Information security involves protecting digital data from unauthorized access. Growth in the use of mobile phones and computers for personal and business activities has increased the chances of these devices being compromised. There has also been increased development and deployment of viruses and malware that mine data from the devices of unsuspecting users.
This report discusses information security breaches that involved, or resulted from, the use of the aforementioned devices.
A Chinese toy manufacturer called VTech is said to have suffered a massive data breach when suspected criminals attacked its servers. Personal data belonging to 5 million people, including children, was exposed. The data was said to include names, email and home addresses, passwords, genders and birthdays, as well as photos of children (Kirk, 2015).
The attack used SQL injection (SQLi) against VTech’s web and database servers, which allowed the attacker to gain administrative access to the servers (Franceschi-Bicchierai, 2015). SQL injection involves inserting malicious commands into a website’s forms so that the site returns data it is not supposed to return.
A SQL injection flaw can be enough for an attacker to bypass the authorization and authentication procedures and mechanisms in place and therefore retrieve the contents of a whole database.
The attacker claimed to have wanted to expose the poor security VTech applied in handling sensitive customer data (Franceschi-Bicchierai, 2015). The attacker is said to have randomly stumbled upon an online discussion about the tablets manufactured by VTech and how easy they were to manipulate, with the majority of members claiming to be doing it for fun.
The discussion piqued the attacker’s interest in exploiting vulnerabilities associated with VTech’s products and websites. The attacker exposed the fact that VTech’s web registration services and forms did not use proper security such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data exchanged between its source and destination (Kirk, 2015).
The following are possible solutions that a company can adopt to ensure the safety of its sensitive data.
As it turns out, VTech used either poor encryption or none at all. It did not use SSL or TLS, which encrypt data sent between a user’s computer and the service receiving the data. In addition, passwords were protected only with MD5, a hash algorithm that is very weak for this purpose, and tools for recovering the original passwords from the hashes are readily available. Proper encryption needs to be implemented to safeguard confidential customer data.
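The weakness of unsalted MD5 described above, next to a salted and deliberately slow replacement, as an added example that is not part of the original report or of VTech's systems. The account names, passwords, wordlist and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune per host

def md5_record(password):
    """The scheme the report describes: fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()

def recoverable(stored, wordlist):
    """Audit: which stored MD5 records match a precomputed table of common passwords."""
    table = {md5_record(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}

def kdf_record(password, salt=None):
    """Replacement: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def kdf_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(kdf_record(password, salt)[1], digest)

# Constructed sample accounts and wordlist.
ACCOUNTS = {"parent1": "123456", "parent2": "123456", "parent3": "r7#Vq-unlisted-phrase"}
WORDLIST = ["password", "123456", "qwerty"]

if __name__ == "__main__":
    md5_db = {u: md5_record(p) for u, p in ACCOUNTS.items()}
    print("same digest for same password:", md5_db["parent1"] == md5_db["parent2"])
    print("recovered from table:", recoverable(md5_db, WORDLIST))
    kdf_db = {u: kdf_record(p) for u, p in ACCOUNTS.items()}
    print("same record for same password:", kdf_db["parent1"] == kdf_db["parent2"])
    print("login check:", kdf_verify("123456", kdf_db["parent1"]))
```

Because MD5 has no salt, two users with the same password share one digest and a single table lookup exposes both; with a per-user salt the stored records differ even for identical passwords.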
The VTech attack involved SQL injection. As mentioned earlier, this involves inserting malicious commands to trick a data source into returning unauthorized data to an unauthenticated user. Injection occurs when a program, especially a web application with form fields, uses data that has not been validated as part of an SQL query sent to a database.
To prevent SQL injection, it is important to validate and clean up user input and to avoid concatenating user input into the application’s SQL, using parameterized SQL statements instead (Mackay, 2005).
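The difference between concatenated and parameterized SQL described above, as an added example that is not part of the original report or of VTech's code. It uses an in-memory SQLite database; the table, column names, sample rows and form input are constructed.

```python
import re
import sqlite3

# Constructed sample rows; table and column names are hypothetical.
ROWS = [
    ("alice@example.com", "Alice Example", "1 Sample Road"),
    ("bob@example.com", "Bob Example", "2 Sample Road"),
    ("carol@example.com", "Carol Example", "3 Sample Road"),
]
# Constructed form input that closes the string literal and adds a condition.
CRAFTED = "' OR '1'='1"

def make_db():
    """Build an in-memory database holding the sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (email TEXT, name TEXT, address TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return db

def lookup_concatenated(db, email):
    """Vulnerable: the form value becomes part of the SQL text."""
    sql = "SELECT name, address FROM accounts WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    """Hardened: the SQL text is fixed and the form value is bound as data."""
    sql = "SELECT name, address FROM accounts WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_valid_email(value):
    """Validation layer: reject input that is not shaped like an address."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED))   # every row
    print("parameterized:", lookup_parameterized(db, CRAFTED))  # no rows
    print("validation   :", is_valid_email(CRAFTED))
```

Validation is kept as a second layer here; the bound parameter is what stops the input from changing the query, since the value is never parsed as SQL.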
This case involves sensitive company files and data being stolen from disks and posted online on Pastebin. The hacking incident is claimed to have been perpetrated by a group calling itself Guardians of Peace (Zetter, 2014).
The incident affected Sony Pictures, a motion picture studio based in the United States of America. The specific victims of the hack within Sony were the employees and their families.
It affected them by having their sensitive and classified data leaked online. The leaked material included details of employees and their families, emails exchanged among employees, details of the salaries of the company’s executives, and copies of films that were said to have been unreleased.
It was claimed that 100 terabytes of data was stolen from Sony. The data included unreleased films, which were shared for free on file-sharing websites. Internal documents containing the personal information of Sony’s employees were also leaked. This included salaries, social security numbers, names and titles (Betters, 2015).
Sony Pictures itself was sued by former employees for failing to safeguard their private information. The company was accused of failing to prepare for cyberattacks despite previous warnings and attacks (Ellis, 2014).
This being a targeted attack, the hackers gained access to Sony by engaging with sympathetic employees, helped by the fact that physical security within Sony’s offices had not been implemented or was not given priority.
Upon gaining entry with the help of employees, the hackers stole the computer security credentials of the employee who served as the systems administrator. This gave them broad access to the company’s networks and computer systems.
Once inside Sony’s network, the hackers planted malware that was said to be wiper malware, meaning malware designed to destroy data, although the one used collected data instead.
The malware then stole passwords, private files, computer source code and files containing passwords for accessing databases.
The malware then transmitted this information to computers belonging to the hackers, thereby making the attack a success (Bort, 2014).
Considering that the breach at Sony Pictures was orchestrated with the help of employees who were either disgruntled or had developed a negative attitude towards their employer, it is necessary to always handle the complaints employees raise and so avoid the consequences associated with such workers.
Sony Pictures did not consider it a big deal to maintain physical security where it kept its sensitive information (Bort, 2014). Anyone could get in and out of the offices without any suspicion being raised as to who they were or their motive for being on the company’s premises.
The company ought to ensure that everybody who enters the premises is subjected to a rigorous security check before being allowed in.
After the attack, data and files belonging to the company were leaked and could be seen or accessed by anyone without having to go through a decryption mechanism. This points to data being stored without encryption. When handling sensitive information, whether locally or remotely, encryption mechanisms should be employed to safeguard the data in the event of a hacking incident.
Considering that employees at Sony would share emails between them, educating employees on the importance of sharing emails over a secure and encrypted connection should be a priority in all organizations.
Bearing in mind that an employee at Sony shared the password and access details of the system administrator, a conclusion can be made that sensitive tasks would be done by multiple employees. This ought to be avoided by giving employees only tasks for which they are professionally qualified, or by denying them permission to perform multiple sensitive tasks. This makes it possible and easier to track the individual whose actions compromise the security of the organization.
A company dealing with data that is risky should consider insurance. Most insurers demand that certain measures be taken to enhance the safety of data, including encryption, physical security of premises and allocating sensitive duties only to parties authorized to handle the data. This adds a layer of security to data and files within a company, thereby minimizing damage.
This mostly focuses on emails. There should be policies on how to handle data, such as emails being deleted regularly. This ensures that in the event of an attack, no sensitive information is leaked online. This reinforces the privacy of messages such as business deals, plans and sensitive communications.
This enables the company to have a sample experience of the aftermath of a hacking incident and how to handle it. It also helps the company to know what would be lost in the event that an attack occurs. It is through simulation that the company will be able to know which security procedures to put in place to ensure the safety of its data, files and computer systems.
Bearing in mind the ability of a cyber attack to break a company’s reputation and thereby cost it business, every executive should invest in security and ensure that it is part of the company’s core business and lifeline.
10 Tips to Prevent Data Theft for Your Small Business. SMALL BIZ AHEAD. Retrieved 8 April 2017, from https://sba.thehartford.com/managing-risk/10-tips-to-prevent-data-theft
Betters, E. (2015). Sony Pictures hack: Here's everything we know about the massive attack so far - Pocket-lint. Pocket-lint.com. Retrieved 8 April 2017, from http://www.pocket-lint.com/news/131937-sony-pictures-hack-here-s-everything-we-know-about-the-massive-attack-so-far
Bort, J. (2014). How The Hackers Broke Into Sony And Why It Could Happen To Any Company. Business Insider. Retrieved 8 April 2017, from http://www.businessinsider.com/how-the-hackers-broke-into-sony-2014-12?IR=T
Ellis, R. (2014). Sony Pictures faces lawsuits over security breach - CNN.com. CNN. Retrieved 8 April 2017, from http://edition.cnn.com/2014/12/20/us/sony-pictures-lawsuits/
Ford, N. (2015). VTech hacked: nearly 5 million parents’ and 6.4 million children’s details exposed UPDATED. IT Governance USA Blog. Retrieved 8 April 2017, from https://www.itgovernanceusa.com/blog/vtech-hacked-nearly-5-million-parents-and-200000-childrens-details-exposed/
Franceschi-Bicchierai, L. (2015). One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids. Motherboard. Retrieved 8 April 2017, from https://motherboard.vice.com/en_us/article/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
Kirk, J. (2015). Data breach of toy maker VTech leaked photos of children, parents. Network World. Retrieved 8 April 2017, from http://www.networkworld.com/article/3010194/data-breach-of-toy-maker-vtech-leaked-photos-of-children-parents.html
Mackay, C. (2005). SQL Injection Attacks and Some Tips on How to Prevent Them - CodeProject. Codeproject.com. Retrieved 8 April 2017, from https://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev
Misener, D. (2015). What you need to know about the Vtech hack and protecting your kids' data. CBC News. Retrieved 8 April 2017, from http://www.cbc.ca/news/technology/vtech-data-breach-1.3345362
Morgan, L. (2016). List of data breaches and cyber attacks in 2015 – over 480 million leaked records. IT Governance Blog. Retrieved 8 April 2017, from https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2015-over-275-million-leaked-records/
Prince, K. ITBusinessEdge.com. Itbusinessedge.com. Retrieved 8 April 2017, from http://www.itbusinessedge.com/slideshows/show.aspx?c=79585&slide=9
Rajkumar, P. (2014). 15 ways to prevent data security breaches. Big Data Made Simple - One source. Many perspectives. Retrieved 8 April 2017, from http://bigdata-madesimple.com/15-ways-to-prevent-data-security-breaches/
Zetter, K. (2014). Cite a Website - Cite This For Me. Wired.com. Retrieved 8 April 2017, from https://www.wired.com/2014/12/sony-hack-what-we-know/