Summary
In this essay I will look at the basic fundamentals of security and privacy for users and businesses in the 21st century and what I think the security risks are for them and what the impact the security problems have on our privacy laws, does controversial access to every bit of information about people actually make systems more secure i.e. prevent system attacks. I will go in-dept into what I believe are the main security risks for users and businesses when browsing the Internet or shopping and using online banking and also discuss briefly what it would be like to have no privacy. I will also discuss how when a user goes on a social networking site or search engine they might be at risk of sharing information unwillingly with the service providers. And another topic I will be discussing in this is how humans fail in their bit for security and how to prevent this from happening.
Digital security in the 21st century is now more important than ever before, there are many different types of security threats to the average person, business or even government. This is because everything we do on a daily basis can have a security risk, whether it be from online shopping or checking your email. If a user's computer has been hacked or has some spyware or malware and is being used for online shopping, then the hacker might gain access to the user's protected data which can then be used for fraud or theft or sold on to a third party.
Shopping in a store with your debit or credit card can also be a risk as cards can be cloned by staff and pin numbers stolen using a device that looks the same as the card machine but has been designed or modified to remember pin codes and clone debit or credit card information. Stolen laptops and mobile phones can have sensitive personal information on them, even losing your universal serial bus storage device or USB pen drive as they are know as for short, which can contain all sorts of information because people, businesses and governments all use these devices to move or store data. And if the data is not encrypted then there is always the chance that someone can gain access to it.
Security is the main issue when it comes to a person's personal information whether it be from browsing the Internet to online banking there will always be people who want to steal information for an entire range of reasons. (eg: phishing, fraud or even marketing!)
Another thing to be wary of is the topic of Liberty; are security laws infringing on our basic human rights to privacy and our security by allowing corporations and even governments to spy on our Internet communications for what they call 'anti-piracy' or "National Security" such as the PATRIOT Act in the United Sates of America, and this brings me to conclude, why should the rights of the many suffer because of the actions of a few?
And this is being debated every day of every week by civil rights activists to our own government deciding what they can do and cannot do. Too much information available about anyone to anyone can be dangerous and this topic should be taken very seriously.
Another major impact on personal privacy is the development of social networking sites and search engine providers that sell the user's information on to third parties.
To quote: "Privacy is a fundamental human right. It underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights of the modern age." by Marc Rotenberg, Protecting Human Dignity in the Digital Age (UNESCO 2000). I think that we are heading into a society that is not aware of the fundamental human rights we have and how we attained them.
For example anti-utopian, 'dystopian' novels of the 20th century depicted societies where privacy was non existent and an intrusive, oppressive regime denied this fundamental human right as a matter of course. In Yevgeny Zamyatin's novel 'We' the population lived in buildings constructed of glass, which allowed everyone and anyone to snoop on anyone whom they wished. Opposition is impossible in a society where privacy is non-existent. George Orwell's 1984, 'Big Brother' and tele-screens are frighteningly similar to todays move towards a 21st century society where the Government and corporations have full access to every bit of any citizen's digital life.
The 19th century black champion of civil rights, Frederick Douglass protested that any rights and liberties won by any people were awarded after contesting the power structures of society. He said in 1857 that 'Power concedes nothing without a demand, it never did and it never will. Find out just what any people will quietly submit to, and you have found out the exact measure of injustice and wrong that will be imposed upon them.'
Frederick Douglass, speaking on the emancipation of the West Indies, 1857
'Men may not get all they pay for in this world, but they must certainly pay for all they get.' also has meaning to that you can use a search engine for free and also a social networking site, but be careful of your information as it may be sold on to third parties.
In the book; The Art of Deception: Controlling the Human Element of Security, the authors Kevin D. Mitnick & William L. Simon naively blame the Human individual as the weakest link, the individual is relegated to a position below the security system in question. Page 3, titled in big black letters 'Security's Weakest Link' states '...the human factor is truly security's weakest link.'
