You are on page 1of 10

Principles of Information Security, 4th Edition Chapter 2 Review Questions

1. Why is information security a management problem? What can management do that technology cannot? Both general management and IT management are responsible for implementing information security to protect the ability of the organization to function. Decision-makers in organizations must set policy and operate their organization in a manner that complies with the complex, shifting political legislation on the use of technology. Management is responsible for informed policy choices and the enforcement of decisions that affect applications and the IT infrastructures that support them. Management can also implement an effective information security program to protect the integrity and value of the organizations data. 2. Why is data the most important asset an organization possesses? What other assets in the organization require protection? Data is important in the organization because without it an organization will lose its record of transactions and/or its ability to deliver value to its customers. Since any business, educational institution, or government agency that functions within the modern social context of connected and responsive service relies on information systems to support these services, protecting data in motion and data at rest are both critical. Other assets that require protection include the ability of the organization to function, the safe operation of applications, and technology assets. 3. Which management groups are responsible for implementing information security to protect the organizations ability to function? Both general management and IT management are responsible for implementing information security that protects the organizations ability to function. Although many business and government managers shy away from addressing information security because they perceive it to be a technically complex task, in fact, implementing information security has more to do with management than with technology. Just as managing payroll has more to do with management than with mathematical wage computations, managing information security has more to do with policy and its enforcement than with the technology of its implementation. Has the implementation of networking technology created more or less risk for business that use information technology? Why? Networking is usually considered to have created more risk for businesses that use information technology. This is due to the fact that potential attackers have more and readier access to these information systems when they have been networked, especially if they are interconnected to the Internet. What is information extortion? Describe how such an attack can cause losses, using an example not found in the text.



When an attacker is able to control access to an asset, it can be held hostage to the attackers demands. For example, if an attacker is able to gain access to a set of data in a database and then encrypt that data, they may extort money or other value from the owner in order to share the encryption key so that the data can be used by the owner. 6. Why do employees constitute one of the greatest threats to information security? Employees are the greatest threats since they are the closest to the organizational data and will have access by nature of their assignments. They are the ones who use it in everyday activities, and employee mistakes represent a very serious threat to the confidentiality, integrity, and availability of data. Employee mistakes can easily lead to the revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information. 7. What measures can individuals take to protect against shoulder surfing? The best way for an individual to avoid shoulder surfing is to avoid, as far as possible, the accessing of confidential information when another person is present. The individual should limit the number of times he/she accesses confidential data, and do it only when he/she is sure that nobody can observe them. One should be constantly aware of who is around when accessing sensitive information. 8. How has the perception of the hacker changed over recent years? What is the profile of a hacker today? The classic perception of the hacker is frequently glamorized in fictional accounts as someone who stealthily manipulates their way through a maze of computer networks, systems, and data to find the information that resolves the dilemma posed in the plot and saves the day. However, in reality, a hacker frequently spends long hours examining the types and structures of the targeted systems because he or she has to use skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The perception of a hacker has evolved over the years. The traditional hacker profile was male, age 13-18, with limited parental supervision who spent all his free time at the computer. The current profile of a hacker is a male or female, age 12 60, with varying technical skill levels, and can be internal or external to the organization. Today there are both expert hackers and unskilled hackers. The expert hackers create the software and schemes to attack computer systems while the novice hackers are the ones who merely utilize the software created by the expert hacker. 9. What is the difference between a skilled hacker and an unskilled hacker (other then the lack of skill)? How does protection against each differ? An expert hacker in one who develops software scripts and codes to exploit relatively unknown vulnerabilities. The expert hacker is usually a master of several programming languages, networking protocols, and operating systems. An unskilled hacker is one who uses scripts and code developed by skilled hackers. They rarely create or write their own hacks, and are often relatively unskilled in programming languages, networking protocols, and operating systems.

