Discussions
Discussion 1 (Module 6):
Respond to the following question in 250 words:
Discuss the importance of software security as a priority throughout the software development life cycle. How does Cloud Computing change the way in which we think about the development of secure software systems?
Respond to the following students’ posts and provide feedback in 200 words each (two students – 400 words total)
1- Gabriel’s Response:
The company I work at accepts credit cards, so security is of utmost importance. Security is considered during the requirements phase and this is codified in our SDLC. Security is also considered throughout the lifecycle of the development project and the software must pass multiple reviews. This is also included in the SDLC. The final system must also pass a security engineering assessment as well as a PCI assessment before the initial release is pushed to production. We are using DevOps so there may be multiple releases in a given week or even a given day. These releases are subject to code reviews, both automated and manual. Our developers work in teams of two, so it is reviewed as it is written. I believe that depending on the industry in which the company operates, the level of security varies, but it is also a priority. Since we have credit card information, it is a priority for us. There may be industries where security may be given less of a priority. Information is a valuable resource and should be treated as such.
I don’t think that the cloud is changing how we think about security; we are just using different technologies to achieve the same result. Where we once had to purchase a firewall appliance, we can use a virtual one in the cloud or use something completely different that has the same functionality, like an AWS security group. The biggest consideration is how we get the various systems to talk to each other securely.
2- Stephan’s Response:
Increasingly, software security must be retained as a priority throughout the SDLC. It used to be that security could be planned, or designed, primarily during the beginning of the cycle with a fixed and controllable solution as simply one facet of the software design. Now, as threats and vulnerabilities increase, along with their consequences, security is a prime driver. Certainly, Cloud computing brings more attention to the matter. Throughout the SDLC, the ability to dynamically consider, and reconsider, software to adjust and fine-tune is critical.
Another thought regarding security is the profile of users. Computers, iPhones, IoT and such have become ubiquitous in our culture. This includes their use being moved down the user ladder from Adults to Teens, to pre-Teens, and to Adolescents or even younger. In one’s home, via the Cloud, users with no understanding, concern, or inclination of the consequences scour the internet via the Cloud to consume content.
Cloud computing opens the window wider on vulnerabilities, access, and control. In the interest of convenience (availability, storage capacity, ownership, cost, etc.) the Cloud heightens the need to ensure security is effective, as once it’s out on the Cloud, it’s out, it’s available, and it’s pervasive.
Discussion 2
Respond to the following question in 200 words:
From your own research, what are the most common cyber security threats? Which have proven to be the most costly? What data are the most important to protect?
Respond to the following students’ posts and provide feedback in 200 words each (two students – 400 words total)
1- Eddie’s Response:
The costliest cyber security threats, as specified in the case, were employee security awareness training, user account management, user behavior profiling and monitoring, smartphone encryption, and tools for data loss-prevention. I concur with the case assessment of those being the costliest cyber threats. The most common cyber threats in my research revolve around the human component. Those threats include spam, scams, and phishing.
In my experience, the best ways to prevent spam, scams, and phishing threats include frequent employee security awareness training and user account management. The most important data to protect is sensitive and confidential data, otherwise known as personally identifiable data (PII). Florida passed a law in 2014 called The Florida Information Protection Act (FIPA) that expanded requirements relating to reporting a data breach that involves PII data. Under the law, any breach that affects 500 or more Floridians’ PII data must be reported to the Florida Attorney General. Additionally, if it is determined that the PII data from the breach could potentially result in identity theft or financial harm, notice must be given to individuals affected within 30 days of the breach. There is, however, a provision in the law that essentially exempts notification to affected individuals if the data that is compromised from a breach is encrypted. In my opinion, encryption is one of the most important variables in protecting data.
2- Kimberly’s Response:
Based on the case study, the different types of cyber-attacks include the following:
· Hack: Breaking into a server from a remote location to steal or damage data.
· Data Breach: An incident where sensitive and confidential data has been viewed, used and/or stolen by an unauthorized user.
· Backdoors: Access to a computer program to break into security mechanisms by the installation of another program in the back door. It allows an unauthorized user to get back into a computer/system at a later time.
