The internet is approximately 40 years old and is continuing to grow at a rapid pace. This rapid growth and use of the internet for practically everything you can do in life has also cause a major increase in threats. Cyber-criminals are often breaking into security on many major websites and making the news. Information Security is turning into an important part in protect a business’s information. Amazon.com website went online in 1995 (Byers, 2006). Amazon offers there services and products through the website Amazon.com to many countries around the world, which includes: United States, Canada, France, Spain, Japan, Italy, Germany, United Kingdom, and China (Amazon, 2012). Amazon has been around for approximately 17 years and continuous to be a successful business. One of the reason for this is because Amazon investing time in Information Security. Amazon has a massive amount of information on servers around the globe contain sensitive information, not only information for Amazon but also for Amazon’s customers.
Some examples of the information Amazon maintains on the servers they own: product information, warehouse information, call center information, customer service information, service information, customer account information, bank information, cloud computing information, digital media download information, and reviews of customers for product information (Amazon, 2012). There will always be some kind of the potential risks to the information maintained by any business or person because new vulnerabilities are found every day. Just recently, on August 7, 2012, a wired magazine reporter’s information stored on his Google account, Twitter account, MacBook, iPad, and iPhone where erased without the user wanting this done. A hacker that goes by the name of Phobia comprised the reporters Amazon account with a security exploit. The security exploit allowed Phobia to access the reporter’s Amazon account by calling and resetting the passwords over the phone with the reporters compromised AppleCare ID and Amazon ID (Kerr, 2012).
Amazon responded with the following, “We have investigated the reported exploit, and can confirm the exploit has been closed as of yesterday afternoon (Kerr, 2012).” Another major breach in security for Amazon occurred on the Zappos.com, which Amazon also owns. 24 million accounts where compromised, which included the following account information: names, shipping addresses, billing addresses, phone numbers, and email addresses (Vilches, 2012). Zappos CEO Tony Hsieh wrote in an email that the hackers gained access to the internal network of Zappos allowing the hacker’s access to the server that was in Kentucky. On October 28, 2011 a researcher uncovered a massive security flaw in the Amazon Cloud service that is provided by Amazon (Hickey, 2011). A team of German researchers found a way that hackers would be able to access user accounts and data. The methods of attack the security researchers found that the Amazon Cloud service was vulnerable to where signature wrapping and cross site scripting. XML signature wrapping attacks were developed that could completely take over a user account with administrator permissions for the Amazon Cloud accounts.
The AWS interface could also be manipulated to run an executable code and create cross-site scripting attacks. The researchers said that they had access to all the customer data, including authentication data, tokens, and passwords (Hickey, 2011). There are many other vulnerabilities for Amazon that may exist but are not known. Intruders (hackers) are a major threat for Amazon as proven from the previously listed examples. When the attack is done by a small group or just one person the threat will fall into the unstructured category (Conklin, White, Williams, Davis, & Cothren, 2012). Threats caused by attacks by hackers that are in a criminal group are known to fall into the structured category (Conklin, White, Williams, Davis, & Cothren, 2012). Physical security is important to remember because if a hacker can get into the internal network and infrastructure, it can be much easier to gain unauthorized access to the network.
Information Security risk analysis is used to access the vulnerabilities, threats, and how to set controls for an organization (Whitman, 2011). List of what can be vulnerable: Web Servers, Computer Servers, Routers, Client, Databases, Firewalls, Software, Power, and Transmission. List of threats: Denial of Service Attacks, Spoofing and Masquerading, Malicious Code/Virus, Human Errors, Insider Attacks, Intrusion, Spamming, and Physical Damage to Hardware. List of costs: Trade Secrets, Client Secrets, Trust, Lost Sales, Clean up Costs, Information, Hardware, Software, Services, and Communication. List of controls to be used: Firewalls, IDS, Single Sign-on, DMZ, Security policy, Employee Training, Configuration of Architecture, and Hardening of Environment. All of these lists can be put into a chart to help form a risk analysis and setup controls to be used for Amazon (Conklin, White, Williams, Davis, & Cothren, 2012).
The legal, ethical, and regulatory requirements for protecting data need to be thought about when it comes to Information Security. Statutory laws, administrative laws, and common laws currently exist and are involved in computer security. New cyber laws are being defined by the courts, but none of these laws have been used yet (Conklin, White, Williams, Davis, & Cothren, 2012). In 1986, the Computer Fraud and Abuse Act (CFAA) was established to make it a crime to access computer systems when not authorized.
Amazon has been around for 17 years and has a good track record for catching security risks and patching them quickly. With the internet continuing to grow at such a rapid pace, Amazon and everyone wanting to maintain their data integrity needs to tight down on their Information Security protocols. Information Security is turning into an important part in protect a business’s information.
Amazon. (2012). Amazon. Retrieved from http://www.amazon.com Byers, A. (2006). Jeff Bezos: the founder of Amazon.com. New York, NY: The Rosen Publishing Group. Conklin, A., White, G., Williams, D., Davis, R., & Cothren, C. (2012). Principles of Computer Security: CompTIA Security+ and Beyond (Exam SY0-301) (3rd ed.). New York, NY: McGraw-Hill Company. Hickey, A. R. (2011, October 28). Researchers Uncover ‘Massive Security Flaws’ In Amazon Cloud. Retrieved from http://www.crn.com/news/cloud/23190911/researchers-unconver-massive-security-flaws-in-amazon-cloud.htm Kerr, D. (2012, August 7). Amazon addresses security exploit after journalist hack. Retrieved from http://news.cnet.com/8301-1009_3-57488759-83/amazon-addresses-security-exploit-after-journalist-hack/ Vilches, J. (2012, January 16). Amazon owned Zappos hacked. Retrieved from http://www.techspot.com/news/47060-amazon-owned-zappos-hacked-24-million-accounts-compromised.html Whitman, M. E. (2011). Readings and Cases in Information Security: Law and Ethics. New York, NY: Cengage Learning.