The Pros and Cons of Free College for All Discussion Discuss the pros and cons of free college for all. For this prompt, read the articles below and check
The Pros and Cons of Free College for All Discussion Discuss the pros and cons of free college for all. For this prompt, read the articles below and check out the requirements for free college in other countries. Many times we taut other countries but do not fully understand the restrictions and requirements that come along with certain government provided programs. Your use of careful, well thought-out statements and questions. (Original contribution) The degree of your involvement in the discussion (ongoing involvement) How you integrate other people’s comments into your own findings. (Interactivity) Length of entry (1st entry – minimum four paragraphs and 16 sentences / 2nd entry – minimum two paragraphs and link to scholarly article or website) Hackers launch cyber-attacks that affect several parts of the nation’s financial infrastructure over
the course of several weeks. Specifically, sensitive credit card processing facilities are hacked and
numbers are released to the Internet, causing 120 million cards to be cancelled; automated teller
machines (ATMs) fail nearly simultaneously across the nation; major companies report payroll
checks are not being received by workers; and several large pension and mutual fund companies
have computer malfunctions so severe that they are unable to operate for more than a week.
Identify the countermeasures that need to be implemented to prevent these cyber-attacks from
occurring in the future.
Question: Discuss what type(s) of countermeasures need to be implemented to prevent the
cyber-attack described above from occurring in the future. Be specific in recommending
countermeasures for this scenario.
Instructions:
•
Need minimum 400 words
•
Need 3 APA references
•
No plagiarism please
•
Need 3 Responses (150 words each)(Use uploaded document for responses)
Initial post 1:
Federal and state laws regulate mergers and acquisitions. Regulation is based on the concern
that mergers inevitably eliminate competition between the merging firms. This concern is most
acute where the participants are direct rivals, because courts often presume that such
arrangements are more prone to restrict output and to increase prices. The fear that mergers
and acquisitions reduce competition has meant that the government carefully scrutinizes
proposed mergers. On the other hand, since the 1980s, the federal government has become less
aggressive in seeking the prevention of mergers.
Despite concerns about a lessening of competition, U.S. law has left firms relatively free
to buy or sell entire companies or specific parts of a company. Mergers and acquisitions often
result in a number of social benefits. Mergers can bring better management or technical skill to
bear on underused assets. They also can produce economies of scale and scope that reduce costs,
improve quality, and increase output. The possibility of a takeover can discourage company
managers from behaving in ways that fail to maximize profits. A merger can enable a business
owner to sell the firm to someone who is already familiar with the industry and who would be in
a better position to pay the highest price. The prospect of a lucrative sale induces entrepreneurs
to form new firms. Finally, many mergers pose few risks to competition.
Antitrust merger law seeks to prohibit transactions whose probable anticompetitive
consequences outweigh their likely benefits. The critical time for review usually is when the
merger is first proposed. This requires enforcement agencies and courts to forecast market
trends and future effects. Merger cases examine past events or periods to understand each
merging party’s position in its market and to predict the merger’s competitive impact.
There are 3 regulations that are important for an engineering project
•
Defense acquisition policy
The policy aims in achieving optimum utilization of the funds allocated in the
procurement of military equipment and Systems. Example includes procurement of a defense
equipment.
•
Federal acquisition regulations
One of the regulations that is mentioned in the federal acquisition regulation is that
construction and architect engineering contract have to be subjected to the clause
mentioned in the policy document.
•
Pollution Prevention Act
Regulations are important for any engineering project as it helps to monitor the
activities that can cause hazardous situation that can prove to be loss to the economy in the
form of life or financial loss. Regulations help in better coordination among the suppliers and
vendors. Policies, regulations and acts are framed with respect to resulting in benefit for the
society and maintaining integrity and ethics throughout the industry.
Initial Post 2:
An attack of this magnitude had to be going on for quite some time. With the victims being credit
card processing facilities, ATMs (owned by financial institutions), major corporations (reporting
payroll problems), and large pensions and mutual funds being disrupted (owned by both financial
institutions and major corporations and investment firms), it’s clear that a multitude of tools,
techniques, and processes should have been in place ahead of the attack.
Without knowing how the attack took place, it’s difficult to come up with solid
preventative actions, at least from a technical standpoint. For example, if the hackers used
phishing emails like they did at The National Bank of Blacksburg (a bank in Virginia that lost over
$2 million in the scams), then training and protocols that strip out attachments from emails
(unless whitelisted) would be a good idea. In another recent incident, hackers got way with $20
million from a Mexican bank by exploiting bugs in a bank’s app because proper validation checks
hadn’t been done during a code review before implementation.
In the United States there are tons of laws and regulations that enforce the need for
preventative measures. In particular the payment card industry data security standard (PCI-DSS)
exists to protect credit card data like the 120 million accounts that were hacked in this scenario.
Presumably the PCI-DSS protocols were already in place, but it did not prevent the data leak, so
it’s probably best to look for deltas between what the PCI-DSS calls for and newer, more stringent
standards. Also, the PCI-DSS does require that a Qualified Security Assessor (QSA) review
individual firms to make sure they are compliant with the regulations. A good first step would
be to review that report (the last available for the firm that lost the credit card data).
