Chief Security Officer, Term Paper Example

As a Chief Security Officer at the local university it is important to understand how critical this role is. The responsibilities include establishing and maintaining an enterprise wide information security program to ensure that all information and data assets are not compromised. The role requires a development and implementation of a plan to carry out a security program that prevents computer crimes, establishes a process for investigation and outlines laws that are applicable for the possible offenses. This position is the pivotal point of security within the university and cannot be taken lightly. By exploring all potential avenues of attack and ensuring the proper security is in place at all times will provide a success operation at the local university.

Computer Hackers

Recently there has been a numerous amount of computer hacker attacks on higher educational institutions. The hacker group call APT1, a Shanghai-based Chinese group, had recently set their sights on two higher educational institutions within the United States. This attack was intercepted by Mandiant, a security firm. Mandiant published a report called “APT1: Exposing One of China’s Cyber Espionage Units. Within the report is showed that over 141 government agencies, business, and other types of organizations have been hacked by the group APT1. As a result they have obtained a massive amount of data since the beginning of their operations in 2006. It is believed that APT1 is a Chinese military group that is specifically comprised of army unit 31398, people’s liberation. “The test NIE fingered China “as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” (Nagel, 2013) This also makes higher educational institutions a target for hackers like this.

It has become more and more common for higher educational institutions to outsource. The cost associated with maintaining websites, emails, and even student financial aid information is extremely high. There becomes a growing risk with the university to ensure that the companies used for outsourcing have the highest strategies for protecting and preventing security breaches. As a result of the outsourcing the company can save an excessive amount of money on technologies. Educational institutions also tend to utilize open or free source software instead of the costly alternative of tailored which is far more effective.

Process

Higher educational institutions have processes in order to prevent these crimes from reoccurring. The techniques that cyber attackers use are not new methods by any means. PHP file include, SQL Injection, click jacking, cross-site scripting, and other methods have been analyzed and prevented on numerous occasions. The fix is a common practice to prevent the potential vulnerabilities, many universities overlook the reason for the problem. Due to the critical need to protect from cyber-attacks, higher educational companies have to predict and identify the vulnerabilities prior to being exploited as a result. Using software applications will provide the university a clear path to identify the vulnerabilities early on.

Universities use application developments, as Chief Security Officer, security is the primary element, not just a functionality addition. The development and security team at the university will be required to have an increased knowledge on the necessity to build secure processes. This will evolve from the development stage in order to prevent potential hacking. The application security is not as well known of a discipline in the security industry, however there are improving technological processes in place. There is a lot of work still needed in this area however.

An example that the higher educational institution can reference in the app development stage. The vote-hackers attack in D.C. used a remote shell injection vulnerability that allowed them to command the system’s command. This is something that could have prevented during the development stage. The primary focus is often on the requirements of the code associated with the app instead of the potential manipulation that can occur. There has to be a greater knowledge and awareness at the University for the Security during the development stage. The Chief Security Office has to provide the training and education to build a better and more secure software. This would require both external and internal training programs.

The security is needed to be integrated in a development process because of activities like third-party code or even peer review, security testing, penetration testing, and security requirements. There is no way to bypass the checks and balances because they verify the necessary controls input into the application. This is a very vital security process that the university must adhere to. Using external sources to ensure that the process is secure will help prevent from the potential cyber-attacks.

Universities and other organizations can also consider third-party apps as well. It is a common practice for these libraries and codes to be generated from third parties or outside vendors. The security and development departments need to have a method to keep track of code that are coming from external sources. They also have to check the risk that the third-party could potentially be exposing them to. “When building critical applications, it is important to take a step back and put into perspective why it is being developed. It isn’t just about the technology, it is about building secure systems that keep our country safe, protect our parents against identify theft, ensure our children’s safety and much more.” (Kim, 2012) This requires the necessary security controls in place when developing the process will allow the universities to safeguard their organization by building a wall against cyber-attacks.

Methodologies

As discussed earlier in this paper there are many processes, methodologies, and technologies that can be used to lower computer crimes and threats. Depending on the type of technology needed will determine the price tag associated with it. Most prevention methods provide support and maintenance when necessary. The cost associated with the preventative methods vary based on the services provided. This was not readily disclosed for public information or accessibility.

Laws

There are current laws and government agencies that exist to the address the threat of computer cyber-crimes. “The Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) is the main federal criminal statute regulating hacking and other computer crimes. The CFAA generally criminalizes: Accessing computers without authorization, or in excess of authorization. Using such unlawfully accessed computers to obtain information that causes loss, damage or defrauds another or the US government.” (Farhat,et al., 2011) This governs situations that involve protecting computers however they have strict criteria’s. First it has to be used by the US government or financial institution. Affecting or used in foreign or interstate communication or commerce.

