The dynamic nature of crime in modern society has transformed the way in which criminal activities are executed and has led to increment in cyber and computer related criminal activities. Due to the soaring increases in cyber crimes, various states have put more emphasis on computer forensics as a means of protecting and curbing such crimes.
While computer forensics have played a major role in reducing cases of cyber terrorism and corporate crimes in most countries, the process have faced major challenges which emanate from data accuracy and associated costs of storage, searching and indexing as well as the efficiency of data retrieved using various techniques.
The study addresses one of challenges faced by computer forensic experts, retrieval of audio information. While corporate entities and other organizations struggle to identify the relevant data that needs to be preserved and the associated costs, the technology used by forensic experts to retrieve such information are often inaccurate and inefficient which minimizes the strength of such evidence in court.
Introduction
Advanced technology in the modern society has contributed to the increase in computer and computer supported criminal activities due to the soaring increases in the number of internet users across the world and computerization of business processes which has created opportunities for computer criminals and terrorists to execute crimes.
Numerous studies have revealed that crimes such as cyber attacks, hacking, and other computer based criminal activities have been costing business organizations and governments a considerable amount of money each year which has prompted the development of Computer forensics to preserve, identify, extract, and document computer evidence. Computer forensics can be defined as the process through which information is extracted from a computer crime scene while guaranteeing its accuracy and reliability through retrieval and storage as data or magnetically encoded information.
Literature Review
Audio files present a major challenge for computer forensics during the criminal justice process. Data presented in form of email, instant messaging, faxes, text messages, data derived from business computer applications as well as voice messages sent through network avenues and digital devices are commonly used in business organizations due to their ability to cut down costs (Vacca, 2005). However, on occurrence of computer related crimes, such voice based files may be difficult and expensive for computer forensic experts to retrieve.
Although numerous systems have been put in place to facilitate storage and indexing of data within organizations, these systems are very expensive which prompts companies to outsource the role to other companies (Caloyannides, 2009).
Furthermore, despite the fact that the tools for searching and storing data are often effective and accurate, with audio data, such levels of accuracy and efficiency have not yet been achieved. Indeed, the three current means of searching audio data; phonetic search, transcribing by hand, and automatic transcription (Ewechia, 2011) have been found lacking to some extent.
Phonetic search technology extracts audio information through wave patterns and often results in false hits due to the wide variations in people’s mode of speech, accent, pronunciation and dialectics. In addition, this method does not have the ability to transcribe audio messages into texts and hence solely relies on the hearing ability of experts and other concerned stakeholders (Ewechia, 2011).
Manual transcription of audio data which facilitates in conversion of audio messages to text is effective but its time consuming since it depends upon the listener to transcribe the words as they are hear which makes the process more labor extensive hence expensive. Machine transcription, which is an automated means converting audio data to text, is a faster means of retrieving audio data but it suffers from accuracy issues emanating from factors such as differing pronunciation and clarity of recordings (Ewechia, 2011).
New federal rules of civil procedures have been put in place to ensure that companies identify key communications and data sources which should then be saved for future references. As requirement for retention of data increases, identifying the type of data to be preserved has become a major challenge for organizations which impacts on future data availability.
In addition, computer forensic experts are expected to prove beyond reasonable doubt that that the information they have extracted through these methods is exactly as it was on the computer or other digital device in order to guarantee accuracy and reliability (Lucas & Moeller, 2004). Failure to guarantee such aspects in audio data reduce the strength of evidence hence decreasing the likelihood of success in a court of law.
Conclusion
Computer forensics has become an increasingly important component in the fight against crimes. This is primarily due to its ability to retrieve, and present the data required for criminal investigations in a clear and precise form. The data retrieved through computer forensic technology has played a major role in availing evidence which has provided lead to many cases and has also prevented cases of false incrimination.
Despite the challenges that the process faces, the technology continues to evolve and advance as time progresses. We can only anticipate a future where more advanced methods of data retrieval will be developed in order to guarantee accuracy and validity of such data.
Reference List
Caloyannides, A. M. (2004). Privacy Protection and Computer Forensics. Massachusetts: Artech House.
Ewechia, (2011). Audio Files Present Challenges for Computer Forensics and E-Discovery. Web.
Moeller, B., & Lucas, J. (2004). The Effective Incident Response Team. New York: Addison-Wesley.
Vacca, R. J., (2005). Computer Forensics: Computer Crime Scene Investigation Vo. 1. New York: Cengage Learning.
As the current society advances through massive usage of computer networks, various legal issues and regulations have been developed to ensure sustained protection of sensitive information and intellectual property among organizations. According to Lloyd (2008: 118), cyberspace remains an eminent issue in the current society dominated by massive increase in IT, where statutory amendments and rational precedents need to be reconciled with the existing laws.
Particularly, computer network security issues are becoming focal considerations with regard to the computer abuse in cyberspaces, where accurate legal and ethical formalities needs to be incorporated to protect the information and data relayed in networked environments. This paper will discuss the legal framework governing computer networks in UK, with regard to the legal obligations facing Hayes International operations.
Data protection refers to the measures and strategies incorporated in the information system to safeguard data within a networked environment. Data protection is a very complex strategy incorporating all processes and structures installed within networks to prevent any data damage or leakage within the network. With the introduction of cloud computing, the need of data protection has been rising significantly within computer networks to facilitate the protection of Intellectual Property among the users.
Brief History of Computer Network Legal Framework
Considering the reportedly increasing cyber crimes and fraud, the need of information security has been necessitated. Security education has been one of the major areas of specialization among scholars in order to enhance development of adequate information systems security. In the year 1985, fraudulence over the computer through internet was detected. As a revealed by Barry (2009: 541), Computer Fraud and Abuse Act was developed ; in which individuals who were found conning others or intimidating other online were to be prosecuted. The government intervened and instructed on development of systems to investigate on the crimes committed over the internet through the use of computer forensics science.
Notably, the law required the establishment of accurate evidence of any information which could be considered as involving fraudulence to be used in the court for prosecutions of the accused. As reported by Michele and Stokes (2010: 571), any individual found guilty of the offense was to be fined according to magnitude of the fraud case, or be imprisoned for two years. According to Data Protection Act of 1998, unauthorized access to private competitor information in a networked environment is illegal and the firm regulating the online network should be liable for the offense.
On this basis, Hayes International Company should reinforce its network security in order to facilitate privacy for the sensitive information relayed across its networks by its clients. This is an obligatory legal duty for Hayes Company to ensure safeguard its clients’ data.
The Legal Framework of Computer Networks in UK with Regard to Hayes International Company
As revealed in the 2002 Social Networks Act, various security analyzers suggested the incorporation of extra elements in the information security systems including authenticity and possession. In this case, confidentiality has been upheld in the currently used security system since the encryption of personal credit cards and other confidential information have been limited to appear in very few places. This has greatly reduced fraud since various personal codes have not been publicly displayed. For instance, (2000: 22) reports on how online transactions using credit cards would only involve the displaying of the card data to limited number of places.
