ITSECURITY1

IT Security: Threats and Solutions in Organizations


Thomas Curtis
14 March, 2015

Abstract
Information security is a problem that plagues businesses. Organizations can protect
themselves from the lingering threat of would-be data thieves, which mitigates liability
and helps keep data secret, and can also become industry leaders in the ever-evolving
technological landscape. Organizations that embrace the necessity of security will have
armed themselves with knowledge of attackers, their methodology and the law. Research will
be obtained through interviewing professionals in the field, industry white papers,
government knowledge and law. The data will be analyzed, summarized and illustrated
as appropriate.
Introduction
IT security continues to present a challenge to business organizations. According to
Khan, organizations do not have adequate security controls (Khan, 2014). Attackers
are hitting businesses hard these days. A business that understands the risks,
processes and methodologies of attackers, how to mitigate the attacks and the laws
associated with cyber infrastructure has an advantage.
Data is the lifeblood of an organization according to Protiviti (Bridging the Data
Security Chasm). Lifeblood is what keeps things living. An organization will die without
its data. Imagine a business that lost its entire database of customer data due to an
attack. That organization would surely suffer the ramifications.
Ponemon Institute found that the average cost of a data breach in the US was $188
per record (2013 Cost of Data Breach: Global Analysis). That means every single
record stolen in a data breach costs $188. This kind of cost solidifies the need to be
proactive in protecting organizational data.
Fischer, a senior specialist in science and technology for the Congressional
Research Service, states that various experts have been growing more concerned over
cybersecurity for over ten years (Fischer, 2013). Fischer further explains that this
growing concern has created a legislative framework (Fischer, 2013). Understanding
these laws helps businesses know what protection can be put in place, as well as how
to identify illegal cyber activity.
The Data Protection Compliance Report found that 94% of all breaches in 2014
were caused by a lack of information security. Integrating information security into
organizations can prevent nearly all cyber events. Clearly there is a need to further
understand how information security should be applied within organizations.
Proposed Research
Past research focuses on specialized areas of cyber security, but does not combine
them into an overarching view of information security within an organization. This research
document will encompass multiple aspects of cyber security from a broad viewpoint.
Real professionals in the field, white papers, and other industry accepted
documentation will be used to research and create a document that can be used for the
purpose of increasing security awareness and posture within organizations.
Results
Expected results will be that most organizations do not have a security posture
adequate for today's standards. This will be backed up by research and statistics.
Discussion
This study will provide a great background for organizations. What it will not do is tailor
to an individual organization. Organizational leaders should expect to require a
personalized, in depth look at the current state of their organizations in order to properly
protect the data.
IT security continues to present a challenge to business organizations.
According to Khan, organizations do not have adequate security controls (Khan,
2014). Attackers are hitting businesses hard these days. A business that understands
the risks, processes and methodologies of attackers, how to mitigate the attacks and
specific laws related to cyber infrastructure has an advantage over organizations that
do not.
Data is the lifeblood of an organization according to Protiviti (Bridging the Data
Security Chasm). Lifeblood is what keeps things alive. If an attacker steals an
organization's data, the organization's lifeblood has been taken. The organization will die
without its lifeblood.
Ponemon Institute found that the average cost of a data breach in the United
States is $188 per record stolen (2013 Cost of Data Breach: Global Analysis). That
means that every single record stolen by an attacker costs an organization $188. If a
company with 300 employees is attacked, and the attacker steals only the employee
records, the cost would be $56,400. That is a pretty heavy hit just for losing employee records.
The Data Protection Compliance Report found that 94% of all breaches in 2014
were caused by a lack of information security. Integrating information security into
organizations can prevent nearly all cyber events.
Organizational information security is protecting data from risk and threat
(Johnson & Goetz, 2007). It is important to keep your organization's secrets secret.
Would you leave plans for your new prototype sitting on your competitor's conference
table? Why would you not lock up your digital data?
Every organization needs to be cognizant of cyber security. Riley (2014) quoted
the FBI Director, James Comey: "There are two kinds of big companies in the United
States. There are those who have been hacked and those who do not know they
have been hacked." Chances are every organization has been hacked at one point or
another. That is why any organization needs to respect cyber security.
In order to figure out where to start, you need to understand how an attacker
penetrates a network. An attacker will use a variety of methods to infiltrate. Baumann
(2002) describes the sequence an attacker follows to break into a network: first perform
reconnaissance, then probe and attack, third, listen, then gain first access, then
advance access, perform stealth, take over the network and finally erase tracks.
Protecting against the attacker's methodology is crucial. There are ways to
defend against this methodical onslaught. The State of California Department of Justice
Office of the Attorney General (Protect Your Computer From Viruses, Hackers, and
Spies. n.d.) recommends a layered approach to defense: install a firewall, use anti-virus
software, use anti-spyware software, manage your system and browser, use a strong
password, secure your wireless network, use caution when sharing files, shop safely
online and finally take control of your systems. No singular defense is a panacea, and
the State of California recognizes this.
Many times organizations do not consider network security until after they are up
and running. In order to start enforcing information security from scratch, Jones (2000)
recommends that you address controlling system infrastructure through the use of
information security policies, organization of information security, asset management
and control, computer and network management, physical and environmental security,
access control, systems development life cycles and maintenance, personnel security,
business continuity planning and policy compliance. It is a mouthful, but it should not be
intimidating. Each of these security methods will be discussed.
When starting your organizational information security plan, you must perform a
risk assessment. A risk assessment component should be included in any change
management activity impacting the operating system environment, supporting network
infrastructure or applications residing on the network (Jones, 2000). Basically, any time
a system is altered, a risk assessment should be completed.
The first step in creating an information security plan is to identify threats to the
organization. A threat assessment considers the full spectrum of threats (i.e., natural,
criminal, terrorist, accidental or other undefined threats) for a given facility (Renfroe &
Smith, 2014). The chief information security officer should consider every possible
threat there could be to an organization through any means necessary. There is a
plethora of historical data for regions that can help determine these risks.
After assessing risk, an organization must assess how vulnerable the facility is to
each threat. There are a number of ways to conduct a vulnerability assessment. A good
method is to hire an unbiased, external organization to test your organization against
common threats. Once the vulnerability assessment has been conducted, the
organization should classify each threat based on impact (Renfroe & Smith, 2014).
Once the vulnerability and risk assessments have been completed, the organization
should evaluate the risks. Some risks are too far-fetched to pose any real threat. A
sharknado would probably be devastating to an organization, but it is a highly unlikely
threat. Quantifying the impact associated with a threat is one of the most difficult
aspects of risk evaluation (Data Governance Risk: Challenges in Information Security.
n.d.).
After evaluating risk, the organization must determine what the impact to
business is. Sometimes it just is not worth the cost associated with mitigating a risk.
Risk should be balanced versus cost and versus inconvenience (Data Governance
Risk: Challenges in Information Security. n.d.). Senior leadership in the organization
may be helpful when determining impact to business.
The final piece to creating an organizational information security plan is to
actually prepare the plan. The plan should contain methodology for an incident
response team. Incident response procedures vary depending on the specific
organization of business functions, information technology, public information, law
enforcement and other business function types. The cited document outlines steps that
should be included in those processes and ensure appropriate responses to
security-related incidents (Information Technology Services, n.d.). Test plan members by
simulating disasters, and have them document the full process.
There are dozens of methods of penetration into a network. They fall into two
categories: the internal threat and the external threat. Both are very real threats and
both can be disastrous when an event does strike.
Coleman (2014) quoted Alex McGeorge, senior security researcher at a Florida-based
provider of specialized offensive information technologies. McGeorge said
that corporations do not take their internal security as seriously as they should. Employees
are a very large risk to an organization.
According to an online survey by IT Governance, more than half of the
respondents agree that the greatest threat to an organization's data is the organization's
employees (Coleman, 2014). That is not to say that these employees are malicious, but
rather that employees are generally unaware of the threat they may be causing.
SolarWinds found that over half of respondents to an independent survey
identified accidental inside breaches as a top security threat (Vicinanzo, 2015). Most
employees simply do not realize that they are causing a data breach. It could be
plugging in a USB drive with malware embedded, clicking an internet link to a malicious
website, opening a malicious document, or other apparently harmless end user
activities. These seemingly benign employee actions are one of the greatest threats to
an organization.
However, not all inside threats are accidental. Many times a disgruntled
employee poses a significant risk to information system security. The United States
Department of Homeland Security announced that the exploitation of business
networks and servers by disgruntled and/or former employees has resulted in several
significant FBI investigations in which individuals used their access to destroy data,
steal proprietary software, obtain customer information, purchase unauthorized goods
and services using customer accounts, and gain a competitive edge at a new company
(Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and
Proprietary Information, 2014). Disgruntled employees can and will steal your data to
give to another company. They can and will sell your secrets. They can and will destroy
your data simply for revenge.
A final type of insider threat is one that may not seem like a threat at all:
misconfigured systems. Radichel (2014) reviewed a 2013 data breach at Target retail
stores resulting in over 40 million credit cards being stolen. Radichel found that the point
of sale system was vulnerable to attacks. Radichel further quoted a Mandiant security
report defining how the reconnaissance revealed misconfigured systems and
vulnerabilities in those misconfigured systems. It is essential to keep software patched,
up to date, properly configured and hardened.
There are a number of different types of external threats. FFIEC IT Examination
Handbook InfoBase Appendix C: Internal and External Threats (n.d.) categorizes
external threats as malicious activity, natural disasters, technical disasters and
pandemics. External threats are any disasters that do not originate from within the
organization. Threats such as fire, hackers, power outages and other disastrous threats
are specific types of external threats.
Pretty much anyone in this day and age has heard of hackers. Hackers are
people who use a variety of attacks to carry out their malicious activities. Hackers can
be good, bad, indifferent or scary (Long, 2012). There are simply many different hacker
profiles that exist.
Long (2012) further classifies hackers into categories. There are hacktivists,
government sponsored hackers, black hat hackers, white hat hackers, grey hat hackers
and insiders. This is quite the gamut of names for what constitutes a hacker.
One of the hacker profiles is hacktivists. Hacktivists are people who hack for a
cause. Thompson (2013) wrote an article about the late co-founder of Reddit, Aaron
Swartz, who committed suicide. Swartz was facing a lengthy prison sentence because
he allegedly hacked into a system and stole academic articles. The prosecutors claim
that Swartz intended to freely distribute these academic articles because he had often
spoken about the importance of making information freely available. Swartz hacked for
a cause: the freedom of information for the public at no cost. Whether Swartz was
justified in what he did or did not do is a matter of opinion, but Swartz was definitely a
hacktivist because he hacked for a cause, regardless of whether the cause was just or unjust.
State, or government, sponsored hackers are a real thing, almost like modern
day James Bonds. Governments often hire state-sponsored hackers in order to find
security holes in their own infrastructure. But often, this type of hacking can enter spy
territory as well (Rashed, 2012). Countries seek hackers to penetrate other countries'
networks and steal data.
Black hat hackers are hackers who illegally break into systems with the intention
of being malicious according to Chandler (2012). Black hat hackers have no intention of
being good when they attempt to penetrate a network. This is a dangerous type of
hacker. Many black hats have turned white hat in later years.
According to Hoffman (2013), white hat hackers are ethical hackers. White hats
use their knowledge of penetrating computer networks for purposes of helping
organizations. They test systems for organizations in order to help strengthen the
security of an organization. White hats can be contracted to legally break into a network,
find flaws and document them so the vulnerabilities can be fixed later by the
organization.
Hoffman (2013) further defines another hacker hat. Gray hat hackers fall in
between white hat and black hat. Just as we have gray areas in ethics of life, so are
there gray areas in the ethics of hacking. A gray hat may compromise a system, but not
for personal gain. The gray hat would compromise a system, then disclose the
information to an organization in an effort to help. The fact that the system was
compromised without permission makes the penetration unethical even if the action
could be arguably ethical.
Insiders are another type of hacker. Many people may not think of themselves
as hackers, but the fact remains that if you have credentials to a system you could
technically be a hacker. Many people are familiar with the Sony hack leading to mass
exposure of the movie The Interview. According to Report (2014), the hack may have
been an inside job. There have been reports that a former employee helped with the
hack on Sony Pictures.
You can mitigate the risk posed by all these hackers. Targeted Cyber Intrusion Detection
and Mitigation Strategies (2013) offer a variety of ways to help mitigate or even prevent
information security events. They recommend preserving data, performing credential
management, network segmentation, increased logging and auditing, access control,
application whitelisting and policies.
According to the Australian Government Initiative (n.d.), training personnel is also
a great way to mitigate attacks. If you teach users how to create strong passwords, be
smart with online activities and create an annual training plan, attacks could be
mitigated by your users. When users know what not to do, cyber security events
become less frequent.
Preserving data is essential when a network has been penetrated (Targeted
Cyber Intrusion Detection and Mitigation Strategies, 2013). If you restart a system,
some data may be lost. It is important to pull log data and live system data before
shutting down a compromised system. Detailed notes and observations should be kept
as they may be used in a criminal investigation. Personnel performing a cyber-incident
response should also avoid making any changes to operating systems or hardware as
this may overwrite information that pertains to the cyber incident.
Setty (n.d.) suggests a variety of methods to manage credentials. Passwords
should have an aging feature with a predetermined minimum and maximum password
age. You should also never store a password on a device or write it down. Setty (n.d.)
further suggests that passwords should have a minimum length enforced and require a
mixture of upper case, lower case, symbols and numbers. Also, system administrators
should be conscientious about their passwords. Admins should choose stronger, more
complex passwords than users.
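The following is an added example, not code from the paper or from Setty, showing how the password rules above can be enforced in one place: minimum length, a required mix of character classes, a minimum and maximum password age, and a stricter tier for administrators. The specific lengths, ages and class counts are assumed values chosen for illustration.

```python
"""Password policy enforcement along the lines Setty (n.d.) suggests.

Added example, not code from the paper or any cited source. The thresholds
(lengths, ages, the stricter administrator tier) are assumed values chosen
for illustration; the paper states the rules but not the numbers.
"""
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int        # minimum length enforced
    min_age_days: int      # a password younger than this may not be changed yet
    max_age_days: int      # a password older than this must be changed
    required_classes: int  # how many of upper/lower/digit/symbol must appear


# Assumed tiers: administrators get a stricter policy than ordinary users.
USER_POLICY = PasswordPolicy(min_length=12, min_age_days=1, max_age_days=90, required_classes=3)
ADMIN_POLICY = PasswordPolicy(min_length=16, min_age_days=1, max_age_days=60, required_classes=4)


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isspace():
            classes.add("symbol")
    return classes


def check_complexity(password, policy):
    """Return a list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(character_classes(password)) < policy.required_classes:
        problems.append(f"fewer than {policy.required_classes} character classes")
    return problems


def aging_status(last_changed, today, policy):
    """Classify a password by age: 'locked' (too young to change), 'ok' or 'expired'."""
    age_days = (today - last_changed).days
    if age_days < policy.min_age_days:
        return "locked"
    if age_days > policy.max_age_days:
        return "expired"
    return "ok"


def evaluate(password, last_changed_iso, today_iso, is_admin=False):
    """Apply the user or admin policy to a password last changed on the given ISO date."""
    policy = ADMIN_POLICY if is_admin else USER_POLICY
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return {
        "complexity": check_complexity(password, policy),
        "age": aging_status(last_changed, today, policy),
    }
```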
Logging capabilities should be enabled in all systems. According to Targeted
Cyber Intrusion Detection and Mitigation Strategies (2013), logging capabilities should
be maximized for firewalls, proxy servers, domain name servers, intrusion detection
systems, packet captures, flow data from routers and switches and host application
logs. It may require a lot of space to keep and maintain these types of logs, so ensure
you have adequate space before implementing these maximized logging capabilities.
Also, it may be important to note that logs require a person to read them. Logs will likely
not do any good without a properly trained person reviewing them.
Another method of mitigating damage caused by attackers is to segment the
network. Network segmentation is the process of separating a large network into
several smaller networks through the use of firewalls, switches and similar devices
(Harris, 2014). By segmenting the network you can make attacking significantly more
difficult, make intrusion detection easier and reduce the amount of data that can be
leaked in the event of a breach.
An organization's applications can also be whitelisted to enhance an
organization's security posture. Whitelisting is the process of allowing only specific
applications to access the internet. You explicitly deny all others from having access
(Targeted Cyber Intrusion Detection and Mitigation Strategies, 2013). By explicitly
denying anything except what is permitted to run in an organization's network, security
is greatly enhanced.
There is a point at which an organization determines what an acceptable level of
risk is. Acceptable risk is determined by the actual risk and cost impact to an
organization. What is acceptable for one organization may not be acceptable for
another organization.
Acceptable risk is determined by management because management
understands the impact to the company if business objectives cannot be met (Harris,
2014). Management needs to rely on the security team because management may not
understand the probability of risk. Once the security team has conveyed the probability
of risk, management can determine if the impact is great enough to warrant securing
against.
If management does not believe the threat is great enough to be worth
securing against, it is known as an acceptable risk. Management makes the
determination that business impact is not severe enough and accepts the chance that
there may be a breach.
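As an added worked example (not from the paper or its sources), the assessment steps described earlier can be carried through in code: impact is records exposed times the $188-per-record figure cited above, each threat is classified by impact, expected loss is weighed against the cost of mitigating, and management's stated risk appetite decides what is accepted. The threats, likelihoods, record counts, mitigation costs, impact thresholds and risk appetite are constructed sample values.

```python
"""Risk evaluation and acceptable-risk decision using the paper's per-record cost.

Added example, not code from the paper or its sources. COST_PER_RECORD is the
Ponemon figure the paper cites; every other number is a constructed sample
value or an assumed threshold that a real assessment would replace.
"""
from dataclasses import dataclass

COST_PER_RECORD = 188  # USD per record stolen (Ponemon 2013, as cited in the paper)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float       # assumed probability the threat materializes in the planning period
    records_exposed: int    # records lost if it does
    mitigation_cost: float  # USD to put the mitigating control in place


def impact(threat):
    """Cost if the threat materializes: records lost times cost per record."""
    return threat.records_exposed * COST_PER_RECORD


def classify_impact(threat):
    """Bucket the impact as low/medium/high (thresholds are assumptions)."""
    value = impact(threat)
    if value < 10_000:
        return "low"
    if value < 100_000:
        return "medium"
    return "high"


def expected_loss(threat):
    """Impact weighted by likelihood; a far-fetched threat scores near zero however large its impact."""
    return threat.likelihood * impact(threat)


def decide(threat, risk_appetite=0.0):
    """Management accepts any expected loss within its risk appetite; otherwise the
    control is worth buying only when the expected loss exceeds the control's cost."""
    loss = expected_loss(threat)
    if loss <= risk_appetite:
        return "accept"
    return "mitigate" if loss > threat.mitigation_cost else "accept"


# Constructed sample register: the 300-employee company from the paper, a customer
# database, and the paper's sharknado as the far-fetched threat.
SAMPLE_REGISTER = [
    Threat("employee records stolen via phishing", 0.25, 300, 5_000),
    Threat("customer database exfiltrated", 0.10, 50_000, 250_000),
    Threat("sharknado destroys data center", 0.0, 50_300, 1_000_000),
]


def evaluate_register(register=SAMPLE_REGISTER, risk_appetite=0.0):
    """Return (name, impact class, rounded expected loss, decision) for each threat."""
    return [
        (t.name, classify_impact(t), round(expected_loss(t)), decide(t, risk_appetite))
        for t in register
    ]
```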
So far we have touched on a lot of information security while thinking of it as a virtual
environment. However, physical security is an integral part of an organization's
information security. After all, if an attacker can walk right into a server room, stick a drive
into a server and extract a company's data, what good is network and server security?
Giannoulis & Northcutt (n.d.) recommend a variety of physical security measures. Server
room protection, workstation protection, building perimeter protection and the immediate
areas around the building are all aspects of physical security to consider when planning
an organization's information security.
Shinder (2007) suggests locking the server room, using lockable server racks
and putting surveillance in place. Access control is also a great security method so you
know which authorized users accessed a server room. Good locks that cannot easily be
broken are essential here. If your locks can be knocked off easily, they are not
protecting much. Locking the server racks is just another layer in case the intruder does
get past the door locks. With surveillance, if anyone does attempt to brute force their
way past your locks, you will have a video of them doing it. Hopefully the intruder will be
identifiable for action by law enforcement.
When securing workstations, it is a good idea to use physical locks, harden the
operating system and BIOS and teach user awareness (Giannoulis & Northcutt, n.d.). Physical
locks can help keep people from stealing the workstations. User awareness teaches
users to ask questions if they see a stranger working on a laptop. Hardening the
operating system and BIOS can prevent unauthorized booting, stealing of data and
malicious software from being loaded onto the workstation via physical access.
The building perimeter defense is also an essential component to the physical
security of information systems. The Physical Security Handbook 440-2-H suggests
physical barriers, fencing, gates, protective lighting, reinforced doors and windows and
security on entry/egress. Fences create a barrier around the building which may make
attempting to pass through inconvenient. Gates allow fences to be passed through by
authorized personnel and create a bottleneck for access. Protective lighting helps
security personnel detect intruders from a distance in the dark or poorly lit areas.
Reinforced doors are more difficult to break into than doors that are not reinforced.
Windows can also be made stronger, preventing would-be intruders from breaking the
glass to enter.
When an external cyber actor attempts to penetrate an organizations network,
they use a very specific and methodic approach. Johansson & Riley (2005) identify the
steps an attacker takes to break into a network as recon and footprinting, network
scanning and enumeration, initial penetration, privilege escalation, maintain access and
cover tracks. These seven steps not only allow the actor to compromise an
organization's network, but also allow the hacker to remain in a network undetected for
a length of time.
Recon and footprinting is the act of looking at a network and probing for
weaknesses (Johansson & Riley, 2005). The hacker may review company websites,
publicly available information and look for executive information to create phishing
attacks during this phase. The first thing the hacker must know is the basics of the
organization and its people. Even things like a mission statement may give an attacker
information that can be used against the organization for penetration.
After the attacker performs recon and footprinting, the actor must perform
scanning and enumeration of the network (Johansson & Riley, 2005). This process
consists of doing things like creating a map of the network devices, internet protocol
addresses, network ranges, domain names, brands of network equipment and servers
as well as operating system information. With this information, the attacker can
determine what types of attacks would be most effective against a network through use
of vulnerability assessment software or other means.
Once an attacker has a plan in mind, based on the information discovered about
the network, the attack will commence. This may be a brute force attack, a phishing
attempt, exploitation of a vulnerability or maybe even a social engineering attempt. This
attack will give the attacker at least basic access into a network (Johansson & Riley, 2005).
The credential stolen may be, and often is, from a low level employee. A low level
employee's credential is enough for the hacker to begin wreaking havoc, though.
The next step for the bad actor is to escalate privileges (Johansson & Riley,
2005). There are a variety of ways to escalate privilege, but the end result is always the
same. The attacker wants root or administrative rights to the network. The hacker wants
to, for all intents and purposes, own the network. The attacker uses the basic credentials
he or she already compromised to further penetrate and dig hooks into a network.
Once the attacker owns the system, he or she will install a variety of malicious
software designed to keep access active (Johansson & Riley, 2005). The attacker may
create another hidden account for themselves to use, install back doors, reduce security
or employ a variety of other methods. The goal is to always have access even if the
system security administrators discover the breach.
The final step of an attacker is to cover their tracks (Johansson & Riley, 2005).
Maintaining access in a system is significantly easier if the attacker is not caught.
Covering tracks also makes prosecution more difficult for law enforcement. The attacker
may delete or modify logs, time stamps and more.
The kinds of malicious software attackers use are vast, but fit into some basic
categories. The malicious software categories are viruses, Trojans, bots, worms,
backdoors, and exploits (What Is the Difference: Viruses, Worms, Trojans, and Bots?).
Viruses are malicious software programs that are designed to make a system
misbehave. They are designed to be destructive and self-replicating. Viruses
propagate from system to system through their host file (What Is the Difference:
Viruses, Worms, Trojans, and Bots?).
Worms are very similar to viruses. They can be just as devastating, and are
self-replicating as well. The major difference between a virus and worm is that a worm does
not require a host file to replicate. Worms may rely on an exploit in an operating system
or send themselves via email (What Is the Difference: Viruses, Worms, Trojans, and
Bots?).
Trojans are malicious software designed to trick an operating system or user into
installing them. The installed Trojan then can do a variety of actions. It may simply
annoy a user or may be much more malicious. Trojans can do a variety of malicious
things under the guise of being legitimate programs (What Is the Difference: Viruses,
Worms, Trojans, and Bots?).
Bots are programs that automatically perform tasks. Bots can be legitimate
pieces of software used to automate mundane tasks or could be used for malicious
intents. A malicious bot installed on a computer may automatically log information and
send it to a server at intervals, or any variety of automated tasks the attacker may want
(What Is the Difference: Viruses, Worms, Trojans, and Bots?).
Backdoors are pretty much as the name says. Usually backdoors are dropped
with Trojans. Older backdoors sat dormant on a system and waited for a connection
from the attacker (What Is the Difference: Viruses, Worms, Trojans, and Bots?).
System administrators became wise to attackers connecting to their backdoors
and started using firewalls to block the connections. Newer more sophisticated
backdoors call out to an attackers internet address trying to connect home. Firewalls did
not block outbound connections as a general rule of thumb (What Is the Difference:
Viruses, Worms, Trojans, and Bots?).
Now security administrators may block the outbound ports. To circumvent
security, developers of backdoors have begun using legitimate ports to make backdoors
look like other legitimate traffic. If a backdoor used port 80, the hypertext transfer
protocol web service, it would blend in with normal traffic. Even if a system admin did
detect the backdoor, they could not block port 80 without blocking everyone's access to
the web (What Is the Difference: Viruses, Worms, Trojans, and Bots?).
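As an added example (not from the paper or its sources) of how a defender can still spot a backdoor that hides on port 80: a backdoor calling home connects at fixed intervals, which human web browsing does not, so the regularity of outbound connections per host and destination gives it away even when the port is unblockable. The log lines are constructed sample firewall records, and their field layout and the thresholds are assumptions.

```python
"""Spotting a call-home backdoor on port 80 by the regularity of its connections.

Added example, not from the paper or its sources. The log is constructed:
each line is timestamp, source host, destination host, destination port, in the
style of an outbound firewall record. One workstation beacons every ~300 s to
one destination; another browses several sites at irregular times.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2015-03-14T09:00:00 10.0.5.21 203.0.113.7 80
2015-03-14T09:00:41 10.0.5.33 198.51.100.4 80
2015-03-14T09:05:00 10.0.5.21 203.0.113.7 80
2015-03-14T09:02:13 10.0.5.33 198.51.100.9 80
2015-03-14T09:10:01 10.0.5.21 203.0.113.7 80
2015-03-14T09:15:00 10.0.5.21 203.0.113.7 80
2015-03-14T09:16:55 10.0.5.33 198.51.100.4 80
2015-03-14T09:20:00 10.0.5.21 203.0.113.7 80
2015-03-14T09:24:30 10.0.5.33 198.51.100.12 80
2015-03-14T09:25:01 10.0.5.21 203.0.113.7 80
"""


def parse_log(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation) for a list of timestamps.

    A machine beaconing on a timer produces near-constant gaps, so the CV is close
    to zero; a person browsing produces widely varying gaps. Fewer than three gaps
    is too little evidence, so None is returned.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_beacons(text, min_connections=4, max_cv=0.1):
    """Return the flows whose connection intervals are regular enough to look like beaconing."""
    suspects = []
    for (src, dst, port), times in parse_log(text).items():
        if len(times) < min_connections:
            continue  # not enough connections to judge regularity
        score = beacon_score(times)
        if score and score[1] <= max_cv:
            suspects.append({
                "src": src, "dst": dst, "port": port,
                "interval_s": round(score[0]), "cv": round(score[1], 3),
            })
    return suspects
```

The same logic runs over any export with those four fields; tune min_connections and max_cv to the network's own baseline before acting on the results.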
There are a variety of defense methods for the plethora of attacks in existence.
There is no panacea or singular defense that can be put in place. Information security
requires a layered approach, like an onion. As each layer is stripped away, the attacker
finds another piece of security. The goal is to make penetration into an organization so
difficult that the attacker will move on to an easier target. Good options for a layered
security approach are antivirus, anti-malware, firewalls, routers, switches and intrusion
detection and prevention systems.
An antivirus is a piece of software designed to detect viruses. Antivirus detects
viruses based on a signature detection method. In other words, it scans files looking for
a portion of the code to match what is known to be a virus. If a virus signature is
matched, the software may quarantine, delete or prompt a user for interaction
(McDowell & Householder, 2009).
Anti-malware is similar to antivirus in that it is a signature based detection
system. The big difference is that antivirus is designed to scan for viruses while
anti-malware scans for other types of malware like Trojans or bots (Henry, 2013).
Firewalls can be either software or hardware. Firewalls block network traffic
based on their configurations. It may be a port configuration, application, internet
protocol or network range. Firewalls can also be used to whitelist, or only allow,
specified traffic to enter or exit a network. While the premise is the same, whitelisting is
configured as if it is allowing the specified traffic, then blocking all other traffic
(Michigan CyberSecurity Hardware Firewall vs Software Firewall).
Hardware firewalls are used more for perimeter network defense and
demilitarized zones. Software firewalls are generally used on end points such as
workstations. Hardware firewalls protect entire networks. They can also be used to
enhance security when a resource must be externally facing, but require access to an
internal server such as a database (Michigan CyberSecurity Hardware Firewall vs
Software Firewall).
Routers can be configured to enhance security as well. An administrator can
manually create certain routes to networks. If the network does not have a route, traffic
can never access it. This allows an administrator to set up internal networks that never
face the external internet, which increases security (Network Security Features for the
Enterprise Headquarters).
Switches have layer 2 security abilities. Switches can be locked down based on
MAC addresses and switch ports (Bhaihi, 2005). If an unauthorized machine
even connects to a network, the port would be shut down, preventing the would-be
attacker from even getting access to the network.
Intrusion detection systems are nodes that can be placed throughout the
network. An intrusion detection system could be placed at the entry/egress point of a
network to capture all data, or at individual subnetted networks (Scarfone & Mell,
2007).
By placing an intrusion detection system at the entry/egress point of a network, an
administrator will create a lot of work, because the logs must be reviewed by a person
(Scarfone & Mell, 2007). Placing an intrusion detection system at the external point of
the network creates massive logs that may become unmanageable.
Placing intrusion detection systems at various points for individual networks or
network segments still requires a lot of work, but is easier for an administrator to read
(Scarfone & Mell, 2007). As the number of intrusion detection nodes increases, so does
the need for additional administrators.
Intrusion prevention systems work very similarly to intrusion detection systems.
The big difference is that intrusion prevention systems will actively drop network packets
the system determines to be malicious (Scarfone & Mell, 2007). The caveat with
intrusion prevention systems is that they must be tuned or they will drop legitimate traffic.
If legitimate traffic is being dropped by a prevention system, the organization's
productivity will suffer.
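Added example, not from the paper, covering both the detection-system discussion and the prevention-system caveat above: one signature is run in detection mode (alert but forward everything, leaving the log for a person to review) and in prevention mode (drop inline), first untuned and then tuned so that internal administrators' SSH sessions are no longer dropped. The log lines, addresses and rule are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed connection log as a sensor might record it (not real traffic).
# Internal admins at 10.1.1.20 use SSH to manage the server at 10.1.1.5.
SAMPLE_LOG = """\
2015-03-14T10:00:01 src=10.1.1.20 dst=10.1.1.5 dport=22 bytes=512
2015-03-14T10:00:02 src=198.51.100.9 dst=10.1.1.5 dport=22 bytes=64
2015-03-14T10:00:03 src=10.1.1.20 dst=10.1.1.5 dport=22 bytes=480
2015-03-14T10:00:04 src=10.1.1.20 dst=10.1.1.5 dport=22 bytes=600
2015-03-14T10:00:05 src=198.51.100.9 dst=10.1.1.5 dport=445 bytes=64
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
INTERNAL = ip_network("10.0.0.0/8")   # constructed internal range

def parse(line):
    """Pull source, destination and destination port out of one log line."""
    m = LINE_RE.search(line)
    return {"src": ip_address(m.group(1)),
            "dst": ip_address(m.group(2)),
            "dport": int(m.group(3))}

# Two versions of the same signature ("SSH to the server"). The untuned rule
# fires on every SSH connection; the tuned one excludes the internal range.
def untuned_rule(ev):
    return ev["dport"] == 22

def tuned_rule(ev):
    return ev["dport"] == 22 and ev["src"] not in INTERNAL

def process(log, rule, mode):
    """mode="ids": raise an alert but forward every packet for a person to review.
    mode="ips": drop inline whatever the rule flags. Returns (forwarded, flagged)."""
    forwarded, flagged = [], []
    for line in log.splitlines():
        if rule(parse(line)):
            flagged.append(line)
            if mode == "ips":
                continue  # dropped; never reaches the destination host
        forwarded.append(line)
    return forwarded, flagged

def admin_sessions_blocked(log, rule):
    """Count legitimate internal SSH sessions an IPS running `rule` would drop."""
    _, dropped = process(log, rule, "ips")
    return sum(1 for line in dropped if parse(line)["src"] in INTERNAL)
```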
There are a variety of industry compliance bodies that dictate a minimum
standard of information security that must be met by the organizations they cover.
Two major industry compliance standards are the Payment Card Industry (PCI) standard
and the Health Insurance Portability and Accountability Act (HIPAA). These two data
compliance standards are required for a large portion of businesses in the United States.
Payment Card Industry certification is required of any merchant or organization
that accepts, transmits or stores any cardholder data (PCI Compliance Guide). If an
organization plans on accepting even one credit card, it must meet Payment Card
Industry compliance. If the organization does not meet Payment Card Industry compliance,
the organization could be subject to fines.
The Health Insurance Portability and Accountability Act dictates the security
required of health care providers (Summary of the HIPAA Security Rule). It is
designed to keep confidential patient data secure. Any organization in the health
industry must follow the Health Insurance Portability and Accountability Act.
In addition to industry compliance requirements, there are also laws that
organizations are required to follow. These laws dictate how data and information
systems are handled in the United States.
The Homeland Security Act of 2002 was enacted in an effort to prevent terrorist
attacks in the United States. The act is supposed to mitigate damages and minimize
vulnerability to the United States and its citizens (Fischer, 2013). The Homeland
Security Act also applies vaguely to technology as terrorists could use technology to
wreak havoc on the United States.
Another act introduced in 2002 was the Federal Information Security
Management Act (FISMA). This act was signed into law as legislation that protects
United States government information and assets against threats (Fischer, 2013). The
act seeks to be an overarching, all-encompassing act for government information
security.
In 1999 the Gramm-Leach-Bliley Act (GLBA) was introduced. The GLBA was an
attempt to control how financial institutions protect and use the private information of
their clients (Fischer, 2013). Financial institutions were beginning to use information
technology more widely, thus creating the need for law to govern how the financial
institutions used and transmitted personal information.
Another act, introduced in 1994, was the Communications Assistance for Law
Enforcement Act (CALEA). This act forced telephone companies to redesign their
networks in order to make it easier for law enforcement to listen in on the wire (Fischer,
2013). The act was redesigned in 2004 to apply to communications over the internet
and voice over internet protocol systems as well.
The Department of Defense Appropriations Act was enacted in 1987. This act
was designed to give the United States military the authority it needed to undertake
military operations (Fischer, 2013). As information technology became more widely
utilized, the act started to apply to methods of cyber warfare as well.
The High Performance Computing Act, enacted in 1991, gave the funds needed to
create a major internet network (Fischer, 2013). It allowed for faster internet speeds,
fuelling economic growth, education and more. The creation of faster internet became
known as the information superhighway.
The Privacy Act of 1974 has been invoked in numerous industries, and it applies to
technology as well. The Privacy Act of 1974 governs the collection, maintenance and
use of private information (Fischer, 2013). This act was significant because it created
accountability for the private information citizens are required to give out.
The E-Government Act of 2002 provided a framework for information security to
federal computer networks and systems (Fischer, 2013). The act established a
minimum requirement that had to be adhered to for government agencies.
In the information age, when attackers are relentlessly pounding on organizational
information security, well-informed organizations will emerge victorious. Armed with a
variety of tools, organizations will be able to stand up to cyber bullies threatening to
steal data or cripple the organization. Understanding the risks, processes and
methodologies of attackers, how to mitigate the attacks and the specific laws governing
the information age will put an organization on top.
References
2013 Cost of Data Breach: Global Analysis. (2013, May 1). Retrieved January 30, 2015.
Baumann, R. (2002, November 24). Ethical Hacking. Retrieved February 9, 2015.
Bayuk, J. (2009, June 16). How to Write an Information Security Policy. Retrieved
February 10, 2015.
Bhaiji, Y. (2005, January 1). Layer 2 Attacks & Mitigation Techniques. Retrieved
February 10, 2015.
Business Owners. (n.d.). Retrieved February 9, 2015, from
http://www.staysmartonline.gov.au/business_owners
Chandler, G. (2012, May 8). Top 10 Notorious Black Hat Hackers. Retrieved February
24, 2015.
CIP Compliance. (n.d.). Retrieved February 10, 2015, from
http://www.nerc.com/pa/CI/Comp/Pages/default.aspx
Coleman, T. (2014, May 10). Cybersecurity Threats Include Employees. Retrieved
February 9, 2015.
Data Governance Risk: Challenges in Information Security. (n.d.). Retrieved February 9,
2015, from http://webdocs.stern.nyu.edu/old_web/emplibrary/Stiglianese_Data_Governance_and_Operational_Risk_Calculation_SLIDESHOW.pdf
Fischer, E. (2013, June 20). Federal Laws Relating to Cybersecurity: Overview and
Discussion of proposed Revisions. Retrieved January 30, 2015.
Giannoulis, P., & Northcutt, S. (n.d.). Security Laboratory. Retrieved February 9, 2015.
Grimes, R. (2013, September 30). 7 sneak attacks used by today's most devious
hackers. Retrieved February 10, 2015.
Harris, S. (2006, April 1). How to define an acceptable level of risk. Retrieved February
9, 2015.
Harrison, R. (2014, June 6). Network Segmentation Key To Good Network Hygiene -
Network Computing. Retrieved February 26, 2015.
Henry, A. (2013, August 21). The Difference Between Antivirus and Anti-Malware (and
Which to Use). Retrieved February 10, 2015.
Hoffman, C. (2013, April 20). Hacker Hat Colors Explained: Black Hats, White Hats, and
Gray Hats. Retrieved February 24, 2015.
Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and
Proprietary Information. (2014, September 23). Retrieved February 9, 2015.
Information Technology Services. (n.d.). Retrieved February 9, 2015, from
http://www.ucop.edu/information-technology-services/initiatives/resources-and-tools/security-incident-handling.html
Johansson, J., & Riley, S. (2005). Anatomy of a Hack. In Protect your Windows
network: From perimeter to data (p. 608). Upper Saddle River, NJ: Addison-Wesley.
Johnson, M., & Goetz, E. (2007, May/June). Embedding Information Security Into the
Organization. IEEE Security & Privacy, 16-24.
Jones, P. (2000, July 1). Organizational Information Security from Scratch. Retrieved
February 9, 2015.
Khan, M. (2014). Effectiveness of Detective and Preventative Information Security
Controls in Information Systems Organizations. Canadian Journal of Pure &
Applied Sciences, 8(3), 3125-3129.
Long, L. (2012, January 26). Profiling Hackers. Retrieved February 9, 2015.
McDowell, M., & Householder, A. (2009). Security Tip (ST04-005). Retrieved February
10, 2015.
Michigan CyberSecurity - Hardware Firewall vs Software Firewall. (n.d.). Retrieved
February 10, 2015, from http://www.michigan.gov/cybersecurity/0,4557,7-217-108698--,00.html
Network Security Features for the Enterprise Headquarters. (n.d.). Retrieved February
10, 2015, from http://www.cisco.com/c/en/us/products/collateral/routers/7301-router/product_data_sheet0900aecd802c982b.html
Payment Card Industry (PCI) Data Security Standard. (2013, November 1). Retrieved
February 10, 2015, from
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
PCI Compliance Guide. (n.d.). Retrieved February 28, 2015, from
https://www.pcicomplianceguide.org/pci-faqs-2/#2
Pelgrin, W. (2015, January 1). 2015 Cyber Security Outlook. Monthly Security Tips
Newsletter, 1-2.
Physical Security Handbook 440-2-H. (2013, January 13). Retrieved February 27, 2015.
Protect Your Computer From Viruses, Hackers, and Spies. (n.d.). Retrieved February 9,
2015, from http://oag.ca.gov/privacy/facts/online-privacy/protect-your-computer
Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented
Target Breach. Retrieved February 9, 2015.
Rashed, T. (2012, April 18). State Sponsored Hacking and Cyber Security Policy.
Retrieved February 24, 2015.
Renfroe, N., & Smith, J. (2014, August 18). Threat/Vulnerability Assessments and Risk
Analysis. Retrieved February 9, 2015.
Report, P. (2014, December 30). New evidence Sony hack was 'inside' job, not North
Korea. Retrieved February 24, 2015.
Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems
(IDPS): Recommendations of the National Institute of Standards and
Technology. NIST Special Publication, 800(94), 1-127. Retrieved February 10,
2015.
Setty, H. (n.d.). System Administrator Security Best Practices. Retrieved February 24,
2015, from http://www.sans.org/reading-room/whitepapers/bestprac/system-administrator-security-practices-657
Shinder, D. (2007, July 16). 10 Physical Security Measures Every Organization Should
Take. Retrieved February 27, 2015.
Summary of the HIPAA Security Rule. (n.d.). Retrieved February 10, 2015, from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Targeted Cyber Intrusion Detection and Mitigation Strategies (Update B). (2013,
February 6). Retrieved February 9, 2015.
Thompson, C. (2013, January 18). Hacktivism: Civil Disobedience or Cyber Crime?
Retrieved February 24, 2015.
Vicinanzo, A. (2015, January 26). DHS Accidental Insider Top Threat to Federal
Cybersecurity, SolarWinds Finds. Retrieved February 9, 2015.
Walters, R. (2014, October 27). Cyber Attacks on U.S. Companies in 2014. Issue Brief,
4289, 1-5. Retrieved February 9, 2015.
What Is the Difference: Viruses, Worms, Trojans, and Bots? (n.d.). Retrieved February
10, 2015, from http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html
Zients, J., Kundra, V., & Schmidt, H. (2010, April 21). Memorandum for Heads of
Executive Departments and Agencies. Retrieved February 10, 2015, from
http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf