
Information Technology and Human Communication, Essay Example

Pages: 9

Words: 2518

Essay

Security and Privacy

Information technology and human communication issues happen on a regular basis with today’s technology-based applications. This is something that people experience every day. However, there are solutions to eliminating or lessening the threats associated with such problems. One common area of information technology and human communication that often results in issues is security and privacy. This is an area of information technology and human communication that people are most concerned about, as it is the seat of adequate technology processes and communication activities.

Problem Description

There are many potential problems associated with information security and privacy, and one of them is the issue of protecting the personal information of the public when people use their debit and credit cards. There have been numerous reports of security breaches of credit and debit card information over the years, such as the 2007 cyber theft of about 90 million debit and credit card numbers and personal data from T.J. Maxx customers, as well as 160 million from J.C. Penney, 7-Eleven, and JetBlue over the next several years. Additionally, the Atlanta-based company Global Payments reported the theft of data from 1.5 million card accounts in 2012 (Sidel, Yadron and Germano). It seems this type of problem occurs on a regular basis, which is a problem in itself.

One of the most recent issues with debit and credit card security breaches is the Target stores data breach that happened last month, during the Christmas season. One would like to think that his financial and other personal information is secure when using a bank-issued debit or credit card. However, in this day and age, this is probably less likely than one would care to admit. There are people out there who are experts at criminally hacking into even the most sophisticated computer systems and stealing information, and who go undetected for quite some time before anyone realizes it has happened.

The Facts

From mid-November 2013 through mid-December 2013 (Rosenblum), a period that included the Black Friday weekend in the United States, more than 40,000 card devices at Target stores were breached, resulting in the theft of data from more than 70 million consumer debit and credit cards. The thieves obtained the data stored in the magnetic stripes on the back of debit and credit cards. This type of data is typically sold on the black market to makers of counterfeit debit and credit cards (Sidel, Yadron and Germano). This is a scary concept. The investigation into this situation revealed that thieves also gained access to PIN numbers and other personal information such as names, addresses, phone numbers and email addresses (Rosenblum). This could potentially put people at risk for all types of criminal activity, including something as serious as someone breaking into their homes or possibly kidnapping their children, or just something as menacing as more spam email.

Causes of the Problem

It is a fact that information security breaches do not just happen; they are caused by some type of human error or by glitches in a security system that allow criminal hackers to enter the system and steal data. According to CIO, a study by Symantec (an information system security company) and the Ponemon Institute (an independent privacy, data protection and information security policy research firm) found that 64 percent of data breaches that occurred in 2012 were due to human error and system issues. These errors and issues include “application failures, inadvertent data dumps, logic errors in data transfer and more” (Olavsrud: para 1). Hackers have become increasingly savvy in today’s technological world; however, this just means that security systems need to be continually maintained, monitored and upgraded to counteract the threats associated with system breaches by hackers. This means that these internal threats are just as dangerous as the external threat of hackers having the know-how to gain access to “secure” systems.

It is reported that major data breaches, such as the Target store breach, result in a federal investigation by the Secret Service to ensure the safety of the country’s payment systems and financial infrastructure (Sidel, Yadron and Germano). This is a good policy; however, there have been several other significant data breaches of this sort, so it seems that a more substantial way of safeguarding consumer information should have been made standard before this Target issue occurred. Or, perhaps the responsibility lies with each state in protecting the consumers’ online data and privacy.

Security breach laws exist in most states that require that consumers be notified of security breaches of their information, and Target has willingly notified those affected by the breach. In addition, the attorney general in each state is advising consumers to change their PIN numbers and passwords, even if they receive new debit and credit cards. Additionally, people are advised not to give out information in response to unsolicited emails or on recently registered websites posing as Target breach fix sites, such as targetsecuritybreach.com (Prah).

