UNIVERSITY OF DALLAS
Final Case Analysis Final Report for Operational Cyber Security
James Konderla & John Sand
4/15/2015
This is a final report for Dr. Sandra Blanke’s CYBS 7350: Operational CyberSecurity class in the spring of 2015 at the University of Dallas’ Satish and Yasmin Gupta College of Business. This report is an analysis of 16 cases which were previously analyzed as a midterm project by James Konderla and John Sand.
Final Case Analysis
Table of Contents
Executive Summary
Part 1: Categorization of Breaches
Part 2: Controls and Risk Management
    Classification of Data
    Impact of Data Exposure
    Data Encryption and Protection
    Access Controls
    Risk Management Framework and IT Governance
Part 3: Recommendations by Breach Category
    Breaches from Hacking
        Network Segmentation
        Patching Servers and Workstations
        Implementing Vulnerability Scanning
        Implementing Application Scanning
        Standardization of Architecture and Platforms
        Implementing Single Sign On
Conclusion
Bibliography
Executive Summary
This paper will review selected security breaches and incidents between 2012 and 2014. The
known details regarding the causes of these breaches were reviewed in earlier papers and will be briefly
noted here. The purpose of this paper is to explore different strategies and controls that would have
mitigated or stopped the incidents covered.
There are many attack vectors and methods available to hackers attempting to breach the
defenses of an organization. To add to the problem, not only are there countless old ways to illicitly
break systems, but new methods and techniques are constantly being tested and developed.
Businesses and organizations are trying to ensure the confidentiality, integrity, and availability of their
computing and data assets. To have any chance of achieving this objective, a disciplined systematic
approach is essential. We will attempt to walk through the steps involved in recognizing what should be
protected, adopting a framework for protection and the different specific strategies and measures that
can be taken to lower risk. To begin, there will be a review of 16 breaches and although the breaches
discussed fall into only three types, the mitigations reviewed in the paper will have applicability to a
wide range of problems.
The first step in protecting assets is to understand what is important: data. Classification
methods and strategies will be reviewed and encryption strategies for different platforms and locations
will be explored as well as approaches for determining who can access data and how the access will be
granted and maintained. The section will end with a brief review of a risk management framework and
overall IT governance strategy, coupled with the physical protection of assets.
The last section will review some specific measures and actions that can deter, prevent, or
lessen the impact of a breach. The focus of this section will be on attacks by hacking as most of the 16
losses in this paper were caused by different hacks. Finally the conclusion will give a brief summary of
the lessons learned in the exercise and opinions on some of the best approaches.
Part 1: Categorization of Breaches
In understanding the issues it may be handy to classify data breaches by the type of breach. One
such methodology is proposed by the Privacy Rights Clearinghouse. That organization divides the types
of data disclosure into seven broad categories. The categories are:
1. Unintended disclosure - Data is accidentally released by the controlling entity
2. Hacking or Malware - A flaw in the entity’s information technology architecture allows
unauthorized access.
3. Payment card fraud - Payment card fraud that is not from a hacking or malware exploit.
4. Insider- Data is stolen by someone with access from inside the organization.
5. Physical loss - The loss or mishandling of non-electronic records.
6. Portable device - Data lost or stolen from portable devices like laptops or smart phones.
7. Stationary device - A stolen or mishandled stationary device such as a server.
This section will examine the sixteen breaches and the type of breach and data that was
disclosed. A summary of the data can be found in the table below.
Based on the classification of the Privacy Rights Clearinghouse, of the sixteen companies
studied, twelve were the victims of some type of hack or failure of the computer system. One company,
Coca Cola, was the victim of the physical theft of computing assets, two were targets of payment card
exploits, and one was breached by an unknown method.
As for the types of data compromised, five companies lost PCI data. Some loss occurred because
the information was not properly stored in a secure manner (as in the case of Stratfor) or in other
instances, the attackers managed to siphon off the information by inserting themselves into the
communications stream. Financial and personal data was obtained in seven of the attacks. Passwords
and/or email addresses were targeted in three of the exploits, presumably because they were the only
thing that could be stolen.
Presumably, most of the attacks occurred with the motive of financial gain and resulted in the
credit card information and even files containing password hashes being put up for sale. The attack on
Stratfor is one that appears to have been motivated by ideology, making it unique on our list.
Part 2: Controls and Risk Management
As can be seen by the initial case analyses and the numerous articles on these specific breaches,
it is no simple matter to contain a breach once it has occurred. In fact, the cost of a breach both
financially and socially is so much that the only pertinent action is to mitigate the threat to a company’s
infrastructure as much as possible. In order to mitigate that threat, though, there are several steps that
must first be performed:
1.) Classify the company’s data
2.) Using the data classification scheme, identify the Financial impact for each category of data in
the event of a breach
3.) Encrypt Data based on the Data Classification Scheme
4.) Implement Access Controls based on the Least Privileged Principle
5.) Implement a Risk Management Framework based on Industry Best Practices
In this section of our paper we will focus on all of the above steps before moving on, in Part 3,
to identifying specific controls to implement for each breach category.
Classification of Data
After looking at several data classification standards we have determined that the best data
classification policy that fits these 16 companies is the ISO/IEC 27001:2005 A.7.2.1 Information
Classification Policy (ISO, 2005). This policy separates data into 4 categories and provides descriptions
and examples of the type of data that may be included in a particular category. The figure below
demonstrates the classification levels as well as a description of each.
Figure 1, ISO/IEC 27001 Data Classification Policy
As can be seen from the figure above, this data classification policy provides a baseline for
most publicly traded or privately owned companies, but it is just that: a baseline. With that said, we
found that the classification can be used as supplied to provide an initial classification of almost all
company data.
Impact of Data Exposure
Now that we have classified a company’s data, we can move on to determining the financial
impact of each category’s exposure or theft in the event of a breach. As each company and breach is
different, it is almost impossible to quantify an exact dollar amount associated with each data
classification level, but it is a simple matter to define the risk level of each. With that in mind, the
following basic risk levels have been identified and can be matched to most breaches:
• Low Risk – This level applies to data that, when exposed, provides a low risk to the affected
individuals. Examples include the exposure of product brochures or archived financial
reports that were previously made publicly available. The monetary amount associated with
this risk is relatively negligible.
• Medium Risk – This level applies to data that, when exposed, could be dangerous to the
affected parties, either as a future attack vector or by providing a risk to company
assets/personnel. Examples include passwords and corporate security procedures,
organizational data such as salary or organizational chart data or basic product information
that has not yet been publicly published. The monetary amount associated with this risk can
be moderate to severe depending on the impacted data and may include federal, state or
civil and criminal penalties.
• High Risk – This level applies to data that, when exposed, not only could be dangerous to
affected parties but could place the company at risk of large monetary fines, legal
retribution, or loss of market position. Examples include leaked trade secrets, client
proposals on current or future contracts or accounting and financial data that has not been
publicly released. The monetary impact associated with this risk is usually severe and can
result in loss of business, civil and criminal penalties, federal and state fines and/or a
combination of many other punishments.
These risk levels, though, apply to both the customer and the company itself. To account for
both it is necessary to assess the risk of each separately, which we have done in the following chart.

Information Category       | Company Risk Level | Customer Risk Level
Unclassified Public Data   | Low                | Low
Proprietary Data           | Medium             | Medium
Client Confidential Data   | High               | Low
Company Confidential Data  | High               | High
Table 1, Risk level by Category and Affected Party

As can be seen from Table 1, the risk levels for the company and the customer can differ greatly,
and are the same only for proprietary and company confidential data, the categories that can affect
the company’s market standing or expose the customer to an unnecessary level of risk, financial or
otherwise.
Data Encryption and Protection
Classification of Data is the key to securing many systems, especially those of High impact to the
company and the customer. It is important to note, though, that classifying data itself does not help in
the securing of data but can, instead, act as a guide for which data to secure. Some may argue that all
data a company houses must be secure and, to a degree, they are correct; in the real corporate world,
though, things cost money and only data at the highest risk levels may be seriously considered in a
company’s security plans.
Depending on the type of data housed, a company may even be forced to secure data according
to certain guidelines. In fact, several standards such as HIPAA and PCI require that payment card and
health information, as well as personally identifiable information, be encrypted so that, even after
exposure, the data is hard or even impossible to decipher. Recent events, such as the
Coca Cola Data Breach (Coca Cola, 2014), show that even a single machine can be compromised off-
premise and its data stolen. For this paper, though, we would like to focus on both situations and provide a 2-
pronged method of protecting data that is already in use by many Fortune 50 companies today:
1.) Encryption of High-Risk Databases and Systems – Using an industry standard algorithm it is
highly recommended that, in addition to data that is legally required to be encrypted, all data
that has a high level of risk to the business and/or the customer should be encrypted at its
source. In addition, systems that store such data are recommended to be encrypted with a
software-based encryption software such as McAfee or Symantec’s corporate encryption
offerings.
2.) Encryption of all Mobile Systems – Once a system leaves a facility it becomes impossible to
properly secure its data. In fact, this becomes the easiest type of theft because of the quick
turnaround: stealing the system becomes the hardest part but cloning a hard drive and dumping
the system can be done in as little as an hour (depending on drive size). In fact, according to a
Symantec article (Symantec, 2014) data theft accounts for 80% of the cost for a stolen machine
with the average total cost being over $49,000. By encrypting a system with software or
hardware-based encryption a company can save hundreds of thousands of dollars a year by
making the data almost unreadable in the event of a theft, with some software even offering a
“remote wipe” capability.
Used together, these two data encryption methods protect corporate data, reducing not only
the number of thefts (by discouraging thieves) but also the impact of a theft, by obscuring the data and
making it practically useless to the thief. Of course we only recommend this for high risk systems, as
any type of encryption comes with a slight performance hit (though in most cases this is negligible).
Access Controls
Now that we have classified the data and the impact of each classification’s exposure, we can
focus on one of the most important areas of controls and risk management: Access Controls. There are
many access control schemes but the most applicable to all companies in this report is the Role Based
Access Control, or RBAC. RBAC uses an individual’s role in the organization to determine the access level
needed for an individual to complete their job while also ensuring that each individual is granted only
the access needed for their roles and nothing else. This eliminates individuals using their access on
systems that are not required for their job and roles within the company by enforcing the “least
privileged” principle. In a recent article (TechRepublic, 2013), Dominic Vogel listed three basic steps for
implementing the least privilege principle, the second of which was to use role based access methods.
According to the National Institute of Standards and Technology (NIST, 1992) there are three rules each
role must satisfy. Though the article has aged, these rules still hold true:
1. Role Assignment – a user can only execute a transaction/query if the user has been assigned a
role, not counting the initial identification and authentication process.
2. Role Authorization – a user’s active role/ID must be authorized for the transaction/query they
are attempting to make.
3. Transaction Authorization – a user can execute a transaction/query only if the
transaction/query is authorized for the user’s current role.
This framework provides a three-pronged approach to delivering Role Based Access Controls: a user
must have a role and they can only access the roles they are authorized for but are further only able to
use the transactions that their role is authorized for. This approach eliminates the need for granting
specific users access and instead focuses on lumping access into a role and assigning users to roles,
making both user management and access management easier to manage and more robust. By
combining RBAC with the principle of Least Privilege we can enforce a separation of duties easier as
well, applying group or role-based access according to the user’s Job and/or department in the company
WITHOUT giving the user access to tools their subordinates or colleagues in other departments may
have, as the user’s current job does not require such access.
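The three NIST rules above, combined with the separation of duties this paragraph describes, can be expressed directly in code. The following checker is an added illustration written for this report and is not code from the report, from NIST or from any product; the roles, users and accounts-payable transactions are constructed sample data, and the separation-of-duties constraint (a pair of roles no single person may hold) is an assumption added to show how least privilege is enforced at assignment time rather than at access time.

```python
"""Role-based access control checker following the three NIST (1992) rules cited
in the report, with a static separation-of-duties constraint added for the
least-privilege discussion. Added illustration: not code from the report or
from NIST. Roles, users and transactions are constructed sample data."""

from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    # role -> transactions that role is authorized to execute (rule 3 data)
    role_transactions: dict = field(default_factory=dict)
    # user -> roles assigned to that user (rule 1 data)
    user_roles: dict = field(default_factory=dict)
    # user -> the role the user has currently activated (rule 2 data)
    active_role: dict = field(default_factory=dict)
    # pairs of roles one person may never hold together (separation of duties)
    exclusive_roles: set = field(default_factory=set)

    def define_role(self, role, transactions):
        self.role_transactions[role] = set(transactions)

    def assign_role(self, user, role):
        """Assign a role; refuse if it conflicts with a role the user already holds."""
        if role not in self.role_transactions:
            raise ValueError(f"unknown role {role!r}")
        for held in self.user_roles.get(user, set()):
            if frozenset((held, role)) in self.exclusive_roles:
                raise ValueError(f"{role!r} conflicts with {held!r} for {user!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def activate_role(self, user, role):
        """Rule 2: a user may only activate a role they have been assigned."""
        if role in self.user_roles.get(user, set()):
            self.active_role[user] = role
            return True
        return False

    def check(self, user, transaction):
        """Return (allowed, reason) for a transaction attempted by an authenticated user."""
        # Rule 1 (role assignment): authentication alone grants nothing.
        if not self.user_roles.get(user):
            return False, "rule 1: user has no assigned role"
        role = self.active_role.get(user)
        # Rule 2 (role authorization): the active role must be one the user holds.
        if role is None or role not in self.user_roles[user]:
            return False, "rule 2: no authorized active role"
        # Rule 3 (transaction authorization): the transaction must be permitted for the active role.
        if transaction not in self.role_transactions[role]:
            return False, f"rule 3: {transaction!r} not authorized for role {role!r}"
        return True, "allowed"


def build_sample_policy():
    """Constructed accounts-payable example: clerks create invoices, managers approve
    payments, and nobody may hold both roles (separation of duties)."""
    p = RbacPolicy()
    p.define_role("ap_clerk", ["create_invoice", "view_invoice"])
    p.define_role("ap_manager", ["view_invoice", "approve_payment"])
    p.exclusive_roles.add(frozenset(("ap_clerk", "ap_manager")))
    p.assign_role("alice", "ap_clerk")
    p.assign_role("bob", "ap_manager")
    # carol has authenticated but has no role assigned at all
    return p


def demo():
    """Exercise each rule once and return the outcomes."""
    p = build_sample_policy()
    results = {}
    results["carol_create"] = p.check("carol", "create_invoice")[0]            # False (rule 1)
    results["alice_activate_manager"] = p.activate_role("alice", "ap_manager")  # False (rule 2)
    p.activate_role("alice", "ap_clerk")
    results["alice_create"] = p.check("alice", "create_invoice")[0]            # True
    results["alice_approve"] = p.check("alice", "approve_payment")[0]          # False (rule 3)
    try:
        p.assign_role("alice", "ap_manager")
        results["sod_enforced"] = False
    except ValueError:
        results["sod_enforced"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the separation-of-duties check runs in assign_role, so the conflicting combination can never exist for later access decisions to get wrong; this is the "only the access needed for their roles and nothing else" property enforced where roles are granted rather than where they are used.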
Risk Management Framework and IT Governance
The last topic of discussion for this part of the paper is often overlooked but can mean the
difference between stopping a threat as it happens and discovering a threat after the fact: the risk
management framework. Many companies have IT departments that are very adept at handling risks,
but without declaring a formal risk management framework a company risks mishandling incidents
due to a lack of uniformity in the handling of different kinds of risks. Additionally, such a company
is not only unable to fully utilize best practices and industry standards but also runs the risk of being
unable to declare to stakeholders and/or shareholders that IT Governance has been fully utilized in the
course of both everyday procedures and incident investigations. In the course of
our studies we have come to realize that there is one framework that stands above the rest for general
usage but can also be applied to specific usages: the Cobit Framework (ISACA, 2012).
Figure 2, The Cobit Framework
As can be seen above, the Cobit framework has IT Governance at its core, giving company
executives a clear picture of the 5 areas they need to focus on in order to properly govern both the IT
organization and risks. The best approach for using and understanding the Cobit framework is to start
with strategic alignment and follow the illustration clockwise. That being said, first a company must
ensure strategic alignment, focusing on linking business and IT plans to ensure that not only is the value
proposition of IT validated but that IT operations are aligned fully with the business. Next IT specifically
must focus on value delivery, ensuring that promised services are delivered in a cost effective manner
while also optimizing the costs of IT operations. The third focus area for the Cobit framework is resource
management, which not only focuses on managing current resources, including applications,
information, infrastructure and people, but also on optimizing these resources to ensure that they are
properly utilized.
Once IT and the company are strategically aligned with a focus on value delivery and risk
management, the company can then move on to risk management. This should be handled at the
highest levels and cascade down to ensure compliance and understanding but this process must also
flow in reverse: transparency about risks at all levels of the enterprise should be seen and understood by
everyone. Once all of these areas have been properly addressed, the company can then move on to
performance measurement, ensuring that the risk management framework has been properly
implemented by tracking and monitoring project completion, resource usage, process performance and
service delivery. One example of monitoring this performance is the use of actionable and achievable
goals through the use of SMART objectives (Learn Marketing, 2015). By combining these five areas with
IT Governance a company can effectively manage risks at every level of the organization while remaining
transparent to shareholders and their employees as well.
Physical Security
Physical Security is the last focus of this part in our paper and is often overlooked in many
enterprises. Physical security not only pertains to the physical securing of a company’s facility, but to a
company’s resources and personnel as well. As a 2008 article states: ‘many businesses have confidently
installed a full complement of data-security measures only to have a thief walk through the door and
steal the server’ (ITSecurity.com, 2008). This statement holds true for every company and especially for
some of those covered in this paper. Even inside a facility a disgruntled employee can steal staplers,
flash drives, or even laptops and may go unnoticed due to a lack of security controls. There are several
basic steps that can be taken to fully secure IT resources:
• Use Rack-Mounted equipment: Using rack mounted equipment not only saves space but allows
IT personnel to easily secure and centralize equipment.
• Lock down portable devices: Lock USB drives away and, depending on the device, use key locks
(such as the Kensington lock) to lock down equipment where possible.
• Close off open ports: Especially in lobbies and unsecured areas, LAN drops and wireless access
should always be restricted. Where internet usage is needed, these ports should be segregated
from the rest of the network using a different subnet, without LAN traversal to the main
network being allowed.
• Secure workstations: Workstations and non-portable equipment, especially in public or
reception areas, should be locked down physically as well as being segregated from critical
infrastructure where possible.
• Lock down printers: Printers are often overlooked but can be the entry point for a breach of an
otherwise well-secured network. Printer LAN ports are often assumed to be safe (the reasoning being:
who would want to wire their laptop into a printer port?) but the exact opposite is true. Printer ports
should be restricted to printers only and should be on a separate network that identifies devices
(printers, laptops, etc.) and responds to traffic requests accordingly.
• Surveillance Equipment: Most companies have surveillance equipment but it is not always
monitored 24/7. There should always be monitoring of this equipment, especially at exit,
entrance, dock and any other doors or areas that can lead to external facility access.
• Lock Down Workstations: Many employees leave their desks for only a moment to get coffee,
chat with coworkers, pick up printouts or have a quick meeting but leave their workstations
unlocked. Through methods such as group policy a workstation can be forced to lock itself after
a certain amount of time, keeping an attacker from using another employee’s credentials to
access resources they are not authorized for.
• Lock Doors: Many offices have locks and many organizations secure their entrance and exit
ways but these same organizations often leave office doors unlocked. All employees with door
locks should lock their doors to ensure that the contents of their office are both secure and
inaccessible to any attackers.
• Equipment Management Logs: Where servers and systems have access logs, so too should
equipment rooms and storage cabinets. Every employee should sign in/out any resources they
have taken from an equipment room in order to provide tracking and enforcement of
equipment usage policies.
Of course there are many more physical security procedures that can be followed, but at a minimum
all of the above physical security policies should be put into place, in addition to a corporation’s current
physical security policies, to ensure that resources are securely and effectively accessed while minimizing
possible attack vectors.
Part 3: Recommended Security Components
Of the sixteen cases presented in this study twelve were perpetrated by some form of a system
hack. There is no one type of exploit that is easily corrected by controls and the recommendations for
these issues encompass a wide range of actions. We have identified the following 6 actions that can
mitigate these risks and should be recommended for all companies, whether covered in this analysis or
not:
• Network Segmentation
• Patching Servers and Workstations
• Implementing a Vulnerability Scanner
• Implementing Application Scanning
• Standardization of Architectures and Platforms
• Implementation of Single-Sign-On (SSO)
In the following sections we will cover each of these recommendations in-depth.
Network Segmentation
One of the first decisions to make for enhancing security is the practicality or desirability of
segmenting networks into functional areas. For some smaller companies this action may not be practical
because of administrative or size issues. For large businesses network segregation is an extremely
powerful preventive control.
The type of segmentation and the extent will depend on the nature of a business. One
approach, recommended by Reuven Harrison in an article in Network Computing (2014) suggests using
business drivers to think of network zones based on compliance mandates like the Payment Card
Industry Data Security Standard, along with other business or industry mandates (Harrison, 2014). For
example, telecommunications companies often have control networks separate from the networks that
handle customer traffic. One network controls the routes and switches that handle customer
communications while a separate network controls the actual equipment handling the customer traffic.
Access to each network is separated and controlled by different groups. A large law firm or investment
bank might need to separate networks based on the type of clients served, so that the chance of a
conflict of interest arising from improper access to client data is minimized.
If a company’s infrastructure is breached, network segmentation should make it much more
difficult for any attacker to get unfettered access to resources across an enterprise. For example, one
criticism levelled at Target was that their networks were improperly segregated. Jaikumar Vijayan,
writing in Computerworld, noted that the real damage was done because Target’s network had no
proper segmentation (Vijayan, 2014).
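The zoning approach described in this section (business-driven zones, default deny between zones, explicit allow rules) can be checked mechanically before a rule-base change goes live. The script below is an added example written for this report, not code from the report, from the Harrison article or from any firewall product; the zone names, address ranges and allow rules are constructed sample data. Beyond the single-flow check, it lists every path into a given zone and computes which zones are reachable by chaining allowed flows, which is how a reviewer spots the kind of indirect vendor-to-cardholder path that the Target criticism describes.

```python
"""Zone-based segmentation policy checker. Added illustration, not code from the
report: it models default-deny, explicit-allow zoning and reviews candidate flows
against it. Zone names, address ranges and rules are constructed sample data."""

import ipaddress

# Constructed zones: each zone is a list of CIDR ranges.
ZONES = {
    "cardholder": ["10.10.0.0/16"],   # POS terminals and payment servers (PCI DSS scope)
    "corp":       ["10.20.0.0/16"],   # general office workstations
    "vendor":     ["10.30.0.0/24"],   # third-party access (facilities, HVAC, billing)
    "mgmt":       ["10.40.0.0/24"],   # jump hosts and monitoring
}

# Constructed allow rules: (src_zone, dst_zone, protocol, port). Anything not listed is denied.
ALLOW_RULES = [
    ("mgmt", "cardholder", "tcp", 22),    # administration from the jump host only
    ("mgmt", "corp", "tcp", 22),
    ("mgmt", "vendor", "tcp", 22),
    ("corp", "cardholder", "tcp", 443),   # back-office reporting API
    ("vendor", "corp", "tcp", 443),       # vendor billing portal lives in corp
]


def zone_of(ip):
    """Return the zone containing ip, or None if it belongs to no defined zone."""
    addr = ipaddress.ip_address(ip)
    for zone, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return zone
    return None


def is_allowed(src_ip, dst_ip, proto, port, rules=ALLOW_RULES):
    """Default-deny check: traffic within a zone is allowed, across zones only by explicit rule."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False                  # unknown address space is never trusted
    if src == dst:
        return True
    return (src, dst, proto, port) in set(rules)


def paths_into(zone, rules=ALLOW_RULES):
    """Every (src_zone, proto, port) that may enter zone: the list a reviewer of the
    cardholder environment should read on every rule-base change."""
    return sorted((s, pr, po) for s, d, pr, po in rules if d == zone)


def reachable_zones(start, rules=ALLOW_RULES):
    """Zones reachable from start by chaining allowed flows (multi-hop exposure)."""
    seen, frontier = {start}, [start]
    while frontier:
        z = frontier.pop()
        for s, d, _, _ in rules:
            if s == z and d not in seen:
                seen.add(d)
                frontier.append(d)
    return seen - {start}


if __name__ == "__main__":
    print("vendor -> POS SMB allowed?", is_allowed("10.30.0.5", "10.10.0.9", "tcp", 445))
    print("paths into cardholder:", paths_into("cardholder"))
    print("zones reachable from vendor:", reachable_zones("vendor"))
```

In this sample the direct vendor-to-cardholder flow is denied, yet reachable_zones("vendor") still returns both corp and cardholder, because the vendor portal sits in corp and corp is allowed a reporting path into the cardholder zone. That transitive reach is the finding a segmentation review is meant to surface; the fix is to place the vendor-facing service in its own zone or to remove the corp-to-cardholder rule, not to add more rules.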
Patching Servers and Workstations
An important part of preventative control measures is to have scheduled patching implemented
for any server or workstation in an enterprise. The schedules will depend on the types of software used
by operating systems and applications but should be done regularly. Issued patches should be assessed
on a continuing basis and applied as soon as it is practically possible to do so. Some software companies,
for example Microsoft, issue patches on a monthly schedule on what has come to be known as “patch
Tuesday”. Other vendors may issue patches on a more irregular schedule.
As noted in by Daniel Voldal in a 2003 SANS Whitepaper (Voldal, 2003), patches should first be
tested in a development environment before deployment, which becomes especially important when
patching business or mission critical platforms. After testing, patches can be deployed to production
environments. Enterprises should consider using automated tools when they are available to make
patching easier. Some vendors, like Microsoft, supply patching tools with their systems, but third party
applications can also be purchased for these purposes.
Implementing Vulnerability Scanning
One important measure to implement is to have a standard program of scanning servers and
workstations for vulnerabilities. Once implemented, this action can alert administrators to
vulnerabilities in platform caused by operating system defects or configuration issues while also
providing logs that are required by certain federal and state regulations.
Bob Konigsberg, in a SANS whitepaper, provides a short list of the issues port scanning activity
can detect on a network (Konigsberg, 2002) including:
• Detection of rogue applications (like Back Orifice)
• Alerts on unauthorized or misconfigured remote control systems like PCAnywhere
• Identification of all machines with active web servers
• Identification of open shares with weak or missing passwords
• Identification of machines with Simple Network Management Protocol (SNMP) capability which
may be used to illicitly map networks
• Identification of improperly configured private databases and webservers
• Identification of Internet Relay Chat or AOL Instant Messenger servers
• Identification of other types of malicious software (such as worms)
In addition, scanning can pick up suspicious activity, like FTP, that may be running on non-standard
ports. Although not strictly concerned with malicious activity, scanning may also test the efficiency of
any patching activity on the systems in an enterprise and becomes an invaluable tool. Konigsberg
recommends that scanning for general issues be conducted once a month on all subnets if possible and
should include port scanning functions, both as a preventative and detective control: preventative in
that it functions with server baselines to make system misuse harder, and detective because scanning
can pick up suspicious activity occurring on a network.
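The detective use of scanning described here, comparing results against server baselines and flagging the kinds of findings in the Konigsberg list, is a small triage step that can be automated. The following is an added example written for this report and is not code from the report or from the Konigsberg paper; the scan results, the per-host baseline and the service and port tables are constructed sample data, and the port numbers are only the conventional defaults for the named services. It goes slightly beyond the text by also reporting expected services that have disappeared, since a missing service is as much baseline drift as an unexpected one.

```python
"""Triage of port-scan results against a service baseline. Added illustration,
not code from the report or from the Konigsberg paper. Scan results, baseline
and lookup tables are constructed sample data."""

# Constructed scan output: (host, port, protocol, service as identified by the scanner)
SCAN = [
    ("10.20.0.11", 80, "tcp", "http"),
    ("10.20.0.11", 443, "tcp", "https"),
    ("10.20.0.11", 22, "tcp", "ssh"),
    ("10.20.0.12", 2121, "tcp", "ftp"),        # FTP on a non-standard port
    ("10.20.0.12", 161, "udp", "snmp"),
    ("10.20.0.13", 5631, "tcp", "pcanywhere"),
    ("10.20.0.13", 6667, "tcp", "irc"),
    ("10.20.0.14", 8080, "tcp", "http"),
    ("10.20.0.14", 445, "tcp", "microsoft-ds"),
]

# Constructed baseline: the (port, protocol) pairs each host is expected to expose.
BASELINE = {
    "10.20.0.11": {(80, "tcp"), (443, "tcp"), (22, "tcp")},
    "10.20.0.12": {(22, "tcp")},
    "10.20.0.13": {(22, "tcp")},
    "10.20.0.14": {(8080, "tcp"), (445, "tcp")},
}

# Conventional ports per service; a service seen elsewhere is worth a look.
STANDARD_PORTS = {"ftp": {21}, "ssh": {22}, "http": {80, 8080}, "https": {443}, "telnet": {23}}

# Services from the Konigsberg list that should not appear unannounced.
WATCHLIST = {
    "pcanywhere": "remote-control tool",
    "irc": "IRC server",
    "aim": "instant messaging server",
    "snmp": "SNMP exposed (network mapping risk)",
}


def triage(scan=SCAN, baseline=BASELINE):
    """Return a dict of finding category -> list of (host, port, proto, detail)."""
    findings = {"watchlist": [], "nonstandard_port": [], "web_servers": [], "baseline_drift": []}
    for host, port, proto, service in scan:
        if service in WATCHLIST:
            findings["watchlist"].append((host, port, proto, WATCHLIST[service]))
        if service in STANDARD_PORTS and port not in STANDARD_PORTS[service]:
            findings["nonstandard_port"].append((host, port, proto, f"{service} on unexpected port"))
        if service in ("http", "https"):
            findings["web_servers"].append((host, port, proto, service))
        if (port, proto) not in baseline.get(host, set()):
            findings["baseline_drift"].append((host, port, proto, f"{service} not in baseline"))
    # Expected services that the scan did not see: also drift, and often a sign of a
    # host that was rebuilt or replaced outside the change process.
    seen = {(h, p, pr) for h, p, pr, _ in scan}
    findings["baseline_missing"] = sorted(
        (h, p, pr, "expected service not seen")
        for h, ports in baseline.items() for p, pr in ports if (h, p, pr) not in seen
    )
    return findings


def summary(findings):
    """Counts per category, the figure a monthly scan report would track over time."""
    return {category: len(items) for category, items in findings.items()}


if __name__ == "__main__":
    result = triage()
    for category, items in result.items():
        print(category, summary(result)[category])
        for item in items:
            print("   ", item)
```

The web_servers category is an inventory rather than an alarm: the text lists "identification of all machines with active web servers" as a scanning benefit because every such machine is in scope for the application scanning described in the next section.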
Implementing Application Scanning
An adjunct to port scanning servers and a separate activity is scanning web applications for
issues. A web application scanning program can perform black box tests against a company’s network to
detect attack vectors like cross site scripting, SQL injection, and other exploits based on compromising
web servers. This same scan can also pick up outdated software and, depending on the software, may
even recommend which patches or hotfixes should be applied.
Standardization of Architecture and Platforms
Although not strictly a security measure, architectures and platforms should be standardized to
the extent possible based on business needs, to enable enhanced security. Effective guidelines and
procedures can be developed from policies for a limited number of machine types, and system administrators
can also use their in-depth knowledge of the issues with their respective platforms or applications to
develop company or application-specific standards. Configurations for new machines can be
standardized where possible and unneeded or unsafe ports disabled by default. Rules can also be
developed to govern the use of non-standard ports in systems, which may help in the detection of
malware or other exploits in the initial machine builds. Another benefit is that when security bulletins are
issued, they may be reviewed and evaluated more efficiently.
In organizations that develop applications, code sharing, and to some extent documentation, can
become shared and standardized using secure platforms such as StarTeam or Git, which can have
positive impacts on the Software Development Lifecycle by allowing bug tracking and faster patch/hotfix
delivery.
Implementing Single Sign On
Another enhancement that is not strictly a security issue but will simplify maintenance and other
support activities is to implement single sign on (SSO). This feature may be able to reduce help desk support
costs and enhance enterprise security. It can help secure servers and applications when users leave an
organization and reduce the work needed during audits. An example, seen below, shows a centralized
login portal that is currently in use at PepsiCo.
Figure 3, PepsiCo Identity Manager
This portal, like many SSO systems, provides a centralized login from which access to a user's
account can be requested, modified and disabled. By combining this with Role-Based Access Control, an
enterprise can easily audit which users belong to which groups, while the group's attributes determine
which company assets or resources any particular user can access. This also simplifies things for users,
who get a single console for synchronizing passwords across common systems (such as Active Directory,
LDAP, web services or company-specific applications).
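The audit and offboarding benefits described above follow directly from the data model: entitlements hang off groups, users hang off groups, and a single disable action at the portal cuts every path. The following added example models that structure; it is not code from the report or from any vendor's identity product, and every user, group and resource name is constructed.

```python
"""Added example (not from the report or from any vendor's product): a minimal
role-based access model of the kind a centralized identity portal maintains.
Users belong to groups, groups carry entitlements to resources, and disabling a
user removes their access everywhere at once. All names are constructed."""
from typing import Dict, Set


class AccessDirectory:
    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}       # group -> users
        self.entitlements: Dict[str, Set[str]] = {}  # group -> resources
        self.disabled: Set[str] = set()              # users who have left

    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def grant(self, group: str, resource: str) -> None:
        """Entitlements attach to groups, never directly to users."""
        self.entitlements.setdefault(group, set()).add(resource)

    def disable_user(self, user: str) -> None:
        """One action at the portal cuts access to every connected system."""
        self.disabled.add(user)

    def groups_of(self, user: str) -> Set[str]:
        """Audit view: which groups a user belongs to."""
        return {g for g, users in self.members.items() if user in users}

    def resources_for(self, user: str) -> Set[str]:
        """Effective access: the union of the user's groups' entitlements."""
        if user in self.disabled:
            return set()
        resources: Set[str] = set()
        for group in self.groups_of(user):
            resources |= self.entitlements.get(group, set())
        return resources

    def who_can_access(self, resource: str) -> Set[str]:
        """Audit view: every active user whose groups grant the resource."""
        users: Set[str] = set()
        for group, resources in self.entitlements.items():
            if resource in resources:
                users |= self.members.get(group, set())
        return users - self.disabled


def build_sample_directory() -> AccessDirectory:
    """Constructed sample: two groups, three connected systems."""
    d = AccessDirectory()
    d.add_member("staff", "alice")
    d.add_member("staff", "bob")
    d.add_member("finance", "alice")
    d.grant("staff", "email")
    d.grant("staff", "intranet")
    d.grant("finance", "erp")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("alice:", sorted(d.resources_for("alice")))
    print("erp audit:", sorted(d.who_can_access("erp")))
    d.disable_user("alice")  # alice leaves the organization
    print("erp audit after offboarding:", sorted(d.who_can_access("erp")))
```

Because `who_can_access` is computed from group membership rather than from a per-system access list, the audit question "who can reach the ERP system?" is answered from one place, and the offboarding question "does the departed user still have access anywhere?" is answered by construction.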
Conclusion
There is a wide variety of threats in today's information technology landscape that have the
potential to breach the security of an organization's data. A systematic approach to assessing the assets,
policies, and architecture of an organization is critical for security. The initial approach for
organizations can be summed up as:
• Understand what should be protected. That is, make sure an organization’s information assets
are properly classified.
• Implement access controls appropriate to the organization’s information. Make sure that only
the access needed for job functions is provided.
• Apply appropriate encryption and data protection controls to data, both at rest and in
transit.
• Align the information governance policies with business strategies. This may be the most crucial.
It will ensure that the information technology systems support the goals of the business.
After the initial foundation is created, different components of the security infrastructure can be
added. These include:
• Network segmentation (where appropriate),
• Scanning (both port and application),
• A patching and threat assessment process,
• Standardized architecture and platforms,
• Single sign-on to manage user access,
• Enhanced (or next-generation) firewalls with active filtering to block inappropriate access.
Of course there are many more components, but based on the breaches we covered, these
should be considered priorities, especially when guarding against hacking.