Yunze Wang

ITS 370

2/6/2020

 

CH2

 

Exercises

 

  1. Consider that an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many different threat categories does the attack fall into?

Answer:

Deliberate acts are the main threat category for this type of attack because the hacker is deliberately trying to cause harm. This attack could fall under different subcategories, such as deliberate acts of espionage or trespass, deliberate acts of sabotage or vandalism, and deliberate acts of theft.

Compromises to intellectual property—copying files, defacing a Web page, and stealing credit card numbers.

Technical failures. For instance, if part of the organization’s software has an unknown trap door, this type of hacker attack could occur.

Management failure. This type of hacker attack could happen if management used insufficient planning and foresight to anticipate the technology need for evolving business requirements.

 

  1. Search the Web for “The Official Phreaker’s Manual.” What information in this manual might help a security administrator to protect a communications system?

Answer:

Phone phreaking is the act of using mischievous and mostly illegal methods to avoid paying for a telecommunications invoice, order, transfer, or other service. It often involves usage of illegal boxes and machines to defeat security that is set up to avoid such tactics. This security includes “blocking networks”—networks that under certain conditions may be unable to form a transmission path from one end to the other. In general, all networks used within the Bell Systems are of the blocking type.

Security administrators could benefit from studying “The Official Phreaker’s Manual” because it could allow them to better protect their communications systems. From the system administrator’s point of view, this information could reveal many common ways of finding loopholes and alternate methods around communications system security measures.

 

Case Exercises:

Discussion Questions

1.      Do Before the discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred’s perception change after that?

Answer:

Before the discussion, Fred, Gladys, and Charlie focused on other ends in regards to information security. Fred was more concerned with adding additional software to fix the malware issues when clearly there were easier steps that need to be taken

2.      How should Fred measure success when he evaluates Gladys’ performance for this project? How should he evaluate Charlie’s performance?

Answer:

Gladys’s performance should be based on the new security measures and protocol that she has in place for the organization. This of course, is putting a lot of trust into Charlie’s performance as she was the one to introduce Charlie with his new plan on the organization’s new security. She practically had him nominated for CIO.

 

3.      Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning process?

Answer:

Before considering outside threats, internal threats should be looked into early in the planning process. Internal threats do not necessarily mean that the employees have malicious intent, but the case of human error and failure can also be a negative contribution to cybersecurity. Creating a security program and education end users by creating a security policy guidance is one of the best ways to prevent simple cybersecurity issues from starting.

 

Ethical Decision Making

1.      Would it be ethical for Amy to open such a file?

Answer:

No. It would be unethical to open such files as it might have a virus and malware which again might attack the systems and be a huge loss to the organization.

 

2.      Also, suppose that Davey Martinez brought in the USB drive he had used to store last month’s accounting worksheet. When he plugged in the drive, the worm outbreak started again and infected two servers. It’s obvious that Davey violated policy, but did he commit ethical violations as well?  

Answer:

Policies are setup in companies to protect resources, employees and information. Davey is at fault for breaking a company policy. the policy was created because of a worm attack the previous month. I believe Davey also made an ethical violation because he did not seek any help on his issues.