Sunday, January 26, 2020

Most Important Cybersecurity Vulnerability Facing It Managers Computer Science Essay

Vulnerabilities to exploitation in modern computers are varied. They range from web server vulnerabilities that allow attackers to take over the web server to very sophisticated side channel exploits that use things like packet timing or instantaneous power consumption to glean confidential information from computers. Vulnerabilities appear in the client software that members of an organization use to get their jobs done. The conclusion of this paper is that unpatched client side software is the most important cybersecurity vulnerability facing the IT community today. Since all modern organizations (companies, non-profits or government entities) use computers and networks as part of everyday operations, this vulnerability is applicable to all of them. For this reason, this paper does not focus on a particular organization or industry.

Vulnerability vs. Threat

A cybersecurity vulnerability is defined as a weakness in a computer hardware or software system that can be exploited. This is different from a threat. A threat is the way in which a vulnerability is exploited. An example of a cybersecurity threat is spyware or malware being introduced into a computer. The vulnerability is the weakness in the computer's systems that allowed the threat to succeed. This paper focuses on the vulnerabilities, not the threats.

Vulnerabilities can be very expensive. The 2009 Computer Security Institute / Federal Bureau of Investigation Computer Crime and Security Survey reports that average losses per respondent were $234,244, although that number was down from the previous year (Peters, 2009).

Cybersecurity vulnerabilities can be present in any part of a computer system's software or hardware. According to the SANS Institute, the number of vulnerabilities discovered in software applications far outnumbers those found in operating systems (Top security risks-vulnerability exploitation trends).
This is because operating systems tend to be more long lived and therefore more tested than applications.

Vulnerabilities can also be more sophisticated than the ordinary vulnerabilities we often read about. For example, one can determine what operands are being processed by a computer by monitoring its instantaneous power consumption. This, along with knowledge of what algorithms are being processed, can lead to the guessing of an encryption key (Brooks, 2010). Once the encryption key is guessed, files and communications involving that host could be decrypted. Another unusual vulnerability is the fact that keystrokes are sent across communications networks one at a time, so that if one captures the communications of an ssh session, the keystrokes can be guessed based on the time between them and the layout of a QWERTY keyboard (Brooks, 2010).

The Origin of Vulnerabilities

Most vulnerabilities occur because of programmer error. One of the most common errors that cause cybersecurity vulnerabilities is called buffer overflow. In a buffer overflow, more data is provided as input than the program is expecting. This causes a corrupted stack and can allow an attacker to inject rogue code. The use of modern programming languages and proper coding techniques can eliminate the possibility of buffer overflow, but there is a vast amount of software out there that has this vulnerability. Much work has gone into mitigating this type of vulnerability and preventing it from existing in software or, if it exists, from being exploited.

Vulnerabilities that appear in software may not be the result of programmer error. They may be inserted into software applications intentionally by dishonest employees of software vendors. The fact that there is not much reporting of the discovery of such vulnerabilities does not mean they don't exist. Consider the factors that might prevent a software vendor from publicizing the discovery of deliberate malicious code in one of their products.
There are liability issues, and the company's reputation would suffer if such a thing became known (Franz, 2008).

Human Vulnerabilities

Vulnerabilities that allow malicious actions to take place on an organization's computer systems sometimes have nothing to do with hardware or software. An organization's personnel can be a large cybersecurity vulnerability as well. Since it is the organization's personnel who implement any cybersecurity measures that are dictated by the CIO staff, they are the key to the cybersecurity plan's effectiveness. If people are practicing dangerous activities on the organization's computers, then all the planning in the world won't prevent bad things from happening.

Several factors contribute to the cybersecurity vulnerabilities that personnel introduce. One study divided these factors into nine areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training (Kreamer, Carayon, Clem, 2009). The authors make the point that not all vulnerabilities are caused by bad programming. Personnel issues are a big factor, also. Take, for example, the Stuxnet worm that infected the Iranian nuclear facilities and has reportedly caused a lot of damage and delayed Iranian nuclear development. The cyberdefenses that the Iranian IT security staff put in place were circumvented by the actions of at least one employee. The worm was introduced via an infected flash drive (Paulson, 2010). All the perimeter defense in the world won't work if an insider does something wrong, either intentionally or unintentionally.

Impacts of Vulnerabilities on Organizations

Some of the cybersecurity vulnerabilities faced by an organization largely depend on what type of business that organization is engaged in.
For example, if an organization has a large presence in online commerce (Amazon, New Egg), it has more vulnerability to web based attacks than an organization that doesn't use the internet for commerce. An organization that possesses unique hardware, for instance an electric utility or a hospital, has vulnerabilities that most organizations don't face.

Regardless of the type of business an organization engages in and the associated vulnerabilities that are unique to that type of business, a modern organization's day-to-day operations are performed on computers. Computers and networks are at the core of every process that a company uses to do business. Most managerial and technical employees of any organization have access to and use a computer for performing their work. There are internal web sites and email systems that allow communications between employees. Employees use these computers to do research and purchase products from web sites. This requires that these computers be connected to the internet.

The Most Important Cybersecurity Vulnerability: Unpatched Client Software

Because internet connected computers are ubiquitous in an organizational setting, these computers must be kept up to date with relevant security patches to prevent attacks against known vulnerabilities. For a large organization, this can be a daunting task. The fact that a patch exists for a vulnerability means that the vulnerability has been found and probably publicized. This means that the entire hacker community has access to the exploit and there is a good chance more attacks exploiting this vulnerability will be launched. This makes it imperative that the patch be put in place quickly. Failure to do this leaves an organization open to This is why the SANS Institute ranked unpatched client side software as the number one vulnerability facing organizations today (as of 2009) (Top security risks executive summary, 2009). The number two ranked vulnerability was internet facing web sites.
SANS also stated that, on average, major organizations are taking at least twice as long to patch client side vulnerabilities as they are to patch operating systems (Top security risks executive summary, 2009).

Because the unpatched client software vulnerability is not industry or business class dependent, it is applicable to any company, non-profit organization or government entity. For this reason, the discussion of unpatched client side software does not focus on a particular class of organizations.

Unpatched client side software can be exploited in many different ways. One of the more popular methods is the use of directed email attacks called spear phishing. In a spear phishing attack, a computer user is sent an email intended to entice the user into opening an attachment or clicking on a link that results in malware being installed on the user's computer. When the user opens the attachment or clicks on the link, vulnerabilities in the client software on his or her computer are exploited to gain access to the user's machine or the entire corporate network. The exploited vulnerabilities may be in any client software such as browsers, document readers, or image viewers. These types of attacks are a common method of gaining footholds in corporate networks (ICS-CERT, 2011) and were the method used to launch some well publicized attacks, like the Aurora attack against Google, Adobe and other tech companies (Zetter 2010). While the Aurora attack was not enabled by unpatched client software (it used previously unknown, or zero day, vulnerabilities in Microsoft Internet Explorer to enable the exploit), it is relevant to this discussion because the methods used in this attack have been published, making it easy for other attackers to replicate it. This makes it imperative that patches are applied in a timely manner to prevent it.

There are two main problem areas that contribute to the large amount of unpatched client software that remains in use in an organization.
The first is that software vendors sometimes do not publish patches in a timely manner. The second is that once a patch is issued by a software vendor, the patch does not get deployed to the organization's computers for various reasons.

As an example of software vendors not fixing vulnerabilities quickly enough, a company called TippingPoint (now a part of Hewlett Packard) recently released the details of 22 unpatched security vulnerabilities. Some of these vulnerabilities had been reported to their developers over two and a half years ago (Keizer, 2011). TippingPoint's Zero Day Initiative buys exploits from independent researchers. They also sponsor contests that reward the best exploits. They then provide their customers protection from these exploits and notify the developer of the targeted software of the existence of the vulnerability that allowed the exploit to work.

When a patch is issued by a software vendor, it then has to be applied to an organization's infrastructure in order to be effective. The application of patches does not always happen quickly, for several reasons. One reason is that the application of patches is disruptive to the organization's operation. The patches must be vetted by the security personnel and tested by the IT department. Testing patches prior to deployment is critical in avoiding incompatibility problems which would disrupt the organization even more. Another reason that patches don't get applied quickly is that they may not be compatible with in-house operating software. For instance, if Microsoft announces an upgraded browser that fixes many security holes, an organization may not be able to use it because internal software such as an accounting or HR system that they use is not compatible with it.
How to Prevent Unpatched Client Software Vulnerabilities

Organizations can deal with the problem of unpatched client software by being proactive in subscribing to a service that informs them of the existence of new vulnerabilities and in creating and implementing a patch management process. A patch management process is a multifaceted one. The following elements must be included in the patch management process (Gerace and Cavusoglu):

Senior Executive Support. Without this, no process can succeed.
Dedicated Resources and Clearly Defined Responsibilities. If there is no staff assigned to the patch management process, it won't get done.
Creating and Maintaining a Current Technology Inventory. This helps the patch management team determine which and how many systems need to be patched.
Identification of Vulnerabilities and Patches. This allows the team to be aware of what patches are applicable to the organization's machines.
Pre-deployment testing of patches. This should be done in a controlled environment to prevent adverse side effects.
Post-deployment scanning and monitoring. This gives an indication of the effectiveness of the patch.

As with any other business process, the patch management process must be audited by the use of measurements and metrics. Key metrics include severity/priority incidents associated with mission-critical application outages for inaccurate patching (Colville, 2010). Measuring the effectiveness of the patch management process then leads to modifications to it that improve the effectiveness.

Conclusion

Of the many different cybersecurity vulnerabilities that face organizations in today's world, unpatched client side software is the most dangerous. This is because this type of vulnerability threatens all organizations, regardless of the type of activities they are engaged in. If they utilize computers, then this vulnerability must be addressed to prevent cybersecurity exploitation.
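
The inventory, identification and measurement elements of the patch management process described above, as an added example that is not part of the original essay or its sources: it joins a software inventory against vendor patch advisories to list hosts still running unpatched client software, and compares mean days-to-patch for client side software against operating systems. All host names, product names, versions and dates are constructed for illustration, and the one-advisory-per-product model is a simplifying assumption.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


def parse_version(text: str) -> tuple:
    """'9.10.0' -> (9, 10, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    category: str   # "client" or "os"
    fixed_in: str   # first version that contains the fix
    released: date  # day the vendor published the patch


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str
    patched_on: Optional[date] = None  # day the fix was deployed, if ever


# Constructed sample data: hypothetical products, hosts and dates.
ADVISORIES = [
    Advisory("pdf-reader", "client", "9.3.1", date(2020, 1, 2)),
    Advisory("browser", "client", "72.0.2", date(2020, 1, 6)),
    Advisory("desktop-os", "os", "10.0.5", date(2020, 1, 3)),
]
INVENTORY = [
    Install("ws-01", "pdf-reader", "9.3.1", date(2020, 1, 22)),
    Install("ws-02", "pdf-reader", "9.2.0"),
    Install("ws-01", "browser", "72.0.2", date(2020, 1, 18)),
    Install("ws-03", "browser", "71.0.0"),
    Install("ws-01", "desktop-os", "10.0.5", date(2020, 1, 10)),
    Install("ws-02", "desktop-os", "10.0.5", date(2020, 1, 12)),
    Install("ws-03", "desktop-os", "10.0.5", date(2020, 1, 11)),
    Install("ws-03", "in-house-hr", "1.4.0"),  # no advisory: ignored below
]


def unpatched(inventory, advisories, today):
    """Installs still below the fixed version, longest exposure first.

    Exposure is counted from the day the patch was published, because that
    is when the underlying vulnerability becomes widely known.
    """
    by_product = {a.product: a for a in advisories}
    findings = []
    for inst in inventory:
        adv = by_product.get(inst.product)
        if adv is None:
            continue  # nothing known against this product
        if parse_version(inst.version) < parse_version(adv.fixed_in):
            exposed = (today - adv.released).days
            findings.append((inst.host, inst.product, inst.version, exposed))
    return sorted(findings, key=lambda f: f[3], reverse=True)


def mean_days_to_patch(inventory, advisories):
    """Average delay from vendor release to deployment, per category."""
    by_product = {a.product: a for a in advisories}
    delays = {}
    for inst in inventory:
        adv = by_product.get(inst.product)
        if adv is None or inst.patched_on is None:
            continue  # only completed deployments count toward the metric
        days = (inst.patched_on - adv.released).days
        delays.setdefault(adv.category, []).append(days)
    return {category: mean(days) for category, days in delays.items()}


if __name__ == "__main__":
    today = date(2020, 1, 26)
    for host, product, version, days in unpatched(INVENTORY, ADVISORIES, today):
        print(f"{host}: {product} {version} unpatched, fix out for {days} days")
    print(mean_days_to_patch(INVENTORY, ADVISORIES))
```

Tracking the per-category mean over time is one way to see whether client side patching lags operating system patching in a given environment.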

Saturday, January 18, 2020

Week Memo

Memo to Client

In this memo one will include a summary of the facts, including the names, ages, educational background, and income status for Mr. and Mrs. Close and their two dependents. Loose CPA will also discuss two of the Closes' goals and concerns. This memo will also summarize the findings and key elements of the personal budget, balance sheet, and the statement of cash flow. Loose CPA will also make recommendations and support for improving the financial situation for the Closes.

Summary of Facts

Clients: Ken and Tina Close are married with two children, Tyler (16) and Nikkei (14). Ken is a 42-year-old disabled ex-factory worker with a high school education. Tina is a 37-year-old Event Planner with an Associates Degree in customer service. Although Ken is disabled, he does receive disability benefits of $14,500 annually, and Tina's annual income is $32,500. Tyler is a junior at BBS and works part-time at Culler's with an annual income of $3,100. Nikkei is a freshman at BBS and is not employed. The family's goals are to reduce credit card debt and to save for a vacation. The family's biggest concerns are that their credit will suffer if they do not pay off the debt and that Tyler and Nikkei will both need vehicles soon.

Key Items and Findings

The balance sheet compiled for the Closes shows total assets to be worth $188,250 and total liabilities at $115,320.24. Ken and Tina's net worth is $72,929.76. The statement of cash flow compiled includes monthly income from Ken's Social Security Disability and Tina's net income from event planning, for a total monthly income of $3,294.16. The total cash outflows of $2629.69 can be divided into fixed expenses of $1475.49 and variable expenses of $1154.20 for the month of February. The monthly inflows minus monthly outflows gives the Closes a cash surplus of $664.47 each month to divide up for emergencies, savings, and a family vacation. The monthly budget shows no variance for inflows but does show a small variance for outflows. The savings variance was ($4.53), the fixed expense variance was zero, and the variable expense variance was $6.23, thus giving a total outflow variance of $1.70.

Loose CPA recommends that Mr. and Mrs. Close try to limit the amount spent on credit cards in the future and that the balance due on the current credit cards be paid in an amount higher than the monthly minimum due, in order to pay the cards off faster and reduce interest charges.

Friday, January 10, 2020

A Class Divided Personnel and Industrial Psychology

In the classic film, "A Class Divided", schoolteacher Mrs. Jane Elliott devised and conducted a lesson plan to show her students exactly how discrimination comes about. Outraged by what she saw occurring in the nation, Mrs. Elliott conducted this lesson with a class of third graders the day following the assassination of Martin Luther King.

Mrs. Elliott set the stage for differentiating between blue-eyed and brown-eyed children. Her goal was to have her students experience what it felt like to be discriminated against. She had previously discussed the issue of discrimination with her students, and though they seemed to understand and were in fact upset by Dr. King's death, they did not recognize the discrimination in her class exercise until it was over and pointed out to them.

Mrs. Elliott's lesson divided her class by eye color. She had two groups, the brown-eyed students and the blue-eyed students. She told the students at the start of the day that the blue-eyed group was comprised of the smarter and nicer students. She gave them special privileges as a result of their favored designation.

The students in the brown-eyed group were treated poorly, with negative comments and unfair rules. She was surprised to see how the children accommodated these roles. The brown-eyed students suddenly did poorer on tests and acted differently. The blue-eyed group took on a posture of superiority and was mean to the brown-eyed students.

In class she purposely commented on the superiority of blue-eyed children in order to set them against the brown-eyed students. She then reversed her statement the following day. When she reversed her treatment of the students, the students' behavior reversed. The brown-eyed students became superior and the blue-eyed students began doing poorly. It became clear that, as an authority figure, what she said was believed.
Even parents did not question her statement.

The thesis of this experiment was that people accept and act upon what people of authority or social stature say. The film depicting her classroom experiment was made in 1985 for the PBS show FRONTLINE. The film was entitled A Class Divided. The film included a follow-up on Mrs. Elliott's students, who were young adults at the time the film was made. The film was followed by similar stories of experiments in other settings.

The implications of this film on psychology are broad based. It demonstrates the impact of authority and social stature. The lessons learned as a result of this film help us to understand how the influence of authority and social stature can be used in both positive and negative ways. It helps us to understand why and under what conditions people will blindly follow others.

2. Malcolm Gladwell, New York archives: Personality plus

Overview of the article

This article, written by Malcolm Gladwell and printed in the September 2004 edition of the New Yorker, critiques the use of personality tests. The tests discussed are those largely used in the employment arena. Gladwell gives the history of the development of various tests and then their common uses, his personal experience and his assessment of the test as an employment tool.

The article is extremely easy to read and interesting. Gladwell provides background on some of these commonly used tests, which would come as a surprise to employers using them. The backdrop for the testing assessment is the story of a lieutenant in the US Army, Sandy Nininger.

He explains that Nininger was an unlikely soldier given his calm, thoughtful demeanor. Nininger, however, developed into a fierce soldier and was awarded the Medal of Honor posthumously for his WWII service.
Gladwell goes through the various personality tests and wonders how any of these tests might have noticed the trait in Nininger that made him such a warrior, when he was better known for drinking tea and listening to classical music.

The history of the Myers Briggs is somewhat comical as Gladwell writes. He explains that the test was the brainchild of mother-daughter socialites seeking to better understand the men in their lives and the relationship between men and women. The Myers Briggs was developed based on Jung, but according to Gladwell, these women knew or understood very little about Jung's theories. In fact, he makes it clear that Jung would never have agreed with the basic tenet of the Myers Briggs.

Gladwell met with a psychologist and underwent the Thematic Apperception Test, which required him to compose stories for pictures. The psychologist then looked at themes in Gladwell's stories and gave him a report. While Gladwell understood the assessment and found the psychologist to be quite perceptive, he expresses concern regarding the amount of subjectivity in this test assessment. A different psychologist could have come to an entirely different conclusion.

Finally, he discusses the services of a company called Developmental Dimensions International (DDI). This company assesses prospective employees' strengths and weaknesses by spending a day with the person in a simulated workday. The person is given a job for the day and then assessed on a variety of levels. Gladwell spent a day with the company and received an assessment that, again, he could understand, but he questioned the subjective nature of the assessment.

Gladwell, in summary, reminds us that while personality tests are frequently used by employers, there is much subjectivity and room for interpretation. While he acknowledges that these tests are fun and the results are interesting, he cautions against the use of them as meaningful assessments.
He concludes by asking if any of the tests he reviewed would have been able to predict Sandy Nininger's personality traits.

Thursday, January 2, 2020

Banning Cosmetic Animal Testing Should Not Be Banned

Banning Cosmetic Animal Testing

"If you want to test cosmetics, why do it on some poor animal who hasn't done anything? They should use prisoners who have been convicted of murder or rape instead. So, rather than seeing if perfume irritates a bunny rabbit's eye, they should throw it in Charles Manson's eyes and ask him if it hurts" (Ellen DeGeneres).

Animal testing has been dated back to the Greeks in the 2nd and 4th centuries BCE, but cosmetic animal testing did not begin until the twentieth century. Animal testing in the United States was established in 1938 when Congress passed the Food, Drug, and Cosmetic Act. This act was issued in response to several tragic incidents involving untested products in the 1930s. Several countries, including the European Union, Norway, Israel, and India, have already banned animal testing for cosmetics and the sale of the beauty products. Other countries, including the United States, are considering banning cosmetic animal testing, but countries like China and Brazil still require some cosmetic products to be tested on animals.

Cosmetic animal testing is usually performed on mice, guinea pigs, rats, and rabbits. Animal testing is the use of non-human animals in research and experiments to determine the safety of a substance. Cosmetics are products and substances used to improve and beautify your physical appearance. Animal testing for cosmetic products and substances should be banned completely because of