The Wall Street Journal's article entitled, "Target Hackers Used Stolen Vendor Credentials", provides an in-depth look at the infamous breach of Target's IT security that resulted in the theft of 40 million card numbers from Target customers. Paul Ziobro's collaborative piece with Danny Yadron and Charles Levinson explains that sophisticated hackers stole electronic credentials and tapped into the retailer's interconnected system and navigated their way towards valuable financial information. Given the high-profile status of Target and the relevance of IT in modern business operations, companies across the world are now on advance notice regarding the importance of maintaining top-quality IT protection.
While the article does not disclose exactly how the credentials were taken, the story does reveal that hackers are targeting specific vendors and skimming for various financial payment data. Given the fact that investigators now have a stronger sense of the hackers' plans, perhaps companies can begin to make security adjustments specific to these types of attacks. To be more specific, it appears that hackers are inclined to target "low-level employees or outside contractors" ("Target Hackers Used Stolen Vendor Credentials" Paul Ziobro) before working towards the desired financial data, so why not initiate IT security education for the employees that are at the greatest risk? If the commonly breached IT areas are given more attention, then hackers will have to look for a more difficult entry into any company's network. A high-scale security attack such as the one detailed in the article is bound to reveal some potential steps towards preventing a repeat occurrence, and major companies like Target should take some proactive efforts to make it increasingly difficult for hackers to break in.
Target may be the most recognizable company to face a heavy cyber attack, but they are by no means the first company to fall victim to an IT security breach. The article lists "Bashas, an Arizona supermarket, Sprout's Farmer's Market, and Zaxby's Franchising Inc." (Ziobro) as three companies that experienced major attacks in early 2013. The point that the authors tried to make by detailing these instances is that no company is totally safe from the risk of IT infiltration from malicious hackers. Unfortunately, smaller companies likely do not have the resources to implement as advanced of an IT protection program as Target, but this should not serve as an excuse. Cyber attacks have far-reaching damages that go beyond the physical company that experienced the direct attack, and every business with IT operations should have an opportunity to protect itself from hackers. In light of the increased prevalence of hackings, the widespread implementation of a cyber attack awareness program could spread the word and even provide some funding for companies that cannot afford sufficient protection. These crimes tap into the personal information of every consumer, and the time is now for appropriate efforts to take shape and ensure the privacy of shoppers and protect all payment data within stores across the world.
Unfortunately, awareness of economic and personal threats does not catch the public eye until a popular company like Target falls victim. Despite this reality, the world of IT security now has an opportunity to move forward and kick-start new efforts that will prevent future attacks such as the ones highlighted in this article. In the ever-growing world of Information Systems, the risk of losing valuable data increases significantly every day, but a collaborative and cognizant effort to prevent these attacks will serve to benefit many people involved in the world of consumerism.
Ziobro, Paul. "Target Hackers Used Stolen Vendor Credentials." Wall Street Journal. 29 Jan. 2014.
Sunday, February 2, 2014
New York's Worry About Database Security
In February 2013, New York started on a database project with a non-profit technology organization, inBloom, to create a statewide database system that stores student information in the cloud. The project is expected to go live by March 2014. The mission of the system is to improve education technology. Features of the system include the ability to track student progress, personalize instruction, and provide easy parental access. For example, by applying this database, parents will have greater and easier interaction with their children’s academic career, and the schools will also be able to identify students who are in danger of not graduating. However, this innovative gesture faces unsatisfied parents, who refuse to use the system due to concerns about information security and privacy.
Before addressing the public concerns, we should understand the reason for using a database system. Database systems tolerate high flexibility in an environment of growing data; they also allow users to manipulate and extract desired queries while operating at a lower cost compared to traditional systems. In short, users are able to perform data analysis on massive data sets in an efficient and less expensive way. In this case, the database will be serving education purposes – the portal “offers educators, students and their families the ability – for the first time – to view and verify information and data,” said Ken Wagner, associate state education commissioner (New York Parents Furious at Program, InBloom, That Compiles Private Student Information for Companies That Contract with It to Create Teaching Tools).
Although a database system sounds like the “way to go,” it has its downfalls, such as vulnerable information security. Since a database contains a large quantity of data, it becomes a key target for cybercriminals to attack and plunder data. A related article (The Top Ten Most Common Database Security Vulnerabilities – Charlie Osborne) addressed the common issues of database security. From the article, we can analyze the details of a database and gain insights about the security concerns. The top ten vulnerabilities include:
1. Deployment Failures
A common problem of databases is the lack of care at the moment of data deployment. Many databases are tested for their proper function, but few are tested for things they should not do.
2. Broken Database
The SQL Slammer worm of 2003 was able to infect thousands of vulnerable database systems within minutes. The worm was able to take advantage of a bug that was found in Microsoft’s SQL database software system. Few businesses installed a fix for the bug. As a result, the worm damaged 90 percent of the databases. However, due to the lack of time or resources, many businesses today still do not regularly patch their systems.
