1. Internet Activists
1.1. Nature of Activism
The contemporary computer-based communication systems are utilized during the composition, storage, delivery, and processing of communication. The communication involves the transfer of electronic mails, organization of computerized conferencing, and constitution of bulletin-board systems. Computer-based communication systems are designed to facilitate adequacy in data volume and speed of transfer during communication practices. This procedure is, at times, referred to as office automation. In some instances, office automation ends up creating problems in communication between the organization and its stakeholders. The main forms of challenges are those that result from activities of internet activists and hackers (Layton, 2007).
Internet activism is a new form of challenge that is yet to be tackled in an effective manner. The issue of internet activism consists of both ethical and technological dimensions. Initially, this form of activism was understood as a form of freedom of expression. This is because it involved the use of electronic communication techniques such as podcasts and emails in to facilitate broadcasting of information. However, activism has assumed a new direction in the recent past. Most internet activists aim at paralyzing communication channels through information overload, a scenario that is also referred to as electronic junk. They achieve their goals by disseminating a significant number of useless and unwanted messages, a situation that impairs communication between interconnected networks. In effect, information systems become unresponsive to certain inputs. The accuracy of their response reduces in a significant degree. Other forms of impairment involve systematic ignorance of important input features, a scenario that makes response time permitted (Krutz & Russell, 2003). In addition to incorrect responses, some systems end up quitting before the completion of the communication process.
Admirers of WikiLeaks chose internet activism as a form of punishment to organizations and corporations that they deemed hostile to the activities of exposing secret diplomatic cables. Among the victims were justice systems and financial institutions that sought to impair the undertakings of WikiLeaks. This form of activism differs from hacking. Hacking aims at gaining access to a computer system without authorization. The accessing individuals aspire to gain total control of the communication system. They aim at having powers to edit, install, and delete files and systems that are held in user’s directories. Their main goal is not to slow communication but to hide their presence (Layton, 2007).
1.2.Current Monitoring Technologies
Various groups of technologists are in the process of improving internet security. However, today’s activists are arming themselves with adequate knowledge in order to facilitate their intrusion into communication systems. This scenario has facilitated improvement in monitoring technologies so as to delay or deter security lapses. Such improvements include frequent updating of the operating system. Every software product possesses loopholes. The fixation of these loopholes proceeds on a continuous basis, and as such, consumers are encouraged to update their operating systems as soon as they can. Updating is encouraged because some of the enhancement in software systems facilitates the monitoring activities. In effect, this results into a significant reduction in information reduction (Jeffrey, 1992).
Usage of firewall is among the most effective method of blocking unwanted traffic to a communication system. As such, it is advisable to keep the firewall on under all circumstances as such a strategy would deter a substantial amount of intrusions. The use of firewall should be supplemented by installation of effective antivirus software. Current antivirus software incorporates intelligence features that facilitate the monitoring of threats towards a communication system. As such, the choice of effective antivirus software is of the great utility to an organization. Therefore, an organization should not compromise the installation of antivirus software for cost (Dhillon, 2007).
In most cases, information overload results from excessive mailing. As such, effective network administration necessitates scanning of all incoming mails before clicking on the links which would eventually lead to the impairing of the system. The most effective method of averting information overload is disregarding strange and unknown mails.
There are a number of web filter technologies that facilitate blocking of un-trusted sites. These tools have been effective in impairing the endeavors of activists who have formulated tricks that aim at luring users into unsafe sites. All in all, administrators of communication systems should utilize available resources so as to keep their systems up to standard in terms of safety and speed. Such a strategy would ensure that the system is not grounded in case of an attack by activists (Dhillon, 2007).
Various organizations have been addressing the issue of internet activism through a couple of strategies. Among the most important strategies include the re-training of information system administrators, securing of communication environment, and incorporation of technologies that facilitates an effective fight back. Among the most popular technologies include intrusion detection systems and firewalls. Reputable software corporations are creating patches for various forms of vulnerabilities so as to defend the communication networks of their client organizations. Moreover, they are embarking on the initiative of training those that deals with the administration of information and communication systems of enterprises (Charles, 1993).