This would reduce the chances of the number being tracked reducing the chances of confidentiality breaching. In this regard therefore, confidentiality in information security systems has been uplifted which have increased privacy among individuals while making online transactions. On this basis, Hayes International Company should consider updating its network system, by having specific data for its clients be displayed at limited places with an aim of reducing the chances of any data leakages.
Since Hayes International Company owns a number of leading online retailers from the global society, its concerns on the data security for its clients should be a priority. According to UK Copyright Law, comprehensive protection of Intellectual Property requires businesses to honor and respect patent and copyright policies provided by data producers or developers. Since it has become easy and faster to copy digital information, the law prohibits not only the interference of any information on a networked environment, but also the tendency of making it available to the public without the consent of the owner.
On this basis, the Hayes International Company should ensure that the information relayed across its networks for its clients is not interfered with or tampered at the slightest point. Further, the information control center of the company should ensure no leakages of the information relayed, as it may interfere with the performance of its clients. By so doing, Lloyd (2008: 123) reveals how coherence and consistency in the network system would be achieved, which will enhance the ultimate achievement of the goals and objectives set by all parties within the system.
In the year 2005, information security integrity was established. This meant that, any data encrypted online should not be modified or changed without being detected. With regard to Michele and Stokes (2009: 577), this strategy has been enhanced through the involvement of ACID classic models which provide unique codes to the original data provided in which its modification amounts to its rejection in the process of decrypting the data. One of the most important aspects of this strategy is that, organizations which have adopted the strategy would be having more security of their information since it would not be easy for interrupters to make any alterations and modifications.
In order to ensure guaranteed security for its clients’ data, Hayes International Company ought to conform to high-tech information system capable of ensuring un-interruptible information system in cases of data leakages. As noted by Farr and Oakley (2010: 89), this is a legal obligation entrusted to all data companies, since they are eligibly liable for any inconveniences arising out of data leakages within their network system. As a central point of data processing for its clients, Hayes International Company should establish computer software capable of monitoring all the transactions carried out by its clients in order to produce evidence for its clients in cases of any suspected crime of fraud.
Authenticity is another element that has been of late introduced in the information security as a result of development of e-commerce and international transactions. In this case, the parties involved in any transaction ought to provide genuine information which must be validated after the parties involved come into consensus. As held by Barry (2009: 544), this particular reinforcement of the information security systems in the year 2005 was found to impact positively on the development of international business transactions since there were low chances of fraud and other internet evils.
In order to facilitate efficiency among retailers and their clients, Hayes International Company need to establish a system capable of validating any transaction, only when the parties involved come into consensus. This strategy conforms to the 1998 Cyber Crime Act in the sense that, all online transactions ought to be facilitated sequentially with an aim of reducing cases of fraud among online businesses. In order to facilitate the policies presented in this Act, Hayes International Company should establish validation strategy in its systems in order to reduce cyber crimes among international businesses.
According to Brazell (2008: 56), the reinforcement of information security has been accompanied with ‘non-repudiation’, where each party involved in any transaction ought to fulfill the obligations of the contract. This acts as a guarantee for the clients to indulge into the transaction. This has enhanced lower chances of any act of fraud since each party can not breach the contact without a mutual consensus with the other.
In this respect therefore, information security has been reinforced to a great extent. Having full understanding of the virtual nature of many online businesses, Hayes International Company should ensure the establishment of non-repudiation strategy in order to curb any chances of fraud cases among the clients involved in the online transactions. Since the company is in control of the network system for all transactions, it would be quite reliable to have its businesses come into contract fulfillment before facilitating the transactions made between the parties.
Further, the introduction of cryptographic technology in information security has been one of the most reliable strategies. As noted by Lloyd (2008: 127), cryptographic strategies are meant to secure data and information displayed online by converting the data into unreadable form by other people apart from the user alone. Though various information infrastructures apart from the computer are being developed, the computer remains the main infrastructure among the others as it ultimately controls a number of processes.
Since this technology has been proved to be quite reliable, Hayes International Company should ultimately consider it as an ultimate reinforcement for the security of its clients’ data. Particularly, the law provides for network businesses to employ the best strategies possible to enhance the highest level of security among its online clients who might be relying on such networks.
According to Computer Fraud and Abuse Act of 2001, it is illegal to access and retrieve information of another individual or organization without prior permission from the owner. Since Hayes International Company deals with facilitating communications between businesses and their clients, it is unlawful for its employees to access any information relayed within its systems belonging to such businesses. As reported by Macdonald and Rowland (2000: 17), in cases of abuse of the Act, the individual or organization alleged will be liable to pay $ 10,000 to the plaintiff. In this case, the Act acts as a safeguarding strategy to confidential information and data among organizations to enhance efficiency and coherence in the achievement of the organizations’ goals and objectives.
As reflected in Cornell and O’Connor (2006: 97), this Fraud Act of 2001 inhibits intentional alteration of computer programs within a networked environment which may cause damages resulting into threatening or loss of people’s lives. More so, if the alteration of the programs results in losses of data stored within a networked environment, the individual or organization responsible is held guilty and liable for compensating the victim of the information loss amount not less that $ 5,000.
In the former case where the alteration of the programs involved results into loss of lives, the individual or organization responsible is held guilty of an offense, and liable to pay a fine not less than $ 9,000. On this basis, Hayes International should ideally control the programs facilitating the process of relaying information of its online clients in order to avoid any dangers resulting into either data of lives loss. By having the law restricts program alterations; it makes it possible to reduce the risks associated with information system’s security within a networked environment.
Further, according to the Computer Fraud and Abuse Act the action of knowingly defrauding or trafficking of sensitive information like passwords in a networked environment without permission is considered as illegal. As held by Bainbridge (2007: 39), if an individual or organization gets involved in an act of trafficking encrypted data belonging to other individuals or organizations trough using software to transform the encrypted information into readable form without prior permission from the authorities is considered as guilt.
In this case, Hayes International Company should ultimately safeguard the information relayed within its networks without getting involved in act of trafficking any of such sensitive information. More specifically, the organization should have its staff be aware of the legal obligations associated with such actions and consider respecting and safeguarding intellectual property belonging to other organizations or individuals.
In response to the invading viruses, the software security law restricts the introduction of any malware to another computer in a networked environment intentionally. Since most of the known malware softwares like viruses have been known to interfere with the stored information in a computer, it is considered as an offense to infect other computers within the networked environment. In order to reduce the rates of viruses infection within the system, Linux and UNIX security wares have been necessitated since the invasion of viruses in the computer files goes to the UNIX and Linux systems and interfere with the entire computer system (Farr and Oakley 2010: 87).
In this respect therefore, the development of encrypted viruses by the Hayes International should be facilitated in order to enhance reliable security against malware infections within the networked environment.
