Tuesday, July 29, 2014

Information security incident - Stuxnet virus

Hard to detect quickly, Stuxnet, a 500-kilobyte computer worm, exploded in June 2010 with an unprecedentedly skillful 3-phased attack. It marks a turning point in geopolitical conflicts, when the fictitious scenarios once imagined in movies finally became plausible. The worm can "exploit flaws in Microsoft Windows to spread on stand-alone systems via USB memory sticks" (Economist). The sophistication of the worm has strengthened experts’ belief that the creation of such advanced persistent attacks is made possible by the sponsorship of nations. Stuxnet is openly acknowledged as a joint U.S.-Israel project that reportedly destroyed a fifth of Iran’s nuclear centrifuges by causing them to spin out of control (Kelly B Michael, 2013).


How Stuxnet worked (David, 2013)


On a global scale, industrial and military facilities use industrial control systems that depend on a worldwide network of contractors; hence, enforcing compliance with a uniform set of security standards is difficult to achieve. Computer forensics reveal the nature of the advanced persistent attack: the first attack was undetectable because it did not cause any explicit damage. It set the stage for the next phase of the attack, after 5 years, which altered the pressure of the valves and spun the uranium centrifuges out of control.


The issue of ethics and law becomes blurred, as it raises the question of cyber warfare for defensive purposes. Stuxnet successfully set back Iran’s nuclear program by 2 years, and forensic evidence cannot definitively link the virus to the United States or Israel, which Iran considers hostile nations. Responsible nations like the United States must have coordinated with global security governance if they indeed executed the attack. It would be scary if hackers or people committing cyber crimes got hold of the worm, since it is so powerful.

FireEye reveals increasing sophistication in attacks by Iran targeting US defense organizations. FireEye has a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber-attacks. Real-time, dynamic threat protection is used to protect organizations across the primary threat vectors and the different phases of the attack life-cycle. (Fireeye, 2013)

Stuxnet carried real security clearances that had been stolen, exposing the security lapses and loopholes in industry standards and regulations. Discrimination in just-war theory requires combatants to identify legitimate targets; terrorism ignores this requirement, which is why it invokes moral condemnation. The principles of attribution, which is not only an issue of moral and criminal liability, are not clearly defined for attackers and defenders due to the lack of international agreements.


National cyber policies have to be supported by consistent and effective principles prior to the use of cyber weapons to determine the integrity of attacks or counter-attacks. The processing and transmission of information, according to the McCumber Cube model, is very critical due to the nature of its sensitivity and impact. (Patrick, et al., 2013) Using the cube model will allow for a better assessment of all of the security risks that need to be considered.

German security expert Langner, who deciphered the Stuxnet attack, released a proposal for a cyber-security framework called Robust ICS Planning and Evaluation, or RIPE. The risk-based, NIST-led cyber security framework is notorious for the lack of enforcement of security policies for contractors. The NIST cyber security framework lets organizations determine the direction of their adoption of the framework on the basis of the implementation tier they are categorized into, which determines the maturity of the security status. (Kelly, 2013)

An organization can choose the zero category as its target implementation tier, which means a completely immature cybersecurity process, and still conform to the cyber security framework. RIPE details eight areas of the industrial plant system that should be documented and measured to determine the security posture: (1) system population, or software and hardware inventory; (2) network architecture, including a network model and diagrams; (3) component interaction, or process flow diagrams; (4) workforce roles and responsibilities; (5) workforce skills and competence development; (6) procedural guidance and standard operating procedures; (7) deliberate design and configuration change; and (8) system acquisition or procurement guidelines.