Every computer system that connects to the internet increases the chances of being compromised. As such, individuals are encouraged to form a habit of checking their firewalls’ logs on a regular basis. This will facilitate the detection of activities that are deemed dangerous to the communication system. Therefore, the log should be constituted in a way that is understandable to most stakeholders of the system. Effective implementation of intrusion detection devices and firewalls can deter attacks. In situations where an attacker succeeds in his/her mission, the system logs are during the evaluation of the manner in which the invasion was done as well as the identity of the invader (Dhillon, 2007).
In some instances, administrators are expected to apprehend intruders while conducting their illegal activities. However, most of them notice trouble after communication systems has been impaired. However, effective recovery strategies can facilitate the return of the communication system to its normal operating capacity. Therefore, the administration should endeavor in facilitating measures that lead to recovery after the loss and impairment.
In the event of a successful attack, the network administration is encouraged to gather facts regarding the nature of the attack. Stakeholders are advised to avoid being emotionally charred as this would drive them into seeking revenge. Revenging is unethical, and besides, it puts the system into a greater risk. This is because of the encouragement it gives to the activists, especially when they realize that a human factor is competing with their activities. The best form of counter measure is to improve the system’s security so as to deter future attacks (Antenucci, 1991).
Instead of retaliating, the administration should opt for tracking down the attacker. IP addresses have been providing useful leads in the tracking endeavors. The administration is advised against deleting new files from the system. Such a move may prove to be counterproductive as the activist may delete valuable logs from the computer system before the administrator acquires enough evidence against him/her. Once the identity of the activist has been identified, the administrator is then required to consolidate the information so as to facilitate prosecution (Charles, 1993).
2.Implementation of an online patient care system
2.1.Potential Security Threats
Introduction of an online patient care system presents a number of risks to the patients’ medical data. The three top security threats include attack by malware, automated log-offs, and availability of removable media. Malwares is viruses, worms, Trojan horses and spyware that pose security threats to a computerized system. Pressure groups, interest groups, lobby groups, as well as other interested individuals may attach importance to the medical information of military personnel. Antagonists may view such information as a vital tool for disseminating propaganda. As such, a military health care system would attract undue attention from a section of the society.
For various reasons, there are those that would opt to infect the system with viruses in an attempt to impair the operations of the computerized medical system. Others may opt to utilize the loopholes in the in the system’s security strategy. Accessibility of the system by unauthorized individuals presents a serious security threat. Unauthorized individuals may gain access whenever the staff leaves their work stations without logging off. They may then peruse medical information of individuals without the permission of the relevant authorities. In most instances, it may be difficult to hold these individuals accountable as they do not operate under the normal rules and regulations of the organization (Charles, 1993).
Proliferation of removable devices such as USB gadgets presents opportunities for downloading and storing data in tiny devices. Their portability presents a new category of risk as medical information can be illegally acquired by a click of a mouse. This poses a great risk to patients’ personal information as well as the medical facility’s trade secrets.
In some instances, information systems pose the challenge of denial of service. This interrupts the normal functioning of a health facility, a scenario that endangers the lives of patients. Denial of service may emanate from malicious actions of sending floods of unnecessary requests to the organizations’ servers. These actions overwhelm the server, a scenario that denies legitimate users a chance to access their medical information. This may lead to wrong diagnoses and treatments, situations which would end up complication the conditions of the sick persons. Moreover, denial of service may result into a significant downtime, and this would result into financial losses for the organization. If the situation is not arrested, the losses may lead to ultimate collapse, and this would result to a loss of credible records, most of which would never be recovered (Antenucci, 1991).
