This report will discuss Deltex’s cybersecurity vulnerabilities, any crimes that may have been committed, company and director civil or criminal liabilities, how the company should respond to the attacks and breaches, and recommend changes that will minimise the risk and effects of further attacks.
The report has found that Deltex is highly vulnerable to cybersecurity attacks, may be civilly and criminally liable, and requires cybersecurity improvements to prevent further attacks.
- Deltex must prioritise the current attacks and deal with the most damaging. They should then limit any additional damage to the community and organisation.
- The company must improve technical security, re-train employees regularly, and test their attack-response capabilities if they want to prevent recurring and more damaging attacks.
- Directors must comply with disclosure regulations and seek legal counsel regarding any breaches of duty of care that may have
This report is limited by a lack of knowledge on Deltex’s current cybersecurity processes, a large number of attacks from multiple actors that require different and scaled responses, and fragmented evidence that may not represent the full scope of each attack.
Deltex’s Cybersecurity Vulnerabilities
Minnaar notes that our reliance on online information technologies creates a large range of vulnerabilities.1 No encryption is fool-proof and cybercriminals are finding innovative ways to breach systems. Below are some of Deltex’s cybersecurity vulnerabilities that were highlighted in the source documents.
An internet-enabled dishwasher that was unpatched. Document 3 shows how hackers used this appliance to slowly gain authorisation and access to all of their systems. Furthermore, document 12 illustrates that these hackers have used their access to identify patient treatment data and personal details to rob patients with opioid prescriptions, presumably to be sold on the black market.
Untrained staff (document 6) is another clear vulnerability which has caused employees to become susceptible to phishing emails (document 7), and has resulted in confidential information being released to an unknown party. Poor training may have also resulted in the ransomware attack against Deltex as employees may be unable to identify suspicious websites, downloads or attachments. However, Deltex may also have insufficient antivirus software and firewalls in place to protect employees from contracting viruses.
Poor defences to DDoS attacks. DDoS attacks, shown in document 2, on Deltex have prevented doctors from accessing and uploading patient information that is critical to the treatment of ill citizens. Document 1 demonstrates the danger of this restricted access as Dr Wilson was unable to connect to Deltex’s online patient information system.
Confidential and extremely sensitive information is accessible through an online platform and the only offline backups were kept in one place. This makes Deltex vulnerable to hackers seeking to disable Deltex’s services and systems for long periods of time, which document 10 demonstrates has happened.
Insufficient physical security of backed-up data as the fire mentioned in document 10 may have been a physical attack on Deltex’s data.
Medical devices are vulnerable to cybersecurity attacks. Specifically, Williams and Woodward note the vulnerability of pacemakers to cybersecurity attacks as they can be controlled wirelessly.2 This, combined with documents 5 and 9, makes the sudden failure of the pacemakers and death of Barnabus Toyce, a fierce advocate against North Korea, look suspicious. Additionally, Toyce’s ex-husband has personal reasons for possibly organising an attack against him. Williams and Woodward explain that successful attacks on pacemakers have occurred before due to a lack of ‘device embedded security controls’.3 This highlights a critical vulnerability for Deltex.
Crimes That Should Be Reported To The Police
Lindsay notes the difficulty in identifying the criminals behind cybersecurity attacks and the consequent ineffectiveness of retaliation,4 and Manning highlights that the development of law lags behind social technological changes.5 Therefore, it is more effective for organisations to spend resources on preventing and minimising the effects of attacks rather than relying on policing abilities. However, once breached an organisation should preserve evidence and report any crimes to the police for attempted prosecution.
There are several cyber-crimes that Deltex can report to the police. These crimes are:
Dishonestly obtaining or dealing in personal financial information: s480.4 Criminal Code Act 1995 (Cth).6 The attack on the batch processing program to obtain financial information and steal Deltex’s payroll funds is a contravention of the Criminal Code Act, which makes breachers criminally liable.
The DDoS attack which impaired electronic communications between doctors and Deltex’s patient information system and the attack that may have sabotaged pacemakers. These contravene s477.3 of the Criminal Code Act 1995 (Cth): unauthorised impairment of electronic communications.7
The ransomware attack that has prevented staff from accessing their computer files is a contravention of s478.2 of the Criminal Code Act 1995: unauthorised impairment of data held on a computer disk.8
Illegally accessing confidential patient information to rob houses for prescription opioids is clearly unauthorised access, modification of, or impairment with intent to commit a serious offence; s477.1 Criminal Code Act 1995.9
The access and modification of Sydney Memorial Hospital’s patient treatment data breaches s477.2 of the Criminal Code Act 1995: unauthorised modification of data to cause impairment.10
Company and Director’s Civil or Criminal Liability
The company and directors can face civil and criminal liability for several reasons when a cybersecurity breach has occurred. Lunn notes that there has been a transformation from protecting directors to making them liable for cybersecurity oversight, or lack thereof.11 This transformation is not just occurring in the United States; Australian legislation also makes directors responsible for their actions preceding and during a breach.
