
REPORT COVER PAGE

CASE STUDY titled:


Chinese Hackers Blamed for University of Connecticut's Data Breach, U.S. to
Retaliate Alleged Chinese Cyber attacks
FB GROUP: Persona B02 A
Group members:

Name | ID
---------------|-----------
Lim Jun Wei | 1132702896
Tan Chia Ching | 1132702547
Hong Wei Thing | 1132702897


Table of Contents
1.0 Defining the Problem
1.1 Expectation
1.2 Reality
1.3 Gap (Problem)
1.4 Problem Solving Goal
1.5 Problem statement
2.1 5W1H Technique
2.1.1 What happened?
2.1.2 Where did the problem take place?
2.1.3 When did the problem start?
2.1.4 Who is affected?
2.1.5 How did Chinese hackers hack into the U.S. server and the University of Connecticut (UConn) database?
2.1.6 Why were Chinese hackers able to hack into the university server without anyone being aware of it?
2.1.7 Why was only the faculty of engineering at the University of Connecticut, United States hacked?
2.1.8 What has been done at the moment to solve this issue?
2.1.9 Why has the current solution failed to solve the current issue?
2.2 Chronology
2.2.1 Data breaches at educational institutions in the United States from 2013 to the current year, 2015
2.2.2 Data breaches at Business-Financial and Insurance services (BSF), Government and military (GOV) and Healthcare-Medical providers (MED) in the United States from 2013 to 2015
3.0 Propose Solutions
3.1 Solution 1
3.2 Solution 2
3.3 Solution 3
4.0 Decide on the Appropriate Solutions
4.1 Solution 1
4.2 Solution 2
4.3 Solution 3
5.0 Decide the Best Solution
6.0 Reference
7.0 Case Study

1.0 Defining the Problem (Tan Chia Ching)


Whose problem to solve: The Head of IT (Information Technology) Department of University of
Connecticut (UConn).
1.1 Expectation: (Lim Jun Wei)
The Chief Information Officer (CIO) of the University of Connecticut (UConn) expects the university to place top priority on maintaining the security and integrity of its information technology systems.
1.2 Reality: (Hong Wei Thing)
Over 5,000 students, alumni, faculty members and research partners of the University of Connecticut (UConn) were affected by hackers who stole credit card and Social Security details.
1.3 Gap (Problem): (Tan Chia Ching)
The current information technology (IT) systems failed to maintain security and integrity.
1.4 Problem Solving Goal: (Hong Wei Thing)
To help the University of Connecticut (UConn) strengthen the security and integrity of its systems and reduce the number of data breach cases.
1.5 Problem statement: (Lim Jun Wei)
The Chief Information Officer (CIO) of the University of Connecticut (UConn) expects the university to place top priority on maintaining the security and integrity of its information technology systems. However, the reality is that over 5,000 students, alumni, faculty members and research partners of the University of Connecticut (UConn) were affected by hackers who stole credit card and Social Security details. Therefore, the current information technology (IT) system failed to maintain security and integrity.

2.0 Problem Analysis


2.1 5W1H Technique (Lim Jun Wei)
The 5W1H method is a series of questions used to explore a problem through the five Ws (what, where, when, who and why) and one H (how), asking one question after another until we can solve the problem from its root. By asking these questions we gain a clearer understanding of the problem we are trying to solve.
2.1.1 What happened? (Lim Jun Wei)
The younger generation often makes convenience a priority in daily life without acknowledging the consequences of that convenience. The number of hackers has been increasing day by day along with the advancement of technology. In 2007 the United States Computer Emergency Readiness Team (US-CERT) began to receive various reports of hacking attempts by Chinese hackers. However, the phenomenon did not decrease even though the hackers knew the US government was tracking them through their IP addresses. The Pentagon, the database center of the United States, alone received more than 10 million hacking attempts a day back in 2012, 600 of them attributed to hackers working for the Chinese government who sought personal email from top administration officials. We are sure the number is much greater by now, because NBC's source said that the hacks are still going on but would not name any of the officials targeted. A partisan Senate investigation also found that in one year the Chinese government gained access to sensitive U.S. defense logistics information at least 20 times, but TRANSCOM was aware of only 2 of the security breaches. Now even the database of the University of Connecticut (UConn) in the United States has been breached by Chinese hackers. In March 2015, IT personnel from UConn reported that they had detected several breaches of the database by Chinese hackers; however, the investigation by UConn's IT personnel and Dell's SecureWorks revealed that the hackers had been in the server since September 2013. UConn authorities concluded that the hackers were Chinese based on the type of software and the methodology used.

2.1.2 Where did the problem take place? (Lim Jun Wei)
The victim in the article is a university located in Milford, Connecticut. It claims to have been hacked by hackers from China, based on the type of software and the methodology used. However, cyber incidents such as hacking happen all around the world, in advanced and developing countries alike. The United States, an economic superpower and one of the most advanced countries in the world, has become the most attractive nation for Chinese hackers to hack. The US government has been accusing the Chinese of hacking into various databases in the United States, starting with Google and the Pentagon, and now even an educational institution's database has been breached, counting the past 8 years since 2007. In 2014, local news reported that 47% of adults in the United States had been hacked through various databases. That massive number, tallied by Ponemon Institute researchers, is made even more mind-boggling by the number of accounts hacked by Chinese hackers, up to 20 million in 2014 alone.

2.1.3 When did the problem start? (Tan Chia Ching)
There is no specific date on which the cyber hacking problem started, but we are sure that the problem arose with the advancement of technology such as databases and computers. The first hacking attempts were made by authentic hackers using mainframes, which were locked away in temperature-controlled, glassed-in areas. Mainframes were very costly to run, so programmers had limited access to them. In the past, hackers tended to hack a system that had a loophole in order to improve it, but now people tend to use technology to invade others' privacy or even cause damage to an organization. China began to develop in the early 2000s; as its technology improved, it became curious about the operations of the United States, and it began to hack into United States servers to hijack information from top administration officers.
2.1.4 Who is affected? (Lim Jun Wei)
Everyone in the United States is at risk of encountering this problem. When an organization's database is hacked, everyone related to that organization is eventually affected. Hence, once a database is hacked, the people affected are normally those currently engaging with the organization or those involved in its operations. When a hacker breaks into an organization's database, that organization might need to compensate its customers for the leak of their private information.
2.1.5 How did Chinese hackers hack into the U.S. server and the University of Connecticut (UConn) database? (Lim Jun Wei)
There are many methods of hacking into a database, and different groups of hackers have different methods and methodologies. The U.S. government states that Chinese hackers usually break into a database in several steps. They usually start from an agency that has a diplomatic relationship with the U.S. government, spamming a large volume of email to the agency and baiting for a reply. When any staff member in the agency replies to their email, a path is opened for them to invade the server and look for a loophole; by using the loophole they are able to gain access to the server at any time. Once they are in the server they make themselves an admin in order to use fake users to send email directly to the U.S. government, and in the same way they gain their ticket into the U.S. server. However, the U.S. government has refused to publicly reveal any information about the agency involved in the hacking incident, because it has not cleaned up the whole system yet and does not want the Chinese to know that it is onto them.
2.1.6 Why were Chinese hackers able to hack into the university server without anyone being aware of it? (Lim Jun Wei)
Chinese hackers used malware that is not easy for a firewall or anti-malware software to detect. This malware is usually delivered to the server in a large volume of spam, with email as camouflage. The Chinese hackers normally disguise the malicious program with a name and file extension so that the victim thinks he is getting something entirely different and tends to reply to it. As users become savvier about Internet attacks, crackers find new ways to deliver their programs in order to gain more access to the server. With all this disguise, the malicious program, also called malware, can be transferred to the organization's server without anyone realizing it. The article clearly states that the hackers had been in the server since September 2013, which means they had complete access to the server for 1 year and 6 months without alerting the university's IT personnel, until an IT staff member of the University of Connecticut found traces of the hack in March 2015.
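As an added illustration (not part of the original report), the name-and-extension disguise described above can be checked for when mail is received. The sketch parses a constructed message with Python's standard email library and flags attachments whose final extension is executable behind a document-looking name, or whose content begins with a Windows executable header despite a document extension. The extension lists, function names and sample message are assumptions made for this example.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for this example; tune them to the file types a site allows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_attachment(filename, payload):
    """Return the reasons an attachment name or body looks disguised."""
    reasons = []
    cleaned = filename.strip().lower()
    stem, last_ext = os.path.splitext(cleaned)
    # Padding between the two extensions is trimmed before the inner one is read.
    _, inner_ext = os.path.splitext(stem.rstrip())
    if last_ext in EXECUTABLE_EXTS:
        reasons.append("executable_extension")
        if inner_ext in DOCUMENT_EXTS:
            reasons.append("double_extension")
    elif payload[:2] == b"MZ":
        # Windows executables begin with the bytes "MZ"; documents do not.
        reasons.append("executable_content_mismatch")
    return reasons


def scan_message(raw_bytes):
    """Map each suspicious attachment name in a raw message to its reasons."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, body)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Constructed sample: one clean attachment and two disguised ones."""
    msg = EmailMessage()
    msg["From"] = "registrar@university.example"
    msg["To"] = "student@university.example"
    msg["Subject"] = "Updated timetable"
    msg.set_content("Please review the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="timetable.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed sample", maintype="application",
                       subtype="msword", filename="grades.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"{name}: {', '.join(reasons)}")
```

A flagged attachment is a candidate for quarantine and review; a clean result only means these two checks found nothing.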
2.1.7 Why was only the faculty of engineering at the University of Connecticut, United States hacked? (Lim Jun Wei)
When the database was hacked, the information of more than 20000 professors, students and employees was exposed. This information might be useful to a foreign agent who, knowing what the students and professors are working on, could bribe an individual to hand over research information and give up the valuable secrets they are researching. However, this is not the main purpose for which the hackers broke into the server. The University of Connecticut is a major research center that collaborates with more than 650 major companies and the government sector. Defense contracts and information on U.S. defense systems and technologies would be the main aim of their operation. It would be a big score for another country to obtain such confidential information about a nation. However, after 6 months of observation and investigation, no evidence was found that data had been exploited or erased by the hackers in the 2 years since they gained access to the server.

2.1.8 What has been done at the moment to solve this issue? (Lim Jun Wei)
At the moment, IT personnel at the University of Connecticut are investigating the extent of the compromised information stolen from the university's server. Besides reporting the incident to the FBI for further investigation, the university is also taking extra measures to protect its server. In addition to assisting individuals and research partners in responding to this matter, we are taking further steps to secure our database systems too. Further steps to enhance server security include enhancing the firewall system. Firewalls are an essential part of any server configuration. Even if your services themselves implement security features or are restricted to the interfaces you'd like them to run on, a firewall serves as an extra layer of protection. A properly configured firewall will restrict access to everything except the specific services you need to remain open. The authority can also implement SSH key security, which only enables individuals to connect when they pass SSH key authentication with passwords.

2.1.9 Why has the current solution failed to solve the current issue? (Lim Jun Wei)
In information technology (IT) nothing is perfect. There will definitely be a loophole somewhere in the defense system that we are not aware of. The hackers discovered a loophole in the system and managed to breach the server's defenses using various kinds of malware. A new solution always comes up after a problem has been defined; however, in the future hackers will still manage to break in when they discover a loophole in the defense system and come up with brand new malware and methods that are more advanced and powerful than in previous attempts.

2.2 Chronology (Hong Wei Thing)


2.2.1 Data breaches at educational institutions in the United States from 2013 to the current year, 2015.
Date | Educational Institution | Location | Type of breach | Case | Total Records
-------------|-------------------------|----------|----------------|------|--------------
Mar 13, 2013 | Salem State University | Salem, Massachusetts | Hacking or Malware | Server infected by virus (Paychecks) | 25,000
Apr 9, 2013 | Kirkwood Community College | Cedar Rapids, Iowa | Hacking or Malware | Database hacked (Social security number, Name) | 125,000
Jun 24, 2013 | Florida State University, Florida Department of Education | Tallahassee, Florida | Unintended disclosure | Data exposed during transfer data (Social security number, Address) | 47,000
Jul 30, 2013 | University of Delaware | Newark, Delaware | Hacking or Malware | Vulnerability in software (Social security number, Name) | 74,000
Aug 16, 2013 | Ferris State University | Big Rapids, Michigan | Hacking or Malware | Unauthorized access to computer network (Social security number, Name) | 62,000
Sep 28, 2013 | Virginia Polytechnic Institute and State University (Virginia Tech) | Blacksburg, Virginia | Hacking or Malware | Server of Virginia Tech's Department of Human Resources been hacked (License number) | 144,963
Feb 19, 2014 | University of Maryland | College Park, Maryland | Hacking or Malware | Database hacked (Social security number, University identification number) | 309,079
Feb 26, 2014 | Indiana University | Bloomington, Indiana | Hacking or Malware | Accessed by three automated computer (Social security number, Address) | 146,000
Mar 6, 2014 | North Dakota University | Bismarck, North Dakota | Hacking or Malware | Server hacked (Name, Social security number) | 290,780
May 30, 2014 | Arkansas State University College of Education and Behavioral Science's Department of Childhood Services | Jonesboro, Arkansas | Hacking or Malware | Database hacked (Social security number) | 50,000
Jun 16, 2014 | Riverside Community College | Riverside, California | Unintended disclosure | Sent to wrong email address (Name and Address) | 35,212
Jun 30, 2014 | Butler University | Indianapolis, Indiana | Hacking or Malware | Hackers hack personal information (Bank account, Social security number) | 163,000
Jan 21, 2015 | Mount Pleasant School District | Mount Pleasant, Texas | Hacking or Malware | Downloaded virus files (Social security number, Address) | 915
Feb 18, 2015 | University of Maine | Orono, Maine | Portable Device | Laptop was stolen (Social security number, Phone number) | 941
May 15, 2015 | Penn State College of Engineering | University Park, Pennsylvania | Hacking or Malware | Server hacked (Social security and credit cards number) | 18,000

*Hacking or Malware: Electronic entry by an outside party, malware and spyware.
*Portable Device: Lost, discarded or stolen laptop, smartphone, portable memory device, etc.
*Unintended Disclosure: Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
The chronology above of data breaches at educational institutions in the United States from 2013 to 2015 shows that most of the cases fall under the hacking or malware category. The website thedailybeast.com, in an article titled "Chinese Hackers Target U.S. University With Government Ties", reports that Chinese hackers usually use spear phishing as a method to hack academic institutions. Spear phishing messages are typically designed to resemble emails from trustworthy senders, such as colleagues or a university department, to encourage recipients to open the attached files or click on the hyperlinks included in the messages, tricking them into installing malicious software on their computers. This software is able to record information such as login passwords or even credit card information. Chinese hackers try to obtain unauthorized access to sensitive data using this method, so hacking or malware cases happen much more frequently than other types. Overall, the education field accounts for 8.9% of data breach cases. The statistic was updated in August 2015.
From the table above, the social security number is clearly the most common information in data breaches. A social security number is vital for United States residents, as they need it to find a job. The official Social Security website reminds U.S. residents: "Do not carry the card with you. Keep it in a safe place with your other important papers." Therefore we know that the social security number is very important, and it is a very serious problem when a person's social security number is hacked. According to the survey report from Pew Research Center titled "More online Americans say they've experienced a personal data breach", we conclude that over 15% of adults in the age range of 18 to 29 years old had lost personal information such as a social security number, credit card or bank account information. I chose the age range of 18 to 29 years old because most university students come from this age range and they are more engaged with online life. Therefore it is possible nowadays for students to be hacked through spear phishing.

2.2.2 Data breaches at Business-Financial and Insurance services (BSF), Government and military (GOV) and Healthcare-Medical providers (MED) in the United States from 2013 to 2015.
Date | Type of institution | Name & Location | Type of breach | Case | Total Records
-------------|---------------------|-----------------|----------------|------|--------------
May 9, 2013 | GOV | Administrative Office of the Courts - Washington (Olympia, Washington) | Hacking or Malware | Server hacked (Driver license number, Social security number) | 1,000,000
Jul 3, 2013 | GOV | Indiana Family and Social Services Administration (FSSA), RCR Technology Corporation (Indianapolis, Indiana) | Unintended Disclosure | Programming error (Demographic information, Bank balance and assets) | 187,533
Jul 5, 2013 | BSF | Morningstar Document Research (Chicago, Illinois) | Hacking or Malware | Intrusion (E-mail password, Credit card numbers) | 182,000
Jul 17, 2013 | BSF | St. Mary's Bank (Manchester, New Hampshire) | Unintended Disclosure | Improper redacting information (Social security number, Sensitive information) | 146,000
Aug 13, 2015 | MED | Michigan Department of Community Health, Michigan Cancer Consortium (Lansing, Michigan) | Hacking or Malware | Server hacked (Cancer screening test result, Address) | 49,000
Dec 5, 2014 | BSF | JPMorgan Chase (New York, New York) | Hacking or Malware | Data breach (Tax refunds, Employee payment) | 465,000
Feb 5, 2014 | MED | St. Joseph Health System (Suwanee, Georgia) | Hacking or Malware | Server hacked (Patient names, Address) | 405,000
May 14, 2014 | BSF | Paytime (Mechanicsburg, Pennsylvania) | Hacking or Malware | Data breach (Deposit bank account information) | 233,000
Nov 10, 2014 | GOV | US Postal Service (Washington, District Of Columbia) | Hacking or Malware | Computer networks hacked (Social security number, Dates of employment) | 800,000
Nov 25, 2014 | GOV | Texas Health and Human Services (Houston, Texas) | Unintended Disclosure | Breach reported after vendor dispute (Medical and billing record) | 2 million
Mar 16, 2015 | MED | Advantage Dental (Redmond, Washington) | Hacking or Malware | Database hacked (Social security number, Address) | 151,626
May 20, 2015 | BSF | CareFirst BlueCross BlueShield (Baltimore, Maryland) | Hacking or Malware | Database hacked (Insurance identification number) | 1.1 million
Jun 4, 2015 | GOV | Office of Personnel Management (OPM) (Washington, District Of Columbia) | Hacking or Malware | Data breach (Employees job assignment, Performance) | 21.4 billion
Jul 17, 2015 | MED | UCLA Health System (Los Angeles, California) | Hacking or Malware | Data breach of network (Medicare, Health plan identification number) | 4.5 billion
Sep 10, 2015 | BSF | Excellus Blue Cross Blue Shield (Syracuse, New York) | Hacking or Malware | System hacked (Social security number, Financial information) | 10,000,000

*Hacking or Malware: Electronic entry by an outside party, malware and spyware.
*Unintended Disclosure: Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.

The chronology above of data breaches at Business-Financial and Insurance services (BSF), Government and military (GOV) and Healthcare-Medical providers (MED) in the United States from 2013 to 2015 shows that most of the cases fall under the hacking or malware category. These data show that data breaches happen not only in the education field but also in other vital fields. The U.S. government accuses China of sponsoring cyber-attacks against American institutions, but what is the reason for this accusation? The accusation has been discussed for many years and is generally based on certain suspicions and assumptions.
The first assumption behind the U.S. belief that China takes part in sponsoring cyber-attacks is that China wants to obtain advanced technology from the U.S. to help its own country in different sectors. China's improvement and successful innovations in the high technology field have become the reason for U.S. suspicion. Mandiant's most noticeable report, released on February 19, 2013 with the title "Exposing one of China's cyber espionage units", says that thousands of cyber-attacks have come from one neighborhood near the Shanghai area and that the espionage group mainly targeted U.S. blue chip companies in 20 separate industries, from aerospace to financial services. However, Chinese foreign ministry spokesman Hong Lei says that "making unfounded accusations based on preliminary results is both irresponsible and unprofessional". China resolutely denies the hacking actions and has established relevant laws and regulations and developed strict law enforcement to defend against hacking activities.

3.0 Propose Solutions


3.1 Solution 1:
A university or any organization must enforce strong password policies in its information technology management in order to improve database security and protect its clients' personal information from being stolen by hackers. - Tan Chia Ching (1132702547)
Technique: Shift Perspective
If I were the Chief Information Official of an organization, I would definitely implement a strong password policy in my organization, as this solution does not cost much money, is simple to implement and, most importantly, can secure the organization's database and protect my customers' personal information well.
Definition:
Applying strong password policy requirements is an important and simple step that cannot be ignored. However, many universities and organizations still have not deployed this simple policy. Many organizations fail to change the standard administrator usernames, and today's hackers have access to more advanced password cracking software. Therefore, it is crucial to enforce strong password policies so that every user account, for students and other users of the organization, is resistant to brute force and dictionary-based password cracking attempts.
Supporting Argument:
A weak password can make a company vulnerable to hackers. Moreover, a weak password gives hackers easy access to one's computer system to obtain personal information such as bank account numbers, email passwords, house addresses and so on. Hence, enforcing strong passwords is very important to every organization, as strong passwords are harder to crack, so the organization can ensure the safety of its clients' databases. However, stronger and more powerful password cracking software is available today. Password hacking normally uses one of three approaches: dictionary attacks, intelligent guessing, and brute force automated attacks that try every single possible combination of characters. Given enough time, the automated method can crack any password. Yet strong passwords are still much harder to crack than weak passwords. Therefore, a secure information technology system must have strong passwords for all its user accounts in order to protect its clients' databases. Some ways to apply a strong password policy to personal user accounts and keep private information secure are shown below.
A typical strong password policy might include:

- Password must be at least 15 characters
- Password must contain both upper-case letters and lower-case letters
- Password must contain at least two numerical digits, two alphabetical characters and at least two special characters such as (%, &, @, #, $)
- Password may not contain any words in the dictionary or any commonly used IT login names such as (Administrator, Admin, Sa, Password)
- Password may not contain any personal information such as (birthday or name)
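The policy list above, written as a checker (an added example, not part of the original report). The word list, the character-substitution table and the function names are assumptions for illustration: a real deployment would load a full dictionary, and the special-character rule is read here as any character that is neither alphanumeric nor whitespace.

```python
import re
from datetime import date

# Thresholds taken from the policy list above.
MIN_LENGTH, MIN_DIGITS, MIN_LETTERS, MIN_SPECIAL = 15, 2, 2, 2
# Login names named in the policy, plus a tiny constructed word list that
# stands in for a real dictionary file.
COMMON_LOGINS = {"administrator", "admin", "sa", "password"}
SAMPLE_DICTIONARY = {"husky", "welcome", "dragon", "summer", "engineering"}
# Assumed table that undoes common look-alike substitutions before matching.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def banned_terms_in(password, terms):
    """Return the banned words or login names found in the password."""
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    tokens = set(re.findall(r"[a-z]+", lowered))
    hits = []
    for term in sorted(terms):
        if len(term) >= 4:
            # Long terms match anywhere, with or without substitutions.
            if term in lowered or term in normalized:
                hits.append(term)
        elif term in tokens:
            # Short names such as "sa" match only as a whole run of letters,
            # otherwise almost every long password would be rejected.
            hits.append(term)
    return hits


def personal_info_in(password, full_name, birthday):
    """True if a name part or a common rendering of the birthday appears."""
    lowered = password.lower()
    names = {p.lower() for p in re.findall(r"[A-Za-z]+", full_name) if len(p) >= 3}
    formats = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y")
    dates = {birthday.strftime(fmt) for fmt in formats}
    digits_only = re.sub(r"\D", "", password)  # "14-02-1996" -> "14021996"
    return any(n in lowered for n in names) or any(d in digits_only for d in dates)


def check_password(password, full_name, birthday):
    """Return the list of policy rules the password violates (empty = pass)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("mixed_case")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("digits")
    if sum(c.isalpha() for c in password) < MIN_LETTERS:
        problems.append("letters")
    if sum(not c.isalnum() and not c.isspace() for c in password) < MIN_SPECIAL:
        problems.append("special")
    if banned_terms_in(password, COMMON_LOGINS | SAMPLE_DICTIONARY):
        problems.append("dictionary_or_login_name")
    if personal_info_in(password, full_name, birthday):
        problems.append("personal_info")
    return problems


if __name__ == "__main__":
    # Constructed account holder and candidate passwords.
    holder, born = "Jane Doe", date(1996, 2, 14)
    for candidate in ("Tr1cky#Pass", "P@ssw0rd!!2024Longer",
                      "jane-14-02-1996-Xq!vT", "vR7#kq!Lm2zW@pX9tB"):
        print(candidate, "->", check_password(candidate, holder, born) or "accepted")
```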

Evidence:
To demonstrate the dangers of a weak password: in 2008, a Skype user accidentally broke into the Bank of France by using the password 123456. He didn't steal anything and he was found not guilty in the subsequent court case after the police caught up with him. However, this could have turned into a major disaster had he been a hacker rather than a mere Skype user looking for a means to make cheap phone calls. Many hackers have broken into countless websites and organizations since the rise of the Internet. These include Hotmail, Yahoo!, Bank of America, LinkedIn, NASA and the Pentagon, and the $10 million online heist carried out at Citibank by Vladimir Levin in 1994. In 2004, Microsoft Corporation fell prey to a password hacker who stole the whole source code of Windows 2000. The hacker was never caught. Lately, a hacker stole the password to a Twitter account held by the Associated Press (AP) and posted a fake story on Twitter saying that there had been an explosion at the White House. Because of AP's credibility, the story led to a 143 point drop in the New York Stock Exchange (NYSE), costing around billions of dollars in economic losses, which were fortunately reversed when the NYSE recovered entirely. Almost every day, countless people fall prey to hackers who steal their important passwords, and face losses as a consequence. This problem keeps happening because their passwords are weak, or because they do not know the importance of effective password protection techniques.
3.2 Solution 2:
Implement database encryption at United States universities. Create a database encryption key to strengthen the security of the database. - Hong Wei Thing (1132702897)
Technique: Bionic (Crab, Tortoise)
The technique I chose to solve the problem of IT systems that failed to maintain security and integrity is bionic. The animal I chose to represent my solution is either the crab or the tortoise, as both have a hard shell to protect themselves from dangerous situations. This situation is similar to the problem we face, data breaches, and we implement encryption on the database as protection from hackers.
Definition:
Database encryption is defined as the process of hiding information to make it unreadable without a decryption key. A transparent decryption key is created and used to transparently encrypt the database. The decryption key is known only by the party or parties that exchange the secret messages and cannot be exported from the database. It is available only to the system. When the database owner (DBO) is changed, the database encryption key does not have to be regenerated. The goal of encryption is to ensure that even if sensitive information is exposed or compromised, the information remains useless to anyone without the decryption key, making it difficult for someone to steal the information.
Types of encryption on database:

Transparent/ External encryption

Transparent or external encryption refers to the encryption of the whole database. It is provided
by native encryption functions within the database engine. Some database vendors offer column- and
table-level granularity, but it is more commonly applied to all data. It is called transparent
database encryption because it is invisible to the applications and to the users that use the data.
The purpose of transparent encryption is to ensure that information is not exposed through the
physical media (disk) or storage. The same protection can also be achieved through drive or
operating system (OS) file system encryption, which applies encryption on the disk. Although these
options lack the protections of native database encryption, both are invisible to the application
and require no change to the existing code or schemas. Transparent encryption protects the database
from users without database credentials, but it does not protect the data from authorized users.

User/ Data encryption

User or data encryption describes the encryption of specific tables, columns or data elements in
the database. It is called user encryption because the objects being encrypted are managed and owned
by a user. Only highly sensitive data, such as credit card numbers, is encrypted in the database
under this model. The purpose of this encryption model is to protect against unintended disclosure
and to enforce separation of duties among credentialed users of the database. The only disadvantage
is that these forms of encryption are visible to the application and require code and database
changes. The success of this encryption method depends on how key management is handled, using
internal vs. external encryption services and applications in the database. Some vendors offer
transparent encryption that can be applied to specific tables or columns, but its major purpose is
still media loss and file protection, not separation of duties.
Evidence:
An article on the Ellucian website titled "Banner data defense at Texas Technology University: The
importance of database-level encryption" shows that Texas Technology University began to apply
database encryption from 6.00 a.m., 15 September 2014 (Saturday) until 16 September 2014 (Sunday).
The Texas Technology University System was aware of these threats and was willing to set a budget of
$1.75 billion for this complex system to ensure that the information of more than 44,000 students in
its academic institutions and medical schools is kept safe and secure. It is important to encrypt
databases, as hackers often target unencrypted databases first, which allow them to get in and out
immediately. Database encryption also helps institutions comply with privacy and regulatory
requirements by transparently encrypting data such as social security numbers, birth dates and
other personally identifiable information. According to Texas Technology University's review, they
chose Banner Data Defense because this software package combines multiple layers of Information
Technology (IT) security defense, including encryption, a firewall and an audit tool. It is
all-in-one software.

3.3 Solution 3:
Establish an I.T assist team to research the methods used by China hackers to hack into the U.S
network security system. Design a new firewall and antimalware system based on the methods used by
China hackers to prevent them from hacking into the server again.
- Lim Jun Wei (1132702896)
Technique: If I were method
If I were Barack Obama, the President of the United States, I would be worried about the
cyber-attack incidents that take place in the nation. The information stolen from our servers by
another country might put our defense system, our political status and our economic status at a
great disadvantage. The data might be a highly confidential project that is still under research,
or just the information of federal employees; no matter what data the hackers acquire, it can still
do great damage to the nation. It would be a great score for another nation to acquire
confidential information from us. To protect the nation's privacy and security, I would probably
establish an I.T assist department that takes direct orders from the homeland defense department
in order to solve the crisis of confidential data leaks. As a rational leader, I would not accuse
anyone of conducting any act before evidence is found, because the accusation would be groundless.
A groundless accusation would not be the act of a critical thinker. By establishing an I.T team
that focuses mainly on researching the methods China hackers use, the team would be able to
determine the weaknesses of the hacking methods. The team would also have the responsibility to
invent new antimalware software and a new firewall in order to prevent the hackers from breaching
the server again. The assist team would also be responsible for guiding and providing information
and software to all organizations in the United States. With the help of the I.T assist team, all
organizations would be able to upgrade their information technology security, so that the risk of
being hacked is reduced to the minimum. Last but not least, the I.T support team should also
observe and check the server from time to time to make sure that it has no irregularities and is
clean of malware. By implementing this plan, the U.S government would be able to solve the problem
at the root by upgrading the security of information technology systems and maintaining the
security and integrity of the entire nation's servers.

4.0 Decide on the Appropriate Solutions:

4.1 Solution 1 (Tan Chia Ching)

(A) ADVANTAGES
1. Able to guarantee that clients' personal information is well protected.
2. Get rid of hackers.
3. Does not cost much money to implement a stronger password system.
4. Reduce the global hacking rate per year.

(B) DISADVANTAGE
1. Passwords with many characters are easily forgotten and hard for some people to memorize.

(A) - (B) = 4 - 1 = 3
Advantages:
1) Able to guarantee that clients' personal information is well protected.

Increasing the length and character variety of a password makes it stronger, which means the
account password is not easily cracked by hackers. This keeps the organization's database safe and
people's information secure.

2) Get rid of hackers.

A stronger password raises the difficulty level, so it is not easy for a hacker to crack into
someone's account. In this 21st century, as the number of hackers is increasing, it is crucial for
everyone who uses an information system account to set a stronger account password in order to
avoid becoming a cyber victim.

3) Does not cost much money to implement a stronger password system.

It does not cost an organization much money to upgrade the system and make it compulsory for all
its clients to set strong passwords. Besides that, every company or organization has a
responsibility to protect its customers' personal information and keep it secure. So, companies
should ensure the safety of their clients so that they do not become so-called cyber victims.

4) Reduce the global hacking rate per year.

Nowadays, we can see from the news and the internet that the number of hackers keeps increasing
every year around the globe. However, simply strengthening passwords would reduce the global rate
of hacking per year, because some hackers do not have a high enough level of skill to hack into
accounts protected by stronger passwords.

Disadvantage:
1. Passwords with many characters are easily forgotten and hard for some people to memorize.

Stronger passwords have their pros but also their cons. The con of a strong password is that long
passwords are hard for people to memorize. Many people tend to create a short account password so
that it is easy to memorize, so when they change to a longer password they easily forget it and find
it hard to remember those numbers and characters.

4.2 Solution 2 (Hong Wei Thing)

(A) ADVANTAGES
1. University is able to protect students' personal data.
2. University's reputation will be higher as data breach cases reduce.
3. Encrypted data can only be read by a system or user who has the key to unencrypt the data.

(B) DISADVANTAGE
1. High cost is needed to apply database encryption.

(A) - (B) = 3 - 1 = 2
Advantages:
1. University is able to protect students' personal data.

By using database encryption, the university is able to store students' private and personal data,
such as social security numbers, payment information, financial aid records and grades, securely
away from hackers. Although some information, like names, addresses or dates of birth, is
considered less important, hackers are able to use this basic information to get one's credit
information. Therefore, implementing database encryption is a must to let lecturers, office staff
and students feel safe.

2. University's reputation will be higher as data breach cases reduce.

A data breach has a negative impact on the reputation of a university. The public would feel a
lack of privacy and security if they were to enroll in the university. Meanwhile, a data security
breach at a university would be seen as inefficiency on the part of the university's management,
because they did not carry out their responsibility to ensure the privacy of the students and
professors. In contrast, when a university is free from data breach cases, its reputation also
increases.

3. Encrypted data can only be read by a system or user who has the key to unencrypt the data.

The encryption key is stored outside the database in an external security module. Only the
security administrator is able to access the database and get the information. For this external
security module, Oracle uses an Oracle wallet to store the master encryption key, which prevents
unauthorized users from hacking in. When a new master encryption key is set, the user must back up
a copy of the wallet. The wallet must be backed up separately from the data, because if a backup
tape gets lost, a third person will then not have the chance to get both the wallet and the
encrypted data. The image below shows the encryption key being used to encrypt or decrypt the
database.
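
The user/data encryption model from section 3.2, combined with the externally held key described in advantage 3 above, as an added example that is not part of the original report and is not Oracle's code: one column (`ssn`) of a constructed `students` table is encrypted under a master key that never enters the database, so a credentialed database user sees only ciphertext. The table, sample rows and function names are assumptions, and the HMAC-based cipher is a standard-library stand-in for a vetted AES implementation.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows (fake data; SSN area number 000 is never issued).
SAMPLE_ROWS = [(1, "Alice Example", "000-12-3456"), (2, "Bob Example", "000-65-4321")]


def _keystream(key, nonce, length):
    """Keystream from HMAC-SHA256 in counter mode (stdlib stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key, column):
    """Separate encryption and MAC keys per column, derived from the master key."""
    label = column.encode()
    return (hmac.new(master_key, b"enc|" + label, hashlib.sha256).digest(),
            hmac.new(master_key, b"mac|" + label, hashlib.sha256).digest())


def encrypt_field(master_key, column, row_id, plaintext):
    enc_key, mac_key = _subkeys(master_key, column)
    nonce = os.urandom(16)  # fresh per value, so equal SSNs give different ciphertexts
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    # Encrypt-then-MAC; the row id is authenticated so a blob cannot be moved between rows.
    tag = hmac.new(mac_key, b"%d|" % row_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(master_key, column, row_id, blob):
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(master_key, column)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, b"%d|" % row_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def build_demo_db(master_key):
    """Create the table; only ciphertext of the sensitive column is ever stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    for row_id, name, ssn in SAMPLE_ROWS:
        db.execute("INSERT INTO students VALUES (?, ?, ?)",
                   (row_id, name, encrypt_field(master_key, "ssn", row_id, ssn)))
    db.commit()
    return db


def dba_view(db):
    """What any credentialed database user (or a stolen backup) yields: SSN as ciphertext."""
    return db.execute("SELECT id, name, ssn FROM students ORDER BY id").fetchall()


def app_view(db, master_key):
    """What the application sees once it is given the externally stored key."""
    return [(i, n, decrypt_field(master_key, "ssn", i, blob)) for i, n, blob in dba_view(db)]


if __name__ == "__main__":
    key = os.urandom(32)  # assumption: in production this lives in a wallet/HSM, not in code
    demo = build_demo_db(key)
    for row in dba_view(demo):
        print("database user sees:", row[0], row[1], row[2].hex()[:24] + "...")
    for row in app_view(demo, key):
        print("application sees:  ", row)
```

With transparent encryption alone, the first loop would print the plaintext SSNs, because the engine decrypts for every authorized query.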

Disadvantage:
1. High cost is needed to apply database encryption.

Due to the complexity of database encryption, especially in large databases, implementation is
costly. Large databases need specially designed encryption to suit them. The system needs
sufficient capacity and upgrades to perform and maintain data encryption efficiently and
effectively. Without an effective system, system operations can be noticeably degraded.

4.3 Solution 3 (Lim Jun Wei)

(A) ADVANTAGES
1. Confidential information and data of the country would be secure from the risk of being exposed.
2. Privacy of citizens of United States is restored.
3. Confidence and trust of the citizens towards the government will increase.

(B) DISADVANTAGES
1. Establishing a new department would consume a lot of budget.
2. Update of the data security process will influence the operation.

(A) - (B) = 3 - 2 = 1
Advantages:
1. Confidential information and data of the country would be secure from the risk of being exposed.

Following the establishment of the I.T team, a solution to maintain security and integrity against
the invasion of China hackers would be presented. When the security of our information system is
enhanced by new software, the difficulty of hacking into our servers would also increase. But
nothing is perfect in Information Technology; there is sure to be a loophole somewhere in the
server, and eventually the hackers will find new methods to implant their malware. However, the
experts in the assist team will observe the server from time to time to make sure that it is clean
of malware.

2. Privacy of citizens of United States is secured and restored.

When hackers hack into a U.S server, the information of the users in the organization is all
exposed to the hackers. When all the information is exposed, an individual's privacy has been
invaded. By ensuring that the server and data maintain their security and integrity, the privacy
of millions of citizens would also be secured and restored.

3. Confidence and trust of the citizens towards the government will increase.

When the government makes an effort to protect the privacy of its citizens, the citizens feel
relieved to be protected. The government's effort to keep servers and databases safe from hackers
can also help citizens gain confidence and trust in the government's efficiency and responsibility.

Disadvantages:
1. Establishing a new department would consume a lot of budget for the operational cost.

Every department requires an operating cost to run, so when the government sets up a new
department, more budget is used. Furthermore, setting up an Information Technology (IT) department
would consume more budget than setting up a normal department, as I.T appliances are very costly.

2. Update of the data security will influence the operation.

An update of the data security system would change the software interface that employees are used
to. The change might cause inconvenience to the staff and hence slow down the productivity of the
employees. Besides that, updates will be patched in from time to time following the advancement of
information technology.

5.0 Decide the Best Solution

After the discussion between our group members and the expert, we would like to choose
Solution 2 as the best solution, which is to implement a database encryption key to strengthen the
security of databases in United States universities. This is supported by definition and
evidence. (Hong Wei Thing, Lim Jun Wei, Tan Chia Ching)
Definition: Encryption on a database is defined as the process of hiding information to make it
unreadable without a decryption key. A transparent decryption key is created and used to
transparently encrypt the database. The decryption key is known only by the party or parties that
exchange the secret messages and cannot be exported from the database. It is available only to the
system. When the database owner (DBO) is changed, the database encryption key does not have to be
regenerated. The goal of encryption is to ensure that even if sensitive information is exposed or
compromised, it remains useless to anyone without the decryption key, which makes it difficult for
someone to steal the information.
Types of encryption on database:

Transparent/ External encryption

Transparent or external encryption refers to the encryption of the whole database. It is provided
by native encryption functions within the database engine. Some database vendors offer column- and
table-level granularity, but it is more commonly applied to all data. It is called transparent
database encryption because it is invisible to the applications and to the users that use the data.
The purpose of transparent encryption is to ensure that information is not exposed through the
physical media (disk) or storage. The same protection can also be achieved through drive or
operating system (OS) file system encryption, which applies encryption on the disk. Although these
options lack the protections of native database encryption, both are invisible to the application
and require no change to the existing code or schemas. Transparent encryption protects the database
from users without database credentials, but it does not protect the data from authorized users.

User/ Data encryption

User or data encryption describes the encryption of specific tables, columns or data elements in
the database. It is called user encryption because the objects being encrypted are managed and owned
by a user. Only highly sensitive data is protected, so normally credit card numbers are encrypted
in the database under this model. The purpose of this encryption model is to protect against
unintended disclosure and to enforce separation of duties among credentialed users of the database.
The only disadvantage is that these forms of encryption are visible to the application and require
code and database changes. The success of this encryption method depends on how key management is
handled, using internal vs. external encryption services and applications in the database. Some
vendors offer transparent encryption that can be applied to specific tables or columns, but its
major purpose is still media loss and file protection, not separation of duties.
Evidence: An article on the Ellucian website titled "Banner data defense at Texas Technology
University: The importance of database-level encryption" shows that Texas Technology University
began to apply database encryption from 6.00 a.m., 15 September 2014 (Saturday) until 16 September
2014 (Sunday). The Texas Technology University System was aware of these threats and was willing to
set a budget of $1.75 billion for this complex system to ensure that the information of more than
44,000 students in its academic institutions and medical schools is kept safe and secure. It is
important to encrypt databases, as hackers often target unencrypted databases first, which allow
them to get in and out immediately. Database encryption also helps institutions comply with privacy
and regulatory requirements by transparently encrypting data such as social security numbers, birth
dates and other personally identifiable information. According to Texas Technology University's
review, they chose Banner Data Defense because this software package combines multiple layers of
Information Technology (IT) security defense, including encryption, a firewall and an audit tool.
It is all-in-one software.
There are some advantages to this solution. The first is that the university is able to
protect students' personal data. By using database encryption, the university is able to store
students' private and personal data, such as social security numbers, payment information,
financial aid records and grades, securely away from hackers. Although some information, like
names, addresses or dates of birth, is considered less important, hackers are able to use this
basic information to get one's credit information. Therefore, implementing database encryption is
a must to let lecturers, office staff and students feel safe.
Secondly, the university's reputation will be higher as data breach cases reduce. A data
breach has a negative impact on the reputation of a university. The public would feel a lack of
privacy and security if they were to enroll in the university. Meanwhile, a data security breach
at a university would be seen as inefficiency on the part of the university's management, because
they did not carry out their responsibility to ensure the privacy of the students and professors.
In contrast, when a university is free from data breach cases, its reputation also increases.
Thirdly, encrypted data can only be read by a system or user who has the key to
unencrypt the data. The encryption key is stored outside the database in an external security
module. Only the security administrator is able to access the database and get the information.
For this external security module, Oracle uses an Oracle wallet to store the master encryption key,
which prevents unauthorized users from hacking in. When a new master encryption key is set, the
user must back up a copy of the wallet. The wallet must be backed up separately from the data,
because if a backup tape gets lost, a third person will then not have the chance to get both the
wallet and the encrypted data. The image below shows the encryption key being used to encrypt or
decrypt the database.
However, there is also a disadvantage for United States universities if they implement
this solution. The disadvantage is the higher cost needed to apply database encryption. Due to the
complexity of database encryption, especially in large databases, implementation is costly. Large
databases need specially designed encryption to suit them. The system needs sufficient capacity
and upgrades to perform and maintain data encryption efficiently and effectively. Without an
effective system, system operations can be noticeably degraded. Even so, the cost of applying
encryption on the database is lower than that of solution 3, which is establishing an I.T assist
team to research the methods used by China hackers.

6.0 Reference:
Aaron Weiss (2012, Aug 6). How to prevent SQL injection attacks. Retrieved from
http://www.esecurityplanet.com/hackers/how-to-prevent-sql-injection-attacks.html
Arshad Noor, Boaz Gelbord, Clarkendweller, Dave Howe, JohnF, Mostafa Siraj, pktsniffer,
Sharon Besser, Terence Spies. Understanding and Selecting a Database Encryption or
Tokenization Solution. Retrieved from
https://securosis.com/assets/library/reports/Securosis_Understanding_DBEncryption.V_.1_.pdf
A student's need to know guide to web security. (2015). Retrieved from
http://www.onlineuniversities.com/internet-security/
Betsy Ziobron. (2003, July 1). Keeping campus networks safe and secure. Retrieved from
http://www.cablinginstall.com/articles/print/volume-11/issue-7/contents/security/keepingcampus-networks-safe-and-secure.html
Chronology of data breaches. (2015). Retrieved from
https://www.privacyrights.org/data-breach/new?title=&page=1
Database files and filegroup. (2015). Retrieved from
https://msdn.microsoft.com/en-us/library/ms189563.aspx
Ellucian. (2015). Texas Tech University System learns the value of database-level
encryption. Retrieved from
http://www.ellucian.com/Insights/Texas-Tech-University-System-learns-the-value-ofdatabase-level-encryption/
Emma Kavanagh. (2015). Strong password protection. Retrieved from
http://www.nortonsecurityonline.com/security-center/strong-password.html
Identity theft protection service. (2012, July). Retrieved from
http://www.consumer.ftc.gov/articles/0235-identity-theft-protection-services
Is China really behind the Office of Personal Management (OPM) hack? [video file].
Retrieved from https://www.youtube.com/watch?t=119&v=8S_9Dhbogsk
Oracle help centre. (2015). Database Advanced Security Administrator's Guide. Retrieved
from http://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm
Paolo Passeri. (2014, Jan 19). 2013 Cyber attacks statistic (Summary). Retrieved from
http://www.hackmageddon.com/2014/01/19/2013-cyber-attacks-statistics-summary/
Paolo Passeri. (2015, Jan 13). 2014 Cyber attacks statistic (Aggregated). Retrieved from
http://www.hackmageddon.com/2015/01/13/2014-cyber-attacks-statistics-aggregated/
Paolo Passeri. (2015, Sep 10). August 2015 Cyber Attacks Statistics. Retrieved from
http://www.hackmageddon.com/2015/09/10/august-2015-cyber-attacks-statistics/
Securing stored data using transparent data encryption (2015). Retrieved from
http://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm
Texas Tech University. (2014, Nov 03). TechAnnounce. Retrieved from
http://www.techannounce.ttu.edu/Client/ViewMessage.aspx?MsgId=163168
Tips for creating strong password (2015). Retrieved from
http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strongpassword#TopOfPageTarget
The importance of strong passwords. (2010, Oct 5). Retrieved from
http://www.utexas.edu/its/secure/articles/importance_strong_passwords.php
Who is the high value targeted area for further attack, who might be the good target for
human recruitment the spy. [video file]. Retrieved from
https://www.youtube.com/watch?v=swZR8OCQmyY

7.0 Case Study


For Critical Thinking Assignment 2, our Persona group had selected this article.
Title: Chinese Hackers Blamed for University of Connecticut's Data Breach, U.S. to Retaliate
Alleged Chinese Cyber attacks
Date: 01 August 2015
Words: 599 words
The URL Link:
http://www.chinatopix.com/articles/60277/20150801/chinese-hackersblamed-university-connecticuts-data-breach-u-s-retaliate.htm
The University of Connecticut (UConn) has been hit by hackers who stole credit card and social
security details of over 5,000 students, alumni, faculty members and research partners.
Tom Breen, UConn deputy spokesperson announced on Friday that the cyberattack targeting the
university's engineering school was carried out by Chinese hackers.
"The university is responding to a criminal cyber intrusion through which hackers apparently
originating in China gained access to servers at UConn's School of Engineering," Breen said.
IT personnel at UConn's engineering school reportedly detected the cyber intrusion in March.
Investigations by the university and Dell's SecureWorks revealed that the hackers may have
breached the school's servers in September 2013.
The University has since informed thousands of students, alumni, faculty and research partners in
the public and private sector as the breach may have compromised their personal information.
Breen says officials are still investigating the extent of the compromised information stolen from
the university's servers.
"The breach is far more extensive, could impact many more accounts and started much earlier
than we originally believed." "There is no way at the present time to determine the exact number
of accounts hacked," Breen said.
UConn authorities say they arrived at the conclusion that the hackers were Chinese based on the
type of software and methodology of the cyber-attack.
The case has since been reported to the FBI for further investigations. The university is also
taking measures to protect its servers.

Michael Mundrane, UConn's chief information officer and vice provost said the university
placed "the highest priority on maintaining the security and integrity of its information
technology systems."
"The unfortunate reality is that these types of attacks are becoming more and more common,
which requires us to be more vigilant in protecting our university community," he said. "That's
why, in addition to assisting individuals and research partners in responding to this incident,
we're taking steps to further secure our systems."
In recent months the U.S. has accused China of sponsoring cyber-attacks against American
institutions.
In June, a series of cyber-attacks against the Office of Personnel Management saw the theft of
sensitive data affecting over 20 million people. After the highly publicized breach, James R.
Clapper Jr., director of national intelligence, blamed China for the cyberattack. He said "you
have to kind of salute the Chinese for what they did."
Despite numerous allegations, the Chinese government has denied any involvement in the
hacking scandals. Beijing has insisted that China is also a victim of cyber-attacks.
According to the New York Times, the Obama administration has been considering the issue of
cyber-attacks and has decided to retaliate against China for the Office of Personnel Management
breach.
However, U.S. authorities are torn between the natures of the response, as they want to avoid
exacerbating the cyber-hacking conflict between the two countries.
"One of the conclusions we've reached is that we need to be a bit more public about our
responses, and one reason is deterrence," a senior official informed NY Times on White House
deliberations on the issue. "We need to disrupt and deter what our adversaries are doing in
cyberspace, and that means you need a full range of tools to tailor a response."
Despite having different opinions on the issue of cyber-attacks, US officials are united on the fact
that if nothing is done the attacks are likely to increase.
The U.S. Department of Justice recently indicted five officers of the People's Liberation Army on
charges of stealing intellectual properties from American companies. Many view the proceedings
as only symbolic as the Chinese officials will not be prosecuted unless in an American court.