In an information system, vulnerability is the weakness that allows a hacker or an activist to reduce the information assurance of a computerized system. For an online patient care system, vulnerability would result from an intersection between three elements: flaw or susceptibility, accessibility to the flaw, and the capacity to exploit the flaw. The activist or hacker may connect to the system through the application of a technique or tool that has the capability of exploiting the weakness. Vulnerability is also referred to as attack surface (Charles, 1993).
Although the definition of vulnerability may incorporate security risks, using the same terms interchangeably may lead to confusion. This is due to the fact that there can be no risk without the potential of a loss. As such, there can be vulnerability without an associated risk. An example of this is when the value of the affected asset cannot be determined. There are various classifications of vulnerabilities. Vulnerabilities are classified according to impact the impact they have on the system. These assets include the hardware, software, network, personnel, organization, and site.
Vulnerabilities under the hardware category include susceptibility to duct, humidity, unprotected storage, and soiling. An online patient care system would hold crucial information pertaining people’s health. As such, if the hardware component of the system gets disfigured, operation of the whole system would be impaired, a scenario which would pose risks to the lives of military personnel. Under the software category, vulnerabilities include insufficient testing and inadequate audit trail. Software vulnerabilities pose the greatest risks to the medical system. this is because holding of information is facilitated by the software. In that case, software failure would effectively lead to loss of information.
Vulnerabilities that are classified under the network category include unprotected communication channels and unsafe network architecture. A significant amount of information is accessed during transit. Indeed, such an attack would be difficult to detect as it does not happen in the server computer where the administrator can monitor activities with ease. Site vulnerabilities include environmental calamities like a flood and unreliable power supply. Finally, organizational vulnerabilities that would expose this medical system to risks include inadequate audits and security as well as lack of continuity in planning.
2.3.Security Approaches to Protection
An online patient care system would require the utilization of accessible and dependable channels that can be easily protected from misuse. However, the need for accessibility has been blamed for some of the most detrimental vulnerabilities discussed in the previous section. The situation can be easily exacerbated by the organization’s failure to address obvious risks. Nevertheless, there are a number of health institutions that recognize that their operations are mission critical and, therefore, necessitate the incorporation of strategic security measures.
The proposed organization would ensure data security through incorporation of control frameworks so as to facilitate the conceptualization of the facility’s risk management plan. This would enable the adoption of a robust risk assessment procedure that facilitates compliance with the firm’s objectives. The adoption of Operational Critical Threat, Asset, and Vulnerability Evaluation, OCTAVE approach would lead to effective understanding, addressing, and assessment of the risks that are associated with the implementation of a communication system. This is because the adoption of OCTAVE methodology would facilitate the identification, prioritization, and management of security risks (Charles, 1993).
Effective security approaches are those that enable the organization to develop various criteria for risk assessment with a view of determining and evaluating potential consequences that the risks pose to the facility. As such, identification of vulnerabilities should be followed by an initiation of corrective actions so as to mitigate the risks in a manner that creates a practice-based protective strategy. These are the views that lead to the formulation of the OCTAVE methodology, a tool that would be effective in diffusing the challenges that the online patient care system would face.
2.4.Security Issues Related to Outsourcing
During the evaluation of outsourcing choices, the enterprise needs to consider the advantages and disadvantages of the option. This section evaluates the disadvantages associated with outsourcing as well as the impacts of such a strategy. Disadvantages include the loss of control and confidentiality, hidden costs, quality problems, and bad publicity.
Signing a contract with another firm turns the control and management over to another institution. This would increase the chances of data loss and accessibility to unauthorized persons. Extra challenges will result as the two companies may not be observing the same standards. As the contracted company would wish to maximize profits, it may end up providing substandard services in an endeavor to cut the costs of operation. Outsourcing would also introduce the challenge of hidden costs. As such, the medical facility would find it difficult to budget its operations. The challenges result from the fact that not all aspects of security are covered in contracts. Therefore, anything that is not covered under the terms of the contract attracts hidden costs, a situation that is considered disadvantageous during the negotiation process (Jeffrey, 1992).