Deltex’s directors may find themselves in breach of their director’s duties for failing to implement adequate cybersecurity procedures to prevent hackers from accessing their systems, regularly training staff, and securely storing sufficient backups of data. This would breach s180 of the Corporations Act 2001 (Cth),12 making the directors civilly liable where victims or victims’ families may seek damages. Page, Kaur and Waters state that directors must ‘inform themselves of the risks facing their companies so they can discharge their duty to exercise reasonable care, skill and diligence’.13 If directors’ inability to prevent these attacks is considered reckless and dishonest, then directors would be in breach of s184 of the Corporations Act,14 making them criminally liable. This would result in fines and possible imprisonment.
Another issue from these attacks would be that the directors must comply with the ASX’s continuous disclosure listing rules,15 and s674 of the Corporations Act 2001 (Cth),16 as the compromise of Deltex’s patient information systems, payroll program, patient treatment data, and attack on Yunex pacemakers will significantly lower Deltex’s share price once this information is made public.
Similarly, Deltex will have to disclose the current risks affecting the company and what they are doing to respond and prevent further attacks against the company in their annual reports and merger proposals (document 11). This is so that current and possible future investors are aware of the risks of investing in the company, and that the organisation Deltex is planning to merge with is fully aware of the issues Deltex is facing. This is so that investors can make informed decisions based on accurate information that does not mislead them. Failure to do this will make Deltex civilly liable to shareholders.
Keogh, Gordon and Marinovic17 also note that Deltex will have breached the Privacy Act 1988 (Cth).18 This is because the attacks have resulted in the disclosure of personal information due to inadequate protection and risk management. Deltex must inform the Australian Information and Privacy Commissioner as well as individuals affected by the data breach (Privacy Amendment Act 2017).19
Deltex also has a duty of care to its users, and may be liable for the personal data compromises and robberies that have occurred due to the theft of their data. This could result in fines or damages that must be paid.
Response to Attacks and Breaches
Doctrines or conceptual frames that respond to and prevent cybersecurity attacks are themselves ineffective. The cybersecurity world is ‘incredibly complex…with vastly more actors, and massively more distributed technologies’.20 Therefore, a variety of sources will be applied to Deltex’s situation to most effectively respond to these attacks.
Dhillon’s article on responding to cybersecurity breaches focuses on first surveying the damage.21 Deltex must take stock of the attacks, where they are coming from, and their effects. This is important for identifying what strategies Deltex should employ in response to the attacks. Currently, the attacks include DDoSing, ransomware, pacemaker hacking, patient data breaches, payroll hacking, a financial attack and a phishing attack. These attacks are possibly coming from darknet hackers, the company Deltex is planning to merge with, North Korea as an assassination of Barnabus Toyce, Toyce’s ex-husband, or an insider aiming to profit from confidential information or sabotage.
Next, Deltex should protect the crown jewels. This means prioritising the infrastructures, systems or services that should be most protected.22 Currently, there are too many attacks occurring for Deltex to simultaneously respond to all. The most severe is the patient information data breach as it affects thousands of users and is resulting in robberies. Next, the attack on Yunex pacemakers. This attack has already caused the death of one patient (document 9) and may result in further deaths. After such attacks are handled Deltex can then focus on the other attacks that are less severe as they affect solely the company. Active cyber-defensive strategies must be implemented to divert hackers and prevent them from re-breaching systems. Iasiello recommends effective tools and denial and deception strategies in his article.23 The range of tools means each attack has an appropriate solution.
Dhillon then advocates limiting additional damage.24 Deltex must contain the impact of these breaches to eliminate or slow their effect on the organisation and its stakeholders. Strategies may include taking systems offline, and enlisting help from authorities or NGOs to prevent the distribution of data already breached. Communicating with users to implement individual security procedures is also crucial to limiting the damage.
It’s important to restore and analyse the systems and services that were attacked to establish whether they will work again or are compromised by viruses and backdoors left behind by attackers.25 Dr Ron Sugar also advocates running test drills to further identify and fix areas of concern.26
Continuous preservation of evidence throughout the breach response process is important for assisting third parties and government agencies in prosecuting attackers and repairing the damage of these breaches.27
Finally, a plan to implement changes that will minimise the risk and effects of further attacks should be developed.
Recommended Changes to Minimise Risk of Attacks and Breaches
As many cybersecurity experts put it, there are those who know they’ve been breached and those who don’t. Breaches and attacks are inevitable, so it is essential that changes are made and processes implemented to minimise this risk and limit their effects.
