SPEAKER ONE • Introduction to cybersecurity and hacking. • What is cybersecurity? Give background information on the topic • Engage class with a short video explaining cybersecurity; afterwards ask class for questions. • https://youtu.be/JdfmV2KW11I INTRODUCTION • Cybersecurity involves the specialized mediations taken to upgrade the trustworthiness, secrecy, and protection of information in computer systems. • There are various ways persons can be deceived through phishing, pharming, or spoofing to giving away critical data about an organization. • There are three key components to consider when studying on security concerns in cybertechnology. These are: privacy, trustworthiness, and availability. KEY ELEMENTS IN CYBERSECURITY • Confidentiality is all about restricting unapproved persons from gaining access to private information in the context of cyberspace in an institution. • The integrity element is about the maintenance of data in its original form by preventing a hacker from modifying this data. • Accessibility ensures that information is easily available to the approved users only, therefore, there must be measures in place to make sure of this. CYBER-ETHICS, AND CYBERSECURITY • Cyber-ethics are the moral choices individuals make when using Internet capable devices. • It is important to adhere to copyright restrictions when downloading proprietary software online. It is also morally unethical to break into someone else’s computer. • It is also unethical to manipulate someone’s computer to a point that it is unusable by infecting it with viruses or worms. • It is also paramount to realize that the stealing of information from the Internet and claiming that it is yours is a violation of cyber-ethics. CYBER-SAFETY • Cyber-safety involves the making people aware on how their behaviors can contribute to the spread of malware. • It is essential to learn about the various ways persons can be tricked through these Internet-capable technologies, for instance, phishing, pharming, and spoofing. • It is also important to set boundaries on the kind of information to post online through turning privacy settings on. Not all information needs to be consumed by the public. CYBERSECURITY AS RELATED TO CYBERCRIME • It is important to note that not every crime in the cyberspace involves a breach or a violation of cybersecurity. Such crimes are like a pedophile using a computer to solicit sex from young children, or a person using an electronic device to pirate copyrighted music. • These crimes are illegal but they don’t necessarily mean that they involve insecure computer systems. • These cyber-assisted crimes are as a result of security flaws in computer system design. SECURITY AND PRIVACY • When discussing basic human rights and civil liberties, it is indistinguishable to separate between privacy and security. • In America, the Fourth Amendment on the right to privacy forms the basis to secure a person from physical intrusion of searches and seizures. • A primary concern to people using cyber-technology is privacy in regards to the control over personal information that can be accessed by organizations who may have legitimate reasons to using this information in order to make critical decisions. CLASS ACTIVITY • The class will watch a YouTube video on how cybersecurity works: https://youtu.be/JdfmV2KW11I • Questions from the class are highly appreciated. SPEAKER TWO • Present, expound and discuss the case study on the data breach in Adobe that affected 150 million user records. • Categories of cybersecurity. • Cloud computing and securing user data residing in the cloud. • Case study Smith v. Maryland (1979). • Engage class with this discussion CASE STUDY: ADOBE DATA BREACH • In a data breach first announced by Brian Krebs in his blog on October 3, 2013, Adobe said that hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. • Later that month, AnonNews.org posted a huge file that indicated that more than 150 million username and hashed password pairs were taken from Adobe (Krebs, 2013). • The Adobe breach involved the theft of source code for Adobe Acrobat, Adobe Photoshop, and Reader, as well as its ColdFusion web application platform (Hustad, 2013). CATEGORIES OF CYBERSECURITY • The three categories of cybersecurity are data security, system security, and network security. • For data security, one can secure data that resides in the computer databases, or that is transmitted between computer systems. • For system security, one can either secure hardware and operating system resources or secure application software and programs. • For network security, one can secure the infrastructure of privately owned networks, or secure the infrastructure of the internet. a. Data security • Information security alludes to the way of shielding data from unapproved access and information debasement all through its lifecycle. • Information has to be secured from both modification by and from access to unauthorized persons. • Data can reside in one or more computer storage devices or it can be from the transmission of data between two or more computer systems. Data that needs to be protected has to be either proprietary or sensitive. b. System security • Viruses, worms, and Trojan Horse malware can disrupt and potentially destroy computer systems. • Viruses are self-replicating pieces of software code that attach themselves to other programs, normally requiring human action to propagate. • Worms are self-replicating code that spread through the network and don’t require human intervention nor needing a host program. • A Trojan horse appears as a benign program, however, it does significant system damage in the background. c. Network security • The computer networks, from privately owned networks to the Internet, need to be protected and secured from