Chapter 2: The Need for Security
1. Consider that an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many different threat categories does the attack fall into?
- Breaking into a network falls under espionage or trespass.
- Copying a few files falls under theft.
- Defacing a Web page falls under sabotage or vandalism.
- Stealing credit card information falls under compromise of intellectual property.
2. Using the Web, research Mafiaboy's exploits. When and how did he compromise sites? How was he caught?
In 2000, Michael Calce, aka Mafiaboy, shut down the websites of Amazon, CNN, Dell, E*Trade, eBay, and Yahoo! by taking over a few university networks and using their combined bandwidth to launch DDoS (distributed denial-of-service) attacks against these sites. He was caught because, at the time, the hacking community was driven by notoriety, so it wasn't hard for the FBI to figure out that he was responsible for the attacks.
1. Before the discussion at the start of the chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred's perception change after that?
Fred was ignorant of what information security meant and of the amount of work that would have to go into this new, ambitious project, but after Charlie explained his strategy, Fred's perception did change. Gladys and Charlie clearly understood from the start just how massive a task this would be.
2. How should Fred measure success when he evaluates Gladys' performance for this project? How should he evaluate Charlie's performance?
Results are the only way to measure performance, especially since Fred has a weak grasp of what is really being done here. He could compare monthly or quarterly reports against those from previous years and see whether there is a reduction in incidents and threats.
3. Which of the threats discussed in the chapter should receive Charlie's attention early in his planning process?
It would be better to focus on human error or failure, because in the last chapter we saw that Amy opened an attachment from a malicious email. The first thing to do is to educate and retrain employees on how to handle email. Second, change the email client settings to prevent attachments and images from opening automatically.
Ethical Decision Making
1. Instead of Charlie being named CISO, suppose that Fred hired his son-in-law, an unemployed accountant, to fill the role. Assuming the person had no prior experience or preparation for a job in information security, did Fred make an ethical choice? Explain your answer.
No, I don't think that would be an ethical choice because this decision does nothing to benefit the organization. In fact, it does the complete opposite and would place a greater burden and risk on the organization. When it comes to hiring someone for any position, it is best to hire the more skilled and qualified worker instead.
2. Suppose that SLS has implemented the policy prohibiting use of personal USB drives at work. Also, suppose that Davey Martinez brought in the USB drive he had used to store last month's accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It's obvious that Davey violated policy, but did he commit ethical violations as well?
With the amount of information given, it looks like he just wanted to move the worksheet over to the company servers. His actions don't appear to be malicious, but if he knew that it was possible for the USB drive to be compromised, then he would knowingly be putting the entire company at risk. In that case, his actions would be unethical.