Chapter 2

1.Management is responsible for implementing information security to protect the

ability of the organization to function.They must set policy and operate the
organization in a manner that complies with the laws that govern the use of
technology.
Technology alone cannot solve information security issues.Management must make
policies choices and enforce those policies to protect the value of organization's
data .

2.Date is important to an organization because without it an organization will lose

its record of transaction and/or its ability to furnish valuable deliverables to
its costumers.
others assets that require protection include the ability of the organization to
function , the safe operation of applications, and technology assets.

3.Both general management and IT management are responsible for emplementing

information security.

4.The implementation of networking technology created more or less risk for

businesses that use information technology because business networks are now
connected to the internet and other networks external to the organization.
This has made it easier for people to gain unauthorized access to the
organization's networks.

5.Information extortion occurs when an attacker steals information from a computer

system anddemands compensation for its return or for an agreement not to disclose
it. For example, if a
hacker gains unauthorized access to a celebrity�s computer and discovers
embarrassing photos
or videos of the star, he could then blackmail the star into giving him money in
exchange forkeeping the photos quiet. This causes not only a monetary loss for the
celebrity, but also a lossof privacy and security.

6.Employees constitute one of the greatest threats to information security because

employeemistakes can lead to the revelation of classified data, entry of erroneous
data,
accidentaldeletion or modification of data, the storage of data in unprotected
areas, or they could fail tofollow procedures to protect data

7.Individuals can protect themselves against shoulder surfing by not accessing

personal or private
information when another person is present and can see what is being entered.

8.The perception of a hacker has evolved from being a male, age 13-18, with limited
parental
supervision who spends all his free time at the computer to the current profile
of being male or
female, aged 12-60, with varying technical skill who could be internal or
external to an
organization.

9.An expert hacker is one who develops software scripts and codes to exploit
unknown
vulnerabilities. An expert hacker is a master of several programming languages,
networking
protocols, and operating systems. An unskilled hacker is one who uses scripts and
code
developed by skilled hackers. They rarely create or write their own hacks, and are
unskilled in
programming languages, networking protocols, and operating systems. Protecting
against
expert hackers is difficult because they use newly developed attack code not yet
detectable by
anti-virus programs. Protecting against unskilled hackers is easier because they
use hacking
codes that are publicly available and can be thwarted by simply staying up-to-date
on the latest
software patches and being aware of the latest tools being published by expert
hackers.

10.The various types of malware include: viruses, worms, Trojan horses, logic
bombs, and back
doors. Worms differ from viruses in that they do not require a program environment
to replicate
itself. Trojan horses can disguise both viruses and/or worms as a non-threatening
piece of
software to get it into a computer network.

11.Polymorphism causes greater concern than traditional malware because the

malicious code
changes the way it appears over time which makes these threats harder to detect.
Anti-virus
software is not able to detect the signature of the virus after it changes making
the anti-virus
software ineffective.

12.The most common form of violation of intellectual property involves the unlawful
use or
duplication of software-based intellectual property, or software piracy. Some ways
that an
organization can protect against it are digital watermarks, embedded code,
copyright codes, and
requiring an online registration to be able to use all of the software features.
There are two organizations that investigate software piracy , the Software and
Information
Industry Association (SIIA) and the Business Software Alliance (BSA).

13.Force majeure refers to forces of nature, or acts of God, that people do not
have control over.
Some examples of force majeure include fires, floods, earthquakes, lightning
strikes, landslides,
tornados, windstorms, hurricanes, tsunamis, electrostatic discharge, and dust
contamination.
The greatest concern for an organization in Las Vegas might be dust contamination,
in Oklahoma
City tornados, in Miami hurricanes, and in Los Angeles earthquakes.

14.Technological obsolescence occurs when an organization�s computer infrastructure

becomes
outdated, which leads to unreliable and untrustworthy systems. As a result, there
is a risk of loss
of data integrity from attacks. Two ways to prevent against this is through proper
planning by
management and systematic replacement of outdated technologies.

15.The intellectual property owned by an organization does have value. The weight
of the value
depends on the type and popularity of the intellectual property. Attackers can
threaten that
value because they can gain access to that data and make the property public so
that the
organization does not have exclusive use of the intellectual property anymore.

16.The types of password attacks are password cracks, brute force and dictionary
attacks. To
protect against password attacks, security administrators can implement controls
that limit the
number of password entry attempts allowed, require the use of numbers and special
characters
in passwords, and restrict the use of passwords that are found in a dictionary.

17.A denial-of-service attack is accomplished when an attacker sends a large number

of connection
or information requests to a target and therefore overloading the system. A
distributed denialof-service attack is where an attacker coordinates a stream of
requests against a target from
many different locations and overloading the system. Distributed denial-of-service
attacks are
more dangerous because there are no definitive controls that an organization can
implement to
defend against such an attack.

18.In order for a sniffer attack to succeed, an attacker must gain access to a
network in order to
install the sniffer. An attacker could use social engineering to trick an employee
of an
organization into giving him access to the network.

19.Social engineering is the process of using social skills to convince people to

reveal access
information and/or other important information. An example of this could be a
hacker posing as
an executive of an organization calling to retrieve information. The hacker could
also pose as a
new hire or other employee of the organization begging for information to prevent
getting fired.
An attack targeted toward a data-entry clerk could be successful by just mentioning
an
executive�s name and threatening the wrath of the executive if they do not get
certain
information. An attack targeting an administrative assistant would probably need
more details
and other information to make the inquiries more credible.

20.A buffer overflow is an application error that occurs when more data is sent to
a program buffer
than it can handle. These types of errors can be used against a web server by
attaching
malicious code at the end of the extra data allowing the attacker to take over the
server and run
any code that the attacker wants.