CYBERSECURITY
ISSUES OF TODAY, A PATH FOR TOMORROW
Daniel Reis
Copyright 2016 Daniel L. Reis.
All rights reserved. No part of this book may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the author except in the case of brief quotations embodied in critical articles and reviews.
Archway Publishing
1663 Liberty Drive
Bloomington, IN 47403
www.archwaypublishing.com
1 (888) 242-5904
Because of the dynamic nature of the Internet, any web addresses or links contained in this book may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.
Any people depicted in stock imagery provided by Thinkstock are models, and such images are being used for illustrative purposes only.
Certain stock imagery © Thinkstock.
ISBN: 978-1-4808-3030-1 (sc)
ISBN: 978-1-4808-3031-8 (hc)
ISBN: 978-1-4808-3032-5 (e)
Library of Congress Control Number: 2016906973
Archway Publishing rev. date: 08/18/2016
I would like to thank my girlfriend Cindy Wood for all her support and patience with me completing an MS in Information Systems Security, and then being a glutton for punishment with the nearly three years it took to write this book. Also, I wish to thank Steve Edwards for his editing and advice on my overall writing tone, John Walker for his security and editing, and Mike Adler for taking the time to read the manuscript and provide input. All were very supportive, gracious and helpful.
Introduction
What This Book Is About
Securing our data and systems today and in the future is critical. To do this, business and technology professionals have to deal with the problems of today's security technology to maintain security now, as well as with how to use it to secure systems and data against future issues. Cybersecurity's primary focus is business issues, but it has historically been driven by technical aspects that have oriented it as a technology solution instead of the business-oriented solution that people must continually encounter. A goal here is to provide insight into the current state of security solutions and the industry, taking into consideration the changes that need to be addressed due to current and future challenges rooted in securing computing resources and data. This includes the types of security issues organizations face today as well as the threat prospects we will likely face in the foreseeable future. It's evident that securing systems and data is inherently difficult and problematic for the security industry and organizations alike. Accounting for the number of choices and nearly unlimited options for network and security design and implementation, and the sophistication of today's hackers, it is sometimes a wonder that any protection has been as effective as it has. Clearly there has been a tremendous amount of thought and effort to continue to move protection forward. However, the issues surrounding the complexity created by the many facets of computing and security environments are not expected to disappear anytime soon, and they continually complicate the ability to secure data. These issues are endemic to any organization that simply wants to use computing resources while also keeping its data secure. It would be nice if it were simple to succeed at protection, but it isn't.
Cybersecurity is an ongoing exercise applied to all the elements that make up computing devices. This includes various types of computers, smartphones, private and public network devices, the Internet, and all the devices and software comprised within the global computing sphere. This field also includes all the processes and mechanisms by which digital equipment, information, and services are allowed access and protected from unintended or unauthorized access, change, or destruction. It must also include physical security, because physical and digital security are intertwined. Any breach is bad; however, a physical security breach can be one of the most catastrophic kinds of security breach because it can allow full access to both data and equipment, and it is usually the result of an attack from an internal source. Overall, cybersecurity is the process of applying security measures in order to ensure data confidentiality, integrity, and availability (CIA) to authorized parties, for information that is in transit or at rest.
A crucial area that needs to be considered in protecting all data is personal identity and the ownership and privacy of personal information. The question of who legally owns information about individuals within organizations is fundamental to being able to control and protect it. Without some clearly defined rules or laws to address identity information ownership, as well as rules for utilizing and sharing individual and organizational information, protecting this data will continue to be difficult, if not impossible. There are numerous regulations in the United States that cover portions of this issue, but there is nothing close to being comprehensive. In the United States, the rules for data privacy generally apply to specific industries, such as health care (HIPAA), unlike the overall privacy directives that Europeans instituted, covering all members of the European Union.
There could be a form of fair-use rules that allow organizations to utilize the personal information they gather through their research, analysis, and ongoing business practices, without putting it at risk. For these rules to be useful, everyone needs to accept that there are different classes of information, such as details about individuals, that should be treated with more control over their access and use. Organizations could have access under a system that ensures they have proper credentials and follow established procedures for personal data handling and disposition. Perhaps the data could be checked out for a certain period of time for a specific use, in non-human-readable format, and then either returned or automatically deleted. Every organization that checked out data would also have to follow certain standards showing that the data's integrity was maintained. There could even be a liability insurance program based on an organization having met certain protection methodology benchmarks, to ensure overall data compliance and provide coverage against a breach. To allay organizational concerns, knowledge learned from using personal information would not be lost; organizations could own the resulting data as their own intellectual property, as long as it did not contain or was not directly tied to an individual's identity or personal information. To manage more sensitive personal information, there could be a method to anonymize that data so that any sensitive or personal information is left at the source or, at minimum, obfuscated when used by an organization for various purposes. This could leave personal information within the domain of its owner, with a single point of storage and access control to better protect it, while still allowing authorized organizations access when needed. Attempting to anonymize information today raises a number of issues, because, as we now know, there are tens of thousands of different systems that store personal information.
In addition, systems and software can fairly easily correlate information from just a few of these storage systems, and combined with the constant data exhaust all of us create with our online lives, this means anyone can be identified at some level. There are many technical as well as potential legal issues in protecting personal data while still making it available for research or other reasonable business uses. Unfortunately, there aren't any silver-bullet answers to this problem. But the fact stands that, regardless of methodology, the current level of private-information exposure, together with the absence of any single owner of that information, creates a whole host of problems that won't go away until some type of reliable privacy ownership and control can be defined and implemented.
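The checkout scheme sketched above (identifying details kept at the source, an extract handed out in non-human-readable form for a limited time, then automatically deleted) and the correlation concern in this paragraph can be illustrated in code. The example below is an added illustration written for this edition; it is not the author's design and not an existing product. It assumes a hypothetical data owner holding a few constructed records, a keyed one-way token (HMAC-SHA256) in place of each identifying field, a separate token key per recipient so that two recipients cannot join their extracts on identity, and a lease that wipes its rows once its time-to-live has passed.

```python
import hmac
import hashlib
import time

# Constructed sample records held by the hypothetical data owner; all values are made up.
SOURCE_RECORDS = [
    {"ssn": "123-45-6789", "name": "Alice Example", "zip": "02139", "diagnosis": "asthma"},
    {"ssn": "987-65-4321", "name": "Bob Example", "zip": "02139", "diagnosis": "flu"},
    {"ssn": "123-45-6789", "name": "Alice Example", "zip": "02139", "diagnosis": "eczema"},
]

# Fields that never leave the owner's domain in readable form.
IDENTIFYING_FIELDS = ("ssn", "name")


def derive_recipient_key(master_key: bytes, recipient: str) -> bytes:
    """Derive a distinct token key per recipient (assumed design choice).

    Two recipients therefore receive different tokens for the same person, so
    their extracts cannot be correlated on the token value.
    """
    return hmac.new(master_key, recipient.encode("utf-8"), hashlib.sha256).digest()


def pseudonymize(key: bytes, value: str) -> str:
    """Keyed one-way token: stable within one recipient's extract, unlinkable across recipients."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def shared_tokens(rows_a: list, rows_b: list) -> set:
    """Identity tokens present in both extracts; an empty set means they cannot be joined."""
    tokens_a = {r[f] for r in rows_a for f in IDENTIFYING_FIELDS}
    tokens_b = {r[f] for r in rows_b for f in IDENTIFYING_FIELDS}
    return tokens_a & tokens_b


class Lease:
    """A checked-out extract that wipes itself once its time-to-live has passed."""

    def __init__(self, recipient: str, rows: list, expires_at: float):
        self.recipient = recipient
        self._rows = rows
        self.expires_at = expires_at

    def is_expired(self, now=None) -> bool:
        now = time.time() if now is None else now
        return now >= self.expires_at

    def rows(self, now=None) -> list:
        """Return copies of the rows, or wipe them and refuse once the lease has expired."""
        if self.is_expired(now):
            self._rows = []  # automatic deletion on expiry
            raise PermissionError("lease for %s has expired" % self.recipient)
        return [dict(r) for r in self._rows]


class DataOwner:
    """Single point of storage and access control for personal data (hypothetical)."""

    def __init__(self, master_key: bytes, records: list):
        self._master_key = master_key
        self._records = records

    def checkout(self, recipient: str, ttl_seconds: int, now=None) -> Lease:
        """Issue a time-limited extract with identifying fields replaced by tokens."""
        now = time.time() if now is None else now
        key = derive_recipient_key(self._master_key, recipient)
        extract = [
            {k: (pseudonymize(key, v) if k in IDENTIFYING_FIELDS else v) for k, v in rec.items()}
            for rec in self._records
        ]
        return Lease(recipient, extract, expires_at=now + ttl_seconds)


if __name__ == "__main__":
    owner = DataOwner(master_key=b"constructed-demo-key-not-for-production", records=SOURCE_RECORDS)
    lease = owner.checkout("research-team-a", ttl_seconds=3600)
    for row in lease.rows():
        print(row)
```

Within one extract the same person always maps to the same token, so the recipient can still count repeat visits or group by individual; across recipients the tokens differ, which is the property the correlation concern above calls for. Note what the scheme does not do: the quasi-identifiers left in the clear (here the ZIP code and diagnosis) can still narrow a person down when joined with other data, which is exactly why the paragraph above says anonymization alone is not a silver bullet.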