SNHU Improving Data Protection And Security Discussions

Respond to the following 3 posts:

1-Between January 2001 and January 2003, Daniel Baas hacked into Acxiom’s database and downloaded passwords and data files (eWeek,2003). Mr. Baas worked for the Market Intelligence Group, and they analyzed data for Acxiom (eWeek,2003). Through this connection he gained access to a password for one of Acxiom’s servers. Mr. Baas downloaded the passwords and data on the CDs and kept them at his house. He did not use the data or sell it. Acxiom only became aware of the theft when Hamilton Country Sheriff informed them (Holcombe, 2003). Mr. Baas stole over 300 passwords and data files then ended up costing Acxiom $5.8 million (eWeek, 2003). This is not the only time that Acxiom was victim to an external threat, a few months after this incident they became victim to an even larger data theft.

Because Acxiom has repeatedly been subject to data breaches it is apparent, they have some weaknesses that need to be addressed. More commonly fraud is committed by someone within the company, but with Acxiom the threat came from outside the company. The other troubling factor is that Acxiom was not aware of the data breach until they were informed by authorities. Acxiom needs to focus on making it more difficult to access their data, implement a system to detect data breaches, and reduce the amount of information that can be stolen if a data breach does occur.  Somehow Mr. Baas gained access to a password, controls need to be established to limit remote access. Individuals that have remote access should be properly trained in what is expected of them to keep the network secure. Because Acxiom was unaware of this data breach, they require a system in place that can detect these types of intrusions. Mr. Baas did have access to a password, but he was signing in from a different computer then normally utilized this password. A multi-step verification would have been helpful in this situation. And finally, if a breach does occur Acxiom should be encrypting the data so hackers cannot read the data even if they gain access to it.

2- In 1994, Vladimir Levin a Russian mathematician and hacker attempted to steal $10 million from Citibank.  Levin was able to gain customer identification codes and passwords to transfer money from cash management accounts to accounts in other banks controlled by Levin and his accomplices.  Levin was arrested in London, England where U.S. Federal Government requested extradition of Levin to the U.S.  During the extradition appeal hearing in 1997 House of Lords judgement records, an affidavit submitted by Citibank’s Byron Yancey the executive of Citi’s global cash management services wrote Levin was able to link to a “dumb computer terminal” through the telephone system, then to Citibank’s computer in Parsipanny, New Jersey. A request for transfer of funds is filtered to this terminal before going to Citibank’s computer, where the request must be authenticated by two employees of the customer, each using a separate identification and password (House of Lords Judgements – In re Levin, 1997).

If it were not for the customers early detection of funds going missing, the breach may not have been caught in time to notify the authorities and capture Levin.  The customers did have a procedure of a two person authorization process, but it was Cititbank’s lack of proper encryption of the customer data that led to the theft (Romney, Steinbart, Summers, & Wood, 2021, p. 238).

After the 1994 Citibank hack, the company put in new controls for customers that required the use of electronic devices that creates a new password for every transaction.  Currently new multifactor authentication has become the standard for most organizations can mitigate data breaches, but also best practice guidelines and user awareness can help prevent the risk of data breaches (Suleski, Ahmed, Yang, & Wang, 2023).

3- Rumors of a cyber attack during the Gulf War were confirmed in 1992. The attack was carried out by a group of Dutch teenagers who focused on collecting sensitive information “regarding military personnel, equipment, and other war operations via vulnerable network systems.” (Desert Snoopers, 1992) However, there is speculation that the group was searching for nuclear weapons data. The cyber attack(s) occurred between April 1990 and May 1991. The attack targeted 34 DoD (Army, Navy, and Air Force) sites attached to the internet. The group used well-known security weaknesses that previous hacker groups had used and that the DoD was aware of.

The hackers gained access to the DoD systems by weaving their way onto the internet via universities, government, and commercial systems. They used these sites as a way to access military sites. From there, the weaknesses came down to easily guessed passwords, known security holes in computer operating systems, and vendor-supplied accounts with easy-to-guess or no passwords. These accounts maintained privileged information about operations and maintenance. “In many of the intrusions, the hackers modified the system to obtain system administrator privileges and to create new privileged accounts.” (United States General Accounting Office, 1991) Prior to these attacks, many of the sites did not have written/set protocols on how to handle cyber attacks of this nature; however, as a result of the attack – protocols were established.

Before the cyber intrusion of the Dutch teens, the DoD knew the importance of internal controls and felt they had adamant procedures in place to prevent the level of intrusion they saw. However, it was made apparent that the established procedures were not being followed regularly. Recommendations for accounting information system (AIS) controls for the DoD (following the attack) would include:

Strong Password Requirements for ALL Accounts- This would include user/vendor profiles being required to change the original/default password, having randomly selected passwords, stringent password requirements (18 characters, with 3 numbers, etc.), and being forced to change passwords every 60-90 days.

Multi-Factor Verification – Having a one-time access code sent to an established email, phone, or app to verify identity.

Routine System Audits – Maintain an audit trail and conduct random and scheduled audits.

Annual Security Training – Training on what is and is not confidential, how to protect data, and how to proceed if it is believed that there has been a breach.

While the cyber attack posed a significant risk of an information leak, ultimately, it did not cause damage to life or liberty and sparked a need for tighter internal controls, policies, and procedures within the DoD.