Chapter 9

Cybersecurity:
Organizational Implications
The possibilities for cyberattacks can emanate from sources that are local, remote, domestic or
foreign. They could be launched by an individual or a group. They could be casual probes from
hackers using personal computers (PCs) in their homes, hand-held devices or intense scans from
criminal groups (Fig. 1).

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Security breach
 Unauthorized acquisition of data that compromises security, confidentiality or integrity of
personal information (PI).
 Good faith acquisition of PI either by an employee or an agent of an organization for business
purposes is not considered to be a breach, provided that the PI is not used or subjected to
further unauthorized disclosure.
 PI is information that is, or can be, about or related to an identifiable individual.
 It includes any information that can be linked to an individual or used to directly or indirectly
identify an individual.

PI can be any of the following data

1. Social security number (SSN)/social insurance number.
2. Driver’s license number or identification card number.
3. Bank account number, credit or debit card number with personal identification number such as
an access code, security codes or password that would permit access to an individual’s financial
account.
4. Home address or E-Mail address.
5. Medical or health information.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Four key dimensions of Privacy:
1. Informational/data privacy
2. Personal privacy
3. Communication privacy
4. Territorial privacy

Key challenges from emerging new information threats to organizations:

1. Industrial espionage
2. IP-based blocking
3. IP-based “cloaking”
4. Cyberterrorism
5. Confidential information leakage

The internal costs typically involve people costs, overhead costs and productivity losses (Fig. 2):

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Internal costs associated with a cybercrime incidence

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
The consequences of cybercrimes and their associated costs:
1. Information loss/data theft (highest – 42%).
2. Business disruption (22%).
3. Damages to equipment, plant and property (13%).
4. Loss of revenue and brand tarnishing (13%).
5. Other costs (10%).

Organizational Implications of Software Piracy

 Software piracy is an IPR violation crime.
 Use of pirated software increases serious threats and risks of cybercrime and
computer security. Violation of copyright laws (pirated software).
 Knowing use is also a criminal offense under the Act.
 Use of unlicensed software (pirated software) should be discouraged.
 Vulnerability of nongenuine computer software (see Fig. 3). The spread of this virus
can be partly attributed to the lack of automatic security updates for unlicensed
software.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Organizations should track software licenses to ensure that only genuine copies are used and
that the number of installations is not more than the allowed number by establishing a software
license tracker tool.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Overview of Web Threats to Organizations
 Large number of companies as well as individuals have a connection to the Internet.
 Employees expect to have Internet access at work just like they do at home.
 Mobile workforce has various categories.
 Workforce mobility poses challenges for IT managers whose agenda is to protect the business
and business assets against malware.
 Protection of information assets is important; especially protection of removable/detachable
media.
Categories of Web threats
1. Employees do a number of activities online (viz., visiting infected websites, accessing
pornographic sites, responding to Spam mails and attempting to hack sites) to name a few.
2. There are many challenges and difficulties IT managers face when it comes to managing web
use in a secure and efficient way and when it comes to handle an “incident” alert received.

Employee Time Wasted on Internet Surfing

3. Approximately 45–60 minutes spent on personal web surfing at work.
4. Safe Computing Guidelines/Internet Usage Guidelines should be implemented.
5. Organizations need software tools to track.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Keeping Security Patches and Virus Signatures Up to Date
 Updating security patches and virus signatures have now become a reality of life and a
necessary activity for safety in the cyberworld!
 Keeping security systems up to date with security signatures, software patches, etc. is almost a
nightmare for management.
 Not doing it properly exposes IT systems to unnecessary risk.
 In-house web filters, policy engines, Spam and anti-malware systems need regular updates to
stay effective.
 Finding IT technicians with the right level of skill to manage these systems is another aspect of
this problem.

