
Study of Cyber Attacks - Essay Example

Summary
The paper "Study of Cyber Attacks" discusses that attacks that exploit security holes in hardware and software systems are quite common. Apart from the above-described incident, the company was subjected to a second attack as a direct outcome of a security hole in its Cisco IOS router…

Extract of sample "Study of Cyber Attacks"

Malware Memo
Bill Sparrowhawk, Phoenix Office
CISO
05/18/2007
Re: Malicious Software

I'd like to begin by clarifying that there are two reasons for our susceptibility to malicious software. The first is the presence of holes and security vulnerabilities in both our operating system and our hardware. The second is the very nature of our identity as a profit-making company. I'll now explain both in turn.

Prior to our transition to Windows NT Service Pack 4, we were vulnerable to a significant security flaw which Microsoft had not informed its users of. Pre-Service Pack 4 Windows NT had a security hole, a bug, which rendered it highly vulnerable to DoS, or Denial of Service, attacks. The consequence was that the company suffered a land attack which subsequently forced our networks into a "ping of death" (Liu, Yu, and Jing, 2005). This means that the network was forced into the continued and repetitive transmission of packets which exceeded the allowable size. As you may well recall, the DoS attack paralyzed our systems and cost us in excess of $150,000.

Attacks which exploit security holes in hardware and software systems are quite common. Apart from the above-described incident, the company was subjected to a second attack as a direct outcome of a security hole in its Cisco IOS router. This, the most popular corporate router, had a serious security flaw which the company only identified after the release of the router and even then did not inform users about (Zetter, 2006). Consequently, our company, just like countless others, was attacked through this security hole.

In the second place, our identity renders us the target of attacks. It is unlikely that any hacker would deliberately target your daughter's computer and infect it with a Trojan Horse but, where we are concerned, the issue is quite different. As a profit-making organization, we represent potentially financially lucrative information (Rhodes-Ousley, Bragg, and Strassberg, 2003).
We are targeted by professional hackers who seek out security flaws in our system for the explicit purpose of infecting us, either in order to access our data or to bring our networks to a halt (Rhodes-Ousley, Bragg, and Strassberg, 2003).

The fact of the matter is that our department has protected our networks as much as is possible. The fact that we send out malware alerts or often engage in the cleaning up of the system is quite simply because we cannot afford any viruses on our networks. Malware could undermine the integrity of our data and, therefore, we often resort to the exercise of extreme precaution. Indeed, it is quite probable that your daughter's computer has some malware on it but that she is not able to identify it. We, on the other hand, identify and remove all malware.

Lastly, Windows OS is more vulnerable to malware than is Macintosh OS. This is because of security holes in the former which are not present in the latter and because hackers target Windows much more than they do Macintosh (Rhodes-Ousley, Bragg, and Strassberg, 2003). Migrating to Macintosh, however, is not an option both because it would be too costly and because it does not have the software range that we need.

P2P Memo
To: Salamanika Giorgiopolis, Corporate Counsel
From: CISO
Date: 05/18/2007
Re: Peer to Peer and Piracy

Irrespective of the popularity of Peer to Peer networks and regardless of the fact that 'everyone is doing it,' company employees are explicitly prohibited from running P2P programs on company computers or from using the company's network connection to download files through these programs. Apart from the aforementioned being explicitly forbidden under company policies and regulations, it comprises an immoral and illegal violation of copyright laws which the company is not going to abide.

Copyright laws are very precise, leaving little room for manoeuvring or interpretation.
As Paradise (1999) clarifies, this body of legislation determines the fortification of ownership rights over intellectual, and other non-tangible, properties. To access and exploit the said property without the owner's permission and without paying the requisite price, if any, constitutes theft and is treated as such both by national and international law. Indeed, in response to the fact that information and computer technology have significantly facilitated the ability of people to steal copyrighted material and to violate copyright laws, copyright laws have been updated. As Powers (2005) explains, the Digital Millennium Copyright Act (1998) explicitly outlines the illegality of exploiting ICT for the infringement of copyright laws and the consequences of doing so. In other words, downloading copyrighted material through P2P networks is theft and is regarded as such by the law.

