Josh Hogan

Chapter 2: The Need for Security

Exercises

2) Using the Web, research Mafiaboy’s exploits. When and how did he compromise sites? How was he caught?

- Mafiaboy was a 15-year-old Canadian who was accused of conducting an attack against CNN’s website. He also faced charges for taking down sites like eBay, E*Trade and Yahoo, among a few others, although he was never convicted. He compromised these sites with Denial of Service attacks, which basically send an endless array of meaningless data to the site, making it impossible for it to respond to actual users. He was caught and charged with 2 counts of criminal mischief. A programmer who worked at the university noticed a computer in their lab that was being used to send thousands of requests per minute to the CNN website.

5) Using the categories of threats mentioned in this chapter and the various attacks described, review several current media sources and identify examples.

- An example of this would be social engineering. That is a social technique used to gain information or access to someone’s account. The attackers could claim to be someone they are not to gain access to anything, such as impersonating a help desk technician in an attempt to get a victim to give up his or her user IDs or passwords for whatever system they are trying to get access to. It could also go the other way, where an attacker could call a company’s help desk impersonating the victim or a victim’s loved one to gain authorization to the user’s information, like in the video we watched in class.

Case Exercises

Discussion Questions

1)      Before the discussion at the start of this chapter, how do Fred, Gladys and Charlie each perceive the scope and scale of the new information security effort? Did Fred’s perception change after that?

-          Before the discussion, the three of them were focused on different ends in regards to information security. Fred, for instance, was more focused on and concerned with adding additional software to fix the malware issues, when there were simpler steps to take before they got there.

2)      How should Fred measure success when he evaluates Gladys’s performance for this project? How should he evaluate Charlie’s performance?

-          Fred measures success when evaluating Gladys’s performance on the basis of the new security measures and network protocol in the organization. Fred is going to be putting a lot of trust into Charlie’s performance. Charlie just introduced the new plan for the security of the organization and had been nominated for Chief Information Officer. So, Charlie is in a trustworthy position.

3)      Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning process?

-          According to the case, the threat that should receive Charlie’s attention early on in his planning process would be Portable Media Management. This would include USB and DVD drives. So, some sort of plan needs to come into place about not letting employees use personal drives on the company network, and that includes cell phone chargers. This is how it worked in the Marine Corps: we couldn’t plug anything into a work computer, and if you did, it would be flagged and higher ups would come and grill you with questions to make sure it wasn’t a security breach rather than a Private being an idiot.

Ethical Decision Making

Instead of Charlie being named CISO, suppose instead that Fred hired his son-in-law to fill the role. Assuming the person had no prior experience or preparation for a job in information security, did Fred make an ethical choice? Explain.

-          No, Fred did not make an ethical decision. It is extremely unethical to hire an inexperienced family member or friend rather than a trained professional in the field you are hiring in. Fred should also consult with Gladys and others to get an overall opinion on whether the son-in-law is a good candidate for the job. Instead of hiring him in the position that deals with the company’s network security, find him a job in finance or something where he is more qualified and won’t sacrifice company security.

Suppose that SLS has implemented the policy prohibiting the use of personal USB drives at work. Also, suppose that Davey brought the USB drive he had used to store the last month’s accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It’s obvious that Davey violated the policy, but did he commit ethical violations as well?

-          These sorts of policies are in place to protect the organization. As I stated earlier, this is a policy that we had to follow in the Marine Corps. Unless it was a USB drive checked out from our communication department and cleared by Intel, it was not to be plugged into a computer, and this includes even a cell phone charger. I think Davey did make an ethical violation because not only did he not follow the rules, just said “screw the rules” and violated the company’s security and information again, he also didn’t ask anyone for assistance in what he could do to resolve the issue.