The Sony Playstation Network Hack of 2011 that affected 77 million people, the December 2015 hack of Valve’s Steam platform that impacted 34,000 subscribers and the September 2016 Yahoo hack that compromised the personal information of 500 million users show that major corporations, even those with supposedly “impenetrable systems” are not immune to being penetrated by a determined hacker or hacking group. The problem stems from the programming arms race between corporations and hackers with one group constantly looking for flaws in program architecture and the other patching the identified flaws in the system (Ferdinand, 2015). [“Write my essay for me?” Get help here.]
Company databases are valuable since they can contain personal information and credit card numbers which would enable whoever obtains them to accomplish identity theft (Jenab & Moslehpour, 2016). In fact, there is an underground market on the dark web (sites that can only be accessed via TOR browsers) that enable people to buy and sell information that has been obtained by hackers. Companies attempt to safeguard their databases through continuous investment into better systems, more robust programming architectures, elaborate anti-virus programs and other methods of preventing their accumulated data from being stolen by unscrupulous individuals. Unfortunately, there is no such thing as a truly secure system when it is connected to the internet. Programs follow, by their very design, a set of rules when it comes to their implementation within a system. Understanding these rules and knowing their different vulnerabilities based on research and experimentation is the very essence of what hackers do. Through this paper, the concepts of security by design, present day security measures and the process of vulnerability management will be examined to showcases how each method contributes towards methods of safeguarding data. It is anticipated that this process will reveal that, no matter how advanced the method of database protection, there is always a means of circumventing it. [Need an essay writing service? Find help here.]
Security by Design
The phrase “security by design” is a blanket terminology used to describe systems that have been developed based on the security needs of a company. In essence, a system is built with the idea of securing it from potential vulnerabilities and attacks and making it potentially “impenetrable” to hackers (El-Hajj, Ben Brahim, Hajj, Safa, & Adaimy, 2016). However, going along the line of thought that there is no such thing as a completely secure system, there are some caveats to the concept of security by design. Not all companies have the resources to fund their own dedicated I.T. department and, as such, they generally hire external service providers for their security needs.
The problem with this strategy is the potential for hacking groups to specifically target the systems from such a vendor due to the number of companies utilizing it. For example, the Denuvo copyright protection system is used by many businesses to prevent their digital games from being copied and distributed online via torrent sites. It utilizes a combination of encryption, serial number identification and online referencing to prevent a copied game from working. This has made it the “go-to” method of copyright protection for many game companies due to its supposed “impenetrability.”
Unfortunately, as of August 2016, multiple news sources have reported that Denuvo has been successfully hacked resulting in potentially hundreds of games being vulnerable to illegal online distribution via torrents. This example shows that relying on a readily available platform for your security needs may be the most cost-effective solution, but it does leave a company vulnerable to potential breaches given the focus that hackers would have on penetrating such a system due to its widespread use.
Since generic security systems bought from a vendor utilize the same open ports, they would all have the same port vulnerabilities which enable hackers to readily know how to attack a system, what route they should take and the potential success they would have (El-Hajj et al., 2016). The same vulnerability also extends to the use of generic firewalls that have similarly been bought from a provider. This does not mean though that only large corporations have the potential to safeguard their system.
This indicates that smaller businesses should hire external providers for a more expensive but more secure custom designed system for their needs rather than one that is generic and sold to multiple companies. The logic behind this for businesses is that it is better to have multiple systems with different protocols than a single one that ‘s hard to penetrate but affects multiple systems. This ensures that even if the system of one company is penetrated, this does not impact other businesses that have used the same systems provider.
Aside from designing a system from the ground up, there are other methods that companies implement when it comes to safeguarding their systems. These practices consist of the following:
a.) Access Control Methods
This method involves limiting the capacity of people or external entities from interacting with specific parts of a company’s system through control compartmentalization. The basic principles of this method focus on giving access only to specific aspects of a system based on that individual’s role within the company. For example, a Customer Service Representative (CSR) for AT&T’s mobile phone division would only have access to the company’s customer management system (it’s CARE platform), its mobile phone activation and maintenance program (the Telegence system) and its payment processing program which is connected to the Vesta payment system (Van Staalduinen, Khan, & Gadag, 2016). However, the CSR would not be given access to the company’s mobile network platform which controls signals within specific areas, nor would the CSR be given the capability to access more private aspects of a customer’s data (ex: their call and text records). Access to these systems is restricted only to personnel that handle cases that are limited to those systems (Van Staalduinen et al., 2016).
By implementing a compartmentalized approach, this prevents a potentially malicious employee within the company from affecting systems that could cause millions of dollars in damage. Not only that, access control helps businesses to track potential anomalies that appear in the system by tracking which department was in charge of that system. Methods like this contribute to preventing malicious access to systems and ensures the continued integrity of stored data.
However, the problem with access control methods is that it can also work against systems by making sure that only select people within an organization can modify or control them. This was seen in 2008 when a disgruntled network administrator in San Franciso shut access to the FiberWAN network for the city administration due to a clash in belief about network security protocols and granting access to people he deemed as unfit and potentially incapable of correctly handling the system.[Click Essay Writer to order your essay]
Safety and competency aside, this situation shows the inherent issues when it comes to access control limitations since, if the person with access to a particular aspect of a system intends to commit malicious behavior, they can implement it with the compartmentalized limitations preventing others from potentially undoing what they did. There is no readily available solution to this particular issue since access control has become a standard practice in most corporations.
b.) Hardware Protection
This method refers to the methods used in protecting a system by preventing unauthorized modification of system protocols via preventive methods on the hardware (Khatri & Brown, 2010). This can come in the form of write protection being utilized on the hard disks of a system, implementing methods of memory protection, and even installing devices on computers to monitor current activities and to prevent unauthorized access. For example, one of the most common methods of hardware protection in companies is to block off access to external read/write ports for desktop computers.
