Securing Information Systems
Chapter eight in the Laudon text is filled with many examples of how computer systems are vulnerable to failure, destruction, errors, and abuse. The never-ending onslaught of security breaches continues to escalate despite the lessons learned. It is evident that maintaining good information systems security is a full-time endeavor.
By doing a search of the Internet or by other research methods, find an example of an organization that faced an information systems security issue or crisis.
Ponder these questions:
1) How did the organization identify that there was a security problem?
2) What, if any, security infrastructure and policies were in place when the problem occurred?
3) What initial actions were taken to deal with the situation?
4) From a management perspective, what, if any, new organizational policies and procedures did they institute?
5) Were any new security tools and technologies eventually implemented to further safeguard their systems?
6) What was the business impact? How did they recover? Were there any legal ramifications, loss of customers, or damage of reputation?
7) Generally speaking, how can a business determine the value of investing in security and control?
Ans 1)
Uber data breach
The company learned in late 2016 that two hackers were able to get the names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver's license numbers of 600,000 Uber drivers. No other data, such as credit card or Social Security numbers, was stolen.
The hackers were able to access Uber's GitHub account, where they found username and password credentials to Uber's AWS account. Those credentials should never have been on GitHub.
Ans 2)
If Uber had taught its developers not to hard-code credentials, or had used code scanning to identify such mistakes during the development process, the keys to the AWS account never would have been stored on GitHub. The breach could also have been avoided by requiring simple multifactor authentication for those accounts.
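The code-scanning control described in Ans 2, as an added Python example that is not part of the original answer or of any Uber tooling: it checks text for the shape of an AWS access key ID and for a high-entropy 40-character value assigned to a secret-key setting. The sample settings file is constructed, and its key values are AWS's published documentation examples, not live credentials; the entropy threshold of 4.0 bits per character is an assumed cut-off.

```python
import math
import re
from collections import Counter

# Access key IDs use the public "AKIA" prefix plus 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# An assignment whose value looks like a 40-character AWS secret access key.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws_?)?secret(?:_access)?_?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def shannon_entropy(value: str) -> float:
    """Bits per character; a random 40-char key scores well above 4."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(value: str) -> str:
    """Never echo a found secret in full into a report or log."""
    return value[:4] + "..." + value[-4:]

def scan_text(text: str, path: str = "<memory>") -> list:
    """Return (path, line_no, kind, redacted_value) for every finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(m.group(1))))
        m = AWS_SECRET_RE.search(line)
        # Entropy filter: placeholders like "AAAA..." match the shape but are not keys.
        if m and shannon_entropy(m.group(1)) > 4.0:
            findings.append((path, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings

# Constructed sample of a settings file a developer might commit by mistake.
# The key values are AWS's published documentation examples, not live credentials.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_secret_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
region = us-east-1
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, "settings.ini"):
        print("%s:%d: %s %s" % finding)
```

Run as a pre-commit hook over staged files, a non-empty result is the signal to block the commit before the credentials ever reach the repository.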
Ans 3)
Uber covered up the breach: two former senior Uber executives (since fired) paid the two hackers $100,000 through its bug bounty program to destroy the data they had obtained, without notifying customers or regulators.
Ans 4)
Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, over their role in the handling of the incident. Sullivan, formerly the top security official at Facebook and a federal prosecutor, served as both security chief and deputy general counsel for Uber.
Ans 5)
Uber was investigated by multiple state attorneys general. Eventually, Uber settled the case through an agreement that included all 50 states and the District of Columbia, requiring Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and to hire an independent third party to assess its data security practices. It also required Uber to pay a record penalty of $148 million.
The settlement required Uber to:
- Maintain and store GPS-based location information in a password-protected environment, and encrypt the information when in transit.
- Limit access to geo-location information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls and a formal authorization and approval process.
- Conduct annual employee training to inform employees who are responsible for handling private information about Uber's data security practices.
- Maintain a separate section in its consumer-facing privacy policy describing its policies regarding location information collected from riders.
- Adopt leading data security protection practices to protect its riders' personal information; designate one or more employees to coordinate and supervise its privacy and security program; and conduct regular assessments of the effectiveness of Uber's internal controls and procedures related to securing private information and geo-location information, and implement updates to such controls based on those assessments.
- Adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.
Ans 6)
The data breach became the icing on a cake of bad publicity for Uber, as stories of Uber's workplace environment and its treatment of employees preceded the breach. Then the breach itself was compounded by a significant delay in announcing it and an attempt to cover it up.
This case highlights the many types of costs resulting from a data breach. Beyond the initial clean-up cost, there are longer-term costs such as:
- Impact to brand value and reputation.
- Impact to customer trust and satisfaction.
- Loss of customers; a Gemalto study of over 10,000 people worldwide, Data Breaches and Customer Loyalty, found that if a company suffered a data breach, 70% of consumers would stop doing business with it.
- Regulatory decisions that affect the ability to do business, such as Uber's ability to do business in the UK.
Ans 7)
The question of measuring the value of security in an organisation has not been fully answered since the creation of the information security discipline. This fact is, in my opinion, one of the reasons security teams find it difficult to convince the business to invest in security, except perhaps immediately after an incident.
The management of any organisation is typically good at managing based on the information (metrics, KPIs, scorecards, traffic lights and others) available to them. However, the information needs to be at an appropriate level. Consider a CEO. Is s/he really interested in the number of vulnerabilities in all IT systems? Or would s/he be more interested in knowing how much exposure (in monetary terms) these vulnerabilities present?
There should be three types of security risk metrics in an organisation (top to bottom): a) monetary-based risk exposure for the organisation, b) a policy compliance scorecard, and c) detailed technology and procedural metrics. This system needs to be connected from the top down and the bottom up, as outputs from the bottom feed into the upper-level metrics.
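The three-tier metric structure from Ans 7, as an added Python example that is not part of the original answer: per-system technology metrics (bottom tier) feed a policy compliance scorecard (middle tier) and a single monetary exposure figure (top tier) computed with the standard expected-annual-loss formula, exposure value times annual breach probability. The system names, policy checks and all figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SystemMetrics:
    """Bottom tier: detailed technology and procedural metrics for one system."""
    name: str
    exposure_value: float       # loss if this system is breached (single loss)
    annual_breach_prob: float   # estimated probability of a breach in a year
    critical_vulns_open: int
    secrets_in_repos: int       # hard-coded credentials found by code scanning
    mfa_on_admin_accounts: bool

# Middle tier: each policy is a pass/fail check over the bottom-tier metrics.
POLICIES = {
    "no critical vulnerabilities open": lambda m: m.critical_vulns_open == 0,
    "no credentials in source repos": lambda m: m.secrets_in_repos == 0,
    "MFA enforced on admin accounts": lambda m: m.mfa_on_admin_accounts,
}

def compliance_scorecard(systems):
    """Middle tier: percentage of systems passing each policy check."""
    return {policy: round(100 * sum(check(s) for s in systems) / len(systems))
            for policy, check in POLICIES.items()}

def expected_annual_loss(system):
    """Expected annual loss = exposure value x annual breach probability."""
    return system.exposure_value * system.annual_breach_prob

def monetary_exposure(systems):
    """Top tier: one monetary figure for the whole organisation."""
    return sum(expected_annual_loss(s) for s in systems)

def worst_systems(systems, top=2):
    """Drill-down from the top figure back to the systems driving it."""
    ranked = sorted(systems, key=expected_annual_loss, reverse=True)
    return [s.name for s in ranked[:top]]

# Constructed sample figures; the values are illustrative, not real.
SAMPLE_SYSTEMS = [
    SystemMetrics("rider_db", 5_000_000, 0.02, 3, 1, False),
    SystemMetrics("payments", 2_000_000, 0.01, 0, 0, True),
    SystemMetrics("intranet_wiki", 50_000, 0.10, 1, 0, True),
]

if __name__ == "__main__":
    print("exposure:", monetary_exposure(SAMPLE_SYSTEMS))
    print("scorecard:", compliance_scorecard(SAMPLE_SYSTEMS))
    print("drivers:", worst_systems(SAMPLE_SYSTEMS))
```

The same bottom-tier records produce the engineer's vulnerability view, the manager's scorecard and the CEO's monetary figure, so a change at the bottom (closing a critical finding, enabling MFA) is visible at every level above it.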