Evaluate Existing Security Models and Their Attributes and Ultimately Recommend a Custom Security Plan to Your Assigned Organization
Over the last few decades, society’s need for convenience has made it increasingly dependent on technology (Johansson, 2018). This technology dependency, the use of both information and communication technologies to perform daily tasks, has dramatically increased the use of the internet and/or cyberspace (“Shibboleth Authentication Request,” n.d.). Cyberspace is “the notional environment in which communication over networks occurs” (“Cyberspace dictionary definition | cyberspace defined,” n.d.). According to Johansson (2018), the use of cyberspace provides almost boundless access to information, interactive communication and vast other resources. While this use of cyberspace has irreversibly changed the world, it comes with its own set of problems: cybercrimes. Criminals launch attacks designed to exploit the speed, convenience and anonymity of cyberspace (“Cybercrime / Cybercrime / Crime areas / Internet / Home – INTERPOL,” n.d.). Between February and March 2014, the online commerce giant eBay was the victim of a successful cyberattack that compromised the Personally Identifiable Information (PII) of over 145 million of its users (“Cyber Thieves Took Data On 145 Million eBay Customers By Hacking 3 Corporate Employees,” 2014). eBay’s security posture at the time of the breach showed the company’s lack of understanding of cybersecurity and its inability to incorporate an enterprise cybersecurity process to protect its vital resources and those of its customers.
Today’s headlines are filled with reports of well-publicized attacks on major corporations like Sony, Target, JPMorgan, Home Depot, and countless other smaller companies. Today’s cyber-criminals launch advanced cyberattacks like Phishing, Denial of Service and Ransomware to gain unauthorized access to. These new and growing forms of cybercrime, coupled with society’s increased dependency on technology and cyberspace, gave birth to cybersecurity and enterprise cybersecurity.
Cybersecurity: companies like eBay have to protect vital resources in cyberspace. Cybersecurity is the process of protecting information assets by addressing the threat to information processed, stored and transported by internetworked information systems (“Shibboleth Authentication Request,” n.d.). eBay’s success, mostly based on the company’s ability to take full advantage of the evolution of information technology and computer networks that enabled the efficient flow of data between and across diverse networks, proved to be one of its greatest strengths during the 2014-2015 data breach. Hackers, despite their best efforts, were unable to access the company’s data as it transited between networks. Software was used to encrypt the data in transit, making it unrecognizable and useless to anyone unable to decrypt it. Encryption is the process of converting both textual and non-textual data into code to prevent unauthorized access. Even though eBay was able to protect its data in transit, the company lacked an effective enterprise cybersecurity policy.
Enterprise cybersecurity is the process of implementing procedures designed to protect vital resources from unauthorized access. Companies that process, store, and transmit sensitive data have to ensure the Confidentiality, Integrity and Availability (CIA) of data. Confidentiality limits access to information. Integrity is the assurance that information is unchanged and trustworthy. Availability ensures the information is accessible to authorized people (Eugen & Petrut, n.d.). eBay failed to ensure the confidentiality and integrity of its customers’ Personally Identifiable Information (PII).
Information systems (software, hardware, people and policies) are the key elements of the success of companies like eBay. Cybersecurity protects data, including non-textual data, by protecting the flow of data across networks, which is essential for eBay and other companies. It is the process of defending computers, servers and other vital resources from cyber-attacks.
eBay is a giant e-commerce company whose headquarters are in California, in the United States. The company was founded in 1995 during the dot-com bubble. It is a digital platform where millions of buyers and sellers engage in trade every day. It is currently a billion-dollar company with a presence in more than 30 countries worldwide. eBay describes itself as the platform where the whole world shops and sells. In its mission statement, it aspires to be the world’s popular shopping place for unique and valuable selections.
Like many multinational companies, eBay has also been a victim of cyber-attacks. Between February and March 2014, cyber attackers used the login credentials of a few employees to gain access to the company’s corporate network (Finkle, Chatterjee, & Maan, 2014). The company released a statement notifying all users to change their passwords and added that customers’ details such as login details, email addresses, mobile numbers, mailing addresses, and dates of birth had potentially been accessed by the hackers.
