
Understanding the potential security risks associated with hackers in business environments: an assessment of a university's IT security management procedures by means of task analysis.

Introduction

The Internet is a silicon-based virtual world, Boolean by nature, in which governments and thousands of organisations, banks, schools, hospitals and almost every modern institution across the world conduct their financial transactions daily and exchange a variety of what may be considered sensitive data. It is a worldwide broadcasting mechanism and a medium for collaboration and interaction between users, unconstrained by any international, political or geographical boundaries.

It is also, however, characterised by a lack of structure, which provides an ideal environment for data exploitation since it is accessible to anyone with a computer and network access. According to the 2007 figures on the Internet World Stats site (http://internetworldstats.com), there are more than 1.2 billion users throughout the world; over 237 million people are commercially active online, with 40 million performing online banking and a retail figure of $412.7, giving a total internet economy of approximately $2.3 trillion (Nikolov, 2006). These figures suggest that a large quantity of sensitive information stored electronically, e.g. credit card numbers, bank details and private records, is accessible for viewing, altering and manipulation by anyone with the skills to hack or crack into a networked system. Furthermore, according to Dunn (2001), 64 per cent of the 538 businesses surveyed by the Computer Security Institute had experienced computer security breaches and financial losses. This is a crucial issue for any organisation or institution that provides online services. As an example of the latter, the cost of hacking in the year 2000 was estimated at $1.5 trillion (PricewaterhouseCoopers, 2000), while in 2003, according to Ungoed-Thomas, the cost was put at £1 trillion.

Purpose of the study

Educational institutions such as universities have traditionally offered perpetrators a broad spectrum of targets. According to The Information Management Journal (2007), universities in the US suffered 50 of the 300 security breaches reported during 2006. Databases were hacked at institutions in Alaska, Texas and Western Illinois; a system penetration at the University of California at Los Angeles remained undiscovered for a year; and in Ohio about 173,000 records belonging to alumni, employees and students, containing personal information such as names, social security numbers and dates of birth, were stolen. In the same year 270,000 records were exposed at the University of Southern California following a series of breaches. These cases show that computer security breaches do not belong to a fictional, cinematic sphere with little or no real effect; they pose a serious threat which, if left undetected, may have dire financial and social repercussions.

The University of East London (UEL) has 500 desktop computers at its Docklands campus and another 240 at Stratford (http://www.uel.ac.uk/it/smallprint.htm), approximately 1,271 in total; most of these operate as terminals for internet access. The number of possible system intrusions is therefore very high and very plausible, since every internet-connected terminal is both a potential target for malware and a potential source for releasing such software into the system. Intrusions may originate either from on-campus terminals or from external ones that reach the university's local area network (LAN) through the internet. Given that online banking is also provided, and that universities are a common target for hackers, an analysis of the relevant IT security may be deemed very important. Furthermore, the evolution of this new technological breeding ground, the internet, is intrinsically based on a chaotic and anarchic progression of its sub-components, which amplifies the need for sound internet security management and practice.

This paper will not attempt to analyse in detail the technical aspects of implementing IT security, e.g. setting up firewalls, but merely to emphasise its necessity by depicting the intrusion threat and, more importantly, by acquiring a critical overview of the current IT management system; for the latter purpose a task analysis was applied to data collected from interviews with the relevant personnel, and further details of the procedure, analysis and results can be found in the method and discussion sections. It is important for IT security managerial staff to maintain a vigilant attitude towards intrusion threats; Cavusoglu et al. (2005) suggest that there are three fundamental components of security that management has to address: prevention, detection and response. This paper assesses the effectiveness of the latter and attempts to present a comprehensive view of IT security. Computer security has to be viewed as a core activity of the university, and senior management has to view security from a holistic perspective (Trim, 2005).

Common problems encountered by management

It is a common error of senior management not to commit fully to the tasks necessary for securing the network (Kwok & Longley, 1999), partly because of the variety and quantity of knowledge required to keep up with technological advances and requirements. The last two decades have seen a rapid transformation of computer hardware and software: from the arrival of the 80x86 processor line and the blitter (from BLIT, block image transfer) chips of the 1980s, through the Pentium line, to supercomputers such as the Cray-2 (1985) and Blue Gene (2006), the architecture has changed dramatically, and so have the complexity and variety of software design. The amount of technical information one person must possess in order to meet the demands of the occupation successfully has escalated over the last four decades. For this reason the IT management structure is now divided into several segments in order to cope with the current pace of technological advancement and application; UEL alone has five general divisions under the director of IT services and twenty-five subdivisions, with occupational designations ranging from Principal Database System Administrator to Senior Network Specialist for both Unix and Windows environments (http://www.uel.ac.uk/it/index.htm).

The root of occupational fragmentation within the IT management community can be traced back to the mid-1960s, when the management of financial institutions sought to establish an online rapport between the members of their rapidly developing and expanding business networks. This led to the adoption of a trend already more than 50 years old at the time, called 'scientific management'. The model, devised by Frederick Winslow Taylor (Taylor, 1911) and widely known as 'Taylorism', aimed to remove decisions about the actual mode of execution of every work activity from the employees (Hannemyr, 1999) so that management could gain better control over productivity and quality. Taylorism resulted in the creation of specialised occupational fields characterised by a strict hierarchy of decreasing status and seniority. This meant that programmers, technicians and everyone else employed within the IT infrastructure domain had different privileges and access rights, a notion which implicitly discouraged the free exchange of ideas and information as well as social interaction among the relevant personnel.

The application of Taylorism in financial institutions, despite revolutionising management control and efficiency, may also be viewed as one of the cornerstones of the problematic organisational designs faced by managers today, including IT managers. It has led to the over-fragmentation of companies mentioned above, generating a multi-nodal organisational network in which progress and financial success rest not on a communal effort by the individuals making up the organisation but on collaboration between numerous separate departments employing dozens of people of varied skill levels. This provides the ideal cradle, or initial conditions, for a chaotic organisational structure in which problematic and ineffective communication is a standard issue.

Over-fragmentation introduces more variables into the design of the management system, generating possible communication delays and breakdowns; these are issues that may contribute to the penetration of the network and the exploitation of sensitive material by hackers. Should an incident such as a denial of service (DoS) attack not be detected or reported in time by the staff responsible, it may prevent the correct functioning of the network and in the worst case result in its complete shutdown. To make matters worse, employees are often not fully aware of the procedures to follow when experiencing an electronic or socially engineered attack, or do not know whom to contact if such a situation occurs. It should be noted that the implications of such a scenario are always financially costly and time-consuming.

Lack of commitment and over-fragmentation of the management structure are not, however, the only common issues encountered; it is practically impossible to avert and detect all breaches and attacks on a network. As a side-effect, IT security cannot always produce a detailed and convincing demonstration to shareholders of the need for constant and further funding. Since the costs associated with IT infrastructure are already high, e.g. UEL is estimated to spend approximately £1,470,600 in the year 2007/08 (http://www.uel.ac.uk/it/smallprint.htm), it would be difficult to acquire further funding solely for the purpose of advancing IT security.

Moreover, as Sanderson & Forcht (1996) suggest, companies and institutions are commonly slow to realise that '... a security structure should be well implemented as a way of protecting the business interests' of the company or institution. According to Leeson & Coyne (2005), such organisations, particularly financial institutions, are reluctant to report hacker-related intrusions and losses for fear of how this may affect the attitude of shareholders or public opinion regarding the institution. Maintaining a good public image is of vital importance for every financial institution; its image is reflected in the feedback of its economic flow, which sustains and upgrades its social status, and a good standing is in turn translated into an increase in its capital capacity and hence in the application of its capital investment.

In all cases solid IT security comes down to the training and, more importantly, the integrity of the employees responsible for it. These can be an institution's or company's greatest strength or weakness, since most breaches originate from within, that is, from the employees of the institution (Haugen & Selin, 1999). It is therefore imperative for a company's hiring process to be thorough. It is also important for a company to foster a sense of positive assimilation among its personnel, a feeling of being part of a team. People tend to respond more positively to occupational requirements when they feel secure and believe that their efforts are recognised and appreciated. When treated properly, the goals of the institution become their own; their work, thoroughness and productivity are viewed as means of contributing to the general development of the institution or company. They then regard it as part of their responsibility to behave appropriately.

However, this is not usually the case; companies, particularly large financial ones, often fail, because of their over-fragmented nature, to provide a sense of belonging and security to employees, and instead act merely as faceless and detached workplaces in which employees are regarded only as expendable tools for capital growth. Global financial tendencies have made sure of that: when downsizing is common practice among companies, and when the number of job-seekers exceeds the number of available positions (slow absorption, particularly when one is ascending the organisational hierarchy, combined with frequent replacement of human resources), the strategies applied by companies undermine the principles on which a comprehensible psychological contract is built.

The concept of the psychological contract is a sensitive one; what was generally accepted as a clear-cut agreement between employer and employees has changed along with the evolution of international finance towards an intense and rapidly evolving scheme of capital acquisition; the demands and structure of institutions and companies are constantly being altered towards a more business-centred approach, seeding feelings of insecurity and dissatisfaction in the employee's mind. Because IT security is not only about setting up defences and restricting access to unauthorised persons but mostly about identifying the potential risks associated with intrusion, this is a major risk factor for all businesses: should an employee believe that the ethics of the psychological contract are being violated, a potential line of attack leading to fraud and security breaches is opened. The relationship between employer and employee has always been built upon the mutual understanding of both parties; however, nowadays it is easier to break an agreement

The purpose of a financial institution is profit, and profit is the outcome of sensible risk-taking and of well-performed risk assessment. Organisational systems fail because of inadequate risk assessments; wrong managerial assumptions about the abilities, responsibilities and attitudes of employees produce a dysfunctional working network, which in turn has a great negative impact on profit by presenting perpetrators with opportunities for intrusion. It should be made clear that the combination of all the issues discussed above, as confronted by management, is common and occurs with varying frequency within financial institutions. Organisational structure has become complex and animated, as illustrated by the fast-growing numbers of businesses being born and failing financially.

Before proceeding to the implications and effects of hacking in the business environment, the methodology of intrusion techniques and the assessment of the relevant management structure, it is prudent to give a brief delineation of the history of hacking.

A very brief history of hacking

The history of hacking can be traced back to the 1870s, when several teenagers interfered with the newly developed telephone system in the US (St. Petersburg Times, 2000). The term 'hacking', however, was not established until the 1960s at the Massachusetts Institute of Technology (MIT), where members of the Tech Model Railroad Club 'hacked' the control system of their model trains in order to alter their speed, efficiency and routing (Leeson & Coyne, 2005). In the same decade MIT set up its Artificial Intelligence Laboratory, giving students access to some of the first mainframe units; by present standards these machines were slow and occupied a great deal of space, and they presented students and staff with numerous software and hardware problems that had to be overcome through improvisation and innovation. Hence the term 'hacker' came to be applied to anyone able to alter the source code of a program in order to improve it; at that point in history being a 'hacker' involved no illicit activity and carried none of the reputation it has today.

The 1970s saw the introduction of the term 'phreaking'. John Draper, a US Air Force veteran, discovered that a plastic toy whistle given away in boxes of Cap'n Crunch cereal produced a 2600 Hz tone, the very frequency that AT&T's long-distance network used for in-band supervisory signalling: a continuous 2600 Hz tone on a trunk told the switching equipment that the trunk was idle. The switch could not distinguish a tone played by a subscriber from one generated by the network itself, so whistling 2600 Hz down an open long-distance line disconnected the far end and left the caller in control of the trunk, which could then be steered with the multi-frequency routing tones that blue boxes generated. (The separate trick of imitating the tones a payphone sends when coins are deposited exploits the same weakness in coin signalling and became known as red boxing.) Draper was first arrested in 1972 for toll fraud. Phone hacking (phreaking) was popular in the hacker community during the 1970s and early 1980s; two members of California's Homebrew Computer Club, Steve Jobs and Steve Wozniak, built and sold blue boxes, devices based on the same principle that Draper had exploited, which generate the network's own signalling tones. It should be noted that these two hackers went on to found Apple Computer.
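The weakness Draper stumbled on is worth seeing in code: the trunk's tone detector is a frequency check, and a frequency check cannot tell the network's own supervisory tone from a whistle. The block below is an added example, not part of the original essay or of any AT&T equipment; it models a single-frequency (SF) detector with a Goertzel filter over synthesised telephone-band audio. The 8 kHz sample rate, the 50 ms window, the energy threshold and the 'whistle over speech' scenario are assumptions made for the demonstration.

```python
import math

SAMPLE_RATE = 8000    # telephone-band PCM rate (assumed for this demo)
SF_TONE_HZ = 2600.0   # AT&T single-frequency supervisory tone
FRAME = 400           # 50 ms detection window at 8 kHz (assumed)
THRESHOLD = 0.25      # share of frame energy that must sit at 2600 Hz (assumed)


def tone(freq_hz, seconds, amplitude=1.0, sample_rate=SAMPLE_RATE):
    """Synthesise a pure sine tone as a list of float samples."""
    n = int(seconds * sample_rate)
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]


def mix(*signals):
    """Sum several equal-length signals sample by sample (one shared voice path)."""
    return [sum(values) for values in zip(*signals)]


def goertzel_power(frame, target_hz, sample_rate=SAMPLE_RATE):
    """Power of the single DFT bin nearest target_hz, via the Goertzel recurrence."""
    n = len(frame)
    k = int(0.5 + n * target_hz / sample_rate)   # nearest bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def sf_tone_present(frame, sample_rate=SAMPLE_RATE):
    """Model of the trunk's SF detector for one frame.

    For a pure tone of amplitude A over n samples the Goertzel power is
    (n*A/2)^2 and the total energy is n*A^2/2, so dividing by (n/2) * energy
    gives the fraction of the frame's energy that lies at 2600 Hz.
    """
    energy = sum(x * x for x in frame)
    if not frame or energy == 0.0:
        return False
    fraction = goertzel_power(frame, SF_TONE_HZ, sample_rate) / (0.5 * len(frame) * energy)
    return fraction >= THRESHOLD


def classify_line(samples):
    """'idle' if every full frame carries the supervisory tone, else 'busy'.

    This is the trust decision the switch made: whoever produced the tone,
    the trunk is treated as idle.
    """
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    if not frames:
        return "busy"
    return "idle" if all(sf_tone_present(f) for f in frames) else "busy"


if __name__ == "__main__":
    network_idle = tone(SF_TONE_HZ, 0.05)                          # the network's own tone
    speech = mix(tone(440.0, 0.05, 0.5), tone(1200.0, 0.05, 0.5))  # stand-in for a voice
    whistle_over_speech = mix(tone(SF_TONE_HZ, 0.05, 0.6),         # subscriber whistles 2600 Hz
                              tone(440.0, 0.05, 0.3), tone(1200.0, 0.05, 0.3))
    off_pitch_whistle = tone(2590.0, 0.05)                          # a slightly flat whistle
    for name, signal in [("network supervisory tone", network_idle),
                         ("speech only", speech),
                         ("whistle over speech", whistle_over_speech),
                         ("off-pitch whistle", off_pitch_whistle)]:
        print(f"{name:26s} -> {classify_line(signal)}")
```

The detector's only input is the frequency content of the voice path, so any tone that passes the check is trusted, and a whistle a few hertz off pitch still passes because the 50 ms window cannot resolve the difference. The fix was common-channel signalling (today's SS7), which moved supervisory signals onto a separate channel the subscriber cannot reach; the same lesson applies to any protocol that carries control messages over a channel the user can also write to.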

During the 1980s the notion of being a hacker was promoted through cinema, e.g. WarGames (1983), and literature. William Gibson coined the term 'cyberspace' in his novel Neuromancer, laying the foundation for the 'cyberpunk' genre, which had an indirect influence on hacker culture by dramatising the conflict between anti-heroes and financial corporations (Thomas, 2002). The first issues of 2600: The Hacker Quarterly were published in 1984, and information on how to break into systems, along with sensitive data from a number of organisations, was copied from diskette to diskette. In response the Comprehensive Crime Control Act of 1984 gave the US Secret Service jurisdiction over credit card and computer fraud. This followed the arrest of the 414s hacker group, charged with breaking into some 60 computer systems. Later in the decade the Computer Fraud and Abuse Act (1986) made unauthorised access to federal-interest computers a federal crime. The Computer Emergency Response Team was formed in 1988 by DARPA, the US defence research agency, to coordinate the response to the growing number of network attacks. The term 'hacking' no longer referred to ingenious improvements to a system's design but had become synonymous with disorder, intrusion and the potential loss of millions of dollars.

Hackers continued the wave of attacks, with $10 million stolen from the First National Bank of Chicago. In 1990 the government launched Operation Sundevil, with raids in 14 major US cities. Kevin Lee Poulsen (a.k.a. Dark Dante) was arrested after stealing military documents. Attacks nevertheless continued to grow through the late 1980s and 1990s: Griffiss Air Force Base, NASA and the Korea Atomic Research Institute were all hacked (Leeson & Coyne, 2005). In 1995 Russian hackers stole $10 million from Citibank, and in February 2000 DoS attacks crashed the sites of companies such as Amazon and eBay, costing millions of dollars. On 5 February 2001 the database of the World Economic Forum (WEF) was hacked by a group of anti-globalisation activists; approximately 80,000 pages of personal information, including credit card numbers, email addresses and phone numbers, were stolen, among them the details of UN Secretary-General Kofi Annan, Shimon Peres, Yasser Arafat, former US president Bill Clinton and Microsoft founder Bill Gates (Matai, 2002). Perhaps the most famous hacker of all, Kevin Mitnick (a.k.a. the Condor), whose exploits have grown to legendary proportions within the hacker community, was arrested in 1995 after two and a half years as a fugitive sought by the FBI and, in 1999, pleaded guilty to charges from a 25-count indictment including wire fraud and possession of proprietary software taken from corporations such as Motorola and Sun Microsystems, receiving a sentence of 46 months; it was his second conviction. According to CNN he was accused of computer hacking, stealing corporate secrets, scrambling phone networks and hacking into the US national defence warning system, among other things, causing losses of millions of dollars.

The cases involving what Kevin Mitnick described as 'the art of intrusion' (Mitnick, 2005), meaning hacking and all its derivatives, are indeed more than can be accounted for. Hacking has evolved from an age of innocence, in which elite programmers and system administrators found witty solutions to engineering problems, through a prankster phase, in which breaking into a mainframe was considered a challenge undertaken for fun, to an era of organised mayhem characterised by the decline of ethically minded hackers and the rise of an all-for-profit and all-for-a-political-ideology mentality (Nikolov, 2006). Programmers are now divided into hackers, or white hats, who aim to discover the vulnerabilities of a system and report them to the companies concerned so that safety standards can be improved, and crackers, or black hats, who aim to exploit the data acquired, causing mayhem and promoting disorganisation at every kind and level of institutional or governmental structure.

Classification of intruders and methods of intrusion

According to Lodin (1998), intruders can be classified into two types: (1) outside intruders, meaning every cracker responsible for an attack initiated from an external terminal regardless of its geographical location, and (2) inside intruders, referring to employees working within the company who manipulate, exploit or destroy sensitive information, in many cases causing financial losses that cannot be recovered. Sundaram (1996, as cited in Sherif and Ayers, 2003) divided intrusion into six categories regardless of its source:

The term malware covers a number of infectious software types: viruses, worms, Trojan horses, botnets, key-loggers, rootkits, backdoors etc. A virus is a program that attaches itself to a file and replicates without the knowledge of the user; each copy may differ from the original, and the copies can in turn alter their own copies. A virus can affect the system in a variety of ways, including file corruption and deletion, boot sector damage and memory exhaustion. In contrast, a worm does not need to attach its code to a host file in order to replicate; it spreads by sending copies of itself across network nodes, consuming bandwidth and disrupting the flow of information. A Trojan horse, like the one of Greek legend, aims to get itself installed on the system and then opens access to it, supplying the cracker with sensitive information such as passwords and email addresses. It does so by disguising itself as something it is not; a recent example is the Swen worm, which arrived by email posing as a Microsoft security update and infected thousands of systems.

A botnet is a collection of autonomous programs running on infected computers or networks. A range of malicious software, e.g. viruses, Trojan horses and backdoors, is operated under the control of a command-and-control program, which usually collects the harvested data remotely. The affected machines are referred to as zombies, a term adopted from the hacker community. Key-loggers can be either software or hardware; in either case they record keyboard input. The captured data are then either mailed automatically to a predefined email address or, in the case of a hardware device, stored in its own memory until the intruder retrieves them. A rootkit is a program, or combination of programs, that conceals an intruder's presence on a compromised operating system and preserves the administrative (root) access already obtained, so that the intruder retains control of the system supporting the network. Extracting sensitive data with a rootkit often relies on a backdoor: a method of bypassing a system's security measures to provide persistent access to its data. A backdoor can be a software application, e.g. Back Orifice, which was installed on a very large number of systems, or a default, undocumented access path built into the original source code of a program or into a hardware device.
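The part of the botnet description that a defender can act on is the control program's remote collection of data: zombies call home on a timer, and timers leave a regularity in connection logs that human browsing does not. The block below is an added example, not part of the original essay or of any product; it runs a simple beaconing check over a constructed, space-separated connection log (timestamp, source, destination, destination port, bytes sent) and flags source-destination pairs whose connection gaps, or whose payload sizes, are nearly constant. The log lines, the field layout, the minimum connection count and the coefficient-of-variation threshold are all assumptions for the demonstration; the third host is deliberately a bot that randomises its sleep interval.

```python
import statistics
from collections import defaultdict

# Constructed log: "timestamp src dst dport bytes" (assumed layout, not a real format).
# 10.0.0.5 beacons every ~60 s; 10.0.0.7 is ordinary browsing;
# 10.0.0.9 is a bot with randomised sleep but near-constant check-in size.
SAMPLE_LOG = """\
# ts         src       dst            dport bytes
1700000000 10.0.0.5 203.0.113.9 443 512
1700000061 10.0.0.5 203.0.113.9 443 498
1700000120 10.0.0.5 203.0.113.9 443 503
1700000179 10.0.0.5 203.0.113.9 443 511
1700000240 10.0.0.5 203.0.113.9 443 507
1700000301 10.0.0.5 203.0.113.9 443 499
1700000360 10.0.0.5 203.0.113.9 443 505
1700000419 10.0.0.5 203.0.113.9 443 500
1700000005 10.0.0.7 198.51.100.20 443 40231
1700000017 10.0.0.7 198.51.100.20 443 12877
1700000205 10.0.0.7 198.51.100.20 443 98012
1700000212 10.0.0.7 198.51.100.20 443 2210
1700000905 10.0.0.7 198.51.100.20 443 56021
1700000920 10.0.0.7 198.51.100.20 443 7733
1700000010 10.0.0.9 203.0.113.9 443 510
1700000050 10.0.0.9 203.0.113.9 443 508
1700000145 10.0.0.9 203.0.113.9 443 502
1700000200 10.0.0.9 203.0.113.9 443 511
1700000280 10.0.0.9 203.0.113.9 443 509
1700000310 10.0.0.9 203.0.113.9 443 504
"""


def parse_log(text):
    """Parse the constructed log into (ts, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, size = line.split()
        records.append((int(ts), src, dst, int(port), int(size)))
    return records


def _cv(values):
    """Coefficient of variation (population stdev / mean): small when values are regular."""
    mean = statistics.mean(values)
    return float("inf") if mean == 0 else statistics.pstdev(values) / mean


def beacon_candidates(records, min_count=5, max_cv=0.1):
    """Flag (src, dst, port) flows that look like C2 check-ins.

    A flow is reported when it has at least min_count connections and either
    its inter-connection gaps or its payload sizes vary by no more than max_cv
    (both thresholds are assumptions for the demo).
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, size in records:
        by_flow[(src, dst, port)].append((ts, size))
    hits = {}
    for flow, conns in by_flow.items():
        if len(conns) < min_count:
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        timing_cv, size_cv = _cv(gaps), _cv(sizes)
        reasons = []
        if timing_cv <= max_cv:
            reasons.append("regular interval")
        if size_cv <= max_cv:
            reasons.append("constant payload size")
        if reasons:
            hits[flow] = {"count": len(conns),
                          "period_s": round(statistics.mean(gaps), 1),
                          "timing_cv": round(timing_cv, 3),
                          "size_cv": round(size_cv, 3),
                          "reasons": reasons}
    return hits


if __name__ == "__main__":
    for flow, info in sorted(beacon_candidates(parse_log(SAMPLE_LOG)).items()):
        src, dst, port = flow
        print(f"{src} -> {dst}:{port}  n={info['count']}  period={info['period_s']}s  "
              f"timing_cv={info['timing_cv']}  size_cv={info['size_cv']}  {', '.join(info['reasons'])}")
```

The jittered bot defeats the timing test but is still caught because its check-ins are all the same size; real beacon detection combines several such properties (interval, size, data volume, rarity of the destination) precisely because each one alone is easy to randomise. A low coefficient of variation is also not proof of malice: NTP clients, update checkers and monitoring agents beacon too, so in practice the output is a triage list for an analyst, not a verdict.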

Counteract measures of IT Security

UEL culture and managerial awareness

References

Association of Records Managers & Administrators. (2007). "ID thieves targeting universities", The Information Management Journal, 3:7.

Boole, G. (1854). "An Investigation of the Laws of Thought, on Which Are Founded the Mathematical Theories of Logic and Probabilities", Dublin: University Press.

Cavusoglu, H., Mishra, B. & Raghunathan, S. (2005). "The value of intrusion detection systems in information technology security architecture", Information Systems Research, 16, 1: 28-46.

Cable News Network. (1999). "The trials of Kevin Mitnick", [online] 18 March. Available at: http://www.cnn.com/SPECIALS/1999/mitnick.background/

Dunn, L. (2001). "Cybercrime skyrockets, say security reports: incidents double in 2000 and are still climbing but who's playing cybercop?", [online] Medill News Service, 6 July. Available at: www.idg.net/go.cgi?id=506588

Hannemyr, G. (1999). "Technology and pleasure: considering hacking constructive", [online] First Monday: Peer-Reviewed Journal on the Internet. Available at: http://www.firstmonday.org/issues/issue4_2/gisle/index.html

Haugen, S. & Selin, J. R. (1999). "Identifying and controlling crime and employee fraud", Industrial Management & Data Systems, 99, 8: 340-344.

Kwok, L. F. & Longley, D. (1999). "Information security management and modelling", Information Management & Computer Security, 7, 1: 30-39.

Leeson, P. T. & Coyne, J. C. (2005). "The economics of computer hacking", [online]. Available at: http://www.ccoyne.com/Economics.html [23/12/2007]

Lodin, S. (1998). "Intrusion detection product evaluation criteria", Ernst & Young LLP. Available at: http://www.docshow.net/ids.htm

Matai, D. K. (2002). "Anatomy of a hack: an exploration of the effects of asymmetric attack", mi2g Ltd, eRisk Conference, IUA Digital Risk Working Party, 30 May.

Miniwatts Marketing Group. (2007). "World internet usage and population statistics", [online] Nielsen//NetRatings, 30 September. Available at: http://www.internetworldstats.com/stats.htm [15/10/2007]

Mitnick, K. (2005). "The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers", Indianapolis: Wiley Publishing.

Nikolov, M. (2006). "The destructive effects of electronic hacking: social and economic implications", [online] Etisalat Academy. Available at: http://www.ea.ae [19/12/2007]

PricewaterhouseCoopers. (2000). "Security Benchmarking Service / InformationWeek 2000 Global Information Security Survey", [online]. Summary available at: http://www.pwcglobal.com/extweb/ncpressrelease.nfs/docid/7ABBA8E73B1E901D8525693500548A34

Sanderson, E. & Forcht, K. A. (1996). "Information security in business environments", Information Management & Computer Security, 4, 1: 32-37.

Sherif, J. S. & Ayers, R. (2003). "Intrusion detection: methods and systems. Part II", Information Management & Computer Security, 11, 5: 222-229.

St. Petersburg Times. (2000). "A history of hacking", [online] 1 November.

Sundaram, A. (1996). "An introduction to intrusion detection", [online] Crossroads: The ACM Student Magazine, 2, 4. Available at: http://www.acm.org/crossroads

Taylor, F. W. (1911). "The principles of scientific management", [online] American Magazine, March-May. Available at: http://melbecon.unimelb.edu.au/het/taylor/sciman.htm

The Jargon File v4.4.7. (2003). "blitter", 29 December. Available at: http://www.catb.org/~esr/jargon/html/B/blitter.html

The Linux Information Project. (2006). "Malware definition", [online] 5 February. Available at: http://www.linfo.org/malware.html

Thomas, D. (2002). "Hacker Culture", Minneapolis: University of Minnesota Press.

Trim, P. R. J. (2005). "Managing computer security issues: preventing and limiting future threats and disasters", Disaster Prevention and Management, 14, 4: 493-505.

Ungoed-Thomas, J. (2003). "The e-mail timebomb", The Sunday Times, 24 August, p. 19.

University of East London. (2006). "IT services: service plan 2005/06", [online]. Available at: http://www.uel.ac.uk/it/smallprint.htm

University of East London. (2007). "IT services: organisation plan", [online]. Available at: http://www.uel.ac.uk/it/index.htm
