Question

Securing Information Systems

Chapter eight in the Laudon text is filled with many examples of how computer systems are vulnerable due to failure, destruction, errors, and abuse. And the never ending onslaught of security breaches continues to escalate despite the lessons learned. It is evident that maintaining good information systems security is a full time endeavor.

By doing a search of the Internet or by other research methods, find an example of an organization that faced an information systems security issue or crisis.

Ponder these questions:

1) How did the organization identify that there was a security problem?

2) What, if any, security infrastructure and policies were in place when the problem occurred?

3) What initial actions were taken to deal with the situation?

4) From a management perspective, what, if any, new organizational policies and procedures did they institute?

5) Were any new security tools and technologies eventually implemented to further safeguard their systems?

6) What was the business impact? How did they recover? Were there any legal ramifications, loss of customers, or damage of reputation?

7) Generally speaking, how can a business determine the value of investing in security and control?

Answer 1

Ans 1)
UBER data breach
The company learned in late 2016 that two hackers were able to get names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver license numbers of 600,000 Uber drivers.No other data such as credit card or Social Security numbers were stolen. The hackers were able to access Uber’s GitHub account, where they found username and password credentials to Uber’s AWS account. Those credentials should never have been on GitHub.

Ans 2)
If Uber had taught its developers not to hard-code credentials, or used code-scanning to identify such mistakes during the development process, the keys to the AWS account never would have been stored on GitHub.The breach could have been avoided by taking simple multifactor authentication for those accounts.

Ans3)
Uber coverd up the breach, after two former senior Uber executives — since fired — paid the two hackers $100,000 through its bug bounty to destroy the data that they obtained but without notifying customers or regulators.

Ans 4)
Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark,over their role in the handling of the incident. Sullivan, formerly the top security official at Facebook and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Ans 5)
Uber was investigated by multiple State AGs. Eventually, Uber settled the case through an agreement that included all 50 states and the District of Columbia, requirubg Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices. It also required Uber to pay a record penalty of $148 million.
The settlement required Uber to:
-Maintain and store GPS-based location information in a password-protected environment, and encrypt the information when in transit.
-Limit access to geo-location information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls, and a formal authorization and approval process;
-Conduct annual employee training to inform employees who are responsible for handling private information about Uber’s data security practices;
-Maintain a separate section in its consumer-facing privacy policy describing its policies regarding location information collected from riders.
-Adopt leading data security protection practices to protect its riders’ personal information; designate one or more employees to coordinate and supervise its privacy and security program; and conduct regular assessments of the effectiveness of Uber’s internal controls and procedures related to the securing of private information and geo-location information and the implementation of updates to such controls based on those assessments;
-Adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.
Ans 6)
The data breach has become the icing on a cake of bad publicity for Uber, as stories of Uber’s workplace environment and its treatment of employees preceded the breach. Then, the breach itself was compounded by a significant delay in announcing and an attempt to cover up the breach.

This case highlights the many types of costs resulting from a data breach. Beyond the initial clean-up cost, there are longer-term costs like:

-Impact to brand value and reputation
-Impact to customer trust and satisfaction
-Loss of customers; a Gemalto study of over 10,000 people worldwide, Data Breaches and Customer Loyalty, found that if a company suffered a data breach, 70% of consumers would stop doing business with it.
-Regulatory decisions that impact ability to do business, such as the ability for Uber to do business in the UK.

Ans 7)
The question of measuring the value of security in an organisation has not been fully answered since the creation of information security discipline. And this fact is, in my opinion, one of the reasons security teams find it difficult to convince business to invest in security, except perhaps immediately after an incident.

The management of any organisation is typically good at managing based on information (metrics, KPIs, scorecards, traffic lights and others) available to them. However, the information needs to be at an appropriate level. Consider a CEO. Is s/he really interested in a number of vulnerabilities in all IT systems? Or would he be more interested in knowing how much exposure (in monetary terms) these vulnerabilities present?

There should be three types of security risk metrics in an organisation (top to bottom): a) Monetary-based risk exposure for an organisation, b) policy compliance scorecard, and c) detailed technology and procedural metrics. This systems needs to be connected from top down and bottom up as outputs from the bottom feed into the upper level metrics.