Discussion paper with 2 responses
Learning Objectives and Outcomes
Analyze the given case study on the security breach.
Recommend controls to avoid an enterprise security breach.
Assignment Requirements:
1) Read the attached document and address the following:
2) Using what you have learned about security breaches, describe what measures should have been taken by the educational service and test preparation provider to avoid the security breach mentioned in the text sheet.
Local Breach of Sensitive Online Data
The EducationS Review, a fictional company, is hit with a data breach that is making headlines. The Olianas-based educational service and test preparation provider inadvertently exposed files of at least 100,000 students in various parts of the country through its Web site. News of the breach was made public on Tuesday morning by a report in the local newspaper.
The files were exposed after the company switched Internet service providers earlier this year. The sensitive information, which included personal data such as names, birth dates, ethnicities, and learning disabilities, as well as test performance, was easily accessed through a simple Web search and was available for at least seven weeks, according to the report. None of the information was password protected, and it was intended to be viewed only by EducationS authors.
EducationS officials told the local newspaper that access to the information was shut down immediately after the company was informed about the problem. “This brings up two big questions,” said Alex Graham, a senior technology consultant with information technology (IT) security and control firm Lizos. “Are companies doing enough to protect their data? Also, do companies really need to keep all this kind of data?” A competing test preparation firm discovered the flaw. The competitor contacted the local newspaper with the story, according to Alex, who said the way events played out points to the high stakes now involved in a data breach. If companies have not heard this before, it is a huge reminder that security is important not just for the company's customers, but for the company's reputation as well.
While the publishing of birth dates may not seem like a massive leak, Alex said the information is a good stepping-stone for someone who is attempting to steal an identity. This is the second time in a month that a public breach has involved birth dates. A glitch in a test version of the social networking site Facebook inadvertently exposed the birthdays of its 80 million members last month. Alex discovered the bug while checking Facebook's new design. He noticed that the birth dates of some of his privacy-obsessed acquaintances were popping up when they should have been hidden. The fact that the people affected by this latest breach were children adds to the general background radiation about the security, or lack thereof, of people's data on the Web.
2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
Post 1: The text about the security breach experienced at the EducationS Review online illustrates how people's information may be vulnerable if not properly protected. The following steps should be taken to avoid future security breaches.
Train workers: Employees should be educated and trained regarding cyber-security and how to respond to potential security problems. This adds more trained personnel to the organization's overall security. Therefore, the company should invest in continuous training and frequent security checks to avoid security breaches.
Strong password enforcement: There should be strong passwords and scheduled password changes after 3-6 months in all systems. This may seem trivial, but it is a vital step towards enhancing security.
Data protection: All data should be protected by storing it in the cloud, where no unauthorized parties can access it. There should also be other forms of access controls to prevent people from accessing data easily, since easy access increases security breaches (“6 Cheap Ways to Ensure Your Cyber Security”, 2020). All systems containing sensitive data should be accessed only by close company members and employees to avoid data insecurity.
Data and device encryption: Devices without encryption are more vulnerable and prone to different attacks. The company should ensure cyber-security by using antivirus software, installing firewalls, and using whole-disk encryption.
Manage data acquisition: The company should be cautious while collecting and recording sensitive information. Privacy should be prioritized to avoid any data leakage.
Patch vulnerabilities: The company should avoid using outdated software and ignoring vulnerabilities, because doing so gives cybercriminals an easier way to access the systems and tamper with data.
Breach recovery plan: The company should have a plan to respond effectively and quickly to any potential breach in order to reduce damages.
Reference
6 Cheap Ways to Ensure Your Cyber Security. (2020). Retrieved 9 September 2020, from https://www.wisebread.com/6-cheap-ways-to-ensure-your-cyber-security
Post 2: Data Security
Data breaches are becoming more common and an increasing concern for organizations. According to Cyber Observer, organizations globally will be spending 6 trillion dollars annually (Cyber Observer, 2020). Data is an asset, and unauthorized access or a cyber attack can lead to severe consequences both for the victims and for the organization. Organizations, therefore, have to strive to ensure that data maintains its triad properties of confidentiality, integrity and availability (CIA). Organizations also have to ensure that they follow both state and federal policies to safeguard their data, to avoid suffering reputational damage, damage to their infrastructure, financial loss in communicating with the affected individuals, and legal challenges, as these could jeopardize their operations. The data breach faced by EducationS Review is an example of why organizations need to follow and implement robust measures to avoid recurring cases of cyber breaches.
In this case, 100,000 students' data were exposed. However, it is necessary to understand the measures that were missing in this case in order to enhance the security of the data. In a peer discussion, we were able to identify that there were inadequate first-layer access controls and laxity within the organization. In my view, the organization did not conduct any privacy impact assessment even after switching the Internet service provider; for instance, the threat was realized only after an extended period of more than seven weeks (Case Study, 2014). Holding such sensitive information should have mandated the organization to conduct a PIA, which would have allowed them to identify the risks posed to personal data. This approach would have allowed them to implement authentication measures, that is, user passwords, which were a lacking feature in this case.
In our discussion, one of the peers was advocating for encryption mechanisms. This approach is useful in that it is often not possible to rule out a data breach despite employing a robust security infrastructure. This approach will ensure that, even if the attacker accesses the resources, he or she cannot make any sense of them or utilize them in other activities such as identity theft (Cheng, Liu & Yao, 2017). In support of this idea, he raised the concern of social engineering: despite implementing access control measures, the users were at risk of being duped and thus allowing the adversaries to gain login credentials and deliver their payload to the systems. However, in this case, I am opposed to it because various simple things were overlooked by the organization and ought to be prioritized. The information was supposed to be viewed by the authors only, which means issues surrounding access control have to be addressed. For instance, why would information meant to be utilized only by EducationS become accessible to everyone through a simple web search? In my view, setting the authentication mechanisms to be role-based could avert the problem. EducationS, being a competitive organization, has partners and other stakeholders who help them in conducting various roles. Also, it has employees assigned to multiple tasks. In this case, the implementation of Role-Based Access Control would have solved the problem. This is because this approach authorizes one to gain access to data based on their role (Lesson 3, 2015). For instance, the authors would be granted access based on their job description, while others could access only the data they need to use and deliver their services. This policy would have satisfied the access control principles in that it would have separated responsibilities, allowed users to access only what they need to know, and provided only the required privileges.
References
Case Study. (2014). Local Breach of Sensitive Online Data. Jones & Bartlett Learning.
Cheng, L., Liu, F., & Yao, D. (2017). Enterprise data breach: causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), e1211. doi: 10.1002/widm.1211
Cyber Observer. (2020). Retrieved 11 September 2020, from https://www.cyber-observer.com/cyber-news-29-statistics-for-2020-cyber-observer/#:~:text=The%20damage%20related%20to%20cybercrime,2021%2C%20according%20to%20Cybersecurity%20Ventures.
Lesson 3. (2015). Access Control, Authentication, and Public Key Infrastructure [pdf]. Jones & Bartlett Learning.
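The role-based model the second post argues for, written out as an added example (not code from either post or the case study): an unauthenticated web visitor resolves to a role with no grants, authors see the whole record, and a need-to-know role sees only the fields it needs. Account names, roles and the sample record are constructed.

```python
# Added example: minimal role-based access control for the "authors only" student
# files in the case study. All names, roles and the record below are constructed.

# Constructed sample record covering the data categories the case study lists.
STUDENT_RECORD = {
    "student_id": "S-0001",
    "name": "Constructed Student",
    "birth_date": "2008-04-12",
    "ethnicity": "constructed",
    "learning_disability": "constructed",
    "test_score": 87,
}

# RBAC: users are assigned roles; permissions attach to roles, never to users.
USER_ROLES = {"author01": "author", "tutor01": "tutor"}  # hypothetical accounts

# Role -> set of (action, field) grants. "*" means the whole record.
# Anything not listed is denied, so an unauthenticated web visitor gets nothing.
ROLE_PERMISSIONS = {
    "author": {("read", "*")},
    "tutor": {("read", "student_id"), ("read", "test_score")},  # need-to-know subset
    "anonymous": set(),
}


def resolve_role(session_user):
    """Map a session to a role; no session (a bare web-search hit) is 'anonymous'."""
    if session_user is None:
        return "anonymous"
    return USER_ROLES.get(session_user, "anonymous")  # unknown account -> least privilege


def authorize(role, action, record):
    """Return the fields of `record` the role may see, or None when access is denied."""
    grants = ROLE_PERMISSIONS.get(role, set())  # unknown role -> default deny
    if (action, "*") in grants:
        return dict(record)
    allowed_fields = {fld for act, fld in grants if act == action}
    if not allowed_fields:
        return None
    return {k: v for k, v in record.items() if k in allowed_fields}


def serve_record(session_user, record=STUDENT_RECORD):
    """Simulate the web layer: resolve the role, then authorize before returning data."""
    return authorize(resolve_role(session_user), "read", record)
```

The case's failure mode is the `serve_record(None)` path: a file reachable from a search engine with no session must resolve to a role that is granted nothing.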