Bandwidth Wastage Issues

Organizations have to pay for their bandwidth utilization. Under such a scenario, there is a concern
when expensive bandwidth is wasted by non-work Internet use. With the rise of social networking
and the trend toward social media marketing, streaming audio and video sites and TV-on-demand
business, Internet connections are under severe strain. There are tools to protect organization’s
bandwidth by stopping unwanted traffic before it even reaches your Internet connection.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Mobile Workers Pose Security Challenges
 Security concerns with Personal digital assistant (PDAs).
 Association of RIM BlackBerries.
 Mobile workers use those devices to connect with their company networks when they are on
the move.
Challenges in Controlling Access to Web Applications
 Presently, a large number of organizations’ applications are web based.
 There will be more in the future as the Internet offers a wide range of online applications.
 Employees often tend to use these applications to bypass corporate guidelines on security.
Employees may use their personal E-Mail IDs to send business-sensitive information (BSI) for
valid or otherwise reasons. These reduce IT department’s control over data and security.
 More and more organizations are getting worried about employee access to webmail or instant
messaging applications.
 As the sophistication of online applications increases, this is going to become a significant
problem.
The Bane of Malware
Many websites contain malware. Such websites are a growing security threat. Although most
organizations are doing a good job of blocking sites declared dangerous, cyberattackers, too, are
learning. Criminals change their techniques rapidly to avoid detection. The consequences of
infection are severe compared with any kind of malware.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
The Need for Protecting Multiple Offices and Locations
 Delivery from multi-locations and teams collaborating from multi-locations to deliver a single
project are a common working scenario today.
 Most large organizations have several offices at multiple locations.
 Protecting information security and data privacy at multiple sites is indeed a major issue
primarily because protecting a single site itself is a challenge these days.
 In a solo site scenario, anti-malware, web filtering and monitoring software are needed.
 Additional effort is required with multiple sites, as all hardware and administrative overheads
are multiplied!
 For an Internet-based-hosted service, it does not matter how many E-Mail servers there are.
However, with inhouse solutions, you do not have to pay an upfront capital cost for hardware
and software followed by an unpredictable ongoing maintenance cost. Fixed fee per user is
also an option to consider.

Security and Privacy Implications from Cloud Computing

There are data privacy risks associated with cloud computing.
Basically, putting data in the cloud may impact privacy rights, obligations and status.
There is much legal uncertainty about privacy rights in the cloud.
Organizations should think about the privacy scenarios in terms of “user spheres.”

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Social Media Marketing: Security Risks and Perils for Organizations
Usage of social media sites by large business-to-business (B2B) organizations (Fig. 4):
1. Facebook is used by 37% of the organizations.
2. LinkedIn is used by 36% of the organizations.
3. Twitter is used by 36% of the organizations.
4. YouTube is used by 22% of the organizations.
5. MySpace is used by 6% of the organizations.

Understanding Social Media Marketing

Most typical reasons why social media marketing is used to promote their products and services:
1. To be able to reach to a larger target audience.
2. To increase traffic to their website coming from other social media websites.
3. To reap other potential revenue benefits and to minimize advertising costs.
4. To build credibility by participating in relevant product promotion forums and responding to
potential customers’ questions immediately.
5. To collect potential customer profiles.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
 Cyber Security by Nina Godbole/Sunit Belapure
Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Best Practices with Use of Social Media Marketing Tools
 Establish a “social media policy.”
 Use of personal blogging for work-related matters should be monitored and minimized.
 Use of policies and implementation of policy-based procedures are always essential.
 Increasing employee awareness is an ongoing activity.
 Organizations need to educate their employees about the risks associated with the use of online
social media tool.
 Organizations must raise their employees’ awareness of the fact that even seemingly innocuous
information can reveal too much about the company or the person’s private life.
 It is worth exploring appointment of a social media expert within the company.
 Need to establish the “need-based access policy.”
 Policies should not be treated as a one-time activity.
 Blocking the infected websites is another necessary activity.
 Access blocking can also be applied to any other suspicious site on the Internet.
 Firewalls help to protect the organization.
 Protection against vulnerability is possible by carefully planning vulnerability scanning and
penetration testing.
 An intrusion prevention system (IPS) serves as a protective barrier to the corporate network.
 Securing the Intranets should also be included in the protection activities.
 Include mobile devices in the security policy.
 With the use of centralized management, administrators can manage, monitor and configure the
entire network and all devices using a single management console.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
The Organizational Best Practices
1. Organization-wide information systems security policy
2. configuration/change control and management
3. risk assessment and management
4. standardized software configurations that satisfy the information systems security policy
5. security awareness and training
6. contingency planning, continuity of operations and disaster recovery planning
7. certification and accreditation

