3 Cyber Security
Distrust and caution are the parents of security.
—Benjamin Franklin
3.1 Introduction
And the winner is … Heartland Payment Systems, for the single largest data breach in US history. Heartland is a payment processor: it acts as an intermediary between merchants and the banks, and so it clearly has a significant amount of personal customer data stored on its systems. The data that were stolen, as I am sure you have already guessed, were payment card data (130 million credit card numbers, expiration dates, and cardholder names). The Heartland Payment Systems hacker, who was also responsible for the TJX breach in 2007, used an SQL (structured query language) injection: attacker-supplied input reached the database layer behind the company’s website as part of a query, letting the attacker issue simple database commands through the website’s own queries. SQL injections are unfortunately not uncommon and have been part of other data breaches. Table 3.1 shows some other large data breaches.
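The mechanism behind the Heartland and TJX intrusions described above, as an added example that is not part of the original chapter: a Python script (standard-library sqlite3 only) builds a small in-memory table of constructed, fake card records and then runs the same customer lookup two ways. The vulnerable version splices the caller's input into the SQL text, so a crafted username of nobody' OR '1'='1 rewrites the WHERE clause and dumps every row; the parameterized version binds the input as data, so the same string matches nothing. The table, column names, sample values and payload are assumptions made for the demonstration and have nothing to do with Heartland's actual systems.

```python
import sqlite3

# Constructed sample data standing in for a payment processor's card table.
# These are test-pattern numbers, not real cards; all values are made up.
SAMPLE_CARDS = [
    ("alice", "4111111111111111", "12/27", "Alice Example"),
    ("bob", "5500000000000004", "03/26", "Bob Example"),
    ("carol", "340000000000009", "09/28", "Carol Example"),
]

# A classic tautology payload: closes the quoted literal, then appends a
# condition that is true for every row.
INJECTION = "nobody' OR '1'='1"


def build_db():
    """Create an in-memory database with the (hypothetical) cards table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (merchant_user TEXT, pan TEXT, expiry TEXT, holder TEXT)"
    )
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?, ?)", SAMPLE_CARDS)
    return conn


def lookup_vulnerable(conn, username):
    """Look up a customer's card by splicing the username into the SQL text.

    The bug: the caller's string becomes part of the statement's structure,
    so quotes and keywords in it are interpreted by the database engine.
    """
    sql = f"SELECT pan, expiry, holder FROM cards WHERE merchant_user = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The fix: the statement shape is fixed at write time and the driver passes
    the value separately, so the input can only ever be compared as data.
    """
    sql = "SELECT pan, expiry, holder FROM cards WHERE merchant_user = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a legitimate name and against the payload.

    Returns the row counts so the difference is easy to check.
    """
    conn = build_db()
    return {
        "normal": len(lookup_vulnerable(conn, "alice")),  # one row, as intended
        "dumped": len(lookup_vulnerable(conn, INJECTION)),  # every row in the table
        "safe": len(lookup_parameterized(conn, INJECTION)),  # no such user: zero rows
    }


if __name__ == "__main__":
    print(demo())  # {'normal': 1, 'dumped': 3, 'safe': 0}
```

Parameterization removes the structural flaw that makes the tautology work, but it is a fix for one entry point; the chapter's wider point stands, namely that the database account used by a public-facing application should hold only the privileges that application needs, and that query behaviour should be monitored continuously rather than checked once at audit time.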
The scariest part of this data breach is that Heartland was fully compliant with the Payment Card Industry Data Security Standard (PCI-DSS) at the time of the intrusion. The takeaway from this incident is that “compliance with industry standards is no guarantee of security” (Vijayan 2010). Thus, going beyond the standards is a must. It is a wake-up call for companies that feel they are secure because they passed the PCI security audit. This is not to say that PCI and other standards are not good, but rather to point out that companies need to monitor their assets and points of entry continuously. For example, companies need to realize that they must protect not only the most critical servers but also the servers that control things such as heating, ventilation, and air conditioning, the ones that seem less important, said Peter Tippett, vice president of technology and innovation at Verizon Business (King 2009). If you ask a hacker, he or she will tell you that those “noncritical,” possibly forgotten servers are the ticket inside your network. In sum, risk assessment needs to be proactive and continuous because the threats are continuously changing.
Whether you are a manager who needs to establish and implement an information security program or an engineer who wants to understand the information security program where you work, this chapter is a great place to start, as it is an overview of the major components that are recommended to be part of any security program. First, let us define two terms: information security and cyber security. Information security is the process of protecting data against unauthorized access while ensuring its availability, privacy, and integrity. Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access; in other words, it implies more than the protection of data. Therefore, information security can really be considered a subset of cyber security. However, in practice these terms are used interchangeably. We can conclude that the difference between information security and cyber security is that cyber security includes a few additional elements such as application security, network security, disaster recovery, and business continuity planning. Just in case there are any linguists reading this chapter, the history of the word “cyber” was explained by Ed Felten in his 2008 article, “What’s the Cyber in Cyber-Security?” Essentially, it started with a Greek word for the steersman of a boat; Plato used it in the sense of “governance”; in the twentieth century, Norbert Wiener used “cybernetics” for the study of control and communication in machines and living things; and finally, William Gibson coined the word “cyberspace” in his novels about the future. Now it seems that the word “cyber” is put in front of anything and everything associated with the Internet.
3.2 Information Security
Information security is a system consisting of many parts: software, hardware, data, people, procedures, and networks (Whitman and Mattord 2012). Each component of the system clearly has different security requirements, but they are all based on the CIA Security Triad Model (44 United States Code, Section 3542). The following are the official definitions of the security characteristics as well as the model (Figure 3.1):
Availability: Ensuring timely and reliable access to and use of information
TABLE3.1
Large Data Breaches
Global Payments January 2012 1.5 Million accounts
CardSystems Solutions January 2005 40 Million accounts
TJX Companies January 2007 90 Million accounts