Posted: February 1st, 2023

Analysis of Human Factors in Cyber Security: A Case Study of Anonymous Attack on Hbgary Benjamin Aruwa Gyunka Directorate of Information and…

Analysis of Human Factors in Cyber Security: A Case Study of Anonymous Attack on Hbgary Benjamin Aruwa Gyunka Directorate of Information and…

Hello, I need help with my writing class specifically on Research Findings Summary. Please see attached articles I’m working on.

Attachment 1

Attachment 2

Attachment 3

Attachment 4

Attachment 5

ATTACHMENT PREVIEW

Download attachment

Analysis of Human Factors in Cyber Security: A Case
Study of Anonymous Attack on Hbgary
Benjamin Aruwa Gyunka
Directorate of Information and Communication Technology
National Open University of Nigeria (NOUN)
Abuja, Nigeria
[email protected]
Abikoye Oluwakemi Christiana
Department of Computer Science
University of Ilorin
Ilorin, Nigeria
[email protected]
ABSTRACT
Purpose:
This
paper
critically
analyses
the
human factors or behaviours as major threats to
cyber security. Focus is placed on the usual roles
played by both the attackers and defenders (the
targets
of
the
attacker)
in
cyber
threats’
pervasiveness and the potential impacts of such
actions on critical security infrastructures.
Design/Methodology/Approach:
To enable an
effective and practical analysis, the Anonymous
attack against HBGary Federal (A security firm
in the United State of America) was taken as a
case study to reveal the huge damaging impacts
of human errors and attitudes against the security
of organizations and individuals.
Findings:
The
findings
revealed
that
the
powerful security firm was compromised and
overtaken
through
simple
SQL
injection
techniques and a very crafty social engineering
attack
which
succeeded
because
of
sheer
personnel negligence and unwitting utterances.
The damage caused by the attack was enormous
and it includes the exposure of very sensitive
and personal data, complete shutdown of the
website, loss of backup data and personnel
character deformations. The research also found
that
damaging
human
factors
results
from
ignorance or illiteracy to basic security practices,
carelessness
and
sometimes
sabotage
by
disgruntled employees from within and these
vulnerabilities have become prime target for
exploitation
by
attackers
through
social
engineering attacks. Social engineering was also
discovered to be the leading attack technique
adopted by attackers within the cyber space in
recent years.
Practical Implications:
The paper concludes by
advocating assiduous training and cyber security
awareness programmes for workforces and the
implementations
and
maintenance
of
basic
security culture and policies as a panacea for
social
engineering
cyber
attacks
against
individuals and organizations.
Originality:
Lots of work has been done and
many
still
on-going
in
the
field
of
social
engineering attacks and human factors, but this
study is the first to adopt an approach of a
practical case study to critically analyze the
effects of human factors on cyber security.
Keywords:
The Anonymous; HBGary Federal;
Uniform
Resource
Location
(URL);
Content
Management
System
(CMS);
SQL
Injection;
Cross-site Scripting (XXS); Social Engineering;
Cyber Security; Information Security
Paper Type:
Research Paper
1
Introduction
Humans have been found to be truly the weakest
link of security (Mitnick, Simon, & L., 2011) and
(GBC-DELL Survey, 2015). The psychology of
human workforce is being viewed as a critical
factor that poses serious cyber-attacks risks to all
users (Ranjeev & Lawless, 2015). Human cyber
security
behaviours
has
created
serious
vulnerabilities which attackers exploits using
social engineering attack techniques and findings
revealed that human factors are responsible for
95% of all security incidences (IBM, 2015).
Human threats to critical infrastructures and
services
come
mostly
from
careless
work
behaviours and ignorance of basic cyber security
practices
which
include
irregular
software
patching to get rid of bugs, installations of
malicious software, careless communication of
10

View the Answer

sensitive information and connection to insecure
internet networks or Wi-Fi (Aziz, 2013) and
(James, 2015). They also include poor attitudes to
web
applications
usage
and
database
management which opens door to cross-site
scripting
(XXS)
and
SQL
Injection
vulnerabilities
(Stuttard
&
Marcus,
2011).
Attackers these days find it interestingly easier
to begin their attacks by the exploitation of
human ignorance, weakness and selfish interests
to gain an open entrance for a mega attack.
People are now inadvertently deceived to either
initiate
or
even
carry
out
the
attacks
by
themselves
without
the
attacker
necessarily
introducing an external event or involving very
expensive technical exploit kits. Human factor is
an insider threat against security either through
disgruntled employees seeking to cause pains or
through social engineering which appeals to
personnel’s instincts and attackers would rather
take advantage of these vulnerabilities, where
available, than engaging other exploits against
technical
security
devices
(James,
2015),
(Warwick, 2016) and (CeBIT Australia, 2017).
Research has shown that it is not good
enough to have all the state-of-the-art security
software and hardware properly installed and
running in an organization if the human factor to
cyber security is neglected (Nate L. , 2016), and
(James,
2015).
Firewalls,
Intrusion
Detection
Systems, Antimalware and many authentication
mechanisms
such
as
time-based
tokens
or
biometric smart devices, are usually installed to
protect
against
external
threats
but
cannot
protect against threats from within, caused by
ignorant and careless personnel (Mitnick, Simon,
& L., 2011) or by disgruntled employees aiding
external attacker (Blythe, 2013). Cyber attackers
would rather now want to exploit the vulnerable
human factors through simple tricks than to
spend much time and resources trying to gain
access by breaking through the different strong
technical security systems. This paper seeks to
practically analyze the impacts of human factors
to critical security infrastructures. The attack of
the
Anonymous
Hacktivist
group
against
HBGary Federal, a US based security firm, was
taken as a case study to analyze the different
phases of cyber attacks against human cyber
security behaviours. The different phases include
the analysis of defender(s) vulnerabilities (target
of attack – the human factors), the analysis of
the attackers’ tricks and techniques, and finally,
the analysis of the resulting damages. The paper
concludes
with
suggestive
techniques
for
preventing against such exploitations.
2
Social Engineering
Social engineering is a non-technical method of
cyber-attacks
which
absolutely
depends
on
human
psychology
and
mostly
involves
deceiving
people
into
breaching
standard
security practices (Nate, 2016). Researches have
shown that social engineering attacks are the top
most
threats
against
information
security
(Warwick, 2016) and (Nate, 2016). The whole
technique
of
social
engineering
attacks
is
completely anchored on the principle and art of
deception, making people do things that they
would ordinarily not want to do for a complete
stranger (Mitnick et al, 2011). Thus, victims of
this attack techniques are usually persuaded to
willingly open wide their security door ways to
unknown persons (Ranjeev & Lawless, 2015) or
are tricked to do things like giving out sensitive
information
or
documents,
disabling
critical
security
systems,
transferring
money
to
unknown persons’ accounts and many other
devastating things (Warwick, 2016). Sometimes
they are tricked to believe that the order they are
obeying is coming from a superior, colleague, or
partner sitting somewhere (Mitnick, Simon, & L.,
2011). Often times, what they are persuaded to
do are highly regrettable, causing irreversible
damages.
Common
approaches
or
attack
vectors
adopted in social engineering attacks include
engaging people through fake emails, social
media, voice calls, mobile apps, or through
direct physical contact with the defendant (target
of the attacker). Social engineering attacks, or
attacks against human psychology and instincts,
may come in the forms of phishing, malware
attacks, pretexting, baiting, quid pro quo and
tailgating (David, 2015). Phishing scams and
malware infections have be found to be the most
adopted
forms of
social
engineering
attacks
(GBC-DELL Survey, 2015) as indicated in Figure
1.
Anyone that falls victim of social engineering
attack would normally become the enabler of the
bigger attack or might even unknowingly be
used to directly complete the full-scale attack.
11

