Cyber Breach Case Research

Document Type: Research Paper

Subject Area: Technology

Document 1

The challenges facing cybersecurity globally have weakened the complex systems that were put in place. Cybersecurity activities should be guided towards providing sustainable security for economic and health systems. The United States has been in the lead in fighting cyber insecurity, with both legislation and policies that aim to minimize acts of cyber terror. The NIST framework aims to use business drivers to guide cybersecurity activities and to handle the risks that arise in the process by including them in management processes. This paper discusses cybersecurity cases that have occurred in various companies across different industries, from social media to health, among others. It looks at when the breach incidents happened, their impact on the company in terms of revenue and performance, the control measures that ought to be put in place to mitigate the risks in future and, finally, the recommendations. The regulatory measures that this paper discusses refer to the policies of regulatory bodies, such as HIPAA on e-health, which act as the framework that the organization should adopt, and to the consequences of failing to implement the regulations of these regulatory bodies. Under cause, we discuss the issues that led to the attack; under preventive or control measures, we analyze the measures to curb such incidents in the future; and finally, under recommendations, this paper analyzes some of the mitigation measures that management can implement to curb such incidents in the future.

Table of Contents

Executive Summary
Introduction
Plastic surgery of South Dakota (Ransomware)
Vulnerability and risk/loss value
Control issues
Regulatory guidelines
Recommendation
Snapchat (DISC)
What made the breach happen?
Procedure to improve company processes
Concerns from a legal perspective
Preventative measures
Legal perspective
Preventative measures
Recommendation
University of Oklahoma (HACK)
What made the breach happen?

Vulnerability and risk/loss value

According to the company, it learned about the ransomware attack on February 12 and made arrangements, including the impromptu deployment of third-party experts, to look into the matter and report shortly on the amount, nature and contents of the data that was breached before taking necessary actions. The reports confirmed that the data of approximately 10,200 clients had fallen prey to the attacker, as it had not been adequately protected under the prerequisite data protection procedures stipulated by the company bylaws (Pierret, 2017).


The company also confirmed that, up to the time the breach was discovered, there had been no evidence in the public domain indicating that the information stolen by the attackers had been used elsewhere. In the short term, the attack led the company to carry out an in-depth audit of its information systems to determine other areas that were deemed vulnerable. The company also took it upon itself to ensure that its customers' financial records and accounts were not breached in the process by offering to look into the customers' accounts through credit monitoring in partnership with financial institutions.

Regulatory guidelines

Implementing procedures that detect and guard company systems against malicious software that is introduced into the system illegally. The procedure should include an analysis of the risks so as to identify threats and system vulnerabilities affecting the company's electronic protected health information (ePHI).


HIPAA requires that companies implement access controls that keep malicious personnel and activities from gaining access to the ePHI by providing access to specific persons who are authorized to access the system (Carlson & Mandel, 2017). The guidelines also direct that the company systems should at all times incorporate backups that run systematically with the company systems. This directive equally emphasizes the need for a business continuity plan in the event of a malware attack (Fetzer & West, 2008).

The breach was thereby categorized as a phishing attack (Russel, 2016).

Procedure to improve company processes

To reduce similar attacks on the company in future, the chief executive officer of the company says that they are on the verge of pursuing advanced training for its employees to help them understand the modes of attack that hackers and other attackers would use in perpetrating attacks on the company.


Training is the number one procedure that the company needs to implement if it is to fight disclosure attacks. A similar attack in 2014, involving more than 200,000 photos from users, in which attackers used third-party applications to infiltrate the company's database, would have been prevented if the employees of the company had been trained on the different ways in which attackers can carry out an attack (Russel, 2016). The company was seen giving reports that no user data was affected in the process of the attack and that users shouldn't fear for their information being disclosed, but in the end the user data was disclosed to the public.

Encryption keeps both data in storage and data in transit safe and makes disclosure hard for the attacker. The use of third-party authentication reduces the number of password combinations that users need to remember in order to gain access to the site.


The more the customers have to remember, the more likely they are to use keyloggers and written references, making their access information vulnerable to the attacker.

