Principle of Information Security Case Study of PeopleSharz

Question: Discuss about thePrinciple of Information Securityfor Case Study of PeopleSharz. Answer: Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees adherence to information security policies: An exploratory field study.Information management,51(2), pp.217-224. Introduction The report depicts the problems that has been raised in an organization namely as PeopleSharz, an internet startup company, founded in the year of 2012. In order to develop its position in the competitive marketplace the organization is willing to adopt different business strategies. During analysis it has been found that the website of the company was attacked by the external hackers and the confidential data from the storage area are shared publically. In order to achieve financial stability PeopleSharz has started to analyze the technical problems of the organization. The background of the organization and related problems will be illustrated in this report. The reason behind hacking and dependencies and the critical success factors to the job will also be demonstrated in this report. Background and the Problem Analysis PeopleSharz, an Internet startup company founded in the year of 2012 and the founders of the company are Peter Tweet and Mark Bukerzerg. On 21st April, 2016 the website of the organization was hacked by the hackers and in a teleconference the shared data by the hackers are analyzed and found to be real. From the teleconference the organization came to know that the shared data are similar to the confidential data stored in the database of the organization. The hackers were successful to steal the data from the storage (Rodrigues et al. 2013). Due to this reason the security statement established by PeopleSharz is facing several questionnaires. The main reason behind the hacking was lack of data security or improper usage of encryption keys. The data stored in the database of PeopleSharz used public symmetric key for data encryption but the key was shared key and thus it become easier for the hackers to use the shared key (Fernandes et al. 2014). In order to decrypt the data hackers easily used the shared key. Improper data encryption was the major reason of data hacking. Cryptography is referred to as one of the major area of concern for every organization to maintain the security of the data. Nowadays, the networks used by different organizations are taking global form and information stored in the database is becoming digital (Mahajan and Sachdeva 2013). As information play the vital role, thus open communication channels and stealing of sensitive information are becoming the main target for the hackers. The modern set of cryptography provides robust technology set. However, many benefits and challenges are identified related to encryption (Deligiannidis, et al. 2013). It provides four basic services regarding information security. Encryption technique was used to secure the information and the communication from the unauthenticated users. Authentication is another helpful tool of encryption process which provides authentication such as MAC and digital signature. Digital signature helps to prevent spoofing, snooping and DOS attacks. In addition to this, PeopleSharz encrypted its network traffic to avoid the threat vectors. Introduction of digital signature, and cloud based platform SaaS, PaaS, IaaS to enhance the level of data confidentiality (Li et al. 2013). The website is required to be developed with the help of SSL/TLS. Different operational procedures are adopted to develop the data security of the system. However, PeopleSharz is a startup internet based company, thus the cost estimated or the budget of development was not enough to implement cloud based solution and digital signature process to keep the security of the data. Lack of usage of data security package is one of the major reasons behind the data hacking. The administration or top level management team of PeopleSharz was not using proper data encryption technologies. Virus attacks or malicious attacks on the system administration helped the hackers to steal confidential data from the data storage (Fernandes et al. 2014). The database management system used by the organization must have been used encryption key. By using this technology only the authenticated users access the data stored in the storage. Data disruption, deception, active attack, passive attacks are the different kinds of attacks or hacking methodologies. Analysis of the Threats During threat analysis of PeopleSharz different threats are identified and these are as follows: Malware: This is the acronym of malicious software. Malware can either be software or a virus or a worm as well. The hackers generate programming codes and transmit it through website or network to the users device (Parashar and Arora 2013). If the user access those websites or network then the virus carried out by the site will attack the stored data. Computer virus: This s referred to as virus because it can travel from e infected device to another. Dishonest people generally use this kind of programs to attack the confidential data of an organization or any personnel (Bernstein, Lange and Schwabe 2012). Virus is also capable to delete data, store data or edit data rather virus can even change the content of the data. Rogue security software: This is a special kind of advertisement that forces one user to access the link. Generally, when people uses any kind of social media it has been found that sometimes advertisement regarding popup windows opens and forces the users to click on that particular link (Ren, Wang and Wang 2012). As soon as the user clicks on that link, unwanted malicious generates and attacks the data stored in the files of the device. Crypto wall 2.0 is an incident of data hacking where the users were unable to reassess their data until or unless they provide bit coins to the hackers (Boyle 2014). Botnet: This is referred to as a group of computers connected through a single internet network. Each single device connected to the device is known as zombie computer (Chen and Zhao 2012). This kind of attackers generally attacks the devices by using email or spam. The objective of DOS attack is to bring down a website application by overloaded user request rather it can be said that sometimes it has been found that one website is requested by many users and after each access the data stored in the website can be hacked by the hackers. Trojan horse: This is referred to as software that might attack by simple operating an application or by downloading. If any device is attacked by the Trojan horse then it can do everything (Singh 2013). Different records stored in the database of an organization, can be hijacked and those data can be used by any one regardless of the location and the geographical boundary of the users. Malicious spyware: The malicious spyware is generally used to describe different Trojan applications. The cyber criminals might used this kind of spyware to hack the confidential data of whether any organization or any individual (Deligiannidis, et al. 2013). Over the internet the recorded data can send back to the cyber attackers. Whenever, the top level management team of an organization wants to monitor the workflow or any employee, and then they use this kind of spyware to track the flow of the data. Spam: This