Information Security Group Assignment
PART 1 -
Students are required to analyse and write a report about the following topics:
1. Using the Web, find out more about Kevin Mitnick. What did he do? Who caught him? Write a short summary of his activities and explain why he is infamous.
2. Using a Web browser, go to the EFF website. Choose one of the current top concerns of this organization and justify:
a. Why was this topic chosen?
b. How does it relate to the information security subject content?
3. Classify each of the following occurrences as an incident or disaster. If an occurrence is a disaster, determine whether business continuity plans would be called into play.
a. A hacker breaks into the company network and deletes files from a server.
b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are damaged, but the fire is contained.
c. A tornado hits a local power station, and the company will be without power for three to five days.
d. Employees go on strike, and the company could be without critical workers for weeks.
e. A disgruntled employee takes a critical server home, sneaking it out after hours.
For each of the scenarios (a-e), describe the steps necessary to restore operations. Indicate whether law enforcement would be involved.
PART 2 - Case Exercises
With your team members, please go through each case and answer the relevant discussion questions.
CASE 1 - One day at SLS, everyone in technical support was busy restoring computer systems to their former state and installing new virus and worm control software. Amy found herself learning how to re-install desktop operating systems and applications as SLS made a heroic effort to recover from the previous day's attack.
a. Do you think this event was caused by an insider or outsider? Explain your answer.
b. Other than installing virus and worm control software, what can SLS do to prepare for the next incident?
c. Do you think this attack was the result of a virus or a worm? Explain your answer.
CASE 2 - Charlie was getting ready to head home when the phone rang. Caller ID showed it was Peter. "Hi, Peter," Charlie said into the receiver. "Want me to start the file cracker on your spreadsheet?" "No, thanks," Peter answered, taking the joke well. "I remembered my passphrase. But I want to get your advice on what we need to do to make the use of encryption more effective and to get it properly licensed for the whole company. I see the value in using it for certain kinds of information, but I'm worried about forgetting a passphrase again, or even worse, that someone else forgets a passphrase or leaves the company. How would we get their files back?" "We need to use a feature called key recovery, which is usually part of PKI software," said Charlie. "Actually, if we invest in PKI software, we could solve that problem as well as several others." "OK," said Peter. "Can you see me tomorrow at 10 o'clock to talk about this PKI solution and how we can make better use of encryption?"
a. Was Charlie exaggerating when he gave Peter an estimate for the time required to crack the encryption key using a brute force attack?
b. Are there any tools that someone like Peter could use safely, other than a PKI-based system that implements key recovery, to avoid losing his passphrase?
Suppose Charlie had installed key logger software on all company computer systems and had made a copy of Peter's encryption key. Suppose that Charlie had this done without policy authority and without anyone's knowledge, including Peter's.
c. Would the use of such a tool be an ethical violation on Charlie's part? Is it illegal?
Suppose that Charlie had implemented the key logger with the knowledge and approval of senior company executives, and that every employee had signed a release that acknowledged the company can record all information entered on company systems. Two days after Peter's call, Charlie calls back to give Peter his key: "We got lucky and cracked it early." Charlie says this to preserve Peter's illusion of privacy.
d. Is such a "little white lie" an ethical action on Charlie's part?
CASE 3 - Charlie looked across his desk at Kelvin, who was absorbed in the sheaf of handwritten notes from the meeting. Charlie had asked Kelvin to come to his office and discuss the change control meeting from earlier that day. "So what do you think?" Charlie asked. "I think I was blindsided by a bus!" Kelvin replied. "I thought I had considered all the possible effects of the change in my project plan. I tried to explain this, but everyone acted as if I had threatened their lives." "In a way you did, or rather you threatened their jobs," Charlie stated. "Some people believe that change is the enemy."
"But these changes are important." "I agree," Charlie said. "But successful change usually occurs in small steps. What's your top priority?" "All the items on this list are top priorities," Kelvin said. "I haven't even gotten to the second tier." "So what should you do to accomplish these top priorities?" Charlie asked. "I guess I should reprioritize within my top tier, but what then?" "The next step is to build support before the meeting, not during it," Charlie said, smiling. "Never go into a meeting where you haven't done your homework, especially when other people in the meeting can reduce your chance of success."
a. What project management tasks should Kelvin perform before his next meeting?
b. What change management tasks should Kelvin perform before his next meeting, and how do these tasks fit within the project management process?
c. Had you been in Kelvin's place, what would you have done differently to prepare for this meeting?
Suppose Kelvin has seven controls listed as the top tier of project initiatives. At his next meeting with Charlie, he provides a rank-ordered list of these controls with projected losses over the next 10 years for each if it is not completed. Also, he has estimated the 10-year cost for developing, implementing, and operating each control. Kelvin has identified three controls as being the most advantageous for the organization in his opinion. As he prepared the slides for the meeting, he "adjusted" most projected losses upward to the top end of the range estimate given by the consultant who prepared the data. For the projected costs of his preferred controls, he chose to use the lowest end of the range provided by the consultant.
d. Do you think Kelvin has had an ethical lapse by cherry-picking the data for his presentation?
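As an added example (not part of the assignment or the textbook case), the following Python models the cost-benefit ranking Kelvin presents: each control has a consultant-supplied (low, high) range for 10-year projected loss and for 10-year cost, and the ranking is recomputed once with midpoints and once with Kelvin's "adjusted" choice of range ends. All figures, control names and the favoured set are constructed, and the net-benefit formula assumes a control removes its projected loss entirely.

```python
"""Added example: how picking range ends shifts a control ranking.
All data below is constructed for illustration."""

# Constructed data: 10-year projected loss if the control is NOT done, and
# 10-year cost to build/run it, each as the consultant's (low, high) range.
CONTROLS = {
    "A": {"loss": (400_000, 900_000), "cost": (300_000, 500_000)},
    "B": {"loss": (250_000, 300_000), "cost": (100_000, 120_000)},
    "C": {"loss": (150_000, 700_000), "cost": (200_000, 600_000)},
    "D": {"loss": (500_000, 550_000), "cost": (350_000, 400_000)},
}

FAVOURED = {"A", "C"}  # Kelvin's preferred initiatives (constructed)


def mid(rng):
    """Midpoint of a (low, high) range: the neutral single-point estimate."""
    return sum(rng) / 2


def net_benefit(ctrl, loss_pick, cost_pick):
    """Simplifying assumption: the control removes the projected loss
    entirely, so net benefit = loss avoided - cost over the same 10 years."""
    return loss_pick(ctrl["loss"]) - cost_pick(ctrl["cost"])


def rank(loss_pick=mid, cost_pick=mid, favoured=frozenset()):
    """Return control names ordered best-first.  With `favoured` given, use
    the top of every loss range and the bottom of the cost range only for
    favoured controls, mirroring the adjustment described in the case."""
    scores = {}
    for name, ctrl in CONTROLS.items():
        if favoured:
            lp = max
            cp = min if name in favoured else cost_pick
        else:
            lp, cp = loss_pick, cost_pick
        scores[name] = net_benefit(ctrl, lp, cp)
    return sorted(scores, key=scores.get, reverse=True)


def spread_flags(threshold=2.0):
    """Reviewer check: controls whose high/low ratio on loss or cost exceeds
    `threshold` are too uncertain for a single-point ranking to be honest,
    so the presenter should show the range, not one chosen end of it."""
    return sorted(n for n, c in CONTROLS.items()
                  if c["loss"][1] / c["loss"][0] > threshold
                  or c["cost"][1] / c["cost"][0] > threshold)
```

With these figures the midpoint ranking is A, B, D, C, while the adjusted ranking is A, C, B, D: control C moves from last to second only because both of its wide ranges were read at the favourable end, which is exactly what the spread check flags.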
Suppose that instead of choosing data from the range provided by the consultant, Kelvin simply made up better numbers for his favourite initiatives. Is this an ethical lapse? Suppose Kelvin has a close friend who works for a firm that makes and sells software for a specific control objective on the list. When Kelvin prioritized the list of his preferences, he made sure that specific control was at the top of the list. Kelvin planned to provide his friend with internal design specifications and the assessment criteria to be used for vendor selection for the initiative.
e. Has Kelvin committed an ethical lapse?