Paul Shaw



1.     Consider that an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many different threat categories does the attack fall into?

I think the attack would fall under at least five different categories; the five being compromised intellectual property, espionage or trespass, information extortion, sabotage, and theft. Compromised intellectual property due to file theft, trespass due to his unauthorized access to the network and also file theft, and information extortion from the file copying and the theft of credit card numbers. Sabotage and theft, meanwhile, are from the defacing of the web page, the stolen credit card numbers, the copied files, and the breaking into the network in the first place.

2.     Using the Web, research Mafiaboy’s exploits. When and how did he compromise sites? How was he caught?

In the year 2000, Mafiaboy compromised Yahoo!, eBay, CNN, and Amazon, as well as an unsuccessful attempt at Dell. He claims he let a script run while he was at school, a security program being fed a web address and that’s what really caused these websites and web hosts to go down from DDOS attacks. He was caught after foolishly bragging about how he did it on some public forums and chatrooms, and sunk himself fully when he mentioned he was behind an attempt unknown to the public. He was sentenced in 2001 with a light sentence of house arrest, limited computer access and a fine.

Case Exercises

            Discussion Questions

1.     Before the discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred’s perception change after that?

Fred wants a cheap, easy fix and thinks it shouldn’t be too hard to implement one. Gladys, on the other hand, thinks it will take a lot more than just some small easy fix, and needs a real professional look over, which Charlie provides. Charlie says there will be some extra additions and the costs shouldn’t be too extravagant, but he says information security is as importing if not more important than computer security. Fred seems to understand after all this was brought to his attention, and he gives the go ahead to get started on shaping up security.

2.     How should Fred measure success when he evaluated Gladys’ performance for this project? How should he evaluate Charlie’s performance?

Gladys should be evaluated on general information upkeep, making sure everything was working right with the company and nothing was out of the ordinary data wise. Charlie should be evaluated on how secure all the data is both on and offline, keeping security systems up and running and adapting to recent changes in the virus and malware space. Both, however, should be evaluated on how well informed and aware the employees under them are.


3.     Which of the threats discussed in this chapter should receive Charlie’s attention early on?

Early threats to keep an eye on at the start of this new program include human error, as all the cases the company has dealt with were from the inside so far. Other than that, Software attacks seems like an immediate threat that needs attention since both attacks were worms so far, and after that sabotage and vandalism in case a worm or virus tries to mess with important company documents.

            Ethical Decision Making

Instead of Charlie being named CISO, suppose instead Fred hired his son-in-law, an unemployed accountant, to fill the role. Assuming the person had no prior experience or preparation for a job in information security, did Fred make an ethical choice?

            I do not think Fred made an ethical choice in this hypothetical scenario. Jeopardizing an entire company’s information just because you want your son-in-law to have a job again is a super bad call in all possible instances. Its entirely possible he is a natural at information security upkeep, but he will mess up as he learns the trade and will probably cost the company as a whole much more than if Charlie were hired instead.

Suppose that SLS had implemented a policy prohibiting use of personal USB drives at work. Also, suppose that Davey Martinez brought in the USB drive he had used to store last month’s accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It’s obvious Davey violated policy, but did he commit ethical violations as well?

            I think Davey did commit ethical violations, mainly with him keeping important company documents on a personal drive that he brought home. Unless that is ok at the company, of course, in which case he still knowingly brought in a device from home, aware of the fact that his home system brought in the worm to the company in the first place and caused another disruptive day at work. He should have talked to the CIO or the CISO about retrieving the document from his USB drive on a closed system if possible to get what he needed before attempting to see if the worm had ‘died off.’