The major breaches that occurred over the last nine years have affected LinkedIn to a serious extent on an organizational level. Based on the analysis of the company’s cybersecurity status, the major flaws comprise breaches in the website’s API, as well as the lack of HttpOnly cookies and DNSSEC. In addition, first-time visitors of the service are subject to a MITM attack because the domain does not appear on the HSTS preload list (UpGuard, 2021). Thus, in the current cybersecurity situation, the company remains subject to unauthorized third-party access. The lack of DNS key verification creates a favorable environment for phishing attempts, providing another avenue of user data fraud.
In this regard, the service’s data is to be protected from unauthorized from the outside. The security systems of Bell-LaPadula and Biba are unlikely to become the optimal choice for this objective. They are designed primarily for the military context, preserving the chain of command and preventing the improper manipulation of data. A similar perspective is valid in the case of Clinical Information Systems Security. The Chinese Wall is created for competitive digital environments, making its purpose utterly different from the pressing concerns of LinkedIn. Next, the Access Control Matrix of the Graham-Denning system deals with specific variables, which are not applicable in LinkedIn’s cybersecurity space.
The intermediary principle of Clark-Wilson is more promising in the discussed scenario, but there appear to exist better options. More specifically, the frameworks of noninterference and nondeducibility rely on the strong division of low and high entities (Lu et al., 2019). This is exactly what is needed by LinkedIn, as breaches in DNSSEC and API may allow unauthorized users to access high-level objects within the system. The noninterference framework appears more secure for such sensitive data. Even though it is often perceived as excessively strict, this level of protection will benefit LinkedIn amid the aftermath of data breach scandals.
Therefore, the systems of noninterference and nondeducibility reflect the features that are required by LinkedIn. The imperfections of the system’s API enabled the most recent data breach that led to a leak of hundreds of millions of users’ private data. Such software is useful for the establishment of an enhanced interaction between several applications, but it imposes additional risks. More specifically, with the absence of HttpOnly cookies, low-level users may obtain access to high-level objects within the system if the IT department of the company overlooks certain loopholes. The properties of the noninterference framework regulate the relationship between the two levels, implementing a solid wall between the entities. Accordingly, this wall will implement an additional security checkpoint that will verify any access attempts. If the required status for viewing and editing high-level objects is not registered by the system, the attempt will be blocked, notifying the cybersecurity unit.
On the other hand, the core of most security models dates back to the earlier stages of cybersecurity evolution. Thus, their properties may not reflect the full extent of today’s information systems complexity. For example, the concept of API is a relatively recent addition to data handling, as prior frameworks were more self-contained and the need for external interaction was not as obvious. Thus, the strict categorization of applications, and not only users, is required to reflect the value of API along with its challenges. In addition, the chosen security framework is to maintain the uninterrupted functioning of millions of datasets, which comprises both users and partner organizations. The implementation of new firewalls is often associated with the risks of making the process more complicated or long. LinkedIn is a website of paramount importance for today’s professional communities, possessing a considerable amount of data. Thus, it is vital not to increase the load on servers to have a user experience unimpaired by security initiatives.
Finally, it appears possible to compile an updated cybersecurity plan for LinkedIn. The organization currently seeks to create “economic opportunity for every member of the global workforce” (LinkedIn, 2021a). As per the company’s data policy, the search for economic opportunities is to be safe and secure so that both users and employers trust the platform (LinkedIn, 2021b). Thus, the ambitions of the company are truly global, imposing additional requirements on the functionality and safety of its web services. In its current practice, LinkedIn has strict regulations in terms of the use of potentially damaging software, algorithms, and tools. Any means of scraping and automated contact interaction are strictly prohibited on the platform (LinkedIn, 2018). In addition, the terms of the service naturally discourage users from illegally obtained data manipulation. As per the current plan, these verbal restrictions will be strengthened further by a noninterference security framework. The idea is to draw a line, distinguishing publicly available data from private information.
At the same time, any signs of automated means of data handling even in the public domain, such as multiple attempts of dataset access in a short period, should be immediately identified and blocked. Most of the current risks come from third parties, becoming an external threat to the integrity of the company. Within the framework of the plan, users will exhibit only a portion of private contact information in the public domain. The rest of the data will be placed under the website’s protective mechanisms and accessed through API-based mediators. For example, recruiters will not be able to see phone numbers and email addresses directly. Instead, LinkedIn’s interface will process their requests and transmit communication attempts as an intermediary high-level subject. Appendix B lists the key security aspects of an envisaged LinkedIn cybersecurity framework.
References
LinkedIn. (2021b). LinkedIn joins Digital Trust & Safety Partnership. Web.
LinkedIn. (2018). Prohibited software and extensions. Web.
LinkedIn. (2021a). About LinkedIn. Web.
Lu, C., Qian, G., & Chen, T. (2019). A cloud computing security model based on noninterference. Wuhan University Journal of Natural Sciences, 24, 194–200. Web.
UpGuard. (2021, July 27). LinkedIn. Web.