Zappos' Security Breach
In the first month of this year, 2012, online shoe retailer Zappos, now a business unit of Amazon, experienced a security breach that was initiated from a distribution center located in Kentucky. The nature of the breach shows how vulnerable the retailer's systems are to employees who choose to break in and successfully gain access to customer records. It also showed how vulnerable the entire Amazon.com e-commerce system is to attacks originating from internal servers. The hacker, an employee, gained access to over 24 million Amazon.com and Zappos customer records. Despite the sophisticated 128-bit encryption on these systems, the hacker was able to bypass internal systems using knowledge of how the distribution center staff had constructed firewalls and password conventions. The data taken included the last four digits of the customers' credit cards, their names, addresses, complete customer histories, and approved credit limits if they had obtained Amazon.com credit cards (Letzing, 2012). The security systems had not been upgraded since 2010, when Zappos had been purchased for $800 million by Amazon.com and made a core part of the overall company network (Hsieh, 2010). As Zappos had superior technologies for logistics planning and execution, supply chain planning and execution, and the ability to orchestrate fulfillment with third-party logistics providers, Jeff Bezos made the decision to standardize on Zappos' technologies and websites (McDonald, 2011). Zappos had also created a unique series of technologies that allowed consumers to inspect entire series of items online and evaluate how they would look in them (Tsuruoka, 2012). Zappos had also created an entire corporate culture predicated on delivering exceptionally positive, memorable experiences for anyone purchasing online from them, empowering customer service teams to do whatever they could within the boundaries of profitability and legality to exceed customers' expectations (Tsuruoka, 2012).
The theft of 24 million records was even more surprising given how strong a culture the company has, one known for promoting worker autonomy and giving workers as much freedom as they need to do their jobs (Shine, 2012). The theft had been motivated by the potential to sell the names on the black market for tens of thousands of dollars, a temptation even the relatively well-paid employees of Amazon.com could not pass up (Letzing, 2012). The breach was discovered when the Amazon Web Services (AWS) team's audits of transactions across all subsidiaries were completed, including a reconciliation of accesses by role (Letzing, 2012). If Amazon had not been able to track the access points and roles of associates looking at data online, chances are this breach would not have been fully discovered. Given the highly analytical nature of the Amazon.com culture within the AWS business unit, the discovery of and reaction to the breach within hours highlights why e-commerce companies need to consider partnering with cloud platform providers for the long term (Tsuruoka, 2012). If Zappos had been hosting its own website and relying on its own infrastructure, the breach might never have been discovered to the full extent to which it happened (Letzing, 2012).
Information Technology Hilcorp Energy Company
The report provides a practical security assessment of the methods Hilcorp Energy Company employs to implement security practices and procedures for the company's assets. The report uses in-depth interviews for data collection. The data collected reveal that management has a good understanding of the importance of security measures for the company's IT assets. Thus, the company employs different strategies to enhance the security of its assets. While the company takes practical measures to implement adequate security devices for its assets, the report identifies some loopholes in the company's security practices and procedures. To enhance the security of the company's assets, the report suggests that the company implement more security measures, such as public key cryptography, IPS, and multi-layer firewalls, to strengthen its security practices and procedures.