attacks. • It is important to note that disruptions in the network can be due to a failure in the network infrastructure or from hackers who target the network through malicious malware. • Many countries depend on a secured cyberspace for their physical infrastructures like power grids making concerns over threats from international hacking groups which may be state-sponsored to increase. THE GHOST-NET CONTROVERSY • In 2009, the Information Warfare Monitor (IWM), a Canadian organization that monitors cyberespionage discovered a network of at least 1,295 compromised computers in 103 countries. Approximately 30% of these were considered high-value targets which included ministries of foreign affairs, embassies, international organizations, and news agencies. • The compromise was in ways that suggested that China was responsible. • The IWM report referred to the cyberespionage system as GhostNet because it resembled the ghOst RAT Trojan Horse malware that was traced to Hainan, China. • The report concluded that the discovered activities should serve as a warning to policy makers that network security requires serious attention. CLOUD COMPUTING AND SECURITY • According to the National Institute of Standards and Technology (NIST), cloud computing is defined as a model that enables on-demand availability of computer system resources like servers, storage, or applications through an ubiquitous network access to a shared pool of configuration. • The deployment models for cloud computing are: private, community, public, and hybrid cloud. • Cloud computing provides important services models which are: software as a service (SaaS), Platform as a service (PaaS), and Infrastructure as a service (IaaS). SECURING USER DATA RESIDING IN THE CLOUD • Currently, users have limited control over their data with very little direct knowledge about how their information is transmitted, processed, or stored. Also can a user deny access to own data? • Another concern about cloud computing is data integrity, for instance, what happens to users’ data in the event that a host company goes out of business. Users are also concerned on who actually owns the data stored in the cloud. • The cloud, with all these concerns, offers flexibility and security to users since they don’t need to worry about how to protect their data. CASE STUDY: SMITH V. MARYLAND (1979) • A the request of the police, a telephone company installed at its central offices a pen register to record the numbers dialed from the telephone at the petitioner’s home. Prior to his robbery trial, the petitioner moved to suppress all fruits derived from the pen register. • The Maryland trial court denied this motion holding that the warrantless installation of the pen register did not violate the Fourth Amendment. The Petitioner was convicted and the Maryland Court of Appeals affirmed. • It was held in the case of Smith v. Maryland that the installation and use of the pen register was not a search within the meaning of the Fourth Amendment, and hence no warrant was required. CLASS ACTIVITY: DISCUSSION QUESTIONS • What is cybersecurity? • When we look at the GhostNet controversy, what kind of actions should sovereign nations take against countries that engage in cyberespionage? • In the case study of the data breach in Adobe that affected 150 million user records, discuss on how cybersecurity relates to privacy. • Discuss the case study Smith v. Maryland (1979) and how it relates to the right to privacy. SPEAKER THREE • Explain ethical hacking in detail as illustrated in this video: https://youtu.be/_BSlzCjlSMA. • Is hacking providing society with an important service? • Should information be free? What information a company can store from users that can be considered proprietary or free to use. • Does hacking do real harm or only virtual harm? • Engage class with this discussion. HACKING • A hacker refers to a person who finds weaknesses in a computer network and uses it to gain access to the system. • A cracker (black hat hacker) uses their hacking skills for harmful purposes whereas an ethical hacker (white hat hacker) is employed or contracted to do penetration testing to check for vulnerabilities in the computer systems. • There are several phases of hacking which include the reconnaissance or foot printing, scanning, gaining access, maintaining access, and clearing tracks (Reddy, 2018). WHITE HAT HACKER • White hat hackers are ethical hackers who could be paid employees or contractors working for companies as security specialists attempting to find security holes through hacking. • They perform penetration testing, test-in-place security systems, and vulnerability assessments for companies. • There are a lot of certifications and courses for ethical hacking. BLACK HAT HACKER • Black hat hackers have extensive knowledge about breaking into computer networks and bypassing security protocols. • The biggest motivation for black hat hackers is financial gain, although they are involved in cyber espionage, hacktivism, or thrilled by cybercrime. • These hackers, not only do they seek to steal data, but also to modify and destroy this data. GREY HAT HACKER • Grey hat hackers look for vulnerabilities in a system without the owner’s permission or knowledge. If they discover issues in the system, they report them to the owner at a fee to fix the issue. • If the owner doesn’t comply to the demands, these hackers will post the weaknesses online for anyone to see. • Normally these type of hackers aren’t malicious and may not exploit the found vulnerabilities to their advantage, however, it is still illegal since they don’t have permission from the system owners. a. Phases of hacking: Foot-printing • This is the process of gathering information about the target. • There are several methods for this reconnaissance