Background Summary: Cybersecurity
Cyber-security is currently considered a major national security issue; this is primarily because, in the current digital era, information is considered an important component of power and armed conflicts. The significance of information in international relations and politics has increased due to the onset and adoption of information and communication technology (ICT) (Finkle, Chatterjee, & Maan, 2014). The internet has simplified the art of accessing, managing, utilizing, and manipulating information to gain an upper hand in power, since the control of knowledge, data, and vital information is regarded as a tool to control valuable resources such as raw materials and military force. As a result, cyber security and the protection of vital information is a national security issue.
Cybersecurity is not to be confused with computer security because they are very distinct entities. Computer security is the basic security of computer hardware and also involves backing up the information in the computer to an external storage unit (Finkle, Chatterjee, & Maan, 2014). Cyber security is more complicated and extensive, as it covers all forms of attacks that can be carried out in the cyber world (online and offline cyberspace). This wide field includes threats such as viruses and malware, which steal information or crash computer systems, and cyber fraud carried out by malicious individuals.
The major concepts of cybersecurity enable the assessment of protective measures and systems by analyzing threats and pointing out vulnerabilities in systems. The main concepts include:
- Authentication: This is simply permission to gain access to a computer system. Systems are mostly protected from unauthorized access using tactics such as passwords, biometrics, or electronic tokens. Passwords are very vulnerable to attacks, as they are easily compromised through guessing, deceptive techniques, or cracking tools (Finkle, Chatterjee, & Maan, 2014).
- Confidentiality: The primary objective of cybersecurity is ensuring that information doesn’t fall into the wrong hands; this calls for high confidentiality amongst individuals holding key access details. This concept has seen the digital world evolve, resulting in the emergence of several levels of encryption which make it harder for hackers to access a system (Finkle, Chatterjee, & Maan, 2014).
- Information Integrity: ICT innovations have brought about technologies which detect when information is tampered with. Such integrity mechanisms send out signals if vital data is compromised in any way.
The list of computer vulnerabilities is long and always changing, hence the need for vigilance with regard to cyber security. Every time an outsider connects to a network or to software (such as a website), the outsider can access the internal workings of the network if no restrictions are in place. Some of the most common vulnerabilities include lack of data encryption, OS command injection, lack of authorization protocols, and unregulated upload of files (Turk, 2005). Vulnerabilities can also come from within the network; breaches can occur from USB sticks, unsecured wireless access points, unchecked access by employees, and smart devices such as laptops, smartphones, printers and manufacturing robots.
The most common forms of cyber-attacks include:
- Malware: Hackers can introduce malware into your computer system disguised as antivirus alerts or file attachments. Once the user clicks on the pop-ups, viruses or ransomware are introduced into the computer and the attackers can potentially control the system or access important information.
- Phishing: Attackers send emails to users which appear as if they are from someone trusted, such as a known company. The emails seem legitimate but they contain malicious attachments (Turk, 2005).
- SQL Injection Attack: SQL (structured query language) is a programming language which is used in the management of databases. An SQL injection attack exploits SQL vulnerabilities, allowing the servers to execute malicious code (Turk, 2005).
Penetration testing (also referred to as pen testing or ethical hacking) is the act of testing computer systems, web applications, or a network for vulnerabilities to find loopholes that can be used by attackers. It can be performed manually by ethical hackers or using automated applications. The information collected regarding possible vulnerabilities and weaknesses, an organization’s security policies, and employees’ cyber security awareness is submitted to the IT and systems department of the organization to enable it to strategically make the necessary security changes (Turk, 2005). Organizations are advised to perform pen tests as often as possible to make sure that their systems are secure around the clock. Additionally, pen tests may serve to add new applications to a network, make modifications and upgrades, and review security policies.
Network Forensic Analysis Tools (NFATs) create reports of potential problems in a system by checking all computers in a network for vulnerabilities and checking all possible entry points that a hacker can use. NFATs provide a complete picture of everything that is happening in a system or network; their purpose is to gather information and evidence in the network by capturing data packets (Julian, 2014). NFATs then analyze the data, and administrators can easily track any unauthorized activities. NFATs are quite effective, as they decrease the time spent by administrators on gathering evidence and tracking illegal activities on their networks.
The major enterprise cybersecurity concepts include:
- Integration of cyberspace risks with the general risk management approaches: Managing and mitigating cyber risks should be part of the organization’s risk management framework (Julian, 2014).
- Elevation of cyber security risk management to the executive level: Involving the top office in the management of cyber risks increases the awareness of the threat posed by cyber-attacks.
