Table of Contents
Structure of the Organization.
Structure of Database.
Attack Procedure and Motive.
Application of Cryptography.
Online business and internet-based work are growing rapidly with the progress of information technology. The internet lets people work from remote places and also access online services for entertainment. It thus provides a reliable platform for many users, such as professionals, business people and investors, who depend exclusively on the online network. This platform lets users share and manage data, exchange business information, hold video conferences, carry out commercial transactions, make online purchases and so on; in brief, most people around the world depend on the internet (Floyd, et al., 2016). Internet use is not limited to businesses or adults, however; children use it too. With the emergence of mobile operating systems such as Android, children play games that may require an internet connection.
Adults such as business people are more or less aware of the network threats posed by hackers while the network is active (Mangipudi, et al., 2019). They may take measures to prevent an attack, but most of the time they fail and the attack occurs silently. Children engaged in gameplay, by contrast, are far less aware of network attacks. When the internet connection is switched on, hackers intrude into the system and steal sensitive information such as personal details, email IDs and contact numbers, whose exposure undermines the security of the system. This operation by hackers or cybercriminals is referred to as a data breach. It is a problem not only for individuals but also a major problem for organizations (Krishnan & Vorobyov, 2013).
This paper discusses an organization named Macmillan Games. Macmillan Games has faced security attacks on its system and needs to enhance its technology to protect it. The most serious incidents it faced were the leak of job details and the breach of employee information, along with the users' server information (Adlakha, et al., 2019). On detecting this, the organization concluded that it was under a social engineering data breach attack, which it will investigate. The security and data breach caused by this cybercrime are discussed in the following sections.
Macmillan Games is a medium-sized organization that deals in games for children aged 7 to 11 years. It has about 1000 employees around the world and has been operating since 2000. It sells its games online using the Transaction Management System, which helps it manage the games through its internal system (Li, et al., 2016). The games come in three plans, distinguished by payment:
Free Game: This can be played by new users without payment. Revenue from the free game is collected by showing advertisements within the game.
Monthly Payment: Advertisements are annoying during play, and most game lovers dislike them. Paying monthly removes the advertisements from the game, but this plan is not the cheaper one (Fang, et al., 2019).
Yearly Payment: This is the cheaper scheme; it is paid yearly and lets the user play the game without seeing any advertisements.
The organization offers the variety of game services stated above. In addition to the services and gaming plans, the Transaction Management System manages virtual pounds, which are treated as a prepaid credit card for the employees. Employees use this prepaid credit internally to pay for different services within the company (Demjaha, et al., 2019). They pay vendors for such items in virtual pounds, and are allowed to spend them on drinks from snack machines, stamps from the post office and food from the catering service.
The organization has its own structure for game management, which is discussed below:
The organization of Macmillan Games is shown in Fig-1. It consists of the Finance Department, IT Department, HR Department and Administrative Department. The departments are headed by the CEO of the organization.
The management of the game service is handled technically by the IT department. It is headed by the CIO and is divided into four segments, each responsible for a different operation: control of the network and server infrastructure, security management, software development and web development.
The organization's system relies on authentication services. To register a new user, credentials such as the email ID and password are required, from which the user ID is created within the system. The user ID is essential for logging in and for playing the game. After login, the user is able to play the game (Algarni & Malaiya, 2016). The user ID is assigned by the system administrator when a new user wants to create an account for playing games. After getting the user ID, the user can log in and play. The user can then select a game plan: the free plan, monthly plan or yearly plan. In that case, the user pays online with a bank card, and all the details are stored in the database (Barona & Anita, 2017).
So the database contains all the user details (personal and financial), employee details (personal and financial) and the organizational data (financial transactions and maintenance). These were the organization's points of vulnerability, through which the data breach occurred.
The organization structured the system so that games are easy to use and to market. However, alongside some strengths in the database, the system has significant weaknesses that create risk, and because of these the data breach took place (Tyks, 2012).
The administrator creates a log of user events while users are accessing the games. This lets the administrator view the operations currently in progress. The log is used to show which user is currently playing, the time and date of play, and the list of events created by the user. This enables user tracking within the system.
Although the log system helps in viewing the events created by users, it has drawbacks. The initial drawback was that the log showed only the group that created an event (Tyks, 2012), so events could be observed only at group level. This means that if a user logged into the game system and made a change as a member of group X, the log would show that someone had changed the log or event rather than showing the user ID or user details. This allows a hacker to modify the system configuration, as nothing is shown on the portal. This is the main drawback that helped the hackers steal the database records (Naldi & Flamini, 2017).
The primary risk factor for the organization is weakness in system management and record keeping, as the infrastructure of the event and log service is not strong. Additionally, the system does not insist that users have strong passwords, and this became a vulnerability because a weak password can easily be cracked (Hammouchi, et al., 2019). Thus the hackers intruded into the database and stole many records, including user details and employee details along with information about financial transactions.
The management identified the issue that had arisen within the system and investigated every department related to data management and to coordinating the playing of the games. The investigation was launched because Harry found that a large amount of data, including PII, had been extracted from the system (Tyks, 2012). Tom was going through the logs to check whether any security patches had been enabled in the system, but found that someone in the administrator group had fetched the data at an unusual time, around 2 am, when all the employees were signed off. This caused a great disturbance, and so the investigation was run. Harry and the Auditor planned to conduct the investigation systematically and then submit a report (Krishnan & Vorobyov, 2013). With that investigation they came to the following points:
Through that investigation, the mode and motive of the hackers' network attack were established; they are discussed in the following section.
The auditor found that the system was attacked because of lax security: the system does not have high-end security, and the organization is not much interested in upgrading its security policy. Because of this, the hacker easily penetrated the system and stole records from the database. The auditor noted suspicious activity by the contractor, who was the middleman for the system upgrade and had asked the administrator for the username and password (Barona & Anita, 2017). The auditor found that this person might be guilty, as the contractor is part of the administrator group and the data leak also came from the administrator group. The auditor therefore advised looking into the contractor's actions.
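The group-only log and the 2 am access by an administrator-group member described above suggest a concrete check. The following is an added example, not part of the original paper: it assumes a log format, constructed here, that records the individual user ID alongside the group, and it flags administrator-group events outside working hours that touch many rows. The field names, user IDs, working hours and row threshold are all assumptions.

```python
from datetime import datetime, time

# Constructed sample events (not from the case study). Each record names
# the individual user as well as the group, unlike the group-only log.
SAMPLE_LOG = [
    "2020-03-02T10:14:05 user=emp-017 group=administrator action=read table=patch_status rows=12",
    "2020-03-03T02:03:41 user=ctr-004 group=administrator action=export table=customers rows=48210",
    "2020-03-03T02:09:12 user=ctr-004 group=administrator action=export table=employees rows=1000",
    "2020-03-03T14:30:00 user=emp-233 group=support action=read table=customers rows=1",
    "2020-03-03T23:59:59 group=administrator action=export rows=many",  # malformed
]

WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed working hours
BULK_ROWS = 500                                  # assumed bulk-read threshold


def parse_event(line):
    """Parse 'timestamp key=value ...' into a dict; raise ValueError if unusable."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    for field in ("user", "group", "action", "table", "rows"):
        if field not in event:
            raise ValueError(f"missing field: {field}")
    event["time"] = datetime.fromisoformat(stamp)
    event["rows"] = int(event["rows"])
    return event


def off_hours_bulk_access(lines):
    """Return (alerts, rejected); each alert names the individual user."""
    alerts, rejected = [], []
    for line in lines:
        try:
            event = parse_event(line)
        except ValueError:
            rejected.append(line)  # a record with no user is itself a finding
            continue
        in_hours = WORK_START <= event["time"].time() < WORK_END
        if event["group"] == "administrator" and not in_hours and event["rows"] >= BULK_ROWS:
            alerts.append((event["user"], event["time"].isoformat(), event["table"], event["rows"]))
    return alerts, rejected


if __name__ == "__main__":
    found, bad = off_hours_bulk_access(SAMPLE_LOG)
    for alert in found:
        print("ALERT", *alert)
    print(f"{len(bad)} record(s) could not be attributed to a user")
```

Records that cannot be attributed to a user are returned separately rather than dropped, since unattributable events are exactly the weakness the case study describes.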
Attack Procedure and Motive
As observed, the event is an attempt at social engineering, which can be carried out with different tools and techniques. The possible methods of theft initially considered are as follows:
Procedure-1: Phishing, through which data can be stolen from the server without being observed by the user or the administrator (Hammouchi, et al., 2019).
Procedure-2: SQL injection, another procedure through which unauthorised intrusion into the database can be achieved.
Procedure-3: Information stealing, which requires proper knowledge of the server and can only be done by a person who is a member of the group or organization (Adlakha, et al., 2019).
In this case Procedure-3 was applied, since the previous discussion showed that the event log was modified by a person in the administrator group.
The main motive of the hacking is to sell the user accounts on the black market. As the details include transaction details with bank information, a large sum of money can be earned from the sale. After investigating for some weeks, the Auditor found that the hacker was none other than the Contractor. Her only obstacle was access to the Transaction Management System, which she gained by obtaining the IP address (Mangipudi, et al., 2019).
In such a case, a cryptography policy works better than reliance on trust in employees. As seen from the case study, internal employees cannot be relied upon for the operation. Under a cryptography policy, the username and the password can be encrypted using available algorithms such as Blowfish, RSA or Triple-DES (Fang, et al., 2019). The username is then displayed in encrypted form and cannot be readily recognized. This will prevent unauthorised access to the account irrespective of whether the IP address is identified. The demonstration is shown below:
Original username: htolman (for Harry Tolman)
Encrypted username:
THqsvEQtnrbjYOpQbjJkpQ== (using Blowfish)
5GIpWC1kwL8N9I1N8iLCCE2/vI11L0E9Q/ga8Aaf7Ig= (using RSA)
nXV3QAuCH7R3U3o8Nztp9g== (using Triple DES)
Key: AB BC CD DE EF F0 01 1F
So the username cannot be identified, and the same strategy can also be applied to password encryption. The key is private to the head of administration or the CEO. So even if the hacker identifies the IP address, that does not mean access to the database is possible (Floyd, et al., 2016).
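An added example, not part of the original paper: the demonstration above applies reversible ciphers to credentials, whereas for the password itself a common alternative is a salted one-way hash, so that nobody holding a key, including a member of the administrator group, can recover it. The sketch below uses PBKDF2 from Python's standard library in place of the ciphers named above and also enforces the strong-password rule whose absence the paper lists as a weakness; the policy thresholds, iteration count and sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumed work factor; tune to the server's capacity


def is_strong(password, username):
    """Assumed policy: 12+ characters, 3 of 4 character classes, no username."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    contains_name = username.lower() in password.lower()
    return len(password) >= 12 and classes >= 3 and not contains_name


def enroll(username, password):
    """Reject weak passwords, then store only salt, work factor and digest."""
    if not is_strong(password, username):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record, candidate):
    """Recompute the digest for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed sample credentials for the username used in the demonstration.
    record = enroll("htolman", "Correct-Horse-42-Battery")
    print("correct password accepted:", verify(record, "Correct-Horse-42-Battery"))
    print("wrong password accepted:  ", verify(record, "correct-horse-42-battery"))
```

Because the stored record contains no decryption key, a stolen database row does not reveal the password directly; an attacker must guess candidates at the cost set by the iteration count.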
You used too many words in the introduction and background of the paper. Due to this, word count for this section has fallen short. You need to offer solutions (more than one) to the weaknesses and evaluate them using literature sources.
This paper has analysed and evaluated the security management of Macmillan Games. From the background of the organization, the basic security infrastructure and administrative practices were identified and found to be very weak. For this reason the data breach took place. The strategy of the attack and the motive of the hacker were analysed, and it was identified that the hacking was done for money by the contractor. Lastly, a proposed solution was provided through the application of cryptography. Thus, the analysis and the investigation are successful.
Adlakha, R., Sharma, S., Rawat, A. & Sharma, K., 2019. Cyber Security Goal’s, Issue’s, Categorization & Data Breaches. International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), pp. 397-402.
Algarni, A. M. & Malaiya, Y. K., 2016. A consolidated approach for estimation of data security breach costs. 2nd International Conference on Information Management (ICIM), pp. 110-115.
Barona, R. & Anita, E. A. M., 2017. A survey on data breach challenges in cloud computing security: Issues and threats. Circuit Power and Computing Technologies (ICCPCT) 2017 International Conference, pp. 1-8.
Demjaha, A., Caulfield, T., Sasse, M. A. & Pym, D., 2019. 2 Fast 2 Secure: A Case Study of Post-Breach Security Changes. IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 192-201.
Fang, Y., Guo, Y., Huang, C. & Liu, L., 2019. Analyzing and Identifying Data Breaches in Underground Forums. IEEE Access, pp. 48770-48777.
Floyd, T., Grieco, M. & Reid, E. F., 2016. Mining hospital data breach records: Cyber threats to U.S. hospitals. IEEE Conference on Intelligence and Security Informatics (ISI), pp. 43-48.
Hammouchi, H. et al., 2019. Digging Deeper into Data Breaches: An Exploratory Data Analysis of Hacking Breaches Over Time. Procedia Computer Science, Volume 151, p. 1004.
Krishnan, P. & Vorobyov, K., 2013. Security and Privacy Protection in Information Processing Systems. Information system, Volume 402, p. 272.
Li, W., Yin, J. & Chen, H., 2016. Targeting key data breach services in underground supply chain. IEEE Conference on Intelligence and Security Informatics (ISI), pp. 322-324.
Mangipudi, E. V., Rao, K., Clark, J. & Kate, A., 2019. Towards Automatically Penalizing Multimedia Breaches (Extended Abstract). IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 73-78.
Naldi, M. & Flamini, M., 2017. Calibration of the Gordon-Loeb Models for the Probability of Security Breaches. Computer Modelling & Simulation (UKSim) 2017 UKSim-AMSS 19th International Conference, pp. 135-140.
Tyks, R. A. a. J., 2012. Disaster at a University: A Case Study in Information Security. Journal of Information Technology Education: Innovation in Practice.