process like using search engines, email, DNS records, WHOIS, or social engineering. • Hackers may extract information from email headers like the sender and receiver mail address, timestamp, and IP addresses to send Trojan horse applications to the target’s server. • A WHOIS query will provide information about the server for example the creation dates and contact details of the admin (Reddy, 2018). b. Phases of hacking: Scanning • There are three types of scans used: port scan, network scan, and web application scan. • The port scan is used to find open, closed, and filtered ports present in the computer network system. • The network scan is used to find the topologies of the network system. • The web application scan is used to find the vulnerabilities present in a website. • To protect from these scans, the use of firewalls and packet filtering is important. It is also essential to close all unwanted ports in the network system (Reddy, 2018). c. Phases of hacking: Gaining access • Once access is gained, several vulnerabilities will be tested by the hacker, like the SQL injection, cross site scripting, session hijacking, and cross site request forgery denial of service. • If a vulnerability is found, the hacker will use it to their advantage (Reddy, 2018). d. Phases of hacking: Maintaining access • The hacker will want to maintain access once in the system. • They do this through creating backdoors to enter the system whenever they feel like in the future (Reddy, 2018). e. Phases of hacking: Clearing tracks • The aim is to erase everything they have done in the process of gaining access to the system. • They want to throw off their scent when it is discovered that a breach may have happened (Reddy, 2018). HACKER ETHIC • The hacker ethic is based on three principles: information should be free, hackers provide society with a useful and important service, and activities in cyberspace are virtual in nature and thus do not harm real people in the real world. • According to Pekka Himanen in 2001, the hacker ethic can be said to be a work ethic that can be contrasted to the Protestant Work Ethic a phrase originally coined by Max Weber. SHOULD INFORMATION BE FREE? • Proponents of information should be free view proprietary systems as obstacles to a free Internet where everyone would have total access to information. They argue that any information that needs to be public, should be made freely available. • However, according to Eugene Spafford in 2007, if information were free, the privacy aspect in cybersecurity would be gone since nobody would have control over how private information was gathered and used. HACKERS PROVIDE SOCIETY WITH AN IMPORTANT SERVICE • There are claims by hackers that they provide an essential service for society by exposing security holes in cyberspace. • This rationale claims that hackers are doing society a favor by pointing out security flaws thus those responsible to maintain cybersecurity can fix them. • Eugene Spafford counters this argument with analogies of thanking a criminal for doing a crime then wanting to be thanked for exposing a security inadequacy that led to the ease of crime. DOES HACKING CAUSE REAL HARM? • Cyberbullying has seen a large number of people commit suicide which is a real statistic. • When it comes to hacking, the illegal intrusion to a computer system and damaging the data integrity through cyberspace can really cause harm to a company. This could be reputational harm or losses attributed to this hack • Ethical hackers may argue that they help identify abuses of power by content providers on the Internet thus reduce the degree of harm that can be caused. ARE COMPUTER BREAK-INS EVER ETHICALLY JUSTIFIABLE • Computer break-ins always cause harm, therefore, they are ethically unjustified. • Instances like when a vital medical data is needed for an emergency but resides in a computer whose owner cannot be located, may entail breaking into the computer. • This discussion brings forth the argument of whether certain non-malicious hacking ought to be legally permissible, and justifiable through moral grounds. CLASS ACTIVITY: DISCUSSION QUESTIONS • Should information be free? • Is hacking providing society with an important service? • Does hacking do real harm or only virtual harm? • What information can a company store from users that is considered proprietary or free to use? • Is it ethical that users’ information should be hacked and be in access to unauthorized persons who can use or sell it? SPEAKER FOUR • Explain cyberterrorism, information warfare, and hacktivism. • Analyze operation payback attack, and the Olympic Games operation. • Extend by discussing how in learning cyber-technology and ethical concepts, cybersecurity comes into play. • The future of cybersecurity: https://youtu.be/ZENOIh4L54E CYBERTERRORISM • Dorothy Denning in 2004 describes cyberterrorism as a convergence of terrorism and the cyberspace. • This means that politically motivated hacking operations are carried out with the intention to cause great harm that could lead to loss of lives or grave economic loss. • It is good to note that it is extremely difficult to know whether a case is of malicious hacking or an act of cyberterrorism. It is also possible that a computer network disruption was caused by a system failure in either the hardware or software of the system. CYBER-TECHNOLOGY AND TERRORIST ORGANIZATIONS • Members of Al Qaeda were found to using highly sophisticated computer devices, while communicating through email, days before the attack on the Twin Towers of the World Trade Center. • There is evidence that these terrorist groups are interested in conducting cyberattacks. There is also evidence to suggest they have at least some capability to carry out such attacks, and are currently training