How Target’s Security Breach Happened

The hackers breached Target’s security system by hacking the Point-of-Sale (POS) system. So, every time someone used his or her debit or credit card at Target during the time of the breach, the card information and data were compromised. What is scary is that instructions on how to do this can be found for sale on various cybercrime forums for a couple thousand dollars (Rosenblum). If that is not scary enough, the fact that the U.S. government allows such forums to exist is the biggest threat of all. According to Rosenblum, the hackers took advantage of an open port into Target’s computer systems that allows for internet browsing. The breach occurred when the hacker program tricked Target’s computer firewalls into accepting that the hackers were safe to enter, which allowed them to come in and roam around Target’s servers to steal the data.

Possible Solutions to the Problem

It is often the case that analysts find malicious activity in a system’s logs after a security breach has occurred. It would be good if these types of problems could be found prior to the actual breach occurring. The problem of hackers stealing information from point-of-sale terminals, such as in the case of the recent Target breach, is one that needs attention. Possible solutions can include retail establishments assigning passwords to all users, making frequent changes to passwords mandatory and not sharing system credentials with other vendors. Additionally, educating users and employees is important. According to Olavsrud, education can take the form of general security awareness training for employees, alongside implementing data loss prevention technology in company systems. In addition, a strong plan of response for when and if any security breach incidents do happen is always a good idea. All establishments should also have an experienced and dedicated chief information security officer to reduce the possibility of any threats breaching the system (Olavsrud). These are some common sense measures that could make a big difference in a firm’s security levels. One would think that these measures would be minimal requirements, considering the costs incurred by data security breaches.

According to CIO, the following best practices are ways of preventing or reducing the effects of system data breaches:

  • Educating and training employees on handling confidential information
  • Implementing data loss prevention technology
  • Deploying encryption and authentication solutions
  • Developing a solid incident response plan

Recommended Solution

As mentioned, a good practice would be to catch security threats as they happen to prevent actual breaches of a data system. These threats can be eliminated before they cause damage if the security system provides real-time analyses of security events. Situations that are not ordinary can be flagged to alert information security teams that something malicious is in the process of damaging files and obtaining protected information. If the situation cannot be stopped completely, it should be mitigated at the very least to reduce the level of damage that might occur. This can all be done with security monitoring, just as an individual can get credit monitoring.

This recommended solution is a way to manage the security and identity process within a system so that it is protected by the intelligence of the monitoring system. Anything out of the ordinary can be caught either before or just after it has launched an attack on the servers of an organization to gain access to protected information. This way, data is protected by securing users’ and administrators’ identity information so that the system can monitor who is doing what within the system at all times, as well as when and where any requests for authorization occur (NetIQ). For example, a security monitoring system would have asked for specific credentials when the Target hackers requested entry to the system. The program the hackers wrote convinced Target’s systems it was safe to let them in. This is the best way to block potential attackers at the port of entry into a system.

In addition, security monitoring is intelligent defense because it will keep tabs on system hosts, applications, network devices and databases and give an organization a full, big-picture view of the state of its security levels at any given time. “All of this helps you improve your security incident response, mitigate risk and protect your critical information assets” (NetIQ: para. 7). It only makes sense to spend the money on enhanced security features and monitoring, as well as a solid information security team, to reduce security risks that cost far more in the long run in the event of a security breach, such as the Target incident.

Solution Implementation

The first step in implementing an upgraded security management system for any retail establishment that has experienced a breach in its security system resulting in stolen data and protected information would be to assess the competence of the current information technology department. Additional training and updated security procedures would be in order, as well as identifying whether everyone on the information technology team is up to date in their educational requirements. If not, measures should be taken to get them up to speed in those areas or to move them into different positions, while filling their positions with more qualified personnel.

The next step would be to overhaul the current information security system and ensure that all safety mechanisms are operational and that all firewalls are up-to-date and upgraded. Additionally, security access should be tightened. There should only be a minimum number of administrators who have access at the various levels of security within the system, and all ports in and out of the server system should be secured by detection software that asks for a set of strict credentials before allowing entry into or even out of the information system. To ensure this, an information security monitoring service should be hired to manage this aspect of security for the company.

