<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ian Carnaghan | Articles, Research and Projects for Web Development and Education</title>
	<atom:link href="http://www.carnaghan.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.carnaghan.com</link>
	<description>Articles, Research and Projects for Web Development and Education</description>
	<lastBuildDate>Sun, 21 Apr 2013 02:41:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Workplace Monitoring and Blocking Software</title>
		<link>http://www.carnaghan.com/2013/04/workplace-monitoring-and-blocking-softwar/</link>
		<comments>http://www.carnaghan.com/2013/04/workplace-monitoring-and-blocking-softwar/#comments</comments>
		<pubDate>Sun, 21 Apr 2013 02:40:24 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=3002</guid>
		<description><![CDATA[Software monitoring and blocking tools have become commonplace within the work environment and have been used in order to protect company intellectual assets from employees who either deliberately or accidentally become the cause of security issues. In addition to this, one of the main arguments for such tools is the idea that they increase employee [...]]]></description>
				<content:encoded><![CDATA[<p>Software monitoring and blocking tools have become commonplace within the work environment, where they are used to protect company intellectual assets from employees who either deliberately or accidentally become the cause of security issues. In addition to this, one of the main arguments for such tools is the idea that they increase employee productivity. <span id="more-3002"></span>While this may be true in situations where non-work-related activity is monitored and blocked accordingly, it doesn’t always seem to be the best way to increase productivity. In order to determine the true effectiveness of such tools, we must first understand why employers feel it necessary to use them. There are of course several legitimate reasons, including the productivity issue described above, protecting intellectual assets, and protecting the organization from liability stemming from employees’ use or misuse of Internet resources.</p>
<p>Employers need to consider the negative implications increased monitoring of their employees may bring in terms of overall perception and attitude. Friedman &amp; Reed (2007). What the employer regards as perfectly acceptable policies and processes, the employee may view very differently. Zweig and Webster (2002) reported that certain technologies cross the line from being perceived as benign to being viewed as unfair and invasive. Such technologies create psychological barriers to the acceptance of monitoring and other security measures within the corporate culture. From an ethical point of view, an employee surely does not give up all of his or her privacy when entering the workplace. Schulman (2013). Employees’ perception that their privacy is being invaded may in effect increase as corporate monitoring activities expand throughout the organization.</p>
<p>According to Webster (2002), employers would do well to consider the issue of monitoring policies and procedures from different stakeholder perspectives within the organization. The interests of major constituents such as owners, managers and employees should be better balanced given the overall organizational objectives. Appropriate levels of monitoring and blocking should be implemented where necessary, but also communicated clearly to employees while raising their overall awareness of the security challenges the organization faces. Monitoring and blocking software has its place in the workforce when implemented properly. When these technologies are overused or abused, they may in effect cause the opposite of the intended increase in employee productivity through a decrease in overall morale.</p>
<p>References:</p>
<ol>
<li>Friedman, B. A., &amp; Reed, L. J. (2007). Workplace Privacy: Employee Relations and Legal Implications of Monitoring Employee E-mail Use. Employee Responsibilities and Rights Journal, 19(2), 75–83. doi:http://dx.doi.org.ezproxy.umuc.edu/10.1007/s10672-007-9035-1</li>
<li>Schulman, M (2013). Little brother is watching you. Retrieved from: http://www.scu.edu/ethics/publications/iie/v9n2/brother.html</li>
<li>Zweig, D., &amp; Webster, J. (2002). Where is the line between benign and invasive? An examination of psychological barriers to the acceptance of awareness monitoring systems. Journal of Organizational Behavior, 23(5), 605–633.</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/04/workplace-monitoring-and-blocking-softwar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Software Piracy on an International Scale</title>
		<link>http://www.carnaghan.com/2013/04/software-piracy-on-an-international-scale/</link>
		<comments>http://www.carnaghan.com/2013/04/software-piracy-on-an-international-scale/#comments</comments>
		<pubDate>Sun, 21 Apr 2013 01:53:55 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2999</guid>
		<description><![CDATA[Copyright has become a huge issue and talking point recently with continual legal challenges, the introduction and defeat of the Stop Online Piracy Act (SOPA) and considerations for future legislation, challenges and controversy.  The United States leads the world in having some of the toughest copyright laws on the books.  The issue of copyright has [...]]]></description>
				<content:encoded><![CDATA[<div>
<p>Copyright has become a huge issue and talking point recently with continual legal challenges, the introduction and defeat of the Stop Online Piracy Act (SOPA) and considerations for future legislation, challenges and controversy.  The United States leads the world in having some of the toughest copyright laws on the books. <span id="more-2999"></span> The issue of copyright has come to the forefront in nearly every aspect of the online world and continues to make headlines as groups opposed to more restrictive laws clash with organizations claiming the necessity for stricter legislation to protect their digital assets.  In a study conducted by the Business Software Alliance (BSA) in 2011, startling findings revealed that well over half of the world’s personal computer users admit to having pirated software.  BSA (2011).  This number includes 31% of those who claim to use pirated software on an ongoing basis.</p>
<p>Nation Master Crime statistics provides a graphical chart demonstrating the severe nature of software piracy, especially internationally.  The chart measures the total number of units of pirated software per country divided by the total number of units installed.  The numbers put the United States at the bottom of the pile at 20%, while the top offender, Armenia, is at 93%.  Nation Master (2007).  The chart also demonstrates an apparent trend whereby countries with lower overall income levels and smaller economies tend to show a higher rate of piracy.  This really isn’t surprising when you consider that an average piece of software can cost anywhere from $50 upwards.  The latest version of the Microsoft operating system, Windows 8 professional, costs $199 for the upgrade.  Putting this into perspective, if we pick the top rated country in terms of piracy from the Nation Master crime statistics, Armenia, we can determine from sources that the average yearly salary is just over $3600.  Compare this with the average salary in the United States, which is just over $42,000 (about 11 and a half times more than Armenia).  While software organizations sometimes provide different pricing overseas, there is still a huge disparity in terms of buying power in these less developed countries.  Couple this with the fact that most less developed countries have few or no laws that address intellectual copyright claims, and you begin to understand why there is such a high rate of piracy.  This also has a knock-on effect on cultural values and norms, which are often influenced by laws.  The perception of what is right and wrong in terms of making a copy of a piece of software in order to provide better services, tools and resources for citizens of a developing nation becomes a more complex issue.</p>
</div>
<div>
<p>So what can be done to help reduce piracy in these countries?  Digital copyright protection is one method; however, it seems the more sophisticated these protections become, the more sophisticated the pirates who make a living breaking such systems also become.  Setting pricing based on information from sources such as the United Nations economic data will help software organizations provide better incentives for legal licensed software purchases.  Sun Microsystems did just this with its software products in 2004.  Colley (2004).  Several years back, Microsoft announced a program for selling copies of its operating system to developing nations for $3.  Blass (2007).  Since software developers within the United States do not have any legal protections within foreign countries, pricing strategies seem to be the best way to begin curbing piracy; however, until more comprehensive laws are put into place in these countries, piracy will most likely be around for many years to come.</p>
<p>References:</p>
</div>
<div>
<ol>
<li>Blass, E. (2007). Microsoft will sell $3 software to developing countries.  Engadget.  Retrieved from: http://www.engadget.com/2007/04/20/microsoft-will-sell-3-software-to-developing-countries/</li>
<li>Business Software Alliance (2012).  2011 BSA Global Software Piracy Study.  Ninth Edition, May 2012.  Retrieved from: http://globalstudy.bsa.org/2011/downloads/study_pdf/2011_BSA_Piracy_Study-Standard.pdf</li>
<li>Colley, A.  (2004). U.N. Guides Sun Software Pricing in Developing World.  ZD Net.  Retrieved from: http://www.zdnet.com/u-n-guides-sun-software-pricing-in-developing-world-1139149367/</li>
<li>Nation Master (2007).  Crime Statistics – Software Piracy Rate (Most Recent) By Country.  Retrieved from: http://www.nationmaster.com/graph/cri_sof_pir_rat-crime-software-piracy-rate</li>
</ol>
</div>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/04/software-piracy-on-an-international-scale/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3D Printing, Copyright and Legal Matters</title>
		<link>http://www.carnaghan.com/2013/04/3d-printing-copyright-and-legal-matters/</link>
		<comments>http://www.carnaghan.com/2013/04/3d-printing-copyright-and-legal-matters/#comments</comments>
		<pubDate>Fri, 19 Apr 2013 21:44:05 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2993</guid>
		<description><![CDATA[During the 1980s, role playing games like Dungeons and Dragons saw a rise in the popularity of model or figurine molds, which essentially allowed players to create characters using casting kits.  These were in effect a very early day version of 3D printing, which has introduced the production of physical objects in the home.  3D [...]]]></description>