Improving technical security processes to attempt to prevent the wide range of cybersecurity attacks now present, and new developments, is critical. Chowdhury notes that attacks on health informatics are increasing as they are a high-value target for hackers, so mitigation strategies must be cutting-edge.28 The Australian Defence Signals Directorate has published a range of pragmatic strategies to mitigate targeted cyber-intrusions which Deltex can implement.29
Just as important as technical factors is the education and training of employees.30 This should be done by establishing programs and monitoring the continuous re-training of employees every 12-18 months so that the organisation is regularly exposed to emerging threats. A new training and evaluatory method, which Deltex should consider, is the use of gamification in cybersecurity education, which is engaging and practical.31
Data compromise and modification had the greatest effect on Deltex. Whilst technical processes may not be able to prevent all breaches from occurring due to the enormity of attacks, actors and their resources, frequent backups of data, stored securely and in multiple locations, are integral to security. Chinthapalli advocates that data should be backed up every hour,32 particularly in health-service organisations that have a duty of care to doctors and their patients.
After implementing such changes, Deltex should employ an independent firm to undertake a simulated attack on Deltex to test their security levels and ability to respond to attacks. Deltex can then work with the firm to identify and fix security weaknesses and improve responses. The simulation should be kept secret from employees so as to ensure an authentic response occurs, and should be repeated annually. Firms in the energy industry have to protect sensitive data, like Deltex, and advocate using simulations to ‘safeguard critical facilities from terrorist and cyber threats’,33 both of which Deltex may have experienced (documents 5 and 9).
De Bruin and Von Solms highlight the importance of communicating with the board on cybersecurity.34 Without communication, the board is likely to have little understanding of the organisation’s cybersecurity processes, strategies, and ability to respond in crises. Whilst De Bruin and Von Solms emphasise a need for improved reporting processes,35 Dr Ron Sugar explains that direct contact with the board is much more important.36 Regularly consulting the board face-to-face can educate them on cybersecurity issues and needs, and garner commitment to cybersecurity goals. Furthermore, this may help develop a cybersecurity-positive culture.
These changes will minimise the risk and effectiveness of breaches, but not totally prevent them. So firms constantly need to update strategies and plans so that responses can be improved in proportion with emerging threats.
Articles, books and reports:
Bruin, Rossouw De and S H Von Solms, ‘Cybersecurity governance: How can we measure it?’ (Paper presented at 2016 IST-Africa Week Conference, Durban, South Africa 11-13 May 2016)
Chinthapalli, Krishna, ‘The hackers holding hospitals to ransom’ (2017) 257 British Medical Journal
Chowdhury, Abdullahi, ‘Recent Cybersecurity Attacks and Their Mitigation Approaches- An Overview’ (In: Batten L., Li G. (eds) Applications and Techniques in Information Security, ATIS 2016, Springer, Singapore, 2016)
Dhillon, Gurpreet, ‘What to do before and after a cybersecurity breach?’ (2015) Changing Faces of Cybersecurity Governance 7
Donaldson, Scott E. et al, Enterprise Security: How to Build a Successful Cyberdefense Program Against Advanced Threats (Apress, 2015)
Iasiello, Emilio, ‘Hacking Back: Not the Right Solution’ (2014) 44 Parameters 105
Jorgensen, Robert, Dale Rowe and Neil Wyler, ‘Competitions and gamification in cybersecurity education and workforce development and evaluation of real world skills’ (2017) 33 Journal of Computing Sciences in Colleges 155
Keogh, Karen, Chelsea Gordon and Patricia Marinovic, ‘Global developments in cyber security law: is Australia keeping pace?’ (2018) (42) LSJ: Law Society of NSW Journal 82
Lindsay, Jon R., ‘Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack’ (2015) 1 Journal of Cybersecurity 53
Lunn, Brad, ‘Strengthened Director Duties of Care for Cybersecurity Oversight: Evolving Expectations of Existing Legal Doctrine’ (2014) 4 Journal of Law and Cyber Warfare 109
Manning, Colin, ‘Old Laws, New Crimes: Challenges of Prosecuting Cybercrime in Ireland’ (Cork Institute of Technology, Cork, Ireland, 8 February, 2016)
Minnaar, Anthony, ‘Crackers, cyberattacks and cybersecurity vulnerabilities: the difficulties in combatting the new cybercriminals’ (2014) 2 Acta Criminologica: Southern African Journal of Criminology 127
National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity version 1.1 (2018)
Page, Joanna, Madison Kaur and Emma Waters, ‘Directors’ liability survey: Cyber attacks and data loss- a growing concern’ (2017) 1 Journal of Data Protection & Privacy 173, 176
Thomas, Liisa and Amber C. Thomson, ‘From panic to pragmatism: De-escalating and managing commercial data breaches’ (2018) 2 Cyber Security: A Peer-Reviewed Journal 17
Weber, Steven, ‘Coercion in cybersecurity: What public health models reveal’ (2017) 3 Journal of Cybersecurity 173
Williams, Patricia AH and Andrew J Woodward, ‘Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem’ (2015) 8 Med Devices (Auckl) 305