Certainly, millions habitually engage in the violation of intellectual copyright laws through P2P networks. In so doing, they are committing a misdemeanour which places them at risk of paying a substantial monetary fine per copyrighted piece downloaded (Whelan, 2003). Within the context of corporate entities, given that management, leadership and corporate policies are responsible for the regulation of employee behaviour, the company is held liable for infringements (Whelan, 2003). Apart from the financial cost involved in settling such cases, the pall which it casts upon a company's public image means that few, if any, employees are worth the company's sacrificing its reputation over. Accordingly, employees found guilty of violating company policies on P2P networks and piracy will be terminated.

Law and corporate policies, however, should not function as the safeguard against employees' violation of intellectual copyright laws; basic morality should.
As employees of a company which invests in research and development and encourages employee creativity and, itself, copyrights designs and innovations, you are fully cognizant of the time, effort and investment expended into each and every piece of intellectual property. Can you honestly persuade yourselves that stealing that effort is moral? Added to that, are you willing to take personal responsibility for the consequences which may arise from the continued theft of copyright material through P2P networks?

Artists, be they musicians or film producers, software designers and innovators are losing money and some are even losing out on the original investment made to produce and create the piece of intellectual property which is constantly being illegally swapped and stolen through P2P networks (Whelan, 2003). The motivation to create, innovate and invest the requisite time, effort and financial resources in either is decreasing because of habitual theft. The problem is not only a legal one but a moral one. Our personal moral codes should prevent us from engaging in this practice.

Keys Memo
To: Thomas Pollux, Accounting
From: CISO
Date: 05/18/2007
Re: These *%$(% keys

I would first begin by thanking you for drawing our attention to the fact that we implemented the said encryption system and offered employees a training session without really explaining, in layman's terms, how these keys function or why, indeed, we need them in the first place. To help clarify these issues, I will first offer a simple definition of a public key cryptosystem and then respond to each of your questions in turn.

The system implemented is known as a public key cryptosystem. Common to all such systems, it uses two interrelated keys, one of which is private and secret and the other of which is public. The public key is known to all message senders. This system enables encryption using the public key and decryption using the private key, thereby ensuring the privacy of all messages (Rubin, 2005).
While I am sure you must still think of this as an unjustified annoyance, an explanation of the functions and imperatives of cryptography may change your thinking. In brief, cryptography is a process by which data is rendered into indecipherable code as a strategy for ensuring both its integrity and privacy. Decryption is only possible using the secret key (Juels, 003).

The imperatives of encrypting data are determined by the medium of storage and transmission. Our servers, on which we store our data, are liable to infiltration irrespective of precautions taken. Similarly, as data is transmitted across networks it basically enters into public space, implying that it is vulnerable to interception. Decryption can, subsequently, only proceed by entering the secret, private key (Oliva et al., 2004; Matsuura, 2006). This is the reason why you have been, as all employees, assigned a private, secret key.

Among the questions you've raised is why secret keys should be guarded and their secrecy preserved. There is a simple explanation. It is an extremely common oversight for people to leave their secret keys lying about, exposed to others. Should that happen and should another have access to your key, he/she will not only be able to decrypt your private data but, for those employees/managers who have security access to sensitive company data, will also gain access to corporate data (Matsuura, 2006). The emphasis we placed on guarding the secrecy of your private key was, therefore, instigated by concern for both the security of company data and your own privacy.

Another of the questions you raised is why have two keys, especially when one of them is public and, therefore, accessible to all. This is a good question and the answer is quite straightforward. The public key is used for encryption and the fact that it can be accessed by anyone is unimportant given that decryption is contingent upon possession of the private/secret key (Oliva et al., 2004; Matsuura, 2006).
In other words, each of the two keys fulfils a specific function in the cryptographic process and the nature of these functions is such that it is imperative to keep the one private and the other not.