				<content:encoded><![CDATA[<p>During the 1980s, role playing games like Dungeons and Dragons saw a rise in the popularity of model or figurine molds, which essentially allowed players to create characters using casting kits.  These were in effect a very early day version of 3D printing, which has introduced the production of physical objects in the home.  3D printing has become more sophisticated in recent years and, with that, the overall costs have decreased dramatically to the point where 3D printers are becoming widespread.  <span id="more-2993"></span>Websites such as Thingiverse have sprung up to provide a way to let users share blueprints and instructions for printing 3D objects.  Thompson (2012).  The question of how the mass popularity of these affordable printers might affect copyright holders of objects that might be easily copied needs to be addressed.  Thompson (2012) alludes to the possibility of being able to replicate, for example, Lego blocks for a child (which are now out of patent), or more advanced toys as the capabilities improve.</p>
<p>Rideout (2012) discussed the very first lawsuit that was brought forward concerning copyright infringements with regard to 3D printing.  When Dr. Ulrich Schwanitz created a model of the Penrose triangle and shared a video online to show this accomplishment, a member of a 3D printing community was inspired and created his own version.  The problem occurred when this member also shared the blueprint for the triangle, at which point Dr. Schwanitz threatened him with legal action.  The lawsuit was later dropped; however, it raised the question of what is acceptable to share with others regarding 3D blueprints or CAD (Computer Aided Design) files for these types of printers.  Couts (2012) states that the presumed fear is that people will eventually be able to download CAD files, or create their own with advanced 3D scanners, potentially putting entire industries out of business.</p>
<p>Patent and trademark law in its current form may be used by established industries to protect themselves against the problems described with 3D printing; however, both have their limitations.  It is more likely that new laws will be lobbied for by affected industries, similar to the methods sought by the music and entertainment industries against piracy in the digital space.  To a certain extent copyright owners will need to be compensated appropriately for their work; however, it will be difficult to ascertain where the line will be drawn.  If a car steering wheel, for example, was protected under some copyright law or trademark, it would certainly hamper efforts of the auto industry.  If, on the other hand, 3D printers become so sophisticated that one could replicate, for example, an iPhone, then most certainly intellectual property in the physical space would need appropriate protection.  While we are not in the Star Trek universe quite yet in terms of replication, this is certainly a technology we should continue to watch closely, from all parties’ perspectives, as it evolves.</p>
<p>References:</p>
<ol>
<li>Couts, A. (2012).  Is the 3D printing industry about to start turning out lawsuits?  Digital Trends.  Retrieved from: http://www.digitaltrends.com/cool-tech/3d-printing-and-copyright-lawsuits/</li>
<li>Rideout, B. (2012). Printing the Impossible Triangle: The Copyright Implications of Three-Dimensional Printing. The Journal of Business, Entrepreneurship &amp; the Law, 5(1). Retrieved from http://digitalcommons.pepperdine.edu/jbel/vol5/iss1/6</li>
<li>Thompson, C. (2012).  3D printing’s forthcoming legal morass.  Wired UK. Retrieved from http://www.wired.co.uk/news/archive/2012-05/31/3d-printing-copyright</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/04/3d-printing-copyright-and-legal-matters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regulation vs Innovation</title>
		<link>http://www.carnaghan.com/2013/04/regulation-vs-innovation/</link>
		<comments>http://www.carnaghan.com/2013/04/regulation-vs-innovation/#comments</comments>
		<pubDate>Sun, 07 Apr 2013 00:47:12 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2989</guid>
		<description><![CDATA[One of the ongoing discussions in the United States focuses on the need for regulation versus the need to free business from restrictive laws that would hinder innovation.  There are many sources that provide strong arguments for both sides.  You only have to look as far as the current state of patent regulations and recent [...]]]></description>
				<content:encoded><![CDATA[<p>One of the ongoing discussions in the United States focuses on the need for regulation versus the need to free business from restrictive laws that would hinder innovation.  There are many sources that provide strong arguments for both sides.  You only have to look as far as the current state of patent regulations and recent lawsuits involving tech giants Samsung and Apple to see the impact these laws make within the industry. <span id="more-2989"></span> Many argue, for example, that the patent laws within the United States are too restrictive and stifle innovation.  What about cybersecurity regulations though?  Are there regulations in this domain that hinder business’ ability to innovate?</p>
<p>In the last decade, several new laws have been created in order to defend against cyber-attacks; however, on many occasions these have been insufficient to deal with the real international threats facing both individuals and corporations.  President Obama concluded in his State of the Union address that “we cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”  Flaherty (2013).  Currently, the most comprehensive law is the Federal Information Security Act (FISMA), which was put in place to require “all government agencies to develop security management systems.”  Vacca (2010).  This applies only to federal agencies, and while private businesses can adopt parts of this to improve their own security, this law does not regulate the private sector.  In 2012, the Cybersecurity Act failed to pass, and this legislation only set out to include voluntary measures.</p>
<p>Some industry-specific regulations exist that mandate certain standards, even though cybersecurity initiatives were not their primary objective.  The Gramm Leach Bliley Act, which was originally enacted to eliminate legal barriers between financial institutions, also provided new rules for financial privacy (Janger &amp; Schwartz, 2002).  These rules serve to combat cybersecurity vulnerabilities, and institutions are accountable for these measures.  On the whole, however, it can be argued that among cybersecurity-specific regulations there currently is little that would hinder business’ ability to innovate.  On the other hand, much needs to be done in terms of strengthening cybersecurity laws and regulation within the United States.</p>
<p>References:</p>
<ol>
<li>Flaherty, A. (2013).  State of the Union: Obama’s Cybersecurity Plan.  Time Tech.  Retrieved from: http://techland.time.com/2013/02/13/state-of-the-union-obamas-cybersecurity-plan</li>
<li>Janger, E., J., &amp; Schwartz, P., M. (2002). The Gramm-Leach-Bliley Act, information privacy, and the limits of default rules.  Retrieved from http://www.paulschwartz.net/pdf//minn-final.pdf</li>
<li>Vacca, J. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publications.</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/04/regulation-vs-innovation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Theft and Inexperienced Internet Users</title>
		<link>http://www.carnaghan.com/2013/04/identity-theft-and-inexperienced-internet-users/</link>
		<comments>http://www.carnaghan.com/2013/04/identity-theft-and-inexperienced-internet-users/#comments</comments>
		<pubDate>Sat, 06 Apr 2013 01:26:22 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2986</guid>
		<description><![CDATA[Identity theft has been a growing concern over the last decade.  In recent years it has become a major problem for many as the Internet has taken over much of the day to day banking many traditionally did at their physically located branches.  Is there however a bigger concern with less knowledgeable and inexperienced Internet [...]]]></description>
				<content:encoded><![CDATA[<p>Identity theft has been a growing concern over the last decade.  In recent years it has become a major problem for many as the Internet has taken over much of the day to day banking many traditionally did at their physically located branches.  Is there however a bigger concern with less knowledgeable and inexperienced Internet users, and are these users at a higher risk of becoming victims of identity theft?  <span id="more-2986"></span>In a study about identity theft and retirees in particular, Sylvester (2004) researched the elderly and the risks they face with regard to being targeted for identity theft and phishing scams.  She concluded that the elderly are often targeted at a higher rate because they are assumed to be more susceptible to online scams as well as more trusting overall.  In addition to this, it is often assumed that this demographic has assets to steal.</p>
<p>Another demographic that falls under a higher level of risk is younger Internet users, those who were born into the dot com era.  Many younger Internet users have been found to freely share more information about themselves online than their older counterparts.  An earlier study in 2005 by Govani and Pashley demonstrated how willing younger Facebook users were to share much information about themselves on their profiles.  This trend has only continued to rise in recent years as more members of the popular social networking site openly share birthday information, contact information including cell and home phone numbers, physical addresses, partner’s name, etc.  Because many Facebook users simply don’t spend the time to adjust their privacy settings, much of this information is freely available to anyone, including identity thieves.</p>
<p>Grimes (2010) illustrates the importance of education for user groups that are more vulnerable to targeted identity theft, stating that it is an important tool to defend against these criminals.  While their article concentrates more on older demographic groups, the underlying message of adequate education and raising awareness is of utmost importance.  Younger Internet users must realize the dangers of sharing too much information online, while older users need to be better protected against such perpetrators.  Awareness of the dangers of Internet tracking, malicious cookies and key logging malware should be increased.</p>
<p>Ultimately the organizations that provide and promote their services online need to take some responsibility in ensuring their users have the right tools and information available to protect against possible identity theft and phishing attacks.  Better regulations also need to be put in place.  Financial institutions should provide online information for users to help protect themselves against security threats, and social networking sites should provide easier ways for users to maintain reasonable privacy.  Until these more vulnerable groups have the knowledge and tools to better protect themselves against online criminals, they will continue to be popular targets in these kinds of security attacks.</p>
