Study of Cyber Attacks - Essay Example

Malware Memo Bill Sparrowhawk, Phoenix Office CISO 05/18/2007 Re: Malicious Software I'd like to begin by clarifying that there are two reasons for our susceptibility to malicious software. The first is the presence of holes and security vulnerabilities in both our operating system and our hardware. The second is the very nature of our identity as a profit-making company. I'll now explain both in turn. Prior to our transition to Windows NT Service Pack 4, we were vulnerable to a significant security flaw which Microsoft had not informed its users of. Pre-Service Pack 4 Windows NT had a security hole, a bug, which rendered it highly vulnerable to DoS, or Denial of Service Attacks. The consequence was that the company suffered a land attack which subsequently forced our networks into a "ping of death" (Liu, Yu, and Jing, 2005). This means that the network was forced into the continued and repetitive transmission of packages which exceeded the allowable size. As you may well recall, the DoS attack paralyzed our systems and cost us in excess of $150,000. Attacks which exploit security holes in hardware and software systems are quite common. Apart from the above described incident, the company was subjected to a second attack as a direct outcome of a security hole in its Cisco IOS router. This, the most popular corporate router, had a serious security flaw which the company only identified after the release of the router and even then did not inform users about (Zetter, 2006). Consequently, our company, just like countless others was attacked through this security hole. In the second place, our identity renders us the target of attacks. It is unlikely that any hacker would deliberately target your daughter's computer and infect it with a Trojan Horse but where we are concerned, the issue is quite different. As a profit-making organization, we represent potentially financially lucrative information (Rhodes-Ousley, Bragg, and Strassberg, 2003). We are targeted by professional hackers who seek out security flaws in our system for the explicit purpose of infecting us, either in order to access our data or to bring our networks to a halt (Rhodes-Ousley, Bragg, and Strassberg, 2003). The fact of the matter is that our department has protected our networks as much as is possible. The fact that we send out malware alerts or often engage in the cleaning up of the system is quite simply because we cannot afford any viruses on our networks. Malware could undermine the integrity of our data and, therefore, we often resort to the exercise of extreme precaution. Indeed, it is quite probable that your daughter's computer has some malware on it but that she is not able to identify it. We, on the other hand, identify and remove all malware. Lastly, Windows OS is ore vulnerable to malware than is Macintosh OS. This is because of security holes in the latter which are not present in the former and because hackers target Windows much more than they do Macintosh (Rhodes-Ousley, Bragg, and Strassberg, 2003). Migrating to Macintosh, however, is not an option both because it would be too costly and because it does not have the software range that we need. P2P Memo To: Salamanika Giorgiopolis, Corporate Counsel From: CISO Date: 05/18/2007 Re: Peer to Peer and Piracy Irrespective of the popularity of Peer to Peer Networks and regardless of the fact that everyone is doing it,' company employees are explicitly prohibited from running P2P programs on company computers or from using the company's network connection to download files through these programs. Apart from the aforementioned being explicitly forbidden under company policies and regulations, it comprises an immoral and illegal violation of copyright laws which the company is not going to abide by. Copyright laws are very precise, leaving little room for manoeuvring or interpretation. As Paradise (1999) clarifies, this body of legislature, determines the fortification of ownership rights over intellectual, and other non-tangible, properties To access and exploit the said property without the owner's permission and without paying the requisite price, if any, constitutes theft and is treated as such both by national and international law. Indeed, in response to the fact that information and computer technology have significantly facilitated the ability of people to steal copyrighted material and to violate copyright laws, copyright laws have been updated. As Powers (2005) explains the Digital Millennium Copyright Act (1998) explicitly outlines the illegality of exploiting ICT for the infringement of copyright laws and the consequences of doing so. In other words, downloading copyrighted material through P2P networks is theft and is regarded as such by the law. Certainly, millions habitually engage in the violation of intellectual copyright laws through P2P networks. In so doing, they are committing a misdemeanour which places them at risk of paying a substantial monetary fine per copyrighted piece downloaded (Whelan, 2003). Within the context of corporate entities, given that management, leadership and corporate policies are responsible for the regulation of employee behaviour, the company is held liable for infringements (Whelan, 2003). Apart from the financial cost involved in settling such cases, the pall which it casts upon a company's public image means that few, if any employees, are worth the company's sacrificing its reputation over. Accordingly, employees found guilty of violating company policies on P2P networks and piracy will be terminated. Law and corporate policies, however, should not function as the safeguard against employees' violation of intellectual copyright laws but basic morality should. As employees of a company which invests in research and development and encourages employee creativity and, itself, copyrights designs and innovations, you are fully cognizant of the time, effort and investment expended into each and every piece of intellectual property. Can you honestly persuade yourselves that stealing that effort is moral Added to that, are you willing to take personal responsibility for the consequences which may arise from the continued theft of copyright material through P2P networks Artists, be they musicians or film producers, software designers and innovators are loosing money and some are even loosing out on the original investment made to produce and create the piece of intellectual property which is constantly being illegally swapped and stolen through P2P networks (Whelan, 2003). The motivation to create, innovate and invest the requisite time, effort and financial resources in either is decreasing because of habitual theft. The problem is not only a legal one but a moral one. Our personal moral codes should prevent us from engaging in this practice. Keys Memo To: Thomas Pollux, Accounting From: CISO Date: 05/18/2007 Re: These *%$(% keys I would first begin by thanking you for drawing our attention to the fact that we implemented the said encryption system and offered employees a training session without