Over the last few decades society’s need for convenience has made it increasingly dependent on technology (Johansson, 2018). This dependency on information and communication technologies to perform daily tasks has dramatically increased the use of cyberspace (“Shibboleth Authentication Request,” n.d.). Cyberspace is “the notional environment in which communication over networks occurs.” According to Johansson (2018), the use of cyberspace provides almost boundless access to information, interactive communication, and vast other resources. While the use of cyberspace has irreversibly changed the world, it comes with its own set of problems. In cybercrime, criminals launch attacks designed to exploit the speed, convenience and anonymity of cyberspace (“Cybercrime / Cybercrime / Crime areas / Internet / Home – INTERPOL,” n.d.). eBay’s security posture at the time of the 2014/2015 data breach showed that the company lacked an understanding of cybersecurity and of the concepts needed to incorporate an enterprise cybersecurity process to protect its vital resources and the private information of its customers.
Background Summary: Cybersecurity
Cybersecurity is a major national security issue because, in the current digital era, information is considered an essential component of power. Cybersecurity is not to be confused with computer security, because they are distinct entities. Computer security is the basic security of computer hardware, software and electronic data (Finkle, Chatterjee, & Maan, 2014). Cybersecurity is more complicated and extensive, as it entails protection from all forms of attacks that can be carried out in the cyber world (online and offline cyberspace). The primary objective of cybersecurity is ensuring that information does not fall into the wrong hands.
The important cybersecurity concepts include Confidentiality, Integrity, and Availability (CIA).
Computer vulnerabilities grow as fast as the technology itself. Hackers, persons seeking to gain unauthorized access to information and vital resources, seek to exploit these vulnerabilities. The most common vulnerabilities are associated with computer programming. “Computer programming is the process of developing a list of instructions that tell the computer how to perform a task. The software is the compilation of instructions that tell the computer how to perform a task. System Software is the interface between application software and computer hardware. Application Software performs a function for the user; helps the user perform a task” (Tuck, 2005). Hackers, seeking to gain control over software interaction, exploit weaknesses and gain unauthorized access to vital resources and information.
Network Forensic Analysis Tools (NFAT) create reports of potential problems in a system by scanning the computers on a network for vulnerabilities and possible entry points that a hacker could use. NFAT reports provide a picture of everything happening in a system or network (Julian, 2014). Administrators analyze the reports to track any unauthorized activity.
Penetration testing is the act of testing the vulnerabilities of computer systems, web applications, or a network to find loopholes that could be exploited by hackers. It can be performed manually by ethical hackers or by using automated applications. Ethical hackers hack into a network to test and evaluate its security (Turk, 2005). The information collected regarding possible vulnerabilities and weaknesses is then used strategically by administrators to make the necessary security changes (Turk, 2005). Organizations like eBay are advised to perform pen tests as often as possible to make sure that their systems are secure.
The major enterprise cybersecurity concepts include integrating cyberspace risks with the general risk management approaches. Managing and mitigating cyber risks should be part of the organization’s risk management framework (Julian, 2014). Elevation of cybersecurity risk management should involve executive-level management to increase awareness of the threat posed by cyber-attacks. Evaluation of the organization’s specific cybersecurity risks is essential: an organization must identify its most valuable assets and perform risk assessment tests to prioritize protective approaches and measures (Julian, 2014). Provision of oversight and evaluation means that management should oversee the management and mitigation of cybersecurity risks.
The cybersecurity framework itself should be:
- Proportionate and risk-based: the framework should be founded on a detailed understanding of the vulnerabilities, threats, and the potential aftermath of a cyber-attack, and should be specifically designed to handle such threats (Johansson, 2018).
- Outcome-oriented: it is vital that the framework regulations achieve the projected results rather than being an end in themselves.
- Prioritizing: different threats have different degrees of importance, and the most imminent and dangerous threats have to be handled first.
- Realistic and practical: generating policies which aren’t executable because of factors such as lack of resources doesn’t help in improving the cybersecurity of an organization (Johansson, 2018).
The major types of cybersecurity threats that a modern enterprise might face are:
- Point of Sale (POS) Intrusions: Hackers install malware in the POS devices designed to collect data from clients’ credit cards. This threat is potent for all large brick and mortar retailers (Julian, 2014).
- Web Application Attacks: Hackers look for weaknesses in the websites of organizations and exploit them to access the personal information of users.
- Insider Misuse: Individuals working inside a company might access sensitive data and use it for personal interests (Julian, 2014).
- Physical Theft: The hardware technologies that are installed in an organization to reduce cyber-attacks are prone to theft.
Major corporations like eBay are a prime target of cyber-attacks because of their massive financial resources, the value of the data that they hold, and their use of cyberspace. It is essential to the company’s success that it invests in cybersecurity. Without an effective enterprise cybersecurity plan in place, the company can expect to suffer significant losses from future cyber-attacks.
Security Weakness Assessment
This Security Weakness Assessment will provide a summary of eBay’s cybersecurity weaknesses with specific reference to vulnerabilities, threats, and risk from a holistic enterprise view.
eBay’s vulnerabilities include but are not limited to the following:
- Lack of cybersecurity awareness training: The company did not have a training program in place to educate its employees on cybersecurity policies.
- Lack of incident response policies: The company didn’t have an appropriate plan in place to adequately respond to cybersecurity incidents.
- Misconfigured databases: Databases that can be exploited by hackers to gain access using SQL injection (Hug & Giampapa, 2012).
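The SQL injection weakness named above comes down to how an application builds its queries. The following is an added example (not code from the essay or from eBay) that contrasts a lookup built by string concatenation with the parameterized form. It uses Python's built-in sqlite3 module and an in-memory table with constructed sample accounts; the table name, column names and the test input are all assumptions made for the example.

```python
"""Added example (not from the essay): why a query assembled from user input
is exploitable via SQL injection, and the parameterized form that is not.
Uses an in-memory SQLite database with constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so a crafted value
    can change the structure of the WHERE clause instead of just its value."""
    query = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver binds the value as data; it can never become SQL."""
    query = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed test input: the textbook tautology that turns the vulnerable
# WHERE clause into "username = '' OR '1'='1'", matching every row.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))      # the one expected row
    print(lookup_vulnerable(db, INJECTION))    # every row leaks
    print(lookup_safe(db, INJECTION))          # no row matches that literal
```

The hardened version is the same query with the value passed separately; the fix is structural, not a matter of filtering characters, which is why parameterized queries are the standard remediation.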
Threats to eBay include but are not limited to the following:
- Malware: Software used to harm a computer system.
- Phishing: Attempt to gain information with malicious intent.
- Internal threats: Employees who deliberately or mistakenly compromise a company’s security (Hug & Giampapa, 2012).
The risks to the company include but are not limited to:
- Loss of customer/company information: Compromise of classified/sensitive customer/company information.
- Loss of public trust: The public does not trust the company to protect its Personally Identifiable Information (PII).
- Loss of value in company stock: Company stock prices drop causing the company financial loss.
Areas of improvement from a technology perspective
- Properly configured databases: Databases with updated security patches.
- Anti-virus software: Software designed to detect malware.
- Intrusion Detection System: Program designed to detect unauthorized access.
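To make the intrusion detection item concrete, here is an added example (not from the essay and not any product's code) of one simple detection rule: flag a source address that produces many failed logins within a short window, a common sign of password guessing. The log format and the sample log lines are constructed for this example, and the threshold and window are assumed values that a real deployment would tune.

```python
"""Added example (not from the essay): a minimal intrusion-detection rule that
flags a source producing a burst of failed logins. Log format and sample
lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso timestamp> login <OK|FAILED> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source fails five times in six seconds, another
# fails twice fifteen minutes apart, plus one line the parser must tolerate.
SAMPLE_LOG = """\
2014-05-01T10:00:01 login FAILED user=alice src=203.0.113.5
2014-05-01T10:00:03 login FAILED user=bob src=203.0.113.5
2014-05-01T10:00:04 login FAILED user=carol src=203.0.113.5
2014-05-01T10:00:06 login FAILED user=dave src=203.0.113.5
2014-05-01T10:00:07 login FAILED user=erin src=203.0.113.5
2014-05-01T10:00:30 login OK user=alice src=198.51.100.7
2014-05-01T10:05:00 login FAILED user=alice src=198.51.100.7
2014-05-01T10:20:00 login FAILED user=alice src=198.51.100.7
this line is malformed and must be skipped
"""


def parse(line: str):
    """Return (timestamp, result, user, src) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {src: peak_count} for every source that accumulated at least
    `threshold` failed logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "FAILED":
            continue
        ts, _, _, src = rec
        failures[src].append(ts)

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    for src, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins within 60s from {src}")
```

A rule like this produces an alert, not a verdict; the analyst still has to confirm the activity is unauthorized, and the threshold and window trade false positives (users who mistype a password) against missed slow, distributed guessing that stays under the limit.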
Areas of improvement from a people perspective
- Cybersecurity awareness Training: Training for employees to increase awareness of cybersecurity policies and best practices.
- Employee dismissal: Removal of dismissed employees’ accounts and access.
- Executive Leadership involvement: Executive leadership involvement with cybersecurity.
Areas of improvement from a policy perspective
- Enterprise Cybersecurity Policy: Overall Cybersecurity policy
- Incident Response Policy: Procedure for response/reporting of cybersecurity Incidents.
- Incident Recovery Policy: Procedure for recovering from a cybersecurity Incident.
This security weakness assessment summarized weaknesses in eBay’s security posture. This assessment is not all-inclusive, as there are many other vulnerabilities, threats and risks detected that have not been listed. The areas of improvement are recommendations to executive leadership and are likewise not all-inclusive, as many other improvements can be made.