Information Security

INTRODUCTION

Today there are methods that make it possible to audit systems, which can be used for good or for ill. Auditing can be achieved through external or third-party systems, or it can be implemented with methodologies and techniques that allow the investigation and analysis of events that occurred during the operation of information systems (Piattini, 1999, pp. 3-5).

EXPERIENCE WITH THE ORGANIZATION

Some years ago, I worked as a consultant for the “Tribunal Regional do Trabalho” (freely translated as Regional Labor Court), which was responsible for labor-related processes in the states of Parana and Santa Catarina. As the systems were all important, auditing was an important need, since the system had to log which user was inputting information, for instance. This was common with the type of framework we were using at that time, which was also based on the concept of auditing and made it available to its subsystems (Alvim, 2017).

METHODS TO MAKE SYSTEMS AUDITABLE

Auditing can be achieved in custom software by building it into the application's functionality and adding security procedures such as logging the user and using logical exclusion (marking records as deleted instead of physically removing them), for instance. I will give the example of record auditing in relational databases.

Given a table, you can add two columns to it: the username, and the date and time. With these two additional columns, and with your software recording the logged-in user and the date and time of each event, you have the desired auditing, which supports investigations into your software.

There is also a resource that helps a lot in investigations: database logging. Some commercial and open-source DBMSs support this feature; however, there are alternatives, such as the one Huang & Liu (2009) present in their paper “A Logging Scheme for Database Audit”, which is based on intercepting the database communication and parsing and processing the database protocol, making it auditable for further investigation procedures.
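
One way to implement the two audit columns and logical exclusion described above, as an added example (not code from the original article or from the framework it mentions). It goes beyond the text by adding a trigger-fed history table, so earlier values survive later updates; the table and column names are hypothetical, and SQLite stands in for the production database.

```python
import sqlite3

NOW = "strftime('%Y-%m-%dT%H:%M:%fZ','now')"  # database clock, not the client's
SCHEMA = """
CREATE TABLE labor_case (                -- hypothetical business table
    id INTEGER PRIMARY KEY, description TEXT NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0,  -- logical exclusion flag
    audit_user TEXT NOT NULL,            -- who made the last change
    audit_time TEXT NOT NULL             -- when the change happened (UTC)
);
CREATE TABLE labor_case_audit (          -- append-only change history
    case_id INTEGER, action TEXT, audit_user TEXT, audit_time TEXT,
    old_description TEXT, new_description TEXT
);
CREATE TRIGGER trg_ins AFTER INSERT ON labor_case BEGIN
    INSERT INTO labor_case_audit VALUES (NEW.id, 'INSERT', NEW.audit_user,
        NEW.audit_time, NULL, NEW.description);
END;
CREATE TRIGGER trg_upd AFTER UPDATE ON labor_case BEGIN
    INSERT INTO labor_case_audit VALUES (NEW.id,
        CASE WHEN NEW.deleted = 1 AND OLD.deleted = 0
             THEN 'SOFT_DELETE' ELSE 'UPDATE' END,
        NEW.audit_user, NEW.audit_time, OLD.description, NEW.description);
END;
CREATE TRIGGER trg_no_delete BEFORE DELETE ON labor_case BEGIN
    SELECT RAISE(ABORT, 'physical delete refused; use logical exclusion');
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_case(db, user, description):
    return db.execute("INSERT INTO labor_case (description, audit_user, audit_time) "
                      f"VALUES (?, ?, {NOW})", (description, user)).lastrowid

def update_case(db, user, case_id, description):
    db.execute(f"UPDATE labor_case SET description=?, audit_user=?, audit_time={NOW} "
               "WHERE id=? AND deleted=0", (description, user, case_id))

def soft_delete(db, user, case_id):
    db.execute(f"UPDATE labor_case SET deleted=1, audit_user=?, audit_time={NOW} "
               "WHERE id=?", (user, case_id))

def history(db, case_id):
    return db.execute("SELECT action, audit_user, old_description, new_description FROM "
                      "labor_case_audit WHERE case_id=? ORDER BY rowid", (case_id,)).fetchall()
```

The timestamp is taken from the database rather than from the caller, so an application user cannot backdate an entry, and the delete trigger keeps the record available for investigation.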

CONCLUSION

Today, with information systems present in every sphere of government and the private market, systems auditing has become a very important subject. There are many ways of implementing it, as seen in the Huang & Liu (2009) article, which uses alternative resources to implement security and auditing in a very creative and original manner.

REFERENCES

Piattini, M (1999) Auditing Information Systems. London: Idea Group Publishing.

Paulo A. (2017) Java EE 6 Open Source com jCompany Developer Suite [online] Available at: http://www.powerlogic.com.br/powerlogic/ecp/comunidade.do?app=portal&pg=540&idConteudo=1263 (Accessed 17 September 2017).

Huang Q & Lianzhong L (2009) ‘A Logging Scheme for Database Audit’, IEEE Conference Publications, 2, pp. 390-393.

INTRODUCTION

Although electronic devices such as cameras, fingerprint readers and identity cards were used in the past by the police in criminal matters, today it is more and more common for these devices to be developed by the industry to help companies achieve their goals, whether to enforce company policies or to help the company operate in good health and succeed in the business world.

With electronic monitoring, a company can check how much time employees spend at work, how productive they are, which applications they use, and when they perform better or worse at work (HubStaff, 2017).

ABOUT MY COMPANY

Today I am working as a consultant for a small company where no policies have been formalized, but there are rules the employees know they have to follow.

INTERNET MONITORING

In the company where I work today, we have a very small monitoring system called Squid. This tool is used not only for monitoring but also for caching internet results that were already accessed in the past (Squid, 2017).

CAMERA MONITORING

Cameras are everywhere in the company, and not only to supervise the professionals: in my country assaults are very common in all kinds of companies, so it is common for a company to equip every room with cameras as a security device, to provide footage in case something happens.

BIOMETRIC ACCESS

In the company I work for, fingerprints are used to unlock doors, in order to restrict access to some rooms to authorized people only. For instance, the development room is accessed only by development-related staff (Advance Systems, 2017).

PERSONAL INSIGHTS

I personally think that, since the company has its concerns regarding the good performance of its operations and the need to successfully close customer deals or negotiations, monitoring is valid on terms that allow the company to operate the way it needs to. I personally believe that security devices are ways to protect the company, so that its operations happen without surprises that could even lead to the bankruptcy of the company.

REFERENCES

Squid, 2017. Squid: Optimising Web Delivery. [Online] Available at: http://www.squid-cache.org. [Accessed 02 September 2017].

Hubstaff. 2017. What is Employee Monitoring?. [ONLINE] Available at: https://hubstaff.com/employee_monitoring. [Accessed 3 September 2017].

Advance Systems. 2017. Track Employee Hours Using Biometric Fingerprint Scanner. [ONLINE] Available at: https://advancesystemsinc.com/track-employee-hours-using-biometric-fingerprint-scanner/. [Accessed 3 September 2017].

INTRODUCTION

The main objective of this small article is to give my point of view on internet privacy and stolen information.

PERSONAL DATA AND INFORMATION

It is nothing new to a computer professional that conversations and information can be stolen in many ways, for example through technical flaws, the insecurity of internet protocols, network resources, and others.

Edward Snowden's revelation that people were being monitored by the CIA and NSA alerted internet users to be aware of what they share on the internet. Edward Snowden is considered one of the most extraordinary whistleblowers in history. Never before had anyone revealed such a quantity of secret files from the most powerful intelligence institution in the world in order to make them public. And that is what he did (Harding, 2014).

WAYS TO STORE DATA

Today, there are many ways of storing such large quantities of information about users and putting it to use with business intelligence, data mining and many other techniques. The list below shows some of them:

  • Hadoop: It is “an open-source software framework for storing data and running applications on clusters of commodity hardware. It provides massive storage for any kind of data, enormous processing power and the ability to handle virtually limitless concurrent tasks or jobs” (SAS, 2016).

  • NoSQL Databases: A new way of storing data in document-oriented, key/value or graph models. This database paradigm makes it possible to store large quantities of data and information by scaling horizontally instead of vertically, the latter being very common in relational databases (Sadalage, 2012).

WHO CAN AND HOW INFORMATION CAN BE ACCESSED

The confidentiality of stored user information, and who can access it, is a very sensitive matter. There are thousands of robots running on the internet today, gathering a lot of information from websites. You may one day have received an unknown contact request on Skype or Facebook; I personally believe this is one way for the robots to access your personal information and store it in pirate databases, which may be used for the benefit of others.

Although sensitive data is safeguarded by big corporations such as Facebook and Google, for instance, there is always the possibility of this data being stolen and published, or kept by hackers and ill-intentioned people.

CONCLUSION

Today, we need to be careful about what kind of data we share on the internet, be very careful with sensitive information, and beware of unknown contacts and relationships on the internet. I recommend that people regularly change credit card numbers and not make personal account data available on untrusted websites.

REFERENCES

Harding, L., 2014. The Snowden Files. 1st ed. London: The Guardian Books.

What is Hadoop?. 2016. SAS. [ONLINE] Available at: http://www.sas.com/en_us/insights/big-data/hadoop.html. [Accessed 14 February 2016].

Sadalage, P. J., 2012. NoSQL Distilled. 1st ed. USA: Addison-Wesley.

Network Hacking is a very common topic nowadays, and it has been one of the most important topics in computer science since the early years of connectivity and the wide spread of computers and networks.

A very simple definition for a hacker is given as “In computer networking, hacking is any technical effort to manipulate the normal behavior of network connections and connected systems. A hacker is any person engaged in hacking. The term “hacking” historically referred to constructive, clever technical work that was not necessarily related to computer systems. Today, however, hacking and hackers are most commonly associated with malicious programming attacks on the Internet and other networks.” (About.com, 2016).

There are many techniques a hacker may use to exploit a system or a vulnerability. They can be technical or social. The following paragraphs summarize some of the ways a computer can be hacked in the networking context.

1. SOCIAL ENGINEERING

Social engineering is a technique a hacker uses to persuade someone in order to achieve a goal, such as obtaining important data or gaining unauthorized access. Imagine a data center, and suppose an ill-intentioned hacker wants to get into it; this person may dress like the cleaning staff and fake authorization to enter. This is a very simple example of how a social engineering activity may happen. According to TechTarget (2016), some common examples of social engineering are:

  • Virus writers use social engineering tactics to persuade people to run malware-laden email attachments;

  • Phishers use social engineering to convince people to divulge sensitive information;

  • Scareware vendors use social engineering to frighten people into running software that is useless at best and dangerous at worst;

2. EXPLOITATION OF SOFTWARE TECHNICAL FLAWS

Computer software is not safe, and there are many flaws that can be exploited to gain privileged access to computers; this is one of the most common ways hackers get access to private and corporate computers.

Apache has been the most common web server on the internet since April 1996, and is currently used by 38% of all websites (Netcraft.com, 2014). The most important HTTP server in the world, the Apache HTTP Server, has one section on its website just to announce and help detect security flaws in its software:

3. USE OF HACKING TECHNIQUES

There are some common hacking techniques used to get privileged information. Some of them are:

  • DNS POISONING: Consists of tampering with the name resolution of internet addresses and using fake pages and information to capture user data;

  • SNIFFING: Consists of intercepting network information and reading it in order to get privileged information;

  • MAN-IN-THE-MIDDLE: Consists of intercepting and faking responses in order to manipulate user activity and get privileged information;

Other common techniques are: Spoofing, Brute Forcing and Session Hijacking.

CONCLUSION

There are many ways to exploit systems, and it is really difficult to guarantee that a server is 100% secure. However, one of the key computing concepts that came to improve server security is cloud computing, in which servers are hosted and maintained in secure data centers; security is more and more often a key aspect, and most providers offer security tools and resources to improve server security in the business computing space.

REFERENCES

About.com. 2016. What is a Hacker?. [ONLINE] Available at: http://compnetworking.about.com/od/networksecurityprivacy/f/what-is-hacking.htm. [Accessed 27 January 16].

TechTarget.com. 2016. Social Engineering. [ONLINE] Available at: http://searchsecurity.techtarget.com/definition/social-engineering. [Accessed 27 January 16].

Netcraft.com. 2014. Are there really lots of vulnerable Apache web servers?. [ONLINE] Available at: http://news.netcraft.com/archives/2014/02/07/are-there-really-lots-of-vulnerable-apache-web-servers.html. [Accessed 27 January 16].

Introduction

The main point covered in this discussion is the Target Corporation security breach that took place in 2013, which affected customers who swiped their credit and debit cards between Nov. 27/2013 and Dec. 15/2013, and which became a very important topic in network security. The issue was made public in a report by the security researcher Brian Krebs, who wrote that Target had suffered a data breach and that customers’ card information was totally exposed and unsecured in 2013 (CNN Money, 2013).

About the Company

Target Corporation is the 2nd largest American retailing company, with revenue of $72,596 in 2013, and took 29th place in the ranking on Fortune’s World Most Admired Companies List (Target Corporation, 2014).

Affected and Impacted Customers

The main fact is that in 2013 information on about 40 million credit and debit cards, stored on Target Corporation computers, was stolen by hackers, and this information was used by ill-intentioned users, who possibly would use it for their own benefit.

Technical Information and Causes

To give a bit more detail, security experts said that hackers targeted the point-of-sale system, perhaps infecting the terminals with malware or possibly collecting the data en route to the credit card processors (CNN Money, 2013).

Specialists said that the main problem is the obsolete technology used in American credit and debit card transactions. By comparison, credit cards used abroad have a chip that creates a unique PIN for the transaction and are also more difficult to clone, unlike the technology used in the USA, in which the magnetic stripe could be easily duplicated.

My personal critical thoughts

From my experience developing software, a first big mistake is probably the practice of storing the user’s complete credit card information. This is not necessary, because it is possible to store only part of the credit card number and ask the user to fill in the rest when necessary, so I would never encourage storing all the card information on any computing resource.

Based on my findings, I can conclude that the main reason all the information was stolen is the use of obsolete technology, not only at Target Corporation but also at all the American companies that run credit-card-related operations.

Conclusion

Computer security cannot be guaranteed with the kind of technology we have nowadays, especially when we consider networks, where data can be intercepted and you have no control over where this information is being transferred and stored.

The Target Corporation case became very popular in the news, but this kind of security breach occurs frequently on the Internet, and a great deal of information is stolen every day; nevertheless, it possibly never makes the news.

REFERENCES

CNN Money. 2013. Target: 40 million credit cards compromised. [ONLINE] Available at: http://money.cnn.com/2013/12/18/news/companies/target-credit-card/index.html?iid=EL. [Accessed 03 August 14].

Target Corporation. 2014. Corporate Overview. [ONLINE] Available at: http://investors.target.com/phoenix.zhtml?c=65828&p=irol-homeprofile. [Accessed 03 August 14].

CNN Money. 2013. Target credit card hack: What you need to know. [ONLINE] Available at: http://money.cnn.com/2013/12/22/news/companies/target-credit-card-hack/. [Accessed 03 August 14].

Think Progress. 2013. Why Target’s Security Breach Was Bound To Happen. [ONLINE] Available at: http://thinkprogress.org/economy/2013/12/23/3101291/target-breach-highlights-lack-uniform-consumer-protections/. [Accessed 03 August 14].