Job Seeker Information Compromised - Case Study Example

Summary
This paper, 'Job Seeker Information Compromised', describes how, in August 2007, there was a major security alert at the online job website Monster.com after hackers stole 1.6 million online records from the internet job search site, including the personal information of several hundred thousand job seekers…

Extract of sample "Job Seeker Information Compromised"

Data Hack at Monster.com: Job Seeker Information Compromised

Contents
Introduction
Problem Statement
The Compromising of Customer Data
Monster.com Online Security Before and After the Breach
Could it Happen Again?
Conclusion
References

Introduction

In August 2007, there was a major security alert at the online job web site Monster.com after hackers stole 1.6 million online records from the internet job search site, including the personal information of several hundred thousand job seekers. The candidates' personal details, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, were then uploaded to a remote server under the control of the attackers. "The remote server held over 1.6 million entries with personal information belonging to several hundred thousands candidates, mainly based in the US, who had posted their resumes to the Monster.com Web site." (news.bbc.co.uk, 2007, para 5).

The company provides recruitment services and has a number of related services, including a career centre. The types of service offered include help with resumes, cover letters, company research, networking, and advice targeted to individuals whose careers are currently in a transitional state. Career-management advisors are on hand for daily chats if required. The site is well organized and easy to navigate. The site is well established and has been in existence since it was formed in 1999. It has the largest job search engine in the world.

As this hacking case proves, however, the security aspect of the site has left a lot to be desired. Monster.com has addressed these issues. However, nothing in internet security is foolproof, as will be seen in this report.

Organization and Background

The hackers had stolen the login credentials by use of "phishing" (the cloning of websites) techniques, and managed to extract several personal details.
The BBC claimed in their news article on the topic that the stolen data would most likely be used to send phishing and spam emails. However, this was not the true purpose, as was later discovered. The fraud in operation was, typically, identity theft, as opposed to a lapse of security on the Monster.com website. This occurred via a Trojan. This is a common technique used to obtain personal information, including login and email details.

Problem Statement

There are numerous lessons to be learned from this incident. Monster.com has over 75 million visitors to its site. It offers a wide breadth of services. It also has approximately 5,200 employees and operations in 36 countries. Therefore it has a huge responsibility for the welfare of both its employees and the personal data of every person who registers on the site.

The data was used for phishing and spam attacks, and a "phishing blackmail scam" (Stokdyk, 2007, para 1). The victims were persuaded, by a very realistic phishing campaign, that the emails and the site they were associated with were genuine. They were fooled into downloading a job research tool, named the "Monster Job Seeker Tool." This was in fact a program that encrypted files on the victims' computers. The next stage was a ransom note demanding money to provide the decryption. In this instance, no amount of security or encryption on the site could have prevented the hackers gaining access to the personal data. They had access to all the information required throughout.

Identity theft refers to the stealing of personal information with a view to using it in an illegal manner. This might be to use someone's credit card details or to apply for bank loans using false papers. There are several ways in which a stolen identity can be used for illicit purposes. The identity theft can be paper or non-paper based. New ways and means of stealing personal data are being concocted on a daily basis.
Identity theft is rife in other areas of the business world, including the financial sector, and has caused numerous problems: "Growing numbers of identity theft related incidents included phishing and pharming (attempting to obtain customer log-in details) attacks and moves to obtain advance fees by fraudulently seeking to use the organisations' brands." (Identity Theft Fears of Industry Giants, 2006, p. 26)

Part of the problem lies with internal staff. It is a simple matter for a wayward employee to steal personal data and sell it on to external parties for a price. Some employees have all the advantages of being in a position to do this and bypass technical controls. This does not only apply to an organization's customer details, however, as staff are known to steal the details of fellow members of staff!

The increase of work outsourcing is another area where data can be stolen and used for fraudulent purposes. As a bare minimum, a non-disclosure agreement should be put in place. This places a degree of responsibility on the outsourcer should they choose to use company data for illegal purposes. It is not totally foolproof, but it is safer than having no NDA in place stating that company data should not be disclosed to any external parties.

