Andy Kolden

Information Security

Chapter 2 (page 117)


Exercises

1) Using the Web, research Mafiaboy's exploits. When and how did he compromise sites? How was he caught?

- In 2000, he compromised 6 university websites and loaded them with too much information at once, which is called a denial-of-service attack. Once he did this, President Clinton and Attorney General Janet Reno had to catch the person responsible, and they called for a manhunt for the hacker known as Mafiaboy. This is how he was caught, but it raised a lot of awareness of how easy it was for someone to hack into such big networks, so the government/security teams hired him to be a white hat hacker a few years later.


2) Search the Web for "The Official Phreaker's Manual." What information in this manual might help a security administrator to protect a communications system?

- A lot of the information listed in this manual would help a security administrator protect a communications system by using different codes that are spelled certain ways so that hackers cannot just intercept the code easily, meaning that a hacker trying to steal private info would not know how to spell certain code if the person writing it used some symbols instead of the correct spelling. That is just one example of the many ways that the Phreaker's Manual explains how you can maintain a secure communication system.


Case Exercises

1) Before this discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred's perception change after that?

- Fred didn't think it was truly an issue, but after he realized how much they had lost in the attack and how much they could save with a more secure system, he was all in for updated procedures and new information security training. Gladys and Charlie did a great job explaining to him the benefits of having a more secure system and training, which can go a long way.


2) How should Fred measure success when he evaluates Gladys' performance for this project? How should he evaluate Charlie's performance?

- If he can keep the company from suffering attacks or theft, then he can report that as a huge success in the process of implementing their new procedures and training techniques. Also, the less human error and/or failure that happens as a result of the training, the more he can report that as good performance for both Charlie and Gladys. The safer the network, the more he can evaluate both of their jobs as worthwhile and successful.


3) Which of the threats discussed in this chapter should receive Charlie's attention early in his planning process?

- I would say that phishing attacks are a very severe way for people to compromise their company without knowing it at all. This can happen when people open email links or click on insecure links, and the worm or virus can begin multiplying from there. Charlie can inform all of his employees that some links may not be safe, and if an employee is not sure, then they need to alert Charlie, because it never hurts to let him know to check something out. Another threat could be something like escalation of privileges, because the more access a hacker gains to a company, the more vulnerable that company becomes and the more information that hacker can gain. These are just a few threats that he should be aware of that can really damage the company.


Ethical Decision Making

1) Assuming the person had no prior experience or preparation for a job in information security, did Fred make an ethical choice?

- No, in this case it is not an ethical choice, because his son-in-law did not have any experience, and if things were to go wrong (theft, a network crash, hacking, etc.), then the new CISO would not have any clue how to fix these issues. If he hired someone who has experience, then things would always be up to date and always be getting fixed.


2) It's obvious that Davey violated policy, but did he commit ethical violations as well?

- He didn't commit ethical violations, because he used his work USB with accounting info stored on it, but he could have had the USB scanned to make sure it didn't have anything wrong on it, like a worm or virus. He could also have gotten his USB drive cleared or used a new drive so that the company knew they could trust all of the devices that were used. I don't blame him for doing this, but he could have asked his IT department whether the USB would be safe to use before using it again.