Security of Information in Commercial or Business Organisations - Literature review Example

Table of Contents

Introduction
Definitions
Types and categories of threats and countermeasures
  Recon (reconnaissance)
  Access attacks
  Malware
  Denial of Service (DoS) Attacks
Conclusion
References

Introduction

The management of vulnerabilities in and threats to assets is a major challenge for business organizations. Vulnerabilities in assets can be understood as weaknesses in these assets which can be exploited in order to cause harm to them. Such harm to assets can occur in the form of disclosure, destruction, interruption, data modification, as well as Denial of Service (DoS). The effect of such threats on firms is potentially great because of the risk of financial loss and of lost continuity of business services. As threats to and vulnerabilities in assets may not be fully avoided, it is crucial that both are suitably mitigated. Therefore, this paper intends to explore some significant security concepts, as well as the existing categories of threats to commercial assets. It also aims to outline some of the physical, human, and technological countermeasures to the security threats discussed.

Definitions

According to Onwubiko and Lenaghan (2007), computer security refers to the protection accorded to computer systems to achieve the basic goals of upholding the integrity, confidentiality, availability, non-repudiation, and authenticity of information network resources, including software, hardware, firmware, data or information, and telecommunications. Therefore, the basic goal of handling vulnerabilities and threats is to safeguard computer systems and to ensure that computer communications adhere to certain requirements, as outlined below. First, it is necessary to maintain the confidentiality of communications and systems. Confidentiality refers to the conditions necessary to avoid unlawful disclosure when communications and systems are accessed, whether inadvertently or intentionally (Wheeler 2011).
Secondly, Maliapen (2012) argues that it is also vital to maintain the integrity of computer systems, information, or data. This requirement ensures that computer systems and the services they offer are complete, accurate, authentic, timely, and consistent. Thirdly, it is critical to maintain the availability of computer systems and the services offered. This requirement ensures that computer systems and their services are accessible at established times to rightful entities (Wheeler 2011).

Additionally, computer security is indispensable in handling threats to computer systems. Threats refer to events, entities, or circumstances with the ability to cause harm, or to alter standard security operations, through the exploitation of system vulnerabilities (Onwubiko & Lenaghan, 2007). In contrast, harm refers to a breach or an abuse of the integrity, confidentiality, or availability of computer systems, in the form of disclosure, destruction, interruption, modification of data, or DoS (Colwill, 2009). Onwubiko and Lenaghan (2007) contend that computer security is also necessary in maintaining the authenticity of computer networks. Authenticity is important in ensuring that transactions, data, communications, or physical and electronic documents are valid. It is also critical to verify that parties engaged in transactions are truly who they claim to be. Moreover, Durdağı and Buldu (2010) assert that computer security helps in ensuring non-repudiation. Non-repudiation entails one’s intention to honour obligations in an agreement. By extension, it means that one transaction party cannot deny having entered into a transaction, nor may the other party deny having offered a transaction (Yeh & Chang, 2007).
In addition to the concepts above, Smith, Friese, Engel and Freisleben (2006) state that an asset is anything of importance and value to its owner, including data, information, networks, programs, and communication infrastructure. This conceptual framework helps businesses gain a full understanding of the requirements for protecting assets from threats, associated risks, and vulnerabilities, as well as of the ways of protecting information systems (countermeasures) (Rountree, 2011). The framework is also essential to businesses in identifying and recognizing which assets are significant to them. It thereby helps in determining what needs to be protected, as well as the weaknesses existing in these assets (Onwubiko & Lenaghan, 2007). Moreover, Theoharidou, Kokolakis, Karyda, and Kiountouzis (2005) argue that such a framework is indispensable in assessing who can exploit vulnerabilities, and hence in covering the risks related to possible threats and vulnerabilities, in order to decide what to put in place to bar and/or mitigate the recognized vulnerabilities and threats.

Types and categories of threats and countermeasures

There are several types of threats to the security of assets, which fall into distinct and specific categories. The categories are based on the manner in which the attacks happen in computer systems. Additionally, each category has specific sub-divisions based on the way the attacks occur.

Recon (reconnaissance)

Reconnaissance occurs when an attacker probes a computer system or network to find out what is there and, if possible, to map the owner’s systems and network for a future attack (Andress, 2011). Such methods of finding vulnerabilities are widespread and are made possible by scanning networks for accessible ports and by using commands like traceroute and ping to plan a path through the network (Wheeler 2011).
In this category of threat, a hacker attempts to obtain information regarding a company’s or a user’s network, including its topology, the devices residing within it, the software running on them, and the configuration applied to the devices. The hacker then uses this information to conduct further attacks, such as access attacks or DoS. There are different forms of reconnaissance attack, including scanning and eavesdropping (Gandotra, Singhal, & Bedi, 2012).

a. Network and port scanning attack

Choo (2011) maintains that scanning attacks are the most common kind of reconnaissance. A system scanning attack takes place when a hacker surveys the machines in a firm’s network for criminal purposes. Basagiannis et al. (2009) propose that a hacker may do this by sending an ICMP ping to each IP address in a user’s network, or may use a system ping, whereby he/she pings the user’s directed broadcast address. Even though there are several ways of scanning a network, these two are the most commonly used (Vacca & Ellis, 2005). Young (2011) asserts that a network scan can only show the hacker that there are computers in a user’s network with configured IP addresses. The scan, therefore, is unable to show which services are open on the machines. To establish which services are running on a machine, a hacker can use a port-scanning utility. This utility probes the port numbers of computers in order to sense whether a service is running. This technique helps a hacker determine whether the machine is running FTP, SMTP, WWW, Telnet, or other services. Consequently, a hacker can use this information to devise a plan for further attacks against a user’s machine (Azad, 2008). In order to prevent network and port-scanning attacks, it is imperative to employ filtering devices. This can be as simple as applying Cisco routers with access control lists, or as involved as full firewalls (Vacca & Ellis, 2005).
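As an added illustration of how a defender would notice the scanning just described (example code written for this page, not taken from the paper or any work it cites): a small Python detector that parses constructed firewall deny-log lines in an assumed syslog-like format and flags a source that touches many distinct ports, or many distinct hosts, within a short window.

```python
"""Port-scan and ping-sweep detection over firewall deny logs.

Added example, not from the paper. A reconnaissance scan shows up in perimeter
logs as one source address hitting many distinct destination ports (port scan)
or many distinct hosts (ping sweep) in a short time. The log line format below
is an assumption for this example; adapt LINE_RE to your own firewall.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> DENY <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY TCP 203.0.113.7:51000 -> 192.0.2.10:21
2024-03-01T10:00:01 DENY TCP 203.0.113.7:51001 -> 192.0.2.10:22
2024-03-01T10:00:02 DENY TCP 203.0.113.7:51002 -> 192.0.2.10:23
2024-03-01T10:00:02 DENY TCP 203.0.113.7:51003 -> 192.0.2.10:25
2024-03-01T10:00:03 DENY TCP 203.0.113.7:51004 -> 192.0.2.10:80
2024-03-01T10:00:03 DENY TCP 203.0.113.7:51005 -> 192.0.2.10:110
2024-03-01T10:00:04 DENY TCP 203.0.113.7:51006 -> 192.0.2.10:143
2024-03-01T10:00:04 DENY TCP 203.0.113.7:51007 -> 192.0.2.10:443
2024-03-01T10:00:05 DENY ICMP 203.0.113.7:0 -> 192.0.2.11:0
2024-03-01T10:00:05 DENY ICMP 203.0.113.7:0 -> 192.0.2.12:0
2024-03-01T10:00:06 DENY ICMP 203.0.113.7:0 -> 192.0.2.13:0
2024-03-01T10:00:06 DENY ICMP 203.0.113.7:0 -> 192.0.2.14:0
2024-03-01T10:00:07 DENY ICMP 203.0.113.7:0 -> 192.0.2.15:0
2024-03-01T10:00:30 DENY TCP 198.51.100.4:40000 -> 192.0.2.10:22
2024-03-01T10:15:00 DENY TCP 198.51.100.4:40001 -> 192.0.2.10:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_scans(events, window=timedelta(seconds=60), port_threshold=5, host_threshold=4):
    """Return {source_ip: set of alert names} using a sliding time window per source.

    A source is a port scanner if, within `window`, it is denied on at least
    `port_threshold` distinct (host, port) pairs; it is a ping sweeper if its
    ICMP probes reach at least `host_threshold` distinct hosts. A single repeated
    connection attempt to one port (a misconfigured client) raises nothing.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = defaultdict(set)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            in_window = evs[start:end + 1]
            ports = {(e["dst"], e["dport"]) for e in in_window if e["proto"] == "TCP"}
            hosts = {e["dst"] for e in in_window if e["proto"] == "ICMP"}
            if len(ports) >= port_threshold:
                alerts[src].add("port_scan")
            if len(hosts) >= host_threshold:
                alerts[src].add("ping_sweep")
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(src, sorted(kinds))
```

On the sample above only 203.0.113.7 is reported (for both a port scan and a ping sweep); the two slow retries from 198.51.100.4 to port 22 stay below both thresholds.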
b. Eavesdropping attack

Wiles et al. (2012) define an eavesdropping attack as the process of analyzing packets as they travel between a starting point and the end machine. A hacker typically employs protocol-analyzer equipment to conduct such eavesdropping. In the initial stage of eavesdropping, a hacker examines the traffic between the server and the user (Beal, 2005). The hacker then notes that the user has created a network connection and authenticated it with a password and a username. Since the network conveys the information in clear text, the hacker is able to obtain the login details to the network and spoof the user’s identity (Schneider, 2012). The protocol analyzer, also known as a packet sniffer, employed in eavesdropping may be a sophisticated hardware-based protocol analyzer like the Network Associates Sniffer products, or a software-based program running on a PC (Andel & Yasinsac, 2008). For software applications, the hacker requires a Network Interface Card (NIC) in promiscuous mode, which processes all frames. To eavesdrop, Kritzinger and von Solms (2010) assert, a hacker must be physically linked to the network somewhere between the source and the destination and must be able to see the actual packets. Another way of carrying out eavesdropping is by compromising a PC on the network and installing a packet-sniffing program on it. During eavesdropping, the hacker searches for passwords and account names, like Microsoft Windows logins, Telnet logins, and HTTP logins. The hacker also uses eavesdropping to analyze other information, like financial transactions or databases (Furnell, Bryant, & Phippen, 2007). In order to stop eavesdropping, it is crucial to apply some type of encryption to the user’s packets. Virtual Private Networks (VPNs) enable a user to apply the Data Encryption Standard (DES), AES, and 3DES encryption algorithms to safeguard information.
For terminal access, the user should employ Secure Shell (SSH) programs, which provide an encrypted form of Telnet (Norman, 2012). For web access, using HTTP over Secure Sockets Layer (HTTPS), which employs SSL encryption (Farmer, 2005), is the best deterrent. Notably, it is critical to encrypt certain types of information, including credit card data, financial transactions, passwords and usernames, personal information such as medical information, telephone numbers, and driver’s license numbers, as well as vital company information and trade secrets (Wiles, Gudaitis, Jabbusch, Rogers, & Lowther, 2012). Another way of preventing eavesdropping is the use of a switched infrastructure, known as SPAN (Switched Port Analyzer) by Cisco (Andel & Yasinsac, 2008), which provides each machine with its own switched port connection. With this design, the hacker can only see the traffic addressed to the compromised PC, or broadcast or multicast traffic.

Access attacks

This is another widespread form of attack on organizations’ or users’ information systems. Here, a hacker tries to gain unlawful access to a user’s system and its resources, specifically resources like e-mail, file, and web servers. A hacker does this by attempting to access password files with password-cracking programs, or by inspecting traffic on the user’s network for faults in running applications and systems, like buffer overflows, any of which may give a hacker access without authentication. Upon breaking into a machine on the user’s network, the hacker typically attempts to raise his/her privilege level as high as possible and then uses the account to access other network devices. A hacker may also change files on the user’s resources or erase all the data on the disk drive, for criminal purposes or merely for his or her own amusement (Furnell, Bryant, & Phippen, 2007).
Just like reconnaissance attacks, access attacks exist in various forms:

a. Unauthorized access attacks

In this form of attack, a hacker attempts to acquire unlawful access to resources in the user’s network (Flick & Morehouse, 2011). To succeed, the hacker may use several tools, including social engineering and reading password files with password-cracking programs. He/she can also guess passwords for popular accounts like administrator and root. Additionally, a hacker can employ a protocol analyzer to carry out an eavesdropping attack in order to inspect clear-text passwords within packets. In fact, social engineering is the easiest way of attaining illegal access to resources in a user’s network. Here, a hacker contacts different users in a network and pretends to be an administrator. He/she then informs the user about certain fictitious network security concerns and uses ingenuity and guile to collect data from users, which can then be used to access resources within the users’ networks. Alternatively, a hacker can disguise him or herself as a user and call a network administrator, acting as if he/she has forgotten his/her password. To prevent unauthorized access threats, Flick and Morehouse (2011) assert that it is advisable to use techniques matched to the methods used by the hacker to break into a user’s network. For example, if a hacker goes through a system’s remote access (dialup) server, a user can implement certain solutions. First, the user can employ the Challenge Handshake Authentication Protocol (CHAP) or the Point-to-Point Protocol (PPP), whereby the password is not sent over the wire but is tied to a certain user and verified by a security server (Norman, 2012). Second, a user can deploy double authentication. For instance, Cisco IOS routers contain two features for this: authentication proxy and Lock-and-Key access control lists (ACLs).
In this case, the administrator first authenticates the user via CHAP and then via lock-and-key. In fact, lock-and-key can also function over non-dialup connections (Xenakis & Merakos, 2004).

b. Data manipulation

This entails a process whereby hackers alter information in a user’s network. These alterations can be as simple as changing the contents of a file on a file server, or as complicated as modifying the contents of packets as they travel from a source to a particular destination device. A regular attack, known as graffiti, is for attackers to break into a user’s web server and change the content of its web pages. This kind of attack has occurred in several organizations, commonly those related to government resources, whereby a hacker cracks a web server and substitutes the web material with political or pornographic content (Bidgoli 2002). To carry out such an attack, Xenakis and Merakos (2004) maintain that a hacker must first execute a reconnaissance attack, like eavesdropping, in order to see the user’s passwords and accounts, and then conduct an illegal access attack. Creative hackers may apply ActiveX or Java, either to discover data about the user’s device or to access it. Similarly, a hacker can attempt to exploit known vulnerabilities within a web server’s operating system or application. To protect against this type of attack, it is important to enforce a robust and centralized authentication and authorization system like Cisco Secure ACS. This solution can limit what users may access, regulate what they may do on the service they access, and document incidents for security purposes (Stallings, 2009). In the case of file servers, there are tools available for taking snapshots of files, which can be kept in secure places. To make optimal use of these snapshots, a user should periodically compare the vital files on his/her server with the snapshots taken previously.
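A minimal version of that snapshot-and-compare check, written as an added example for this page rather than taken from the paper or from Tripwire itself; the web-root layout it builds in a temporary directory is constructed test data, and a real deployment would store the baseline read-only and off the monitored host.

```python
"""File-integrity baseline and comparison (added example, not the paper's code).

take_snapshot() records a SHA-256 digest for every regular file under a root;
compare_snapshots() reports what was added, removed or modified since the
baseline. Content hashes, not timestamps, decide "modified", so a defacement
that preserves the original mtime is still caught.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root) -> dict:
    """Map each regular file (path relative to root) to its digest and size."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing their target would let an attacker
        # point a link at a trusted file and hide a change.
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            snapshot[rel] = {"sha256": _sha256(path), "size": path.stat().st_size}
    return snapshot


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths
            if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def save_baseline(snapshot: dict, dest) -> None:
    """Persist the baseline as JSON; keep this copy somewhere the server cannot write."""
    Path(dest).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "htdocs").mkdir(parents=True)
        (root / "htdocs" / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "htdocs" / "about.html").write_text("<p>About us</p>\n")
        (root / "config.ini").write_text("[server]\nport=443\n")

        save_baseline(take_snapshot(root), Path(tmp) / "baseline.json")

        # Simulated data-manipulation: one page changed, one file deleted, one added.
        (root / "htdocs" / "index.html").write_text("<h1>Changed</h1>\n")
        (root / "config.ini").unlink()
        (root / "htdocs" / "extra.html").write_text("<p>unexpected</p>\n")

        baseline = load_baseline(Path(tmp) / "baseline.json")
        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```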
If the two differ, the user can be said to have become a victim of a data-manipulation attack. The user can then use security tools like Tripwire to help in detecting the files that have been compromised and fix them in time (Durbin, 2011). In addition, to stop ActiveX and Java attacks on users and web servers, a filtering solution that can filter ActiveX and Java scripts embedded in HTML pages can be deployed. There are several such solutions available, including the PIX firewall, as well as Cisco IOS routers (Stallings, 2009). Moreover, to stop hackers from exploiting known vulnerabilities to access a user’s system, it is critical to apply current security patches to operating systems and applications. Security patches are pieces of software meant to update or fix issues in a computer program or system (Bidgoli, 2002).

Another form of access attack is the session attack; these are the hardest attacks for a hacker to execute (Holtsnider & Jaffe, 2012). In this form of attack, a hacker attacks a session-layer link, expecting either to use the data yielded to create another attack, or to use deception in order to control the session by disguising his/her device as either the destination or the source device. There are four main classes of session attack: repudiation, masquerading, session replay, and session hijacking (Furnell, Bryant, & Phippen, 2007). In more detail, Xenakis and Merakos (2004) contend that masquerading attacks involve a technique used by a hacker to conceal his/her identity. The hacker impersonates a distinct device by modifying the source address in his/her IP packets. In IP, this kind of attack is known as IP spoofing, whereby a hacker uses a software program that alters the source address of the packets and the TCP sequence numbers of the TCP segments.
Furthermore, Choo (2011) claims that a hacker usually first carries out a reconnaissance attack, using a port scanner to see open ports, as well as an eavesdropping attack using a protocol analyzer in order to discover the real traffic flow, including passwords and usernames. It is worth noting that an advanced hacker can use a source IP address that lies within the user’s network to conduct a masquerading attack. The offender can combine this with a routing attack so that the packets sent to the destination are returned not to the source within the user’s network but to his/her own device (Flick & Morehouse, 2011). In session-hijacking attacks, a hacker tries to take control of an existing session between two machines. This incorporates other attack methods like eavesdropping, masquerading, and data manipulation. In fact, skilled hackers can position themselves between segments using a sniffing application in order to monitor conversations between the segments. On the other hand, Bidgoli (2002) holds that session replay attacks involve a hacker capturing packets from an actual session data transfer between two computers using a protocol analyzer. He/she then uses the data to conduct an attack on the destination at a later stage. At times, a hacker can deliver ActiveX or Java scripts that capture web transactions like credit card data for personal use. A skilled hacker also employs cookies in order to masquerade as a site and make a user’s device believe that the hacker’s device is the actual web destination (Stallings, 2009). Furthermore, Choo (2011) explains another type of attack, the repudiation attack, which involves a user’s inability to prove that a transaction has occurred between two parties. The hacker’s aim is to achieve repudiation when conducting session-layer attacks.
This is in contrast to non-repudiation, which is concerned with having complete proof of the identities of the transaction parties. This attack mode can be complemented by other attacks like masquerading, eavesdropping, port-scanning utilities, ActiveX, and Java scripts. To prevent session attacks, a user can employ various solutions, including VPNs, SSL for web browser links, and authentication with digital signatures. Users can also filter ActiveX and Java scripts or block e-mail from public e-mail websites (Bidgoli, 2002).

Malware

According to Bidgoli (2002), this is a class of malicious code comprising worms, viruses, and Trojan horses, among others. Destructive malware uses known communication techniques to multiply, including worms that are sent via instant and e-mail messages, virus-infected documents downloaded from peer-to-peer links, and Trojan horses from websites. These forms of malware aim to exploit available vulnerabilities on networks by entering quietly and easily.

a. Worms

This is a category of malicious program whose aim is to exploit network vulnerabilities heavily in order to multiply itself. The category was named for the manner in which worms creep from one computer to another via e-mail and networks. This feature allows a high rate of multiplication across networks.

b. Viruses

These are programs that infect other programs by adding their own code in order to gain control of the corrupted files as soon as they are opened. This ordinary definition describes the basic action performed by a virus infection.

c. Trojans

According to Korper and Ellis (2001), these threats are programs that conduct unauthorized activities on computers, like deleting data on disk drives, stealing private information, and causing programs to hang, among others.
This category of malicious program is not a virus in the conventional meaning of the word, in that it does not contaminate other data or computers (Wheeler 2011). Trojans do not attack computers by themselves; they are spread by hackers, who mask them as ordinary software. The loss of data experienced by individuals and businesses may exceed that caused by traditional virus infections many times over because of their ability to multiply, hence causing extensive damage to information systems (Khan & Mustafa, 2009).

d. Spyware

This is another category of threat, involving software which collects data or information regarding a specific user or company without their awareness. An organization or a user may not know that spyware has been inserted in their computers, leading to eventual damage caused by the undetected threat. Spyware can damage a computer system by redirecting web browsers, installing extra software, or altering computer settings, hence slowing internet connections and degrading the software settings of the system (Korper & Ellis, 2001).

e. Riskware

This involves risky applications: software which does not itself contain malicious characteristics. Nevertheless, such software can become part of the growing environment for malicious programs, or can be exploited by hackers as supplementary components of destructive programs (Choo, 2011).

f. Rootkits

This class of threat comprises utilities used to conceal destructive activities. The utilities disguise malicious programs in order to prevent anti-virus programs from sensing them. Besides this, rootkits are able to change the operating system on a computer and interfere with its fundamental functions in order to hide their own actions and existence on the contaminated computer (Choo, 2011).
Denial of Service (DoS) Attacks

Hunter (2002) holds that this category comprises a hacker attempting to deny lawful users and traffic access to a certain resource, or to lower the quality of service. Despite the numerous types of DoS attack, the easiest to execute is the flood attack, whereby a hacker overpowers a network or device with a flood of ICMP packets. Common kinds of DoS attack include the application attack, which is a simple attack on a function running on a server (Colling & York, 2010). Another variation of this threat, Andress (2011) asserts, is the e-mail bomb, which involves a hacker tying up an e-mail resource on a network, or compromising the e-mail server’s security. CPU hogging attacks consume the service’s CPU cycles. In addition, there is another type of DoS attack called chargen, in which a character generator produces serialized character output. Usually, chargen employs UDP, but it may also be run over TCP (Colling & York, 2010). Furthermore, there is the packet fragmentation and reassembly attack, an ingenious attack whereby a hacker sends several fragments to a service destination in the hope that the destination machine perceives them as legitimate connections, thereby wasting CPU cycles and buffer space in processing them. Additionally, Hunter (2002) describes Smurf attacks, in which the hacker sends ICMP traffic to a certain destination but substitutes his/her own source IP address in the packet header with the target device’s IP address. Other DoS attacks include TCP SYN flood attacks, rerouting attacks, ping of death, and WinNuke, among others. In order to prevent DoS attacks, it is imperative to use available solutions, including packet filtering; using an IDS (Intrusion Detection System); using routing protocols with authentication; and keeping detailed logs and audits (Bidgoli 2002).
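The following added example (not from the paper or any cited work) shows how three of the points above, the ICMP/SYN flood, the Smurf pattern and the packet-filtering countermeasure, look as detection logic in Python over a constructed packet log; the internal prefix 192.0.2.0/24, the interface name "ext" and the record layout are assumptions for the example.

```python
"""Flood, Smurf and anti-spoofing indicators over a packet summary.

Added example, not the paper's code. Each record is
(unix_time, ingress_iface, proto, src, dst, info), mimicking a flow or packet
log. INTERNAL and EXTERNAL_IFACE are assumptions for the example.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.0.2.0/24")
EXTERNAL_IFACE = "ext"

# Constructed sample traffic.
PACKETS = [
    # Packets arriving from outside that claim an internal source address.
    (95.0, "ext", "TCP", "192.0.2.77", "192.0.2.10", "SYN"),
    (95.1, "ext", "TCP", "192.0.2.78", "192.0.2.10", "SYN"),
    # An ordinary web connection from outside.
    (100.0, "ext", "TCP", "198.51.100.9", "192.0.2.10", "SYN"),
    (100.2, "ext", "TCP", "198.51.100.9", "192.0.2.10", "ACK"),
    # Smurf pattern as seen at the amplifier network: echo requests aimed at the
    # directed-broadcast address, source forged to the intended victim.
    (101.0, "ext", "ICMP", "198.51.100.20", "192.0.2.255", "echo-request"),
    (101.1, "ext", "ICMP", "198.51.100.20", "192.0.2.255", "echo-request"),
    (101.2, "ext", "ICMP", "198.51.100.20", "192.0.2.255", "echo-request"),
]
# SYN flood: 60 SYNs to one host within one second, from rotating sources.
PACKETS += [
    (102.0 + i * 0.01, "ext", "TCP", f"203.0.113.{i % 20 + 1}", "192.0.2.10", "SYN")
    for i in range(60)
]


def spoofed_ingress(packets):
    """Packets on the external interface that claim an internal source.

    An ingress (anti-spoofing) filter on the border router drops these; they
    are what the paper's 'packet filtering' countermeasure is meant to catch.
    """
    return [
        p for p in packets
        if p[1] == EXTERNAL_IFACE and ipaddress.ip_address(p[3]) in INTERNAL
    ]


def smurf_indicators(packets):
    """ICMP echo requests addressed to our directed-broadcast address.

    A router that refuses to forward directed broadcasts stops the network
    from being used as a Smurf amplifier against the forged source.
    """
    bcast = str(INTERNAL.broadcast_address)
    return [
        p for p in packets
        if p[2] == "ICMP" and p[5] == "echo-request" and p[4] == bcast
    ]


def syn_flood_hosts(packets, window=1.0, threshold=50):
    """Map each destination whose peak SYN count inside any `window` seconds
    reaches `threshold` to that peak count (sliding-window rate check)."""
    syn_times = defaultdict(list)
    for ts, _iface, proto, _src, dst, info in packets:
        if proto == "TCP" and info == "SYN":
            syn_times[dst].append(ts)

    flooded = {}
    for dst, times in syn_times.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooded[dst] = peak
    return flooded


if __name__ == "__main__":
    print("spoofed-source packets:", len(spoofed_ingress(PACKETS)))
    print("smurf echo requests:", len(smurf_indicators(PACKETS)))
    print("SYN-flooded hosts:", syn_flood_hosts(PACKETS))
```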
Conclusion

Without doubt, many organizations are experiencing the major challenge of insecurity in their information systems. Research shows that human, physical, as well as technical assets are the most vulnerable to security threats. As a result, several businesses have lost vital information, with subsequent losses to business continuity and critical services. Computer security is thus necessary in upholding the integrity, confidentiality, availability, non-repudiation, and authenticity of information network resources, including software, hardware, firmware, data or information, and telecommunications of commercial organizations. As has been outlined, there are several categories of security threats to information systems, including DoS, reconnaissance, and access attacks. To prevent these attacks, many countermeasures are available, including packet filtering, encryption, routing protocols with authentication, keeping detailed logs and audits, use of a switched infrastructure, the Challenge Handshake Authentication Protocol (CHAP), double authentication, and a robust and centralized authentication and authorization system like Cisco Secure ACS, among others. These countermeasures are chosen according to the type of threat, as well as the techniques used by hackers to break into networks.

References

Andel, T.R. & Yasinsac, A. (2008). Adaptive Threat Modeling for Secure Ad Hoc Routing Protocols. Electronic Notes in Theoretical Computer Science, 197(2), 3-14.
Andress, J. (2011). Chapter 1 - What is Information Security? In The Basics of Information Security, pp. 1-16.
Andress, J. (2011). Chapter 6 - Operations Security. In The Basics of Information Security, pp. 81-95.
Azad, T.B. (2008). Chapter 1 - Introduction to Security. In Securing Citrix Presentation Server in the Enterprise, pp. 1-67.
Basagiannis, S., Katsaros, P., Pombortsis, A. & Alexiou, N. (2009). Probabilistic model checking for the quantification of DoS security threats. Computers & Security, 28(6), 450-465.
Beal, B. (2005). IT security: the product vendor landscape. Network Security, 2005(5), 9-10.
Bidgoli, H. (2002). Chapter 11 - Security Issues and Measures: Protecting Electronic Commerce Resources. In Electronic Commerce, pp. 363-398.
Choo, K.R. (2011). High tech criminal threats to the national information infrastructure. Information Security Technical Report, 15(3), 104-111.
Choo, K.R. (2011). The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719-731.
Colling, R.L. & York, T.W. (2010). Chapter 3 - Security Risks and Vulnerabilities. In Hospital and Healthcare Security, pp. 51-84.
Colwill, C. (2009). Human factors in information security: The insider threat – Who can you trust these days? Information Security Technical Report, 14(4), 186-196.
Durbin, S. (2011). Tackling converged threats: building a security-positive environment. Network Security, 2011(6), 5-8.
Durdağı, E. & Buldu, A. (2010). IPV4/IPV6 security and threat comparisons. Procedia - Social and Behavioral Sciences, 2(2), 5285-5291.
Farmer, M.C. (2005). Environmental consequences of social security reform: a second best threat to public conservation. Ecological Economics, 53(2), 191-209.
Flick, T. & Morehouse, J. (2011). Chapter 2 - Threats and Impacts: Consumers. In Securing the Smart Grid, pp. 19-33.
Furnell, S.M., Bryant, P. & Phippen, A.D. (2007). Assessing the security perceptions of personal Internet users. Computers & Security, 26(5), 410-417.
Gandotra, V., Singhal, A. & Bedi, P. (2012). Threat-Oriented Security Framework: A Proactive Approach in Threat Management. Procedia Technology, 4(2), 487-494.
Holtsnider, B. & Jaffe, B.D. (2012). Chapter 8 - Security and Compliance. In IT Manager's Handbook (Third Edition), pp. 205-246.
Hunter, P. (2002). VOIP the latest security concern: DoS attack the greatest threat. Network Security, 2002(11), 5-7.
Khan, R.A. & Mustafa, K. (2009). From threat to security indexing: a causal chain. Computer Fraud & Security, 2009(5), 9-12.
Korper, S. & Ellis, J. (2001). Chapter 10 - Secure Your Investment: Security Threats and Solutions. In The E-Commerce Book, pp. 189-210.
Kritzinger, E. & von Solms, S.H. (2010). Cyber security for home users: A new way of protection through awareness enforcement. Computers & Security, 29(8), 840-847.
Maliapen, M. (2012). Computer Security. In Encyclopedia of Applied Ethics (Second Edition), pp. 547-552.
Norman, T. (2012). Chapter 19 - Security System Integration. In Electronic Access Control, pp. 263-279.
Onwubiko, C. & Lenaghan, A.P. (2007). Managing Security Threats and Vulnerabilities for Small to Medium Enterprises. IEEE International Conference on Intelligence and Security Informatics, pp. 1-6.
Rountree, D. (2011). Chapter 4 - System Security. In Security for Microsoft Windows System Administrators, pp. 109-134.
Schneider, D. (2012). The state of network security. Network Security, 2012(2), 14-20.
Smith, M., Friese, T., Engel, M. & Freisleben, B. (2006). Countering security threats in service-oriented on-demand grid computing using sandboxing and trusted computing techniques. Journal of Parallel and Distributed Computing, 66(9), 1189-1204.
Stallings, W. (2009). Chapter 36 - Physical Security Essentials. In Computer and Information Security Handbook, pp. 627, 629-643.
Theoharidou, M., Kokolakis, S., Karyda, M. & Kiountouzis, E. (2005). The insider threat to information systems and the effectiveness of ISO17799. Computers & Security, 24(6), 472-484.
Vacca, J.R. & Ellis, S.R. (2005). Chapter 14 - Internal IP Security Threats: Beyond The Firewall. In Firewalls, pp. 231-248.
Wheeler, E. (2011). Chapter 11 - Threat and Vulnerability Management. In Security Risk Management, pp. 215-237.
Wiles, J., Gudaitis, T., Jabbusch, J., Rogers, R. & Lowther, S. (2012). Chapter 2 - Low tech vulnerabilities: Physical security. In Low Tech Hacking, pp. 31-49.
Xenakis, C. & Merakos, L. (2004). Security in third Generation Mobile Networks. Computer Communications, 27(7), 638-650.
Yeh, Q. & Chang, A.J. (2007). Threats and countermeasures for information system security: A cross-industry study. Information & Management, 44(5), 480-491.
Young, C.S. (2011). Chapter 1 - Security threats and risk. In Metrics and Methods for Security Risk Management, pp. 3-18.
56 Pages (14000 words) Essay

The Influence of Information Technology on Business

The paper "The Influence of information Technology on Business" states that penetration testing and vulnerability scanners can find all the loopholes and importantly 'plug' and secure them.... In the future, organisations will implement more advanced IT applications.... hellip; organisations and its IT personnel should take care or fulfil four major aspects to develop optimal protection systems, and they are Penetration testing, intrusion detection, incidence response and legal/audit compliance....
8 Pages (2000 words) Research Paper

Strategic Human Resource Management

Generally, organisations use two kinds of HRM approaches to manage their performance which are best practice approach and best fit approach.... It is up to the management of organisations to decide whether they use best practice or best fit for their HRM strategy which can determine the success of organisation (Caligiuri & Colakoglu, 2007).... The paper… The competitiveness of multinational corporations (MNCs) in the international business environment of the present era is dependent on the In the global setting, human resource managers face challenging duties for improving the performance of organisation....
12 Pages (3000 words) Essay

The Practical Role of Conduct and Practices Within IS of an Organisation

It facilitates disciplinary practices within organizations with respect to utilization and control of information.... owadays, there has been a growing interest among different organizations in order to adopt codes of conduct and practices within the area of information System (IS).... By providing ethical business practices, codes of conduct play a vital part in organizations by making them responsible toward clients, employees, government, and other major stakeholders....
14 Pages (3500 words) Research Paper

Pinewood Healthcare Limited - Social Computing

hellip; According to the present business performances of Pinewood, it has been observed that the company supplies its range of 'Renal Care Products' accumulating around 77% of the overall Irish market.... From the paper "Pinewood Healthcare Limited - Social Computing " it is clear that the various activities that were performed such as creating a Facebook account as well as preparing an organizational blog were relatively a less time-consuming task....
14 Pages (3500 words) Case Study

Compilation of Security Data Issues

Data encryption permits a business to attain military-level security with simple and inexpensive solutions (Salomon 2003).... t would not be a wise idea to use any security principles that negatively affect the business or organization.... It is an essential strategy for securing business data.... ata encryption safeguards sensitive information whether kept in a PDA, a desktop or laptop, portable storage media, an email network, or even the corporate system....
12 Pages (3000 words) Report
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us