_____________________________________________________________________________________________ Page: 2

Protecting against an expert hacker is much more difficult, due in part to the fact that most of the time the expert hacker is using new, undocumented attack code. This makes it almost impossible to guard against these attacks at first. Conversely, an unskilled hacker generally uses hacking tools that have been made publicly available. Therefore, protection against these hacks can be maintained by staying up-to-date on the latest patches and being aware of hacking tools that have been published by expert hackers. 10. What are the various types of Malware? How do worms differ from viruses? Do Trojan horses carry viruses or worms? Common types of malware are viruses, worms, Trojan horses, logic bombs, and back doors. Computer viruses are segments of code that induce other programs to perform actions. Worms are malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. Once a trusting user executes a Trojan horse program it will unleash viruses or worms to the local workstation and the network as a whole. 11. Why does polymorphism cause greater concern than traditional malware? How does it affect detection? Polymorphism causes greater concern because it makes malicious code more difficult to detect. The code changes over time, which means commonly used anti-virus software, which uses preconfigured signatures for detection, will be unable to detect the newly changed attack. This makes polymorphic threats harder to protect against. 12. What is the most common form of violation of intellectual property? How does an organization protect against it? What agencies fight it? The most common violations involve the unlawful use or duplication of software-based intellectual property known as software piracy. Some organizations have used such security measures as digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media. Also, most companies file patents, trademarks or copyrights which can allow a company to legally pursue a violator. Another effort to combat piracy is the online registration process. During installation, software users are asked or even required to register their software to obtain technical support, or the use of all features. There are two major organizations that investigate allegations of software abuse: Software and Information Industry Association (SIIA) and the Business Software Alliance (BSA). 13. What are the various types of force majeure? Which type is of greatest concern to an organization in Las Vegas? Oklahoma City? Miami? Los Angeles? Force majeure refers to forces of nature or acts of God that pose a risk, not only to the lives of individuals, but also to information security. Force majeure includes fire, flood, earthquake, lightning, landslide or mudslide, tornado or severe windstorm, hurricane or typhoon, tsunami, electrostatic discharge (ESD), and/or dust contamination.
_____________________________________________________________________________________________ Page: 3

A major concern to an organization in Las Vegas might be dust contamination. Tornado is a concern for Oklahoma City, OK. Miami, FL would be most concerned with hurricanes or tsunamis. Earthquakes, mud-slides, wildfires and riots would be of concern to LA. 14. How does technology obsolescence constitute a threat to information security? How can an organization protect against it? Technological obsolescence is a security threat caused by managements potential lack of planning and failure to anticipate the technology needed for evolving business requirements. Technological obsolescence occurs when the infrastructure becomes outdated, which leads to unreliable and untrustworthy systems. As a result, there is a risk of loss of data integrity from attacks. One of the best ways to prevent this is through proper planning by management. Once discovered, outdated technologies must be replaced. Information Technology personnel must help management identify probable obsolescence so that any necessary replacement (or upgrade) of technologies can be done in a timely fashion. 15. Does the intellectual property owned by an organization usually have value? If so, how can attackers threaten that value? Yes, the IP of an organization may be its highest value asset. Attackers can threaten its value by reducing or removing its availability to the owner or by stealing and then selling copies of the asset thus causing a loss in the economic value of the assets. 16. What are the types of password attacks? What can a systems administrator do to protect against them? The types of password attacks include: Password Crack, Brute Force, and Dictionary: Password crack: Attempting to reverse calculate the password is called cracking. Cracking is used when a copy of the Security Account Manager data file can be obtained. A possible password is taken from the SAM file and run through the hashing algorithm in an attempt to guess the password. Brute Force: The application of computing and network resources to try every possible combination of options for a password. Dictionary: A form of brute force for guessing passwords. The dictionary attack selects specific accounts and uses a list of commonly used passwords with which to guess. To protect against password attacks, security administrators can: a. Implement controls that limit the number of attempts allowed. b. Use a disallow list of passwords from a similar dictionary. c. Require use of additional numbers and special characters in passwords. 17. What is the difference between a denial-of-service attack and a distributed denialof-service attack? Which is potentially more dangerous and devastating? Why?