· Denial of Service Attack: Gaining access to a network, computer or program to disable the system.
· Direct-access attacks: Incident where an unauthorized user gains access to a computer to compromise security.
· Exploits: A piece of software that takes advantage of a software malfunction such as a bug or glitch in order to cause unintended behavior to occur on computer software or hardware.
· Hardware and software failures: Breaks and/or bugs or glitches in hardware or software devices/applications.
· Malware: software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
· Viruses: a piece of code which is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.
· Spam, scams and phishing: Email messages that are either unwanted (spam/scam) or designed to harm a company or individual by obtaining sensitive data (scam/phishing).
· Human Error: This could be either intentional or unintentional.
· Fraud: Wrongful or criminal deception intended to result in financial or personal gain.
· Password theft: Intentional stealing of user IDs and passwords to gain unauthorized access to computers and/or data.
· Staff dishonesty: Intentional employee acts to gain unauthorized access to computers, systems and/or data or stealing sensitive data for personal or financial gain.
· Security breaches: Incidents that are considered as a break-in. This could be a break in to a computer, computer system, network or an actual physical break-in of a business location.
According to my own research, some new attacks we see today include:
· Ransomware: Incidents where malicious actors encrypt and hold data and/or computer systems “hostage” until a financial ransom is paid.
· Cryptojacking: hijacking devices to harness computer power at scale to efficiently mine cryptocurrency.
· Credential stuffing: Stealing userId/password combinations of system credentials (i.e. third party vendors, executives, system administrators, etc.)
· Cloud Issues: Sensitive data left open on the Internet due to misconfigured cloud services.
According to the case study, the direct-access cyber attack is the most common attack type. Therefore, I think the direct-access cyber attack could include many different types of cyber attacks, such as hacking, malware, backdoors, etc. According to some recent research I did, it looks like the most costly data breaches recently have been completed when hackers broke into a system and deployed malware in the system and/or gained direct access remotely. According to a Touchpoint article (URL: https://www.firmex.com/resources/blog/the-10-most-expensive-data-breaches-in-corporate-history/), the most costly data breaches included the retail sector, such as Home Depot, Target, Sony PlayStation, TJ Maxx, and Hannaford Bros. Also on the list are some third-party services, such as Heartland Payment Systems and Epsilon. Also on the list are a government agency, The Veterans Administration, Sony Entertainment, and a health insurer, Anthem. According to the summary of these attacks, most occurred from malware deployed to the servers/computer systems. According to some of my research, no industry, organization or company is immune from a cyber attack.
Also, it is very hard to say that one type of attack over another is more costly. It really depends on the type of business. For example, if a business is solely an online business (i.e. no “brick and mortar” location), then a denial of service attack may be more costly to that type of business.
Also, according to a recent Security Magazine article (URL: https://www.securitymagazine.com/articles/90493-cyber-attacks-cost-45-billion-in-2018), organizations incurred $45 billion in losses in 2018 due to ransomware and other malicious incidents. The incidents noted in that article include cryptojacking, deceptive email, supply chain/third party attacks, attacks on governments, cloud issues, credential stuffing/credential breaches.
According to the case study (the 2014 Cost of Cyber Crime Study), in 2014 the highest annual cost per organization was reported in the Energy & Utilities and Defense industries. Based on this information, the most important data that needs to be protected would be the national infrastructure and the military organizations and government agencies.
One of the biggest concerns with cyber attacks and threats today is the threat to the US national critical infrastructure, including the Energy and Utilities industry and the US Defense industry.
There was also a large increase in the annualized cost to the Retail sector over the five-year period of the study. And we have seen in the news, on the internet, etc. the many attacks on the retail sector where sensitive credit card payment information was stolen for personal gain, identity theft or for sale on the dark web. In a recent search, I reviewed several articles related to cyber attacks on retail and restaurant chains such as Quaker Steak and Lube, Wawa, Target, etc. So based on these recent attacks, I think that some of the most important data that needs to be protected, in addition to the national infrastructure and US Defense industry, is credit card/payment card information. Hackers continue to breach this type of data.