Outsourcing introduces threats to confidentiality and security. This puts the survival of the organization at risk. The risk is attributable to the loss of confidentiality with regard to medical and payroll records. Various research studies have indicated that it is difficult to ensure that data is effectively protected. Effectiveness would only be possible if the contract provides for penalization of a party that fails to meet its obligations. Finally, outsourcing will tie the success of the system to the capability and financial standing of outsiders. This may compromise the quality of the services being offered.
3. Implementation of a Hybrid Cloud Solution
3.1.Challenges to the proposed solution
While implementing the hybrid cloud solution, the management will be tasked with addressing three main issues: Time, Usability, and Accuracy. The three are the drives that inspire the development of an automated system that would process and store personnel records. To achieve the effectiveness of the cloud solution, the management will have to address the issue of accuracy during data processing. As such, the initial challenge that the company faces involves the verification of data being processed. Verification is important as it ensures that the information that the system ends up storing information that can be relied upon during critical decision making.
The hybrid cloud solution is aimed at facilitating access to information that would enhance the credibility of a business’s transactions. The goal of the company is to have the right personnel in its ranks so as to enhance the organizational performance. As such, the management will be faced with the difficulty of ensuring that the procedure used in data processing delivers results that are reliable, understandable, and implementable. This is due to the danger of losing credibility, a scenario that would result if the system provides invalid reports (Allen, 2001).
The goal of the hybrid solution is to alleviate the disputes that arise during decision making processes. As such, the hybrid solution must be a system that facilitates access to information. This would, therefore, necessitate the development of a system that is easy to operate so that the executives and the end users can cooperate in formulating strategic goals and objectives for the organization. There will, therefore, be a challenge of ensuring accessibility of the information being stored in the hardware. Moreover, the information being generated must be presented in reports that are geared toward the formulation of precise decisions. This will be challenging as there are varieties of report formats, and it is difficult to have everyone agree on any one of them. Furthermore, there may be need to train the stakeholders on the application of reports during decision making processes (Layton, 2007). This requirement would lead to increased cost of operation, a situation which would strain the company resources leaving several vote heads inadequately funded.
There would also be the challenge of ensuring timely delivery of information. Most stakeholders anticipate solutions which the system may not handle. This is because, unlike the human beings, the hybrid solution cannot perform tasks that the developers did not provide for. As such, it may, at times, be a waste of time and company resources to search for solutions that the system cannot provide. The time wasted may result into lost opportunities for the company, and this would lead to loss of revenue (Allen, 2001).
On the aspect of security, the automated system exposes the personnel records to a number of risks. Most of the risks are associated with unauthorized access to personnel data. Such fears may prompt the personnel to withhold vital information, a situation that may reduce the credibility of the data on records. Additionally, hackers, competitors, and activists may gain access to important data and trade secrets. Such a loss of confidentiality would expose the company to malicious onslaughts, a scenario which would lead to the collapse of the enterprise.
3.2.The Information System Manager
The protection of data will be the responsibility of the manager in charge of information systems. The executive board will delegate the roles of planning, directing, and coordinating activities associated with the electronic information processing and data recovery so as to ensure safety of personnel records. To ensure that the development team addresses the issues of security, the manager will review the activities being undertaken by the developers and system analysts, and in consultation with other stakeholders, assess the security needs and requirements of the system. He will direct the development of security enhancement technologies so as to ensure control and data recovery after a disaster (Layton, 2007).
The information system manager will be required to manage backups and approve programs and system charts prior to their implementation. As such, he will be the one responsible with the evaluation of the technology being used as well as the project requirements and feasibility. As the leader tasked with daily procedures of the system, he will be required to analyze workflows, establish priorities, set deadlines, and develop standards that aim at enhancing the system’s information security.
