Ch 2 Homework
1. Consider that an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many different threat categories does the attack fall into?
· Deliberate acts are the main threat category for this type of attack because the hacker is deliberately trying to cause harm. This attack could fall under different subcategories, such as deliberate acts of espionage or trespass, deliberate acts of sabotage or vandalism, and deliberate acts of theft.
· Compromises to intellectual property—copying files, defacing a Web page, and stealing credit card numbers.
· Technical failures. For instance, if part of the organization’s software has an unknown trap door, this type of hacker attack could occur.
· Management failure. This type of hacker attack could happen if management used insufficient planning and foresight to anticipate the technology need for evolving business requirements.
Mafiaboy’s exploits consisted of a series of DDoS attacks on 11 corporate networks. According to investigators, the attacks caused approximately $1.7 billion in losses to the companies, although the accuracy of that figure is disputed. The attacks made some corporate Web sites and networks difficult to reach. In other cases, they crashed completely, remaining offline from hours to several days. Because the attacks were so large, authorities were prompted to investigate. They found that someone by the name of Mafiaboy was bragging about the attacks on Web sites, message boards, and even his own site. In addition, authorities were able to associate an IP address to the attacks, which in turn was linked to an Internet service provider (ISP). With the ISP’s help, authorities linked the IP address to an account whose phone numbers were linked to Mafiaboy’s father.
Shortly after the Board of Directors meeting, Charlie was named chief information security officer to fill a new leadership position that reports to the CIO, Gladys Williams. The primary role of the new position is to provide leadership for SLS’s efforts to improve its information security profile.
1. Before the discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred’s perception change after that?
Answer: Before the discussion, Fred, Gladys, and Charlie each focused on different ends in regard to information security. Fred was more concerned with adding additional software to fix the malware issues when clearly there were easier steps that needed to be taken.
2. How should Fred measure success when he evaluates Gladys’ performance for this project? How should he evaluate Charlie’s performance?
Answer: Gladys's performance should be based on the new security measures and protocols that she has put in place for the organization. This, of course, puts a lot of trust in Charlie's performance, as she was the one to introduce Charlie and his new plan for the organization's security. She practically had him nominated for CIO.
3. Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning process?
Answer: Because the original threat was initiated by an employee's flash drive, Charlie may look at human errors first. Establishing safe-use policies and having employees confirm data can greatly reduce the risk of errors. Charlie may also take software attacks into consideration. In the event of human errors (even after policies are reformed), antivirus software is a good first defense in preventing damage.
Ethical Decision Making
Suppose that instead of Charlie being named CISO, Fred hired his son-in-law, an unemployed accountant, to fill the role. Assuming the person had no prior experience or preparation for a job in information security, did Fred make an ethical choice? Explain your answer.
Answer: Absolutely not! By hiring an inexperienced family member over a trained professional, Fred is letting his emotions get the better of him. Fred should consult with Gladys on whether his son-in-law is a good candidate for the position or not. Rather than sacrifice company security, Fred could possibly find his son-in-law a position in the company's financial or human resources departments.
Suppose that SLS has implemented the policy prohibiting use of personal USB drives at work. Also, suppose that Davey Martinez brought in the USB drive he had used to store last month’s accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It’s obvious that Davey violated policy, but did he commit ethical violations as well?
Answer: Policies are set up in companies to protect resources, employees, and information. Davey is at fault for breaking a company policy. The policy was created because of the worm attack the previous month. I believe Davey also committed an ethical violation because he did not seek any help with his issue.