<p>References:</p>
<ol>
<li>Govani, T., &amp; Pashley, H. (2005).  Student Awareness of the Privacy Implications When Using Facebook. Privacy Policy, Law, and Technology Course, Carnegie Mellon University.  Retrieved from: http://lorrie.cranor.org/courses/fa05/tubzhlp.pdf.</li>
<li>Grimes, G. A. H. (2010). Older Adults’ Knowledge of Internet Hazards. Educational Gerontology, 36(3), 173–192.</li>
<li>Sylvester, E., L. (2004).  Identity Theft: Are the Elderly Targeted?  Connecticut Public Interest Law Journal.  Retrieved from: http://lsr.nellco.org/cgi/viewcontent.cgi?article=1013&amp;context=uconn_cpilj&amp;sei-redir=1&amp;referer=http%3A%2F%2Fscholar.google.com.ezproxy.umuc.edu%2Fscholar%3Fhl%3Den%26q%3Dsenior%2Bcitizens%2Bidentity%2Btheft%26btnG%3D%26as_sdt%3D1%252C21%26as_sdtp%3D#search=%22senior%20citizens%20identity%20theft%22</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/04/identity-theft-and-inexperienced-internet-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Anonymity: Good or Bad?</title>
		<link>http://www.carnaghan.com/2013/04/online-anonymity-good-or-bad/</link>
		<comments>http://www.carnaghan.com/2013/04/online-anonymity-good-or-bad/#comments</comments>
		<pubDate>Sat, 06 Apr 2013 00:38:48 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2983</guid>
		<description><![CDATA[Anonymity on the Internet provides an important layer of protection for people to express themselves online, while keeping their real life identity private.  It has led to both positive as well as negative implications over the years and there has been much discussion on the benefits and drawbacks on both sides.  On the positive front, [...]]]></description>
				<content:encoded><![CDATA[<p>Anonymity on the Internet provides an important layer of protection for people to express themselves online, while keeping their real life identity private.  It has led to both positive as well as negative implications over the years and there has been much discussion on the benefits and drawbacks on both sides.  <span id="more-2983"></span>On the positive front, people have been able to get involved with health and social support groups, sharing information about themselves which they may not normally have provided in real life situations.  Areas of political or social causes such as human rights, as well as more controversial issues, are easier for people to engage in when they have protection through anonymity.  Throwaway usernames with no concern for traceability allow people to make connections and get involved in discussion topics that they may not contribute to otherwise.  Schwartz (2012).</p>
<p>Anonymity has also provided a means for malicious activity carried out by those who would not do so if their real life identity was attached to their actions.  You only have to look at YouTube as a prime example of nasty and over the top negative comments left by its users to the extent of virtual harassment.  ‘Some scholars believe that a key limitation of online text-based environments is a prevalence of anonymity which directly spawns antagonism.’  Lange (2007).  Google has tried to combat this by encouraging users to link their Google+ accounts to YouTube, directly removing a layer of anonymity.  Others argue that if anonymity was curbed, this would subsequently diminish cases of cyber-bullying and other forms of online harassment.  &#8220;I think anonymity on the Internet has to go away. &#8230; People behave a lot better when they have their real names down. &#8230; I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors,&#8221; Randi Zuckerberg, formerly Facebook&#8217;s marketing director, said in 2011.  CBS (2011).</p>
<p>To some extent, anonymity should not be available as cover in cases of abuse or nonsensical actions that cause harm to others, carried out by individuals who would never do so if their real name was made available.  On the other hand, anonymity has been argued to be one of the driving factors that make certain communities possible, because without some sort of protection, or layer of privacy, many people simply wouldn’t get involved in activities that contribute to great causes.  Whether or not we like it, anonymity on the Internet is here to stay, so we should find ways to embrace the benefits it brings and find ways to mitigate the negative aspects through better forms of accountability.  There will always be negative aspects to new innovations and forms of communication, and in the case of online anonymity they simply do not outweigh the benefits it brings to those online communities that thrive on the safety of privacy.</p>
<p>References:</p>
<ol>
<li>CBS News.  (2011).  Facebook: “Anonymity on the Internet has to go away.”  Retrieved from: http://www.cbsnews.com/2100-205_162-20087146.html</li>
<li>Lange, P., G. (2007).  Commenting on Comments: Investigating Responses to Antagonism on YouTube.  Paper presented at the Society for Applied Anthropology Conference.</li>
<li>Schwartz, M., J. (2012).  Has Anonymous Ruined Online Anonymity.  Information Week.  Retrieved from http://www.informationweek.com/security/privacy/has-anonymous-ruined-online-anonymity/232901448?itc=edit_in_body_cross</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/04/online-anonymity-good-or-bad/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Financial Sector Cybersecurity Regulations</title>
		<link>http://www.carnaghan.com/2013/04/financial-sector-cybersecurity-regulations/</link>
		<comments>http://www.carnaghan.com/2013/04/financial-sector-cybersecurity-regulations/#comments</comments>
		<pubDate>Tue, 02 Apr 2013 01:34:35 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2980</guid>
		<description><![CDATA[(Bidgoli, 2006) describes the statutory approach in the United States as being sectorial in nature “because the laws are drawn along industry lines.” This contrasts other parts of the world, such as the European Union, which has a non-sectorial approach where, for example a comprehensive privacy law applies to all organizations regardless of their industry. [...]]]></description>
				<content:encoded><![CDATA[<p>(Bidgoli, 2006) describes the statutory approach in the United States as being sectorial in nature “because the laws are drawn along industry lines.” This contrasts other parts of the world, such as the European Union, which has a non-sectorial approach where, for example a comprehensive privacy law applies to all organizations regardless of their industry. <span id="more-2980"></span>(Schwartz, 2009) argues for the current sectorial approach in the United States as he notes that a model similar to the European Union would be “difficult to amend, and would, therefore, become outdated as technological changes undermine such a stature’s regulatory assumptions.” In the United States there are several federal cybersecurity regulations that apply to different industries. The Gramm-Leach-Bliley Act, which will be looked at in greater detail later in this section, applies directly to the financial industry.</p>
<p>The history of financial law has seen both increases and decreases in regulation correlated with events to enforce, correct and maintain the system. It is important to understand some of the legislative history of this industry and its importance in order to reflect on current day regulation with regard to cybersecurity issues. It wasn’t until the Great Depression, which followed the stock market crash of 1929, that specific laws were enacted to strengthen the banking system and re-instill trust with the public. The Glass-Steagall Act of 1913 “separated commercial banking from investment banks in the United States” Neal &amp; White (2012). It also created the Federal Deposit Insurance Corporation to help restore confidence in the banking system. Further regulation continued with the Banking Acts of 1933 and 1935, which were put in place to reform banking abuses. By the 1980s, banks were finding difficulty in competing with other non-traditional financial organizations that weren’t subjected to the same amount of regulation. The Depository Institutions Deregulation and Monetary Control Act of 1980 and the Depository Institutions Act of 1982 were passed, which softened the distinction between banks and other financial institutions. Many have argued it was these pieces of legislation that contributed to the Savings and Loans (S&amp;L) crisis of the 1980s (Zimring, 1993). After the crisis, a swing back to regulation occurred to address these problems through the financial Institutions Reform, Recovery and Enforcement Act which restructured the S&amp;L insurance system. This was followed by the Federal Deposit Insurance Corporation Act of 1991 (FIRREA) to further improve the S&amp;L industry.</p>
<p>Further de-regulation occurred at the end of the 20th century in the form of the Financial Services Modernization Act of 1999, otherwise known as the Gramm-Leach-Bliley (GLB) Act, originally enacted to eliminate legal barriers between financial institutions. The importance of this regulation brings us to the present day with combating cybersecurity vulnerabilities. Not only did the act deregulate certain earlier provisions of the Glass-Steagall Act, but it also provided new rules for financial privacy (Janger &amp; Schwartz, 2002). The law requires financial institutions to ensure the security and confidentiality of customer records and information, protect against anticipated threats or hazards, and protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer (Financial Services Modernization Act, 1999, 15 U.S.C. 6801(b)). The law also requires financial institutions to provide disclosures to their customers on how they are gathering and using their information. In terms of cybersecurity provisions, one of the most substantial parts of GLB is a provision that mandates financial institutions create and implement a “comprehensive written information security program that includes administrative, technical, and physical safeguards” (Bidgoli, 2006). The law allows for flexibility in how such a program should be implemented at the individual organization; however, it is regulated by various state and federal agencies.</p>
<p>Some argue that the flexibility GLB affords financial institutions fails to enforce effective and comprehensive cybersecurity practices. Senator Robert Menendez has been pushing for newer legislation that would not only create greater protections for customers, but would also allocate new money for cybersecurity research and scholarships (Gross, 2011). There are other laws at both the federal and state level that are not directly tied to the financial industry; however, they do mandate that businesses comply with legislation. Some of these include the Federal Trade Commission Act, Electronic Communications Privacy Act, Sarbanes-Oxley Act, the Uniform Computer Information Transactions Act, and the Computer Fraud and Abuse Act. All of these have been established to protect consumers and organizations involved with data collection and storage of sensitive information.</p>