Conclusion
As it has been revealed, the current advancement of information system requires a regulation and control measures in order to enhance efficiency and consistency through the use of computers. Particularly, the legal system has been found quite significant to reinforce the information systems regulation in order to protect intellectual property among organizations, which may be considered as the central nerve for their profitability or performance.
On this basis, Hayes international has an obligatory role of safeguarding its network system with an aim of upholding Intellectual Property for its clients. Quite importantly, its conformity to the legal requirements in computer networks forms a basis for its prosperity. As it has been revealed, the 1998 Cyber Crime Act and 2001 Computer Fraud and Abuse Act have been quite important in governing computer processes in networked systems in UK.
Since the law stipulates on misuse of information systems to interfere with other people or organization’s sensitive information, coherence and consistency in the information system has largely been achieved. More so, any computer program which may pose danger to other people’s lives within a networked environment has largely been addressed in the Computer Law. As a result, the information system’s law is not only concerned with data security, but also on human welfare.
Reference List
Bainbridge, D. (2007) Introduction to Information Technology Law, 6th Edition. London: Longman Publishers, 24-51.
Barry, S. (2009) Contemporary Legal Issues Facing Information Technology. Computer, Internet and Electronic Commerce Terms, (February Issue): 543-571.
Brazell, L. (2008) Information Technology Law and Regulation. Oxford: Oxford University Press, 37-81.
Cornell, D. and O’Connor, M. (2006) EU Communications Law. Manchester: Sweet & Maxwell Publisher, 95-132.
Farr, S and Oakley, V. (2010) Internet Law and Regulation. London: McMillan Publishers, 57-93.
Lloyd, I. (2008) Information Technology Law. Oxford: Oxford University Press, 103- 141.
Macdonald, E and Rowland, D. (2000) Information Technology Law, 3rd Edition. England: Routledge Publishers, 5-38.
Michele, R. and Stokes, S. (2009) Information Technology Law. Computer and Telecommunications Law Review, (Issue): 357 – 404.
The attack on RSA is in a class known as APTs (Advanced Persistent Threats). These threats are mainly aimed at stealing valuable information and unlike other forms of attacks; these are implemented over a period of time. First the attacker makes a series of trials before gaining access to the system and then once access is gained, information siphoning is done over time quietly in the background to avoid being noticed by legitimate users. This makes it difficult to determine what compromised the system at the start, but generally, spear phishing is the most common method that is used by hackers in this type of attack.
It may be pretty difficult to avoid such attacks completely but it is important to keep measures in place to detect them in their earliest stages. However, we cannot sit back and wait for it to happen so that we can detect it and do something. Precautionary measures such as these listed below should be implemented. Strong passwords and PIN policies coupled with regular changing of the same should be enforced while at the same time monitoring changes in user privileges and system access both remotely and locally. The security and use for social media applications should be placed on high priority. The target victims of these hackers are mostly those high in authority as they are likely to have better privileges, therefore the rule of least privilege should be followed in role assignment. Operating systems and security applications should be maintained up to date and employees should be educated on social engineering tactics and how to avoid them.
The time loss associated with this attack includes the time spent trying to figure out the weak points in the system and the time spent communicating with clients and discussing mitigation measures. These processes also involve monetary expenses that otherwise could not have been incurred.
It may be difficult to fend off this type of attack by any hardware device implementation but some antimalware software have capabilities such as anomaly detection, pattern discovery, malicious IP tracking and many others which can help detect an upcoming threat.
No. All are equally susceptible, what matters is the precautionary measures in place.
The local user should avoid opening emails and messages from suspicious senders as well as pop up windows and links. He should also avoid giving out information except to authorized personnel only, (William, 2011).
Peer-to-peer app DC++ hijacked for denial-of-service attacks
This attack is known as a Distributed Denial Of Service attack. From the given information, it is clear that the computers that were used to implement the attack are those whose IP addresses had been compromised through out of date client applications. This means that the Initial problem was failure to update the client application.
To avoid such an attack in the future, it is advisable to keep both the client and server applications up to date. Also using self updating applications especially when it comes to third party applications, such as the peer to peer application in this case. Packet filtering techniques should be employed to ensure that all packets that get into the network are legitimate. Use of IP verification features on the interface, to verify the legitimacy of the source of requests is advantageous.
The monetary or time value lost in the attack may not be clearly quoted, but we know that in any DOS attack, there is a major system downtime involved. This time has got monetary value in terms of IP hosting, system restore, employee idle time and many more. Also there may be need to hire experts to help in system restoration which translates to additional monetary expenses. In cases where the attacker is after extortion benefits then the organization under attack may be in for bigger losses. The affected companies may not have been exceptional.
Packet filters, Firewalls and Software patches are measures that can be put into place to fend off such an attack in the future.
No. All systems are equally susceptible.
The local user should ensure that third party applications that he is using are maintained up to date. Also any abnormal delays in server access should be reported to the person in charge, (Jeremy, 2007).
63 percent of schools suffer IT security breaches
This is not about a specific case but a general study hence it is hard to determine what went wrong. However, we can be justified to conclude that many school attacks are malware and virus attacks propagated through the social media networks. This means that the major compromise of such systems is lack of proper antivirus programs and firewalls.
To avoid future attacks, it is important for schools to put self updating antivirus and antimalware applications in place. External media introduction into the network should be discouraged and in the event that they have to be used, then security measures should be enhanced. Internet usage should be monitored and any suspicious websites blocked. Use of firewalls and IP filters should be emphasized. User authentication measures should be employed while at the same time educating users on the benefits of securing the network as this encourages user responsibility.
Significant system downtime is experienced every time there is an attack and time meant for other businesses especially education related issues which is the core business for schools, is sometimes spent in restoration. Also there is monetary value incurred in system recovery, that is, money spent to hire experts and sometimes to replace parts such as hard drives that have been completely destroyed by viruses.
Installation of Firewalls, antimalware and Antivirus software can help fend off such attacks in the future.
Yes. Certain operating systems like Linux are less vulnerable to virus attacks.
The local user can avoid use of vulnerable external media such as USB devices if the organization does not have proper mitigation measures in place to control virus transmission into the network. Also they can avoid connecting personal computers and laptops to this network. (Panda Security, 2011)
I have chose an article that is based on a technological innovation or application of technology. The article was published in the New York Times on 28th September, 2011. It highlights the way the technological companies are going to stop cell phone hacking. There are recent increased incidences of phone hacking that have led to the innovation of software by different anti hack and malware protection companies to protect phones from such incidences (Pierce, 2007).
There are many issues of the article that are related to the concepts discussed in the text. The article firstly stresses out the concept of demand as explained in the textbook whereby the increased hacking activities have led to increased demand of computer protection and mobile protection software (Miller, 2011). In the recent past, hacking activities have mostly been involved in computers. They include desk top computers, work computers or laptops where hackers send viruses that siphon up one’s information (Kroenke, Gemino and Tingling, 2008).
