Managing and Using Information Systems

Anonymous
Asked: Feb 25th, 2019

Question Description

Please find the attached chapter 7, including the case study Case 7-2, Sony Pictures: The Criminals Won, at the end of the chapter. Please read chapter 6 and the Case 7-2 Sony Pictures: The Criminals Won case study and write a case report on the case study by following the instructions below. Case reports should be no more than 5 pages of double-spaced text, with no smaller than one-inch margins and 12-point Times New Roman font (please follow APA guidelines for formatting citations and references as well). Please check for plagiarism before sending.

Each student will write a case report, which synthesizes their analysis of the assigned case study. Case reports should demonstrate excellent understanding of the case study along with accurate application of appropriate frameworks and tools that have been discussed in class and highlighted in the readings. Case reports should also offer a clear, direct analysis as well as a well-argued position (again, supported by course material). You should acknowledge in the report(s) when you are making assumptions and/or predictions. Ultimately, case reports should demonstrate your ability to assess a situation and develop strategies on how to improve the situation and avoid future problems. Case reports should be no more than 5 pages of double-spaced text, with no smaller than one-inch margins and 12-point Times New Roman font (please follow APA guidelines for formatting citations and references as well).

Please write the paper so that it includes the topics below.

Executive summary

Findings

Discussion

Alternative Solutions

Conclusion

Recommendation

Implementation

References & Citation

Security

Information technology (IT) security is one of the top issues of concern to businesses; hacked systems or stolen data can put a company out of business. General managers must understand the basics to ensure continuance of operations. This chapter explores managing security in five areas: strategy, infrastructure, policies, training, and investments. Lessons from some of the largest and most well-known breaches are covered, as well as how they occurred according to security experts. The chapter also discusses common tools that aim to secure access, data storage, and data transmission to prevent these breaches, and their advantages and disadvantages. Policies general managers can implement to decrease the risk of security issues and economic damage are presented, followed by a discussion of education, training, and awareness issues.

During lunchtime on June 6, 2015, a white van pulled in front of the U.S. Office of Personnel Management in Washington, D.C. A team of three expert hackers entered the front door, displaying the credentials of three janitors who were bound and gagged back at their office. As the hackers stood at a supply room door next to a highly secure server room, the target of their attack, one feigned having to crouch to tie his shoe, the other two stood in the way of the security cameras, and the crouching bandit used a lock-picking tool to gain access to the supply room. They figured they had only a few minutes to clip a monitoring device to the network wires that led to the servers containing security clearance information for millions of employees and past employees. The device monitored electrical activity right through the insulation and transmitted it to the van. The hackers closed and relocked the supply room door, exited the building, and re-entered the van just as the clock struck 1 P.M. The tallest of the three declared "right on schedule!" and set a timer for 10 minutes.

He tuned his laptop into the monitoring device, and the other two did the same. They watched communications to and from the server, waiting for an employee, any employee, returning from lunch to log in. Monitoring was risky due to random sweeps for rogue wireless connections, so after 10 minutes they would abort the mission. The three typed frantically at their keyboards, but nothing seemed to work for several agonizing minutes. Ten seconds before their time was up, one of the perpetrators hastily wrote some computer code and then smiled. He was just in time to reveal a log-in conversation complete with password. The hackers set the timer for another 10 minutes, which they had budgeted for the next phase. The hackers searched frantically for large files that might contain the security clearance information they were hired to obtain. One of them found a large file called "SecurClearRecs," and the three cursed when they saw that the file was larger than anticipated. They immediately typed commands to upload the file through the Internet to a server in Shanghai, China. They kept one eye on the building and the other eye on the red "progress bar" that indicated "5% complete" for 20 full seconds before it changed to "10% complete." The time required for each 5% seemed to vary widely; moving from 15% to 20% took almost an entire minute. They realized it would take the entire 10 minutes they had allocated, or more. They could almost hear their own pulses pounding as they anticipated the million-dollar reward that awaited them if they were successful, but they also dreaded the fact that their overall budgeted 20 minutes might not be quite enough. Maybe they could chance it and go just a little longer. A few terror-filled minutes past the budgeted 20 minutes, at 90% complete, they saw a guard step outside of the building and point at the van. Another officer joined him, and the pair started walking cautiously toward the van, one of them trying to talk into his radio.

The hackers had wisely jammed police channel communications and flattened the patrol cars' tires, but they wanted to avoid physical contact as much as possible. Trouble was certain to loom ahead; one of the officers turned to run back to the building. The tallest hacker jumped into the driver's seat and started the van. The hackers looked down at the progress bar, which said "99% complete," just as an alarm sounded. The remaining guard began running to the van. Four flat tires would mean a 10-minute delay waiting for another officer from the security firm's headquarters. The hackers waited 5 more seconds for "100% complete" and then screeched away to a secluded clearing one-half mile away in the woods, where a blue turbocharged Hyundai Sonata awaited them. They pushed a red "self-destruct" button in the van to start a timer, jumped in the Hyundai, and sped down back roads as distant sirens blared and the van exploded.

Two weeks later, on June 20, 2015, an article in Computerworld stated that "The U.S. government still isn't saying how much data it fears was stolen." [1]

This story is notable for two reasons: (1) It is exactly the type of story that we would all imagine when hearing about data breaches, largely thanks to big-budget Hollywood movies. However, (2) the story is almost completely false; the only true parts are that a large number of private security clearance files were indeed stolen from the Office of Personnel Management, and the June 20 article in Computerworld did display the preceding quote. If managers expect only such "urgent and frantic" physical attacks, they will focus their attention on the wrong threats.

It is important to learn the true story of this very real breach. Governmental officials learned in May 2015 that at least 4 million records likely had been stolen several months earlier. Subsequent estimates placed the number at 14 million records. [2] The records contained much more than names, addresses, and social security numbers of current and former employees, possibly as far back as the 1980s. The 127-page dossier for each person also included information on alcohol and drug use; financial, psychological, employment, and criminal history; and sensitive personal information about contacts and relatives. There were even comments from acquaintances, which could include neighbors, enemies, and potential enemies of each person. [3] In short, according to the International Business Times, the stolen information was "invasive enough to ruin potentially millions of American lives." [4] As a consequence, the Chairman of the U.S. House Oversight Committee asked for the resignation of the person in charge, the Director of the Office of Personnel Management. [5]

In reality, the following important issues are true for this case as well as many others:

1. The hackers were far away and did not need any physical contact or any escape plan.
2. They were able to spend an extended period of time, possibly over a year, to carry out their attack. [6]
3. It took the victim organization months to discover the breach, which enabled the hackers to cover their tracks. In fact, a 2015 report from consulting firm Mandiant revealed that the median time that it took in 2014 for firms to detect a threat group's presence was 205 days, and the maximum was a whopping 2,982 days (11 years). [7]
4. The hackers exploited a stolen password, likely obtained by various means described later in this chapter.

Notes
1. Fred O'Connor, "Hackers Had Access to Security Clearance Data for a Year," Computerworld (June 20, 2015), http://www.computerworld.com/article/2938654/cybercrime-hacking/hackers-had-access-to-security-clearance-data-for-a-year.html (last accessed June 22, 2015).
2. Kim Zetter and Andy Greenberg, "Why the OPM Breach Is Such a Security and Privacy Debacle," Wired (June 11, 2015), http://www.wired.com/2015/06/opm-breach-security-privacy-debacle/ (accessed June 22, 2015).
3. Ibid.
4. Jeff Stone, "Hacked US Security Clearances Are Giving Beijing Insanely Personal Information about American Citizens" (June 12, 2015), http://www.ibtimes.com/hacked-us-security-clearances-are-giving-beijing-insanely-personal-information-about-1964882 (last accessed August 25, 2015).
5. Erin Kelly, "House Oversight to OPM Chief: 'Time for You to Go,'" In Brief (June 26, 2015), 2A.
6. "Blackmail Looms after Government Cyber Breaches," WND.com (June 13, 2015), http://www.wnd.com/2015/06/blackmail-looms-after-government-cyber-breaches/ (accessed June 22, 2015).
7. "M-Trends: A View from the Front Lines," FireEye.com, https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf (last accessed June 24, 2015).

Many other firms have been victimized, and hundreds of millions of records filled with personal information have been stolen just over the last two years. Security consulting firm FireEye estimates that 97% of all firms have been breached. [8] Managers must understand how large breaches occur to clarify the picture of what is going on out in the wild frontier and to protect their own company from similar fates. Only when threats are more fully understood can management begin to formulate and implement effective security plans.

IT Security Decision Framework

The first step on the road to an effective security plan is for management to adopt a broad view of security. This can be done by establishing an information security strategy and then putting the infrastructure (tools) and policies (tactics) in place that can help the organization realize its strategy. To round out the picture, users need to become familiar with security, and investments need to be made. The whole security picture can be reflected in five key information security decisions.
Understanding these decisions and who is responsible for them (that is, who has the decision rights for them) is presented in Figure 7.1. We introduced decision rights in Chapter 3, and we use the concept to illustrate appropriate roles of business and IT managers in making a company's security decisions.

FIGURE 7.1 Key information security decisions.

Security Strategy
  Who is responsible: Business leaders.
  Rationale: Business leaders have the knowledge of the company's strategies on which security strategy should be based. No detailed technical knowledge is required.
  Major symptoms of improper decision rights allocation: Security is an afterthought and patched on to processes and products.

Infrastructure
  Who is responsible: IT leaders (CISO).
  Rationale: In-depth technical knowledge and expertise are needed. The particulars of a company's IT infrastructure need to be known.
  Major symptoms of improper decision rights allocation: There is a misspecification of [illegible in source] and network typologies or a misconfiguration of infrastructure. Technical security control is ineffective.

Security Policy
  Who is responsible: Shared: IT and business leaders.
  Rationale: Technical and security implications of behaviors and processes need to be analyzed, and trade-offs between security and productivity need to be made.
  Major symptoms of improper decision rights allocation: Security policies are written based on theory and generic templates. They are unenforceable due to a misfit with the company's specific IT and users.

Security Education, Training, and Awareness
  Who is responsible: Shared: IT and business leaders.
  Rationale: Business buy-in and understanding are needed to design programs. Technical expertise and knowledge of critical security issues are needed to build them.
  Major symptoms of improper decision rights allocation: Users are insufficiently trained, bypass security measures, or do not know how to react properly when security breaches occur.

Investments
  Who is responsible: Shared: IT and business leaders.
  Rationale: They require financial (quantitative) and qualitative evaluation of business impacts of security investments. A business case has to be presented for rivaling projects. Infrastructure impacts of funding decisions need to be evaluated.
  Major symptoms of improper decision rights allocation: Under- or overinvestment in information security occurs. The human or technical security resources are insufficient or wasted.

Sources: Adapted from Yu Wu, "What Color Is Your Archetype? Governance Patterns for Information Security" (Ph.D. dissertation, University of Central Florida, 2007); Yu Wu and Carol Saunders, "Governing Information Security: Governance Domains and Decision Rights Allocation Patterns," Information Resources Management Journal 24, no. 1 (January-March 2011), 28-45.

Notes
8. Bill Whitaker, "What Happens When You Swipe Your Card?" 60 Minutes (November 30, 2014), transcript, http://www.cbsnews.com/news/swiping-your-credit-card-and-hacking-and-cybercrime/ (accessed June 24, 2015).

1. Information security strategy: A company's information security strategy is based on such IT principles as protecting the confidentiality of customer information, strict compliance with regulations, and maintaining a security baseline that is above the industry benchmark. Security strategy is not a technical decision. Rather, it should reflect the company's mission, overall strategy, business model, and business environment. Deciding on the security strategy requires decision makers who are knowledgeable about the company's strategy and management systems. An organization's information systems (IS) function likely needs to provide the required technical input for supporting the decision.

2. Information security infrastructure: Information security infrastructure decisions involve selecting and configuring the right tools. Common objectives are to achieve consistency in protection, economies of scale, and synergy among the components.
Top business executives typically lack the experience or expertise to make these decisions. For these reasons, corporate IT typically is responsible for managing the dedicated security mechanisms and general IT infrastructure, such as enterprise network devices. Thus, corporate IT should take the lead and make sure that the technology tools in the infrastructure are correctly specified and configured.

3. Information security policy: Security policies encourage standardization and integration. Following best practices, they broadly define the scope of and overall expectations for the company's information security program. From these security policies, lower-level tactics are developed to control specific security areas (e.g., Internet use, access control) and/or individual applications (e.g., payroll systems, telecom systems). Policies must reflect the delicate balance between the enhanced information security gained from following them versus productivity losses and user inconvenience. As security attacks become more sophisticated, obeying security measures to deflect those attacks places cognitive demands on users. For example, they may need a different password for every account, and these passwords must often be long and hard to remember because they must have special characters. Productivity of users is often sacrificed when they have to come up with new passwords every month or when they have to spend time judging the legitimacy of dozens of e-mails each day. Not surprisingly, both IT and business perspectives are important in setting policies. Business users must be able to say what they want from the information security program and how they expect the security function to support their business activities. On the other hand, IT leaders should be consulted for two reasons: (1) their judgment prevents unrealistic goals for standardization and integration, and (2) policy decisions require the ability to analyze the technical and security implications of user behaviors and business processes. If either users or IT leaders are not consulted, unenforceable policies will probably result.

4. Information security education, training, and awareness (SETA): It is very important to make business users aware of security policies and practices and to provide information security education, training, and awareness (SETA). Training and awareness programs build a security-conscious culture. To promote effectiveness and post-training retention, training and awareness programs must be linked to the unique requirements of individual business processes. Business user participation in planning and implementing training and awareness programs helps gain acceptance of security initiatives. However, IT security personnel are in the best position to know the critical issues. Thus, both IT security managers and business users must be actively involved in planning SETA activities.

5. Information security investments: The fear, uncertainty, and doubt ("FUD") factor once was all that was needed to get top management to invest in information security. As information security becomes a routine concern in daily operations, security managers increasingly must justify their budget requests financially. But it is difficult to show how important security is until there has been a breach, and even then it is hard to put a dollar amount on the value of security. As when determining business needs, different units within the company may have rival or conflicting "wish lists" for information security-related purchases that benefit their unique needs. The IS organization also should have a significant say in these decisions because it is in the best position to assess whether and how the investments may fit with the company's current IT infrastructure and application portfolio. Thus, both IT and business leaders should participate in investment and prioritization decisions. One way to ensure this joint participation is to use executive committees/councils composed of business and IT executives, such as the IT steering committee and budget committee, with the CIO having overlapping memberships in both. These committees are where IT and business leaders make business cases for their proposed investments and debate the merit and priorities of the investments. These decisions about the appropriate level of investment are made with the company's best interests in mind.

Breaches and How They Occurred

In 2013 and 2014, before the Office of Personnel Management's attack, the most famous breaches infiltrated the systems at EBay (twice), Target, Home Depot, and Anthem Blue Cross. See Figure 7.2 for the magnitude and cause of each breach.

Password Breaches

It is important to emphasize the damage that can be done by password breaches. As the following descriptions indicate, trusting and trustworthy users might have no idea they are opening a security hole by clicking on an attachment, using public WiFi, or following a link to an authentic-looking site. Executives should not believe that employees who use their personal laptops away from the office are harmless to the firm. When employees whose systems are infected log onto work e-mail systems or intranets, a hacker can gain access to the firm. 60 Minutes reported in 2015 that 80% of breaches are conducted by stealing a password. [9] There are many ways to steal a person's password. One common method is to conduct a successful phishing attack, [10] which sends a person a counterfeit e-mail that purports to be from a known entity.
FIGURE 7.2 Well-known breaches, what was stolen, and how.

Company | Date detected | What was stolen | How
Target | November 2013 | 40 million debit and credit card account numbers [a] | Contractor's opening of an e-mail attachment containing a virus, revealing a password [b]
EBay #1 | May 2014 | 145 million user names, e-mails, physical addresses, phone numbers, birth dates, encrypted passwords [c] | Obtaining an employee's password [d]
EBay #2 | September 2014 | Small but unknown | Cross-site scripting
Home Depot | September 2014 | [illegible in source] | Obtaining a vendor's password and exploiting an operating system's vulnerability [e]
Anthem Blue Cross | January 2015 | 80 million names, birthdays, e-mails, social security numbers, addresses, and employment data (including income) [f] | Obtaining passwords of at least five high-level employees [g]

Figure notes:
a. Brian Krebs, "Target Hackers Broke in Via HVAC Company," Krebs on Security (February 14, 2014), http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ (accessed June 22, 2015).
b. Brian Krebs, "Home Depot: Hackers Stole 53M Email Addresses," Krebs on Security (November 14, 2014), http://krebsonsecurity.com/2014/11/home-depot-hackers-stole-53m-email-addreses/ (accessed June 28, 2015).
c. Andy Greenberg, "EBay Demonstrates How Not to Respond to a Huge Data Breach," Wired (May 23, 2014), http://www.wired.com/2014/05/ebay-demonstrates-how-not-to-respond-to-a-huge-data-breach/ (accessed June 22, 2015).
d. Bill Whitaker, "What Happens When You Swipe Your Card?" 60 Minutes (November 30, 2014), transcript, http://www.cbsnews.com/news/swiping-your-credit-card-and-hacking-and-cybercrime/ (accessed June 24, 2015).
e. Ashley Carman, "Windows Vulnerability Identified as Root Cause in Home Depot Breach," SC Magazine (November 10, 2014), http://www.scmagazine.com/home-depot-breach-caused-by-windows-vulnerability/article/382450/ (accessed June 28, 2015).
f. Michael Hiltzik, "Anthem Is Warning Consumers about Its Huge Data Breach. Here's a Translation," LA Times (March 6, 2015), http://www.latimes.com/business/hiltzik/la-fi-mh-anthem-is-warning-consumers-20150306-column.html#page=1 (accessed June 28, 2015).
g. Ibid.

Notes
9. Ibid.
10. Brian Honan, "Reactions to the EBay Breach," http://www.net-security.org/secworld.php?id=16905 (accessed June 22, 2015).

The e-mail includes either a virus-laden attachment or a link that invites the user to click and visit a page to either solve a problem or accomplish a task (as described in detail at the end of this chapter). The only limit is the phisher's imagination to create a scenario that would motivate a user to click on a link. The attachment or link in a phishing message often initiates a key logger, or software that traps keystrokes and stores them for hackers to inspect later. A key logger can even be hidden on a thumb drive plugged into a public computer in a hotel's business center. A key logger might also be triggered by visiting an unfamiliar Web site. Just by clicking on a search result, a user might inadvertently download and install the key logging software. Asking the user to log in will reveal his or her user name and password, opening a world of opportunity for the hacker.

Another way to obtain a password is simply to guess it. Experts warn that large breaches can be caused by using a weak password, such as "123456," which, incredibly, won again as the most common password of all in 2014. [11] Passwords can be troublesome. Creating a strong password that cannot be guessed results in a hard-to-remember string of nonsense characters. The name of a hometown, a team, an employer, or a family member would be among the first guesses of a hacker. Also, even if it is difficult to guess, many people use the same password for multiple purposes, and if one account is breached, all of their other accounts are then wide open. It is challenging to keep track of difficult passwords that are different for every account.
Tools such as LastPass, Dashlane, and Sticky Password allow access with one password to a set of highly complex and impossible-to-remember passwords synchronized across Windows and Mac computers as well as Android and iOS smartphones. [12]

Yet another way to open a firm to a large breach is for employees to use an unsecured network at a coffee shop, hotel, or airport. [13] Many users do not realize that, even if the network's name matches the coffee shop's name, someone in the shop might have set up a so-called evil twin WiFi connection and that all incoming and outgoing Internet traffic becomes routed through the perpetrator's system. Without the proper tools or training, most users can't validate a public WiFi connection. Once connected, the unwitting users' keystrokes, including their user names and passwords, are captured as they shop online, do Internet banking, or log into their company's intranet site. [14] The only solution might be for companies to establish policies forbidding their employees to use public WiFi and requiring them to use their smartphones as their PC's sole Internet connection, even when tempted by free WiFi in public places.

Other Attack Approaches

Cross-Site Scripting

As shown in Figure 7.2, a second EBay breach is another important attack for management to understand. It was discovered in September 2014 by an astute user who nagged EBay to fix the problem for over a year. [15] He even created a surprising YouTube video to show how it worked. [16] The damage is unclear, affecting only the users who clicked on one particular search result that was eventually removed. However, the cause is clear in this case: [17] cross-site scripting (XSS), which involves booby traps that appear to lead users to their goal but in reality lead to a fraudulent site that requires a log-in. EBay permits users to install some computer code in their listings to make their items in EBay search results grab shoppers' attention. It is intended to allow animation in listings, but malicious code was inserted instead, designed for a nefarious purpose: to alter the listing's address to point to a bogus log-in screen. Users assumed they needed to log in once again for security purposes, but in reality everyone who "logged in" that second time provided the crooks with user names and passwords.

Notes
11. Jamie Condliffe, "The 25 Most Popular Passwords of 2014: We're All Doomed," Gizmodo (January 20, 2015), http://gizmodo.com/the-25-most-popular-passwords-of-2014-were-all-doomed-1680596951 (accessed June 22, 2015).
12. Neil J. Rubenking, "The Best Password Managers for 2015," PC Magazine (June 2, 2015), http://www.pcmag.com/article2/0,2817,2407168,00.asp (accessed June 25, 2015).
13. Sergio Galindo, "Reactions to the EBay Breach," http://www.net-security.org/secworld.php?id=16905 (accessed June 22, 2015).
14. Andrew Smith, "Strange Wi-Fi Spots May Harbor Hackers: ID Thieves May Lurk Behind a Hot Spot with a Friendly Name," Dallas Morning News (May 9, 2007), http://cloud-computing.tmcnet.com/news/2007/05/09/2597106.htm (accessed August 25, 2015).
15. Chris Brook, "A Year Later, XSS Vulnerability Still Exists in EBay," Threatpost (April 29, 2015), https://threatpost.com/a-year-later-xss-vulnerability-still-exists-in-ebay/112493 (accessed August 27, 2015).
16. Paul Kerr, "Ebay Hacked Proof!" (September 16, 2014), https://www.youtube.com/watch?v=WT5TG_LvZz4&feature=youtu.be (accessed June 22, 2015).
17. Phil Muncaster, "EBay Under Fire After Cross-Site Scripting Attack," Infosecurity (undated), http://www.infosecurity-magazine.com/news/ebay-under-fire-after-cross-site/ (accessed June 22, 2015).

Third Parties

Several breaches have involved third parties. The Target attackers broke into the network using credentials stolen from a heating, ventilation, and air conditioning (HVAC) contractor and installed malware on the retail sales system.
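Returning to the EBay listing problem described under Cross-Site Scripting above: the following is an added example, written for this page and not EBay's code, of the kind of check a marketplace can run on seller-supplied markup before publishing it. It allows a few harmless tags and rejects anything that runs script or sends shoppers to a log-in page, on another host or otherwise. The marketplace host name, the tag allowlist, and the two sample listings are constructed assumptions.

```python
"""Validate seller-supplied listing HTML before it is published.

Hypothetical marketplace check (not EBay's code): sellers may embed markup for
animation, so only a small set of harmless tags is allowed, and anything that can
run code or lead shoppers to a log-in page on another host is rejected.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the marketplace's own hosts and the tag allowlist.
MARKETPLACE_HOSTS = {"marketplace.example", "www.marketplace.example"}
ALLOWED_TAGS = {"p", "b", "i", "br", "img", "a", "div", "span", "marquee"}
URL_ATTRS = {"href", "src", "action"}


class ListingAuditor(HTMLParser):
    """Collects policy violations while walking the listing markup."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag not in ALLOWED_TAGS:
            # <script>, <iframe>, <form>, <meta http-equiv=refresh>, ... all land here
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            value = value or ""
            if name.lower().startswith("on"):
                # inline event handlers (onload, onmouseover, ...) execute script
                self.findings.append(f"event handler attribute {name} on <{tag}>")
            elif name.lower() in URL_ATTRS:
                self.findings.extend(self._check_url(tag, value))

    @staticmethod
    def _check_url(tag: str, value: str) -> list[str]:
        parsed = urlparse(value.strip())
        scheme = parsed.scheme.lower()
        if scheme in {"javascript", "data", "vbscript"}:
            return [f"script-bearing URL scheme in <{tag}>: {scheme}:"]
        # An absolute link to a host that is not ours sends shoppers off-site,
        # which is exactly how the bogus log-in screen in the text worked.
        if parsed.netloc and parsed.netloc.lower() not in MARKETPLACE_HOSTS:
            return [f"off-site link in <{tag}>: {parsed.netloc}"]
        path = parsed.path.lower()
        if "login" in path or "signin" in path:
            # Even on our own host, a listing has no business linking to a log-in page.
            return [f"listing links to a log-in page: {parsed.path}"]
        return []


def audit_listing(html: str) -> list[str]:
    """Return the list of policy violations; an empty list means publishable."""
    auditor = ListingAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample listings (not real ones).
BENIGN_LISTING = (
    '<div><marquee><b>Vintage camera</b></marquee>'
    '<img src="/images/cam.jpg"><a href="/item/123">More photos</a></div>'
)
# Mirrors the attack described in the text: markup that sends the shopper to a
# log-in page elsewhere, plus an inline handler that would run script.
BOOBY_TRAPPED_LISTING = (
    '<div onmouseover="location=\'http://evil.example/signin\'">'
    '<a href="http://evil.example/signin">Sign in to see the price</a></div>'
)

if __name__ == "__main__":
    for label, listing in [("benign", BENIGN_LISTING), ("trapped", BOOBY_TRAPPED_LISTING)]:
        print(label, audit_listing(listing) or "OK")
```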
The malware captured and copied the magnetic stripe card data right from the computer's memory before the system could encrypt and store it. Why would an HVAC contractor have access? Security expert and blogger Brian Krebs reports that it is common for large retailers to install on their systems temperature- and energy-monitoring software provided by contractors. HVAC companies need to update and maintain their software and are given access to the retailers' main systems so they don't have to endure delays in those updates. Access to the retailing system enabled the malware to spread to a majority of Target's cash registers, collecting information from debit and credit cards and sending it to various drop points in Miami and Brazil to be picked up later by hackers in Eastern Europe and Russia. [18]

Home Depot's story echoed that of Target from a year earlier. Logon credentials were stolen from a vendor that had access to Home Depot's system, and the same malware was unleashed to cash registers. Target's story motivated Home Depot to update its system, but the attack occurred before the company could complete all of the improvements. [19]

The attack at Anthem Blue Cross demonstrates that stealing high-level user names and passwords can provide quick access to large and important files. Target and Home Depot hackers had to wait until transactions were recorded to gain valuable information, which takes several days. But at Anthem, being able to download important employment and identity information from 80 million people at one pass was easy with the high-level passwords. Log-in credentials of lower-level employees would involve transaction-by-transaction data collection. Therefore, log-in accounts of executives need special attention, and their activities should be monitored regularly.

System Logs and Alerts

Early news reports of Target's hack outraged customers when it was revealed that the newly installed, state-of-the-art $1.6 million security system detected what was going on. It sent several warnings to the IT department, even before the first files were transferred, but those alerts were unheeded. [20] However, some security experts explain that there are perhaps hundreds of generic alerts each day, and it is difficult to follow up on every one. One expert was quoted aptly: "it is completely understandable how this happened." [21]

The Cost of Breaches

A Ponemon study places the cost of a data breach in 2015 at an all-time high, between $145 and $154 per lost or stolen record containing sensitive information. [22] If a breach exposes 100 million records, the costs could escalate to about $15 billion. Many firms facing such costs would be put in serious jeopardy. The Target breach cost $61 million in just two months, [23] $162 million a year later, [24] and potentially billions of dollars in damage control over the long run. [25] The CIO resigned, fourth quarter profit fell 46%, and revenue declined 5.3%. [26] The Home Depot breach cost $33 million (after insurance proceeds of $30 million reduced the initial outlays of $63 million), [27] and the company's stock price fell 2.1% the day after the breach was announced. [28] Sales were not affected, however, which might indicate that customers have become numb to these announcements. [29]

Notes
18. Brian Krebs, "Target Hackers Broke in Via HVAC Company," Krebs on Security (February 14, 2014), http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ (accessed June 22, 2015).
19. Shelly Banjo, "Home Depot Hackers Exposed 53 Million Email Addresses," The Wall Street Journal (November 6, 2014), http://www.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282 (accessed June 22, 2015).
20. Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It," Bloomberg Business (March 13, 2014), http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data (accessed August 25, 2015).
21. Joel Christie, "Target Ignored High-Tech Security Sirens Warning Them of a Data Hack Operation BEFORE Cyber-Criminals in Russia Made Off with 40 Million Stolen Credit Cards," http://www.dailymail.co.uk/news/article-2581314/Target-ignored-high-tech-security-sirens-warning-data-hack-operation-BEFORE-cyber-criminals-Russia-40-million-stolen-credit-cards.html (last accessed June 24, 2015).
22. Ponemon Institute, "2015 Cost of Data Breach Study," IBM, http://www-03.ibm.com/security/data-breach/ (accessed June 23, 2015).
23. Riley, Elgin, Lawrence, and Matlack, "Missed Alarms and 40 Million Stolen Credit Card Numbers."
24. PYMNTS, "How Much Did the Target, Home Depot Breaches Really Cost?" PYMNTS.com (February 26, 2015), http://www.pymnts.com/news/2015/target-home-depot-reveal-full-breach-costs/#.VYr_6EZZV34 (accessed June 24, 2015).
25. Christie, "Target Ignored High-Tech Security Sirens."
26. Associated Press, "Target's Tech Boss Resigns as Retailer Overhauls Security in Wake of Massive Payment Card Breach," Financial Post (March 5, 2014), http://business.financialpost.com/fp-tech-desk/cio/target-cio-resigns?_lsa=011c-8001 (accessed August 27, 2015).

The Impossibility of 100% Security

To obtain 100% security for an organization, a first step would be to list all of the potential threats, and the second step would be to obtain tools that would guard against them. However, as in our personal lives, the challenge would be overwhelming and the solution untenable. To keep ourselves completely safe and injury free, we would need thick steel walls and air bags around us not only when we drive but also when we run, walk, and even just sit at home.
We would avoid germs by spraying disinfectants on all surfaces, including our own skin, before touching anything. But paradoxes exist that make it impossible to be completely safe: we would want to be high on a hill to avoid floods but low in a valley to avoid lightning strikes. We learn quickly that it is impossible to be 100% safe, 24/7. Likewise, data stored in a firm would be easier to protect if they would just "stay still" and not be connected to the Internet. Although some paradoxes exist in locating the data, the security closest to 100% would be to place them in a remote area, removed from Internet access, and under several locks without any keys at all. In short, the closest we can get to perfect safety is to make data inaccessible. But this is not feasible. Just as we accept some degree of risk to our safety even when we move from the living room to the kitchen, management must accept some level of risk when it makes any part of its treasure trove of data accessible to even a single person inside or outside the organization. Wider data accessibility entails greater risk. Back in 1995, the late L. Dain Gary, former manager of the U.S. Computer Emergency Response Team (CERT) in Pittsburgh, appeared on an episode of 60 Minutes and let the public in on an unpleasant fact with a sobering statement: "You cannot make a computer secure. You can reduce the risk, but you can't guarantee security."[30] Because of the futility of seeking 100% security, many companies take out insurance policies to mitigate the financial impact of a breach. It is also important to consider the so-called "Paulsen's law," which states that information is secure when it costs more to get it than it is worth.[31] This is a good rule to remember: the role of management is to work with the IT function to make breaking in cost more than the information is worth. And stolen information is worth a lot.
A security expert reported that in 2014, stolen credit cards sold for between $1 and $50 each, depending on the type of card (e.g., platinum or silver, suggesting its credit limit) and expiration date. Of the 40 million Target credit card numbers stolen, about 2 million (5%) were sold at an average price of $20, yielding $4 million to the hackers. A member of a street gang who bought one of those cards for $20 could expect to make about $400 in purchases of gift cards and electronics.[32] Further, a complete identity-theft "kit" containing not only a card but also a social security number and medical information is worth far more, between $100 and $1,000 each on the black market.[33] The value is high because identity-theft information can be used to open new credit accounts again and again, generating quite a bit of revenue. Given the staggering volume they acquire, the hackers do not keep stolen credit cards or identity-theft information for their own use. They quickly sell them online to others all over the world, who use them before they are reported as stolen. Those cards even come with a return policy in case they are declined, because the black-market shops need to maintain their reputations. However, the guarantees come with a warning that they run out after only a few hours.[34]

One final discouraging word is important. A study by the Software Engineering Institute in 2002 revealed that over time, the knowledge needed by an intruder to mount an attack had reached an all-time low, whereas the potential impact of an attack had reached an all-time high.[35] Intruders' tools have not only become more sophisticated but have actually become user friendly. Automated tools can be purchased on the Deep Web, the part of the Internet that is not indexed by search engines and is reputed to be 400 times larger than the public Web. The sites of interest here, often called the dark web, are unindexed sites reachable only through the Tor browser, which is designed to provide anonymity and gives access to sites offering both legal and illegal items. Examples of illegal items offered are passports, citizenship, and even murders for hire.[36] Also for sale are tools that can scan for vulnerable systems, exploit the weaknesses found, and even generate viruses. Payment can reach hundreds of thousands of dollars and is usually made in Bitcoin, an electronic currency that is difficult to trace. The outlook is certainly grim, but some of the clues in the stories told here can provide prescriptions for management.

[27] PYMNTS, "How Much Did the Target, Home Depot Breaches Really Cost?"
[28] Hiroko Tabuchi, "Home Depot Posts a Strong 3rd Quarter Despite a Data Breach Disclosure," The New York Times (November 18, 2014), http://www.nytimes.com/2014/11/19/business/home-depot-reports-strong-third-quarter-growth-despite-data-breach-disclosure.html (accessed June 23, 2015).
[29] Anne D'Innocenzio, "4 Reasons Shoppers Will Shrug Off Home Depot Hack," USA Today (September 11, 2014), http://www.usatoday.com/story/money/business/2014/09/11/4-reasons-shoppers-will-shrug-off-home-depot-hack/15460461/ (accessed June 23, 2015).
[30] 60 Minutes, "E-Systems" (February 26, 1995).
[31] "Anything Made by a Man Can Be Hacked," DSL Reports (March 6, 2006), http://www.dslreports.com/forum/remark,15623829 (accessed September 15, 2015).
[32] Whitaker, "What Happens When You Swipe Your Card?"
[33] Tim Greene, "Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers," Networkworld (February 6, 2015), http://www.networkworld.com/article/2880366/security0/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html (accessed June 24, 2015).

What Should Management Do?

Five critical elements to build security, described earlier, are security strategy, infrastructure, policies, training, and investments.
Security strategy needs to come first, and top management must determine the general strategy as well as the investments that are needed. Infrastructure, policy, and training decisions have to be made in more detail, and these three areas are discussed next. Fortunately, general managers can easily understand the key issues for each of these elements and participate fully in the design and implementation of the resulting security plans.

Infrastructure

Hackers have significant tools to breach security barriers, as previously described. In this rapidly escalating cyber war, management must use its own set of technologies and specialists to reduce risk and increase security. Many firms employ a chief information security officer (CISO), described in Chapter 8, to keep abreast of new threats as they emerge and to manage the policies and education necessary to reduce risk. In other firms, this responsibility falls to the CIO or simply to the facilities security staff. Even with specialists, managers need a broad understanding of these tools to communicate effectively with them. Tools can be divided into two categories: those that protect against access by undesired intruders and those that protect storage and transmission. See Figure 7.3 for a list of common system tools to prevent access and their advantages and disadvantages, and Figure 7.4 for a list of common storage and transmission tools and their advantages and disadvantages. Passwords are by far the most popular security tool even though they have proven to be involved in most breaches. Some security specialists claim that passwords are obsolete and should be discontinued.[37] Also, all access protection tools have the disadvantage of requiring an additional access method if they fail.
For instance, because users often forget their passwords, firms must make additional investments in an automated resetting mechanism that works through an alternate channel, such as an e-mail to a known address or a text message to a mobile phone. That alternate channel then becomes part of the attack surface: whoever can read the user's e-mail or receive texts for the user's phone number can reset the password, so the channel needs protecting as carefully as the password itself.

[34] Aaron Sankin, "Inside the Black Markets for Your Stolen Credit Cards," The Kernel (September 28, 2014), http://kernelmag.dailydot.com/issue-sections/features-issue-sections/10362/inside-the-black-markets-for-your-stolen-credit-cards/ (accessed August 27, 2015).
[35] Howard F. Lipson, "Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues," Special Report CMU/SEI-2002-SR-009, http://www.sei.cmu.edu/reports/02sr009.pdf (accessed August 27, 2015).
[36] Nyshka Chandran, "From Drugs to Killers: Exploring the Deep Web," CNBC Technology (June 2015), http://www.cnbc.com/id/102782903 (accessed June 25, 2015).
[37] Justin Balthrop, "Passwords Are Obsolete," Medium.com (April 12, 2014), https://medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb (accessed June 24, 2015).

FIGURE 7.3 Common system access security tools and their advantages and disadvantages.

Physical locks
  Concept: Physically protect computing resources.
  Ubiquity: Very high.
  Notable advantages:
  • Excellent as long as the lock is highly secure and guarded.
  • Few criminals can access physical devices.
  Notable disadvantages:
  • Many popular locks can be picked with tools sold online.
  • Most information resources do not require physical access.
  • Users often lose keys or combinations.

Passwords
  Concept: A string of characters known only to the user.
  Ubiquity: Very high.
  Notable advantages:
  • Very high acceptance and familiarity.
  • Easy to use unless forgotten.
  • Mature best practices replace forgotten passwords (no longer a need to call the help line to reset).
  Notable disadvantages:
  • They prove to be poor by themselves.
  • They are sometimes forgotten.
  • They are sometimes captured by key loggers or social engineering.
  • They can be guessed by "brute force" software.

Biometrics
  Concept: Scan a body characteristic, such as fingerprint, voice, iris, head, or hand geometry.
  Ubiquity: Medium overall; popularized by the iPhone.
  Notable advantages:
  • Somewhat better than passwords.
  • Can be very reliable (e.g., iris scanning).
  • Cannot be forgotten.
  • Cannot be captured by key loggers or social engineering.
  • Can be quite inexpensive (e.g., voice, fingerprint).
  Notable disadvantages:
  • Can present false positives and false negatives (e.g., voice, facial recognition).
  • Some techniques are relatively expensive and intrusive (e.g., iris scanning).
  • Characteristics such as voice can change over time.
  • It can result in lost limbs.
  • Can create "loopholes," such as using a photo of a face or a fingerprint on paper.

Challenge questions
  Concept: Prompt with a follow-up question such as "model of first car?"
  Ubiquity: Medium overall; very high in banking.
  Notable advantages:
  • The answers are usually not forgotten.
  • Shuffling through several different questions can enhance security.
  Notable disadvantages:
  • Some answers can be derived from social network sites.
  • Some answers can be derived by those who know the user.
  • Spelling inconsistencies can be a nuisance.

Token
  Concept: A small electronic device that generates a new passkey at frequent intervals.
  Ubiquity: Low overall; very high in highly secure environments.
  Notable advantages:
  • Even if a passkey is stolen, the system is still secure once the passkey changes.
  Notable disadvantages:
  • Access requires physical possession of the token device.
  • If the device is lost, access is lost until a new one is obtained.
  • Alternative access control (e.g., a supplementary password) is essential if the token device is lost.

Text message
  Concept: Send a text message containing a passkey.
  Ubiquity: Medium.
  Notable advantages:
  • Even if a password is stolen, the system is still secure.
  • Mobile phone saturation is very high; no additional equipment is needed.
  • It is very useful when a password is forgotten.
  Notable disadvantages:
  • The home-phone option requires text-to-speech hardware/software.
  • Alternative access control (e.g., a password) is essential if the mobile device is stolen.

Multifactor authentication
  Concept: Couple two or more access techniques, for instance passwords and tokens, biometrics and follow-up questions, or passwords and text messaging.
  Ubiquity: … overall (first word illegible in the source); very high in banking and other high-security environments.
  Notable advantages:
  • It enhances security greatly.
  • Even if a password is stolen, the system is still secure (provided the second factor does not depend on the same password or delivery channel).
  Notable disadvantages:
  • It requires an additional authentication technique if one or more of the techniques fails.
  • Users might be tempted to use an easy password, which removes the advantage of a second factor.

FIGURE 7.4 Common storage and transmission security tools.

Antivirus/antispyware
  Concept: Periodically scan the state of the whole system to detect secret software that can either destroy data or report your activity to a server.
  Ubiquity: Very high.
  Notable advantages:
  • Products block known threats very effectively.
  • Products have a large database and can detect hundreds of thousands of patterns that reveal a virus.
  • Some products reveal a limited set of zero-day threats (brand-new outbreaks) by tracking suspicious behavior.
  Notable disadvantages:
  • Products sometimes slow down the device.
  • Products are not as effective against a clever zero-day threat.

Firewall
  Concept: Software-based (and sometimes hardware-based) filter that prevents or allows outside traffic from accessing the network.
  Ubiquity: High.
  Notable advantages:
  • Flexible; can block traffic from a particular user, device, method, or geography.
  Notable disadvantages:
  • It can filter only known threats.
  • It can have well-known "holes."

System logs
  Concept: Keep track of system activity, such as successful or failed log-in attempts, file alterations, file copying, file deletion, or software installation.
  Ubiquity: Very high.
  Notable advantages:
  • If an irregularity occurs, the IP address of the attacker could be discovered.
  • The extent of the irregularity can be estimated.
  Notable disadvantages:
  • Some anonymizing software can hide the true IP address of the attacker.
  • Some attackers erase or disable the logs.
  • Logs can be huge and difficult to wade through.
  • Some firms fail to inspect logs regularly.

System alerts
  Concept: The system detects unusual activity, such as scores of unsuccessful log-in attempts, log-ins from countries without any branches, alterations of files, or copying of files.
  Ubiquity: High.
  Notable advantages:
  • They help comb through logs more quickly.
  • Administrators can be alerted to an irregularity while it is occurring.
  • Many breaches can be detected this way* (high sensitivity).
  Notable disadvantages:
  • Many firms receive hundreds of alerts each day.
  • It is difficult to discern real attacks from false alarms (low selectivity).

Encryption
  Concept: The system follows a complex formula, using a unique key (a set of characters), to convert plain text into what looks like unreadable nonsense and then decodes it back to plain text when presented with the decoding key.
  Ubiquity: Very high.
  Notable advantages:
  • It is very difficult to use or read a stolen computer file without the key.
  • Long and complex keys would take years of computer time to break.
  Notable disadvantages:
  • The key offers no protection against an attacker who already knows the access password.
  • If the key is not strong, hackers can uncover it by trial and error.

WEP/WPA (Wired Equivalent Privacy and Wi-Fi Protected Access)
  Concept: Encryption applied to a wireless network.
  Ubiquity: Very high.
  Notable advantages:
  • The same as for encryption.
  • Nearly all modern user devices have the capability.
  • It provides a secure connection between the user's device and the WiFi router.
  Notable disadvantages:
  • The same as for encryption.
  • Some older devices might not be able to connect.
  • WEP is not secure yet is still provided for compatibility.

Virtual private network (VPN)
  Concept: Software provides a trusted, encrypted connection between your site and a particular server.
  Ubiquity: Medium.
  Notable advantages:
  • The trusted connection works as if you were connected at your office; it is useful for mobile workers.
  • Eavesdroppers cannot easily decrypt VPN communications.
  Notable disadvantages:
  • If the device is stolen while connected, the thief has access to all resources.
  • It sometimes slows the connection or complicates use.

* Vinod Khosla, "Behavioral Analysis Could Have Prevented the Anthem Breach," Forbes.com (February 24, 2015), http://www.forbes.com/sites/frontline/2015/02/24/behavioral-analysis-could-have-prevented-the-anthem-breach/ (accessed June 28, 2015).

A study in the United Kingdom found that 39% of IT professionals admit that passwords are the only IT security measure in their firms, and one-third believe that biometrics are likely to be in use within five years.[38] There is a general trend toward multifactor authentication, the use of two or more authentication methods to gain access. Examples are a password followed by a passkey sent to a mobile phone as a text message, or a password followed by a challenge question. Between 2013 and 2014, the share of organizations around the world using multifactor authentication increased from 30% to 37%, and the number continues to grow rapidly.[39] Fears of making log-in intrusive or less convenient likely factor into IT's reluctance to adopt multifactor authentication. For instance, in its "I'm a Mac" campaign in 2008, Apple poked fun at Windows Vista's "Cancel or Allow" prompts,[40] emphasizing the diminished convenience caused by security warnings.
Security and convenience are indeed generally at odds with each other,[41] but our current state of convenience is untenable over the long run, and the days of single-factor authentication using a password alone are undoubtedly going to become a distant memory. Not only access controls are important; the way that information is stored and transmitted also requires security tools. Figure 7.4 provides a representative list of those tools. Although these tools are likely to help limit security problems, managers also need to provide a strong security policy, as described in the next section.

[38] SecureAuth, "The Password's Pulse Beats On. Hackers Still One Step away from Your Information," SecureAuth.com (March 18, 2015), https://www.secureauth.com/Company/News/March-2015/The-Password%E2%80%99s-Pulse-Beats-On-Hackers-Still-One-St.aspx (accessed June 24, 2015).
[39] SafeNet, "More Enterprises Plan to Strengthen Access Security with Multi-Factor Authentication," SafeNet Survey Report (May 21, 2014), http://www.safenet-inc.com/news/2014/authentication-survey-2014-reveals-more-enterprises-adopting-multi-factor-authentication/ (accessed June 24, 2015).
[40] Renee Quinn, "Comparative Advertising: Mac vs. PC," IP Watchdog (November 16, 2008), http://www.ipwatchdog.com/2008/11/16/comparative-advertising-mac-vs-pc/id=268/ (accessed June 24, 2015).
[41] David Jeffers, "Why Convenience Is the Enemy of Security," PC World (June 18, 2012), http://www.pcworld.com/article/257793/why_convenience_is_the_enemy_of_security.html (accessed June 25, 2015).

Security Policy

Management needs to approach security in a way that expresses its importance and instructs users on what they need to do to achieve safety. Without sound management policy, access and storage technologies will be useless. If employees write their passwords on sticky notes and put them near their workstations, passwords will be ineffective from the start.
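Alerts are the clearest case of a tool that is useless without policy: Target's system raised warnings that nobody acted on because, as the experts quoted earlier note, a security team can see hundreds of generic alerts a day. A policy that every alert gets a named reviewer is only workable if the "System alerts" row of Figure 7.4 produces a handful of specific alerts rather than one per log line. The Python below is an added example (not from the textbook) of the aggregation that makes this possible: it reads key=value log lines, applies three of the rules the figure names (a burst of failed log-ins, a successful log-in from a country where the firm has no branches, and bulk copying of files), raises the severity for the executive accounts the chapter says deserve special attention, and emits one alert per rule and user. The log lines, the branch countries, and the privileged-account list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site facts (not from the textbook): countries where the firm has branches,
# and the executive/administrative accounts that get the extra scrutiny the
# chapter recommends.
BRANCH_COUNTRIES = {"US", "CA"}
PRIVILEGED_USERS = {"cfo", "dba_admin"}

FAIL_THRESHOLD = 20                 # "scores of unsuccessful log-in attempts"
FAIL_WINDOW = timedelta(minutes=5)  # ...within this long
COPY_THRESHOLD_MB = 500             # bulk "copying of files"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def constructed_log():
    """A small constructed log (not real data): one password-guessing burst
    against a vendor account, one executive log-in from a country with no
    branches followed by a bulk copy, and ordinary noise from a normal user."""
    lines = []
    t0 = datetime(2015, 6, 22, 2, 14, 0)
    for i in range(25):  # 25 failures in 48 seconds
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} event=login user=svc_hvac src=203.0.113.7 country=US result=FAIL")
    lines += [
        "2015-06-22T02:15:00 event=login user=svc_hvac src=203.0.113.7 country=US result=OK",
        "2015-06-22T03:01:10 event=login user=cfo src=198.51.100.4 country=RU result=OK",
        "2015-06-22T03:02:41 event=filecopy user=cfo path=/hr/identities.csv size_mb=320",
        "2015-06-22T03:03:05 event=filecopy user=cfo path=/hr/payroll.csv size_mb=410",
        "2015-06-22T08:30:00 event=login user=alice src=10.0.4.12 country=US result=FAIL",
        "2015-06-22T08:30:20 event=login user=alice src=10.0.4.12 country=US result=OK",
        "2015-06-22T09:12:00 event=filecopy user=alice path=/sales/q2.xlsx size_mb=4",
    ]
    return lines


def parse_line(line):
    """'<iso timestamp> key=value key=value ...' -> dict with a datetime 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def _alert(rule, user, detail, base_severity="medium"):
    severity = "high" if user in PRIVILEGED_USERS else base_severity
    return {"rule": rule, "user": user, "severity": severity, "detail": detail}


def detect(lines):
    """Run the three rules and return ONE alert per (rule, user), sorted by
    severity: this is the aggregation that keeps the alert queue reviewable."""
    fails, copied_mb, alerts = defaultdict(list), defaultdict(float), {}
    for ev in map(parse_line, lines):
        user = ev["user"]
        if ev["event"] == "login" and ev["result"] == "FAIL":
            fails[user].append(ev["ts"])
        elif ev["event"] == "login" and ev["country"] not in BRANCH_COUNTRIES:
            alerts[("foreign_login", user)] = _alert(
                "foreign_login", user, f"successful log-in from {ev['country']} via {ev['src']}")
        elif ev["event"] == "filecopy":
            copied_mb[user] += float(ev["size_mb"])

    # Burst rule: FAIL_THRESHOLD failures inside any sliding FAIL_WINDOW.
    for user, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts[("login_burst", user)] = _alert(
                    "login_burst", user,
                    f"{len(stamps)} failed log-ins, {end - start + 1} within {FAIL_WINDOW}")
                break

    # Bulk-copy rule: total volume per user over the log, not per file.
    for user, mb in copied_mb.items():
        if mb > COPY_THRESHOLD_MB:
            alerts[("bulk_copy", user)] = _alert("bulk_copy", user, f"{mb:.0f} MB copied")

    return sorted(alerts.values(), key=lambda a: (SEVERITY_ORDER[a["severity"]], a["rule"]))


def triage_constructed_log():
    """32 log lines in, 3 specific alerts out."""
    return detect(constructed_log())


if __name__ == "__main__":
    for a in triage_constructed_log():
        print(f"[{a['severity']:<6}] {a['rule']:<14} {a['user']:<10} {a['detail']}")
```

Thirty-two log lines become three alerts, two of them high because they involve the executive account, and the 25 failures against the vendor account collapse into a single "login_burst" instead of 25 separate warnings. The thresholds are the policy decision: lowering them raises sensitivity, and the figure's low selectivity is the price paid when they are set so that everything fires.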
Figure 7.5 provides a list of management policy tactics to prevent security weaknesses. Several of these policy areas are quite interesting. For instance, some managed security services provider (MSSP) firms offer the services of white hat hackers, who break into a firm's systems, with its permission, to help it uncover weaknesses. White hat hackers stand in sharp contrast to black hat hackers, who break in for their own gain or to wreak havoc on a firm. Grey hat hackers test organizational systems without any authorization and notify a company when they find a weakness. Although they can be helpful, what they do is nevertheless illegal.

Another interesting area is that of social media. We are still in the early stages of understanding the impacts of social media on employees and on firms themselves. Companies continue to set up policies about acceptable behavior on social media, including the appropriateness of sharing company secrets, security procedures, and personal information that could be linked back to a company. Given the large size of some firms, it is difficult to control personal behavior.

FIGURE 7.5 Commonly used management security policies.

Perform security updates promptly
  Concept: Make sure all security updates are applied as soon as possible.
  Notable advantages:
  • Most operating systems have automatic updates.
  Notable disadvantages:
  • Sometimes the added security causes some older applications to "break."
  • There is an option to prevent automatic updates.

Separate unrelated networks
  Concept: Disconnect distinct and unrelated parts of the network. For instance, Target's HVAC system should have been disconnected from the financial system.
  Notable advantages:
  • Protects one part of the system when another part is attacked.
  Notable disadvantages:
  • Sometimes there are connections that are unknown or unexpected.
  • Each part requires different log-in credentials, complicating its usage.

Keep passwords secret
  Concept: Forbid users from sharing passwords.
  Notable advantages:
  • If everyone complies, any activity on the site will be traceable to one user's access.
  Notable disadvantages:
  • It is harder if the user is on the road and needs an assistant to help with something.

Perform mobile device management
  Concept: Provide a BYOD (bring your own device) policy on permitted products and required connection methods.
  Notable advantages:
  • It will prevent, or at least allow IT to trace, potential security problems.
  Notable disadvantages:
  • It will restrict users to apps they might not wish to use.
  • It might restrict users to certain devices they might not desire to use.

Data policies
  Concept: Require disposal of e-mails and other documents of a certain age.
  Notable advantages:
  • Data that are not held cannot be stolen.
  • Legal liability is dramatically reduced by destroying memos and e-mails that can be taken out of context.
  Notable disadvantages:
  • Workers might be unable to refer back to the details of a previous successful assignment for guidance.

Social media management
  Concept: Provide rules about what can be disclosed on social media, who can Tweet, and how employees can identify themselves.
  Notable advantages:
  • It will prevent misrepresentation and confusion.
  • It will limit liability by avoiding errors.
  Notable disadvantages:
  • It might appear restrictive to workers.
  • It might appear to be meddling in workers' personal use of social media.

Managed security services providers (MSSP)
  Concept: Consultants who bring their expertise and checklists, most often to medium and large enterprises.
  Notable advantages:
  • They can help build a comprehensive security plan.
  Notable disadvantages:
  • They can be too expensive for a very small company.
  • They can provide a bewildering set of options.
But lacking policy, the damage from uncontrolled behavior can be high.

Education, Training, and Awareness

Users' behavior cannot be expected to change unless they are aware of security policy and tools, understand them, and know what to do. Merely dictating rules to employees and providing the required tools will not guarantee compliance. Security education, training, and awareness (SETA) can provide well-rounded preparation to users. This matters because 50%–75% of security incidents originate from within an organization. Researchers have found that SETA was effective in reducing IS misuse and that the severity of punishment was a more potent deterrent than the certainty of being caught. As one might expect, the researchers also found that monitoring behavior was quite important.[42] Each component of SETA is discussed next.

Awareness

Although awareness comes at the end of the SETA acronym, it is an important first step merely to let users know that security is a complex but important issue and that there are consequences when policies are not followed. Users must see the importance of the security policies and the need to use the appropriate tools. Awareness includes an explanation of what might occur if users are relaxed about security, as in the cases discussed in this chapter. Awareness creates attitudes, and researchers note that attitudes are important in predicting compliance. Importantly, users' feelings of efficacy (ability to comply) and normative beliefs (social pressure to comply) are both important for forming favorable attitudes toward compliance,[43] suggesting that the awareness stage is crucial for security success. Managers should be cautious not to overwhelm users all at once; this is where education programs can help.

Education and Training

Education provides frameworks, reveals concepts, and builds understanding. Training usually provides procedures to follow and practice in following them.
For example, 69% of company breaches have been discovered by outsiders, not insiders.[44] In some cases, customers complain of irregularities in their accounts, such as unauthorized charges. However, it takes time for that information to reach the breached firm, if it ever does; as the unsettling 60 Minutes interview revealed, after a hack Visa and MasterCard do not reveal which retailer was involved. Further, in the case of Home Depot, it took Brian Krebs to notify the firm after he saw its customers' credit cards for sale on Deep Web sites. He says he did some "detective work" and tracked the stolen cards to Home Depot.[45] Apparently, insiders do not always notice signals that might indicate a problem. Some of that can be alleviated through education. Users need to be educated about the potential for different types of suspicious activity, such as strange cars parked with the motor running, which might indicate tapping into a company's WiFi, or strangers standing near active equipment, which might indicate surveillance or a potential intrusion. Employees must be trained to make sure active equipment is watched and suspicious activity is reported. Training also instructs on powering down equipment, logging users out of systems, closing browser windows, and updating passwords (more recent guidance, such as NIST SP 800-63B, favors long passwords that are changed when compromised rather than on a fixed schedule).

In a recent alarming situation, a security researcher claimed on Twitter to have tapped into the avionics system through the entertainment system on an airplane, causing the plane to go into a brief, unscheduled climb. While on the plane, the person bent over and wiggled and squeezed the under-seat electronic box's cover to pry it off.[46] The person then attached a modified Ethernet cable to an open port in the entertainment equipment below two passenger seats. Although pilots were able to take over quickly in this situation, the FBI took his Tweet seriously.
42 John D' Arey, Anal Hovav, and Dennis Galletta, "Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research 20, no. I (March 2009), 79-98. 43 Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat, "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly 34, no. 3 (20!0), 523-48. 44 Mandiant, "M-Trends 2015: A View from the Front Lines," https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf (accessed June 24, 2015). 45 Whitaker, "What Happens When You Swipe Your Card?" '° Kim Zetter, "Is It Possible for Passengers to Hack Commercial Aircraft?" Wired (May 26, 2015), http://www.wired.com/2015/05/possible-passengershack-commercial-aircraft/ (accessed June 25, 2015). What Should Management Do? Ill . Subject Sample Educational Activities Access tools Advantages and limitations of passwords How to choose a password Why passwords should be complex and long How to change your password Bringing your own devices (BYOD) ---· - -·-·· ... 
- Social media ·--··-··-··---·- - How often passwords should be changed How to use multifactor authentication Strengths of multifactor authentication How to use a password manager Why there are rules What the rules are --····-·-···--·····--------- ···-· How to follow the rules --- -·-·----·-···--- ---··---··· -··-·--·-···· -- --···-·-·--···--- Why there are rules Examples of issues that have occurred in the past Vigilance Sample Training Activities What to do if something goes wrong -----··--···-----··------··-------··-··-····-- - --·---· ··-·-What to do in particular situations on social media How those issues could have been avoided What to do if you need help or clarification on an issue What signals you might see under certain situations (warning messages; phishing e-mails; customer complaints) Where and how to look for warning signs What physical intrusions look like What the signals mean Which pieces of equipment have ports (USB, ethernet) ······-···--·-----·-··-----·-·--- What to do when you see the various signals (for instance, a number to call or way to shut down) How to protect your laptop when traveling -··----------·------·-· FIGURE 7.6 Major areas for education and training. with examples. Agents seized the plane's equipment to investigate his claims and found evidence that boxes under his seat and under the seat in front of him on one of his flights had indeed been tampered with. 47 Had flight attendants been educated that this was the possible action of a hacker and been trained to notice passengers preoccupied with something below the seat, the hack might have been stopped earlier. See Figure 7.6 for a list of areas for education and training along with possible activities for each. New employee onboarding processes include education in security policies including vulnerabilities and the tools and practices used to avoid problems. Types and levels of passwords or other access tools should be described to employees. 
"Dos" and "Don'ts" of social media should be presented in a well-organized manner so they are understood, and these policies must be reinforced at regular intervals to ensure compliance. The goal of education is to avoid the consequences of phishing by helping individuals recognize these scams. There are certain "classic" signs of a phishing message:
• An e-mail or bank account is closed, and the user needs to click to log in and reactivate it.
• An e-mail inbox is too full, and the user is asked to click to increase storage.
• The user just won a contest or lottery and is asked to click to claim the prize.
• A user just inherited a fortune or will receive a commission to administer an inheritance after clicking to claim it.
• A product delivery failed, and the user needs to click to retry.
• An odd or unexpected Web address shows up when hovering a mouse pointer over a link in an e-mail.
• A familiar name in the "from" box is followed by an odd e-mail address.
• Poor grammar and spelling are in a note that purports to be from a large company.
• Goods or services are offered at an impossibly low price.
• An attachment is executable, often with an extension such as ZIP, EXE, or BAT.

[47] Evan Perez, "FBI: Hacker Claimed to Have Taken Over Flight's Engine Controls," CNN.com (May 18, 2015), http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/ (accessed June 25, 2015).

[Figure 7.7: Actual phishing message received February 21, 2015. The message text as shown in the figure (header: "Paypal customer", "View online"; the wording, including its errors, is the phisher's):]
  We Need Your Help
  Dear Customer,
  We need your help resolving an issue with your account. To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved. We understand it may be frustrating not to have full access to your PayPal account. We want to work with you to get your account back to normal as quickly as possible.
  Why my PayPal™ account is limited?
  We recently noticed a pattern of account activity that, in our experience, is usually high risk. For more information, see Restricted Activities identified in our User Agreement.
  What can I do to resolve the problem?
  It's usually pretty easy to take care of things like this. Most of the time, we just need you to verify your account. Click the link below. Please mark this email as "Not Spam" to enable link, if this email appears in your spam or junk mail.
  [Button: Verify your Account]

Even if the signals are not present, security experts recommend not clicking on any link or opening any attachment in an e-mail unless it was requested and expected from a known source. Unexpected e-mail, even from a known source, could spread viruses for any one of the following reasons: (1) the e-mail might not really be from the known source, and someone is spoofing (counterfeiting) the address; (2) the e-mail might come from the known source's computer but carry a virus, which will infect the recipient's computer; or (3) the e-mail might have been sent by a familiar person who doesn't know that a virus is attached. Opening the attachment or clicking the link would likely infect the recipient's computer and continue the spread of the virus to his or her contacts.

An actual phishing message received by one of the authors of this text on November 21, 2014, had the subject header "PAYMENT OF A CONTRACT/INHERITANCE FUNDS" (all caps in the original), and the first sentence was "We have expected receiving you in the office, but no one has ever head from you" (errors in the original). Another recent phishing message (Figure 7.7) was more believable but had some minor grammatical issues. Some messages are nearly flawless, looking identical to genuine ones from the named company, which makes it critical to suspect every link or attachment in any e-mail. Education programs describe phishing and spoofing and how to guard against clicking on dangerous links.
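Several of the "classic" signs above (the hover address that differs from the visible one, the familiar name followed by an odd address, the executable attachment, and the lure wording about limited accounts or prizes) can be checked mechanically before a user ever sees the message. The following is an added example written for this page, not code from the textbook: it runs those checks over two constructed messages, one modeled on the Figure 7.7 message and one benign receipt. The brand table, the regular expressions, and every address, domain and filename in the samples are assumptions made for the demonstration.

```python
# Added example (not textbook code): mechanical checks for the chapter's "classic" phishing signs.
import os
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Brand names users recognize -> domain their mail and links should use (assumed, curated list).
TRUSTED_BRANDS: Dict[str, str] = {"PayPal": "paypal.com"}
# Extensions the chapter names (ZIP, EXE, BAT) plus a few other common droppers (our addition).
EXECUTABLE_EXTENSIONS = {".zip", ".exe", ".bat", ".scr", ".js", ".vbs", ".hta"}
# Lure wording from the chapter's list of signs; the regexes themselves are ours.
LURE_PATTERNS: Dict[str, str] = {
    "account limited or closed": r"\b(limited|suspended|closed)\b[^.]{0,80}\baccount\b|\baccount\b[^.]{0,80}\b(limited|suspended|closed)\b",
    "verify your account": r"\b(verify|confirm)\b[^.]{0,40}\baccount\b",
    "prize or lottery": r"\b(won|winner|lottery|prize)\b",
    "inheritance": r"\binherit",
}
# Enough for the constructed samples; real mail needs an HTML parser rather than a regex.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def base_domain(url_or_host: str) -> str:
    """Naive registrable domain (last two labels) of a URL or bare host; fine for the demo."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = urlparse(url_or_host).hostname or ""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_signals(raw: str, brands: Dict[str, str] = TRUSTED_BRANDS) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for each phishing sign found in an RFC 822 message."""
    msg = message_from_string(raw)
    signals: List[Tuple[str, str]] = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = base_domain(address.split("@")[-1]) if "@" in address else ""
    branded = [b for b in brands if b.lower() in display_name.lower()]
    for brand in branded:  # Sign: familiar name in the "from" box followed by an odd address.
        if sender_domain != brands[brand]:
            signals.append(("spoofed-sender", f"'{display_name}' sent from {sender_domain}"))

    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:  # Sign: executable attachment.
            if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
                signals.append(("executable-attachment", filename))
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_type() == "text/html":
            for href, text in ANCHOR_RE.findall(body):
                text, target = re.sub(r"<[^>]+>", "", text).strip(), base_domain(href)
                # Sign: the address shown differs from where hovering says the link really goes.
                if text.lower().startswith(("http://", "https://", "www.")) and base_domain(text) != target:
                    signals.append(("misleading-link", f"shows {text}, goes to {target}"))
                # Sign: a brand-themed message whose links leave the brand's own domain.
                for brand in brands:
                    if (brand in branded or brand.lower() in text.lower()) and target != brands[brand]:
                        signals.append(("misleading-link", f"'{text}' goes to {target}, not {brands[brand]}"))
            body = re.sub(r"<[^>]+>", " ", body)
        texts.append(body)

    combined = " ".join(texts)
    for name, pattern in LURE_PATTERNS.items():  # Signs: classic lure wording.
        if re.search(pattern, combined, re.IGNORECASE):
            signals.append(("lure-phrase", name))
    return signals


# Constructed sample modeled on Figure 7.7: spoofed display name, look-alike link, ZIP attachment.
PHISH_SAMPLE = """\
From: PayPal <service@paypa1-secure.com>
Subject: We Need Your Help
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>We've temporarily limited what you can do with your account
until the issue is resolved.</p><p><a href="http://paypal.account-verify.example/login">Verify your Account</a></p>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign receipt for comparison: same brand, everything stays on its own domain.
LEGIT_SAMPLE = """\
From: PayPal <service@paypal.com>
Subject: Your receipt
Content-Type: text/html; charset="utf-8"

<p>You sent $12.00 to Example Store. Details at
<a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a>.</p>
"""
```

Running `phishing_signals(PHISH_SAMPLE)` reports a spoofed sender, a link that leaves the brand's domain, the ZIP attachment and two lure phrases, while the receipt produces nothing. The point is not the exact rules but the order of checks: the sender address and the link target are facts the mail client can verify, so they are tested before any wording heuristic, and a message is flagged on any single hard signal rather than on a score.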
Users must understand that opening a virus-laden Web page or file leads to "catching" the virus. Education programs might also cover the different types of threats and include training on how to avoid scams, the loading of key-logging software onto unsuspecting users' systems, and the breach of security measures already in place. Training would demonstrate how to examine a link, what cues to evaluate, and what to do if a site is suspicious.

SUMMARY
• Five key IT security decisions focus on security strategy, infrastructure, policies, training, and investments.
• Perpetrators (hackers) most often work from a great distance, over long periods of time, and not by accessing data center buildings in person.
• Of breaches, 80% are enabled by stolen passwords. Those passwords are obtained through phishing messages, cross-site scripting, weak passwords, key loggers, and evil-twin connections.
• The statistics are staggering: it takes 205 days for the average breach to be detected, and the longest breach recorded took 11 years to detect. The message is that hackers have plenty of time to figure out how to steal files. Also, 97% of all firms have been hacked, and the average cost of a data breach is estimated to range from $145 to $154 per stolen record containing sensitive information. Many breaches involve tens of millions of records.
• Perfect security of data and digital assets is not possible. However, there are best practices for reducing risks by using tools, implementing tactics (policies), and providing training (and education).
• Infrastructure technologies can limit access to authorized people and protect data storage and transmission.
• Policies need to be created to cover the need to install updates, separate unrelated networks, keep passwords secret, manage mobile devices, destroy data at the proper time, manage social media, and properly use managed security services providers.
• SETA refers to security education, training, and awareness, each of which has a specialized purpose.

KEY TERMS
antivirus/antispyware, biometrics, black hat hacker, challenge question, cross-site scripting (XSS), deep Web, encryption, evil twin connection, firewall, grey hat hacker, key logger, mobile device management, multifactor authentication, phishing attack, security education training and awareness (SETA), social media management, spoofing, token, weak password, white hat hacker, zero-day threat

DISCUSSION QUESTIONS
1. Did you change your shopping habits after hearing of the widespread breaches at Target, Home Depot, and dozens of other stores during 2013-2015? Why or why not?
2. Evaluate your password habits and describe a plan for new ones. Explain why you chose the new habits and how they reduce the risk of compromising your system's security.
3. Across all access tools listed in Figure 7.3, which have the most compelling advantages? What are the most concerning weaknesses? Provide support for your choices.
4. What is the likely future of access tools? Will they continue to be useful security measures? In your discussion, predict what you believe is the future of passwords.
5. What is an evil twin WiFi connection? What should you do to increase your security in a coffee shop the next time you want to connect?
6. Name three commonly used management security policy areas and describe an example policy for each area.
7. Create an outline for a training session to help your team avoid phishing. What would you include in that training session? What are some typical signs that an e-mail might be fraudulent?
CASE STUDY 7-1 The Aircraft Communications Addressing and Reporting System (ACARS)

On June 22, 2015, LOT, the state-owned Polish airline, had to ground at least 10 national and international flights because hackers breached the network at Warsaw's Chopin airport and intercepted the flight plans that pilots need before taking off. The grounding affected about 1,400 passengers and lasted over five hours before the problem was solved. A month earlier, United Airlines was reported to have experienced the same problem in the United States, and pilots reported bogus flight plans repeatedly popping up on the system. A consultant explained that the radio network that carried flight plans did not need authentication and was designed to trust the communications. A committee was then set up to develop a proposed standard for flight plan security.

Fortunately, the flight plan did not control the plane, and a pilot had to accept and enter the plan. A strange result, such as heading to a distant city in the wrong direction, would not be entered or accepted. Even if the bogus plan were entered and accepted by the pilot, there was no danger of collision or crash because of the fraudulent plans. Any changes received to the plan while in flight had to be confirmed with air traffic controllers, who analyzed the new plan for safety. Alarms would also indicate a possible collision.

Discussion Questions
1. Which of the two aircraft breaches is more serious: the breach described here or the breach created by the hacker (described earlier in the chapter) who took control of a plane's throttle briefly through the entertainment system and then tweeted about it? Why?
2. Which of the access controls and storage/transmission controls would be most helpful for the ACARS problem? The entertainment system problem? Why?
3. If password control is used to solve the ACARS weakness, what might hackers do next?
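The weakness in the case is that the link "did not need authentication and was designed to trust the communications": anyone who can transmit on it can inject a plan. As an added illustration of the transmission control that closes that gap, the sketch below, written for this page and taken neither from the textbook, nor from any airline system, nor from the committee's proposed standard, shows a flight-plan uplink protected with a keyed hash (HMAC-SHA256) and a sequence number, next to the trusting receiver that accepts whatever arrives. The message format, the pre-shared key, the tail number, the airport codes and the sequence rule are all assumptions for the demonstration; how the key would be provisioned to each aircraft is out of scope.

```python
"""Flight-plan uplink with and without message authentication.

Added example for this page; not ACARS, not any airline's system, and not the
proposed flight-plan security standard. Message format, key handling, the
sequence rule and the sample plan are assumptions made for the demonstration.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

Plan = Dict[str, object]


def trusting_receive(frame: bytes) -> Plan:
    """The situation in the case: whatever arrives on the link is taken as the plan."""
    return json.loads(frame)["plan"]


class GroundStation:
    """Sender side. Each uplink carries a sequence number and an HMAC-SHA256 tag
    computed with a key shared with one aircraft (key distribution is out of scope)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seq = 0

    def uplink(self, tail_number: str, plan: Plan) -> bytes:
        self._seq += 1
        body = json.dumps({"to": tail_number, "seq": self._seq, "plan": plan},
                          sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag


class Aircraft:
    """Receiver side. Rejects frames whose tag does not verify (forged or tampered),
    frames addressed to another aircraft, and frames whose sequence number does
    not advance (replays of an earlier genuine plan)."""

    def __init__(self, tail_number: str, key: bytes) -> None:
        self.tail_number = tail_number
        self._key = key
        self._last_seq = 0

    def receive(self, frame: bytes) -> Optional[Plan]:
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            return None  # no tag at all: the old, unauthenticated format
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # wrong key or modified body
        msg = json.loads(body)
        if msg.get("to") != self.tail_number or msg.get("seq", 0) <= self._last_seq:
            return None  # misdirected or replayed
        self._last_seq = msg["seq"]
        return msg["plan"]


def demo() -> Dict[str, bool]:
    """One genuine uplink and three attacks, against the trusting and the checking receiver."""
    key = b"constructed-demo-key-not-for-use"  # assumption: pre-shared per aircraft
    ground, plane = GroundStation(key), Aircraft("TEST-1", key)
    plan: Plan = {"route": ["EPWA", "EDDF"], "cruise_ft": 35000}  # constructed plan

    genuine = ground.uplink("TEST-1", plan)
    # An attacker on the radio link builds a plan in the same format but has no key.
    bogus = json.dumps({"to": "TEST-1", "seq": 99,
                        "plan": {"route": ["EPWA", "UUEE"], "cruise_ft": 35000}}).encode()
    forged = bogus + b"|" + hmac.new(b"guess", bogus, hashlib.sha256).hexdigest().encode()
    tampered = genuine.replace(b"EDDF", b"LFPG")  # flips the destination inside a real frame

    return {
        "trusting_accepts_bogus": trusting_receive(bogus)["route"] == ["EPWA", "UUEE"],
        "genuine_accepted": plane.receive(genuine) == plan,
        "forged_rejected": plane.receive(forged) is None,
        "tampered_rejected": plane.receive(tampered) is None,
        "replayed_rejected": plane.receive(genuine) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note what the tag does and does not do: it binds the plan to a sender who holds the key and to a position in the sequence, so a bogus plan, a modified genuine plan and a replayed old plan are all dropped before a pilot sees them, but it does not hide the plan's contents (that would need encryption, a separate control) and it is only as strong as the secrecy of the key, which is the point of discussion question 3.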
Sources: Kim Zetter, "All Airlines Have the Security Hole That Grounded Polish Planes," Wired (June 22, 2015), http://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/ (accessed August 25, 2015); and "Hackers Ground 1,400 Passengers at Warsaw in Attack on Airline's Computers," The Guardian (June 21, 2015), http://www.theguardian.com/business/2015/jun/21/hackers-1400-passengers-warsaw-lot (accessed June 26, 2015).

CASE STUDY 7-2 Sony Pictures: The Criminals Won

The Tech section in Forbes magazine reported that the "criminals won" in the Sony Pictures breach. An anonymous threat posted on an obscure site warned that people who watch the to-be-released movie The Interview would be "doomed" to a "bitter fate" and recalled the tragic events of September 11. The threat said that the movie inappropriately made light of North Korean officials. As a result of the threat, five large theater chains in the United States and Canada canceled plans to include the film on their screens. Ultimately, Sony had no choice but to cancel the theater release of the film, for reasons that were both economic and legal. The former was due to a lack of revenue given the small number of remaining theaters that might go ahead and run the film. The latter was driven by what would happen if an attack was carried out. A Steve Carell project that featured North Korea was also canceled.

The Guardian reported that a group named the Guardians of Peace retaliated against Sony. They hacked into Sony's systems and stole over 100 terabytes of files, including unreleased movies, Social Security numbers for thousands of Sony employees, and internal e-mails, some of which show embarrassing conversations between Sony employees. The hackers began distributing the files in various locations online, making them free for the taking. North Korean government officials denied any involvement in the hack but said that it might have been a "righteous deed" of those who support the government.

North Korean officials demanded some changes to the movie, including toning down a death scene of its leader. Sony initially refused but then decided to go ahead and edit the scene. The movie eventually opened without incident on a limited basis in some cinemas on Christmas Day and then was made available via online rental. According to the Mirror in the United Kingdom, neither the Department of Homeland Security nor the FBI could find evidence that the violence was a credible threat, but the FBI believed North Korea was behind the hacking. In turn, North Korea claimed that the U.S. government was responsible for creation of the movie.

Discussion Questions
1. Setting aside the political issues between North Korea and the United States, is there a reasonable way to respond to an anonymous threat found on the Internet somewhere? What elements would you require before canceling the film if you were CEO of Sony? If you were CEO of a chain of theaters?
2. What access and data protection controls would you recommend Sony use to provide better security for unreleased digital films and e-mails?
3. If you were a hacker, what approach would you have used to break into Sony's system? What do you think the most important SETA elements would be to prevent future hacker attacks against Sony or other media firms?

Sources: Dave Lewis, "Sony Pictures: The Data Breach and How the Criminals Won," Forbes Tech (December 17, 2014), http://www.forbes.com/sites/davelewis/2014/12/17/sony-pictures-how-the-criminal-hackers-won/ (accessed June 25, 2015); Oliver Laughland, "The Interview: Film at Center of Shocking Data Breach Scandal Opens in LA," The Guardian (December 12, 2014), http://www.theguardian.com/film/2014/dec/12/the-interview-sony-data-hack (accessed June 25, 2015); and Anthony Bond, "Sony Hack: The Interview WILL Be Released Despite Huge Cyber Attack Against Film Maker," Mirror (December 23, 2014), http://www.mirror.co.uk/news/world-news/sony-hack-interview-released-despite-4868965 (accessed June 25, 2015).

Tutor Answer

Overaltutor
School: Cornell University

Sony Hacking

Running Head: Case Report: Managing and using Information systems

Managing and using Information systems

Student Name

Course Name


Executive Summary

Sony's network was attacked in 2014 by the group referred to as the Guardians of Peace. They crippled Sony Pictures for days, and they extracted valuable information about the employees. According to the FBI investigations, North Korea was responsible for the attack on Sony, allegations that North Korea denies.

The findings from the FBI investigations suggest that North Korea was behind the attack (Wells, 2014). This is based on the analysis of the malware used in the attack, which was traced back to North Korea. The attack affected Sony badly, and some of the possible solutions to their plight would be to enforce a password policy, initiate data retention, adopt better policies on classified data, and respond to employee complaints on security.

The report concludes by stating that the company should install basic data protection policies, and that conforming to simple best practices can go a long way in protecting the reputation of the organization and protecting the sensitive information of countless employees. Some of the recommendations should be to limit logical access, reduce system vulnerability, and ensure proper security governance. These steps can be implemented through training, technology upgrades, and incident response.

Discussion

In November 2014, a group calling themselves the Guardians of Peace (GOP) hacked Sony's network, adding to a series of cyber-attacks and data theft (Lewis, 2014). The GOP crippled Sony Pictures for days, extracting terabytes of valuable data: information on employees, unreleased films, and private emails. Child (2014) alleges that the accusations were leveled against North Korea because they were retaliating to prevent the release of the upcoming movie The Interview.


The U...

Review

Anonymous
Tutor went the extra mile to help me with this essay. Citations were a bit shaky, but I appreciated how well he handled APA styles and how ok he was to change them even though I didn't specify. Got a B+, which is believable and acceptable.