<p>References:</p>
<ol>
<li>Bidgoli, H. (2006). Handbook of Information Security. Bakersfield, CA: John Wiley &amp; Sons, Inc.</li>
<li>Financial Services Modernization Act, 1999, 15 U.S.C. 6801(b). Retrieved from: http://www.ftc.gov/privacy/glbact/glbsub1.htm</li>
<li>Gross, G. (2011). Senator: New Cybersecurity Regulations Needed for Banks. PC World Business. Retrieved from: http://www.pcworld.com/article/230814/article.html</li>
<li>Janger, E. J., &amp; Schwartz, P. M. (2002). The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules. Retrieved from: http://www.paulschwartz.net/pdf//minn-final.pdf</li>
<li>Neal, L., &amp; White, E. N. (2012). The Glass–Steagall Act in historical perspective. Quarterly Review of Economics and Finance, 52, 104-113. doi:10.1016/j.qref.2011.12.005</li>
<li>Zimring, F.E. &amp; Hawkins, G. (1993). Crime, Justice, and the Savings and Loan Crisis. In (Ed.) A. J. Reiss &amp; M. Tonry, Beyond the Law: Crime in Complex Organizations (pp. 247-292). Chicago: University of Chicago Press.</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/04/financial-sector-cybersecurity-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacktivism, Anonymous, and the Bureau of Justice Statistics</title>
		<link>http://www.carnaghan.com/2013/03/hacktivism-anonymous-and-the-bureau-of-justice-statistics/</link>
		<comments>http://www.carnaghan.com/2013/03/hacktivism-anonymous-and-the-bureau-of-justice-statistics/#comments</comments>
		<pubDate>Mon, 01 Apr 2013 00:30:24 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2973</guid>
		<description><![CDATA[In recent years news stories have highlighted the increasing rate of cybercriminal activity targeting both private organizations and government entities. Cases from mischievous amateur hackers managing to exploit basic vulnerabilities, to more advanced security breaches carried out by expert criminal hackers and cybercrime organizations overseas, have grabbed the attention of the media. The awareness of [...]]]></description>
				<content:encoded><![CDATA[<p>In recent years news stories have highlighted the increasing rate of cybercriminal activity targeting both private organizations and government entities. Cases from mischievous amateur hackers managing to exploit basic vulnerabilities, to more advanced security breaches carried out by expert criminal hackers and cybercrime organizations overseas, have grabbed the attention of the media.<span id="more-2973"></span> The awareness of the seriousness of cybercrime has been raised among the general population and many individuals are becoming more concerned with the data housed about them online. Hackers who refer to themselves as ‘hacktivists’, are grouping together to break into systems for political reasons or other activist agendas. This category of hacker has become more common in recent years with more incidents reported in the media.</p>
<p>In May 2012, the Bureau of Justice was targeted by a group known as ‘AntiS3curityOPA’, an affiliate of the more well-known ‘Anonymous’. The group managed to infiltrate and steal sensitive data from the bureau’s systems. The data was then released as a 1.7Gb archive on the Pirate Bay torrent site, freely available for anyone to download. The reason the group gave for carrying out this attack was to “spread information, to allow the people to be heard, and to know the corruption in their government” (Schwartz, 2012).<br />
This article focuses on this recent attack on the Bureau of Justice Statistics and provides an in-depth analysis of what went wrong, why the organization was targeted, and which people might want access to the released data. The motivations behind why the hackers carried out this attack will be analyzed, along with gaining a clearer picture of who they are. Finally, this article looks at how the bureau might discourage or defend against future threats.</p>
<h3>The Bureau of Justice Statistics</h3>
<p>The Bureau of Justice Statistics is a federal government agency, which falls under the United States Department of Justice. The Bureau of Justice Statistics was created in 1979 and its purpose is to collect, analyze and publish crime data. According to its website, its mission is “To collect, analyze, publish, and disseminate information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government.”</p>
<p>The Bureau of Justice also provides grants to criminal justice statistics programs for data collection and processing as well as statistical and methodological research. They provide support to state, local, and tribal governments through their National Criminal History Improvement Program (NCHIP), State Justice Statistics (SJS) Program for Statistical Analysis Centers, and the NICS Act Record Improvement Programs for States and State Court Systems (NARIP). The bureau’s dissemination programs are summarized in the table below.</p>

<table id="tablepress-3" class="tablepress tablepress-id-3">
<tbody class="row-hover">
<tr class="row-1 odd">
	<td class="column-1">National Criminal Justice Reference Service (NCJRS)</td><td class="column-2">Provides justice statistical data and referrals to other sources of crime data.  The website is available at: https://www.ncjrs.gov</td>
</tr>
<tr class="row-2 even">
	<td class="column-1">National Archive of Criminal Justice Data (NACJD)</td><td class="column-2">Data that has been collected and archived is then documented and made available through the NACJD service.  The website is available at: http://www.icpsr.umich.edu/NACJD/index.html</td>
</tr>
<tr class="row-3 odd">
	<td class="column-1">Federal Justice Statistics Resource Center (FJSRC)</td><td class="column-2">The FJSRC maintains the bureau’s Federal Justice Statistics Program database containing data on defendants and suspects in the federal courts.  The website is available at: http://fjsrc.urban.org/</td>
</tr>
<tr class="row-4 even">
	<td class="column-1">Infobase of State Activities and Research (ISAR)</td><td class="column-2">This system is maintained by the Justice Research and Statistics Association (JRSA) and it houses information on research and publications.  The website is available at: http://www.jrsainfo.org/database/index.html</td>
</tr>
</tbody>
</table>
<p>More information on each of these programs can be found on the Bureau of Justice Statistics website. The information they primarily deal with consists of publicly available data sets, statistics and reports, freely available to anyone who accesses these program websites. Furthermore, the bureau provides in-depth publications available for direct download from their website in various common formats including PDF, ASCII, and comma-delimited format (CSV).</p>
<h3>Overview of the Security Breach</h3>
<p>On May 22nd 2012, the hacker group known as ‘Anonymous’ released a video titled “Monday Mail Mayhem” claiming to have successfully breached the Bureau of Justice Statistics’ information systems. This same group, Anonymous, was also responsible for other attacks, including those on the Department of Justice and the Federal Bureau of Investigation just two months earlier (Infosec Island, 2012). The video they released contained a narrative in a computerized voice that stated, “Today we are releasing 1.7GB of data that used to belong to the United States Bureau of Justice, until now.” The message went on to reveal that internal emails as well as an entire database dump were made available (Anonymous, 2012). The narrative went on to justify the actions of this hacker group by implying that their goal was to expose corruption within the federal government and claiming that the “truth will set us free in the end.”</p>
<p><iframe src="http://www.youtube.com/embed/2oEo3OC75yY" height="315" width="560" allowfullscreen="" frameborder="0"></iframe></p>
<p>The video (which can be seen on YouTube above) provided a dramatic set of visuals and sound effects designed to grab the viewer’s attention. After the statement had been made, other visuals including the text “police state”, “global politics”, and “big pharma”, scrolled by the screen in the form of a chain. This was then followed by the words “Together we Rise Up” next to “And Change Our World”. The video concluded with other threats and warnings appearing to instill fear or excitement depending on the context of the viewer.</p>
<p>The 1.7Gb archive, named 1.7GB_leaked_from_the_Bureau_of_Justice, was uploaded to the Pirate Bay torrent sharing website by “AnonymousLeaks”. The reason for stealing and then making this archive available to the world was revealed in their video with the following statement, “We are releasing data to spread information, to allow the people to be heard, and to know the corruption in their government.” As mentioned earlier, the Bureau of Justice Statistics only publishes publicly available information on criminal offenders, victims of crime and the operation of justice systems within the United States at all levels of government. Therefore, it seemed odd that the hacker group was concerned with the information they could obtain from the bureau. Schwartz (2012) suggested that perhaps the connection was due to recently released information on hacker crimes and this was perhaps a way that Anonymous was able to get back at the organization.</p>
<p>Whether or not the true motive behind this attack was driven by anger over the aforementioned published hacker crimes, it was clear that this was an embarrassing situation for the bureau. An organization called Identity Finder downloaded the torrent to analyze its contents, which appeared to contain 6.5 GB of web server data, reports and files. It did not, however, contain “any sensitive personal information, internal documents, or internal emails” according to Identity Finder in a statement. Rashid (2012) concluded that the claims put forward by Anonymous about a “booty you may find lots of shiny things such as internal emails, and the entire database dump”, were unsubstantiated. If this had been true, many people who could have potentially profited from such data may have been interested in this. As it turned out there was in fact a directory called “Mail”; however, it was mainly empty and contained 3 email addresses that were unique, 2 of which were considered administrative.</p>
