Chapter 11: Cybercrime and IT Security

Solutions to End of Chapter Material

Answers to What Would You Do Questions

You are a member of the Human Resources Department of a software manufacturer that has several products and annual revenue in excess of $500 million. You're on the phone with the manager of software development, who has made a request to hire a notorious hacker to probe your company's software products in an attempt to identify any vulnerabilities. The reasoning is that if anyone can find a vulnerability in your software, he can. This will give your firm a head start on developing patches to fix the problems before anyone can exploit them. You're not sure, and you feel uneasy about hiring people with criminal records and connections to unsavory members of the hacker/cracker community. What do you say to this request?

Some students may be in favor of hiring a hacker, while others may see it as endangering the company's security. Those students who view this move as a threat may point out that today's computer attacker has greater depth of knowledge and expertise in getting around computer and network security safeguards. Today's computer menace is better organized and may be part of an organized group (e.g., Anonymous, Chaos Computer Club, Lizard Squad, TeslaTeam) that has an agenda and targets specific organizations and Web sites. Some of these groups have ample resources, including money and sophisticated tools to support their efforts. Hence, it may not be safe for the organization to hire the hacker to test the software for vulnerabilities.

As a member of the Human Resources Department, it is crucial to prioritize the ethical and legal implications of any hiring decision. While the intention behind hiring a notorious hacker to identify vulnerabilities in your company's software may seem pragmatic, there are significant risks and considerations to weigh.

First and foremost, hiring individuals with criminal records and associations with unsavory elements of the hacker/cracker community poses serious reputational and legal risks to the company. It could damage the company's reputation, erode trust with customers and stakeholders, and potentially result in legal repercussions. Furthermore, there are ethical concerns about rewarding individuals with questionable backgrounds, especially when there are other avenues for identifying software vulnerabilities that do not involve associating with criminal elements. It is important to uphold the company's values and standards of integrity.

In response to the manager's request, I would express these concerns and advocate for alternative approaches to identifying software vulnerabilities: investing in robust cybersecurity measures, conducting thorough internal testing, engaging reputable cybersecurity firms, or establishing a bug bounty program that rewards ethical hackers for reporting vulnerabilities. Ultimately, the goal should be to prioritize the security and integrity of the company's software products while upholding ethical standards and minimizing legal risks.

You are the CFO of a sporting goods manufacturer and distributor with annual sales exceeding $500 million. Roughly 25 percent of your sales come from online purchases, but today, your firm's Web site was not operational, costing the firm over $350,000 in lost sales. The IT group informed you that the site was the target of a distributed denial-of-service attack. You are shocked by an anonymous call later in the day in which the caller tells you that your site will continue to be attacked unmercifully unless you pay $250,000 to stop the attacks. What do you say to the blackmailer?

It is essential to take this matter to the appropriate authorities and report the blackmail. It is vital not to pay the blackmailer and to have the issue resolved as soon as possible by engaging technical experts capable of mitigating the denial-of-service attack. The CFO could also contact a different Web hosting service provider, rent new hosting, and bring the Web site up under a new domain.

As the CFO of the company, my immediate priority is to protect our business and its interests. First, I would ensure that our IT team is taking all necessary steps to mitigate the impact of the ongoing distributed denial-of-service (DDoS) attack and restore the Web site as quickly as possible.

Regarding the blackmail attempt, I would not engage with the blackmailer or entertain their demands. Paying the ransom would set a dangerous precedent and could embolden the attacker to target us again in the future or to target other companies in our industry. It is important to stand firm against such criminal behavior and instead work with law enforcement and cybersecurity experts to investigate the source of the attack and take appropriate legal action.

Furthermore, I would communicate transparently with our customers and stakeholders about the situation, reassuring them of our commitment to their security and the integrity of our operations. This may involve providing updates on the status of the Web site, offering alternative means of purchasing our products, and outlining the measures we are taking to prevent similar incidents in the future. Ultimately, investing in robust cybersecurity measures, including DDoS protection and incident response procedures, is crucial to safeguarding our online presence and mitigating the financial and reputational risks associated with cyber threats.

