1. Missä tietoturva osa-alueissa seuraavat tapaukset ovat aiheuttaneet ongelmia?



Date: March 2011

Impact: Epsilon

Exposed names and e-mails of millions of customers stored in more than 108 retail stores plus several huge financial firms like CitiGroup Inc. and the non-profit educational organization, College Board.


The source of the breach is still undetermined, but tech experts say it could lead to numerous phishing scams and countless identity theft claims. There are different views on how damaging the Epsilon breach was. Bruce Schneier, chief security technology officer at BT and a prolific author, wrote in a blog post at the time that, "Yes, millions of names and e-mail addresses (and) other customer information might have been stolen. Yes, this personal information could be used to create more personalized and better-targeted phishing attacks. So what? These sorts of breaches happen all the time, and even more personal information is stolen." Still, Kevin McAleavey of the KNOS Project says the breach is being estimated as a $4 billion dollar loss. Since Epsilon has a client list of more than 2,200 global brands and handles more than 40 billion e-mails annually, he says it could be, "the biggest, if not the most expensive, security breach of all-time."


b) RSA Security

Date: March 2011

Impact:  Possibly 40 million employee records stolen.


The impact of the cyber attack that stole information on the company's SecurID authentication tokens is still being debated. The company said two separate hacker groups worked in collaboration with a foreign government to launch a series of spear phishing attacks against RSA employees, posing as people the employees trusted, to penetrate the company's network. EMC reported last July that it had spent at least $66 million on remediation. But according to RSA executives, no customers' networks were breached. John Linkous, vice president, chief security and compliance officer of eIQnetworks, Inc. doesn't buy it. "RSA didn't help the matter by initially being vague about both the attack vector, and (more importantly) the data that was stolen," he says. "It was only a matter of time before subsequent attacks on Lockheed-Martin, L3, and others occurred, all of which are believed to be partially enabled by the RSA breach." Beyond that, Linkous says, is the psychological damage. "The breach of RSA was utterly massive not only from a potential tactical damage perspective, but also in terms of the abject fear that it drove into every CIO who lost the warm-and-fuzzy feeling that the integrity of his or her enterprise authentication model was intact. Among the lessons, he says, are that even good security companies like RSA are not immune to being hacked. Finally, "human beings are, indeed, the weakest link in the chain," Linkous says.


c) Stuxnet

Date: Sometime in 2010, but origins date to 2007

Impact:  Meant to attack Iran's nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems.


The immediate effects of Stuxnet were minimal -- at least in this country -- but eIQnetworks' John Linkous ranks it among the top large-scale breaches because, "it was the first that bridged the virtual and real worlds. When a piece of code can have a tangible effect on a nation, city or person, then we've truly arrived in a strange, new world," he says. Linkous says Stuxnet is proof that nation-states, "are definitely actors -- both attackers and victims -- in the cyberwarfare game." He adds that the more that electro-mechanical industrial and energy systems migrate to larger networks -- particularly the Internet -- "the more we're going to see these real-world intrusions."


d) Sony's Play Station Network

Date: April 20, 2011

Impact: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.


This is viewed as the worst gaming community data breach of all-time. Of more than 77 million accounts affected, 12 million had unencrypted credit card numbers. According to Sony it still has not found the source of the hack. Whoever they are gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords. "It's enough to make every good security person wonder, 'If this is what it's like at Sony, what's it like at every other multi-national company that's sitting on millions of user data records?'" says eIQnetworks' John Linkous. He says it should remind those in IT security to identify and apply security controls consistently across their organizations. For customers, "Be careful whom you give your data to. It may not be worth the price to get access to online games or other virtual assets."



Miten hoidat seuraavat tapaukset tietoturvan kannalta mallikkaasti?

a) Sinun tarvitsee lähettää sähköpostilla liitetiedosto, joka sisältää erittäin luottamuksellista tietoa.

b) Haluat salata tietokoneen kovalevyltä tärkeitä tiedostoja luotettavaa salausalgoritmia käyttäen.

c) Haluat selvittää mikä hidastaa oppilaitoksen internet-yhteyden toimintaa merkittävästi.

d) Epäilet että muistitikulla on virus, mutta sinun tarvitsee saada muistitikun sisältämien tekstidokumenttien tekstit talteen.

e) Olet jäänyt lukkojen taakse viikonlopuksi rakennukseen läppärin kanssa josta löytyy tarvittavat ohjelmistot seuraavaan: etsi piilotettu WLAN, se on WEP-salattu. Miten pääset otta yhteyden ulkomaailmaan netin kautta. Sinulla ei puhelinta, rakennus vahvasti lukittu, olen maanolla kellarikerroksessa, netti on vaihtoehtosi selvitä viikonlopusta laihtumatta 10 kg.