ISD705_CH5
1. How important was trust to Madoff's scheme?
Trust was critical to the success of his scheme. Madoff was trusted because he was a Wall Street fixture.
c. How serious was the intrusion, and when did it occur?
It is a serious one since it involved trade policy matters, policy negotiations, and conversations with businesses. It started in November 2009 and went on until May 2010, giving the intruders access to six months' worth of e-mails.
disabling Bluetooth and Wi-Fi;
never letting his phone out of his sight;
5. Identify and evaluate the actual and potential business risks and damages from LinkedIn's data breach.
Actual risks and damages: nearly $1M in cleanup costs, $2-$3M in upgrades, $500,000 to $1M for forensic work; steep fines for violating privacy laws and regulations; damage to its number of active members and membership growth; damage to its advertising business
3. What security features are built into Black?
Advanced features for cybersecurity in Black include:
15. What are the functions of an IDS and IPS?
An Intrusion Detection System (IDS) scans for unusual or suspicious traffic. An IDS can identify the start of a DoS attack by the traffic pattern, alerting the network administrator to take defensive action, such as switching to another IP address and diverting critical servers from the path of the attack.
1. Why is cybercrime expanding rapidly? Discuss some possible solutions.
Current cybersecurity technologies and policies are simply not keeping pace with fast-evolving threats. Executives are responding to the need to fund enhanced security activities and have substantially improved technology safeguards, processes, and strategies. Unfortunately, adversaries have done better.
7. Discuss why information security is a concern of senior managers.
Data security is a senior management concern and responsibility. It affects a company's operations, reputation, and customer trust, which ultimately impact revenue, profits, and competitive edge.
12. What are the risks caused by data tampering? Answers may vary.
Data tampering refers to an attack during which someone enters false or fraudulent data into a computer, or changes or deletes existing data. Data tampering is extremely serious because it may not be detected. This introduces dirty data with all of its inherent issues.
6. What is a critical infrastructure? List three types of critical infrastructures.
Critical infrastructure is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
5. Explain why data on laptops and computers need to be encrypted.
Encryption is a part of a defense-in-depth approach to information security. The basic principle is that when one defense layer fails, another layer provides protection. For example, if a wireless network's security was compromised, then having encrypted data would still protect the data, provided that the thieves could not decrypt it.
6. Why is data encryption an important information security defense?
Encryption is needed to store sensitive information securely in the event of loss or theft of a mobile device or a hack into a network.
13. Explain what firewalls protect and what they do not protect.
Firewalls are designed as an access control. Because they are a perimeter defense technology, they mostly protect against external threats. They can restrict access to a network, but cannot protect against insider threats.
2. Explain fraud and occupational fraud.
Fraud is a nonviolent crime because fraudsters use deception, confidence, and trickery. Fraudsters carry out their crime by abusing the power of their position or by taking advantage of the trust, ignorance, or laziness of others.
2. What else did Madoff rely upon to carry out his fraud?
Fundamentally, Madoff relied on social engineering and the predictability of human nature, not on financial expertise.
8. What is the number one cause of data loss or breaches?
Hacking is the number one cause of data loss.
8. What impact might huge fines have on how much a company budgets for IT security defenses?
Huge fines may deter companies from underinvesting (budgeting too little) in data protection but also might cause a company to overinvest. Companies should neither underinvest nor overinvest, but rather base their investment on what needs to be protected and a cost-benefit analysis.
6. Why should you set a unique password for each website, service, and device that you use?
If one site is compromised, revealing your username and password, then the hacker may be able to break into other accounts or devices that you have.
2. How did lax security impact Target's sales revenue and profit performance?
In February 2014 Target reported that its 2013 fourth-quarter (4Q) profit dropped 46 percent and sales revenue fell 5.3 percent.
4. What was the biggest data breach in history?
In October 2013 a data breach at Adobe exposed the account information of up to 152 million users—the largest data breach in history.
a. When are a company's security measures sufficient to comply with its obligations? For example, does installing a firewall and using virus detection software satisfy a company's legal obligations?
In order to comply with its obligations, a company's IT systems should be based upon three principles:
10. Define and give an example of an intentional threat.
Intentional threats are those where the individual(s) have intention to do harm or some illegal activity.
2. Create a list of best cybersecurity practices for travelers based on Lieberthal's methods.
Lieberthal's cybersecurity practices included:
4. LinkedIn's lax approach to members' information security and weak passwords was very surprising to members and information security professionals. Why?
LinkedIn collects and profits from vast amounts of data yet had taken a negligent approach to protecting its most vital asset.
10. Why do users refuse to use strong passwords even though they know how dangerous weak passwords are?
Many people are too lazy to create passwords which meet the requirements.
1. Was cybersecurity a priority at Target? Explain.
No. In spite of numerous security warnings, from the federal government, private research firms, and their own cybersecurity staff, data security was not a top priority. As retailers receive numerous security warnings every week, it becomes difficult to identify or decide which ones are the most urgent.
b. An improved firewall that is 99.9988 percent effective and that costs $84,000, with a life of 3 years and annual maintenance cost of $16,000, is available. Should this firewall be purchased instead of the first one?
No. This would be an overinvestment. The projected savings would not justify the increased cost.
8. Explain why someone who used the same password for several sites would need to change all those passwords. In your opinion, was LinkedIn negligent in protecting its main asset? Explain.
Once their LinkedIn account was hacked, cybercriminals could use the information retrieved to locate and access other accounts, such as a corporate account, online banking, etc.
7. Why do organizations need a business continuity plan?
Organizations need a business continuity plan to maintain or quickly restore business functions when there is a major disruption. The plan covers business processes, assets, human resources, business partners, and more. Fires, earthquakes, floods, power outages, malicious attacks, and other types of disasters hit data centers. Like insurance, it is a cost without a return on the investment unless and until a disaster happens.
h. What other resources are at risk?
Other smaller organizations' trade secrets may be at risk and the companies may not be aware of it.
7. How are phishing attacks done?
Phishing is a deceptive method of stealing confidential information by pretending to be a legitimate organization, such as PayPal, a bank, credit card company, or other trusted source. Phishing messages include a link to a fraudulent phish website that looks like the real one. When the user clicks the link to the phish site, he or she is asked for a credit card number, social security number, account number, or password. Successful attacks depend on untrained or unaware users responding to phishing scams.
Most viruses, trojans, and worms are activated when an attachment is opened or a link is clicked.
Remote access trojans, or RATs, create an unprotected backdoor into a system through which a hacker can remotely control that system.
4. In addition to the data theft, what else was damaged by this incident?
Reputation of the firm was damaged, leading to financial and personnel repercussions.
6. Explain rogue app monitoring.
Rogue app monitoring is a type of defense to detect and destroy malicious apps in the wild. Several vendors offer 24/7 monitoring and detection services to monitor major app stores and shut down rogue apps to minimize exposure and damage.
3. According to experts, how was the data breach executed?
Several experts believe that POS malware bought from the criminal underground was responsible. This malware was installed on the stores' point-of-sale (POS) payment terminals in order to capture credit card data.
5. Why is a defense-in-depth model vital to a security smartphone such as Black?
Smartphones are mobile and used for a variety of tasks (calls, texts, emails, etc.) which may open multiple paths for a security breach. Black uses the defense-in-depth model to ensure that if one layer of security is compromised, other layers will continue to secure the device, its data, and transmissions.
9. Why is social engineering a technique used by hackers to gain access to a network?
Social engineering, also known as human hacking, is tricking users into revealing their credentials and then using those credentials to gain access to networks or accounts. It is a hacker's clever use of deception or manipulation of people's tendency to trust, be helpful, or simply follow their curiosity. Powerful IT security systems cannot defend against what appears to be authorized access. Humans are easily hacked, making them and their social media posts high-risk attack vectors. For instance, it is often easy to get users to infect their corporate network or mobiles by tricking them into downloading and installing malicious apps or backdoors.
1. How do social networks and cloud computing increase vulnerability?
Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack for organized criminal networks. Critical, sensitive, and private
14. Explain spear phishing.
Spear phishers often target select groups of people with something in common—they work at the same company, bank at the same financial institution, or attend the same university. The scam e-mails appear to be sent from organizations or people the potential victims normally receive e-mails from, making them even more deceptive.
2. In addition to hackers, what kinds of cybercriminals do organizations need to defend against?
Stealth, profit-motivated cybercriminals and hacktivists.
Step 1: Senior management commitment and support.
Step 2: Acceptable use policies and IT security training.
Step 3: IT security procedures and enforcement.
Step 4: Hardware and software.
2. Explain the three components of the CIA triad.
The CIA triad consists of three key cybersecurity principles: confidentiality, integrity, availability.
3. Why do the SEC and FTC impose huge fines for data breaches?
The SEC and FTC impose huge fines for data breaches to deter companies from underinvesting in data protection.
SOX and the SEC are making it clear that if controls can be ignored, there is no control. Approximately 85 percent of occupational fraud could have been prevented if proper IT-based internal controls had been designed, implemented, and followed. If a company shows its employees that it can find and prosecute a wrongdoer to the fullest extent under the law, then the likelihood of any employee adopting an "I can get away with it" attitude drops drastically.
The SEC and FTC impose huge fines for data breaches to deter companies from underinvesting in data protection. Yet overinvestment can be a waste of resources and a drain on profitability. A cost-benefit analysis and an assessment of what needs to be protected should drive the defense strategy and controls to use.
2. What federal law requires effective internal controls?
The Sarbanes-Oxley Act (SOX) requires companies to set up comprehensive internal controls.
e. What information could the hackers have gleaned from the intrusion of the Chamber?
The emails revealed the names of companies and key government people in contact with the Chamber, as well as trade-policy documents, policy negotiations, trip reports and schedules.
8. What are the four steps in the defense-in-depth IT security model?
The four steps are:
d. What or whom did the hackers focus on? Why?
The hackers focused on four Chamber employees who worked on Asia policy, stealing six weeks of their email. The hackers' interest was to find out US trade policies with their country and those in the region. This intelligence was helpful for planning their actions in alignment with the trade policies.
1. Why are internal controls needed?
The internal control environment is the work atmosphere that a company sets for its employees. Internal control (IC) is a process designed to achieve:
1. The Wall Street Journal (WSJ.com) has detailed a cyberattack against the U.S. Chamber of Commerce in which e-mails were stolen. Review The Wall Street Journal interactive graphic "China Hackers Hit U.S. Chamber, Attacks Breached Computer System of Business-Lobbying Group; Emails Stolen," dated December 21, 2011. Also view the video.
The links are posted in the book's website at www.wiley.com/college/turban or you can search the WSJ.com website using the video title.
2. What causes or contributes to data breaches?
The main cause of a data breach is hacking, but the reason hacking is so successful is negligence—management not doing enough to defend against cyber-threats. Even high-tech companies and market leaders appear to be detached from the value of the confidential data they store and the threat that highly motivated hackers will try to steal them.
5. What are two types of mobile biometrics?
Two types of biometrics which can be implemented on mobile devices are voice and fingerprint.
Expected loss (daily) = P1 x P2 x L = 0.07% x 5% x $1.6M = 0.0007 x 0.05 x $1.6M = $56 daily. Given that this is the expected daily loss, the yearly amount (365 days) comes to $20,440.
b. An insurance agent is willing to insure your facility for an annual fee of $15,000. Analyze the offer, and discuss whether to accept it.
• Accounting principles: These principles require that the integrity, availability, and reliability of data and information systems be maintained.
b. Is it necessary for an organization to encrypt all of its electronic records?
The announcement of the initial data breach was disclosed on December 19, 2013, with additional data theft again announced on January 10, 2014. Customers were scared away, causing 2013 fourth-quarter (4Q) profit to drop 46 percent and sales revenue to fall 5.3 percent and impacting profits throughout 2014. $61 million was incurred in breach-related expenses in Q4 2013, which harmed profitability. A security analyst at the tech firm Gartner estimated the costs of the breach from $400 million to $450 million. Target also faced at least 70 lawsuits related to alleged privacy invasion and negligence.
8. Why should websites be audited?
Auditing a website is a good preventive measure to manage the legal risk. Legal risk is important in any IT system, but in Web systems it is even more important due to the content of the site, which may offend people or be in violation of copyright laws or other regulations (e.g., privacy protection).
5. Explain authentication and two methods of authentication.
Authentication, also called user identification, is proving that the user is who he claims to be and is a part of access control.
leaving his smartphone and laptop at home and taking loaner devices which he erased before leaving the U.S. and wiped clean upon return;
turning off his phone in meetings and removing the battery for fear his microphone could be turned on remotely;
data, networks, hardware, and software that are company- or employee-owned, as discussed in the opening case.
any unauthorized way.
• Availability: Data is accessible when needed by those authorized to do so.
• Defending yesterday. Relying on yesterday's cybersecurity practices is ineffective at combating today's threats.
• Bigger attack surface. The attack surface—consisting of business partners, suppliers, customers, and others—has expanded due to larger volumes of data flowing through multiple channels.
• Environmental hazards include volcanoes, earthquakes, blizzards, floods, power failures or strong fluctuations, fires (the most common hazard), defective air conditioning, explosions, radioactive fallout, and water-cooling system failures. In addition to the primary damage, computer resources can be damaged by side effects, such as smoke and water. Such hazards may disrupt normal computer operations and result in long waiting periods and exorbitant costs while computer programs and data files are recreated.
• Computer systems failures can occur as the result of poor manufacturing, defective materials, and outdated or poorly maintained networks. Unintentional malfunctions can also happen for other reasons, ranging from lack of experience to inadequate testing.
• Contractual penalties or loss of contractual bonuses
• Customer dissatisfaction or defection
• Prevent attacks by having network intrusion defenses in place.
• Detect, diagnose, and respond to incidents and attacks in real time.
• Hardware crypto engine to protect both stored and transmitted data
• Embedded secure components to enable trusted operations
• Promote secure and legal sharing of information among authorized persons and partners.
• Ensure compliance with government regulations and laws.
• Encryption to store sensitive information securely
• Hardware root of trust to ensure software authenticity
Examples: Answers may vary.
• Human error can occur in the design of the hardware or information system. It can also occur during programming, testing, or data entry. Not changing default passwords on a firewall or failing to manage patches creates security holes. Human errors also include untrained or unaware users responding to phishing scams or ignoring security procedures.
• Make data and documents available and accessible 24/7 while simultaneously restricting access.
• Implement and enforce procedures and acceptable use policies (AUPs) for
• Confidentiality: No unauthorized data disclosure.
• Integrity: Data, documents, messages, and other files have not been altered in
a. Should management buy the firewall?
Current losses amount to $156,000 per year, on average ($130,000 x 1.2).
9. How is expected loss calculated?
Expected loss is calculated as: Expected loss = P1 x P2 x L
where
P1 = probability of attack (estimate, based on judgment)
• Lost sales and income
• Delayed sales or income
1. Why was 2013 dubbed the "Year of the Breach"?
2013 has been dubbed the "Year of the Breach" because there were 2,164 reported data breaches that exposed an estimated 823 million records. Almost half of the 2013 breaches occurred in the United States, where the largest number of records were exposed—more than 540 million data records or 66 percent.
Several vendors are listed by the biometric mechanism used. In the text two common biometrics are discussed. Others include hand and finger geometry, iris, palm prints, voice, and face recognition. In the analysis, one needs to consider both false positive and false negative probabilities. From the text:
A biometric control is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. For example, fingerprint scanners are used for identification, as shown in Figure 5.11. Most biometric systems match some personal characteristic against a stored profile. The most common biometrics are:
6. What are biometric controls? Give an example.
A biometric control is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. Most biometric systems match some personal characteristic against a stored profile.
13. Define botnet and explain its risk.
A botnet is a collection of bots, which are malware-infected computers. Infected computers, called zombies, can be controlled and organized into a network of zombies on the command of a remote botmaster. Embedding a botnet agent within thousands or even millions of computers increases processing power of the attack to that of a supercomputer. Zombies can be commanded to monitor and steal personal or financial data—acting as spyware. Botnets are used to send spam and phishing e-mails and launch DDoS attacks. Botnets are extremely dangerous because they scan for and compromise other computers, and then can be used for every type of crime and attack against computers, servers, and networks.
10. Explain business impact analysis.
A business impact analysis (BIA) estimates the consequences of disruption of a business function and collects data to develop recovery strategies. The BIA identifies both operational and financial impacts resulting from a disruption. Several examples of impacts to consider include (Ready.gov, 2014):
5. What is a contract hacker?
A contract hacker is a hacker available for hire and may supply complete hack attacks and 24/7 support through hacking help desks.
7. What are the motives of hacktivists?
A hacktivist is someone who does hacking as a way to protest for a cause.
7. Why is a mobile kill switch or remote wipe capability important?
A mobile kill switch or remote wipe capability is needed in the event of loss or theft of a device.
f. What did the Chamber do to increase cybersecurity after learning of the intrusion and cybertheft?
A thorough overhaul of the network security was carried out. USCC put in place various types of security protections. They also started applying the do-not-carry rules.
11. Explain why APT attacks are difficult to detect.
APT is a stealth network attack in which an unauthorized person gains access to a network and remains undetected for a long time. Skilled hackers launch APT attacks to steal data continuously (e.g., daily) over months or years—rather than to cause damage that would reveal their presence. APTs require a new information-protection model that focuses on continuous monitoring of network activity and high-value information. Most U.S. organizations lack these capabilities.
4. In what ways do users make themselves vulnerable to cybercrimes?
Answers may vary. By revealing credentials via social engineering; by using unsecured devices, particularly their own devices; by not following company policy for device usage or online activities; by losing their device(s) or having them stolen (not physically secured); by not using encryption on devices; by not using secure passwords.
6. Why might management not treat cyberthreats as a top priority?
Answers may vary. Cost likely is a principal contributor, as Target estimated that technological changes to harden its IT security would cost more than $100 million. The lack of security might have been a result of underinvestment by senior management.