However, due to the establishment of companies that have designed software to prevent us from the effects of these viruses, this problem has been kept at bay. This has, therefore, created a business opportunity and a highly profitable industry as well as business opportunity within the Information technological world. However, now the hackers have taken step forward and began to hack cell phones. It was only recently that hacker hacked the phones of famous people such as Scarlet Johansson and Prince William and were able to siphon out photos and messages to make money out of them (Pierce, 2007).
This, therefore, means that these hackers are able to hack into any cellphone and still any information saved within the cellphone. In today’s world people are using cell phones more regularly and it has become more of a necessity than just a luxury. People save their important dates there, their regular time schedules, all their contacts, their appointments, their email addresses sometimes even their passwords (Kroenke, Gemino and Tingling, 2008). Cell phones are being designed today to make them as personal as possible allowing a user to save all their important details in there. Thsu, if a hacker could hack someone’s cell phone with his social security number, his passwords and other important information, they would be able to do a lot of harm to a victim (Miller, 2011). That is why, antivirus software companies such as Kaspersky, AVG, McAfee, Sophos, Symantex have come up with a way to protect phones from being hacked (Pierce, 2007).
This article directly put emphasis on the concept of forces of demand as per the Textbook whereby the growing trends of insecurity in storing information in the phones has led to a need of people to feel safe with storing information in their phones. Therefore, this has led to a demand of software or a way to protect phones from being hacked. Hence, this has led to more software security companies coming up such as Kaspersky and Avira (Miller, 2011).
McAfee has released software that protects your PC and smartphone at the same time from malicious malware and also against being hacked. AT&T limited in conjunction with another Information The department of defense has also encouraged these antivirus software companies to come up with a way to protect devices especially mobile phones that possess android software from hacking and malware attack as they are the most vulnerable software (Kroenke, Gemino and Tingling, 2008).
The article under analysis dwells on the issue of increasing returns as the cases of phones’ attacks by hacker’s increases; there will be a sharp increase in the demand of this antivirus software to phones, therefore, the antivirus software companies will raise the price of this commodity. Although it is in the view of many that their phones cannot be hacked as they only protect their computers from hacking, mobile phone operators are more predisposed to being hacked since a mobile operator is more prone to downloading fishy applications and clicking on malicious links.
References
Kroenke, M., Gemino A. & Tingling P. (2008). Experiencing MIS. Updated Second Canadian Edition. Web.
Pierce, C. (2007). Information Technology and Business. Cambridge, MA: Harvard University Press. Web.
Miller, Cain C. (2011). Technology companies see opportunity in stopping cellphone hackers. New York Times. Web.
Société Générale Bank was established in 1864 in France by a caucus of moguls and investors with the aim of improving and bolstering their commercial ventures. Over the years, the bank has tremendously improved its financial outlay. This has enabled it to extend its presence in many nations. Today, the bank is among the successful financial institutions globally.
The bank offers retail banking, savings schemes and intercontinental banking services. Thus, the bank handles thousands of varied transactions daily. Despite its success in the corporate arena, it has experienced a myriad of fraudulent cases which have affected its corporate profile and are likely to retard its future growth. This paper identifies and discusses the policies, vulnerabilities, risks and internal controls of Société Générale.
Fraudsters have pervaded the financial sector with the banking subsector being the hardest hit. It has been quite challenging to track fraudsters because they apply sophisticated technologies which banks cannot keep pace with. In simple terms, bank fraud refers to the unlawful mechanisms of accessing or being in possession of money or other properties that belong to a financial company.
Bank fraud can also be practiced in form of receiving money from shareholders by purporting to be a genuine financial institution. Destabilization of the financial base of an organization is one the most devastating effects of fraud.
With reference to the banking sector, fraud can lead to a mass exodus of potential depositors who may no longer trust the bank with their savings. Second, fraud can cause serious liability to a bank; hence, culminating into a collapsed bank situation. Fraud in the bank can either be conducted by the staff or outsiders. In some cases, the two can conspire to siphon out assets and money from the bank.
“The most serious incidence of fraud that Société Générale has ever witnessed occurred on 24-1-2008, when Jérôme Kerviel (a single futures dealer) allegedly lost close to US$7.2 billion” (NBC News, 2008). This was the worst case of fraud the bank has suffered since its inception (CBS News, 2009). Kerviel is believed to have coordinated and executed a chain of fake transactions, which the bank could not trace.
The management of the bank revealed that Kerviel exploited every loophole to hack the computer operations at the bank. He mainly focused on tampering with security control systems to pave way for his illegal transactions. The changes Kerviel effected on the computer systems helped him to get rid of credit controls; hence, the risk personnel could not easily track his huge transactions.
He was also reported to have stolen the secret codes of his workmates that served at the trading section and department of technology. Kerviel possessed vast technical control procedures that enabled him to manipulate the security installations.
Thus, he was able to access important information that was out of reach to many employees. Having served in the back office for roughly six years, Kerviel learnt how the control systems of the bank operated. Finally, he gained privileged access codes that he used to eliminate five control systems before executing his transactions.
An in-depth security analysis of the fraud incident revealed that lack of proper information control systems prompted the hacking of the privilege codeword. Privileged user accounts are one of the most secure IT venture settings, and are used to secure sensitive databases and servers.
The secret codes are “generic in character; they encompass, but are not restricted to generic accounts such as administrator on Wintel platforms, root on UNIX systems, and hard-coded passwords” (Bishop, 2009, p. 345). One disadvantage of this kind of data security system is that in case the secret code is revealed to many individuals, several operating systems can easily be hacked.
The bank was probably using a single security code to secure several systems. This kind of security system creates loopholes, which can easily be misused by fraudsters. System prowlers apply authentic codes to access systems just like privileged users. They like attacking systems because they are often secured using weak secret codes that can easily be conjectured or have remained unchanged for a long time. An application like Weblogic that is secured with embedded privileged secret codes has high chances of being hacked.
Reviewing Current Policies
The establishment of appropriate and reliable security policies at Société Générale needs a clear approach that will facilitate the identification of the current computer vulnerabilities. The status of the current security policies can be established by analyzing current documents and detecting parts of the system that lack appropriate policies.
“The critical areas of the system that need to be reviewed include: physical access controls, network security policies, data security policies and contingency and disaster recovery plans and tests” (Gollmann, 2011, p. 123).
“In addition, documents that have confidential data like computer BIOS secret codes, router configuration secret codes and access control documents should also be reviewed” (Gollmann, 2011, p. 125). Examining the security requirements of Société Générale should also involve finding out the extent of its exposure to known threats. This analysis encompasses identifying the nature of the bank’s assets because they determine the type of risks it should be protected from.
It is also important to list the potential risks because it enables the security personnel to determine techniques such as email hacking and viruses that can be applied in the attack. Therefore, the security personnel at Société Générale Bank should improve their skills of tackling such challenges.
