Unit-5 Cybersecurity: Organizational Implications: IV-II SEM CSE, Cyber Security Unit - V

1. Cyberattacks can originate from local, remote, domestic, or foreign sources and be launched by individuals or groups using various devices.
2. Insider threats are a serious risk and can be caused by malicious, careless, or tricked insiders compromising organizational data through mistakes, theft, or other actions.
3. Cybercrimes impose high costs on organizations through expenses associated with detection, recovery from incidents, lost revenue, and damage to brand reputation. Proper cybersecurity practices and privacy protections are needed to mitigate these risks and costs.

IV- II SEM CSE, Cyber Security Unit - V

Unit-5

❼ Cybersecurity: Organizational Implications

In the global environment with continuous network connectivity, the possibilities for
cyberattacks can emanate from sources that are local, remote, domestic or foreign. They could be
launched by an individual or a group. They could be casual probes from hackers using personal
computers (PCs) in their homes, hand-held devices or intense scans from criminal groups.

Fig: A cybersecurity perspective. EU is the European Union.


PI is information that is, or can be, about or related to an identifiable individual. It includes any
information that can be linked to an individual or used to directly or indirectly identify an individual.

Most information the organization collects about an individual is likely to come under the “PI” category if it can be attributed to an individual. For example, PI is an individual’s first name or first initial and last name in combination with any of the following data:

1. Social security number (SSN)/social insurance number.

2. Driver’s license number or identification card number.

3. Bank account number, credit or debit card number with personal identification number such as an access code, security codes or password that would permit access to an individual’s financial account.

4. Home address or E-Mail address.

5. Medical or health information.

CREC

An insider threat is defined as “the misuse or destruction of sensitive or confidential information, as well as IT equipment that houses this data by employees, contractors and other ‘trusted’ individuals.”
Insider threats are caused by human actions such as mistakes, negligence, reckless behavior, theft, fraud and even sabotage. There are three types of “insiders”:

1. A malicious insider is motivated to adversely impact an organization through a range of actions that compromise information confidentiality, integrity and/or availability.

2. A careless insider can bring about a data compromise not by any bad intention but simply by being careless due to an accident, mistake or plain negligence.

3. A tricked insider is a person who is “tricked” into or led to providing sensitive or private company data by people who are not truthful about their identity or purpose via “pretexting” (known as social engineering).

∙ Insider Attack Example 1: Heartland Payment System Fraud

A case in point is the infamous “Heartland Payment System Fraud” that was uncovered in January 2010. This incident brings out the glaring point about the seriousness of “insider attacks.” In this case, the concerned organization suffered a serious blow through nearly 100 million credit cards compromised from at least 650 financial services companies. When a card is used to make a purchase, the card information is transmitted through a payment network.

∙ Insider Attack Example 2: Blue Shield Blue Cross (BCBS)

Yet another incident is the Blue Cross Blue Shield (BCBS) Data Breach. In October 2009, the theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility put the private information of approximately 500,000 customers at risk in at least 32 states.

The two lessons to be learnt from this are:
1. Physical security is very important.

2. Insider threats cannot be ignored.

What makes matters worse is that the groups/agencies/entities connected with cybercrimes are all linked. There is certainly a paradigm shift in computing and work practices, with workforce mobility, virtual teams, social computing media, cloud computing services and a sharp rise in business process outsourcing (BPO) services, to name a few.

Fig: Cybercrimes – the flow and connections.

A key message from this discussion is that cybercrimes do not happen on their own or in isolation. Cybercrimes take place due to weaknesses in cybersecurity practices, and “privacy” may get impacted when cybercrimes happen.

Privacy has the following four key dimensions:

1. Informational/data privacy: It is about data protection, and the users’ rights to determine how, when and to what extent information about them is communicated to other parties.

2. Personal privacy: It is about content filtering and other mechanisms to ensure that the end-users are not exposed to whatever violates their moral senses.

3. Communication privacy: This is as in networks, where encryption of data being transmitted is important.

4. Territorial privacy: It is about protecting users’ property, for example, the user devices, from being invaded by undesired content such as SMS or E-Mail/Spam messages.