3. Why are cybercriminals so successful?
Answers may vary. Current cybersecurity technologies and policies are simply not keeping pace with fast-evolving threats. Reasons for their success include:
4. In your opinion, how were so many red flags ignored given the risk that investors faced?
Answers may vary. Greed and a sense of exclusivity and security contributed.
4. Why is voice encryption an important digital security measure?
Answers may vary. Information may come in voice form as well as data. Both are digital and can be hacked. Therefore, protecting voice communication with encryption is an important digital security measure, just as protecting data is.
4. What are two red flags of internal fraud?
Answers may vary. Internal fraud may be indicated by anomalous patterns, such as excessive hours worked, deviations in patterns of behavior, copying huge amounts of data, attempts to override controls, unusual transactions, and inadequate documentation about a transaction.
1. Why do you think government-issued smartphones are a target for data theft and transmission theft?
Answers likely will include issues of spying, government secrets (e.g., as in diplomacy), and defense.
17. Discuss why the Sarbanes-Oxley Act focuses on internal control. How does that focus influence information security?
Answers may vary.
2. Companies are often slow to self-detect data breaches so a cyberattack can occur without a company even knowing it has a problem. What effect do you think LinkedIn's failure to self-detect its massive data breach had on its popularity and credibility?
Answers may vary.
3. Given your answers, what should users and organizations do and/or not do to reduce the threat of botnets?
Answers may vary.
4. Visit cio.com and search for a recent article on security, privacy, or compliance. What three lessons are learned from the article?
Answers may vary.
b. Explain the reasons for these trends.
Answers may vary.
15. Some insurance companies will not insure a business unless the firm has a computer disaster recovery plan. Explain why.
Answers may vary. A disaster recovery plan is an important part of cybersecurity. Full operation cannot resume without full recovery. Time is of the essence in order to minimize or limit losses. A recovery plan explains how to fix a damaged information system as quickly as possible.
3. What is a red flag?
Answers may vary. A red flag is an indication that something is suspect. If not ignored, red flags could have made this fraud detectible much earlier.
5. Research vendors of biometrics. Select one vendor, and discuss three of its biometric devices or technologies. Prepare a list of major capabilities. What are the advantages and disadvantages of its biometrics?
Answers may vary. A site to start with is: http://www.biometrics.org/vendors.php
12. Why should information control and security be of prime concern to management?
Answers may vary. All enterprises are subject to federal and state laws and regulations. Compliance with regulations always requires internal controls to ensure that sensitive data are protected and accurate.
7. Research recent news concerning this data breach. Has Target recovered from it? Explain.
Answers may vary. Although the impact continued to have effect during 2014, Target indicated that sales trends were improving.
5. Could such a large investment fraud happen again—or are there internal fraud prevention and detection measures in place that would prevent or stop it from occurring? Explain your answer.
Answers may vary. Although this scheme has made investors and the SEC more wary, caused additional fraud detection measures to be implemented, and provoked Congress to provide funds for additional enforcement officials, a large investment fraud remains possible, though more difficult, if investors and the SEC do not remain cautious and vigilant.
14. Why are authentication and authorization important in e-commerce?
Answers may vary. Authentication (proving the user is who he claims to be) and authorization (having the right to access) are parts of access control. These are important for e-commerce to prevent identity theft and fraud.
a. Explain the importance and the role of social engineering in this intrusion and cybertheft.
Answers may vary. It isn't clear exactly how the hackers broke in to the Chamber's systems. Evidence suggests they were in the network at least from November 2009 to May 2010. It appears that the hackers may have used "spear-phishing" to entice an employee into clicking a link or opening a document embedded with spyware. This social engineering approach likely was used to make the initial entry into the system, after which the hackers established six backdoors to the network to obtain stolen data. (Not many details are given on what exactly took place with regards to social engineering.)
3. Most corporate security incidents are uncovered by a third party, like a security firm, that picks up on evidence of malicious activity. Why do you think IT security experts and not LinkedIn discovered the data breach?
Answers may vary. LinkedIn had a very negligent approach to data security.
1. Many firms concentrate on the wrong questions and end up throwing a great deal of money and time at minimal security risks while ignoring major vulnerabilities. Why?
Answers may vary. Negligence; failure to do a risk assessment; failure to do a business impact analysis; not doing an appropriate IS audit; thinking that not underspending is all that matters; not understanding that data protection requires a multilayered approach and that security is an ongoing, unending process, not a problem that can be solved with hardware or software. Hardware and software security defenses cannot protect against irresponsible business practices.
a. Describe the recent trends in phishing attacks.