You have just heard on the news that there was a major data breach at your university and that personal identification information of all students, faculty, and employees may have been compromised. The incident occurred three months ago but is just now being communicated. What action should you take?

Some students may feel that, in this situation, one has to make sure that one's devices, such as smartphones, computers, and laptops, have not been compromised. One should also check that one's devices have not been hacked and are free of viruses, worms, malware, Trojan horses, or advanced persistent threats, and look for any sign that data has been exposed.

In the event of a major data breach like this, prompt action is crucial to mitigate potential harm. Here is what you should consider doing:

- Contact the University's IT Department: Immediately reach out to the university's IT department or the designated authority responsible for handling data breaches. They will likely have protocols in place to address such incidents and can provide guidance on next steps.
- Monitor Financial Accounts: Keep a close eye on your financial accounts for any suspicious activity. If you notice any unauthorized transactions, report them to your bank or credit card company immediately.
- Change Passwords: Even if your password was not compromised, it is good practice to change your passwords for university-related accounts as a precautionary measure.
- Enable Two-Factor Authentication (2FA): If available, enable two-factor authentication for added security on your university accounts.
- Update Security Software: Ensure that your antivirus and antimalware software are up to date on all your devices.
- Be Wary of Phishing Attempts: Remain vigilant for any suspicious emails or messages that may attempt to capitalize on the breach. Avoid clicking on links or downloading attachments from unknown sources.
- Stay Informed: Keep yourself informed about any updates or developments regarding the breach through official university channels.
- Consider Credit Monitoring Services: If the university offers credit monitoring services, or if you feel it is necessary, consider signing up for them to help detect any fraudulent activity related to your identity.
- Report Suspicious Activity: If you notice any unusual activity related to your identity, report it to the appropriate authorities, such as your university's IT department or local law enforcement.
- Seek Support: If you are feeling anxious or stressed about the breach, do not hesitate to seek support from friends, family, or counseling services provided by the university.

Remember, swift action can help minimize the potential impact of a data breach on your personal information.

Answers to Discussion Questions

Do some research to gain an understanding of why BYOD policies are necessary for organizations that must abide by HIPAA regulations. Do you believe that employees of a large healthcare provider should be able to bring their own device to work? Why or why not?

Some students may think that employees of a large healthcare provider should not be allowed to bring their own devices to work. It is difficult to protect data on personal devices, given how easily information can be carried off on them. Employers should educate employees about the consequences of non-compliance and enforce a strict rule that no client information may be compromised.

BYOD (Bring Your Own Device) policies can be beneficial for organizations, including those in the healthcare sector that must comply with HIPAA regulations. Here is why:

- Flexibility and Productivity: BYOD allows employees to use devices they are familiar with, potentially increasing productivity as they can work more comfortably and efficiently.
- Cost Savings: Instead of providing every employee with a company-owned device, BYOD policies can save organizations money on hardware costs.
- Employee Satisfaction: Allowing employees to use their own devices can contribute to higher job satisfaction and morale, as they have more control over their work tools.

However, in the healthcare sector, implementing BYOD policies while adhering to HIPAA regulations requires careful consideration. HIPAA (the Health Insurance Portability and Accountability Act) mandates strict guidelines to protect the privacy and security of patients' health information. If employees bring their own devices to work, there is a risk that sensitive patient data could be compromised if proper security measures are not in place. To mitigate these risks, healthcare organizations need to ensure that BYOD policies include:

- Security Measures: Implementing encryption, password protection, remote wiping capabilities, and regular security updates to safeguard patient data on personal devices.
- Access Controls: Limiting access to sensitive information based on job roles and responsibilities, and implementing multi-factor authentication for added security.
- Training and Education: Providing comprehensive training to employees on HIPAA regulations, data security best practices, and the importance of safeguarding patient information.
- Monitoring and Auditing: Regularly monitoring and auditing employee devices to ensure compliance with HIPAA regulations and to identify any potential security breaches.

In conclusion, while BYOD policies can offer benefits such as flexibility and cost savings, healthcare organizations must carefully balance these advantages with the need to protect patient privacy and comply with HIPAA regulations. With proper security measures and employee education, allowing employees to bring their own devices to work can be feasible for large healthcare providers, enhancing productivity while maintaining the integrity of patient data.

A successful distributed denial-of-service attack requires the downloading of software that turns unprotected computers into zombies under the control of the malicious hacker. Should the owners of the zombie computers be fined or otherwise punished as a means of encouraging people to better safeguard their computers? Why or why not?

Some students may suggest that the owners be fined to make people aware of the importance of protecting their computers. Punishing the owners would help the attacked organization spend less money recovering from the distributed denial-of-service (DDoS) attack, and the organization would also have less downtime. Also, this would result in computers being protected and not vulnerable to being used in a DDoS attack.

Punishing the owners of zombie computers might seem like a straightforward solution to encourage better cybersecurity practices, but it is not necessarily the most effective or fair approach. Here is why:

- Lack of Awareness: Many owners of zombie computers may not even realize that their devices have been compromised. They might be ordinary individuals who are not tech-savvy or are unaware of the signs of a compromised computer. Punishing them without providing education or assistance would be unjust.
- Victims of Exploitation: In many cases, the owners of zombie computers are themselves victims of exploitation. Their devices may have been compromised through malware or other malicious tactics without their knowledge or consent. Punishing them would be punishing the victims rather than addressing the root cause of the problem.
- Complexity of Cybersecurity: Safeguarding computers against being turned into zombies requires knowledge and resources that not everyone possesses. It is not just a matter of installing antivirus software; it involves staying informed about evolving threats, updating software regularly, and implementing various security measures, which can be challenging for the average user.
- Shared Responsibility: Cybersecurity is not solely the responsibility of individual computer owners. Internet service providers, software developers, and cybersecurity experts also play crucial roles in combating threats like DDoS attacks. Punishing individual users may overlook the broader systemic issues that contribute to the prevalence of zombie computers.
Instead of punitive measures, a more effective approach would involve:

- Education and Awareness: Providing resources and information to help users understand the importance of cybersecurity and how to protect their devices.
- Collaborative Efforts: Encouraging collaboration between stakeholders, including government agencies, private sector companies, and cybersecurity experts, to develop proactive measures against DDoS attacks and other cyber threats.
- Incentives for Compliance: Offering incentives such as discounts on cybersecurity products or services for individuals who take proactive steps to secure their devices.
- Regulation and Enforcement: Implementing regulations that hold Internet service providers and software developers accountable for security vulnerabilities and require them to take measures to mitigate the risk of DDoS attacks.

By taking a comprehensive and collaborative approach, we can better address the issue of DDoS attacks and improve overall cybersecurity without unfairly punishing individual computer owners.

Do research on the effectiveness of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. Would you recommend any changes to this act? If so, what changes would you like to see implemented and why?

One change that students might suggest is that the e-mail account registration process be made more stringent so that spammers cannot sign up for more than one account at a time. Another suggestion could be to add CAPTCHA verification before a sender sends an e-mail, to verify that the e-mail is sent by a human being and not by a software program. If implemented, this would reduce the number of spam e-mails received by an average user.

The effectiveness of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act has been subject to debate since its enactment in 2003. The act aimed to regulate the sending of commercial email messages and provide consumers with the option to opt out of receiving such emails. However, its effectiveness in reducing spam emails and protecting consumers from unwanted marketing has been questioned.

Several studies have shown that while the CAN-SPAM Act has helped to reduce the volume of spam emails, it has not eliminated the problem. Many spammers continue to find ways to bypass the law's requirements, such as using deceptive subject lines or disguising the sender's identity. Additionally, enforcement of the law has been challenging, with limited resources dedicated to tracking down and penalizing violators.