Social Computing and the Associated Challenges for Organizations

1. Social computing (or “Web 2.0”): Empowers people to use Web-based public products and
services.
2. It is much more than just individual networking and entertainment.
3. It helps thousands of people across the globe to support their work, health, learning, getting
entertained and citizenship tasks in a number of innovative ways.
4. Social networking, social media marketing and social computing are not unrelated concepts.
5. Social computing is related to social media marketing.
6. Due care to be taken while using social computing as a channel strategy for communicating
with internal or external stakeholders.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Protecting People’s Privacy in the Organization
 People hate to be monitored
 Tracking and monitoring people’s transactions on the Internet is a controversial issue.
 RFIDs have been successful to track objects, animals, birds and goods in shipment.
 In the US, Social Security Number is a well-established system/mechanism for uniquely
identifying all American citizens.
 Although the Indian Government has issued IDs, they are fragmented by purpose and region in
India.
 This leads to widespread bribery, denial of public services and loss of income – it particularly
makes citizens poor.
 When the unique identity database comes into existence, the number of identity databases
(voter ID, passports, ration cards, licenses, fishing permits, border area ID cards) currently
existing in India are supposed to be linked to it.

Guidelines for Internet Usage, Safe Computing Guidelines and Computer Usage
Policy
Recognize the need for proactively protecting company’s identity when online. Anonymizer
effectively mitigates threats with their identity protection and information assurance solutions;
however, there are risks too associated with “Anonymizers”. In view of the cyberthreats, it
becomes cardinally important for organizations to develop Safe Computing Guideline. They are
sometimes referred to as Organizational Guidelines for the Internet Usage or Computer Usage
Policy. Policies are always important as they provide an objective and direction for
implementation.
Cyber Security by Nina Godbole/Sunit Belapure
Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Developing an Organizational Policy for Computer Usage
A “computer usage policy” should address the following elements:
1. Mission Statement
2. Introduction
3. Internet Safety
4. Confidentiality
5. User Responsibilities
6. Disciplinary Action for Privacy Violation and Disclaimer
7. Miscellaneous

Incident Handling
 Handling of any type of service disruption or interruption.
 The act of violating an explicit or implied security policy.
 An adverse event in an information system, and/or network, or the threat of the occurrence of
such an event.
 Any adverse event which compromises some aspect of computer or network security.
 An occurrence in a system that is relevant to the security of the system (event).

Cyber Security
 Protecting information, equipment, devices, computer, computer resource, communication
device and information stored therein from unauthorized access, use, disclosure, disruption,
modification or destruction.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
 Providing security in terms of both physical security to the devices and security to the
information stored therein such devices.
 Providing protection from unauthorized access, use, disclosure, disruption, modification and
destruction to both physical device and the information stored therein.
“Incident response,” “incident handling” and “incident management” have a relationship among
them. Incidents include but are not limited to the following list:

1. Loss of computing devices

2. Detection or discovery of a program agent

3. Detection or discovery of unauthorized users, or users with privileges in excess of authorized

privileges

4. Detection or discovery of critical or widespread vulnerabilities, or mis-configuration

“Event” and “adverse events” are the two related terms to be noted. An event is an observable
occurrence in a system or network. All events may not call for a countermeasure unless they are
“adverse events” which sometimes are referred to as “risk events.” Adverse events are events that
result in negative consequence.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
On-call procedures are activated and vendor support is invoked:
1.High priority incidents
2.Medium priority incidents
3.Low priority incidents

Why to Have Incident Response Systems?

 Rising number of threats in the cyberspace.
 Strong need for instituting incident response management systems in organization.
 Cyber attacks frequently cause the compromise of personal and business data.
 Real incidents involving viruses, worms, Trojan Horses, Spyware and other forms of Malicious
Code.

What Organizations Can Do To Protect their Systems from Cyber Security

Incidents?
 Organizations need to protect their information systems from malware.
 Organizations need to protect business-sensitive information in general and protected health
information (PHI) in the healthcare sector, and PI and SPI of their multiple stakeholders.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Best Practices for Organizations
1.Develop and implement an approach to malware incident prevention.
2.Develop and implement policies that support the prevention of malware incidents.
3.Incorporate prevention of malware incident and handling of awareness programs, and provide
guidance and training to users.
4.Establish capabilities to mitigate vulnerabilities and to help prevent malware incidents through
documented policy, technical processes and procedures.
5.Establish threat mitigation capabilities to assist in containing malware incidents by detecting and
stopping malware before it can affect systems.
6.Establish a robust incident response process capability that addresses malware incident handling
through preparation, detection and analysis, containment/eradication/recovery and post-incident
activities.
7.Establish malware incident prevention and handling capabilities that address current and short-
term future threats that are robust and flexible.