The PCI-DSS is extensive, but it has tons of requirements for protecting cardholder data,
including but not limited to installing firewalls, prohibiting direct access between the Internet
and any system component that has cardholder data, requiring personally owned hardware (such
as cell phones) have firewalls, not using vendor supplied defaults, not storing sensitive data (even
if it’s encrypted), masking the PAN (the primary account number on the front of a credit/debit
card), etc. My guess is that some of these standards or guidelines weren’t adhered to during the
attack. This can be a seemingly simple oversight.
Sometimes even when strong security is implemented, an oversight in access control, for
example, can cause a cascading effect. The infamous Target hack of several years ago happened
despite the fact that the retail chain had implemented FireEye (a network monitoring platform)
and Symantec endpoint protection on all machines. Target had allowed an HVAC company direct
access to its networks, and that HVAC company was hacked. Hackers installed malware on point
of sale terminals, and from there, they were able to retrieve credit and debit card numbers.
Target didn’t do their due diligence in making sure that companies with federated access met
their own security standards, in this case.
Although difficult, I believe several frameworks should be analyzed. NIST standards
should be viewed and then tailored or scoped as needed for use by large corporations that fell
victim to this attack. Since the majority of the IT infrastructure in the United States is privately
owned, and FISMA only applies to government computers, it’s important to encourage
companies to take their security seriously. This comes from the top, and proper role and
responsibilities should be described in sufficient detail so that leaders and security practitioners
can make better assessments and more quickly patch vulnerabilities, etc. For example, the NIST
Special Publication 800-37, Rev. 1 gives us a breakdown of the Risk Management Framework
(RMF), including categorizing the system, selecting and implementing controls, assessing controls
for effectiveness, authorizing the system, and continuous monitoring. NIST Special Publication
800-53 breaks down several security-related roles such as the authorization advocate, the
designated approval authority (DAA), CIO, ISSO, Risk Analyst, etc. This is very important because
it requires buy-in from senior leaders (as they have a defined role in the overall security
governance of an organization), and it prevents the common problem of having IT personnel just
do the security.
Initial Post 3:
Financial institutions are the first target for adversaries as they can get hold of sensitive details
which has PCI and PII data. These institutions need to follow various security regulations to be
compliant. In datacenters PCI and PII zones are the most critical areas which needs protection
throughout their existence. Let’s start to think like a hacker, what do I target? A database server
with customer credentials and account details. Once I get hold of the data I need to initiate a
theft from the account and transfer it safely. The other way is to blackmail by holding the data.
These are critical because financial institutions end up paying them else they had to face the heat
from customers through lawsuits. Now going to the technical details network failures to defend
hacks is the prime known reason. But best practices with respect to critical services also add to
the risk of disruption. Network along with security best practices by auditing agencies should be
followed to avoid financial rupture.
To start with Network all the servers which does critical transactions have to encrypted
end to end over TLS to make sure the source and destination are trusted. User encryption should
be applied right after customer enters the details so that end to end communication is safe and
sound. PKI (private key infrastructure) helps in maintaining balance across the critical end points.
Every application that holds sensitive data (like PCI) should be password protected with multi
factor. PCI networks should be isolated from regular Corporate networks and access should be
limited to specific endpoints which are protected by multi factors like jump servers and VDI’s.
Enforcing defense mechanisms through vendors like Arbor helps in reducing large scale attacks
to targeted one’s. Application level security plays a vital role in shaping these financial
institutions. Every application needs to be setup to be fault tolerant and should be capable of
providing high availability incase of node failures. Limited port usage to limit the scale of attack
is the need of the hour. PCI compliance is one key thing which can’t be avoided. There are certain
guidelines set by regulatory agencies to make sure industry works on basis of standards which
are quite important for financial institutions.
Application specific devices come with watch dog timers. In case of multiple failed
attempts to login or access a device will be shut down as configured in watch dog timers. These
proved efficient many times and are usually seen in laptops. These timers can be added as an
external security or internal security. More often used in ATM’s provide a great use at times.
These watch dog timers are programmable and can be adapted to specific environments. As a
best practice customer should keep changing their account credentials. More often accounts are
vulnerable because of insufficient best practices. Banks should provide alert notifications when
changes are made to accounts at free of cost which will motivate customers use banking services
which in turn protects the credibility of institution.
Remote locations where digital transaction service cannot be provided should stick with
traditional payment system through banks and secured bank outposts to avoid irregularities.
Banks should make sure to use their own online processing channels rather than depending on
third party units to make sure compliance is followed at every step. Most institutions offload
these channeling to avoid excess costs. In case of attacks fault tolerant systems should be
activated to make sure secure channels are switched from time to time, this confuses adversaries
during the attacks. Financial institutions should shutdown systems in initial stages of attacks
which avoids in data leaks. Regular audits by PCI teams to make sure every zone is protected and
follows industry norms. Institutions should limit the exposure of sensitive environments like
database servers in high protected infrastructures to avoid physical intrusions. In event of
attacks, institutions should be ready with cash to avoid disrupting economy. Institutions should
work with customers to retain trust which indirectly prevents Chaos.
What happens after an attack? A hacker had to store the digital money to some known
account. Usually, citizens from other countries sponsor these attacks so that they will not be
liable to fraud. Countries should come together and make strict laws for foreign exchange.
Countries like Panama, Mauritius are infamous for such scams as they don’t have proper legal
MOU’s to punish these culprits. It is the duty of government to do its due by establishing proper
financial agreements to provide visibility to user foreign accounts. Switzerland is one country
which always takes the blame, but it is the responsibility of every country to work with countries
like Switzerland to avoid financial attacks.
Purchase answer to see full
attachment