One area where the CAN-SPAM Act has been criticized is its reliance on an opt-out mechanism rather than an opt-in approach. Critics argue that requiring consumers to actively unsubscribe from unwanted emails places the burden on them, rather than on the senders to obtain explicit consent before sending commercial messages. This can result in consumers receiving emails they never signed up for and contributes to email fatigue.

In light of these shortcomings, several changes could be considered to improve the effectiveness of the CAN-SPAM Act:

- Stricter enforcement: Allocate more resources to enforce the law and penalize violators. This could include imposing heavier fines on spammers and holding companies accountable for their marketing practices.
- Opt-in requirement: Shift from an opt-out to an opt-in model, where companies are required to obtain explicit consent from consumers before sending them commercial emails. This would give consumers more control over their inboxes and reduce the prevalence of unsolicited emails.
- Improved transparency: Require senders to provide clear and accurate information about their identity and the purpose of their emails. This would help consumers distinguish legitimate emails from spam and make it easier to report violations.
- Global cooperation: Work with international partners to develop consistent standards for combating spam and to coordinate enforcement efforts across borders. Since spam often originates overseas, global cooperation is essential to address the problem effectively.

Overall, while the CAN-SPAM Act represented an important step in addressing the issue of unsolicited emails, there is room for improvement to better protect consumers and reduce the prevalence of spam. Implementing changes such as stricter enforcement, an opt-in requirement, improved transparency, and global cooperation could help to strengthen the effectiveness of the law and create a safer and more secure online environment.

Provide a real-world example or describe a hypothetical situation in which a legitimate organization used spam in an effective and nonintrusive manner to promote a product or service.

A student may cite the example of a company that sends an e-mail to a broad cross-section of potential customers to announce the release of a new product in an attempt to increase initial sales.

While it is challenging to provide a real-world example of a legitimate organization using spam effectively and non-intrusively, consider the following hypothetical situation. Imagine a reputable online retailer that sells a variety of products, from electronics to clothing. This retailer has a substantial customer base and regularly sends out newsletters and promotional emails to keep customers informed about new products, sales, and discounts. The retailer decides to conduct a targeted email campaign to promote a new line of eco-friendly products, such as sustainable clothing made from recycled materials. Instead of simply blasting out mass emails to everyone on its mailing list, it employs a carefully curated approach:

- Segmented Email Lists: The retailer divides its email list into segments based on customer preferences and past purchasing behavior. It identifies a subset of customers who have previously shown interest in eco-friendly products or have purchased similar items in the past.
- Personalized Content: Rather than generic marketing messages, the retailer crafts personalized emails tailored to each segment of customers. The emails highlight the environmental benefits of the new product line, emphasizing how purchasing these items contributes to sustainability efforts.
- Opt-In Mechanism: The retailer ensures that all recipients of the promotional emails have explicitly opted in to receive marketing communications. It respects customers' privacy preferences and provides clear instructions for opting out of future emails.
- Limited Frequency: Understanding the importance of not overwhelming recipients with too many emails, the retailer limits the frequency of promotional messages. It sends the eco-friendly product campaign as a one-time special announcement rather than bombarding customers with repeated emails.
- Value-Driven Content: In addition to promoting the new product line, the retailer includes valuable content related to sustainability, such as tips for reducing environmental impact or information about ongoing conservation initiatives.

By implementing these strategies, the hypothetical retailer ensures that its promotional emails are targeted, relevant, and respectful of recipients' preferences. While technically still a form of marketing communication, this approach minimizes the intrusiveness typically associated with spam and instead delivers value to customers who are genuinely interested in eco-friendly products and initiatives.

