Beruflich Dokumente
Kultur Dokumente
Name
ID
1132702896
1132702547
1132702897
Progress
Monitoring
(10%)
Total
marks
(30%)
Table of Contents
1.0 Defining the Problem.................................................................................................. 3
1.1 Expectation........................................................................................................... 3
1.2 Reality.................................................................................................................. 3
1.3 Gap (Problem)....................................................................................................... 3
1.4 Problem Solving Goal.............................................................................................. 3
1.5 Problem statement.................................................................................................. 3
2.1 5W1H Technique....................................................................................................... 4
2.1.1 What happened.................................................................................................... 4
2.1.2 Where did the problem held place...........................................................................5
2.1.3 When is the problem started................................................................................... 5
2.1.4 Who is affected.................................................................................................... 5
2.1.5 How Chinese hacker hack into U.S. server and University of Connecticut (Uconn) database.
................................................................................................................................ 6
2.1.6 Why China hackers is able to hack into the University server without anyone aware of it?. 6
2.1.7 Why only the faculty of engineering in University of Connecticut, United States had been
hacked?..................................................................................................................... 7
2.1.8 What had been done in the moment to solve this issue?................................................7
2.1.9 Why the current solution have failed to solve the current issue?....................................8
2.2 Chronology............................................................................................................... 9
2.2.1 Data breach of Educational Institution in United States from year 2013 to the current year
2015.......................................................................................................................... 9
2.2.2 Data breach of Business-Financial and Insurance services (BSF), Government and military
(GOV), Healthcare-Medical providers (MED) in United State from the year 2013 to 2015.......12
3.0 Propose Solutions.................................................................................................... 15
3.1 Solution 1............................................................................................................ 15
3.2 Solution 2............................................................................................................ 17
3.3 Solution 3............................................................................................................ 19
4.0 Decide on the Appropriate Solutions............................................................................20
4.1 Solution 1............................................................................................................ 20
4.2 Solution 2............................................................................................................ 22
4.3 Solution 3......................................................................................................... 24
5.0 Decide the Best Solution............................................................................................ 26
6.0 Reference............................................................................................................... 29
7.0 Case Study............................................................................................................. 31
2.1.2 Where did the problem held place? (Lim Jun Wei)
The victim in the article is a University that located at Mildford, Connecticut. They claim
to be hacked by hackers from China based on the type of software used and the methodology.
However, cyber incident like hacking happen all around the world no matter it is in an advance
country or a developing country. United States, a super economy country which is also one of the
most advanced country in the world becoming the most attractive nation for the Chinese hackers
to hack US government had been accusing the Chinese for hacking into various database in
United states started from google ,pentagon and now even the education institution database had
been breached calculated from the past 8 years since 2007, in the year 2014,local news reported
that 47% of adult in United states had been hacked through various database. That massive
number, tallied by Ponemon Institute researchers, is made even more mind-boggling by the
amount of hacked accounts up to 20 million just by year 2014 alone by the china hackers.
eventually get affected. Hence once a database is hacked, people who get affected are normally
those who currently engaging with the organization or those involved in the organization
operation. When a hacker hacked into an organization database, that respective organization
might need to compensate for the leaked of customer privacy.
2.1.5 How Chinese hacker hack into U.S. server and University of Connecticut (Uconn)
database. (Lim Jun Wei)
There are a lots of methods to hack into a database, different group of hackers have
different type of method and methodology. U.S government states that China hackers usually
hacks in the database by using various kind of steps, they usually starts off their hacks from an
agency which has diplomatic relationship with the U.S government by spamming a big load
email into the agency and bait for a reply from the agency. When any of the staff in the agency
replied to their email, a path had been opened for them to invade into the server and look for
loophole by using the loophole they are able to gain access to the server anytime. After they are
in the server they make themselves an admin in order to exploit fake user to send direct email to
the U.S government with the same ways they are able to gain their tickets into the U.S server.
However, U.S government refused to reveal any information regarding the agency involved in
the hacking incident publicly because they had not cleaned up the whole system yet nor they
dont want the Chinese to know they are into them.