online on developing necessary skills. HACKTIVISM • This is the behavior where hackers with some particular political agenda want to prove a point through conducting cyber intrusions in major e-commerce websites. • Hackers are never viewed as hacktivists, rather as vandals and saboteurs. • The defacing of a website through this hacking can cause information property damage that can be analogous to physical property damage, therefore, hacktivism in a large degree could be considered as cyberterrorism. OPERATION PAYBACK ATTACK • In January 2012, a hacktivist group known as Anonymous launched a series of DDoS attacks against commercial and government websites in response to the taking down of Megaupload (a massive file-sharing site) by the US Department of Justice. This attack was called Operation Payback. • Anonymous also supported the coordinated January 18 online protest against two controversial legislative proposals in the US Congress: PIPA (Protect Intellectual Property Act) and SOPA (Stop Online Piracy Act). • While most proponents of the online protest used non-disruptive tactics, Anonymous launched DDoS attacks against supports of the PIPA and SOPA bills like Recording Industry Association of America (RIAA), Motion Picture Association of America (MPAA), US Copyright Office, and Broadcast Music, Inc. (BMI). INFORMATION WARFARE (IW) • To distinguish from cyberterrorism, IW includes cyberattacks that send misleading information to an enemy. • In as much as IW is disruptive and regularly destructive, it does not lead to economic loss or the loss of lives. • IW normally is launched by sovereign nations as opposed to rogue political organizations and terrorist groups. CONSEQUENCES OF NATIONS ENGAGING IN IW • Should the American government be worried about possible repercussions for its involvement in the Olympic Games operation? • There is a question to whether America’s infrastructure and commerce will become focal points of retaliation for its IW activities in the Olympic Games. • Another espionage tool called the Flame virus can be used to eavesdrop on data traffic, take screenshots, and record audio and keystrokes. According to Vitaly Kamlyuk (a security and malware expert at the Kaspersky Labs in Russia) in 2012 said that the Flame may be the most powerful computer virus in history since it universally attacks any device as a tool for cyberespionage. THE OLYMPIC GAMES OPERATION • In June 2012, The New York Times reported that America and Israeli governments had been cooperating on an initiative dubbed Olympic Games. It was developed during George W. Bush’s administration. • It aimed at disrupting Iran’s uranium enrichment program thus damaging Iran’s nuclear capability. • A cyber-weapon known as Stuxnet which was a worm allegedly responsible for sending misleading data to computer monitors in Iran, and causing several of that nation’s centrifuges to spin out of control. • According to Nakashima and Warrick in 2012, the Stuxnet attack is estimated to have destroyed approximately 1,000 of Iran’s 6,000 centrifuges. RISK ANALYSIS • Risk analysis is used in a wide range of sectors, for instance, banks can tolerate a considerable amount of credit risk because they know how to anticipate losses and how to price their services accordingly. • The ethical implications affecting risk analysis in the context of securing the national infrastructure are significant since they affect the public safety and can result to a significant loss of human lives. • It is not clear where moral responsibility to ensure cybersecurity lies, whether the private sector should pay to enhance security for their computer systems, or the obligation should be for the government. DE-PERIMETERIZATION OF INFORMATION SECURITY • Wolter Pieters and Andre van Cleeff in 2009 argue that the information security landscape has now spanned boundaries of multiple parties and they cross the security perimeters that these parties have put in place for themselves. • Pieters and van Cleeff argue that adequate cybersecurity can’t be achieved by building a digital fence around a single organization. • IT security has become de-perimeterized because many organizations outsource their information technology processes. THE FUTURE OF CYBERSECURITY • The next generation of cyber-technology will be highly focused on artificial intelligence. • Protecting systems using passwords will become a thing of the past, with highly sophisticated biometric verifications constantly updated to confirm authorized users. • The line between cybersecurity and privacy will be blurred since highly personalized details will be required to maintain this cybersecurity. • The rise in Internet of Things with a large number of interconnected devices will expose people to cyber attacks at an increasing rate, therefore, regular monitoring and detection of these attacks in real time will be the focus of capable automated systems cybersecurity in the future. CLASS ACTIVITY • The class will watch and digest the contents of this YouTube video on the future of cybersecurity: https://youtu.be/ZENOIh4L54E • Questions from the class will be appreciated. REFERENCES • Krebs, B. (2013). Adobe Breach Impacted At Least 38 Million Users — Krebs on Security. Retrieved 11 May 2020, from https://krebsonsecurity.com/2013/10/adobe-breachimpacted-at-least-38-million-users/ • Hustad, K. (2013). Hackers access Adobe’s source code, plus 2.9 million customer accounts. Retrieved 12 May 2020, from https://www.csmonitor.com/Technology/2013/1004/Hackers-access-Adobe-s-sourcecode-plus-2.9-million-customer-accounts • Reddy, P. (2018). Cyber Security and Ethical Hacking. International Journal For Research In Applied Science And Engineering Technology, 6(6), 1770-1774. doi: 10.22214/ijraset.2018.6261
Purchase answer to see full attachment