RIPE is a very practical approach, with insights from industrial plant floor operators, for better locking down the security environment. RIPE has the potential to influence the evolution of the NIST cyber security framework to its final form. (Kelly, 2013)





Works Cited

David Kushner The real story of Stuxnet [Online] // spectrum.ieee.org. - 2013. - http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
Fireeye Fireeye reveals advanced threat activities by Iranian-linked Ajax security team in post Stuxnet era [Online] // fireeye.com. - 2013. - http://www.fireeye.com/news-events/press-releases/read/fireeye-reveals-rise-in-advanced-threat-activities-by-iranian-linked-ajax-security-team-in-post-stuxnet-era.
Kelly B Michael The Stuxnet attack on Iran's nuclear plant was 'Far more dangerous' than previously thought [Online] // businessinsider.com. - 2013. - http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11.
Kelly Higgins Jackson Stuxnet expert proposes new framework for ICS/SCADA security [Online] // darkreading.com. - 9 4, 2013. - http://www.darkreading.com/stuxnet-expert-proposes-new-framework-for-ics-scada-security/d/d-id/1140411?.
The meaning of Stuxnet. (2010, October 2). The Economist. Retrieved July 30, 2014, from http://www.economist.com/node/17147862/print

Patrick Lin, Fritz Allhoff and Neil Rowe C. Computing ethics [Journal]. - 2013.





Tuesday, July 15, 2014

Cloud Computing deployment and service models

Cloud Computing can be defined as a large pool of easily accessible and usable virtualized resources such as hardware, development platforms and software services which can be dynamically reconfigured to a variable load for optimization. Cloud computing is most likely to follow the technology adoption cycle of its predecessors, though different national policies and labor market may induce variable speed of adoption. (Federico Etro, 2013)

Cloud Computing Characteristics (Dialogic, 2013):
  • Virtualized infrastructure: Sharing of physical services, storage and networking capabilities to optimize resources and reduce setup and operating costs.
  • Dynamic Provisioning: Automatic re-configuration for expansion and contraction of service capabilities to match current demand requirements.
  • Network Access: Access the internet from a broad range of devices, including traditional PCs, laptops and mobile devices.
  • Managed Metering: Metering for managing and optimizing the service and to provide reporting and billing information.

Cloud computing deployment models (Victoria Kouyoumjian, 2010)



Cloud Computing Service Models (Victoria Kouyoumjian, 2010)



Comparison of Private, Public and hybrid deployment models (Brian O, 2013)



Private Clouds:

In private clouds, services and infrastructure are maintained on a private network designed solely for a specific organization, therefore offering the greatest level of security and control. A private cloud can be on-site at a customer’s premises or managed by a third party. Organizations like educational institutions would choose a private cloud because they would be able to "enjoy the benefits of virtual servers without compromising security policies or overall system flexibility" (Stern, 2014). The added security comes with an added cost. Since the cloud is not shared publicly, the client has to deal with maintenance and operational costs. Before these costs are incurred, private clouds usually come with an initial investment. Small-to-mid-size companies should compare apples to apples, since there are so many costs involved.


The two private cloud deployment models are:
  • On-site private cloud – Applies to private clouds implemented at a customer’s premises
  • Outsourced private cloud – Applies to private clouds where the server side is outsourced to a hosting company

Examples of private cloud are:
  • Eucalyptus
  • Ubuntu Enterprise Cloud – powered by Eucalyptus
  • Amazon Virtual Private Cloud
  • VMware cloud infrastructure suite, Microsoft ECI data center

Typical characteristics of private cloud are:
  • Control and security of data and applications are of paramount importance
  • Conformance to strict security and data privacy issues
  • Maintain the software and infrastructure efficiently (Singh, 2011)

Public Clouds:
The cloud infrastructure is made available to the general public or a large industry group and is owned by the organization selling cloud services. A major advantage of a public cloud is the possible cost savings. Instead of having IT on site to maintain a private cloud, a public cloud can be maintained offsite by the service provider. Compared to a private cloud, companies are able to control how big or small they would like to make their IT infrastructure, usually through a pay-as-you-go option. The IT infrastructure can be controlled in a private cloud as well. However, companies have to place extra funds towards it in order to buy additional software.

