1) [Ch 1, Project, no. 1]—Look up the PCI-DSS control objectives on the Internet. Give its URL. Which ones did TJX violate? Justify your list.
The PCI-DSS control objectives are: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. Source: http://www.securityprocedure.com/six-control-objectives-pci-dss
The TJX security breach of 2007 shows exactly how much a company can lose if it fails to comply with the necessary security measures. The failure to protect cardholder data meant this breach ended up costing 94 million dollars in violated accounts, with a total loss in excess of 70 million dollars. TJX violated all six areas listed on the website found above. These security measures were mandated by the Payment Card Industry Data Security Standard (PCI-DSS). If the company had maintained a secure network, it would not have fallen victim to such a breach. Protecting cardholder data and maintaining a vulnerability management program would have prevented the breach or allowed it to be caught much earlier, potentially saving millions of dollars. By implementing strong access control measures there would have been no means for the breach to happen in the first place. Regularly monitoring and testing the network could have revealed the improper security measures early on and allowed them to be caught in a timely manner. And finally, maintaining an information security policy would have prevented millions of consumers' information from being accessed and used fraudulently.
2) [Ch 1, Thought Questions, no. 4]—Addamark Technologies found that its Web servers had been accessed without authorization by an employee of competitor Arcsight. Arcsight’s vice president for marketing dismissed the hacking, saying, “It’s simply a screen that asked for a username and password. The employee didn’t feel like he did anything illicit.” The VP went on to say the employee would not be disciplined. Comment on the Arcsight VP’s defense.
Having a secure login, regardless of the complexity of the system, is intended to monitor and prevent unauthorized users from accessing information not intended for their use. In addition, it allows companies to monitor their employees' actions and performance while they are logged onto the network. Regardless of whether the logon is complex or simple, it is intended for that specific user, and accessing it any other way is unauthorized. Most companies have written expectations for employee logons that include disciplinary actions in the event they are used inappropriately. The VP dismissing the employee's actions not only reflects on his personal integrity, but also shows that the company willingly acts in an unethical manner as a business practice. Competitors who hack their competition's servers to find information in order to gain the upper hand probably have little reservation about other questionable or unethical acts. Addamark Technologies perhaps needs to implement better network security so that next time a simple username and password will not be a dismissive excuse for hacking its network.
3)[Ch 1, Thought Questions, no. 6]—Give three examples of social engineering not listed in the text.
Online social engineering is a good way for social engineers to get users' passwords. This is valuable because many users reuse their passwords for many accounts, allowing access to information beyond what the password was being used for. A common way that hackers get this information is through online forms that are sent out for sweepstakes or similar questionnaires. Another type of social engineering is baiting. This is when an attacker uses physical media carrying a Trojan horse to exploit the victim's curiosity and greed. The malware is placed on flash drives or CD-ROMs, waiting for the user to use them and infect their computer. And lastly, there is tailgating. This is when access to a restricted area is sought by simply following behind someone who has real access. It is simply a failure to validate information and accept the attacker has a valid reason for
4)[Ch 2, Thought Questions, no. 2]—Chapter 2 discussed three ways to view the IT security function—as a police force, as a military organization, and as a loving mother. Name another view and describe why it is good.
Another view is that of a business owner. This is as important as the military, police, and parental views of security. It controls access to confidential and important information by restricting access to authorized individuals. This security protects the company's information and allows only necessary access in the workplace. In business, it is important to allow access to individuals who need it and to prevent unauthorized access. It is also important to eliminate the potential for alteration and destruction of important information.
5) Provide definitions for each of the following terms and indicate any negative (or positive) experiences you have had:
a. viruses – viruses are malicious software programs that, by definition, exist on local disk drives and spread from one computer to the next through infected files. A negative experience was when my computer was infected and it deleted several programs on it.
b. spyware – software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive. Personally, I had spyware that redirected my homepage and caused excessive pop-ups.
c. spam and spim – spam is defined as disruptive messages, especially commercial messages, posted on a computer network or sent as e-mail. Spim is a type of spam sent by means of instant messaging. This is something everyone has experienced: the fifty emails soliciting or selling a product that you did not request information about.
d. botnets – a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam messages. I had apparently sent out "male enhancement pills" emails to everyone in my address book.
e. phishing – the activity of defrauding an online account holder of financial information by posing as a legitimate company. Personally, I have never had an experience with this.
f. cookies – a packet of data sent by an Internet server to a browser, which is returned by the browser each time it subsequently accesses the same server, used to identify the user or track their access to the server. I clear my cookies and history on a daily basis in case my computer is accessed.
g. worms – a software program capable of reproducing itself that can spread from one computer to the next over a network; "worms take advantage of automatic file sending and receiving features found on many computers". As stated earlier with the emails sent from my email address, there were worms attached to those emails which caused the computer to continually restart.
h. Trojan horses – a program that appears desirable but actually contains something harmful; "the contents of a Trojan can be a virus or a worm". Again, the only personal experience was linked to the email "I sent" regarding male enhancement pills.
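To make the cookie round trip in item (f) concrete, here is an added example (not part of the original assignment or any textbook code) using Python's standard http.cookies module: a server's Set-Cookie header is parsed into a cookie jar, the browser-side rule for which cookies are returned to which server is applied, and a defender-side check lists the hardening attributes a session cookie is missing. The host names, cookie names and header values are constructed for the illustration.

```python
"""Added example (not from the original assignment): a minimal model of the
cookie round trip in item (f), plus a defender-side check of the attributes
a session cookie should carry. Host names, cookie names and header strings
below are constructed for illustration."""
from http.cookies import SimpleCookie


def parse_set_cookie(header_value: str) -> SimpleCookie:
    """Parse one Set-Cookie header value the way a browser's cookie jar would."""
    jar = SimpleCookie()
    jar.load(header_value)
    return jar


def cookie_header_for_request(jar: SimpleCookie, host: str, path: str, https: bool) -> str:
    """Build the Cookie header a browser sends back on a later request.

    Only cookies whose Domain, Path and Secure attributes match the request
    are returned; this is the "returned each time it subsequently accesses
    the same server" behaviour in the definition.
    """
    parts = []
    for name, morsel in jar.items():
        domain = morsel["domain"] or host        # no Domain attribute: host-only cookie
        if host != domain and not host.endswith("." + domain.lstrip(".")):
            continue                             # different site: never sent
        cookie_path = morsel["path"] or "/"
        if not path.startswith(cookie_path):
            continue                             # outside the cookie's path scope
        if morsel["secure"] and not https:
            continue                             # Secure cookies stay off plain HTTP
        parts.append(f"{name}={morsel.value}")
    return "; ".join(parts)


def missing_session_flags(jar: SimpleCookie, name: str) -> list:
    """Return the hardening attributes absent from the named cookie.

    Secure keeps the cookie off cleartext connections, HttpOnly keeps it away
    from page scripts, and SameSite limits cross-site sending.
    """
    morsel = jar[name]
    missing = []
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["samesite"]:
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    # Constructed Set-Cookie header from a hypothetical server.
    jar = parse_set_cookie("sid=abc123; Domain=example.com; Path=/; Secure; HttpOnly")
    print("HTTPS request to www.example.com:", cookie_header_for_request(jar, "www.example.com", "/account", True))
    print("HTTP request to www.example.com: ", repr(cookie_header_for_request(jar, "www.example.com", "/account", False)))
    print("Request to evil.net:             ", repr(cookie_header_for_request(jar, "evil.net", "/", True)))
    print("Missing flags on sid:", missing_session_flags(jar, "sid"))
```

The point of the second function is that the browser, not the server, decides when a cookie goes back out; the attributes the server sets are what constrain that decision, which is why the third function reports which of them are absent.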
Explain what information security auditing is and any exposure or experiences you have had with it. Information security auditing is when an organization reviews its technologies to ensure they are up-to-date and the proper infrastructure is being applied. It includes tests that make sure all information security is up to date with the requirements of the organization. It also interviews employees about their role in this security. I personally have not had any experience with information security auditing.