1

A Report on IT security framework of Uzbekistan Airways

By Begzod Abdumajidov

Prepared For: The CEO Valeriy Tyan

Deadline: December 9, 2010

TABLE OF CONTENTS

Executive summary....3 1. Introduction....4 2. Background of organization ....4 2.1 About Company.....4 2.2 Services of the Company.......4 2.3 Partnership with Korean Air......4 2.4 Corporate Mission..............................................................................4 3. IT security threats in Uzbekistan Airways......5 3.1 Phishing attack...5 3.2 Network sniffing5 3.3 Data theft.......................................................................................................................5 3.4 Spoofing.....5 3.5 Social engineering..5-6 4. Possible solutions and recommendations in Information Technologies and Systems framework....................................................................................................................... 4.1 Increasing customer awareness & anti-phishing software.6 4.2 End-to-end encryption...6 4.3 Cisco Data Loss Prevention (DLP) software package ..6 4.4 Context-Based Access Control & educating customers.6-7 4.5 Staff training......7 5. Conclusion..7 List of Reference....8 Appendices..............9 Journal....9

Executive summary

1. Introduction General Director of Uzbekistan Airways, Valeriy Tyan, has commissioned the following report to detect problems in areas where Information Systems (IS) and Information Technologies (IT) would provide feasible solutions. The primary focus of this report will be Uzbekistan Airways National Air Company (NAC) that provides both passenger and cargo services. I have obtained information and findings for this report through different ways including website of the company, books on IS and security in computing, online encyclopedias, online reports on airline industries and their dependency on IT to run their operations, personal interviews. 2. Background of organization 2.1. Uzbekistan Airways NAC came into existence on January 28, 1992 according to the resolution of the President of Uzbekistan, Islam Karimov. The company introduced a new program to develop civil aviation in a very short period. And in adherence with this plan Uzbekistan Airways started to re-equip its airports in the standards of International Civil Aviation Organization (ICAO). 2.2. Uzbekistan Airways offers both passenger flight and cargo services. It currently operates scheduled flights to more than forty cities of the city that are located in America, Europe, Middle East, Southeast, Central Asia and CIS (Commonwealth of Independent States) countries. 2.3. Although, Uzbekistan Airways have a number of partners including several tour companies and foreign airlines, Korean Air that is one of the most respected companies in the world remains as its largest partner. It is notable that they are developing long lasting strategic partnership in order to achieve common goals. 2.4. Uzbekistan Airlines strives to deliver high-quality services to its passengers. Main mission of the company is to increase the level of service and security of flights while remaining low cost business in order to stay competitive. Moreover, Uzbekistan Airways is trying to establish longterm relationships with one of the worldwide alliances, Sky Team. If Uzbekistan is accepted as a full member of this alliance, it will be able to provide both passenger and cargo services to countries it does not have any presence in with the help of Sky Team.

