
The Future of Cyber Security, Dissertation Chapter – Results Example


Results of the Study

The purpose of this qualitative research study is to examine the future outlooks of cybersecurity on corporate and government networks. The research evaluated historical and current data on the topic of cyber security to determine the evolution and effectiveness of this enterprise. Due to the very nature of technological developments and advances, it remains a difficult task to predict the effectiveness of cyber security combat measures with complete accuracy. However, it is safe to say that technology will become more sophisticated in the years to come, and so will criminal trends designed with the intent to attack corporate and government computer-based systems. Throughout this study, the researcher utilized a set of questions to guide the research.

The research questions that guided this study are:

RQ1: How is the currency of cyber security maintained on business systems, in order to provide a high level of sustained risk mitigation?

RQ2: What policies and procedures need to be put in place to eliminate the threat of espionage against business system computers and networks?

RQ3: What are the specific skills and educational training required for the modern security manager in order to combat cyber-crime?

RQ4: What are the risks and implications for businesses that have relaxed computer security policies?

This chapter is organized according to these research questions. Data collected through the examination of historical and current literature on the topic of cyber security will be used to resolve the research questions. In other words, this chapter will discuss research findings on the topic of the effectiveness and evolution of cyber security measures.

Results to Research Question One

RQ1: How is the currency of cyber security maintained on business systems, in order to provide a high level of sustained risk mitigation?

The most effective means to combat cyber security threats is to implement security systems that cannot be compromised by any unauthorized personnel. Security measures have made significant progress over the course of the last 10 years. However, as stated in the previous chapters, corporate or government computer systems are only as protected as their weakest security link. The United States Department of Homeland Security stipulated various practices to protect corporate and government systems from unwanted attacks. Through the implementation of new protocols, such as the development of modern operating systems, a business system can be better protected against cyber security threats, such as trojans and other malicious attacks (Shackelford, 2010). The U.S. Department of Defense argues that a new operating system should be designed around six key aspects:

First, the organization should know the exact risks that it faces. In other words, a bank, for instance, will know that its most vulnerable asset is access to its funds and related customer information. It should therefore employ a system that would make it impossible for attackers to access that information. Second, the organization should quantify and qualify its risks. This means that the bank should evaluate how likely a cyber-attack will be, and what it will mean to the organization if such an attack should occur. Third, the organization should employ key resources to mitigate security risks. Fourth, it should adhere to any and all security standards (emerging and existing), for specific controls. Fifth, the organization should define each of its resources’ core competencies, and should be able to identify any overlapping areas. Lastly, given all the previous information, the organization should develop and customize a security system that meets the unique needs of the organization (U.S. Department of Homeland Security, 2009). A bank, therefore, will have a different computer security system than an ice cream shop would.

Results to Research Question Two

RQ2: What policies and procedures need to be put in place to eliminate the threat of espionage against business system computers and networks?

An organization can also protect itself against non-physical threats by performing risk mitigation. Risk mitigation refers to the identification, assessment, and reduction of security breaches against company assets. A bank, for instance, would incur significant financial damage if its file servers were compromised by cyber attackers. To prevent that, the bank should implement multiple hard drives and power supplies to support fault tolerance. In addition, it should implement an effective backup system, as well as effective antivirus software. The antivirus software should be equipped with intrusion detection encryptions, so that unauthorized access can be terminated as soon as it is detected (Feigelson & Calman, 2010). In essence, an effective cyber security system is designed on the premise of being part of a whole. In other words, the most effective security systems are the ones that are multi-dimensional, or multi-layered. Such a security system has the capability of protecting various sections of a whole, simultaneously (Nalla & Morash, 2002). In other words, a multi-layered system will only function effectively if all levels are accessed by authorized personnel through the appropriate avenues. So, if one part of the system is compromised, the other parts will not work. That means that even if a breach does occur, hackers will not be able to do much damage, because the other parts of the system will automatically shut down. Layered protection, according to the U.S. Department of Defense, is the most effective means for an organization to protect its assets (U.S. Department of Homeland Security, 2009). A multi-layered computer system consists of single, multi-homed, dual, and cascading firewalls, configured switches, routers with access control lists, dedicated communications media, and static routes and routing tables (p. 18).

Results to Research Question Three

RQ3: What are the specific skills and educational training required for the modern security manager in order to combat cyber-crime?

It is crucial that the modern security manager receive comprehensive training to effectively administer the computer networks and systems of any given organization. The U.S. Department of Defense (2010) argues that proper training is a core component of a comprehensive and effective security program. The security manager should have completed cyber security training programs, in conjunction with security awareness programs (Digital Bond, 2007). Security awareness programs are comprised of several key components to ensure that the security manager receives adequate training. For instance, these programs teach the purpose and scope of cyber security, implementation strategies of security systems, appropriate means to monitor security systems and provide feedback on their effectiveness to system developers, and means to measure their success. In addition to the successful completion of these programs, the security manager must undergo continuous training to ensure that he or she is up to par with the latest technological developments. Continuous training focuses on IDS configurations, new firewall features, and the latest network architectural designs (Digital Bond, 2007).

Although formal training is often a costly procedure, experts argue that it is far more cost effective than paying for a breach in an organization’s security. The security manager is also responsible for training other network users on the dos and don’ts of the company’s network. These training sessions often offer operational level training and awareness to secondary or tertiary users, executive level training and awareness to primary level users, and technical level training and awareness to authorized personnel who have access to critical cyber assets (O’Regan, 2001).