Improving Security Strategies
A good security system is supposed to include both proactive and reactive approaches. A proactive strategy has a number of procedures that mitigate potential security risks and build up emergency plans. Determining the destruction that an onslaught will cause on a given data assists in creating a strategy that is proactive. On the other hand, a reactive plan assists in examining the extent of damage on a system after it has been hacked. This helps in making decisions such as repairing the corrupted system or implementing emergency plans.
The first step towards securing the system is developing effective mechanisms for identifying potential risks and developing mechanisms to resist the potential risks. Start by securing the system against common threats. It is easier to prevent threats than to reconstruct the system after an attack.
All potential threats that may destabilize the system should also be scrutinized by the security administrators. These potential threats include malevolent prowlers, non wicked threats, and natural calamities. Consider all of the possible threats that cause attacks on systems. Most of the attacks are caused by employees.
Reactive Strategy
A reactive strategy could offer the best solution to deal with the fraud case at Société Générale because the proactive strategy failed to secure the system.
The reactive plan identifies the procedures that should be followed during and after intrusion. “This strategy detects the extent of the destruction caused and the loopholes that were taken advantage of in the attack, it establishes why it occurred, refurbish the spoilt systems, and execute an eventuality plan if available” (Pfleeger, 2008, p. 657). Reactive and proactive strategy work hand in hand to buildup security controls to mitigate intrusion and the destruction caused during such incidences.
Assess the Damage
Identify the destruction that occurred during the intrusion. This process should be executed very quickly so that reconstruction of the system can commence as soon as possible.
Establish the Source of the Damage
This can be achieved by analyzing the system logs because they give clue about the origin of the attack. System and audit logs can also be examined because they are also instrumental in tracing the source of an attack.
Repair the Damage
Reconstruction of the system should be done immediately after detecting the source of the attack to facilitate the execution of usual operations and whatever information misplaced during the interruption.
Document and Learn
Where feasible, all attack situations must be analyzed and documented to identify the most appropriate security steps and controls that can secure the system. The security group should handle cases such as insider attacks and viruses. Such efforts generate skills that a company can apply and data to give out before and after incidents.
In addition, the security team is supposed to examine any unfamiliar occurrence which may involve system controls. Documentation must encompass all the facets of the attack which can possibly be identified. Documentation will assist in adjusting proactive strategies for curbing potential intrusion or reducing destructions.
Implement Contingency Plan
If there is a contingency arrangement, it can be put into operation to avoid time wastage and to maintain business operations. In a situation whereby there is no emergency plan, create a suitable plan based on the evidence from the previous step.
Review Outcome
“Examining the outcome is important and should involve: loss in efficiency, information or mislaid, and the used to reorganize the system” (Pfleeger, 2008, p. 678). If possible, list the type of attack, its source, the mechanisms that were used to execute it, and the loopholes that were exploited.
Review Policy Effectiveness
If there are policies to guard against an intrusion that has occurred, they must be examined, reviewed and tested out for their efficiency. New polices must be created if they have not been used before to reduce potential attacks.
Amend Policy Properly
If the policy is of poor quality, it must be upgraded properly. Updating of polices should only be undertaken by an authorized personnel that deals with system securities. Moreover, a security policy can be configured in a manner that it only allows the users to access the system during the normal working hours. This reduces hacking incidences.
Conclusion
The security managers of Société Générale should determine the amount of time and resources that can enable them to create effective security controls. Apart from setting up an efficient security strategy, security auditors need to realize that security is a full time need in the organization. Hence, they should always update their security system regularly.
Cyber security is one of the major concerns of governments in the contemporary world. President Obama calls cyber threat “one of the most serious economic and national security challenges” (as cited in Bodenheimer, 2012, n.p.). Cyber-attacks can take down financial systems, government systems, banking systems and power grid (Bodenheimer, 2012).
Stuxnet is a cyber-worm which has confirmed various researchers’ opinion that cyber wars are people’s nearest future. Farwell and Rohozinski (2011) note that Stuxnet infected more than 60 thousand computers (over 50% of them in Iran). This breach of security is regarded as one of the most serious as it could have led to catastrophic outcomes.
Type of Breach
This virus is far from being an average cyber worm It had a complicated code which targeted PLC (programmable logic controllers). It is necessary to add that PLCs are integral parts of important industrial systems which are controlled by potent security systems (Brown, 2011). This virus was designed “to penetrate and establish control over remote systems in a quasi-autonomous fashion” (Farwell and Rohozinski, 2011, p. 24).
It did not require the use of the Internet. USB sticks were devices used for the spread of virus. Stuxnet targeted Siemens equipment and Windows operating systems. Notably, if some of the major requirements were not met, the virus did not operate and even self-removed within a particular time.
How the Breach Occurred
Notably, Stuxnet “destroyed supposedly secure equipment” without being detected for months (Nicol, 2012, p. 71). The virus was discovered in July 2010 (Brown, 2011). It was discovered at the Bushehr power plant. The virus was also traced in Indonesia, India, China, the United States and some other countries. The cyber worm destroyed about 1,000 Iranian nuclear centrifuges (Bodenheimer, 2012). Many researchers believe that this cyber worm could not be a product of a hacker as it is a sophisticated virus.
The major peculiarities of the worm (which confirm the viewpoint that the virus was created by a group of hackers who had the necessary equipment) are as follows. It is estimated that “10,000 man-hour of programming time” was necessary to write Stuxnet (as cited in Bodenheimer, 2012, n.p). The virus uses four Microsoft Windows security vulnerabilities. The use of all four vulnerabilities is unprecedented. Finally, it is acknowledged that to develop Stuxnet, Digital Certificates were stolen.
The Stuxnet ‘ceased’ control over the plant and “bumped” the speed of centrifuges up to about “1,000 miles per hour, past the point where the rotor would likely fly apart” (Nicol, 2012, p. 71). What is more, the virus affected control systems which indicated that everything was fine. It is necessary to point out that official Tehran announced that there was a cyber-attack, but analysts agree that the government did not reveal exact level of damage.
Losses of Confidentiality, Integrity, and Availability
Clearly, Stuxnet shows that cyber threat is real. Cyber-attacks can result in really serious and even devastating aftermaths. The virus revealed vulnerability of industrial systems which heavily rely on software. Pfleeger and Pfleeger (2006) single out three major aspects of computer-related systems when speaking of cyber security: confidentiality, integrity and availability.
It is important to note that in case of Stuxnet the three aspects prove to be vulnerable. Thus, there was no need to undermine the three aspects. The virus was available online and it could penetrate personal computers of those who have access to the systems.
People who had access could bring the virus to the plant (without noticing it) while using USB sticks. Therefore, it is possible to note that Stuxnet passed over the three major aspects which are addressed while designing security systems. The virus did not require the Internet. More so, the virus did not operate unless a number of requirements were met. Therefore, the cyber worm was difficult to detect until it was too late.
