
IT SECURITY 1

IT Security: Threats and Solutions in Organizations

Thomas Curtis

14 March, 2015


Abstract

Information security is a problem that plagues businesses. Organizations that protect themselves from the lingering threat of would-be data thieves not only mitigate liability and keep their data secret, but can also become industry leaders in an ever-evolving technological landscape. Organizations that embrace the necessity of security arm themselves with knowledge of attackers, their methodology and the law. Research will be drawn from interviews with professionals in the field, industry white papers, government publications and law. The data will be analyzed, summarized and illustrated as appropriate.

Introduction

IT security continues to present a challenge to business organizations. According to Khan, organizations do not have adequate security controls (Khan, 2014). Attackers are hitting businesses hard. A business that understands the risks, the processes and methodologies of attackers, how to mitigate attacks, and the laws associated with cyber infrastructure has an advantage.

Data is the lifeblood of an organization according to Protiviti (Bridging the Data Security Chasm). Lifeblood is what keeps things living; an organization will die without its data. Imagine a business that lost its entire database of customer data to an attack. That organization would surely suffer the consequences.

The Ponemon Institute found that the average cost of a data breach in the US was $188 per record (2013 Cost of Data Breach: Global Analysis). That means every single record stolen in a data breach cost $188. This kind of cost solidifies the need to be proactive in protecting organizational data.

Fischer, a senior specialist in science and technology for the Congressional Research Service, states that various experts have been growing more concerned about cybersecurity for more than ten years (Fischer, 2013). Fischer further explains that this growing concern has produced a legislative framework (Fischer, 2013). Understanding these laws helps businesses know what protections can be put in place, as well as how to identify illegal cyber activity.

The Data Protection Compliance Report found that 94% of all breaches in 2014 were caused by a lack of information security. If that figure holds, integrating information security into organizations could prevent the large majority of such events. Clearly there is a need to further understand how information security should be applied within organizations.

Proposed Research

Past research focuses on specialized areas of cyber security, but does not provide an overarching view of information security within an organization. This research document will encompass multiple aspects of cyber security from a broad viewpoint. Practising professionals in the field, white papers, and other industry-accepted documentation will be used to research and create a document that can be used to increase security awareness and posture within organizations.


Results

The expected result is that most organizations do not have a security posture adequate for today's standards. This will be backed up by research and statistics.

Discussion

This study will provide a solid background for organizations. What it will not do is tailor its findings to an individual organization. Organizational leaders should expect to require a personalized, in-depth look at the current state of their organization in order to properly protect its data.


IT security continues to present a challenge to business organizations. According to Khan, organizations do not have adequate security controls (Khan, 2014). Attackers are hitting businesses hard. A business that understands the risks, the processes and methodologies of attackers, how to mitigate attacks, and the specific laws related to cyber infrastructure has an advantage over organizations that do not.

Data is the lifeblood of an organization according to Protiviti (Bridging the Data Security Chasm). Lifeblood is what keeps things alive. If an attacker steals an organization's data, the organization's lifeblood has been taken, and the organization will die without it.

The Ponemon Institute found that the average cost of a data breach in the United States is $188 per record stolen (2013 Cost of Data Breach: Global Analysis). That means every single record stolen by an attacker costs an organization $188. If a company with 300 employees is attacked and the attacker steals only the employee records, the cost would be 300 × $188 = $56,400: a heavy hit just for losing employee records.

The Data Protection Compliance Report found that 94% of all breaches in 2014 were caused by a lack of information security. Integrating information security into organizations could therefore prevent the large majority of such events.

Organizational information security is protecting data from risk and threat (Johnson & Goetz, 2007). It is important to keep your organization's secrets secret. Would you leave the plans for your new prototype sitting on your competitor's conference table? Then why would you not lock up your digital data?

Every organization needs to be cognizant of cyber security. Riley (2014) quoted the FBI Director, James Comey: "There are two kinds of big companies in the United States. There are those who have been hacked and those who do not know they have been hacked." Chances are every organization has been hacked at one point or another. That is why every organization needs to take cyber security seriously.

In order to figure out where to start, you need to understand how an attacker penetrates a network. An attacker will use a variety of methods to infiltrate. Baumann (2002) describes the way an attacker breaks into a network as a sequence: first reconnaissance; then probing and attack; then listening; then gaining initial access; then advancing that access; then establishing stealth; then taking over the network; and finally erasing tracks.

Protecting against the attacker's methodology is crucial, and there are ways to defend against this methodical onslaught. The State of California Department of Justice, Office of the Attorney General (Protect Your Computer From Viruses, Hackers, and Spies, n.d.) recommends a layered approach to defense: install a firewall, use anti-virus software, use anti-spyware software, manage your system and browser, use strong passwords, secure your wireless network, use caution when sharing files, shop safely online and, finally, take control of your systems. No single defense is a panacea, and the State of California recognizes this.

Many times organizations do not consider network security until after they are up and running. In order to start enforcing information security from scratch, Jones (2000) recommends addressing control of the system infrastructure through information security policies, organization of information security, asset management and control, computer and network management, physical and environmental security, access control, systems development life cycle and maintenance, personnel security, business continuity planning and policy compliance. It is a mouthful, but it should not be intimidating. Each of these security methods will be discussed.

When starting your organizational information security plan, you must perform a risk assessment. A risk assessment component should be included in any change management activity impacting the operating system environment, supporting network infrastructure or applications residing on the network (Jones, 2000). Basically, any time a system is altered, a risk assessment should be completed.

The first step in creating an information security plan is to identify threats to the organization. A threat assessment considers the full spectrum of threats (i.e., natural, criminal, terrorist, accidental or other undefined threats) for a given facility (Renfroe & Smith, 2014). The chief information security officer should consider every plausible threat to the organization, using every source of information available. There is a plethora of historical data for regions that can help determine these risks.

After assessing threats, an organization must assess how vulnerable the facility is to each threat. There are a number of ways to conduct a vulnerability assessment. A good method is to hire an unbiased, external organization to test your organization against common threats. Once the vulnerability assessment has been conducted, the organization should classify each threat based on impact (Renfroe & Smith, 2014).

Once the threat and vulnerability assessments have been completed, the organization should evaluate the risks. Some risks are too far-fetched to pose any real threat. A sharknado would probably be devastating to an organization, but it is a highly unlikely threat. Quantifying the impact associated with a threat is one of the most difficult aspects of risk evaluation (Data Governance Risk: Challenges in Information Security, n.d.).

After evaluating risk, the organization must determine what the impact to the business is. Sometimes it is simply not worth the cost of mitigating a risk. Risk should be balanced against cost and against inconvenience (Data Governance Risk: Challenges in Information Security, n.d.). Senior leadership in the organization may be helpful when determining impact to the business.
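One standard way to put numbers on "is the mitigation worth its cost" is annualized loss expectancy (ALE): the cost of a single occurrence (SLE) multiplied by how often it is expected per year (ARO), compared with what the safeguard costs. The following is an added example, not code or a method from the paper or its sources. It reuses the paper's $188-per-record figure and 300-record population; the annual rates of occurrence, control costs and the fraction of risk each control removes are assumptions chosen for illustration (including the sharknado, which the text itself offers as an example of a risk not worth mitigating).

```python
"""Annualized loss expectancy (ALE) as a yardstick for accept-or-mitigate.

Added example; not from the original paper. ALE = SLE x ARO is the
standard quantitative risk formula. The $188 per-record cost and the
300-record population are the paper's figures; the annual rates of
occurrence and control costs below are assumptions for illustration.
"""
from dataclasses import dataclass

COST_PER_RECORD = 188.0  # Ponemon 2013 figure quoted in the paper


@dataclass(frozen=True)
class Threat:
    name: str
    records_exposed: int  # records lost if the threat materializes
    annual_rate: float    # ARO: expected occurrences per year (assumed)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # what the safeguard costs per year (assumed)
    rate_reduction: float  # fraction of the ARO the control removes, 0..1 (assumed)


def single_loss_expectancy(threat: Threat) -> float:
    """SLE: cost of one occurrence, priced per record lost."""
    return threat.records_exposed * COST_PER_RECORD


def annualized_loss_expectancy(threat: Threat) -> float:
    """ALE: SLE scaled by how often the threat is expected per year."""
    return single_loss_expectancy(threat) * threat.annual_rate


def net_benefit(threat: Threat, control: Control) -> float:
    """ALE avoided by the control, minus the control's own annual cost."""
    before = annualized_loss_expectancy(threat)
    after = before * (1.0 - control.rate_reduction)
    return (before - after) - control.annual_cost


def recommend(threat: Threat, control: Control) -> str:
    """'mitigate' when the control pays for itself, otherwise 'accept'."""
    return "mitigate" if net_benefit(threat, control) > 0 else "accept"


# Constructed scenarios: the paper's 300 employee records under two threats.
EMPLOYEE_RECORD_THEFT = Threat("employee record theft", 300, 0.1)  # roughly once a decade
SHARKNADO = Threat("sharknado destroys the file server", 300, 0.00001)
ENCRYPT_HR_DATA = Control("encrypt and access-control HR data", 4000.0, 0.9)
STORM_SHELTER = Control("shark-proof server bunker", 10000.0, 1.0)

if __name__ == "__main__":
    for threat, control in [(EMPLOYEE_RECORD_THEFT, ENCRYPT_HR_DATA),
                            (SHARKNADO, STORM_SHELTER)]:
        print(f"{threat.name}: SLE=${single_loss_expectancy(threat):,.0f} "
              f"ALE=${annualized_loss_expectancy(threat):,.2f} "
              f"-> {recommend(threat, control)} ({control.name})")
```

The employee-record case produces the paper's $56,400 SLE; at an assumed rate of once per ten years that is an ALE of $5,640, and a $4,000-per-year control that removes 90% of the risk pays for itself, so the recommendation is to mitigate. The sharknado has the same SLE but an ALE under a dollar, so even a perfect control is rejected and the risk is accepted, which is exactly the judgement the text describes management making.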

The final piece in creating an organizational information security plan is to actually prepare the plan. The plan should contain a methodology for an incident response team. Incident response procedures vary depending on the specific organization of business functions, information technology, public information, law enforcement and other business function types; the cited guidance outlines steps that should be included in those processes to ensure appropriate responses to security-related incidents (Information Technology Services, n.d.). Test the plan's members by simulating incidents, and have them document the full process.

There are dozens of methods of penetrating a network. They fall into two broad categories: the internal threat and the external threat. Both are very real, and both can be disastrous when an event does strike.

Coleman (2014) quoted Alex McGeorge, senior security researcher at a Florida-based provider of specialized offensive information technologies. McGeorge said, "Corporations do not take their internal security as seriously as they should." Employees are a very large risk to an organization.

According to an online survey by IT Governance, more than half of respondents agree that the greatest threat to an organization's data is the organization's own employees (Coleman, 2014). This is not to say that these employees are malicious; rather, employees are generally unaware of the threat they may be causing.

A SolarWinds survey found that over half of respondents to an independent survey identified accidental inside breaches as a top security threat (Vicinanzo, 2015). Most employees simply do not realize that they are causing a data breach. It could be plugging in a USB drive with embedded malware, clicking an internet link to a malicious website, opening a malicious document, or other apparently harmless end-user activities. These seemingly benign employee actions are one of the greatest threats to an organization.

However, not all inside threats are accidental. Many times the disgruntled employee poses a significant risk to information system security. The United States Department of Homeland Security announced that the exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company (Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information, 2014). Disgruntled employees can and will steal your data to give to another company. They can and will sell your secrets. They can and will destroy your data simply for revenge.

A final type of insider threat is one that may not seem like a threat at all: misconfigured systems. Radichel (2014) reviewed the 2013 data breach at Target retail stores, which resulted in over 40 million credit card numbers being stolen. Radichel found that the point-of-sale system was vulnerable to attack, and quoted a Mandiant security report describing how the attackers' reconnaissance revealed misconfigured systems and vulnerabilities in them. It is essential to keep software patched, up to date, properly configured and hardened.

There are a number of different types of external threats. The FFIEC IT Examination Handbook InfoBase, Appendix C: Internal and External Threats (n.d.) categorizes external threats as malicious activity, natural disasters, technical disasters and pandemics. External threats are any disasters that do not originate from within the organization. Threats such as fire, hackers and power outages are specific types of external threat.

Pretty much anyone in this day and age has heard of hackers. Hackers are people who use a variety of attacks to carry out their activities. Hackers can be good, bad, indifferent or scary (Long, 2012); there are simply many different hacker profiles. Long (2012) further classifies hackers into categories: hacktivists, government-sponsored hackers, black hat hackers, white hat hackers, grey hat hackers and insiders. This is quite the gamut of names for what constitutes a hacker.

One of the hacker profiles is the hacktivist. Hacktivists are people who hack for a cause. Thompson (2013) wrote about the late Reddit co-founder Aaron Swartz, who committed suicide while facing a lengthy prison sentence because he allegedly hacked into a system and took academic articles. The prosecutors claimed that Swartz intended to distribute these articles freely, because he had often spoken about the importance of making information freely available. Swartz hacked for a cause: the freedom of information for the public at no cost. Whether Swartz was justified in what he did or did not do is a matter of opinion, but he was definitely a hacktivist because he hacked for a cause, regardless of whether the cause was just or unjust.

State- or government-sponsored hackers are a real thing, almost like modern-day James Bonds. Governments often hire hackers to find security holes in their own infrastructure, but this type of hacking can enter spy territory as well (Rashed, 2012). Countries seek hackers to penetrate other countries' networks and steal data.

Black hat hackers are hackers who illegally break into systems with malicious intent, according to Chandler (2012). Black hat hackers have no intention of doing good when they attempt to penetrate a network; this is a dangerous type of hacker. Many black hats have turned white hat in later years.

According to Hoffman (2013), white hat hackers are ethical hackers. White hats use their knowledge of penetrating computer networks to help organizations. They test systems in order to strengthen the organization's security. White hats can be contracted to legally break into a network, find flaws and document them so the vulnerabilities can be fixed by the organization.

Hoffman (2013) further defines another hacker hat. Gray hat hackers fall between white hat and black hat. Just as there are gray areas in the ethics of life, so there are gray areas in the ethics of hacking. A gray hat may compromise a system, but not for personal gain; the gray hat would compromise a system and then disclose the findings to the organization in an effort to help. The fact that the system was compromised without permission makes the penetration unauthorized, and in most jurisdictions illegal, even if the intent could arguably be called ethical.

Insiders are another type of hacker. Many people may not think of themselves as hackers, but the fact remains that anyone who holds credentials to a system could technically become one. Many people are familiar with the hack of Sony Pictures surrounding the movie The Interview. According to Report (2014), the hack may have been an inside job; there have been reports that a former employee helped with the attack on Sony Pictures.

You can mitigate against all of these hackers. Targeted Cyber Intrusion Detection and Mitigation Strategies (2013) offers a variety of ways to mitigate or even prevent information security events. It recommends preserving data, credential management, network segmentation, increased logging and auditing, access control, application whitelisting and policies.

As part of the Australian Government Initiative (n.d.), training personnel is also a great way to mitigate attacks. If you teach users how to create strong passwords and be smart with their online activities, and create an annual training plan, attacks can be mitigated by your users. When users know what not to do, cyber security events become less frequent.

Preserving data is essential when a network has been penetrated (Targeted Cyber Intrusion Detection and Mitigation Strategies, 2013). If you restart a system, some data may be lost, so it is important to collect log data and live system data before shutting down a compromised system. Detailed notes and observations should be kept, as they may be used in a criminal investigation. Personnel performing a cyber-incident response should also avoid making any changes to operating systems or hardware, as this may overwrite information that pertains to the incident.

Setty (n.d.) suggests a variety of methods to manage credentials. Passwords should have an aging feature with a predetermined minimum and maximum password age. You should also never store a password on a device or write it down. Setty (n.d.) further suggests that passwords should have an enforced minimum length and require a mixture of upper case, lower case, symbols and numbers. System administrators should be especially conscientious about their passwords: admins should choose stronger, more complex passwords than users.

Logging capabilities should be enabled on all systems. According to Targeted Cyber Intrusion Detection and Mitigation Strategies (2013), logging should be maximized for firewalls, proxy servers, domain name servers, intrusion detection systems, packet captures, flow data from routers and switches, and host application logs. It may require a lot of space to keep and maintain these logs, so ensure you have adequate storage before implementing maximized logging. It is also important to note that logs require a person to read them; logs will do little good without a properly trained person reviewing them.
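The point that logs are only useful if someone reviews them is worth making concrete: the review can be automated for the common cases. The following is an added example, not code from the paper or its sources. It runs a simple brute-force detector over a handful of constructed authentication log lines written in the OpenSSH "Failed password / Accepted password" format; the five-failures-in-sixty-seconds threshold is an assumption, and the IP addresses and usernames are made up.

```python
"""Review authentication logs for brute-force activity.

Added example, not from the original paper: the log lines below are
constructed in the common OpenSSH 'Failed/Accepted password' form and
the thresholds are assumptions, not values from any cited source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one host being password-sprayed from 10.0.0.7, which
# finally succeeds, and a second source that fails twice and goes away.
SAMPLE_LOG = """\
2015-03-14T02:10:01 sshd[4120]: Failed password for invalid user admin from 10.0.0.7 port 51022 ssh2
2015-03-14T02:10:03 sshd[4120]: Failed password for invalid user admin from 10.0.0.7 port 51023 ssh2
2015-03-14T02:10:05 sshd[4122]: Failed password for root from 10.0.0.7 port 51024 ssh2
2015-03-14T02:10:08 sshd[4123]: Failed password for tcurtis from 10.0.0.7 port 51025 ssh2
2015-03-14T02:10:11 sshd[4124]: Failed password for tcurtis from 10.0.0.7 port 51026 ssh2
2015-03-14T02:10:15 sshd[4125]: Accepted password for tcurtis from 10.0.0.7 port 51027 ssh2
2015-03-14T02:12:40 sshd[4130]: Failed password for tcurtis from 192.0.2.5 port 40100 ssh2
2015-03-14T02:14:02 sshd[4131]: Failed password for tcurtis from 192.0.2.5 port 40101 ssh2
2015-03-14T03:00:00 sshd[4140]: Accepted publickey for backup from 10.0.0.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_events(text):
    """Return (timestamp, result, user, ip) tuples for lines the regex understands."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> findings.

    'brute-force' fires when one source accumulates `threshold` failures
    inside a sliding `window`; 'success-after-failures' fires when a source
    that still has recent failures then logs in successfully, which is the
    case an analyst most wants to see first.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = defaultdict(set)
    for ts, result, _user, ip in sorted(events):
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                flagged[ip].add("brute-force")
        elif result == "Accepted" and q:
            flagged[ip].add("success-after-failures")
    return dict(flagged)


if __name__ == "__main__":
    for ip, findings in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, sorted(findings))
```

On the sample, 10.0.0.7 trips both findings and 192.0.2.5 trips neither, because its two failures are more than a minute apart; the window matters as much as the count. A real deployment would feed the same logic from the firewall, proxy and host logs the paragraph lists, and would alert a person on the "success-after-failures" case rather than just writing another log line.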

Another method of limiting the damage caused by attackers is to segment the network. Network segmentation is the process of separating a large network into several smaller networks through the use of firewalls, switches and similar devices (Harris, 2014). By segmenting the network you make attacking significantly more difficult, make intrusion detection easier and reduce the amount of data that can be leaked in the event of a breach.

An organization's applications can also be whitelisted to enhance its security posture. Application whitelisting is the practice of allowing only specifically approved applications to run; every other program is explicitly denied (Targeted Cyber Intrusion Detection and Mitigation Strategies, 2013). By explicitly denying anything except what is permitted to run on an organization's network, security is greatly enhanced.

There is a point at which an organization determines what an acceptable level of risk is. Acceptable risk is determined by the actual risk and the cost impact to an organization. What is acceptable for one organization may not be acceptable for another.

Acceptable risk is determined by management because management understands the impact to the company if business objectives cannot be met (Harris, 2014). Management needs to rely on the security team because management may not understand the probability of risk. Once the security team has conveyed the probability of the risk, management can determine whether the impact is great enough to warrant securing against.

If management does not believe the threat is great enough to be worth securing against, the risk is known as an acceptable risk. Management makes the determination that the business impact is not severe enough and accepts the chance that there may be a breach.

So far we have touched on information security largely as a virtual matter. However, physical security is an integral part of an organization's information security. After all, if an attacker can walk right up to a server, plug a drive into it and extract a company's data, what good is network and server security?

Giannoulis & Northcutt (n.d.) recommend a variety of physical security measures. Server room protection, workstation protection, building perimeter protection and the immediate areas around the building are all aspects of physical security to consider when planning an organization's information security.

Shinder (2007) suggests locking the server room, using lockable server racks and putting surveillance in place. Access control is also a great security method, so you know which authorized users accessed the server room. Good locks that cannot easily be broken are essential here; if your locks can be knocked off easily, they are not protecting much. Locking the server racks is just another layer in case the intruder does get past the door locks. With surveillance, if anyone does attempt to force their way past your locks, you will have video of them doing it, and hopefully the intruder will be identifiable for action by law enforcement.


When securing workstations, it is a good idea to use physical locks, harden the operating system and BIOS, and teach user awareness (Giannoulis & Northcutt, n.d.). Physical locks help keep people from stealing the workstations. User awareness teaches users to ask questions if they see a stranger working on a laptop. Hardening the operating system and BIOS can prevent unauthorized booting, theft of data and malicious software being loaded onto the workstation via physical access.

The building perimeter defense is also an essential component of the physical security of information systems. The Physical Security Handbook (440-2-H) suggests physical barriers, fencing, gates, protective lighting, reinforced doors and windows, and security on entry and egress. Fences create a barrier around the building that makes attempting to pass through inconvenient. Gates allow fences to be passed through by authorized personnel and create a bottleneck for access. Protective lighting helps security personnel detect intruders from a distance in dark or poorly lit areas. Reinforced doors are more difficult to break into than doors that are not reinforced, and windows can also be strengthened to prevent would-be intruders from breaking the glass to enter.

When an external cyber actor attempts to penetrate an organization's network, they use a very specific and methodical approach. Johansson & Riley (2005) identify the steps an attacker takes to break into a network as recon and footprinting, network scanning and enumeration, initial penetration, privilege escalation, maintaining access and covering tracks. These steps not only allow the actor to compromise an organization's network, but also allow the hacker to remain in the network undetected for a length of time.

Recon and footprinting is the act of looking at a network and probing for weaknesses (Johansson & Riley, 2005). During this phase the hacker may review company websites and publicly available information, and look for executive information with which to create phishing attacks. The first things the hacker must know are the basics of the organization and its people. Even something like a mission statement may give an attacker information that can be used against the organization.

After recon and footprinting, the actor performs scanning and enumeration of the network (Johansson & Riley, 2005). This consists of creating a map of the network devices, internet protocol addresses, network ranges, domain names, brands of network equipment and servers, and operating system information. With this information the attacker can determine what types of attacks would be most effective against the network, through use of vulnerability assessment software or other means.

Once the attacker has a plan in mind, based on the information discovered about the network, the attack commences. This may be a brute-force attack, a phishing attempt, exploitation of a vulnerability or even a social engineering attempt. This attack gives the attacker at least basic access to the network (Johansson & Riley, 2005). The credential stolen may be, and often is, that of a low-level employee, but a low-level employee's credential is enough for the hacker to begin wreaking havoc.

The next step for the bad actor is to escalate privileges (Johansson & Riley, 2005). There are a variety of ways to escalate privilege, but the end result is always the same: the attacker wants root or administrative rights to the network. The hacker wants, for all intents and purposes, to own the network, and uses the basic credentials he or she has already compromised to penetrate further and dig hooks into the network.

Once the attacker owns the system, he or she will install a variety of malicious software designed to keep access active (Johansson & Riley, 2005). The attacker may create another hidden account to use, install back doors, reduce security or employ a variety of other methods. The goal is to always have access, even if the system security administrators discover the breach.

The final step for an attacker is to cover their tracks (Johansson & Riley, 2005). Maintaining access to a system is significantly easier if the attacker is not caught, and covering tracks also makes prosecution more difficult for law enforcement. The attacker may delete or modify logs, time stamps and more.

The variety of malicious software attackers use is vast, but it fits into some basic categories: viruses, Trojans, bots, worms, backdoors and exploits (What Is the Difference: Viruses, Worms, Trojans, and Bots?).

Viruses are malicious software programs designed to harm the systems they run on. They are destructive and self-replicating, and propagate from system to system through their host file (What Is the Difference: Viruses, Worms, Trojans, and Bots?).

Worms are very similar to viruses. They can be just as devastating and are self-replicating as well. The major difference between a virus and a worm is that a worm does not require a host file to replicate. Worms may rely on an exploit in an operating system or send themselves via email (What Is the Difference: Viruses, Worms, Trojans, and Bots?).

Trojans are malicious software designed to trick an operating system or user into installing them. Once installed, a Trojan can take a variety of actions; it may simply annoy a user or may be much more malicious. Trojans can do a variety of malicious things under the guise of being legitimate programs (What Is the Difference: Viruses, Worms, Trojans, and Bots?).

Bots are programs that automatically perform tasks. Bots can be legitimate pieces of software used to automate mundane tasks, or they can be used for malicious intent. A malicious bot installed on a computer may automatically log information and send it to a server at intervals, or perform any variety of automated tasks the attacker may want (What Is the Difference: Viruses, Worms, Trojans, and Bots?).

Backdoors are pretty much what the name says. Usually backdoors are dropped by Trojans. Older backdoors sat dormant on a system and waited for a connection from the attacker (What Is the Difference: Viruses, Worms, Trojans, and Bots?).

System administrators became wise to attackers connecting to their backdoors and started using firewalls to block the inbound connections. Newer, more sophisticated backdoors instead call out to an attacker's internet address, trying to connect home; firewalls, as a general rule of thumb, did not block outbound connections (What Is the Difference: Viruses, Worms, Trojans, and Bots?).

Now security administrators may block outbound ports as well. To circumvent this, backdoor developers have begun using legitimate ports to make backdoor traffic look like other legitimate traffic. If a backdoor uses port 80, the hypertext transfer protocol web port, it blends in with normal traffic; even if a system admin did detect the backdoor, they could not block port 80 without blocking everyone's access to the web (What Is the Difference: Viruses, Worms, Trojans, and Bots?). In practice the gap is narrower than it looks: forcing outbound web traffic through a proxy that checks the traffic really is HTTP, and watching for the regular "beaconing" rhythm such implants tend to show, both reveal backdoors that merely borrow the port.
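A backdoor that hides on port 80 can still be picked out of the flow data the logging section says to collect, because an implant polling its operator tends to connect on a fixed timer with near-identical payload sizes, while a person browsing does neither. The following is an added example, not code from the paper or its sources. It runs a periodicity check over constructed flow records (source, destination, destination port, start time in seconds, bytes sent); the addresses are documentation ranges, and the thresholds for "too regular to be a human" are assumptions.

```python
"""Spot periodic 'call home' traffic on port 80 in flow records.

Added example, not from the original paper. The flow records are
constructed (src, dst, dst port, start time in seconds, bytes out); the
jitter and size-spread thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows from one workstation: a beacon to 203.0.113.9:80 every
# ~300 s with small, uniform payloads, and ordinary browsing of 198.51.100.4:80
# at irregular times with wildly varying sizes.
SAMPLE_FLOWS = [
    ("10.1.5.23", "203.0.113.9", 80, 0, 412),
    ("10.1.5.23", "203.0.113.9", 80, 301, 410),
    ("10.1.5.23", "203.0.113.9", 80, 599, 415),
    ("10.1.5.23", "203.0.113.9", 80, 902, 411),
    ("10.1.5.23", "203.0.113.9", 80, 1198, 409),
    ("10.1.5.23", "203.0.113.9", 80, 1503, 413),
    ("10.1.5.23", "198.51.100.4", 80, 40, 15230),
    ("10.1.5.23", "198.51.100.4", 80, 75, 2041),
    ("10.1.5.23", "198.51.100.4", 80, 620, 78822),
    ("10.1.5.23", "198.51.100.4", 80, 1310, 5500),
    ("10.1.5.23", "198.51.100.4", 80, 1340, 9001),
]


def find_beacons(flows, min_connections=5, max_jitter=0.05, max_size_spread=0.10):
    """Return {(src, dst, dport): mean interval} for conversations that look timed.

    A conversation is flagged when it has at least `min_connections` flows,
    the coefficient of variation of the gaps between flows is at most
    `max_jitter`, and the coefficient of variation of the byte counts is at
    most `max_size_spread`. Both statistics are scale-free, so the same
    thresholds work for a 5-minute beacon and a 24-hour one.
    """
    by_conversation = defaultdict(list)
    for src, dst, dport, start, nbytes in flows:
        by_conversation[(src, dst, dport)].append((start, nbytes))

    beacons = {}
    for conv, records in by_conversation.items():
        if len(records) < min_connections:
            continue
        records.sort()
        intervals = [b[0] - a[0] for a, b in zip(records, records[1:])]
        sizes = [nbytes for _start, nbytes in records]
        if mean(intervals) == 0 or mean(sizes) == 0:
            continue   # degenerate data (all at once / empty flows); not a timer
        interval_cv = pstdev(intervals) / mean(intervals)
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_jitter and size_cv <= max_size_spread:
            beacons[conv] = mean(intervals)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{dport} every {period:.0f}s looks like a beacon")
```

Only the 203.0.113.9 conversation survives the filter: its gaps are 296 to 305 seconds and its sizes all sit around 411 bytes, whereas the browsing session has the same number of connections but gaps from 30 to 690 seconds. The check is deliberately blind to port and protocol, which is the point: it catches the implant that chose port 80 precisely so a port-based rule would not.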

There are a variety of defense methods for the plethora of attacks in existence. There is no panacea or single defense that can be put in place. Information security requires a layered approach, like an onion: as each layer is stripped away, the attacker finds another piece of security. The goal is to make penetration into an organization so difficult that the attacker will move on to an easier target. Good options for a layered security approach are antivirus, anti-malware, firewalls, routers, switches, and intrusion detection and prevention systems.

An antivirus is a piece of software designed to detect viruses. Antivirus detects viruses based on a signature detection method. In other words, it scans files looking for a portion of the code to match what is known to be a virus. If a virus signature is matched, the software may quarantine, delete or prompt a user for interaction (McDowell & Householder, 2009).

Anti-malware is similar to antivirus in that it is a signature based detection system. The big difference is that antivirus is designed to scan for viruses while anti-malware scans for other types of malware like Trojans or bots (Henry, 2013).
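The signature method described for both antivirus and anti-malware comes down to searching files for known byte patterns and acting on a match. The following is an added example, not code from the paper or any product: the signature bytes, file names and the two separate signature sets are constructed placeholders, and the quarantine action is modelled as moving the file into a side directory.

```python
"""Signature-based file scanning, the detection method described for antivirus
and anti-malware. Signatures and sample files are constructed placeholders
(the byte patterns are not real malware signatures).
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte sequence known to appear in the malicious file

# Separate signature sets, mirroring the antivirus / anti-malware split.
ANTIVIRUS_SIGS = [Signature("Example.Virus.A", b"VIRUS-SIG-EXAMPLE-A")]
ANTIMALWARE_SIGS = [Signature("Example.Bot.B", b"BOT-SIG-EXAMPLE-B")]

def scan_bytes(data: bytes, signatures) -> Optional[Signature]:
    """Return the first signature whose byte pattern occurs in the data."""
    return next((s for s in signatures if s.pattern in data), None)

def scan_directory(root: Path, signatures, action="quarantine") -> dict:
    """Scan every file under root; return {relative path: signature name}.
    action is one of "report", "quarantine" (move aside) or "delete"."""
    hits = {}
    quarantine = root / ".quarantine"
    for path in sorted(root.rglob("*")):
        if not path.is_file() or quarantine in path.parents:
            continue  # skip directories and already quarantined files
        sig = scan_bytes(path.read_bytes(), signatures)
        if sig is None:
            continue
        hits[str(path.relative_to(root))] = sig.name
        if action == "quarantine":
            quarantine.mkdir(exist_ok=True)
            path.rename(quarantine / path.name)
        elif action == "delete":
            path.unlink()
    return hits

def build_sample() -> Path:
    """Create a temporary directory with one clean and two 'infected' files."""
    root = Path(tempfile.mkdtemp())
    (root / "clean.txt").write_bytes(b"quarterly report, nothing unusual")
    (root / "infected.bin").write_bytes(b"MZ...VIRUS-SIG-EXAMPLE-A...")
    (root / "bot.bin").write_bytes(b"MZ...BOT-SIG-EXAMPLE-B...")
    return root
```

The limitation the page implies is visible here: a file whose bytes differ from every stored pattern is reported clean, which is why signature databases need constant updates.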

Firewalls can be either software or hardware. Firewalls block network traffic based on their configurations. The configuration may specify a port, application, internet protocol or network range. Firewalls can also be used to whitelist, or only allow, specified traffic to enter or exit a network. While the premise is the same, whitelisting is configured to allow the specified traffic and then block all other traffic (Michigan CyberSecurity Hardware Firewall vs Software Firewall).
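The difference between blocking listed traffic and whitelisting (allowing listed traffic and dropping everything else) is a difference in the default policy. The following is an added example, not code from the paper or any firewall product: a small rule evaluator matching on protocol, destination port and source/destination network range, with constructed rules and documentation-range addresses; first-match ordering is an assumption of the example.

```python
"""Firewall rule evaluation in the two modes the page contrasts: a blocklist
(everything not explicitly denied passes) and an allowlist/whitelist (only
explicitly allowed traffic passes, everything else is dropped). Rules match on
protocol, destination port and source/destination network range. Addresses
and rules are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    src_net: Optional[str] = None  # CIDR; None matches any source
    dst_net: Optional[str] = None  # CIDR; None matches any destination

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src_net is None or ip_address(p.src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net)))

def evaluate(rules, packet: Packet, default: str) -> str:
    """First matching rule decides; with no match the default policy applies.
    First-match ordering is an assumption of this example, not a standard."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Blocklist mode: deny a few known-bad services, default allow.
BLOCKLIST = [Rule("deny", proto="tcp", dport=23)]  # telnet
# Allowlist mode: permit web and internal DNS from the office LAN, default deny.
ALLOWLIST = [
    Rule("allow", proto="tcp", dport=80, src_net="10.0.0.0/24"),
    Rule("allow", proto="tcp", dport=443, src_net="10.0.0.0/24"),
    Rule("allow", proto="udp", dport=53, src_net="10.0.0.0/24", dst_net="10.0.0.53/32"),
]
```

With the blocklist a service nobody thought to list (RDP on 3389 in the test below) passes; with the allowlist it is dropped, which is the security gain of the whitelisting approach.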

Hardware firewalls are used more for perimeter network defense and demilitarized zones. Software firewalls are generally used on end points such as workstations. Hardware firewalls protect entire networks. They can also be used to enhance security when a resource must be externally facing but requires access to an internal server such as a database (Michigan CyberSecurity Hardware Firewall vs Software Firewall).

Routers can be configured to enhance security as well. An administrator can manually create certain routes to networks. If the network does not have a route, traffic can never access it. This allows an administrator to set up internal networks that never face the external internet, which increases security (Network Security Features for the Enterprise Headquarters).

Switches have layer 2 security abilities. Switches can be locked down based on MAC addresses and switch ports (Bhaiji, 2005). If a machine that is not authorized even connects to a network, the port would be shut down, preventing the would-be attacker from even getting access to the network.

Intrusion detection systems are nodes that can be placed throughout the network. An intrusion detection system could be placed at the entry/egress point of a network to capture all data, or at individual subnetted networks (Scarfone & Mell, 2007).

By placing an intrusion detection system at the entry/egress point of a network an administrator will create a lot of work. The logs must be reviewed by a person (Scarfone & Mell, 2007). Placing an intrusion detection system at the external point of the network creates massive logs that may become unmanageable.

Placing intrusion detection systems at various points for individual networks or network segments still requires a lot of work, but is easier for an administrator to read (Scarfone & Mell, 2007). As the number of intrusion detection nodes increases, so does the need for additional administrators.

Intrusion prevention systems work very similarly to intrusion detection systems. The big difference is that intrusion prevention systems will actively drop network packets the system determines to be malicious (Scarfone & Mell, 2007). The caveat with intrusion prevention systems is that they must be tuned or they will drop legitimate traffic. If legitimate traffic is being dropped by a prevention system, the organization's productivity will suffer.

There are a variety of different industry compliance organizations that dictate a minimum level of information security that must be met by organizations in that industry. Two major industry compliance regimes are the Payment Card Industry (PCI) standard and the Health Insurance Portability and Accountability Act (HIPAA). These two data compliance regimes are required for a large portion of businesses in the United States.

Payment Card Industry certification is required of any merchant or organization that accepts, transmits or stores any cardholder data (PCI Compliance Guide). If an organization plans on accepting even one credit card, they must meet Payment Card Industry compliance. If the organization does not meet Payment Card Industry compliance, the organization could be subject to fines.

The Health Insurance Portability and Accountability Act dictates the security required of health care providers (Summary of the HIPAA Security Rule). It is designed to keep confidential patient data secure. Any organization in the health industry must follow the Health Insurance Portability and Accountability Act.

In addition to industry compliance requirements, there are also laws in place that are required of organizations. These laws dictate how data and information systems are handled in the United States.

The Homeland Security Act of 2002 was enacted in an effort to prevent terrorist attacks in the United States. The act is supposed to mitigate damages and minimize vulnerability to the United States and its citizens (Fischer, 2013). The Homeland Security Act also applies vaguely to technology, as terrorists could use technology to wreak havoc on the United States.

Another act introduced in 2002 was the Federal Information Security Management Act (FISMA). This act was signed into law as legislation that protects United States government information and assets against threats (Fischer, 2013). The act seeks to be an overarching, all-encompassing act for government information security.

In 1999 the Gramm-Leach-Bliley Act (GLBA) was introduced. The GLBA was an attempt to control how financial institutions protect and use the private information of their clients (Fischer, 2013). Financial institutions were beginning to use information technology more widely, thus creating the need for law to govern how the financial institutions used and transmitted personal information.

Another act, introduced in 1994, was the Communications Assistance for Law Enforcement Act (CALEA). This act forced telephone companies to redesign their networks in order to make it easier for law enforcement to listen in on the wire (Fischer, 2013). The act was redesigned in 2004 to apply to communications over the internet and voice over internet protocol systems as well.

The Department of Defense Appropriations Act was enacted in 1987. This act was designed to give the United States military the authority it needed to undertake military operations (Fischer, 2013). As information technology became more widely utilized, the act started to apply to methods of cyber warfare as well.

The High Performance Computing Act, enacted in 1991, gave funds needed to create a major internet network (Fischer, 2013). It allowed for faster internet speeds, fuelling economic growth, education and more. The creation of faster internet became known as the information superhighway.

The Privacy Act of 1974 has been invoked in numerous industries. It applies to technology as well. The Privacy Act of 1974 governs the collection, maintenance and use of private information (Fischer, 2013). This act was huge because it created accountability for the private information citizens are required to give out.

The E-Government Act of 2002 provided a framework for information security for federal computer networks and systems (Fischer, 2013). The act established a minimum requirement that had to be adhered to by government agencies.

In the information age, when attackers are relentlessly pounding on organizational information security, well informed organizations will emerge victorious. Armed with a variety of tools, organizations will be able to stand up to cyber bullies threatening to steal data or cripple the organization. Understanding the risks, processes and methodologies of attackers, how to mitigate the attacks and the specific laws governing the information age will put an organization on top.

References

2013 Cost of Data Breach: Global Analysis. (2013, May 1). Retrieved January 30, 2015.

Baumann, R. (2002, November 24). Ethical Hacking. Retrieved February 9, 2015.

Bayuk, J. (2009, June 16). How to Write an Information Security Policy. Retrieved February 10, 2015.

Bhaiji, Y. (2005, January 1). Layer 2 Attacks & Mitigation Techniques. Retrieved February 10, 2015.

Business Owners. (n.d.). Retrieved February 9, 2015, from http://www.staysmartonline.gov.au/business_owners

Chandler, G. (2012, May 8). Top 10 Notorious Black Hat Hackers. Retrieved February 24, 2015.

CIP Compliance. (n.d.). Retrieved February 10, 2015, from http://www.nerc.com/pa/CI/Comp/Pages/default.aspx

Coleman, T. (2014, May 10). Cybersecurity Threats Include Employees. Retrieved February 9, 2015.

Data Governance Risk: Challenges in Information Security. (n.d.). Retrieved February 9, 2015, from http://web-docs.stern.nyu.edu/old_web/emplibrary/Stiglianese_Data_Governance_and_Operational_Risk_Calculation_SLIDESHOW.pdf

Fischer, E. (2013, June 20). Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions. Retrieved January 30, 2015.

Giannoulis, P., & Northcutt, S. (n.d.). Security Laboratory. Retrieved February 9, 2015.

Grimes, R. (2013, September 30). 7 sneak attacks used by today's most devious hackers. Retrieved February 10, 2015.

Harris, S. (2006, April 1). How to define an acceptable level of risk. Retrieved February 9, 2015.

Harrison, R. (2014, June 6). Network Segmentation Key To Good Network Hygiene. Network Computing. Retrieved February 26, 2015.

Henry, A. (2013, August 21). The Difference Between Antivirus and Anti-Malware (and Which to Use). Retrieved February 10, 2015.

Hoffman, C. (2013, April 20). Hacker Hat Colors Explained: Black Hats, White Hats, and Gray Hats. Retrieved February 24, 2015.

Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information. (2014, September 23). Retrieved February 9, 2015.

Information Technology Services. (n.d.). Retrieved February 9, 2015, from http://www.ucop.edu/information-technology-services/initiatives/resources-and-tools/security-incident-handling.html

Johansson, J., & Riley, S. (2005). Anatomy of a Hack. In Protect your Windows network: From perimeter to data (p. 608). Upper Saddle River, NJ: Addison-Wesley.

Johnson, M., & Goetz, E. (2007, May/June). Embedding Information Security Into the Organization. IEEE Security & Privacy, 16-24.

Jones, P. (2000, July 1). Organizational Information Security from Scratch. Retrieved February 9, 2015.

Khan, M. (2014). Effectiveness of Detective and Preventative Information Security Controls in Information Systems Organizations. Canadian Journal of Pure & Applied Sciences, 8(3), 3125-3129.

Long, L. (2012, January 26). Profiling Hackers. Retrieved February 9, 2015.

McDowell, M., & Householder, A. (2009). Security Tip (ST04-005). Retrieved February 10, 2015.

Michigan CyberSecurity - Hardware Firewall vs Software Firewall. (n.d.). Retrieved February 10, 2015, from http://www.michigan.gov/cybersecurity/0,4557,7-217--108698--,00.html

Network Security Features for the Enterprise Headquarters. (n.d.). Retrieved February 10, 2015, from http://www.cisco.com/c/en/us/products/collateral/routers/7301-router/product_data_sheet0900aecd802c982b.html

Payment Card Industry (PCI) Data Security Standard. (2013, November 1). Retrieved February 10, 2015, from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

PCI Compliance Guide. (n.d.). Retrieved February 28, 2015, from https://www.pcicomplianceguide.org/pci-faqs-2/#2

Pelgrin, W. (2015, January 1). 2015 Cyber Security Outlook. Monthly Security Tips Newsletter, 1-2.

Physical Security Handbook 440-2-H. (2013, January 13). Retrieved February 27, 2015.

Protect Your Computer From Viruses, Hackers, and Spies. (n.d.). Retrieved February 9, 2015, from http://oag.ca.gov/privacy/facts/online-privacy/protect-your-computer

Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved February 9, 2015.

Rashed, T. (2012, April 18). State Sponsored Hacking and Cyber Security Policy. Retrieved February 24, 2015.

Renfroe, N., & Smith, J. (2014, August 18). Threat/Vulnerability Assessments and Risk Analysis. Retrieved February 9, 2015.

Report, P. (2014, December 30). New evidence Sony hack was 'inside' job, not North Korea. Retrieved February 24, 2015.

Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS): Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-94, 1-127. Retrieved February 10, 2015.

Setty, H. (n.d.). System Administrator Security Best Practices. Retrieved February 24, 2015, from http://www.sans.org/reading-room/whitepapers/bestprac/system-administrator-security-practices-657

Shinder, D. (2007, July 16). 10 Physical Security Measures Every Organization Should Take. Retrieved February 27, 2015.

Summary of the HIPAA Security Rule. (n.d.). Retrieved February 10, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Targeted Cyber Intrusion Detection and Mitigation Strategies (Update B). (2013, February 6). Retrieved February 9, 2015.

Thompson, C. (2013, January 18). Hacktivism: Civil Disobedience or Cyber Crime? Retrieved February 24, 2015.

Vicinanzo, A. (2015, January 26). DHS Accidental Insider Top Threat to Federal Cybersecurity, SolarWinds Finds. Retrieved February 9, 2015.

Walters, R. (2014, October 27). Cyber Attacks on U.S. Companies in 2014. Issue Brief, 4289, 1-5. Retrieved February 9, 2015.

What Is the Difference: Viruses, Worms, Trojans, and Bots? (n.d.). Retrieved February 10, 2015, from http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html

Zients, J., Kundra, V., & Schmidt, H. (2010, April 21). Memorandum for Heads of Executive Departments and Agencies. Retrieved February 10, 2015, from http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf