Vulnerabilities in the Organization

Cyberspace is the infrastructure of the modern world, and Cybersecurity is the infrastructure of Cyberspace.

Internet presence has become a prerequisite for the operation of any organization, whether it is a government agency, a business activity, or an academic institution. Every organization needs an open door to the public, with the ability to serve its constituency online and the capacity to securely hold data. The Internet presents unprecedented opportunities for practically every organization. However, along come unprecedented dangers that may lead to costly, often irreversible, damage.

Let us consider the cost of the one-penny intrusion. The story goes that in a certain bank the online system was compromised, and one penny was removed from an account. Let us see how much that penny will cost the bank. Following the discovery of the account compromise, an emergency meeting of twenty executives was called that lasted for four hours. A decision was made to reconcile all of the bank’s 250,000 accounts against the previous day’s records. This activity would require two full days of the bank’s five-member IT department. A public relations campaign was authorized, via several media, in the hope of offsetting any negative publicity. Undoubtedly, the cost of the one-penny intrusion ended up as far more than the one-penny loss.

Organizational operations are not physically performed and monitored anymore, but are done electronically via shared databases and via intranets, extranets, and the Internet. That is, we operate based on the perception of reality and not with reality itself. A bank manager looks at the screen to see the financial standing of the bank and does not count the bills and the coins that are in the hundreds of the bank’s locations.

While the convenience, efficiency, and effectiveness provided by information systems are of unprecedented magnitude, so are the accompanying dangers. As a result, it is imperative that organizational security measures match the ever-increasing threats. In the case of a security breach in an information system, the most important security measures are real-time detection, notification, and immediate countermeasures.

A certain white paper states: “The business . . . needs to detect attacks or vulnerabilities instantaneously and provide effective solutions.”* Therefore, incident detection is the cornerstone of any security plan—a plan that is supported by the design of a secure system that provides an incident analysis and a vulnerability repair procedure.

Common Organizational Vulnerabilities

In the definition of an organizational information system, each and every functional requirement needs to have an accompanying security component addressing external as well as internal possible attacks. According to statistics, the most successful cyber attacks are hybrid in nature: an insider, knowledgeable of a vulnerability, helps an outsider to successfully bypass the system security and access the organization’s resources.

In information system design and implementation, besides the expected nominal performance, security functions need to be added that will prevent the creation of vulnerabilities. Most vulnerabilities arise from one or more of the following:

Data Backup:

Backing up data at intervals that are incompatible with the speed of system operations. It is the CIO’s decision whether data are backed up every hour, minute, second, or millisecond. The frequency of moving data from the soft backup storage to the hard archival media has to be carefully selected. Also, decisions need to be made as to the retention of data and the policy for accessing them. Deletion of unnecessary data can be very important, because retention may be governed by compliance regulations. Post-intrusion analysis depends absolutely on backed-up data, because the access trail of archived data* can provide valuable information.

Operational Buffer Overflow:

Every piece of data entry or entry request is temporarily stored in a buffer while being serviced. The easy software design is a fixed-size buffer of a guesstimated size. Whatever the size, the buffer may fill, making the particular function inoperable or inaccessible. Security-minded software design calls for a dynamically sized buffer that may endlessly extend itself into the vast available disk storage. Attackers overflow targeted buffers, usually overwriting data or code. Attackers may even place malware in the overflow that a naive buffer passes on as executable code, with disastrous consequences.
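The contrast described above, as an added example that is not code from the original text: a fixed buffer of a guessed size filled without a length check, beside a buffer that records its capacity and grows on demand. The names, the 64-byte guess and the 1 MiB ceiling are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* The design the text warns about: a fixed buffer of a guesstimated size,
 * filled without checking the length of the incoming data. Any input longer
 * than 63 bytes runs past buf and overwrites whatever sits after it. */
#define GUESSED_SIZE 64
int naive_store(const char *input) {
    char buf[GUESSED_SIZE];
    strcpy(buf, input);                  /* unbounded copy: the overflow point */
    return (int)strlen(buf);
}

/* Security-minded alternative: a buffer that tracks its own capacity and
 * grows on demand, so no input length can write outside it. GROWBUF_MAX is
 * an assumed ceiling: without one, "endless" growth becomes a memory
 * exhaustion vector, so oversize input is refused instead of absorbed. */
#define GROWBUF_MAX ((size_t)1 << 20)
typedef struct { char *data; size_t len, cap; } growbuf;
int growbuf_init(growbuf *b, size_t cap) {
    b->cap = cap ? cap : 1;
    b->data = malloc(b->cap);
    if (!b->data) return -1;
    b->data[0] = '\0'; b->len = 0;
    return 0;
}
int growbuf_append(growbuf *b, const char *chunk, size_t n) {
    if (n > GROWBUF_MAX - b->len - 1) return -1;      /* over the ceiling */
    if (b->len + n + 1 > b->cap) {                    /* grow before copying */
        size_t newcap = b->cap;
        while (newcap < b->len + n + 1) newcap *= 2;
        char *p = realloc(b->data, newcap);
        if (!p) return -1;
        b->data = p; b->cap = newcap;
    }
    memcpy(b->data + b->len, chunk, n);               /* always within cap */
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}
void growbuf_free(growbuf *b) { free(b->data); b->data = NULL; b->len = b->cap = 0; }
/* Store input of any length through the growing buffer. Returns the stored
 * length, or -1 if the ceiling or the allocator refused it. */
long safe_store(const char *input) {
    growbuf b;
    if (growbuf_init(&b, GUESSED_SIZE) != 0) return -1;
    long stored = growbuf_append(&b, input, strlen(input)) == 0 ? (long)b.len : -1;
    growbuf_free(&b);
    return stored;
}
```

`naive_store` is shown only to make the defect visible; calling it with input longer than the buffer is undefined behaviour, which is exactly why the growing buffer exists.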

Operational Speed Saturation:

Endless and persistent requests, though simple, may exceed the computational limits of the system and virtually incapacitate external communications with bona fide users. Again, security-minded software design calls for provisions to ignore or block persistent requests of common origin.

Access Authorization and Authentication:

Authorization codes and processes are often vulnerable for a variety of reasons. The most common are:

◾ The system allows the user endless password entry attempts. In this case, the attacker automates the attack, using a password generator that, given enough time, discovers the correct password.
◾ The system does not allow the user many password entry attempts, and the user writes the password down in possibly vulnerable places.
◾ The system demands password changes at frequent intervals, creating inconvenience for the user, and the user makes minimal changes, with each change adding vulnerability.

Present authentication technologies include the following four factors, also illustrated in Figure 2.1a–d:

◾ Something the user knows (e.g., password, PIN)
◾ Something the user has (e.g., ATM card, smart card, USB device)
◾ Something the user is (e.g., biometric characteristic, such as a fingerprint) [1]
◾ Something the user receives (e.g., one-time passwords (OTP) received via mobile telephony, such as short message service, SMS, or via the Internet, such as email or another personally accessible application)

Figure 2.1 Authorization criteria

“User names and passwords no longer provide adequate security [2].” A successful solution to the password problem has been the use of OTP [3], where the authorization server, via an alternate channel, sends the user an OTP each time the user needs to access the system. Such passwords can be valid for a short period of time, with the possible alternate channels being:

◾ Mobile telephony, where the authorization server sends the OTP to the user’s cell phone via SMS or even machine spoken
◾ The Internet, where the authorization server sends the OTP to the user via chat, Skype, MSN, or as an email [3]

This solution falls in the category of the so-called Two Factor Authentication (TFA).* TFA implies the application of two authorization modes to best authenticate the user. The first factor is a conventional one, such as user name and password, and the second factor is an unconventional mode, such as the answer to a certain question or a biometric parameter, or a parabiometric† parameter.

The “two-factor authentication solution leverages an everyday tool—the phone—[that is very close to the person] to secure [authentication for] account logins and transactions [2].” This type of authentication falls in the parabiometric category.

The participation of the mobile phone in the authentication process can be as simple as receiving an OTP or even speaking back a certain passphrase for voice print authentication. Furthermore, even if an attacker enters the correct user name and password, the authorized user will receive an immediate call informing them of the access. If the access is an intrusion attempt, the legitimate user “can immediately block the account and notify the company’s fraud department, [that] can instantly take appropriate action [2].”
Multifactor (multimode) authentication procedures are on the rise and are being progressively deployed in high-security applications. An OTP example is illustrated in Figure 2.2, where the password is sent to the user via mobile telephony as an SMS. An OTP can be combined with biometrics, as shown in Figure 2.3, where the fingerprint reading and an OTP are sent to the server for resource access. A network illustrating the biometric OTP technology appears in Figure 2.4.
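The server side of the OTP second factor described above, as an added example that is not code from the original text: a code is issued with a short validity window, accepted once, and given a bounded number of guesses (the endless-attempts weakness from the list earlier). The six-digit length, 60-second window, three-try limit and the use of /dev/urandom are assumptions of this example; the caller is assumed to have already checked the user name and password.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Assumed policy values for this example, not taken from the text. */
#define OTP_DIGITS    6
#define OTP_TTL_SECS  60     /* short validity window */
#define OTP_MAX_TRIES 3      /* guesses allowed per issued code */

typedef struct {
    char   code[OTP_DIGITS + 1];
    time_t issued;
    int    tries;
    int    consumed;   /* 1 once accepted, expired, or guesses exhausted */
} otp_record;

/* Issue a fresh code from the OS entropy source (/dev/urandom, assumed to
 * exist); bytes >= 250 are skipped so every digit is equally likely. */
int otp_issue(otp_record *rec, time_t now) {
    unsigned char raw[32]; int i = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(raw, 1, sizeof raw, f) != sizeof raw) { if (f) fclose(f); return -1; }
    fclose(f);
    for (size_t k = 0; k < sizeof raw && i < OTP_DIGITS; k++)
        if (raw[k] < 250) rec->code[i++] = (char)('0' + raw[k] % 10);
    if (i < OTP_DIGITS) return -1;
    rec->code[OTP_DIGITS] = '\0';
    rec->issued = now; rec->tries = 0; rec->consumed = 0;
    /* The server would now send rec->code over the alternate channel (SMS,
     * e-mail, chat); here it stays in rec so the caller can use it. */
    return 0;
}

/* Compare without leaking, through timing, how many leading digits matched. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Second-factor check, run only after user name and password have passed.
 * Returns 1 on success, 0 on any failure; the failure reason is not revealed. */
int otp_verify(otp_record *rec, const char *submitted, time_t now) {
    if (rec->consumed) return 0;                                           /* already used */
    if (now - rec->issued > OTP_TTL_SECS) { rec->consumed = 1; return 0; } /* expired */
    if (++rec->tries > OTP_MAX_TRIES)     { rec->consumed = 1; return 0; } /* guesses used up */
    if (strlen(submitted) != OTP_DIGITS || !ct_equal(submitted, rec->code, OTP_DIGITS)) return 0;
    rec->consumed = 1;                                                     /* single use */
    return 1;
}
```

The clock is passed in rather than read inside, so expiry can be tested deterministically; in production `time(NULL)` would be supplied.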