2.1.6 Why China hackers is able to hack into the University server without anyone aware of
it? (Lim Jun Wei)
China hackers used malware which not easy to be detect by any firewall or anti malware
software. Those malware are usually transfer to the server with a big loads of spam with email as
a camouflage. The china hacker normally disguise the malicious program with a name and file
extension so that the victim thinks he's getting something entirely different and tend to replied to
it. As users become savvier about Internet attacks, crackers find new ways to deliver their
programs in order to gain more access into the server. With all the disguise the malicious
program which is also called malware would be able to transfer to the organization server
without anyone realizing it. In the article it is clearly stated that the hacker had been in the server
6
since September 2013 which means they have complete access to the server for 1 year and 6
months without alerting the IT personnel of the University until an I.T personnel of University
Connecticut found trace of hack on March 2015.
2.1.7 Why only the faculty of engineering in University of Connecticut, United States had
been hacked? (Lim Jun Wei)
When a database is hacked the information of more than 20000 professors, students and
employee was exposed. These information might be useful for a foreign agent to bribe an
individual to hand over the research information and give up the valuable secret they are
researching by knowing what are the students and professor are working on. However this is not
the main purpose the hackers hack into the server. University of Connecticut is a major research
center which had collaboration with more than 650 major companies and the government sector.
The defense contracts, information of U.S defense system and technologies would be the main
aim of their operation. It would be a big score for another country to obtain such confidential
information of a nation. However, after an observation and investigation of 6 months no
evidence of data being exploit or erase by the hacker in the period of 2 years time since they
gain access into the server.
2.1.8 What had been done in the moment to solve this issue? (Lim Jun Wei)
In the moment, IT personnel in University Connecticut had been investigating the extent
of the compromised information stolen from the Universitys Server. Besides report the incident
to FBI for further investigations, the university also taking extra measures to protects its server.
In addition to assisting individuals and research partner in responding to this matter we are
taking further steps to secure our database systems too. Further steps to enhance the server
security included enhancing the firewall system firewalls are an essential part of any server
configuration. Even if your services themselves implement security features or are restricted to
the interfaces you'd like them to run on, a firewall serves as an extra layer of protection. A
properly configured firewall will restrict access to everything except the specific services you
need to remain open, the authority can also imply SSH keys security which only enable
individuals to connect when they pass the SSH Keys authentication with passwords.
2.1.9 Why the current solution have failed to solve the current issue? (Lim Jun Wei)
In information technologies (I.T) there are nothing known as perfect. There would
definitely be loophole somewhere in the defense system which we did not aware of. However the
hacker discover the loophole in the system and manage to breach into the server defense system
using various kinds of malware. A new solution would always come up after the problem has
been defined but however in the future hackers still manage crack in when they discover the
loophole of the defense system and comes up with a brand new malware and method which is
more advanced and powerful than the previous attempts.
Educational
Institutions
Location
Type of
breach
Case
Total
Records
Mar
13,
2013
Salem State
University
Salem,
Massachusetts
Hacking or
Malware
Server infected by
virus (Paychecks)
25,000
Apr
9,
2013
Kirkwood
Community College
Cedar Rapids,
Iowa
Hacking or
Malware
Database hacked
(Social security
number, Name)
125,000
Jun
24,
2013
Florida State
University, Florida
Department of
Education
Tallahassee,
Florida
Unintended
disclosure
Data exposed
during transfer data
(Social security
number, Address)
47,000
Jul
30,
2013
University of
Delaware
Newark,
Delaware
Hacking or
Malware
Vulnerability in
