Chapter 2 Exercise Questions
1. Consider the statement: an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker hacks into a network, copies a few files, defaces the Web page, and steals credit card numbers, how many different threat categories does this attack fall into?
If a hacker hacks into a network and does damage such as copying files, defacing the Web page, and stealing credit card numbers, then this attack falls into the following categories:
1. Compromise of intellectual property (stealing credit card numbers)
2. Espionage or trespass (hacking the network)
3. Sabotage or vandalism (defacing the webpage)
4. Theft (of credit card information and copies of files)
2. Using the Web, research Mafiaboy’s exploits. When and how did he compromise sites? How was he caught?
Mafiaboy is known as the “bratty-kid” who took down the internet. Michael Calce (Mafiaboy) was born in 1986 in West Island, Quebec. He brought down several commercial websites, including Yahoo!, Fifa.com, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. At the time, Yahoo! was the most popular search engine. In 2000, when he was only 15 years old, he compromised these sites by launching denial-of-service attacks against them. He was eventually caught by the FBI, which was conducting surveillance on him. He was charged with 50+ crimes and sentenced to eight months in a youth group home. Today, Calce is what's called a white hat hacker, which means companies hire him to help them recognize their security flaws and design better security features.
3. Search the Web for “The Official Phreakers Manual”. What information in this manual might help a security administrator to protect a communications system?
Phone phreaking is the act of using strange and illegal methods so that you don’t have to pay for any kind of communication service. It usually involves illegal machines that defeat the security system in place for the communication device. “The Official Phreakers Manual” would help a security administrator to protect a communications system because it describes many loopholes and alternate ways around different communication system security. After reading this manual, system administrators would be more aware of these methods and could use different approaches to implement a security program.
4. The chapter discussed many threats and vulnerabilities to information security. Using the Web, find at least 2 other sources of information about threats and vulnerabilities. Begin with www.securityfocus.com and use a keyword search on “threats”.
- Microsoft: Vulnerabilities down, threats up http://www.securityfocus.com/brief/727
- Five common Web application vulnerabilities https://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities
5. Using the categories of threats mentioned in this chapter and various attacks described, review several current media sources, and identify examples of each threat.
There are 12 categories of threats. An example of each threat is listed below:
1. Compromise to intellectual property – Stealing credit card information (like in #1)
2. Deviations in quality of service – Internet service provider, power, or WAN service problems (Charter internet going down)
3. Espionage or trespass – Unauthorized access and/or data collection (Equifax security breach)
4. Forces of nature – fire, floods, earthquakes, lightning, tornadoes, hurricanes (not a person)
5. Human error – accidents (mistakes)
6. Information extortion – blackmail, information disclosure (information being leaked)
7. Sabotage or vandalism – defacing a webpage, ruining system software
8. Software attacks – viruses, worms, macros, denial of service (Mafiaboy’s attacks)
9. Technical hardware failure or errors – equipment failure
10. Technical software failure or errors – bugs, code problems, unknown loopholes
11. Technological obsolescence – outdated technology
12. Theft – illegal confiscation of equipment or information (stealing personal information such as credit card numbers, driver's licenses, social security numbers, etc.)