It is important to remember that “there is no single, comprehensive set of federal laws mandating either specific privacy practices or information security measures of colleges and universities. Depending on the particular institution and the nature of the activity at issue, institutions may be required to comply with any number of potentially applicable federal laws and regulations. The list of relevant acronyms is daunting: FERPA, HIPPA, ECPA, and CFAA are just a few of the federal laws that include obligations applicable to educational institutions. Both the USA PATRIOT Act and the recent TEACH Act also have electronic privacy and security implications.” (University of West Georgia, 2013) These government agencies are all in place to hinder the potential effects of computer cyber-crimes.

The next area of consideration would be the laws in place that can convict potential offenders. Currently there is a considerable amount of question in place when it comes to the matter of cybercrimes. It is often dictated based on the area. “Federal law enforcement agencies often define cybercrime based on their jurisdiction and the crimes they are charged with investigating. And, just as there is no overarching definition for cybercrime, there is no single agency that has been designated as the lead investigative agency for combatingcybercrime.” (Finklea&Theohary, 2013) The laws in place vary around the world and have different jurisdiction based on the realms of the cyber-crimes.

The following is a substantive cybercrime list. This is laws the prevent identity theft online, intrusion in computer systems, hacking, child porn, online gambling, and intellectual properties.

18 U.S.C. § 1028 – Fraud and related activity in connection with identification documents, authentication features, and information

18 U.S.C. § 1028A – Aggravated identity theft

18 U.S.C. § 1029 – Fraud and related activity in connection with access devices

18 U.S.C. § 1030 – Fraud and related activity in connection with computers

18 U.S.C. § 1037 – Fraud and related activity in connection with electronic mail

18 U.S.C. § 1343 – Fraud by wire, radio, or television

18 U.S.C. § 1362 – [Malicious mischief related to] Communications lines, stations, or systems

18 U.S.C. § 1462 – Importation or transportation of obscene matters

18 U.S.C. § 1465 – Transportation of obscene matters for sale or distribution

18 U.S.C. § 1466A – Obscene visual representation of the sexual abuse of children

18 U.S.C. § 2251 – Sexual exploitation of children

18 U.S.C. § 2252 – Certain activities relating to material involving the sexual exploitation of minors

18 U.S.C. § 2252A – Certain activities relating to material constituting or containing child pornography

18 U.S.C. § 2252B – Misleading domain names on the Internet [to deceive minors]

18 U.S.C. § 2252C – Misleading words or digital images on the Internet

18 U.S.C. § 2425 – Use of interstate facilities to transmit information about a minor

18 U.S.C. § 2319 – Criminal infringement of a copyright

17 U.S.C. § 506 – Criminal offenses [related to copyright]

47 U.S.C. 605 – Unauthorized publication or use of communications

These are also the laws that directly affect the university and it technological safety and security. Understanding these laws is important in protection of the intellectual properties as well.

Forensic Technology

Computer forensic technology can be used by the University as well. This is an area of technologies that allow for locating, finding, and identifying legal evidence that could be stored on a computer. This is a vital role in locating and communicating potential violations internally and externally that is taking place on the system. The information located can be vital in legal cases against computer violations. For the most part investigations and legal crimes involve violations like hacking, viruses, and identity theft to name a few. It is a vital role to the university and needs to be taken seriously. It is a method of prevention and allows the university to know exactly what is going on within their own systems.

References:

Farhat, Vince; Bridget McCarthy; Richard Raysman; Holland & Knight LLP. (2011) Cyber Attacks: Prevention and Proactive Responses. Retrieved from http://www.hklaw.com/files/Publication/bd9553c5-284f-4175-87d2-849aa07920d3/Presentation/PublicationAttachment/1880b6d6-eae2-4b57-8a97-9f4fb1f58b36/CyberAttacksPrevent ionandProactiveResponses.pdf

Finklea, Kristin M.&Catherine A. Theohary. (2013) Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement.

Kim, Frank. (2012) Pitting Education against Cyber Attacks. Retrieved from http://infosecisland.com/blogview/20818-Pitting-Education-Against-Cyber-Attacks.html

Nagel, David. (2013) Chinese Hackers Targeted U.S. Higher Education. Retrieved fromhttp://campustechnology.com/Articles/2013/02/21/Chinese-Hackers-Targeted-U.S.- Higher-Education.aspx?Page=1

University of West Georgia Information Technology Security Plan. (2013) Retrieved from http://www.westga.edu/~its/policy/sphtml/page_04.htm