3. Data Leak
Many businesses consider the database to be back-end software that is secure from Internet threats, and therefore do not encrypt and secure the system. However, a database contains a networking interface, through which hackers are able to make their attempts.
4. Stolen Database Backups
Although external factors are a major threat to businesses, internal factors such as theft are also a common cause of information leaks.
5. The Abuse of Database Features
Research shows that over the past three years, every database exploit has been based on the misuse of a standard database feature. For example, a hacker can gain access through legitimate credentials before forcing the service to run arbitrary code.
6. A Lack of Segregation
By distributing administrator and user powers, as well as duties, internal fraud or theft becomes more difficult.
7. Hopscotch
Rather than gaining complete access to a database in the first stage, cybercriminals often play a game of Hopscotch – finding a weakness inside the infrastructure that can be used as leverage for more serious attacks until reaching the back-end database system.
8. SQL Injections
Applications are attacked by injections of unclean variables and malicious code, which are inserted into strings and passed to an instance of SQL server for parsing and execution.
9. Sub-standard Key Management
Research found many encryption keys are stored on company disk drives. Leaving these important keys in an unprotected state can leave systems vulnerable to attack.
10. Data Inconsistencies
Inconsistencies are a common thread that brings all vulnerabilities together. It is an administrative problem rather than a database technology problem.
These are the ten most common database vulnerabilities. However, I believe there are actions that can prevent these problems. Businesses can develop a consistent practice to look after database systems for vulnerabilities and threats. Actions such as documentation and automation tracking can improve and ensure the security of the information contained within the system. In addition, applying limitation, distribution, and segregation of powers to both internal administrators and external users will also prevent threats. Although the process may be costly, the outcome is also rewarding. If enterprises can commit to resolving these database issues, I believe we can see more success in the New York and inBloom project.
On the other hand, information privacy may be another crucial factor that comes between the project and its success. Which businesses will be granted access to the student information, and for what purpose? How much of the individuals’ information will they be granted? This is a discussion we can expect to learn more about in the future, and it is currently being addressed by the parents and their lawyers.
Works Cited
Chapman, Ben, and Corrine Lestch. "New York Parents Furious at Program, InBloom, That Compiles Private Student Information for Companies That Contract with It to Create Teaching Tools." NY Daily News. New York Daily News, 13 Mar. 2013. Web. 01 Feb. 2014. <http://www.nydailynews.com/new-york/student-data-compiling-system-outrages-article-1.1287990>.
Lane, Adrian. "What Is Big Data?" Dark Reading. Dark Reading, 07 Dec. 2012. Web. 01 Feb. 2014. <http://www.darkreading.com/views/what-is-big-data/240144074>.
Osborne, Charlie. "The Top Ten Most Common Database Security Vulnerabilities." ZDNet. Zero Day, 26 June 2013. Web. 01 Feb. 2014. <http://www.zdnet.com/the-top-ten-most-common-database-security-vulnerabilities-7000017320/>.
Walsh, George M. "NY Parents, Districts Worry about Database Privacy." The Wall Street Journal. Dow Jones & Company, 15 Dec. 2013. Web. 01 Feb. 2014. <http://online.wsj.com/article/AP13ee0bb213b542be859cec885b1ab857.html?KEYWORDS=database>.
Target Hacker
The article, Target Hackers Used Stolen Vendor Credentials[1], provides an update as to the circumstances surrounding the cyber attack on Target’s POS that compromised the credit & debit card information. The current findings indicate that Target’s security was breached through the use of a vendor’s stolen electronic credentials.
The initial finding was that malware was introduced into Target’s systems that allowed it to store and later transmit the account numbers and security codes of the various credit cards and debit cards used over a period of time. It was originally speculated that the malware was introduced by enticing an employee to download a file or open a link that provided a gateway into Target’s secure system. However, this latest information introduces another source of vulnerability where secured systems are made available to outside vendors. Although outside vendor access may be limited to select databases or tables within a given database, the ability to remotely access a secure system may be sufficient to introduce malware and allow the malware to navigate itself to various areas of the system, and allow it to locate and transmit sensitive data.
The malware found in Target’s system has been traced to a generic malware that is being sold on the open market for approximately $2,000 per copy[2]. The source code is then modified by the buyer to customize it for their specific needs and introduced in the target system. This generic malware has been linked with other cyber attacks in various other companies within the United States. It seems that the U.S. is being targeted primarily due to the use of the archaic magnetic strips that retain the account number and security codes that are revealed during the swiping/authorization process. European and Asian countries utilize embedded chips that provide a higher degree of encryption that makes it more difficult to acquire.