Show entire document

ATTACHMENT PREVIEW

Download attachment

75

View the Answer

76

Show entire document

ATTACHMENT PREVIEW

Download attachment

Journal of Business Continuity & Emergency Planning Volume 7 Number 2
Cyber security:
A
critical examination
of
information sharing versus data sensitivity
issues
for
organisations
at
risk
of
cyber attack
Jason Mallinder and Peter Drabwell
Received (in revised form): 15th July 2013
Credit Suisse, Zürich, Switzerland
E-mail: [email protected]
Jason Mallinder
joined Credit Suisse in 1998,
initially managing the Access Control team in
London. During his time at the bank, he has
managed a number of teams and programmes in
the identity management and IT risk manage-
ment areas. In July 2011, Jason moved to focus
on operational risk management within the
investment bank for a year, before returning to
technology risk management as the EMEA
regional head. Prior to joining Credit Suisse,
Jason worked at Aon Risk Services for seven
years and he has supported his career by
achieving qualifications in both risk management
and project management
Peter Drabwell
is a senior technology risk ana-
lyst at Credit Suisse within the Risk Management
division, responsible for private banking, wealth
management and shared services IT clients
across EMEA. Prior to joining Credit Suisse,
Peter was responsible for the risk assessment of
ABN AMRC/RBS IT integration, and the devel-
opment of risk management strategy for
mergers, acquisition and divestitures. Peter is an
active member of the ISC(2) European Advisory
Board and is currently President of the ISACA
London Chapter.
ABSTRACT
Cyber threats are growing and evolving at an
unprecedented rate. Consequently, it is becoming
vitally important that organisations share infor-
mation internally and externally before, during
and after incidents they encounter so that les-
sons can be learned, good practice identified and
new cyber resilience capabilities developed.
Many organisations are reluctant to share such
information for fear of divulging sensitive infor-
mation or because it may be vague or incom-
plete. This provides organisations with a
complex dilemma: how to share information as
openly as possibly about cyber incidents, while
protecting their confidentiality and focusing on
service recovery from such incidents. This paper
explores the dilemma of information sharing
versus sensitivity and provides a practical
overview of considerations every business conti-
nuity plan should address to plan effectively for
information sharing in the event of a cyber
incident.
Keywords: cyber, threat, incident, infor-
mation security, business continuity
planning,
intelligence,
prevention,
detection, response
INTRODUCTION
Cyber threats are growing and evolving at
an unprecedented rate.^ Rapidly evolving
cyber criminal networks have already
recognised the value of intelligence shar-
ing and collaboration as evidenced by the
growing number and sophistication of
Journal of Business Continuity
& Emergency Planning
Vol.7 No. 2, pp. 103-111
© Henry Stewart Publications,
1749-9216

View the Answer

Underground forums and information
exchanges.” Government and industry
information sharing is far less advanced.
While organisations are beginning to
recognise the imperative for cyber infor-
mation sharing, they still face the chal-
lenge of balancing transparency and
confidentiality.
This challenge is significantly increased
given the growing
interconnectivity
between organisations and their partners;
by way of example, it is increasingly
common for attackers seeking sensitive
information to target an organisation’s
supply chain (the attack vector being
focused on a third-party vendor in order
to reach the principal target). An example
of such a data breach recently occurred at
Bank of America, whereby attackers man-
aged to successfully access employee and
executive data stored through a third-party
subcontractor. What is particularly inter-
esting about this attack is that it was
allegedly motivated by a project initiated
by Bank of America to monitor publicly
available information in an effort to iden-
tify security threats.
The increasing complexity of supply
chains coupled w^ith the adoption of
cloud-based services places greater onus on
organisations to understand where their
data are and to ensure that they are man-
aged appropriately, in order to prevent sup-
pliers’ vulnerabilities from becoming their
ow^n. This further emphasises the impor-
tance of information exchange regarding
cyber incidents within a supply chain.’*
Commonality between cyber land-
scapes within organisations increases the
appeal of exploiting shared weaknesses as
malicious parties find cyber attacks that
can be reused against multiple targets to be
more attractive. Organisations and indus-
tries with mechanisms to disseminate
information about cyber-attacks rapidly
not only help others to minimise the
impact from such incidents but also
decrease the long-term attractiveness of
themselves and their industry as targets.
Despite the challenges, organisations
can take steps to enable their ability to
share information before during and after
cyber incidents, helping organisations and
industries to buud more resilient operating
frameworks, while presenting themselves
as less attractive targets.
PRE-INCIDENT DATA MANAGEMENT
Cyber incidents are increasingly expensive
and prevention is better than cure.
Accordingly to a recent survey by the
UK Department for Business, Innovation
and Skills, the average cost of the worst
security breach of the year is presently in
the region of/;450,000 to X;850,000 and
^35,000 to ;£65,000 for large organisa-
tions (>250 staff) and small business (<50 staff), respectively.^ The report adds: 'in total, the cost to UK pic of security breaches is of the order of billions of pounds per annum — it's roughly tripled over the last year'. Information can be used to enhance the organisation's ability to manage its data and its defences efficiently and effectively. Sources of information that an organisa- tion can use as part of its incident manage- ment strategy can be varied, from independent sources of threat analysis (eg information related to tools, techniques and resources being used by attackers to breach cyber defences) and published industry-specific trends to third-party sup- plier/vendor reports of anomalies worthy of further review.^ Given the increasing dependence on third parties and growing inter-connectiv- ity, organisations should consider adopting a more collaborative, 'partner' approach to incident management data exchange and analysis. The business operating landscape is becoming more complex to manage Show entire document ATTACHMENT PREVIEW Download attachment 22 Intellectual Property & Technology Law Journal Volume 25 • Number 12 • December 2013 T oday, you would be hard pressed to find an organization that does not use IT systems and the Internet to conduct its business. While technology offers great benefits, it also brings risk. As technology becomes ever more complex, the scope and scale of cyber risks are increasing at an unprecedented rate. Because responsibility to man- age cyber risks rests with each organization, it needs to be high on each board’s agenda. It is clear that this is no longer just an issue for the IT department. Governments around the world are trying to educate businesses about the risk of cyber crime, while at the same time equipping law enforcement authorities with the tools to prosecute offend- ers. The European Union in particular is seeking to take a lead in efforts to raise the bar in cyber crime prevention and enforcement, and the United Kingdom has identified cyber crime as a “Tier 1” threat to national security alongside terrorism. Although it will never be possible for cyber risks to be eradicated entirely, there are many steps that companies can take to address and mitigate cyber risks and to respond appropriately when an attack occurs. But evidence suggests that many companies are still not putting in place adequate measures to address cyber security. According to the UK govern- ment, 1 “about 80 percent of known attacks would be defeated by embedding basic information secu- rity practices for your people, processes and tech- nology.” Indeed, KPMG recently announced 2 that it had been able to collect employee user names, email addresses, and sensitive internal file location infor- mation about every UK FTSE 350 company using data publicly available on the Internet. This kind of data could be used to carry out fraud or obtain companies’ intellectual property. The research also indicated that more than half of the FTSE 350 companies demonstrated potential vulnerabilities to attack because they did not have up-to-date secu- rity patches and/or were using old server software. As the Director of GCHQ (the United Kingdom’s communications intelligence agency) said in guid- ance published last year, 3 “Value, Revenue and Credibility are at stake. Don’t let cyber security become the agenda—put it on the agenda.” Background Cyber attacks can be conducted using a variety of different methods and technologies, includ- ing botnets, denial of service attacks, spamming, pharming, spoofing, malware ( e.g. , viruses, worms, Trojan horses, etc.), phishing, and ID theft. Such attacks may be instigated by a wide variety of players for different reasons ( e.g., employees acci- dentally, through negligence or maliciously; com- petitors conducting industrial espionage, sabotage, or intellectual property theft; state sponsored actors such as foreign intelligence services, organized crime gangs, terrorists; cyber criminals intent on fraud; and hackers and hacktivists, etc.). Cyber incidents can be caused by a variety of factors including vulnerable IT systems and networks, insecure email, lost and stolen devices, social engineering, etc. The inside factor cannot be underestimated. According to Symantec’s recent annual Cost of a Data Breach Report, 4 employee actions and system errors were the cause of nearly two thirds of all data security breaches. Cyber incidents can result in damage to infra- structure, downtime and business interruption, loss of commercially sensitive data, theft of intel- lectual property, fraud, and