really explaining, in layman terms, how these keys function or why, indeed we need them in the first place. To help clarify these issues, I will first offer a simple definition of public key cryptosystem and ten respond to each of your questions in turn. The system implemented is known as a public key cryptosystem. Common to all such systems, it uses two interrelated keys, one of which is private and secret and the other which is public. The public key is known to all message senders. This system enables encryption using the public key and decryption using the private key, thereby ensuring the privacy of all messages (Rubin, 2005). While I am sure you must still think of this as an unjustified annoyance, an explanation of the functions and imperatives of cryptography may change your thinking. In brief, cryptography is a process by which data is rendered into indecipherable code as a strategy for ensuring both its integrity and privacy. Decryption is only possible using the secret key (Juels, 003). The imperatives of encrypting data are determined by the medium of storage and transmission. Our servers, on which we store our data, are liable to infiltration irrespective of precautions taken. Similarly, as data is transmitted across networks it basically enters into public space, implying that it is vulnerable to interception. Decryption can, subsequently, only proceed by entering the secret, private key (Oliva et al., 2004; Matsuura, 2006). This is the reason why you have been, as all employees, assigned a private, secret key. Among the questions you've raised is why secret keys should be guarded and their secrecy preserved. There is a simple explanation. It is an extremely common oversight for people to leave their secret keys lying about, exposed to others. Should that happen and should another have access to your key, he/she will not only be in impossible to decrypt your private data but for those employees/managers which have security access to sensitive company data, access to corporate data (Matsuura, 2006). The emphasis we placed on guarding the secrecy of your public key was, therefore, instigated by concern for both the security of company data and your own privacy. Another of the questions you raised is why have two keys, especially when one of them is public and, therefore, accessible to all. This is a good question and the answer is quite straightforward. The public key is used for encryption and the fact that it can be accessed by anyone is unimportant given tat decryption is contingent upon possession of the private/secret key (Oliva et al., 2004; Matsuura, 2006). In other words, each of the two keys fulfils a specific function in the cryptographic process and the nature of these functions is such that it is imperative to keep the one private and the other not. I hope the above has answered your questions and please contact me if not. PKI Memo To: Amaryllis Swain, CTO From: CISO Date: 05/18/2007 Re: PKI Public Key Infrastructure (PKI) is a technology with antithetical effects. On the one hand, it has the power to ensure the authenticity of any transaction, is available to all users and, importantly, facilitates the implementation of e-commerce applications (Adams and Lloyd, 2002). On the other hand, PKI is extremely expensive, can enable fraud and its implementation necessitates the active restructuring of both hardware and software, if it is to be effective. Upon weighing the pros against the cons, the aforementioned could influence one towards opposition to the implementation of PKI. This, however, is not really an option. Quite simply stated, PKI is integral anywhere where powerful authentication has been identified as an imperative and, indeed, within the context of companies which have opted for an online presence, is as important as are firewalls. PKI is essential for all of the human resource data management and communication, business to business transactions and bank exchanges (Adams and Lloyd, 2002). The fact that we need to implement a PKI is inarguable, with the only question being whether we should buy or make it. Designing, or making, a PKI is a daunting task. Apart from the fact that it requires that network professionals expend a tremendous amount of time and effort going through countless acronyms and algorithms, the question always remains whether the network personnel have the requisite qualifications to manage all possible security issues. One of the most common, and most serious problems, which arise from PKI's which have been deigned and built in-house, is compromised certificates. The aforementioned is a direct outcome of network, physical and/or personal security which is not up to specifications/qualifications (Housley and Polk, 2001). Bearing the aforementioned in mind, therefore, I would strongly recommend the purchase of a PKI, as opposed to making it. By recommending purchase, I am not claiming that this option does not have its own set of concerns or that it is completely devoid of disadvantages. As Housely and Polk (2001) argue, concerns, most naturally, stem from the fact that we are ultimately exposing our security to a third party or, to an extent, placing or security in the hands of another. Many companies often fear doing so, believing that delegating so much trust to another is simply too risky. That is not entirely true. It may be risky but given that we are ultimately dealing with reputable companies, the risk is minimal in comparison to what we will go through were we to design our own system. Proceeding from the above stated, I recommend that we establish contact with a third party and bring them in to study our network, and current and future requirements. The PKI has to be customized to our network and needs and building it is a time-consuming task. I assure you that were we to select this option, my department will monitor every step of the process and double-check everything, ultimately ensuring the privacy and security of the company's data. Bibliography Adams, C. and Lloyd, S. (2002) Understanding PKI: Concepts, Standards and Deployment Considerations. NJ: Addison-Wesley. Housely, R. and Polk, T. (2001) Planning for PKI. NY: Wiley. Liu, P., Yu, M. and Jing. I. (2005) Information assurance. Matsuura, J.H. (2006) Security, Rights and Liabilities in E-Commerce. New York: Artech House. Olvia, L. (2004) E-Commerce Solutions: Advice from the Experts. New York: Cybertech Publishing. Paradise, P.R. (1999) Trademark Counterfeiting, Product Piracy and the billion Dollar Threat to the US Economy. New York: Quorum Books. Powers, D.M. (2005) Cyberlaw: The Major Areas, Development, and Information Security Aspects. Rhodes-Ousley, Bragg, and Strassberg (2003) Network Security: The Complete Reference. New York: McGraw-Hill. Rubin, B.S. (2005) Public key algorithms, Wheelan, E.P. (2003) My Mom's Making History: The Story of Computer Software Copyright and Creativity. Chicago: Copyrights Creativity Promotion Project. Zetter, K. (2005) Cisco security hole a whopper. Wired. Retrieved 5 April 2007 from http://www.wired.com/politics/security/news/2005/07/68328 Read More