In the Computer Security Handbook, John Wiley & Sons (2002) 6 which some of the top security specialists in the world have contributed to. Donn B. Parker, a retired (1997) senior management consultant at RedSiren Technologies in Menlo Park, Ca, who has specialised in information security for 35 of his 50 years in the computer field and who Information Security Magazine has identified as one of the five top Infosecurity Pioneers (1998) writes in '5.1.3 Functions of Information Security Computer Security Handbook' that the complete opposite to the previous paragraph is true, that the three function security model; (prevention, detection, and recovery) is completely insufficient and that an 11 function model is needed to eliminate or mitigate the security risks in question, which include avoidance, deterrence, detection, prevention, mitigation, transference, investigation, sanctions & rewards, recovery, correction, & finally; education.
It is easy to jump to conclusions and intuitively blame the people whom personify 'hackers' or adversaries to computer security professionals, but history shows us that nothing should be taken for granted concerning security. No system will be inherently perfect, and new technologies are continually being created and updated, and most will likely become more secure as time goes on. Human nature on the other hand is a constant and no man or woman should ever denigrate humanity to a role below that of a firewall, for any reason. If a computer security system is vulnerable, patch the system or come up with innovative methods to secure it from outside access, improve on the imperfect and take comfort knowing that you have executed your job successfully, thus without sacrificing your morality.
Popular attacks employed by hackers
Once a malicious program has been installed on a personal, business or governments body's computer, it can cause harm in many different ways. Some of the more popular methods of attack employed by hackers are:
Attacking a company's network through Denial of Service attack (DoS) or Distributed Denial of Service attack (DDoS) to stop the company from trading or bring the company to a complete standstill.
Stealing or copying secret or confidential data for corporate espionage or to commit extortion or fraud.
Gaining user access and pretending to be a legitimate user. This can be very bad if a hacker gains access to any information as the user might not realise in time for it to be stopped being used eg. bank account or credit card information being stolen.
Destroying files or company data to affect the running of a business or government body or to cover up fraud.
Risks to an Organisation:
Security vulnerabilites inherently come from within an organisation, be it flaws in security software, bugs in network applications or unauthorised use of company hardware. If hackers take advantage of these vulnerabilities, it can affect the running of any business dramatically. The risk of interruption to business can affect profit and cash-flow and increase the operational costs as security consultants are called in to deal with the problem. If hackers have gained access to certain resources, there is also the possibility that the organisation's website will be taken offline temporarily depending on national or local law and regulations for the protection of customer information eg: Online Privacy Directive of the European Union (95/46/EC)8 some examples of situations where this may occur are:
Users i.e. hackers or persons who have gained access to the system by circumventing security.
Unauthorized access to any sensitive customer or company information.
The so-called 'weakest-link'?
Social Engineering & Manipulation:
Con-artists are being used to acquire confidential information by manipulating genuine users into telling them crucial information.
'Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.'
These con-artists rely and work on the fact that people are not aware the information they know is valuable and thus are careless about protecting it because they think it's irrelevant. These con-artists will search bins or skips or take advantage of people's tendency to choose passwords that are easy to remember and relevant to the user, such as date-of-birth or a pet's name. Such information may be found on social networking sites, online profiles, bills and letters from the trash. The name that is given to the method these con-artists employ is called 'Social engineering' and it is a very real threat to any security system.
Another vulnerability is an employee looking to embezzle money from the organisation, or to commit other fraud with customers. This is an important aspect for IT security as an individual working within the organisation would have access to hardware and other trade-secrets that may be used to further the fraud or to attempt to cover up any criminal activities.
Indentity Theft:
A disgruntled member of staff may have access to the organisation's databases and customer accounts. This data which can include social security numbers, credit card information, names, addressed and emails, could be accessed, stolen, corrupted or even sold on to other parties.
Vulnerabilities from within:
Provided that there is a system to back-up data, this system could fail, or corrupted data could be 'backed-up' onto a RAID if there is no system to verify data integrity leading to a catastrophic loss of the organisation's data which could affect for eg: the running of a company website.
