The Future of Cyber-Security, Research Paper Example

Abstract

This paper examines the concept of Cyber-Security as it applies to the setting of Corporate / Government networks in business.  A basic definition of Cyber-Security is provided and this is placed into context with Information Technology in a business setting.  Particular focus is placed upon aspects of causation and the need for remedial measures.  In particular how business has created the role and need for the Corporate Security Manager and how this has become a paramount function in modern business structures.  The paper examines the process and need for Cyber-Security and equally considers the ramifications of not having the preventative measure in place.

Introduction

Internet Crime and particularly illegal entry into other computer systems i.e. hacking is deemed to be a Federal Offence in the USA and falls under the investigative jurisdiction of the Federal Bureau of Investigation (FBI).  Criminal computer hacking has been legally defined as any person who willingly and knowingly commits an act of cyber terrorism, credit card fraud, malicious vandalism, identity theft or other cyber-crime by hacking into a Corporate or Government system.  Such criminal acts are treated very seriously in the USA and will be subject to harsh penalties.  Such intrusions are capable of creating a tremendous amount of malicious damage. They may potentially threaten national security, may cause serious service disruptions e.g. hospitals, emergency services etc.  May create economic and financial instability by intrusions to Banks or large Corporate Offices.

Such Cyber-Crime has resulted in the need for Organizations to have a specific function i.e. A Security Manager, to oversee security and procedural compliance over computers, networks, technology, communications and premises.  This paper explores the realm of this function in greater detail and examines the preventative measures that modern businesses have to put in place.

Background

Perhaps most people think of computer hacking as the ability to decipher code and invade other systems through the internet.  Unfortunately some of the worst recent incidents have been amazingly simple.  Consider the massive amount of damage that was caused by Wiki Leaks where 90,000 classified military documents were downloaded onto a USB pen drive and smuggled out of a secure establishment.  The leak of this information into the media was an act of insane criminal irresponsibility and may have resulted in putting thousands of active duty service men and women in harm’s way.  Media Companies need to be more responsible in the handling of such information.  The freedom of the press and publishing sensationalist material must have some bounds.  The view that the people have a right to know what is going on is not realistic where Defence or National Security information is concerned.  Citizens have a moral duty of social responsibility and responsibility to the welfare of the country and those who serve in the military.  It was Mike Mullen of the Joint Chiefs of Staff who announced in Iraq that those who leak  US military documents place soldiers’ lives at risk (Knickerbocker, B. 2012)

Information Technology has become the life-blood of virtually every organization. Most large business operations contain  Data Centre’s of expensive computer and communication systems (hardware) and important client information and programs (software). Together they provide the central back-bone of the organization and as such any threat to these systems can be extremely disruptive and costly to the business.  Security Managers are responsible for the overarching strategy that provides coverage of these important assets.

IT Security services normally are structured into three separate categories:

• Management Services: Management of the computer risks and security of information technology in the firm. The function works closely with the IT Executive of the firm and Head of Internal Audit. The objective to ensure that all corporate security policies are properly carried out and fully implemented.
• Operational Services: These are more focused upon the human interface and the controls that are the responsibility of people.  Automated control functions are also examined. It is the man/machine interface and the security controls of same.
• Technical Services: Focuses on the in depth security controls within the overall Information Technology and computer systems of the banks. Ensuring there are no loop holes or potential breaches in security.  (Kovacich, G. 2003).

Problem Statement

There is a considerable threat imposed upon the interception of communications particularly that associated with electronic media.  One of the more common threats relates to that of e-mail. The threat here is two-fold: (i) the interception of messages and communication by hackers and others who are intent on theft of intellectual copyright or business confidential information (ii) incoming messages from the outside that may have attachments and carry harmful viruses that can penetrate the Banks firewall and impose serious damage to the computer network.

The first of these represents a criminal offence and is punishable under the law.  The second may be harmless or careless use of communications that have not been checked with anti-virus software.  The policies here become a little more complex but certain precautions can be taken.  The first is for the system not to accept any external e-mails that contain attachments. In addition those that contain any graphics or graphic files which are often used to harbour Trojans.  Only allow access to the network to those that have security clearance and are deemed to be authorised users of the system. Restrict external file attachments to addresses outside of the system (prevention of data transfer or theft).

The research addresses the following key questions:

• How is currency of Cyber-Security maintained on business systems in order to provide a high level of sustained risk mitigation ?
• What policies and procedures need to be put in place to eliminate the threat of espionage against business system computers and networks?
• What are the specific skills and educational training required for the modern Security Manager in order to combat Cyber crime?
• The risks and implications to business of having a relaxed computer security policy.

Professional Significance

The special significance of cyber security has been enhanced by the need to deal with Cybercrime over wireless networks. This has left business systems more vulnerable to penetration than ever before.  Consider the following areas:

Rogue Wireless Area Networks:  This is where someone may introduce an additional router to your network and thereby gain access to the wider network.  This is essentially a hardware intrusion.  Software applications like Network Magic will detect and report such intrusions to the network administrator.

Spoofing Internal Communications:  This is a direct attack and intervention from outside computers wishing to gain access to your system.  They simulate internal domains and essentially look harmless on the network maps.

Direct Theft of network resources:  This is where your system is hacked and the intruder steals bandwidth to surf the internet.  They can then indulge in a variety of illegal activities that indicates the source as your network.  i.e. downloading pornography, music, video clips etc.  Degradation of your network performance is an indication of this type of attack.

Local Area Network segmentation is one means of improving security whilst offering better operational advantages over the efficiency of the network. (Bradley, T. 2007).

Whilst segmentation is a useful step you will also require wireless encryption which is essentially a means of preventing eavesdroppers on to your personal wireless network.  The early method used WEP (Wireless equivalent privacy) but this was later discovered to be flawed as anyone who gained the key access could join the network.  It was also easily cracked by professional hackers.  We quickly moved over to WPA (wireless protect access).  This used temporary key integrity protocol and provided a much tougher code system to decipher. Even this was not good enough for large enterprise networks that required a much higher degree of sophistication and security.

Overview Methodology

The approach will be one of qualitative research methods. Qualitative research has a number of different focal points but in essence attempts to address a perspective of the attitude of people towards their behavioural traits, their value systems, their lifestyle and culture and their needs or desires.  The diagram to the right illustrates how these concepts inter-relate with one another.   The idea of this research method is to add shape or abstraction to unstructured states.  In summary qualitative research seeks to answer questions by the collection of evidence and accompanying research in an orderly and systematic way.  Such finding not having a pre-determined result and may cover research that extends beyond the immediate bounds of the study.  There are a number of different components in terms of how qualitative research studies are conducted but they include: (i) Participant Observation – this is the collection of data or information that occurs from a behavioural context (ii) Interviewing – normally in depth interviews that collect or gather personal data and provide such information as personal experiences, viewpoints or historical data (iii) Focus groups – essentially study groups that tend to elicit data on a broad overview of cultural norm topics.  Such data normally takes the form of field notes, audio tapes, transcripts and more recently notes captured on computer tablets.

References

Bradley, T. (2007, 12 6). Secure your wireless network. Retrieved 11 25, 2011

Knickerbocker, B. (2012, 8 18). WikiLeaks: How did the Pentagon lose track of 91,000 documents? . Retrieved from Christian Science Monitor: http://www.csmonitor.com/USA/Military/2010/0729

Kovacich, G. (2003). The Information Systems Security Officers Guide. Burlington MA: Elsevier.