The paradigm shift in computing brings many challenges for organizations; some such key challenges are described here.


Fig: Security threats – paradigm shift.

The key challenges from emerging new information threats to organizations are as follows:

1. Industrial espionage: There are several tools available for web administrators to monitor and track the various pages and objects that are accessed on their website.

2. IP-based blocking: This process is often used for blocking the access of specific IP addresses and/or domain names.

3. IP-based “cloaking”: Businesses are global in nature and economies are interconnected.

4. Cyberterrorism: “Cyberterrorism” refers to the direct intervention of a threat source toward your organization’s website.

5. Confidential information leakage: “Insider attacks” are the worst ones. Typically, an organization is protected from external threats by your firewall and antivirus solutions.

🡺 Cost of Cybercrimes and IPR Issues: Lessons for Organizations


Reflecting on the discussion in the previous sections brings us to the point that
cybercrimes cost a lot to organizations.


Fig: Cost of cybercrimes.

When a cybercrime incident occurs, there are a number of internal costs associated with it for organizations and there are organizational impacts as well.

Detection and recovery constitute a very large percentage of internal costs. This is supported by a benchmark study conducted by Ponemon Institute USA with a sample of 45 organizations representing more than 10 sectors, each with a head count of at least 500 employees.

∙ Organizations have Internal Costs Associated with Cybersecurity Incidents

The internal costs typically involve people costs, overhead costs and productivity losses. The internal costs, in order from largest to lowest, as supported by the benchmark study mentioned, are:
1. Detection costs.
2. Recovery costs.
3. Post response costs.
4. Investigation costs.
5. Costs of escalation and incident management.
6. Cost of containment.
∙ The consequences of cybercrimes and their associated costs are:
1. Information loss/data theft.
2. Business disruption.
3. Damages to equipment, plant and property.
4. Loss of revenue and brand tarnishing.
5. Other costs.

∙ There are many new endpoints in today’s complex networks; they include hand-held
devices.
Again, there are lessons to learn:

1. Endpoint protection: It is an often-ignored area, but IP-based printers, although they are passive devices, are also one of the endpoints.

2. Secure coding: These practices are important because they are a good mitigation control to protect organizations from “Malicious Code” inside business applications.

3. HR checks: These are important prior to employment as well as after employment.

4. Access controls: These are always important, for example, shared IDs and shared laptops are dangerous.

5. Importance of security governance: It cannot be ignored; policies, procedures and their effective implementation cannot be over-emphasized.

∙ Organizational Implications of Software Piracy


Use of pirated software is a major risk area for organizations.
From a legal standpoint, software piracy is an IPR violation crime. Use of pirated
software increases serious threats and risks of cybercrime and computer security when it comes
to legal liability.

The most often quoted reasons by employees, for use of pirated software, are as follows:

1. Pirated software is cheaper and more readily available.

2. Many others use pirated software anyways.

3. Latest versions are available faster when pirated software is used.

🡺 Web Threats for Organizations: The Evils and Perils


The Internet and the Web are the way of working today in the interconnected digital economy. More and more business applications are web based, especially with the growing adoption of cloud computing.
∙ Overview of Web Threats to Organizations
The Internet has engulfed us! A large number of companies as well as individuals have a connection to the Internet. Employees expect to have Internet access at work just like they do at home.
IT managers must also find a balance between allowing reasonable personal Internet use at work and maintaining office work productivity and work concentration in the office.


∙ Employee Time Wasted on Internet Surfing


This is a very sensitive topic indeed, especially in organizations that claim to have a
“liberal culture.” Some managers believe that it is crucial in today’s business world to have the
finger on the pulse of your employees.
People seem to spend approximately 45-60 minutes each working day on personal web
surfing at work.
∙ Enforcing Policy Usage in the Organization
An organization has various types of policies. A security policy is a statement produced
by the senior management of an organization, or by a selected policy board or committee to
dictate what type of role security plays within the organization.

