Josh Hogan

Chapter 1: Introduction to Information Security

Exercises

1)      Look up “the paper that started the study of computer security.” Prepare a summary of the key points. What in this paper specifically addresses security in previously unexamined areas?

-          This paper addressed certain issues that had never been looked at before and that will be a problem in the near future. Network capabilities are expanding, which means there will be more users on the network than ever before. There will always be threats, but now more than ever. The paper laid out possible ideas for computer engineers on how they can come up with defenses for the attacks that will happen. It talks about policy issues along with database management, about limiting unauthorized access by users while establishing greater security systems, and about involving personnel from many levels of the organization in information security.

2)      Assume that a security model is needed for the protection of information in your class. Using the CNSS model, examine each of the cells and write a brief statement on how you would address the three components of each cell.

-          Applying a security model to our class information will require examining the information and looking through possible protection policies and access levels for all involved. Considering the 27 possible security elements in the McCumber Cube on page 19 of our textbook, we will need to consider the level of information confidentiality we need to apply to the class data. We will also need to decide the integrity level of the data used throughout the course. Finally, we should set the access level and the information availability necessary for faculty, instructors and students.

3)      Using the Web, identify the chief information officer (CIO), chief information security officer (CISO), and systems administrator for your school. Which of these people represents the data owner? Which represents the data custodian?

-          The chief information officer, or CIO, here at UWS is Thomas Janicki. He is considered right now to be the interim CIO. From what I gathered, UWS doesn’t have a CISO, but that title would fall to Thomas Janicki as well. The systems administrator here is Ross Eaton. Thomas Janicki would be the data owner while Ross Eaton is considered our data custodian.

4)      Using the Web, find a large company or government agency that is familiar to you or located in your area. Try to find the name of the CEO, the CIO, and the CISO. Which was the easiest to find? Which was the hardest?

-          The company that I decided to research for this question is Microsoft. The CEO is Satya Nadella. The CIO of Microsoft just changed a couple of years ago from Jim Dubois to Kurt DelBene. The CISO there is Bret Arsenault. All were easy to find with a simple Google search, but I would say that the CEO was the easiest while the CIO was the hardest because it had changed recently.

5)      Using the Web, find out more about Kevin Mitnick. What did he do? Who caught him? Write a short summary of his activities and explain why he is infamous.

-          Kevin Mitnick is a computer specialist and is known for his hacking. He was a cyber-criminal who was arrested in 1995 by the FBI and was sentenced to five years for his involvement in hacking the personal credit of many people while also hacking the bus system in Los Angeles. He also hacked the public telephone system. He was convicted and pleaded guilty to numerous cyber-crimes and was later released in 2000. He now owns his own computer security firm, Mitnick Security Consulting, LLC.

6)      Using the Web, explore the technique known as “iterative and incremental development.” Then, investigate “agile development.” How are they related?

-          The iterative and incremental model is used for developing software. It divides the process into smaller portions known as increments and runs these through cycles known as iterations. The agile development is a software for project management. It helps engineers promote development iterations throughout all phases of the software life cycle. It helps plan, develop and improve the process. They are related because agile development follows the incremental and iterative model for its software development. In both, the processes are known as increments that take place during iterations, and both help minimize risk while also resulting in faster delivery of a product.

Case Exercises

Discussion Questions

1)      Do you think this event was caused by an insider or outsider? Explain your answer.

-          This event could have been caused by an insider or an outsider. An insider would have every opportunity to access any number of computers to install a virus, say by just inserting a USB drive. An outsider could have done this by sending an email with a virus or worm, and if that email gets opened by someone, the computer and network are now infected.

2)      Other than installing virus and worm control software, what can SLS do to prepare for the next incident?

-          They could patch and/or upgrade their Outlook email server. They could also train their employees not to open emails that look suspicious, while conducting mandatory ethics training for all employees so they know it is wrong to insert harmful USB drives.

3)      Do you think this attack was the result of a virus or a worm? Explain your answer.

-          I think this action was caused by a worm because a worm is a program that replicates and copies itself across a network.

Ethical Decision Making

1)      Would it be ethical for Amy to open such a file?

-          I don’t think it would be ethical for Amy to open such a file if it had managers’ salaries and Social Security Numbers on there. Not only should she not look at this information because it is none of her business, but this file might have some malicious virus or worm in it ready to infect upon executing the file.

2)      If such an e-mail came in, what would be the best action to take?

-          If such an email came in, the proper course of action would be to not open the file and then report it to the network security team in the organization. Then mark most of the future emails as spam so you will never be urged to open them.