<p>Other data within the archive contained over three thousand files of criminal information in the form of spreadsheets and graphical charts, which wasn’t very surprising to see since this is the type of data the bureau typically disseminates and makes publicly available. The information from the archive would have been of little interest to groups of hackers interested in potentially selling or using this information for malicious causes. One area of concern noted by Identity Finder was that the entire server file structure as well as JavaScript files and error logs had been made available. This in itself could be useful to hackers to stage future attacks and to give a clearer overview of the bureau’s network topology. The fact that the bureau knew this information was now publicly available should have prompted them to internally secure their systems from potential future attacks. Rashid concluded that while this attack had not resulted in a major exposure of Personally Identifiable Information (PII), it was, however, a massive public relations mess for the agency and it had provided a means of promoting the hacking group Anonymous.</p>
<h3>Anonymous and Hacktivism</h3>
<p>Traditionally, hackers have remained in the dark carrying out covert operations in terms of breaking into systems for profit or personal gain. In recent years there have been a greater number of security breaches by groups who like to be labeled ‘Hacktivists’. The term ‘serious harm’ could be considered subjective depending on the context of the attack and the actors and victims involved. Anonymous, the group behind the Bureau of Justice Statistics attack, can be argued to fall under the category of hacktivism. Anonymous began its roots in the form of 4chan, a website where users signed anonymously. It first made itself known to the general public in 2008 when it took issue with a request made by the Church of Scientology to YouTube to remove a video starring Tom Cruise which had been leaked there. They began launching denial-of-service attacks against Scientology sites and breached several systems leaking sensitive information. Anonymous backed WikiLeaks by defacing the websites of Mastercard and Visa after they prevented WikiLeaks donators making payments by using their networks. Anonymous have also been known to wage a vendetta against law enforcement agencies, websites and databases by defacing sites and releasing PII on law enforcement personnel (Schwartz, 2012). In more recent years the group has shown support for the Occupy Wall Street movement and has even been involved with threatening the Mexican drug cartel.</p>
<p>The mask worn by Anonymous members originates from the movie V for Vendetta and features prominently in all Anonymous related media and online videos. So what is it that drives this group to do what they do? Anonymous claim that they do not represent or stand for any government or organizations; they make it clear that they support freedom of speech, people, and information (Prince, 2012). The group has long established their disapproval of the so-called “police state” referring to the United States in that it incarcerates more people than any other country. Their qualms aren’t limited to the United States, however; they are concerned with any organization, government or entity that imposes restriction in terms of freedom of information or injustices they feel strongly enough to get involved with. Several months ago, the group threatened to release names, addresses, social security numbers, and other private information of every football player from Steubenville High School, where two players had been accused of raping a 16-year-old girl. They released a video which stated that they were not going to let a group of men who treated “rape as a game or sport” get away with their crimes just because of their athletic ability (Caufield, 2013).</p>
<h3>Defense Strategy and Discouragement of Attacks</h3>
<p>Anonymous certainly appear to be carrying out their activities for some kind of greater good. They believe their actions are justified in terms of the various systems they have broken, the information they have leaked, and the harm and cost they have caused government and private organizations and agencies. It is difficult to ascertain whether or not the Bureau of Justice Statistics would be able to do anything differently to discourage the actions of such a radical group; however, simply having a better understanding of their background, motives and intent would be beneficial. Armed with this knowledge, it is important for organizations like the Bureau of Justice Statistics to be prepared against similar attacks in the future. There have been many times in the past that Anonymous have taken action that has provided more media coverage than harm; however, at the same time there have also been very real breaches with high costs. This attack should not be taken lightly and other government agencies should learn from shortcomings in security strategies. Since the Bureau of Justice Statistics typically carries and provides publicly available information, reports and number crunching, it probably did not deem itself a high probability target for so-called hacktivists; however, recent events have proven otherwise. The public knowledge of such an attack has not only led to ‘embarrassment’, but also brings into question the security practices of other government agencies.</p>
<p>Strategies should be implemented immediately to protect the bureau from the already leaked information on the server logs and network topology. While it is not clear where the vulnerability was that allowed Anonymous to penetrate the bureau’s system, strategies should be in place to regularly review website traffic. While there was no evidence that the publicly facing website was connected to internal sensitive documents, strategies should still be put in place to detect unauthorized access. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) should be used to detect and prevent unauthorized access. Other security practices should be implemented including proper separation of responsibilities, multi-layered security controls, and other means of network and physical security. In the larger picture, agencies from different parts of the federal government should coalesce in terms of security strategy, policies and overall strategy to ensure that adequate protection is given even to those web presences that only provide public information.</p>
<h3>Conclusion</h3>
<p>The Bureau of Justice Statistics was an unlikely target of the hacktivist group Anonymous. The entire event seemed to provide more media attention than actual harm and it proved to be an embarrassment for the agency. The bureau didn’t suffer extreme losses; however, this was a big win for Anonymous as it gave them extended media coverage along with key words such as the “Department of Justice” even though this agency was not hacked. It highlighted the importance of maintaining strong security practices, even for websites that are providing nothing more than publicly available information.</p>
<p>Hacktivist groups have made headlines more frequently in recent years. Supporters of piracy and anti-copyright movements, labeled under the category of ‘freedom of information’, have spurred interest on a global scale and continue to grow in number. It is important that government and private organizations continue to evaluate the risks these groups create and to better understand the motivations and culture behind their populations. This is of particular importance within organizations that are perceived ‘enemies’ or ‘adversaries’ of such groups, which includes much of the federal government systems, law enforcement organizations, pro-copyright institutions and any other organization perceived to not fall in line with the hacktivists’ world view on justice. By better understanding these groups and the threats they bring, government agencies and private organizations will be better equipped to refine their security strategies, enabling them to protect themselves from future incidents.</p>
<p>References:</p>
<ol>
<li>Anonymous Hackers Plan to Target OPD. (n.d.). Retrieved March 30, 2013, from http://www.wowt.com/news/headlines/Anonymous-Hackers-Plan-to-Target-OPD-200361161.html?ref=161</li>
<li>ANONYMOUS &#8211; Monday Mail Mayhem. (2012). Retrieved from http://www.youtube.com/watch?v=2oEo3OC75yY&amp;feature=youtube_gdata_player</li>
<li>Bass, T. (2000). Intrusion detection systems and multisensory data fusion. ACM, 43(4), 99-105. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.47.3851&amp;rep=rep1&amp;type=pdf</li>
<li>Caufield, P. (2013). Hacker Group Anonymous plans second ‘Occupy Steubenville’ rally on Saturday. Retrieved from: http://www.nydailynews.com/news/national/tk-article-1.1233022</li>
<li>Chacos, B. (2012). Anonymous Hacks Department of Justice! But Does It Really Matter? Retrieved from: http://www.maximumpc.com/article/news/anonymous_hacks_department_justice_does_it_really_matter</li>
<li>Check Point (2011). Check Point Products: IPS-1. Retrieved from: http://www.checkpoint.com/products/ips-1/index.html</li>
<li>Denning, D. E. (2000). Proceedings at the Internet and international systems: information technology and American foreign policy decision making workshop, San Francisco, CA: Activism, hacktivism, and cyberterrorism: the Internet as a tool for influencing foreign policy. Retrieved from http://oldsite.nautilus.org/archives/info-policy/workshop/papers/denning.html</li>
<li>Infosec Island (2012). Anonymous Claims Department of Justice Hack, Data Dump. Retrieved from: http://mark.dev.infosecisland.com/blogview/21395-Anonymous-Claims-Department-of-Justice-Hack-Data-Dump.html</li>
<li>Prince, P. (2012). Anonymous Hacktivists Leak Bureau of Justice Statistics. Retrieved from: http://www.eweek.com/c/a/Security/Anonymous-Hacktivists-Leak-Bureau-of-Justice-Statistics-622457/</li>
<li>Rashid, F. Y. (2012). Anonymous DOJ Breach More Embarrassing Than Harmful. PCMAG. Retrieved March 30, 2013, from http://securitywatch.pcmag.com/security/298272-anonymous-doj-breach-more-embarrassing-than-harmful</li>
<li>Schwartz, M. (2012). Anonymous Leaks 1.7 GB Justice Department Database. InformationWeek. Retrieved from http://www.informationweek.com/news/security/attacks/240000778</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/03/hacktivism-anonymous-and-the-bureau-of-justice-statistics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Cybersecurity Policies in the Private and Public Sector</title>
		<link>http://www.carnaghan.com/2013/03/mobile-cybersecurity-policies-in-the-private-and-public-sector/</link>
		<comments>http://www.carnaghan.com/2013/03/mobile-cybersecurity-policies-in-the-private-and-public-sector/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 00:02:08 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Human Aspects in Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2957</guid>
		<description><![CDATA[“We are moving into a new era of mobile computing, one that promises greater variety in applications highly improved usability, and speedier networking.” Godwin-Jones (2008). This statement rings true for the past five years where mobile computing has seen a massive explosion in growth. Ever since the introduction of Apple’s iPhone followed by the popularity [...]]]></description>
				<content:encoded><![CDATA[<p>“We are moving into a new era of mobile computing, one that promises greater variety in applications highly improved usability, and speedier networking.” Godwin-Jones (2008). This statement rings true for the past five years where mobile computing has seen a massive explosion in growth.</p>
