Mitigating Corporate Information Exposure on the Web

Introduction

A clear understanding of how the authors of the research define information security, including theft of information, is fundamental to mitigating corporate information exposure on the web. This literature review covers some of the security weaknesses associated with corporate information and explores some of the issues that researchers raise on this matter. The effort to define "information security" has generated extensive literature, due primarily to the evolving understanding of the concept itself and the complexity it encompasses.

Defining information security

Andress & Rogers (2011, p. 20) claimed that much personal and corporate information is stored in computer systems and that, if this information is exposed to an attacker, the consequences can be severe. Andress & Rogers (2011, p. 20) also argued that corporations can lose millions of dollars, face legal proceedings and lose their reputation because of a single system configuration issue that allows an attacker to gain access to a database containing personal or corporate information. We witness these events regularly in the media. According to Andress & Rogers (2011, p. 16), information security is essential in an era in which data about a large number of people and companies is stored in a diversity of computer systems, often not under their direct control. Security and productivity are opposing concepts, and saying that people are completely secure is a difficult claim to make. U.S. law defines information security as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction". Basically, it means that we want to protect our data and systems from those who would use them without authorization.

The Confidentiality, Integrity and Availability Model (CIA Model)

Andress & Rogers (2011, p. 23) stated that the CIA triad focuses heavily on data security and for this reason makes security concepts easier to understand. These are the three primary concepts in information security: Confidentiality, Integrity and Availability. Andress & Rogers (2011, p. 23) also highlighted that confidentiality is a familiar concept; however, it should be understood that it does not mean privacy. Bourke & Wessely (2008, p. 888) pointed out that confidentiality, in the medical environment, is an integral part of privacy and refers to the duty of keeping information given by or about an individual secure and secret from others. Killinger (2010, p. 18) defined integrity as a commitment to being honest and to honoring moral, ethical, spiritual and artistic values and principles. Killinger (2010, p. 18) added that there is no integrity in saying one thing and doing another. In information security, integrity refers to the ability to prevent data from being modified or deleted without authorization. This is very important because, if an attacker altered the data of a patient's treatment process, this could lead to the patient's death (Andress & Rogers, 2011, pp. 24-25). Andress & Rogers (2011, p. 25) defined availability as the ability to access data when needed. Loss of availability can have several causes, such as power loss, OS or software problems and network attacks. When these problems are caused by an attack from an outside party, such as a hacker, this is called a Denial of Service (DoS) attack.

Attacks

You, Lenzini, Ogiela, & Bertino (2012, pp. 831-833) stated that, because of the dangers associated with unauthorized access by insiders, it is necessary to develop an integral security management system that is able to protect a company's major information assets both internally and externally: internally, with the use of firewalls, protocols, encryption and authorization; and externally, with the training of employees. On the other hand, Mitnick (2002, p. 12) advocated that even if a company has the best security technologies and has trained its staff to the maximum level, the company is still vulnerable. Mitnick (2002, p. 12) justified this argument by saying that the human factor is the greatest weakness of security.

USB Memories

A particular issue in information security is the use of USB memory devices. Lee, Yim, & Spafford (2012) explained that these storage devices, besides being useful and convenient for carrying information, often personal and corporate information, are easily exposed because they are easy to steal, and once they are lost or stolen their content can be extracted. But Lee, Yim, & Spafford (2012) also argued that this information can be protected by encrypting it and by using authentication protocols.

Impersonation

Mitnick (2002, pp. 12-13) argued that most successful attacks are due not to the complexity of security but to human error, or simply to ignorance of good security practices. For example, passwords can be obtained if the attacker pretends to be someone else and simply asks for them. Mitnick (2002, pp. 12-13) also stated that anyone who thinks that security products alone, such as firewalls, intrusion detection systems or stronger authentication devices, provide absolute security is settling for the illusion of security.

Abuse of Trust

Mitnick (2002, pp. 16-17) stated that in most cases attackers have great social skills; they convey solidarity and friendship so that trust can be established quickly. Most of our secret and sensitive information is related to our tastes, experiences, stories and lives, and it is therefore easy for an attacker who has gained that trust to obtain it.

Tailgating

Long et al. (2008) defined tailgating as the act of following a person while observing everything that person does, such as the places he frequents and his schedule. This is one of the most effective non-technical techniques available to an attacker for gaining access to a secure building and stealing information. It may or may not be combined with the abuse of trust. Long et al. (2008) asserted that no one should be careless when entering a secure location.

Phishing

Dhamija, Tygar, & Hearst (2006) stated that fake websites are usually created to look very similar to the real ones, thus deceiving users who think they are on the real site and end up giving their data to the attacker without realizing it. Dhamija, Tygar, & Hearst (2006) also argued that many users fall victim to this attack because they lack knowledge about it. Therefore, the main defense is to distinguish legitimate websites. For example, one important factor the user should be aware of in these cases is to check whether the address bar contains "https", where the "s" means secure; another is to pay attention to the page design, which usually has flaws compared with the genuine one.
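The address-bar checks above, written as a small URL inspector that a defender could use in awareness tooling. This is an added example, not code from Dhamija, Tygar, & Hearst or from the review; the legitimate-domain list and all domain names are constructed. It goes beyond the text by showing why a plain search for the text "https", or a familiar-looking hostname, is not enough on its own.

```python
from urllib.parse import urlsplit

# Domains this organisation treats as legitimate. Constructed for the example;
# a real deployment would maintain its own list (and verify certificates too).
LEGITIMATE_DOMAINS = {"bank.example", "mail.example"}


def registrable_domain(hostname: str) -> str:
    """'login.bank.example' -> 'bank.example'. Simplified to the last two labels;
    production code should use the Public Suffix List for suffixes like co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Apply the address-bar checks from the text to the parsed URL components
    rather than to the raw string, and report every reason for distrust."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""        # what the browser actually connects to
    findings = []

    # 1. The 's' must be in the scheme; 'https' elsewhere in the URL means nothing.
    if parts.scheme != "https":
        note = "scheme is not https"
        if "https" in url.lower():
            note += " (the text 'https' appears in the URL, but not as the scheme)"
        findings.append(note)

    # 2. 'user@host' syntax: everything before '@' is a username, not the site.
    if parts.username is not None:
        findings.append(f"text before '@' is a username; real host is '{host}'")

    # 3. Judge the host by its registrable domain, not by the familiar-looking
    #    leading labels: 'bank.example.attacker.test' belongs to attacker.test.
    domain = registrable_domain(host) if host else ""
    if domain not in LEGITIMATE_DOMAINS:
        note = f"host '{host}' is not a known legitimate domain"
        for legit in sorted(LEGITIMATE_DOMAINS):
            if legit in host or legit.split(".")[0] in host:
                note += f"; it resembles '{legit}'"
                break
        findings.append(note)

    return {"host": host, "domain": domain, "trusted": not findings, "findings": findings}
```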

Conclusion

This literature review has summarized recent research discussion about what constitutes a useful definition of web security and how to mitigate corporate information exposure on the web. Determining what is and is not secure is important. In summary, being completely secure on the internet and not exposing information is a difficult task, but there are steps that can be taken to get close to it if we continually acquire more knowledge of the forms of attack. The research has highlighted that the human factor is the greatest weakness of security.

References