Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!
It has been widely reported online, and readers will know by now, that Monster (http://www.monster.com) websites have been hacked. Confidential information has been downloaded, malicious scripts may have been uploaded, and who knows what else has been done. But the question is... WHY? Why was the site hacked in the first place? We understand that Monster has recently undergone a site upgrade - but still, that’s NO EXCUSE for not protecting confidential information. Let’s look at common terminology for the types of computer security incidents, and for computer security evaluation methods.
Off the top of my head I can think of at least 10 other job boards/recruitment sites which have failed security testing in the past 6 months. How do I know? I have been the one testing these sites and have found the data.
No... this is not "hacking" but programmers/employees leaving holes in software code, not protecting files (chmod, directory listings, etc.) or having just stupidly left files and confidential information online thinking "no one will be able to find it". Well, I have found it.
You must be proactive and vigilant with information stored online. Regular site testing and security checks by 3rd party professionals, as well as correct server configuration, can help you. Feel free to contact me regarding these website testing services, and if you ever receive an email from me regarding security - take note!
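As an added example (not code from the original post), here is a small Python audit of the kind a third-party check would run against a web document root, looking for the mistakes named above: world-writable files, directories without an index file (which a server with directory listings enabled will happily list), and leftover backup or dump files. The sample tree it builds, the suffix and name lists, and the finding names are assumptions for the demonstration.

```python
"""Added example, not from the original post: audit a web document root for
files and permissions that should never be exposed. Paths, suffix lists and
finding names are assumptions for the demonstration."""
import os
import stat
import tempfile
from pathlib import Path

# Suffixes that usually mean a backup, dump or editor temp file was left behind.
SENSITIVE_SUFFIXES = {".sql", ".bak", ".old", ".orig", ".zip", ".tar", ".gz", ".swp"}
# File names that usually hold credentials or server configuration.
SENSITIVE_NAMES = {".env", ".htpasswd", "database.yml"}
# A directory containing one of these is served as a page, not as a listing.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def audit_webroot(root):
    """Walk `root` and return sorted (finding, relative_path) tuples."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        directory = Path(dirpath)
        rel_dir = directory.relative_to(root).as_posix()
        # With Apache "Options Indexes" / nginx "autoindex on", a directory with
        # no index file is rendered as a listing of everything inside it.
        if not (INDEX_NAMES & set(filenames)):
            findings.append(("no-index-file", rel_dir))
        for name in filenames:
            path = directory / name
            rel = path.relative_to(root).as_posix()
            mode = path.stat().st_mode
            if mode & stat.S_IWOTH:
                # Anyone on the host (including a compromised web process) can alter it.
                findings.append(("world-writable", rel))
            if path.suffix.lower() in SENSITIVE_SUFFIXES or name in SENSITIVE_NAMES:
                findings.append(("sensitive-file", rel))
    return sorted(findings)


def _put(path, text, mode=0o644):
    """Write a sample file with an explicit mode so the demo is umask-independent."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    path.chmod(mode)


def build_sample_webroot():
    """Construct a throwaway document root with the mistakes the post describes."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    _put(root / "index.html", "<h1>Jobs</h1>")
    _put(root / "uploads" / "cv-123.pdf", "pdf bytes")            # no index: listable
    _put(root / "backup" / "index.html", "")
    _put(root / "backup" / "candidates.sql", "INSERT INTO ...")   # dump left online
    _put(root / "config.php.bak", "$db_pass = 'secret';", 0o666)  # backup, world-writable
    return root


if __name__ == "__main__":
    for finding, rel in audit_webroot(build_sample_webroot()):
        print(f"{finding:15} {rel}")
```

Run against a real document root, the same walk produces the list a reviewer would hand back: every listable directory, every writable file and every leftover dump. Permission bits are read with the standard `stat` module, so the check works on any POSIX host; the listing check only tells you a directory has no index file, so pair it with the server's actual `Indexes`/`autoindex` setting when deciding what to fix.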
Types of Computer Security Incidents
Insider abuse of access - An employee or person authorised to use the business's computer system abuses this access, such as by downloading a large amount of data, or accessing the internet for personal use against the business's IT policy
Theft or loss of hardware - Hardware, such as laptops, PDAs (personal digital assistants) or other devices, is lost or stolen and not recovered. Does not include hardware that is damaged or destroyed.
Virus or other malicious code - Software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse. It may be either self-replicating or non-self-replicating code (any statements and/or declarations written in a computer programming language) that changes the way a computer operates without the consent or knowledge of the system owner or user. This includes all types of malware (malicious software) except spyware
Spyware - Software designed to secretly collect information from a computer and send it elsewhere (e.g. key loggers), or to change settings and interfere with the performance of a compromised computer
Phishing - Assuming the identity of a legitimate organisation or website, using forged email, fraudulent websites or instant messaging services such as MSN, to persuade others to provide information – usually personal financial details such as credit card numbers, account user names, passwords and social security numbers – for the purpose of committing fraud.
Denial of service attack (DoS attack) - An attack aimed at specific web sites that floods the web server with repeated requests, depleting system resources and denying access to legitimate users
Sabotage of network or data - Intentional destruction of, or damage to, a computer network or to data stored on a network or stand alone computer
Unauthorised network access - Obtaining access to a restricted computer network, without providing adequate credentials such as logon name and password
Theft or breach of proprietary or confidential information - The unauthorised access to, and/or use, viewing, duplication, distribution or theft of, proprietary or confidential information. Proprietary information is information relating to or associated with the business’s product, business or activities. It includes, but is not limited to, items such as trade secrets, research and development and financial information.
Incident involving the business’s web application - Any malicious or destructive incident that involves this business’s website. This might include placing unauthorised information on a website or preventing it from being used as intended.
Corruption of hardware or software - Damage to computer hardware or software that renders it, in part or in whole, non-operational
Corruption or loss of data - Damage to or interference with data that renders it, in part or in whole, unusable
Unavailability of service - Making the operations of your business either in part or in whole unavailable
Web site defacement - Damage caused to a public web site that limits or prevents its intended use
Non-critical operational losses - A disruption to your business that did not cause suspension or severe damage to your business’s operations
Non-critical financial losses - Loss of money or value to your business that did not cause a severe negative alteration to your business’s financial state
Harm to reputation - The reduction in confidence in your business or an increase in negative association with your business
Critical operational losses - A disruption to your business that caused suspension or severe damage to your business’s operations
Critical financial loss - Loss of money or value to your business that causes a severe negative alteration to your business’s income or assets
Computer Security Evaluation Methods
Security audit by internal staff - A measurable technical assessment of a network, system or application that is carried out by a staff member of the business
Security audits by external businesses - A measurable technical assessment of a network, system or application that is carried out by a person who is not a staff member of the business – i.e. outsourced to a consultant
Internet content filtering/image filtering or monitoring - Software or hardware designed for monitoring and limiting access to inappropriate information or data, configured according to the organisation's security policy.
Intrusion detection systems - Software applications designed to protect backbone services by detecting inappropriate, incorrect, or anomalous activities that cannot usually be detected by a conventional firewall
Intrusion prevention systems - Software or hardware designed to protect computers from exploitation by identifying and blocking potentially malicious activities in real time.
System penetration testing - A method to evaluate the security of a computer, system or network by simulating an electronic attack (i.e. an attack by a hacker)
System audit policies - Policies mandating audits of this business’s computers, including issues such as the frequency and type of audits carried out and details of those responsible for undertaking those audits. This is a measurable technical assessment of a network, system or application
Risk assessment policies - Policies that govern the type and frequency of risk assessment of this business. Risk assessment is a process where the magnitude of potential loss and the probability it will occur are measured.
Security compliance check - A form of assessment used to check a variety of security issues in terms of their compliance with a policy or guideline
Automated tools - The use of software to monitor and report on the status of, and changes to files and settings on individual systems, networks, servers etc.
Email monitoring software - Software that is designed to monitor the email activity of users
Web activity monitoring software - Software that is designed to monitor the web activity (sites visited, documents viewed) of a specific user or users.
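To make the "Intrusion detection systems" and "Denial of service attack" entries concrete, here is an added Python example (not code from the original post) that parses constructed web-server access log lines and raises alerts for three things a conventional firewall would not see: one client flooding the server with requests, one client repeatedly requesting paths that do not exist, and any request for backup, dump or configuration files. The log lines, IP addresses, thresholds, window size and path pattern are all assumptions chosen for the demonstration.

```python
"""Added example, not from the original post: a small log-based intrusion
detector run over constructed web-server access log lines. Thresholds, window
size and the sensitive-path pattern are assumptions chosen for the demo."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined"-style lines, constructed for this example.
# 203.0.113.5 is a normal visitor, 198.51.100.9 probes for leftover files,
# 192.0.2.77 floods the server.
_BASE_LOG = """\
203.0.113.5 - - [27/Jan/2009:10:00:01 +1100] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [27/Jan/2009:10:00:02 +1100] "GET /jobs HTTP/1.1" 200 8192
198.51.100.9 - - [27/Jan/2009:10:00:02 +1100] "GET /backup/ HTTP/1.1" 404 210
198.51.100.9 - - [27/Jan/2009:10:00:03 +1100] "GET /db.sql HTTP/1.1" 404 210
198.51.100.9 - - [27/Jan/2009:10:00:03 +1100] "GET /config.php.bak HTTP/1.1" 200 640
198.51.100.9 - - [27/Jan/2009:10:00:04 +1100] "GET /.env HTTP/1.1" 404 210
198.51.100.9 - - [27/Jan/2009:10:00:04 +1100] "GET /admin/ HTTP/1.1" 403 199
"""
SAMPLE_LOG = _BASE_LOG + "".join(
    f'192.0.2.77 - - [27/Jan/2009:10:00:05 +1100] "GET /search?q={i} HTTP/1.1" 200 1000\n'
    for i in range(25)
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

FLOOD_WINDOW = 10          # seconds
FLOOD_THRESHOLD = 20       # more than this many requests per IP in the window
PROBE_404_THRESHOLD = 3    # this many "not found" responses from one IP
SENSITIVE_PATH = re.compile(r"\.(sql|bak|old|zip|tar|gz)$|/\.env$|/\.git|/backup/", re.I)


def parse(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def detect(events):
    """Return (alert_kind, ip, detail) tuples in the order they are raised."""
    alerts = []
    recent = defaultdict(list)      # ip -> timestamps within the flood window
    not_found = defaultdict(int)    # ip -> count of 404 responses
    flooding = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        # Sliding window: keep only timestamps within FLOOD_WINDOW of this request.
        window = recent[ip]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > FLOOD_WINDOW:
            window.pop(0)
        if len(window) > FLOOD_THRESHOLD and ip not in flooding:
            flooding.add(ip)   # alert once per source, not on every further request
            alerts.append(("flood", ip, f"{len(window)} requests in {FLOOD_WINDOW}s"))
        # Requests for backups, dumps or config files are worth an alert even when
        # they return 404: something is looking for leftovers.
        if SENSITIVE_PATH.search(ev["path"]):
            alerts.append(("sensitive-path", ip, ev["path"]))
        if ev["status"] == 404:
            not_found[ip] += 1
            if not_found[ip] == PROBE_404_THRESHOLD:
                alerts.append(("probing", ip, f"{PROBE_404_THRESHOLD} not-found responses"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(parse(SAMPLE_LOG)):
        print(f"{kind:15} {ip:14} {detail}")
```

On the constructed log this raises four "sensitive-path" alerts and one "probing" alert for 198.51.100.9, one "flood" alert for 192.0.2.77, and nothing for the normal visitor. A real deployment would feed the same `detect` function from the live log and route alerts to whoever answers them; the thresholds here are deliberately low for a 32-line sample and need tuning against normal traffic before they are trusted.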
Monster Hacked Again; 4.5 Million Records Stolen - http://www.ere.net/2009/01/27/monster-hacked-again-45-million-records-stolen/ (couldn't help but copy a screen shot of the article with paid advertisements for Monster on the right)
Article URL: http://www.recruitmentdirectory.com.au/Blog/monster-hacked-again-plus-information-on-security-terminology-a88.html