is an electronic junk mail (Mahajan and Sachdeva 2013). The users devices might get attacked by the hackers by the usage of this kind of spam. If any user tries to access the spam mal then the other mails stored in the drive of the machine can be hacked by the attackers. Rootkit: In order to achieve administration level access a computer network uses the Rootkit (Bernstein, Lange and Schwabe 2012). It is basically a collection of tools that that used to access the administration level records. This can be installed by the criminals in the users device so that they can access the data from the storage. For exploiting data from the storage this can be used by the cyber criminal or hackers. Mitigation process: In order to mitigate this issue it is recommended to PeopleSharz to adopt the best suited encryption process. The public and private keys used by the organization should have to be shared by nature so that only the authorized users can access the data whenever required (Parashar and Arora 2013). However, it can be said that, they are needed to adopt cloud based technology to resolve or fix the issues of Botnets and Trojan Horses. Additionally, the strong configuration and restricted connectivity is required to be adopted to improve and enhance the efficiency level of data protection. Dependencies and Critical Success Factors to the Job In order to develop the efficiency of an organization, an organization is required to depend on the stakeholders of the organization. The users and employees of an organization are interviewed to collect different sorts of information associated to the security breaches. Host: It can be said that if the reasons of data breaches are the host providers then they are responsible for this process (Boyle 2014). Nevertheless, if the host providers are not the actual responsible person, then also they will suffer due to the violence occurred. Administration: They are the top level management team of PeopleSharz. The board of directors are also part if the administration. It is necessary for them to be aware of all the legal rules and regulations regarding privacy and security (Chen and Zhao 2012). Due to hacking massive part of PeopleSharz are affected very badly. The data stored in the database management system of the organization are hacked and publically released. Improper application of encryption key is another reason thus the administration is also responsible for the attack. Consumers: The consumers of the product of PeopleSharz are affected very badly. The attackers not only attacked the confidential data rather they shared it (Kumari and Chawla 2015). The consumers are facing technology based challenges as the hacked data are financial and personnel by nature. Employees: The employees working for PeopleSharz are mostly responsible because they were not aware of the technical terms regarding data security (Singh 2013). The rules and regulations needed to be followed by each and every employees working for the company to keep the data security. Recommendations In order to improve the security management process for PeopleSharz, certain recommendations are needed to implement. These are as follows: Secured data transition: PeopleSharz is a start up internet based company, and it needed to provide security to data during transaction from host to client. As the current system does not possess proper data security thus they must focus on transmission time data privacy. Proper encryption tools: In order to encrypt data proper encryption tools are needed t be implemented. The system does not possess all the tools thus; PeopleSharz should adopt required algorithms of data encryption. Cloud based management: Cloud based management system is needed to be implemented as it is cost effective and secured by nature. Service oriented network virtualization towards convergence of networking and cloud computing should support the SOA architecture. Secured architecture: The architecture of PeopleSharz is needed to be secured enough so that unauthorized users cannot hack the data from the data storage easily. Conclusion From the overall discussion it can be concluded that, PeopleSharz has not maintained all the rules and regulations that are needed to be implemented to keep the data security. Different wrong things involved in the system, are identified and the mitigation process regard that is also mentioned in this report. The hackers hacked all the confidential data from the database of PeopleSharz and almost all the associated people such as employees, administration, clients and host providers are found to be responsible and affected by the attacks. Moreover, in order to mitigate the problems or in order to improve the security management process, certain mitigations are also mentioned in this report. References: Bernstein, D.J., Lange, T. and Schwabe, P., 2012, October. The security impact of a new cryptographic library. InInternational Conference on Cryptology and Information Security in Latin America(pp. 159-176). Springer Berlin Heidelberg. Boyle, M., 2014. Information Assurance Standards: A Cornerstone for Cyber Defense.Warfare,13, pp.8-18. Chen, D. and Zhao, H., 2012, March. Data security and privacy protection issues in cloud computing. InComputer Science and Electronics Engineering (ICCSEE), 2012 International Conference on(Vol. 1, pp. 647-651). IEEE. Deligiannidis, L., Wiseman, C., Yun, M. and Arabnia, H.R., 2013. Security Projects for Systems and Networking Professionals.Emerging Trends in ICT Security, p.111. Deshmukh, D., Pasha, A. and Qureshi, D., 2013. Transparent Data Encryption--Solution for Security of Database Contents.arXiv preprint arXiv:1303.0418. Fernandes, D.A., Soares, L.F., Gomes, J.V., Freire, M.M. and Incio, P.R., 2014. Security issues in cloud environments: a survey.International Journal of Information Security,13(2), pp.113-170. Kumari, S. and Chawla, J., 2015. Comparative Analysis on Different Parameters of Encryption Algorithms for Information Security. Li, M., Yu, S., Zheng, Y., Ren, K. and Lou, W., 2013. Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption.IEEE transactions on parallel and distributed systems,24(1), pp.131-143. Mahajan, P. and Sachdeva, A., 2013. A study of Encryption algorithms AES, DES and RSA for security.Global Journal of Computer Science and Technology,13(15). Mohamed, E.M., Abdelkader, H.S. and El-Etriby, S., 2012, May. Enhanced data security model for cloud computing. InInformatics and Systems (INFOS), 2012 8th International Conference on(pp. CC-12). IEEE. Nafi, K.W., Kar, T.S., Hoque, S.A. and Hashem, M.M.A., 2013. A newer user authentication, file encryption and distributed server based cloud computing security architecture.arXiv preprint arXiv:1303.0598. Parashar, A. and Arora, R., 2013. Secure user data in cloud computing using encryption algorithms.International journal of engineering research and applications,3, pp.1922-1926. Ren, K., Wang, C. and Wang, Q., 2012. Security challenges for the public cloud.IEEE Internet Computing,16(1), p.69. Rodrigues, J.J., de la Torre, I., Fernndez, G. and Lpez-Coronado, M., 2013. Analysis of the security and privacy requirements of cloud-based electronic health records systems.Journal of medical Internet research,15(8), p.e186. Singh, G., 2013. A study of encryption algorithms (RSA, DES, 3DES and AES) for information security.International Journal of Computer Applications,67(19).