The next step would be to require mandatory security training for all employees, not just information technology employees, because there are times when security is breached through an individual employee’s computer. An employee may inadvertently open an email attachment that allows malicious code to enter a company’s computer systems. Everyone should be regularly reminded and trained on security issues, so that they know to bring any suspicious activity to the attention of their company’s information technology department for investigation.

Appendix

This final project was a lesson in itself. The experience of developing the paper by doing Internet research was reading-intensive and brought out some things about data security that were most helpful, even in personal life, and that allowed for the answers to the following questions:

What did you learn by doing this project?

One thing I found out by doing this project is that data breaches cost a great deal more than I had imagined. According to CIO, a study found that globally the average cost of data breaches was $136 for each compromised record. That means, for example, the recent Target breach cost was at least $9,520,000,000 (70 million records), and later estimates say as many as 110 million records were compromised. This likely does not include the possible expenses of all the people that were actually the victims and had their information stolen. They may have to put out thousands of dollars themselves to fix identity theft issues. This is a scary concept to think about. It is important that everyone, in this day and age, have adequate identity theft monitoring on their credit files so that when something like this happens, it can have the least impact possible on someone’s personal financial situation.

I also learned that all computers have ports that remain open and cannot be closed by security unless the Internet cannot be used, and this is a major function of firewalls. So this means that if someone’s firewall is not the best, then it is easy for cyber criminals to enter freely into their computer system, and this is the same for large systems such as the Target system. That is a little scary as well. It seems to me that with this being so, companies would spend more money on more sophisticated firewall software to catch something like this before it turns into a disaster.

What if any unexpected surprises did you encounter?

Another thing I learned by doing this project that was unexpected was the facts about the black market that buys and sells stolen credit and debit card information. I was unaware that an organized market for this type of theft existed as it does. Apparently, these underground markets buy malicious code from hack programmers for maybe a couple thousand dollars and then use the code to go out and commit cybercrimes, such as the Target breach. Also, the news states that the malicious code that hacked Target was written by some 17-year-old kid in the Ukraine who was paid for it. I also read that one can just visit any cybercrime forum and learn how to write malicious code. That is something I had not thought of before and was not really expecting, but I guess it is not too far-fetched when there are sites out there that can teach you how to make bombs and use them.

If you had to do this over again, what would you do differently?

Actually, there is not much I would do differently, as researching the Internet was pretty effective for finding the information that I needed for the project. However, I do think it would have been interesting to actually interview someone in a retail information technology department to get some information and their views on data breach threats and how it affects their jobs when something like this happens. I would think they may have something different to add other than what one reads in articles, because many times the articles are not written by information technology professionals.

References

NetIQ. Detect and disrupt data breaches quickly. 2014. 17 January 2014. <https://www.netiq.com/solutions/security-management/data-breach-threat-detection.html>.

Olavsrud, T. Most Data Breaches Caused by Human Error, System Glitches. 17 June 2013. Web. 17 January 2014. <http://www.cio.com/article/735038/Most_Data_Breaches_Caused_by_Human_Error_System_Glitches_>.

Prah, P. M. Target’s data breach highlights state role in privacy. 16 January 2014. Web. 17 January 2014. <http://www.usatoday.com/story/news/nation/2014/01/16/target-data-breach-states-privacy/4509749/>.

Rosenblum, P. The Target Data Breach Is Becoming A Nightmare. 17 January 2014. Web. 17 January 2014. <http://www.forbes.com/sites/paularosenblum/2014/01/17/the-target-data-breach-is-becoming-a-nightmare/?partner=yahootix>.

Sidel, R., D. Yadron and S. Germano. Target Hit by Credit-Card Breach. 19 December 2013. Web. 17 January 2014. <http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538>.