Answers may vary. Payment Services followed by Financial are the most-targeted industries. The US continues to be the top country hosting the most phishing sites due mainly to the fact that a large percentage of the world's Web sites and domain names are hosted in the U.S. The second quarter of 2014 had the second-highest number of phishing sites detected in a quarter, but it was only slightly higher than the first quarter of 2014. New online payment services and cryptocurrency sites are being targeted more frequently. There has been a recent increase in PUPs (Potentially Unwanted Programs) such as spyware and adware. This contributed to higher global infection rates.
16. Explain why risk management should involve the following elements: threats, exposure associated with each threat, risk of each threat occurring, cost of controls, and assessment of their effectiveness.
Answers may vary. Risk management is the process of identifying, assessing, and reducing risk to an acceptable level. To accomplish this, management must be aware of potential threats and the risk of that threat exploiting a vulnerability. Following the principle of economic use of resources, the risk and potential exposure of a threat must be balanced with the costs of controls and how well they actually protect against the threat.
6. Give an example of a weak password and a strong password.
Answers may vary. Some examples are: "1234546", "password", "mypassword". Weak passwords are easily guessable, short, common, or a word in the dictionary.
4. What are the two types of controls in a defense strategy?
Answers may vary. The major categories of general controls are physical controls, access controls, data security controls, communication network controls, and administrative controls.
8. Assuming that the CEO and CIO were forced to resign, what message does that send to senior management at U.S. companies?
Answers may vary. The message is that data security must be a top priority, well worth the investments required. Senior management must consider not only the financial impact to their companies and stockholders and the impact on customers, but the probable impact on their own jobs for not making data security a top priority.
g. Explain why cars and appliances can be hack targets.
Answers may vary. They can be used to trace the targeted individual's activities.
7. How can malware be stopped from stealing or disclosing data from an organization's network?
Answers may vary. They should demonstrate that the company has implemented effective corporate governance and fraud prevention measures.
3. What are the major motives of cybercriminals?
Answers may vary. To demonstrate the vulnerability of web sites; for political motives; for profit, fame, revenge, or an ideology; to wage warfare, terrorism, or an antiterrorism campaign; or to disable their target.
1. Many travelers might consider Lieberthal's method too inconvenient. Clearly, his electronically clean methods are time consuming and expensive. In your opinion, is there a tradeoff between cybersecurity and convenience? Explain.
Answers may vary. Yes, there is a tradeoff between cybersecurity and convenience. The more secure a person tries to keep their devices by ensuring that they cannot be hacked or are not accidentally transmitting data, the greater the amount of effort on the users' part. In the long run, such measures can prevent serious long term problems and inconveniences.
3. Research a botnet attack. Explain how the botnet works and what damage it causes. What preventive methods are offered by security vendors?
Answers may vary. ZDNet published an article on July 20, 2012 (http://www.zdnet.com/russian-held-over-botnet-attack-on-amazon-com-7000001298/) about a Russian who was arrested for launching a DDoS (Distributed Denial of Service) attack against Amazon.com. The botnet attacks that he launched slowed Amazon's services and prevented legitimate customers from accessing the Web site and completing transactions. The botnet (or collection of zombie software robot computers) made requests for large, resource-intensive Web pages, producing additional traffic of 600 to 1000 percent of normal traffic levels.
1. LinkedIn does not collect the credit card or other financial account information of its members. Why then would profit-motivated hackers be interested in stealing LinkedIn's stored data? What data would they be most interested in?
At most e-commerce and social sites, usernames are e-mail addresses—making them our universal username for online accounts. If the e-mail is a work account, then everyone also knows where we work and our login name. Therefore, knowing users' usernames and passwords provides authorized access to corporate accounts with almost no risk of being detected. Hackers attacked LinkedIn to gain access to over 161 million members' credentials as a means to gain access to much more valuable business networks and databases.
3. What is an attack vector? Give an example.
Attack vectors are entry points for malware, hackers, hacktivists, and organized crime. Answers may vary. An example is anyone's improperly secured mobile device.
4. Why does BYOD raise serious and legitimate areas of concern?
BYOD raises serious and legitimate areas of concern. Hackers break into employees' mobile devices and leapfrog into employers' networks—stealing secrets without a trace. New vulnerabilities are created when personal and business data and communications are mixed together. All cybersecurity controls—authentication, access control, data confidentiality, and intrusion detection—implemented on corporate-owned resources can be rendered useless by an employee-owned device. Also, the corporation's mobile infrastructure may not be able to support the increase in mobile network traffic and data processing, causing unacceptable delays or requiring additional investments.