Examples of Public Cloud:
  • Google App Engine
  • Microsoft Windows Azure
  • IBM SmartCloud
  • Amazon EC2 (Singh, 2011)

Many companies avoid public clouds because they are concerned about security. To lessen the risk, companies can implement systems such as intrusion detection and prevention systems (IDPS). These systems are much stronger than usual firewalls and were also created to prevent attacks. While this can alleviate security concerns, it is the duty of some companies to meet compliance requirements under Sarbanes-Oxley, PCI, and HIPAA (Stern, 2014). Unfortunately, not all companies make a promise to meet these compliance requirements. Therefore, companies need to research cloud vendors and understand what they provide.

Community clouds:
The cloud infrastructure is shared by several organizations and supports a community that has shared concerns about mission, security requirements, policy and compliance considerations, such as governmental departments, universities and central banks. Google Apps for Government is a good example of a community cloud. Community clouds also have two possible scenarios:

  • On-site Community Cloud: Applies to community clouds implemented on the premises of the customers comprising the community cloud.
  • Outsourced Community Cloud: Applies to community clouds where the server side is outsourced to a hosting company.


Hybrid Clouds:
This type of cloud infrastructure was created for those who were not ready to move to the public cloud. The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by common technology to help migrate data and applications for load balancing. Companies have "concerns over reliability and out-of-the box support for custom business-critical applications" (Dover, 2014). Companies that struggle to choose between their expensive in-house technology systems and cloud systems are able to have both. To have a hybrid cloud, a company would ideally figure out which applications and data it will maintain on site. The company would then determine which other applications to maintain in the cloud, such as analytics or mobile technology (Guido, 2014). VMware vCloud offers hybrid cloud services.

 

Hybrid cloud (Rackspace.com)


Logistics Clouds- IT strategies across transnational organizations (Logical, 2013)
Logistics businesses of different sizes, especially small businesses, can reduce the transaction costs of B2B co-operation, compete and collaborate with global players, and promote collective and sustainable modes of transport. The challenge is to balance the interests of stakeholders, businesses, policy-makers and consumers, and to regulate laws and adopt policies for internet usage and international data flows, as different countries have approached net neutrality from various angles.

The transnational internet connectivity market has improved service and offers attractive pricing by encouraging additional investments in backbone and local access networks and internet exchange points (IXPs). Market-based policies such as auctions, flexible use, spectrum sharing and spectrum trading have to supplement slow, bureaucratic processes. (ITU, 2013)

Multi-modal infrastructure of the six major central European logistics hubs such as the Airport of Leipzig/Halle the main hub for DHL in Europe, Interporto Bologna, the largest interior freight village of Northern Italy, Port of Koper which is one of the most important sea harbours in the Adriatic sea (Logical, 2013)



  • Infrastructure providers such as sea and inland ports, freight villages and airports are engaged in fierce international competition, and creating the best possible framework for business operations is their top priority
  • Logistics operators can use software-as-a-service offers to increase their IT competitive advantage
  • Local and regional promoters of economic development support logistics hubs, as they are major contributors to economic growth, tax income and the labor market
  • Universal data standards established for cloud computing logistics







Monday, June 30, 2014

e-business systems- Competitive advantage

E-business involves all commercial activities, a dynamic set of technologies, applications and business processes performed across computer platforms that link organizations to their customers, suppliers and other business partners through electronic exchange. (Indrit Troshani, 2007)

The exponential growth and rapid changes of e-business technologies bring forth new opportunities and challenges to businesses. The underlying technologies of e-business solutions such as data storage, processing and transport are becoming increasingly indistinguishable and are susceptible to commoditization. (Indrit Troshani, 2007)

Investments in e-business are a competitive necessity rather than a source of competitive advantage. Value will be added only when e-business applications can be harnessed to achieve organizational goals more effectively and efficiently than competitors. Gaining competitive advantage depends on the extent to which e-business applications are aligned with organizational goals. (Indrit Troshani, 2007)

E-business advantage framework components












  • Alignment between e-business and overall business strategies: This alignment is difficult to replicate, as both e-business and overall business strategies are likely to evolve uniquely for each organization.

  • Inter-organizational linkages: Linkages to facilitate complex interactions and collaborative relationships between organizations are most likely to be unique and, therefore, more likely to survive competitive imitation.

