The Future of CyberSecurity, Research Paper Example
The world is becoming modernized, with advanced computing integrated into almost every industry. In developed countries, advanced computing infrastructure is installed to operate services in e-commerce, the industrial sector and the financial sector. New deployments of supervisory control and data acquisition (SCADA) systems, military defense systems and financial systems operate over the Internet. The critical infrastructure of any country consists of extremely complex, self-governing and cyber-based resources that are vital for the nation's financial system and governance. It covers communications, transportation, water supply, energy, emergency services, and banking and finance. Information technology has evolved through new research and reinvention, enabling the computerization of critical infrastructure. On the other side, vulnerabilities have also emerged that disrupt critical infrastructure in several ways. Although there are many vulnerabilities, cyber-attacks are the most prominent. Cyber-attacks approach their target in a non-traditional way. Because of inequity in military strength, hackers attack this critical infrastructure, affecting both the economy and the military sector of the country (SANS: Critical infrastructure protection). To address cyber-attacks, there must be a security framework that covers internal, external and technical system security. This paper addresses security against potential and current cyber threats by introducing such a framework, along with mitigation strategies for organization-wide security.
Whether operated by the government or by the private sector, both kinds of network give hackers opportunities to intrude on the destination remotely and take control of the capabilities and resources of these devices. The impact of hacking these systems is devastating. For example, hackers may gain access to military radar systems, credit card data may be stolen, and data stolen from the Federal Bureau of Investigation (FBI) has revealed secret agents whose lives are now at risk. The scale of these attacks affects the country's economy, security and financial stability. They breach government networks that are directly related to national services. Thousands of new cyber-attacks, categorized as 'major' and 'minor', are launched over the Internet daily. The focus is the power sector of the United States, along with websites in Poland, South Korea and the United Kingdom; all have witnessed cyber-attacks in the past few months. Schools in various states of America have lost millions to fraudulent wire transfers (Shackelford, 2010).
Cyber-attacks are intelligent as well as organized. Once a network is hacked, the attackers install small loopholes or software intruders that give them access whenever they want to enter the network again. In simple words, it is a computer-to-computer attack to steal confidential information or compromise the integrity of the data currently available on the network. The attack adopts a calculated approach to take action against data, software and hardware in both computers and networks (Denning & Denning, 2010). It is essential to define a solid network defense for handling cyber-attacks. 'Stuxnet' is a software program that infects industrial control systems. The complexity of the virus indicates that it was developed by a group of expert hackers funded by a national government; the software shows no sign of having been developed by ordinary hackers or cyber criminals (The meaning of Stuxnet, 2010). Security experts broke the virus's cryptographic code to peek inside and identify its objective and working methodology. After analyzing the virus's behavior, the experts' initial thought was that it was tailored for stealing industrial secrets and factory formulas, which could be used to build counterfeit products. This conclusion proved wrong when Ralph Langner, an expert in industrial system security, revealed that the virus targets Siemens software systems. He also published that the virus may have been used to sabotage Iran's nuclear reactor. Langner simulated a Siemens industrial network to test the activity of the virus (Stuxnet virus may be aimed at Iran nuclear reactor – ComputerworldUK.com).
This proved right when an article published on computerworld.com reported: "Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday." Langner (Stuxnet virus may be aimed at Iran nuclear reactor – ComputerworldUK.com) reveals that when the virus reaches its target at the last stage, it modifies a Siemens code block named "Organization Block 35". By default this Siemens component monitors vital factory operations within 100 milliseconds, and the virus takes it over by modifying this critical component. The 'Stuxnet' virus can thereby cause a refinery centrifuge to malfunction. This is not the end, as it can attack other targets too.
To deliver electric power from the power producers, data related to transmission and distribution needs to be shared between them. For this communication, a network with different protocols and Quality of Service (QoS) guarantees is implemented. The infrastructure of the oil and electrical industry is built for performance rather than security. The software on which this equipment operates follows proprietary standards that emphasize functionality over security. Power grid development and installation is proceeding at a rapid pace to meet demand. The automation systems in the oil and power industry are assembled from legacy and new modules, leaving no room for the added network security features the systems might otherwise support. Network security features are designed for information systems and do not account for performance requirements (Wei et al., n.d.).
The network dictionary defines a Trojan as something that "is similar to a virus, except that it does not replicate itself. It stays in the computer doing its damage or allowing somebody from a remote site to take control of the computer" (Trojan, 2010). Financial institutions are affected by Trojans more than any other sector. They are selected because their transactions are conducted online, and hackers' objective is to steal the credentials of the online shopper. That is why financial institutions received the most Trojan attacks in 2005: 40%, against the other fifteen sectors (Financial institutions receive most Trojan attacks, 2006). A simple definition of phishing from the same network dictionary states that "it is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords" (Phishing, 2010). Data is the lifeblood of every organization, and financial institutions in particular conduct their business online. 'Phishing' presents a fake identity for a website and collects users' credentials online. This causes business loss as well as a negative impact on customers' trust in the organization. 33 people were caught in "Operation Phish Phry", in which two million dollars were stolen from bank accounts within two years. The website of Bank of America was replicated as a fake, and users were prompted to enter classified credentials so that money could be stolen from their accounts online (Feigelson & Calman, 2010).
Financial impact involves the theft of an organization's critical data, also called business information. This is a critical threat because organizations bear more cost for missing data than for online credit card fraud. Business theft causes severe damage: organizations lose their business, their customers and their presence in the global economy.
Technical System Security
Before defining a security architecture or strategy, every organization must ask itself one question: why do I need information system security? After identifying the purpose, the organization needs to identify weaknesses or vulnerabilities along with their impact and types. Organizations have to consider the backdoors and weak points that may allow or trigger threats to disrupt business operations by compromising an asset or information system. Moreover, a holistic approach is required to address all risks and vulnerabilities, as every minor vulnerability can expand by cascading into other risks in the system. From a technical standpoint, what needs to be protected: hardware, applications or data? That is a question the organization must answer itself, and it can only be answered by identifying and categorizing threats. As per Dhillon (2007), threats are categorized as modification, destruction, disclosure, interception, interruption and fabrication, and they apply to hardware security, data security and software security. Modification is associated with changes to or alteration of data, with or without purpose; it can be performed by an employee or by software. Effective change management and configuration management procedures, along with documentation, are the most effective controls for minimizing security vulnerabilities that may arise from incompatible modules or hardware modification of the system. Destruction is associated with physical damage to a hardware device, network device or software. Destruction of a hardware or network device includes spilling of water, inadequate configuration, voltage variations and so on, whereas software destruction can result from malicious code, a Trojan or the unintentional deletion of the kernel of an application. Similarly, data can be deleted intentionally or unintentionally, and can also be lost through a malfunctioning device.
Disclosure of data is tied to confidentiality, i.e. the need-to-know basis. Data is easy to steal because the original copy still appears intact despite the theft. Data can be classified into many types, again depending on organizational requirements. For instance, trade secrets, upcoming financial results or long-term strategic plans of the organization can be classified as top secret, whereas customer information can be classified as confidential. Organizations conducting business online collect customer information via websites. Data can also be intercepted by unauthorized access to computing and electronic resources; moreover, unauthorized remote access can result in information being accessed from a remote location. Interruption affects system availability and may result from malfunctioning hardware or a power outage; interruption of services can also be caused by a broadcast storm or network congestion that leads to denial of service. Lastly, fabrication refers to the insertion of transactions into a database. Fabrication is often conducted by unauthorized parties in a way that makes it difficult to distinguish authentic from forged transactions. One example of fabrication is 'phishing'. However, in order to implement technical system security, encryption is so far the best control for protecting the integrity of data. Encryption encapsulates the data by ciphering it into another form using public and private key encryption. Likewise, asymmetric and symmetric encryption techniques are chosen as requirements dictate. Moreover, non-repudiation can be provided by third-party certificate authorities.
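As an added example that is not part of the original paper, the following Python script shows how an integrity control makes two of Dhillon's threat categories detectable in practice: a transaction that was modified after issuance and one that was fabricated. It uses a keyed hash (HMAC-SHA256, a symmetric technique available in the standard library) in place of the public-key encryption and certificate authorities the paragraph mentions, because those need an external library; the transactions, the key and every function name are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demonstration key. In a real deployment the key lives in a
# key-management system or HSM, never in source code.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Encode a record deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to a transaction record, producing an 'envelope'."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = DEMO_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means modified or forged."""
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def audit_ledger(envelopes: list, known_ids: set, key: bytes = DEMO_KEY) -> dict:
    """Classify each envelope with the threat categories used in the text.

    Returns a mapping of transaction id -> 'authentic', 'modification' or 'fabrication':
    - 'modification': a transaction the issuing system knows, whose tag no longer
      matches its content (the data was altered after issuance)
    - 'fabrication': a transaction id the issuing system never recorded
    """
    verdicts = {}
    for env in envelopes:
        tx_id = env["record"]["id"]
        if tx_id not in known_ids:
            verdicts[tx_id] = "fabrication"
        elif verify(env, key):
            verdicts[tx_id] = "authentic"
        else:
            verdicts[tx_id] = "modification"
    return verdicts


def demo() -> dict:
    """Run the audit over a constructed ledger containing one of each case."""
    # Constructed sample transactions as issued by the institution's own system.
    issued = [
        protect({"id": 101, "account": "ACC-1", "amount": 250.00}),
        protect({"id": 102, "account": "ACC-2", "amount": 80.00}),
    ]
    known_ids = {env["record"]["id"] for env in issued}

    # Modification: the amount of transaction 102 is edited after issuance,
    # but the original tag is kept, so the tag no longer matches.
    tampered = {"record": dict(issued[1]["record"], amount=8000.00), "tag": issued[1]["tag"]}
    # Fabrication: a transaction the system never issued, carrying a made-up tag.
    forged = {"record": {"id": 999, "account": "ACC-9", "amount": 5000.00}, "tag": "0" * 64}

    return audit_ledger([issued[0], tampered, forged], known_ids)


if __name__ == "__main__":
    for tx_id, verdict in demo().items():
        print(tx_id, verdict)
```

The HMAC detects modification and fabrication, but because issuer and verifier share the same key it cannot prove to a third party which of them produced a record; that is the non-repudiation gap the paragraph assigns to asymmetric signatures and certificate authorities.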
Formal System Security
Management of information system security requires the development of organizational structures and processes to ensure adequate protection and integrity. Likewise, maintaining adequate security requires an appropriate organizational relationship that preserves the integrity of roles and responsibilities. Moreover, an overarching strategy and policy is required to maintain and manage information system security. However, information system security will not be effective unless the organization realizes that information security must be treated as a top-level management responsibility. Likewise, information security management must be driven by the board of directors and aligned with corporate governance. Corporate governance is defined as "the system by which the corporations are directed and controlled" (von Solms & von Solms, 2009). As it is the responsibility of the board of directors, there will be no effective security governance within the organization unless a top-down approach is followed. Moreover, treating information security solely as a technical matter will result in the failure of the information security program. As technical controls can only prevent threats and vulnerabilities through a specific set of technical configurations, information security management is required to demonstrate performance through security metrics. Examples include dashboards and balanced scorecards that show the current and required information security state of the organization. However, implementing information security governance at the top level alone cannot resolve all issues, as it is a multi-dimensional discipline: information security management is a complex matter that must be reviewed and maintained on a periodic basis. Moreover, effective risk management should be in place so that organization-wide risks are identified in order to establish an effective information security management plan.
Organizations must maintain a minimum acceptable standard that represents recommended best practice in information security management. Corporate information security policy enforcement is essential: it acts as a management control and defines purpose, scope, ownership, standards, configuration requirements, enforcement and revision history. Likewise, this policy sets out comprehensive details covering all aspects of protecting the organization's information. Furthermore, alongside information security governance, risk management, policy and policy enforcement, user awareness is essential. As the risk environment is constantly changing, every employee must be aware of effective information security practices and procedures. A comprehensive training and awareness program by NIST addresses three levels of users, i.e. beginners, intermediate users and professionals (Whitman & Mattord, n.d.). Each group is addressed by customized user awareness training sessions that also include a computer-based testing environment.
Informal System Security
Informal system security naturally supports formal system security within the organization. Formal systems cannot work alone unless employees accept them. Likewise, their effectiveness is directly linked with user acceptance. For instance, if a biometric attendance system is installed as a physical security control, user acceptance is necessary or else the control will not be effective. However, the severity of an improper informal system is not as high as that of formal and technical security. It is a fundamental observation that humans are resistant to change. A few examples of factors that may introduce issues to information security management are:
- a department becoming computerized
- deployment of an ERP system
- changes in management
- changes in reporting
In the above examples, most employees may welcome the changes while some may not. Addressing these issues is important, because if an employee resists change, he or she may handle information security procedures inadequately, introducing security risk for the organization. Training sessions must therefore be conducted for the affected groups of people to minimize these issues.
To address potential and current cyber threats, we have presented a framework. The three systems, i.e. formal, informal and technical, and their coordination cover the technical, management and human-interaction factors. Protecting data and information in an organization is a collaborative effort: technical systems act as the core, covering all technical aspects; formal systems act as the management aspect; and the informal system deals with the human element. The next section will address issues and acts related to data privacy and protection.
Denning, P. J., & Denning, D. E. (2010). The profession of IT discussing cyber attack. Communications of the ACM, 53(9), 29-31. doi:10.1145/1810891.1810904
In the introductory paragraphs, this source defines the internal semantics of cyber-attacks that exploit vulnerabilities to attack federal or government systems. Likewise, the source is used to explain cyber-attacks in a simplified way and to make them interesting for the reader.
Shackelford, S. J. (2010). Estonia three years later: A progress report on combating cyber attacks. Journal of Internet Law, 13(8), 22-29.
This source was used to throw light on the history of security breaches along with the regions affected. Some statistical information is also presented. Likewise, this source backs the fact that preventing cyber threats is vital, as breaches may result in all sorts of issues for people. For example, if a patient's electronic health records are damaged, how will a doctor treat him?
SANS. (2010). Critical infrastructure protection. Retrieved November 20, 2010, from http://www.sans.org/security-training/critical-infrastructure-protection-12-mid
The SANS source defines the focus area of these cyber threats, as they are targeted more towards federal or governmental systems, where they may result in incalculable damage to the country as well as the nation. Also used in the introductory paragraphs, this resource describes the uncommon characteristics of a threat exploiting systems operating in critical infrastructure.
The meaning of Stuxnet. (2010). Economist Newspaper Limited.
This source makes the introductory section more interesting, as it provides significant information on the consequences of this virus. An extraordinary virus developed by an unknown group of experts was initially built to disrupt operations at an Iranian nuclear facility.
Stuxnet virus may be aimed at Iran nuclear reactor. (2010). ComputerworldUK.com. Retrieved November 20, 2010, from http://www.computerworlduk.com/news/security/3240458/stuxnet-virus-may-be-aimed-at-iran-nuclear-reactor/
This source provides evidence for the claim that the virus targeted Iran's nuclear reactor.
Iran confirms massive Stuxnet infection of industrial systems. (2010). Computerworld. Retrieved November 20, 2010, from http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems
This source provides evidence of the mass destruction caused by the Stuxnet virus.
Wei, D., Lu, Y., Skare, P., Jafari, M., Rohde, K., & Muller, M. (n.d.). Power infrastructure security: Fundamental insights of potential cyber-attacks and their impacts on the power grid.
Nations with active critical infrastructure have integrated their electricity systems with computerized systems. The Stuxnet virus disrupted these systems by changing voltages to wrong values, resulting in massive damage to power grids. This source extends the discussion to the impact of a single security threat that caused issues throughout the planet.
Financial sector. (2010). Core Security Technologies. Retrieved November 20, 2010, from http://coresecurity.com/tag/financial-sector/
This source provides evidence backing the fact that cyber threats affect the financial sector of any country. Its main purpose is to give the reader an idea of the impact of cyber threats on people, organizations, countries and the planet as well.
Feigelson, J., & Calman, C. (2010). Liability for the costs of phishing and information theft. Journal of Internet Law, 13(10), 1-26.
This source describes another security threat known as phishing. The source not only describes what phishing is but also demonstrates the financial loss to a bank.
Phishing. (2010). Computer Desktop Encyclopedia, 1.
To make the topic more understandable for the reader, simple definitions are included within the discussion paragraphs.
Trojan. (2010). Computer Desktop Encyclopedia, 1.
To make the topic more understandable for the reader, simple definitions are included within the discussion paragraphs.
Financial institutions receive most Trojan attacks. (2006). Point for Credit Union Research & Advice, 3.
This source demonstrates the primary purpose of a Trojan directed at financial institutions: stealing electronic transactions, for instance wire transfers.
Dhillon, G. (2007). Principles of information systems security: Text and cases. Hoboken, NJ: John Wiley & Sons.
This source has served as the basis for the literature mentioned in this coursework. As our main thesis was to address formal, informal and technical system security to protect organizations from cyber threats, this source served the primary purpose.
von Solms, S. H., & von Solms, R. (2009). Information security governance. New York: Springer.
This source defines what corporate governance is; as the security framework requires integration with the business, readers can understand it in an easy way.
Whitman, M. E., & Mattord, H. J. (n.d.). Management of information security. Course Technology.
This source addresses the most critical process for maintaining an information security program, as it requires continual training and awareness sessions for staff.