Information Security


 


Introduction


In order for organisations and agencies to combat cyber crimes such as hacking and virus spreading, many programs are being installed. These programs are used to safeguard the network systems of these companies from unscrupulous acts. In this modern time, the corporate world, including banks, production companies, and Information Technology companies, depends greatly on computers and internet programs to assist and expedite daily operations. However beneficial they may be to the current times, speeding up transactions from hours to split-second intervals and providing comfort and easy-to-use features, computers and the internet are also vulnerable to abuse by unscrupulous conmen. People being so unfamiliar with data and computer security is one reason why fraud and security leaks occur.


Because of this, top corporations and agencies are now hell-bent on fortifying security counter-measures in order to prevent and combat these dilemmas. Time matters in finding solutions to hinder these kinds of anomalous activities. One of the solutions created by governments was the implementation of laws and legislation concerning cybercrimes.


Take, for example, the huge computer-hacking incidents in the world today. Citibank, SunTrust, credit unions and community banks, and America’s financial institutions are scrambling to deal with the largest recognized case of debit-card fraud to date. A huge hacking incident took place in 2006 that led to losses of millions of dollars for the companies mentioned. The nation’s banks have quietly tried to contain the problem by closing hundreds of thousands of debit-card accounts and giving customers new cards, account numbers and PINs (Burnett, 2006). Furthermore, confidential information is being passed around because of the lack of tough security measures among government agencies and corporate companies. Bank of America suffered in the same way with the loss of its government worker data, compounded by ChoicePoint’s “data leaks” in April, not to mention the Troj/BankAsh-A virus, a Trojan that stole bank account passwords (Bielski, 2005). In response to such events, and in order to prevent them in the ESCWA region, policies and legislation were created to prevent information hacking and increase the security of data. For instance, in Dubai, federal and local laws have generally accepted electronic proof of documents and declared the validity of e-contracts. Law No. 2 of 2002 (Dubai) provides for the formation and validity of e-contracts. In the area of e-signatures, the Law provides that an e-signature stands as a written signature with identical evidential power when the signature complies with the authentication conditions mentioned in the Law.


Not only that, the Information Technology we have is also vulnerable to different computer viruses, whether intentionally or unintentionally made. One of the most astounding computer viruses that swept around the globe, across the country and into Hampton Roads was the virus slyly titled “ILOVEYOU”. Suspected of originating in the Philippines, the nefarious e-mail message staggered electronic communications, with effects ranging from minor inconvenience to a complete halt of e-mail systems and the destruction of audio and graphic files (Lewis, 2000). The virus was reported to have cost America billions of dollars. Following this event, the Council of Europe created several measures to prevent a recurrence. It initiated the so-called Convention on Cybercrime (Budapest, 23.XI.2001). This convention aims to battle cybercrime head-on. The convention was convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation.



Discussions


The application of information technology (IT) in organizations is a tremendous success; its role in maintaining competitive advantage has already been discussed earlier. IT can be either a product or service provided by the company, or a part of the organizational support for a product or service. Companies using IT as a product or service pursue it in order to remain competitive (Heide, 1992).


But, as established earlier, the joy of having Information Technology help in our daily tasks has also been tarnished and endangered by malicious acts carried out by equally malicious people. Thus security among institutions, public and private, is needed.


Security can be defined as the condition of being free from peril and not open to harm from catastrophes or assaults, or as the process for achieving that desirable state (Bosworth & Kabay, n.d.). It is indeed one of the major concerns in Information Technology nowadays. A lack of security undermines the integrity of data, which has a direct impact on the organization itself. Virtual businesses require that proper and adequate security systems be in place to ensure that threats can be brought down to a minimum.


Moreover, computer security simply conforms to the procedure of denying unauthorized persons access to information, whereas a total security strategy matches the need-to-know constraints of a user to the secrecy of the information he or she is permitted to access (Crawford, 1992).


According to Bosworth & Kabay (n.d.), computer security is broken down into different components, namely physical and environmental security, personal security, operations security, communications security, and network security. Physical and environmental security deals with the protection of the physical items, objects or areas of an organization from unauthorized access and/or damage, misuse, and interference to business grounds and information.


Personal security, on the other hand, is more about the protection of the individual or group of individuals who are permitted to have access to the organization and its functions. Operations security focuses on the security of a certain operation or chain of actions. Communications security addresses the defense of an organization’s communications technology, media, and content.


Network security, in turn, is the security of the elements, links, contents, systems, and hardware that are used to store and transmit information. Misuse of technology by hackers as well as employees has presented a threat to financial institutions from the earliest days of computers. In his 1989 book The Cuckoo’s Egg, Cliff Stoll, formerly an astrophysicist/systems manager at the Lawrence Berkeley Laboratory in California, describes how, in tracking down a 75-cent irregularity in an accounting program, he ended up fighting an international group of spies who were cracking computer systems across the United States. (The group exploited the program’s system of rounding dollars to deposit small amounts from numerous accounts into a private account, which over time added up to big money in the account set up to receive the rounded cents.) (Spivey, 2001).


In Europe, different ways and means have been implemented by different organizations to counter anomalous activities and also to respond to the Council of Europe legislation concerning “Offences against the confidentiality, integrity and availability of computer data and systems”. Organizations have put stringent measures into their computer systems to prevent hackers from entering, and they have installed anti-virus programs to fortify the “wall” of the system they use against viruses and, again, against hackers.


It is inevitable, as well, that some bank or other organization personnel need high-level access to the network by the nature of their work, since they will be the ones operating it. Thus institutions must know very well the firms they hire as well as the backgrounds of the individuals who will handle the job (Spivey, 2001).


With regard to the accounting systems of every firm, there should be a system of checks and balances to protect against hacking attacks. For instance, banks use a dual control system similar to the one they use in money handling, teaming up a contractor with an internal employee. The two work together, but the company employee is responsible for reviewing and remaining aware of what the contractor is doing.



Password Policy


Banks, government offices, and the private sector often have stringent measures when it comes to passwords for their vaults, computers, and online records. One of these policies is that sharing passwords is a security risk. At the Albert Einstein Cancer Center, the administration made it a point that users who share passwords will have their accounts disabled. Storing passwords in a file on any computer system (including Palm Pilots or similar devices) without encryption is absolutely disallowed, as is using the same passwords for AECOM accounts as for other access, or using the “remember password” feature of applications (e.g. Eudora, Outlook, and Netscape Messenger) (Password Policy, n.d.).


Furthermore, at the same institute, employee passwords are truncated at eight (8) characters, and an acceptable password has at least seven (7) characters: shorter passwords are easier to guess, longer passwords are harder to guess. It must contain five alpha-numeric characters, since repeated characters can form palindromes and reduce the search space. An acceptable password has characters from at least three (3) different character sorts (lower case, upper case, digits, punctuation, etc.), because a password drawn from a rich character set is not easy to crack, as the search space is extremely large.


Also, an acceptable password at the institute must not contain an alphabetic series longer than three (3) characters, the aim being to make sure that dictionary words are avoided, nor a digit series longer than two (2) characters, since long digit series reduce the search space; and a few characters will cause trouble if used in a password, the “delete” character being one of the evident ones. Passwords should not be any of the following: dictionary terminology (including foreign and technical dictionaries), anyone’s or anything’s name, a place, a proper noun, a pattern of letters on the keyboard, a phone number, any of the above reversed or concatenated, and any of the above with digits prepended or appended. A potential method for selecting a good password is to create an acronym, for example gPanth2c, which is hard to guess. As a rule of thumb, no one should write down a password, since someone might discover it. For access codes inside a bank, passwords and access codes are changed daily, for example the authorization codes employees use to gain access to their tasks. A bank might use the four seasons of the year and the current day’s date: if today were the tenth of May, the code would be Summer 10.
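As an added example, not code from the page or from the Albert Einstein Cancer Center, the following Python checker encodes the password rules just listed, evaluating them on the first eight characters exactly as a system that truncates at eight would. The reading of the “five characters” rule as five distinct characters, the keyboard-row list, the control-character set and the small word list are assumptions constructed for the example.

```python
import string

# Constructed stand-in for the dictionary words, names and places the policy bans.
BANNED_WORDS = {"password", "summer", "einstein", "orange", "bank", "login", "secret"}
# Rows used to spot "patterns of letters on keyboards" (assumed US layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

TRUNCATE_AT = 8     # the system only looks at the first eight characters
MIN_LENGTH = 7      # an acceptable password has at least seven
MIN_DISTINCT = 5    # reading of the "five characters, no repeats" rule (assumption)
MIN_CLASSES = 3     # of lower case, upper case, digits, punctuation
MAX_ALPHA_RUN = 3   # no alphabetic series longer than three
MAX_DIGIT_RUN = 2   # no digit series longer than two
# "Characters that cause trouble": the page names delete; other control chars are an assumption.
TROUBLE_CHARS = {chr(0x7F)} | {chr(c) for c in range(0x20)}

def _char_classes(pw):
    """Count how many of the four character classes the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

def _longest_run(pw, predicate):
    """Length of the longest run of consecutive characters satisfying predicate."""
    best = cur = 0
    for c in pw:
        cur = cur + 1 if predicate(c) else 0
        best = max(best, cur)
    return best

def _is_banned_word(pw):
    """Banned word, reversed, or two banned words concatenated, ignoring digits prepended/appended."""
    core = pw.strip(string.digits).lower()
    if core in BANNED_WORDS or core[::-1] in BANNED_WORDS:
        return True
    return any(core[:i] in BANNED_WORDS and core[i:] in BANNED_WORDS for i in range(1, len(core)))

def _has_keyboard_pattern(pw, length=4):
    """True if any 4-character fragment walks along a keyboard row in either direction."""
    low = pw.lower()
    frags = {low[i:i + length] for i in range(len(low) - length + 1)}
    return any(f in row or f in row[::-1] for f in frags for row in KEYBOARD_ROWS)

def check_password(candidate):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    pw = candidate[:TRUNCATE_AT]  # everything past the eighth character is ignored
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("too_short")
    if len(set(pw)) < MIN_DISTINCT:
        violations.append("too_few_distinct")
    if _char_classes(pw) < MIN_CLASSES:
        violations.append("too_few_classes")
    if _longest_run(pw, str.isalpha) > MAX_ALPHA_RUN:
        violations.append("alpha_run")
    if _longest_run(pw, str.isdigit) > MAX_DIGIT_RUN:
        violations.append("digit_run")
    if any(c in TROUBLE_CHARS for c in pw):
        violations.append("trouble_char")
    if _has_keyboard_pattern(pw):
        violations.append("keyboard_pattern")
    if _is_banned_word(pw):
        violations.append("dictionary")
    return violations
```

Note that because the check runs on the truncated form, a long password whose strength lives in characters nine and beyond gains nothing, and the page’s seasonal bank code “Summer10” fails both the alphabetic-run and the dictionary rules.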


Moreover, reusable, or static, passwords offer weak security. To address that problem, banks are turning to dynamic passwords, which are created by a user token and verified using an algorithm synchronized with a central computer server. The user’s token generates a password that can only be used within a one-minute span. If this password were stolen by someone looking over a coworker’s shoulder or monitoring the system electronically, the network would not be at risk, because the password’s usefulness would expire before it could be used by the thief (Spivey, 2001). From this illustration, the Albert Einstein Cancer Center was in effect following the provisions of the Convention on Cybercrime (Budapest, 23.XI.2001).


 


Internet access policy


As for the internet access policy, banks like Citigroup Private Bank use “cookies”. A “cookie” is a tiny piece of information that a web site stores on the web browser of a PC and can later retrieve. These cookies are used for a number of administrative purposes, including storing the client’s choices for certain types of information. No cookie, however, will be set by the website on the web browser that contains information that could allow any third party to contact the client via telephone, email, or postal mail. There is relevant legislation that can be applied in this case, i.e. Article 10 of the Convention on Cybercrime (Budapest, 23.XI.2001), which concerns offences related to infringements of copyright and related rights.


According to Citibank’s privacy and security guidelines, the methods of protecting online security are strong encryption; securing the user name and password (the client’s preferred user name and password for the client website, which must be entered every time the client signs in to the Private Bank site); automatic “time-out” (when there is no activity for 15 minutes, the session is terminated to help protect against unauthorized access); and client-driven authentication questions (with questions about the web site, the bank must first confirm the client’s identity on the phone before discussing his account information).


 


Other methods to combat fraud and malicious assaults are encryption, firewalls, authentication, and dial-back, among others. Encryption is used by most banks to ensure the security of data during transmission and transactions. It is used for in-house protection as well as for online banking services. Not only financial information but also account information is encrypted while being stored and in transit (Spivey, 2001). Encryption involves translating data into secret code, in such a way that only the computer with the key can decipher it. For the most part, computer encryption systems are either symmetric-key encryption or public-key encryption (Plant Engineering, 2002).


Authentication, on the other hand, is another data security process used by different agencies to confirm that information comes from a reliable source. This is very important, especially in banks, in order to know that a message comes from the authorized correspondent and that no other data is being disclosed to a culprit. It involves adding an extra field to a record, with the contents of this field derived from the remainder of the record by applying an algorithm that has previously been agreed between the senders and recipients of the data. Encryption and authentication work hand-in-hand to produce a protected environment. Verification can be completed using passwords, passcards, or digital signatures (Plant Engineering, 2002). The digital signature standard (DSS) is based on a form of public-key encryption system that uses the digital signature algorithm (DSA).
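Both the dynamic password scheme described under the password policy above (a user token and a central server computing the same one-minute code) and the “extra field derived from the remainder of the record” described here can be built on a keyed hash. The Python below is an added example, not code from any of the cited banks or sources; the HMAC-SHA256 construction, the six-digit truncation, the shared secrets and the record values are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

STEP_SECONDS = 60   # the page's one-minute validity span
TOKEN_DIGITS = 6

# Constructed shared secrets; a real deployment provisions these out of band.
TOKEN_SEED = b"constructed-token-seed-0001"
RECORD_KEY = b"constructed-record-key-0001"

def dynamic_password(seed, now):
    """Code the user's token shows for the one-minute window containing time `now`."""
    window = int(now) // STEP_SECONDS           # the counter both sides synchronize on
    mac = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation in the style of RFC 4226
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** TOKEN_DIGITS:0{TOKEN_DIGITS}d}"

def server_verify(seed, submitted, now, skew_windows=0):
    """Server side: recompute the code for the current window (optionally +/- clock drift)."""
    for delta in range(-skew_windows, skew_windows + 1):
        expected = dynamic_password(seed, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False   # a code captured in an earlier window no longer matches

def add_auth_field(record, key):
    """Append the 'extra field' derived from the rest of the record with the agreed algorithm."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return {**record, "auth": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_auth_field(record, key):
    """Recompute the field from the remainder of the record; an altered field or wrong key fails."""
    tag = record.get("auth")
    if tag is None:
        return False
    rest = {k: v for k, v in record.items() if k != "auth"}
    body = json.dumps(rest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag)

if __name__ == "__main__":
    now = 1_700_000_000                          # constructed timestamp
    code = dynamic_password(TOKEN_SEED, now)
    print("code", code, "valid now:", server_verify(TOKEN_SEED, code, now),
          "valid a minute later:", server_verify(TOKEN_SEED, code, now + STEP_SECONDS))
    signed = add_auth_field({"account": "12345678", "amount": "250.00"}, RECORD_KEY)
    tampered = {**signed, "amount": "2500.00"}
    print("record ok:", verify_auth_field(signed, RECORD_KEY),
          "tampered ok:", verify_auth_field(tampered, RECORD_KEY))
```

The server only ever recomputes, never stores, the code, so shoulder-surfing a token yields a value that stops verifying at the next window boundary; the record field likewise fails verification if any field changes or the recipient holds a different key.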


As for firewalls, they are used by some big organizations to prevent unwelcome intrusions into company systems. A firewall is an instrumental component in helping to formulate secure corporate communications. It can be furnished with parameters to make sure that repeated attacks built around the same code cannot succeed, so it is a useful damage-limitation tool (Communicate, 2000). Alternatively, the company could install a Virtual Private Network. A VPN is a private network that is privately owned and used, meaning it is a network that is not open to the public. Most office networks are private networks. As a company grows, it might expand into several countries. The main drawback with a VPN, however, is that it runs over a public network, which raises the question of data security. To solve the problem, security measures such as encrypting the data are used to protect the integrity and security of the data transferred from one office to another.


Furthermore, dial-back is a security measure that operates by requiring the person wanting to contact the system to dial into it and identify themselves first. The system then dials the person back on their authorized number before allowing them access.


As for the troubles of spam and virus infection in computers, many antivirus programs and hardware have been developed by top corporations to combat viruses. They search for evidence of a virus program (by checking for appearances or behavior that are characteristic of computer viruses), isolate infected files, and remove viruses from a computer’s software. Other techniques to combat viruses and hackers are adware/spyware scanners. Spam e-mail, pop-up ads, worms and viruses make computing irritating enough at times, and “spyware” is a problem that is not new but gains notoriety and attention as the use of free, downloadable software increases. Spyware and “adware” describe software that ends up on a computer, perhaps without the user’s knowledge, that can track where the user goes online and report the trends back to a company or advertiser; in this way, the user’s routine on his PC is recorded. Another way is to disable unnecessary services. Especially when online, it often happens that a site you visit asks you to install a program so you can continue surfing. It might be a virus-infected program, so it is better not to install it. The more online services a computer connects to, the wider the chance of “catching” different viruses.


 


 


Evaluation


There is always a problem regarding security, and more so in computers. Now that computers play a bigger part in today’s technology, their role in the advancement of humanity is increasing, but as their role increases, their vulnerability is constantly tested. Attacks like hacking, spamming, viruses, and other malicious occurrences grow too. Thus the need for heightened cybercrime-related laws should be considered by different nations around the globe.


Vigilance among agencies, together with knowledge of computer security, is what makes it possible to combat these threats. Without them, even though programs and software like anti-spyware scanners, firewalls, and encryption are there, hackers would always find a way to break into the system to sow destruction and, in a way, rob truckloads of cash. Employees in banks, financial firms, and security agencies, among others, have to be well trained in security.


Banks must continue to develop new methods for fighting cybercrime as the threat evolves. For example, cooperation between Internet service providers (ISPs) and financial institutions needs to increase. In this way there are more ways to combat hackers, and the parties can exchange information about methods. Also, e-commerce products created by financial institutions are not typically thoroughly tested for security hazards within the institution’s computer environment, a situation that will change as financial losses, as well as blows to banks’ reputations, encourage them to strengthen security systems worldwide.


 


Conclusion


Information Technology has come a long way. Before, computers were not so advantageous. Now, “advantageous” would be an understatement to describe the benefits of information technology like computers and the internet. It is now a necessity. Banks could no longer operate without computers nowadays.


And just as information technology has come a long way, the threats of destroying it and taking advantage of this brilliant work have come a long way also. No longer does a hacker just peep at someone else’s data and information; they can sabotage a plethora of banks and earn millions overnight.


And so, stringent measures are taken to combat these unscrupulous people and the malicious programs that sabotage the systems of today’s top corporations. Password policies are being implemented, anti-virus and anti-hacking programs are being installed, and other stringent ways and means are being put in place.


But even if a company invented the most powerful tool to safeguard its system from anomalous occurrences, without vigilance on its part, hackers and virus programs would always find a way to break through that system. It is the continuous vigilance of today’s computer security that will prevent, if not solve, these cyber crimes.




References:

Bielski, L. (2005). Security breaches hitting home: Phishing, information leaks keep security concerns at red alert (Bank of America’s data leak). ABA Banking Journal. Michigan: Gale Group.

Bosworth, S. & Kabay, M. E. (n.d.). Computer Security Handbook, pp. 1-2.

Burnett, R. (2006). Banks move to limit losses from security breach. Orlando Sentinel, Orlando, FL. Michigan: Gale Group.

Communicate (2000). Assembling a line of defence (Computer firewalls and network security).

Crawford, P. (1992). Locking up open systems. Security Management, Vol. 36. Michigan: Gale Group.

Heide, D. (1992). Information technology and the new environment: Developing and sustaining competitive advantage. SAM Advanced Management Journal. Michigan: Gale Group.

Lewis, K. (2000). Bug infests world’s email: “ILOVEYOU” virus disrupts computers, causes billions in damage. The Virginian-Pilot. Michigan: Gale Group.

Password Policy (n.d.). Albert Einstein Cancer Center. Accessed February 18, 2010, from http://www.aecom.yu.edu/cancer/new/cis/passwd_policy.htm

Plant Engineering (2002). How encryption works: Adapted from HowStuffWorks. Michigan: Gale Group.

Spivey, J. (2001). Bank vault into online risk. Security Management, Vol. 45. Michigan: Gale Group.

Credit:ivythesis.typepad.com