  • E-business integration with business processes: Innovations in business practices and their integration with e-business solutions are likely to be organization specific.

  • Organizational agility: E-business applications can facilitate significant alterations of leadership styles, from coercive or directive to consultative or collaborative, which are likely to result in different levels of organizational agility.

  • Management commitment and support: It has the potential to distinguish between successful and unsuccessful e-business investments.

  • Interactions between IT professionals and e-business application users: Patterns of interactions between IT professionals and end-users differ between organizations and constitute an opportunity for asymmetric distinctiveness across organizations.

  • Organizational culture: Key source of enduring competitive advantage, as it creates a climate for either encouraging or discouraging risk-taking or experimentation with e-business solutions.

  • Intellectual resources: Organization-specific interpersonal relationships, application development, technology integration skills, corporate-level knowledge assets and managerial human resources become difficult to acquire and highly complex for competitors to imitate.








E-commerce is one of the most popular forms of e-business. Some of the big Internet companies are highly competitive with brick-and-mortar stores. There are a few strategies that have allowed e-commerce to reach the masses:

1. Subscription-based commerce- Consumers no longer have to go to the store. Instead, they can easily get access to their favorite items right at their doorstep. Dollar Shave Club has had much success with this type of model. Knowing that many men shave on a weekly/monthly basis, men can get high-quality razors at a reasonable price without going to the store.

2. Mobile commerce- Most consumers have a phone; therefore, it would be wise for a company to be reachable via a mobile application. "Mobile commerce is growing at a rate of over 130 percent annually" (Evans). Many banking companies have made apps; however, Wells Fargo seems to know what customers want. "Anything to enhance the customer experience is key because it can be the difference between keeping the customer or having them go to a competitor" (Needle).

3. Internet-only merchandise- Without consumers going into a store, some companies have been able to grab their attention via the Web. Dell was one of the first companies to integrate e-commerce into its sales process (NetonomyNET). It was not just about the company's ability to provide computers online; much of Dell's success was due to its innovation of customizable computers. Either way, the company was able to provide a unique approach to e-commerce.

Works Cited


Evans, M. (2014, January 16). 12 E-Commerce Strategies To Grow Your Business This Year. Forbes. Retrieved June 30, 2014, from http://www.forbes.com/sites/allbusiness/2014/01/16/12-e-commerce-strategies-to-grow-your-business-this-year/

Needle, D. (2013, November 13). Wells Fargo has over a million iPad app customers for online banking. TabTimes. Retrieved June 30, 2014, from http://tabtimes.com/news/finance-insurance/2013/11/13/wells-fargo-has-over-million-customers-only-use-tablets

Top 5 Largest Online Retailers - Who Are These Companies And How Did They Make It To The Top?. (2013, January 30). NetonomyNET. Retrieved June 30, 2014, from http://netonomy.net/2013/01/30/top-5-largest-online-retailers-who-companies-how-did-they-make-it/

Indrit Troshani Enabling e-business competitive advantage [Online] // knowledgetaiwan.org. - 2007. - http://www.knowledgetaiwan.org/ojs/files/Vol2No1/4_Enabling_e-Business_Competitive_Advantage.pdf.

Monday, June 23, 2014

Business Intelligence Systems

These days, companies cannot rely on certain reports alone to run their business. Instead, some companies have turned to business intelligence systems to help them. It is "a process for analyzing large volumes of data within companies, usually stored in data warehouses to determine patterns and trends which are applicable to make the best decisions for the company’s growth." (Bucur, 2012)

A BI system helps a company streamline business, reduce costs and identify new business opportunities by:
  • Eliminating uncertainty – ensuring accurate data, providing real-time updates and overviews, trends and forecasts to take informed decisions
  • Rapid provision of information – hence reducing the time to study large volumes of printed information
  • Easy access to economic indicators anywhere, anytime – provide sales and marketing personnel critical data on mobile devices
  • Determining crucial areas of profitability – identification of class of customers and markets
  • Improving decision making and identifying potential/deficient market segments
  • Determining key performance factors
  • Analyzing large amounts of historical data to identify trends that may affect business

Most users use 68% of the reporting capabilities of a BI system. There is a downward trend in the use of ad hoc reports and a growth trend in interactive-visual solutions that will most likely be increasingly deployed in the coming years. 