3. 3.1. The first security threat that Uzbek Airways is exposed to is phishing attack. The news story that describes phishing attack to Amazon users in summer of this year can be a prime example. It says that two types of spam-phishing attacks targeted Amazon users. The messages first seem to be legitimate ones but direct users to fake links at the end. The first message appears to be an order confirmation form and once a customer clicks this link h/se will unknowingly reveal personal information that can be used for the benefit of phishers consequently. The second e-mail tells users that their e-mail address has been changed and they should verify new ones. However, according to the security policy of Amazon the company never sends messages that ask customers to disclose their personal information (Martinez, 2010). This kind of phishing attack is very likely to happen in Uzbek Airways as it offers e-tickets and handles some transactions online. For example, phishers might send an e-mail to frequent flyers a message asking to disclose their account details so that Airways could give them more discounts. 3.2. Network sniffing is considered to be one of the most dangerous security threats for companies operating in Airline Industry. The incident in 2009 with Heartland Payment Systems proves to be the case. There was a security breach when the sensitive data was crossing its network exposing customers to lose their identity and confidential financial information. Electronic payments processor said that it was going to reimburse the damage by allocating USD 12.6 million. Besides financial losses this security breach distracted company employees and caused Heartland being removed from the Visas list of credit card processors (Goodin, 2009). Uzbek Airways uses external networks to share customer data with its partners including hotels and tour companies. Therefore, its network can be vulnerable to such kind of attack. 3.3. Data theft is also considered to be the major IT security issue for Airline companies. A big incident happened with T-mobile when an employee of this company stole and sold personal account details to rival companies. The employee sold thousands of customer records including details of when contracts expired. Rival networks and mobile service operators then used this information to lure customers by cold calling them. The governments privacy watchdog said that it was the biggest data breach of its kind. (Wray, 2009) Such an information breach could cost companies millions of dollars in lost sales because once competitors obtain the confidential information they can and will obviously use it for their own benefit. There are many people in Uzbek Airways who have a direct access to confidential customer records marketing staff being an epitome. And unethical employees possibly could steal and sell this information to competing firms in the hopes of making millions of dollars. 3.4. Spoofing is one of the most serious IT security threats in many sectors including Airline industry. According to a news article three banks in Florida namely Premier Bank, Wakulla Bank, and Capital City Bank were hit with new spoofing attacks. At the beginning of March, 2006 attackers were able to hack the ISP servers that provided hosting services to these banks. After that, hackers redirected all of the traffic to a bogus web site designed in a similar fashion to those of banks and asked users to disclose their credit card numbers, PINs, and other confidential information. In phishing attacks hackers ask users to click on the fake link, however in this attack clients of the bank typed in the correct URLs. (McMillan, 2006) This kind of attack from external unauthorized users may choose passengers or cargo clients of Uzairways and steal and sell their sensitive information. 3.5. Social engineering is another important security issue that the company has to deal with. According to hacking news social engineering was used to access confidential information of Twitter, the company that offers social networking and micro-blogging services. And after this

incident it was revealed that the hacker committed this action deliberately but he did not have any harmful intention to use the sensitive data belonging to customers in an unethical way. During the interview he said that this was done to prove how easy it can be for a malicious person to gain access to the confidential files of the company without too much knowledge (Constantin, 2009). Uzbekistan Airways can also be vulnerable to such security threat as not all employees are aware of it.

4. 4.1. This security threat finds its solution in two ways. The first way to prevent phishing is to increase customer awareness about this type of attack. Thus, Uzbek Airways is recommended to remind their customers that they never ask sensitive information through e-mails, provide its customers with an easy way to report phishing attacks. This can be done by providing links on key authentication and report possible phishing scams on time as well as providing advice as to how to identify fake web-sites. The second way to prevent phishing attacks is to detect possible attacks using anti-phishing software. As an IT security expert, I would recommend the company to use NetCraft Anti-Phishing Toolbar. The main advantage of this software is that it integrates with mail servers to prevent customers from being exposed to receive e-mails that contain phishing URLs and also prevent such messages from being sent. Moreover, it integrates with web proxies and deny access whenever customers visit phishing links. By using these techniques, Uzbek Airways can ensure the security of its customers and earn their loyalty for doing so. 4.2. The company can prevent network sniffing by using encryption technique. Encryption method that is called end-to-end encryption allows the encrypted data to travel safely through risky networks to its recipient where the data will be decrypted assuming that both sides use the same key variables and algorithms. It would be advisable for Uzbek Airways to consult Echoworx Corporation to safeguard its networks. This is one of the leading companies in IT security sphere and it can offer the company Encrypted Message Exchange software that enables the Airways to work together with its partners and exchange confidential information in a secure manner. Using this software will allow the company to secure all information sharing and prevent sniffing attacks enabling it to keep good reputation and avoid financial losses. 4.3. Preventing data loss using appropriate software is one of the possible ways to ensure the minimization of data leakage. I would recommend Uzbekistan Airways to use Cisco Data Loss Prevention (DLP) software package. This software has the power to safeguard critical information against security threats due to enhanced mobility of workers, advanced communication channels and diverse services. Cisco DLP includes in-motion data leakage protection over the web with policies including content, context and destination and monitoring unauthorized physical or network access, malware, and end-user actions. By deploying this software package, UzAirways will be able to monitor behavior of its employees in order to know whether they are accessing the information that they have a right to and whether they are not using computers of other employees.