<p><span id="more-2957"></span></p>
<p>Ever since the introduction of Apple’s iPhone followed by the popularity of Android devices, the computing landscape has seen a major shift in usage towards mobile platforms. Traditionally, mobile devices were limited to Personal Digital Assistants (PDAs) and basic cellular phones used for voice communications. PDAs typically did not have access to external networks and were limited in how data was handled, typically through a synchronization process with the user’s personal computer.</p>
<p>These earlier devices posed lesser threats than today’s mobile technology, simply because they were under greater control, and had limited potential to cause harm to corporate networks. Typically PDAs and other mobile devices were company-issued, which meant that strict policies could be enforced on their usage. In recent years however the growth of the mobile landscape has meant that many individuals own personal devices, which are often brought to their place of work. In addition to this, modern devices have the ability to connect to other networks, download more sophisticated software, and therefore are at a higher risk of opening security vulnerabilities.</p>
<p>The evolution of the mobile workforce is being driven by lifestyle choices, productivity gains, and technology improvements. Friedman and Hoffman (2008). As more workers continue to take advantage of the flexibility of working from home, the use of mobile equipment to connect with colleagues outside the traditional workspace will need to be examined in the context of security. This article explores the current threats and vulnerabilities of mobile devices. For each threat and vulnerability, a probability of occurrence is provided and recommendations on policy changes have been made to mitigate the risk of security breaches. The article uses the NIST framework as a baseline of current threats and builds on this with other secondary research to give a better picture of the current challenges facing organizations in terms of mobile security.</p>
<h3>Defining Mobile Devices</h3>
<p>Along with the explosion in growth of mobile devices in the last five years, a significant increase in sophistication has occurred, meaning that many of these devices are just as advanced as the common desktop computer. In many instances, users have replaced their PC with their mobile device as their primary means of connecting to the Internet. Feature-complete mobile applications are growing in popularity, which can be seen by the number of purchases and downloads in Apple’s and Google’s app stores for their respective devices. The line has become blurred in terms of separation of personally owned equipment, when most individuals now carry a mobile device with them to work, and many connect that device to their organization’s personal computer and ultimately to the network.</p>
<p>In order to better understand the challenges that organizations face in keeping their networks connected, we must first define what a mobile device is. Souppaya &amp; Kent (2012) in their recommendations for the National Institute of Standards and Technology (NIST) provide a list of characteristics that can be used to define a mobile device. In their publication they describe a mobile device as having a small form factor, at least one wireless network interface for Internet access, local storage, an Operating System (OS), the ability to run applications, and finally built-in features for data synchronization. Friedman and Hoffman (2008) define mobile devices as “portable electronic systems that store and manipulate potentially confidential information.” Their definition goes on to list laptops, handheld computers, cell phones, PDAs, BlackBerry devices, and digital music players.</p>
<p>While the list of characteristics typically describes commonly used devices, there is, however, other mobile hardware we should also be concerned with. Vacca (2009) noted that USB flash storage devices are sometimes not considered to be a major threat; however, these types of mobile storage device can be concealed and used to either introduce malicious code to a host computer, or to steal data. In addition to this, digital cameras are less commonly thought of as threats, yet they also have the capability to act as an external storage device and can cause the same level of concern as a USB drive or smartphone. These types of mobile hardware are also listed in the NIST recommendations under optional characteristics of mobile devices and should therefore be included when considering mobile threats and vulnerabilities.</p>
<p>Using NIST as a baseline for the research provided in this article, we can determine the overall objectives needed to be considered for mobile security. These include confidentiality, integrity, and availability. Confidentiality considers the importance that any data or information contained within a mobile device must not be accessible by unauthorized personnel. Integrity considers the importance of detecting any intent, malicious or otherwise, that results in a change of data stored or transmitted from the mobile device. Finally availability ensures that those who have the appropriate permission to do so, can access data from the mobile device whenever it is required.</p>
<h3>Assessing the Threats and Vulnerabilities of Mobile Devices</h3>
<p>Many of the threats and vulnerabilities facing non-mobile equipment within organizations cross over directly into the mobile space. Lack of formal training, intentional and unintentional insider attacks, social engineering strategies, phishing attacks, and other forms of intentional security breaches are all areas of concern in a mobile security strategy. In addition to this, mobile devices introduce a number of new threats and vulnerabilities that need to be addressed. Friedman and Hoffman (2008) claim that mobile devices are typically both the most vulnerable systems within the enterprise as well as being the least defended. Their rationale is that mobile devices are susceptible to similar types of security vulnerabilities as their peer desktop counterparts; however, because they are used both inside and outside the corporate firewall, there is a higher risk when outside physical corporate defenses. In addition to this, traditional desktop systems typically use wired LANs, whereas mobile devices use wireless technologies, increasing the overall risk of interception of data. Mobile devices are at a much higher risk of being lost or stolen than a desktop PC. Finally, in many organizations, security budgets are more closely tied to internal defenses and corporate LANs, since they are within physical reach of the Information Technology (IT) staff.</p>
<p>Sujithra and Padmavathi performed a survey on mobile device threats and vulnerabilities and from this they categorized them as follows. Mobile threats have been broken down into four main categories:</p>
<ol>
<li>Application-based threats: Downloaded applications, which introduce either hidden security threats or unintentional exploits.</li>
<li>Web-based threats: Phishing scams, malicious code in downloads, browser exploits.</li>
<li>Network-based threats: Exploits via Bluetooth, Wi-Fi eavesdropping.</li>
<li>Physical threats: Loss or theft of device.</li>
</ol>
<p>In addition to this Sujithra and Padmavathi discuss vulnerabilities including Trojan horses, botnets, worms and rootkits, which are all forms of malicious code that can be used to breach the device or network. Some publications that focus on mobile security overlap in areas of threats and vulnerabilities, while others go more in depth with specific threats. Nasim (2012) provides a complete analysis of the most critical Bluetooth attacks in real life scenarios. All of the vulnerabilities and threats can cause substantial harm to the organization in both financial losses as well as reputation. Some of this can be measured in the form of customer satisfaction of the organization. If a customer’s data has been stolen due to lack of mobile security measures implemented within the organization, their level of satisfaction will be greatly diminished, ultimately leading to an overall negative impact on reputation. It is therefore essential that current mobile vulnerabilities and threats are examined as closely as traditional systems security.</p>
<p>From current literature, including NIST recommendations and the publications outlined above, four major vulnerabilities or areas of concern facing the enterprise in the context of mobile device security have been compiled in the following table. Each vulnerability is listed with its associated threats, probability of occurrence, and policy suggestions to help mitigate the overall risk of successful security breaches.</p>

<table id="tablepress-2" class="tablepress tablepress-id-2">
<thead>
<tr class="row-1 odd">
	<th class="column-1"><div>Vulnerability</div></th><th class="column-2"><div>Threats</div></th><th class="column-3"><div>Probability of Occurrence</div></th><th class="column-4"><div>Policy Suggestions</div></th>
</tr>
</thead>
<tbody class="row-hover">
<tr class="row-2 even">
	<td class="column-1">Lack of Physical Control</td><td class="column-2">Possibility of device being lost or stolen<br />
<br />
Exposure of data (people peering over shoulder).<br />
</td><td class="column-3">High</td><td class="column-4">Encryption.  Restriction of what is stored on the device.  Domain authentication in addition to device PIN system.<br />
<br />
Prevent use of third party backup services (iCloud).<br />
</td>
</tr>
<tr class="row-3 odd">
	<td class="column-1">Use of Non-Corporate Mobile Devices</td><td class="column-2">Jailbroken devices connected to the network could breach security.<br />
<br />
Insecure / Unauthorized Data Storage<br />
</td><td class="column-3">Medium</td><td class="column-4">Assume all devices are untrusted.  Provide clear guidelines on the restriction or prohibition of personal devices.<br />
<br />
Secure organization-issued hardware.<br />
<br />
Restrict company-issued devices from connecting to PCs. Prevent personal devices connecting to company-issued PCs.<br />
</td>
</tr>
<tr class="row-4 even">
	<td class="column-1">Insecure Communications</td><td class="column-2">Man in the middle attacks, eavesdropping.<br />
<br />
Bluetooth<br />
</td><td class="column-3">Low</td><td class="column-4">Make the assumption that external mobile networks are not trustworthy.  <br />
<br />
Implement effective encryption methods in order to ensure both confidentiality as well as integrity.<br />
<br />
Implement mutual authentication mechanisms.<br />
</td>
</tr>
<tr class="row-5 odd">
	<td class="column-1">Mobile Apps and Web Content Exploits</td><td class="column-2">Introduction of malicious code into the network, theft of data, advanced persistent threats.<br />
Browser-based web apps can also introduce risks.<br />
<br />
Malicious URLs, QR Codes, placing malicious<br />
<br />
Use of Location Services<br />
</td><td class="column-3">High</td><td class="column-4">Assume third party apps untrusted.  Restrict or prohibit installation of unapproved apps.  Risk assessment on third-party app before whitelisting.  Restrict browser or secure-sandbox browser.<br />
<br />
Educate users on risks of untrusted content.  Restrict peripheral use on device (disable camera).<br />
</td>
</tr>
</tbody>
</table>
<!-- #tablepress-2 from cache -->
<h3>Lack of Physical Control</h3>
<p>This is one area of concern or major vulnerability facing any organization that either issues corporate mobile devices, or allows the use of personal devices in the office. The probability of occurrence has been marked as high simply because of the large number of lost and stolen devices every year. Due to the mobile nature of these devices, they can be used anywhere, and this leaves open a very real possibility that unauthorized individuals could look over at a user’s device in a public environment or potentially read private information if the mobile equipment is left unattended.</p>
<p>Company-owned devices could also potentially be used to upload sensitive data to unauthorized cloud backup services, such as Apple’s iCloud, or used to connect and share data with a user’s home computer. Company-owned devices should be encrypted so that in the event of theft, the perpetrator should not be able to access any sensitive data. Additional security also needs to be put in place at the network domain level in addition to the standard device Personal Identification Number (PIN) lock system, which is often inadequate in itself for comprehensive security. Finally, company-owned devices should be prohibited from connecting to third party backup services or home computers.</p>
<h3>Use of Non-Corporate Mobile Devices</h3>
<p>Most workers nowadays have their own mobile device and in many cases bring these devices to work. Without proper restrictions in place, it is very easy for an employee to plug their phone or other mobile device into their computer’s USB port, either for convenient charging or for synchronizing their data. This opens the possibility of sensitive company data being transferred to an unsecure personal device or, worse still, the introduction of malicious code. Many people have started ‘jail breaking’ their personal mobile devices to allow them to use unrestricted software. Jail breaking or ‘rooting’ a device can often leave it vulnerable to malicious code or unintentional security vulnerabilities (AhnLab, 2012).</p>
<p>Similarly, a corporate mobile device connected to a user’s personal computer at home carries similar security risks (Sujithra and Padmavathi, 2012). The organization’s security policy should assume that all personally owned devices are untrusted and therefore restrict or prohibit the use of ‘Bring Your Own Device’ (BYOD) mobile devices. No personal device should be allowed to connect to the network unless the organization has a way of securing these devices by providing a technical solution (Souppaya and Kent, 2012). While the use of personal devices is a major security concern, it has been listed as medium on the probability of occurrence since organizations should have control of their network in order to restrict the usage of such devices.</p>
<h3>Insecure Communications</h3>
<p>Most mobile devices use external networks to connect to the Internet. This opens up the possibility of attacks such as ‘Man in the middle’ and Wi-Fi eavesdropping. If connected to an unsecured Wi-Fi connection, such as the types available at coffee shops and other public places, it is entirely possible for someone to ‘sniff’ the network and view activity and potentially sensitive information. Data in this situation can be compromised by an attacker “taking advantage of the fact that many applications and web pages do not use proper security measures, sending their data in the clear (not encrypted) so that it may be easily intercepted by anyone listening across an unsecured local wireless network” (Sujithra and Padmavathi, 2012). Organizations need to enact strict security policies whereby all issued mobile devices are provided with sufficient encryption to prevent ‘leakage’ of information on external networks. If properly implemented, this will mitigate the risk of an outside person or group stealing information. The probability of occurrence is rated as low since these types of security breaches are less common on mobile devices than loss or theft. If an organization-issued device is secured properly, it shouldn’t be as big a risk overall.</p>
<h3>Mobile Apps and Web Content Exploits</h3>
<p>Quirolgico, Voas, and Kuhn (2011) focus specifically on mobile app vulnerabilities and how apps can be ‘vetted’ to mitigate risk. In a Homeland Security Newswire publication, a mobile security company, Lookout, was looked at in depth. Lookout developed the “App Genome” project, which involved scanning and documentation of hundreds of thousands of apps that contain malicious code. Lookout created the App Genome project in order to gain a better understanding of what mobile apps are doing as well as to examine if “bad things are happening in the wild” (HSNW, 2012). It was noticed that a lot of mobile apps had hidden code contained within that was used mainly for analytics and advertising; however, this demonstrated the extent to which code could be easily hidden or embedded in an app without the user’s knowledge. Because of the nature and sophistication of such exploits, the probability of occurrence is higher since many employees will have access to install third party apps both on company-issued as well as personal devices.</p>
<p>The NIST recommendations show the importance of mitigating risks with mobile apps that use location services. Souppaya and Kent (2012) inform us that hackers can use these types of services to figure out where the user of a mobile device is located. With this information they can then analyze this data with other sources to determine who this user associates with as well as the type of activities they commonly take part in at specific places.</p>
<p>Mobile apps are only part of the risk. Web applications visited in the browser are becoming more advanced. NIST refers to these types of risk as untrusted content. Mobile devices are prone to the same kinds of malicious code that desktop web browsers face. In recent years the use of Quick Response or QR codes has become commonplace in marketing and advertisements. A QR code can quickly direct a user to a specific web URL simply by scanning the code using the device’s built-in camera. QR codes could therefore be used to direct mobile devices to websites containing malicious code.</p>
<p>Policy changes that could be put in place to mitigate the risk of malicious code, web app and content exploits should look into restricting or prohibiting the installation of unapproved apps on company-owned devices. The assumption should be made that all third party apps are untrusted. For apps that are required, risk assessments should be carried out on these before whitelisting them. Educating users on the risks of untrusted content is an essential part of the security strategy and restricting certain functions on devices such as the camera to prevent scanning of QR codes is also another step that could be taken.</p>
<h3>Conclusion</h3>
<p>This article examined some of the literature already published on the vulnerabilities and threats of mobile devices in the workplace. This is an area of technology that is in a constant state of flux as new and more dangerous exploits are being discovered all the time. First of all, it was important to define what a mobile device is in order to determine the types of vulnerabilities and threats that face the enterprise. The literature helped with this definition, and then research into the current vulnerabilities and threats was presented as four broad areas of vulnerabilities that organizations should be aware of.</p>
<p>The vulnerabilities and threats presented here were ranked as low, medium or high in terms of the probability of their occurrence. Each of these areas was examined and recommendations were made on how to mitigate the risks associated with them. As hackers continue to exploit mobile devices in more sophisticated ways, organizations will need to continue to be vigilant in mitigating risks of security breaches leading to loss, theft or unauthorized tampering of their intellectual assets. More resources will need to be put into mobile security, and the complexities of the mobile landscape will need to be considered when developing and refining policies. There is a wealth of literature to guide companies, including the NIST framework, which can be used to help strengthen their own security policies, which will need to continually evolve to combat the newest threats and vulnerabilities facing them.</p>
<p>References:</p>
<ol>
<li>AhnLab Reports 2012 Mobile Security Threat Trends. (2012). Computer Security Update, 13(2), 1–4.</li>
<li>Ali A Altalbe. (2013). Do New Mobile Devices in Enterprises Pose A Serious Security Threat? Advanced Computing : an International Journal, (1), 53.</li>
<li>Curran, J. (2012). Panelists: Mobile Applications Present Largest Security Threats. Cybersecurity Policy Report, 1–2.</li>
<li>Ernest-Jones, T. (2006). Pinning down a security policy for mobile data. Network Security, 2006(6), 8–12. doi:10.1016/S1353-4858(06)70399-3</li>
<li>Friedman, J., &amp; Hoffman, D. V. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management, 7(1/2), 159–180.</li>
<li>Godwin-Jones, R. (2008). Mobile computing trends: Lighter, faster, smarter. Language Learning and Technology, 12(3), 3-9. Retrieved from http://www.postgradolinguistica.ucv.cl/dev/documentos/90,927,Mobile_goodwin_2008.pdf</li>
<li>Homeland Security Newswire. July 29, 2010. New cybersecurity threat: smartphone apps that do more than what they say they do. Retrieved from http://www.homelandsecuritynewswire.com/new-cybersecurity-threat-smartphone-apps-do-more-what-they-say-they-do</li>
<li>Maity, S., Bera, P., Ghosh, S. K., &amp; Dasgupta, P. (2010). A Formal Verification Framework for Security Policy Management in Mobile Ip Based Wlan. International Journal of Network Security &amp; Its Applications, 2(4), 194–211.</li>
<li>Massé, D. (2012). $389 M Mobile Application Security Market Set to Explode as Threats Increase. Microwave Journal, 55(11), 56–56.</li>
<li>Mont, J. (2012). Developing Policies That Address Mobile Computing Risk. Compliance Week, 9(106), 46–48.</li>
<li>Nasim, R. (2012). Security Threats Analysis in Bluetooth-Enabled Mobile Devices. International Journal of Network Security &amp; Its Applications, 4(3), 41–56.</li>
<li>Quirolgico, S., Voas, J., &amp; Kuhn, R. (2011). Vetting Mobile Apps. IT Professional, 13(4), 9–11.</li>
<li>Rouse, J. (2012). Mobile devices – the most hostile environment for security? Network Security, 2012(3), 11–13. doi:10.1016/S1353-4858(12)70045-4</li>
