USA: +1(669)289-8683 
Sign in
There are 4 cases in the attached file. I need someone to comment on each case I provided.
– Comment about what you think to each case, what should you do, and provide yourself experience/example if necessary.
– 100 – 150 words on each case
– No Format/Style
– I want this within 3 hours
PS. I also provide an example about how to comment at the last page of attached file.
Case 1
1.
What exactly occurred?
Twitter is one of popular social media that targeted to be hacked.
The social network said in that approximately 250,000 user accounts were potentially compromised, with attackers gaining access to information including user names and email addresses. The company first detected signs of an attack earlier in the week, which led to an investigation and the discovery of a larger breach. The company detected unusual access patterns that led to identify unauthorized access attempts to Twitter user data. They discovered one live attack and were able to shut it down in process moments later. However, their investigation has thus far indicated that the attackers may have had access to limited user information. Twitter has reset the passwords and revoked session tokens, which allow user to stay logged into the service without reentering a password, for all of these accounts. Affected users will not be able to log in and will receive an e-mail instructing them to reset their password.
2. How was the company affected?
Twitter reports that 250,000 user accounts may have compromised. The company is able to detect the hacker immediately and send e-mail to the affected users instructing them to reset their passwords. They also recommend all users to create strong passwords and disable Java in their browsers.
3. What (if any) measures has the company taken since the breach to prevent future similar incidents?
The company offers tips for all of its users going forward, including using strong passwords that mix numbers and symbols with upper- and lowercase letters, not using the same password for multiple accounts, update and upgrade antivirus software and disabling Java. The company also provides tips to keep the account secure and also steps to take if your account has been compromised.
4. In your opinion, did the company have sufficient security safeguards in place prior to the breach?
In my opinion, Twitter has sufficient security safeguards in place prior to the breach. Twitter is able to detect the attacker before they get through all 200 million monthly active users. 250,000 accounts of affected users is a small amount comparing to the number of Twitter active users. After they notice the attack, the company have been reset the password of affected users and send them e-mail to change their password. I believed that after the breach Twitter would be more aware of the security protection.
Case 2
1. What exactly occurred?
Google detected a coordinated attempt by Chinese entities to compromise the accounts of Chinese dissidents. David Drummond, Google’s chief counsel, said, “A primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” According to George Kurtz at McAfee, the attacks were part of a large-scale, well-organized operation called Aurora. As a result, Google has stopped censoring its search results in China, and has considered pulling out of the country entirely.
2. How was the company affected?
The attacks were not just about dissidents. The attacks appeared to be part of a coordinated campaign that targeted the intellectual property of a wide swath of the US industrial base, including Dow Chemical, Symantec, Yahoo!, Northrop Grumman, and Juniper Networks.
The attack will spur more collaboration between the US private and public sectors. Dispassionate observers will recall reports in the news from last year about large-scale industrial attacks against the US government and critical infrastructure. If these more recent attacks against private companies are also felt to be coming from similar sources (the PRC government, PLA red teams etc.), it won’t take a genius to start connecting the dots. A formal public/private attack data sharing program, with generous safe-harbor exemptions, would be a good start. Re-invigorating the ISACs would be another.
3. What (if any) measures has the company taken since the breach to prevent future similar incidents?
CISOs should dust off their social engineering playbooks and do some internal phishing testing on their employees to make sure their staffs get the message.
4. In your opinion, did the company have sufficient security safeguards in place prior to the breach?
I think it is not enough for security. As an international company, they should let each country’s customer information keep independent. I believe if the American hackers attack Chinese customer Gmail, same problem will be happen, too. The best thing enterprises can do now is examine their security program to make sure that it includes healthy balanced diet of controls that protect both toxic data and secrets. I describe what enterprises should consider in my recent report.
Case 3
In January 2012, Zappos.com was the victim of a cyber attack by a criminal who gained access to parts of its internal network and systems through one of its servers in Kentucky. More than 24 million of its customer accounts had been compromised. Hackers were able to access Zappos customer’s names, e-mail addresses, addresses, phone numbers, the last four digits of credit card numbers and cryptically scrambled passwords. Zappos then has expired all customers’ passwords, and directed customers to reset their passwords via a dedicated password-reset page.
Zappos lost its reputation, brand, and trust with its customers due to this incident. Since most of people use similar passwords for most of their online log-ins or even online banking. Therefore, the Zappos breach made huge sense of how dangerous it could be to its customers.
However, Zappos seems to have sufficient security safeguards in place prior to the breach as follow.
Advance planning mitigates breach fallout.
Zappos has already taken concrete information security steps,prior to the breach, to mitigate the potential fallout of any breach it might suffer. Such steps included hashing all user passwords and storing credit card data in a separate database.
Create a response plan in advance. Zappos appeared to have a data breach notification response plan already in place. As part of that plan, the company emailed all employees with details about the breach, and included a copy of the breach-notification email it then sent to customers.
Issue a clear, timely warning. After Zappos suffered a breach, the company issued a clear, timely notification to its customers, warning them that they should change their passwords on Zappos.com, as well as any other site on which they reused the same password
.