software (Social
security number,
Name)
74,000
Aug
16,
2013
Ferris State
University
Big Rapids,
Michigan
Hacking or
Malware
Unauthorized
access to computer
network (Social
security number,
Name)
62,000
Sep
28,
2013
Virginia Polytechnic
Institute and State
University (Virginia
Tech)
Blacksburg,
Virginia
Hacking or
Malware
Server of Virginia
Tech's Department
of Human
Resources been
hacked (License
number)
144,963
Feb
19,
2014
University of
Maryland
College Park,
Maryland
Hacking or
Malware
Database hacked
(Social security
number, University
identification
number)
309,079
Feb
Indiana University
Bloomington,
Hacking or
Accessed by three
146,000
26,
2014
Indiana
Malware
automated
computer (Social
security number,
Address)
Mar
6,
2014
North Dakota
University
Bismarck,
North Dakota
Hacking or
Malware
Server hacked
(Name, Social
security number)
290,780
May
30,
2014
Arkansas State
University College
of Education and
Behavioral Science's
Department of
Childhood Services
Jonesboro,
Arkansas
Hacking or
Malware
Database hacked
(Social security
number)
50,000
Jun
16,
2014
Riverside
Community College
Riverside,
California
Unintended
disclosure
35,212
Jun
30,
2014
Butler University
Indianapolis,
Indiana
Hacking or
Malware
Hackers hack
personal
information
(Bank account,
Social security
number)
163,000
Jan
21,
2015
Mount Pleasant
School District
Mount
Hacking or
Pleasant, Texas Malware
Downloaded virus
files (Social
security number,
Address)
915
Feb
18,
2015
University of Maine
Orono, Maine
Portable
Device
941
May
15,
2015
University
Park,
Pennsylvania
Hacking or
Malware
Server hacked
(Social security and
credit cards
number)
18, 000
10
11
2.2.2 Data breach of Business-Financial and Insurance services (BSF), Government and
military (GOV), Healthcare-Medical providers (MED) in United State from the year 2013
to 2015.
Date
Type of
institution
Type of
breach
May
9,
2013
GOV
Administrative Office
of the Courts Washington
(Olympia,
Washington)
Hacking or
Malware
Server hacked
(Driver license
number, Social
security number)
1,000,000
Jul 3, GOV
2013
Unintended
Disclosure
Programming error
(Demographic
information, Bank
balance and assets)
187,533
Jul 5, BSF
2013
Morningstar
Document Research
(Chicago, Illinois)
Hacking or
Malware
Intrusion (E-mail
password, Credit
card numbers)
182,000
Jul
17,
2013
BSF
Unintended
Disclosure
Improper redacting
information (Social
security number,
Sensitive
information)
146,000
Aug
13,
2015
MED
Michigan Department
of Community Health,
Michigan Cancer
Consortium
(Lansing, Michigan)
Hacking or
Malware
Server hacked
(Cancer screening
test result, Address)
49,000
Dec
5,
2014
BSF
JPMorgan Chase
Hacking or
(New York, New York) Malware
465,000
Feb
5,
2014
MED
Server hacked
(Patient names,
Address)
405,000
Hacking or
Malware
12
Case
Total
Records
May
14,
2014
BSF
Paytime
(Mechanicsburg,
Pennsylvania)
Hacking or
Malware
Data breach
(Deposit bank
account
information)
233,000
Nov
10,
2014
GOV
US Postal Service
(Washington, District
Of Columbia)
Hacking or
Malware
Computer networks
hacked (Social
security number,
Dates of
employment)
800,000
Nov
25,
2014
GOV
Unintended
Disclosure
Breach reported
2 million
after vendor dispute
(Medical and
billing record)
Mar
16,
2015
MED
Advantage Dental
(Redmond,
Washington)
Hacking or
Malware
Database hacked
(Social security
number, Address)
151, 626
May
20,
2015
BSF
CareFirst BlueCross
BlueShield
(Baltimore, Maryland)
Hacking or
Malware
Database hacked
(Insurance
identification
number)
1.1 million
Jun
4,
2015
GOV
Office of Personnel
Management (OPM)
(Washington , District
Of Columbia)
Hacking or
Malware
Data breach
(Employees job
assignment,
Performance)
21.4
billion
Jul
17,
2015
MED
Hacking or
Malware
Data breach of
network (Medicare,
Health plan
identification
number)
4.5 billion
Sep
10,
2015
BSF
Hacking or
Malware
System hacked
(Social security
number, Financial
information)
10,000,000
13
Based on the chronology above which is the data breach of Business-Financial and
Insurance services (BSF), Government and military (GOV), Healthcare-Medical providers
(MED) in United State from the year 2013 to 2015 above shows that most of the cases happen
under hacking or malware category. These data prove that data breach not only happen in
education field but also other vital fields. U.S government accused China of sponsoring cyberattacks against American institutions but what is the reason of this accusation. This accusation
have been discussed for many years, and generally based on certain suspicious and assumption.
