Central Luzon State University
College of Engineering
Bachelor of Science in Information Technology
INTECH 1200: IT Professional Ethics
Case Study 1: Cybersecurity Vulnerability Issue
Cybercrime is criminal activity done using computers and the Internet. This includes
anything from downloading illegal music files to stealing millions of dollars from online bank
accounts. Cybercrime also includes non-monetary offenses, such as creating and
distributing viruses on other computers or posting confidential business information on the
Internet.
Perhaps the most prominent form of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done are phishing and pharming. Both methods lure users to fake websites, where they are asked to enter personal information. This includes login information, such as usernames and passwords, phone numbers, addresses, credit card numbers, bank account numbers, and other information criminals can use to "steal" another person's identity. For this reason, it is smart to always check the URL or Web address of a site to make sure it is legitimate before entering your personal information.
Because cybercrime covers such a broad scope of criminal activity, the examples above
are only a few of the thousands of crimes that are considered cybercrimes. While computers and
the Internet have made our lives easier in many ways, it is unfortunate that people also use these
technologies to take advantage of others. Therefore, it is smart to protect yourself by using
antivirus and spyware blocking software and being careful where you enter your personal
information.
Common data breach exposures include personal information, such as credit card
numbers, Social Security numbers and healthcare histories, as well as corporate information,
such as customer lists, manufacturing processes and software source code. If anyone who is not
specifically authorized to do so views such data, the organization charged with protecting that
information is said to have suffered a data breach. If a data breach results in identity theft and/or
a violation of government or industry compliance mandates, the offending organization may face
fines or other civil litigation.
BACKGROUND OF THE STUDY
A data breach is an incident where information is stolen or taken from a system without
the knowledge or authorization of the system’s owner. A small company or large organization
may suffer a data breach. Stolen data may involve sensitive, proprietary, or confidential
information such as credit card numbers, customer data, trade secrets, or matters of national
security.
The effects brought on by a data breach can come in the form of damage to the target
company’s reputation due to a perceived ‘betrayal of trust.’ Victims and their customers may
also suffer financial losses should related records be part of the information stolen.
Based on the number of data breach incidents recorded between January 2005 and April
2015, personally identifiable information was the most stolen record type while financial data
came in second.
Different breach methods are observed across industries. Most data breaches are attributed to hacking or malware attacks. Other frequently observed breach methods include the following:
- A trusted individual or person of authority with access privileges steals data.
- Payment card data is stolen using physical skimming devices.
- Portable drives, laptops, office computers, files, and other physical property are lost or stolen.
- Through mistakes or negligence, sensitive data is exposed.
- In a small number of cases, the actual breach method is unknown or undisclosed.
The attacker, having picked a target, looks for weaknesses to exploit: employees,
systems, or the network. This entails long hours of research on the attacker’s part and may
involve stalking employees’ social media profiles to find what sort of infrastructure the company
has.
Having scoped a target’s weaknesses, the attacker makes initial contact either through a
network-based or social attack.
In a network-based attack, the attacker exploits weaknesses in the target's infrastructure to instigate a breach. These weaknesses may include, but are not limited to, SQL injection, vulnerability exploitation, and/or session hijacking.
In a social attack, the attacker uses social engineering tactics to infiltrate the target
network. This may involve a maliciously crafted email sent to an employee, tailor-made to catch
that specific employee’s attention. The email can phish for information, fooling the reader into
supplying personal data to the sender, or come with a malware attachment set to execute when
downloaded.
Once inside the network, the attacker is free to extract data from the company’s network.
This data may be used for either blackmail or cyberpropaganda. The information an attacker
collects can also be used to execute more damaging attacks on the target’s infrastructure.
EVALUATION OF THE CASE
Data breaches continue to happen daily, and ever more frequently, because today's security systems cannot keep pace with attackers who are much further ahead in the battle. Protecting and securing data is foremost on the minds of companies, organizations and the world at large, and it is a constant struggle and concern.
In what is Malaysia's darkest data breach episode to date, the data of more than 46 million mobile subscribers was stolen and leaked onto the dark web. Considering that the country has a population of 32 million, it is believed that the whole country was affected, including foreigners using pre-paid mobile phones. The leaked information includes mobile numbers, unique phone serial numbers and home addresses. Personal information from multiple Malaysian public sector and commercial websites was also stolen, leaving Malaysians vulnerable to social engineering attacks and even phone cloning. Although the Malaysian technology news website Lowyat.net claimed that it reported the breach to the Malaysian Communications and Multimedia Commission (MCMC) after receiving a tip-off, the watchdog asked Lowyat.net to take the news article down. The tech website had been informed that someone was trying to sell huge databases of personal details from at least 12 Malaysian mobile operators on its forums for an undisclosed amount of Bitcoin. A vast amount of personal data was also stolen from Jobstreet.com and six different official Malaysian organizations, including the Malaysian Housing Loan Applications and the Academy of Medicine Malaysia. Lowyat.net founder Vijandren Ramadass told The Star that all information it had received on the matter was handed over to the MCMC. The MCMC only acknowledged the data breach a day later, in a press statement released on Facebook, later confirming that 46.2 million mobile subscribers were affected by the data breach.
For years, information security specialists have been compiling information on the
exploitations that hackers have successfully used on companies in dozens of countries. These
exploits are sorted into hundreds of Common Vulnerabilities and Exposures (CVEs) to identify
them for future reference.
However, many of these security vulnerabilities go unfixed for long periods of time. For
example, according to Verizon’s 2015 Data Breach Investigations Report, “99.9% of the
exploited vulnerabilities had been compromised more than a year after the associated CVE was
published.” Leaving these old security vulnerabilities unfixed gives hackers a free pass to your
company’s most sensitive information.
Unfortunately, one of the biggest sources of a data breach isn't some unknown or forgotten security bug; it's human error. According to statistics from a CompTIA study cited by shrm.org, "Human error accounts for 52 percent of the root causes of security breaches." The specific nature of the error may vary, but some scenarios include: the use of weak passwords; sending sensitive information to the wrong recipients; sharing password/account information; and falling for phishing scams.
Many of these human errors can be prevented by making sure employees know their
basic data security measures. As stated in the SHRM article, “experts often say more employee
training is needed to address the ‘human firewall’ issue.”
While closely related to human error, this cause of company data breaches is more insidious in nature. Human error implies an innocent accident or mistake. Insider misuse, on the other hand, is the deliberate abuse of your company's systems by an authorized user, typically for personal gain.
As pointed out in Verizon’s 2015 DBIR, “it’s all about grabbing some easy Benjamins
for these mendacious malefactors, with financial gain and convenience being the primary
motivators (40% of incidents).”
The issue here is that the malicious actor is someone in whom your organization has
placed trust. Worse yet, as pointed out by Verizon’s report, “catching insider abuse is not easy…
in many of the incidents we reviewed, the insider abuse was discovered during forensic
examination of user devices after individuals left a company.”
While preventing insider abuse is nearly impossible, damage can be limited through compartmentalization of information on your network or cloud. The fewer files and systems a single user can access, the harder it is for them to abuse their access. However, it can also make sharing of necessary data more difficult.
PROPOSED SOLUTION/CHANGES
Data breaches have traditionally been difficult to detect in a timely and cost-effective manner. There are three ways to authenticate an identity: something you know, like a password; something you have, like a USB key; and something you are, like a fingerprint. Usernames and passwords are still the primary means of authentication for most companies, people, and devices, but together they represent only a single factor, because both are something you know.
Usernames are generally trivial to guess, and passwords are relatively easy to crack or
compromise. Attackers also often acquire usernames and passwords through phishing attacks. In
the case of breaches like Target, or Home Depot, or Sony, the attackers were able to obtain valid
username and password credentials to access the network, and the rest is history. Had those
organizations used two-factor authentication, and also required something you have or something
you are, the attackers wouldn’t have been able to do much with the username and password.
However, two-factor authentication alone is not enough; it has to be properly implemented two-factor authentication.
Most companies are selective in their use of two-factor authentication, Oberheide
explained. “Historically, two-factor authentication has been limited in deployment scope to only
the most critical services or to a select group of key administrators due to cost and usability
burden.”
In other words, even organizations that have two-factor authentication in place are often
using it only for specific users or servers. All it takes is one unprotected server housing sensitive
information that isn’t protected with two-factor authentication, and the results can be a
catastrophic data breach. It’s like locking every door and window in your house except for one,
and hoping a burglar isn’t thorough enough to find the one unlocked entrance.
There’s some good news, according to Oberheide. “In an environment where firewalls
are becoming increasingly irrelevant (what does "on-premise" mean to a small company in an IT
world of cloud and mobile) and endpoint antivirus efficacy is laughable, two-factor
authentication is becoming the go-to security technology for organizations of all sizes.” Thanks
to initiatives like FIDO, and emerging two-factor authentication systems that are simpler and less
expensive, two-factor authentication is gaining momentum.
Companies and individuals should utilize two-factor authentication everywhere it’s
possible or offered. It’s only a matter of time until a username and password is compromised, but
as long as the attacker doesn’t also have the mobile phone or fingerprint that goes with those
credentials, the data will still be safe.
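The argument above, as an added example that is not part of the case study: a password check layered with a TOTP second factor (RFC 6238, "something you have"). The account, salt and password are constructed; the TOTP secret is the RFC 6238 reference-vector secret. The `require_second_factor` switch models the partial deployment the text warns about: with it off, phished credentials alone are enough to log in; with it on, the same credentials fail without the current code.

```python
"""Added example (not from the case study): a password check layered with a TOTP
second factor (RFC 6238, "something you have"). Stolen credentials alone fail
when the second factor is enforced; they succeed where it is not."""
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the current 30-second counter, HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current step plus/minus `drift` steps to absorb clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * STEP), code)
               for k in range(-drift, drift + 1))

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed demo account. The TOTP secret is what the user's authenticator
# app holds after enrolment; here it is the RFC 6238 reference-vector secret.
SALT = b"constructed-demo-salt"
ACCOUNT = {
    "username": "alice",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}

def authenticate(username, password, code, unix_time, require_second_factor):
    """Return (ok, reason). require_second_factor=False models the partial 2FA
    deployment the text warns about: a valid password alone is enough."""
    if username != ACCOUNT["username"] or not hmac.compare_digest(
            hash_password(password, SALT), ACCOUNT["pw_hash"]):
        return False, "bad username or password"
    if not require_second_factor:
        return True, "password only (second factor not enforced)"
    if code is None or not verify_totp(ACCOUNT["totp_secret"], code, unix_time):
        return False, "password correct but second factor missing or wrong"
    return True, "password and second factor verified"

if __name__ == "__main__":
    now = 59  # RFC 6238 test time; a real system uses int(time.time())
    phished = ("alice", "correct horse battery staple")  # stolen credentials
    print(authenticate(*phished, None, now, require_second_factor=False))
    print(authenticate(*phished, None, now, require_second_factor=True))
    print(authenticate(*phished, totp(ACCOUNT["totp_secret"], now), now, True))
```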
RECOMMENDATIONS
Companies must ensure that data is adequately protected to prevent loss or theft. Where a
breach has taken place, companies may need to notify individuals as well as face negative impact
on the company’s brand and customer loyalty. Under the General Data Protection Regulation,
companies may face fines of up to €20 million or 4% of annual turnover.
Ensure software is updated and patched regularly to avoid weak spots for hackers to
exploit. Carry out vulnerability assessments to review and address any changes or new risks in
data protection. Consider all aspects, such as data storage and remote access for employees, and
ensure that policies and procedures are adequate. Personal data should at least be encrypted,
including on work laptops issued to staff. Instead of using backup tapes that can be lost or stolen,
data can be backed up to remote services using the Internet. Train staff to follow best practices,
be aware of the importance of data security and how to avoid mistakes that could lead to
breaches. Awareness of sensitive data and security should be a part of the company’s culture.
When working with other companies that may be handling your customers’ data, make sure they
also have adequate systems in place to protect data. Having a third party carry out a risk
evaluation allows an objective and outside view of the current breach risks. A data security expert can advise on the best solutions specific to each company to reduce the risk of a breach. This also demonstrates a serious intention to ensure data protection.
Phishing emails are the most common cause of breaches, with 72% of cyber security
breaches originating from staff receiving fraudulent emails. Snapchat fell victim to a phishing
scam when staff were targeted by a spam email impersonating the company’s CEO. The email
asked for payroll information, which unfortunately an employee disclosed.
Never open an attachment that you are not expecting or click a link that comes from an
unknown sender. Make sure your staff are aware of this and know how to identify a spam email.
This may seem simple enough, but phishing emails are becoming more and more complex, with
many people being fooled.
Passwords are vital in ensuring the security of your sensitive data, but they still need to
be strong or they won’t be effective. Make sure that your staff change their passwords at least
every six months, and use combinations of upper- and lower-case letters, numbers and symbols.
It is also vital that passwords are not shared with any other members of staff. A password is for
that individual only and should never be revealed or passed on to anyone.
Too many data breaches are caused by staff leaking information. These breaches are often due to an employee accidentally passing on the data, but data is sometimes taken by ex-employees, too. This happened to Ofcom in 2016 when an ex-employee stole six years' worth of third-party data to pass on to his new employer. A simple way to avoid these types of breaches is to limit access to sensitive data to the relevant members of staff and to cut off access when an employee leaves. Not all staff need access to this information, so make sure it is limited to appropriate employees only.
Make sure you have all the necessary antivirus and anti-malware software installed on
your system. You should also have firewalls in place to prevent unauthorized access to your
network. Using such software can restrict a hacker’s access to your data and avoid multiple cyber
security breaches. One of the most effective ways to protect yourself from a data breach is to find
out if you are vulnerable to one. By conducting regular tests and audits, you can get proof that
your data is secure, minimizing the risk of a breach.
An information security management system (ISMS) can help you manage all your security processes in one place, consistently and cost-effectively. It is a system of processes, documents, technology and people that manages information risks, such as cyber-attacks, hacks, data leaks or theft. ISO 27001 is the international standard that describes best practice for an ISMS. It provides a proven framework that helps organizations protect their information through effective technology, auditing and testing practices, organizational processes and staff awareness programmes. Be better prepared for a cyber-attack with proven solutions delivered by the team who led the world's first successful ISO 27001 implementation.
REFERENCES
https://techterms.com/definition/cybercrime
https://www.trendmicro.com/vinfo/us/security/definition/data-breach
https://www.cio.com/article/3293060/the-biggest-data-breaches-in-the-asean-region.html
https://www.whoa.com/data-breach-101-top-5-reasons-it-happens/
https://its.ucsc.edu/security/breaches.html
https://www.itgovernance.co.uk/blog/five-simple-ways-businesses-can-avoid-a-data-breach