Subordinate Communication in the Age of Informational Technology - Assignment Example

Terminology Memo Bob Rafalus, CEO CISO 04/13/2007 Re: Terminology Dear Sir, While the period that you arereferring to is barely three decades back, they may be identified as seminal decades within the information technology field and industry. Indeed, research and development within this field have propelled the industry forward and have revolutionized both information technology and its usage, whether measured in terms of scope or range. It is from within the context of revolutionary developments and expanded use of IT that new security threats have emerged and, as a direct reaction, new information assurance strategies an systems. In order to clarify how any of this pertains to our organization, I would like to draw attention to the fact that corporate data is stored on our networks, much of it highly sensitive, departments communicate with one another via the company' intranet system and, unauthorized intrusions could threaten the company's well-being. In some instances, as in Level II or III attacks, they have the potential to be catastrophic. Bearing this in mind, I will now restate what I discussed in the executive meeting regarding the three generation of IA technologies but shall better clarify their relevancy to our company. The first generation of IA technologies is exclusively focused upon the prevention of intrusion. As may be deduced from Liu, Yu and Jing's (2005) definition and analysis of the first generation of IA Technologies, it is imperative that any corporate entity, not just ours, have such a system in place. It involves the implementation of multiple levels of data securitization, seeking to protect information from both unauthorized physical and network access and attack. It is, thus, that our data is encrypted, for example. Encryption functions to maximize the security of data by rendering the deciphering of data retrieved through unauthorized access, difficult. The second generation of IA technologies is founded upon an acknowledgement of the fact that the first generation of IA technologies cannot prevent all forms and types of unauthorized access and subsequent retrieval of data. Indeed, as you yourself may recall, less than a year ago our company was subjected to several intrusion attempts. The IT department was effectively able to identify the intrusion attempts and to offset them precisely because the company has second generation IA technologies in place, whether firewalls or intrusion detectors. As you may recall from our meeting, I did not spend too much time discussing the first and second generations outlined in the above but focused on the importance, indeed, imperatives, of implementing third generation IA technologies. Even while conceding to the fact that the implementation of such a system of technologies is expensive, I would argue that not doing so can prove even more costly. To clarify this, I will define and discuss third generation IA technologies in specific relation to our company. The third generation of IA technologies withstands categorization into two groups, as Liu, Yu and Jing (2005) explain. These are intrusion making and defense in depth. Within the context of the first, the primary aim is to maximize the survivability of a system, even when it has been subjected to attack. It necessitates the redesigning of our current system around the following principles: "(a) redundancy and replication, (b) diversity, (c) randomization, (d) fragmentation and threshold cryptography and (e) increased layers of indirection" (Liu, Yu, and Jing, 2005, p. 112). This system will maximize, not only the company's ability to prevent and detect intrusions but, of greater importance, it will protect our data, hence the company, if violated. The second category of third generation IA technologies I mentioned at the meeting is defense in depth. It would involve our implementing technologies as "(a) boundary controllers, such as firewalls and access control, (b) intrusion detection and (c) threat/attack/intrusion response" (Liu, Yu, and Jing, 2005, p. 112) and, importantly, does not call upon us to redesign our current system. It is my recommendation, as stated in the meeting, that the company implement a third generation IA technology which focuses on proactive response to detected intrusions. Such systems react to suspicions of intrusion/unauthorized access and quite effectively protect data. Importantly, it is comparatively cost-effective and does not necessitate our redesigning our networks. Indeed, given that our company's primary asset is our data, I would strongly recommend the implementation of the advice presented in this memo. Once again, I do apologize for failing to have explained the relationship between information assurance technologies and our own well-being as a company more clearly. I hope that this memo clarifies the aforementioned. Hard Figures Memo To: Sandra O'Shaunessy, CFO From: CISO Date: 04/13/2007 Re: Hard figures for ROI on security Dear Ms. O'Shaunessy, Prior to answering your question, I would like to draw attention to the fact that there are no accurate figures on the cost of computer crimes. Rhodes-Ousley, Bragg, and Strassberg (2003) point out that many identity theft victims are not aware of the fact that their privacy has been violated and their identity exploited and more companies than imaginable do not report intrusion and data violation. As pertains to the first, individual users do not have the means/technologies to detect intrusion and are only made aware of identity theft when their credit scores are virtually destroyed. As pertains to the second, publicity concerns often dissuade companies from reporting violations to authorities. They fear that doing so would adversely impact their standing in the market and undermine customer trust. Accordingly, many prefer not to report incidents of attack. Even those who do sometimes betray a definite lack of transparency regarding the financial losses incurred as a result (Rhodes-Ousley, Bragg, and Strassberg, 2003). Hence, the figures which I will cite are not an accurate representation of the cost of computer crimes, although they are based on the latest data. Available prevalence figures are, again, estimates but, it is important to note that they are estimates forwarded by Symantec Corp., one of the largest and more prominent of the network security solution companies around. According to Symantec, in the first half of 2004 (at the time of the publication of the information) companies were subjected to at least 11 intrusion attempts every single day (Chen, Thompson and Elder, 2005). In relation to financial cost, FBI estimates that computer crimes, comprising all of viruses, spam and data intrusion, cost corporate America 67.5 billion dollars a year. In a survey of 2066 organizations, 67% revealed that they had been victims of a cyber attack/computer crime and the average financial cost per attack exceeding $24,000 (Evers, 2006). To get a clearer idea of the cost of different types of attacks/intrusions, please look at the table