This paper attempts to explain the importance of the establishment of a redundant and well-developed IT security system. The application of IT security measures is expected to prevent unauthorized entry and protect information related to the company’s financial transactions. However, a comparative study of recent high-profile IT security breaches revealed that cybercriminals had the capability to destroy the firm’s reputation and weaken the business organization’s financial strength without engaging in activities designed to produce a direct profit. In other words, it is time to look beyond the white-collar crime model.
Limiting the design of critical security measures to the anticipation of white-collar types of cyber-attacks compels IT security experts to focus only on preventing financial loss or corporate espionage. It is important to understand that cybercriminals are not always after money or trade secrets. Hackers are armed with different ways to cripple a business operation or drive the business into bankruptcy. It is not enough to secure the financial aspect of the business, because there are other ways to make a profit through the use of cyber-attacks. A change of mindset regarding the relatively new ways of penetrating the shroud of IT security enables the creation of better security measures.
Corporate leaders around the world appreciate the value of cost-efficient communication and data storage facilities based on Information Technology platforms. Data management and data security are important things to consider in a business organization of the 21st century. Companies handling critical information are vulnerable in an interconnected world wherein cybercriminals have the capacity to hit targets that are located thousands of miles away. As a result, business organizations are investing in security systems in order to prevent unauthorized access to servers and critical IT-based infrastructure. It is of critical importance to focus on developing a ring of protection around the financial aspects of the business. It is practical to establish redundant security systems around financial transactions, bank accounts, procurement, and delivery systems for valuable products and high-value assets. However, it is not the most prudent thing to do for the business leader to allocate a bulk of the company’s scarce resources for the establishment of IT security measures. A comparative study of more than ten high-profile IT-related security breaches reveals that cybercriminals have the capability to damage a firm’s reputation and its financial stability even if the unauthorized entry into the company’s computer servers was not calculated for the benefit of a direct financial gain.
Thinking Beyond the White-Collar Crime Framework
It is important to develop an understanding regarding the nature of cyber-attacks and the type of crimes committed through the breach of a company’s IT security. In this regard, it is imperative to look beyond the use of the Internet in the context of white-collar crime. A typical example of a white-collar crime involves illegal activities rooted in the idea of extracting a monetary reward from the victim (Gottschalk 2010). Thus, the targets of the said crime are expected to give up cash or its equivalent (Segal 2016). In most cases, perpetrators of white-collar crime leverage the power of the Internet in order to acquire personal information. Highly coveted data includes credit card numbers and social security numbers (Siegel 2015). The acquisition of the said personal information enables unscrupulous people to withdraw money or establish a complicated set-up that eventually yields some form of monetary gain (Siegel 2015). For example, credit card fraud enables them to make unauthorized purchases over the World Wide Web (Siegel 2015).
It is important to point out that recent high profile IT security breaches are characterized as cyber-attacks that did not fit the conventional model based on the white-collar crime concept (Mellado 2013). In fact, low-level hacking strategies were deployed in order to steal important information. In addition, the main goal of the cybercriminals was not to steal credit card data or personal information that would have enabled them to access bank documents or create a phony loan application. Cybercriminal activity directed at the iconic brand Sony, the IT security firm RSA, Ltd., and email wholesaler Epsilon were carried out not for the purpose of financial gain (Mellado 2013). Actually, the online predators utilized their skills to observe and collect low-level information in order to develop more complicated attacks and learn more about the organization’s respective business operations processes (Mellado 2013). Due to the complex security measures that were installed beforehand, IT experts under the employ of Epsilon, Sony, and RSA, Ltd. established powerful deterrents in anticipation of sophisticated hacking techniques. It would have been foolhardy for even the best hackers on the planet to engage a world-renowned IT security expert like RSA in a frontal assault. However, the perpetrators of the said crime were able to gain access by delivering malware through an email sent to employees that did not have high-security clearances or were expected to work on sensitive aspects of the business organization.
The outcome of recent IT security breaches has made it clear that companies can lose more than money in the event of a malicious intrusion within the group’s IT infrastructure. It is certainly true that high-value companies cannot afford the consequences of a data loss (Dhivakar 2014). In certain firms designed around a service-oriented business model, the inability to connect with potential customers may well be considered an indirect cause of financial loss. A security breach resulting in “Denial of Service” prevents the company from turning a profit (Dhivakar 2014). A significant number of business leaders consider this problem as terrible as the actual theft of funds.
A security breach due to a “Service Traffic Hijacking” prevents the real owner from using his or her account (Dhivakar 2014). From a corporate standpoint, the failure to control key aspects of the business for a certain period of time leads to a loss of reputation.
Crime beyond borders – the nature of Trans-national crimes
It is also crucial to have an understanding of the nature of trans-national crimes because it reveals the difficulty of prosecuting the perpetrators. This assertion simply means that a systematic approach and a proportionate response are needed in order to solve the problems created by transnational organized crime.
The menace of trans-national crime syndicates is being magnified by the impact of sophisticated telecommunication capabilities. Thus, it is not prudent to develop a crime-fighting mechanism designed to handle problems only within the local scene. It is high time to acknowledge the unique set of problems brought about by technology crimes that are not bounded by geographical limitations (Beare 2012). As a consequence, policymakers and government officials are compelled to acknowledge the need for greater collaboration not only with stakeholders within a particular country but also with international leaders and international organizations (Beare 2012). International collaboration is very much needed in this arena. For the purpose of understanding the challenges ahead with regard to the forging of international cooperation against transnational crimes, consider the description of the requirements for the creation of an effective law enforcement mechanism as seen below:
To have maximum effectiveness, these model treaties – like other bilateral and regional treaties or conventions such as those drawn up by the Council of Europe – have to be supported by legislation at the national level, which should be as streamlined as possible, both as to substantive law and as to procedural matters. They should also be implemented efficiently, using standard request forms and going through the designated authorities. In addition, these would need to be reviewed periodically, to encompass new forms of criminality, such as computer-related crimes (Savona & Williams 2005).
In the above-mentioned process describing the requirements for effective collaboration between sovereign states in order to take down transnational crime syndicates, it was made clear that hurdles are present in every corner (Savona & Williams 2005). Thus, there are commentaries explaining the role of the United Nations in the attempt to dismantle or at least weaken the power and influence of trans-national crime syndicates. Nevertheless, one can argue that a more systematic approach and more effective collaboration are some of the cost-effective steps to take in the fight against transnational crimes in a globally interconnected world.
It is of critical importance to see the capability of terrorists to use the Internet in perpetuating their ideologies. At the present time, one can argue that the world’s criminal justice system was designed to function against crimes that were driven by the lust for money and power (Wittkop 2016). Human passions and the desire for selfish gains were the underlying motivations for the crimes that the justice system wanted to punish or deter (Wittkop 2016). After 9/11, democratic countries came to realize the core values of Islamic extremists, specifically the commitment to pursue goals that were never underlined by the pursuit of monetary gain. Their actions were never characterized by schemes to acquire property and other goods of value. Unlike hostage-takers requesting sums of money in exchange for prisoners, religious terrorists have no demands that are understandable to the average human being. If someone asked the rationality of the act, no one can give a coherent answer (Costigan & Perry 2012). No plausible answer was acceptable enough, none satisfies from an American’s point of view.
Although the real motivation of suicide bombers was shrouded in abstract religious thought, the desire to murder innocent civilians was reinforced several times through a trail of bloodshed. According to one commentary, it has always been the bloodthirsty desire of terrorists to cause harm to Western economies, however, their capabilities required the infiltration into territories and the execution of a plan, which was a tremendous challenge in terms of logistics and operational expenses (Wittkop 2016). If cyber terrorism becomes the favorite weapon of religious fanatics, it does not require a rocket scientist to understand the reason for supporting a bold strategy.
From the point of view of a national leader or a policymaker, there are two aspects of present-day cutting-edge technologies that may prove problematic when it comes to designing a plan to stop acts of terrorism. The first challenge comes in the form of countering the consequences of high-speed and high-level interconnections due to advanced telecommunication capabilities. The second area of concern comes in the form of challenges created by “real-world dependencies” (Shakarian, Shakarian & Ruef 2013). Consultants in the field known as “Network Science” pointed out that a good example of a “real-world” dependency can be found in a power grid system or in a railway system. These are networks and systems that contain nodes and connection points. A cyber terror attack on one node or point of exchange can cause major disruptions, because the other components of the system may depend on certain “key nodes” or “rail lines” (Shakarian, Shakarian & Ruef 2013).
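The “key node” idea can be checked on a dependency map before an incident rather than after one. The following is an added example, not taken from the cited authors: it finds the nodes whose loss splits a constructed utility network and lists what each failure would cut off from the control center. All node names are hypothetical.

```python
from collections import defaultdict

# Constructed dependency map of a small utility network (all names hypothetical).
LINKS = [
    ("control_center", "substation_a"),
    ("control_center", "substation_b"),
    ("substation_a", "substation_b"),
    ("substation_b", "pump_gateway"),
    ("pump_gateway", "pump_1"),
    ("pump_gateway", "pump_2"),
    ("pump_1", "pump_2"),
    ("substation_a", "rail_signal_hub"),
    ("rail_signal_hub", "rail_line_1"),
]


def build_graph(links):
    """Undirected adjacency sets built from (node, node) link pairs."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def key_nodes(graph):
    """Return articulation points: nodes whose removal disconnects the network."""
    disc, low, found = {}, {}, set()
    counter = [0]

    def visit(node, parent):
        disc[node] = low[node] = counter[0]
        counter[0] += 1
        children = 0
        for nxt in graph[node]:
            if nxt == parent:
                continue
            if nxt in disc:
                # Back edge: an alternative path exists around `node`.
                low[node] = min(low[node], disc[nxt])
            else:
                children += 1
                visit(nxt, node)
                low[node] = min(low[node], low[nxt])
                # The subtree under nxt cannot reach above node without node.
                if parent is not None and low[nxt] >= disc[node]:
                    found.add(node)
        if parent is None and children > 1:
            found.add(node)

    for node in sorted(graph):
        if node not in disc:
            visit(node, None)
    return found


def stranded_by(graph, failed, source="control_center"):
    """Nodes that can no longer reach `source` once `failed` is down."""
    seen, stack = {source}, [source]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt != failed and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return set(graph) - seen - {failed}


def report(links):
    """Key nodes ranked by how many other nodes their loss isolates."""
    graph = build_graph(links)
    rows = [(node, sorted(stranded_by(graph, node))) for node in key_nodes(graph)]
    return sorted(rows, key=lambda row: (-len(row[1]), row[0]))


if __name__ == "__main__":
    for node, lost in report(LINKS):
        print(f"{node}: loss isolates {len(lost)} node(s): {', '.join(lost)}")
```

Nodes at the top of the report are where a redundant link or an independent control path reduces exposure the most.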
Relevant cases: Evidentiary support
In November of 2014, Sony, the world-renowned company fell victim to a destructive cyber-attack. The group responsible was identified by the moniker the Guardians of Peace. In the aftermath of the successful attack, the company’s communication network was in shambles. The main concern was the privacy and security of the information sent between the people working in the said company. Due to the impact of the cyber-attack, Sony’s employees were forced to communicate via pen and paper.
One can break down Sony’s IT security debacle into the theft of critical information and the disruption of business operations. The stealth attack enabled the intruders to gain a treasure trove of critical information, such as the media conglomerate’s intellectual property, names of employees, and information that may cause a serious degree of embarrassment for Sony’s top executives. Furthermore, the intruders introduced a virulent type of malware that rendered computer systems useless for an extended period of time. Aside from disrupting business operations due to the non-usability of certain computer units, significant erosion in productivity was also the direct outcome of data loss. It was revealed later that the introduction of a powerful type of malware caused the erasure of massive amounts of data on Sony’s computer hard drives (Wittkop 2016). In fact, the attack was implemented using sophisticated methods, as manifested in the use of government-type secure deletion protocols ensuring complete data wipeout (Wittkop 2016).
With the benefit of hindsight, negative commentaries came pouring in after Sony’s cyber-attack problems were made public. IT security experts like Ira Winkler pointed out that due to the absence of basic cyber defense protocols, it was relatively easy to overwhelm Sony’s IT infrastructure (Winkler & Gomes 2016). In fact, Winkler pointed out the following gaps: 1) no multiple-factor authentication to safeguard critical systems; 2) no proper network segmentation; 3) insufficient anti-malware software in place (Winkler & Gomes 2016). Winkler added that the presence of the said defense protocols may have reduced the scope of the damage created by the attack, and instead of the theft of several films, they could have reduced access to only one film (Pagliery 2014).
In July of 2015, hackers breached into the security veil of a business organization called Ashley Madison. Before the attack, the said company was embroiled in a controversy, because it was a group known to enable extramarital affairs specifically for married men. It was easy to understand the social backlash the moment it was known to the public that such a service was available for men. Aside from the nature of the business, the anger of the general public was stoked into the raging fire when it was known that Ashley Madison was unapologetic with the blatant advertising of the way they do business. Nevertheless, the entry of hackers-turned-activist was not expected by even the company’s most vocal critic. The hacker group that initiated the successful breach was able to steal critical information regarding the users of the company’s website. There was no need to elaborate on the fact that this was a major scandal about to erupt on the world stage. As a result, the data breach created fear within the hearts of the customers using the site, because the threat of public shaming was real. The group responsible for the said attack made known their exploits to the general public. In addition, the group announced an ultimatum for the company to shut down its operations. The breach caused the deaths of several people after they committed suicide. Customers included in the leaked information filed lawsuits against the parent company of Ashley Madison.
On March 18, 2011, corporate leaders of RSA Ltd. were compelled to make a public disclosure that the company was the victim of a cyber-attack. It was an ironic tale of a company tasked to solve the IT security issues. It has to be pointed out that RSA is a division of EMC Corporation, a business organization known all over the world as having the best technology and know-how with regards to compliance solutions and the need to secure IT-based platforms (Mellado 2013). In fact, before the reported incident, 90 percent of Fortune 500 companies never trusted another brand except for the one that carries the RSA trademark (Mellado 2013). Aside from the fact that RSA’s debacle serves as the best cautionary tale when it comes to IT security risks, there are other important lessons that one can glean from the said case of a security breach.
The intruders utilized a mode of attack called the “targeted phishing email” through the use of a malicious Excel file (Diehl 2016). In a span of two days, low-level employees at the said company received “phishing” type of emails. The use of the said tactic requires the clever use of website design or letterhead design to fool the recipient of the authenticity of the email. Once the unsuspecting victim took the bait, the attacker gained access to the victim’s computer, extracted personal information, and manipulated the computer in order to perform unauthorized work on a particular system. In this particular case, the cyber criminals created an email purported to be a message coming from RSA’s well-known business partner.
The said business partner was a recruitment agency allied with RSA, and the email that was sent contained an Excel file that was supposed to contain recruitment information about RSA employees. Human frailty and human nature combined to make the fake file an enticing file to open. After the victim viewed the said Excel file, which contained an Adobe Flash object based on a vulnerability called CVE-2011-0609, malware called “PoisonIvy Backdoor” was activated (Diehl 2016). As a result, the attacker had full control of the victim’s computer (Diehl 2016). In the end, the attackers were able to connect RSA’s computer to a domain name associated with illegal activities. In this case, credit card numbers or social security numbers were not stolen (Mellado 2013). However, the attackers gained valuable insight into the role of the workers and critical information about RSA’s clients. Evaluators pegged the opportunity cost and reputation cost at $66 million (Diehl 2016).
The Aramco brand name may not ring a bell for people living outside the Middle East. However, this organization is one of the key players when it comes to global energy supply because Aramco provides at least 10% of the world’s fossil fuel needs (Wittkop 2016). In the year 2012, Aramco, a leading supplier of crude oil to the world market, fell victim to a cyber-attack perpetrated by a group called “Cutting Sword of Justice” (Wittkop 2016). The sneak attack came during the holy month of Ramadan, the Arab world’s most important holiday. Only a skeletal force remained to handle daily operations. When the full force of the attack was made known, at least 35,000 workstations were rendered useless and the critical data within these workstations were compromised. In order to mitigate the impact of the said cyber-attack, Aramco executives were forced to shut down a major portion of the business operations. Financial data was not released to the general public. However, insiders revealed that the cost of the attack was several times greater than the financial impact of Sony’s IT security breach.
iCloud is a service that enables users to store data to an outside source. In a world dominated by the use of social media, the ability to store images, and other important information outside the user’s phones or laptops is an added advantage, especially after considering the impact of storage space on the performance of particular electronic equipment. However, remote access to the said virtual storage system can be seen as a vulnerable aspect of the said system. Unscrupulous people can take advantage of the said weakness. In the year 2014, the news of nude pictures of Hollywood celebrities circulating around the World Wide Web captured the imagination of the general public (Williams 2014). It was an issue of privacy as well as the security of the iCloud system. It is interesting to note that investigators may have alluded to the idea that the breach was due to the use of social engineering or the use of insights from the study of human nature in order to break the password. In this case, there was no financial loss attributed to the victims. The hackers did not steal credit card information from a famous female actor like Jennifer Lawrence (Williams 2014). However, they stole her naked pictures and allegedly sold them online.
It is important to note that the vulnerability of the iCloud’s system was due in large part to a compromise that Apple, Inc. was compelled to do in response to the convenience issues of Apple’s product users (Epifani & Stirparo 2015). In this case, it was deemed a tremendous hassle for Apple users to contend with multiple or redundant encryption for files stored in an iCloud facility. The convenience issue cropped up when Apple product users need only to transfer files from one device to the next. Thus, the ability to figure out the password from one Apple device enables the hacker to get hold of files that were deemed accessible by virtue of ownership.
In the year 2012, the liquefied natural gas or LNG producer named RasGas fell victim to a cyber-attack. RasGas is an energy company based in Qatar in the Middle East. RasGas was known as the second-largest producer of LNG for Qatar’s national economy (Radziwill 2015). The modus operandi was the insertion of a virus that enabled the intruders to shut down the company’s website and email servers (Radziwill 2015). The said virus was actually malware that succeeded in crippling the capability of 30,000 workstations.
Iran’s Nuclear Program
The United States had been vocal against Iran’s desire to enrich Uranium, a process that would have enabled the country to develop a nuclear program. Thus, it was alleged that the U.S. government was behind the use of the Stuxnet virus in order to derail Iran’s nuclear ambitions. The said virus rendered ineffective the centrifuge machines that were needed to enrich uranium.
In December of 2009, observers monitoring the progress of Iran’s nuclear program were startled to discover that a key facility was replacing broken or ineffective centrifuges at a higher rate (Zetter 2014). In addition, inspectors came to visit an average of twice a month, and on many occasions, they came unannounced to the said facility. European diplomats and other reliable sources estimated that the number of damaged centrifuges breached the 2000 mark (Zetter 2014). Inspectors were not allowed to ask the reason for the replacement. Thus, it took a long time to find out that the damage was caused by a sophisticated computer virus. It was discovered later on that the virus inserted into the computer systems controlling Iran’s nuclear program was the creation of skilled computer hackers (Zetter 2014). In ordinary cases of computer virus infection, creators of viruses rely on well-documented knowledge regarding vulnerabilities within an operating system or popular software like Adobe PDF Reader or Internet Explorer (Zetter 2014).
However, in the case of Iran’s cyber-attack, the virus was made of computer code that was unrecognizable by the most sophisticated anti-virus software available in the market. This is due to the simple reason that the virus was designed to attack an unknown vulnerability. In most cases, when a vulnerability is discovered by a vendor or software creator, the parent company issues a patch or a way for the customers to eliminate the vulnerable aspect of the software. In the course of time, the vulnerabilities of a popular operating system become known to the manufacturer and IT security professionals. Therefore, it takes advanced knowledge and skill for the virus creator to figure out undocumented and unknown vulnerabilities in the software. In fact, one can argue that even the software creator had no idea that such a vulnerability existed in the first place. Thus, the virus went undetected, which explains the continuous destruction of Iran’s expensive centrifuges. The world came to know the virulence of the Stuxnet computer virus (Chayes 2015).
Estonia’s Government Websites
Estonia was once an independent nation after succeeding to break free from the shackles of the Soviet Union. However, two years after the declaration of independence, Russian hegemony was restored when the Soviet Union invaded Estonia and reclaimed control over the said territory. However, when the Germans invaded Estonia during the Second World War, a significant number of Estonians supported the invasion and hailed the German army as the liberating force. The said historical review provides a backdrop of the acrimonious relationship between the two nations. In the year 2007, Estonia made a public announcement to remove a statue located in the center of the city and transfer the same to a location on the outskirts of the city.
The Russian government interpreted the decision as an insult to Moscow because the statue depicted a Red Army soldier mourning the death of his comrades. In other words, the statue symbolized the sacrifice made by tens of millions of Russians who died during the Great Patriotic War (Segal 2016). Estonia’s political leaders provided a practical reason for the relocation of the statue. However, the Russian government considered the drastic action as Estonia’s deliberate attempt to cut off the Soviet legacy and strengthen its alliance with other European countries (Segal 2016). In April 2007, after a violent riot made headlines, a wave of cyber-attacks was launched against Estonia’s government websites. One successful attack defaced the websites of the Estonian president. A similar attack was directed towards the website of the country’s Ministry of Foreign Affairs. The attack also crippled websites under the Ministry of Justice and the Estonian parliament.
The cyber warfare incident required the use of botnets and the need to commandeer computers located in different parts of the world. In a typical website operation, a request is made in order for a browser to use the said website. However, the manipulation of the system in order to produce “pings” or requests to the site resulted in overwhelming the websites. Thus, the end result was the shutdown of the said government websites.
It was revealed at a later date that the perpetrators behind the Estonian cyber-warfare case were traced to a Russian-sponsored youth group called the Nashe (Chayes 2015). A commentary regarding the incident revealed an important facet of the Estonian cyber warfare crisis. The commentary highlighted the fact that the response to Estonia’s political decision was not proportionate to the act committed by the Estonian government. In other words, a state-sponsored or a patriotic-type of cyber warfare committed by a group of nationals against another sovereign state can lead to unforeseen circumstances that the original perpetrators may even come to regret.
Cybercriminals utilized a technique called a “distributed denial-of-service attack” to disable the capabilities of AT&T’s servers (Williams 2012). The process required continuous hours of systematic onslaught. As a result, AT&T was unable to provide critical service to its valued customers. In a traditional appreciation of cyber-attacks, the bone of contention focuses on the monetary aspect of the said intrusion. In this case, however, there was no direct monetary benefit that can be seen as an incentive for the perpetrators to carry out the DDoS attack (Williams 2012). Nevertheless, AT&T’s reputation was severely damaged in the aftermath of the said attack.
Examined from another point of view, DDoS attacks on critical service providers such as telecommunication companies are forms of cybercrime that crime syndicates or unscrupulous people can use to vent their criticism or malicious mischief on a targeted business establishment. Thus, rival companies can use the same tactic in order to eliminate competitors. From another perspective, DDoS attacks are inexpensive ways of causing economic sabotage.
Aside from the fact that a DDoS attack is an unsophisticated way to cause indirect but significant damage, there is also the issue of using the system’s legitimate protocols as the focal point of the attack. For example, in a DDoS attack, the communication protocol revolving around the request for a response was a useful feature in ordinary circumstances. However, in the creation of numerous fake and immaterial requests, the same useful feature becomes a liability.
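Because each request in such a flood is individually legitimate, detection has to look at volume and source spread rather than at any single request. The following is an added example, not part of the original essay: a windowed detector run over a constructed request log that separates one noisy client from a distributed flood. The log, addresses (documentation ranges), and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

WINDOW = 10   # seconds per bucket
LEARN = 3     # first windows assumed attack-free and used as the baseline
FACTOR = 4    # alert when a window exceeds FACTOR x baseline volume


def make_sample_log():
    """Constructed (second, source_ip) records covering 90 seconds."""
    log = []
    # Five regular clients, one request each every two seconds.
    for t in range(0, 90, 2):
        for c in range(5):
            log.append((t, f"192.0.2.{c + 1}"))
    # Seconds 30-39: a single misbehaving client sends 40 requests per second.
    for t in range(30, 40):
        log.extend([(t, "203.0.113.9")] * 40)
    # Seconds 60-89: 200 distinct sources, one ordinary-looking request per second each.
    for t in range(60, 90):
        for b in range(200):
            log.append((t, f"198.51.100.{b + 1}"))
    return log


def detect_floods(log, window=WINDOW, learn=LEARN, factor=FACTOR):
    """Return (window_start, requests, distinct_sources, kind) for abnormal windows."""
    buckets = defaultdict(Counter)
    for second, src in log:
        buckets[(second // window) * window][src] += 1

    starts = sorted(buckets)
    baseline = median(sum(buckets[s].values()) for s in starts[:learn])

    alerts = []
    for s in starts[learn:]:
        per_src = buckets[s]
        total = sum(per_src.values())
        if total <= factor * baseline:
            continue
        # If one address accounts for most of the volume, a per-source block or
        # rate limit handles it. If the volume is spread thinly over many
        # sources, per-source limits do not trigger and the response has to be
        # aggregate (upstream filtering, capacity, request prioritisation).
        top_share = per_src.most_common(1)[0][1] / total
        kind = "single-source" if top_share >= 0.5 else "distributed"
        alerts.append((s, total, len(per_src), kind))
    return alerts


if __name__ == "__main__":
    for start, total, sources, kind in detect_floods(make_sample_log()):
        print(f"t={start:>2}s requests={total} sources={sources} -> {kind}")
```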
In May 2011, Lockheed Martin, one of the world’s biggest defense contractors, was in the grip of a persistent cyber-attack. According to the company’s spokesperson, Lockheed was under “a significant and tenacious” onslaught from the weapons of an invisible enemy (Diehl 2016). Outside the company’s headquarters, a group of hackers was attempting to break into the heart and soul of the organization’s IT infrastructure. The hackers had a clear desire to penetrate Lockheed’s computer network by entering through the company’s VPN.
It was revealed later on that Lockheed Martin’s VPN was under the protection of an RSA SecurID (Diehl 2016). In other words, the company hired RSA to handle its IT security requirements. However, the attackers had prior knowledge of the “seeds, serial numbers of valid security tokens, and the underlying algorithm” needed to secure the so-called RSA SecurID (Diehl 2016). Investigators discovered later that before cybercriminals initiated the attack at Lockheed, a successful IT security breach was initiated at RSA, Ltd., and there was ample evidence to believe that the two attacks were related to each other. The assertion pertaining to the use of stolen SecurID information against Lockheed was bolstered by the fact that the said defense contractor was one of RSA’s clients (Diehl 2016).
The company was fortunate enough to have established protocols triggering early detection mechanisms. In this regard, all employees were required to change their respective network passwords. Lockheed instigated preventive measures including the directive to disable the corporate VPN. In addition, orders were made for the disconnection of all remote access to the company’s virtual network (Diehl 2016). All employees were compelled to work only within the corporate offices of Lockheed. For a certain period of time, no one was allowed to work using telecommunication processes. SecurID tokens were disallowed until a replacement was made available for all the workers.
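Why copied seed records mattered, and why replacing the tokens was the remedy, shown as an added example (not RSA's or Lockheed's code). SecurID's algorithm is proprietary, so the open RFC 6238 time-based one-time password scheme stands in for it as an assumption; the serial number and class name are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1), used here as a stand-in algorithm."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenServer:
    """Hypothetical authentication server holding one seed per token serial."""

    def __init__(self):
        self._seeds = {}

    def enroll(self, serial: str) -> bytes:
        """Issue (or reissue) a token: a fresh random seed replaces any old one."""
        seed = secrets.token_bytes(20)
        self._seeds[serial] = seed
        return seed

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self._seeds.get(serial)
        return seed is not None and hmac.compare_digest(totp(seed, now), code)


def seed_copy_demo(now: int = 1_300_000_000):
    """Return (accepted_before_reissue, accepted_after_reissue)."""
    server = TokenServer()
    serial = "TOKEN-0001"                      # constructed serial number
    seed = server.enroll(serial)

    # The code is a pure function of (seed, time). Any party holding a copy of
    # the seed record and the algorithm derives the same code as the token,
    # so the second factor no longer proves possession of the device.
    copied_seed = bytes(seed)
    before = server.verify(serial, totp(copied_seed, now), now)

    # Changing network passwords leaves the seed untouched. Only reissuing the
    # token (a new seed on the server and in the device) invalidates the copy.
    server.enroll(serial)
    after = server.verify(serial, totp(copied_seed, now), now)
    return before, after


if __name__ == "__main__":
    print(seed_copy_demo())
```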
Maroochy Water Services
As pointed out earlier, terrorists are not going to stop until they are able to destroy a large population of human beings. However, they do not possess the capability and the finances to handle such a complicated operation within hostile territory. It is therefore logical for them to consider the low-risk high-reward proposition of cyber terrorism. It is a low-risk proposition for them because they have the option to launch an attack from a foreign country with no political ties to America or democratic nations under the umbrella of the European Union. Some of the most problematic areas to defend against a cyber-terrorist act are public utility companies, energy companies, and public transportation hubs that are vulnerable due to complexity and interconnections. The said systems have “key nodes” that are critical targets. In the year 2000, the Australian government was battling a real-world nightmare scenario when a cyber-attack caused the contamination of Queensland’s primary water service provider.
The details of the incident reverberated all over the world and the name Maroochy Water Services became infamously linked to a real-world example of how one person with above-average knowledge of computer systems can expose people to hazardous wastes, materials, and substances that have the potential to become weapons of mass destruction.
In this particular case, the attack was orchestrated by one man named Vitek Boden. He was a disgruntled former contractor whose job application was turned down by the Maroochy Shire Council. Offended by the repudiation, Boden utilized his insider knowledge of the system to contaminate clean water with untreated water. Aside from the fact that Boden was a one-man army, there are two other aspects of the case that stood out. First, Boden was able to cause tremendous damage using only one laptop (Shakarian, Shakarian & Ruef 2013). Second, it took an insightful employee several weeks of hard work to figure out that there was a problem, and that it was not the byproduct of human error or system error but in fact a deliberate act to contaminate the water supply.
Boden was arrested three months after he decided to rage against his former employer (Shakarian, Shakarian & Ruef 2013). However, it took a long time before authorities realized that Boden took control of more than 140 pumping stations and released more than one million liters of untreated sewage water into a system that delivered water to local waterways (Shakarian, Shakarian & Ruef 2013). One can just imagine the impact if mischief was not the only motivating factor for the perpetrator of the said crime. It is difficult to contemplate the outcome if terrorists took control of the local water service station and manipulated the system to poison the city’s source of potable water.
Table 1. Side-by-side comparison of the high profile IT security breaches in the last decade.
|Name of Organization|Describing the Nature of the IT Security Breach|In the Aftermath of the Attack|Lessons Learned from the IT Security Breach|
|---|---|---|---|
|Sony|Intruders were able to hack the company’s IT infrastructure using sophisticated methods. The cybercriminals were able to acquire critical information. The intrusion also allowed them to infect the system with malware designed to cripple computers.|The company was unable to perform productive activities due to the destroyed computer systems. The financial loss came as an indirect effect of the theft of intellectual property. In addition, Sony’s employees had to communicate using pen and paper.|There is a need to study the organization in order to determine the weak points. Cybercriminals have the capability to know more about the company’s corporate structure. Sony may have deemed it unimportant to invest in sophisticated intrusion detection systems.|
|Ashley Madison|Hacker-activists were able to penetrate the protective IT shroud covering the company. As a result, the theft of critical information was used as leverage for blackmail.|There was pressure for the company to shut down its operations. Clients feared public shaming. Suicides were reported as part of the collateral damage.|There is no need to steal credit card information and data related to financial services in order to bankrupt a company. In this case, the parent company of Ashley Madison is under tremendous pressure because of the lawsuits that followed the scandal.|
|RSA, Ltd.|Spear phishing email was used to target low-level employees. The information gathered from the compromised computers enables the hackers to get greater access to the system.|The hackers were able to access critical information that was believed to have been used against the clients of RSA.|It is important to develop a comprehensive security protocol to include low-level employees.|
|Saudi Aramco|The malware was used to penetrate the security shroud of Aramco. As a result, the company was unable to provide relevant service for its clients so that loss of production was the outcome of the attack.|A simple insertion of malware rendered computers useless and prevented the resumption of work.|It is important to develop a more sophisticated compartmentalization of the different systems that control IT-based communication and the IT infrastructure that handled physical work.|
|iCloud|The hacking was successful even if the hacker simply utilized social engineering and insights regarding human nature.|Public shaming and violation of user’s privacy was the inevitable outcome of the said attack.|It is important to learn how to formulate passwords that strangers may find difficult to guess.|
|Qatar’s RasGas|The malware was used to destroy the business operation capability of the company. It was a terrifying thing to consider if the hackers were influenced by terrorist groups.|The vulnerability of the energy companies against hackers raised the terror level when it comes to terrorist-related activity.|It is imperative to develop more sophisticated detection systems. It is prudent to invest in people so that they have a better understanding of vulnerabilities in the system.|
|Iran’s Nuclear Program|This is a good example of the possible impact of governments interfering with the affairs of other sovereign states.|Iran’s nuclear program was derailed. However, a deeper issue with regards to cyber warfare emerged in the course of the investigation.|It is important to have legal deterrents to discourage nations to use cyber warfare. This case also revealed the difficulty of mounting up a defense structure for sophisticated hackers. The intricate design of the Stuxnet virus may have supported the claim that this was the handiwork of state-sponsored cyber warfare against Iran’s nuclear program.|
|Estonia’s Website|This is another example of how nation-states were able to intimidate and interfere with the affairs of local governments and minority groups. In this case, cyber-attacks were utilized to punish a minority group.|Estonia’s local government was severely affected. The financial loss was a major consequence even if the attack was never monetary in nature.|It is important to develop systems that deflect the use of botnets and other schemes designed to overwhelm websites.|
|AT&T|The malware was used to disrupt the business operations of this telecom giant. Even without the direct use of financial strategies opponents of a commercial enterprise may succeed in destroying a competitor using the schemes of hackers.|There was a loss of confidence among the subscribers and users of AT&T’s services. This is the same as losing money because clients elect to use the services of other companies.|It is imperative to develop better schemes in ensuring the security of critical aspects of the telecom business. The DDoS attack is an example of an unsophisticated and yet effective cyber-attack tactic.|
|Lockheed Martin|This is a good example of how cybercriminals can use sophisticated schemes in going around the security measures of a company. In this case, the attacker used a low-level strategy on RSA, the security consultant of Lockheed in order to defeat the security protocols of the company.|Lockheed had to implement radical measures in order to reduce the impact of the|It is important to develop detection systems and policies on how to handle the consequences of a cyber-attack.|
|Maroochy Water|A disgruntled former contractor vented his frustration against his former employer. The said example of a cyber-attack was noteworthy because the plan was executed by one man armed only with a laptop and a radio.|It took several weeks to figure out that the problems encountered by the systems administrator were not the consequence of faulty equipment or failure in the computer systems governing the water supply facility. Before Boden was captured, he was able to pump out more than one million liters of untreated sewage water into the local waterways.|Public utility companies or transportation hubs are vulnerable to unsophisticated attacks due to the concept of “real-world” dependencies or the intricacies brought about by “network science.” In other words, the complex nature of the system governing the said facility made it easier to attack a single area or critical node and the cascading impact is enough to cripple the major areas of the facility.|
In the case of Sony and RSA, Ltd., the adversary utilized a low-level hacking strategy. IT security experts assigned to safeguard the company’s servers could have prevented the said attacks by simply incorporating better corporate governance (Mellado 2013).
In the Lockheed Martin case, the intrusion protocol was implemented through various stages of hacking activities. It is interesting to note that the first stage of the attack was manifested in a low-level intrusion that made it harder for IT experts to anticipate and detect. The cases that were described earlier showed the importance of looking beyond the white-collar crime problem of IT security breaches. It was made clear that intruders are not always interested in getting a financial gain after the successful implementation of a cyber-attack. In the case of Ashley Madison, the goal was to blackmail the users of the said website. It is possible to use the same tactic in order to extort money from the victims.
In the case of Estonia and Iran’s nuclear program, there was no desire to earn money from the said illegal activity. It is interesting to note that IT security breaches can become a political tool. The pervasive use of social media and commercial websites has increased the value of securing IT-based platforms. In the case of Estonia, government work was hampered due to the problem of IT security breaches.
It is also important to focus the spotlight on the separation between systems for communication and email messages and the separate system that was designed to handle the actual work of the enterprise. For example, in the case of Qatar’s RasGas, the intruders were able to use the infrastructure for communication in order to manipulate the system that was earmarked for the utilization of mined natural gas. It is imperative to develop better compartmentalization protocols in order to prevent hackers from getting into the mechanical or electrical components of a business operation.
The RasGas case strengthened the argument that skilled hackers are able to insert sophisticated computer viruses into systems that were not connected to the World Wide Web. This insight has major implications, especially when it comes to the idea that hackers have the capability to effect physical destruction and not just to steal data or slow down the capability of several computers.
The contamination case of the Maroochy Water Service facility located in Australia is the oldest case of a successful cyber-attack described in the paper. However, this case provided a clear example of the real-world damage that a cyber-terrorist may hope to accomplish. In addition, the case revealed the inherent weakness of complicated systems that are affected by “real-world dependencies.” For example, it took a skilled worker who had intimate knowledge of the system several weeks to finally discover that the problem was not the result of system failure. In a related case, it took a long time for Iran’s nuclear inspectors to discover that the root cause of the broken centrifuges was not the end-result of a faulty design, but it was the outcome of a deliberate attack.
The Maroochy Water Service case also highlighted the fact that an insider can cause a great deal of damage to the system. In this regard, it is critically important to have more than a few people who had absolute mastery of the system in order to counter the diabolical plans of a few disgruntled employees. In other words, corporate executives and other corporate leaders are not supposed to have a superficial understanding of the system. Someone in higher-level management must have a clear understanding and detailed appreciation of the whole system in order to figure out vulnerabilities and to find out in advance how a potential attack can be carried out using insider knowledge.
It is also critically important to focus the spotlight on Sony for the simple reason that there were defense mechanisms available in the market that could have been installed beforehand in order to stifle the attack or at least limit the damage to one section of the company. Sony’s failure to invest in an extensive and redundant anti-intrusion system can become a useful example in explaining the reluctance of company leaders to invest in areas that could not provide a financial gain for the intruders.
Important lessons acquired in the study of the cyber-attack leveled against RSA Ltd. demand review and dissemination to corporate leaders around the world. The case study of RSA’s vulnerability revealed that the company did not make the same mistake as Sony, because it was difficult for hackers to engage the security system in a frontal assault. It was an expected move considering the fact that RSA was considered as the best IT security service provider for some of the largest companies on the planet. In the end, RSA’s much-vaunted IT security system was not enough to protect the company from the impact of human frailties. Thus, the case should be considered as a cautionary tale because a defensive mindset should encourage the design of a system that included the ability to predict possible human reactions when exposed to a certain situation. Thus, it is prudent to train workers how to detect possible low-level strategies designed to persuade employees to open a file or install a Trojan-like virus into the employee’s computer.
Finally, the Stuxnet virus’ derailment of Iran’s nuclear program should form part of a master’s course regarding IT security breaches. This virus was created by a sophisticated group of hackers who were able to develop an intrusion mechanism exploiting a vulnerability in the operating system software that even the software maker did not know existed. It is best to illustrate the capability of the Stuxnet developer at the same level as a world-renowned software programming company or a world-class anti-virus software company. In other words, it is the best course of action to invest in the latest state-of-the-art IT security programs in order to prevent the repeat of the financial and reputation damage caused by intruders in the Sony intrusion scandal. However, the Stuxnet virus case sends a clear message not to get into a false sense of security, because the best hackers in the world are able to find vulnerabilities in the operating system or anti-virus software if they have access to the right resources.
There is a need to look beyond the white-collar crime aspect of cyber-attacks. It has been made clear that there are different ways for cybercriminals to make money. The use of intimidation and blackmail provides them an avenue for earning a profit using cyber warfare. In addition, companies may lose money not only as a direct consequence of leaked financial information but as a direct result of damage to reputation and the lack of customer confidence with regards to the product or the ability of the company to safeguard personal information. Cybercriminals have the capability to use intellectual property or sell information to others on how to penetrate a system using compromised security information. This was the case of RSA and Lockheed Martin. Furthermore, there is a need to develop security measures that take into consideration the effectiveness of low-level strategies like email phishing. In this regard, IT consultants must determine how the interconnection of work-related activities and job responsibilities become tell-tale signs on how to access greater levels of authority within a company’s personnel structure.
Beare, E 2012, Encyclopedia of transnational crime and justice, Sage Publications, Thousand Oaks.
Chayes, 2015, Borderless wars, Cambridge University Press, New York.
Costigan, S & Perry, J 2012, Cyberspace and global affairs, Routledge, New York.
Dhivakar, A 2014, RSA algorithm, Anchor Academic Publishing, Hamburg.
Diehl, E 2016, Ten laws for security, Springer, New York.
Epifani, M & Stirparo, P 2015, Learning iOS forensics, Packt Publishing, Birmingham.
Gottschalk, P 2010, White-collar crime: detection, prevention and strategy in business enterprise, Universal Publishers, Boca Raton.
Mellado, D 2013, IT security governance innovations, IGI Global, Hershey.
Pagliery, J 2014, ‘Sony-pocalypse’: why the Sony hack is one of the worst hacks ever, Web.
Radziwill, Y 2015, Cyber-attacks and the exploitable imperfections of international law, Brill, Danvers.
Savona, E & Williams, P 2005, The United Nations and transnational organized crime, Frank Cass, New York.
Segal, A 2016, The hacked world order, Perseus Books Group, Philadelphia.
Shakarian, P, Shakarian, J & Ruef, A 2013, Introduction to cyber-warfare, Elsevier, Waltham.
Siegel, L 2015, Criminology: the core, Cengage Learning, Mason.
Williams, B 2014, Here’s what we know so far about the celebrity photo hack, Web.
Williams, M 2012, AT&T hit by DDoS attack, suffers DNS outage, Web.
Winkler, I & Gomes, A 2016, Advanced persistent security, Syngress, Cambridge.
Wittkop, J 2016, Building a comprehensive IT security program, Springer Science, New York.
Zetter, K 2014, Countdown to zero day: Stuxnet and the launch of the world’s first digital weapon, Random House, New York.