Individual Assignment Essay
Contents: Types of Vulnerabilities; Important Vulnerability, Impact & Solutions; References

Cyber-security demands are ever increasing in the field of Information Technology with the globalization of the internet. Disruptions due to cyber-attacks are affecting the economy, costing companies billions of dollars each year in lost revenue. To counter this problem, corporations are spending more and more on infrastructure and investing to secure cyber-security vulnerabilities, which range from software to hardware to networks and the people that use them. Due to the complexity of information systems that interact with each other and their counterparts, meeting specific cyber-security compliance requirements has become a challenging issue for security professionals worldwide. To help with these issues, security professionals have created different standards and frameworks over the years for addressing this growing concern of vulnerabilities within enterprise systems and the critical information they hold (“Critical Security Controls,” n.d.).
Before we get into the details, let us examine what exactly a security vulnerability is. By definition, a security vulnerability is a flaw in hardware, software, networks or the employees that use them which can allow hackers to compromise the confidentiality, integrity or availability of the information system (“Common Cybernetic,” 2011). To discuss this topic in more detail, I will first discuss confidentiality, as it is one of the three main goals of IT security. Confidentiality is as simple as it sounds: limiting access to resources to only those that need it.
Confidentiality vulnerabilities occur when hackers exploit some weakness or flaw within an information system and view information that they are not normally allowed to see. In this case the confidentiality of the documents has been compromised. The second goal of IT security which can also be affected if security vulnerabilities are present is integrity. Integrity by definition can mean many different things in different fields, but in the IT world it relates to the trustworthiness of a document or resource.
This means that the document or file has not been altered and is still in its original form. This is very important because if data has been altered it can cause substantial damage to corporations: wrong decisions may be made, such as investments or unintended publications, or there may be trouble with the law if tax audits do not add up properly, all of which would result in a net loss. The last goal of IT security which can be compromised if security vulnerabilities exist is availability of the information system.
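As an added example (not part of the original essay) of how the integrity property described above is actually checked in practice, the block below tags a document with a keyed digest and then verifies a received copy against it. The key, the sample document bytes and the function names are all assumptions made for this illustration; a plain hash alone would not do, because anyone who can change the file can also recompute an unkeyed hash.

```python
import hashlib
import hmac

# Constructed for this example: a secret shared between the party that
# publishes a document and the party that later checks it. Not from the essay.
KEY = b"example-shared-key-do-not-reuse"


def integrity_tag(data: bytes, key: bytes = KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the document bytes.

    An unkeyed sha256 only catches accidental corruption: an attacker who can
    rewrite the file can recompute the hash too. Keying the digest means a
    forger would also need the key to produce a tag that verifies.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_integrity(data: bytes, tag: str, key: bytes = KEY) -> bool:
    """True if `tag` is the HMAC of `data` under `key`.

    compare_digest runs in constant time, so an attacker cannot learn how many
    leading tag characters matched from how long the comparison took.
    """
    return hmac.compare_digest(integrity_tag(data, key), tag)


def check_document(original: bytes, received: bytes) -> dict:
    """Simulate publish-then-verify: tag the original, then test whether the
    copy that arrived is still byte-for-byte the original."""
    tag = integrity_tag(original)
    return {"tag": tag, "intact": verify_integrity(received, tag)}


if __name__ == "__main__":
    # Constructed sample document; a single dropped digit is the "tampering".
    original = b"Q3 tax filing: total revenue 1,250,000\n"
    tampered = b"Q3 tax filing: total revenue 1,250,00\n"
    print(check_document(original, original)["intact"])  # True
    print(check_document(original, tampered)["intact"])  # False
```

The tag itself must travel over a channel the attacker cannot rewrite (or be signed), otherwise they replace both the file and its tag; the example only shows the detection step.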
Availability refers to the idea that a resource is accessible by those that need it, whenever they need it. In my personal opinion I believe availability is probably the most important of the three security goals. I say this simply because there are many mission-critical applications out there that need to be online 24/7, and any downtime can have catastrophic results. One prime example of this is the air traffic control system at LAX; they were having problems with the system a few months back due to a U-2 spy plane flying over their airspace.
This caused major panic: planes that had taxied and were ready to take off were grounded, and planes already in the air had to be tracked manually (Leers, 2014). Throughout this paper I intend to report on the many different types of cyber-security vulnerabilities and their effects. I will also describe in detail the vulnerability I feel is the most important facing IT managers today, its impact on organizations, and the solution. As I stated before, there are many different types of security vulnerabilities out there which can affect the integrity, availability and confidentiality of a resource.
So the question still remains: what exactly are these types of vulnerabilities? They range across software, hardware, networks and the people that use them. Firstly I will discuss software vulnerabilities, more specifically in web applications, because more than half of current computer security threats and vulnerabilities affect web applications, and that number is ever increasing (Offense, Axis, Viral, Madeira, 2014).
When considering the programming language used to develop web applications, PHP is considered a weakly typed language, while Java, C# and Visual Basic are considered strongly typed languages. It is important to note that the language used to develop the web application matters because, although the different programming languages are similar overall, each one has different rules for how data is stored and retrieved, how code is executed, how tables and collections are handled, and so on.
For example, when I say how data is stored and retrieved, I am basically referring to data types and data structures and how the programming language maps values into typed fields such as strings for names, integers for numbers, or booleans for true and false values. Overall, though, even using a strongly typed language like Java does not guarantee freedom from defects, because the language itself may not be the root cause of the vulnerability; the implementation methods used, or insufficient testing, may be (Offense, Axis, Viral, Madeira, 2014).
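The point that the language's type system does not save you from an injectable implementation is easiest to see with SQL injection, which the essay names as one of the two most common web-application vulnerabilities. Below is an added example (not code from the essay) in Python, a strongly typed language: the same login lookup written once by string concatenation and once with a parameterized query, run against a constructed in-memory SQLite table. The table contents, the user names and the function names are assumptions for the demo; passwords are stored in plaintext only to keep the query readable, which a real application must never do.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Builds the SQL by string formatting, so whatever the user typed becomes
    part of the query text. Python's str type does nothing to stop this: the
    database sees a quote in the input as query syntax, not as data."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterized query: the SQL text is fixed and the values are bound
    separately by the driver, so quotes in the input stay data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def demo() -> dict:
    """Run both variants with a real credential and with a classic tautology
    payload supplied as the password; the attacker knows no password at all."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        # Becomes: ... WHERE name = 'x' AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row satisfies the WHERE clause.
        "vulnerable_injected": login_vulnerable(conn, "x", payload),
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        # The bound value is compared literally and matches no stored password.
        "safe_injected": login_safe(conn, "x", payload),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The injected call against the concatenated query returns every user, which in a real application means an attacker is logged in without a credential; the parameterized version returns nothing for the same input. Whether the host language is PHP or Java makes no difference to this outcome; only how the query is built does.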
Vulnerabilities in web applications invite XSS exploits and SQL injection, which are the most common types. The chart referenced at this point in the original showed the evolution of reports of SQL injection and XSS exploits over the years.

In this next section we will discuss some more types of security vulnerabilities, more specifically vulnerabilities in hardware. Many people assume that hardware vulnerabilities are of the lowest security concern compared to other types of vulnerabilities like software, networks and the people that use them, simply because hardware can be kept in secure environments.
The truth is that hardware is also susceptible to attack. Hardware in general has a longer lifespan than software, because software can be upgraded and patched even after deployment, whereas once you purchase hardware you are most likely going to keep it for a while. When it does become obsolete and ready for disposal, many organizations make the simple mistake of not disposing of the old hardware securely, which opens the door for intruders.
Old hardware has software installed on it and components such as integrated circuits which can help hackers learn a lot more about the organization and lead to future attacks (Bloom, Leonie, Maharani, Simms, 2012). The most recent example of a hardware-related vulnerability which caused one of the biggest cyber-security breaches in history was at Target. Data for 40 million credit and debit cards was stolen after malware was introduced onto the point-of-sale terminals, where it scraped card data from the terminals’ memory before it was encrypted (Russo, 2014).
Although hardware vulnerabilities are not normally the root cause of the majority of exploits and breaches, it is still good to follow best practices. Network vulnerabilities will be the next topic of discussion and my personal favorite. Vulnerabilities in network systems are very common, especially with all the resources available to hackers today. There are many open source software programs on the market which can help intruders learn critical information about an organization.
Two of the most popular and commonly used are the Nmap security scanner and Wireshark. Nmap was originally developed for security and system administration purposes, such as mapping a network and finding vulnerable hosts. Today it is also commonly used in black-hat hacking (Weston, 2013). Hackers use it to find open ports and other weaknesses, which in turn helps them gain unauthorized access to the network. Wireshark, similarly, was originally developed for network analysis and troubleshooting.
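To make concrete what a port scanner such as Nmap does at its simplest, here is an added example (not code from the essay, and not Nmap's own code) of a TCP connect scan: for each port, attempt a full three-way handshake; a port that completes it has a listener behind it. The example opens its own listener on a loopback port so that it has a known target, then scans a small window around that port. The host, port window, timeout and function names are assumptions for the demo. It scans only 127.0.0.1 on purpose: scanning hosts you are not authorized to test is exactly the misuse the paragraph describes.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect probe. connect_ex returns 0 when the handshake completes
    (something is listening) and an errno, such as ECONNREFUSED, otherwise."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports, workers: int = 32) -> list:
    """Return the sorted list of ports on `host` that accept a TCP connection.

    Probes run in parallel because each filtered port (no reply at all) costs
    a full timeout, whereas a closed port answers with a reset immediately."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted(p for p, is_open in zip(ports, results) if is_open)


def demo() -> dict:
    """Start a listener on an OS-chosen free loopback port, scan the ports
    around it, and report which ones the scan found open."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        found = scan_ports("127.0.0.1", range(port - 5, port + 6))
    finally:
        listener.close()
    return {"listening": port, "open": found}


if __name__ == "__main__":
    result = demo()
    print("listener on", result["listening"], "-> open ports:", result["open"])
```

A connect scan is the noisiest technique: every probe shows up as a completed connection in the target's logs. Nmap's default SYN scan sends only the first packet of the handshake, which needs raw-socket privileges and is one reason scanning activity is worth alerting on from the defender's side.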
It allows administrators to view and capture all packets that pass through a particular interface. Over the years hackers have started using Wireshark to analyze traffic on unsecured networks as a step toward gaining unauthorized access (Shaffer, 2009). Although scanning for open ports and capturing packets are effective ways for intruders to learn about a network, the most popular method by far for breaching a network is USB thumb drives. Most enterprise networks are fairly well protected in the sense that they use a DMZ (demilitarized zone), which makes penetration from outside very difficult.
In a demilitarized zone, outside network traffic must pass through two different firewalls to get to the organization’s intranet. Behind the first firewall sit the commonly used public-facing servers, such as FTP and SMTP, and all other resources that can be accessed by the public. Behind the second firewall is the actual intranet of the organization, which includes all private resources (Rouse, 2007). The original includes a diagram of a DMZ at this point. So the question still remains: since most enterprise organizations use a DMZ, which helps blunt port scanning and packet analysis from outside, why are USB thumb drives the most popular network vulnerability (Marker, 2013)? The answer is very simple: social engineering. We as human beings, through social conditioning, do not stop and ask questions when we are not familiar with someone, and this has become one of the major causes of the cyber-security breaches that occur today. Just to give one example from my own personal experience at work, each floor has a badge-swipe policy to gain entry. Every time I enter the office area there are a few people with me, and only one person in the group usually swipes his or her badge to open the door.
This is a huge security vulnerability because anyone can just follow the group and gain access to the entire intranet of the organization. In my case in particular, I work for United Airlines headquarters in Chicago at the Willis Tower, which is more than 100 stories high, and the fact that the entire building is not ours alone makes this a huge security concern. While I have briefly explained the vulnerabilities in software, hardware, networks and the people that use them, the question still remains: what is the most important security vulnerability facing IT managers today?
The answer to this question differs from person to person, and one must take into consideration the actual vulnerability, its threat source and the outcomes. A person with a small home business might only be concerned with denial-of-service attacks, since they may not have enough cash flow to properly secure their network. On the other hand, an enterprise organization with large cash flow might have a different perspective and probably does not concern itself with denial-of-service attacks but instead focuses on making sure all systems are up to date using Windows Server Update Services.
In my personal opinion, though, you might have guessed it, but it is definitely us human beings, because we have the tendency to fall victim and contribute to the successful security breaches that occur in today’s society. Mate in his essay “TCP/IP Suite” stated that vulnerabilities occur because of human error. A study by Symantec and the Ponemon Institute showed that 4 percent of data breaches in 2012 resulted from human mistakes (Olivares, 2013).
Larry Ponemon, founder and chairman of the Ponemon Institute, stated that “Eight years of research on data breach costs has shown employees’ behavior to be one of the most pressing issues facing organizations today, up by twenty-two percent since the first survey” (Olivares, 2013). A prime example of this is what I described earlier about how anyone can enter my office area without swiping a card, simply by following the group. This is a form of human error where employees are too intimidated to ask questions and request authorization from someone they believe does not work for the organization.
The intruder can just walk in the front door pretending to be a salesperson, repairman or even a white-collar businessman, and may look legitimate but in fact is not. This intruder now has direct access to the intranet and can install malware on the computers to disrupt daily operations or steal sensitive data like confidential project information, release dates, trade secrets and more. A very good example of this is the Stuxnet worm, which infected Iranian nuclear facilities and caused a lot of damage internally, which in turn delayed Iran’s nuclear development.
All of the security measures that were put in place by Iran’s cyber-defense team were circumvented by just one employee, because the worm was introduced through an infected USB drive. This shows how direct access by unauthorized users, due to employee negligence, can cause tremendous damage and render all the perimeter defenses useless. Another prime example of human error was the RSA breach in 2011, where the attackers, instead of sending millions of phishing emails to random mailboxes, sent personalized emails to specific employees.
The employees at RSA, thinking that because it was a personalized message it was “safe,” opened the attachment unknowingly, which in turn caused malware to be installed on the network. To counter this problem, IT managers first need to properly train employees and give them specific guidelines to follow. Symantec has issued press releases with guidelines on how to properly secure sensitive data, including information on how to train employees to recognize these types of intrusions.
Human error is not limited to intimidation or foolishness; it also extends to many different areas, because after all it is we humans who manage cyberspace and grant physical access to the terminals and systems that are connected to the intranet. We set up the protocols used for communication, set the security policies and procedures, write backend server software, create the passwords used to access sensitive information, maintain updates on computers, and so on (“Security 2011,” 2011).
The human element matters very much, possibly more than the software, hardware or network systems, especially when it comes to properly securing an intranet from data breaches. The impact on the organization always depends on what type of business it is and what it is engaged in. For example, an organization that is very popular and has a big presence in online commerce (Amazon and Newegg) will be more concerned with web-based attacks and vulnerabilities than one that does not use the internet much.
The impact, though, regardless of the type of organization, will always be tremendous. Once a breach occurs, not only are you spending on recovering from its effects, but you are also spending on beefing up your current security measures by installing new devices and hiring new employees so the same thing does not happen again (Hobnobs, 2008). Sometimes, at the end of the day, some of the losses are not even recoverable, like sensitive data, trade secrets, personnel information or customer information.
Another major cost and headache that occurs once an organization becomes a victim of a cyber-attack is lawsuits. Many customers who feel that the organization could not protect their confidentiality will sue the corporation for millions of dollars, which in turn can cause major losses. IT managers can do many things to help prevent breaches due to human error. The first thing they can do is properly train employees, as stated above, on a periodic basis, and use current guidelines like Symantec’s to properly secure their intranet from any type of intrusion.
IT managers can also establish a safe harbor in the sense that they can force employees to change their passwords periodically and establish rules that passwords must be a certain number of characters long and must include other types of characters besides the typical alphanumeric ones. It is worth noting that current NIST guidance (SP 800-63B) advises against mandatory periodic rotation and composition rules, favoring a minimum length and screening new passwords against lists of known-breached passwords instead. Employee negligence is also due to bad habits like sending sensitive data over unsecured email, and IT managers must ensure that they deliberately educate their employees. There are many different types of security vulnerabilities in today’s world that are affecting organizations.
Use Porter’s Value Chain
When problems arise with the network or the software, how can they be identified and resolved? How do we set up an IS group to solve problems and help users? (4 marks) 4. How has Reebok been hampered by its information system? (2 marks) 5. Write a report (10 marks) to management that describes the primary cause of the problems and a detailed plan to solve them, shows how the plan solves the problems, and describes any other benefits it will provide.
Use Porter’s Value Chain and Competitive Forces models in your analysis of the cause of the problems. Use labels on the diagrams (4 marks) that are specific to this case, not just generic labels from the textbook or the Internet. Include explanatory text (4 marks) to support your labeling of the diagrams.

General Comments

Assignment Structure

The assignment should be written in the form of a business report, with the following characteristics: It should start with a report title and table of contents.
The title immediately tells the reader what the subject of the report is. The table of contents can be scanned quickly to get an idea of the approach taken in the report, and where to look for particular content. The body of the report should start with an Executive Summary. This should fit on one page and capture the essence of the report. In some assignments, a Recommendations section should also be included. Look for authorities to quote, using footnotes, and use a bibliography to list any references.
Use headings and sub-headings to structure the report. This helps to put your comments into context and give them relevance; the reader starts with some understanding of what it is you are setting out to say. Use diagrams and tables as concise representations of complex ideas or data.

The specific requests asked for in the assignment

Be sure to respond to each specific request made in the assignment. In the overall sense, the request is for an analysis of a case study, so the answer needs to be written in those terms.
Individual Assignment Essay
An article was chosen from the University Library to evaluate the issue of unethical business research conduct. The article chosen is called “Flacking for Big Pharma: Drugmakers Don’t Just Compromise Doctors; They Also Undermine the Top Medical Journals and Skew the Findings of Medical Research.” The unethical business research involved in the article is identified, the parties involved and the affected party are mentioned, and the evaluation identifies how the unethical behavior affected the organization, the injured party and society. A way in which the unethical behavior could be avoided is proposed. The article is about how pharmaceutical companies use medical research in advertising and medical journals (Washington, 2011). Medical advertising influences the articles in the journals and also supplies the journals with the financial support they need to keep publishing (Washington, 2011). Health care professionals rely on medical journals when diagnosing and treating patients. This is not the only issue mentioned in the article. The pharmaceutical companies use techniques in drug research that supply consumers with information that makes bad drugs look good (Washington, 2011). The companies use small groups, placebos, and tests at only minimal and maximum doses (Washington, 2011).
The research only allows the drugs to be tested against variables that benefit the drug. With the statistics provided for medical articles, ethical boundaries have been breached. Because of these breaches, many pharmaceutical companies have pending and tried lawsuits. The parties involved in the article are the pharmaceutical companies, health care professionals, and patients. The pharmaceutical companies provide the medical research to the prescribing health care professional. Inaccurate and unethical research about how the drug works gives health care professionals the wrong information when prescribing to their patients. The consumers suffer the biggest loss, because use of the wrong drug or dose can lead to other illnesses and even death. The unethical behavior has affected the organization, the injured party, and society. The organization is affected because of the unreliability of new drugs brought to market; with past issues of unethical practices in medical research, prescribing health professionals are reluctant to use the product.
The organization loses profit and reputation because of the unethical practices some companies use. The injured party, the patient, is affected through loss of life or the development of illnesses from which they cannot return to a normal state. With illness and death, the individual places hardship on other family members, creating economic instability. Society is affected because new drugs are not developed to help with incurable diseases due to past experiences, and if they are developed, health care professionals do not want to prescribe the medication because of potential lawsuits. Society is trying to build a healthier community but cannot, because trust in pharmaceuticals is no longer valid. To avoid unethical behavior in pharmaceutical companies, a law should be proposed that sets guidelines and standards for pharmaceutical practices in medical research. The law could govern how many different research analyses have to be performed before a drug enters the market, along with what information consumers have to be supplied with when medication is prescribed. Such information could include the side effects of minimal and maximum doses and how long the drug is to be used.
A regulatory agency should be appointed to ensure that pharmaceutical companies follow the new laws and to impose consequences on those companies that do not. This will deter pharmaceutical companies from applying unethical practices to research. In summary, an article on unethical business research conduct was chosen: “Flacking for Big Pharma: Drugmakers Don’t Just Compromise Doctors; They Also Undermine the Top Medical Journals and Skew the Findings of Medical Research.” The article was an analysis of unethical research practices performed by pharmaceutical companies and the consequences of those actions. The parties involved were the pharmaceutical company, health care professionals, and patients. The effects of the unethical practice on each party were given, and a proposal for what could be done to eliminate unethical practices was made as well.