_____________________________________________________________________________________________ Page: 4

A denial-of-service attack occurs when an attacker sends a large number of connection or information requests to a target. A distributed denial-of-service attack occurs when a coordinated stream of requests is launched against a target from many locations at the same time. A distributed denial-of-service attack is potentially more dangerous and devastating. In most DDoS attacks, numerous machines are first compromised and used as zombies to carry out the denial-of-service attack against a single target. DDoS attacks are most difficult to defend against, and there are currently no controls any single organization can apply. 18. For a sniffer attack to succeed, what must the attacker do? How can an attacker gain access to a network to use the sniffer system? The attacker must first gain access to a network to install the sniffer. Social engineering offers the best way for an attacker to gain access to a network to install a physical sniffer device. By convincing an unwitting employee to instruct the attacker as to the whereabouts of the networking equipment, the installation of the sniffer can be accomplished. 19. What method does a social engineering hacker use to gain information about a users login and password? How would this method differ if it were targeted towards an administrators assistant versus a data-entry clerk? Social Engineering is the process of using social skills to obtain access credentials or other valuable information. Role-playing can do this, where the attacker represents himself or herself as someone of authority requesting information. This may also be accomplished by installing bogus software on user machines that will gather access information, or by using deception to act on the conscience of users. Tactics change based on the target. A data-entry clerk could likely be swayed just by mentioning the name of the CEO and describing his anger at not getting the requested information promptly. Conversely, someone higher up the chain of command, who perhaps even works directly with those in power, would require more convincing proof. This could be anything from a few additional details regarding a particular project or something as precise as an authorization password or document. 20. What is a buffer overflow and how is it used against a web server? A buffer overflow occurs when more data is sent to a buffer than it can handle. It can be caused over a network when there is a mismatch in the processing rates between the two entities involved in the communication process.

_____________________________________________________________________________________________ Page: 5

1. Consider the statement: an individual threat, like a hacker, can be represented in more than one threat category. If a hacker hacks into a network, copies a few files, defaces the Web page, and steals credit card numbers, how many different threat categories does this attack cover? Deliberate acts are the main threat category for this type of attack because the hacker is deliberately trying to cause harm. Different sub-categories that this attack could fall under are deliberate acts of espionage or trespass, deliberate acts of sabotage or vandalism, and deliberate acts of theft. Compromises to intellectual property copying of files, defacing the web page, and stealing credit card numbers. Technical failures. For instance, if part of the organizations software has an unknown trap door then this type of hacker attack could occur. Management failure. This hacker attack could happen if management were to have a lack of sufficient planning and foresight to anticipate the technology need for evolving business requirements. 2. Using the web, determine what was the extent of Mafiaboy's exploits. How many sites did he compromise and how? How was he caught? Mafiaboy's exploits consisted of a series of DDoS (Distributed Denial of Service) attacks on 11 corporate networks. The attacks caused, according to investigators, approximately 1.7 billion dollars in loss for these companies but there is dispute regarding the accuracy of that figure. The attacks caused some of these companies' websites and networks to be difficult to reach. In some cases, they crashed completely, remaining offline from mere hours to as long as several days. Since the attacks were so large, it prompted the authorities to investigate. Authorities found that someone by the name of Mafiaboy was bragging about the attacks on websites, message boards and even on his own site. In addition to this, the authorities were able to associate an IP address to the attacks, which in turn linked to the ISP, and then, with the ISP's help, they linked the IP address to an account whose phone numbers linked to Mafiaboy's father's number. Alternate Answer One example of a novice using pre-coded exploits was that of Mafiaboy, a teen that launched distributed denial-of-service attacks against several high profile websites. MafiaBoys denial-of-service attacks brought down many of the Internet's largest sites. The tools used for these attacks are widely available on the Internet and require little computer knowledge to use, being simple enough for use by script kiddies. Mafiaboy simply ran a computer script that clogged networks full of garbage data. He was deemed an unskilled attacker because of a number of indicators, primarily that he failed to take basic steps to cover his tracks, such as erasing logs. A series of computer taps led to Mafiaboys arrest.