Do research to determine typical starting positions and salaries for someone with a four-year degree in computer forensics. Do further research to find three universities that offer four-year degrees specializing in computer forensics. Compare the three programs, and choose the best one. Why did you choose this university?
Students might perform a search engine query for universities offering a four-year degree in computer forensics. They could choose any three universities and then create a list of criteria that graduates of the programs should meet to be employed in a specific starting position at a set salary. Students could document the information in a table with a column titled "criteria" followed by columns for each of their chosen universities.

Starting positions and salaries for individuals with a four-year degree in computer forensics can vary depending on factors such as location, level of experience, and specific job responsibilities. However, according to data from the U.S. Bureau of Labor Statistics (BLS), the median annual salary for computer forensics specialists was around $105,000 as of May 2020, with entry-level positions typically starting at around $60,000 to $70,000 per year.

Here are three universities that offer four-year degrees specializing in computer forensics:

Champlain College, Burlington, Vermont
Program: Bachelor of Science in Computer and Digital Forensics
Champlain College offers a comprehensive program in computer and digital forensics, covering topics such as cybersecurity, data analysis, and legal issues in digital investigations. The program provides hands-on experience through labs and internships, preparing students for real-world scenarios in computer forensics. Champlain College has a strong reputation in the field of cybersecurity and digital forensics, with experienced faculty members and industry connections.

University of Advancing Technology (UAT), Tempe, Arizona
Program: Bachelor of Science in Digital Forensics
UAT's program in digital forensics focuses on the technical skills needed to investigate and analyze digital evidence, including computer systems, networks, and mobile devices. Students have access to state-of-the-art labs and equipment, allowing for practical, hands-on learning experiences. UAT places a strong emphasis on industry partnerships and career preparation, with opportunities for internships and networking with professionals in the field.

Purdue University, West Lafayette, Indiana
Program: Bachelor of Science in Cybersecurity and Forensics
Purdue's program combines cybersecurity and digital forensics, providing students with a broad understanding of both fields. The curriculum covers topics such as network security, incident response, and forensic analysis techniques. Purdue University is well known for its strong engineering and technology programs, and its cybersecurity and forensics program benefits from the university's reputation and resources.

Among these options, Champlain College stands out as the best choice for several reasons. First, Champlain College has a dedicated focus on computer and digital forensics, offering a specialized program that covers all aspects of the field in depth. Second, the college's strong reputation in cybersecurity and digital forensics ensures high-quality education and ample opportunities for students to engage with industry professionals and gain hands-on experience. Finally, Champlain's location in Burlington, Vermont, provides access to a thriving tech industry and numerous internship opportunities, further enhancing students' career prospects upon graduation. Overall, Champlain College offers a comprehensive and reputable program in computer forensics, making it the top choice among the three universities.

Some IT security personnel believe that their organizations should employ former computer criminals who now claim to be white hat hackers to identify weaknesses in their organizations' security defenses. Do you agree? Why or why not?

Some students may suggest that employing former computer criminals could tarnish the reputation of the organization. Employing former computer criminals could also endanger confidential data stored on the organization's servers and databases.

The idea of hiring former computer criminals, or "black hat hackers" turned "white hat hackers," to identify weaknesses in security defenses is a topic of debate in the IT security community. There are arguments both for and against this approach.

Proponents argue that former black hat hackers can bring valuable insights and expertise to the table. These individuals often possess an intimate understanding of hacking techniques, tools, and methodologies, which can help organizations identify vulnerabilities that traditional security measures might miss. Their firsthand knowledge of how malicious actors operate can be instrumental in strengthening defenses and staying ahead of emerging threats. Additionally, hiring reformed hackers can serve as a form of redemption and rehabilitation, providing them with legitimate employment and a chance to contribute positively to society.

On the other hand, there are valid concerns about the risks of employing former criminals in sensitive security roles. There is always the possibility that these individuals could revert to their old ways or misuse their skills for personal gain. Trust is a critical factor in cybersecurity, and organizations may hesitate to place their faith in individuals with a history of illegal activity. Moreover, there is a moral and ethical dimension to consider, as some may argue that rewarding former criminals with employment sends the wrong message and undermines the efforts of law-abiding security professionals.

