
Task 6

1. Why is information security a management problem? What can management do that technology
cannot?

Both general management and IT management are responsible for implementing information security to
protect the ability of the organization to function.

Decision-makers in organizations must set policy and operate their organization in a manner that
complies with the complex, shifting political legislation on the use of technology. Management is
responsible for informed policy choices and the enforcement of decisions that affect applications and
the IT infrastructures that support them. Management can also implement an effective information
security program to protect the integrity and value of the organization's data.

2. Why is data the most important asset an organization possesses? What other assets in the
organization require protection?

Data is important in the organization because without it an organization will lose its record of
transactions and/or its ability to deliver value to its customers. Since any business, educational
institution, or government agency that functions within the modern social context of connected and
responsive service relies on information systems to support these services, protecting data in motion
and data at rest are both critical.

Other assets that require protection include the ability of the organization to function, the safe
operation of applications, and technology assets.

Task 7

1. When an attacker is able to control access to an asset, it can be held hostage to the attacker's
demands. For example, if an attacker is able to gain access to a set of data in a database and then
encrypt that data, they may extort money or other value from the owner in order to share the
encryption key so that the data can be used by the owner.

2. Employees are the greatest threats since they are the closest to the organizational data and will have
access by nature of their assignments. They are the ones who use it in everyday activities, and employee
mistakes represent a very serious threat to the confidentiality, integrity, and availability of data.
Employee mistakes can easily lead to the revelation of classified data, entry of erroneous data,
accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect
information.

3. The best way for an individual to avoid shoulder surfing is to avoid, as far as possible, the accessing of
confidential information when another person is present. The individual should limit the number of
times he/she accesses confidential data, and do it only when he/she is sure that nobody can observe
them. One should be constantly aware of who is around when accessing sensitive information.

Task 8

1. Common types of malware are viruses, worms, Trojan horses, logic bombs, and back doors.

Computer viruses are segments of code that induce other programs to perform actions. Worms are
malicious programs that replicate themselves constantly without requiring another program to provide
a safe environment for replication.

Once a trusting user executes a Trojan horse program, it will unleash viruses or worms to the local
workstation and the network as a whole.

2. Polymorphism causes greater concern because it makes malicious code more difficult to detect.

The code changes over time, which means commonly used anti-virus software, which uses
preconfigured signatures for detection, will be unable to detect the newly changed attack. This makes
polymorphic threats harder to protect against.
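
The detection gap described above, as an added example that is not part of the original answers. The byte strings are constructed and harmless, the one-byte XOR re-encoding is a simplified stand-in for polymorphism, and all function names are hypothetical; the decode-before-match scan goes beyond the answer text to show why static signatures alone are not enough.

```python
import hashlib

# Constructed, harmless byte string standing in for a sample's unchanging body.
BODY = b"BENIGN-DEMO-BODY::not-real-malware"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Each 'generation' stores the same body re-encoded with a different key."""
    return xor_bytes(BODY, key)


def build_signature(sample: bytes) -> dict:
    """What a static scanner records after analysts have seen one sample."""
    return {"sha256": hashlib.sha256(sample).hexdigest(), "pattern": sample[:16]}


def static_scan(sample: bytes, sig: dict) -> bool:
    """Preconfigured signature: exact hash or raw byte pattern, no decoding."""
    return (hashlib.sha256(sample).hexdigest() == sig["sha256"]
            or sig["pattern"] in sample)


def normalizing_scan(sample: bytes, decoded_pattern: bytes) -> bool:
    """Undo every possible one-byte XOR layer, then match the decoded body."""
    return any(decoded_pattern in xor_bytes(sample, k) for k in range(256))


def demo() -> dict:
    first_seen = make_variant(0x21)   # the sample the signature was built from
    next_gen = make_variant(0x5A)     # same body, different encoding
    clean_file = b"quarterly report, nothing to see here"  # constructed
    sig = build_signature(first_seen)
    return {
        "static_hits_first_seen": static_scan(first_seen, sig),
        "static_hits_next_gen": static_scan(next_gen, sig),
        "normalizing_hits_next_gen": normalizing_scan(next_gen, BODY[:16]),
        "normalizing_hits_clean_file": normalizing_scan(clean_file, BODY[:16]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The static signature matches only the generation it was built from, while matching on the decoded body still finds the re-encoded variant without flagging the unrelated file.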

Assignment

1. If a hacker hacks into a network and does damage such as copying files, defacing the Web page, and
stealing credit card numbers, then this attack falls into the following categories:

1. Compromise of intellectual property (stealing credit card numbers)

2. Espionage or trespass (hacking the network)

3. Sabotage or vandalism (defacing the webpage)

4. Theft (of credit card information and copies of files)

2. Mafiaboy is known as the “bratty-kid” who took down the internet. Michael Calce (Mafiaboy) was
born in 1986 in West Island, Quebec. He brought down several commercial websites, including Yahoo!,
Fifa.com, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. At the time, Yahoo! was the most popular
search engine. In 2000, when he was only 15 years old, he compromised these sites by launching
denial-of-service attacks on these companies. He was eventually caught by the FBI, which was conducting
surveillance on him. He was charged with 50+ crimes and sentenced to eight months in a youth group home.
Today, Calce is what's called a white hat hacker, which means companies hire him to help them recognize
security flaws in their company and design better security features.

3. Phone phreaking is the act of using strange and illegal methods so that you don’t have to pay for any
kind of communication service. It usually involves illegal machines that defeat the security system in
place for the communication device. “The Official Phreakers Manual” would help a security
administrator to protect a communications system because it provides many ways to find loopholes and
alternate ways around different communication system security. After reading this manual, system
administrators would be more aware of, and could use, different approaches to implement a security
program.

4. Microsoft: Vulnerabilities down, threats up http://www.securityfocus.com/brief/727

- Five common Web application vulnerabilities https://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities

5. There are 12 categories of threats. An example of each threat is listed below:

1. Compromise to intellectual property – Stealing credit card information (like in #1)

2. Deviations in quality of service – Internet service provider, power, or WAN service problems
(Charter internet going down)

3. Espionage or trespass – Unauthorized access and/or data collection (Equifax security breach)

4. Forces of nature – fire, floods, earthquakes, lightning, tornadoes, hurricanes (not a person)

5. Human error – accidents (mistakes)

6. Information extortion – blackmail, information disclosure (information being leaked)

7. Sabotage or vandalism – defacing a webpage, ruining a system software

8. Software attacks – viruses, worms, macros, denial of service (Mafiaboy’s attacks)

9. Technical hardware failure or errors – equipment failure

10. Technical software failure or errors – bugs, code problems, unknown loopholes

11. Technological obsolescence – outdated technology

12. Theft – illegal confiscation of equipment or information (stealing personal information such as credit
card numbers, driver's licenses, social security numbers, etc.)

Case

1. Answer: Before the discussion, Fred, Gladys, and Charlie focused on other ends in regard to
information security. Fred was more concerned with adding additional software to fix the malware
issues when clearly there were easier steps that needed to be taken.

2. Answer: Gladys’s performance should be based on the new security measures and protocol that she
has in place for the organization. This, of course, is putting a lot of trust into Charlie’s performance, as she
was the one who introduced Charlie and his new plan for the organization’s security. She practically
had him nominated for CIO.

3. Answer: Because the original threat was initiated by an employee’s flash drive, Charlie may look at
human errors first. Establishing safe use policies and having employees confirm data can greatly reduce
the risk of errors. Charlie may also take into consideration software attacks. In the event of human
errors (even after reformed policies), antivirus software is a good first defense in preventing damage.