_____________________________________________________________________________________________ Page: 6

Nonetheless, his skill deficit did not stop him from successfully shutting down a number of prominent websites. MafiaBoy gained illegal access to 75 computers in 52 different networks and planted a DoS tool on them which he then activated and used to attack 11 Internet sites by sending up to 10,700 phony information requests in 10 seconds., Yahoo!,, as well as more than 1,200 other sites CNN hosts worldwide, and eBay are among the sites Mafiaboy was able to cripple. The cost to these companies is estimated to be in the millions, perhaps even billions, of dollars. For example, for a company whose only storefront is web-based, this type of attack can be a disaster, as it is estimated that thousands of dollars of revenue is lost per hour of non-operation. Because Amazon.coms website was inaccessible for more than a day, it is estimated they lost several million dollars. and Yahoo! offered more concrete numbers; each company lost a million dollars every four hours that their networks were inaccessible. References: 1. DoS Attacks Cripple Yahoo, CNN, Amazon and Irish News. February 9, 2001. 2. One year after DoS attacks, vulnerabilities remain. February 8, 2001. 3. Search the Web for The Official Phreakers Manual. What information contained in this manual can help a security administrator to protect a communications system. Phone phreaking is the act of using mischievous and mostly illegal methods in order to avoid having to pay for some sort of telecommunications invoice, order, transfer, or other service. It often involves usage of highly illegal boxes and machines in order to defeat the security that is set up to avoid this sort of tactic. This security includes blocking networks. A blocking network is a network that, under certain conditions, may be unable to form a transmission path from one end of the network to the other. In general, all networks used within the Bell Systems are of the blocking type. A security administrator could benefit from studying "The Official Phreaker's Manual" as it could allow them to better protect their communications system. From the system administrator's point of view, this information would prove useful due to the fact that it provides many common ways of finding loop-holes and alternate ways around different communications system security measures. Equipped with this information, a system administrator would be aware of and could utilize different approaches in implementing a more extensive security program. The chapter discussed many threats and vulnerabilities to information security. Using the Web, find at least two other sources of information on threat and vulnerabilities. Begin with Using a keyword search on threats. - This site has details about new security standards that should be adopted by organizations and the reasons for the security standards ranging from cryptology to network security.


_____________________________________________________________________________________________ Page: 7 - This site is a searchable index of information on computer vulnerabilities. - This site has a number of articles with information security concerns for various industry experts on a wide variety of issues especially in the corporate world. - Information on reported threats., - Microsofts listing of important announcements for security and privacy - lists threats, vulnerabilities, and advisories - This site has information on the latest viruses and security advisories. - The Registers listing of the latest threats - This site has information on any new information about the Technology industry including breaches of security of various companies information systems. 5. Using the categories of threats mentioned here, as well as the various attacks described, review several newspapers and locate examples of each. 1. Potential acts of human error or failure 2. Compromises to intellectual property,1283,54681,00.html 3. Deliberate acts of espionage or trespass-

_____________________________________________________________________________________________ Page: 8

4. Deliberate acts of information extortion 5. Deliberate acts of sabotage of vandalism 6. Deliberate acts of theft-,2125,50025,00.html 7. Deliberate software attacks- 8. Forces of nature 9. Potential deviations in quality of service from service provides 10. lay.html 11. Technical hardware failure,2000025001,202665721,00.htm 12. Technical software failure,1282,15459,00.html 13. Technological obsolescence,1287,10124,00.html Virus Attack: VBS.Melhack.B is an intended mass mailing virus that is written in Visual Basic. It copies itself as OsamaLaden.vbs into two locations. ( tml) Worm Attack: W32.Efno.Worm is a worm that attempts to spread using the popular KaZaA file-sharing program. The worm is written in Visual Basic, and therefore it requires Visual Basic runtime libraries (Msvbvm60.dll) to run. When this worm runs, it changes several KaZaA registry keys. This causes the worm to be accessible to other users on the KaZaA network. The worm spreads using the file name "Win XP SP1 cracker.exe." However, it is possible to change the file name to other names that may appeal to people. html Trojan Horse:

_____________________________________________________________________________________________ Page: 9

Trojan.IrcBounce is the detection for a collection of programs that a hacker can use to conceal intrusion and obtain administrator-level access to Microsoft Windows environments. These programs can be used to attack Windows environments that

Have the default installation, in which the Administrator account has no password Use user names and passwords that are very common. After it is installed into victim's system, it gives a remote attacker unobstructed access to the compromised computer.

Back Door: Backdoor.FunFactory allows unauthorized access to an infected computer. It also allows voice communication from the intruder to the user of the compromised computer.

_____________________________________________________________________________________________ Page: 10