2. Using the Web, research Mafiaboy’s exploits. When and how did he compromise sites? How was he caught?
Michael Calce (Mafiaboy) is currently a security expert, but in his past he was a computer hacker from Quebec. He was responsible for a series of denial-of-service attacks that drew wide attention because of their high-profile targets. These targets included Fifa.com, Amazon, Dell, E*TRADE, eBay, and CNN. In 2000, Mafiaboy launched Project Rivolta against Yahoo and overwhelmed the top search engine so badly that the site had to be shut down for over an hour. He also brought down the previously listed companies in similar DDoS attacks. Calce came under investigation after he was found bragging about taking down the Dell site before it was public knowledge that Dell had been attacked. Calce eventually pleaded guilty and received 8 months of open custody and 1 year of probation.
1. Consider that an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many different threat categories does the attack fall into?
The attack would fall under multiple categories if the attacker did all of these things. By breaking into the network, the attacker would be trespassing, since they entered the site without the consent or knowledge of the owner. Copying files falls under the category of espionage: stealing files from a party that is unaware of your presence. Defacing the website would be an act of vandalism; vandalism is not only physical but can also occur on digital platforms. Stealing credit card numbers also falls under the theft/espionage category.
1. Before the discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred’s perception change after that?
Gladys and Charlie both understood how much work would need to be done to complete an overhaul of their information security system. I believe that Fred was caught off guard by some of the changes and expected there to be changes only to computer hardware. I believe Fred is on board with Charlie being the new CISO and will be open to the budget proposal and to the changes to the security protocols in the company.
2. How should Fred measure success when he evaluates Gladys’ performance for this project? How should he evaluate Charlie’s performance?
Fred can measure Gladys's success by looking at the outcomes of her decisions to bring Charlie on board and to allow him to overhaul the information security system. Charlie can be graded on the new infrastructure of the security system, on how well the new security protocols are implemented, and on how cost-effective they are.
3. Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning process?
Charlie should focus on securing the company's networks and operations first. The last worm that affected the company was caused by an employee bringing in an infected personal flash drive and using it on a corporate computer. This should never be allowed in the workplace.
Ethical Decision Making
Instead of Charlie being named CISO, suppose instead that Fred hired his son-in-law, an unemployed accountant, to fill the role. Assuming the person had no prior experience or preparation for a job in information security, did Fred make an ethical choice? Explain your answer.
Fred would be making a very unethical decision by hiring his unqualified son-in-law. As a candidate, his son-in-law has nothing of value to offer the company in this position, and this would be potential grounds for a lawsuit if someone suited for the position was passed up in favor of an unqualified relative. Not only would it be unethical, but it would make Fred a complete dumbass who doesn't care about security standards within his business.
Suppose that SLS has implemented the policy prohibiting use of personal USB drives at work. Also, suppose that Davey Martinez brought in the USB drive he had used to store last month's accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It's obvious that Davey violated policy, but did he commit ethical violations as well?
By breaking company policy and using a personal flash drive, Davey is acting unethically. Not only is he breaking policy, he is also costing the company financially. Davey needs to use appropriate means of data storage and clearly used an insecure flash drive only because it was somehow more convenient for him. Davey sucks.