It seems that credit card/debit card companies such as Visa and MasterCard, along with the various vendors such as supermarkets and other stores, are placing costs ahead of security, since the technology does exist and has been proven to be a more viable secured system than the magnetic strip technology. However, the capital cost necessary to convert all the existing credit cards and debit cards to the embedded chip technology, along with the need to either retrofit or replace the existing card readers within the various stores that accept these cards, will be a major task that will likely cost the industry millions of dollars, if not billions. It is unlikely that Visa and MasterCard will be willing to forego profits to ensure that better security becomes available to its users. The likelihood for change will occur only if there will be a greater cost to the industry through liability lawsuits or if there are legislative changes that will require these changes to be effected in the short run.
http://online.wsj.com/news/articles/SB10001424052702303973704579350722480135220
http://online.wsj.com/news/articles/SB10001424052702304856504579337151250298262
Cloud Security Risks
According to Reuters, Larry Ellison, CEO of Oracle Corp, recently addressed the concerns individuals have been having regarding the security of business customers’ private data. Edward Snowden, a former NSA contractor, revealed a PRISM surveillance program had been in operation by the NSA since 2007. These revelations confirmed a fear held by many individuals, a fear that the government could access data stored on any U.S. server. Oracle “and other major Silicon Valley companies are increasingly offering Internet-based business service…in a trend known as cloud computing” (Randewich 1). This cloud computing can save companies a great deal of money, as companies no longer have to maintain “there own servers and other IT infrastructure” (Randewich 1). Analysts say that these concerns regarding government involvement in privacy, however, may cost technology vendors “billion of dollars in lost sales” (Randewich 1). David Litchfield reassured individuals of the safety of Oracle’s product, stating “an Oracle database hasn’t been broken into for a couple of decades by anybody” (Randewich 1).
There are numerous benefits of utilizing cloud computing. Utilizing a cloud to store information is cost efficient, relieves companies of unnecessary hardware, and accessing and backing up information can be done with incredible ease. The advantages of cloud computing are apparent; however, the question companies must begin to ask themselves is whether or not these advantages outweigh the noticeable threat to information. The reality is that clouds are not secure enough to hold the sensitive data being stored in them from possible hackers, especially from government agencies.
If the NSA can access data stored on any cloud, it is highly likely that other, foreign governmental agencies possess the same capabilities with regards to accessing data within a cloud. While utilizing hardware to store information may be more expensive, outdated, less accessible, and overall more of a hassle than clouds, one thing is certain; data stored in hardware is secure, due to its lack of accessibility. If one were to extract data from hardware, one would have to physically be at the storage location, creating difficulties for those attempting to acquire information. A cloud, conversely, may be accessed by anyone with an Internet connection; therefore, an individual anywhere in the world may extract one’s data.
Reverting back to hardware is clearly not a viable solution to this dilemma; however, companies must find new means of securing their cloud computing software, for the sake of maintaining profits and securing valuable information. Oracle CEO spoke of Oracle’s security due to the fact that David Litchfield, an established security expert, stated that hackers gained access to Oracle systems “regularly” (Randewich 1). Oracle must now focus on improving security of their cloud computing systems in order to remain competitive in the market. A means by which companies such as Oracle may improve security of their clouds is to implement scanning and encryption procedures. By initially scanning information in the cloud, companies can detect and take action to solidify information by encrypting information deemed incredibly important. Encrypting important information will provide an additional layer of security should a hacker enter a cloud. In addition, a company can encrypt information as it is being sent to the cloud, in order to prevent an individual from intercepting data on its way to the cloud. Scanning and encrypting information will not eliminate security risks entirely from a cloud; however, these measures would reduce security risks considerably.
Saturday, January 11, 2014
Class Blog
Welcome everyone to the IS353 Spring 2014 class blog at Loyola University. Some of you have blogged in other classes so you know the process. Everything that you write here can be read by everyone in the world - not just the class. The goal of this blog is to provide a collaborative forum for students (and those outside the class who share an interest in this subject) to share stories and insights regarding the world of information systems. All blogs are a work-in-progress and the information on this website is no different. Over the course of the next few weeks, students will be posting items of interest to the blog. This could be news reports or other items of interest that speak directly to how companies are using data or to data management issues. If you have any doubts as to whether the article you want to blog about is relevant, please speak with me ahead of time. Students are expected to pay close attention to what their peers have posted on the blog and to make comments on what they read. The use of this blog will hopefully prove to be a valuable learning tool for everyone in the class. By sharing our knowledge with one another through an open and interactive forum, we can learn much more both individually and as a class. Please ensure that whatever materials you post to the blog are appropriately cited. If you find an article on the web which you would like to bring to our attention, please post the exact URL with reference to where the article has come from.
Thanks everyone - let the blogging commence!
D. Harris.