Ultimately, whether to employ former black hat hackers in white hat roles depends on various factors, including the individual's background, skills, and motivations, and the organization's risk tolerance. If adequate safeguards are in place to mitigate potential risks and ensure accountability, hiring reformed hackers could be a strategic decision to bolster cybersecurity defenses. However, careful consideration and thorough vetting are essential to minimize the inherent challenges and uncertainties of this approach.

You are a computer security trainer for your firm's 200 employees and contract workers. What are the key topics you would cover in your initial one-hour basic training program on security for non-IT personnel? What sort of additional security-related training might be appropriate once people have the basics covered?

Some students may suggest that the computer security trainer cover topics such as "why computer incidents are so prevalent today," "the types of exploits faced by most users," "solutions for each exploit," and "measures that could prevent the exploit." The additional security-related training could cover how to respond to an exploit faced by a user. This training would let users know what to do after they fall victim to an exploit.

For an initial one-hour basic security training program for non-IT personnel, the key topics to cover would include:

- Password Security: Teach the importance of strong passwords, avoiding common passwords, and not sharing passwords with anyone.
- Phishing Awareness: Educate about recognizing phishing emails, avoiding clicking on suspicious links or attachments, and verifying sender legitimacy.
- Social Engineering Awareness: Discuss techniques used by attackers to manipulate individuals into divulging sensitive information or performing actions.
- Data Protection: Emphasize the importance of handling sensitive information securely, including proper storage, transmission, and disposal.
- Device Security: Cover basic security measures such as locking devices when not in use, keeping software up to date, and avoiding public Wi-Fi networks for sensitive tasks.
- Physical Security: Highlight the importance of securing physical workspaces, such as locking screens when away from desks and not leaving sensitive documents unattended.
- Reporting Security Incidents: Provide guidance on how to report suspicious activities, security incidents, or potential breaches promptly.

Once employees have covered the basics, additional security-related training might include:

- Advanced Phishing Awareness: Delve deeper into sophisticated phishing techniques, including spear phishing and pretexting.
- Cybersecurity Best Practices: Explore more advanced security measures, such as two-factor authentication, encryption, and secure browsing habits.
- Secure Remote Work Practices: Provide guidance on securely accessing company resources and data while working remotely, including the use of virtual private networks (VPNs) and secure file transfer methods.
- Security Compliance Training: Offer training on industry-specific security regulations and compliance requirements relevant to the organization.
- Incident Response Training: Conduct simulations or tabletop exercises to practice responding to security incidents effectively.
- Security Awareness Games or Challenges: Engage employees with interactive activities to reinforce security concepts and encourage ongoing vigilance.
- Specialized Training for Specific Roles: Tailor training sessions to address the unique security risks and responsibilities associated with different job roles within the organization.

Continuing education and regular security updates are crucial to maintaining a strong security posture, so periodic refresher courses and updates on emerging threats should also be provided. Additionally, encouraging a culture of security awareness and vigilance among employees through ongoing communication and reinforcement is essential.

Hundreds of a bank's customers have called the customer service call center to complain that they are receiving text messages on their phone telling them to log on to a Web site and enter personal information to resolve an issue with their account. What action should the bank take?
Students may suggest that the bank convince its customers that it was an act of a hacker and that they should not log on the website as there could be potential malware, virus, or Trojan horses. The bank should communicate with its customers as early as possible. A last course of action that the bank could take would be to shut down the Web site until the issue is resolved. The bank should take immediate action to protect its customers from potential fraud or phishing attempts. Here are some steps they should consider: Issue a Warning: The bank should issue a warning to all its customers via email, text message, or through their online banking portal informing them about the scam and advising them not to respond to any such messages. Investigate: The bank should conduct an internal investigation to determine the source of the fraudulent messages and how they managed to obtain customers' contact information. Notify Authorities: If necessary, the bank should notify relevant authorities, such as law enforcement agencies and regulatory bodies, about the scam to help prevent further fraud. Enhance Security Measures: The bank should review and strengthen its security measures to prevent similar incidents in the future. This might involve improving customer verification procedures or enhancing cybersecurity protocols. Customer Education: Educating customers about common scams and how to identify fraudulent messages can help prevent them from falling victim to such schemes in the future. The bank could provide tips and resources on its website or through other channels. Offer Assistance: The bank should offer assistance to customers who may have inadvertently provided personal information in response to the fraudulent messages. This might involve helping them change their account passwords, monitoring their accounts for suspicious activity, or providing identity theft protection services. 
Communication: Keeping open lines of communication with customers throughout the process is crucial. Providing regular updates on the situation and any actions being taken can help reassure customers and maintain their trust in the bank.

