even third parties, sometimes purely for money. Every online organization has a privacy policy stating how it will handle and secure customer data, but there are no criteria for verifying that it does so.

In the following sections we critically evaluate the single most significant cyber security weakness for IT managers within an organization. The argument covers several domains: the local area network, applications, hardware, transmission media, enterprise networking, intranet, extranet and so on. As Caton (148-150) puts it:

"In theory, all computer mischief is ultimately the fault of the system's owner: if not because of misuse or misconfiguration, then because of using a system with security bugs in the first place. In practice, all computer systems are susceptible to errors. The divergence between design and code is a consequence of the complexity of software systems and the potential for human error. The more complex the system (and they do get continually more complex) the more places there are in which errors can hide."

Association and Weakness

The argument above points to a vulnerability residing within the system; the code or technique that uses such a vulnerability to gain access is known as an exploit. Apart from this inherent risk arising from inadequate coding practices, the human element is also a serious threat, and it is not limited to the hardware, applications and interfaces that provide access to information systems. In the same context, the United States Computer Emergency Readiness Team (US-CERT) has published a "high level overview" document of weaknesses in control systems (Research 148). The report covers wireless access point vulnerabilities, network access vulnerabilities, SQL database vulnerabilities, misconfigured firewalls, inadequate security for peered networks and so on. Correspondingly, the National Institute of Standards and Technology (NIST) has published a risk management guide for information systems. The guide provides a step-by-step system analysis that IT managers can use to assess system and network vulnerabilities, calculate the probability of occurrence and the impact of each identified vulnerability, and continually reassess risk in a rapidly changing environment. The NIST guide assesses vulnerabilities in terms of the potential consequences of an exploit. From an IT manager's perspective, these two guides give insight into the enterprise's information systems and network and their weaknesses. However, neither gives guidance on tackling an external adversary who actively wants to exploit the network.

Most Significant Issues

Before safeguarding the network and application architecture, IT managers must understand both the technical and the management aspects.
IT managers must define baselines, standards, procedures and guidelines for every security-related process, so that the impact of a threat is minimized from the outset and vulnerabilities are removed. Even today, organizations seek technical gurus rather than an IT manager who possesses both management and technical skills. On the management side, an IT manager must develop a strategic framework by liaising with key stakeholders as members of a strategic committee. These stakeholders provide a business-oriented view of vulnerabilities that the IT manager alone cannot supply, and risk management is carried out with them, since they are in fact the owners of the applications and systems. Treating information security solely as a technical issue will fail to provide adequate security for the organization's infrastructure. Technical controls can only prevent threats and vulnerabilities through a specific set of technical configurations; management skills are needed to demonstrate performance through security metrics, for example dashboards and balanced scorecards that show the organization's current and required security state. Implementing security governance at the top level alone cannot resolve these issues either, because security is a multi-dimensional discipline: managing overall organizational security is the responsibility of all personnel and a complex matter that must be reviewed and maintained periodically. Moreover, an IT manager with little insight into the business will not understand business requirements and consequently will fail to obtain management buy-in for security expenditure and for tools to track, mitigate and monitor threats and vulnerabilities to the business. This is an area where significant improvement is required.

To gain management buy-in, the IT manager must align IT objectives with business objectives. To find vulnerabilities in third-party or in-house applications, code review for backdoors and security flaws is essential before anything is deployed to the live environment. Frequent changes to hardware and applications should be handled through configuration and change management so that they do not introduce new vulnerabilities. The recent WikiLeaks breach, in which a huge amount of data was stolen from highly classified United States servers, began with a soldier who exfiltrated classified data for a long time without detection ("Metadata is Key to Preventing Wikileaks Security Breaches" 27). This points to physical controls that were either ineffective or absent at the location from which the data was taken, and to the U.S. government's failure to assess the threats and vulnerabilities associated with the human element; oversight issues still exist. Although the case is not directly related to the main topic, it matters here because stolen data may contain network security configurations and diagrams that become a cyber threat later on.

As mentioned earlier, effective risk management must be in place so that organizational risks are identified and an effective information security management plan can be established. Organizations must maintain a minimum acceptable standard, treated as the recommended best security management practice. Enforcement of a corporate information security policy is essential: the policy acts as a management control and defines purpose, scope, ownership, standards, configuration requirements, enforcement and revision history, and it should cover every aspect of protecting the organization's information.
Beyond security governance, risk management, policy and policy enforcement, user awareness is essential. Because the risk environment is constantly changing, every employee must know the effective practices and procedures for information security. A comprehensive training and awareness program along the lines of NIST's addresses three levels of users, i.e. beginners, intermediate users and professionals; each group receives customized awareness training sessions that include a computer-based testing environment. The critical issues an IT manager must address in the organization's applications and wired and wireless networks are set out below.

Mitigation of these Vulnerabilities

1. Unauthorized intrusion
   Description: port scanning to find and enter unused open ports
   Impact: loss of data, damage to critical assets
   Mitigation: register the ports that are required, close the rest, and harden the servers

2. Application layer threats
   Description: worms, malicious code, Trojans
   Impact: unauthorized access to confidential data sources, loss of data
   Mitigation: patch management, up-to-date antivirus

3. DoS attacks
   Description: unnecessary broadcast traffic seizing the whole network
   Impact: business loss, production operations halted
   Mitigation: rate thresholds in routers, intelligent firewall rules

4. Human errors
   Description: unintentional mistakes, mismanagement of security procedures and processes
   Impact: threats arising from staff's unintentional practices, such as falling for phishing and spam emails
   Mitigation: user awareness and training, policy enforcement

5. Wireless threats
   Description: fabrication, hidden-node attack, DoS attack
   Impact: unauthorized access to confidential data sources, loss of data
   Mitigation: encryption, virtual private network

Figure 1.1: Threats and their mitigation

What is ISMS?

The ISMS consists of policies, processes, guidelines, standards and tools. To make it a successful part of information security management, it contains five key elements. The first is CONTROL: control establishes a framework and distributes responsibilities in order to create an environment in which the ISMS can be implemented. The next is PLAN: the plan defines service level agreements according to business requirements, the basis of contracts, operational level agreements and policy statements, all grounded in the requirements of the business. Once control and plan are complete, the next element is to IMPLEMENT these components. Implementation involves building knowledge and awareness, categorizing and listing assets, personnel security and physical security against theft, the security of networks, applications and computing devices, the configuration and management of access rights, and contingency planning for security incident processes. Control, plan and implement together lay the foundation of the structure. Once the ISMS structure is deployed, the next element is EVALUATE: internal and external auditing of the processes implemented in the previous three phases, self-assessment, and evaluation of security incidents; if there is a breach, the security management processes ensure that the incident is dealt with. The last element is MAINTAIN: this phase continuously monitors processes, including security management and new threats, vulnerabilities and risks, and improves processes where required; where a process needs improvement, the ISMS cycle starts again from the first element, CONTROL.

Risk Assessment and Analysis

Before conducting a risk assessment, the core factors are considered.
Identifying information assets is vital before conducting a risk assessment. Information assets are the entities that hold the organization's data. A good definition is available at www.ibm.com: "information assets are specific to your business functions and business strategies, they may be contained within broad categories such as contractual and legislative compliance, those needing virus prevention, those critical to business recovery following security compromises, etc." An organization's information assets comprise technology assets, data assets, service assets and people assets. In this scenario the owner of the server hardware is the server administration group, the owner of the applications running on the servers is the application support group, and the owner of the data stored on the servers is the system development group. A risk assessment table identifies each asset, its CIA (confidentiality, integrity, availability) profile, the likelihood and impact of compromise, the source of the threat and a risk summary. Figure 1.2 below shows the table.

Defining Asset Value for the Sales Server

The asset value is derived from the availability, confidentiality and integrity requirements of the asset, each rated on a three-point scale on which 2 is medium and 3 is critical.

Availability. If the sales server stops responding or suffers a hardware or software failure, the Organization's sales outlets cannot send sales data to the server and the sales process halts, because the system processes no data from the outlets. Customers connected to the Wi-Fi also lose access to the Organization's sales services. As there is no backup for the sales server, it is very critical. Rated 3 (critical).

Confidentiality. Any employee can currently gain access to the sales server and amend the sales figures of any outlet, because no firewall rules are defined and no per-employee access controls are set. Furthermore, a hacker could intrude into the sales server and extract all of the Organization's sales figures, then sell them to competitors, who would be delighted to learn which products top the list. This is the most critical issue, as data leakage is not acceptable at any level. Rated 3 (critical).

Integrity. An employee can amend sales figures before they are sent to the sales server, causing revenue loss for the bakery. A hacker could also disrupt the transmission of data from the sales outlets to the sales server at the head office. This issue is under control, because transmission between the outlets and the head office is encrypted by the VPN deployment. Rated 2 (medium).

Asset Value for the Sales Server

Sales Server Value = Confidentiality 3 + Integrity 2 + Availability 3 = 8 (Critical)

Threats associated with the Sales Server: hardware failure, power failure, fire, virus, hacking, data corruption, unauthorized access, network failure.

Risk Treatment as per ISO 27001 (control references are to Annex A of ISO/IEC 27001:2005)

Hardware failure: A.9.2.4 (equipment maintenance). Deployment: annual maintenance contract (AMC)
Power failure: A.9.2.2 (supporting utilities). Deployment: generators, alternate source of electricity
Fire: A.9.1.4 (protecting against external and environmental threats). Deployment: roof sprinklers, fire extinguishers
Virus: A.10.4 (protection against malicious and mobile code). Deployment: anti-spyware, antivirus, Trojan removal tools
DoS attacks / hacking: A.6.2.1, A.6.2.3 (external parties), A.10.6 (network security management). Deployment: appropriate network controls, IDS implementation
Data corruption: A.10.5 (back-up). Deployment: backup data servers
Unauthorized access: A.11.2.2 (privilege management), A.11.2.4 (review of user access rights), A.11.5 (operating system access control). Deployment: deploying Active Directory, defining policy for user rights
Network failure: A.14.1 (business continuity management). Deployment: business continuity planning

Figure 1.2: Risk assessment and treatment for the sales server

1.1 Security Policy

The security policy enables the organization to follow a defined set of controls and gives a broad picture of how the organization should function day to day. Once the rules are implemented they must be reviewed periodically to keep up with the latest threats and vulnerabilities.
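The asset valuation and treatment table in Figure 1.2 can be kept as a small risk register rather than a static figure, so that the asset value, the classification and the order in which threats are treated are all computed from the same data. The Python below is an added example written for this edit, not code from the paper. It uses the paper's CIA ratings for the sales server (C=3, I=2, A=3) and its Annex A control references; the per-threat likelihood and impact scores, the classification thresholds and the field names are assumptions, since the paper lists the threats but gives them no scores.

```python
"""Risk register for the sales server (added example, not from the paper).
CIA ratings and Annex A references are the paper's; likelihood/impact scores
and the classification thresholds are constructed here for illustration.
"""
from dataclasses import dataclass, field

CRITICAL, MEDIUM, LOW = 3, 2, 1          # three-point CIA rating scale


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 3 (likely)   -- constructed values
    impact: int            # 1 (minor) .. 3 (severe)  -- constructed values
    controls: tuple        # ISO/IEC 27001:2005 Annex A references
    treatment: str         # what is actually deployed

    @property
    def risk(self) -> int:
        """Risk score = likelihood x impact (1..9)."""
        return self.likelihood * self.impact


@dataclass
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int
    threats: list = field(default_factory=list)

    def value(self) -> int:
        """Asset value = C + I + A, as in Figure 1.2."""
        return self.confidentiality + self.integrity + self.availability

    def classification(self) -> str:
        # Thresholds are an assumption; the paper only shows 8 -> Critical.
        v = self.value()
        if v >= 7:
            return "Critical"
        if v >= 5:
            return "Medium"
        return "Low"

    def treatment_plan(self) -> list:
        """Threats ordered by risk, highest first, each carrying its controls."""
        return sorted(self.threats, key=lambda t: t.risk, reverse=True)


def sales_server() -> Asset:
    """The paper's sales server with the threats of Figure 1.2."""
    return Asset(
        "Sales Server", confidentiality=CRITICAL, integrity=MEDIUM,
        availability=CRITICAL,
        threats=[
            Threat("Hardware failure", 2, 3, ("A.9.2.4",), "annual maintenance contract"),
            Threat("Power failure", 2, 2, ("A.9.2.2",), "generators, alternate supply"),
            Threat("Fire", 1, 3, ("A.9.1.4",), "sprinklers, extinguishers"),
            Threat("Virus", 3, 2, ("A.10.4",), "antivirus, anti-spyware"),
            Threat("DoS / hacking", 3, 3, ("A.6.2.1", "A.6.2.3", "A.10.6"),
                   "network controls, IDS"),
            Threat("Data corruption", 2, 3, ("A.10.5",), "backup servers"),
            Threat("Unauthorized access", 3, 3, ("A.11.2.2", "A.11.2.4", "A.11.5"),
                   "Active Directory, user-rights policy"),
            Threat("Network failure", 2, 2, ("A.14.1",), "business continuity planning"),
        ],
    )


def report(asset: Asset) -> str:
    """One line for the asset, then one line per threat in treatment order."""
    lines = [f"{asset.name}: value {asset.value()} ({asset.classification()})"]
    for t in asset.treatment_plan():
        lines.append(f"  risk {t.risk}: {t.name} -> {', '.join(t.controls)} ({t.treatment})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sales_server()))
```

With the constructed scores, unauthorized access and DoS/hacking (both 3 x 3) come first, which matches the paper's own finding that missing firewall rules and access controls are the most critical issue; fire, unlikely but severe, comes last. Changing a single likelihood value reorders the plan without touching the controls mapping.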
The following guidelines control the organization's security policy:

1) All data must be classified, with confidential data identified and managed through access rights.
2) Any unauthorized software found on a system will be deleted with immediate effect.
3) Internet access is granted only to selected, authorized personnel.
4) Access to particular ports and to the proxy is granted only to specific authorized people, so that an individual can be identified if damage or illegal activity is detected.
5) Each employee's password must be between 8 and 15 characters long and contain at least one capital letter, one special character and one number.
6) Passwords expire every 3 months and may not repeat previous ones.
7) Every workstation must run antivirus software and a firewall.
8) Workstations have write protection enabled and do not allow any executable to run except the required software.
9) A blacklist of external IP addresses is maintained; any address found scanning, penetrating or exploiting the network is logged and blocked.
10) All installation and maintenance of workstations is performed by the system administrator only.
11) If a problem arises in the network, a workstation or a server, it is recorded and the risk treatment plan appropriate to that problem is started.
12) All removable media is disabled, to prevent unwanted software (viruses, spyware) from being installed on a local system and jeopardizing the security of the entire network.
13) The open wireless bridge is closely monitored to stop malicious activity and prevent risk to the organization's network.
14) Every member of staff must be acquainted with the security policy and aware that inappropriate activity leads to severe penalties.

ISMS Scoping

A good definition of an ISMS is available at www.praxiom.com: "An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system". The goal is to protect the information of the organization itself as well as that of its customers. ISO/IEC has established two standards concerned with the ISMS. ISO/IEC 17799 (since renumbered ISO/IEC 27002) is a code of practice for information security management: a process-based framework for ensuring that organizations achieve their information security management objectives. The second, ISO/IEC 27001, covers several factors ("ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements"):

- it is implemented in the organization to derive security requirements and goals;
- it is implemented so that security risk management costs less;
- it is implemented to ensure compliance with laws and regulations;
- it provides a process framework for deploying and managing controls to meet particular security objectives;
- it defines new processes for information security management.

The ISMS scope may cover one department or several. The managing director has clearly identified issues related to mismanagement of network, data, asset and database security.
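Policy items 5 and 6 above (password complexity, three-month expiry, no reuse of previous passwords) are the rules that can be enforced mechanically rather than by awareness alone. The Python below is an added example, not part of the paper. The reading of "3 months" as 90 days, the depth of the password history, and the storage of that history as salted PBKDF2 hashes are assumptions, since the paper specifies none of them; hashing the history matters because a reuse check that kept old passwords in clear text would itself be a confidentiality weakness.

```python
"""Enforcement of policy items 5 and 6 (added example, not from the paper).
Assumed: 3 months = 90 days, five remembered passwords, history kept as salted
PBKDF2-HMAC-SHA256 hashes so old passwords are never stored in clear text.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LEN, MAX_LEN = 8, 15                 # item 5: 8 to 15 characters
MAX_AGE = timedelta(days=90)             # item 6: "3 months", assumed 90 days
HISTORY_DEPTH = 5                        # previous passwords remembered (assumed)
SPECIALS = set(string.punctuation)


def complexity_errors(password: str) -> list:
    """Return the item-5 rules the password violates; an empty list means it passes."""
    errors = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errors.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        errors.append("needs a capital letter")
    if not any(c.isdigit() for c in password):
        errors.append("needs a number")
    if not any(c in SPECIALS for c in password):
        errors.append("needs a special character")
    return errors


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: equal passwords in the history get different digests.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordRecord:
    """Per-user state: when the password was set and a bounded history of hashes."""

    def __init__(self, password: str, set_on: date):
        self.history = []                # (salt, digest) pairs, most recent last
        self.set_on = set_on
        self._store(password, set_on)

    def _store(self, password: str, when: date) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # forget the oldest
        self.set_on = when

    def was_used_before(self, password: str) -> bool:
        """Item 6 reuse check, constant-time comparison against each stored digest."""
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def is_expired(self, today: date) -> bool:
        """Item 6 expiry: true once the password is older than MAX_AGE."""
        return today - self.set_on > MAX_AGE

    def change(self, new_password: str, today: date) -> list:
        """Apply items 5 and 6; returns the violations, empty on a successful change."""
        errors = complexity_errors(new_password)
        if self.was_used_before(new_password):
            errors.append("must not repeat a previous password")
        if not errors:
            self._store(new_password, today)
        return errors


if __name__ == "__main__":
    rec = PasswordRecord("Winter#2024", date(2024, 1, 1))
    print("expired on 2024-04-15:", rec.is_expired(date(2024, 4, 15)))
    print("reuse attempt:", rec.change("Winter#2024", date(2024, 4, 15)))
    print("fresh password:", rec.change("Spring#2024", date(2024, 4, 15)))
```

The reuse check has to recompute the PBKDF2 hash once per remembered password, so the history depth is a cost as well as a policy choice; five entries at 100,000 iterations is still well under a second per change on ordinary hardware.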
The data is synchronized daily from each Organization outlet to the file server. The sales server is the most crucial system for both clients and the organization, as it holds all the financial data on daily sales, products sold and so on. The outlets connect to the head office over a virtual private network. Coordination between employees, whether internal staff or sales outlet staff, is conducted by emails relayed through the email server at the head office. The ISMS applies to the head office servers, to ensure data security: both the organization and its clients access information from these servers, so a threat or breach there hurts both. The scope does not cover the whole network. Moreover, the servers are vulnerable because there is no protection between the workstations and the wireless connectivity; a firewall must be deployed to protect them from threats and vulnerabilities.

Conclusion

There is no single most significant weakness for an IT manager. Rather, the manager must treat security as an overall organizational responsibility rather than a matter for IT alone, and must handle robust, standardized procedures proficiently. These include change management, patch management, enforcement of security policies, configuration management, user awareness training, periodic risk assessment, establishing baseline standards, and encryption. To address the organization's overall security issues, a comprehensive security risk assessment is essential for evaluating critical information assets. The ISO 27001 information security standard caters for all these requirements through a holistic approach to safeguarding critical information assets.

Works Cited

Caton, Jeffrey L. "Cyberdeterrence and Cyberwar." Strategic Studies Quarterly 5.1 (2011): 148-50. Print.
Dickerson, Chad. "The Top 20 IT Mistakes." InfoWorld 26.47 (2004): 34-41. Print.
"IBM - Security Policy Definition." Web. 10/6/2012.
"ISO 27001 and ISO 27002 Information Security Definitions." Web. 10/6/2012.
"ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements." Web. 10/6/2012.
Libicki, M. C. Cyberdeterrence and Cyberwar. Santa Monica, CA: RAND, 2009. Print.
"Metadata is Key to Preventing Wikileaks Security Breaches." British Journal of Healthcare Computing & Information Management (2010): 27. Print.
Research and Markets. "Research and Markets: Handbook on Securing Cyber-Physical Critical Infrastructure." Business Wire (English) (2012). Print.
"Republicaninvestor.com » New York Times." Retrieved 5/13/2011 from http://republicaninvestor.com/?cat=240
Wong, R. "Data Protection: The Future of Privacy." Computer Law & Security Review 27.1 (2011): 53-57. doi:10.1016/j.clsr.2010.11.004
Source: https://studentshare.org/information-technology/1781072-organizational-security