<li>Souppaya, M., &amp; Kent, K. (2012). Guidelines for managing and securing mobile devices in the enterprise (draft) [electronic resource] : recommendations of the National Institute of Standards and Technology / Murugiah Souppaya, Karen Scarfone. Gaithersburg, MD : U.S. Dept. of Commerce, National Institute of Standards and Technology, [2012].</li>
<li>Sujithra M, &amp; Padmavathi G. (2012). Mobile Device Security: A Survey on Mobile Device Threats, Vulnerabilities and their Defensive Mechanism. International Journal of Computer Applications, (14), 24.</li>
<li>Unal, D., &amp; Caglayan, M. u. (2013). A formal role-based access control model for security policies in multi-domain mobile networks. Computer Networks, 57(1), 330–350.</li>
<li>Wilshusen, G. C. B. (2012). INFORMATION SECURITY: Better Implementation of Controls for Mobile Devices Should Be Encouraged. GAO Reports, 1.</li>
<li>Zawoad, S., &amp; Hasan, R. (2012). The Enemy Within: The Emerging Threats to Healthcare from Malicious Mobile Devices.</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/03/mobile-cybersecurity-policies-in-the-private-and-public-sector/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Philosophical Assumptions for Qualitative Research</title>
		<link>http://www.carnaghan.com/2013/03/philosophical-assumptions-for-qualitative-research/</link>
		<comments>http://www.carnaghan.com/2013/03/philosophical-assumptions-for-qualitative-research/#comments</comments>
		<pubDate>Mon, 25 Mar 2013 00:03:06 +0000</pubDate>
		<dc:creator>Ian Carnaghan</dc:creator>
				<category><![CDATA[Curriculum Mapping Project]]></category>
		<category><![CDATA[Education]]></category>

		<guid isPermaLink="false">http://www.carnaghan.com/?p=2910</guid>
		<description><![CDATA[In any kind of work or study, we always bring a certain set of beliefs as well as philosophical assumptions.  Qualitative researchers understand the importance of beliefs and theories that inform their work and also actively write about them in their research.  John Creswell in his book “Qualitative Inquiry and Research Design” describes these assumptions [...]]]></description>
				<content:encoded><![CDATA[<p>In any kind of work or study, we always bring a certain set of beliefs as well as philosophical assumptions.  Qualitative researchers understand the importance of beliefs and theories that inform their work and also actively write about them in their research. <span id="more-2910"></span> John Creswell in his book “Qualitative Inquiry and Research Design” describes these assumptions and frames them into interpretive frameworks so we can understand their significance to our own research.  For my doctoral thesis, I am exploring the feasibility of developing a formalized approach to curriculum mapping with the goal of developing a feature complete software solution.  Before I get there I must first define in greater depth the problem I am trying to solve and have chosen to explore some of the theoretical methods or approaches to qualitative research to better guide my efforts.</p>
<p>When researchers undertake a qualitative study, they are in effect agreeing to its underlying philosophical assumptions, while bringing to the study their own world views that end up shaping the direction of their research.  Creswell describes the following four philosophical assumptions:</p>
<ul>
<li>Ontological (The nature of reality): Relates to the nature of reality and its characteristics.  Researchers embrace the idea of multiple realities and report on these multiple realities by exploring multiple forms of evidence from different individuals’ perspectives and experiences.</li>
<li>Epistemological (How researchers know what they know): Researchers try to get as close as possible to participants being studied.  Subjective evidence is assembled based on individual views from research conducted in the field.</li>
<li>Axiological (The role of values in research): Researchers make their values known in the study and actively report their values and biases as well as the value-laden nature of information gathered from the field.</li>
<li>Methodology (The methods used in the process of research):  inductive, emerging, and shaped by the researcher’s experience in collecting and analyzing the data.</li>
</ul>
<h3>Interpretive Frameworks</h3>
<p>Interpretive frameworks can be considered a basic set of beliefs that guide action.  The philosophical assumptions (ontology, epistemology, axiology, and methodology) are embedded within interpretive frameworks that researchers use.  Creswell suggests interpretive frameworks may be social science theories (leadership, attribution, political influence and control, and many others) to frame the researcher’s theoretical lens in studies.  On the other hand the theories may be social justice theories / advocacy / participatory, seeking to bring about change or address social issues in society.  Below are the main interpretive frameworks Creswell describes in his book.  I have summarized these in the table listing the approaches and practices for each.</p>

<table id="tablepress-1" class="tablepress tablepress-id-1">
<thead>
<tr class="row-1 odd">
	<th class="column-1"><div>&nbsp;</div></th><th class="column-2"><div>Approach</div></th><th class="column-3"><div>Practice</div></th>
</tr>
</thead>
<tbody class="row-hover">
<tr class="row-2 even">
	<td class="column-1">Postpositivism</td><td class="column-2">Scientific, Reductionism oriented, Cause/effect, A priori theories</td><td class="column-3">Inquiry in logically related steps; Multiple perspectives from participants not single reality; Rigorous data collection and analysis; Use of computer programs</td>
</tr>
<tr class="row-3 odd">
	<td class="column-1">Social Constructivism</td><td class="column-2">The understanding of the world in which we live and work, The development of multiple meanings, The researchers look for complexity of viewpoints</td><td class="column-3">Researchers ask broad general open-ended questions; Focus on the 'processes' of interaction; Focus on historical and cultural settings of participants; Acknowledge their background shapes interpretation, 'Interpret' the meanings others have about the world.</td>
</tr>
<tr class="row-4 even">
	<td class="column-1">Postmodernism Perspectives</td><td class="column-2">Knowledge claims in multiple perspectives such as race, gender, class and group affiliations; Negative conditions revealed in presence of hierarchies, power, control, by individuals in the hierarchy and multiple meanings of language; different discourses; marginalized people that are important; Meta-narratives or universals hold true of the social conditions; Need to 'deconstruct' text to learn about hierarchies, oppositions and contradictions.</td><td class="column-3">Interpretive biography; Narrative; Grounded Theory; Ethnography</td>
</tr>
<tr class="row-5 odd">
	<td class="column-1">Pragmatism</td><td class="column-2">Focuses on outcomes; 'What works' to address research problem; Researchers' freedom of choice of methods; Many approaches to collecting &amp; analyzing data</td><td class="column-3">Researchers use multiple methods to answer questions; Research is conducted that best addresses the research problem</td>
</tr>
<tr class="row-6 even">
	<td class="column-1">Feminist Theories</td><td class="column-2">Focus on women's diverse situations; Subject matter focused on domination within patriarchal society; Lens focused on gender; Goals focused to establish collaborative relationships to place researcher within study - not objective, but transformative.</td><td class="column-3">The need to examine researcher's background to determine validity and trustworthiness of accounts; The need to report women's voices without exploiting them; The need to use methods in self-disclosing &amp; respectful way.</td>
</tr>
<tr class="row-7 odd">
	<td class="column-1">Critical Theory</td><td class="column-2">Focus concerned with empowering people to transcend constraints placed on them by race, class, and power; Interpret or illuminate social action; Themes include scientific study of institutions and their transformation through interpreting meanings of social life; historical problems; domination, alienation, and social struggles.</td><td class="column-3">Focus on changes in how people think - encourage interaction, networks for 'social theorizing'; Focus on use of intensive case study or historically comparative cases; Formation of formal models; Use of 'ethnographic accounts' (interpretive social psychology).</td>
</tr>
<tr class="row-8 even">
	<td class="column-1">Critical Race Theory</td><td class="column-2">To present stories of discrimination; Eradicate racial subjugation while recognizing race is a social construct; Interact race with other inequalities such as gender and class.</td><td class="column-3">Research places race and racism in the foreground of the research process; Research looks for ways to explain experiences; Research offers transformative solutions.</td>
</tr>
<tr class="row-9 odd">
	<td class="column-1">Queer Theory</td><td class="column-2">Related to complexities of individual identity; Explores how identities reproduce and perform in social forums; Uses term 'Queer Theory' to allow incorporation of other social elements including race, class, age; Holds binary distinctions are inadequate to describe sexual identity.</td><td class="column-3">Uses postmodern or poststructural orientation to deconstruct dominant theories related to identity; Focuses on how identity is culturally linked to discourse and overlaps with  human sexuality.</td>
</tr>
<tr class="row-10 even">
	<td class="column-1">Disability Theories</td><td class="column-2">Focus on addressing  inclusion in schools, encompassing administrators, teachers, parents of children with disabilities; Focus on disability as a dimension of human difference rather than defect.</td><td class="column-3">Research process views individuals with disabilities as different; Questions asked, labels applied to these individuals, communication methods, and consideration of how data collected will benefit community considered; Data reported in respectful way.</td>
</tr>
</tbody>
</table>
<!-- #tablepress-1 from cache -->
<p>In order to carry out any kind of research that uses either part or all qualitative methods, it is important to consider the philosophical assumptions as well as the interpretive frameworks described here.  I will be referring back to these as I develop my own study, however for a better understanding of these concepts, please refer to Creswell&#8217;s book referenced below.</p>
<p>References:</p>
<ol>
<li>Creswell, J. W. (2012). Qualitative inquiry and research design: Choosing among five approaches. Thousand Oaks, CA: Sage.</li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.carnaghan.com/2013/03/philosophical-assumptions-for-qualitative-research/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