The first assumption that U.S assume China taking part in sponsoring cyber-attack is
China wants to get advanced technology from U.S for helping its own country in different
sectors. Chinas improvement and successful innovations in high technology field become the
reason of the suspicious from U.S. According to Mandiant most noticeable report was released
on February 19, 2013 with a title Exposing one of the Chinas cyber espionage units, he says
that thousands of cyber-attacks have come from one neighborhood which is near Shanghai area
and the espionage group is mainly targeted U.S blue chip companies in 20 separate industries
from aerospace to financial services. However, Chinese foreign ministry spokesman, Hong Lei
says that making unfounded accusations based on preliminary results is both irresponsible and
unprofessional. China resolutely deny the hacking actions and establish relevant laws and
regulations, develop strict law enforcement to defend against the hacking activities.
14
to crack than weak password. Therefore, a secure information technology computer system must
has strong passwords for all their user accounts in order to ensure and protect their clients
databases. There are some ways to apply strong password policy for personal user account to
protect their private information secure as shown below;
A typical strong password policy might include:
Password must contain at least two numerical digital, two alphabetical characters and at
least two special character such as (%,,&, @, #, $)
Password may not contain any words in the dictionary or any commonly used IT login
names such as (Administrator, Admin, Sa, Password)
Passwords using may not contain any personal information such as (birthday or name)
Evidence:
To demonstrate the dangers of a weak password, in year 2008, a Skype user accidentally broke
into the Bank of France by using the password 123456. He didnt steal anything and he was
found not guilty in the subsequent court case after the police caught up with him. However, this
could have turned into a major disaster, had he been a hacker rather than a mere Skype user
looking for a means to make cheap phone calls. Many hackers have broken into countless
websites and organizations since the raise of the Internet world. These include Hotmail, Yahoo!,
Bank of America, Linkedln, NASA, and the Pentagon, and $10 million online heist carried out at
CITIbank by Vlasmir Levin in 1994. In year 2004, Microsoft Corporation fell prey to a password
hacker that stole the whole source code of Window 2000. The hacker was never caught. Lately, a
hacker stole the password to a Twitter account held by the Associated Press (AP) and posted a
fake story on Twitter said that explosion at the White house. Because of APs credibility, the
story led to a 143 point drop in the New York Stock Exchange (NYSE), costing around billions
of dollars losses in economic which were fortunately reversed when NYSE recovered entirely.
Almost every day, countless of people fall prey to hackers who steal their important passwords,
and facing the problem of losses consequently. The reason this problem keep happening because
16
their passwords are weak, or they do not know the importance of enacting effective password
protection techniques.
3.2 Solution 2:
Implement encryption on database in United States university. Create database encryption key to
strengthen the security system in database. - Hong Wei Thing (1132702897)
Technique: Bionic (Crab, Tortoise)
The technique I choose to solve IT systems that failed to maintain the security and integrity is
bionic. The animal I choose to represent my solution is either crab or tortoise as they both having
a hard shell to protect their own from danger situation. This situation is likely same with the
problem we faced, data breach and we implement encryption on database as protection from
hackers.
Definition:
Encryption on database is defined as the process of hiding information to make it unreadable
without a decryption key. Create a transparent decryption key is used to transparently encrypt the
database. Decryption key is only known by the party or parties that exchange the secret messages
and cannot be exported from the database. It is available only to the system. When the database
owner (DBO) is changed, the database encryption key does not have to regenerate. The goal of
encryption is to ensure that even the sensitive information is exposed or compromised, the
information is still remain useless to anyone without the decryption key to decrypt it and make it
difficult for someone to steal the information.
Types of encryption on database:
Transparent or external encryption refer to the encryption of the whole database. This is provided
by native encryption functions within the database engine. Column and table level granularity is
offered by some database vendors, but it becomes common as it begins to apply encryption for
all data. It is called transparent database encryption due to the invisible to users that use the data
and to the applications. Transparent encryption is to ensure the information did not exposed from
physical media (disk) or storage. It can also be controlled through drive or OS/ (Operating
17
System) file system encryption with applying encryption on disk. Although these options are lack
of the protections of native database encryption, but both are invisible to the application and
require the same code or schemas. Database from users without database credentials will be
protected by transparent encryption but data from authorized users will not be protected.
