Friday, December 6, 2019
Data Security and Privacy Protection Issues
Question: Discuss the Data Security and Privacy Protection Issues.

Answer:

Introduction:

In November 2015, VTech was notified of a breach in its systems. An unauthorized party had accessed VTech customer data stored in the app store customer database. The attack had also compromised the confidentiality of data stored on the servers hosting its affiliate websites such as Kid Connect, PlanetVTech, and V.Smile Link. The app store contained confidential data used to authenticate users so that they could download games, e-books, and other content to VTech products such as tablets. Hackers gained access to Kid Connect, which allowed them to access voice and text messages, photos, and drawings exchanged by users.

Customers who used VTech's products such as PlanetVTech, Learning Lodge, V.Smile, and Kid Connect were affected. The hackers accessed over 4 million customer accounts and 6 million children profiles. Out of the 6 million children profiles, approximately 1 million were connected to Kid Connect services, which held personal information such as name, gender, and birthdate. The attack also compromised the security of PlanetVTech and V.Smile, allowing the hackers to access about 230,000 customer accounts and 220,000 children profiles available on these platforms (VTech, 2016).

The attack affected the app store customer database, and servers related to VTech's products were accessed. The hack allowed attackers to access the data of millions of customers, including their names and addresses. This posed a risk to the customers, who could be targeted by the attackers via snail mail to lure them into providing more information.

How was the attack carried out?

The attack was carried out by a hacker who was aware of the security vulnerabilities of the company's websites. The attacker found one of the VTech websites and performed a security test to determine its security vulnerabilities.
VTech's website used Flash plugins and provided a login form that authenticated users before they could access their accounts. The site was vulnerable to SQL injection, which allowed the attacker to execute SQL queries to access the database (Franceschi-Bicchierai, 2015). This allowed the attacker not only to access the system but also to obtain administrative privileges, also known as root. With these privileges, the attacker could change system and security configurations on the server as well as access and manipulate the database that served the company's websites. At that point, the attacker could access all servers related to VTech products and the data stored on them. Access to these servers allowed him to find databases storing personal data of millions of customers and children who used VTech products.

The attack could have been prevented if VTech had deployed security measures to mitigate SQL injection attacks. The company's website could have been coded to validate and sanitize user input, which could prevent the execution of SQL queries containing magic characters. Instead of using dynamic SQL, the website could have used prepared statements or stored procedures to validate database parameters entered in the SQL query (Clarke-Salt, 2009). This could be effective in preventing the execution of corrupt SQL queries. Updating and patching Flash plugins and the databases could have been essential in preventing attackers from exploiting SQL injection to access the websites.

An appliance-based or software web application firewall (WAF) could be used to filter out corrupted data in the SQL queries. A WAF with a comprehensive set of default rules and custom ones could be useful in providing an additional layer of security against vulnerabilities before the application is patched. Reducing the attack surface of the company's web applications could have been instrumental in minimizing the risk of the attack.
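
The contrast between dynamic SQL and prepared statements, together with the custom error messages recommended in this answer, shown as an added example that is not VTech's code or part of the original post. It uses Python's sqlite3 module; the table, sample rows, inputs and function names are constructed for illustration.

```python
import logging
import sqlite3

GENERIC_ERROR = "Something went wrong. Please try again later."

def make_db():
    """In-memory stand-in for a customer database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, password_hash TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("parent1@example.com", "hash-a"),
                    ("parent2@example.com", "hash-b")])
    return db

def login_dynamic(db, email, password_hash):
    """Before: dynamic SQL. Input is pasted into the statement text, so a
    quote character in the input changes the structure of the query."""
    sql = ("SELECT email FROM customers WHERE email = '" + email +
           "' AND password_hash = '" + password_hash + "'")
    return [row[0] for row in db.execute(sql)]

def login_prepared(db, email, password_hash):
    """After: prepared statement. The statement text is fixed and the input
    is bound as parameter values, so it is only ever compared as data."""
    sql = "SELECT email FROM customers WHERE email = ? AND password_hash = ?"
    return [row[0] for row in db.execute(sql, (email, password_hash))]

def handle_login(db, login_fn, email, password_hash):
    """Custom errors: database detail goes to the server log, not the user."""
    try:
        matches = login_fn(db, email, password_hash)
    except sqlite3.Error as exc:
        logging.getLogger("login").warning("login query failed: %s", exc)
        return ("error", GENERIC_ERROR)
    if len(matches) == 1:
        return ("ok", matches[0])
    return ("denied", "Invalid email or password.")

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input containing quote characters
    print("dynamic :", login_dynamic(db, "parent1@example.com", crafted))
    print("prepared:", login_prepared(db, "parent1@example.com", crafted))
    print("custom error:", handle_login(db, login_dynamic, "o'brien@example.com", "x"))
```

With the crafted input, the dynamic query matches every row while the prepared statement matches none, and a stray apostrophe that breaks the dynamic query reaches the user only as the generic message.
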
Elimination of unnecessary database functionality would be key in preventing hackers from leveraging various database commands to manipulate or access the data in the database (Joshi, 2007). For example, removing xp_cmdshell, a stored procedure that displays the Windows command shell, could have prevented the attacker from gaining administrator security privileges. Instead of connecting to the company's database using an account with admin-level privileges, the IT staff could have used a limited-access account, which is safer and could limit the actions that hackers could perform. With a limited account, the attacker would have accessed an account with normal privileges, which would mitigate the effects of the data breach.

Changing database error messages could be effective in minimizing the information revealed about errors made in the input form. If custom errors were used to display error messages, the hacker would not get information about the company's database; he would learn only that his actions caused an unhandled error. Implementing a two-factor authentication scheme would be essential in minimizing the risk of unauthorized access, as users have to provide a one-time second password sent to their smartphones. Additionally, by regularly changing the passwords of application accounts, the company could have enhanced the overall security of its servers and database.

In 2014, a cyber attack that targeted JPMorgan Chase compromised its IT systems and allowed hackers to gain access to the accounts of over 70 million customers and small businesses (Silver-Greenberg, 2014). This tally put the attack among the largest hacks targeting the financial industry in the United States. The details of the attack were disclosed at a time when public confidence in digital transactions was low.
This was due to the recent cyber attacks on retailers such as Target and Home Depot, which caused massive data breaches and compromised the safety of millions of customers and card holders. Unlike retailers, JPMorgan, which is the largest bank in the US, stored financial information in its systems that includes not only credit card details but also sensitive data that could compromise the confidentiality of the bank's customers. Investigations into the attack pointed to a fault on the bank's part that created a security loophole, which the hackers leveraged to gain access to the system without triggering defense mechanisms.

Who was affected and how?

The attack on JPMorgan Chase caused a data breach that allowed the attackers to access a lot of customer data including names, addresses, email addresses, phone numbers, and other sensitive information. As the largest bank in the country, JPMorgan Chase holds a lot of financial information, including sensitive information which, if exposed, can compromise the confidentiality of customers (Agrawal, 2014). Although the hackers were unable to access account information, they compromised the confidentiality and privacy of customers' personal information. This implies that the hackers took personal information of millions of American households which could be used for malicious activities.

The data breach affected American households and small businesses in different ways. The average American household faced the risk of getting emails mimicking JPMorgan's emails, which could direct them to malicious websites requesting sensitive information such as bank credentials. Customers could be sent mail that lured them with a reward claim aimed at getting their financial information. Additionally, American households and small businesses were at risk of getting phone calls from malicious people impersonating bank officials and seeking their financial information.

The attack occurred when attackers acquired the login credentials of a JPMorgan employee. These credentials allowed the attackers to log in to the bank's system and access customer data. Typically, many systems have a double authentication scheme that requires users to provide a second one-time password before they gain access to the system. The security vulnerability in JPMorgan's system was basic: the bank did not implement a double authentication scheme for user login. The bank's IT staff had not updated one of the network servers with the dual password scheme. Thus, users could log in to the bank's systems without a second password. This created a security loophole that allowed the hackers who had login credentials to log in to the system.

It appears that the attackers had access to several applications and programs that run on JPMorgan's systems, which they could have used to identify known security vulnerabilities in the applications. These applications could have allowed them to find the faulty server that had not been updated with the double authentication scheme, which served as an entry point to the bank's systems. As a result, the hackers were able to gain access to the system without triggering defense mechanisms that could have issued security alerts and locked them out of the system.

JPMorgan Chase could have prevented the attack if it had applied its security standards across its system components. If the IT department had implemented two-factor authentication on all servers, the attackers would not have gained access to any of the servers. Without a device that can receive the second one-time password, the attackers would not have been able to access the system with the login credentials they had (Order, 2008). Two-factor authentication provides an additional security layer. In addition to regular login credentials, the scheme would send a unique code to a user's smartphone.
With this feature, the servers at JPMorgan would have had a stronger defense mechanism safeguarding against intrusion, as the hackers only had login credentials.

Data encryption would have assisted in safeguarding the confidentiality of customers' personal information. Encrypting data would have made the financial information more secure (Chen, 2012). Since breach prevention and threat monitoring may not safeguard the IT system from all attacks, data encryption could have been used as a last line of defense to secure the data from unauthorized access. With encryption, the data accessed by the hackers would have been useless, as they couldn't decrypt it to obtain meaningful information.

Account monitoring and control would have played an instrumental role in preventing data breaches. This would have allowed the bank to monitor account usage to determine which accounts were accessing the system and customer data. Such monitoring would have triggered defense mechanisms as the hackers accessed and retrieved data from the system (Cardenas, 2008). IT staff would have been notified of the breach, which would have helped them respond to the security incident, mitigate the effects of the breach, and lock the hackers out of the system. Additionally, account control would have allowed the bank to detect malicious actions performed by the hackers, such as copying customer data onto external hard drives. This would have strengthened protection of the IT system, as the attackers' access would have been revoked before the breach caused extensive damage.

References

Agrawal, T., Henry, D., Finkle, J. (2014). JPMorgan hack exposed data of 83 million, among biggest breaches in history.

Cardenas, A. A., Amin, S., Sastry, S. (2008, June). Secure control: Towards survivable cyber-physical systems. In Distributed Computing Systems Workshops, 2008. ICDCS'08. 28th International Conference on (pp. 495-500). IEEE.

Chen, D., Zhao, H. (2012, March). Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on (Vol. 1, pp. 647-651). IEEE.

Clarke-Salt, J. (2009). SQL injection attacks and defense. Elsevier.

Joshi, S. (2007). SQL injection attack and defense.

Order, U. T. (2008). Two-factor authentication.

Silver-Greenberg, J., Goldstein, M., Perlroth, N. (2014). JPMorgan Chase Hack Affects 76 Million Households. New York Times, 2.