Recommendations

Make security a business problem and not just an IT problem. Issues of information security should be dealt with using resources and tools approved by the management without leaving it to the ICT team of the company.

What made the breach happen

The breach happened because of the transactions that were made at the company's website. GameStop identified that the hacker might have taken advantage of one user's information to pose as an administrator, thus causing the breach. Initially, the company management believed that the breach might have resulted from the retail stores and that one of the company's point of sale systems might have been affected by malware introduced to the system by the hacker.


The reason for this conclusion is that the attack happened at the height of the sales season during a holiday. However, the company later attributed the attack to a hacker who used malware to steal Card Verification Values (CVV2) from the company website.

The regulation aims at giving individuals control over their data by initiating policies and strict conditions on the user's acceptance of the data to be captured and stored by a company (Buttarelli, 2017). The EU creates obligations for companies in different areas, such as compulsory breach notifications, data anonymization and the appointment of officers to oversee data protection measures, as well as compelling companies that handle user information to make key changes in the way they organize the collection and dissemination of user data. There are standards that govern the companies that want to operate in the countries that this regulation covers and in other affiliate member states.


Companies should issue notifications to the relevant authorities within 72 hours of becoming aware of the breach, with fines and penalties for those who fail to fulfill this requirement.

Preventative measures

The main preventive measure the company should implement is to stay updated on contemporary hacking threats.

The company was founded in 2011 by Annika Weyhrich, a public curator in the music and culture space. The company has ten employees. Fling.com is an adult dating site with approximately 57 million users globally.

What made the breach happen

In the attack, which happened in 2017, a hacker made away with user details for more than fifty million users.

The company will need to set realistic and measurable objectives to align with the overall strategic organization plans and goals.

Legal perspective

The Active Cyber Defense Certainty Act (ACDC) provides an exception to Computer Fraud and Abuse Act (CFAA) liability by allowing companies or affected individuals to go out of their way and gather intelligence from diverse networks outside their own on the potential hackers for purposes of attribution.


The FBI-led National Cyber Investigative Joint Task Force (NCIJTF) has an internal set of procedures to oversee and provide guidance on the occurrence of hacking. The company is, however, required to implement procedures that minimize the chances of attackers gaining privileged information from its sites. In this view, Fling is supposed to come up with measures and procedures that limit information access by outsiders.

University of Oklahoma (HACK)

The University of Oklahoma is an educational institution with approximately 5,000 employees. The institution of higher learning fell prey to a devastating cyber-attack on November 7, 2017, leading to a breach of the information of more than 280,000 patients (Evolvemga, 2018).

What made the breach happen?

The breach at the university happened as a result of the hacker gaining access to administrator details through one of the university's management account activities.


The hacker gained access to confidential folders containing patient information on Medicaid billing for more than 280,000 patients (Evolvemga, 2018).

Procedure to improve company processes

The first measure to improve the services of Oklahoma University is to create new standards and policies that will act as the benchmark to guide employees.

government personal information protection directive.

Preventative measures

The best preventive measure against the hacking attack on Oklahoma University is to toughen access control. Since the attacker infiltrated the system through the administrator side of the account, it is vital that the organization enforces user credentials that cannot be guessed by the hacker. This includes limiting the number of tries by the administrator in the event that their account is inaccessible. Login details should never be sent through email.

European Data Protection Law Review, 3(2), 155-159.


doi. org/10. edpl/2017/2/5

Carlson, S. Mandel, J. InfoWorld Media Group.

Evolvemga. Oklahoma State University Breach Impacts Nearly 280k Medicaid Patients. Evolve MGA. Retrieved 16 March 2018, from https://evolvemga.net/plastic-surgery-associates-of-south-dakota-notifies-10200-after-ransomware-attack/

Russel, J. Snapchat Employee Data Leaks Out Following Phishing Attack. TechCrunch. Retrieved 16 March 2018, from https://techcrunch.com/2016/02/29/snapchat-employee-data-leaks-out-following-phishing-attack/

Spring, T. org/10. j. jocs.

Fetzer, D. West, O.