User or data encryption is describing the encryption of specific tables, columns or data
information in the database. It is called user encryption due to the objects being encrypted are
managed and owned by a user. Only the highly sensitive data is protected such as credit card
number is being encrypted in database using this encryption model. The purpose of this
encryption model is to ensure unintended disclosure is well protected and separation of duties on
credentialed users in the database is well enforced. The only disadvantage is that these forms are
visible to the application and require code and database changes. The successful of this
encryption method is depends on how the way key management handle in using internal vs.
external encryption services and applications in database. Transparent encryption is offered from
some vendors to apply on specific tables or columns, but the major purpose is still focusing on
the media loss and file protection and not separation of duties.
Evidence:
Based on ellusion website with a title Banner data defense at Texas Technology University: The
importance of database-level encryption shows that Texas Technology University begins to
apply database encryption from 6.00a.m, 15 September 2014 (Saturday) until 16 September 2014
(Sunday). The Texas Technology University System was aware of these threats and willing to set
a budget of $1.75 billion for this complex system to ensure more than 44,000 students in their
academic institutions and medical schools information are keeping safely and securely. It is
important to encrypt database as hackers often target unencrypted database first which allow
them to get in and out immediately. Database encryption also helps institution to comply with
private and regulatory instructions by transparently encrypt information data such as social
security number, birth dates and other personal identifiable information. According to Texas
Technology Universitys review, they choose Banner Data Defense as this software package
18
combines multiple layers of Information Technology (IT) security defense solution which
including encryption, firewall and audit tool. Is an all in one software.
3.3 Solution 3:
Establish an I.T assist team to research the method used by China hackers to hack into U.S
network security system. Design a new firewall and antimalware system according to the method
used by China hackers to prevent them from hacking into the server again.
- Lim Jun Wei (1132702896)
Technique: If I were method
If I were Barrack Obama the President of United States, I would be worried about the cyberattack incident that takes place in the nation. The information which is stolen by the other
country from our server might lead to a great disadvantage on our defense system nor our
political status and economy status. The data might be a high confidential project which is still
under research or just the information of the federal employees no matter what data does the
hacker acquire it can still deal a great damage to the nation. It would be a great score for other
nation to acquire a confidential information from another. To protect the nation privacy and
security I would probably establish an I.T assist department which takes direct order from the
homeland defense department in order to solve the crisis of confidential data leak. As a rational
leader, I would not accused anyone for conducting any act before any evidence is found because
the accusation would be groundless. A groundless accusation would not be an act of a critical
thinker. By establish an I.T team to mainly focus on researching the method that china hackers
hack, the team would be able to determine the weakness of the hacking method. The team also
have the responsibility to invent a new antimalware software and firewall in order prevent the
hackers from breaching in the server again. The assist team is also responsible on guiding and
providing information and software to all the organization in United States, with the help of the
I.T assist team all the organization would be able to upgrade their information technology
security by that the risk of being hack is decreased to the minimum. Last but not the least, the I.T
support team should also observe and check the server to make sure the server does not has any
disuniform and clean from malware time to time. By implementing this plan, the U.S
19
government would be able to solve the problem from the root by upgrading the security of
information technology system and maintain the security and integrity of the entire nation server.
(A) ADVANTAGES
(B) DISADVANTAGE
(A) - (B) = 4 - 1
=3
Advantages:
1) Able to guarantee clients personal information is being protected well.
As the length and characters of password increase would stronger the passwords,
similarly it means the account password not easily being crack by hacker so will keep the
safety of organization database and the secure of people information.
20
Stronger password will increase the difficulty level and not easily for hacker to crack into
someones account. In this 21th century as the number of hackers are increasing, it is
crucial for everyone who are using information system account to set a stronger account
number in order to prevent being one of the cyber victim.
It does not cost much money for upgrading the system for an organization and make it
compulsory for all their clients to set strong passwords. Besides that, every company or
organization have their responsibilities to protect their customers personal information
and being secure well. So, company should ensure the safety of clients and do not being
so call cyber victim.