4.4. One of the most effective ways to remedy this situation is to educate customers of Uzbek Airways. The airlines have to inform customers that they must not disclose their personal information even though they receive legitimate e-mails from the company but contact the company about the situation. This helps customers of the company to prevent them being exposed to losing their sensitive information and keeps the reputation and rating of the Airways. Next way to prevent spoofing attacks would be to use anti-spoofing software. Cisco systems

offer Context-Based Access Control that is considered to be a network firewall. This firewall protects traffic from an unprotected network. Moreover, with the help of this firewall solution Uzbek Airways can protect against spoofing by working out input access lists at all interfaces to allow only traffic from expected sources and deny all the remaining traffic. 4.5. Social engineering can be addressed effectively in several ways. Training the entire staff about social engineering so that they could be aware of negative consequences of carelessly disclosing sensitive information comes as an initial step. Staff of UzAirways is advised that they should never give out any information without authorization and report any doubtful behavior immediately to top management. This program also provides staff with possible checklist as to how to identify Social Engineering attack. Moreover, in order prevent people from overstating their position the use of access badges indicating their status is highly recommended and employees are also advised to look at those badges. However, if the identity of the person requesting information cannot be verified the personnel of the company should refuse to give them information in a polite way.

Conclusion

List of Reference: Cisco (2010) Configuring Context-based Access Control Available at: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac.ht ml [Accessed: 30 November, 2010]. Cisco (2010) Data Leakage Protection: Assess Risk and Safeguard Valuable Information Available at: http://www.cisco.com/en/US/netsol/ns895/index.html [Accessed: 30 November, 2010]. Dan, G. (2009) Data-sniffing attack costs Heartland $12.6m Available at: http://www.theregister.co.uk/2009/05/07/heartland_breach_costs/ [Accessed: 30 November, 2010]. Devin, B., Michelle, M., Aaron, S. (2010) Anti-phishing software final report Available at: http://s2.webstarts.com/CSCE548Group3/uploads/final_report.pdf [Accessed: 30 November, 2010]. Echoworks (2010) Now is the time for Encrypted Message Exchange Available at: http://www.echoworx.com/products/encrypted-message-exchange/ [Accessed: 30 November, 2010]. Felix, M. (2010) Phishing for Amazon Users Available at: http://blogs.mcafee.com/mcafeelabs/phishing-for-amazon-users [Accessed: 30 November, 2010]. Gunter, O. (2004) The Phishing Guide: Understanding & Preventing Phishing Attacks Available at: http://www.ngssoftware.com/papers/nisr-wp-phishing.pdf [Accessed 30 November, 2010]. Lucian, C. (2009) Social Engineering Used to Compromise Twitter Available at: http://news.softpedia.com/news/Social-Engineering-Used-to-Compromise-Twitter-117172.shtml [Accessed: 30 November, 2010]. Richard, W. (2009) T-Mobile confirms biggest phone customer data breach Available at: http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy [Accessed: 30 November, 2010]. Robert, M. (2006) Banks Hit With New Spoofing Attacks Available at: http://www.pcworld.com/article/125263/banks_hit_with_new_spoofing_attacks.html [Accessed: 30 November, 2010]. SANS institute (2007) Social Engineering: A Means To Violate A Computer System Available at: http://www.sans.org/reading_room/whitepapers/engineering/social-engineering-means-violatecomputer-system_529 [Accessed: 30 November, 2010].

Appendices Journal