EXAMPLE 1 SECURITY ASSIGNMENT



Contents

1. Executive summary
2. Case
3. Introduction
4. Issue identified
5. Analysis
   5.1. Planning security
   5.2. Contingency planning
6. Information security policy and program policy
7. Program
8. Assessing risk
9. Controlling risk
10. Mechanisms used
11. People and projects personnel
12. Conclusion
13. Recommendations
14. Reference

1. Executive summary

This report aims to identify the issue regarding the hacking of eBay's Web site and to analyse eBay's security policy, including their security planning; contingency planning; policy and program policy; program protection; assessing risk; controlling risk; mechanisms used; and people and projects personnel. It also includes recommendations for eBay's system which could help to avoid potential hacking in the future.

Nowadays technology has improved rapidly, and at the same time more and more security issues arise. It is not enough for the technology people in the organisation to prevent these issues; every employee in the organisation has to be aware of security and deal with those problems. The way to avoid these issues is to have an appropriate policy, implement the program and train the people. If eBay had had better or more suitable security planning, they could have avoided or at least reduced the damage. The solution needs a new security framework with wide, generic protection from harmful attacks that ideally should be low cost and easy to implement, and that effectively protects the weak points of the organisation's system.

2. Case: Article "Hacker Cracks eBay's Web Site"

On 22 March 1999, "A hacker reportedly infiltrated the Web site of Internet person-to-person auctioneer eBay Inc" (FindArticles, 2005). The entire site was taken down and access was gained to other content during the process. The cracker was a 22-year-old college student going by the name "MagicFX". After hacking the site he decided to change auction prices, display fake advertising and redirect traffic to other Web sites (FindArticles, 2005). MagicFX said he had root access to eBay's computers, and copies of eBay's hacked Web pages are on a computer security consultant's Web site. He took down their home page for two minutes and replaced it with the message: "…you can't always trust people…not even huge companies. Do you know who has your credit card information?" (FindArticles, 2005). In regard to the hacking, eBay officials were unavailable for comment; card information was not compromised. eBay has continued working with law enforcement to prevent further hacking attempts (FindArticles, 2005).

MagicFX modified the system's software so that, instead of providing administrators with a secure way to work from a remote machine, it logged that information to a hidden file, so that he could not only intercept passwords and login names but actually watch everyone's keystrokes. He said that he hacked eBay, an organisation whose capital is worth $18 billion, to see how a large e-commerce site worked from the inside. It was also discovered that eBay uses a proprietary system to do its trading, and the source code is highly prized in the hacker community (FindArticles, 2005). The hacking incident affected eBay's business so catastrophically that 60 per cent of the organisation's share price was wiped out in 12 weeks. In November 1999 the share-dealing service was suspended, as customers were able to access other people's accounts because of faulty system design (Mi2g Limited, 2005).

3. Introduction

Nowadays organisations suffer from an ever-increasing number of security problems and attacks; in particular, the organisation's assets, such as private customer information and confidential data, are being targeted. In order to minimise risks, a chief information officer or a chief security officer should be developing contingency plans and conducting risk assessments. Security flaws are easily found by hackers, who are quick to take advantage of them. The act of hacking is illegal, but in many ways it has proven to be helpful in developing new technology and creating new operating systems. However, hacking can be unethical and harmful to organisations. One way to minimise the chances of being hacked is by protecting the computer system and developing more secure systems. This report aims to identify the issue regarding the hacking of eBay's Web site and to analyse eBay's security policy, including their security planning; contingency planning; policy and program policy; program protection; assessing risk; controlling risk; mechanisms used; and people and projects personnel. It also includes recommendations for eBay's system which could help to avoid potential hacking in the future.

4. Issue identified

The biggest issues are that the hacker had root access to eBay's computers and could change prices, place fake advertisements, divert traffic to other sites or even take down their entire network (ADDS Secure.Net Inc). Experts assessing the cause of the disaster cite eBay's failure to build a redundant, scalable Web architecture. eBay's outage was prolonged because its database files became corrupted and had to be rebuilt before the system could be brought back online. Many of these Web sites, including eBay, cannot keep up with their growth, as they lack the skills to keep the site running all the time without any threats (Office of NYS Attorney General Eliot Spitzer, 2001).

5. Analysis

5.1 Planning security

It is important to have security planning in order to provide direction for the future of the organisation, increase efficiency and reduce waste, as well as duplication of error (Whitman & Mattord, 2004, pp. 28-29). eBay is a popular consumer-oriented online auction site which has a responsibility to provide a secure trading environment and to preserve participants' privacy. However, "Large systems like eBay are focused on keeping the money machine running smoothly, but this has come at the expense of security. Users should realize that just because a site says their personal information and credit card numbers are secure doesn't necessarily make it so" (HWA.haxOr.news, 1999). In the past, compromises have been made which have resulted in some so-called secure information falling into the wrong hands. However, as Internet commerce matures it is becoming increasingly clear that hacker attacks on Web sites affect the business, and the threats can and sometimes do result in big losses. If eBay had had better or more suitable security planning, they could have avoided or at least reduced the damage (HWA.haxOr.news, 1999).

5.2 Contingency planning

Contingency planning is the process of preparing for unexpected events. It consists of three components: the incident response plan, the disaster recovery plan and the business continuity plan (Whitman & Mattord, 2004). eBay has established contingency planning on the basis that it does not matter why or how an incident happened; they just need contingency plans to take care of customers. For instance, to prepare for natural disasters, they use co-location facilities, spread important applications such as e-mail across different servers, and have found backup providers for Web hosting and other essential jobs (CNET News.com, 2002). As the largest auction site, eBay must have a sophisticated security system and contingency plans, as the site is in possession of huge amounts of confidential customer data. It is important to establish an emergency-response team that knows how to protect key records and systems, to build redundancy into the network infrastructure, and to place servers in separate locations so that they cannot all be damaged at once (Massachusetts Institute of Technology, 1977-2005).

6. Information security policy and program policy

Policy can be the essential foundation of an effective information security program. For instance, a system administrator cannot install a firewall without receiving information security policies. The following guidelines can be applied:

- Policies are designed to contribute to the success of the organisation.
- Management ensures the reasonable sharing of responsibility for use of the system.
- End users should be involved.

(Whitman & Mattord, 2004)

eBay has put massive effort into enhancing security. However, new threats require education of the end user, technology improvements, and information sharing and analysis to reduce their impact. The main focus of effort for eBay was to develop advanced applications to identify potentially spoofed or hacked Web sites, and to establish a full-time team dedicated to identifying threats and notifying other organisations when they were found. It is essential for every organisation to have a better security policy and program against non-stop cyber security attacks (eBay Inc, 2004). eBay's mission is to ensure that all users are able to buy and sell as securely as possible. The chief information security officer believed that they got hacked due to poor management of a user's account, which gave someone an entry point into the eBay network. Developing a security system is essential, but employees should also be aware of security and contribute to security operations (Infoconomy, 2005).

7. Program

The size of the organisation and the resources available affect the size and structure of the information security program. Organising an information security program involves managerial challenges. The functions of the information security program include risk assessment and management, system testing, policy, planning, measurement and training (Whitman, 2004, pp. 159-161). "The goal of an organisation's information security program is to cost-effectively provide the appropriate degree of security to critical information assets." An information security program includes security policies and provides the resources for carrying out and supporting the program. A big organisation like eBay should have provided new employees with a security awareness program at their first orientation to minimise the risk (Citadel Information Group, Inc, 2001). "A security awareness program keeps information security at the forefront of users' minds on a daily basis" (Whitman & Mattord, 2004). There are some important ideas to help the security awareness program succeed:

- Avoid using technical jargon.
- Provide a clear document mentioning people's roles in information security.
- Focus on people both as part of the problem and as part of the solution.

(Whitman & Mattord, 2004)

8. Assessing risk

Risk management is the process of discovering and assessing the risks to an organisation's operations and determining how those risks can be controlled or mitigated. Security risk management is one of the key responsibilities of an information security manager in many organisations. There are five categories of networked information system security threat: trespass, disclosure, modification, repudiation and denial of service. Some hackers practise for financial gain, but most hackers want an intellectual challenge, like MagicFX (Mi2g Limited, 2005). eBay knows that it is a hacking target and that attacks will never end. The identified assets of eBay are shown in the following table.

IT system component | Risk management component
People              | People internal, People external
Data                | Transmission, Processing, confidential, private information
Software            | Application, Operating systems, security component
Hardware            | System, Security device
Networking          | Intranet and Internet component

(Whitman & Mattord, 2004)

9. Controlling risk

Controlling risk begins with understanding what risk mitigation strategies are and how to formulate them. Avoidance, transference, mitigation and acceptance are the basic strategies for controlling risk. For example, mitigation attempts to reduce, by means of planning and preparation, the damage caused by the vulnerability. This approach also includes the incident response plan, the disaster recovery plan and the business continuity plan. As the leading auction site, eBay has to detect any attack and respond to it as quickly as possible. After a control strategy has been selected and implemented, the controls must be monitored and measured on an ongoing basis. It is also important to analyse whether the security controls and safeguards are economically feasible (Whitman & Mattord, 2004, p. 332).

10. Mechanisms used

Technical controls are an essential part of an information security program to ensure a secure IT environment. There are several common, widely used technical security mechanisms: access controls, firewalls, dial-up protection, intrusion detection systems, scanning and analysis tools, and cryptography. A big organisation such as eBay must have sophisticated firewalls and other preventive measures to keep hackers out of its systems (BusinessWeek online, 2001). The hacker, who did not divulge his real name, gained access to eBay's computers by figuring out what accounts existed and trying simple passwords. He tried words like "e-commerce" and "eBay". The hacker was quite amazed that eBay did not use standard password-protection schemes, which consist of a mixture of numbers and letters (HWA.haxOr.news, 1999), as it is such a simple security measure for one of the world's biggest e-commerce sites. It is very important to have a long and non-obvious password. The password should also be at least eight characters long and contain at least one number and one special character (Whitman, 2004, p. 287).

11. People and projects personnel

Maintaining and developing a secured system needs to be the responsibility of selected people in the information security department. The organisation needs individuals who have the ability to recognise that information security is a management task which cannot be handled with technology alone, who have good communication skills with a variety of people, and who understand how technical controls such as firewalls and antivirus software work (Whitman & Mattord, 2004, p. 415). However, eBay still has not found enough experienced people with a combination of firewall, authentication, operating system and network security skills. Most chief information officers believe that holding certifications alone is not good enough; having real experience and the right attitude is important. Many organisations are aware of their security systems and spend huge sums of money to protect themselves against hackers, but what is most important in maintaining a secured system is improving employees' level of awareness and education, and having an operational plan for what to do if some specialists leave (Network World, 1994-2005).

12. Conclusion

In conclusion, this report identified the issues of the hacking of eBay's Web site and analysed their security policy, including their security planning; contingency planning; policy and program policy; program protection; assessing risk; controlling risk; mechanisms used; and people and projects personnel, as well as recommendations for any incident. The analysis of their security policies or programs was quite difficult to research, as normally an organisation does not talk about incidents; organisations seem reluctant to admit the failure of their security systems for fear of losing the trust of their users. However, organisations can learn from previous cases in many organisations and develop their security systems more efficiently.

13. Recommendations

Organisations should cover all aspects of organisational security, from physical access to the site to network and Internet access. The security policy or planning for eBay should be powerful enough to support future administrators' needs, such as automatic incident reporting to inform administrators when a security system is breached, and secure management of the firewall itself, so that hackers would not be able to reconfigure the firewall and create security issues (NSS Group Ltd, 2005). Moreover, the solution needs a new security framework with wide, generic protection from harmful attacks that ideally should be low cost and easy to implement, and that effectively protects the weak points of the organisation's system (NSS Group Ltd, 2005). Even though eBay has put a lot of effort into protecting its infrastructure against denial-of-service attacks and traditional threats, it still needs to look at what more it can do, and looking at different ways of mitigating risk in the future is a challenge for every organisation. Since eBay was a target for hacking, strong authentication is their solution: the technology allows users to sign into an account once and use that identity across many different sites and networks (Infoconomy, 2005).

14. Reference

ADDS Secure.Net Inc, Media Examples of Security Breaches, viewed 5 June 2006, http://www.addsecure.net/breach.htm
Whitman, M., & Mattord, H., 2004, Management of Information Security, Thomson UK
FindArticles, 2005, Hacker Cracks EBay's Web Site, viewed 26 May 2006, http://www.findarticles.com/p/articles/mi_m0NEW/is_1999_March_22/ai_54188087
NSS Group Ltd, 2005, Securing Your Business
Mi2g Limited, 2005, Is the UK prepared for Cyber Warfare?, viewed 26 May 2006, http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.com/cgi/mi2g/press/170100.php
Rong-Ruey, D., Karim, J., & Shyam, S., 2002, Control and Assurance in E-Commerce: Privacy, Integrity, and Security at eBay, viewed 26 May 2006, http://66.102.7.104/search?q=cache:Hrh13G8MDI0J:www.som.yale.edu/Faculty/sunder/eBay/eBayOct1602.pdf+failure+of+security+policy++eBay+security+1999&hl=en
Network World, 1994-2005, Seeking security skills, viewed 5 June 2006, http://www.networkworld.com/careers/2002/1028man.html
Office of NYS Attorney General Eliot Spitzer, 2001, A. Points of Reference: E-Commerce Failures, viewed 9 June 2006, http://www.oag.state.ny.us/investors/1999_online_brokers/points_reference.html#157
BusinessWeek online, 2001, Your Web Site Might Be Playing Host to a Hacker, viewed 9 June 2006, http://www.businessweek.com/smallbiz/content/mar2000/sb20000306_426.htm
HWA.haxOr.news, 1999, viewed 9 June 2006, http://packetstorm.linuxsecurity.com/mag/hwahaxornews/HWA-hn11.txt
eBay Inc, 2004, Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, viewed 9 June 2006, http://64.233.187.104/search?q=cache:dPhaUBUGQdIJ:reform.house.gov/UploadedFiles/Schmidt1.pdf+eBay+Information+security+system+policies+policy&hl=en
CNET News.com, 2002, Bracing for an Internet disaster, viewed 9 June 2006, http://news.zdnet.com/2100-1009_22-945050.html
Massachusetts Institute of Technology, 1977-2005, Sure, You Can Trust Us, viewed 5 June 2006, http://www.sloanreview.mit.edu/smr/issue/2001/fall/1g/
Citadel Information Group, Inc, 2001, Defending Critical Information Assets From Cyber-Criminals, viewed 4 June 2006, http://66.102.7.104/search?q=cache:H7pQgSycmRIJ:www.citadel-information.com/information-security-primer.pdf+how+eBay+information+security+program+&hl=en
Infoconomy, 2005, eBay, viewed 2 June 2006, http://www.infoconomy.com/pagrs/security-management/group103206.adp
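As an added example (my own code, not from the report, from eBay or from the cited sources), the following Python check enforces the password rule quoted in section 10 (at least eight characters, with at least one number and one special character) and additionally rejects the kind of obvious guess the article says was tried, such as the site's own name or "e-commerce". The blocklist, the org_terms hook and the sample passwords are constructed assumptions for illustration.

```python
import re
from typing import Iterable, List

# Constructed blocklist for illustration: the obvious guesses the article
# says were tried (the site's own name, "e-commerce") plus a few common
# dictionary passwords. A real deployment would use a far larger list.
WEAK_TERMS = {"ebay", "e-commerce", "ecommerce", "password", "auction", "admin"}

MIN_LENGTH = 8  # the report's rule: at least eight characters
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def _normalise(text: str) -> str:
    """Lower-case and keep letters only, so 'eBay-2024!' still matches 'ebay'."""
    return re.sub(r"[^a-z]", "", text.lower())


def password_problems(pw: str, org_terms: Iterable[str] = ()) -> List[str]:
    """Return every policy violation found in pw; an empty list means acceptable.

    org_terms is a hypothetical hook for organisation-specific words (hostnames,
    product names) that should be rejected in addition to WEAK_TERMS.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no special character")

    core = _normalise(pw)
    blocked = WEAK_TERMS | {t.lower() for t in org_terms}
    for term in sorted(blocked):
        # Substring match on the letters only, so padding a blocked word with
        # digits or symbols ("eBay2024!") does not get it past the check.
        if _normalise(term) and _normalise(term) in core:
            problems.append(f"contains blocked term '{term}'")
            break
    return problems


def is_acceptable(pw: str, org_terms: Iterable[str] = ()) -> bool:
    """True only when the password passes every rule above."""
    return not password_problems(pw, org_terms)


if __name__ == "__main__":
    # Constructed sample passwords, not values from the article.
    for candidate in ("eBay", "e-commerce", "eBay2024!", "k7#Qp!9wLm2"):
        print(f"{candidate!r}: {password_problems(candidate) or 'acceptable'}")
```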

This note was uploaded on 02/15/2010 for the course ITC 594 taught by Professor Peterdalmaris during the Three '10 term at Charles Sturt University.