Nowadays, we can see from the news and internet the number of hacker keep increasing
every year in global. However, simply strengthen the number of password would reduce
the rate of hacking per year in global. It is because some hackers who do not have such
high level of skill to hack into account with the existing of stronger password.
Disadvantage:
1. Long characters password can be easily forget by people and hard to memorize for
someone.
Stronger password has its pros but also has its cons. Hard for people to memorize long
characters password has become the cons of a strong password. Many people tend to
create a short account password number in order to easily memorize, so when they
change to a longer password number theyll easily forget and feel hard to remember those
number and characters.
21
(A) ADVANTAGES
(B) DISADVANTAGE
With using database encryption, University is able store students private and personal
data such as social security numbers, payment information, financial aid records, grades
and etc securely from hackers. Although some of the information like names, address or
date of birth is considered less important, but hackers is able to use these basic
information to get ones credit information. Therefore, implementation of encryption of
database is a must to let lecturers, office staffs and students feeling safe.
A data breach would lead a negative impact towards the reputation of a university. The
public ought to feel the lack of privacy and security if they were to enroll into the
university. Meanwhile, a data security breach of an university would be classify as an
inefficient act by management of the university because they did not carry out their
22
responsibility to ensure the privacy of the students and professor. In contrast, when a
university is free from data breach cases, the reputation of the university would also
followed to increase.
3. Encrypted data can only be read by a system or user who has the key to unencrypt
the data.
Encryption key is stored outside the database in an external security module. Only
security administrator able to access into the database, getting information. For this
external security module, Oracle uses an Oracle wallet to store the master encryption key
for the prevention of unauthorized user hacked in. When a new master encryption key is
set, user must back up a copy of the wallet. Backup process have to be separated, this is
because in case the backup tape get lost, the third person will not have the chance to get
both wallet and encrypted data. Below shows the image using encryption key to encrypt
or decrypt the database.
Disadvantage:
23
(B) DISADVANTAGES
Followed by the establishing of the I.T team, a solution to maintain the security and
integrity from the invasion of china hackers would be presented. When the security of our
Information system is enhanced by new software. The difficulties of hacking into our
server would also be increasing but nothing is perfect in Information Technology there
are for sure loophole somewhere in the server eventually the hackers will find out a new
methods to implant their malware. However, the experts in the assist team will observe
the server from time to time to make sure that the server is clean of malware.
When the hackers hack into the U.S server, information of the users in the organization
will all be exposed to the hackers. When all the information is exposed an individual
privacy had been invaded. By ensuring the server and data maintaining its security and
integrity the privacy of millions of citizen would also be secured and restored.
3. Confident and trust of the citizens towards the government will increase.
When the government is making effort to protect the privacy of their citizens, the citizen
feel relieved to be protected. The government effort on ensuring the server and database
safe from hacker, can also make the citizens to gain confidence and trust towards the
government efficiency and responsibility.
Disadvantages:
1. Establish a new department would consume a lot of budget for the operational cost.
Every department require an operation cost to run, when the government is setting up a
new department more budget would be used on setting up this new department.
Furthermore, the budget for setting up Information Technology (IT) department would
consume more than setting up a normal department as I.T appliances are very costful.
Update of data security system would make a change on the software interface employee
is used to. The change might cause inconvenience to the staff and hence slowing down
the productivity of the employee. Besides that an update will be patch time to time
following the advancement of information technology.
25
Transparent or external encryption refer to the encryption of the whole database. This is provided
by native encryption functions within the database engine. Column and table level granularity is
offered by some database vendors, but it becomes common as it begins to apply encryption for
all data. It is called transparent database encryption due to the invisible to users that use the data
and to the applications. Transparent encryption is to ensure the information did not exposed from
physical media (disk) or storage. It can also be controlled through drive or OS/ (Operating
System) file system encryption with applying encryption on disk. Although these options are lack
of the protections of native database encryption, but both are invisible to the application and
require the same code or schemas. Database from users without database credentials will be
protected by transparent encryption but data from authorized users will not be protected.