User perceptions on the benefits of implementing a BI system. (Bucur, 2012)





Graphical data visualization of retail sales

Business users will most likely place emphasis on different features or functionalities than IT users, and those features will drive BI purchase trends. Business users value data visualization, as it allows them to promptly identify issues, patterns, outliers or trends and take pre-emptive and necessary action without having to manually search through heaps of data. Users can see the business overview, minimize human errors and save valuable time. (Santosh S Venkatraman Alicia M Brooks, 2012)



Dashboards
Dashboards display summary data graphically so it can be consumed at a glance, and features such as drill-down links and filters allow business users to view detailed metrics. Data discovery tools are very expensive considering the cost per user, but are popular due to easy user interfaces and great benefits. (Santosh S Venkatraman Alicia M Brooks, 2012)


   
Current trends in business intelligence - Spatial Visualization
With GPS combined with the power of business intelligence analytics, users can visualize events for any given geographical location. The figure below depicts the number of customers for a particular business stacked up in different cities in Texas, and it also shows the distance and direction of customers from the factory. (Santosh S Venkatraman Alicia M Brooks, 2012)



Customer data in Spatial Visualization

A fine example of successful spatial visualization use would be competitor analysis. Mapping new, remodeled, or relocated competitors helps an organization quickly identify locations that will potentially be affected by incoming competitors. Organizations gain lead time to implement effective strategies within the impacted areas and mitigate negative impact. Oracle has incorporated spatial visualization into its popular business intelligence 11g platform. (Santosh S Venkatraman Alicia M Brooks, 2012)

Spatial visualization that measures units and variable sales of a particular set of products in a manufacturing organization.




Costs 
Boris Evelson discusses the costs associated with Business Intelligence, and his best and only real answer is "it depends" (Evelson, 2011). Although he risks oversimplification, Evelson suggests that, since every BI is unique to an individual business due to the "scope, requirements, technology used, corporate culture and at least a few dozen of more dimensions," in many cases we can often apply the good old 80/20 rule. The following is a breakdown of his analysis:

Components
  • ~20% for software, hardware, and other data center and communications infrastructure
  • ~80% for full time employees, outside services (analysis, design, coding, testing, integration, implementation, etc), new processes, new initiatives (governance, change management, training)
Initial software costs (~80%) vs. Ongoing software license maintenance costs (~20% / year)
Direct (~20%) vs. Indirect costs (~80%). Here are some examples:
Direct ~20%
  • Data integration for reporting and analysis
  • Data cleansing processes for reporting and analysis
  • Reporting and analytical data bases such as Data Warehouses, Data Marts
  • Reporting / querying / dashboards
  • OLAP (Online Analytical Processing)
  • Analytical MDM (Master Data Management)
  • Analytical metadata management
  • Data mining, predictive analytics
  • BI specific  SOA (Services Oriented Architecture) or other types of EAI (Enterprise Application Integration)
Indirect ~ 80%
  • Data integration for operational purposes
  • Operational databases (ODS)
  • Operational data quality processes
  • Portals
  • Collaboration
  • Search, knowledge management
  • Operational master/reference data management
  • Operational metadata management
  • Performance management (scorecards, metrics management)
  • Text mining / text analytics
Initial Design and Build of Data Integration (ETL, quality, DW, MDM, metadata, etc) (~80%) vs. Reporting and Analytics (~20%)
Ongoing support of Data Integration (~20%) vs. Reporting and Analytics (~80%)   (Evelson, 2011)