The modern security manager’s training teaches him or her how to respond appropriately in the event of a security breach. In other words, the security manager must be able to accurately and effectively report any incident which compromises the integrity of the organization’s computer systems. He or she must then be able to initiate activities that will mitigate the breach, so that the system can resume accordingly. Such an incident response will also teach other personnel about the appropriate response in case of a network security breach. The National Institute of Standards and Technology (NIST) has released a Computer Security Incident Handling Guide, SP 800-61, which guides security personnel in their efforts to report a security breach. Furthermore, the Department of Homeland Security developed US-CERT, which is a comprehensive guide that aids security managers in their reports of extensive network security breaches (Nash, 2005). The security manager is required to undergo yearly training on both these publications to ensure that he or she is appropriately prepared for any unwanted incidents.

Other roles of the modern security manager include the protection of the company’s intellectual property, adhering to the company’s ethical policies, oversight of due diligence, and maintaining export control compliance (Cadwell, 2003).

Results to Research Question Four

RQ4: What are the risks and implications for businesses that have relaxed computer security policies?

Any business that has relaxed security policies faces the risk of unwanted cyber-attacks. These attacks can compromise the integrity of the entire business, which can subsequently incur significant costs associated with repairing security breach damages. The most prominent threats include susceptibility to malicious software, such as worms and viruses, unauthorized intrusions into the company’s network, and data gathering (Digital Bond, 2007). Modern systems with slack security systems also face the added threat of hostile mobile code. This means that the system could be compromised through malicious active content that involves VBScript, ActiveX, JavaScript, and applets. In addition, companies could face reverse engineering of control system protocols. This means that hackers could infiltrate the company’s computer network and control some of the system’s functions from a remote location. This is a particularly serious threat for banks or other financial institutions, because hackers could access customer information and allocate funds to different locations (Nash, 2005).

Any vulnerabilities within a company’s network give attackers ‘backdoor’ access to privileged information. These backdoors come to fruition when a company’s architecture parameter has certain basic shortcomings. In most cases, hackers do not require physical access to a company’s domain in order to gain access to it. A network’s shortcomings often originate in the system’s network perimeter, although they are also created when insufficient security analyses are performed, giving access to hackers. Network perimeters of modern IT systems include public facing services, firewalls, and wireless access. Each of these components is responsible for enhancing communications between affiliated networks of one complex information infrastructure. When one of these components is operating at subpar levels, a hacker could gain access to all the connected networks. Hackers are most often attracted to interconnected networks because they can infiltrate interconnected sources through one single point of compromise (Denning & Denning, 2010).

A large number of networks are also connected through wireless communications. For instance, an ice-cream shop may not store any of its sales information on a computer or network that is physically located on the store’s premises. Instead, it may communicate wirelessly with a credit card company that stores sales information of customers who pay by credit card. A hacker could therefore access the ice cream shop’s vulnerable network and subsequently gain access to the credit card company’s information. An increasing number of modern businesses choose wireless communications because it is easier to employ than traditional wired infrastructures (Nalla, 2005). A hacker can easily influence the intrinsic functionality of wireless networks because it is easy for them to discover wireless communication points. The alarming aspect of hackers who gain access through a wireless communication point is that they can often bypass all other security perimeters, because they are essentially operating the system as an authorized network user (Feigelson & Calman, 2010).

Summary

This chapter discussed the data collected, primarily from historical and recent literature on the topic of the future of cyber security. Research findings indicate that the future of cyber security is predominantly dependent on the security measures that a company is willing to implement. Because technology is constantly changing and becoming more enhanced, so are the security breaches associated with it. The most prominent discovery of this research study is that, despite the rapid evolution of modern technology, certain effective measures can be employed to ensure the security of a company’s computer network system. The implementation of a layered network infrastructure will significantly reduce the risks associated with unauthorized access to a company’s network. A layered system will automatically shut down all parts of the whole if one aspect of its entirety is unduly compromised. It, therefore, remains the responsibility of the company to invest in a modern, multi-layered network system. In addition, it is crucial that organizations invest in the proper training of their security managers. Doing so will ensure competent personnel who are able to effectively implement and operate the company’s security system, as well as defuse any issues related to its unauthorized compromise.

The next chapter will draw conclusions from the information gathered for the four research questions discussed in this chapter. All the information presented in the next chapter will be presented and discussed in the context of the four research questions.

References

Cadwell, R. (2003) ‘The Changing Roles of Personnel Managers: old ambiguities new uncertainties’, Journal of Management Studies 40 (4): 983-1004.

Denning, P. J., & Denning, D. E. (2010). The profession of IT discussing cyber-attack. Communications of the ACM, 53(9), 29-31. doi:10.1145/1810891.1810904

Digital Bond. (2007, July 27). Understanding OPC and How it is Deployed. Retrieved September 29, 2012, from British Columbia Institute of Technology, and Byres Research: http://csrp.inl.gov/documents/OPC%20Security%20WP1.

Feigelson, J., & Calman, C. (2010). Liability for the costs of phishing and information theft. Journal of Internet Law, 13(10), 1-26.

Nalla, M.K. (2005) ‘Assessing Corporate Security Department’s Internal Relationships and Linkages with other Business Functions’, Journal of Security Education. Vol. 1(1): 57-68.

Nalla, M.K. & Morash (2002) ‘Assessing the Scope of Corporate Security: Common Practices and Relationships with Other Business Functions’, Security Journal 15: 7-19.

Nash, T. (2005, August). Backdoors and Holes in Network Perimeters. Retrieved September 29, 2012, from Control Systems: http://www.us-cert.gov/control_systems/pdf/backdoor0503

O’Regan, D. (2001) ‘Genesis of a profession: towards professional status for internal auditing.’ Managerial Auditing Journal 16(4): 216-226.

Shackelford, S. J. (2010). Estonia three years later: A progress report on combating cyber-attacks. Journal of Internet Law, 13(8), 22-29.

U.S. Department of Homeland Security. (2009). Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies. Washington, D.C.: U.S. Department of Homeland Security.