I hope the above has answered your questions and please contact me if not.

PKI Memo
To: Amaryllis Swain, CTO
From: CISO
Date: 05/18/2007
Re: PKI

Public Key Infrastructure (PKI) is a technology with antithetical effects. On the one hand, it has the power to ensure the authenticity of any transaction, is available to all users and, importantly, facilitates the implementation of e-commerce applications (Adams and Lloyd, 2002). On the other hand, PKI is extremely expensive, can enable fraud and its implementation necessitates the active restructuring of both hardware and software, if it is to be effective.

Upon weighing the pros against the cons, the aforementioned could influence one towards opposition to the implementation of PKI. This, however, is not really an option. Quite simply stated, PKI is integral anywhere where powerful authentication has been identified as an imperative and, indeed, within the context of companies which have opted for an online presence, is as important as are firewalls. PKI is essential for all of the human resource data management and communication, business to business transactions and bank exchanges (Adams and Lloyd, 2002). The fact that we need to implement a PKI is inarguable, with the only question being whether we should buy or make it.

Designing, or making, a PKI is a daunting task. Apart from the fact that it requires that network professionals expend a tremendous amount of time and effort going through countless acronyms and algorithms, the question always remains whether the network personnel have the requisite qualifications to manage all possible security issues. One of the most common, and most serious, problems which arise from PKIs which have been designed and built in-house is compromised certificates.
The aforementioned is a direct outcome of network, physical and/or personal security which is not up to specifications/qualifications (Housley and Polk, 2001). Bearing the aforementioned in mind, therefore, I would strongly recommend the purchase of a PKI, as opposed to making it.

By recommending purchase, I am not claiming that this option does not have its own set of concerns or that it is completely devoid of disadvantages. As Housley and Polk (2001) argue, concerns, most naturally, stem from the fact that we are ultimately exposing our security to a third party or, to an extent, placing our security in the hands of another. Many companies often fear doing so, believing that delegating so much trust to another is simply too risky. That is not entirely true. It may be risky but, given that we are ultimately dealing with reputable companies, the risk is minimal in comparison to what we will go through were we to design our own system.

Proceeding from the above stated, I recommend that we establish contact with a third party and bring them in to study our network, and current and future requirements. The PKI has to be customized to our network and needs and building it is a time-consuming task. I assure you that were we to select this option, my department will monitor every step of the process and double-check everything, ultimately ensuring the privacy and security of the company's data.

Bibliography

Adams, C. and Lloyd, S. (2002) Understanding PKI: Concepts, Standards and Deployment Considerations. NJ: Addison-Wesley.
Housley, R. and Polk, T. (2001) Planning for PKI. NY: Wiley.
Liu, P., Yu, M. and Jing, I. (2005) Information assurance.
Matsuura, J.H. (2006) Security, Rights and Liabilities in E-Commerce. New York: Artech House.
Oliva, L. (2004) E-Commerce Solutions: Advice from the Experts. New York: Cybertech Publishing.
Paradise, P.R. (1999) Trademark Counterfeiting, Product Piracy and the Billion Dollar Threat to the US Economy. New York: Quorum Books.
Powers, D.M. (2005) Cyberlaw: The Major Areas, Development, and Information Security Aspects.
Rhodes-Ousley, Bragg, and Strassberg (2003) Network Security: The Complete Reference. New York: McGraw-Hill.
Rubin, B.S. (2005) Public key algorithms.
Whelan, E.P. (2003) My Mom's Making History: The Story of Computer Software Copyright and Creativity. Chicago: Copyrights Creativity Promotion Project.
Zetter, K. (2005) Cisco security hole a whopper. Wired. Retrieved 5 April 2007 from http://www.wired.com/politics/security/news/2005/07/68328