Incident Response Team Work, Capabilities and Structure

 An active coordination and management role needs to be created.
 Incident response team needs to be formed.
 Staffing the incident response team is a tricky issue.
 Team success is about skills, competencies, capabilities and training.
 Haphazard teams with inadequate skills will not work.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Benefits from Incident Response Systems
1. Organization has the ability for responding to incidents systematically so that the appropriate steps are
taken.
2. There is a provision for helping personnel to recover quickly and efficiently from security incidents,
minimizing loss or theft of information and disruption of services. This results in timely resolution of incidents,
resulting in reduced business impact.
3. Being able to use the information gained during incident handling to better prepare for handling future
incidents and to provide stronger protection for systems and data.
4. The ability to deal properly with legal issues that may arise during incidents.
5. Improved user satisfaction.
6. More efficient utilization of service desk and other staff .
7. Enhanced ability to measure and monitor IT performance relative to SLAs.
8. Better data to support executive decisions regarding service quality.
9. Improved ability to track incidents and service requests efficiently.
10. Proactive identification of process enhancements.
11. A systematically installed incident handling system makes it imperative for organization to carry out a root
cause analysis of the incidents that have occurred.
12. It also helps to study if there is a “trend” and “pattern” in the cybersecurity incidents that have taken
place.
13. Lessons learned from meetings provide other benefits.
14. Reports from these meetings are good material for training new team members.
15. Information regarding an incident may be recorded in several places.
16. Organizations should deploy centralized logging servers and configure devices to send duplicates of their
log entries.
17. A system enforces recording of the information with regard to an incident.
18. Incident handlers benefit from this practice because they have the pertinent log entries available together.
19. Use of checklists helps to harmonize the incident response analysis.
Cyber Security by Nina Godbole/Sunit Belapure
Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Forensics Best Practices for Organizations
 Organization’s forensics readiness is important.
 Forensics readiness is defined as the ability of an organization to maximize its potential to use
digital evidence while minimizing the costs of an investigation.
 Preparation to use digital evidence is not easy.
 It involves system and staff monitoring, technical, physical and procedural means to secure
data to evidential standards of admissibility, processes and procedures.
 All this becomes essential for ensuring that staff recognizes the importance and legal
sensitivities of evidence, and appropriate legal advice and interfacing with law enforcement.
 The prime factor in understanding the need for forensics readiness is a risk assessment.
 An asset register is certainly needed to understand the attractiveness of targets to the types of
crime
 Be aware that any information security defensive measures based on a risk assessment will
always leave a residual risk.

Digital Forensics Investigation and Digital Evidences

 Quality and availability of evidence is a passive aspect of the DFI.
 Cybercriminals are known to exploit the fact that investigation is costly and takes time.
 Real-life situations show that half an hour of attacker time requires an average investigation
time of 48 hours!

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Digital evidence could:
 Help manage the impact of some important business risks.
 Support a legal defense.
 Support a claim to IPR.
 Show that due care (or due diligence) was taken in a particular process.
 Verify the terms of a commercial transaction.
 Lend support to internal disciplinary actions.

Key factors that affect evidence preservation and investigation time:

 1. How logging is done
 2. What is logged
 3. IDS under use
 4. Forensics acquisition (of the evidence)
 5. Evidence handling

