Book Report: Cyberphobia
Many people take a relaxed attitude toward cybersecurity. However, cyberspace is as
dangerous as an accident at a crossroads or an aircraft crash. Edward Lucas responds to this in
his book Cyberphobia, where he lays bare the cyber threats people face, terms cyberspace an
insecure zone and carefully proposes safety measures for users. The book argues that people
are becoming dependent on computers faster than they are able to envision the threats they
expose themselves to in cyberspace. Criminals and other malicious people are capable of
gaining unauthorized access to information that may be critical in destroying individuals,
businesses or governments. Lucas makes it clear that cyber-security is not just a technical
issue but also a concern that needs a comprehensive strategy. The book addresses humans
rather than machines by suggesting a behavioral modification of habits that compromise safety,
freedom, health, and happiness while online. The primary objective depicted in the book is to
resolve the cyber-security problem through sensitization and education of the end user. This
paper reports on Edward Lucas's book Cyberphobia (Lucas, 2015), detailing its plot, context
and effectiveness, and offering a view on that context.
In his book, Edward Lucas condemns the prevailing attitude towards cyber-security. People
think and hope that passwords are adequate to protect their information; however, passwords
are no obstacle to malicious internet hooligans, who have developed strategies to get past them
while maintaining anonymity. The intention behind the internet was to design a system that
made information sharing easier and faster; it has become an information superhighway and a
provider of invisibility for those seeking it. As more people depend on the Internet and
smartphone technologies, anonymity gives malicious information predators the ability to
infringe on the privacy of others. The number of victims of identity and personal information
theft is increasing; criminals wipe out banks and max out credit cards. Moreover, stolen
information is even traded on black markets. Some daring criminals also hack national systems,
compromising national security and the economy at large. For these reasons, people should
track and cover their activities online and focus on targeting cyber-criminals to decrease the
traumatic experience.
Lucas fills his book with numerous examples and demonstrations of how easy it is to
attack the internet. For instance, he states that free sites like Facebook and LinkedIn sell user
data to advertisers, which enables hackers to infringe without working hard to obtain access.
Lucas notes that phishing campaigns, such as fake emails, links and downloadable attachments,
can install malware on the user's device that can decode personal information. He is keen to
use fictional characters, as in the case of Chip and Pin Hakhett, a couple who took great
precautions in real life but none on the internet, so that a hacker tricks them easily, with a
devastating aftermath. The characters not only serve as a real-life example to help the
reader comprehend better but also break the boredom in the literature. In another instance,
Lucas uses first-person interviews and other primary sources to support his information. For
example, he cites Gameover Zeus components, which claimed close to a million computers as
well as more than $100 million in financial damages. However, the indictment against its
administrator went unsealed despite the documents from the authorities containing direct clues
to the scheme. Such narratives evoke a change in attitude in the reader when the extent of potential
damage is laid bare. Moreover, by sourcing evidence to support his claims, Lucas readily
convinces the reader of the reliability and accuracy of the information in the book. Again, such
narratives draw the attention of the reader by cultivating interest while simultaneously
imparting the intended knowledge.
Furthermore, Cyberphobia is ideal for cyber novices, as the author, Edward Lucas, touches
on the basics that people usually encounter, may ignore or are not aware of (Chon, 2015). He
slows the pace for the reader by introducing botnets and service attacks step by step, whether
the reader is an IT wizard or a technophobe. The book highlights simple procedures for
self-protection; for instance, the author indirectly shows the importance of installing
"patches" to plug gaps in software. However, since an old computer may be slow, freeze or give
instructions to wait, the user gets impatient and ignores it all. Unknown to them, the
unpatched (out-of-date) software creates a potential loophole for attackers. No matter how dull
the process may be, it is ill-considered to ignore it. Exploring such simple but easily
dismissed situations makes the book effective, as the reader can relate to the scenarios and be
enlightened to take the necessary action.
On another note, in addition to exploring the dangers, the book recommends possible
solutions for winning the information war. According to Lucas, anyone present in cyberspace
is vulnerable to malicious attacks. Therefore, he points to simple tools such as search engines
and government-issued electronic IDs for online banking to make unauthorized access
harder. Edward Lucas is critical of tech norms and ready to ruffle geek feathers over what he
terms the cynicism of online openness and anonymity. He urges the masses as
well as the authorities to get real about tech security and embrace rigorous models such as
those of infection control and aviation to restore freedom in cyberspace. He also recommends
national strategies for tracking transgressors to keep them in check, and user consciousness
while interacting with the Internet.
While the book is quite impressive, it is a little too long at 264 pages, which may
make it taxing for a genuine reader to obtain the needed information. Secondly, Lucas uses
rather complex technical language, which may be incomprehensible to a layperson. Cyberphobia
follows the pattern of much technological literature: while specialists may find many
technology books exciting and a handy reference, a technophobic person may find the content
hard to follow and be left with a consistently difficult burden of interpretation. Nevertheless,
there are several real-life examples and illustrations that even the layman may relate to and
that introduce the cyber-security issue. Moreover, the book covers a variety of problems that
open new topics of discussion and a broad range of information. It covers foreign spying,
identity, ransomware, vulnerabilities, and politics. The blend of subjects creates a broad
framework of information useful for comprehensive knowledge and capable of furthering
future research on Cyberphobia.
In conclusion, Edward Lucas illuminates the distressing problems threatening our security
every passing second at both the individual and national level. He lays out the uncomfortable
truth in a spiteful tone toward the norms people continue to embrace that jeopardize
cyber-security. The book outlines numerous case studies depicting the complacency, examining
previous evidence of damage caused and the possible future outcomes if nothing is done. Also, the
literature creates urgency on the matter by comparing the fatality of cyber-security issues to
automotive tragedies in transport systems. It recommends that, just as strong regulations
govern road safety and protect road users, so should controls be instituted to protect the user
in cyberspace. Furthermore, he strongly supports online behavior change to initiate the entire
process. On the other hand, the book's downside, that it is lengthy and incomprehensible to
laypersons, is overshadowed by its educational value. Evidently, Lucas is compelling, since
complacency and carelessness on the Internet work in favor of digital foes. Lastly, the context
is relevant as it raises a necessary alarm in today's society and prescribes bold resolutions to
the concerns.
References
Lucas, E. (2015). Cyberphobia: identity, trust, security and the Internet. Bloomsbury Publishing.
Cyber Security
Research Paper
Abstract
More than 40 million credit cards were stolen from about 2000 Target stores by accessing data
on point-of-sale (POS) systems. This paper investigates the issues that caused the Target
breach and considers the critical controls that could have been used both to prevent this breach
and to mitigate losses. Several factors led to the data breach: vendors were subject to
phishing attacks, network segregation was lacking, point-of-sale systems were vulnerable to
memory-scraping malware, and the detection strategies used by Target failed. A possible
solution for preventing and mitigating similar breaches using a defense-in-depth model is
presented, based on a multilayered security strategy.
Introduction
Between 27 November and 15 December 2013, Target was the subject of a data hack at its stores in the
US. As many as 40 million customers saw their credit and debit cards become subject to potential fraud
after malware was introduced to the POS system in almost 1,800 stores. On 19 December, the
company publicly acknowledged the breach for the first time, one day after the story was revealed
by the media. Target said the breach was being investigated and that customers' names and payment card
details, including card expiry dates and encrypted security codes, had all been obtained. The following
day, the retailer revealed that early reports of credit card fraud arising from the breach were few
and far between, as it tried to generate some good PR by offering customers 10% off pre-Christmas in-store
purchases. After the festivities had passed, on 27 December, the company revealed that encrypted PINs
had also been accessed in the breach, though it stated that the actual PINs remained secure (Baldwin,
H. 2014).
Criminals could sell data from these cards through online black-market forums known as "card
shops." These sites list card data including the card type, expiration date, track data (account data
stored on a card's magnetic stripe), and issuing bank. The banks often have not had sufficient time to
identify and cancel compromised cards. Those buying the data can then make and use counterfeit cards with
the track data and PIN numbers stolen from credit and debit card magnetic stripes. Fraudsters
often use these cards to buy high-dollar items, and if PIN numbers are available, the criminals
can withdraw a victim's money from ATMs. Based on a reading of underground forums,
hackers might attempt to decrypt the stolen Target PIN numbers. On January 10, 2014, Target
revealed that non-financial personal data, including names, addresses, telephone numbers, and
email addresses, for up to 70 million customers was also stolen during the data breach (Clark, M. 2014).
Detail of Attack
On January 12, Target CEO Gregg Steinhafel confirmed that malware installed on point-of-sale
(POS) terminals at U.S.-based Target stores enabled the theft of financial data from 40
million credit and debit cards. The malware used a so-called RAM-scraping attack, which
allowed the collection of unencrypted, plaintext data as it passed through the infected POS machine's
memory before transfer to the company's payment processing provider. According to reports by
Brian Krebs, a customized version of the BlackPOS malware, available on black-market cybercrime
forums for between $1,800 and $2,300, was installed on Target's POS
machines. This malware has been described by McAfee's Director of Threat Intelligence Operations as
"completely unsophisticated and uninteresting" (Clark, M. 2014). The Target breach is an example that
illustrates how remote attackers use third parties' information to find a port of entry into the Target
system. Rapid change in IT models, such as cloud data, networking, a variety of credit card
providers and mobile points of sale, makes security systems ineffectual and unprofitable (Pham, T. 2014).
This assessment contrasts with the statement of Lawrence Zelvin, director of the Department of
Homeland Security's National Cybersecurity and Communications Integration Center, who describes the
malware used in the attack as incredibly sophisticated. Over the following weeks
attackers were able to collect more than 11 GB of stolen data using a Russia-based server. Analysis of the
malware by Dell SecureWorks found that the attackers exfiltrated data between 10:00 a.m. and 6:00
p.m. Central Standard Time, probably to obscure their work during Target's busier shopping hours. Other
sources describe a variety of external data drop locations, including compromised servers in Miami and
Brazil. The 70 million records of non-financial data were included in this theft, but public
reports do not make clear how the attackers accessed this separate data set. Risk management assessment and
security needs depend on the causes of damage to an organization and on compliance with legal standards in
the information security sector (Radichel, T. 2014).
Data breach cost
Target revealed that it has booked $162 million in expenses across 2013 and 2014 related to
its data breach, in which hackers broke into the company's network to access credit card data and other
customer data, affecting some 70 million customers. The figure, revealed in the
company's Q4 earnings release, includes $4 million in Q4, and $191 million in gross expenses for
2014, as well as $61 million gross for 2013. Target says that the gross number was offset in
part by insurance receivables of $46 million for 2014 and $44 million for 2013. Banks
refunded most funds stolen from credit and debit cards, but fraud was at an all-time high
in the first half of 2014 because of large data breaches including Target's. More than 140
lawsuits have been filed against Target. Banks sued Target's PCI compliance auditor, Trustwave.
Target is dealing with investigations involving the Department of Justice, the FTC and the SEC (Michaels,
2014). Individual state laws may result in fines and legal proceedings far beyond PCI compliance
fines. States are passing considerably stricter laws as a result of recent breaches. Profits dropped 46%
in the fourth quarter of 2013 during the critical Christmas season. Overall, Target posted revenues of $21.8
billion, beating analyst estimates, and adjusted earnings per share of $1.50, beating its guidance. The
company also recorded a pre-tax loss of $5.1 billion related to the company pulling
out of operating in Canada. In pre-market trading, the company's shares were up slightly more
than 1% to $77.85 per share (Krebs, B. 2013).
Security Strategy to prevent attack
Target's security breach wasn't exactly the most ingenious hack ever, and could have been prevented.
Several levels of negligence occurred, and exposed one in three Americans to fraud. Upon review
of what really went wrong, the FireEye security system they use showed that the warnings
had been there from the start, which means the security team in Bangalore missed them, or ignored
them. When they finally let the team in Minneapolis know about the breach, the warnings went unnoticed.
In order to prevent a similar occurrence, Target's CEO Gregg Steinhafel claims they are in the midst of a major
investigation and "have effectively made huge strides, including starting the upgrade of our data security
structure and the quickening of our move to chip-empowered cards."
For organizations that hold data assets, such as customer data, intellectual property, trade
secrets, and proprietary corporate data, the risk of a data breach is now higher than ever.
To monitor and protect data from hackers and from malicious and well-meaning insiders,
organizations should choose solutions based on an operational model for security that is
risk-based and content-aware. Here are some steps that any organization can take, using
proven solutions, to significantly reduce the risk of a data breach (Mellow, Jr. 2014).
•Stop incursion by targeted attacks. The top four means of hacker incursion into an organization's network
are exploiting system vulnerabilities, default password violations, SQL injections, and
targeted malware attacks. To prevent attacks, it is important to shut down each of these avenues into the
organization's data assets.
•Identify threats by correlating real-time alerts with global intelligence. To identify and respond to
the threat of a targeted attack, security information and event management systems can flag suspicious
network activity for investigation. The value of such real-time alerts is much greater when
the information they provide can be correlated in real time with current research and analysis of the
worldwide threat environment (Keith and Jason 2014).
•Proactively protect data. In today's connected world, it is no longer enough to defend the perimeter.
Now you must accurately identify and proactively protect your most sensitive data wherever it is
stored, sent, or used. By enforcing unified data protection policies across
servers, networks, and endpoints throughout the enterprise, you can progressively reduce the risk of a data
breach.
•Automate security through IT compliance controls. To prevent a data breach caused by a hacker or a
well-meaning or malicious insider, organizations must start by developing and enforcing IT
policies across their networks and data protection systems.
•Prevent data exfiltration. In the event a hacker incursion is successful, it is still possible to prevent a data
breach by using network software to detect and block the exfiltration of confidential data. Well-meaning
insider breaches that are caused by broken business processes can likewise be
identified and stopped. Data loss prevention and security event management
solutions can combine to prevent data breaches during the outbound transmission phase.
•Integrate prevention and response strategies into security operations. In order to prevent data breaches,
it is essential to have a breach prevention and response plan that is integrated into the day-to-day
operations of the security team.
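As an added illustration of the "Prevent data exfiltration" step (this example is not part of the original paper), the Python code below performs the kind of content check a data loss prevention tool applies to outbound traffic: it looks for magnetic-stripe track data, the plaintext that memory-scraping POS malware collects, and confirms each candidate with a Luhn checksum. The track layouts follow ISO/IEC 7813 in simplified form; the function names and sample payloads are constructed for this example, and the card number is a widely used test value.

```python
import re

# Simplified ISO/IEC 7813 magnetic-stripe layouts:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK_PATTERNS = {
    "track1": re.compile(rb"%B(\d{12,19})\^[^^?]{2,26}\^(\d{2})(\d{2})\d{3}[^?]*\?"),
    "track2": re.compile(rb";(\d{12,19})=(\d{2})(\d{2})\d{3}\d*\?"),
}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so alerts never store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payload(payload: bytes) -> list:
    """Return one finding per plausible track record in an outbound payload."""
    findings = []
    for kind, pattern in TRACK_PATTERNS.items():
        for m in pattern.finditer(payload):
            pan = m.group(1).decode()
            month = int(m.group(3))
            # Reject look-alikes: impossible expiry month or failed checksum.
            if not 1 <= month <= 12 or not luhn_valid(pan):
                continue
            findings.append(
                {"kind": kind, "pan": mask_pan(pan), "offset": m.start()}
            )
    return findings


# Constructed sample payloads (not real traffic, test card number only).
SAMPLES = {
    "track2_upload": b"POST /drop HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                     b"d=;4111111111111111=25121010000000000000?",
    "track1_ftp": b"STOR out.txt\r\n%B4111111111111111^DOE/JANE^25121010000000000?\r\n",
    "bad_checksum": b"ref=;4111111111111112=25121010000000000000?",
    "order_form": b"sku=;1234567890123456=99990000?&qty=2",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, scan_payload(payload))
```

In practice a check like this runs where outbound traffic is visible in cleartext, and a hit is correlated with destination and time of day before blocking.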
Conclusion
Target invested heavily in security, and unfortunately hackers were still able to find a way through
its defenses. This breach makes it clear that PCI compliance and legal and industry mandates do not
give adequate protection to data, because of limitations in scope and a constantly changing threat
landscape. Advanced persistent threats will seek out and exploit the weakest link in any
system, network or process. They will use complex and lengthy attacks to mine data from
organizations any way they can. They are constantly updating their methods and looking for gaps in the
armor of business security implementations. The adversary can adapt faster than regulations can be
put in place. Security must be approached more strategically, as a way to protect critical
assets, business reputation and profitability. The security strategy for a business should consider the
specific needs of that particular business. An alternative outcome for the Target scenario was possible
had Critical Controls been in place. Steps taken by the attackers could have been stopped at several points
during the attack. Isolating the POS systems, end-to-end encryption, an inventory of systems and detailed
logging would have kept thieves away from credit card data. Proper encryption would have kept card data from
being read in memory. Sufficient, well-trained staff with time to properly analyze logs would have
uncovered the malware and network activity to mitigate losses had the breach still occurred.
References
Pham, T. (Nov & Dec 2014). A Modern Guide to Retail Data Risks. Retrieved from
http://www.ciosummits.com/Online_Assets_Duo_Security_Modern_Retail_Security_Risks.pdf
Cornell, B. (2014). Target 2014 Annual Report. Retrieved from
https://corporate.target.com/_media/TargetCorp/annualreports/2014/pdf/Target-2014-AnnualReport.pdf?ext=.pdf
Baldwin, H. (Mar, 2014). The other shoe drops for Target's CIO. Retrieved from
http://www.forbes.com/sites/howardbaldwin/2014/03/11/the-other-shoe-drops-for-targetscio/#536026e60ca0
Aorato Labs. (Aug, 2014). The Untold Story of the Target Attack Step by Step. Retrieved from
https://aroundcyber.files.wordpress.com/2014/09/aorato-target-report.pdf
Clark, M. (May, 2014). Timeline of Target's data breach and aftermath: How cybertheft
snowballed for the giant retailer. Retrieved from http://www.ibtimes.com/timeline-targets-data-breachaftermath-how-cybertheft-snowballed-giant-retailer-1580056
Horton, T. & McMillon, R. (2011). Security technologies: Encryption and tokenization.
http://files.firstdata.com/downloads/thoughtleadership/primer-on-payment-security-technologies.pdf
Mellow, Jr., John. P. (Mar, 2014). Target breach lesson: PCI compliance isn't enough.
Retrieved from http://www.technewsworld.com/story/80160.html
Experis ManPower Group (2014). Security Breach: Is Any One Safe? Retrieved from
http://experis.us/WebsiteFilePile/Whitepapers/Experis/experis_security_breaches_white_paper_may_2014.pdf