Question

Research the internet for an example of a violation of sensitive information (data breach). Post a summary of the situation and outcome (as well as the source) and evaluate if controls were adequate to prevent the violation. What would you have done to protect the organization from this type of exposure in the future?

Answer 1

Internet users use a service provided by the companies like social media, bank account, and have to provide their personal details like bank balance, address, phone number, browsing history, location details, details of any personal document like passport, national identity card etc. Online hackers breach the security of a company and this is a threat to the user privacy. The companies promise to provide security to the users and expend a percentage of their production cost for this purpose. Unauthorized access to this data is violation and threat to sensitive information. There are many examples of this data breach throughout the history. Lets discuss an example.

* LinkedIn data breach:

• LinkedIn is a socail media platform for job portals , and users posting the CVs. LinkedIn has almost 700million registered customers. It shares accesss of user profiles with recruiters and companies. The reason I chose LinkedIn example because it's one of the most commonly used social media platform and also it is being used by professionals and not like any common person as on Facebook.
• In June 2012, 165 million users were affected password information was stolen by hackers and sold online. The main problem was the users passwords were weak and ealiy hackable and also LinkedIn did not salt the passwords.
• Salting means Cryptoghraphy technique. Salt is an addtional data being inlcuded with the password while storing in the databse. Salt is stored so that hackers don't get the direct password of the user.
• Later LinkedIn accepted and said that 6.5 million passwords were stolen and published online.
• Later in 2016, 117 million passwords were out for sale by hackers. This is more than that what LinkedIn accepted.

*The reason for the hack:

• Experts reveal that the main problem was LinkedIn did not use salt while hashing the passwords. Therefore it was easy to hack the passwords from the database using old table matching technique.
• Also the users were not prompted to create a strong passwords while creating the account.

* Ways to protect such data breach :

• As discussed above LinkedIn should have used a proper cryptoghraphic technique to store the passwords. The encrption and description has to be tight and secure. Use of random salt should be encouraged along with the encrypted passwords while storing.
• Make sure the users use passwords according to standard guidelines like the USSC passwords Strength and security guidelines. Users must be encouraged to use passwords longer in length and with symbols, capital letters and numbers.
• Passwords should not include username and or email id.
• Normally single words are not long in length. Therefore to avoid the user entering passwords containing single words, the software should guide the user tp enter passwords atleast 10 in length. Hackers can look up the dictionary for common words, slangs.
• The should be system to force use of rules like atleast one capital letter, one numerical, and a specail symbol along with the specified length. Guide the users to not use common words like p@ssw0rd123, though this may fullfill alll the requirements above, but still its a guessable password.
• No employee should be allowed to take the confidential data of the organization to his/her home with any reason. The laptops brought to the organization premises must have some rules of the organization.
• The users must be notfied the login to their account if any suspicious activity if found.
• The system administrator should also get notofication of any access to the system from a non-familier ip address.

* Conclusion: Data breach is a malpractice to steal the data from the users and government offcials should have some principles that companies should follow else stern action must be taken.