It is important to add that the code of Stuxnet is now available online. Nicol (2012, p. 72) notes that such “less technologically sophisticated groups” as al Qaeda are unlikely to make use of the virus. However, non-state actors in China or former Soviet Union as well as in the USA can modify the cyber worm to adjust it to another target. Thus, it is crucial to work out particular tools to prevent re-occurrence of the virus.
Technological Improvements
The case with Stuxnet shows that it is not enough to address the three major aspects of computer-related systems. One of the easiest and, maybe, most efficient ways to secure industrial software is to make sure employees cannot use USB sticks at their working places. This rule should apply to all employees including top management as the virus can penetrate any computer which has access to the Internet or already has the virus which is inactive. Thus, the plants (or any other strategic facilities) should be equipped with computers (or similar equipment) which do not even have outputs for USB sticks. Of course, users should not ignore possible threats coming from the Internet. Strategic objects should have specific networks and systems which are isolated from the World Wide Web.
More so, there should be several systems operating. In fact, such objects should not rely on computer-related systems only. When it comes to power safety, employees should be able to check whether all processes are taking place properly.
It is important to note that these measures alone are insufficient to ensure security at such strategic objects as power grids. Each strategic object should have a sufficient security system which should periodically check software as well as hardware. The security system should also be updated regularly. Of course, the system should be capable of detecting and neutralizing such cyber worms as Stuxnet (the code of the cyber virus is already available).
Apart from this, the case with Stuxnet shows that security measures should not be confined to software (and users only). Companies producing hardware should also address the problem. Thus, Siemens as well as other companies should make sure their products are not vulnerable to such cyber worms as Stuxnet (or other known cyber viruses).
Conclusion
On balance, it is possible to note that Stuxnet has shown that cyber wars are real. The cyber virus has shown that objects relying on software as well as certain hardware are vulnerable as any security system can fail to detect a new cyber threat. Therefore, people should reconsider efficiency of existing security systems. Perhaps, people should not rely on computer-related systems so much. Clearly, people should take action. IT specialists should analyze the code of the cyber virus and work out efficient security systems. Stuxnet has shown that this attention to security is not the responsibility of users only as hardware producers should also make sure their products are not vulnerable to various cyber threats.
Reference List
Bodenheimer, D.Z. (2012). Cyberwarfare in the Stuxnet age: Can cannonball law keep pace with the digital battlefield? The SciTech Lawyer, 8(3). Web.
Brown, G.D. (2011). Why Iran didn’t admit Stuxnet was an attack. Joint Force Quarterly, 63, 70-73.
Farwell, J.P. & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53(1), 23-40.
People tend to spend more time online because communication, financial transactions, and other operations can be performed on the Internet. However, with the increasing number of internet users the number of cybercrime activities has also surged. More importantly, cyberattacks are widely used by different nation-states to achieve various purposes. In this regard, the two U.S. Presidents, namely Donald Trump and Joe Biden, have sought to address this problem, but their efforts seemingly only exacerbated the issue.
Literature Review
According to Schreider (2020), “Cybercrime is a criminal act in which computer-based equipment, automated services, or communications mechanism is either the object or the means of perpetrating legal or regulatory restricted or prohibited offenses” (p. 18). Conversely to traditional crime, the regulations that govern Internet usage mainly focus on promoting the safety of the user’s data (Galaitsi et al., 2022). However, very few laws have been established to control Internet life, mainly due to the volatility and evolution of technology (Galaitsi et al., 2022). There are many examples and specific actions to be considered cybercrimes, including electronic theft, cyberbullying, data breach, hacking, blackmail, and espionage (Lukings & Lashkari, 2022).
Research Question, Hypothesis, and Method
Research Question: Is there a significant connection between the US President’s approach to cybersecurity and the actual presence of the given phenomenon? Hypothesis: The US President’s more aggressive approach to fighting against cyberattacks results in a higher number of cyberattacks. Research Method: Systematic literature review. Analyzed Sources: ÞScholarly articles and books; ÞOnline studies, news articles, and expert organizations’ reports. ÞFederal legislation pieces and executive orders.
Conclusion
Regarding the offered hypothesis and a systematic review, Trump’s and Biden’s approaches were directed to solve problems and protect the country. Still, their decisions and attitudes differed in all senses, except for one point – the more attention is paid to cyberattacks, the higher prevalence could be observed. Several claims have supported the assumption of administrative changes in the government, overtasking at lower levels, and poor coordination between the local, state, and federal organizations.
References
Boussios, E. G. (2020). Hacking back: Trump’s ‘madman theory’ approach to cybersecurity. Journal of Applied Security Research, 16(4), 514-525.
Galaitsi, S., Trump, B. D., Keisler, J. M., Linkov, I., & Kott, A. (2022). Cybertrust: From explainable to actionable and interpretable AI (AI2). IEEE Computer, 53, 91-96.
Lukings, M., & Lashkari, A. H. (2022). Understanding cybersecurity law and digital privacy: A common law perspective. Springer Nature.
Mhajne, A. (2021). A human rights approach to US cybersecurity strategy. Carnegie Council for Ethics and International Affairs. Web.
Schreider, T. (2020). Cybersecurity law, standards, and regulations (2nd ed.). Rothstein Publishing.
The current report is designed to articulate the cybersecurity breach causes and threats to data safety of the engineering company Sifers-Grayson. The company that starts a new contract with a federal agency is eligible to comply with strict security requirements that must be tested, problems uncovered, and improvements addressed and implemented. For the purpose of the incident outcome assessment, the report presents an analysis of the company’s system penetration by a hired consulting firm. The lessons learned after the firm conducted the testing of Sifers-Grayson current cybersecurity measures and incident response procedures are discussed. Finally, the recommendations, as per the improvement of the incident response capability, are introduced to ensure the elimination of the identified drawbacks and the compliance of the engineering company with the security requirements presented by the federal agency.
Analysis of the Incident
Sifers-Grayson is a company that is operating in the sphere of electronic engineering. The new cooperation opportunity for the company entails integration with a federal agency that necessitates updated and improved cybersecurity measures that comply with the standard guidelines and regulations. The company hired a consulting firm specializing in cybersecurity to enhance compliance with the federal agency’s demands. To allow the consulting company to run their testing, Sifers-Grayson allowed it to inspect the databases in place. The Red Team of the hired consulting agency penetrated Sifers-Grayson’s system and accessed the engineering center, hacked the network, and stole files and documents related to the development and engineering of the AX10 Drone System. This happened because there was no effective technology set up and maintained to provide a sufficient level of security for the engineering system and employee accounts on software, as well as hardware stored information.
In addition, the Red Team managed to steal login information of the employees and was able to enter the facilities by interacting with friendly workers employed at Sifers-Grayson, who welcomed outsiders to the buildings. This occurred due to the unprotected data on the servers used by the company. Also, the lack of employee awareness about the threats of cyber-attacks and outsiders’ presence inside the facilities of the company caused the ease of penetrators’ access to the information and resources. The Red Team used the stolen logins to install malware and disrupt the work of the laboratory. As a result, the Red Team was able to control test vehicle of the drone. This illustrates that cyber criminals have an opportunity to hack into the system and steal both engineered products and the designs, which is significantly dangerous for a business entity (Huang et al., 2018). In addition, the Red Team sent Phishing Emails to employees and successfully obtained their reaction to them, which is how the IP addresses were tracked for further manipulation.