Concerns with Being a Forensically Ready Organization

 Digital evidence is required.
 An organization needs access to the evidence that will be able to support its position.
 There is always a tendency to focus on containment and recovery.
 There is a trade-off to be made between recovery and evidence.
 A lot of information is also lost or discarded.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Benefits of Being a Forensically Ready Organization
1. The ability to gather evidence that can serve in the company’s defense if subjected to a lawsuit.
2. Comprehensive evidence gathering can be developed as a deterrent to the insider threat
(throwing away potential evidence is simply helping to cover the tracks of a cybercriminal).
3. In case of a major incident, a rapid and efficient investigation can be conducted and actions can
be taken with a view to minimal disruption to the business.
4. Reduction in cost and time of an internal investigation through a systematic approach to evidence
storage.
5. A structured approach to evidence storage can reduce the costs of any court-ordered disclosure
or regulatory or legal need to disclose data (e.g., in response to a request under data protection
legislation).
6. Forensics readiness can widen the scope of information security to the wider threat from
cybercrime, such as IP protection, fraud or extortion.
7. It demonstrates due diligence and good corporate governance of the company’s information
assets. It can further demonstrate that regulatory requirements have been met.
8. It can improve and facilitate the interface to law enforcement, if involved.
9. It can improve the prospects for a successful legal action.
10. It can provide evidence to resolve a commercial dispute.
11. It can support employee sanctions based on digital evidence (e.g., proving violation of an
Acceptable Usage Policy).

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Media and Asset Protection: Best Practices for Organizations
 “Information asset”: A definable piece of information stored in any manner that is recognized as
“valuable” to the organization.
 Data breaches take place when criminals perceive “value” to the data/information stored on the
media or see a particular information asset as valuable.
 All data breach incidents may not necessarily involve only network attacks; even physical media
can get stolen and crimes happen.
 It is imperative to have local encryption for hard disks and any other media that are believed to
store critical information.
 Even when the information is classified and a scheme is deployed for information asset
protection, it is of no use without an effective access management system.
 Managing the access to organization’s information assets is of paramount importance.
 Access” is the ability or the means necessary to read, write, modify or communicate
data/information or otherwise use any system resource.
 Access management is the process for managing individual and group authorization to read,
create, modify or transfer data, and to perform specific functions or transactions.
 Access management framework is the consolidation of all access management standards,
requirements and resource references to incorporate business unit best practices in a single
document. Employees in the organization are committed to information protection and are
responsible for classifying and protecting information that has value to the organization, its
employees and the customers, suppliers, business partners and others with whom the
organization does business.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
Aspects pivotal to a sound access management framework:
1. What: Identification of data and functions that need to be protected.
2. Who: Determination of who should have access to specific data and/or functions and why they should
have access (authorization criteria).
3. How: Definition of the specific method to request, evaluate, approve (or reject) and implement access
authorization.
Figure 5 presents the elements that affect an access management framework based on fundamental
governance principles. The elements in the figure indicate that a mature access management framework
spans across corporate instructions based on organizational standards and guidelines.
Importance of Endpoint Security in Organizations
 People who are out of job are found to steal confidential company information with them either on
DVD or using USB drives.
 Security risks from hand-held devices (such as iPods, USB devices, Smartphones, etc.) have
dramatically increased the risk of intentional and unintentional data leaks and other malicious activity.
 An “endpoint” is an individual computer system or device that acts as a network client and serves as a
workstation or personal computing device. Common endpoints are laptops, desktops and personal
computing devices including hand-held devices that can connect into the network.
 Securing the endpoints is essential to protect assets. Organizations that do not have any form of
endpoint security, have their corporate networks and data potentially exposed to hackers and
criminals who can access sensitive information from unprotected access points.
 The use of portable storage devices poses a huge security risk to networks at the endpoints.
 Moreover, securing these endpoints has become a major area of concern for IT security implementers
in corporate as well as small and medium enterprises.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
 Cyber Security by Nina Godbole/Sunit Belapure
Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.
 Web-based applications are more prone to security threats. E-Mails have become the most
common method or primary means of communication for almost all organizations and
individuals.
 Most people are not careful when sending information through E-Mails. Highly confidential
information inside the E-Mail text and/or sent as attachments results in possible breach of
confidential data through E-Mail system.
Organizations can take a number of actions:
 Devices can be tested for security compliance and devices that fail compliance testing should
get quarantined.
 Users of those devices should be provided with direction and resources for updating the
device with the necessary patches and security setting.
It is to be remembered that endpoint compliance includes both kinds of devices: (1) Devices that
are under the control of the organization (corporate desktops and laptops) and (2) External
endpoints that are not under the organization’s direct control.

Cyber Security by Nina Godbole/Sunit Belapure

Copyright  2011 Wiley India Pvt. Ltd. All rights reserved.