3.3.Issues of Concern
Service providers and software vendors will be expected to address a couple of issues during the implementation of the hybrid solution. These issues include that manner in which data is gathered and planned as well as how the resources are coordinated during decision making processes. Since reliance on shared data and technology present the organization with ethical and security consequences, I would wish to query the providers and vendors on the basics of information systems.
I would ask the vendors to explain how the information systems will be used in the planning, coordination, and control of business decisions. I would also seek an explanation regarding the software and hardware tools that will be involved in the implementation of the system. Due to the importance that is attached to information system security, I would require an explanation on how the experts will secure the information and technology that are associated with the information system. Additionally, I would query the manner in which internet communication would be secured from activists and hackers. It would also be necessary for vendors to address the issue of ethical dilemmas that are associated with the incorporation of the system. In particular, I would seek more information regarding the success in the proper use of information and equipments during the dissemination of the data that has been collected form stakeholders.
3.4. Security Provisions
The managers of information systems are required to address various issues that emanate from the development of new technologies such as virtual worlds and other internet applications. This results into an ever-changing scenario, a situation that initiates constant changes. The changes are, at times, unforeseen, and as such, their rise presents stress levels that are difficult to tackle. Therefore, there are a number of provisions that facilitate secure computing while implementing a software system. Data security presents the biggest challenge to cloud computing. This is because cloud computing is a strategy that leads to loss of control, virtualized environments, multi-tenancy, and difficulties in auditing. These issues present security challenges to the organization (McNab, 2004).
The above issues require management to institute security provisions while incorporating cloud computing. Among the provisions include the demand that the cloud provider use secure methods during storage, transfer, and access of data files. As such, the institution should abide by the provision that described security protocols that relate to such processes. As a protocol, the stakeholders should be reasonable in their demands so that the implementation of the system serves as an effective method of reducing data loss. There should be a necessity to employ various security measures so as to facilitate vulnerability management. The organization should ensure that encryption and firewalls are utilized in order to enhance security of information (Allen, 2001).
Another provision addresses the issue of notification with regard to a security breach. This means that cloud computing should comply with the laws that are associated with bleach of notification. In regard to this, the organization may consider imposing penalties in situations where data security is compromised. When these issues are effectively addressed, the security of the system as well as the data is enhanced.
4.Implementation of a Mobile Application
4.1. Cyber Security Concerns associated with Mobile Devices
Mobile devices refer to a class of devices built at their core around ease of connectivity and accessibility of online services. They offer many merits in increased productivity of client, corporate and personal data. Not only are they used in communication, they are also used in carrying personal and sensitive data. In the past few years, mobile devices have rapidly increased in both functionality, and power and their popularity risen exponentially. The platform for these devices becomes similar to portable computers and desktops but their unique qualities demands unique security risks. The easily downloaded and installed applications open the platforms up to malware. Invariant changes in software and hardware configuration render challenge with data security in the mobile devices as compared to desktops and portable Computers. Hackers were once inspired by personal ill fame and curiosity, but mobile devices have shifted these to financial gain.
Smart phones support multiple bands to enable ease of roaming on a wide range of network. This may allow a hacker to force the device to register with an insecure protocol which it would normally allow the hacker to decrypt data. The mobile device then would forward all traffic through the protocol allowing complete interception of data streams. Hacker would then impersonate the sending host and gather sensitive information about the organization which the hacker would use to gain financially.
Hackers use malware to steal business, personal data, or impersonate mobile device connectivity. They pirate application, add malicious code, and trick mobile users to download them. Once mobile users install these pirated applications on their phones, hackers steal their personal and business data. This malware might also sign them up without their knowledge for text message subscription services which would charge them, and the money deposited in the hackers accounts.
4.2.“Baking” the software development process for mobile applications
During the development of mobile applications, developers can develop applications that scan other application when people try to download them to their smart phones. These scanning applications prevent installation of malware, and they alert mobile user when they visit or click unsecure link.