In particular, the analysis shows that the processes at Sifers-Grayson are disconnected from one another, where the IT department is thought to be responsible for cybersecurity, and no other entities on the company team are entitled to protect data from criminals. No clearly introduced a policy that would regulate the algorithm of steps in the case of a security breach or a threat to data and information. People involved in the implementation of cybersecurity are scarce in number and limited in expertise, which disrupts the effectiveness and timely implementation of incident response and incidence prevention strategies. No effective technology is implemented, which is why unprotected network connection exists and allows for hacking opportunities.
Lessons Learned
Based on the checking and testing conducted by the Red Team, Sifers-Grayson obtained a full picture of the weaknesses that their cybersecurity system has and the requirements that the company needs to comply with to maintain a proper level of data safety. Firstly, in regards to the technology domain, Sifers-Grayson’s protective technologies are ineffective in eliminating network connection by external devices. Since the Red Team was able to hack into the system by means of unprotected network connection, there must have been a technological solution that would have prevented such an incident. Also, since there was no additional authentication feature for logging in to the lab database, the Red Team was capable of accessing login information and obtaining control over the testing drone. Therefore, there should have been better and more secure protecting technology in place for the company to avoid the incident.
Secondly, within the realm of people, the limited number of employees working in the IT department does not suffice the requirements of the security guidelines. The incident has demonstrated that the implementation of the technologies was not consistent and was inappropriately used within the context of the company’s business processes. Therefore, the IT department employees should have been more proficient in the execution of their responsibilities when responding to the incident. Nonetheless, not only the competence but the number of employees should have been increased to eliminate the threats to system security. In addition, the lab workers and other employees whose actions related to welcoming outsiders to the facility and responding to insecure emails also contributed to the breach in the data security system. These issues also relate to the policy implementation within the organizational structure at Sifers-Grayson.
Thirdly, the policies pertaining to cybersecurity were ineffective or were completely lacking. Once the Red Team penetrated the network and started conducting criminal actions against the company, a series of steps within the company policies must have been taken. The IT department should have identified the area that has been hacked, and the employees should have been more cautious as per the outsiders on the company territory and the suspicious emails. Fourthly, the processes inside the IT department were not in place according to the necessary policies. No algorithm of response to incidents has been implemented, which ultimately diminished the capability of the company to prevent and respond to the breach in security. A centralized well-aligned team might have increased the company’s chance to timely detect and eliminate the threat.
Conclusion and Recommendations for Improvements to Incident Response Capability
In response to the identified lessons learned and weaknesses detected, the following recommendations for improvements might be introduced. The policy aimed at training the IT department for timely and effective responding to cyber-attacks should be developed and implemented. In addition, the policy should be disseminated to all employees having access to digital information, especially in lad designing and engineering. The knowledge of the employees about the threats and possible ways of cyber intrusion will increase the level of awareness and help to eliminate similar incidents in the future. The development of a centralized team that would be responsible for monitoring the processes inside the network and report the identified inconsistencies to the related entities would improve the incident response capability. The alignment of the processes of detecting and automated reporting of cyber threats would be a beneficial asset to the company’s cybersecurity and lab information protection.
One of the technological solutions that might prevent cyberattacks and protect employee accounts and the overall data related to the company’s engineering processes is the implementation of multi-factor authentication. This solution necessitates the insertion of a one-time code that is uniquely generated per every entry to the system (Lamba, 2019). In addition, another technological solution that might protect the company’s laboratory database from unwanted entries is the intrusion prevention system. By means of two-layer protection from wireless device access, an intrusion prevention system allows for providing the business with a high level of cyber security (Oke et al., 2018). Moreover, an additional option that is capable of protecting the engineering and designing data is introduced by the National Institute of Standards and Technology (2020) and entails role based access control (RBAC). The CEO and the employees at the leading positions at the company in possession of the vulnerable and pertinent information might be assigned specific roles that would allow for additional protection of the data within the provisions of RBAC.
Within the perspective of people’s involvement in the policy, technology, and process implementation, there are several specific recommendations for Sifers-Grayson. In particular, the recruiting of new IT staff members with expertise in cybersecurity is required. Further training of the IT department team for the utilization of the new technologies and the implementation of improved policies is recommended. Finally, the overall company employee cybersecurity awareness-raising interventions and training are necessary to ensure consistency in policy implementation.
References
Huang, K., Siegel, M., & Madnick, S. (2018). Systematically understanding the cyber attack business: A survey. ACM Computing Surveys (CSUR), 51(4), 1-36.
Lamba, A. (2019). API design principles & security best practices – accelerate your business without compromising security. Cybernomics, 1(3), 21-26.
Oke, J. T., Agajo, J., Nuhu, B. K., Kolo, J. G., & Ajao, L. A. (2018). Two layers trust-based intrusion prevention system for wireless sensor networks. Advances in Electrical and Telecommunication Engineering, 1, 23-29.
A hacking attack is a set of actions to find insecurities in digital systems, such as computers, smartphones, tablets, or even entire computer networks. It should be noted that hackers do not always engage in harmful activities. Today, however, the term ‘hacking’ is generally used in the context of illegal behavior. Hackers are cybercriminals who try to obtain financial gain, protest, gather certain information (i.e., engage in cyber espionage), or want to have entertainment.
Black Hats
A Black Hat hacker is a personality who tries to find disruptions in computer security and applies them for personal and monetary profit or other malicious reasons. This differs from white hat hackers – security specialists who use vicious methods to find security flaws that Black Hat attackers can exploit (Kempen, 2020). Black crackers can cause major destruction to both private network users and great institutions by taking private business reports, hazarding the protection of major operations, or sealing down or modifying the capacity of websites and systems.
Hackers engaged in blackhat activities can range from teenage adventurers expanding network viruses to networks of offenders who steal account card numbers and other valuable securities data. Black Hat hacker activities include infusing keystroke monitoring software to steal data and beginning attacks to disable access to Web sites. Attackers sometimes use non-computer methods to gain data, such as calls and identities, to collect a user’s password. Black Hat workers have their own conventions, among which the two better known are DEFCON and BlackHat (Kempen, 2020). Conventions on dark hats are often attended by security professionals and academics who want to know how to hack from Black Hats.
White Hats
White Hats, who are also called ethical or good hackers, are the opposite of Black ones. Their main aim is to identify security flaws in computer systems and networks and make recommendations for enhancement. White Hats apply their knowledge and experience to defend organizations from dangerous attacks. Sometimes they may be full-time employees or contractors working for a company as security specialists whose job is to find system imperfections. Their work is one of the reasons why large organizations tend to have fewer downtime and website queries. Most hackers know that infiltrating systems run by large companies is more laborious than those operated by small businesses, which probably do not have the resources to look for possible safety vulnerabilities (Martin, 2017). The ethical hacker group includes penetration testers who specialize in finding problems and assessing risks in operations.