Cultural Issues

Howard Dresner, who created the phrase Business Intelligence in the 1980’s, states that overcoming cultural obstructions is just as important to the successful outcome of any Business Intelligence project as overcoming any other barrier, if not more important. To ensure the success of any BI project, Dresner states “companies need to develop a performance-directed culture, one in which business and IT work together.” (Tech Target, 2009)

By culture Dresner meant “people and groups of people - their beliefs, motives, attitudes, organization, customs, processes, etc.” Transparency, accountability, and constructive conflict resolution are the keys to a performance based culture and the most successful organizations are able to sustain this culture. (Dresner, 2009)

The cultural aspects of information use are extremely important for Business Intelligence. They include whether people are given incentives to use information, whether information is hoarded for power, which individuals are responsible for maintaining the information, how it impacts people’s bonuses financially, and how the people involved in providing information to the business are organized. (Elliot, 2014)

Implementation Issues
Although business intelligence systems have become easier to implement, there are still many implementation issues that companies need to look over before selecting a business intelligence system. The purpose of a business intelligence system is to take the company's data and transform it into reports/metrics that are meaningful. First, a company has to understand what it is trying to accomplish and state its goals.
Without an objective, the company could easily be spending tons of money on a system that is not fulfilling its purpose. Implementing a business intelligence system is costly; therefore, a company must be swift in order to "access information that could give them a competitive edge over the rest of the field" (Thelwell, 2014). Purchasing the system is not the only issue. In addition, the company has to deal with other costs such as "installation, hardware, consultancy support and additional staffing requirements" (Thelwell, 2014). It is key for a company to think about all of the costs that are involved in addition to the cost of the actual system.

A company's goals and objectives go hand in hand with the implementation of a business intelligence system. When installing this system, the company needs the correct infrastructure so that the system is working properly. Quite often, a company seeking a business intelligence system does not hold a strong enough infrastructure; therefore, more money has to be invested into the project. Not only that, additional costs and time are needed to train employees.

Lastly, security is a huge concern. Companies are hesitant to move to business intelligence systems because so much data, confidential information for that matter, is being moved in high volumes.


Works Cited



Evelson, Boris. (2011, March 1). Does The Good Old 80/20 Rule Work For Estimating BI Costs? Retrieved from Forrester: http://blogs.forrester.com/boris_evelson/09-02-03-does_good_old_8020_rule_work_estimating_bi_costs



Bucur Cristian Implications and directions of development of web business intelligence systems for business community [Online] // http://eds.a.ebscohost.com.ulm.idm.oclc.org. - 2012. - http://eds.a.ebscohost.com.ulm.idm.oclc.org/eds/pdfviewer/pdfviewer?sid=caf042a4-2b10-4f35-840a-5768d1c0dcb6%40sessionmgr4001&vid=3&hid=4105.

Santosh S Venkatraman Alicia M Brooks Quest for business intelligence [Online] // http://eds.b.ebscohost.com.ulm.idm.oclc.org/. - march 2012. - http://eds.b.ebscohost.com.ulm.idm.oclc.org/eds/pdfviewer/pdfviewer?sid=c51acc11-99c6-42fc-8efb-f5539c697626%40sessionmgr110&vid=3&hid=109.



Dresner, H. (2009, June 15). It's all about culture - a glimpse into my new book. Retrieved from Business Intelligence: http://businesssintelligence.blogspot.com/2009/06/its-all-about-culture-glimpse-into-my.html

Elliot, T. (2014, 4 29). Q&A: Self-Service vs Traditional Business Intelligence. Retrieved from Business Analytics: http://timoelliott.com/blog/2014/04/qa-self-service-vs-traditional-business-intelligence.html
Implementing Successful Business Intelligence Projects: What the 2014 World Cup Can Teach Us. (n.d.). RSS. Retrieved June 24, 2014, from http://smartdatacollective.com/matillion-limited/204506/implementing-successful-business-intelligence-projects-what-2014-world-cup-

Tech Target. (2009). For business intelligence success, culture counts as much as technology. Retrieved from Tech Target: http://searchbusinessanalytics.techtarget.com/podcast/For-business-intelligence-success-culture-counts-as-much-as-technology