Exercises

1.  Consider that an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many different threat categories does the attack fall into?

-      The attack would fall into four categories: espionage or trespass, compromises to intellectual property, sabotage or vandalism, and theft.

2.  Using the Web, research Mafiaboy’s exploits. When and how did he compromise sites? How was he caught?

-      Mafiaboy launched DoS attacks against websites such as Yahoo, FIFA, Amazon, Dell, ETRADE, eBay, and CNN in 2000. He was caught because he bragged about his actions in an Internet chat room.

Case Exercises

1.  Before the discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred’s perception change after that?

-      Fred thinks that awareness and training to reduce human error will probably fix this, although that also depends on whether people are willing to change to the new style. Gladys and Charlie, on the other hand, are both aware of the coming threat if they don’t change the process.

2.  How should Fred measure success when he evaluates Gladys’ performance for this project? How should he evaluate Charlie’s performance?

-      Whether Charlie did any testing of the project against formal attacks, what new procedures will be introduced, and what technology will be replaced or bought; the evaluation should also include the cost of the whole project.

3.  Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning process?

-      The use of employees’ personal devices and flash drives, email filtering against certain attachments, and awareness of malware in emails for everyone in every department.

Ethical Decision Making

1.  Instead of Charlie being named CISO, suppose instead that Fred hired his son-in-law, an unemployed accountant, to fill the role. Assuming the person had no prior experience or preparation for a job in information security, did Fred make an ethical choice? Explain your answer.

-      Fred would not be making an ethical decision, as his son-in-law has no experience or knowledge in information security, which would be bad for his company. Fred would want someone who has experience in this area, with a bachelor’s and a master’s degree in information security and certifications as proof of knowledge.

2.  Suppose that SLS has implemented the policy prohibiting use of personal USB drives at work. Also, suppose that Davey Martinez brought in the USB drive he had used to store last month’s accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It’s obvious that Davey violated policy, but did he commit ethical violations as well?

-      Yes, as he knew his devices could have been compromised and knew it was wrong to put his USB drive in the computer.