White Hats apply the same hacking techniques as Black Hats, but the chief difference is that they first get the system owner’s permission, making the process completely legitimate. Instead of using vulnerabilities to spread code, White Hats work with network operators and solve the enigma before the attackers discover it (Porterfield, 2016). They typically use social engineering solely to discover weaknesses in the human aspect of an organization’s defenses and then fix them. Their principal goal is to get enough information to identify ways to legally bypass security tools and mechanisms without damaging or hacking anything. White Hats also create decoys to attract cybercriminals to confuse them or gain relevant information about them.
Conclusion
Thus, it can be concluded that the major distinction between Black and White Hats is motivation. Black hackers gain access to systems illegally, with malicious intentions, and often for personal enrichment. On the other hand, White Hats work with companies and help them identify weaknesses in their systems and fix relevant vulnerabilities to ensure that attackers cannot illegally gain access to data. Consequently, hackers should not automatically be associated with criminal matters because it all depends on the hat that they wear.
References
Kempen, A. (2020). Are all hackers bad? Servamus Community-based Safety and Security Magazine, 113(6), 38-39. Web.
Many companies strive to ensure their cybersecurity is under control by implementing the latest technology to protect systems and networks. However, even after integrating protection from cyberthreats, it is important to be confident in the ability to protect company systems from hackers. As a result, a cyber maturity assessment is critical to successful vulnerability and breach detection. Cybersecurity maturity is the capability and degree of readiness of an organization to mitigate threats and vulnerabilities from hackers. Padgett-Beale Financial Services can achieve an effective cybersecurity program by using a compliance-based management approach. Compliance management can refer to processes that ensure individuals or employees follow the required standards and rules (Garrett, 2018). Padgett-Beale Financial Services must choose the appropriate framework and standards, determine required regulations and laws to comply with, and identify the best practices for maturity assessment to achieve an impenetrable cybersecurity management program.
Analysis
Frameworks And Standards to Use
When companies develop cybersecurity plans, they must consider the standards or framework to use in their information technology management program. Padgett-Beale Financial Services can utilize the National Institute of Standards and Technology (NIST) framework while developing its cybersecurity management program. The NIST framework can be a powerful tool for organizations to improve and organize their cybersecurity programs (Christopher et al., 2014). It provides best practices and guidelines to assist a company like Padgett-Beale Financial Services in creating and enhance its cybersecurity management. The NIST framework can help Padgett-Beale Financial Services to better prepare in detecting and identifying cyber-attacks and offers guidance on how to recover from, prevent, and respond to cyber threats. The NIST cybersecurity framework will be important to Padgett-Beale Financial Services for various reasons. Firstly, the company will no longer be concerned about unseen vulnerabilities and risks. Secondly, the firm will have access to the correct asset inventories that need protection (Calder, 2018). Therefore, the framework can enable Padgett-Beale Financial Services to leverage the knowledge of professionals who have handled similar cybersecurity risks.
Compliance in the financial industry is extremely important; therefore, Padgett-Beale Financial Services should follow the Payment Card Industry Data Security Standards (PCI DSS) in the creation of a cybersecurity management program. PCI DSS refers to global standards that stipulate how an organization should handle information on credit cards. For Padgett-Beale Financial Services to comply with PCI DSS, it must maintain secure data networks and consistently monitor data in all networks to limit credit card data from being stolen and destroyed (Ukidve et al., 2017). However, it is critical to note that whereas PCI DSS requires companies to implement multifaceted security solutions, integration of security measures into existing systems can cause problems to the systems.
Laws And Regulations to Address
Financial services companies must comply with various laws and regulations to operate efficiently and avoid frequent violations of consumer rights. The cybersecurity management program for Padgett-Beale Financial Services must consider the requirements of the Gramm-Leach-Bliley Act (GLBA), Sarbanes Oxley Act (SOX), and the identity theft red flags rule. GLBA established rules that govern the use of consumer information by financial institutions. The regulation applies to firms that provide significant financial products, and it requires companies to inform customers of how consumer data is shared (Sheikh, 2020). In addition, customers are given a chance to opt-out of the data-sharing rules that a financial institution has with third-party vendors.
On the other hand, SOX requires firms to produce a system that can facilitate internal balances and checks to verify the correctness of financial records. Furthermore, SOX maintains that firms should have cybersecurity systems that sufficiently protect and monitor financial information. The identity theft red flags rule must be followed by all financial firms. It requires all financial institutions to implement written programs to mitigate, prevent, and detect identity theft regarding the maintenance or opening of accounts. Such accounts may include margin, credit card, savings or checking, and retail brokerage accounts (Sheikh, 2020). The three laws are important to protecting consumer information and ensuring financial processes are efficient.
Best Practices to Assess Program Maturity
Several practices can help to assess the maturity of the cybersecurity management program used by Padgett-Beale Financial Services. The program should aim to reach the adaptive tier of the NIST framework. When the systems are adaptive, the company will continually change cybersecurity practices based on current and previous activities such as predictive indicators and lessons learned. In addition, the risk management approach should use risk-informed procedures and policies to combat potential cyber threats. Padgett-Beale Financial Services should ensure security policies align with business and regulatory requirements to avoid lawsuits. The firm should confirm that vulnerability and threat management processes have the agility to stay ahead of evolving cyber-attacks. The company should further verify that security operations are diligent, swift, and active in protecting assets and identify system intrusions (Garrett, 2018). Such practices can ensure the firm looks beyond the present threats to build cost-effective and innovative solutions to cyber-attacks.
Summary
While creating its cybersecurity management program, Padgett-Beale Financial Services must select the framework and standards to use, determine required laws and regulations, and establish best practices to assess the program’s maturity. The finance industry faces growing cyber threats; therefore, Padgett-Beale Financial Services must invest in cybersecurity to avoid cyberattacks that hurt their business. The company should use a NIST framework and adopt the PCI DSS to protect credit card data. In addition, the firm must adhere to SOX, GLBA, and the identity theft red flags rule to secure consumer data and rights. The best practices ensure that the program complies with business and regulatory requirements and promote continual cybersecurity awareness.
References
Calder, A. (2018). NIST cybersecurity framework: A pocket guide. IT Governance Publishing Ltd.
Christopher, J. D., Gonzalez, D., White, D. W., Stevens, J., Grundman, J., Mehravari, N., & Dolan, T. (2014). Cybersecurity capability maturity model (C2M2). Department of Homeland Security, 1-76. Web.
Garrett, G. A. (2018). Cybersecurity in the digital age: Tools, techniques, & best practices. Wolters Kluwer.
Sheikh, A. F. (2020). CompTIA security+ certification study guide: Network security essentials. Apress.