Fig: Policy hierarchy chart.


∙ Monitoring and Controlling Employees’ Internet Surfing
A powerful deterrent can be created through effective monitoring and reporting of
employees’ Internet surfing.
Even organizations with restrictive policies can justify a degree of relaxation; for
example, allowing employees to access personal sites only during the lunch hour or during
specified hours.
∙ Keeping Security Patches and Virus Signatures Up to Date
Updating security patches and virus signatures has now become a reality of life, a necessary activity for safety in the cyberworld! Keeping security systems up to date with security signatures, software patches, etc. is almost a nightmare for management.


∙ Surviving in the Era of Legal Risks


With websites galore, most organizations get worried about employees visiting inappropriate or offensive websites. We mentioned Children’s Online Privacy Protection. Serious legal liabilities arise for businesses from employees’ misuse/inappropriate use of the Internet.
∙ Bandwidth Wastage Issues
Today’s applications are bandwidth hungry; there is an increasing image content in
messages and that too, involving transmission of high-resolution images.

There are tools to protect an organization’s bandwidth by stopping unwanted traffic before it even reaches your Internet connection.

∙ Mobile Workers Pose Security Challenges

Use of mobile handset devices in cybercrimes. Most mobile communication devices for
example, the personal digital assistant

∙ Challenges in Controlling Access to Web Applications


Today, a large number of organizations’ applications are web based. There will be more
in the future as the Internet offers a wide range of online applications, from webmail or through
social networking to sophisticated business applications.
∙ The Bane of Malware
Many websites contain malware. Such websites are a growing security threat. Although most organizations are doing a good job of blocking sites declared dangerous, cyber attackers, too, are learning. Criminals change their techniques rapidly to avoid detection.
∙ The Need for Protecting Multiple Offices and Locations
Delivery from multi-locations and teams collaborating from multi-locations to deliver a
single project are a common working scenario today. Most large organizations have several
offices at multiple locations.
🡺 Social Media Marketing: Security Risks and Perils for Organizations
Social media marketing has become dominant in the industry.
According to a fall 2009 survey by marketing professionals, usage of social media sites by large business-to-business (B2B) organizations shows the following:
1. Facebook is used by 37% of the organizations.

2. LinkedIn is used by 36% of the organizations.

3. Twitter is used by 36% of the organizations.

4. YouTube is used by 22% of the organizations.

5. MySpace is used by 6% of the organizations.

Although the use of social media marketing sites is rampant, there is a problem related to “social computing” or “social media marketing” – the problem of privacy threats.

Exposures to sensitive PI and confidential business information are possible if due care
is not taken by organizations while using the mode of “social media marketing.”

Fig: Social media - online tools.


∙ Understanding Social Media Marketing
Most professionals today use social technologies for business purposes. The most common uses include: marketing, internal collaboration and learning, customer service and support, sales, human resources, strategic planning, product development.
Following are the most typical reasons why organizations use social media marketing to promote their products and services:

1. To be able to reach a larger target audience in a more spontaneous and instantaneous manner without paying large advertising fees.

2. To increase traffic to their website coming from other social media websites by using Blogs and social and business-networking. Companies believe that this, in turn, may increase their “page rank” resulting in increased traffic from leading search engines.

3. To reap other potential revenue benefits and to minimize advertising costs because social media complements other marketing strategies such as a paid advertising campaign.

4. To build credibility by participating in relevant product promotion forums and responding to potential customers’ questions immediately.

5. To collect potential customer profiles. Social media sites have information such as user profile data, which can be used to target a specific set of users for advertising.

There are other tools too that organizations use; industry practices indicate the following:

1. Twitter is used with higher priority to reach out to maximum marketers in the technology
space and monitor the space.
2. Professional networking tool LinkedIn is used to connect with and create a community of
top executives from the Fortune 500.
3. Facebook as the social group or social community tool is used to drive more traffic to
Websense website and increase awareness about Websense.
4. YouTube (the video capability tool to run demonstrations of products/services, etc.) is used
to increase the brand awareness and create a presence for corporate videos.
5. Wikipedia is also used for brand building and driving traffic.

