Discuss Information Security.
As discussed by Andress (2014), Information Security refers to the protection of the sensitive and confidential data of an organization or its clients from malicious intrusions and mishandling. In the case of federal information handling and financial organizations, the digitized client database extends beyond credit and debit card information and other user data, and it therefore requires safeguards against intrusive operations and critical embezzlement (Silver-Greenberg, Goldstein, & Perlroth, 2016).
The report critically evaluates two cases of data security breach that resulted in the compromise of about one billion clients’ information. The fundamental aim of the report is to provide insight into the Home Depot data security breach and the JPMorgan Chase Bank hack. The report covers the results of each attack, the immediate reasons it happened, and the probable solutions to prevent further cases of data leakage and security breach (Silver-Greenberg, Goldstein, & Perlroth, 2016).
The Home Depot data breach compromised the details of nearly fifty-six million credit cards, as well as debit card data. The cost of the compromised data amounted to about one ninety-four million dollars for every piece of compromised information. The breach imposed heavy costs on Home Depot, both for investigating the case and for preventing further such attacks. The investigation cost the company nearly 43 million, pre-tax (Banjo, 2016). The average amount spent on the investigation of every record in the compromised database is approximately sixty million. Notification costs were also incurred in informing customers about the data breach. Home Depot had to inform about 60 million clients about the incident and incurred an expense of about 27.44 million for that single notification to the clients (Sans.org, 2016).
Stealing of the credit card data and making revenue from the stolen items: The hackers stole the customers’ credit card information and sold it on the “Darknet”. The cyber criminals made money by selling the information to cyber crime intermediaries (Nordstrom & Carlson, 2014). Then came the “carders”, who traded the stolen card information from phishing websites and other retail breach stores. The attackers then used the details to carry out online trading at sites like Amazon and Best Buy (Sans.org, 2016).
Phishing websites: Once the cyber criminals had bought the items for resale, they went untraced. The key malware used by the criminals was memory-scraping malware. They used this malware to read information from the RAM and the Point of Service terminal, which provided the attackers with plain-text versions of the credit card information (Kim et al., 2013).
0-Day vulnerability: The intruders used a 0-Day vulnerability in Windows to move from the vendor environment to the corporate network (Armin et al., 2014). On reaching the Home Depot corporate network, the intruders deployed the memory-scraping malware. All these steps helped them to gather the credit and debit card information (Sans.org, 2016).
Firstly, the most essential of all the Information Security components is securing the workstation hardware and software. Though the Home Depot system had Symantec End Point Protection, it did not include the Network Threat Security, which provides an environment for the Host-based Intrusion Prevention System. The organization also lacked Point-to-Point encryption, a module that ensures encryption at the end points, such as at the point of swiping (Sans.org, 2016). Home Depot also did not have secure software at the operating system level of the Point of Service terminals. Windows XP Embedded SP3 was highly vulnerable to attack, and Home Depot should have moved to a newer version of the Windows platform (Virvilis et al., 2013).
Point-to-Point Encryption: This module could have defeated the attack even after the infiltration of the Point of Service network and the deployment of the memory-scraping malware. The P2P technique encrypts the card at the point where the credit or debit card is swiped, safeguarding the four-digit PIN code, and ensures that the process is completed before the code reaches memory. This involves a unique key for the encryption, but the technique differs between credit cards and debit cards (Elovici & Altshuler, 2013). The basic algorithm to be utilized is the P2P encryption technique (Sans.org, 2016).
Figure 1: Point-to-Point Encryption and Decryption
(Source: As created by the author)
As is evident from the diagram, this type of attack for stealing credit cards can be stopped (Sans.org, 2016).
Network segregation and role-based control of access: Network segregation could have been useful by fragmenting the internal network into segments, so that intruders do not gain an extensive zone to affect by breaching a single layer (Sans.org, 2016). It fundamentally aims at protecting critical data and keeping it invisible to unwanted intruders. The segregation implies the deployment of a Virtual Local Area Network (VLAN) that contains the critical and sensitive servers. This provides access control at the TCP level, in addition to securing the sensitive corporate data and firewalling at the network boundaries. Role-based access control (RBAC) removes the previous role when a new role is enrolled, on a one-role-at-a-time basis (Burke et al., 2013).
Figure 2: Network Segregation
(Source: Sans.org, 2016)
Managing third-party vendor credentials: This technique maintains the identities of internal and external employees, and it restricts attackers from moving from the vendor-specific environment to the corporate network environment (Beck & Swensen, 2015).
The cyber attack compromised a collection of database applications and a list of programs designed to run on JPMorgan’s computers, in effect a road map of sorts to the addresses. The intruders’ next step was to validate this road map against the susceptible points of the programs and network applications that they had already discovered. The prime intention of the intruders was to find a point of entry into the bank’s database systems. The intrusion resulted in the compromise of the Personally Identifiable Information (PII) of nearly seventy-six million households and about seven million ancillary commercial firms (Silver-Greenberg, Goldstein, & Perlroth, 2016). The PII that was hacked included identities, contact details such as residential addresses, contact numbers and e-mails, and organization-specific data regarding the PII of the users. Nevertheless, the evidence did not include the compromise of other details like login IDs, Social Security Numbers or user passwords. Since there was no record of any fraudulent activity mapped to the compromised addresses, the company declared a non-liability clause on the victimized accounts’ end (Ahmed et al., 2014). Thus, the fundamental problem of the attack was the unauthorized access to the user accounts of the clients.
The direct victims of the JPMorgan Chase hack were the clients, whose user credentials, such as Social Security Numbers and passwords, and other sensitive PII, such as names, contact addresses and details, were compromised. The attack affected about seventy-six million household accounts and compromised the corporate data of nearly seven million small business firms. The evidence does not currently show any embezzlement. However, the JPMorgan Information Security officials suspect that use of the compromised information for a major attack may be forthcoming. The bank had to pay millions to settle the case on the non-liability clause on the clients’ end (Sans.org, 2016).
The intruders infected an employee’s personal workstation with malware and stole the employee’s login credential. The hackers gained access to the internal organizational network when the employee connected remotely to JPMorgan Chase’s corporate network through the organization’s virtual private network. The attack proceeded by overcoming the hurdles of the multi-layered security, infecting each layer with malicious code that had already been developed with the aim of penetrating Chase’s network (Sans.org, 2016). Thus, the hackers gained administrative privileges at the topmost level and got hold of ninety server commands by utilizing more than one 0-Day vulnerability. The intruders acquired the information over an extended span of time to avoid early detection. The usurped administrative credential would have been futile if the overlooked server had received the update to the two-step verification method for security (Brenner & Lindsay, 2015).
Figure 3: Steps of the attack to reach the topmost level of the servers
(Source: As created by the author)
The hackers deleted most of the footprints of the attack by removing some of the login files and programs. The intrusion was detected when it was deployed in a charity channel of JPMorgan Chase. Hold Security, which detected about one billion hacked user credentials, highlighted the attack.
The steps that should have been taken to stop the attack are:
Host-based IPS and whitelisting: The host-based Intrusion Prevention System (HIPS) could have stopped the attack at the VPN layer. It makes use of system calls to detect human-computer interactions through the correlation of application activities, and it stops or halts activities when it detects something suspicious. It is preferred over network-based IPS because it performs monitoring at the level of the individual computer (Sans.org, 2016). Whitelisting approves applications that are on the list and denies those that have not been approved. One effective implementation of whitelisting is the code-signing of applications. Besides maintaining the integrity of the software through publisher signatures, whitelisting requires updating and fine-tuning as applications change. HIPS and whitelisting could have detected malware at the application layer in the JPMorgan Chase hack (Glass & Callahan, 2014).
Network segregation and role-based control of access: Network segregation could have been useful by fragmenting the internal network into segments, so that intruders do not gain an extensive zone to affect by breaching a single layer (Sans.org, 2016). It fundamentally aims at protecting critical data and keeping it invisible to unwanted intruders. The segregation implies the deployment of a Virtual Local Area Network (VLAN) that contains the critical and sensitive servers. This provides access control at the TCP level, in addition to securing the sensitive corporate data and firewalling at the network boundaries. Role-based access control (RBAC) removes the previous role when a new role is enrolled, on a one-role-at-a-time basis (Burke et al., 2013).
Proxy usage with outbound traffic and defense against 0-Day vulnerability: The intruders utilized the command-and-control encryption algorithm to overcome all the security hurdles and get hold of the VPN server connection. The outbound traffic proxy is capable of decrypting or verifying the cryptographic keys and detecting unauthorized keys that are not on the company register of keys (Kamiya et al., 2015). The best set of defenses against 0-Day vulnerabilities includes analysis based on statistics, digital signatures, interactions and even the organization size (Kaur & Singh, 2014).
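The network segregation and one-role-at-a-time RBAC recommended above for both Home Depot and JPMorgan Chase, sketched as an added example that is not part of the original report. The segment names, subnets, ports and roles are constructed assumptions; the code evaluates a default-deny policy between segments and shows a new role replacing the previous one.

```python
import ipaddress

# Constructed segments: names and subnets are assumptions, not taken from either case.
SEGMENTS = {
    "vendor": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/24"),
    "payment": ipaddress.ip_network("10.40.0.0/28"),
}
# Default deny between segments: only these (source, destination, TCP port) flows pass.
ALLOWED_FLOWS = {("vendor", "corporate", 443), ("pos", "payment", 8443)}
# Hypothetical roles and the segments each one may administer.
ROLE_SEGMENTS = {"vendor_support": {"vendor"}, "store_admin": {"pos"},
                 "payment_ops": {"payment"}}


def segment_of(ip):
    """Return the name of the segment holding ip, or None for an unknown host."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)


def flow_allowed(src_ip, dst_ip, tcp_port):
    """Boundary decision: same-segment traffic passes, cross-segment needs an entry."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # hosts outside every known segment are denied
    return src == dst or (src, dst, tcp_port) in ALLOWED_FLOWS


class RoleRegistry:
    """One role per user: enrolling a new role removes the previous one."""

    def __init__(self):
        self._role = {}

    def assign(self, user, role):
        if role not in ROLE_SEGMENTS:
            raise ValueError(f"unknown role: {role}")
        previous = self._role.get(user)
        self._role[user] = role  # replaces, never accumulates
        return previous

    def may_administer(self, user, segment):
        role = self._role.get(user)
        return role is not None and segment in ROLE_SEGMENTS[role]


def denied_flows(flows):
    """Return the flows a boundary firewall enforcing this policy would drop."""
    return [f for f in flows if not flow_allowed(*f)]
```

With this policy a host in the vendor segment can reach the corporate segment only on the one listed port and cannot reach the Point of Service segment at all, which is the containment the segregation paragraph describes.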
Conclusion:
The report has succeeded in providing a detailed study of the Home Depot data security breach and the JPMorgan Chase hack. The primary reason for both cases is the compromise of effective measures for protecting sensitive data, both in the vendor-specific environment and at the network layer. However, the report has provided feasible solutions to prevent further data leakage and security attacks.
References
Ahmed, M., Litchfield, A. T., & Ahmed, S. (2014). A Generalized Threat Taxonomy for Cloud Computing. ACIS.
Andress, J. (2014). The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Armin, J., Foti, P., & Cremonini, M. (2015, August). 0-Day Vulnerabilities and Cybercrime. In Availability, Reliability and Security (ARES), 2015 10th International Conference on (pp. 711-718). IEEE.
Banjo, S. (2016). Home Depot Hackers Exposed 53 Million Email Addresses. WSJ. Retrieved 4 June 2016, from https://www.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
Beck, J. M., & Swensen, C. L. (2015). U.S. Patent No. 8,973,122. Washington, DC: U.S. Patent and Trademark Office.
Brenner, J., & Lindsay, J. R. (2015). Correspondence: Debating the Chinese Cyber Threat. International Security, 40(1), 191-195.
Burke, J., Gasti, P., Nathan, N., & Tsudik, G. (2013, April). Securing instrumented environments over content-centric networking: the case of lighting control and NDN. In Computer Communications Workshops (INFOCOM WKSHPS), 2013 IEEE Conference on (pp. 394-398). IEEE.
Elovici, Y., & Altshuler, Y. (2013). Introduction to Security and Privacy in Social Networks (pp. 1-6). Springer New York.
Glass, R., & Callahan, S. (2014). The big data-driven business: how to use big data to win customers, beat competitors, and boost profits. John Wiley & Sons.
Kamiya, K., Aoki, K., Nakata, K., Sato, T., Kurakami, H., & Tanikawa, M. (2015, August). The method of detecting malware-infected hosts analyzing firewall and proxy logs. In Information and Telecommunication Technologies (APSITT), 2015 10th Asia-Pacific Symposium on (pp. 1-3). IEEE.
Kaur, R., & Singh, M. (2014). Automatic evaluation and signature generation technique for thwarting zero-day attacks. In Recent Trends in Computer Networks and Distributed Systems Security (pp. 298-309). Springer Berlin Heidelberg.
Kim, D., Achan, C., Baek, J., & Fisher, P. S. (2013, June). Implementation of framework to identify potential phishing websites. In Intelligence and Security Informatics (ISI), 2013 IEEE International Conference on (pp. 268-268). IEEE.
Nordstrom, C., & Carlson, L. (2014). Cyber Shadows: Power, Crime, and Hacking Everyone. ACTA Publications.
Sans.org, S. (2016). Home Depot Data Breach. Sans.org. Retrieved 4 June 2016, from https://www.sans.org/reading-room/whitepapers/dlp/data-breach-preparation-35812
Sans.org, S. (2016). Sans.org. Retrieved 4 June 2016, from https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822
Silver-Greenberg, J., Goldstein, M., & Perlroth, N. (2016). JPMorgan Chase Hacking Affects 76 Million Households. DealBook. Retrieved 4 June 2016, from https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/?_r=0
Virvilis, N., Gritzalis, D., & Apostolopoulos, T. (2013, December). Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game?. In Ubiquitous Intelligence and Computing, 2013 IEEE 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC) (pp. 396-403). IEEE.