2. What security precautions is Boeing taking with respect to the manufacture and sale of Black?
Black is manufactured in the United States, where higher security can be maintained. Few details about the wireless network operators or manufacturer have been released. Sales are intended for government agencies and contractors who need secure data and communications. If tampered with, the phone self-destructs.
Black is manufactured as a sealed device, with both epoxy around the casing and screws with tamper-proof covering. The phone encrypts voice and data communication and, if tampered with, self-destructs. For instance, any attempt to open the Black's casing deletes all data and software on the device and leaves it inoperable.
Black uses the defense-in-depth model which ensures that if one layer of security is compromised, other layers will continue to secure the device, its data, and transmissions. Multilayered defense-in-depth models are absolutely necessary for a secure device.
1. What are botnets used for?
Botnets are collections of computers that are under the control of an outside cybercriminal and are used to send transmissions, such as spam or a virus, to other computers. They can be commanded to direct transmissions to a specific computer (as in DDoS attacks) or to many computers (as in spam distribution).
9. Why are BYOD, BYOA, and do-not-carry rules important to IT security? Why might users resist such rules?
Bring your own device (BYOD) and bring your own apps (BYOA) are practices that move enterprise data and IT assets to employees' mobiles and the cloud, creating a new set of tough IT security challenges and putting organizations at a greater risk of cyberattack.
3. What is consumerization of information technology (COIT)?
Consumerization of information technology (COIT) is a trend where users are obtaining for personal use an increasing amount of information technology (e.g., personal mobile devices, such as smartphones and tablets, and powerful home PCs and laptops) which often is mobile, unsecured, and in some cases, better than that provided by their employer.
1. What are the two categories of crime?
Crime can be divided into two categories depending on the tactics used to carry out the crime: violent and nonviolent.
6. Explain how identity theft can occur.
Criminals have always obtained information about other people—by stealing wallets or dumpster diving. But widespread electronic sharing and databases have made the crime worse. A variety of cybercrimes, including the use of botnets, have been used to steal identities.
12. What are the objectives of cybersecurity?
The objectives of cybersecurity are to:
8. What are the purposes of do-not-carry rules?
The purposes of do-not-carry rules are to prevent compromise, not only of the device but of the company and/or government network, as a response to mobile security threats. Travelers can bring only "clean" devices and are forbidden from connecting to the government's network while abroad.
5. Why do malware creators alter their malware?
The simple answer is to avoid detection. Most antivirus (AV) software relies on signatures to identify and then block malware. Malware authors evade detection by AV software and firewalls by altering malware code to create variants, which have new signatures.
3. What defenses help prevent internal fraud?
The single-most effective fraud prevention tactic is making employees know that fraud will be detected by IT monitoring systems and punished, with the fraudster possibly turned over to the police or FBI. The fear of being caught and prosecuted is a strong deterrent. IT must play a visible and major role in detecting fraud.
11. How can the risk of occupational fraud be decreased?
The single most effective fraud prevention tactic is making employees know that fraud will be detected by IT monitoring systems and punished, with the fraudster possibly turned over to the police or FBI. The fear of being caught and prosecuted is a strong deterrent. IT must play a visible and major role in detecting fraud. Internal audits and internal controls are essential to the prevention and detection of occupational fraud.
4. What is an exploit? Give an example.
The term exploit has more than one meaning. An exploit is a hacker tool or software program used to break into a system, database, or device. An attack or action that takes advantage of a vulnerability is also called an exploit.
5. Describe the basic method of a distributed denial-of-service (DDoS) attack.
The textbook answer, "A distributed denial-of-service (DDoS) attack bombards a network or website with traffic (i.e., requests for service) to crash it and leave it vulnerable to other threats," actually describes any DoS attack. The difference between a DoS attack and a DDoS attack is the word "distributed": the attack originates from multiple sources.
10. What are two BYOD security risks?
The user-owned device may become infected due to personal use, at home or mobile.
• Delay of new business plans
These costs and losses should be compared with the costs for possible recovery strategies. The BIA report should prioritize the order of events for restoration of the business, with processes having the greatest operational and financial impacts being restored first.
2. Why are patches and service packs needed?
They are needed to keep software up to date and protected as fully as possible. When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, patches are released by the vendor or security organization. Patches, sometimes called service packs, are software programs that users download and install to fix a vulnerability.
1. What are threats, vulnerabilities, and risk?
Threat: Someone or something that can cause loss, damage, or destruction. Vulnerability: Weakness or flaw in a system that allows an attack to be successful. Risk: Probability of a threat exploiting a vulnerability and the resulting cost of the loss, damage, disruption, or destruction. Risk = f(Threat, Vulnerability, Cost of the impact)
b. What can be done to prevent this type of intrusion from occurring again?