❼ Security and Privacy Implications from Cloud Computing


There are data privacy risks associated with cloud computing. Basically, putting data in
the cloud may impact privacy rights, obligations and status. There is much legal uncertainty
about privacy rights in the cloud. Organizations should think about the privacy scenarios in
terms of “user spheres.”

There are three kinds of spheres and their characteristics are as follows:

1. User sphere: Here data is stored on users’ desktops, PCs, laptops, mobile phones, Radio Frequency Identification (RFID) chips, etc. The organization’s responsibility is to provide access to users and monitor that access to ensure misuse does not happen.
2. Recipient sphere: Here, data lies with recipients: servers and databases of network providers, service providers or other parties with whom the data recipient shares data.
3. Joint sphere: Here data lies with the web service provider’s servers and databases. This is the in-between sphere where it is not clear to whom the data belongs.
🡺 Protecting People’s Privacy in the Organization
The costs associated with cybercrimes. A key point in that discussion is that people perceive their PI/SPI to be very sensitive. From a privacy perspective, people would hate to be monitored in terms of what they are doing, where they are moving.
In the US, Social Security Number is a well-established system/mechanism for uniquely identifying all American citizens; however, similar thoughts are now emerging in India. The UID Project was started by the Government of India and is running through an agency called Unique Identification Authority of India (UIDAI) based on a similar concept.


Fig: Anonymity by web proxy.


🡺 Forensics Best Practices for Organizations
This section focuses on forensics readiness of organizations. An organization’s forensics readiness is important. Forensics readiness is defined as the ability of an organization to maximize its potential to use digital evidence while minimizing the costs of an investigation.
Preparation to use digital evidence is not easy – it involves system and staff monitoring, technical, physical and procedural means to secure data to evidential standards of admissibility, processes and procedures. All this becomes essential for ensuring that staff recognizes the importance and legal sensitivities of evidence, and appropriate legal advice and interfacing with law enforcement.
The prime factor in understanding the need for forensics readiness is a risk assessment.

Fig: Cyber forensics and case investigation: Where it ends.

∙ Organizations must Understand Digital Forensics Investigation and Digital Evidences
Organizations must appreciate that the quality and availability of evidence is a passive aspect of the DFI.
Cybercriminals are known to exploit the fact that investigation is costly and takes time.

The categories of guiding procedures and activities that facilitate DFI are as follows:

1. Retaining information;


2. Planning the response;

3. Training;

4. Accelerating the investigation;

5. Preventing anonymous activities;

6. Protecting the evidence.

∙ Concerns with Being a Forensically Ready Organization

An effective incident response system is pertinent to an organization’s forensics readiness; this is because digital evidence is required whenever it can be used to support a legal process.

∙ Key Activities for Organizations Getting Forensically Ready

In the context of forensic readiness discussion, the key activities are presented. These
are the activities that an organization should consider if they wish to be forensically ready.
∙ Benefits of Being a Forensically Ready Organization

To conclude the discussion on forensics readiness, we present the benefits that an organization can derive from its forensics readiness:

1. The ability to gather evidence that can serve in the company’s defense if subjected to a lawsuit.

2. Comprehensive evidence gathering can be developed as a deterrent to the insider threat.

3. In case of a major incident, a rapid and efficient investigation can be conducted and actions can be taken with a view to minimal disruption to the business.

4. Reduction in cost and time of an internal investigation through a systematic approach to evidence storage.

5. A structured approach to evidence storage can reduce the costs of any court-ordered disclosure or regulatory or legal need to disclose data.

6. Forensics readiness can widen the scope of information security to the wider threat from cybercrime, such as IP protection, fraud or extortion.

7. It demonstrates due diligence and good corporate governance of the company’s information assets.

8. It can improve and facilitate the interface to law enforcement, if involved.

9. It can improve the prospects for a successful legal action.

10. It can provide evidence to resolve a commercial dispute.

11. It can support employee sanctions based on digital evidence.