Secure stored credit card data. Cryptographically storing credit card numbers is a Payment Card Industry Data Security Standard (PCI DSS) requirement. Zappos apparently didfollow the PCI regulations. Zappos credit card information was encrypted or not stored in a way that hackers could use.
Case 4
Security breach is a situation where an individual intentionally exceeds or misuses network, system, or data access in a manner that negatively affects the security of the organization’s data, systems, or operations.
The article is talking about a security breach has exposed the information of many iPad owners including dozens of CEO, military officials, and top politicians. However, it does not stop. Because of AT&T network, there are 114,000 user accounts have been exploited. The information of exposing in the breach included email-address, associated ID and some information about identify the SIM card.
AT&T closed the security hole. However, the victims have been unaware. This will influence the relationship between Apple and AT&T. “Brisk sales for the original wi-fi iPad had promised to turn the 3G model into a similar profit machine.”
There are some methods of protecting consumers from security breaches. Changing the passwords frequently is the simplest way of protecting. Examining security logs whenever consumers log in. Updating systems will be another method of protecting consumers. Also, company should implement a security plan. And I think the most important way is raising the awareness of customers’ information security.
In my opinion, the company does have security safeguards. However, there is no comprehensive safe for the consumers. If company and consumers want to decrease the security breaches, they should work together. Company should give a whole security plan and customers should increase their awareness of protecting their private information.
Example Case
1. The Indiana Family and Social Services Administration (FSSA) has suffered a large breach of protected health information (PHI) as the result of actions of a business associate (BA). The Indiana Family and Social Services Administration (FSSA) is in the process of notifying some FSSA clients that some of their personal information may have been accidently disclosed to other clients. The accidental disclosures may have occurred when RCR Technology Corporation made a computer programming error to a document management system the company supports on behalf of FSSA. This error caused an undetermined number of documents being sent to clients to be duplicated and also inserted with documents sent to other clients. This means some of the clients may have received documents belonging to other clients along with their own documents. This was the second reported large PHI security breach suffered by the FSSA as a covered entity (CE) at the hands of a BA.
2. The company has been affected mainly by the programming mistakes and the many other human and technical errors and that leaded to security breaches. In compliance with federal and state privacy law, FSSA has sent written notices to the 187,533 potentially impacted FSSA clients informing them that some of their personal information may have been disclosed.
The client of FASA may have received a surprise in the mail sometimes between May and early june of 2013. The FSSA mail had been opened to see detailed information about another FSSA client that could had included their name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount and employer information. Some financial information such as monthly income and expenses, bank balances, other assets and certain medical information such as provider names were there in the email. It also contained whether the client receives disability benefits ,medical status or condition and certain information about the client’s household members like name, gender and date of birth.
It was not possible to determine specifically which clients had personal information disclosed. Therefore, all of the clients potentially impacted are being notified.In an announcement made on July1 of 2013, the FSSA was telling its clients to return the accidentally mailed documents to the local FSSA office or to shred them. The FSSA provided detailed information as to how the breach occurred and what steps can be taken by individuals whose information might have been breached to protect their credit.
3.The company should take necessary steps to improve their computer programming and testing processes to prevent similar errors from occurring in the future.There are some more security tips which will help to protect the company data from security breaches.
a)Train comany employees: Companies should train all of their employees to use strong password to avoid dangerous links and emails.
b)Know company data: Employees should know where confidential data is stored and be sure to have it in a secure location.
c)Keep track of company devices: Companies should keep track of all the devices that employees use as a means to prevent potential data breaches.
d)Protect company’s network: Companies need to utilize firewalls and virtual private networks to secure sensitive information.
e)Secure physical devices: All electronics and physical devices should be secured and locked so that access is limited.
f)Keep facilities safe: Offices and stores should be locked to keep them protected.
g)Protect company’s website: Companies can reassure customers by using trustmarks on their website and utilizing strong anti-virus software.
h)Have clear cybersecurity policies: Companies should write a clear, well-planned policy that encompasses device use and how to dispose of secure information.
i)Dispose of products the right way: When devices are no longer being used, companies need to wipe all information from them and physically shred all paper documents.
j)Screen employees: Companies can limit their risk by screening employees prior to hiring them.
4. In my opinion I don’t think the company have sufficient safeguard in prior to breach because this was the second time the company reported large PHI security breach suffered as a covered entity (CE) at the hands of a business associate (BA). Once on November 9, 2010 the Department of Health and Human Services (HHS) list of large PHI security breaches reflects that the FSSA as the CE reported its BA. The Southwestern Indiana Regional Council on Aging had experienced the theft of a laptop computer containing unprotected PHI of 757 individuals.
Example Comment
This is a great example of an accidental breach. Things like this are more common that most people probably think. I’m sure the clients of FSSA were NOT happy to find out strangers might have such sensitive information about them.
I remember once I got something from my Doctor’s office that had information about another patient inserted into it. The information included his name, address, birthdate, patient id, and description of (somewhat embarrassing) services. I wrote a strong letter to the billing department and cc’ed it to both my doctor and the clinic director pointing out their HIPAA violation. I bet they never told the other patient about it, though. I didn’t because I thought he would be horrified to know that I knew about his rather embarrassing issue.
