1. Explain how Bibliofind might have used firewalls to prevent the intruders from gaining access to its transaction servers.
Firewalls belong at a company's Internet entry points as the first layer of protection in its IT security system, so however many entry points Bibliofind had, each one should have had a firewall installed. A firewall could have helped Bibliofind prevent crackers from accessing its network and its customers' personal data, but it would not have eliminated the risk altogether; a firewall is only one tool in a combination that also includes encryption and intrusion detection systems, which are the next layers of protection. Had Bibliofind used firewalls to keep intruders out, it would have chosen one or more of three methods: packet filtering, proxy service, or stateful inspection (a combination of sorts of packet filtering and gateway service).
With packet filtering, packets (small chunks of data) are analyzed against a set of filters; packets that pass the filters are sent on to the requesting system and the rest are discarded. With a proxy service, the firewall itself retrieves information from the Internet and then passes it to the requesting system, and vice versa. With stateful inspection, the firewall does not examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information.
Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, and incoming information is then compared to those characteristics. If the comparison yields a reasonable match, the information is allowed through; if not, it is discarded. But even with these methods in use, Bibliofind should also have customized its firewalls and configured them specifically to protect the computers and Web servers that held its customers' personal information.
The crackers accessed Bibliofind's computers remotely for four months and gained access to the servers that contained plain-text files of customers' personal data. So the configuration should have included rules on the firewall protecting the Web server, such as that the computer or server holding the customer data would not be allowed to receive public FTP traffic, in addition to encryption, which would have rendered the text files useless to the crackers.
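As an added illustration (not from the case study and not Bibliofind's actual configuration), the Go program below simulates the firewall behaviour described in this answer: a table of connections opened from inside that stateful inspection checks replies against, a rule denying public FTP to the server holding customer data, and web ports open only on the public Web server. It also default-denies everything else, which goes one step beyond the text; the addresses and the two-server layout are assumed.

```go
package main

import "fmt"

// Packet holds the "key parts" a stateful firewall compares; Syn marks a new TCP connection.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Syn              bool
}

// conn identifies an established connection by its inside and outside endpoints.
type conn struct {
	inIP, outIP     string
	inPort, outPort int
}

// Firewall applies a fixed rule set plus a table of connections opened from inside.
type Firewall struct {
	webServer, dataServer string // constructed addresses; the network layout is assumed
	state                 map[conn]bool
}

func NewFirewall(webServer, dataServer string) *Firewall {
	return &Firewall{webServer: webServer, dataServer: dataServer, state: map[conn]bool{}}
}

// Outbound records a connection leaving the network so its replies are let back in.
func (f *Firewall) Outbound(p Packet) {
	f.state[conn{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}] = true
}

// Inbound decides whether a packet arriving from the Internet is accepted.
func (f *Firewall) Inbound(p Packet) (bool, string) {
	if f.state[conn{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}] {
		return true, "reply to a connection opened from inside"
	}
	if p.DstIP == f.dataServer && (p.DstPort == 20 || p.DstPort == 21) {
		return false, "public FTP to the customer-data server is denied"
	}
	if p.DstIP == f.webServer && p.Syn && (p.DstPort == 80 || p.DstPort == 443) {
		return true, "web traffic to the public Web server is allowed"
	}
	return false, "default deny: no rule allows this packet"
}

func main() {
	fw := NewFirewall("203.0.113.10", "10.0.0.5")
	fmt.Println(fw.Inbound(Packet{"198.51.100.7", "10.0.0.5", 40000, 21, true}))
}
```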
2. Explain how encryption might have helped prevent or lessen the effects of Bibliofind’s security breach.
As mentioned in the previous answer, firewalls are only a first line of defense in securing a company's valuable digital data and systems, and the same applies to encryption. All of these security measures should be used in combination, and proper configuration of IT systems is key to an e-commerce company's success with IT security. Encryption is the process of transforming readable information, such as Bibliofind's 98,000 customer names, addresses and credit card numbers, into unreadable data using an algorithm.
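To make concrete the point of this answer, that an encrypted customer file is useless to a cracker who does not hold the key, here is an added Go example (not code from the case study or from Bibliofind) that encrypts one record with AES-256-GCM and shows that decryption with the wrong key fails outright instead of yielding data. The record content is a constructed sample and the key handling is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord turns a readable customer record into ciphertext; a fresh nonce is prepended.
func EncryptRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// DecryptRecord recovers the record; with the wrong key the GCM tag check fails and no plaintext is returned.
func DecryptRecord(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(data) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(data))
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

func main() {
	key := make([]byte, 32) // in practice kept in a key store, never beside the data files
	rand.Read(key)
	ct, _ := EncryptRecord(key, []byte("Jane Doe,1 Main St,CARD-PLACEHOLDER")) // constructed sample
	_, err := DecryptRecord(make([]byte, 32), ct) // cracker with the file but not the key
	fmt.Println(len(ct), "bytes of ciphertext; wrong-key error:", err)
}
```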
Again, encryption on its own will not prevent cracking attempts, but it must be used in conjunction with other security methods to protect customer data, as in Bibliofind's case. Digital certificates could also have been part of the security protecting Bibliofind's site. Had Bibliofind encrypted its customer data files and the crackers still obtained them, the data would have been useless to them without the cipher key; this could properly have been explained in a public relations statement and would have made Bibliofind look more technologically savvy and preemptive in the face of this security disaster.
3. Present arguments for and against the type of legislation that requires companies to inform customers whose private information might have been exposed during a security breach.
It is difficult to provide an argument against this type of legislation, since it is ethically the right thing for a company to do. If a customer's private or personal information has been obtained by someone the customer did not authorize, and this happened because of a security hole or breach at the business the customer has an account with, then it only makes common, business, and legal sense that the customer should be informed of this violation: it is their personal data, not the property of the business with which the customer transacts.
That being said, the argument for this type of legislation is that it makes common sense and business sense for ethical and legal reasons. The argument against it usually comes in the form of debates about "tort reform" and "frivolous lawsuits" from large profit-driven businesses that do not want to be accountable for any losses, damage or personal strife that may ensue when a customer's privacy or personal data has been compromised through holes in the business's security system and the customer, in turn, files a lawsuit against the company for failing to protect their data.
When the customer sues the company over the security breach, the business at fault will have to consult with or hire legal representation, which in turn costs money. Most companies don't like to spend money, only to profit, so when they see money being spent for any reason they will mount an argument against anyone or any case seen as a threat to their most important asset: money. There are various laws to protect businesses from frivolous or "nuisance" lawsuits, and the statistics on this subject show that it is not a significant problem for any business, including e-business.