Until recently, responsibility for security matters was almost always assumed to rest with the network administrator. Organisations simply place the onus on the network administrator and those maintaining the system. However, this trend is changing, especially within the large corporate organisations. Security should be a shared responsibility. The technical administration staff should only provide guidelines from a technical perspective. This is only a small percentage of security related aspects. The policies and procedures for security should be a team and organisational effort. Security covers all of the scope, policies, priorities, standards, and strategies required to implement security management.
The goals of the "environment" should be agreed upon by all parties who have a vested interest. The goals to be achieved from a security program should be clearly identified. Management, technical staff, customers and end users all have a vested interest in the security policies of an organisation. No one single department or individual can be ruled out.

The Compromising of Customer Data

Customer data can be compromised in a number of ways. There are various levels of risk. Raval & Fichadia (2007) state: "Risk represents the possibility of a loss or harm to an entity. Such an entity can be a person, an organization, a resource, a system, or a group. There is hardly any entity that does not face some type of risk." Therefore it can be seen that identity theft of customer data is only a part of the whole security problem.

The risks to customer data in large organisations such as Monster.com are generally well managed. The problems occur as the risks continually shift as new tactics emerge in a dynamic fashion. Monitoring breaches of confidential data is made more complex due to the nature of the beast. The areas of risk to be covered are organizational, environmental, technological and sociological.

Monster.com is an established organization with bases throughout the world. Inevitably, this implies that security is more of a widespread issue. It also means that organisations of this size are more likely to be attacked by hackers and fraudsters. Monster.com is mainly based in North America, Asia, and Europe. The aim of the organization is to match employers with prospective job seekers. This is done at an international level. Monster Worldwide is a member of the S&P 500 Index and the NASDAQ 100. The organization holds details for millions of individuals and organizations. Therefore it is important that customer data is always secured and unable to be hacked into at will.
If a small company has a few hits on its data it may affect a few hundred users, but with a company the size of Monster.com it can affect, and has affected, millions. Fortunately, the majority of hacking activities by the "would be" hacker seem to be more about feeding egos. In other words, someone would write something just to prove to themselves and others that they had the power, if needed, to disrupt and interfere with company data and activities. However, the Monster.com incident had a more dangerous intent, i.e. blackmailing people to gain money.

Data can be stolen for a host of reasons. Theft of company secrets, plans for new products prior to release, damage to well established web sites, and the stealing of customers are all "fair game" for things to do with stolen data. In the majority of cases where websites have been compromised, it is due to carelessly developed websites and inadequate controls, plus a lack of verification schemes.

One of the most dangerous situations is where military personnel information has been compromised. With conflicts occurring in many parts of the world, it is possible for terrorists or enemy organisations to hack into personal data (not generally stored on the internet, however) and find out where service personnel live. This could have all kinds of catastrophic consequences, not only for the victim of an identity theft, but for the family of a victim. Therefore, modern military tactics include not only the battlefield and physical aspects of warfare, but also counter-terrorist activities in relation to internet and computer activity.

Monster.com Online Security Before and After the Breach

Since the data theft, Monster.com has taken a number of steps to protect against a re-occurrence of the hacking incident. Monster.com is now working with law enforcement authorities to ensure that incidents of data theft are minimised.
The new aspects of security include the monitoring of websites 24/7 for unusual activity, anti-phishing monitoring and the introduction of a security team (including senior management) dedicated to the task of providing a secure environment to users of the site. The security team monitor and recommend enhancements of the security measures as and when required. This may include the development of the internal infrastructure of the Information Technology services. A number of other measures are the use of SSL, CAPTCHAs (which prevent malicious programs from being able to navigate or use the Monster.com site), and the improvement of passwords and strengthening of account security via profiling and new authentication technology. Additional measures taken after the security incident may have included disabling affected accounts, although (probably for security reasons) this was not actually confirmed by Monster.com.

Education is an important part of the overall security scenario. The first line of security lies with the educated user. Users should be aware of the dangers of identity theft and take appropriate precautions to minimise the risk. This has the effect of adding a new layer to overall security measures. Monster.com now has an active education policy in place to educate its users on the dangers of identity theft, and what can be done to minimise the risk. Monster.com provides support on an ongoing basis on security and other related issues. The URLs detailing Monster.com security provisions are shown below:

http://help.monster.com/besafe/email/
http://about.monster.co.uk/14979_en-GB_p1.asp

Could it Happen Again?