Another vulnerability to be concerned about is if your personal information is stolen and someone pretends to be you for the purpose of fraud and steals money from your bank account to buying cars in your name from stolen credit cards. Information can also be stolen for the purposes of a business finding out their competitors trade secrets and a prime example of this is where Boeing asked Airbus to stop encrypting their communications. The future of security will be in biometrics. Biometrics are the use of unique identifiers of a persons unique features such as a thermal scan of there face, this is unique to every person as even twins do not share the same trait. Another security companies are staring to use more is a combination of voice recognition, iris scans with finger prints. For example if you look at when a person travels to or from the united states of America there finger print is taken along with their picture.
The people that suffer the most from an intrusion are the average web users whom just want to browse the internet and check their emails. But web browsing comes with its risks and the more advanced users whom are not so naive understand the security risks and know to scan for malware and spyware after each session.
Ways in reducing infection from browsing:
- Make sure anti- virus definitions are up to date
- Make sure anti spyware definitions are up to date
- Make sure to have a firewall installed and regularly update it
- Scan all files and email attachments that are downloaded
- Do not download a file extension with a .exe at the end when it is meant to be a .doc file, common sense will work wonders
Ways information can be obtained by unwarranted access:
- Loss of usb pen drive with sensitive information on it.
- loss of a laptop with sensitive information on it.
- password and user names been hacked which can lead to the wrong information being access by the wrong people.
Threats are not always internal threats to an organisation as they may come from an outside source. An example of this would be a distributed denial of service attack or denial of service attack.
Regular back up of date should also be made to information as none can guarantee that it will be 100% from hackers or data corruption and manipulation.
Conclusion
It's becoming more and more obvious that the current level of security measures we use everyday are becoming obsolete and that hacking is on the increase, from just reading the news all you hear about is governments making national cyber-security centers for interests economic security and that Google and Yahoo have been hacked by unknown culprits from around the world, this shows that there is a need for change in the thinking of how we understand security and go about protecting ourselves. I think the use of biometrics will become a lot more popular in the future and you can also see biometric security on laptops with the finger print scanners and the military using facial thermal scans.
While on the other hand many laws are being passed for security which make the average person have less rights and less privacy. And because of this we need to find a compromise in the middle so that we do not lose one of our basic human rights as a people and start to live in one of these anti-utopian worlds I mentioned earlier and from the looks of the way some societies are going it may not be too far fetched. Just take a look at North Korea and Burma for example or Nazi Germany during World War Two, Germany was one of the most technologically advanced society's in Europe at that time and look what happened when the wrong person got into power back by the wrong corporations and businesses and party.
Bibliography
- Accessed from http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559062#[1] on 25th march 2010
- Yevgeny Zamyatin's 'We' http://en.wikipedia.org/wiki/We_(novel)
- http://www.online-literature.com/orwell/1984
- http://www.blackpast.org/?q=1857-frederick-douglass-if-there-no-struggle-there-no-progress
- The Art of Deception: Controlling the Human Element of Security
- Kevin D. Mitnick, William L. Simon, Foreword by Steve Wozniak ISBN: 978-0-471-23712-9, John Wiley & Sons, October 2002 http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124
- Computer Security Handbook, 4th Edition
- Seymour Bosworth (Editor), M. E. Kabay (Editor) ISBN: 978-0-471-26975-5, John Wiley & Sons, 2002 http://www.amazon.com/Computer-Security-Handbook-Seymour-Bosworth/dp/0471412589
- Vulnerabilities in the Embedded OpenType Font Engine could allow remote code execution http://support.microsoft.com/kb/961371
- Data Protection Directive (95/46/EC) http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
- Privacy & Human Rights 2004 http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-82591&als[theme]=Privacy%20and%20Human%20Rights
matt nathanson matt nathanson rick perry oops rick perry oops tom bradley penn state tom bradley penn state grace potter
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.