Data breaches have always been a sensitive topic, and all the more so when the breached data belongs to a bank. Recently a breach was discovered in the online banking system of one of First Union Bank's competitors, in which the attacker stole large quantities of customers' personal information. The incident has been an alarm for every bank and a reminder to society as a whole of the damage a data breach can cause.
The Chief Information Officer of First Union Bank is aware of how much it would cost the bank if no measures were taken to prevent a similar attack, so he has requested a security plan from the IT Department. The plan aims to protect First Union Bank from this type of incident, in which the attack targets the database. With it, the bank can protect customers' personal information and the database as far as possible, and it can also help the bank to minimize losses.
Background:
The Security Policy of First Union Bank is inadequate in terms of intrusion prevention and detection, and the bank's steering committee has issued instructions to address this.
Later, a compromise was found in the critical system used for nightly ACH funds transfers. Some of the normal transfer files are missing, and when the bank's most trusted administrator logs into this application, which authenticates with Kerberos, the system identifies him as a user without his normal write privileges. Since the application itself has been broken into, the Kerberos credentials it relies on can no longer be fully trusted: an attacker who has compromised the host may have captured the service's keys or tickets. Solutions must be implemented to establish that Kerberos has not been, and will not again be, compromised.
There is another aspect of the attack. LoanWrite, a loan-origination application that runs on the iPad tablets used by the bank's loan officers, has also been compromised. All of the loan officers have had their data and their access to the application stolen by the attackers.
Plan:
Initially, it is necessary to show why the Bank Security Policy is inadequate. First, it specifies a timeout value of a minimum of 15 minutes before systems log the user out and require a new login. Fifteen minutes is too long for an automatic logout. If a user has left a system idle for more than five minutes, the user is usually working with other resources; keeping the session open once the work is done is not safe, because an unattended, authenticated session gives an attacker a window in which to break into the system.
When employees want to share computer-resident data, they should not use electronic mail, groupware databases, public directories on local area network servers, or the other mechanisms the policy recommends. Malware that has already entered the system often takes much longer to discover than people realize; once an employee forwards an infected file, the chance that other users are infected rises sharply. Data transferred by e-mail or similar mechanisms can also be intercepted by an attacker, exposing the bank to data loss.
One provision of the policy says that First Union Bank may purge e-mail messages for technical reasons, and that the bank has the right to delete or retain any or all electronic files, including the e-mail of a former First Union Bank employee, meaning one who is no longer employed by the bank. This provision is dangerous in two ways: it gives an attacker an opportunity to destroy the evidence of an intrusion, and it makes the intrusion hard to trace afterwards.
The policy also mentions appropriate reporting, including the reporting of abuse, policy violations and suspicious activities. Although it assigns responsibility for reporting, it does not cover the other tasks of security incident management. The defined routines should, for example, include measures to prevent repetition as one way of minimizing damage. It is the CIO's responsibility to ensure that routines are in place to define the cost of security incidents. Appropriate reporting should also include a method for collecting evidence of the incident.
Finally, the policy lacks a continuity plan: a plan for continuity and contingencies that covers critical and essential information.
The continuity systems and the infrastructure that supports continuity work must also exist. The continuity plan should be based on risk assessments focusing on operational risks, and to ensure its adequacy it should be tested regularly so that management and employees understand how it is carried out.
To keep information assets secure and protected, the best approach is an integrated database security solution that is non-disruptive to existing software and databases, is easy to install and use, and provides extensive management reporting and audit trails, all without degrading responsiveness to users. Therefore, to secure the system as far as possible and close its security holes, the IT department will check all four layers: network, application, operating system and database.
According to Bhasker (2013), a web environment has four layers that need to be protected: the network level, the application level, the operating system level and the database level.
Attackers can attack a web environment at each level independently, so the security issues at each level must be addressed. As an additional and important measure, it is essential to keep all applications in use updated and to harden the web and database servers (p. 253).
As the 2013 Data Breach Investigations Report notes, “all kinds of organizations — from government agencies to iconic consumer brands, internet startups to trusted financial institutions — have reported major data breaches in the last year.” Beyond these, attacks that target commercial organizations are becoming more and more common.
One may wonder why attackers choose such targets. The 2013 Data Breach Investigations Report finds that almost 75% of attacks are opportunistic, meaning they were not aimed at a specific organization or company, and that the large majority of them are financially motivated.
As for who the attackers are most likely to be, there are three types: activists, criminals, and spies.
Even though activists still use fairly basic methods, recent years have seen a number of notable and widely publicized successes for them, and their attacks tend to be opportunistic. When they attack commercial organizations, they aim to embarrass their victims and to maximize the disruption to their business. The Target and Neiman Marcus breaches of late 2013 were widely publicized, but they were payment card thefts by financially motivated criminals rather than activist operations; they nonetheless show how much disruption and embarrassment a breach causes.
Take Target as an example. On December 19th, 2013, Target reported that customer payment data had been stolen, including the credit and debit card information of 40 million customers who had shopped between November 27th and December 15th at Target's 1,797 retail stores in the United States. Customers' personal identification numbers were also stolen, in encrypted form. As the investigation continued, Target later said the number of people affected by the breach had risen to 70 million (Cheng, 2013).
The breach inflicted heavy losses on Target's revenue: compared with the same period the previous year, Target's transaction volume dropped 3% to 4% in the week before Christmas. It was also a terrible blow to Target's reputation. After the breach, Target's customer-perception score fell from negative 16 to negative 23, meaning that 23% more shoppers held a negative image of the brand than held a positive one (Cheng, 2013). Whatever the attackers' motive, the case shows the kind of damage the report has in mind when it says of activists that “Their aim is to maximize disruption and embarrassment to their victims” (2013 Data Breach Investigations Report, 2013).
Spies are often state-sponsored. They use the most sophisticated approaches to maximize the damage to the target, and they usually have a clear goal, which may be intellectual property, financial data or, most importantly, insider information. Because they are hired or supported by a state, they are persistent: success is demanded of them (2013 Data Breach Investigations Report, 2013).
The last type of attacker is the criminal. Criminals are typically motivated by financial gain, and because the profit matters to them, they are more careful and sophisticated in valuing and selecting targets and often use more complex techniques than activists. Once they have gained access to a system, they steal any data that has financial value and is easy for them to exploit (2013 Data Breach Investigations Report, 2013).
There is also a significant chance that the attacker is a former employee. The 2013 Data Breach Investigations Report (2013) finds that over half of the insiders committing misuse were former employees taking advantage of the access methods they used while employed, or of backdoors that had not been disabled.
Although some industries are more likely to be attacked than others, the likelihood of an espionage attack remains relatively low; about 33% of espionage attacks were aimed at the manufacturing, professional services and transportation industries (2013 Data Breach Investigations Report, 2013).
In the case of First Union Bank, we can infer the attackers' intent from the consequences the attack has had, or could have, for the bank. The systems broken into were the nightly ACH funds transfer system and LoanWrite, so the bank's sensitive financial data and customers' private personal information appear to have been the main targets. That pattern points to financially motivated criminals rather than to activists, although the missing transfer files and the tampering with the administrator's privileges show that the attacker was also willing to disrupt operations.
As the 2013 Data Breach Investigations Report notes, “the majority of financially motivated incidents we looked at originated in the US or Eastern Europe — particularly Romania, Bulgaria and the Russian Federation.” There is therefore a good chance that this attack originated in one of those regions.
The biggest threat is that the attacker has already taken down two important bank systems and stolen the loan officers' data and application access, and can therefore keep attacking other bank systems and stealing far more information. This could paralyse the bank completely and shut down all of its business. Moreover, the consequences go beyond financial loss: they also damage the bank's image and the reputation it has worked so hard to build and maintain.
One might ask why it takes so long to produce remedies and recovery measures for an attack that happened so long ago. The reason is that most attacks take much longer to discover than we expect: 62% of the breaches in the 2013 report took months to discover, and 4% took years (2013 Data Breach Investigations Report, 2013). In this bank breach, if the attacker has obtained customers' personal information such as card numbers and card security codes, the attacker can use those cards illegally. At that point the breach may become easier to discover, because the attack affects customers directly and causes them losses; the customers then become the ones who discover the breach and report it to the bank.
In the other cases in the 2013 Data Breach Investigations Report, an external party spotted 69% of breaches and customers spotted only 9%; a further 10% of breaches were spotted by users (2013 Data Breach Investigations Report, 2013).
In its last section, the 2013 Data Breach Investigations Report offers a number of recommendations, with which I partly agree.
I agree with the following: Perform regular checks to ensure that essential controls are met. Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness. Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices. Evaluate the threat landscape to prioritize a treatment strategy. Don't buy into a “one-size-fits-all” approach to security. Don't underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal (2013 Data Breach Investigations Report, 2013). All of the above could help the bank to be fully prepared for an attack, and moreover they provide workable solutions for dealing with breaches.
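The time-to-discovery figures quoted above (62% of breaches taking months, external parties spotting 69%) and the report's recommendation to measure “number of compromised systems” and “mean time to detection” are only useful to the bank if it computes the same numbers from its own incident records. The following is an added example, not code from the essay or from the Verizon report: it defines a minimal incident record, computes mean and median days to detection, places each incident on a coarse hours/days/weeks/months/years scale like the report's, and breaks down who discovered each breach. The system names, dates and discovery sources are constructed for illustration and are not First Union data.

```python
"""Time-to-detection and discovery-source metrics from incident records.

Added example for the security plan; the incident records below are
constructed for illustration and do not describe real First Union incidents.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean, median

# Coarse time-to-discovery scale, in the order the report presents it.
BUCKETS = ("same day", "days", "weeks", "months", "years")


@dataclass(frozen=True)
class Incident:
    name: str
    compromised: date        # earliest evidence of unauthorized access
    discovered: date         # date the bank learned of the breach
    discovered_by: str       # external party, customer, internal user, internal control
    compromised_systems: int


# Constructed sample records (hypothetical systems and dates).
INCIDENTS = [
    Incident("ACH transfer host", date(2013, 3, 2), date(2013, 7, 15), "internal user", 1),
    Incident("LoanWrite tablets", date(2013, 6, 10), date(2013, 7, 20), "customer", 12),
    Incident("Teller workstation malware", date(2013, 8, 5), date(2013, 8, 6), "external party", 3),
    Incident("Web banking SQL injection", date(2012, 1, 15), date(2013, 9, 1), "external party", 2),
    Incident("Phished loan officer mailbox", date(2013, 9, 10), date(2013, 9, 12), "internal user", 1),
    Incident("Former admin backdoor account", date(2013, 4, 1), date(2013, 10, 1), "internal control", 4),
    Incident("Card data skimmed at ATM", date(2013, 10, 20), date(2013, 11, 25), "customer", 1),
    Incident("DNS server reconnaissance", date(2013, 11, 30), date(2013, 11, 30), "external party", 1),
]


def days_to_detect(incident: Incident) -> int:
    """Whole days between first compromise and discovery."""
    return (incident.discovered - incident.compromised).days


def detection_bucket(days: int) -> str:
    """Map a detection delay onto the same-day/days/weeks/months/years scale."""
    if days < 1:
        return "same day"
    if days < 7:
        return "days"
    if days < 30:
        return "weeks"
    if days < 365:
        return "months"
    return "years"


def _shares(counts: Counter, total: int, keys) -> dict:
    """Percentage of `total` falling in each key, one decimal place."""
    return {k: round(100.0 * counts.get(k, 0) / total, 1) for k in keys}


def detection_metrics(incidents) -> dict:
    """Headline numbers the report suggests tracking over time."""
    days = [days_to_detect(i) for i in incidents]
    return {
        "incidents": len(incidents),
        "compromised_systems": sum(i.compromised_systems for i in incidents),
        "mean_days_to_detect": mean(days),
        "median_days_to_detect": median(days),
    }


def time_to_detect_shares(incidents) -> dict:
    """Share of incidents in each time-to-discovery bucket (zero buckets included)."""
    counts = Counter(detection_bucket(days_to_detect(i)) for i in incidents)
    return _shares(counts, len(incidents), BUCKETS)


def discovery_source_shares(incidents) -> dict:
    """Share of incidents first spotted by each kind of party."""
    counts = Counter(i.discovered_by for i in incidents)
    return _shares(counts, len(incidents), sorted(counts))


def share_taking_months_or_longer(incidents) -> float:
    """The figure comparable to the report's '62% took months' statistic."""
    shares = time_to_detect_shares(incidents)
    return round(shares["months"] + shares["years"], 1)


if __name__ == "__main__":
    print(detection_metrics(INCIDENTS))
    print(time_to_detect_shares(INCIDENTS))
    print(discovery_source_shares(INCIDENTS))
    print("months or longer:", share_taking_months_or_longer(INCIDENTS), "%")
```

The mean is pulled up by the one breach that went undetected for over a year, so the median is usually the more honest headline figure; tracking both, together with the share of breaches first reported by customers or outsiders rather than by the bank's own controls, is what lets the CIO show whether the plan is improving detection.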
However, I disagree with the following:
Eliminate unnecessary data; keep tabs on what's left.
It is hard to define the term “unnecessary data”. Attackers could take advantage of what has been eliminated: data that seems useless to the bank could be something an attacker exploits to attack the bank's security system.
Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
The process of sharing must be protected and secured; otherwise it could be dangerous and might cause data loss to the bank.
Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
A blend of people, processes, and technology might be efficient, but it is also dangerous. It is not hard to see that the whole process is difficult to supervise and conduct; once a small act of negligence takes place, the whole system is in danger, and it is hard to trace which process and which technology the problem occurred in.
References:
Bhasker, B. (2013). Electronic Commerce: Framework, Technologies and Applications (4th ed.). New York, NY: McGraw Hill Higher Education.
Cheng, A. (2013, December 30). Target's reputation takes another hit. MarketWatch, The Wall Street Journal. Retrieved from http://blogs.marketwatch.com/behindthestorefront/2013/12/30/targets-reputation-takes-another-hit/
Høstland, K., Enstad, P. A., Eilertsen, Ø., & Bøe, G. (2010). Information Security Policy Best Practice Document. UNINETT led working group on security. Retrieved from http://www.terena.org/activities/campus-bp/pdf/gn3-na3-t4-ufs126.pdf
Stamp, M. (2011). Information Security: Principles and Practice (2nd ed.). Hoboken, NJ: Wiley.
Target Corporation Annual Report (2012). United States Securities and Exchange Commission. Retrieved from http://www.sec.gov/Archives/edgar/data/27419/000104746912002714/a2207838z10-k.htm
The 2013 Data Breach Investigations Report (2013). Verizon Enterprise Solutions. Retrieved from http://www.verizonenterprise.com/DBIR/2013/