Cyber Security in Business Organizations
Robin P. McCollin
CIS 500 Information Systems – Decision Making
The terms information security, computer security, and cyber security are sometimes used interchangeably. To better understand the similarities and differences between them, one must first understand what exactly is being secured. For example, information security is generally regarded as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Computer security consists of measures ...
Complexity is the enemy of security (Johansson, 2009).
Another area of complexity is the disconnect between security and the business. In his article The Challenge of Information Security Management, Part 1, Johansson provides an example.
We walk into a meeting with the business executives. The executives say "we need you to help secure our product." The security guys say "OK, tell me about the product." The business folks say "It's a widget"; at which point the security guys immediately start telling them how to secure widgets. What is missing here? Sure, the security guys tried to learn what the product was. But what is the business objective? What is the business trying to achieve with this widget? How valuable is it to the business? How strategic is it? How important is it? How much risk is the business willing to accept to get it done? Do the business folks even want to build it? The security group so rarely knows the business. […] It is not our job as InfoSec professionals to tell the rest of the organization how to run a business. It is merely our job to inform the business as to the correct set of lights to turn on, and which ones must stay off, in accordance with the business' tolerance for risk and its needs. We support and advise the business on how to achieve its objectives with an acceptable level of risk—but the objectives are still owned by the business, not by the InfoSec group (Johansson, 2009). Herein lies the problem.
In 2013, the retailer Target and its consumers were involved in one of the largest retail hacks in history. What is most interesting and perhaps appalling about this breach is the simplicity of the attack. Following is a brief synopsis of the events, the alerts that were missed or overlooked, and the reasons why.
Six months prior to the attack, Target spent $1.6 million on a malware detection tool created by FireEye. In an article written in Bloomberg Business, the authors report the following:
Initially funded by the CIA and used by intelligence agencies around the world, FireEye works by creating a parallel computer network on virtual machines. Before data from the Internet reach Target, they pass through FireEye’s technology, where the hackers’ tools, fooled into thinking they’re in real computers, go to work. The technology spots the attack before it happens, then warns the customer. Unlike antivirus systems, which flag malware from past breaches, FireEye’s isn’t as easily tricked when hackers use novel tools or customize their attack (Riley, Elgin, Lawrence, & Matlack, 2014).
One of the largest security breaches in history began when intruders gained access to Target's system by using stolen credentials from a third-party vendor. Several days before Thanksgiving, Target's antivirus system indicated suspicious activity and later pointed to a server in question. This, I believe, was the first red flag missed or overlooked by network security. Had this initial vulnerability been...