Information Governance and Networking Security
- Background: summary about your story/case study
- Issues of the Information Governance and the Networking security
- The approach you intend to adopt in your assignment
- The summary of the conclusions reached
Section 2: Strengths and weaknesses
Case 2: represents a gross violation of security networks
Section 3: Theory and standard suggested and approaches
Section 4: Recommendations
Section I Introduction
- Background: summary about your story/case study (or stories/case studies)
In this report, I want to highlight and analyse cases in which Information Governance and Networking Security were breached. In the first case, which highlights the risks faced by companies storing large amounts of information, a Vietnamese man based outside the US was able to use his online identity theft service to purchase and access the personal and financial details of a considerable number of individuals, around 200 million, directly from a company owned by Experian; he was later caught. In the second story, where network security lapses were brought into the limelight by the Snowden disclosures, the U.S. was found to have breached the security network of internet service provider Huawei and, besides hacking the servers, also stole the source code. These two examples are cases where huge violations of confidentiality, secrecy and data protection occurred.
(Experian lapse allowed id theft service access, 2014) (Experian sold consumer data to id theft service, 2014)
2. Which of the issues of the Information Governance and the Networking security you are going to write about
I am going to write about how the lack of proper controls, checks and authentication protocols, as well as of strong encryption mechanisms, can lead to the loss and theft of huge amounts of valuable personal data. On the issue of Networking security, I will write about how, once again, the lack of sufficiently strong network checkpoints such as secure servers, together with vulnerabilities in internet protocols, allows hacking and stealing of information.
3. The approach you intend to adopt in your assignment (the following sections contents)
My report would start with the introduction, wherein I would introduce the two stories to highlight issues related to the two topics viz information governance and network security and would specify the issues which would be discussed. I would highlight the various questions related to the issues in the next three sections and would summarize the key points in the conclusion.
4. The summary of the conclusions reached
How companies manage huge amounts of information is critical in an age of rapidly developing technology and equally capable hackers and attackers. Any loophole can be severely punished, as happened in the case of the Experian-affiliated company from whose database the personal information of millions of Americans was obtained by a data theft company. Similarly, companies and institutions need to pay attention to network security in view of the dangers of attack both from within and by external agents, as happened in the case of Huawei.
Section 2: Describe what the strengths and weaknesses were of the approach adopted against the issues being described.
Case I represents an example of identity theft on a large scale. Identity theft occurs when someone illegally accesses the personal data of other people and uses it for wrongful purposes. There are a variety of ways in which identity theft can be carried out, including through emails, malware, eavesdropping, impersonation etc. In the case of identity theft which I have cited as an example, the Vietnamese man, Ngo, had used his site www.superget.info to access the huge database of Experian by pretending to be based in the U.S., and thus tricked the company into sharing data on greater than 200,000 million Americans. These data include such confidential details as social security numbers, credit card data etc. The surprising question is how a major company like Experian did not discover the ongoing theft for almost one year. This itself is a measure of the success of the hacker's approach and his experience at evading surveillance. The investigations by the United States Secret Service led to the discovery that Ngo had accessed the database of Experian, exposing millions of their customers to having their information misused, via a company, Court Ventures, which had a contract with Ngo for buying customer records; he was paying for this via wire transfers of cash from Singapore. Ngo in turn was providing access to these records to greater than 1300 customers and making a huge profit by selling personal data. What were the reasons behind the success of this scheme?
- There was no direct connection between Ngo and Experian excepting through Court Ventures
- Ngo's search strategy would pull out details of many individuals alongside the ones whose details were requested, and thus the number of individuals' records obtained was staggering. Multiple records were obtained for the search of one record. This reflected his knowledge as a hacker and his expertise at search retrieval.
- There was a complete lack of due monitoring and screening by Experian of what was being done with the customer information. They were completely ignorant of Ngo's activities, and came to know of them only after the US Secret Service started investigations. This was a dangerous precedent and undoubtedly led to the exposure of millions of customers to the risk of having their identity stolen and misused.
- In addition, Court Ventures never verified the history of the client, Ngo, with whom they had contracted. Ngo had a history of cyber hacking, defacing websites and credit card fraud. How did they contract him then? It indicates a complete lack of security checks on who is buying the customer information and for what potential purposes.
- Experian data were meant for US usage only. The fact that funds were being wired from Singapore did not alert Experian or Court Ventures. The latter was tricked into believing that the data was to be used for fraud prevention and ID verification purposes.
- It exposed the weaknesses and vulnerabilities of data storage and selling companies, and the need to protect customer information and to give customers access so that they know what happens to their information and so that any illegal usage can be tracked and monitored.
- Ultimately Ngo’s strength of being based outside the US became his weakness and he was discovered on this basis, lured and caught.
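Two of the gaps listed above, many records returned per search and payments wired from outside the permitted region, can be checked mechanically. The following Python code is an added example, not part of the original report or of any Experian or Court Ventures system; the event format, account names, field names and the threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data): one row per search or payment.
EVENTS = [
    {"account": "acct-A", "type": "search", "records_returned": 1},
    {"account": "acct-A", "type": "search", "records_returned": 1},
    {"account": "acct-A", "type": "search", "records_returned": 2},
    {"account": "acct-A", "type": "payment", "origin_country": "US"},
    {"account": "acct-B", "type": "search", "records_returned": 40},
    {"account": "acct-B", "type": "search", "records_returned": 55},
    {"account": "acct-B", "type": "search", "records_returned": 38},
    {"account": "acct-B", "type": "payment", "origin_country": "SG"},
    {"account": "acct-C", "type": "search", "records_returned": 1},
    {"account": "acct-C", "type": "search", "records_returned": 1},
    {"account": "acct-C", "type": "payment", "origin_country": "SG"},
]

PERMITTED_REGION = {"US"}  # assumption: data is licensed for US use only


def review_accounts(events, permitted=PERMITTED_REGION, max_avg_records=3.0):
    """Return {account: [reasons]} for accounts that need manual review."""
    searches = defaultdict(list)     # account -> records returned per search
    pay_origins = defaultdict(set)   # account -> countries payments came from
    for e in events:
        if e["type"] == "search":
            searches[e["account"]].append(e["records_returned"])
        elif e["type"] == "payment":
            pay_origins[e["account"]].add(e["origin_country"])

    findings = {}
    for account in sorted(set(searches) | set(pay_origins)):
        reasons = []
        counts = searches.get(account, [])
        # Signal 1: each search pulls far more than the one requested record.
        if counts and sum(counts) / len(counts) > max_avg_records:
            reasons.append("records_per_search")
        # Signal 2: payment origin lies outside the permitted-use region.
        foreign = pay_origins.get(account, set()) - permitted
        if foreign:
            reasons.append("payment_outside_region:" + ",".join(sorted(foreign)))
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in review_accounts(EVENTS).items():
        print(account, reasons)
```

Either signal alone only justifies a manual review of the account; the threshold has to be tuned against what legitimate customers of the service normally retrieve.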
Case 2: represents a gross violation of security networks
This case refers to the incident highlighted during the Snowden disclosures that the US had illegally breached the security network of Huawei corporation by managing to access its internal servers. Huawei is a Chinese company which provides digital modems for internet connectivity for a large fraction of the world’s internet consumers. (Sanger and Perlroth, 2014) (Cushing, 2014) (Introduction to network security, 2014) (Curtin, 1997)
How did it target: The agents of the US targeted the workings of the routers and digital switches used to provide Huawei's digital services, and also monitored the communication networks, thus leading to massive network security breaches.
The Aim: This was part of the political surveillance of Huawei and China, to establish whether there was any link between the two, and to understand and change the technology so that the US could monitor the anti-US countries using Huawei technology. Another aim was to monitor networks using Huawei equipment, as the suspected countries use these, and also to monitor 20 Chinese hacking groups. These are all part of surveillance and counter-surveillance strategies.
The hackers were extremely successful as per reports. Reportedly, they got their hands on the source code used for Huawei software, hacked into networks and internal servers, and were able to monitor all internal communications. It was a well-planned and well-executed strategy which highlights the weaknesses of the Huawei system, even though it is a global giant. Huawei really needed to shore up its network security and its access controls for servers and even emails. The attackers struck at all levels, at the entry points of the network, and were able to penetrate within and discover the source code.
Section 3: describes what the theory and standard suggest and what approaches do you think would be suitable?
This case represents a clear violation of information governance procedures, that is, the policies and procedures relating to the administration, storage and management of large amounts of information, as well as privacy issues regarding access to information. IG procedures are necessary for ensuring the confidentiality, availability and integrity of the public and private data deposited with institutions, as well as the ethical management of this data.
In this case, it is obvious that standard rules were not followed. As per IG, the information lifecycle is divided into four phases: creation, transmission, usage storage and destruction or decommission. Data can also be stored in numerous formats. Hence, agencies dealing with large amounts of personal information must ensure secure arrangements at each level, both at the level of process and at the level of storage and conversion of data from one form to another. The highlighted case shows an obvious lack of attention and negligence at different points, which led to the harvesting of a considerable amount of personal data by the thieves.
Such companies should let consumers know what kind of information is held on them and should have stringent monitoring mechanisms in place. They should have mechanisms to ensure that, while the data owners know what happens to their data, outsiders are not allowed access without stringent verification and authentication at different levels, including data, user and entity. For this, they need to use high quality data encryption mechanisms as well as controls over access to data and over who can access it, with differential access being granted. Usage should be restricted even for those who are entitled to access information, and there should be no facility for tampering. Encryption should also cover the methods by which the data is created, stored and transferred, including all the points in the information flow where attacks and hacking can occur. Authentication protocols should be designed using cryptographic messages so that no illegitimate activity or attack is allowed. There should also be methods to ensure that the memory is protected and kept secret. Encryption keys should be used for password access. Where large amounts of data are concerned, de-identification methods can be used to ensure that the critical elements of the data remain hidden.
The internet is a series of networks. Each network consists of a system of computers which communicate with each other through their servers. Threats to a network can come from several points, and the breach of a network can occur at several points. Key facts which determine the susceptibility of a network to outside attacks include knowledge of the assets, vulnerabilities etc. The internet is a complex scenario in which information is transmitted and received by the different computers through the servers, and information is sent in the form of packets of data. There are protocols which determine how the messages have to be sent, received and answered, and there are devices called routers which are responsible for forwarding this data. The three elements of networks are thus:
- network borders: applications and hosts
- the core of the network: network of networks
- the points of access to networks and physical media such as communication links
These thus represent the points of attack.
Thus each layer represents potential vulnerabilities. What can be done to prevent such massive overhaul would be to:
- Ensure authenticated protocols at each stage of the communication process, involving secure, cryptographic methods.
- Install firewalls which protect the company's intranet from the internet using a variety of methods such as application gateways and packet filtering. Firewalls represent only a single point of defence, however, and hence there should be as many defence points as possible, else huge security lapses may occur.
- Install security devices and guard modems carefully. Terminal servers should have watertight passwords to ensure that outsiders cannot get through, as this represents the entry point to your network.
- Use crypto-capable routers so that the traffic between two points can be secure.
- Use VPNs.
Section 4: Say what you would do if you had time again or if faced with the same problem of information governance and network security.
If we had the time again, or if we faced the same situation, we would do the following in both cases:
- Ensure encryption and secure authentication at all points of the networks and database. Ensure controls and checkpoints at each point of accessing information from the database.
- Verify that those who buy the customer data have genuine credentials, can provide testimonials to their identity and submit proof of who they are.
- Constantly monitor the purchase transactions as well as what is being done with the data accessed.
- Ensure stringent internet protocols and firewalls are in place to prevent security violations. Again, constantly monitor and upgrade software and hardware to deal with potential vulnerabilities which can be used by attackers.
Curtin, M. 1997. Introduction to Network Security. [online] Available at: http://www.interhack.net/pubs/network-security/network-security.html#SECTION00050000000000000000 [Accessed: 12 Apr 2014].
Cushing, T. 2014. Leak Shows NSA Breached Huawei’s Internal Servers, Grabbed Executive Emails And Source Code | Techdirt. [online] Available at: http://www.techdirt.com/articles/20140323/08082126663/leak-shows-nsa-breached-huaweis-internal-servers-grabbed-executive-emails-source-code.shtml [Accessed: 12 Apr 2014].
Krebsonsecurity.com. 2014. Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records — Krebs on Security. [online] Available at: http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/ [Accessed: 12 Apr 2014].
Krebsonsecurity.com. 2014. Experian Sold Consumer Data to ID Theft Service — Krebs on Security. [online] Available at: http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/ [Accessed: 12 Apr 2014].
Sanger, D. A. and Perlroth, N. 2014. NSA breached chinese servers. [online] Available at: http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html?_r=0Case [Accessed: 12 Apr 2014].