USCC shut down the spy operation. A thorough overhaul of the network security was carried out. It appears that some peripheral devices are still connected to the spy network. It is important to keep firewalls and antivirus software updated. It is also important to educate organization employees on social engineering and its various forms, how to recognize it, and what to do to prevent falling victim to it.
9. Define and give an example of an unintentional threat.
Unintentional threats fall into three major categories: human error, environmental hazards, and computer system failures.
11. List and define three types of malware. Answers may vary.
Viruses, worms, trojans, rootkits, backdoors, botnets, and keyloggers are types of malware.
With the firewall, the expected loss at a 50% chance of attack = .5 x .000012 x $200,000 = $1.20
With the firewall, the expected loss at a 0% chance of attack = $0
With the firewall, the expected loss at a 50% chance of attack = .5 x .0002 x $200,000 = $20
With the firewall, the expected loss at a 0% chance of attack = $0
The cost of the firewall, including $16,000 maintenance, for one year is $44,000.
With the firewall, the expected loss at a 30% chance of attack = .3 x .000012 x $100,000 = $0.36
The cost of the firewall, including $5,000 maintenance, for one year is $27,000. The cost of the firewall, including $20,000 maintenance, for one year is $42,000.
With the firewall, the expected loss at a 30% chance of attack = .3 x .0002 x $100,000 = $2
5. Was this cybersecurity incident foreseeable? Was it avoidable?
Yes, it was foreseeable. Months before the attack there were multiple warnings, both from inside the company as well as outside, indicating new types of malware targeting payment terminals.
7. Should an employer notify employees that their usage of computers is being monitored? Why or why not?
Yes. Even if employers are not legally required to notify employees, they should do so. The single-most effective fraud prevention tactic is making employees know that fraud will be detected by IT monitoring systems and punished, with the fraudster possibly turned over to the police or FBI. The fear of being caught and prosecuted is a strong deterrent.
i. What does this incident indicate about how widespread hacking is? Explain your answer.
Yes. It took the FBI to discover the breach and that was after more than six months. More organizations could be facing the same espionage attacks. Also, it took more than a year before it was made public.
2. What is needed to get started in the botnet industry? Explain why.
You need a computer attached to the Internet and a small investment in the software. You need to know how to obtain the proper tools and be willing to direct them at a target.
6. Assume that the daily probability of a major earthquake in Los Angeles is .07 percent. The chance of your computer center being damaged during such a quake is 5 percent. If the center is damaged, the average estimated damage will be $1.6 million.
a. Calculate the expected loss (in dollars).
connecting to the Internet only through an encrypted, password-protected channel;
and never typing in a password directly, but copying and pasting his password from a USB thumb drive.
• Implementing before securing. Popular technologies like cloud computing, mobile, and BYOD (bring your own device) are implemented before they are secured.
• Not ready for next-generation cyberthreats. Few organizations are prepared to manage future threats. According to Gary Loveland, a principal in PwC's security practice, "What's needed is a new model of information security, one that is driven by knowledge of threats, assets, and the motives and targets of potential adversaries" (PWC, 2014).
• Reliability of financial reporting, to protect investors
• Operational efficiency
• Principle of economic use of resources: This principle is the basic cost-benefit principle.
• Principle of legality: This principle requires that companies invest in information security to meet minimum legal requirements.
• Maintain internal controls to prevent unauthorized alteration of data and records.
• Recover from business disasters and disruptions quickly.
• Compliance with laws
• Regulations and policies
• Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
• Regulatory fines
• Thumbprint or fingerprint. Each time a user wants access, a thumbprint or fingerprint (finger scan) is matched against a template containing the authorized person's fingerprint to identify him or her.
• Retinal scan. A match is attempted between the pattern of the blood vessels in the back-of-the-eye retina that is being scanned and a pre-stored picture of the retina. Biometric controls are now integrated into many e-business hardware and software products. Biometric controls do have some limitations: they are not accurate in certain cases, and some people see them as an invasion of privacy.
• Trusted platform modules to provide secure key storage
• Secure boot to maintain device image integrity
• Something only the user has, for example, a smart card or a token
• Something only the user is, such as a signature, voice, fingerprint, or retinal scan
Answers may vary. Authentication methods include:
• Something only the user knows, such as a password
• Unsafe cloud. While 47 percent of respondents use cloud computing, only 18 percent include provisions for cloud in their security policy.
• Unprepared for advanced persistent threats (APT). APTs require a new information-protection model that focuses on continuous monitoring of network activity and high-value information. Most U.S. organizations lack these capabilities.