Chapter 2 Homework
1. If a hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many different threat categories does the attack fall into?
- These actions fall into at least four of the threat categories from the chapter: compromises to intellectual property (copying the files), espionage or trespass (breaking into the network), sabotage or vandalism (defacing the Web page), and theft (stealing the credit card numbers). Depending on how the hacker got in, other categories could apply as well, such as software attacks if malware was used, or human error or failure if an employee's mistake opened the door.
2. Using the Web, research Mafiaboy’s exploits. When and how did he compromise sites? How was he caught?
- In February 2000, Michael Calce, a 15-year-old from Montreal known online as Mafiaboy, knocked major sites such as Yahoo, Amazon, Dell, eBay, and CNN offline. He first broke into a number of university networks and then used those machines to flood his targets with traffic, a distributed denial-of-service attack. The FBI and the Royal Canadian Mounted Police traced him through Internet chat rooms, where he bragged under the name "Mafiaboy" and asked other hackers which sites he should hit next; he was arrested in April 2000.
Case Exercises:
1. Before the discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred's perception change after that?
- All three see it as a very large, expensive, and lengthy project. Essentially, they are rebuilding part of the company by changing its procedures, policies, and general attitude toward information and computer security. Fred is willing to take the steps needed and relies on his CIO (Gladys) and CISO (Charlie) to decide what is best.
2. How should Fred measure success when he evaluates Gladys’ performance for this project? How should he evaluate Charlie’s performance?
- Neither should be judged mainly on how much technology they deploy to solve the problem. Most of the changes belong on the management side, because sound policies and procedures reduce the technical problem as well and cover more ground overall. Success should therefore be measured by how thorough and well enforced their new procedures and policies are in keeping the company safe.
3. Which of the threats discussed in this chapter should receive Charlie’s attention early in this planning process?
- Since the incident that just occurred was a software attack (a worm outbreak), that category is the obvious early focus for Charlie; it is the very reason he is now tightening the company's security.
Ethical Decision Making:
§ Instead of Charlie being named CISO, suppose instead Fred hired his son-in-law, an unemployed accountant, to fill the role. Assuming the person had no prior experience or preparation for the job in information security, did Fred make an ethical choice? Explain your answer.
- Absolutely not. No one should be given a job they are not qualified to do. Without someone capable of handling the situation, the company's security problem would only get worse. It is also unethical to pass over someone like Charlie, who is qualified and has put in the work, in favor of an unqualified person who gets the role purely as a personal favor.
§ Suppose that SLS has implemented the policy prohibiting use of personal USB drives at work. Also, suppose that Davey brought in the USB drive he had used to store last month’s accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It’s obvious that Davey violated policy, but did he commit ethical violations as well?
- Yes. Knowingly ignoring a company policy is an ethical violation as well as a policy violation, and it is worse here because the policy exists precisely because of the earlier worm outbreak, and his drive went on to infect two more servers. Davey should be held to the same standard as every other employee.