Page 1: Operational CyberSecurity Final Case Report

UNIVERSITY OF DALLAS

Final Case Analysis Final Report for Operational Cyber Security

James Konderla & John Sand

4/15/2015

This is a final report for Dr. Sandra Blanke’s CYBS 7350: Operational CyberSecurity class in the spring of 2015 at the University of Dallas’ Satish and Yasmin Gupta College of Business. This report is an analysis of 16 cases which were previously analyzed as a midterm project by James Konderla and John Sand.

Final Case Analysis

Table of Contents

Executive Summary

Part 1: Categorization of Breaches

Part 2: Controls and Risk Management
    Classification of Data
    Impact of Data Exposure
    Data Encryption and Protection
    Access Controls
    Risk Management Framework and IT Governance

Part 3: Recommendations by Breach Category
    Breaches from Hacking
        Network Segmentation
        Patching Servers and Workstations
        Implementing Vulnerability Scanning
        Implementing Application Scanning
        Standardization of Architecture and Platforms
        Implementing Single Sign On

Conclusion

Bibliography

Executive Summary

This paper will review selected security breaches and incidents between 2012 and 2014. The known details regarding the causes of these breaches were reviewed in earlier papers and will be briefly noted here. The purpose of this paper is to explore different strategies and controls that would have mitigated or stopped the incidents covered.

There are many attack vectors and methods available to hackers attempting to breach the defenses of an organization. To add to the problem, not only are there countless old ways to illicitly break into systems, but new methods and techniques are constantly being tested and developed. Businesses and organizations are trying to ensure the confidentiality, integrity, and availability of their computing and data assets. To have any chance of achieving this objective, a disciplined, systematic approach is essential. We will walk through the steps involved in recognizing what should be protected, adopting a framework for protection, and the specific strategies and measures that can be taken to lower risk. To begin, there will be a review of 16 breaches; although the breaches discussed fall into only three types, the mitigations reviewed in the paper will be applicable to a wide range of problems.

The first step in protecting assets is to understand what is important: data. Classification methods and strategies will be reviewed, encryption strategies for different platforms and locations will be explored, and approaches for determining who can access data and how that access will be granted and maintained will be discussed. The section will end with a brief review of a risk management framework and an overall IT governance strategy, coupled with the physical protection of assets.

The last section will review some specific measures and actions that can deter, prevent, or lessen the impact of a breach. The focus of this section will be on attacks by hacking, as most of the 16 losses in this paper were caused by different hacks. Finally, the conclusion will give a brief summary of the lessons learned in the exercise and opinions on some of the best approaches.

Part 1: Categorization of Breaches

In understanding the issues it is useful to classify data breaches by the type of breach. One such methodology is proposed by the Privacy Rights Clearinghouse. That organization divides the types of data disclosure into seven broad categories:

1. Unintended disclosure - Data is accidentally released by the controlling entity.

2. Hacking or Malware - A flaw in the entity’s information technology architecture allows unauthorized access.

3. Payment card fraud - Payment card fraud that does not result from a hacking or malware exploit.

4. Insider - Data is stolen by someone with access from inside the organization.

5. Physical loss - The loss or mishandling of non-electronic records.

6. Portable device - Data lost or stolen from portable devices such as laptops or smart phones.

7. Stationary device - A stolen or mishandled stationary device such as a server.

This section will examine the sixteen breaches, the type of each breach, and the data that was disclosed. A summary of the data can be found in the table below.

Based on the classification of the Privacy Rights Clearinghouse, of the sixteen companies studied, twelve were the victims of some type of hack or failure of the computer system. One company, Coca Cola, was the victim of the physical theft of computing assets, two were targets of payment card exploits, and one was breached by an unknown method.

As for the types of data compromised, five companies lost PCI data. Some loss occurred because the information was not stored in a secure manner (as in the case of Stratfor); in other instances, the attackers managed to siphon off the information by inserting themselves into the communications stream. Financial and personal data was obtained in seven of the attacks. Passwords and/or email addresses were targeted in three of the exploits, presumably because they were the only thing that could be stolen.

Presumably, most of the attacks occurred with the motive of financial gain and resulted in credit card information and even files containing password hashes being put up for sale. The attack on Stratfor is one that appears to have been motivated by ideology, making it unique on our list.

Part 2: Controls and Risk Management

As can be seen from the initial case analyses and the numerous articles on these specific breaches, it is no simple matter to contain a breach once it has occurred. In fact, the cost of a breach, both financial and social, is so great that the only sensible course of action is to mitigate the threat to a company’s infrastructure as much as possible. In order to mitigate that threat, though, several steps must first be performed:

1.) Classify the company’s data

2.) Using the data classification scheme, identify the financial impact for each category of data in the event of a breach

3.) Encrypt data based on the data classification scheme

4.) Implement access controls based on the least privilege principle

5.) Implement a risk management framework based on industry best practices

In this section of our paper we will focus on each of the above steps before moving on, in Part 3, to identifying specific controls to implement for each breach.

Classification of Data

After looking at several data classification standards we have determined that the data classification policy that best fits these 16 companies is the ISO/IEC 27001:2005 A.7.2.1 Information Classification Policy (ISO, 2005). This policy separates data into 4 categories and provides descriptions and examples of the type of data that may be included in a particular category. The figure below shows the classification levels as well as a description of each.

Figure 1, ISO/IEC 27001 Data Classification Policy

As can be seen from the above figure, this data classification policy provides a baseline for most publicly-traded or privately owned companies but is just that: a baseline. With that said, we found that the classification can be used as supplied to provide an initial classification of almost all company data.

Impact of Data Exposure

Now that we have classified a company’s data, we can move on to determining the financial impact of each category’s exposure or theft in the event of a breach. As each company and breach is different, it is almost impossible to quantify an exact dollar amount associated with each data classification level, but it is a simple matter to define the risk level of each. With that in mind, the following basic risk levels have been identified and can be matched to most breaches:

• Low Risk – This level applies to data that, when exposed, presents a low risk to the affected individuals. Examples include the exposure of product brochures or archived financial reports that were previously made publicly available. The monetary amount associated with this risk is relatively negligible.

• Medium Risk – This level applies to data that, when exposed, could be dangerous to the affected parties, either as a future attack vector or by presenting a risk to company assets/personnel. Examples include passwords and corporate security procedures, organizational data such as salary or organizational chart data, or basic product information that has not yet been publicly published. The monetary amount associated with this risk can be moderate to severe depending on the impacted data and may include federal, state or civil and criminal penalties.

• High Risk – This level applies to data that, when exposed, not only could be dangerous to affected parties but could place the company at risk of large monetary fines, legal retribution, or loss of market position. Examples include leaked trade secrets, client proposals on current or future contracts, or accounting and financial data that has not been publicly released. The monetary impact associated with this risk is usually severe and can result in loss of business, civil and criminal penalties, federal and state fines and/or a combination of many other punishments.

These risk levels, though, apply to both the customer and the company itself. To account for both it is necessary to assess the risk of each separately, which we have done in the following chart.

Information Category         Company Risk Level   Customer Risk Level
Unclassified Public Data     Low                  Low
Proprietary Data             Medium               Medium
Client Confidential Data     High                 Low
Company Confidential Data    High                 High

Table 1, Risk level by Category and Affected Party

As can be seen from Table 1, the risk levels for the company and the customer can differ greatly, yet they are the same for proprietary and company confidential data, which can affect the company’s market standing or expose the customer to an unnecessary level of risk, financial or otherwise.

Data Encryption and Protection

Classification of data is the key to securing many systems, especially those of high impact to the company and the customer. It is important to note, though, that classifying data does not by itself secure the data; instead, it acts as a guide for which data to secure. Some may argue that all data a company houses must be secured and, to a degree, they are correct; in the real corporate world, though, things cost money and only data at the highest risk levels may be seriously considered in a company’s security plans.

Depending on the type of data housed, a company may even be required to secure data according to certain guidelines. In fact, several standards such as HIPAA and PCI require that payment card and health information, as well as personally identifiable information, be encrypted so that, even after exposure, the data is hard or even impossible to decipher. Recent events, such as the Coca Cola data breach (Coca Cola, 2014), show that even a single machine can be compromised off-premise and its data stolen. For this paper, though, we would like to focus on both situations and provide a 2-pronged method of protecting data that is already in use by many Fortune 50 companies today:

1.) Encryption of High-Risk Databases and Systems – Using an industry standard algorithm, it is highly recommended that, in addition to data that is legally required to be encrypted, all data that has a high level of risk to the business and/or the customer be encrypted at its source. In addition, it is recommended that systems that store such data be encrypted with a software-based encryption product such as McAfee’s or Symantec’s corporate encryption offerings.

2.) Encryption of all Mobile Systems – Once a system leaves a facility it becomes impossible to properly secure its data. In fact, this becomes the easiest type of theft because of the quick turnaround: stealing the system is the hardest part, but cloning a hard drive and dumping the system can be done in as little as an hour (depending on drive size). According to a Symantec article (Symantec, 2014), data theft accounts for 80% of the cost of a stolen machine, with the average total cost being over $49,000. By encrypting a system with software- or hardware-based encryption, a company can save hundreds of thousands of dollars a year by making the data almost unreadable in the event of a theft, with some software even offering a “remote wipe” capability.

Used together, these two major data encryption methods can protect corporate data, reducing not only the number of thefts (by discouraging thieves) but also the damage from a theft, by obscuring the data and making it practically useless. Of course we only recommend this for high risk systems, as any type of encryption comes with a slight performance hit (though in most cases this is negligible).

Access Controls

Now that we have classified the data and the impact of each classification’s exposure, we can focus on one of the most important areas of controls and risk management: access controls. There are many access control schemes, but the most applicable to all companies in this report is Role Based Access Control, or RBAC. RBAC uses an individual’s role in the organization to determine the access level needed for the individual to complete their job, while also ensuring that each individual is granted only the access needed for their roles and nothing else. This stops individuals from using their access on systems that are not required for their job and roles within the company by enforcing the “least privilege” principle. In a recent article (TechRepublic, 2013), Dominic Vogel listed three basic steps for implementing the least privilege principle, the second of which was to use role based access methods. According to the National Institute of Standards and Technology (NIST, 1992) there are three rules each role must have. Though the article has aged, these rules still hold true:

1. Role Assignment – a user can only execute a transaction/query if the user has been assigned a role, not counting the initial identification and authentication process.

2. Role Authorization – a user’s active role/ID must be authorized for the transaction/query they are attempting to make.

3. Transaction Authorization – a user can execute a transaction/query only if the transaction/query is authorized for the user’s current role.

This framework provides a three-pronged approach to delivering Role Based Access Controls: a user must have a role, they can only access the roles they are authorized for, and they are further only able to use the transactions that their role is authorized for. This approach eliminates the need for granting specific users access and instead focuses on grouping access into a role and assigning users to roles, making both user management and access management easier and more robust. By combining RBAC with the principle of least privilege we can also enforce separation of duties more easily, applying group or role-based access according to the user’s job and/or department in the company WITHOUT giving the user access to tools their subordinates or colleagues in other departments may have, as the user’s current job does not require such access.
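As an added example, not part of the original paper, the following Python models the three NIST rules above as three ordered checks and adds the separation-of-duties constraint the paragraph describes; the roles (ap_clerk, ap_approver, helpdesk), users and transactions are hypothetical.

```python
"""Minimal RBAC decision point enforcing the three NIST rules quoted in the text.
Roles, users and transactions are constructed for illustration only."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    # role -> transactions that role is authorized to perform (rule 3)
    role_transactions: dict[str, set[str]] = field(default_factory=dict)
    # user -> roles the user has been assigned (rules 1 and 2)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # pairs of roles one person may never hold together (separation of duties)
    exclusive_roles: set[frozenset[str]] = field(default_factory=set)

    def assign_role(self, user: str, role: str) -> None:
        """Grant a role, refusing any assignment that breaks separation of duties."""
        if role not in self.role_transactions:
            raise ValueError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for pair in self.exclusive_roles:
            conflict = held & (pair - {role})
            if role in pair and conflict:
                raise ValueError(
                    f"separation of duties: {user} cannot hold {role!r} "
                    f"together with {sorted(conflict)}")
        held.add(role)

    def can_execute(self, user: str, active_role: str, transaction: str) -> tuple[bool, str]:
        """Decide one request; the reason string names the rule that failed."""
        # Rule 1, role assignment: a user with no role executes nothing.
        if not self.user_roles.get(user):
            return False, "rule 1: user has no assigned role"
        # Rule 2, role authorization: the active role must be one the user holds.
        if active_role not in self.user_roles[user]:
            return False, "rule 2: active role not authorized for user"
        # Rule 3, transaction authorization: the role must be allowed the transaction.
        if transaction not in self.role_transactions.get(active_role, set()):
            return False, "rule 3: transaction not authorized for role"
        return True, "allowed"


def build_demo_policy() -> RbacPolicy:
    """Constructed accounts-payable scenario (hypothetical roles and users)."""
    policy = RbacPolicy(
        role_transactions={
            "ap_clerk": {"create_invoice", "view_invoice"},
            "ap_approver": {"approve_invoice", "view_invoice"},
            "helpdesk": {"reset_password"},
        },
        # Whoever enters an invoice must never be the one who approves it.
        exclusive_roles={frozenset({"ap_clerk", "ap_approver"})},
    )
    policy.assign_role("alice", "ap_clerk")
    policy.assign_role("bob", "ap_approver")
    policy.assign_role("bob", "helpdesk")
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    for req in [("alice", "ap_clerk", "create_invoice"),
                ("alice", "ap_clerk", "approve_invoice"),
                ("alice", "ap_approver", "approve_invoice"),
                ("carol", "ap_clerk", "view_invoice")]:
        print(req, "->", p.can_execute(*req))
```

Each denial names the rule that blocked it, which is the detail an audit log of access decisions should carry.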

Risk Management Framework and IT Governance

The last topic of discussion for this part of the paper is often overlooked but can mean the difference between stopping a threat as it happens and discovering a threat after the fact: the risk management framework. Many companies have IT departments that are very adept at handling risks, but without declaring a formal risk management framework a company risks mishandling incidents due to a lack of uniformity in the handling of different kinds of risks. Additionally, a company not only becomes unable to fully utilize best practices and industry standards but also runs the risk of being unable to declare to stakeholders and/or shareholders that IT governance has been fully applied in the course of both everyday procedures and incident investigations. In the course of our studies we have come to realize that there is one framework that stands above the rest for general usage but can also be applied to specific usages: the COBIT framework (ISACA, 2012).

Figure 2, The COBIT Framework

As can be seen above, the COBIT framework has IT governance at its core, giving company executives a clear picture of the 5 areas they need to focus on in order to properly govern both the IT organization and risks. The best approach for using and understanding the COBIT framework is to start with strategic alignment and follow the illustration clockwise. That being said, first a company must ensure strategic alignment, focusing on linking business and IT plans to ensure not only that the value proposition of IT is validated but that IT operations are fully aligned with the business. Next, IT specifically must focus on value delivery, ensuring that promised services are delivered in a cost effective manner while also optimizing the costs of IT operations. The third focus area for the COBIT framework is resource management, which not only focuses on managing current resources, including applications, information, infrastructure and people, but also on optimizing these resources to ensure that they are properly utilized.

Once IT and the company are strategically aligned with a focus on value delivery and resource management, the company can then move on to risk management. This should be handled at the highest levels and cascade down to ensure compliance and understanding, but this process must also flow in reverse: transparency about risks at all levels of the enterprise should be seen and understood by everyone. Once all of these areas have been properly addressed, the company can then move on to performance measurement, ensuring that the risk management framework has been properly implemented by tracking and monitoring project completion, resource usage, process performance and service delivery. One example of monitoring this performance is the use of actionable and achievable goals through the use of SMART objectives (Learn Marketing, 2015). By combining these five areas with IT governance a company can effectively manage risks at every level of the organization while remaining transparent to shareholders and employees as well.

Physical Security

Physical security is the last focus of this part of our paper and is often overlooked in many enterprises. Physical security pertains not only to the physical securing of a company’s facility, but to a company’s resources and personnel as well. As a 2008 article states: ‘many businesses have confidently installed a full complement of data-security measures only to have a thief walk through the door and steal the server’ (ITSecurity.com, 2008). This statement holds true for every company and especially for some of those covered in this paper. Even inside a facility a disgruntled employee can steal staplers, flash drives, or even laptops and may go unnoticed due to a lack of security controls. There are several basic steps that can be taken to fully secure IT resources:

• Use rack-mounted equipment: Using rack mounted equipment not only saves space but allows IT personnel to easily secure and centralize equipment.

• Lock down portable devices: Lock USB drives away and, depending on the device, use key locks (such as the Kensington lock) to lock down equipment where possible.

• Close off open ports: Especially in lobbies and unsecured areas, LAN drops and wireless access should always be restricted. Where internet usage is needed, these ports should be segregated from the rest of the network using a different subnet, without LAN traversal to the main network being allowed.

• Secure workstations: Workstations and non-portable equipment, especially in public or reception areas, should be locked down physically as well as being segregated from critical infrastructure where possible.

• Lock down printers: Printers are often overlooked but can be the source of a breach in an otherwise very secure network. Often printer LAN ports are assumed to be secure (reason being: who would want to wire their laptop into a printer port?) but the exact opposite is true. Printer ports should be restricted to printers only and should be on a separate network that identifies devices (printers, laptops, etc.) and responds to traffic requests accordingly.

• Surveillance equipment: Most companies have surveillance equipment but it is not always monitored 24/7. There should always be monitoring of this equipment, especially at exit, entrance, dock and any other doors or areas that can lead to external facility access.

• Lock down workstations: Many employees leave their desks for only a moment to get coffee, chat with coworkers, pick up printouts or have a quick meeting, but leave their workstations unlocked. Through methods such as group policy a workstation can be forced to lock itself after a certain amount of idle time, keeping an attacker from using another employee’s credentials to access resources they are not authorized for.

• Lock doors: Many offices have locks and many organizations secure their entrance and exit ways, but these same organizations often leave office doors unlocked. All employees with door locks should lock their doors to ensure that the contents of their office are both secure and inaccessible to any attackers.

• Equipment management logs: Where servers and systems have access logs, so too should equipment rooms and storage cabinets. Every employee should sign in/out any resources they have taken from an equipment room in order to provide tracking and enforcement of equipment usage policies.

Of course there are many more physical security procedures that can be followed, but at a minimum all of the above physical security policies should be put into place in addition to a corporation’s current physical security policies, to ensure that resources are securely and effectively accessed while minimizing possible attack vectors.

Part 3: Recommended Security Components

Of the sixteen cases presented in this study, twelve were perpetrated by some form of system hack. There is no one type of exploit that is easily corrected by controls, and the recommendations for these issues encompass a wide range of actions. We have identified the following 6 actions that can mitigate these risks and should be recommended for all companies, whether covered in this analysis or not:

• Network Segmentation

• Patching Servers and Workstations

• Implementing a Vulnerability Scanner

• Implementing Application Scanning

• Standardization of Architectures and Platforms

• Implementation of Single Sign-On (SSO)

In the following sections we will cover each of these recommendations in depth.

Network Segmentation

One of the first decisions to make when enhancing security is the practicality or desirability of segmenting networks into functional areas. For some smaller companies this action may not be practical because of administrative or size issues. For large businesses, network segregation is an extremely powerful preventive control.

The type and extent of segmentation will depend on the nature of a business. One approach, recommended by Reuven Harrison in an article in Network Computing (2014), suggests using business drivers to define network zones based on compliance mandates like the Payment Card Industry Data Security Standard, along with other business or industry mandates (Harrison, 2014). For example, telecommunications companies often have control networks separate from the networks that handle customer traffic. One network controls the routers and switches that handle customer communications, while a separate network carries the actual customer traffic. Access to each network is separated and granted to different groups. A large law firm or investment bank might need to separate networks based on the type of clients served, to minimize the chance of any conflict of interest arising from improper access to client data.

If a company’s infrastructure is breached, network segmentation should make it much more difficult for any attacker to get unfettered access to resources across an enterprise. For example, one criticism levelled at Target was that their networks were improperly segregated. Jaikumar Vijayan, writing in Computerworld, noted that the real damage was done because Target’s network had no proper segmentation (Vijayan, 2014).
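As an added example, not part of the original paper, the following Python expresses the zone model described here (a PCI zone, the corporate LAN, and the isolated guest subnet from the "close off open ports" item in the physical security list) as a default-deny allow list and audits a constructed firewall log for accepted flows that the policy does not permit; the zones, addresses and log lines are all constructed.

```python
"""Audit accepted flows against a zone-based segmentation policy.
Zones, addresses and the flow log are constructed; none refer to a real network."""
from __future__ import annotations
import ipaddress

# Zones modelled on the text: a PCI zone, the corporate LAN, a guest/lobby subnet
# (no LAN traversal to the main network) and everything else as "internet".
ZONES = {
    "pci": ipaddress.ip_network("10.10.0.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/16"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Explicit allow list of (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is denied by default.
ALLOW = {
    ("corp", "pci", 443),        # corp applications reach the PCI web tier only
    ("corp", "internet", 80),
    ("corp", "internet", 443),
    ("guest", "internet", 80),   # guests get web access and nothing else
    ("guest", "internet", 443),
}


def zone_of(ip: str) -> str:
    """Longest-prefix match, so 0.0.0.0/0 only catches addresses in no other zone."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def policy_allows(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Segmentation only constrains cross-zone traffic; same-zone flows pass."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, dst_port) in ALLOW


# Constructed firewall log: timestamp, src, dst, dst port, action the device took.
FLOW_LOG = """\
2015-04-01T10:00:01 10.20.3.14 10.10.0.5 443 ACCEPT
2015-04-01T10:00:02 192.168.50.7 203.0.113.10 443 ACCEPT
2015-04-01T10:00:03 192.168.50.7 10.20.3.14 445 ACCEPT
2015-04-01T10:00:04 10.20.3.14 10.10.0.5 1433 ACCEPT
2015-04-01T10:00:05 10.10.0.5 203.0.113.10 443 DENY
"""


def audit_flow_log(text: str) -> list[str]:
    """Return accepted flows that the policy says should not have been allowed."""
    violations = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        if action == "ACCEPT" and not policy_allows(src, dst, int(port)):
            violations.append(f"{ts} {zone_of(src)}->{zone_of(dst)} {src}->{dst}:{port}")
    return violations


if __name__ == "__main__":
    for v in audit_flow_log(FLOW_LOG):
        print("segmentation gap:", v)
```

The two flagged flows (guest reaching an SMB port on the corporate LAN, and corp reaching a database port in the PCI zone) are exactly the paths that segmentation is meant to close.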

Patching Servers and Workstations

An important part of preventative control measures is to have scheduled patching implemented for every server and workstation in an enterprise. The schedules will depend on the types of software used, both operating systems and applications, but patching should be done regularly. Issued patches should be assessed on a continuing basis and applied as soon as it is practically possible to do so. Some software companies, for example Microsoft, issue patches on a monthly schedule on what has come to be known as “Patch Tuesday”. Other vendors may issue patches on a more irregular schedule.

As noted by Daniel Voldal in a 2003 SANS whitepaper (Voldal, 2003), patches should first be tested in a development environment before deployment, which becomes especially important when patching business or mission critical platforms. After testing, patches can be deployed to production environments. Enterprises should consider using automated tools when they are available to make patching easier. Some vendors, like Microsoft, supply patching tools with their systems, but third party applications can also be purchased for these purposes.

Implementing Vulnerability Scanning

One important measure to implement is a standard program of scanning servers and workstations for vulnerabilities. Once implemented, this action can alert administrators to vulnerabilities in platforms caused by operating system defects or configuration issues, while also providing logs that are required by certain federal and state regulations.

Bob Konigsberg, in a SANS whitepaper, provides a short list of the issues port scanning activity can detect on a network (Konigsberg, 2002), including:

• Detection of rogue applications (like Back Orifice)

• Alerts on unauthorized or misconfigured remote control systems like PCAnywhere

• Identification of all machines with active web servers

• Identification of open shares with weak or missing passwords

• Identification of machines with Simple Network Management Protocol (SNMP) capability, which may be used to illicitly map networks

• Identification of improperly configured private databases and webservers

• Identification of Internet Relay Chat or AOL Instant Messenger servers

• Identification of other types of malicious software (such as worms)

In addition, scanning can pick up suspicious activity, like FTP, that may be running on non-standard ports. Although not strictly concerned with malicious activity, scanning may also test the effectiveness of any patching activity on the systems in an enterprise, and so becomes an invaluable tool. Konigsberg recommends that scanning for general issues be conducted once a month on all subnets if possible and should include port scanning functions, both as a preventative and a detective control: preventative in that it works with server baselines to make system misuse harder, and detective because scanning can pick up suspicious activity occurring on a network.

Implementing Application Scanning

An adjunct to port scanning servers, and a separate activity, is scanning web applications for issues. A web application scanning program can perform black-box tests against a company's network to detect attack vectors like cross-site scripting, SQL injection, and other exploits based on compromising web servers. The same scan can also pick up outdated software and, depending on the product, may even recommend which patches or hotfixes should be applied.
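The SQL injection finding that such a black-box scan reports is easiest to understand with the vulnerable endpoint beside its hardened form. The following is an added example, not code from the report or from any scanner product; the table, the two login functions and the probe string are constructed for illustration. The scanner-style check submits the classic tautology probe to a login routine and reports the endpoint as injectable when the login succeeds without valid credentials, which is exactly the signal a web application scanner looks for; the parameterized version binds the same input as a value and the probe fails.

```python
import sqlite3

# Constructed in-memory users table standing in for a web application's backend.
# Passwords are stored in the clear only to keep the example short; a real store
# would hold salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse battery", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: user input is parsed as SQL."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Parameterized query: inputs are bound as values and never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# The tautology probe a black-box web application scanner typically submits in a
# form field; if the response shows a successful login, the scanner reports
# SQL injection for that endpoint.
PROBE = "' OR '1'='1"


def scanner_check(login_fn):
    """Return True when the probe logs in without valid credentials (endpoint is injectable)."""
    conn = make_db()
    return len(login_fn(conn, PROBE, PROBE)) > 0


def demo():
    """Rows returned for the probe against each endpoint, plus a legitimate login."""
    conn = make_db()
    return {
        "vulnerable_rows": login_vulnerable(conn, PROBE, PROBE),
        "hardened_rows": login_hardened(conn, PROBE, PROBE),
        "legitimate_rows": login_hardened(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    print("vulnerable endpoint injectable:", scanner_check(login_vulnerable))
    print("hardened endpoint injectable:", scanner_check(login_hardened))
```

In the vulnerable version the probe turns the WHERE clause into a condition that is true for every row, so both accounts come back; the hardened version returns nothing for the probe and still authenticates a real user. The fix the scanner report would recommend is the second form: parameterized queries everywhere user input reaches SQL.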

Standardization of Architecture and Platforms

Although not strictly a security measure, architectures and platforms should be standardized to the extent business needs allow, because standardization enhances security. Effective guidelines and procedures can be developed from policies for a limited number of machine types, and system administrators can also use their in-depth knowledge of the issues with their respective platforms or applications to develop company- or application-specific standards. Configurations for new machines can be standardized where possible, with unneeded or unsafe ports disabled by default. Rules can also be developed to govern the use of non-standard ports, which may help in detecting malware or other exploits in the initial machine builds. Another benefit is that when security bulletins are issued, they can be reviewed and evaluated more efficiently.
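The scanning section above describes scan results working "with server baselines" to flag suspicious services such as FTP on a non-standard port, and this section describes build standards that disable unneeded ports and set rules for non-standard ones. One block serves both: an added example, not code from the report or from any scanner, that compares constructed scan output against a constructed per-host build baseline and reports every deviation. The baseline, the prohibited-service list and the sample hosts are assumptions made for the example; the scan lines are constructed in the style of nmap's grepable (-oG) output, but the parser is this example's own.

```python
import re
from collections import namedtuple

# Expected open ports per standard build, keyed by hostname. Constructed for this
# example; a real baseline would come from the organization's build standards.
BASELINE = {
    "web01": {22, 80, 443},
    "db01": {22, 5432},
}

# Services the standard build never exposes, drawn from the report's list of things
# port scanning should flag (remote control tools, SNMP, chat servers, FTP).
PROHIBITED = {"pcanywhere", "snmp", "irc", "aim", "ftp"}

# Well-known port for each service, used to spot services moved to odd ports.
STANDARD_PORT = {"ftp": 21, "ssh": 22, "http": 80, "https": 443, "snmp": 161}

# Constructed scan results, formatted like nmap's grepable (-oG) output.
SCAN = """\
Host: 10.0.0.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 2121/open/tcp//ftp///
Host: 10.0.0.20 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 161/open/udp//snmp///
Host: 10.0.0.30 (ws07)\tPorts: 5631/open/tcp//pcanywhere-data///, 80/open/tcp//http///
"""

Finding = namedtuple("Finding", "host port proto service reasons")

HOST_RE = re.compile(r"Host: (\S+) \((\S*)\)\tPorts: (.*)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_scan(text):
    """Yield (host, port, proto, service) for every open port in grepable output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        host = name or ip                     # fall back to the IP if no hostname
        for port, state, proto, service in PORT_RE.findall(ports):
            if state == "open":
                yield host, int(port), proto, service.lower()


def compare(scan_text, baseline=BASELINE):
    """Return one Finding per open port that deviates from the build standard."""
    findings = []
    for host, port, proto, service in parse_scan(scan_text):
        reasons = []
        family = service.split("-")[0]        # "pcanywhere-data" -> "pcanywhere"
        if host not in baseline:
            reasons.append("host has no build baseline")
        elif port not in baseline[host]:
            reasons.append("port not in build baseline")
        if family in PROHIBITED:
            reasons.append("prohibited service")
        if family in STANDARD_PORT and STANDARD_PORT[family] != port:
            reasons.append("service on non-standard port")
        if reasons:
            findings.append(Finding(host, port, proto, service, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in compare(SCAN):
        print(f"{f.host}:{f.port}/{f.proto} ({f.service}): {', '.join(f.reasons)}")
```

Run monthly over every subnet, as Konigsberg recommends, the same comparison doubles as the detective control: a port that was closed by the build standard and is open today is a change worth a ticket, whatever is listening on it. A host that is not in the baseline at all is just as interesting, since it was never built to the standard.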

In organizations that develop applications, code and, to some extent, documentation can be shared and standardized using secure platforms such as StarTeam or Git, which can have positive impacts on the software development lifecycle by allowing bug tracking and faster patch/hotfix delivery.

Implementing Single Sign On

Another enhancement that is not strictly a security issue, but will simplify maintenance and other support activities, is single sign-on (SSO). This feature may reduce help desk support costs and enhance enterprise security. It can help secure servers and applications when users leave an organization and reduce the work needed during audits. An example, seen below, shows a centralized login portal currently in use at PepsiCo.

Figure 3, PepsiCo Identity Manager

This portal, like many SSO systems, allows a centralized login to request, modify and disable access to a user's account. By combining this with role-based access, an enterprise can easily audit which users belong to which groups, while using the group's attributes to determine which company assets or resources any particular user has access to. Of course, this also simplifies things for users, enabling a centralized console for synchronizing passwords across common systems (such as Active Directory, LDAP, web services or company-specific applications).
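The audit and offboarding benefits described here follow directly from the data model: users map to roles, roles map to resources, and a single disable flag at the centre cuts every path. The following is an added example, not code from the report and not PepsiCo's or any SSO product's implementation; the class, the role and resource names and the sample users are all constructed for illustration. It shows the two audit questions the section raises (which users belong to which groups, and who can reach a given resource) and what one central disable does to the answers.

```python
from collections import defaultdict


class AccessDirectory:
    """Central store of users, roles and the resources each role may reach.

    Constructed for this example; it models what the report describes, not any
    particular SSO product.
    """

    def __init__(self):
        self.role_resources = defaultdict(set)   # role -> resources it may reach
        self.user_roles = defaultdict(set)       # user -> roles held
        self.disabled = set()                    # users whose access is revoked

    def allow(self, role, *resources):
        self.role_resources[role].update(resources)

    def assign(self, user, *roles):
        for role in roles:
            if role not in self.role_resources:
                raise ValueError(f"unknown role {role!r}")
            self.user_roles[user].add(role)

    def disable(self, user):
        """One action at the central console: every downstream system denies the user."""
        self.disabled.add(user)

    def resources_for(self, user):
        if user in self.disabled:
            return set()
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_resources[r] for r in roles))

    def can_access(self, user, resource):
        return resource in self.resources_for(user)

    def who_can_access(self, resource):
        """Audit view: which active users currently reach a resource, sorted."""
        return sorted(u for u in self.user_roles if self.can_access(u, resource))

    def members(self):
        """Audit view: role -> sorted active members (disabled users drop out)."""
        out = defaultdict(list)
        for user, roles in self.user_roles.items():
            if user in self.disabled:
                continue
            for role in roles:
                out[role].append(user)
        return {role: sorted(users) for role, users in out.items()}


def build_demo():
    """Constructed directory with sample roles, resources and users."""
    d = AccessDirectory()
    d.allow("finance", "erp", "payroll-db", "intranet")
    d.allow("hr", "hr-portal", "intranet")
    d.allow("it-admin", "ad-console", "intranet")
    d.assign("alice", "finance")
    d.assign("bob", "it-admin")
    d.assign("carol", "hr", "finance")
    return d


if __name__ == "__main__":
    d = build_demo()
    print("payroll-db readers:", d.who_can_access("payroll-db"))
    print("group membership:", d.members())
    d.disable("carol")                      # the leaver is disabled once, centrally
    print("payroll-db readers after offboarding:", d.who_can_access("payroll-db"))
```

The point for audits is that both views are computed from one authoritative table, so the answer to "who can reach payroll-db" is the same as what the systems enforce; without central control, each application keeps its own list and the two drift apart, which is exactly where stale accounts of departed users survive.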


Conclusion

There is a wide variety of threats in today's information technology landscape that have the potential to breach the security of an organization's data. A systematic approach to assessing the assets, policies, and architecture of an organization is critical for security. The initial approach for organizations could be summed up as:

• Understand what should be protected. That is, make sure an organization's information assets are properly classified.
• Implement access controls appropriate to the organization's information. Make sure that only the access needed for job functions is provided.
• Apply appropriate encryption and data protection controls to data, including data at rest and in transit.
• Align the information governance policies with business strategies. This may be the most crucial, as it ensures that the information technology systems support the goals of the business.

After the initial foundation is created, different components of the security infrastructure can be added. These include:

• Network segmentation (where appropriate)
• Scanning (both port and application)
• A patching and threat assessment process
• Standardizing architecture and platforms
• Using single sign-on to manage user access
• Using enhanced (or next-generation) firewalls with active filtering to block inappropriate access

Of course there are many more components, but based on the breaches we covered, these should be considered priorities, especially when guarding against hacking.


References

74,000 Data Records Breached on Stolen Coca-Cola Laptops. (2014, January 27). Retrieved March 3, 2015, from http://www.infosecurity-magazine.com/news/74000-data-records-breached-on-stolen-coca-cola/

Ashford, W. (2015, January 23). US journalist jailed over Stratfor hacking. Retrieved February 23, 2015, from http://www.computerweekly.com/news/2240238715/US-journalist-jailed-over-Stratfor-hacking

Ashmore, D. (2012). The Java EE Architect's Blog. Retrieved April 8, 2015, from http://www.derekashmore.com/2012/01/benefits-of-standardized-application.html

Bennett, D. (2012, October 24). Credit card hackers strike at Barnes & Noble. The Wire. Retrieved February 12, 2015, from http://www.thewire.com/business/2012/10/credit-card-hackers-strike-barnes-noble/58285/

Brown, R. (2012, November 20). South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere. New York Times. Retrieved February 10, 2015, from http://www.nytimes.com/2012/11/21/us/more-details-of-south-carolina-hacking-episode.html

COBIT 4.1: Framework for IT Governance and Control. (2007, May 1). Retrieved April 8, 2015, from http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

Coca-Cola suffers data breach after employee 'borrows' 55 laptops. (2014, January 27). Retrieved March 3, 2015, from http://www.techworld.com/news/security/coca-cola-suffers-data-breach-after-employee-borrows-55-laptops-3499054/

Deltek Breach Raises Questions About Widespread Hacking. (2014, April 24). Retrieved March 3, 2015, from http://www.nextgov.com/cybersecurity/2014/04/deltek-breach-raises-questions-about-widespread-hacking/82867/

Deltek Suffers Data Breach, Hackers Gain Access to Credit Card Information. (2014, April 10). Retrieved March 3, 2015, from http://news.softpedia.com/news/Deltek-Suffers-Data-Breach-Hackers-Gain-Access-to-Credit-Card-Information-436861.shtml

Edwards, J. (2008, February 21). The Physical Side of IT Security. IT Security. Retrieved April 8, 2015, from http://www.itsecurity.com/features/physical-side-of-security/

FAQ about the Dept. of Revenue hack attack. (2012, October 25). Retrieved February 16, 2015, from http://www.carolinalive.com/news/story.aspx?id=820299#.VOqkFEIqYUU

Fraser, M. (2012). Hackers with a cause. Operational Risk & Regulation, 13(4), 18-21. Retrieved from http://search.proquest.com/docview/1023798978?accountid=7106

Chris Gaylord, I. E. (2012, July 13). LinkedIn, last.fm, now Yahoo? Don't ignore news of a password breach. The Christian Science Monitor. Retrieved from http://search.proquest.com/docview/1026559960?accountid=7106

Global Payments Inc Profile. (n.d.). Retrieved February 19, 2015, from http://markets.ft.com/research/Markets/Tearsheets/Business-profile?s=GPN:NYQ

Hempel, J. (2013, July 1). LinkedIn: How it's changing business. Fortune, 168, 68. Retrieved from http://search.proquest.com/docview/1425507773?accountid=7106

Home Depot Hit By Same Malware as Target. (2014, September 7). Retrieved March 3, 2015, from http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

Home Depot: Hackers Stole 53M Email Addresses. (2014, November 7). Retrieved March 3, 2015, from http://krebsonsecurity.com/2014/11/home-depot-hackers-stole-53m-email-addreses/

Information Classification Policy. (2005, January 1). Retrieved March 27, 2015, from http://www.iso27001security.com/ISO27k_Model_policy_on_information_classification.pdf

The Cost of a Lost Laptop. (2009, February). Retrieved April 11, 2015, from http://www.intel.com/content/dam/doc/white-paper/enterprise-security-the-cost-of-a-lost-laptop-paper.pdf

Introduction. (1992). Retrieved April 8, 2015, from http://csrc.nist.gov/groups/SNS/rbac/documents/Role_Based_Access_Control-1992.html

Konigsberg, B. (2002). Auditing Inside the Enterprise via Port Scanning & Related Tools. Retrieved April 8, 2015, from http://www.sans.org/reading-room/whitepapers/auditing/auditing-enterprise-port-scanning-related-tools-75

Korolov, M. (2012). Cyber security review. Treasury & Risk. Retrieved from http://search.proquest.com/docview/924487967?accountid=7106

Krebs, B. (2012, July 17). Spammers Target Dropbox Users. Retrieved February 15, 2015, from http://krebsonsecurity.com/2012/07/spammers-target-dropbox-users/

Krebs, B. (2012, May 17). Global Payments Breach Now Dates Back to Jan. 2011. Retrieved February 20, 2015, from http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/

London, W. (2014, August 4). P.F. Chang's: 33 restaurants affected in data breach. Retrieved March 3, 2015, from http://www.usatoday.com/story/money/business/2014/08/04/pfchang-credit-debit-card-data-breach/13567795/

Loy, S. L., Brown, S., & Tabibzadeh, K. (2014). South Carolina Department of Revenue: Mother of government dysfunction. Arden: Jordan Whitney Enterprises, Inc. Retrieved from http://search.proquest.com/docview/1647822379?accountid=7106

Messmer, E. (2012, July 26). Global Payments: Data Breach Cost a Whopping $84.4 Million. Retrieved February 20, 2015, from http://www.cio.com/article/2393717/cybercrime/global-payments--data-breach-cost-a-whopping--84-4-million.html

More than 300,000 records exposed in computer security attack at University of Maryland. (2014, February 19). Retrieved March 3, 2015, from http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html

Network Segmentation Key To Good Network Hygiene. (2014, June 16). Network Computing. Retrieved April 8, 2015, from http://www.networkcomputing.com/networking/network-segmentation-key-to-good-network-hygiene/a/d-id/1269687

Notice Template for Vermont Residents. (n.d.). Retrieved March 3, 2015, from http://ago.vermont.gov/assets/files/Consumer/Security_Breach/2014 04 07 Deltek ltrt Consumer re security breach.pdf

Palmer, M. (2012, February 28). WikiLeaks publishes hacked Stratfor emails. Financial Times. Retrieved from http://search.proquest.com/docview/923847926?accountid=7106

Park, L. (2014). Data Breach Trends. Retrieved April 8, 2015, from http://www.symantec.com/connect/blogs/data-breach-trends

Pepitone, J. (2012, April 3). 1.5 million card numbers at risk from hack. Retrieved February 22, 2015, from http://money.cnn.com/2012/04/02/technology/global-payments-breach/

Perlroth, N. (2011, December 25). Hackers Breach the Web Site of Stratfor Global Intelligence. Retrieved February 12, 2015, from http://www.nytimes.com/2011/12/26/technology/hackers-breach-the-web-site-of-stratfor-global-intelligence.html?_r=0

Perlroth, N. (2012, August 1). Dropbox Spam Attack Tied to Stolen Employee Password. New York Times. Retrieved February 10, 2015, from http://bits.blogs.nytimes.com/2012/08/01/dropbox-spam-attack-tied-to-stolen-employee-password/?_r=0

Porterfield, E. (2013, May 9). Washington State system hacked, data of thousands at risk. Retrieved March 3, 2015, from http://www.reuters.com/article/2013/05/09/us-usa-hack-washingtonstate-idUSBRE9480YY20130509

Server at Washington State Courts Office Hacked: Sensitive Data Exposed. (2013, May 10). SecurityWeek. Retrieved March 3, 2015, from http://www.securityweek.com/server-washington-state-courts-office-hacked-sensitive-data-exposed

SMART Objectives. (n.d.). Retrieved April 8, 2015, from http://learnmarketing.net/smart.htm

Scanning Web Applications for Vulnerabilities. (n.d.). Retrieved April 8, 2015, from http://www.mcafee.com/us/resources/solution-briefs/sb-scan-web-apps-vulnerabilities.pdf

Schwartz, M. J. (2012). Zappos breach: 8 lessons learned. InformationWeek Online. Retrieved from http://search.proquest.com/docview/916500950?accountid=7106

Schwartz, M. J. (2012). LinkedIn confirms password breach, phishing intensifies. InformationWeek Online. Retrieved from http://search.proquest.com/docview/1019086886?accountid=7106

Schmidt, M., & Perlroth, N. (2012, October 23). Hackers get credit data at Barnes and Noble. New York Times. Retrieved February 12, 2015, from http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html

Shalvey, K. (2012, June 6). LinkedIn confirms some user passwords were stolen. Investor's Business Daily. Retrieved from http://search.proquest.com/docview/1018759761?accountid=7106

St. Joseph Health System breach leaves thousands of records vulnerable. (2014, February 5). Retrieved March 3, 2015, from http://www.theeagle.com/news/local/st-joseph-health-system-breach-leaves-thousands-of-records-vulnerable/article_541d3f86-8a43-5913-af16-d7cd0b847c0a.html

St. Joseph Health notifies 33,000 of potential data breach. (2014, June 12). Retrieved March 3, 2015, from http://www.northbaybusinessjournal.com/93787/st-joseph-health-notifies-33000-of-potential-data-breach/

State Hacking/Computer Security Laws. (n.d.). Retrieved March 3, 2015, from http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws

Stratfor launches website after security breach. (2012, January 11). PR Newswire. Retrieved from http://search.proquest.com/docview/915079482?accountid=7106

Start Calculator | Databreach Calculator: Estimate Your Risk Exposure. (n.d.). Retrieved April 11, 2015, from http://www.databreachcalculator.com/GetStarted.aspx

Target Data Breach Spilled Info On As Many As 70 Million Customers. (2014, January 10). Retrieved March 3, 2015, from http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/

Team, T. (2012, April 3). Global Payments Data Breach Exposes Card Payments Vulnerability. Retrieved February 18, 2015, from http://www.forbes.com/sites/greatspeculations/2012/04/03/global-payments-data-breach-exposes-card-payments-vulnerability/

Texas Hospital Discloses Huge Breach. (2014, February 5). InformationWeek. Retrieved March 3, 2015, from http://www.informationweek.com/healthcare/security-and-privacy/texas-hospital-discloses-huge-breach-/d/d-id/1113724

Tsuruoka, D. (2012, April 3). Zappos breach a harbinger of more threats? Layered defense key; rising sophistication of professional hackers tests website security. Investor's Business Daily. Retrieved from http://search.proquest.com/docview/963544960?accountid=7106

UMD Data Breach. (n.d.). Retrieved March 3, 2015, from http://umd.edu/datasecurity/

Velotta, R. N. (2013, January 17). Zappos.com makes Fortune's list of best places to work. McClatchy-Tribune Business News. Retrieved from http://search.proquest.com/docview/1270467604?accountid=7106

Vogel, D. (2013, May 29). How to successfully implement the principle of least privilege. Retrieved April 8, 2015, from http://www.techrepublic.com/blog/it-security/how-to-successfully-implement-the-principle-of-least-privilege/

Voldal, D. (2003). A Practical Methodology for Implementing a Patch Management Process. Retrieved April 8, 2015, from http://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206

Washington State Courts Hacked: 160,000 Social Security Numbers Potentially Accessed. (2013, May 10). Retrieved March 3, 2015, from http://www.forbes.com/sites/kellyclay/2013/05/10/washington-state-courts-hacked-160000-social-security-numbers-potentially-accessed/

Wahba, P., & Katz, B. (2012, October 24). Barnes & Noble says thieves tampered with PIN pads. Retrieved February 16, 2015, from http://www.reuters.com/article/2012/10/24/us-barnesnoble-breach-idUSBRE89N05L20121024

Woo, S., & Worthen, B. (2012, January 17). Lessons from Zappos attack. Wall Street Journal (Online). Retrieved from http://search.proquest.com/docview/916417847?accountid=7106