liability to third parties. Accordingly, the potential harm that can be caused to businesses by cyber incidents is substantial and may include: • financial losses ( e.g. , loss of money, the cost of remediating and rectifying damage, impact on share value, loss of revenue, etc.); Susan McLean is an of counsel lawyer at Morrison and Foerster in London, England, and a member of the Technology Transactions group and the Global Sourcing group. She may be contacted at [email protected] . Beware the Botnets: Cyber Security Is a Board Level Issue By Susan McLean View the Answer Volume 25 • Number 12 • December 2013 Intellectual Property & Technology Law Journal 23 • reputational damage (damage to brand, loss of trust with customers, etc . ); • damage to business interests ( e.g., loss of business/ clients, impact on potential merger/corporate transaction, reduced competitive advantage, etc.); • legal and regulatory penalties ( e.g., fines, etc.); and • compensation to affected third parties. Latest Developments: United Kingdom Cyber security is high on the UK government’s agenda. A Cyber Security Strategy 5 was published in November 2011 and various initiatives have since been launched to deal with the issue. Latest developments include the following. • In September 2012, the UK government published cyber security guidance for UK businesses 6 explaining what cyber risks are and providing a 10-step plan for the management of cyber risks. However, according to a recent survey, 7 although almost all of the companies surveyed thought that their company’s specific exposure to cyber risk was increasing, almost 50 percent of company boards had not discussed this guidance and 28 percent of boards had not even seen it. • In March 2013, the government launched the Cyber Security Information Sharing Partnership (CSIP) 8 to help government and industry share information and intelligence on cyber security threats. The kind of information to be shared includes technical details of an attack, methods used in planning an attack, and how to mitigate and deal with an attack. The initiative initially will involve 160 private sector organizations. • In April 2013, the government published further guidance on cyber security specifically for small businesses. 9 • In April 2013, the government published its detailed 2013 Information Security Breaches Survey. 10 The survey identified that 93 percent of large organizations and 87 percent of small businesses had experienced at least one security breach in 2012. This was an increase of roughly 50 percent on 2011 figures. The average worst security breach cost large organizations between £450,000 and £850,000 and small businesses £35,000 to £65,000. Eighty-one percent of respondents briefed their board or senior man- agement on cyber risk, but the frequency of such briefings varied considerably. • In May 2013, the government published guid- ance 11 outlining the required criteria for a cyber security standard for companies. Businesses had until October 14, 2013 to submit views. • It has been reported 12 that the UK’s intelligence agencies MI5 and GCHQ have written to FTSE 350 companies urging them to carry out cyber security health checks. The companies have been asked to complete a questionnaire identi- fying how they protect intellectual property and customer data. The data will then be aggregated anonymously to enable companies to see how they rank compared with their peers. The com- panies will then be contacted to discuss where the company may be vulnerable under a second stage of the initiative. Other industry-specific initiatives have been launched. For example, in February 2013 it was reported in the UK parliament 13 that the Financial Services Authority (the UK’s financial regulator prior to its replacement by the FCA and PRA in April 2013) is reviewing the cyber practices of 30 major financial institutions. When the review is con- cluded, the regulator intends to publish an updated version of its Business Continuity Management Practice Guide and a discussion paper. Latest Developments: Europe Pursuant to the EU’s cyber security strategy, in June 2013 the EU’s cyber security agency, the European Network and Information Security Agency (ENISA) was formally granted a seven-year mandate with an expanded set of duties, and in July 2013, the Cybercrime Directive was adopted. In addition, the draft Network and Information Security Directive and the draft Data Protection Regulation continues to make progress through the legislative process. Show entire document ATTACHMENT PREVIEW Download attachment Running head: CYBER SECURRITY ISSUES Summary of Research Findings: Cyber Security Issues Ptemah Tabati University of Maryland University College 1 View the Answer CYBER SECURITY ISSUES Article #1 Author(s) Gyunka, Benjamin Aruwa & Christiana, Abikoye Oluwakemi Publication year 2017 Article title Analysis of Human Factors in Cyber Security: A Case Study of Anonymous Attack on HbGary Journal title Computing and Information Systems Five key terms Cyber Security, Information Security, Social Engineering, SQL injection, Anonymous Focus of study The study used Hbgary, a security firm, to illustrate the risks facing information systems. The study focuses on the detrimental role played by the attackers and most of the times intentionally or unintentionally by employees. The study expands on many cyber-attack techniques as well as the extent of their costly consequences. Information systems security is at the center of many vulnerabilities often aggravated by the human factor. While it has been always talked about on many occasions, the social engineering remains the main trick that never fails. Author conclusions The authors concluded that huge negligence is the main cause of most information systems security breaches. To circumvent most of those damages to information systems infrastructure, the authors recommend that some staff trainings on standard security principles and policies must be conducted on a regular basis. Personal reflections The article studying the case of HbGary makes a critical analysis of social engineering. HBGary Federal case showed the hypocrisy in place in today’s economy. While working hard to help many renowned companies with securing their network infrastructure, HBGary Federal failed to apply its own products to itself to begin with. As sad as it appeared, HBGary Federal failed on the most obvious of the social engineering techniques: phishing. The authors, selected an appealing case to study for obvious reasons, the company, HBGary, was well known for its portfolio and it didn’t survive the successful attack of Anonymous. While the extent of damage sustained by HBGary was devastating it exposed many dirty and secret operations the company was involved in. The article shows how easy it has become today to fail for social engineering techniques because reverence has strongly gained place within many companies’ chain of command. 2 Show entire document

Order | Check Discount

Tags: AI Plagiarism free essay writing tool, Australia dissertation writers, Australia essays, Australian best tutors, best essay writers pinterest