Developers can also use sandboxing to secure the mobile applications. Sandboxing refers to a security technique for creating restrained execution surrounding used for running unknown programs. The technique reduces the level of un-trusted program posses of accessing the application (McNab, 2004). It provides a tightly assured set of resources for un-trusted programs to run in such as space on memory and disk. It also protects programs from interfering, and as a result, increases the stability of developers’ applications. The developer should provide a safe environment where the mobile application executes and prevent interference from un-trusted programs.
4.3.Cyber Security Countermeasures
To countermeasures cyber security, the organization should take the following measures;
4.3.1.Regular Scanning of Applications
The organization should scan applications in smart phones for malicious malware. This scanning would remove malware from people’s phone and market. Scanning also would prevents smart phones applications accessing other applications, and inform mobile users if a malicious application gains access to their contact list or location.
4.3.2.Secure the Application, Device, Database, and Network
Wireless networks are always open and this can be used to mount an attack. The organization should take a hard look at its wireless network and access policies. The organization should request its internet provider regularly analyzing its network traffic to identify malware and problems that can limit traffic flow. The organization should use remote wiping and encryption technologies to guard users’ login details on the device. They should also lay policies that explicate what platform and devices should be supported and what protection witting conduct appears like. The organization should guard the mobile application and ensure it does not expose sensitive product data to other applications. They should also educate the application end user the risks prone to them (Layton, 2007).
4.3.3.Enforce Strong Process and Policies to Protect Data
The organization should put in place strong processes and policies to improve the security of the mobile application. The organization should train smart phone users’ use of security tools and give them guidelines on how to choose a strong password, and how to avoid losing their devices (Peltier, 2001).
4.3.4.Offers Incentives to Promote Security
The organization should consider offering incentives to promote secure conduct instead of punishments. The organization should also be in a position to distinguish malicious intent from accidents to prevent employees’ victimization. Workplace environment should be such that employees should feel comfortable knowing they can report a security breach with exemption.
4.3.5.Identify the Enemy
The organization should focus resources on areas where attack has the potential to result to significant damage. Technologies should be looked at from all possible ways someone could steal organization data or interrupt the network. The organization must take a holistic approach when covering its mobile applications (Peltier, 2001). It should implement multiple security layers to provide redundancies if any security layer gets compromised.
4.4.The key practices that ensure the security of mobile devices
To ensure mobile device security, smart phone users should do the following;
4.4.1.Configure Smart Phones Securely
Smart phone users should enable auto lock to avoid accidental phone operations. They should enable password protection and use strong passwords which are hard to crack. They should also avoid using features that remember passwords or username to prevent un-authorized access to their phones. Smart phone users should ensure appropriate configuration of browser settings to prevent exposing their sensitive login credentials to malware (White, 2003).
4.4.2.Turn On Encryption
Smart phone users should always use the strong security controls on their Phones. This will enable them to be careful and help them to have a high level of psychological disorder about what happens to their sensitive information. Users should consider using thin client models to ensure secure maintenance of their data. This helps avoid the issue of storing confidential user’s data on his/ her mobile devices. This also helps in avoiding developing new mobile solutions, once there is a release of new technology in the market (Peltier, 2002).
4.4.3 Request Authentication to login on their Smart Phones
Smart phones are too easy to lose without proper authentication. Users should turn on smart phone authentications, so that lost smart phones should not be easily accessed by the person who steals or find them.
4.4.4 Utilize Remote Wipe Capabilities
Smart phone users should remotely access and disable their smart phones in the event of theft or loss. They should ask their IT firms to give them these privileges so that they can ensure data protection (White, 2003). With the remote accessing capability, the device users would only take quick call to IT firm which will take care of the stolen smart phones.
4.4.5 Smart Phone users should consider control of Third Party Applications
Hacker’s pirate and add malicious code to most of third party applications. These malware steals sensitive information about users and Smart phone users limits the installation of un-trusted application to prevent hackers from commanding control of their devices (Peltier, 2002).