From: Nathan J. Nelson
To: Dr. Tucker, Shin-Ping
Subject: Homework 3
6 February 2019
Question 1: You and your team have been hired to assess the computer security of a small retailer. Where would you begin your assessment? What would you look for?
The investigation would begin with the IT infrastructure itself while concurrently monitoring employee usage. During the review of the IT infrastructure, we would examine the Group Policy setup and what permissions, if any, the individual employees have; whether the system updates automatically; and how often backups are made. In addition, we would look at how managers are using their logons: are they using their master manager logon, or have they created users specific to Group Policy, Windows Update Services, and Microsoft Deployment Services? When evaluating employee usage, we would look at the types of sites they are able to access under the company policies that are in place, and whether an employee will readily click on a link in an email that leads to an outside source.
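The items the answer above lists (admin permissions, automatic updates, backup cadence, applied Group Policy, and shared "master" logons) can be baselined on a single Windows host with a read-only PowerShell script. The following is an added example written for this page, not part of the homework; it assumes an elevated shell on Windows 10 / Server 2016 or later (for the Get-Local* cmdlets) and notes where wbadmin, which exists only when Windows Server Backup is installed, is absent.

```powershell
# Added example (not part of the homework): read-only baseline of the assessment
# items listed above, for one Windows host. Run from an elevated PowerShell.
# Assumptions: Windows 10 / Server 2016+ (Get-LocalGroupMember, Get-LocalUser);
# wbadmin.exe is present only where Windows Server Backup is installed.

$report = [ordered]@{}

# 1. Who holds local admin rights? Every entry is a standing privilege to justify.
$report['LocalAdmins'] = (Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name) -join '; '

# 2. Do updates apply automatically? Check the service plus any policy override
#    under the Windows Update "AU" policy key (NoAutoUpdate=1 disables it).
$wu = Get-Service -Name wuauserv
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ErrorAction SilentlyContinue
$report['UpdateService']      = "$($wu.Status) / StartType=$($wu.StartType)"
$report['NoAutoUpdatePolicy'] = if ($au -and $au.NoAutoUpdate -eq 1) { 'DISABLED by policy' } else { 'not disabled' }
$report['AUOptions']          = if ($au -and $au.AUOptions) { $au.AUOptions } else { 'not set (defaults apply)' }

# 3. Is there a recent backup? Windows Server Backup only; otherwise flag the gap
#    so the assessor asks about the third-party backup product instead.
if (Get-Command wbadmin.exe -ErrorAction SilentlyContinue) {
    $report['BackupVersions'] = (wbadmin get versions 2>&1 | Select-String 'Backup time') -join '; '
} else {
    $report['BackupVersions'] = 'wbadmin not installed - verify the backup product and schedule manually'
}

# 4. Which GPOs actually apply to this machine (not just what is linked in AD)?
$report['AppliedGPOs'] = (gpresult /r /scope computer 2>&1 |
    Select-String 'Applied Group Policy Objects' -Context 0,5 | Out-String).Trim()

# 5. Enabled local accounts whose password never expires: a common sign of a
#    shared "master" logon rather than per-person, per-role accounts.
$report['PwdNeverExpires'] = (Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
    Select-Object -ExpandProperty Name) -join '; '

$report.GetEnumerator() | Format-Table -AutoSize -Wrap
```

Each section of the report maps to one question in the answer; the script only reads state and changes nothing, so it is safe to run during an assessment and repeat later to confirm that findings were remediated.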
Question 4: Your classmate tells you that he has been working all semester to create a blended threat and that he plans to test it against the university’s computer systems this weekend. What do you say?
A blended threat combines virus, worm, Trojan horse, and other malicious code traits in a single file. By using this format, it has the ability to attack various parts of an organization’s infrastructure. You should inform your friend that, under U.S. codes, they are liable for up to:
“Class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both). The law also punishes unauthorized access to a computer or computer network, with penalties ranging from a class B misdemeanor to a class D felony (punishable by up to five years in prison, a fine of up to $5,000, or both) (OLR).”
I would ask him if he knew the punishment for what he was about to do, whether or not he thought he was going to get caught, what the ramifications other than jail or fines would be, and whether or not he was prepared to jeopardize the rest of his life over this one act.
Fairplay turns to a managed security service provider
1. What advantages does the use of an MSSP offer a small retailer such as Fairplay? Can you think of any potential drawbacks of this approach? Is there a danger in placing too much trust in an MSSP?
Allowing an MSSP to run your services may be more cost effective; however, if the MSSP is attacked, your data may be vulnerable from that direction.
2. Data breaches at major retailers in recent years have shown that compliance with the PCI DSS is no guarantee against an intrusion. Does PCI compliance mean anything? If you were a member of Fairplay’s management team, what additional actions would you take to protect your customers’ credit card data?
Ensure that any system defaults selected when the system was set up were changed, using strong passwords and encryption. Whether the compliance means anything depends on whether you’re caught or have a data breach. If no content is lost, then you are just playing a risky game; if your content is compromised, you can be fined up to $500,000.
3. Do research online to gain insight into the evolution of the PCI DSS standard. What major changes were made in moving from 2.0 to 3.0? What changes are being suggested for future versions of the standard?
It started with Visa creating its own set of security protocols, with the other vendors following suit later. In the 2000s, all major card companies banded together to form one unified system to streamline the rules and have comprehensive requirements that were uniform across the board.
Sony’s Response to North Korea’s Cyberattacks
1. Do you think Sony’s response was appropriate?
Simply put, no, I don’t believe their response was appropriate. When individuals bow to the demands of bullies, be they schoolyard, workplace, or terrorists, you open yourself up to further attacks, as you are then viewed as weak or an easy target. While contacting the FBI to bring in its forensics teams was an acceptable move, not showing their film and bowing to the terrorists showed weakness.
2. What might Sony and the U.S. government have done differently to discourage future attacks on other U.S. organizations?
Develop a working relationship in which the federal government and a sizeable company such as Sony can help each other.
3. Are there measures that organizations and the governments can take together to prevent both real-world terrorist violence and cyberattacks?
There is no measure that any one person or organization can take that will stop all the threats from around the globe. However, by being diligent in the use and protection of your systems, you can try to stay one step ahead of those who would attempt to damage your organization. Cooperation between companies, intelligence agencies, and security companies will play an ever greater role in the future.
“Payment Card Industry Data Security Standard.” Wikipedia, Wikimedia Foundation, 23 Jan. 2019, en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard.
Reinhart, Christopher. “Summary of Federal ‘USA PATRIOT Act’.” OLR, www.cga.ct.gov/2012/rpt/2012-R-0254.htm.