Thursday, May 27, 2021

Network Security

Information and System Security

A basic tenet of the relationship between employees and employers is the trust they place in each other.  That trust begins with the security of both parties' information.  On the one hand, the employer should have security layers in place that protect company information, including information about its employees.  On the other hand, employees should follow company guidelines on handling and sharing company information.  Employers should invest in training and educating their employees about the threats and risks to the company's systems and valuable information.

Individuals at home should follow similar rules and behaviors as they do at work to protect their personal information.  This includes the sharing and posting of information on social media and conduct when using e-mail.

Ping of Death

Last week, we used the ping command to learn more about network communications.  As part of this exercise, we learned that the ping command transmits small data packets over a network to a server at a specific IP address.  The receiving server, in turn, responds with a new packet of information, which is then used to determine how much time it took for the packet to arrive and if any data packets were lost during the transmission.

As helpful as the command is for troubleshooting network problems, it has also been used maliciously to harm servers through a Denial of Service (DoS) attack, which attempts to interrupt or halt the service provided by the target computer or server.  Attackers send oversized or malformed data packets using the ping command, exploiting weaknesses in how servers handle incoming packets; the resulting problems, including memory (buffer) overflow, ultimately lead to service interruption.
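The weakness behind the ping of death was that a receiving system copied fragments of an ICMP echo into its reassembly buffer without first checking that the reassembled datagram would fit the 65,535-byte maximum an IPv4 datagram can have. The following is an added illustration, not code from the original post: a bounds check of the kind a reassembly routine applies before placing any fragment data. Fragments are constructed Python dicts standing in for the relevant IPv4 header fields (fragment offset in 8-byte units, the More Fragments flag, and the data); no packets are sent or received.

```python
# Added illustration (not from the original post): the size check an IPv4
# reassembly routine needs so that an oversized ICMP echo is dropped instead of
# overrunning the reassembly buffer. All fragment data below is constructed.

MAX_IPV4_DATAGRAM = 65535      # 16-bit total-length field: largest datagram IPv4 can describe
IPV4_HEADER_LEN = 20           # header without options; fragment offsets count from after it
MAX_IPV4_PAYLOAD = MAX_IPV4_DATAGRAM - IPV4_HEADER_LEN   # at most 65515 bytes of data
FRAG_UNIT = 8                  # the fragment-offset field counts 8-byte units


def make_fragment(offset_units, payload, more_fragments):
    """Constructed fragment: offset in 8-byte units, the data bytes, and the MF flag."""
    return {"offset": offset_units, "payload": bytes(payload), "mf": more_fragments}


def fragment_end(frag):
    """Byte position one past this fragment's data inside the reassembled payload."""
    return frag["offset"] * FRAG_UNIT + len(frag["payload"])


def check_fragment(frag):
    """None if the fragment fits inside a legal datagram, otherwise the reason to drop it."""
    end = fragment_end(frag)
    if end > MAX_IPV4_PAYLOAD:
        return "fragment ends at payload byte %d, beyond the %d-byte IPv4 limit" % (end, MAX_IPV4_PAYLOAD)
    return None


def audit_fragments(fragments):
    """Validate fragments belonging to one datagram (same IP ID, source and destination assumed).

    Returns {"accepted": bool, "length": reassembled payload length, "reason": str or None}.
    Every fragment is checked before a single byte is copied, which is the fix the
    vulnerable stacks of the 1990s lacked.
    """
    ordered = sorted(fragments, key=lambda f: f["offset"])
    if not ordered:
        return {"accepted": False, "length": 0, "reason": "no fragments"}
    for frag in ordered:
        reason = check_fragment(frag)
        if reason is not None:
            return {"accepted": False, "length": 0, "reason": reason}
    last = ordered[-1]
    if last["mf"]:
        return {"accepted": False, "length": 0, "reason": "final fragment (MF=0) not yet received"}
    buf = bytearray(fragment_end(last))          # provably <= MAX_IPV4_PAYLOAD at this point
    for frag in ordered:
        start = frag["offset"] * FRAG_UNIT
        buf[start:start + len(frag["payload"])] = frag["payload"]
    return {"accepted": True, "length": len(buf), "reason": None}


# Constructed sample traffic, each list being the fragments of one datagram.
NORMAL_PING = [make_fragment(0, b"\x08\x00" + b"\x00" * 62, False)]   # 64-byte ICMP echo, unfragmented

# Largest legal echo: 65515 bytes of ICMP split into 1480-byte pieces; the last piece
# starts at offset unit 8140 (byte 65120) and ends exactly at byte 65515.
MAX_LEGAL_PING = [make_fragment(i * 185, b"A" * 1480, True) for i in range(44)] + \
                 [make_fragment(8140, b"A" * 395, False)]

# Same as above, but the last fragment carries one byte too many: must be dropped.
OVERSIZED_PING = MAX_LEGAL_PING[:-1] + [make_fragment(8140, b"A" * 396, False)]

# A single small fragment whose offset alone places it past the end of any legal datagram.
FAR_OFFSET = [make_fragment(8189, b"A" * 100, False)]


if __name__ == "__main__":
    for name, frags in [("normal", NORMAL_PING), ("max legal", MAX_LEGAL_PING),
                        ("oversized", OVERSIZED_PING), ("far offset", FAR_OFFSET)]:
        print(name, audit_fragments(frags))
```

The interesting case is the boundary: 65515 bytes of payload is accepted, 65516 is refused, and a tiny fragment with a large offset is refused before any buffer is allocated, because the check is on where the fragment would end rather than on how big it is.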

Computer Security Incidents

Phishing scams and e-mail spam are the two most common security incidents I have witnessed at work and at home.  E-mail spam is essentially unwanted e-mail advertising both legitimate and illegitimate products or services.  Spam can also include links to websites or files to be downloaded, exposing users to other threats.  In the US, legislation exists to limit e-mail spam, but it has been challenging to enforce.  E-mail spam was estimated to make up over 50% of all e-mail traffic in 2014 (Vahid & Lysecky, 2017).

Phishing attacks or scams were said to represent the biggest threat to cybersecurity (Mathews, 2017).  Phishing scams typically take the form of an e-mail that appears to come from a known organization and tricks users into sharing sensitive information.  This information, ranging from personal data and bank account details to user credentials, is then used to defraud the user.  I have received numerous phishing e-mails from individuals posing as the CEO of my company, asking that I immediately respond to the e-mail by clicking on a link provided in the body of the e-mail.  A former employer was recently a victim of a phishing attack, whereby a service provider's employee received a phishing e-mail and opened the attachment, which then requested the user's credentials.  The unsuspecting user entered the credentials, which were transmitted to the scammers.  The scammers used the user's credentials to access the user's e-mail account via webmail and to locate and contact customers with large accounts, requesting that payments for services be made to a new account.  In this case, my former employer's accounting department complied with the request, as it appeared legitimate and originated from the service provider's e-mail server.  In total, my former employer paid nearly US $1MM to the scammers, of which nearly US $400,000 was recovered from seized accounts after a year-long investigation involving the US Secret Service and the FBI.  At the time, we were confident this attack was launched from Europe or Russia, but it turned out to be a scamming ring located here in the United States.  The lesson here is that the weakest link in the cybersecurity system established by both my former employer and its service provider was the employee.  The nature of this type of threat is why employers have to invest in training all employees to recognize these threats and report them promptly.

Security Recommendations

Computers will always be subject to phishing and spam attacks given the nature of their delivery via e-mail, so education and training of people is the most effective way to combat this type of threat.  In addition to employee education, companies should use anti-spam and anti-phishing software available to minimize the number of attacks that make it to the user.
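The post describes two patterns: an executive's name on a message sent from an outside mailbox with a link to click, and a payment-redirection request sent from a genuinely compromised vendor account. The following is an added example, not code from the original post or from any product, showing the kind of rule-based indicator scoring anti-phishing filtering applies before a message reaches the user. The company domain (`example.com`), the executive name, and the three messages are constructed; `example.net` and `example.org` stand in for outside domains.

```python
# Added example (not from the original post): rule-based triage of the phishing
# indicators described above. Domains, names and messages are all constructed.
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"        # assumption: the organisation's own mail domain
EXECUTIVE_NAMES = {"jane doe"}        # assumption: names worth checking for impersonation

URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|asap|right away|within the hour)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new (?:bank )?account|updated (?:bank|payment) (?:details|information)"
    r"|wire (?:the )?(?:funds|payment))\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address):
    """Mail domain of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def body_text(msg):
    """Concatenate every text/* part so single-part and multipart mail are handled alike."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def link_mismatches(html):
    """Anchors whose visible URL names one host while the href points somewhere else."""
    found = []
    for href, text in ANCHOR.findall(html):
        shown = urlparse(text.strip()).hostname
        target = urlparse(href).hostname
        if shown and target and shown.lower() != target.lower():
            found.append((shown, target))
    return found


def analyze_message(raw):
    """Return {"indicators": [...], "score": n, "verdict": "deliver"|"flag"|"quarantine"}."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = body_text(msg)
    indicators = []

    if any(n in from_name.lower() for n in EXECUTIVE_NAMES) and from_dom != COMPANY_DOMAIN:
        indicators.append("executive display name but external sender domain %s" % from_dom)
    if reply_dom and reply_dom != from_dom:
        indicators.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    for shown, target in link_mismatches(body):
        indicators.append("link shows %s but points to %s" % (shown, target))
    if URGENCY.search(body):
        indicators.append("urgency language")
    if PAYMENT_CHANGE.search(body):
        indicators.append("request to change where payments go")

    score = len(indicators)
    verdict = "deliver" if score == 0 else ("flag" if score == 1 else "quarantine")
    return {"indicators": indicators, "score": score, "verdict": verdict}


# Constructed messages (not real mail). Headers, a blank line, then the body.
CEO_LURE = """From: Jane Doe <jane.doe@example.net>
To: staff@example.com
Reply-To: jane.doe.ceo@example.org
Subject: Action required
Content-Type: text/html

<p>I need you to respond immediately. Sign in here:
<a href="http://example.org/signin">https://portal.example.com/signin</a></p>
"""

VENDOR_BEC = """From: Accounts <billing@example.org>
To: accounting@example.com
Subject: Re: Invoice 4471
Content-Type: text/plain

Please note our new bank account for all future payments. Kindly wire the funds
for the open invoices within the hour so we can avoid late fees.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Quarterly results
Content-Type: text/html

<p>Slides for the all-hands are on the intranet:
<a href="https://portal.example.com/q2">https://portal.example.com/q2</a></p>
"""

if __name__ == "__main__":
    for name, raw in [("ceo lure", CEO_LURE), ("vendor", VENDOR_BEC), ("legit", LEGIT)]:
        print(name, analyze_message(raw))
```

The vendor message is the instructive one: because it really does come from the provider's mailbox, none of the header checks fire, and only the content rules (payment redirection plus urgency) catch it. That is why software can only reduce the volume, and why a request to change payment details should be verified with the vendor over a known phone number rather than by replying to the e-mail.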

References

Mathews, L. (2017, February 6). IRS issues warning as W-2 email scams ramp up. Forbes. https://www.forbes.com/sites/leemathews/2017/02/06/irs-issues-warning-as-w-2-email-scams-ramp-up/?sh=45c2f18591fe

O'Leary, D. E. (2019). What phishing e-mails reveal: An exploratory analysis of phishing attempts using text analysis. Journal of Information Systems, 33(3), 285–307. https://doi-org.proxy-library.ashford.edu/10.2308/isys-52481

Vahid, F., & Lysecky, S. (2017). Computing technology for all. Retrieved from zybooks.zyante.com/

Yihunie, F., Abdelfattah, E., & Odeh, A. (2018). Analysis of ping of death DoS and DDoS attacks. 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT), 1–4. https://doi-org.proxy-library.ashford.edu/10.1109/LISAT.2018.8378010