below: Threat Cost per annum Viruses and Security breach Virtually incalculable but estimated at $184 per record violated (Hines, 2006) Spyware $62 billion (Eazel, 2006) Spam $10 billion (Krim, 2003) As you may see for yourself, there is an inconsistency between the numbers reported in the table and the figure for total estimated crimes. This is because the figures are estimates reported by different agencies. What is known, however, and what is perfectly clear is that the cost of computer crimes is unsustainable. Therefore, as I mentioned in a memo sent to our CEO, I strongly recommend budgeting for the upgrade of our IT security system. Hiring Hackers Memo To: Dajilu Nderokali, Director of Human Resources From: CISO Date: 04/13/2007 Re: Hiring hackers I must confess that your questions both surprise and please me. Most people assume that hackers can only function as a security threat when, the fact of the matter is, they have extremely important and constructive security functions. Between you and me, a significant percentage of hardware and software bugs, bugs which render networks vulnerable to attack, were uncovered by hackers. Professional hackers, can be either a male or a female actually, are a source of invaluable information on both security weaknesses and network security procedures. I do support your idea and believe that it is something that we need to investigate. In order to better clarify my reasons, I would like to present a brief overview on who hackers are and precisely what it is that they do. Hackers, as Gold (2001) contends, may be divided into two broad categories. The first, primarily comprised of criminals in the sense that their only motivation for accessing a network unauthorized is to steal the data on it and use it for financial purposes or, to bring a network down for no other reason than to prove that they can, should never be considered for employment at this company. This group is primarily comprised of irredeemable criminals whom we cannot allow in our company and certainly not anywhere near our networks. The second group of hackers is very different. According to Gold (2001) and which you yourself may confirm by visiting one of their websites, such as Cult of the dead Cow and I Hack Stuff, this group has no criminal intent per se. Certainly, the fact that they search for and exploit security holes and, in some cases, illegally access data, is criminal in itself and a violation of privacy. Their intent, however, is not the exploitation of data for criminal purposes but the exposition of security bugs in networks and the design of strategies and systems which resolve these particular bugs. From a professional perspective, the hiring of IT security personnel from the second group of hackers would be the correct thing to do. As noted, professional hackers from this group have a proven track record when it comes to the detection of security holes and network vulnerabilities as would allow for intrusion and any one of the three levels of attack. More importantly, many have proven their ability, not only to resolve these weaknesses and vulnerabilities, hence enhance information assurance but have further established just how effective they can be when it comes to protecting corporate networks. Indeed, a German security firm, specializing in the design of firewall and intrusion detection systems, recently hired the teenage hacker suspected of being the author of the Netsky worm/virus. The company's rationale was simply that professional hackers possess a working and experiential knowledge of both the hacker community and of network vulnerabilities as would place them in a better position than most to enhance information assurance (Tech Web, 2004). Interference Memo To: Ernst Korniolovski, Director of Research & Development From: CISO Date: 04/13/2007 Re: Interference with productivity of R&D group Dear Sir, I would like to proceed with protestation at your tone of speech. In so doing, I am not objecting your decision to speak to a work colleague in such a way but to your failure to understand the interconnectivity of business processes within an organization. My department, yours and all others within this organization are intimately connected. We may believe that we function in relative isolation but the fact of the matter is that we do not. My department's actions impact on you, whether directly or indirectly and vice-versa. This is the same thing with network systems. Every workstation, every database and, indeed, every instance of access functions as one whole or, at least, should do so. The network, as you yourself know, communicates with its variant parts/databases. Therefore, when you tweak' a part of that whole to get it to do what you want, you are adversely impacting, no matter how minor the degree, the operation of the whole. Indeed, as Rhodes-Ousley, Bragg and Strassberg (2003) argue, the interference of non-authorized and non-specialized personnel in the way in which the network, or even a seemingly inconsequential database or program within it works, threatens the integrity of the entire network. While not intending to compare your tweaking' of programs on the network with the work of attackers, I should like to emphasize that insidious attacks are often based on that which you/your department did: the continued, albeit minor, irritating tampering with the integrity of programs and databases. When that needs to be done, should it need to be done, your department should contact mine. As regards your protestations over our securitization of the data, the question is not at all whether any one would be interested in your department's research or not. The question quite simply relates to the fact that your data belongs to the company, it is on the company's servers and its integrity must, accordingly be protected. I apologize for not being able to accommodate you but I have tried to explain, without using technical terms, the impossibility of acceding to your demands. We will, however, attempt to facilitate R&D intra-departmental communications. Bibliography Eazel, W. (2006, Feb. 10) Spyware costs firms $62 billion in 2005. SC Magazine. Accessed 10 April 2007 from http://scmagazine.com/us/news/article/540680/spyware-cost-firms-62b-2005/ Evers, J. (2006, Jan. 19) Computer crimes cost $67 billion. CNET. Accessed 10 April 2007 from http://news.com.com/Computer+crime+costs+67+billion,+FBI+says/2100-7349_3-6028946.html Gold, B. (2001) Infowar in Cyberspace: Researcher on the Net. New York: Booklocker. Hines, M. (2006, Oct. 20) Cost of data breaches rise sharply. E-Week. Accessed 10 April 2007 from http://www.eweek.com/article2/0,1895,2034667,00.asp Krim, J. (2003, Mar. 13) Spam's cost to business. Washington Post. Accessed 10 April 2007 from http://www.washingtonpost.com/ac2/wp-dyn/A17754-2003Mar12 Rhodes-Ousley, M, Bragg, R. and Strassberg, K. (2003) Network Security: The Complete Reference. New York: McGraw-Hill. Tech Web (2004, Sep. 20) German security firm hires hacker awaiting trial. Tech News. Accessed 10 April 2007 from http://www.landfield.com/isn/mail-archive/2004/Sep/0030.html Read More