Due to the potential presence of viruses on thumb drives and CD, these ports are usually blocked off since, no matter how secure a company’s firewalls are, it cannot protect itself from viruses being introduced directly into the system via USB terminal. This particular practice is the most feasible when it comes to preventing access to systems since, by physically blocking the ports to a system, an ordinary employee cannot gain access to it.
c.) Encryption of Data
Aside from limiting access to data, there are other methods that can be implemented if unauthorized access is achieved. Data encryption is the process of utilizing a series of symbols, jumbled letters, and symbols to represent the original content of data. The data can only be unencrypted if the correct encryption key is placed thereby enabling the program to unscramble the information.
This method of data protection is utilized in a wide variety of different systems since it adds an added layer of safety over the safety protocols that are already in place. However, it should be noted that data encryption should not be considered as a 100 percent effective means of safeguarding data. Encryption keys can be solved via a wide variety of different methods (ex: brute forcing encryption through a program specifically designed to solve encryptions). This is why methods of data encryption are always evolving alongside current processes meant to circumvent them.
The process behind authentication is very straightforward, if you use a system and provide a username or access the system via a company provided laptop with a built-in network access program, a “handshake” occurs between your access of the system and the database of users within the system. Once your network credentials have been examined, the system will then compare it to the database of users that exist within the system and will grant access if authentication server finds the necessary credentials.
The use of passwords involves the creation of a unique identifying key that is used to access a network, system or file. It is was one of the first methods used in data protection and continues to be used to this day. Unfortunately, as seen in numerous publicized cases (ex: Mark Zuckerberg’s Facebook account being hacked) passwords can be guessed and, as such, people should practice proper password management and creation strategies to prevent this from happening.
The concept behind vulnerability management is acknowledging the fact that there is no such thing as a 100 percent secure system and having the necessary vigilance to anticipate potential threats before they become a serious issue. There are hundreds of new viruses, trojans, and malware that are created each year with the express purpose of penetrating computer systems. One of the ways vulnerability management practices help to prevent such threats from affecting computer systems is through constant security updates and testing the present day security measures in the system (Chua & Storey, 2016).
Security updates come from database updates from various government and non-government organizations that identify potential virus threats and release data on how to counter them. System admins then implement these solutions into the system and test the security measures that have been implemented to ensure continued system integrity. Aside from this, there is also application and network security protocols to take into consideration. Application protocols limit the ability of installed programs to influence a system’s program. This ensures that applications only work within a pre-defined environment which helps to limit the potential damage they cause (Bamrara, 2015).
Network security measures are used in the same context; however, they involve isolating systems and preventing one system from affecting the other. For example, a system that a CSR operates in is kept on a separate server and network infrastructure than other critical systems. This ensures that if a virus were to compromise the CSR system, it would not affect critical systems in other parts of the company. The last practice involving vulnerability management are password management practices which often means changing passwords on a bi-weekly basis. Exercises like this help to lower potential network break-ins by ensuring that methods that can be used to gain access to the system (ex: a stolen password) are changed (Wei, Murugesan, Kuo, Naik, & Krizanc, 2013).[Need an essay writing service? Find help here.]
Overall, what this paper has shown is that there is no such thing as a system that cannot be penetrated so long as it is connected to the internet. Even systems that are not directly connected to the net can be breached via human incompetency or through malicious actions by an employee within the company. This is why companies should practice constant vigilance when it comes to the actions they take when safeguarding their databases.
Bamrara, A. (2015). Evaluating Database Security and Cyber Attacks: A Relational Approach. Journal Of Internet Banking & Commerce, 20(2), 1.
Chua, C. H., & Storey, V. C. (2016). Dealing with Dangerous Data: Part-Whole Validation for Low Incident, High Risk Data. Journal Of Database Management, 27(1), 29-57.
El-Hajj, W., Ben Brahim, G., Hajj, H., Safa, H., & Adaimy, R. (2016). Security-by-construction in web applications development via database annotations. Computers & Security, 59151-165.
Ferdinand, J. (2015). Building organisational cyber resilience: A strategic knowledge-based view of cyber security management. Journal Of Business Continuity & Emergency Planning, 9(2), 185.
Jenab, K., & Moslehpour, S. (2016). Cyber Security Management: A Review. Business Management Dynamics, 5(11), 16-39.
Khatri, V., & Brown, C. V. (2010). Designing Data Governance. Communications Of The ACM, 53(1), 148-152.
Van Staalduinen, M. A., Khan, F., & Gadag, V. (2016). SVAPP methodology: A predictive security vulnerability assessment modeling method. Journal Of Loss Prevention In The Process Industries, 43397-413.
Wei, D. S., Murugesan, S., Kuo, S., Naik, K., & Krizanc, D. (2013). Enhancing Data Integrity and Privacy in the Cloud: An Agenda. Computer, 46(11), 87-90.