This event could occur again, no question. As companies like Monster.com become more sophisticated at handling identity theft and phishing attacks, the hacker "terrorists" are doing the same. As one security crisis passes away, a new one will surface, sooner or later. This is an issue in the internet world with regard to virus software.
As new viruses hit the internet, the security companies provide updates to their anti-virus databases to counteract the new threats. One of the problems is that some IT departments and network administrators have not kept their networks up to date. The book "CISSP: All-in-One Exam Guide, Third Edition" states: "This proves that not enough network maintainers have kept up to date on security changes and installed the necessary patches or configurations." (Harris, 2005). The problem being referred to here is that old methods of hacking into websites and data are still being used, but the known fixes recommended for these have not been implemented. With security gates like these being "left wide open", it would be no surprise if these types of event were to re-occur, especially in the small to medium sized organizations, having only limited resources and budget.

Hacking is evolving constantly, as modern requirements dictate that people, businesses and countries rely more and more on the use of the internet. Unfortunately, the protective measures do not always follow at a rate which can deal with the problem in time. As a result, the consequences of these kinds of attack are becoming more serious and, in some cases, deadly. As the threats increase, so does the cost of preventative measures needed to combat them. Following the September 11th attacks in 2001, $2.12 billion of the security budget was allocated for technology and cyber security in the United States.

Conclusion

Since the identity theft incident occurred in August 2007, Monster.com has had time to re-evaluate the incident and improve their security measures. The exact method used to steal personal data, and the motivations for the event, have been clearly identified. Monster.com has responded with a range of new measures and technology designed to prevent hacking and phishing attacks. It is probably true to state that Monster.com is now more secure than other sites providing a similar service.
Even though the Monster.com security situation was well publicised, not all of the messages have been heeded. The problem is that, no matter how secure a site is, if someone obtains your personal details, such as username/passwords and keywords which identify you as being unique on a site, your personal data will never be completely safe. Identity theft is becoming increasingly difficult to prevent. On the plus side, only a small percentage of identity theft hacks succeed and any "open gates" are usually swiftly closed.

Phishing sites were used to catch the Monster.com users unaware. The phishing sites were so realistic that users were fooled into providing personal details. This left those users wide open to exploitation. Monster.com has an active policy of seeking out and destroying sites (via appropriate channels) claiming to be from Monster.com. Phishing is not uncommon. Ebay (an auction site) has frequently been cloned by hackers attempting to obtain personal and financial details of its users.

Monster.com has now introduced more rigorous tools and methods/policies to define a security hierarchy and system, involving senior management. There seems to be an element of "in hindsight" about the (improved) approach, but generally security at Monster.com has improved massively. There are lessons to be learned from the past and the future. These lessons are not always acted upon. The war between hacker and anti-hacker goes on, and will continue to do so in the future, that much is certain.

References

Books

Vasant Raval and Ashok Fichadia (2007). Risks, Controls, and Security: Concepts and Applications, 1st Edition: John Wiley & Sons.

Shon Harris (2005). CISSP: All-in-One Exam Guide, Third Edition. Unknown: McGraw-Hill/Osborne.

News Articles

Identity Theft Fears of Industry Giants. (2006, April 28). The Birmingham Post (England), p. 26. Retrieved August 12, 2008, from Questia database: http://www.questia.com/PM.qst?a=o&d=5014843202

Internet

News.bbc.co.uk (2007). Monster attack steals user data. Retrieved 11/08/2008, from http://news.bbc.co.uk/1/hi/technology/6956349.stm

John Stokdyk (2007). US job hunters blackmailed in Monster.com hack. Retrieved 11/08/2008, from http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=172236&d=1025&h=1020&f=1026&dateformat=%25o%20%25B%20%25Y

Sal Iannuzzi (2008). Security Centre: Expert advice on avoiding online fraud. Retrieved 12/08/2008, from http://about.monster.co.uk/14979_en-GB_p1.asp

Sal Iannuzzi (2008). Security Notice. Retrieved 12/08/2008, from http://help.monster.com/besafe/email/
Cite this document
(“Data Hack at Monster.com Case Study Example | Topics and Well Written Essays - 2750 words”, n.d.)
Retrieved from https://studentshare.org/technology/1500896-data-hack-at-monstercom