- Evaluation of the organization’s specific cyber security risks: It is important for an organization to identify its most valuable assets and run risk assessment tests so as to prioritize protective approaches and measures (Julian, 2014).
- Provision of oversight and evaluation: Management should oversee the management and mitigation of cyber security risks.
Principles that Underlie the Development of an Enterprise Cybersecurity Policy Framework and Implementation Plan:
- Proportionate and Risk-based: A cybersecurity framework should be founded on a detailed understanding of the vulnerabilities, threats, and the potential aftermath of a cyber-attack. The framework should be specifically designed to handle such threats (Johansson, 2018).
- Outcome-oriented: It is important that the framework regulations achieve the projected results rather than being a means to an end.
- Prioritizing: Different threats have different degrees of importance. The most imminent and dangerous threats should be handled first.
- Realistic and Practical: Generating policies which aren’t executable because of factors such as lack of resources doesn’t help in improving the cybersecurity of an organization (Johansson, 2018).
Big businesses and companies are a prime target of cyber-attacks because of their massive financial resources and the value of the data that they hold. The most common cyber-attacks that such businesses experience are:
- Point of Sale (POS) Intrusions: Hackers install malware in POS devices designed to collect data from clients’ credit cards. This threat is potent for all large brick-and-mortar retailers (Julian, 2014).
- Web Application Attacks: Hackers look for weaknesses in the websites of organizations and exploit them to access the personal information of users.
- Insider Misuse: Individuals working inside a company might access sensitive data and use it for personal interests (Julian, 2014).
- Physical Theft: The hardware technologies that are installed in an organization to reduce cyber-attacks are prone to theft.
Analysis of Weaknesses
In the wake of the 2014 cyber-attack on eBay, a cyber-security vulnerability evaluation was conducted and, unsurprisingly, found major loopholes on its e-commerce platform which could facilitate a cyber-attack. It was noted that the flaws found in eBay’s platform gave malicious individuals an opening to get past the company’s validation checks, enabling them to send malware to unsuspecting users (Turk, 2005). A manager at Check Point Software Technologies said that the eBay platform flaws gave attackers an easy way to attack users by sending them links to attractive products (which have embedded malware) to access and potentially steal their data. However, eBay’s management denied this assessment, reassuring customers that their information was secure. They did, however, promise to evaluate and improve their cyber security infrastructure.
eBay, like many organizations, is aware of the risk posed by cyber-attacks but is ignorant of the consequences and hasn’t put up adequate cyber-security measures. These companies, eBay included, become aware of cyber-attacks after being notified by an outside party rather than by their own security systems (Turk, 2005). Prior to the attack, eBay operated on the notion that it could be attacked but wasn’t convinced that it would actually be attacked.
Another weakness shown by eBay is that it wasn’t willing to publicly declare that it had been compromised. Such a move is aimed at protecting the company’s reputation and share price. However, it is unethical not to warn millions of users that their data, which can be used to steal from their bank accounts, is in the hands of malicious individuals.
eBay’s e-commerce platform is generally a soft target for hackers and, unfortunately, holds very valuable user information. As an example, eBay stores shoppers’ personal information, including bank account details, which cyber-attackers consider valuable. With its customer base numbering in the millions, the company is obviously a target for identity thieves.
At the time of the attack, eBay was looking to simplify the customers’ shopping experience by reducing the number of authentication protocols involved. It wanted to incorporate electronic tokens in its payment protocols so that clients could just use their smartphones to pay without necessarily having to type their passwords. This was another serious mistake from the management (Finkle, Chatterjee, & Maan, 2014). They overlooked the fact that hackers can use the email addresses of customers to request a change of their bank password, thus gaining access to the customers’ banks and consequently locking individuals out of their own accounts.
eBay is not yet safe from cyber-attacks; it faces a very tough future with regard to cyber-attacks. The increase in and ease of availability of technical information related to hacking have made hackers more sophisticated in their tricks and attacks. New forms of attacks can only be detected once an attacker or an ethical hacker penetrates a system; thus eBay should continually test and upgrade its platform to prevent future attacks (Finkle, Chatterjee, & Maan, 2014). The company should create cyber-security awareness among its management and employees and also adopt multi-level security measures to mitigate the risks of attacks. Additionally, strong encryption and authentication protocols will ensure that the customer’s information is kept to a minimum.