
Fundamentals of Network Security, Essay Example

Pages: 7

Words: 1878

Essay

 [Ch 1, Project, no. 1]—Look up the PCI-DSS control objectives on the Internet. Give its URL. Which ones did TJX violate? Justify your list.

The PCI-DSS control objectives are: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.  URL: http://www.securityprocedure.com/six-control-objectives-pci-dss

The TJX security breach of 2007 shows exactly how much a company can lose if it fails to comply with the necessary security measures.  The failure to protect its systems, and the resulting breach, ended up costing 94 million dollars in accounts being violated and a total loss in excess of 70 million dollars.  TJX violated all six areas listed on the website given above.  These security measures were mandated by the Payment Card Industry Data Security Standard (PCI-DSS).  If the company had maintained a secure network, it would not have fallen victim to such a breach.  Protecting cardholder data and maintaining a vulnerability management program would have prevented the breach or allowed it to be caught much earlier, potentially saving millions of dollars.  With strong access control measures in place, there would have been no means for the breach to happen in the first place.  Regularly monitoring and testing the network could have exposed the improper security measures early on and allowed the company to catch the breach in a timely manner.  And finally, maintaining an information security policy would have prevented millions of consumers’ information from being accessed and used fraudulently.

Listed herein are some of the primary principles of the PCI-DSS control objectives that TJX did not comply with at the time:

Failure to properly configure the existing wireless networks

Under this clause, the evidence points to the fact that TJX administrators knew that their network system was insufficient, especially in determining security options for their clients using the internet to access their bank information. Others who access the data through the bank vestibules are also in danger, as the network of TJX runs through those connections as well. In short, TJX failed to comply with the data-network segregation process that PCI-DSS imposed at the time.

As a result of such negligence, it has been reported that more than 80GB of cardholder data was transferred to another site in California before the breach happened. Because they did not look into the problem or into how their systems operate, TJX administrators failed to see that such a transfer was even occurring. This meant that the company had also violated the specific direction to put up a security system that would enable them to see what is occurring in the network as a means of precaution. Such negligence is a direct insult to the attention they are supposed to give to their clients’ security, especially since they are running a money-management-related organization.

Failure to segment networks carrying cardholder data from TJX’s network

A traffic capture program was found to have been installed within TJX’s networks in 2006. Such a program operates to capture the data of each cardholder as the users enter the information through the portal. These data are sensitive, and it is the responsibility of the company to make sure that such information about its clients is not leaked, as it could be used for theft and monetary mismanagement breaches. The information illegally transferred was noted as the Track 2 storage data that organizations like TJX were directed to protect separately.

The PCI-DSS controls call for such information to be segregated from the common data that is shared through the networks of banking or other monetary operating organizations. This data is expected to be separated from other information through encryption; failure to do so puts the clients’ security in danger, as intruders often find ways to extract the information from the system and exploit access systems to gain control over the assets of the clients that the organization serves to protect.

Storage of prohibited data

The Track 2 information is also considered a source of prohibited data under the PCI-DSS directives. This information is considered unnecessary and should be discarded [not stored] immediately after being used in the system. This information includes card verification codes and personal identification numbers that do not need to be kept; more often than not, they are only used to determine the validity of the information provided by the clients as they open their accounts with the business.
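The check below is an added example, not part of the original essay: it scans stored log lines for Track 2 records so that prohibited data can be found and removed. It assumes the standard Track 2 layout (start sentinel `;`, card number, `=`, four-digit expiry, three-digit service code, discretionary data, end sentinel `?`); the function names and the sample log lines are constructed for illustration.

```python
import re

# Assumed Track 2 layout: ;PAN=YYMM + service code + discretionary data + ?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

def luhn_ok(pan):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep only the first six and last four digits for the report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(lines):
    """Report Luhn-valid Track 2 records; the raw value is never returned."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue        # digit run that only looks like a card number
            findings.append({
                "line": lineno,
                "pan_masked": mask_pan(pan),
                "has_discretionary_data": bool(m.group("disc")),
            })
    return findings

def redact(line):
    """Replace every Luhn-valid Track 2 record in a line with a marker."""
    return TRACK2_RE.sub(
        lambda m: "[TRACK2 REMOVED]" if luhn_ok(m.group("pan")) else m.group(0),
        line,
    )

# Constructed sample log lines; 4111111111111111 is a common test card number.
SAMPLE_LOG = [
    "2024-01-02 10:00:01 POS-17 auth ok amount=42.10",
    "2024-01-02 10:00:02 POS-17 swipe=;4111111111111111=30121011234567890? rc=00",
    "2024-01-02 10:00:03 POS-17 ref=;4111111111111112=30121010000? rc=05",
]

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
```

The third sample line has the same shape but fails the Luhn checksum, so it is neither reported nor redacted, which keeps false positives down on reference numbers that happen to resemble stripe data.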

[Ch 1, Thought Questions, no. 4]—Addamark Technologies found that its Web servers had been accessed without authorization by an employee of competitor Arcsight.  Arcsight’s vice president for marketing dismissed the hacking, saying, “It’s simply a screen that asked for a username and password. The employee didn’t feel like he did anything illicit.” The VP went on to say the employee would not be disciplined. Comment on the Arcsight VP’s defense.

Having a secure login, regardless of the complexity of the system, is intended to monitor and prevent unauthorized users from accessing information not intended for their use.  In addition, it allows companies to monitor their employees’ actions and performance while logged onto the network.  Regardless of whether the logon is complex or simple, it is intended for that specific user, and accessing it any other way is unauthorized.  Most companies have written expectations for employee logons that include disciplinary actions in the event they are used inappropriately.  The VP dismissing the employee’s actions not only shows his personal integrity, but it also shows that the company willingly acts in an unethical manner as a business practice.  Competitors who hack their competition’s servers to find information in order to get the upper hand probably have little reservation about other questionable or unethical acts.  Addamark Technologies perhaps needs to implement a better security network so that next time a simple username and password will not be grounds for dismissing the hacking of their network.

Although the Arcsight VP’s defense was weak, it could be understood that he did have a point in saying that he might not be disciplined by the administration regarding this act as they have gotten so much from him; in a way, he feels that they are indebted to him. While this may be true, the administrators should also think of the fact that if it were not for his miscalculations and his misconduct, the possibility of them being sued would be non-existent.

[Ch 1, Thought Questions, no. 6]—Give three examples of social engineering not listed in the text.

Online social engineering is a common way for social engineers to get users’ passwords.  This is valuable because many users repeat their passwords across many accounts, allowing access to information other than what the password was collected for.  A common way that hackers get this information is from online forms that are sent out for sweepstakes or other similar questionnaires.  Another type of social engineering is baiting.  This is when the Trojan horse uses physical media as a way to spark curiosity and greed in the victims.  It puts malware on flash drives or CD-ROMs, waiting for the user to use them and infect their computer.  And lastly, there is tailgating.  This is when access to restricted areas is sought and an individual simply follows behind someone who has real access.  It is simply a failure to validate information, accepting that the attacker has a valid reason for their entry.

[Ch 2, Thought Questions, no. 2]—Chapter 2 discussed three ways to view the IT security function—as a police force, as a military organization, and as a loving mother. Name another view and describe why it is good.

Another view is that of a business owner.  This is as important as military, police, and parental security as well.  This controls access of confidential and important information by restricting access to authorized individuals.  This security protects the company’s information and allows only necessary access in the workplace.   In business, it is important to allow access to individuals who need it, and prevent unauthorized access.  It is also important to eliminate the potential for altering and destruction of important information.

Provide definitions for each of the following terms and indicate any negative (or positive) experiences you have had:

Viruses – viruses are malicious software programs that, by definition, exist on local disk drives and spread from one computer to the next through infected files.  A negative experience is when my computer was infected and it deleted several programs on it.

Spyware – software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive. Personally, I had spyware that redirected my homepage and caused excessive pop-ups.

Spam and spim – spam is defined as disruptive messages, especially commercial messages posted on a computer network or sent as e-mail.  Spim is defined as a type of spam that is sent by means of instant messaging.  This is something everyone has experienced: the fifty emails sent out soliciting or selling a product that you did not request information about.

Botnets – a botnet is defined as a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g. to send spam messages. I had apparently sent out a “male enhancement pills” email to everyone in my address book.

Phishing – the activity of defrauding an online account holder of financial information by posing as a legitimate company. Personally, I have never had an experience with this.

Cookies – a cookie is a packet of data sent by an Internet server to a browser, which is returned by the browser each time it subsequently accesses the same server, used to identify the user or track their access to the server. I clear my cookies and history on a daily basis in the event that my computer is accessed.

Worms – a worm is a software program capable of reproducing itself that can spread from one computer to the next over a network; “worms take advantage of automatic file sending and receiving features found on many computers”. As stated earlier with the emails sent from my email address, there were worms attached to this email which caused the computer to continually restart.

Trojan horses – a Trojan horse is a program that appears desirable but actually contains something harmful; “the contents of a Trojan can be a virus or a worm”.  Again, the only personal experience was linked to the email “I sent” regarding male enhancement pills.

Explain what information security auditing is and any exposure or experiences you have had with it.

Information security auditing is when an organization assesses its technologies to ensure they are up to date and the proper infrastructures are being applied.  The audit tests that all information security is up to date with the requirements of the organization. It also involves interviewing the employees about their role in this security.

I personally have not had any personal experience with information security auditing. Nevertheless, my understanding of its concept brings me into a point of realization that when it comes to information security, the ones handling the responsibility of segregating and categorizing them according to the function they serve for the users of any particular portal or network ought to take matters seriously as it would determine their competence in handling the role of being the protector of sensitive data that might endanger the safety of the users and clients utilizing the program.
