
Module 5

Uploaded by

Aiswarya Lal
Copyright
© © All Rights Reserved

System Vulnerability and Abuse

When data are stored in digital form, they are more vulnerable than when they exist in
manual form.

Security refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems.

Controls consist of all the methods, policies, and organizational procedures that ensure
the safety of the organization's assets; the accuracy and reliability of its accounting
records; and operational adherence to management standards.

Threats to computerized information systems include hardware and software failure;
user errors; physical disasters such as fire or power failure; theft of data, services, and
equipment; unauthorized use of data; and telecommunications disruptions. On-line
systems and telecommunications are especially vulnerable because data and files can be
immediately and directly accessed through computer terminals or at points in the
telecommunications network.

CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES


The architecture of a Web-based application typically includes a Web client, a server,
and corporate information systems linked to databases. Each of these components
presents security challenges and vulnerabilities. Floods, fires, power failures, and other
electrical problems can cause disruptions at any point in the network.

The Internet poses additional problems because it was explicitly designed to be easily
accessed by people on different computer systems. Information traveling over
unsecured media can be intercepted and misused. Fixed IP addresses serve as fixed
targets for hackers, and Internet software has become a means for introducing viruses
and malicious software to otherwise secure networks.

Wireless networks are even more vulnerable because radio frequency bands are easy to
scan. LANs that use the Wi-Fi (802.11b) standard can be easily penetrated by outsiders
with laptops, wireless cards, external antennae, and freeware hacking software. Service
set identifiers (SSID) identifying access points in a Wi-Fi network are broadcast multiple
times and can be picked up fairly easily by sniffer programs. In war driving,
eavesdroppers drive by buildings or park outside and try to intercept wireless network
traffic. The initial security standard developed for Wi-Fi, called Wired Equivalent
Privacy (WEP), is not very effective. WEP is built into all standard 802.11 products, but
users must turn it on, and many neglect to do so, leaving many access points
unprotected.

WI-FI SECURITY CHALLENGES

Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to
obtain an address to access the resources of a network without authorization.

Malicious software, or malware, includes threats such as computer viruses and worms,
and Trojan horses. A computer virus is rogue software that attaches itself to other
programs or data files in order to be executed, and may be highly destructive to files,
computer memory, and hard drives. Viruses are typically designed to spread from
computer to computer through e-mail attachments or copied files.

Worms are independent computer programs that copy themselves to computers over a
network independently from other computer programs or files, and therefore spread
more rapidly. A Trojan horse is an apparently benign program that actually performs
some hidden action such as installing malicious code or compromising the security of a
computer.

Spyware can also act as malicious software by obtaining information about users'
buying habits and infringing on privacy. Keyloggers record keystrokes made on a
computer to steal serial numbers for software and passwords.

A hacker is an individual who intends to gain unauthorized access to a computer
system. The term cracker is typically used for hackers with criminal intent. Hackers
spoof, or misrepresent themselves, by using fake e-mail addresses or masquerading as
someone else. Hacker activities include:

• Theft of goods and services
• System damage
• Cyber vandalism: The intentional disruption, defacement, or even destruction of
a Web site or corporate information system.
• Spoofing: Hiding of the hackers' true identities or e-mail addresses, or redirecting
a Web link to a different Web site that benefits the hacker.
• Theft of proprietary information: A sniffer is an eavesdropping program that
monitors network information and can enable hackers to steal proprietary
information transmitted over the network.
• Denial of service (DoS) attacks: Flooding a network or server with thousands of
false communications to crash or disrupt the network.
• A distributed denial-of-service (DDoS) attack uses hundreds or even thousands
of computers to inundate and overwhelm the network from numerous launch
points. Hackers can infect thousands of unsuspecting users' computers with
malicious software to form a botnet of resources for launching a DDoS.

In computer crime, the computer can be either the target of or the instrument of a crime.
The most economically damaging kinds of computer crime are DoS attacks, introducing
viruses, theft of services, and disruption of computer systems.

Other examples of computer crime include:

• Identity theft: In identity theft, an impostor obtains key pieces of personal
information to impersonate someone else and obtain credit, merchandise, or false
credentials.
• Phishing: Setting up fake Web sites or sending e-mail messages that appear
legitimate in order to coerce users into revealing confidential data. Other phishing
techniques include evil twins (wireless networks masquerading as legitimate
Internet hotspots, used to capture personal information) and pharming,
redirecting users to bogus Web sites posing as legitimate Web sites.

Click fraud occurs when an individual or computer program fraudulently clicks on an
online ad without any intention of learning more about the advertiser or making a
purchase. Click fraud can also be perpetrated with software programs doing the
clicking, and bot networks are often used for this purpose.

The U.S. Congress responded to the threat of computer crime in 1986 with the
Computer Fraud and Abuse Act. This act makes it illegal to access a computer system
without authorization. Most U.S. states and European nations have similar legislation.
Congress also passed the National Information Infrastructure Protection Act in 1996 to
make virus distribution and hacker attacks to disable Web sites federal crimes.

One concern is that terrorists or foreign intelligence services could exploit network or
Internet vulnerabilities to commit cyber terrorism or cyber warfare and cripple
networks controlling essential services such as electrical grids and air traffic control
systems.

The largest financial threats to businesses actually come from insiders, either through
theft and hacking or through lack of knowledge. Malicious intruders may sometimes
trick employees into revealing passwords and network access data through social
engineering. Employees can also introduce faulty data or improperly process data.

Software errors are also a threat to information systems and cause untold losses in
productivity. Hidden bugs or program code defects, unintentionally overlooked by
programmers working with thousands of lines of programming code, can cause
performance issues and security vulnerabilities. Software vendors create lines of code
called patches to repair flaws without disrupting the software's operation.

Business Values & Ethics of Security & Control

The dictionary definition of the term professional ethics is: "Rules of conduct and ethics
obligating persons engaged in liberal professions." Indeed, in the most general terms, it
can be said that professional ethics is an applied term relating to the ways these
individuals and groups operate.

However, when dealing with the issue of "professional ethics", one must first define, or
at least clarify, the term "ethics" as a term existing in its own right. This article cannot
encompass the full scope of an in-depth philosophical definition; we will confine
ourselves to a practical clarification of the term, which will comprise the foundation of
this discussion.

Ethics

The origin of the term "ethics" is in the Greek language (ethos), and its meaning: "the
doctrine of morality" or "the doctrine of qualities." This is the title of a branch of
philosophy dealing with the moral value of man's conduct and with the rules and
principles that are intended to guide it. In other words: "a set of rules determining
appropriate and desirable conduct." The manner in which an individual conducts
himself in society is characterized by behavior based on accepted standards, or by
behavior that deviates from the norms of the society he belongs to, or operates in.

With respect to relations between individuals, the phrase: "do unto others as you would
have them do unto you" reflects the entire concept of ethics in one verse.
Notwithstanding, society will generally require a broad system of "values" in order to
phrase the rules of ethics that will guide its conduct.

Ethics is a fabric woven from "qualities" and "values".

"Qualities" are the attributes guiding the conduct of an individual, as he relates to the
world surrounding him (and to himself). The discussion on "man's good qualities" is as
long as the history of humankind, and is expressed in the Bible, in the literature of
various religions, in philosophy and in general literature along the ages.

"Values" are the tools we use for phrasing; they comprise a compass of sorts for
examining moral or ethical behavior. "Values" are a "yardstick for distinguishing
between good and bad."

The most important aspect for understanding the ethical issue lies in the fact that values
exist in unison, and not separately, or individually. Simplistically, we can say that the
greater the complexity of an individual's character, the 'denser' the set of values guiding
him when confronted with a moral or ethical dilemma. Such a dilemma is also created
when his aspirations, feelings, urge and personal needs clash with values. Generally
speaking, the resolution of ethical dilemmas will be based on grading the values.

Professional Ethics in the Field of Security

The basic question at the core of the issue addressed in this article is: Does work in the
field of security qualify as a profession? Without relating to the regulatory aspect of this
issue, this question has a definite, unequivocal answer: Security is a profession, without
a doubt!

In the second half of the last century, threats of terrorism, increased violence and crime
generated the need to protect society, its organizations and assets, and the information
that is essential for its existence, as well as to enable the members of society to maintain
a normal daily routine. This need led to the development, in Israel and worldwide, of a
professional discipline that includes all the processes characterizing a profession.
Security is integrated into the activities of all the governmental systems and most of the
public and large private organizations, and plays an active role in ensuring that they are
able to fulfill their missions and goals.

In governmental sectors in some countries, including in Israel, security and security
management have been taught as professions for over three decades. They include a
common language, risk assessment standards, security systems that are adapted to the
particular characteristics and needs of the secured bodies, inspection and control
processes that are carried out and conclusions that are continuously drawn in the
interest of continual enhancement.

Uniformity is still deficient in the civilian, business and public sectors in Israel. While
some organizations have security systems that are quite effective, the effectiveness of
others leaves much to be desired, when taking into consideration the resources placed
at their disposal. We identify cases in which the level of security does not correspond to
the level of the threat, or in which the security plan is not fully compatible with the
organization's goals and/or manner of operation.

Numerous persons work in the field of security – throughout the country, in all its
organizations – be they in the governmental, public or business sectors. They should
share a common language and undergo training that will provide them with the
knowledge and tools to plan, design, establish and manage effective security systems
that will properly address the relevant threats, within the constraints of the allocated
budget and resources, and the frameworks they operate in.

An organization whose security personnel undergo training will be the first to gain
from this process: in addition to being better prepared for emergencies, it will benefit
from enhanced management and more effective utilization of its resources, and will be
able to better serve the organization's employee population and its guests and
visitors.

The first ethical rule of security should be not to employ a person who has not been
properly and officially trained, and who has not been certified. Indeed, the Security
Division of the Israel Police is presently taking action to formalize compulsory rules
governing the training of security managers.

The definition of security is: "The full range of proactive, preplanned and coordinated
activities that are carried out in a secured body with the aim of foiling attempts made
by hostile elements to plan and carry out malicious acts."

The work of a member of the security staff, and certainly that of a security manager, is
filled with ethical dilemmas resulting from the high level of friction with the various
units of the organization, from the security handling of those arriving at its gates, from
exposure to organizational and personal information, from handling irregular incidents
and suspicious persons and from the need to be vigilant and prepared to deal with any
threat, at any time.

We train security managers and senior security officers on a regular basis, and are also
frequently confronted with ethical issues, when analyzing past incidents, in discussions
and in exercises, when dealing with the reciprocal relations of the security manager and
even with the professional content relating to planning, routine activities and
emergencies.

Although the necessity to deal with ethical issues is not new, we have identified an
increasing need to develop an ethical code for security.

Role of Ethics in IT Security

The news of late has been rich with stories of security breaches and ethical lapses that
have led to criminal behavior.

Consider the case of Bradley Manning, a United States Army soldier who was arrested
and charged in July, 2010 for transferring classified data onto his personal computer
and communicating national defense information to an unauthorized source, the
notorious WikiLeaks. The leaked material included 250,000 U.S. diplomatic cables. The
U.S. military has filed 22 charges against Manning which can carry the death sentence.

Also, a former Goldman Sachs computer programmer, Sergey Aleynikov, was
convicted of stealing proprietary source code that could spot tiny discrepancies in stock
prices and helped Goldman earn hundreds of millions of dollars in 2009. Aleynikov was
sentenced in March 2011 to more than eight years in prison.

"These are criminal actions that perhaps go back to the failure of not acting on a certain
code of ethics," says Dorsey Morrow, general counsel and corporate secretary for (ISC)²,
a not-for-profit IT security training and certifying organization. "You cannot set what
is good ethical behavior in every scenario, but providing guidelines and relating
consequences can lead them to the right path."

IT security professionals are the custodians of information, says Frank Smith, CIO at
Booz Allen Hamilton, a leading IT security and management consulting firm.
"Therefore, they need to be made of the highest ethical fiber to effectively safeguard this
information and operate on decisions and judgment calls that are in the best interest of
the firm."

If a security professional fails to handle data in a manner that is expected, both the
organization and the practitioner can experience serious legal and criminal
consequences.

Ethics Defined

"Ethics have always been important in the past; it's however, the awareness of ethics
that is becoming more critical now,"

With electronic access and technological advancement, it is much easier for
professionals today to make a mistake, behave incorrectly and have their unethical
actions go viral.

These mistakes can include unprofessionally providing an incorrect opinion on
someone via Twitter or Facebook, offering incorrect information in the event of a fraud
investigation, or misusing access to the company's systems and files.

The danger with emerging technologies such as social media is that security
professionals can easily get into discussions about their work, which may divulge
confidential or non-public information. On one hand, security practitioners need to
participate in these discussions for the cause of promoting information security
management globally. And yet they have to avoid these discussions for fear of
information going viral or on record.

With technological advancement, the ability and ease to discuss vulnerabilities or
search for vulnerabilities in systems and products is high, and that makes the role of
security professionals even more complex when it comes to ethics and ethical behavior
in the workplace.

Instilling Ethics in the Workplace

Increasing incidents in the workplace have pushed organizations to either implement or
actively promote their codes of ethics, which act as a set of guideposts to help
practitioners understand expected behavior.

For example, Booz Allen Hamilton has implemented a code of ethics and training
program that highlight clear expectations of employee behavior in terms of the
organization's core values and adhered standards.

"These guidelines basically enable security professionals to recognize how they need to
act in circumstances that require an ethics decision," Smith says. For example: Someone
borrows an ID card because they forgot theirs. What could go wrong? How should
employees behave? What's the correct action to take?

This document should clearly outline expected behavior of employees based on the
values and standards of the organization. In the case of Booz Allen, these codes clearly
spell out what is acceptable employee behavior, for instance, in the event an employee
receives personally identified information from a client, or how the employee can
protect confidential client information.

"Protecting Confidential Client Information: The best way to protect client
information is to not take possession of it. Each of us must restrict receipt of client
information to only information that is reasonably necessary to propose or conduct an
engagement even if greater information access is offered. Your obligation to maintain
the confidentiality and security of client information continues not only during and
after the engagement ends, but also during and after your employment with the firm..."

"Employee Personal Data: Each of us must exercise extra caution when handling an
employee's personal data. We do not disclose current or former employee's personal
data to third parties other than confirmation of employment dates and position without
prior written consent from the employee or former employee unless the information is
required to fulfill a legitimate business need- such as employee benefits or as required
by law..."

Ethical Training

Smith also recommends organizations offer refresher courses regularly on codes of
ethics to professionals. These courses will act as a positive reminder to them that ethical
behavior is expected and mandated by the organization's culture. Other options
organizations have used:

• Scenario-Based Training: Moretti goes through scenario-based training every six
months in his multinational banking institution. The emphasis is on how
professionals need to operate and follow basic information security principles
and financial industry guidelines. For example, the training outlines a scenario of
a professional's access to sensitive data and provides guidelines to practitioners
on how they need to handle data and follow the rules of sharing, distributing
and storing this information.
• Affiliation with a Professional Association: As a manager of a security group,
Moretti prefers hiring a certified professional who has demonstrated the
capability of operating within a certain code of ethics. Professional associations
like (ISC)² and ISACA usually follow a strict code of ethics that helps security
practitioners maintain their professional standards. "If you are accredited an
information security certification, you are actively encouraged to go through
training on ethics and are also reviewed by your other peers in the industry, as a
result you build a strong ethical awareness."

Business value of Security and Control

Security and control have become a critical, although perhaps unappreciated, area of
information systems investment. The longer computer systems are down, the more
serious the consequences for the firm. With increasing reliance on the Internet and
networked systems, firms are more vulnerable than ever to disruption and harm.

Company systems often house confidential information about individuals' taxes,
financial assets, medical records, and job performance reviews. They may contain
information on corporate operations, trade secrets, new product development plans,
and marketing strategies. Inadequate security and control may also create serious legal
liability.

Businesses must protect not only their own information assets but also those of
customers, employees, and business partners. Recent U.S. government regulations
mandate the protection of data from abuse, exposure, and unauthorized access, and
include:

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which
requires members of the healthcare industry to retain patient information for six
years and ensure the confidentiality of those records
• The Gramm-Leach-Bliley Act, which requires financial institutions to ensure the
security and confidentiality of customer data
• The Sarbanes-Oxley Act, which imposes responsibility on companies and their
management to use internal controls to safeguard the accuracy and integrity of
financial information

Firms face new legal obligations for electronic records management and document
retention as well as for privacy protection. Electronic records management
(ERM) consists of policies, procedures, and tools for managing the retention,
destruction, and storage of electronic records.

Security, control, and electronic records management have become essential for
responding to legal actions. Much of the evidence today for stock fraud, embezzlement,
theft of company trade secrets, computer crime, and many civil cases is in digital form.
Legal cases today increasingly rely on evidence represented as computer data stored on
portable floppy disks, CDs, and computer hard disk drives, as well as in e-mail, instant
messages, and e-commerce transactions over the Internet. E-mail is currently the most
common type of electronic evidence.

An effective electronic document retention policy ensures that electronic documents,
e-mail, and other records are well organized, accessible, and neither retained too long nor
discarded too soon.

Computer forensics is the scientific collection, examination, authentication,
preservation, and analysis of data held on or retrieved from computer storage media in
such a way that the information can be used as evidence in a court of law. Electronic
evidence can reside on computer storage media in the form of computer files and as
ambient data, which are not visible to the average user.

Technologies and Tools for Security and Control

Various tools and technologies used to help protect against or monitor intrusion include
authentication tools, firewalls, intrusion detection systems, and antivirus and
encryption software.

Access control consists of all the policies and procedures a company uses to prevent
improper access to systems by unauthorized insiders and outsiders. Authentication
refers to the ability to know that a person is who he or she
claims to be. Access control software is designed to allow only authorized persons to
use systems or to access data using some method for authentication. New
authentication technologies include:

• Token: A physical device similar to an identification card that is designed to
prove the identity of a single user.
• Smart card: A device about the size of a credit card that contains a chip formatted
with access permission and other data.
• Biometric authentication: Compares a person's unique characteristics, such as
fingerprints, face, or retinal image, against a stored set profile.

A firewall is a combination of hardware and software that controls the flow of incoming
and outgoing network traffic and prevents unauthorized communication into and out
of the network. The firewall identifies names, Internet Protocol (IP) addresses,
applications, and other characteristics of incoming traffic. It checks this information
against the access rules programmed into the system by the network administrator.
There are a number of firewall screening technologies:

• Packet filtering examines fields in the headers of data packets flowing between
the network and the Internet, examining individual packets in isolation.
• Stateful inspection determines whether packets are part of an ongoing dialogue
between a sender and a receiver.
• Network Address Translation (NAT) conceals the IP addresses of the
organization's internal host computer(s) to protect against sniffer programs
outside the firewall.
• Application proxy filtering examines the application content of packets. A proxy
server stops data packets originating outside the organization, inspects them,
and passes a proxy to the other side of the firewall. If a user outside the company
wants to communicate with a user inside the organization, the outside user first
"talks" to the proxy application and the proxy application communicates with the
firm's internal computer.

A CORPORATE FIREWALL

The firewall is placed between the firm’s private network and the public Internet or
another distrusted network to protect against unauthorized traffic.
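
The difference between packet filtering and stateful inspection described above, shown as an added example that is not part of the original notes. The rule set, the documentation-range addresses and the packet trace are all constructed for illustration; the same trace is run through both screening methods so the decisions can be compared packet by packet.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving the private network, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags carried in the header

def pkt(direction, src, sport, dst, dport, *flags):
    return Packet(direction, src, sport, dst, dport, frozenset(flags))

# Assumed policy: internal hosts may open Web connections; nothing may be opened from outside.
ALLOWED_OUTBOUND_PORTS = {80, 443}

def packet_filter(p):
    """Packet filtering: judge each packet in isolation, from header fields only."""
    if p.direction == "out":
        return p.dport in ALLOWED_OUTBOUND_PORTS
    # Inbound: the filter has no memory, so it can only accept what *looks* like a reply:
    # source port of an allowed service and the ACK flag set.
    return p.sport in ALLOWED_OUTBOUND_PORTS and "ACK" in p.flags

class StatefulFirewall:
    """Stateful inspection: accept a packet only if it belongs to a tracked dialogue."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def inspect(self, p):
        if p.direction == "out":
            if p.dport not in ALLOWED_OUTBOUND_PORTS:
                return False
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.connections.add(key)          # an inside host starts a dialogue
        else:
            key = (p.dst, p.dport, p.src, p.sport)
        allowed = key in self.connections
        if allowed and "RST" in p.flags:
            self.connections.discard(key)          # dialogue torn down
        # Simplification: a real firewall also tracks FIN handshakes and idle timeouts.
        return allowed

# Constructed trace (addresses from the RFC 5737 documentation ranges).
TRACE = [
    pkt("out", "10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),         # inside host opens HTTPS
    pkt("in",  "203.0.113.10", 443, "10.0.0.5", 50000, "SYN", "ACK"),  # server's reply
    pkt("out", "10.0.0.5", 50000, "203.0.113.10", 443, "ACK"),         # handshake completes
    pkt("in",  "198.51.100.7", 443, "10.0.0.8", 3389, "ACK"),          # unsolicited, dressed as a reply
    pkt("in",  "198.51.100.7", 443, "10.0.0.8", 22, "SYN"),            # unsolicited connection attempt
    pkt("in",  "203.0.113.10", 443, "10.0.0.5", 50000, "RST", "ACK"),  # server resets the connection
    pkt("in",  "203.0.113.10", 443, "10.0.0.5", 50000, "ACK"),         # late packet after the reset
]

def compare(trace):
    """Return one (packet_filter_decision, stateful_decision) pair per packet."""
    stateful = StatefulFirewall()
    return [(packet_filter(p), stateful.inspect(p)) for p in trace]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(TRACE, compare(TRACE)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{sorted(p.flags)}  filter={stateless}  stateful={stateful}")
```

The fourth and seventh packets pass the packet filter because their headers resemble replies, while stateful inspection drops them because no tracked dialogue matches.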

Intrusion detection systems feature full-time monitoring tools placed at the most
vulnerable points of corporate networks to detect and deter intruders continually.
Scanning software looks for patterns indicative of known methods of computer attacks,
such as bad passwords, checks to see if important files have been removed or modified,
and sends warnings of vandalism or system administration errors.

Antivirus software is designed to check computer systems and drives for the presence
of computer viruses. However, to remain effective, the antivirus software must be
continually updated.

Vendors of Wi-Fi equipment have developed stronger security standards. The Wi-Fi
Alliance industry trade group's 802.11i specification tightens security for wireless LAN
products.

Many organizations use encryption to protect sensitive information transmitted over
networks. Encryption is the coding and scrambling of messages to prevent their access
by unauthorized individuals.

Two methods for encrypting network traffic on the Web are:

• Secure Sockets Layer (SSL): SSL and its successor Transport Layer Security
(TLS) enable client and server computers to establish a secure connection session
and manage encryption and decryption activities.
• Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for
encrypting data flowing over the Internet, but it is limited to individual
messages.

Data are encrypted by applying a secret numerical code, called an encryption key, so that
the data are transmitted as a scrambled set of characters. To be read, the message must
be decrypted (unscrambled) with a matching key. There are two alternative methods of
encryption:

• Symmetric key encryption: The sender and receiver create a single encryption
key that is shared.
• Public key encryption: A more secure encryption method that uses two different
keys, one private and one public.

PUBLIC KEY ENCRYPTION

A public key encryption system can be viewed as a series of public and private keys
that lock data when they are transmitted and unlock the data when they are received.
The sender locates the recipient’s public key in a directory and uses it to encrypt a
message. The message is sent in encrypted form over the Internet or a private network.
When the encrypted message arrives, the recipient uses his or her private key to decrypt
the data and read the message.

Digital signatures and digital certificates help with authentication. A digital signature is
a digital code attached to an electronically transmitted message that is used to verify the
origin and contents of a message. Digital certificates are data files used to establish the
identity of users and electronic assets for protection of online transactions. A digital
certificate system uses a trusted third party known as a certificate authority (CA) to
validate a user's identity. The digital certificate system would enable, for example, a
credit card user and a merchant to validate that their digital certificates were issued by
an authorized and trusted third party before they exchange data. Public key
infrastructure (PKI), the use of public key cryptography working with a certificate
authority, is a principal technology for providing secure authentication of identity
online.

DIGITAL CERTIFICATES

Digital certificates help establish the identity of people or electronic assets. They protect
online transactions by providing secure, encrypted, online communication.
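
The public key encryption, digital signature and certificate authority steps described above, carried through end to end as an added example that is not part of the original notes. It uses textbook RSA with small fixed primes and no padding so that it runs with the Python standard library alone; the names `merchant.example`, the certificate layout and the messages are constructed, and real systems use vetted libraries with much larger keys.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: ((n, e) public, (n, d) private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, E), (n, d)

def digest(data, n):
    """SHA-256 of the data, reduced into the key's range (toy scheme, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def encrypt(message, public):
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def cert_body(subject, public):
    """The bytes the CA signs: the binding between an identity and a public key."""
    n, e = public
    return f"{subject}|{n}|{e}".encode()

def issue_certificate(subject, public, ca_private):
    return {"subject": subject, "public_key": public,
            "signature": sign(cert_body(subject, public), ca_private)}

def validate_certificate(cert, ca_public):
    return verify(cert_body(cert["subject"], cert["public_key"]), cert["signature"], ca_public)

def run_exchange():
    # Mersenne primes keep the constants short; they are far too small and
    # structured for real keys and are used here only for illustration.
    ca_pub, ca_priv = make_keypair(2**61 - 1, 2**127 - 1)
    merchant_pub, merchant_priv = make_keypair(2**89 - 1, 2**107 - 1)
    other_pub, _ = make_keypair(2**31 - 1, 2**61 - 1)

    # 1. The CA vouches for the merchant's key; the customer trusts only ca_pub.
    cert = issue_certificate("merchant.example", merchant_pub, ca_priv)
    cert_ok = validate_certificate(cert, ca_pub)

    # 2. Public key encryption: lock with the recipient's public key,
    #    unlock with the recipient's private key.
    order = b"card ending 4242"   # constructed sample message
    recovered = decrypt(encrypt(order, cert["public_key"]), merchant_priv)

    # 3. Digital signature: the merchant signs, the customer verifies origin and contents.
    receipt = b"order 1001: total 25.00"
    sig = sign(receipt, merchant_priv)

    # 4. A certificate whose key was swapped after issuance no longer matches
    #    the CA's signature and must be rejected.
    swapped = dict(cert, public_key=other_pub)

    return {
        "certificate_valid": cert_ok,
        "decrypted_matches": recovered == order,
        "signature_valid": verify(receipt, sig, cert["public_key"]),
        "altered_receipt_valid": verify(b"order 1001: total 2.50", sig, cert["public_key"]),
        "swapped_key_certificate_valid": validate_certificate(swapped, ca_pub),
    }

if __name__ == "__main__":
    for check, outcome in run_exchange().items():
        print(f"{check}: {outcome}")
```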

Securing Wireless Networks

In today’s connected world, almost everyone has at least one Internet-connected device.
With the number of these devices on the rise, it is important to implement a security
strategy to minimize their potential for exploitation. Internet-connected devices may be
used by nefarious entities to collect personal information, steal identities, compromise
financial data, and silently listen to—or watch—users. However, taking a few
precautions in the configuration and use of your devices can help prevent this type of
activity.

What are the risks to your wireless network?

Whether it’s a home or business network, the risks to an unsecured wireless network
are the same. Some of the risks include:

Piggybacking

If you fail to secure your wireless network, anyone with a wireless-enabled computer in
range of your access point can utilize your connection. The typical indoor broadcast
range of an access point is 150 – 300 feet. Outdoors, this range may extend as far as 1,000
feet. So, if your neighborhood is closely settled, or if you live in an apartment or
condominium, failure to secure your wireless network could potentially open your
internet connection to many unintended users. These users may be able to conduct
illegal activity, monitor and capture your web traffic, or steal personal files.

Wardriving

Wardriving is a specific kind of piggybacking. The broadcast range of a wireless access
point can make internet connections available outside your home, even as far away as
your street. Savvy computer users know this, and some have made a hobby out of
driving through cities and neighborhoods with a wireless-equipped computer—
sometimes with a powerful antenna— searching for unsecured wireless networks. This
practice is known as “wardriving.”

Evil Twin Attacks

In an evil twin attack, an adversary gathers information about a public network access
point, and then sets up their system to impersonate it. The adversary uses a broadcast
signal stronger than the one generated by the legitimate access point; unsuspecting
users then connect using the stronger signal. Because the victim is connecting
to the internet through the attacker’s system, it’s easy for the attacker to use specialized
tools to read any data the victim sends over the internet. This data may include credit
card numbers, username and password combinations, and other personal information.
Always confirm the name and password of a public Wi-Fi hotspot prior to use. This will
ensure you are connecting to a trusted access point.

Wireless Sniffing

Many public access points are not secured and the traffic they carry is not encrypted.
This can put your sensitive communications or transactions at risk. Because your
connection is being transmitted “in the clear,” malicious actors could use sniffing tools
to obtain sensitive information such as passwords or credit card numbers. Ensure that
all the access points you connect to use at least WPA2 encryption.

Unauthorized Computer Access

An unsecured public wireless network combined with unsecured file sharing could
allow a malicious user to access any directories and files you have unintentionally made
available for sharing. Ensure that when you connect your devices to public networks,
you deny sharing of files and folders. Only allow sharing on recognized home
networks, and only while it is necessary to share items. When not needed, ensure that
file sharing is disabled. This will help prevent an unknown attacker from accessing your
device’s files.

Shoulder Surfing

In public areas malicious actors can simply glance over your shoulder as you type. By
simply watching you, they can steal sensitive or personal information. Screen protectors
which prevent shoulder-surfers from seeing your device screen can be purchased for
little money. For smaller devices, such as phones, be cognizant of your surroundings
while viewing sensitive information or entering passwords.

Theft of Mobile Devices

Not all attackers rely on gaining access to your data via wireless means. By physically
stealing your device, attackers could have unrestricted access to all of its data, as well as
any connected cloud accounts. Taking measures to protect your devices from loss or
theft is important, but should the worst happen, a little preparation may protect the
data inside. Most mobile devices, including laptop computers, now have the ability to
fully encrypt their stored data—making devices useless to attackers who cannot
provide the proper password or PIN. In addition to encrypting device content, it is also
advisable to configure your device’s applications to request login information before
allowing access to any cloud-based information. Lastly, individually encrypt or
password-protect files that contain personal or sensitive information. This will afford
yet another layer of protection in the event an attacker is able to gain access to your
device.

What can you do to minimize the risks to your wireless network?

• Change default passwords - Most network devices, including wireless access
points, are pre-configured with default administrator passwords to simplify
setup. These default passwords are easy to obtain online, and so
provide only marginal protection. Changing default passwords makes it harder
for attackers to access a device. Using complex passwords and changing them
periodically is your first line of defense in protecting your device.
• Restrict access - Only allow authorized users to access your network. Each piece
of hardware connected to a network has a media access control (MAC) address.
You can restrict access to your network by filtering these MAC addresses.
Consult your user documentation for specific information about enabling these
features. You can also utilize the “guest” account, which is a widely used feature
on many wireless routers. This feature allows you to grant wireless access to
guests on a separate wireless channel with a separate password, while
maintaining the privacy of your primary credentials.
• Encrypt the data on your network - Encrypting your wireless data prevents
anyone who might be able to access your network from viewing it. There are
several encryption protocols available to provide this protection. Wired
Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and WPA2 encrypt
information being transmitted between wireless routers and wireless devices.
WPA2 is currently the strongest encryption. WEP and WPA are both still
available; however, it is advisable to use equipment that specifically supports
WPA2, as using the other protocols could leave your network open to
exploitation.
• Protect your Service Set Identifier (SSID) - To prevent outsiders from easily
accessing your network, avoid publicizing your SSID. All Wi-Fi routers allow
users to protect their device’s SSID, which makes it more difficult for attackers to
find a network. At the very least, change your SSID to something unique.
Leaving it as the manufacturer’s default could allow a potential attacker to
identify the type of router and possibly exploit any known vulnerabilities.
• Install a firewall - Consider installing a firewall directly on your wireless
devices (a host-based firewall), as well as on your home network (a router- or
modem-based firewall). Attackers who can directly tap into your wireless
network may be able to circumvent your network firewall; a host-based firewall
will add a layer of protection to the data on your computer.
• Maintain antivirus software - Install antivirus software and keep your virus
definitions up-to-date. Many antivirus programs also have additional features
that detect or protect against spyware and adware.
• Use file sharing with caution - File sharing between devices should be disabled
when not needed. You should only allow file sharing over
home or work networks, never on public networks. You may want to consider
creating a dedicated directory for file sharing and restricting access to all other
directories. In addition, you should password protect anything you share. Never
open an entire hard drive for file sharing.
• Keep your access point software patched and up-to-date - The manufacturer of
your wireless access point will periodically release updates to and patches for a
device’s software and firmware. Be sure to check the manufacturer’s website
regularly for any updates or patches for your device.
• Check your internet provider’s or router manufacturer’s wireless security
options - Your internet service provider and router manufacturer may provide
information or resources to assist in securing your wireless network. Check the
customer support area of their websites for specific suggestions or instructions.
• Connect using a virtual private network - Many companies and organizations
have a virtual private network (VPN). VPNs allow employees to connect
securely to their network when away from the office. VPNs encrypt connections
at the sending and receiving ends and keep out traffic that is not properly
encrypted. If a VPN is available to you, make sure you log onto it any time you
need to use a public wireless access point.
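The checklist above can be turned into a repeatable audit. The following is an added example, not part of the original notes: it checks exported access point settings against the encryption, default password, SSID, firewall and firmware items. The record layout, field names, severity labels and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ranking of the protocols the notes name; anything unknown is treated as open.
ENCRYPTION_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}
# Illustrative factory SSID prefixes (not exhaustive).
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class AccessPoint:
    """Settings exported from one access point (hypothetical field names)."""
    ssid: str
    encryption: str
    default_admin_password: bool
    ssid_broadcast: bool
    mac_filter_enabled: bool
    firewall_enabled: bool
    firmware: str
    latest_firmware: str


def parse_version(text):
    """Turn '1.0.10' into (1, 0, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(ap):
    """Return (severity, finding) tuples for one access point, most severe first."""
    findings = []
    rank = ENCRYPTION_RANK.get(ap.encryption.upper(), 0)
    if rank == 0:
        findings.append(("HIGH", "traffic is unencrypted and can be sniffed"))
    elif rank < ENCRYPTION_RANK["WPA2"]:
        findings.append(("HIGH", f"{ap.encryption} is weaker than WPA2"))
    if ap.default_admin_password:
        findings.append(("HIGH", "default administrator password still set"))
    if ap.ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
        findings.append(("MEDIUM", "factory-default SSID reveals the router type"))
    # A plain string comparison would wrongly rank '1.0.3' above '1.0.10'.
    if parse_version(ap.firmware) < parse_version(ap.latest_firmware):
        findings.append(
            ("MEDIUM", f"firmware {ap.firmware} is behind {ap.latest_firmware}"))
    if not ap.firewall_enabled:
        findings.append(("MEDIUM", "router firewall is disabled"))
    if ap.ssid_broadcast:
        findings.append(("LOW", "SSID is publicized"))
    if not ap.mac_filter_enabled:
        findings.append(("LOW", "no MAC address filtering"))
    # sorted() is stable, so findings keep their order within each severity.
    return sorted(findings, key=lambda item: SEVERITY_ORDER[item[0]])


# Constructed sample inventory: one factory-fresh router, one hardened one.
INVENTORY = [
    AccessPoint(ssid="linksys", encryption="WEP", default_admin_password=True,
                ssid_broadcast=True, mac_filter_enabled=False,
                firewall_enabled=False, firmware="1.0.3",
                latest_firmware="1.0.10"),
    AccessPoint(ssid="Office-7f3a", encryption="WPA2",
                default_admin_password=False, ssid_broadcast=False,
                mac_filter_enabled=True, firewall_enabled=True,
                firmware="2.4.1", latest_firmware="2.4.1"),
]


def report(inventory):
    """Map each SSID to its list of findings."""
    return {ap.ssid: audit(ap) for ap in inventory}


if __name__ == "__main__":
    for ssid, findings in report(INVENTORY).items():
        print(ssid, "->", "OK" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```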

ENCRYPTION

In computing, encryption is the method by which plaintext or any other type of data is
converted from a readable form to an encoded version that can only be decoded by
another entity if they have access to a decryption key. Encryption is one of the most
important methods for providing data security, especially for end-to-end protection of
data transmitted across networks.

Encryption is widely used on the internet to protect user information being sent
between a browser and a server, including passwords, payment information and other
personal information that should be considered private. Organizations and individuals
also commonly use encryption to protect sensitive data stored on computers, servers
and mobile devices like phones or tablets.

How encryption works

Unencrypted data, often referred to as plaintext, is encrypted using an
encryption algorithm and an encryption key. This process generates cipher text that can
only be viewed in its original form if decrypted with the correct key. Decryption is
simply the inverse of encryption, following the same steps but reversing the order in
which the keys are applied. Today's most widely used encryption algorithms fall into
two categories: symmetric and asymmetric.

How the encryption operation works

Symmetric-key ciphers, also referred to as "secret key," use a single key, sometimes
referred to as a shared secret because the system doing the encryption must share it
with any entity it intends to be able to decrypt the encrypted data. The most widely
used symmetric-key cipher is the Advanced Encryption Standard (AES), which was
designed to protect government classified information.

Symmetric-key encryption is usually much faster than asymmetric encryption, but the
sender must exchange the key used to encrypt the data with the recipient before the
recipient can perform decryption on the cipher text. The need to securely distribute and
manage large numbers of keys means most cryptographic processes use a symmetric
algorithm to efficiently encrypt data, but use an asymmetric algorithm to securely
exchange the secret key.

Asymmetric cryptography, also known as public key cryptography, uses two different
but mathematically linked keys, one public and one private. The public key can be
shared with everyone, whereas the private key must be kept secret. The RSA encryption
algorithm is the most widely used public key algorithm, partly because both the public
and the private keys can encrypt a message; the opposite key from the one used to
encrypt a message is used to decrypt it. This attribute provides a method of assuring
not only confidentiality, but also the integrity, authenticity and nonrepudiation of
electronic communications and data at rest through the use of digital signatures.
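The opposite-key property described above, shown with textbook RSA as an added example that is not part of the original notes. The key is built from two publicly known Mersenne primes and uses no padding, so it is a constructed toy for illustration only; real systems use a vetted library with randomly generated keys and padding.

```python
import hashlib

# Constructed toy key: two publicly known Mersenne primes keep the example
# deterministic. Anyone can factor this modulus; never use it for real data.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)     # may be shared with everyone
PRIVATE_KEY = (N, D)    # must be kept secret


def apply_key(value, key):
    """The single RSA operation: value ** exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under the modulus")
    return pow(value, exponent, n)


def wrap_session_key(session_key, recipient_public):
    """Confidentiality: the sender encrypts a symmetric key with the PUBLIC key."""
    return apply_key(int.from_bytes(session_key, "big"), recipient_public)


def unwrap_session_key(wrapped, recipient_private, length):
    """Only the holder of the PRIVATE key recovers the symmetric key."""
    return apply_key(wrapped, recipient_private).to_bytes(length, "big")


def digest_as_int(message):
    """SHA-256 digest of the message as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, signer_private):
    """Authenticity: the signer encrypts the message digest with the PRIVATE key."""
    return apply_key(digest_as_int(message), signer_private)


def verify(message, signature, signer_public):
    """Anyone with the PUBLIC key can check the signature against the message."""
    try:
        return apply_key(signature, signer_public) == digest_as_int(message)
    except ValueError:
        return False


if __name__ == "__main__":
    session_key = bytes(range(32))          # constructed 256-bit symmetric key
    wrapped = wrap_session_key(session_key, PUBLIC_KEY)
    print("key recovered:",
          unwrap_session_key(wrapped, PRIVATE_KEY, 32) == session_key)

    order = b"PAY 100.00 TO ACCOUNT 12345678"   # constructed message
    signature = sign(order, PRIVATE_KEY)
    print("genuine message verifies:", verify(order, signature, PUBLIC_KEY))
    print("altered message verifies:",
          verify(order.replace(b"100", b"900"), signature, PUBLIC_KEY))
```

The session key wrapped here is what a symmetric cipher such as AES would then use for the bulk data, which is the division of labor the preceding paragraphs describe.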

Benefits of encryption

The primary purpose of encryption is to protect the confidentiality of digital data stored
on computer systems or transmitted via the internet or any other computer network. A
number of organizations and standards bodies either recommend or require sensitive
data to be encrypted in order to prevent unauthorized third parties or threat actors from
accessing the data. For example, the Payment Card Industry Data Security
Standard requires merchants to encrypt customers' payment card data when it is both
stored at rest and transmitted across public networks.

Modern encryption algorithms also play a vital role in the security assurance of IT
systems and communications as they can provide not only confidentiality, but also the
following key elements of security:

• Authentication: the origin of a message can be verified.
• Integrity: proof that the contents of a message have not been changed since it was
sent.
• Nonrepudiation: the sender of a message cannot deny sending the message.

Types of encryption

Traditional public key cryptography depends on the properties of large prime numbers
and the computational difficulty of factoring those primes. Elliptic curve
cryptography (ECC) enables another kind of public key cryptography that depends on
the properties of the elliptic curve equation; the resulting cryptographic algorithms can
be faster and more efficient and can produce comparable levels of security with shorter
cryptographic keys. As a result, ECC algorithms are often implemented in internet of
things devices and other products with limited computing resources.

As development of quantum computing continues to approach practical
application, quantum cryptography will become more important. Quantum
cryptography depends on the quantum mechanical properties of particles to protect
data. In particular, the Heisenberg uncertainty principle posits that the two identifying
properties of a particle -- its location and its momentum -- cannot be measured without
changing the values of those properties. As a result, quantum encoded data cannot be
copied because any attempt to access the encoded data will change the data. Likewise,
any attempt to copy or access the data will cause a change in the data, thus notifying the
authorized parties to the encryption that an attack has occurred.

Encryption is used to protect data stored on a system (encryption in place or encryption
at rest); many internet protocols define mechanisms for encrypting data moving from
one system to another (data in transit).

Some applications tout the use of end-to-end encryption (E2EE) to guarantee data being
sent between two parties cannot be viewed by an attacker that intercepts the
communication channel. Use of an encrypted communication circuit, as provided by
Transport Layer Security (TLS) between web client and web server software, is not
always enough to ensure E2EE; typically, the actual content being transmitted is
encrypted by client software before being passed to a web client, and decrypted only by
the recipient.

How encryption is used

Encryption was almost exclusively used only by governments and large enterprises
until the late 1970s when the Diffie-Hellman key exchange and RSA algorithms were
first published -- and the first personal computers were introduced. By the mid-1990s,
both public key and private key encryption were being routinely deployed in web
browsers and servers to protect sensitive data.

Encryption is now an important part of many products and services, used in the
commercial and consumer realms to protect data both while it is in transit and while it
is stored, such as on a hard drive, smartphone or flash drive (data at rest).

Devices like modems, set-top boxes, smartcards and SIM cards all use encryption or
rely on protocols like SSH, S/MIME, and SSL/TLS to encrypt sensitive data. Encryption
is used to protect data in transit sent from all sorts of devices across all sorts of
networks, not just the internet; every time someone uses an ATM or buys something
online with a smartphone, makes a mobile phone call or presses a key fob to unlock a
car, encryption is used to protect the information being relayed. Digital rights
management systems, which prevent unauthorized use or reproduction of copyrighted
material, are yet another example of encryption protecting data.

Cryptographic hash functions

Encryption is usually a two-way function, meaning the same algorithm can be used to
encrypt plaintext and to decrypt cipher text. A cryptographic hash function can be
viewed as a type of one-way function for encryption, meaning the function output
cannot easily be reversed to recover the original input. Hash functions are commonly
used in many aspects of security to generate digital signatures and data integrity
checks. They take an electronic file, message or block of data and generate a short
digital fingerprint of the content called a message digest or hash value. The key
properties of a secure cryptographic hash function are:

• Output length is small compared to input
• Computation is fast and efficient for any input
• Any change to input affects lots of output bits
• One-way value -- the input cannot be determined from the output
• Strong collision resistance -- two different inputs can't create the same output

The ciphers in hash functions are optimized for hashing: They use large keys and
blocks, can efficiently change keys every block and have been designed and vetted for
resistance to related-key attacks. General-purpose ciphers used for encryption tend to
have different design goals. For example, the symmetric-key block cipher AES could
also be used for generating hash values, but its key and block sizes make it nontrivial
and inefficient.
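The hash function properties listed above can be measured directly. This added example, which is not part of the original notes, uses SHA-256 from the Python standard library to show the fixed-size digest, to count how many output bits change when a single input bit is flipped, and to run a digest-based integrity check. The sample message is constructed.

```python
import hashlib
import hmac


def fingerprint(data):
    """Message digest (hash value) of the data: always 32 bytes for SHA-256."""
    return hashlib.sha256(data).digest()


def bit_difference(a, b):
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_profile(message):
    """Flip each input bit in turn and record how many digest bits change."""
    baseline = fingerprint(message)
    changes = []
    for index in range(len(message) * 8):
        mutated = bytearray(message)
        mutated[index // 8] ^= 1 << (index % 8)     # flip exactly one bit
        changes.append(bit_difference(baseline, fingerprint(bytes(mutated))))
    return changes


def verify_integrity(data, expected_hex):
    """Data integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


# Constructed sample message.
MESSAGE = b"PAY 100.00 TO ACCOUNT 12345678"

if __name__ == "__main__":
    # Output length is small and fixed, whatever the input size.
    for size in (0, 30, 1_000_000):
        print(f"{size:>9} input bytes -> {len(fingerprint(b'x' * size))} digest bytes")

    # Any change to the input affects lots of output bits (about half of 256).
    profile = avalanche_profile(MESSAGE)
    print("single-bit flips tested:", len(profile))
    print("digest bits changed: min", min(profile), "max", max(profile),
          "mean", round(sum(profile) / len(profile), 1))

    # Integrity: a published digest detects any later modification.
    published = hashlib.sha256(MESSAGE).hexdigest()
    print("original passes:", verify_integrity(MESSAGE, published))
    print("altered passes: ",
          verify_integrity(MESSAGE.replace(b"100", b"900"), published))
```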

Contemporary encryption issues

For any cipher, the most basic method of attack is brute force: trying each key until the
right one is found. The length of the key determines the number of possible keys, hence
the feasibility of this type of attack. Encryption strength is directly tied to key size, but
as the key size increases so, too, do the resources required to perform the computation.

Alternative methods of breaking a cipher include side-channel attacks, which don't
attack the actual cipher but the physical side effects of its implementation. An error in
system design or execution can allow such attacks to succeed.

Attackers may also attempt to break a targeted cipher through cryptanalysis, the
process of attempting to find a weakness in the cipher that can be exploited with a
complexity less than a brute-force attack. The challenge of successfully attacking a
cipher is easier if the cipher itself is already flawed. For example, there have been
suspicions that interference from the National Security Agency weakened the Data
Encryption Standard algorithm, and following revelations from former NSA analyst
and contractor Edward Snowden, many believe the NSA has attempted to subvert other
cryptography standards and weaken encryption products.

More recently, law enforcement agencies such as the FBI have criticized technology
companies that offer end-to-end encryption, arguing that such encryption prevents law
enforcement from accessing data and communications even with a warrant. The FBI has
referred to this issue as "Going Dark," while the U.S. Department of Justice has
proclaimed the need for "responsible encryption" that can be unlocked by technology
companies under a court order.

What is cloud computing?

Basically, cloud computing is a kind of outsourcing of computer applications. Using
cloud computing, users have the ability to access applications from
wherever they are; the computer applications are hosted by an external party
and reside in the cloud. This means that users do not have to be concerned about things
like storage and electricity; they can simply enjoy the final result.

Life before cloud computing

Conventional business programs have always been very complicated and costly. The
quantity and wide range of hardware and software required to run them are
daunting. You need a whole team of specialists to set up, configure, test, run,
protect, and update them.

When you multiply this effort across dozens or hundreds of programs, it's easy to see
why the biggest businesses with the best IT departments are not getting the programs
they want. Small and midsize companies don't stand a chance.

With cloud computing, you eliminate those headaches that come with storing your own
data, as you are not handling software and hardware -- that becomes the responsibility
of an experienced vendor like Salesforce. The shared infrastructure means it works just
like a utility: You only pay for what you need, updates are automatic, and scaling up or
down is simple.

Cloud-based apps may be up and running in weeks or days, and they cost less. Using a
cloud app, you simply open a browser, log in, personalize the program, and begin
using it.

Businesses are running all sorts of programs in the cloud, such as customer relationship
management (CRM), HR, accounting, and much more. Some of the world's largest
companies moved their software to the cloud using Salesforce after rigorously testing
the security and reliability of our infrastructure.

Always dig deeper when evaluating cloud offerings, and keep in mind that if you
have to buy and manage software and hardware, what you're looking at is not
actually cloud computing but a false cloud.

Infrastructure as a Service (IaaS)

A third party hosts components of infrastructure, including hardware, applications,
servers, and storage, also providing backup, security, and maintenance.
Employing the cloud, applications such as an online browser or application can become
a usable tool.

Platform as a Service (PaaS)

The branch of cloud computing which allows users to develop, run, and manage
applications without having to get caught up in code, infrastructure, storage and so
forth.

There are many types of PaaS. Every PaaS alternative is public, private, or a hybrid
combination of both. Public PaaS is hosted in the cloud, and its infrastructure is handled
by the supplier. Private PaaS, on the other hand, is housed in on-site servers or private
networks, and is maintained by the consumer. Hybrid PaaS uses elements from both
public and private, and is capable of executing applications from several cloud
infrastructures.

PaaS can be further categorized depending on whether it is open or closed source,
whether it is mobile compatible (mPaaS), and also exactly what company types it caters
to.

When picking a PaaS alternative, the most significant considerations beyond how it's
hosted are how it integrates with existing data systems, which programming languages
it supports, and what application-building tools it offers, how customizable or
configurable it is, and how effectively it's supported by the provider.

As digital technology grows ever more powerful and accessible, programs and mobile
platforms are becoming nearly universally prevalent. Businesses are benefiting from
new PaaS abilities to further outsource jobs that would have otherwise relied on
local solutions. This is made possible through improvements in computing.

Traditional business applications have always been quite complex and costly. The
amount and variety of hardware and software necessary to run them are daunting.
You need a whole team of experts to set up, configure, test, run, protect, and update
them.

If you multiply this effort across dozens or hundreds of programs, it's easy to see why
the biggest companies with the best IT departments aren't getting the apps they need.
Small and mid-sized businesses don't stand a chance. The significance of cloud-hosted
information makes it an essential tool for these kinds of situations.

Below are several additional benefits of cloud computing.

Adaptable

Cloud computing allows for flexible applications and software which are
customizable, while allowing owners control over the core code.

Multitenant

Cloud software provides the opportunity to supply personalized applications and
portals to a number of customers or tenants.

Reputable

Because it is hosted by a third party, businesses and other users have greater assurance
of reliability, and if there are issues, easy access to customer support.

Scalable

With the Web of Things, it is essential that applications function across every device
and integrate with other programs. Cloud software can provide this.

Safe

Cloud computing can also guarantee a more protected environment, thanks to
enhanced resources for security and centralization of information.

The woes of Security, Data Loss, Performance & Cost in the Cloud

Although the title of this article may look ambiguous to the untutored, it will strike a
chord with those acquainted with cloud computing fundamentals. They are trending
topics in the realm of cloud computing and are actively debated in forums and social
circles. The crux of this article would be to ascertain the accuracy of these so-called
“inherent drawbacks” of cloud computing.

1- Security

The most compelling challenge for someone attempting to switch from their existing
computing module to the cloud is to ascertain how secure cloud computing is.
Aficionados of conventional computing often allege that the extensive use of
virtualization, which is a fundamental tenet of cloud computing, only adds viable
security risks. Virtualization software might be compromised which could jeopardize
the entire infrastructure which includes cloud computing, storage and networking.

In defense of cloud computing, and to negate these claims, it is pertinent to mention
that cloud computing is comprised of a comprehensive set of defensive
implementations. These implementations or security controls are derived keeping in
view hurdles which might occur, as well as to shield the cloud architecture against an
external or internal threat. The security control suite consists of deterrent controls,
corrective controls, preventive controls and detective controls. The stringent
implementation of these meticulously crafted security measures with respect to asset,
vulnerability and threat assessment matrices makes cloud computing a totally secure
gambit.

2- Performance

Inherent cloud tenets like increased availability, on-demand resource
provisioning and scalability are all designed to deliver peak performance and enhance
the overall usability of applications and data hosted in the cloud. The most common
mistake that people make is equating application performance issues with the cloud
computing environment. When a cloud computing subscriber selects a cloud
computing flavor not well aligned with their business module, the performance is, at
best, degraded. However, that does not mean that from time to time some performance
issues that are totally centric to the cloud computing environment do not arise.

3- Cost

Pay-As-You-Go is the unique payment method introduced by cloud computing. This
method entails that the subscriber is only charged for the resources consumed (e.g.
bandwidth consumed, storage used, or enhanced processor time requested). Utilizing
cloud computing also renders unnecessary maintaining on-premises optimized hardware,
having a team on site to maintain it and worrying about managing costly software licenses.
Needless to say, all of these aspects are considerable cost savers!

4- Data loss and disaster

Cloud computing environments irrespective of their flavor provide stringent data loss
prevention and disaster recovery measures. Client’s data hosted in the cloud is
routinely backed up and stored safely so it can be readily accessed in case of emergency.
Thanks to the virtualization aspect (which is uselessly criticized by conventional
computing proponents) it is possible to maintain an identical copy of the entire setup
including the operating system, applications, patches and data.

Security issues for cloud computing and the mobile digital platform

Although cloud computing and the emerging mobile digital platform have the potential
to deliver powerful benefits, they pose new challenges to system security and reliability.
We now describe some of these challenges and how they should be addressed.

Security in the Cloud

When processing takes place in the cloud, accountability and responsibility for
protection of sensitive data still reside with the company owning that data.
Understanding how the cloud computing provider organizes its services and manages
the data is critical. The Interactive Session on Technology describes how even
sophisticated Web-based firms can experience security breakdowns. Cloud computing
is highly distributed. Cloud applications reside in large remote data centers and server
farms that supply business services and data management for multiple corporate
clients. To save money and keep costs low, cloud computing providers often distribute
work to data centers around the globe where work can be accomplished most
efficiently. When you use the cloud, you may not know precisely where your data are
being hosted.

The dispersed nature of cloud computing makes it difficult to track unauthorized
activity. Virtually all cloud providers use encryption, such as Secure Sockets Layer, to
secure the data they handle while the data are being transmitted. But if the data are
stored on devices that also store other companies’ data, it’s important to ensure these
stored data are encrypted as well. Companies expect their systems to be running 24/7,
but cloud providers haven’t always been able to provide this level of service. On several
occasions over the past few years, the cloud services of Amazon.com and
Salesforce.com experienced outages that disrupted business operations for millions of
users.

Cloud users need to confirm that regardless of where their data are stored, they are
protected at a level that meets their corporate requirements. They should stipulate that
the cloud provider store and process data in specific jurisdictions according to the
privacy rules of those jurisdictions. Cloud clients should find out how the cloud provider
segregates their corporate data from those of other companies and ask for proof that
encryption mechanisms are sound. It’s also important to know how the cloud provider
will respond if a disaster strikes, whether the provider will be able to completely restore
your data, and how long this should take. Cloud users should also ask whether cloud
providers will submit to external audits and security certifications. These kinds of
controls can be written into the service level agreement (SLA) before signing with a
cloud provider.

Securing Mobile Platforms

If mobile devices are performing many of the functions of computers, they need to be
secured like desktops and laptops against malware, theft, accidental loss, unauthorized
access, and hacking attempts. Mobile devices accessing corporate systems and data
require special protection. Companies should make sure that their corporate security
policy includes mobile devices, with additional details on how mobile devices should
be supported, protected, and used. They will need mobile device management tools to
authorize all devices in use; to maintain accurate inventory records on all mobile
devices, users, and applications; to control updates to applications; and to lock down or
erase lost or stolen devices so they can’t be compromised. Firms should develop
guidelines stipulating approved mobile platforms and software applications as well as
the required software and procedures for remote access of corporate systems.

Companies should encrypt communication whenever possible. All mobile device users
should be required to use the password feature found in every smart phone. Mobile
security products are available from Kaspersky, Lookout, and Droid Security. Some
companies insist that employees use only company-issued smart phones. BlackBerry
devices are considered the most secure because they run within their own secure
system. But, increasingly, companies are allowing employees to use their own smart
phones, including iPhones and Android phones, for work, to make employees more
available and productive (see the Chapter 5 discussion of BYOD). Protective software
products, such as the tools from Good Technology, are now available for segregating
corporate data housed within personally owned mobile devices from the device’s
personal content.

ENSURING SOFTWARE QUALITY

In addition to implementing effective security and controls, organizations can improve
system quality and reliability by employing software metrics and rigorous software
testing. Software metrics are objective assessments of the system in the form of
quantified measurements. Ongoing use of metrics allows the information systems
department and end users to jointly measure the performance of the system and
identify problems as they occur. Examples of software metrics include the number of
transactions that can be processed in a specified unit of time, online response time, the
number of payroll checks printed per hour, and the number of known bugs per
hundred lines of program code. For metrics to be successful, they must be carefully
designed, formal, objective, and used consistently. Early, regular, and thorough testing
will contribute significantly to system quality. Many view testing as a way to prove the
correctness of work they have done. In fact, we know that all sizable software is riddled
with errors, and we must test to uncover these errors.

Good testing begins before a software program is even written by using a walkthrough,
a review of a specification or design document by a small group of people carefully
selected based on the skills needed for the particular objectives being tested. Once
developers start writing software programs, coding walkthroughs also can be used to
review program code. However, code must be tested by computer runs. When errors
are discovered, the source is found and eliminated through a process called debugging.
You can find out more about the various stages of testing required to put an
information system into operation
