IT Examples and Topics

Creating And Communicating A Security Strategy

As an IT professional, the author has to identify vulnerabilities in the company's network security. Once the vulnerabilities are found, they will be related to security policies and standards. Finally, the recommendations and actions needed to address the security issues will be discussed. The purpose of this memo is to identify security risks and to provide a network security framework for hardware and software solutions developed within the company. The company provides online financial services to various banks within the State. It currently provides portals and servers for the banks. The servers hold sensitive data of loyal bank customers. As the company deals with confidential financial information, it can face several security threats. The company's network infrastructure is most vulnerable to cyber-attacks. The network is a Wide Area Network (WAN) interconnecting many Local Area Networks (LANs).

Two major security risks associated with the company's network are the shutdown of a system and the loss of sensitive data. These losses can be caused by computer viruses, rogue security software, Trojan horses, adware or spyware, network worms, DDoS attacks, rootkits, and SQL injection attacks. The company's servers store the sensitive data, which makes them the primary target of cyber-attacks. The security measures suggested in this memo must protect the servers from internal and external breaches. To address such cyber-attacks, a company needs a good security policy to ensure the safety of its network.

Security policy

Any secure network can be breached by either an external or an internal attack. To secure a system, different layers of security should be applied. The primary objective of layered security is to protect the primary asset even if the attacker manages to breach the system. The policy will be designed by following the recognized standards which most private companies and government offices follow. There will be two main parts of the suggested policy: security measures and strategies. Security measures are the steps which help in securing the system. Strategies are the steps which help when security is compromised. These steps are designed by following the guidelines of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIST provides supporting guidelines for NSA standards.

Security Measures

To address all security threats and concerns, we have to search for weak spots within the network. A skilled workforce is essential for the security of the network; staff should have technical skills and expertise with network security tools. Cisco offers network security courses and certifications. If a worker doesn't have such certifications, the enterprise should sponsor such courses for its IT technical staff.

A company should take the following key actions to prevent any internal or external cyber-attacks.

Understand common attacks. Good knowledge of the cyber-attacks that target weak networks can be very helpful.

Establish a list of potential vulnerabilities, and look for anything suspicious or unknown to your network

Use vulnerability and network scanning tools

In case of an attack, the company should be able to assess the risk and take reliable action.

Strategies

The suggested defense strategy for the company's network is multiple layers of protection against external intruders. If one layer is compromised, there are more barriers that a hacker has to overcome before gaining access to the company's servers or other components. This layered system not only slows down hackers, but also allows them to be detected before they achieve their goals. This section briefly explains the layered strategy.

Every component of the system should be VPN capable.

Secure cables with a firewall

As shown in Figure 1, install a firewall in every layer of the network, with a separate firewall for each server and each layer.

Install a network security tool which will monitor the traffic within the server

Create strong passwords for every network device

Only allow data to travel within the network in encrypted form

Install firewall management software

Strong authentication parameters, either NetScreen or F5 employ user-based authentication

For added security, access control and authentication should be as close to network as possible

Use XMP mapper in every IDSN adapter

Install NIC at the maximum number of junctions possible

Use network gateways even at endpoint access

These parameters and measures are listed after careful study of the NIST security testing guidelines, publication 800-115. All the parameters mentioned above are crucial for enterprise network security.

Two techniques are used for security examination and testing. The first is white box testing, which involves examination of the application's source code. It is an efficient technique for detecting security defects. Performing white box testing is quite easy, as the source code of the applications is usually available. White box testing cannot detect threats that arise during the compilation of the program. In addition, security threats linked between components are also hard to detect using white box testing.

The second testing technique suggested by NIST is black-box testing, which involves analysis of an application's binary executable. This technique is used to examine the security of individual components which have a high risk of being infected or attacked. This type of test also challenges the threat-handling capabilities of the system, which reveals the limitations of the network system and its security status. Both white box and black box techniques can be used simultaneously in a combination called grey-box testing.

A person performing this kind of security assessment should have certain skills. He should have a good understanding of programming languages and network security protocols. Familiarity with application development and secure coding, and the ability to use other security tools, are great perks of a skilled employee which benefit the company.

Subject: IT

Pages: 3 Words: 900

Creating And Communicating A Security Strategy

The efficiency of system administration hinges upon network security. Business networks face numerous cyber threats today, and to avert such threats, network security is pivotal in designing a security strategy. No matter how big or small the business is, it has to ensure that the network is secure enough to avert spoofing and data theft. One of the latest incidents of data breaches is the ‘WannaCry Ransomware’, which locked data on thousands of servers across the world. The development of sophisticated hacking skills by hackers requires all businesses to strive for effective network security. Most security breaches are a testament to such sophisticated skills.

This essay discusses the security strategy of Dropbox Business. Dropbox Business is a package offered by Dropbox for file sharing, and most companies and enterprises use Dropbox. Any company or enterprise, as a client, can use Dropbox to sync and share files easily. Besides, Dropbox also provides its clients with abundant space for data storage, and with collaboration between the employees of the company or enterprise. The essay focuses on the protection and security of the cloud computing that Dropbox uses for file sharing and storage. The potential threats to the cloud system, and how such threats could be averted, will be discussed as well.

Potential Threats to Cloud Computing

Ransomware is a threat to any company's cloud storage, as that storage is just an extension of its network. Ransomware seeks out connections and exploits them. If the company maps a drive to its cloud storage, then that drive will become infected along with the rest of its computers and/or network. If the company uses a sync tool to synchronize its local files to cloud storage (OneDrive, Dropbox, and others do this), then that too will become infected. Another potential threat to the cloud is crossover traffic bleed. Crossover traffic bleed happens when a company has a memory overflow in a shared cloud computational space. Owing to crossover traffic bleed, data could be obfuscated.

Security Strategy

Equipment glitches and the installation of pirated software invite most breaches in network security, however inadvertently. Some default security holes in TCP/IP protocols and operating systems can also lead to a network security breach. Then there are advanced evasion techniques (AET), which combine different evasion methods to devise a new technique for bypassing an information security system. Hackers can breach business network security in a number of ways, such as password attacks, IP address spoofing, social engineering, and Denial of Service attacks. The steps for an effective security strategy are as follows:

Secure data sharing: A sound network security infrastructure in place could ensure secure data sharing.

Managing data traffic: Systems exposed to a high level of traffic are more prone to network security attacks. So, for an improved user experience without putting a website or system at risk, reliable network security is important.

A data breach would not surprise any company, as it is nothing unique, and most companies have witnessed security breaches in their networks. However, the way in which hackers encroach on business security is worth mentioning. More often than not, companies find themselves caught in the undertow following a data breach, because undoing its aftereffects is very difficult. Undoubtedly, prevention is the best cure! If a company's employee loses his or her unencrypted laptop, or witnesses a hacking attack on the device, then a network and data breach would be easy. Besides, if there is no CASB solution in place, then tracing a data breach would be much more difficult and time consuming. In addition, the company may find itself in a zero-solution zone without any adroit security solution. By integrating multiple layers of defense in the network, and by implementing controls at each network security layer, such network security breaches can be averted.

Subject: IT

Pages: 2 Words: 600

CSIA 360 Project 3 Government Mobile Apps Security Assessment

Project 3: Government Mobile Apps Security Assessment

Malintha Liyanage

Introduction and Background:

Information and communication technologies have brought about a revolution in mobile communications. Mobile phones have now turned into powerful computing devices capable of replacing mainframe computers in typical business environments. Modern mobile devices are equipped with powerful hardware components. They are capable of performing tasks that require massive computing power. Given that mobile phones and other mobile computing devices have penetrated exponentially into people's daily lives, governments and businesses are becoming more mobile friendly in their digital services (Shovon, Roy, Sharma, & Whaiduzzaman, 2018). In response to the need for mobile-friendly digital infrastructure in government institutions, a regulation was enforced in 2017 by the federal government of the United States. The regulation, known as the Connected Government Act, provides initial guidelines for federal and state government agencies to make their websites mobile friendly. They are also required to provide the general public with mobile applications of corresponding digital government services.

As a result of the Connected Government Act of 2017, government agencies are making their digital infrastructure more mobile friendly by developing useful mobile applications. Mobile applications provide similar functionality in an intuitive user interface that gives end users a better experience. To reduce the gap between the public and their elected representatives, many government institutions have already published their mobile applications (Sharma, Al-Badi, Rana, & Al-Azizi, 2018). Depending on the functionality provided by these mobile applications, there is no need for an individual to visit the physical office of the agency. All of the services can be accessed through the designated application of the particular department. One such application, developed by the federal government, is known as MyTSA. The application provides useful information about the things that can be included in air travel luggage. People can find out whether their favorite items can be taken to the airport or not. The user interface of the application is shown in the following figure.

To educate people about food safety an amazing application has been developed by the Department of Agriculture known as Ask Karen. The application provides information such as how to check if certain fruits or vegetables are fresh or not. A huge collection of such questions can be answered by the application without any issues. The user interface of the application is shown in the following figure.

Many other useful applications are made available to the public by the government. For example, the “Find a Health Center” app gives people an intuitive way of finding nearby health centers actively funded by the federal government. The FEMA application not only trains citizens for emergency conditions; citizens who are already affected can also register for help from designated government agencies. The paradigm shift of moving more and more information to mobile applications and other mobile-friendly information resources will continue in the future as well. Mobile applications that are linked to the information technology infrastructure of the government usually process personally identifiable information of the users (Matthews, Uzairue, Noma-Osaghae, Enefiok, & Ogukah, 2018). Personally identifiable information collected by such applications may include names, physical addresses, sexual orientation, and social security numbers, etc. The processing of sensitive information and the connections to critical government infrastructure have made mobile applications a potential target of cyber-criminals. Any possible breach of personal data collected by such applications can bring severe consequences and public reaction for the government. Therefore, it is the sole responsibility of the government to make the mobile application ecosystem secure in order to provide useful services to the public. The federal government has already issued guidelines for mobile application developers to create secure applications that can be used with critical information infrastructure.

Government’s Requirements for Mobile Applications Security:

Mobile applications intended to be used in the critical information technology infrastructure of the government must be developed with security in mind. The federal government issued comprehensive guidelines for security engineers to ensure that mobile applications for government services are secure enough to be trusted with personal and critical information. Testing an application in real-world environments is a key task in mobile application development. As per the government-approved regulations, any application must undergo rigorous testing, both in laboratories and in a limited general population, before its general public release. Security experts may use authorized penetration testing tools to verify the security code implementation in the application. Cybercriminals use available security holes in applications as an attack vector. Security testing of the applications can ensure that there are no known security holes in the application. Any programmer rushing towards publication of the application without appropriate testing may invite a disaster for the critical infrastructure of government agencies. Typical testing requirements are shown in the figure below.

It may not be feasible for some critical applications to perform beta testing with limited public exposure of the application. However, to overcome such problems in application development, pre-examined and approved software development kits can be used by government agencies as a baseline development method for their applications (Stickle, Moses, & Holland, 2019). The use of approved development kits will reduce the risk of security loopholes in application algorithms that could otherwise slip through the testing procedure. Government regulations require mobile application developers to model threats for the intended application usage as accurately as possible following the testing cycle. Most applications require the integration of APIs to connect with backend government infrastructure. The integration must be tested and firmly deployed without any known security holes in the integration of the APIs. Potential security loopholes can be exploited by criminals to damage the reputation and information technology infrastructure of government institutions (Williams, Levi, Burnap, & Gundur, 2018).

Industry’s Requirements for Mobile Applications Security:

Like government agencies, private business entities are also developing mobile applications. Software engineers working in the industry are well aware of possible security threats to mobile applications. To make the mobile ecosystem more secure for end users, industry experts have outlined secure practices for mobile application development as well. The OWASP project is a well-known industry project intended to help mobile application developers with security standards and requirements (Goldsmith et al., 2018). OWASP and the European Network and Information Security Agency have collaborated and outlined ten essential controls for secure mobile application development. The following figure shows the essential controls required by the industry in mobile application development.

As the threat landscape for mobile applications is constantly evolving, the industry requires mobile applications to be compliant with the CIA triad. The CIA triad means ensuring the confidentiality, integrity, and availability of data, either at rest or in transit. Mobile applications must use sophisticated encryption algorithms such as the advanced encryption standard (AES-256-bits) encryption mechanism to comply with the CIA triad. Many applications send data to and communicate with a server maintained either by the developer itself or by a third party (Kartikadarma, Listyorini, & Rahim, 2018). Server and backend connectivity in mobile applications is often governed by integrating various APIs into the application. Before implementing a particular API, it is the responsibility of the developers to check for security measures on the server side as well. Cybercriminals can exploit poor API integrations for distributed denial of service attacks. In a distributed denial of service attack, attackers use a network of infected devices, known as a network of bots, to create fake traffic targeted at a particular computer. The fake traffic generated by the botnet blocks the access of legitimate users to the service due to congestion on the communication link. Developed applications must have inbuilt security mechanisms to render such cyber-attacks useless.

Recommendations:

Most of the time, mobile applications transmit sensitive information over wireless networks, which poses serious risks to the privacy and security of that information. Encryption algorithms must be used to encrypt sensitive information before transmitting it over insecure wireless channels such as WiFi networks. Most modern mobile devices include a hardware chip known as a trusted platform module that is used to generate and store critical cryptographic keys. Because any encryption system is only as secure as the keys associated with the encryption algorithm, mobile applications must be compatible with the trusted platform module. In the earlier days of the internet, a stream cipher known as Rivest Cipher 4 was the most common encryption algorithm. However, severe security flaws have been discovered in the algorithm by the RC4NoMore project (Huq, 2015). It must not be used in mobile applications connecting to government services. The algorithm is considered to be flawed in all conditions because it repeats the same key of encryption after every five thousand IP packets. The algorithm can be cracked in just four hours by analyzing sniffed packets from wireless networks. More sophisticated and modern algorithms must be used in application development, as industry standards also require.
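The recommendation to keep RC4 out of applications that connect to government services can be checked mechanically. The following Python sketch is an added example, not part of the original essay; the sample suite list and the weak-token policy table are constructed for illustration.

```python
import re
import ssl

# Tokens that mark a cipher suite as unacceptable. The policy table is an
# assumption of this example; RC4 suites are prohibited in TLS by RFC 7465.
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "DES": "DES/3DES block cipher",
    "3DES": "DES/3DES block cipher",
    "CBC3": "DES/3DES block cipher",
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "EXPORT": "export-grade key length",
    "MD5": "MD5-based MAC",
}

# Constructed sample: suites a hypothetical mobile backend is configured to
# accept, in both IANA (TLS_..._WITH_...) and OpenSSL (dash-separated) spelling.
SAMPLE_APP_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_RC4_128_SHA",
    "ECDHE-RSA-RC4-SHA",
    "RC4-MD5",
    "DES-CBC3-SHA",
]


def audit_cipher_suites(names):
    """Return {suite_name: [reasons]} for every suite containing a weak token."""
    findings = {}
    for name in names:
        # Split on '_' and '-' so that 'AES' is never mistaken for 'DES'.
        tokens = set(re.split(r"[_-]", name.upper()))
        reasons = sorted({WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS})
        if reasons:
            findings[name] = reasons
    return findings


def hardened_client_context():
    """Build a TLS client context that offers only AEAD suites over TLS 1.2+."""
    # PROTOCOL_TLS_CLIENT turns on certificate and hostname verification.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!3DES:!MD5")
    return ctx


def offered_suites(ctx):
    """List the names of the cipher suites the context would offer."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for suite, reasons in audit_cipher_suites(SAMPLE_APP_SUITES).items():
        print(f"REJECT {suite}: {', '.join(reasons)}")
    leftover = audit_cipher_suites(offered_suites(hardened_client_context()))
    print("weak suites in hardened context:", leftover or "none")
```

The same audit function can be run over the suite list exported from a server or load balancer configuration before an application is released.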

Summary:

Mobile devices have changed the way people perform everyday tasks. Today's population relies on mobile devices for everything from shopping to driving their cars. In response to this shift in the computing paradigm, governments across the globe decided to go digital as well (Tripoli & Schmidhuber, 2018). Various government services are being offered through mobile applications developed by government agencies. Such mobile applications provide people with flexibility and ease of use (Yan, 2018). Mobile applications developed by government agencies often process sensitive information. Therefore, secure programming and design guidelines must be followed by application developers to ensure the security and privacy of sensitive data. Experts in the private mobile application industry have also prepared guidelines for developers to create secure applications. Encryption algorithms and secure key management must be used in mobile applications to make the mobile ecosystem more secure.

References

Goldsmith, M. A., Papo, A., Lombardi, R. J., Mulaosmanovic, J., Almalki, N., McBride, B. E., & Rabinovitch, P. M. (2018). Mobile communications device providing heuristic security authentication features and related methods. Google Patents.

Huq, N. (2015). Follow the data: Analyzing breaches by industry. TrendLabs Research Paper.

Kartikadarma, E., Listyorini, T., & Rahim, R. (2018). An Android mobile RC4 simulation for education. World Trans. Eng. Technol. Educ, 16(1), 75–79.

Matthews, V. O., Uzairue, S. I., Noma-Osaghae, E., Enefiok, M. K., & Ogukah, P. J. (2018). Implementation of a Community Emergency Security Alert System. Implementation of a Community Emergency Security Alert System, 3(6), 475–483.

Sharma, S. K., Al-Badi, A., Rana, N. P., & Al-Azizi, L. (2018). Mobile applications in government services (mG-App) from user’s perspectives: A predictive modelling approach. Government Information Quarterly, 35(4), 557–568.

Shovon, A. R., Roy, S., Sharma, T., & Whaiduzzaman, M. (2018). A restful e-governance application framework for people identity verification in cloud. International Conference on Cloud Computing, 281–294. Springer.

Stickle, T. C., Moses, C. J., & Holland, R. C. (2019). Computer security threat correlation. Google Patents.

Tripoli, M., & Schmidhuber, J. (2018). Emerging Opportunities for the Application of Blockchain in the Agri-food Industry. FAO and ICTSD: Rome and Geneva. Licence: CC BY-NC-SA, 3.

Williams, M. L., Levi, M., Burnap, P., & Gundur, R. V. (2018). Under the corporate radar: Examining insider business cybercrime victimization through an application of routine activities theory. Deviant Behavior, 1–13.

Yan, Z. (2018). Big data and government governance. 2018 International Conference on Information Management and Processing (ICIMP), 111–114. IEEE.

Subject: IT

Pages: 7 Words: 2100

CSIA 360 Project 4 Solving The Cybersecurity Workforce Crisis

Solving the Cybersecurity Workforce Crisis

Malintha Liyanage

Introduction:

Information technologies play a central role in all aspects of modern life. Information and communication technologies are being used by state departments as well as private organizations and businesses. State departments utilize information and communication technologies to process personally identifiable information of citizens, such as names, physical addresses, social security numbers, and passport information. Processing personal information in such systems makes them a potential target of cyber-criminals. Headlines are filled with news of successful targeted attacks on both public and private sector organizations. Cyber-criminals are always developing sophisticated attacks to bypass the existing security architecture of public sector organizations as well as leading state departments (Assante & Tobey, 2011). During the last decade, various state departments suffered sophisticated cyber-attacks; for example, the website of Oregon's state department of employment was breached. In another breach, hackers were able to breach millions of social security numbers from the state revenue department of Carolina. These events and many similar attacks on state departments emphasize the need for a robust cyber security architecture for state departments.

Cybersecurity is the most important requirement of any state department in the modern world dominated by information and communication technologies. To build a strong security architecture that can combat sophisticated cyber-attacks on the critical information systems of state departments, a comprehensive cyber security workforce is required, such as malware analysts, network security experts, and ethical hackers. On the other hand, the situation of cyber security experts in state departments is not satisfactory for combating the sophisticated attack weapons of modern cyber-criminals (Evans & Reeder, 2010). State departments suffer from various issues and challenges in hiring and retaining top cyber security professionals for the protection of the critical information assets of the nation. The paper discusses the challenges faced by the state governments and provides best practice recommendations to make information technology infrastructure more secure.

Difficulties Faced by State Governments:

State departments and governments deal with the personal information of citizens using information technology systems. Having extensive amounts of valuable data in these systems makes them a potential target of cybercriminals. These systems range from storing and processing health information by public health facilities to keeping records of criminal activities by the state police. Protecting such systems means meeting the basic security goals of confidentiality, integrity, availability, and non-repudiation of the data. To meet these goals, state governments require an extensive workforce specializing in cyber security, which is currently lacking for various reasons (Fraley & Cannady, 2017). One of the most important reasons behind the lack of a cyber security workforce in state departments is the lack of attractive salaries and pay grades. These are among the biggest challenges faced by the state departments in hiring and retaining the talent required for the protection of critical infrastructure.

Private sector organizations have taken more serious approaches toward cyber security. Most of the developments made in cyber security are by private sector organizations. They have invested heavily in infrastructure development and in hiring top talent directly from educational institutions. They offer more attractive salaries than any of the state departments, resulting in high turnover rates for the state departments. Another potential challenge is that whenever a state hires a professional, massive investments are made to train them up to the industry standard. After getting the requisite training and experience from public sector organizations, the skilled persons are then recruited by private sector organizations offering better salaries. Eighty-six per cent of the states reported that they faced difficulties in hiring cyber security professionals for various vacant positions in state departments (Vogel, 2016). It was not so difficult a few years ago. As targeted attacks on large-scale organizations have increased exponentially, cyber security professionals are in high demand, which has increased their value to both the private and public sectors.

Moreover, by employing top talent in the industry, the private sector has developed more secure systems than those owned by the state departments. The obvious result is that state departments have to rely on private sector organizations in order to protect the critical information assets of the nation. The private sector has made marvelous achievements in halting cyber-attacks as compared to state departments. They have incorporated big data analytics along with machine learning capabilities to fight against sophisticated attacks. Their processes and algorithms are mature enough, or are improving continuously at such a pace, that many vendors claim their solutions can protect against never-before-seen attacks (Newhouse, Keith, Scribner, & Witte, 2017). However, this may not be the case, as a recent wave of ransomware attacks in both the private and public sectors caused a catastrophe. None of the available cyber security vendors was able to stop the attacks in the first place. The lack of research facilities and modern algorithms in state departments poses a challenge in hiring and retaining cyber security talent as compared with the private sector.

Non-Cybersecurity Reasons behind the Workforce Crisis:

A plethora of technical issues contributes to the workforce crisis in the cyber domain, along with many non-cyber security reasons, such as the salaries offered by the state departments. Most of the state departments have budgetary issues in offering attractive salaries as compared to private sector organizations. The situation is not the result of a sudden increase in cyber-attacks on state departments. It is present due to a long-term lack of attention on the part of many state departments. It has been reported by ex-managers or project managers that it was difficult to convince governments to invest in a secondary system to protect an existing system when there were no obvious benefits to such investment (Jethwani, Memon, Seo, & Richer, 2017). This lack of attention has resulted in the current situation, where it is becoming more and more difficult for state departments to hire and retain cyber security professionals.

Moreover, state departments are still not willing to invest in training young people for the required processes. They look for candidates who already have the requisite skills when they apply for vacant positions in various departments. Private sector organizations, on the other hand, took a completely opposite approach. They selected fresh graduates and trained them to the required level of skill in cyber security. The reason behind this situation is again the budgetary issues. It is not possible for state departments to fund such training, and most of the departments do not have the training facilities either. All these issues combined have resulted in a more vulnerable information technology infrastructure in the state departments. It can be improved with public-private partnerships to make the information technology ecosystem more secure for the nation.

Recommendations:

There are several recommendations for state governments that can help them compete with the private sector in hiring and retaining cyber security talent without competing in terms of salaries. State governments must promote and articulate a culture of flexibility as practiced by private organizations. Flexibility in working hours and remote work locations will help state governments to retain talent. They have to consider cyber security as an industry side problem and formulate strategies to overcome the problem. The latest developments in cyber security, such as deep learning neural networks that find malicious patterns in network traffic, have made it an industry side technology problem (Newhouse et al., 2017). Training programs can be arranged in partnership with private organizations to equip fresh graduates with the required skills. Policies in state departments that restrict the hiring of candidates lacking formal education must be revised for the cyber security domain, as it is not necessary for an ethical hacker to have a graduate degree as well. Even without a formal graduate degree, an ethical hacker with concrete skills will prove to be an essential asset for state departments. Such a person will help state departments to discover vulnerabilities in existing systems and will help in designing a cure as well. The gap in the workforce for cyber security related positions in state departments can be filled by making the hiring process and working conditions more flexible.

Summary:

Cyber security professionals are in great demand compared to any other skill. This is due to the exponential growth in the number of sophisticated cyber-attacks on information technology systems in both the public sector and the private sector. State governments are facing difficulties in hiring and retaining top talent in cyber security to protect the critical information systems of the nation. However, the problem can be solved without competing on salaries by making the working conditions flexible. Perks introduced by the state governments, such as training and flexible work location benefits along with a career advancement structure, will help solve the workforce crisis they are experiencing at present.

References

Assante, M. J., & Tobey, D. H. (2011). Enhancing the cybersecurity workforce. IT Professional, 13(1), 12–15.

Evans, K., & Reeder, F. (2010). A human capital crisis in cybersecurity: Technical proficiency matters. CSIS.

Fraley, J. B., & Cannady, J. (2017). The promise of machine learning in cybersecurity. In SoutheastCon 2017 (pp. 1–6). IEEE.

Jethwani, M. M., Memon, N., Seo, W., & Richer, A. (2017). “I Can Actually Be a Super Sleuth” Promising Practices for Engaging Adolescent Girls in Cybersecurity Education. Journal of Educational Computing Research, 55(1), 3–25.

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National initiative for cybersecurity education (NICE) cybersecurity workforce framework. NIST Special Publication, 800, 181.

Vogel, R. (2016). Closing the cybersecurity skills gap. Salus Journal, 4(2), 32.

Subject: IT

Pages: 5 Words: 1500

CSIA 360 Project 5 Comp-Contr 2 State Govt IT Security Policies

Project 5: Compare / Contrast Two state Government IT Security Policies

Malintha Liyanage

Introduction:

Information technology plays the role of a utility not only in the private sector but in all state departments as well. It is hard to imagine a single department without applications of information technology. Most processes are now digital, whether related to management or policies. Increased reliance on information technologies has brought many new challenges along with the usability benefits of these technologies. Most information technology systems are being used to handle data sets that can be used to identify individuals. Such data sets are also known as personally identifiable information. It is the information that can be used to identify any biological subject. State departments rely on personally identifiable information for proper functioning (Collins, 2016). Earlier, the records were maintained in paper-based registers. Now a massive amount of data is stored in digital systems. Previous paper-based records are being transformed into digital records.

Increased digitalization of personally identifiable information by state governments has made their systems a potential target of cybercriminals. Headlines are filled with news of successful data breaches at organizations. The data stored in information technology systems is considered the most critical asset. Therefore, the protection of the critical assets of the state is the responsibility of the State Government. Most of the state departments have designated cybersecurity policies and defined frameworks to protect critical assets. Each department may have a different set of rules and policies based on the nature of the information systems it uses. Information security policies define the role of institutes and organizations, and the software and hardware requirements, to secure the processing and transfer of information over a network. Data stored in the systems of a state department is the critical asset to be protected from a wide variety of attacks; all of the state governments have information technology security policies. The paper evaluates the information technology security policies of Florida-Agency for State Technology and Michigan State Police for their strengths and weaknesses.

Similarities in IT Security Policies:

The Florida-Agency for State Technology is an agency of the State Government of Florida tasked with the protection of the information of Floridians. It describes the rules and policies for the information technology systems of the State departments. Headed by the chief information officer of the state, the agency was established in 2014. The agency provides the departments with guidelines and frameworks to protect critical information assets against cyber-attacks. After the government's initiative to provide access to open data, the chief information officer issued a security policy standardizing the use of open data (Layton, 2016). Open data is the database of statistics and State-owned information that is provided for research and development purposes. It provides a one-stop solution for researchers to collect large sets of data from the government, which helps them in formulating their research.

However, while access to open data will increase the interoperability of State agencies, it may have potential issues as well. It will be the responsibility of the State government to protect the confidentiality, integrity, and availability of the data. Confidentiality of the data requires that access to the data be authorized. In other words, the data will be provided to requesting parties only. The integrity of the data requires the data to be protected against malicious manipulation. Availability requires the data to be available to concerned parties whenever requested. The agency has provided a framework that ensures these primary goals of information security. The data will be segregated for different parties, e.g. public and private organizations. Not all of the parties or departments will have similar access to the data sets made available under the open data initiative.

Michigan State Police have a similar information security policy protecting the confidentiality, integrity, and availability of the data. The department stores and processes personally identifiable information for criminal investigations and digital forensic analysis purposes. The information security policy of the department provides a framework in which limited access can be provided to authorized parties only, such as a forensic investigator. Both policies are similar in the aspects of data segregation. Not all types of data are available to all officials; for example, the records of computer crime units cannot be accessed by investigators of street crimes. However, special access can be granted to officials based on state laws to help in criminal investigations (Shropshire, Warkentin, & Sharma, 2015). Moreover, data is protected using sophisticated encryption algorithms to protect the confidentiality of the data. It is mandatory to make the data storage equipment secure enough to prevent targeted attacks by hackers trying to gain access to the databases. Data protection is strictly compliant with the policies of Michigan State. Both States have the mentioned similarities in their information technology security policies.

Unique Aspects of Florida-Agency for State Technology IT Security Policy:

There are many unique aspects of the open data security policy issued by the state agency. According to the framework, public agencies and departments can access open data by following legal restrictions. For private sector organizations, the data will be provided in machine-readable format only. It is mandatory to protect the confidentiality and integrity of the data, as only authorized persons will be able to manipulate machine-readable data. It will not be possible for malicious actors to understand the contents of the data sets. Information regarding the data sets will be provided and well documented for all the parties. However, high-level details of the metadata associated with the data sets will not be disclosed, because they may provide malicious actors with enough information to compromise the system. The documentation will provide general information such as the limitations of the data sets and the purpose for which the data was collected. This information will not be harmful to the system, as it is not related to the underlying data processing system (White, Fisch, & Pooch, 2017). Data sets will be updated as new data becomes available, to increase and maintain the value of the data for research and development teams. These are the unique aspects of the information technology policy issued by the State governmental agency to protect the open data initiative.

Unique Aspects of Michigan State Police IT Security Policy:

As the department relies on extensive information processing systems, the security policies implemented by the department are enough to achieve the basic security goals of confidentiality, integrity, and availability. The security policy requires the department to use the Advanced Encryption Standard with a 256-bit encryption algorithm. An asymmetric encryption model relying on public key infrastructure ensures the integrity and confidentiality of the data owned by the state police. It also protects the data against duplication. The databases are all encrypted, and the storage encryption application will keep the data secure even if the system is breached by hackers (Trautman, 2015), as they will not be able to extract the data as long as the encryption keys are kept secret. Breaking the encryption keys of the Advanced Encryption Standard requires a massive amount of computing resources, which is theoretically impossible. Therefore, the security policy enforced is mature enough to protect the records and databases critical to the safety of citizens for a long period of time.

Better IT Security Policy:

Based on the evaluation of the security policies of both state departments, the security policy enforced by the Florida-Agency for State Technology can be considered better than the security policy of Michigan State Police. The data segregation requirements imposed by the Florida-Agency for State Technology are more comprehensive than those of the State Police of Michigan. The policy requires the data to be provided to private parties in a machine-readable format, potentially protecting it against man-in-the-middle attacks and eavesdropping if it is transmitted over wireless channels. State-owned departments will have access to the human-readable format as well, as they will be protected by strict policies and data protection equipment. The problem is the access granted to private parties, and that is covered by changing the format of the data, rendering hacking attacks useless against the system. Security policies of other states lack this requirement, which is why it is better as compared to other nation states.

Conclusion:

Data, which includes the personally identifiable information of citizens, is the most critical asset owned by the states. Any compromise of the information technology systems of a particular state may result in irreparable damage to the overall infrastructure of the government. Given the exponential penetration of information technologies in State operations and the critical nature of the data stored in these systems, it is essential for all the nation states to have a comprehensive information technology security policy to protect the critical assets of the nation. As discussed in the paper, some states have stronger information security policies and some have slightly weaker ones. However, each state must have an information technology security policy enforced for the proper functioning of the departments.

References

Collins, A. (2016). Contemporary security studies. Oxford University Press.

Layton, T. P. (2016). Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.

Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers & Security, 49, 177–191.

Trautman, L. J. (2015). Cybersecurity: What about US policy. U. Ill. JL Tech. & Pol’y, 341.

White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC press.

Subject: IT

Pages: 5 Words: 1500

CSIA 485 Project 1 - Cybersecurity Strategy And Plan Of Action

Cybersecurity Strategy and Plan of Action

Introduction

Cybersecurity is one of the basic requirements of an organization, and no company or business is safe and secure these days without meeting modern cybersecurity requirements. The growing number of cyber-attacks and data breaches has raised a significant threat at the organizational level, as the most important asset of an organization is its data. Data has the potential to affect company finances directly or indirectly, depending on its security or vulnerability. To ensure the security of data and safe procedures for financial transactions, an effective and robust cybersecurity policy or strategy based on a complete plan of action is required. For the same purposes, a cybersecurity policy is required for the new acquisition (PBI-FS), which is the acquisition of Island Banking Service by Padgett-Beale. Island Banking Service was forced to terminate its operations because of money laundering charges against the service, and all its financial transactions, records, and software and hardware infrastructure were sealed by the bankruptcy courts. Padgett-Beale has decided to purchase these assets, which include dedicated software systems for financial transaction processing, licensing operating systems for servers and database software for workstations. Padgett-Beale has successfully negotiated with the criminal and bankruptcy courts for provisions to resume the services. Island Banking Service lacked a competitive and effective strategy for cybersecurity assessment and planning, so a new strategy and plan of action is required from scratch. Padgett-Beale's Merger and Accountability team is responsible for this task and is working under the direct supervision and instructions of the Chief Information Security Officer of Padgett-Beale. This document provides a cybersecurity plan of action for the M&A team for the acquisition (PBI-FS) by performing a gap analysis, a requirements analysis covering legal and regulatory aspects, and a complete overview of the risk analysis. The plan of action or cybersecurity strategy is developed in accordance with the decision to operate this new acquisition as a separate but fully owned subsidiary of Padgett-Beale, and the acquisition plan is also amended accordingly.

Gap Analysis

An effective cybersecurity gap analysis is essential, as it provides details about the limitations and vulnerabilities that are responsible for lack of progress or security issues. In this case we will analyze the gaps from 2 perspectives: first, the issues and problems that were identified in Island Banking Services and resulted in its bankruptcy, and second, the expected loopholes or gaps in the new acquisition (PBI-FS) based on its new journey with Padgett-Beale.

Employees of Island Banking Services were involved in several criminal activities, as identified in the report. Managers and company officers carried out illegal and criminal activities using the IT assets of the company without being detected. This identifies a gap with respect to Audit and Accountability (AU) and Access Control (AC). Audit and accountability incorporates several controls that help develop the audit capacity of the enterprise and specify what kinds of assets and domains are to be audited. The resulting reports are used to assist in investigations, show compliance and ensure that all the respective security controls are implemented and working properly.

It was found that after termination of the operation by law enforcement agencies, Island Banking Service had no business continuity plan or disaster recovery option in place. Due to the loss of workstations and servers, operations could not be resumed. This gap shows a lack of contingency planning. Controls from the contingency planning family must be applied so that the frameworks and systems can be brought back into operation after a termination caused by a power outage, theft, physical damage, natural disaster or any related issue.

Another issue found in the gap analysis was the lack of backup infrastructure at an off-premises location, which made it impossible for the company to recover data and important information when operations were seized by law enforcement agents.

PBI-FS is shifting to a new place in the same town, 10 miles away from the previous location of Island Banking Service. The new acquisition requires hiring 10 residents of the island and also 2 supervisors for the call center, which is being opened on property owned by Padgett-Beale. The gap analysis of the acquisition has also identified issues related to intercultural communication differences. A survey focused on the relationship between communication context and differences of culture and region. The survey found that the communication culture of Padgett-Beale was low context, while new applicants for jobs at PBI-FS were expecting a high-context communication culture. The applicants were also expecting high power distance in the new company/acquisition PBI-FS, while power distance was medium in Padgett-Beale.

Another issue found in gap analysis during the survey was lack of system life cycle for privacy and security. For this purpose a Risk management framework is required which must include a comparatively flexible process for valuation of organizational assets, a disciplined structure, assessment, authorizations and implementation.

Risk management is also one of the important requirements of a company's cybersecurity. Island Banking Service lacked an effective system for managing risk related to the organization, the information system view and the overall mission of the business. Well-directed guidance is required for an integrated, organization-wide program for managing information security risk to organizational operations.

Another issue/risk found in the gap analysis of PBI-FS is the lack of a code of practice regarding important cybersecurity controls. Effective guidelines are required for these controls, especially for cloud services.

Legal and Regulatory requirements

Laws and regulations are major drivers in making organizational policies, procedures and standards. Cybersecurity standards are also an important factor to consider before adopting any policy. The responsibilities of a company’s CEO include ensuring compliance and compatibility of operations and services with these regulations. PBI-FS is also based on these regulations and standards, and it is the responsibility of the M&A team to understand these requirements and update the CISO about the implementation of these standards and regulations. PBI-FS is organized to follow NIST cybersecurity standards strictly to avoid exposure to illegal or crime-related activity or attack. These standards provide a framework to help companies and organizations build their information security programs on principles defined by a trusted community of cybersecurity leaders. Basically, these standards are created and put in place by third-party organizations. A security policy is important to specifically address the extent of everyone’s stake in information security in an organization. A policy also discusses and determines the privacy and confidentiality of information, its availability and integrity, the implementation of security measures, the classification of information, and the balance between risk exposure and the cost of risk mitigation. These policies and regulations are important to follow because companies deal entirely with the internet and online business and are vulnerable to different types of scams and cyber threats. Concerns exist on both ends, but for smooth operation and secure online business and transactions, compliance with rules and regulations is very important.
An important point in this regard is that there is no federal law or regulation that everyone is obliged to follow, but there are standards which everyone is recommended to follow for safe and reliable transactions. One of the cybersecurity rules has importance at the federal level, as it is associated with CUI (Controlled Unclassified Information), generally from federal entities, that is mainly handled by contractors. It covers documents containing proprietary material, information about legal procedures and health-related content.

It is the job of the M&A team of PBI-FS to ensure the implementation of cybersecurity standards and regulations based on specific requirements. Unlike other domains, the cybersecurity of a company has to comply with more than one regulation or set of standards. The best approach is to identify and outline all the regulations that may primarily affect the company and then determine which security controls need to be considered and implemented to get the desired results. Some of the important frameworks that we are going to adopt for compliance requirements in PBI-FS are given below.

The NIST framework is the most popular, and we are going to implement and use it more than that of any other regulatory entity. NIST is the acronym of the National Institute of Standards and Technology, and the framework was created to provide a customizable guide on how to reduce and manage cybersecurity risks by combining best practices, guidelines and standards. It helps foster communication between external and internal stakeholders by developing a common language of risk between different organizations. We will implement several NIST standards and guidelines in PBI-FS to mitigate the risks and solve the issues identified in the gap analysis above. NIST is a voluntary framework, and any organization or company can opt to implement it in order to minimize overall risk.

Another very important standard to consider for PBI-FS security is PCI-DSS. Island Banking Service experienced discrepancies in online financial transactions and in its use of modern methods of transferring funds, and this aspect has also been identified in the gap analysis. This cost the previous business significantly in terms of money, security and reliability. PCI-DSS is the solution to this problem and is going to be implemented in PBI-FS services. It is the acronym of Payment Card Industry Data Security Standard, a set of regulations designed and put in place to reduce fraud and secure the credit information of customers and clients.

COBIT is another framework to be implemented in the PBI-FS cybersecurity strategy and included in the plan of action. It is the acronym of Control Objectives for Information and Related Technologies, and the framework was introduced to help organizations manage IT governance by linking the goals of IT and business together. The areas it covers are assurance and audit compliance, risk and security management, and IT operations governance.

These are some of the Legal and regulatory requirements and related standards and frameworks which are going to be implemented in order to ensure effective compliance management and adding security and reliability in operation.

Risk analysis and Risk Register


Subject: IT

Pages: 12 Words: 3600

CSIA 485 Project 2 - Implementation Plan

Implementation Plan


Contents

Business context

Introduction

Goals and Objectives

Scope

Assumptions

Constraints

Project Management Plan

Strategy Implementation

System Development Life Cycle

Enterprise IT Architecture

References

Business context

The implementation plan presented in this document is about the financial services company PBI-FS. PBI-FS is the acquisition of Island Banking Services by Padgett-Beale, a multinational organization with an extended business in different countries of the world. Island Banking Services was previously a reputable financial services organization with clients in different parts of the United States and the world, a call center and a lot of financial resources. The banking service started suffering frequent business losses and facing legal charges, to the point that its reputation and operational success declined. Island Banking Service was charged by regulatory authorities for not complying with standard principles and regulations. The service was forced by regulatory authorities to terminate all its operations due to charges of money laundering and other activities that come under financial crimes or misconduct. Not only were the operations terminated, but all the resources, including software and hardware infrastructure, financial records, and financial transactions, were sealed by the Bankruptcy Court after proper hearings of the case. Padgett-Beale decided to acquire the financial services by successfully convincing the regulatory bodies and bankruptcy courts to let the service resume from the beginning in the form of PBI-FS. After getting permission from the regulatory authorities and obtaining some of the resources of the previous business, Padgett-Beale is now looking to implement a state-of-the-art cybersecurity plan of action to avoid the situations faced by Island Banking Service. In the previous project, an extensive plan of action and strategy was presented to the Merger & Acquisition team of the business, which is working under the supervision of the CISO of Padgett-Beale.
As the process of acquisition is moving from the stage of developing a strategy to the implementation, a thorough and effective plan for implementation of the cybersecurity strategy is going to be presented to the M&A team.

Introduction

The financial services industry is at constant risk of cyber-attacks and data breaches, as shown by the frequent incidents of the past few decades. These incidents have raised a significant threat for organizations dealing with financial services and urged them to adopt effective techniques of data security and privacy. An effective cybersecurity plan of action is key to the success of any organization, and its proper implementation is even more important. The implementation plan covers its objectives and goals, scope, constraints and assumptions, an exclusive project management plan and a model for strategy implementation. In the end, the project implementation plan will also cover the schematic representation of IT infrastructure and security controls required as a comprehensive model of implementation for PBI-FS.

Goals and Objectives

In many organizations, there are some specific goals and objectives that are defined based on the nature of the business. PBI-FS is a company related to banking and financial services, so the business strategy and the implementation plan are designed to fulfill the business requirements for achieving those specific goals. PBI-FS has three significant business goals which are considered while developing the implementation strategy: marketing, sales, and IT systems. The main objective of marketing is to increase the number of sales and, in the case of PBI-FS, customers. This requires an inbound marketing strategy to be included in the plan of action, which may include the incorporation of marketing automation tools and a new CRM. These steps will help the business target a greater number of customers by using customer tracking tools and enabling targeted email campaigns. The second business goal is sales, where the sales team needs to speed up the process of taking orders while attracting more and more customers. They may need an app developed by the developer team which can be integrated with the marketing automation tool or CRM to achieve the goal (Cybersecurity objectives, 2017). The third business goal of a financial services organization is IT systems. A significant increase in the storage capacity and operating capabilities of the systems is central to supporting growth and development. For this purpose, the IT department can come up with new tools and software programs based on the specific requirements of the business. For further improvement, cloud migration is one of the options that can be considered to move all the key systems and software applications to the cloud. These are the business goals or objectives of PBI-FS and must be considered while developing the implementation plan for the company.

As far as project goals are concerned, there are three main goals under consideration while making the implementation plan. These goals are the security of the financial assets of the organization and customers’ data, secure IT infrastructure, and compliance management. The first goal is clear, as securing resources is essential for a successful business and smooth operations throughout. The second goal is associated with the implementation of cybersecurity techniques and protocols to minimize vulnerabilities, which are discussed in detail in Project 1 (the plan of action). The third goal is compliance management, which is also discussed in detail in the first project. The importance of compliance management can be understood from the example of Island Banking Services, which could not manage compliance with the regulatory requirements of the business, ultimately resulting in the termination of operations and the sealing of resources by the Bankruptcy Court. The goals for project implementation are in accordance with the cybersecurity strategic plan that was presented to the M&A team, and proper implementation is now the next step.

Scope

Before the implementation of the cybersecurity plan of action, it is important to define the scope. The scope determines the areas that a particular project covers and that fall under its domain. In the implementation plan, the detailed plan of action, i.e. Project 1, will be considered for defining the scope of the project. The scope of the project is organizing the strategic plan using the system life cycle process model so that the project is executed effectively and systematically. The process will be implemented by considering compliance management, the risk assessment done in the previous project by assessing the risk register, and the implementation of all the necessary controls analyzed and discussed for protecting the financial services of PBI-FS and its IT infrastructure (software and hardware).

The implementation of the strategic plan of action is the responsibility of the M&A team, which comes under the supervision of the CISO of Padgett-Beale. This means that issues and matters that lie outside the CISO’s control are also out of the scope of this project. As an example, issues pertaining to finance/funding requirements are out of the scope of this project, as they come under the domain of the CFO (Chief Financial Officer).

Assumptions

In developing strategies and implementation plans, it is always important to have assumptions regarding the effectiveness of the program. CISOs make these assumptions in order to cross-check their implementation and recommendations by looking into the matter from a critical point of view. Assumptions in the implementation of the network security infrastructure can vary immensely especially when we are dealing with organizations in the banking sector. Since the market continues to vary in size and types of services being provided, the controls that are being implemented also continue to change with the passage of time. The assumptions that we should keep in mind while implementing this infrastructure plan are detailed as follows:

Processes such as international transactions are already happening inside the organization and the basic infrastructure already exists.

Networks exist in the organization working on the approved networking protocols.

The organization has mechanisms to forego international transactions with companies and individuals who have accounts in other accounts or countries.

The organization is willing to implement financial security protocols to stop corruption and other fraudulent activities from taking place (Tytarenko, 2017).

The organization has a good record with the authorities in terms of audits with law enforcement agencies.

The organization is willing to let the Information security professionals implement the controls.

Constraints

Every project faces some considerable constraints which are difficult to avoid. In project planning, before the implementation, it is important to consider these constraints so that the project’s scope can be defined more exclusively to make the tasks easier and more predictable. The financial services provided by Padgett-Beale also have some constraints, which are listed below.

The operation is primarily restricted to the local and national levels despite the fact that Padgett-Beale is a multinational level company.

The company was started from scratch as it was banned by bankruptcy courts which means that it does not possess self-generated revenue.

The company is only restricted to financial services so a focus on only one domain will be required exclusively.

The newly hired employees from the Island are not experienced enough to be included as effective members of the team for the implementation plan.

Project Management Plan

The implementation plan is a complete project which requires proper defined times and resources towards its completion. For an effective completion according to the estimated time, it is very important to consider different resources associated with the project including people, processes and time. In this section, details, and requirements about these resources are given across different stages of the project.

The first aspect to consider is the requirement of human resources in the project. In our strategy, after determining the regulatory and compliance management, key stakeholders are identified. The key human resources involved in the implementation plan project are:

Merger and acquisition team of PBI-FS and CISO of Padgett-Beale

10-12 new candidates hired from the Island along with one supervisor for the call center.

Stakeholders in the business having a share in revenue generation and resource management

A cybersecurity analyst/IT technician for the implementation of new controls and practices on the IT infrastructure described in the strategic plan.

Important processes involved in the project are online financial services, implementation of NIST guidelines for an effective code of practice, and risk management. Risk management is thoroughly covered in the first part of the cybersecurity plan of action. In this project, several risks/gaps identified along with their solutions will be considered for implementation. Important processes include compliance management, risk mitigation, and implementation of proper budgeting and auditing.

The third important resource is technology. After reviewing the existing infrastructure used by Island Banking Service, the M&A team of PBI-FS has identified that the already deployed equipment is approximately 5 years old and can be used for operations after proper experiments and analysis. Instead of outsourcing, it is decided to use the equipment for PBI-FS and save unnecessary expenditure. The equipment is also included in the implementation plan and will be used according to the implementation strategy discussed in later sections. These technology resources or equipment include:

Telecommunications, network equipment

Banking applications including their servers and databases

Data recovery and backup systems

Public Web Server and Electronic WebMail.

Computer workstations used by employees

The project of implementation requires the above-mentioned resources for the proper implementation of the strategy or cybersecurity plan of action.

Strategy Implementation

This is the most important section of the project where all the important steps and details are going to be discussed.

The implementation plan deals with several controls recommended by NIST. To assist organizations in selecting appropriate controls for effective security management, NIST introduced baseline controls. These controls are the starting points for the selection process of security controls. There are several types of baseline, but for the project at hand we have selected High-Impact Baseline controls, which are usually incorporated to protect sensitive information related to financial services and for other organizations that deal with sensitive data. Baseline controls used and implemented in the plan include:

AU-9 for protection of Audit Information

AU-11 for Audit-Record retention

CP-8 for telecommunication services

PE-2 for Physical Access authorization (Bodeau & Graubart, 2013)

Compensatory controls are used to minimize the gaps in IT compliance management associated with financial services. These controls are also incorporated in the implementation plan of the cybersecurity strategy as discussed in the plan of action project.

System Development Life Cycle

In this section, the implementation plan is represented in the form of a system development life cycle to show the succession and organization of the key steps that are going to be performed. In this development model, phases of a project are defined based on a time schedule to clearly specify the different steps of operation and their duration. The cybersecurity implementation plan for PBI-FS is divided into different phases, breaking the project down into different steps. The development life cycle is explained below.

System planning: This is the first step of the project, in which planning is finalized regarding the new standards and techniques that are going to be implemented. Compliance management, selection of security controls and application of risk mitigation strategies are also discussed.

Analysis: In this step, the entire program is analyzed based on the scope, assumptions, and limitations of the project that are discussed in the above sections. Analysis of compliance management, auditing, risk mitigation techniques and strategies, and suggested security controls is done in this phase.

Design: This is the third phase of the program development life cycle and is characterized by adaption of a new design for the implementation based on system planning and analysis. The system design covers requirements of the software, hardware, cybersecurity defenses, and the network infrastructure.

Implementation: This is the central phase where all the planned controls and techniques are implemented according to the requirements. In the implementation plan of cybersecurity of PBI-FS, the plan of action is implemented in accordance with suggested security controls and techniques mentioned in the risk management and compliance management sections to protect the financial services.

Testing and Integration: In all the processes, implementation is followed by a testing and integration phase. In the testing phase, the progress of the system/project is determined by comparing it with the previous situation. In the case of PBI-FS, the infrastructure used by Island Banking Service is reused under a new security policy. In this phase, the progress of the systems and security is analyzed to check the integrity of the plan.

Maintenance: This is the last stage of the implementation plan in which the issues and problems identified in the testing and integration phase are addressed. In case of new updates to the systems or suggested controls, the implementation is considered to get the desired results.

Program development Life Cycle

| Phase | Objective/Function | Milestone | Resources |
| --- | --- | --- | --- |
| Project planning | The first step of the project regarding new standards and techniques that are going to be implemented. Compliance management, selection of security controls and application of risk mitigation strategies are also discussed. | The project milestone of this stage is making a complete plan based on the risk register and regulatory requirements in the first project. | Processes using guidelines, standards, and cybersecurity techniques. |
| Analysis | The program is analyzed based on the scope, assumptions, and limitations of the project that are discussed in the above sections. Analysis of compliance management, auditing, risk mitigation techniques and strategies, and suggested security controls is done in this phase. | Analyze the milestone developed at phase one by the M&A team of Padgett-Beale | People (M&A team, cybersecurity analysts) |
| Design | This is the third phase of the program development life cycle and is characterized by adaption of the new design for the implementation based on system planning and analysis. The design covers requirements of the network software, hardware, cybersecurity defenses infrastructure | The milestone of this phase is system design development just before proper implementation | People (M&A team, cybersecurity analysts) and resources include network software, hardware, cybersecurity defenses infrastructure and Telecommunications, network equipment |
| Implementation | The central phase of PDLC where all the planned controls and techniques are implemented according to the requirements. In the implementation plan of cybersecurity of PBI-FS, the plan of action is implemented in accordance with suggested security controls and techniques mentioned in the risk management and compliance management sections to protect the financial services. | To implement the recommended controls and all recommendations in this one phase | Telecommunications, network equipment; Banking applications including their servers and databases; Data recovery and backup systems; Public Web Server and Electronic WebMail; Computer workstations used by employees |
| Testing | Implementation is followed by the testing and integration phase. In the testing phase, the progress of the system/project is determined by comparing it with the previous situation. In the case of PBI-FS, the infrastructure used by Island Banking Service is reused under a new security policy. In this phase, the progress of the systems and security is analyzed to check the integrity of the plan. | Testing frequently after proper implementation | M&A Team |
| Maintenance | The last stage of the implementation plan in which the issues and problems identified in the testing and integration phase are addressed. In case of new updates to the systems or suggested controls, the implementation is considered to get the desired results. | Addressing the problems identified in testing phase well in time | Cybersecurity analyst |

Enterprise IT Architecture

The IT infrastructure of PBI-FS for the financial services comprises hardware, software, and network elements. After a thorough analysis of the project planning, a comprehensive design is made for the implementation. Software requirements consist of several software implications of financial services like PCI-DSS and other basic security controls associated with the networking of the system. Firewalls are dedicated to virtual private networks that are incorporated to have control over the internet traffic. All the data, including sensitive information, goes through a proxy network which hides the address of the host (company) computers and replaces it with the remote private network. In this way, the possibility of man-in-the-middle attacks or exploitation of the company’s network, and ultimately of a data breach, is minimized. NIST cybersecurity standards and guidelines and the basic necessary security controls related to audit information, physical access authorization, audit record retention, and telecommunication services are also implemented. The hardware infrastructure shows telecommunication, the routing path, firewalls, and the configuration of the banking and transactional data path. The IT infrastructure is made to show the access network and how a customer accesses the financial services of PBI-FS.

References

Cybersecurity objectives. (2017). Retrieved from Packt: https://subscription.packtpub.com/book/networking_and_servers/9781788836296/1/ch01lvl1sec14/cybersecurity-objectives

Sabillon, R., Cavaller, V., & Cano, J. (2016). National cybersecurity strategies: global trends in cyberspace. International Journal of Computer Science and Software Engineering, 5(5), 67.

Bodeau, D., & Graubart, R. (2013). Cyber Resiliency and NIST Special Publication 800-53 Rev. 4 Controls. MITRE, Tech. Rep.

Tytarenko, O. (2017). Selection of the best security controls for rapid development of enterprise-level cyber security. Naval Postgraduate School Monterey United States.

Subject: IT

Pages: 12 Words: 3600

Cyber Attack

Case study: Cyber attack


Case Study: Cyber Attack

In the twenty-first century, organizations and governments are more concerned about security on their cyber front than on their physical one. Thoughts of cyber-warfare have echoed throughout the world as it has witnessed one cyber-attack after the next. This paper will discuss a case study in which a gang of hackers disguised themselves as the notorious “Fancy Bears”, the Russian hackers who were involved in compromising the security of the White House in 2014. The goals and objectives of these hackers, along with their techniques, will also be discussed in this paper.

Attack Case Study

Overview

The part of the Russian establishment responsible for cyber-attacks is known as Fancy Bear. This name became a brand after devastating cyber-attacks on the White House in 2014. This attack was based on intimidating the enemy into thinking that the notorious group “Fancy Bear” was actually attempting a DDOS attack on their server, thus tricking them into paying up (“RDoS attacks by fake Fancy Bear hit banks in multiple locations,” n.d.).

Perpetrators

Perpetrators of this attack remain anonymous to this day, as they attempted to perform this attack using already compromised bot networks.

Attack Scenario

Goals

The group aimed at exploiting financial firms by sending them an intimidating ransom letter in which it disguises itself as “Fancy Bear”. The demand for money, usually two bitcoins, is also mentioned in this ransom letter (Bussoletti, 2019).

Skills / Training

High level of knowledge in the field of network security especially exploit development and vulnerability analysis along with solutions to provide a high degree of anonymity.

Preparation Time

This is hard to estimate. The majority of the time would probably be required to gain the maximum amount of anonymity and to test the weakest point in the backend server. The DDOS attack will then not be much of an issue.

Personnel

A group of people who are highly trained in writing automated exploits on backend servers which have a lack of DDOS mitigation mechanisms.

Equipment

A group of systems or preferably a network of previously compromised bots which would provide the number as well as the anonymity required for the attack.

Timing Constraints

The basic time constraint for this attack will be equal to the time required by the company to install advanced DDOS mitigation mechanisms in its backend server.

How It Happens?

The gang sends a detailed and intimidating ransom letter stating their aim and identity. At the same time, it also launches a small-scale demo DDOS attack so that the company understands the severity of the situation. The ransom letter also mentions the deadline for the money and the time for the attack afterwards (“A DDoS gang is extorting businesses posing as Russian government hackers | ZDNet,” n.d.).

Collateral Results

Several other groups started to use the same technique disguising themselves as a known hacker group and sending ransom letters to companies. Such groups tried to impersonate famous hacking gangs such as Anonymous, Armada Collective etc.

Recommended mitigation

In-time development and installation of DDOS mitigation mechanisms for backend servers to make sure that no downtime is recorded when the DDOS attack occurs.

Risk Management

Cyber-security architecture

The organizations at risk from such an attack are those that have not prepared their back-end servers for such attacks. Cyber-security organizations which provide large-scale network security services need to adapt quickly to be ready for such future incidents.

Privilege Controls

The authorized users of the bank or the organization should also be given restricted access to the bank’s resources, i.e., privileged access can increase the chances of an attack manifold.

References

A DDoS gang is extorting businesses posing as Russian government hackers | ZDNet. (n.d.). Retrieved December 7, 2019, from https://www.zdnet.com/article/a-ddos-gang-is-extorting-businesses-posing-as-russian-government-hackers/

Bussoletti, F. (2019, October 28). Cybercrime, a fake Fancy Bear threats companies with DDoS attacks. Retrieved December 7, 2019, from Difesa e Sicurezza (difesaesicurezza.com) website: https://www.difesaesicurezza.com/en/defence-and-security/cybercrime-a-fake-fancy-bear-threats-companies-with-ddos-attacks/

RDoS attacks by fake Fancy Bear hit banks in multiple locations. (n.d.). Retrieved December 7, 2019, from https://www.group-ib.com/blog/fakeapt28

Subject: IT

Pages: 2 Words: 600

Cyber Security Threats, Vulnerabilities And Risk


Nabin Poudel

INTRODUCTION

Nowadays technology has become an indispensable part of our lives. People are relying more on technologies to perform their daily tasks. Every machine has some vulnerabilities that, if exposed, can cause severe consequences. In computers and computer networks, an attack can be described as an attempt to expose the vulnerabilities in the network or system, or to destroy or steal something from the system by gaining unauthorized access. Likewise, cyberattacks can be described as attempts to target computer information and infrastructure to gain some benefit. The people involved in these attacks are known as attackers. They try to access data, restricted sites or confidential information without authorization. Cyber-attacks can be a part of cyberwarfare, or can be so severe that they can be described as cyberterrorism, and are punishable by law. These attacks can be carried out by individual groups, a person, or an organization [1]. Sometimes even states are involved in cyberattacks as well. Due to advancements in technology, attackers are also becoming more advanced, making cyberattacks increasingly dangerous and sophisticated. There are several types of cyberattacks, but the most prominent attack that came under the spotlight recently is the ransomware attack. It is a type of attack in which attackers target computers that are running the Microsoft Windows operating system. They encrypt the data and demand ransom payments in the form of Bitcoins [4]. Several leading companies were affected by this attack, as most of them were not prepared for it. This attack caused companies to lose millions, as they had to pay the attackers. This paper will explain ransomware attacks using the example of a real-life company that came under a ransomware attack. Furthermore, the paper will discuss potential reasons for the attack, the amount of loss that the company suffered and the countermeasures that were taken to address the attack.

CYBERATTACK ON TOYOTA AUSTRALIA

Toyota is a Japanese automotive manufacturer that was founded on 28 August 1973. According to the statistics of 2017, it is one of the largest automotive manufacturers. It is also the world’s first automotive company to manufacture almost 10 million vehicles per year. In hybrid electric vehicles specifically, Toyota is considered a leader in worldwide market sales. Toyota has branches in many countries such as Australia, USA, Singapore, etc. It also has multiple branches in almost every city in each country. As Toyota is considered one of the leading car manufacturers, it automatically became a priority target for hackers. This is because hackers know that a company with a high reputation will pay more to save that reputation. Also, hacking a reputable company and leaking the data can cause severe damage to the company’s reputation while impacting its business in the global market.

Recently, Toyota Australia suffered a cyber-attack due to which it faced severe consequences. On 21st February 2019 the employees at Toyota Australia complained that they were unable to log in to their emails. After some time they complained that they could not even reach their phones. This raised concerns, as even the company website was unreachable, due to which they were unable to do business. The first step the IT department took was to inform all clients that they had some technical issues and that they were constantly trying to fix these issues. After this, they started investigating the real cause of the problem. It was later identified that the company had suffered a cyberattack. The shocking part was that on the same day a non-profit hospital was also under cyberattack, due to which it lost patients’ files that were extremely confidential. Initial reports suggested that the source of these attacks was Russia or North Korea. Due to several speculations, the carmaker released a statement in which it accepted that it had suffered a cyberattack due to which clients’ data was lost; however, personal details of the clients were still protected. Although this time the company managed to combat the attack, in May 2019 the company again suffered a major data breach in which it lost the personal data of over 3.1 million customers, and the only way to recover the data was to use some backup or to pay the money to the attackers.

ATTACKERS

Several factors contribute to cyber-attacks, such as the spectacularity factor, the vulnerability factor and the fear factor. The spectacularity factor can be described as an attack that causes direct losses while gaining negative publicity. The vulnerability factor can be described as exploitation of a vulnerability in an organization’s security system. The last factor is the fear factor, which involves fear of being hacked by the hackers [5]. As for the sources of attacks, an attack can be caused by human error, system faults or malicious attack. There are several types of attacks such as botnet attacks, syntactic attacks, denial of service attacks, etc. However, the attack that has gained the spotlight in recent years is the ransomware attack. Ransomware attacks are behind 56% of malware attacks. Due to the rising concerns regarding data privacy and the losses that occurred because of ransomware attacks, many countries have found ways that can help combat the attack. In Australia, according to the Australian Information Commissioner, there were only two cases of ransomware attacks out of all the cybersecurity attacks that were reported in 2018.

Ransomware can be described as malware that threatens to leak the victim’s data or block their access to their account unless a ransom is paid in the form of Bitcoin cryptocurrency [4]. Typically, these attacks are carried out using a Trojan that is camouflaged as a legitimate file. Users fall prey to the trap and end up downloading or opening the file containing a virus. WannaCry ransomware attacks, also known as high-profile ransom attacks, are cyberattacks in which the attackers target computers that run the Microsoft Windows operating system. The attackers launch the attack by using the WannaCry ransomware crypto-worm to gain access to computers [3]. After accessing the data, the hackers demand ransom payments in Bitcoins. This type of attack can spread itself in the system. It first checks the “Kill Switch” domain name, and if the name is not found then the ransomware encrypts the computer’s data while attempting to exploit an SMB vulnerability. Several companies have become targets of this attack, which made them lose a massive amount of customers’ data.

In the case of Toyota Australia specifically, the company was targeted not once but twice in the same year. Initially, the company linked the attack to Russian or North Korean hackers, yet later it was identified that a group known as APT32 was involved in the cyberattacks. APT32 is a Vietnamese hacking group that is also known as the Ocean Lotus group. This group is known for its sophisticated attacks on several private national and international companies, government agencies and journalists. This group started hacking Chinese entities in 2012 and then expanded across Asia and other continents. This group targets the most confidential information of the people and clients associated with specific organizations, as companies will do anything to keep their clients' information anonymous and will pay a huge ransom to get back the stolen data.

The APT32 group was also behind the attack on Toyota Australia. The company was attacked not once but twice. The second attack came a few weeks after the first. It was estimated that almost 3.1 million customers’ data had been leaked due to the security breach. The first breach occurred in Toyota’s Australia branch, but the second attack occurred in the company’s head office in Japan. This was alarming, as even the head office was not safe. The attack that occurred in the Australian branch was very severe and disruptive, as due to the attack Toyota Australia was unable to handle sales and delivery of vehicles to clients. After several investigations, it was revealed that a notorious group known as APT32 was behind these security breaches. They used a combination of open-source tools and some custom-built tools to breach the company. Following the breach, the company released a press statement that only the clients’ personal information was stolen and their credit card details were still secure. Specifically, the Lexus car owners are more at risk, as most of the information was stolen. After the Australian branch attack, the company is focused more on doing an internal audit of the IT department. Also, they are trying to build firewalls strong enough to combat cyberattacks.

SECURITY RESOLUTIONS

Toyota has suffered a data breach twice, which is alarming. It also highlights that the company lags in security and that major interventions are needed to ensure the security of the data. The first thing the company should do is to accept the problem, as most leading companies remain in denial that their security system has vulnerabilities. It is, therefore, necessary that cybersecurity training is conducted regularly so that every employee is aware of the potential threats. Secondly, internal auditing and documentation are important, as they help ensure the security of systems. Additionally, the company should review its security policy by including the NIST framework. According to this framework, it is necessary to first identify a threat and then protect the system using several counter mechanisms. The next function is detect, in which an organization must identify threats by monitoring the solutions that detect anomalous activity. The fourth function is respond, which implies that an organization must create a response plan in case of an attack. The last function is recover, according to which the company must have a recovery plan to restore all the material that was exposed to the threat or attack [6]. Another model that helps mitigate attacks is the SAFE model, which comprises three phases. The first phase is the capability phase, in which security capabilities based on potential threats are analysed and applied to address attacks. The second phase is the architectural phase, in which a security architecture is defined utilizing the security capabilities. The third phase is the design phase, in which, using the security architecture, a design consisting of cost, configuration and product list is created. All these security resolutions can help in combating any future attacks [7].

CONCLUSION

Due to the rise in technologies, cyberattacks are widely prevalent. Therefore, there is an immense need for strategies and policies that can mitigate the attacks. Cyber-attacks can be a part of cyberwarfare, or can be so severe that they can be described as cyberterrorism, and are punishable by law. These attacks can be carried out by individual groups, a person, or an organization. Recently, Toyota Australia suffered a major data breach due to which almost 3.1 million customers’ data was hacked. This raised several questions about the security system and policies of the company. However, after suffering immense loss, the company also made several interventions not only in its security policy but in its security system as well. This will ensure the company’s data security and help in combating several security attacks. As the case of Toyota Australia shows, every company must be prepared for cyberattacks by making new strategies and educating its employees regarding the importance of cybersecurity.

REFERENCES

[1] K. N. Sevis and E. Seker, "Cyber warfare: terms, issues, laws and controversies," 2016 International Conference On Cyber Security And Protection Of Digital Services (Cyber Security), London, 2016, pp. 1-9. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7502348&isnumber=7502334

[2] A. Alzahrani, A. Alshehri, R. Alharthi, H. Alshahrani and H. Fu, "An Overview of Ransomware in the Windows Platform," 2017 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, 2017, pp. 612-617. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8560864&isnumber=8560703

[3] A. Chuquilla, T. Guarda and G. Ninahualpa Quiña, "Ransomware - WannaCry Security is everyone's," 2019 14th Iberian Conference on Information Systems and Technologies (CISTI), Coimbra, Portugal, 2019, pp. 1-4. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8760749&isnumber=8760589

[4] S. R. Kumar, S. A. Yadav, S. Sharma and A. Singh, "Recommendations for effective cyber security execution," 2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH), Noida, 2016, pp. 342-346. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7542327&isnumber=7542293

[5] A. Ferreira, "Why Ransomware Needs A Human Touch," 2018 International Carnahan Conference on Security Technology (ICCST), Montreal, QC, 2018, pp. 1-5. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8585650&isnumber=8585426

[6] N. Teodoro, L. Gonçalves and C. Serrão, "NIST CyberSecurity Framework Compliance: A Generic Model for Dynamic Assessment and Predictive Requirements," 2015 IEEE Trustcom/BigDataSE/ISPA, Helsinki, 2015, pp. 418-425. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7345310&isnumber=7345233

[7] “SAFE Overview Guide: Threats, Capabilities, and the Security Reference Architecture,” http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/designzone-security/safe-overview-guide.pdf

Subject: IT

Pages: 6 Words: 1800

Cybersecurity


Suspicious Activity Report

Introduction:

Cyber-criminals are always trying to develop new and sophisticated attacks to compromise as many information technology systems as possible. Despite the continuous improvements in cybersecurity technologies, cyber-attacks are continually increasing not only in number but in strength as well. None of the departments or institutions powered by information technology systems are immune to cyber-attacks. Most of the time cyber-attacks are carried out on large-scale organizations for monetary benefit. The financial services sector is one of the major targets of cybercriminals. Financial institutions develop a suspicious activity report if they observe any unusual activity within the system (Fligstein & Roehrkasse, 2016). The report helps in the detection and prevention of highly sophisticated attacks. Suspicious activities observed in a financial institution are often related to asset misappropriation, cybercrime, accounting, money laundering, bribery, and corruption. Each main category may have many subcategories with varying potential for causing financial loss.
Suspicious activity has been observed by the financial services sector, details of which are listed below.

Threat:

Cyber-criminals are always trying to target financial institutions using sophisticated attack vectors that infiltrate the existing protection capabilities of the system. One such activity is phishing. Phishing is a form of cyber-attack in which hackers and cybercriminals use look-alike web links to trick users into providing confidential information. Most of the institutions providing financial services to end users rely on internet-based technologies, such as online accounts providing all of the banking facilities over the internet. End users can access their accounts and perform banking-related activities by providing credentials to authenticate their identity to a remote server. Phishing attacks use the web links of online banking services to trick users into providing confidential information such as usernames and passwords.

The motivation of Threat Actors:

Attackers are motivated to collect as many credentials as possible through their phishing campaigns for monetary benefit. Once an attacker has access to a username and password, he can use the details to access the system as a legitimate user. To broaden the scope of the malicious activity, the attackers not only forged look-alike links but also utilized spam emails: emails that looked like legitimate ones from the financial institutions but actually were from the attackers (Levi & Burrows, 2008). The emails contained links to reset the password for online accounts, and end users were fooled by the criminals. Once the user clicks and opens the fake link, he is asked to provide his existing username and password, which are then sent to the attacker's command and control server, and nothing happens on the user's screen.

The incident was reported to the customer services of different financial institutions by consumers, who said that they were receiving many emails from their financial institution. After a large volume of complaints, the matter was investigated by experts in the sector, and they found that phishing attacks were targeting the financial services sector. Such a campaign, if successful, can be used to fund terrorist organizations.

Vulnerabilities in System:

Most of the time cyber-attacks are successful due to inherent flaws in the software system. During the early stage of the investigation, it was revealed that most of the critical machines in the sector were powered by outdated software abandoned by the vendor. Vendors were not releasing security patches for the software products because the product support life cycle had ended for the legacy systems. Targeted organizations failed to upgrade their systems within the time frame of the product life cycle. Attackers exploited the security loopholes in the system to target innocent users. Financial institutions also noticed suspicious transactions using online systems, which raised many concerns among information technology professionals working in the same sector.

Many systems did not have access to online update servers, leaving them vulnerable to potential attacks. During the last two years, ransomware attacks used the vulnerabilities in the system to target the financial services sector of governments around the world. The following snapshot shows the percentage of reported frauds in the financial sector during 2009 and 2011 (Cummings, Lewellen, McIntire, Moore, & Trzeciak, 2012).

It is evident from the above graph that cybercrimes account for most of the financial frauds in the financial services sector. It can only be reduced by useful risk identification and mitigation plans to overcome vulnerabilities in the system.

Impact on Critical Infrastructure:

The financial services sector represents a vital component of the nation's critical infrastructure. Any potential attack on this sector will cause severe loss to the overall critical infrastructure of the country as well. The Department of the Treasury works with all relevant agencies, whether state or local, and the private sector to improve the ability of the sector to prepare for and mitigate human-made threats to the sector, including cybercrime (Johansson & Carey, 2016). Financial institutions, from the largest institutions to community-based banks, provide a broad array of services, allowing customers to make deposits and transfer funds to other parties. Given the critical nature of the sector, any successful attack on the institutions, such as that observed in the phishing campaign, will be able to shut down the whole financial system. Such a massive loss and risk is not affordable to any institution, whether in the public or private sector.

Actions Taken to Prevent the Attacks:

Because it was identified that the attackers could exploit the vulnerabilities in the software systems of the sector, it was decided to update all of the existing software to mitigate the potential risks of cyber-attacks. The updates to the existing systems were planned in different phases because it is not possible for large-scale organizations to update existing systems quickly. Moreover, backward compatibility issues were also taken into account for legacy systems. During the first phase of corrective actions of the mitigation plan, systems running obsolete UNIX-based applications were updated to a modern operating system.

The authentication mechanism for the internet-based services has been changed because a traditional password-based authentication system can be infiltrated by man-in-the-middle attacks. In the identified activity, criminals were able to collect credentials by fooling the end users. To overcome the problem, a digital certificate-based authentication system and two-factor authentication have been made compulsory for all of the institutions in the financial services sector. Two-factor authentication has mitigated future attacks (Reurink, 2018). Whenever a user tries to access an online account, a notification will be sent to the mobile device of the user with a one-time password. The expiry time of the one-time password will be very short to prevent brute force attacks as well.

Therefore, even if the credentials of a particular entity are compromised, the attacker will not be able to authenticate on the server of a financial institution without the consent of the concerned party. The measure has eliminated the risk of all future attacks of this kind. User awareness campaigns will also help people to learn more about the tactics used by criminals to sabotage the system. Digital signature-based authentication at the application level will prevent online fraud activities by malicious and terrorist actors because the communication will be encrypted with the Advanced Encryption Standard using a 256-bit key. The attackers will not be able to compromise the system even if they know exactly the underlying algorithm used for encryption, provided the encryption keys are kept secret. All of the preventive actions have mitigated the risks of the observed suspicious activity for the future as well, making the system more secure and robust in performance.

After Action Report

The financial services sector always remains a top target for criminals who use hacking tools for monetary gain. Cybercriminals continually invent sophisticated attack techniques to compromise large numbers of computers and related information technology infrastructure. Phishing is an important technique used by criminals to trick users of online services. Attackers made people click on forged links to obtain their login credentials. The stolen credentials were then sold on the black market and used by criminals to authenticate on the servers of financial services. The servers placed no restrictions on user authentication. Reports by users were investigated, and financial institutions found suspicious transactions happening in the network.

Attack campaigns were successful due to vulnerabilities in the system. The investigation found that most of the information technology infrastructure in the sector ran obsolete software, leaving it a potential target for cyber-attacks. Targeted attacks can break the whole financial system. Therefore, mitigation steps were taken to reduce the threat surface. During the first phase of the corrective actions, all outdated systems were updated to the latest software available from the vendors of the legacy systems. The move helped patch the exploitable loopholes in the information technology infrastructure of the sector.

To specifically address phishing attacks, two significant changes were introduced in the system. The first change was the implementation of two-factor authentication for online financial services. Whenever the user tries to access the online financial system, a one-time password will be generated and communicated to the owner of the service via a different channel, e.g. phone or email. The approach will render phishing campaigns useless. Even if the attacker has access to the user's login credentials, he will not be able to authenticate without access to the one-time password. The one-time password mechanism can itself be a weak point, because attackers can try to brute force the service to bypass the two-factor authentication. The risk of brute-force attack was mitigated by implementing a synchronous clock at the server end to generate short-lived passwords. Each password generated by the authentication server will be valid for a very short time only.
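The short-lived one-time password check described above, as an added example that is not part of the original essay. It assumes the server derives each code from a per-user secret and its clock using TOTP (RFC 6238); the 30-second window, 6-digit length, 3-failure lockout and the `OtpVerifier` name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed lifetime of one code (the "very short time")
DIGITS = 6          # assumed code length
MAX_FAILURES = 3    # assumed lockout threshold per login attempt


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on the shared
    secret and the current time step, so it expires when the step changes."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side check for one account: expiry, single use, failure lockout."""

    def __init__(self, secret: bytes, max_failures: int = MAX_FAILURES):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.last_counter = -1  # last time step in which a code was accepted

    def verify(self, submitted: str, now: int) -> str:
        # Lockout bounds the number of guesses, which is what defeats brute
        # force; short expiry alone only limits how long a stolen code works.
        if self.failures >= self.max_failures:
            return "locked"
        counter = now // STEP_SECONDS
        expected = totp(self.secret, now)
        # Constant-time comparison avoids leaking matching digits via timing.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            self.failures += 1
            return "rejected"
        # A code captured by a phishing page must not work a second time.
        if counter <= self.last_counter:
            return "replayed"
        self.last_counter = counter
        self.failures = 0
        return "ok"


def guess_success_probability(attempts: int, digits: int = DIGITS) -> float:
    """Chance that blind guessing hits the current code within `attempts` tries."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    # Constructed sample: the shared secret used in the RFC 6238 test vectors.
    secret = b"12345678901234567890"
    server = OtpVerifier(secret)
    code = totp(secret, 59)
    print("code issued at t=59:", code)
    print("submitted at t=59:", server.verify(code, 59))
    print("same code again:", server.verify(code, 59))
    print("same code at t=61 (next window):", server.verify(code, 61))
    print("odds of guessing within the lockout budget:",
          guess_success_probability(MAX_FAILURES))
```

With the lockout in place the attacker gets three guesses out of a million possible codes per lockout cycle; without it, the short validity window only limits how many guesses fit into each 30-second step.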

The second change was the implementation of a digital signature-based authentication system to prove the identity of the client to the server. The measure mitigated the risk of man-in-the-middle attacks that steal the login credentials of users. With the system in place, the password and other credentials of the end user are not transmitted over an insecure channel (Moore, Dynes, & Chang, 2016). All the details are first encrypted using a digital certificate and the private key of the sender. Digital certificates are issued by a trusted third party playing the role of authenticator. The sender encrypts the contents of the message with a private key corresponding to the digital signature. On the server side, the message is decrypted using the server private key along with the public key of the certificate. The public key is known to the overall system, while the private keys are known only to individual machines.

The public key cryptographic mechanism has mitigated the risk of theft of user credentials. The attackers will never be able to recover the original message even if they are aware of the underlying encryption algorithm. This holds as long as the private keys are kept secret. If this line of defense against cyber-attacks is somehow compromised, then, combined with the two-factor authentication system, the mitigation techniques will still render most attacks useless (Etzioni, 2011). The financial services sector is an essential component of the nation's critical infrastructure. Ensuring the confidentiality, integrity, and availability of data in the financial services sector is essential. Without appropriate risk reduction and mitigation plans, these objectives are impossible to achieve.

As protective and risk mitigation techniques improve, cyber threats are also increasing, not only in number but in complexity as well. During the last two years, ransomware campaigns caused billions of dollars in losses due to the encryption of critical data by criminals. Criminals locked institutions out of their systems and demanded ransom money to restore access (Martin, Ghafur, Kinross, Hankin, & Darzi, 2018). The exponential growth of the cyber threat landscape has made it necessary for the financial services sector to implement rigorous mitigation techniques to protect critical infrastructure. User awareness campaigns must also be initiated to educate general users of the system on how to differentiate legitimate web links from fraudulent websites.

There will always be tradeoffs between the security and efficiency of the system. Too much security will also impact the system negatively. Appropriate measures must be devised to make the sector more beneficial to end users and governments alike. The latest innovations in cybersecurity, such as artificial intelligence and machine learning algorithms, will help in overcoming these potential issues. Careful risk identification and appropriate risk mitigation plans must be part of the strategic planning of institutions operating in the financial sector. Otherwise, any potential breach of financial information can cause severe damage to the nation’s critical infrastructure.

References

Cummings, A., Lewellen, T., McIntire, D., Moore, A. P., & Trzeciak, R. (2012). Insider threat study: Illicit cyber activity involving fraud in the US financial services sector. CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST.

Etzioni, A. (2011). Cybersecurity in the private sector. Issues in Science and Technology, 28(1), 58–62.

Fligstein, N., & Roehrkasse, A. F. (2016). The Causes of Fraud in the Financial Crisis of 2007 to 2009: Evidence from the Mortgage-Backed Securities Industry. American Sociological Review, 81(4), 617–643.

Johansson, E., & Carey, P. (2016). Detecting fraud: The role of the anonymous reporting channel. Journal of Business Ethics, 139(2), 391–409.

Levi, M., & Burrows, J. (2008). Measuring the impact of fraud in the UK: A conceptual and empirical journey. The British Journal of Criminology, 48(3), 293–318.

Martin, G., Ghafur, S., Kinross, J., Hankin, C., & Darzi, A. (2018). WannaCry-a year on. BMJ: British Medical Journal (Online), 361.

Moore, T., Dynes, S., & Chang, F. R. (2016). Identifying how firms manage cybersecurity investment. University of California, Berkeley.

Reurink, A. (2018). Financial fraud: a literature review. Journal of Economic Surveys, 32(5), 1292–1325.

Subject: IT

Pages: 7 Words: 2100

Dark Data

Dark data is data acquired through various computer network operations but not used to derive keen insights for decision making. Essentially, it is unstructured and thus cannot be used. It is persistently collected and stored, but it is a challenge to organize it with categories, organization tools or labels. Since this precious trove of unstructured data can hold keen insights when organized systematically, it is deemed to be in the dark state in the contemporary era (“Dark data,” 2017). Dark data waits indefinitely to be analyzed and evaluated through data analytics.

A prominent example of dark data is the customer call record. Primarily holding precious information on a customer’s geolocation and thoughts, these kinds of records are persistently recorded and stored (“darkdata.org,” n.d.). However, it is an uphill task to analyze or organize them in detail. Likewise, a website log file is another example of dark data. Website logs can hold precious information on traffic and visitor behavior. They can, irrefutably, be collected easily and persistently, but there is no process to analyze and organize these logs in a productive way.

As per a report published in 2011, more than 85% of essential digital data is dark or unstructured (“5 Things Every IT Manager Should Know About Dark Data | Walden University,” n.d.). Technological advancement and innovation have paved the way for low-cost solutions for capturing and storing tremendous amounts of information (Kevin, Wanyaga, Kibaara, & Dinda, 2016). Despite the enhanced awareness and use of data analytics with big data, the demand for organizing and harnessing the benefits of dark data has accelerated. Various studies have proposed feasible solutions such as opening the data and making it available for anyone to explore and analyze. The bottom line is that efforts are being made to discover and conquer the paradigm of dark data.

References

5 Things Every IT Manager Should Know About Dark Data | Walden University. (n.d.). Retrieved April 26, 2019, from https://www.waldenu.edu/online-masters-programs/ms-in-information-technology/resource/five-things-every-it-manager-should-know-about-dark-data

Dark data: The two sides of the same coin. (2017, July 6). Retrieved April 26, 2019, from Analytics Magazine website: http://analytics-magazine.org/dark-data-two-sides-coin/

darkdata.org. (n.d.). Retrieved April 26, 2019, from https://www.darkdata.org/

Kevin, N. M., Wanyaga, F. M., Kibaara, D., & Dinda, W. A. (2016). Dark data: Business Analytical tools and Facilities for illuminating dark data. 10.

Subject: IT

Pages: 1 Words: 300

Data Security And Policy Assurance

James Grey

Electronic computers progressed from small experimental initiatives in the 1940s to real-world data processors in the 1980s. They have become integral to storing and processing data in our everyday life, but concern about the security and protection of valuable data has risen (Robling Denning, 1982). When computers became accessible to everyone, malware started to affect them. After viruses were discovered, programmers often created them as a joke or to test their programming capabilities. But it soon became a real concern when government-operated computer systems were hacked and confidential information started to leak.

Data security is the study of approaches to protect data stored in computer and communication systems from unauthorized disclosure and modification. Since 1975, data security has advanced rapidly. Data security provides a predefined set of technologies and standards that shield data from accidental or intended damage, exposure, or modification. Data security can be applied in numerous ways to protect data. These include a variety of methods and techniques such as physical security, logical and administrative controls, structural standards, and other practices that prevent unknown and unauthorized individuals or processes from accessing sensitive information.

Cryptography is a data security method that uses algorithms derived from mathematical concepts to convert sensitive data into a code. In this way, coded information is transmitted instead of raw data, and the chances of data theft are reduced significantly.

There has been considerable advancement in cryptographic methods, including key safeguarding schemes, the Data Encryption Standard (DES), digital signatures, key distribution protocols, and public-key encryption. Algorithms have also been developed to validate programs, ensuring that no confidential information is leaked and that the level of security clearance is suitable. New and advanced controls have been established to keep data in statistical databases safe, as several methods to attack and damage this data have recently appeared. A better understanding of the theoretical and practical drawbacks of current security has been developed (Robling Denning, 1982).

The information technology departments of many large mainframe computing companies of the 1960s and 1970s created security approaches which were applicable and effective in their era, but they have now become outdated for two major reasons. One reason is that the number of dedicated users has increased significantly. Applications are developed to be user friendly so that everyone can use them conveniently. Among this large number of users, many are not aware of the potential threats to their systems. Even those who know about these threats are often not capable of dealing with them. The other factor that has made the initial efforts to protect data ineffective is the development of networked remote-access systems. Devices are being interconnected for various communication purposes. Also, the number of people using the internet has increased significantly. As a result, the person operating a mainframe may not know that one device is accessible to a huge number of users throughout the world. It has become important to comprehend the risks and the actions required (Pfleeger & Pfleeger, 2002).

Another method of data security is steganography. In steganography, important data is hidden inside other data by replacing the unimportant bits of a computer file with the hidden data, so that the change is not visible. In this way, the hacker will not be able to extract the valuable data. It is a simple process; however, it has some downsides regarding maintenance of security, extraction, strength, and capacity to embed data. Moon & Raut proposed a technique in which image and audio are embedded as confidential data into arbitrarily selected frames of a video using the multi frame exploiting modification direction (MFEMD) algorithm. This makes it hard to tell which part of the video hides the data. A forensic tool for verification is implemented at the receiving end, which enhances data security. To improve the extraction and efficiency of the method, multiple attacks were applied during the transmission of the video, including histogram, visual, chi-square, etc. (Moon & Raut, 2018).
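The bit replacement and the chi-square attack mentioned above can be made concrete with a short added example, which is not from the essay or from Moon & Raut. It uses plain sequential least-significant-bit replacement on a constructed byte buffer rather than MFEMD, and every function name and sample value in it is an assumption made for illustration.

```python
import random


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Overwrite the least significant bit of successive cover bytes with message bits."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message needs %d cover bytes, only %d available"
                         % (len(bits), len(cover)))
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # each sample changes by at most 1
    return bytes(stego)


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes of message from the LSBs of the first 8 * n_bytes samples."""
    if n_bytes * 8 > len(stego):
        raise ValueError("buffer too short for the requested message length")
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for sample in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def pairs_of_values_chi_square(samples: bytes) -> float:
    """Chi-square statistic over value pairs (2k, 2k+1).

    LSB replacement with random-looking bits pushes the two counts of every
    pair towards their mean, so a statistic that is small compared with the
    number of pairs is a sign of embedding.
    """
    hist = [0] * 256
    for sample in samples:
        hist[sample] += 1
    chi = 0.0
    for even in range(0, 256, 2):
        expected = (hist[even] + hist[even + 1]) / 2
        if expected >= 5:  # ignore sparsely populated pairs
            chi += (hist[even] - expected) ** 2 / expected
    return chi


def make_constructed_cover(n: int, seed: int = 1) -> bytes:
    """Constructed cover samples: even values are about four times as frequent as odd ones."""
    rng = random.Random(seed)
    return bytes(2 * rng.randrange(100) + (1 if rng.random() < 0.2 else 0)
                 for _ in range(n))


def make_constructed_payload(n: int, seed: int = 2) -> bytes:
    """Constructed payload that looks random, as encrypted or compressed data would."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo() -> dict:
    cover = make_constructed_cover(8000)
    payload = make_constructed_payload(1000)  # 8000 bits: fills the whole cover
    stego = embed_lsb(cover, payload)
    return {
        "recovered": extract_lsb(stego, len(payload)) == payload,
        "max_sample_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "chi_cover": pairs_of_values_chi_square(cover),
        "chi_stego": pairs_of_values_chi_square(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The samples change by at most one, which is why the embedding is not visible, yet the pair statistic drops sharply; this is the kind of histogram evidence a verification tool at the receiving end can look for.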

Big data is a recent technology that deals with large structured or unstructured data sets, and with methods to process and analyze data sets that cannot be processed with traditional computer systems. The importance of big data is now appreciated by tech companies, industries and government. The effective mining of big data provides viable benefits in various sectors such as medicine, society, the economy and research. The aim of big data security is usually to monitor data in real time so that it can perceive liabilities, risks, and anomalous actions, provide access based on role, and show indicators based on security level (Fatima-Zahra Benjelloun & Ayoub Ait Lahcen, n.d.).

Information technology has greatly influenced public sectors, including finance and business, and so the significance of data security is inevitable too. This becomes more significant when a disaster hits an area. The damage caused to assets also includes loss of data on computing systems. It can be a physical loss of data, or hackers may attack at such vulnerable times to steal data. This greatly affects data security and numerous businesses. Business continuity plans are prepared and implemented for such incidents. These also include plans to avoid security breaches during a catastrophe, as there is a huge need to address the integrity and confidentiality of data. It is often noted that the major threat to business continuity is the unavailability of services, for example when a bank's payment gateway goes out of order. This disrupts the transaction process. In some situations, the damage from a disaster affects the banking system, so the bank is not able to proceed with transactions due to data unavailability or administrative issues. This results in financial loss to the bank and dissatisfaction of clients. Apart from mismanagement, in certain cases personal and confidential data is exposed. For this reason, there are cautionary measures to avoid the loss of data. The data can be transferred to a secure location and be recovered in better conditions. It is arguable that data security is a significant part of the business continuity plan (BCP) of any organization. It sets parameters of authorized access to systems and information during the disaster and recovery period. It also defines the measures which are essential to stop intrusions. There are many cases where a company gets access to the data center of its competitor and uses its information to drive it out of business. It is also very crucial for a company to implement a BCP to protect the data of its customers. A bank which does not protect the data of its customers efficiently can face losses of millions through identity theft and hacking. Moreover, if a bank does not have enough means to secure the integrity of data and uses the services of a third party for this purpose, the government can take strict action against it.

It is a well-known fact that the banking sector is a perfect and easy target for data theft and hacking. According to a survey conducted in 2016, every year there is an average of 85 serious breach attempts on banks, and 36% of them were successful in their aim. In response, companies and industries are developing methods to have more control over cyberspace. One of the data threats is a malware attack. One type of malware is ransomware, which operates in two ways: it either encrypts data or steals it. The cybercriminal then asks for money in order to release the data. It all happens in cyberspace, so it is more difficult to catch the criminal. This problem not only involves the security of a single company but also has consequences on national and international levels (Wilner et al., 2019).

One of the highlighted examples of such an attack was the ransomware attack on the City of Atlanta in March 2018. Due to this attack, the computer systems operated by the government, city services, courts, parking services and other utilities were greatly affected. Many offices were compelled to complete essential tasks manually, as computers were out of service for 5 consecutive days. The attackers asked for $52,000 as the ransom amount. After paying the ransom and regaining control, the total cost of full recovery was $17 million, of which $3 million was paid to crisis management firms and emergency IT consultants. After control was regained, complete recovery took several months. This incident revealed that the City of Atlanta was not prepared for such an attack. An audit two months before the attack had revealed between 1,500 and 2,000 cyber-vulnerabilities. The reason was the use of outdated software and IT applications through undocumented processes. This example became a significant lesson and a reason to include cybersecurity in the BCP of any organization (Blinder & Perlroth, 2018).

A rapid increase in cybercrime in the past few years has increased the need to integrate data security measures into risk management systems and plans. Many companies have also made business continuity and disaster management teams an integral part of their organization. A backup solution might not be able to stop the loss of data, but it will provide the means to recover the data quickly.

References

Blinder, A., & Perlroth, N. (2018, March 27). A Cyberattack Hobbles Atlanta, and Security Experts Shudder. The New York Times. Retrieved from https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html

Fatima-Zahra Benjelloun, & Ayoub Ait Lahcen. (n.d.). Big Data Security: Challenges, Recommendations and Solutions. IGI Global. Retrieved from https://www.researchgate.net/profile/Ayoub_Ait_Lahcen/publication/278962714_Big_Data_Security_Challenges_Recommendations_and_Solutions/links/577bfc8808ae213761cab725.pdf

Moon, S. K., & Raut, R. D. (2018). Information security model using data embedding technique for enhancing perceptibility and robustness. International Journal of Electronic Security and Digital Forensics, 11(1), 70–95. https://doi.org/10.1504/IJESDF.2019.096528

Pfleeger, C. P., & Pfleeger, S. L. (2002). Security in Computing (3rd ed.). Prentice Hall Professional Technical Reference.

Robling Denning, D. E. (1982). Cryptography and Data Security. Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc.

Wilner, A., Jeffery, A., Lalor, J., Matthews, K., Robinson, K., Rosolska, A., & Yorgoro, C. (2019). On the social science of ransomware: Technology, security, and society. Comparative Strategy, 38(4), 347–370. https://doi.org/10.1080/01495933.2019.1633187

Subject: IT

Pages: 5 Words: 1500

Data-Based Changes

Benedicta

Answer to Three Questions

Big Data and Data Mining

Big Data is a term used to describe a large data set. Big data sets are larger than most of the databases and data handling designs that were in use before their invention (Techopedia, 2019). At that time, big data sets were expensive to use and difficult to maintain. The classic example of big data would be data that cannot be handled by Microsoft Excel.

Data Mining is a different story altogether. It refers to the whole activity of sorting through big data sets and looking for appropriate data. This is like “looking for a needle in a haystack”. The idea behind the concept is that certain businesses collect data sets that may be accumulated due to a predefined automated process. Decision-makers of these businesses need relevant data to make informed decisions that are crucial for the running of the company. This careful sorting of data uncovers relevant information for helping the leadership.

Data mining uses a variety of software for analysis. There are two ways in which this software is utilized. For one, it can be fully automated under a specific set of pre-programmed instructions. But the preferred way of data mining is the old-fashioned practice of using labor, in which individuals scrutinize the data and send relevant queries until problems are sorted. Data mining involves a detailed and well-set pattern of targeted search that achieves well-defined results, which are then used for specific goals and operations. Let us take the example of the discipline of accounting to clarify the matter. Accounts can be a nightmare for a person who is not related to the discipline; data mining therefore sorts the data to produce relevant information and then produces the results for the management to use or quote as per their needs.

In a sentence, we can conclude that big data is an asset that is accessed through the medium of data mining to provide relevant results.

Business Continuity Planning

Business Continuity Planning, or BCP, is a process that involves creating a detailed scheme for preventing and recovering from threats that are imminent to the company (Kenton, 2019). The plan is usually multi-layered with several goals, chief of which is the idea that the personnel and the assets that are under the management's direct supervision must be protected. BCP is generally shaped after detailed meetings and discussions with key shareholders and related personnel.

The prime objective of the BCP is the definition and demarcation of all the threats that a company might face in its course of business. This forms a key component of the entire risk management program of an organization. These risks are related to the substance of the business of an organization. Generally, they may include threats like floods, fire or other weather-related events. Modern-day threats also include cyber-attacks. Once the risks are known, plans are made.

The plans usually comprise four points: defining how risks affect the operations of an organization; implementing the safeguards and procedures required to eliminate or dampen the risks that are subsequently created; testing the set procedures; and finally reviewing and perfecting the entire process so that it can handle the risks when the time comes.

BCP is an integral part of any business. It is not new for a business to be under different types of threats and disruptions that would at best cause damage to the revenue of an organization and at worst threaten the running of a business or close it down permanently. These practices add a layer of security to any business, since a business cannot rely on insurance alone. This is true because insurance does not completely cover the losses that are incurred by the shareholders and the management. The practice of BCP ultimately establishes confidence in any business, which is central to any organization’s sustainability.

Healthcare Informatics

Healthcare informatics relies on the use of information technology to organize and analyze the health records of a patient to produce improved healthcare results (Bonnie Ainsley, 2009). It usually deals with the devices, resources, and methods that are required to store, retrieve, acquire and use the relevant material in health and medicine. Some of the options that are used in this regard are communication and information systems, medical terminologies and computer technology. This system provides access to doctors, patients, nurses, insurance companies, hospital administrators and health information technicians. This field is currently growing by leaps and bounds, and many educational institutions are offering degrees in this discipline at different levels.

There are many benefits to this technology. They range from access to information that can save lives to the avoidance of wasted time. It also helps physicians to make informed decisions related to the patients entrusted to their care. The framework of the entire system provides coordination among all the stakeholders involved in the ambit of healthcare as per their needs. This also reduces the costs that are often incurred in the maintenance of electronic medical records by physicians and hospital administrations. It decreases the problem of duplication and improves the accuracy of the overall system of healthcare.

There are also many problems with the implementation of this system. For one, many physicians are reluctant to switch to this system. The chief cause of this predicament is that the system is poorly designed and therefore compromises information that can cause serious damage in the wrong hands. Another problem is that although the patients gain from the implementation of the system, the physicians and the administration of a hospital must bear the cost of the system from their own purses.

References

Bonnie Ainsley, A. H. (2009, June). The Impact of Informatics on Nursing Education: A Review of the Literature. The Journal of Continuing Education in Nursing, 40(5), 228-32. DOI:10.3928/00220124-20090422-02

Kenton, W. (2019, June 1). Business Continuity Planning (BCP). Investopedia. Retrieved from https://www.investopedia.com/terms/b/business-continuity-planning.asp

What is the difference between big data and data mining? (2019, May 21). Techopedia. Retrieved from https://www.techopedia.com/7/29678/technology-trends/what-is-the-difference-between-big-data-and-data-mining

Subject: IT

Pages: 3 Words: 900

Database

The management of data on a computer has remained in a fluctuating state since the very inception of data management and storage operations. Contemporary trends use the quick and flexible management fundamentals of database systems. In past decades, however, computers relied on a costly and much less elegant approach to managing data called the file-based system. The file-based approach had several disadvantages, and data redundancy was the most prominent among them. Concerns about the security, integrity, and isolation of data further created the need for a cohesive and organized mechanism known as the database management system.

At the beginning of the 1960s, companies began to sell mainframe database management systems (DBMS) to address the issues discussed above (“Chapter 1 Before the Advent of Database Systems – Database Design – 2nd Edition,” n.d.). Various operational necessities were met after the establishment of the database management systems:

The efficient path to program complex functions without rewriting retrieval applications

Standard model to share data among multiple users and applications

The companies vested in the database management systems went public in the late 1970s and later became the largest independent software product enterprises

The customers and users were presented with the opportunity to move the applications across distinguished manufacturing platforms and operating systems

The primary features highlighted above were the major responses to the issues caused by the operational mechanism of the file-based system. By the mid-1960s, computers became popular and users demanded that a standard be established. The Database Task Group introduced the standard in 1971 as Common Business Oriented Language (COBOL). However, the standard was immensely complicated and thus required modifications. Other historic inventions included the object-oriented database management system, which attracted users in the late 1990s (Grad & Bergin, 2009). The unstructured ambiguities in the data were resolved by NoSQL, which also addressed the scalability issues of distributed database systems. In the modern era, technological innovations and robust developments have made the database management system one of a kind.

References

Chapter 1 Before the Advent of Database Systems – Database Design – 2nd Edition. (n.d.). Retrieved January 12, 2019, from https://opentextbc.ca/dbdesign01/chapter/chapter-1-before-the-advent-of-database-systems/

Grad, B., & Bergin, T. J. (2009). History of Database Management Systems. IEEE Annals of the History of Computing, 31(4), 3–5.

Subject: IT

Pages: 1 Words: 300

Database Security Assessment

Chimene Tchokoko Diboma

Overview for Vendors:

The military hospital is a leading hospital providing healthcare services not only to military personnel but to the general public as well. The hospital has a main administrative department that is responsible for all of the management tasks related to hospital management. The administration department keeps the records of doctors and related staff. The accounts department of the hospital manages the payroll system and all financial activities (Bertino, 2015). There are different sections for the treatment of designated diseases; for example, the cancer ward is reserved only for the treatment of cancer patients and related research. Coordination between the departments is managed by the administration department. The hospital currently has 700 employees, including doctors, nurses, paramedics, and administrative staff.

The hospital is using manual record maintenance methods to keep track of all management activities such as patient visits, appointments, and billing. The hospital requires an automated hospital database management system. The required database management system must be able to handle massive workloads with a high quality of service. The central database will hold records related to all departments. The database management system will be responsible for the maintenance, usage, and operation of the central database. Critical information such as patient medical history along with personal details, diagnostics, billing details, employees’ personal details, payroll history, and management will be stored in the database. As all the departments will have coordinated services, a relational database will serve the purpose of keeping the records maintained (Dhillon, Torkzadeh, & Chang, 2018). It will enable all the departments to have up-to-date information records of a particular patient. Given the sensitivity of the information being stored in the database system, the hospital requires the competing vendors to ensure compliance with the highest standards of cybersecurity. Despite the relational nature of the database, there must be appropriate levels of data segregation, so that the information related to the finance department cannot be accessed or manipulated by other departments beyond authorized limits.

Different departments and staff members will use the system as per their requirements. Nurses will use the system to view and update patient health records. The receptionist will use the system to arrange appointments of the patients with doctors. Ward boys will use the system to manage the patient visits to the hospital such as preparation of the discharge slips. Administrative staff will use the system to monitor activities of all the departments, attendance of the doctors, and other members of the hospital staff. The accounts department will use the system to establish payroll, salary management, and billing information of the patients. Overall the system will be the central management system of the hospital and will provide the stated functionalities.

The context for the Work:

The hospital requires appropriate segregation between the data elements stored in the database management system. As the system will provide users with an intuitive web-based user interface, the vendors must demonstrate that their system has no critical security loopholes. Web-based applications use error handling techniques to provide users with useful information and troubleshooting steps. However, such error handling, if not implemented appropriately, can be used by attackers to infiltrate the database and compromise sensitive information records (Nazareth & Choi, 2015). The vulnerability in database management systems due to the improper handling of errors is known as information leakage. Information leakage can happen when the database management system fails to limit the amount of information provided with the error. Competing vendors must demonstrate in the proposal that the web application is capable of sanitizing the messages generated by the Structured Query Language (SQL) layer or the database management system.
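The error-handling requirement above, shown as an added example that is not part of the original essay or of any vendor's product: a handler that echoes the raw DBMS error next to one that validates input, uses a parameterised query, and returns only a generic message with a reference for the server-side log. The table, the function names and the signature list in `leaks_dbms_detail` are assumptions, and the database is a constructed in-memory SQLite stand-in.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("hospital_portal")  # hypothetical logger name

def make_db():
    """Constructed in-memory database standing in for the central hospital DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)")
    db.execute("INSERT INTO patients VALUES (1, 'Constructed Patient', 'constructed diagnosis')")
    return db

def lookup_leaky(db, patient_id):
    """Anti-pattern: input is concatenated into SQL and the raw DBMS error
    text (table and column names, parser state) is returned to the browser."""
    try:
        rows = db.execute("SELECT name FROM patients WHERE id = " + patient_id).fetchall()
        return {"status": 200, "body": rows}
    except sqlite3.Error as exc:
        return {"status": 500, "body": f"Database error: {exc}"}

def lookup_sanitized(db, patient_id):
    """Hardened form: reject malformed input before it reaches the DBMS,
    bind the value as a parameter, and keep error detail in the server log."""
    try:
        pid = int(patient_id)
    except (TypeError, ValueError):
        return {"status": 400, "body": "Invalid patient id."}
    try:
        rows = db.execute("SELECT name FROM patients WHERE id = ?", (pid,)).fetchall()
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:12]
        # Full exception and traceback stay server-side, keyed by the reference.
        log.exception("patient lookup failed ref=%s", ref)
        return {"status": 500,
                "body": f"The request could not be completed. Reference: {ref}"}
    return {"status": 200, "body": rows}

# Assumed, non-exhaustive signatures of DBMS error text; an acceptance
# checklist can scan every HTTP response body for them.
DBMS_ERROR_SIGNATURES = re.compile(
    r"no such (table|column)|syntax error|SQLSTATE|ORA-\d{5}|sqlite3?\.",
    re.IGNORECASE,
)

def leaks_dbms_detail(body):
    """Return True if a response body contains DBMS error detail."""
    return bool(DBMS_ERROR_SIGNATURES.search(str(body)))

if __name__ == "__main__":
    db = make_db()
    for handler in (lookup_leaky, lookup_sanitized):
        response = handler(db, "abc")  # malformed, non-numeric id
        print(handler.__name__, response["status"], leaks_dbms_detail(response["body"]))
```

Running `leaks_dbms_detail` over every response a test suite collects turns the proposal's sanitization claim into a check that either passes or fails.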

As the hospital requires a web-based interface to provide access to the central database to multiple departments, the system must be sufficiently protected against cross-site scripting attacks. In a cross-site scripting attack, also known as an XSS attack, an attacker can inject malicious code into a trusted webpage. The script is executed when the user loads the page embedded with the malicious script. Cross-site scripting attacks can allow the attackers to compromise the entire network of the organization. XSS attacks may soon replace the injection attacks on SQL database systems (Boulares, Adi, & Logrippo, 2015). Therefore, the proposed system must be protected against XSS attacks. The proposed system must ensure that there will be no broken authentication vulnerabilities. As the data segregation requirements will be coupled with the authentication system, it must be secure enough to block man-in-the-middle attacks. Strong authentication mechanisms must be used to overcome the authentication flaws of the relational database systems. Access control will also be an important assurance required from the participating vendors. The system must provide essential access controls to limit the information exposure as per the defined user rules in the system.

Vendor Security Standards:

It is a critical requirement of the hospital from all participating vendors to focus on the confidentiality, integrity, availability, and non-repudiation of the data stored in the system. To confirm compliance with the security standards of the proposed system, a security and processes checklist will be available for testing purposes. Proposed solutions will be tested against the Common Criteria, a global set of rules and regulations to test the security performance of information management systems. Common Criteria rules are mostly used to test the security products proposed for implementation in critical government departments. However, depending on the sensitivity of information processed using the proposed system, it must comply with the Common Criteria (Schinagl, Paans, & Schoon, 2016). Vendors submitting proposals for the hospital must provide certificates confirming that their solutions conform to both key components of the Common Criteria, namely protection profiles and evaluation assurance levels. The vendor must provide the certification that the proposed solutions are configured for the highest standard profile of data protection.

The required protection profile is that the database must be encrypted using sophisticated encryption algorithms employing AES-256 keys. If the data is encrypted, then the attackers will not be able to compromise sensitive information of the patients even if they are able to break logical defenses such as firewalls and access control mechanisms. An encryption system is as secure as the keys associated with the encryption. Therefore, the management system of the database will ensure that none of the departments will have access to the complete encryption key. Instead of having access to the full encryption key, all the departments must have different chunks of the key to ensure non-repudiation of data (White, Fisch, & Pooch, 2017). The second component of the Common Criteria provides evaluation assurance levels. The scale used for evaluation assurance levels is from 0 to 7, with 7 being the highest level of evaluation. However, a product rated at 7 does not guarantee that it will have maximum security and performance standards implemented. It only provides information that the product has undergone a maximum number of security and performance evaluation tests.
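One way to meet the requirement that no department holds the complete key, as an added example (not part of the essay or of any vendor's product). It uses XOR shares rather than literal slices of the key, a substituted technique, because a slice hands its holder part of the key while a single XOR share reveals nothing about it. The department names, function names and the SHA-256 fingerprint check are assumptions.

```python
import hashlib
import hmac
import secrets
from functools import reduce

KEY_LEN = 32  # AES-256 key length in bytes
DEPARTMENTS = ["finance", "nursing", "administration"]  # hypothetical share holders

def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def fingerprint(key):
    """Digest stored beside the encrypted database so that a recombined key
    can be verified without the key itself ever being stored."""
    return hashlib.sha256(b"db-key-check" + key).digest()

def split_key(key, departments):
    """Split a key into one share per department (n-of-n).

    Every share except the last is uniformly random; the last is the key
    XORed with all the others. Any subset short of all shares is
    statistically independent of the key."""
    if len(key) != KEY_LEN:
        raise ValueError("expected a 32-byte AES-256 key")
    if len(departments) < 2 or len(set(departments)) != len(departments):
        raise ValueError("need at least two distinct share holders")
    shares = {d: secrets.token_bytes(KEY_LEN) for d in departments[:-1]}
    shares[departments[-1]] = reduce(xor_bytes, shares.values(), key)
    return shares

def recombine(shares, departments, expected_fingerprint):
    """Rebuild the key only when every department presents a valid share."""
    missing = [d for d in departments if d not in shares]
    if missing:
        raise PermissionError("missing shares from: " + ", ".join(missing))
    if any(len(shares[d]) != KEY_LEN for d in departments):
        raise ValueError("malformed share")
    key = reduce(xor_bytes, (shares[d] for d in departments), bytes(KEY_LEN))
    # Constant-time comparison; a wrong or tampered share changes the result.
    if not hmac.compare_digest(fingerprint(key), expected_fingerprint):
        raise ValueError("recombined key does not match the stored fingerprint")
    return key

if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)      # constructed key for the demo
    check = fingerprint(master)
    shares = split_key(master, DEPARTMENTS)
    assert recombine(shares, DEPARTMENTS, check) == master
    print("key recovered only with all", len(shares), "shares")
```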

The vendors must provide information in the proposal about the security target of the product. The security target of the product provides information about the threats the product was tested against. The vendor’s self-assessment results must also be attached to the proposal. If the product is tested by a third-party testing agency, then the authorized certificate must be attached to the proposal. Even if the products are tested against the vendor's self-assessment criteria, they will be tested for disaster recovery operations. The required evaluation level assurance is that the system must be able to recover itself from a disaster state with a minimum time limit of one hour. Any system taking a long time for disaster recovery will not be suitable as per the service level requirement of the hospital. A high level of continuity in operation is required from the proposed system.

Defense Models:

All the databases and systems will be connected using the internal network of the hospital. The internal network will contain Ethernet connections and wireless connections for different systems. An enclave computing environment will be established in the hospital to protect against cyber-attacks. Each section of the hospital buildings will use a boundary defense mechanism for the networks. Each section will use a separate switch that will be configured with access control lists to block outside access. A central firewall will protect the network against hackers. However, departmental firewalls will protect the wireless connections of the employee devices (McDougall & Woodruff, 2016). As the firewall defense is not enough against all hacking attempts, end devices will be equipped with host-based intrusion detection systems. A firewall only considers the attacks originating from outside of the network. The host-based intrusion detection system will halt the attacks originating from within the network.

Network equipment installed within a department will be considered as the boundary of the enclave environment. Access control lists implemented in each department will help protect the data segregation level. The general medical staff will not be able to access the information related to the finance department due to the blocking rules defined in the access control lists. Along with the access control lists, the officials working in the same department will have different levels of permissions, such as read and write access to the databases. For example, the receptionist will have read access to the information of the doctors but will not have write permission to edit any relevant information. Each network will be separated from the others using a department-level firewall. Such a firewall configuration will allow the networks to be protected against hacking attacks. Even if the network of one department is compromised by hackers infiltrating the network, the rest of the departments will remain separated from the malicious traffic. The hackers will not be able to compromise the entire network (Roslan, Hamid, & Shamala, 2018).

The proposed defense model must be able to defend the critical infrastructure against distributed denial of service attacks. In a distributed denial of service attack, hackers use a large network of computing devices infected with malware. Hackers cause congestion on the network links by generating fake service requests to the server. Legitimate traffic is blocked from accessing the service. As the hospital requires high availability of the service, the vendors must ensure that denial of service attacks will not be able to compromise the network.

Access control methods will be implemented as per the policies of the Department of Defense. The internal security policies of the hospital will also comply with the policies defined by the Department of Defense. It is crucial while designing the internal cybersecurity policies for different departments to understand the usability requirements of the system. There exists a tradeoff between the security and usability of the system. The most secure system will be the one disconnected from everything. If that system is then buried in a block of concrete, it will be the most secure system on earth, as it will not be possible for anyone to access it. However, the same system will be the most useless system on earth as well. Therefore, designing the internal security policies of the hospital will be all about finding the best balance between security and usability of the system.

Requirement Statement for System Structure:

The proposed system will be used by patients as well. The user interface and the web-based portal are required to be customized for each user group. The doctors must be provided with all access to alter the patient information such as diagnostics and medications, and to comment on laboratory test results. Doctors must not be provided with permission to alter the details about the appointments. Appointments with the doctors will be altered by the administrative staff only. The restrictions must be enforced to ensure the continuity of operations (Chapple, Stewart, & Gibson, 2018). If multiple user groups are provided with similar rights, then there will be operational difficulties. The administrative staff of the hospital will be provided with consolidated access to the databases as they have to monitor the functionalities of different departments. Receptionists and paramedics will be allowed to alter or update the records of appointments of patients with the doctors.

All of the departments will have strict regulations regarding data protection. None of the users must have permission to transfer data using external media devices. Such data exfiltration restrictions are necessary to avoid the misuse of medical information. Cyber-criminals target employees of organizations using social engineering techniques. An employee may connect an infected external media device containing malicious code to the system. Once the malicious code is executed on the machine, it will be very difficult to contain the damage caused by the malicious actor. The restriction may affect the usability of the system in rare cases. To prevent such usage restrictions, the higher management must be provided with a feature to enable data transfer using external media devices for a short period of time.

Operating System Security Components:

Operating systems are the core components of any computing device. An operating system is responsible for the management of the hardware resources, and it provides applications with a working environment as well. The operating system of the installed devices must use virtualization for processes so that processes executed on the machine by one application cannot alter the processes executed by a different application. Applications requiring administrative rights on a machine can bypass such restrictions. To avoid exceptions to this scenario, effective security policies must be implemented by the vendor to create a secure ecosystem for applications (Laracy & Marlowe, 2018). Operating systems installed on end-user devices must be pre-configured to update all of the installed applications regularly. It is mandatory for the operational continuity of the hospital, as most cyber-attacks happen due to the security holes present in outdated applications. Software-level attacks can be prevented using strong security policies at the operating system level.

The competing vendors are required to ensure that all of the supplied devices have trusted platform modules installed and correctly configured to be used with mission-critical applications. A trusted platform module, also known as a TPM, is a hardware chip that is used to store authentication credentials, user certificates, and cryptographic keys. The TPM provides a tamper-proof environment for applications to store and manage the credentials. The space provided by the TPM for credential storage cannot be compromised by software attacks. TPM chips must be present in all the network devices as the encryption keys will be stored in them. End-user devices will have TPM chips pre-installed on their main circuit boards (Jacobs, 2015). Such TPM chips are used by the operating systems to store sensitive information. The TPM chips can verify the hardware platform as well. For example, at boot time, the contents of the TPM will be checked for integrity. In case of any signs of tampering, the user will be restricted from accessing mission-critical applications on the device.

Trusted platform modules can protect encryption keys and other user authentication certificates. However, TPM chips cannot control the applications running on the machine, meaning that a malicious application running on the machine may alter the contents of a TPM. Therefore, there must be security processes implemented at each level, such as the network and the operating system (Wu, Chen, Yang, & Du, 2019). All the logical measures such as operating system hardening tools, patch management applications, trusted platform modules, and firmware create a trusted computing environment. Each component of the infrastructure will be validated and checked for integrity by the system before allowing access to critical functions of the installed system, including the storage databases.

Requirements for Multiple Independent Levels of Security:

Multiple independent security levels can be used by the vendors to control the authentication and access to the data. These multiple security levels are based on the Biba or Bell-LaPadula models of security. As per these models the user groups of one consolidated access. Users of one group cannot alter or access the files of users with higher rights. Similarly, the users of one rights group cannot alter or access the files of groups with lower user rights. A similar access restriction model is known as the Chinese wall model, which restricts access to file objects based on conflicts of interest. The models are explained in the Orange Book of the DoD (McMillin & Roth, 2017). However, such models, if not implemented with care, can provide backdoor access to attackers. The requirement of the hospital is to provide a system that is capable of insecure handling of files using the Biba model. Files must be tied to encryption algorithms and must not be transferred to any external medium. The hospital does not require the access mechanisms to be online as all the departments will access the central database locally.

Test Plan requirements:

Vendors will use the Biba model to restrict access to files for different user groups. The Biba model works on the principle that a user of one group cannot access or alter the files of higher as well as lower rights user groups. Such implementation of access restrictions can be bypassed by cross-site scripting attacks. The proposed solution will be tested for cross-site scripting attacks for the insecure handling of data. A script will be injected into the critical web interface of a database, and the level of damage or access rights violation will be recorded. If the attack is recorded to be successful, then security measures will be implemented by the vendors to patch the vulnerability as soon as possible (Cai et al., 2018). SQL injection using the user input method will also be tested for any visible security flaws. All of the discovered flaws will be patched by hardening the security policies regarding user input methods.

Authentication and access control systems are central to the overall security posture of the system. Any broken authentication or access system can lead to the overall compromise of the system. It would not be beneficial to invest in secondary systems for the protection of an already installed system of authentication and access control. In case of any broken system. A certificate-based authentication system will be implemented for all the users regardless of their rights. A secure access system will be enforced by using a digital signature-based file handling mechanism.

References:

Bertino, E. (2015). Big data-security and privacy. 2015 IEEE International Congress on Big Data, 757–761. IEEE.

Boulares, S., Adi, K., & Logrippo, L. (2015). Information flow-based security levels assessment for access control systems. International Conference on E-Technologies, 105–121. Springer.

Cai, F., Zhu, N., He, J., Mu, P., Li, W., & Yu, Y. (2018). Survey of access control models and technologies for cloud computing. Cluster Computing, 1–12.

Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC) 2 CISSP Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons.

Dhillon, G., Torkzadeh, G., & Chang, J. (2018). Strategic Planning for IS Security: Designing Objectives. International Conference on Design Science Research in Information Systems and Technology, 285–299. Springer.

Jacobs, S. (2015). Engineering information security: The application of systems engineering concepts to achieve information assurance. John Wiley & Sons.

Laracy, J. R., & Marlowe, T. (2018). Systems Theory and Information Security: Foundations for a New Educational Approach.

McDougall, A., & Woodruff, J. (2016). Physical security management. In Handbook of SCADA/Control Systems Security (pp. 286–307). CRC Press.

McMillin, B., & Roth, T. (2017). Cyber-physical security and privacy in the electric smart grid. Synthesis Lectures on Information Security, Privacy & Trust, 9(2), 1–64.

Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security management. Information & Management, 52(1), 123–134.

Roslan, S. N., Hamid, I. R. A., & Shamala, P. (2018). E-Store Management Using Bell-LaPadula Access Control Security Model. JOIV: International Journal on Informatics Visualization, 2(3–2), 194–198.

Schinagl, S., Paans, R., & Schoon, K. (2016). The revival of ancient information security models, insight in risks and selection of measures. 2016 49th Hawaii International Conference on System Sciences (HICSS), 4041–4050. IEEE.

White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC press.

Wu, Z., Chen, X., Yang, Z., & Du, X. (2019). Reducing Security Risks of Suspicious Data and Codes through a Novel Dynamic Defense Model. IEEE Transactions on Information Forensics and Security.

Subject: IT

Pages: 10 Words: 3000

BD Pyxis Supply System

American Public University System

Management information systems are central in determining the success and flourishing of any business or enterprise. Information systems are used to gather, store, process, and share information for various business and management purposes. All successful companies and businesses make use of the best possible management information system to bring efficiency and speed to their work. These systems are also very helpful and important in health science and hospitals for managing the data of employees and patients, incorporating medical history management of patients and pharmacy-related records. The management information system discussed and analyzed in this essay is the BD Pyxis supply management system. The BD Pyxis supply station is a secure inventory management system that is used to provide access to the necessary supplies at a health care facility and on nursing floors. It helps staff members manage different tasks, including supply usage documentation, clinical workflow improvement, and reducing errors in documentation. It includes additional system configurations, including the Pyxis half-height unit supply station and the EC system with extra capacity. The system with extra capacity is very useful for low-velocity items in larger numbers that require a higher level of security. The main source is the supply management system; the BD Pyxis supply center gathers data from this management system and provides the supply data related to the patient, user, item and procedure (“BD Pyxis™ SupplyCenter server,” n.d.).

The supply management system is very effective to use in medical stores and hospitals, like other management systems, in order to make the relevant tasks easy to perform. In this analytical essay, we will cover many important features of this supply management service and will also cover a competitive analysis of the system to suggest further improvement in the management system.

Server-Side Hardware Requirements

An enterprise server of BD Pyxis is used to manage all the related devices and technologies by using a flexible and scalable hospital server in a single environment that is web-accessible. These servers are mostly installed in dedicated places of a hospital or places of relevant importance. Various deployment models and techniques are used to meet various pharmacy and IT-specific criteria with software and hardware options. The hardware server requires a number of components related to computer and IT architecture which are essential to perform the required functions efficiently. The server used in BD Pyxis is not entirely static and fixed; rather, it is a flexible and scalable hospital server. It means that it can be extended and compressed according to the requirement. The server contains enough memory devices to support a back-up for a huge amount of data because it is very necessary to save the records and history for a longer period of time.

Server-Side Software Requirements

            The software involved in managing the information and relevant data is running on the back end of the BD Pyxis supply system. The software enables data sharing between HIT systems and the BD Pyxis platform by integrating tools and technologies. HIT system is basically a company that works and provides solutions related to IT requirements of the healthcare section or department. They provide services including management of healthcare records, IT support, cloud computing and also providing remote servers for relevant processes and services. This is possible because of the installed dedicated protocols which are specifically developed to serve the required functions. The server side of the software integrate systems and technologies across the enterprise and store the data into the database. The database manages the record of medicines, equipment, patients and other related items according to the proposed instructions and requirements. The database managed as the server-side software is in accordance with the concept of a standardized formulary database. This renders the information system of pharmacy to act as a single formulary source. This formulary source supports the connectivity of the database with a front-end software portal and determines centralized management and standardization.

Client-Side Hardware Requirement

The clients are mainly healthcare workers or IT professionals who are fulfilling their duties in managing pharmacy and medical records and other services related to software and IT. BD Pyxis client-side hardware requires a desktop with its full accessories, deployed with each bed in the ward. The physician and medical officer can easily run the BD Pyxis software portal that is installed on each desktop computer. Each computer is connected to the Internet and has a printer attached. The printer is attached in order to print any report of medical records or pharmacy orders, which saves a lot of time and work.

 

Client-Side Software Requirements

The management system of the BD Pyxis supply system has its own dedicated software application, and this application is installed on all the desktops specifically deployed for this management information system. The software application has a state-of-the-art graphical user interface providing all the necessary sections and options to enable easy and efficient use of the software portal. The records of individuals are maintained separately, and each individual has a separate account on the portal which contains records and information about him/herself. Each user has login credentials consisting of an ID and a password, and their records are constantly managed and updated to ensure efficient and error-free processing and management.

Competitive Analysis of the System

In this section, we will cover the competitive analysis of the BD Pyxis system against other competitors. BD Pyxis is compared to another management system called MPI. MPI is the Master Patient Index, another information system used in hospitals and pharmacies that connects various patient records across back-end databases. The index stores the records of patients at a healthcare organization and indexes other records for each patient too. It is used to reduce inaccurate patient information and duplicate patient records, which can lead to many problems.

MPI is expected to eliminate near matches and duplicate files of patients' records, but in practice there are many concerning issues. According to a study, MPI needs constant maintenance and vigilance by the HIM department in order to work and function properly (Bresnick, 2013). On the other hand, BD Pyxis has not yet been reported to show this kind of behavior. It is a fully automated system and updates files and their data regularly without any issue pertaining to confusion between closely related files or duplication of patient records. One merit of the BD Pyxis system over MPI is its supply management service using IDN. An IDN, an Internationalized Domain Name, is very specific, and hence there is a negligible chance of confusion between duplicate or closely resembling patient record files.

Recommendations for Improving the System

No matter how efficient and effective an Information Management System is, there are always some issues and areas for improvement. In this section, we will analyze 3 main areas in which the BD Pyxis system can be improved in the future.

One very important factor of any software application or information management system is its back-end database. The database can affect the working or operation of the management system in many ways. Errors in databases can result in mismanagement of patients' records and may ultimately result in a big issue in the future. In the BD Pyxis system, MySQL is used to manage the databases of the portal at the back end, which is not as good and accurate as Postgres. MySQL is a relational database while Postgres is an object-relational one. This suggests that Postgres includes features such as function overloading and table inheritance, which are responsible for adding accuracy and correctness in dealing with data. So, I will recommend the use of a Postgres database at the back end for record management.

The second suggestion is related to the hardware-server side of the BD Pyxis supply management system. The use of portable servers is very expensive, as it includes maintenance and the expenses of wear and tear. Further, they consume a lot of energy and resources, so it is recommended to acquire remote services for backup and data management, like Amazon Web Services (AWS). This will definitely reduce costs and add efficiency in service.

The third suggestion for improvement is related to giving physicians, doctors and other concerned persons remote access to the software portal. We know that matters pertaining to hospitals are often emergency-related, so it is recommended that a mobile application be developed and linked with the main database of the servers to enable remote login in case of an emergency.

 

Conclusion

The BD Pyxis supply system is an automated medication dispensing system which is supported by decentralized management of medication. It assists clinicians and pharmacists in dispensing the right medication efficiently and safely. It is very feasible to use because of its platform flexibility and because it provides open and secure inventory management. A console manages the facility by combining a network of secure storage stations for easy utilization of the service. The medication safety measures and enhancements help doctors and paramedical staff to prevent harmful errors, adverse effects of drugs and the risk of diversion. The information management system is a very reliable and trusted software and hardware solution which provides electronic updates, targeted reports, automation, and data consolidation.

References

BD Pyxis™ SupplyCenter server. (n.d.). Retrieved December 15, 2019, from https://www.bd.com/en-us/offerings/capabilities/medication-and-supply-management/medication-and-supply-management-technologies/pyxis-supply-technologies/pyxis-supplycenter

Bresnick, J. (2013, November 20). Healthcare analytics essentials: The master patient index. Retrieved from Health IT Analytics: https://healthitanalytics.com/news/healthcare-analytics-essentials-the-master-patient-index

McQuown, B. E. (2016). Automated Medical Supply Chain Management: A Remedy for Logistical Shortcomings. Air Command and Staff College, Distance Learning, Air University, Maxwell AFB, United States.

Subject: IT

Pages: 5 Words: 1500

Develop An Electronic Web Portfolio, Using A Plain Text Editor

Write Bio as a writer

words: 150

Keyword: write essay for me

Subject: IT

Pages: 6 Words: 1800


Please note that some of the content on our website is generated using AI and it is thoroughly reviewed and verified by our team of experienced editors. The essays and papers we provide are intended for learning purposes only and should not be submitted as original work.