26
User or data encryption is describing the encryption of specific tables, columns or data
information in the database. It is called user encryption due to the objects being encrypted are
managed and owned by a user. Only the highly sensitive data is protected. So normally credit
card number is being encrypted in database using this encryption model. The purpose this
encryption model is to ensure unintended disclosure is well protected and separation of duties on
credentialed users in the database is well enforced. The only disadvantage is that these forms are
visible to the application and require code and database changes. The successful of this
encryption method is depends on how the way key management handle in using internal vs.
external encryption services and applications in database. Transparent encryption is offered from
some vendors to apply on specific tables or columns, but the major purpose is still focusing on
the media loss and file protection and not separation of duties.
Evidence: Based on ellusion website with a title Banner data defense at Texas Technology
University: The importance of database-level encryption shows that Texas Technology
University begins to apply database encryption from 6.00a.m, 15 September 2014 (Saturday)
until 16 September 2014 (Sunday). The Texas Technology University System was aware of these
threats and willing to set a budget of $1.75 billion for this complex system to ensure more than
44,000 students in their academic institutions and medical schools information are keeping
safely and securely. It is important to encrypt database as hackers often target unencrypted
database first which allow them to get in and out immediately. Database encryption also helps
institution to comply with private and regulatory instructions by transparently encrypt
information data such as social security number, birth dates and other personal identifiable
information. According to Texas Technology Universitys review, they choose Banner Data
Defense as this software package combines multiple layers of Information Technology (IT)
security defense solution which including encryption, firewall and audit tool. Is an all in one
software.
There are some advantages of having this solution. The first one is University is able to
protect students personal data. With using database encryption, University is able store students
private and personal data such as social security numbers, payment information, financial aid
records, grades and etc securely from hackers. Although some of the information like names,
27
address or date of birth is considered less important, but hackers is able to use these basic
information to get ones credit information. Therefore, implementation of encryption of database
is a must to let lecturers, office staffs and students feeling safe.
Secondly, Universitys reputation will be higher as data breach cases reduce. A data
breach would lead a negative impact towards the reputation of a university. The public ought to
feel the lack of privacy and security if they were to enroll into the university. Meanwhile, a data
security breach of an university would be classify as an inefficient act by management of the
university because they did not carry out their responsibility to ensure the privacy of the students
and professor. In contrast, when a university is free from data breach cases, the reputation of the
university would also followed to increase.
Thirdly, encrypted data can only be read by a system or user who has the key to
unencrypt the data. Encryption key is stored outside the database in an external security module.
Only security administrator able to access into the database, getting information. For this
external security module, Oracle uses an Oracle wallet to store the master encryption key for the
prevention of unauthorized user hacked in. When a new master encryption key is set, user must
back up a copy of the wallet. Backup process have to be separated, this is because in case the
backup tape get lost, the third person will not have the chance to get both wallet and encrypted
data. Below shows the image using encryption key to encrypt or decrypt the database.
However, there will also be disadvantage for United States University if they
implementing this solution to their University. The disadvantage is the higher cost that needed to
apply on database encryption. Due to the complexity of database encryption, especially in large
databases, the implementation fees is costful. Large databases need special designed encryption
to suit database. The system need to have capacity and upgrades system to perform and maintain
data encryption efficiently and effectively. The reduction of systems operations can be obviously
compromised without an effective system. Anyway, the cost for applying the encryption on
database is lower compared to solution 3 which is establishing an I.T assist team to do research
on the method used by China hackers.
28
6.0 Reference:
Aaron Weiss (2012, Aug 6). How to prevent SQL injection attacks. Retrieved from
http://www.esecurityplanet.com/hackers/how-to-prevent-sql-injection-attacks.html
Arshad Noor, Boaz Gelbord, Clarkendweller, Dave Howe, JohnF, Mostafa Siraj, pktsniffer,
Sharon Besser, Terence Spies. Understanding and Selecting a Database Encryption or
Tokenization Solution. Retrieved from
https://securosis.com/assets/library/reports/Securosis_Understanding_DBEncryption.V_.
