It is not uncommon to hear that a company’s IT security is compromised. Find nine cases from 2010 to 2018 (i.e. one case for each year). Summarize and compare those nine cases. You need to draw tables to compare them. What are the major implications of your analyses to the IT audit profession? What lessons do they give to the IT audit profession? What is the best way to prevent and detect such cases based on your analyses?
Ans:
Cases since 2010
1. Educational Credit Management Corporation - 2010
On March 26, 2010, ECMC, a student loan agency, revealed that personal data on about 3.3 million student loan borrowers had been stolen from its headquarters in Minnesota. The compromised information included students' names, addresses, dates of birth and Social Security numbers.
2. Betfair - 2011
Betfair admitted that more than 2.9 million usernames and 90,000 bank account details were leaked in 2011 when their server was hacked by cyber criminals, possibly from Cambodia. The revelation came to light when the betting exchange said it did not disclose in 2011's flotation prospectus the details of the attack on customers' payment card details. This led to the resignation of Betfair's security breach.
3. Wisconsin Department of Revenue - 2012
The Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department's website for almost three months before being removed.
4. Target - 2013
In mid-December 2013 it was found that cyber criminals had breached the systems. It was reported that hackers had access to credit card and debit card information. It cost nearly 110 million for the company to make the compensation.
5. eBay - 2014
The online retailer suffered one of the biggest data breaches yet reported by an online retailer. The breach is thought to have affected the majority of the company's 145 million members, and many were asked to change their passwords as a result. The lawsuit could cost eBay more than $5 million.
6. Premera - 2015
Premera, a medical insurance company, was hacked in May of 2014, but the breach wasn't disclosed until March of 2015. The hack compromised the data of 11 million individuals, including "social security numbers, birthdays, emails, bank account information, clinical information and detailed insurance claims" for both past and present customers, dating back to 2002.
7. Snapchat - 2016
700 current and former Snapchat employees had their personal information stolen when hackers used a phishing scam to trick an employee into e-mailing them the private data. Posing as Snapchat chief executive Evan Spiegel, the attackers simply requested, and received, sensitive employee information including names, Social Security numbers, and wage/payroll data.
8. America's Job Link - 2017
America's Job Link, a web-based system that connects job seekers and employers, revealed its systems were breached by a hacker who exploited a misconfiguration in the application code. The criminal was able to gain access to the personal information of 4.8 million job seekers, including full names, birth dates, and Social Security numbers.
9. FedEx - 2018
In February, Kromtech Security discovered information from approximately 119,000 FedEx customers on an unsecured Amazon Web Services cloud storage server. Information includes driver's licenses, names, home addresses, passports and phone numbers.
Implications:
IT security risk may not have been identified as a key risk area by the auditor as part of risk assessment, but this does not necessarily mean that no breach has occurred. Auditors should still maintain their professional scepticism when carrying out their audit, as there could be events or conditions that may indicate a possible breach. Some businesses with weak IT programmes and controls may not even realise that they have been the subject of a breach. Auditors should hence conduct their audit with a mindset that recognises the possibility that an actual cyber attack may have happened. Through the performance of the usual audit procedures, it is still possible to identify such cyber incidents.
Lessons learnt:
1. Privileged IDs are growing, and so is the associated risk.
2. Grant user entitlements appropriately and keep them updated.
3. Managing and monitoring privileged users is necessary for both security and compliance.
4. Mitigate insider risk and maintain compliance with a privileged identity management solution.
Preventions:
1. Sensitive information must be protected wherever it is stored, sent or used. Do not reveal personal information inadvertently.
2. The organisation should ban shifting data from one device to another external device. Losing removable media will put data on the disk under risk.
3. Any media that may serve as an allegiance to the hackers should be restricted to download. This could reduce the risk of transferring the downloadable media to an external source.
4. The organisation should shred all the files and folders before disposing of storage equipment. There are applications which can retrieve information after formatting.
5. The institution should have a ban on devices that are unencrypted. Laptops and other portable devices that are unencrypted are prone to attack.