1_.pdf
A students need to know guide to web security. (2015). Retrieved from
http://www.onlineuniversities.com/internet-security/
Betsy Ziobron. (2003, July 1). Keeping campus networks safe and secure. Retrieved from
http://www.cablinginstall.com/articles/print/volume-11/issue-7/contents/security/keepingcampus-networks-safe-and-secure.html
Chronology of data breaches. (2015). Retrieved from
https://www.privacyrights.org/data-breach/new?title=&page=1
Database files and filegroup. (2015). Retrieved from
https://msdn.microsoft.com/en-us/library/ms189563.aspx
Ellusion. (2015). Texas Tech University System learns the value of database-level
encryption. Retrieved from
http://www.ellucian.com/Insights/Texas-Tech-University-System-learns-the-value-ofdatabase-level-encryption/
Emma Kavanagh. (2015). Strong password protection. Retrieved from
http://www.nortonsecurityonline.com/security-center/strong-password.html
Identity theft protection service. (2012, July). Retrieved from
http://www.consumer.ftc.gov/articles/0235-identity-theft-protection-services
Is China really behind the Office of Personal Management (OPM) hack? [video file].
Retrieved from https://www.youtube.com/watch?t=119&v=8S_9Dhbogsk
Oracle help centre. (2015). Database Advanced Security Administrator's Guide. Retrieved
from http://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm
Paolo Passeri. (2014, Jan 19). 2013 Cyber attacks statistic (Summary). Retrieved from
29
http://www.hackmageddon.com/2014/01/19/2013-cyber-attacks-statistics-summary/
Paolo Passeri. (2015, Jan 13). 2014 Cyber attacks statistic (Aggregated). Retrieved from
http://www.hackmageddon.com/2015/01/13/2014-cyber-attacks-statistics-aggregated/
Paolo Passeri. (2015, Sep 10). August 2015 Cyber Attacks Statistics. Retrieved from
http://www.hackmageddon.com/2015/09/10/august-2015-cyber-attacks-statistics/
Securing stored data using transparent data encryption (2015). Retrieved from
http://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm
Texas Tech University. (2014, Nov 03). TechAnnounce. Retrieved from
http://www.techannounce.ttu.edu/Client/ViewMessage.aspx?MsgId=163168
Tips for creating strong password (2015). Retrieved from
http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strongpassword#TopOfPageTarget
The importance of strong passwords. (2010, Oct 5). Retrieved from
http://www.utexas.edu/its/secure/articles/importance_strong_passwords.php
Who is the high value targeted area for further attack, who might be the good target for
human recruitment the spy. [video file]. Retrieved from
https://www.youtube.com/watch?v=swZR8OCQmyY
30
31
Michael Mundrane, UConn's chief information officer and vice provost said the university
placed "the highest priority on maintaining the security and integrity of its information
technology systems."
"The unfortunate reality is that these types of attacks are becoming more and more common,
which requires us to be more vigilant in protecting our university community," he said. "That's
why, in addition to assisting individuals and research partners in responding to this incident,
we're taking steps to further secure our systems."
In recent months the U.S. has accused China of sponsoring cyber-attacks against American
institutions.
In June, a series of cyber-attacks against the Office of Personnel Management saw the theft of
sensitive data affecting over 20 million people. After the highly publicized breach, James R.
Clapper Jr., director of national intelligence, blamed China for the cyberattack. He said "you
have to kind of salute the Chinese for what they did."
Despite numerous allegations, the Chinese government has denied any involvement in the
hacking scandals. Beijing has insisted that China is also a victim of cyber-attacks.
According to the New York Times, the Obama administration has been considering the issue of
cyber-attacks and has decided to retaliate against China for the Office of Personnel Management
breach.
However, U.S. authorities are thorn between the natures of the response, as they want to avoid
exacerbating the cyber-hacking conflict between the two countries.
"One of the conclusions we've reached is that we need to be a bit more public about our
responses, and one reason is deterrence," a senior official informed NY Times on White House
deliberations on the issue. "We need to disrupt and deter what our adversaries are doing in
cyberspace, and that means you need a full range of tools to tailor a response."
Despite having different opinions on the issue of cyber-attacks, US officials are united on the fact
that if nothing is done the attacks are likely to increase.
The U.S. Department of Justice recently indicted five officers of the People's Liberation Army on
charges of stealing intellectual properties from American companies. Many view the proceedings
as only symbolic as the Chinese officials will not be prosecuted unless in an American court.
32