By taking these steps, the bank can demonstrate its commitment to customer security and mitigate the impact of the fraudulent messages.

Draft a legitimate-looking phishing email that would strongly tempt its recipients to click on a link to a Web site or open an email attachment. The phishing email must be similar to that of the email in Figure 11-3 on page 319 of the text.

Subject: Urgent Action Required: Your Account Security is at Risk!

Dear [Recipient's Name],

We hope this message finds you well. We are reaching out to you today regarding an urgent matter that requires your immediate attention to safeguard your account security.

Our system indicates that there has been some suspicious activity detected on your account recently. To ensure the safety and integrity of your personal information, we kindly request that you take immediate action by clicking on the link below to verify your account details:

[Insert Phishing Link Here]

By verifying your account, you will help us prevent any unauthorized access and potential security breaches. Failure to verify your account within the next 24 hours may result in temporary suspension or closure of your account to prevent further risks.

We understand the importance of keeping your account secure, which is why we urge you to act swiftly. If you have any concerns or questions regarding this matter, please do not hesitate to contact our support team at [Insert Fake Support Email or Phone Number].

Thank you for your cooperation in ensuring the safety of your account. We apologize for any inconvenience this may cause and appreciate your prompt attention to this matter.
Best regards,
[Your Company Name]
[Your Company Logo (if available)]
[Optional: Disclaimer about not sharing personal information via email and verifying sender's legitimacy]

How would you distinguish between a hacktivist and a cyberterrorist? Should the use of hacktivists by a country against enemy organizations be considered an unethical act of war? Why or why not? How about the use of cyberterrorists?

A hacktivist is an individual who hacks computers or Web sites in an attempt to promote a political ideology. A cyberterrorist is someone who attempts to destroy the infrastructure components of governments, financial institutions, utilities, and emergency response units. Some students may feel that it is unethical for countries to employ hacktivists against enemy organizations. They may feel this way as hacking is an act of crime intended to damage the enemy organization. The use of cyberterrorists may also be considered as an unethical act for the same reason.

Hacktivists and cyberterrorists both operate within the realm of cyberspace, but they have different motivations and objectives.

Distinguishing between Hacktivists and Cyberterrorists:

Hacktivists: Hacktivists are individuals or groups who use hacking techniques to promote a social or political agenda. They may engage in activities such as website defacement, data breaches, or distributed denial-of-service (DDoS) attacks to raise awareness about issues or to protest against organizations or governments.
Cyberterrorists: Cyberterrorists, on the other hand, use similar hacking techniques but with the intention of causing fear, disruption, or harm for ideological, political, or religious reasons. Their actions often aim to destabilize societies, economies, or governments, and they may target critical infrastructure or civilian populations.
Ethics of Using Hacktivists or Cyberterrorists as Tools of War:

Hacktivists: Using hacktivists as tools of war raises ethical concerns, particularly regarding accountability and control. While hacktivists may share similar goals with a nation-state, relying on non-state actors to carry out cyber operations can lead to unintended consequences and loss of control over the situation. Additionally, hacktivist actions may escalate tensions or provoke retaliation, potentially resulting in broader conflicts.
Cyberterrorists: Employing cyberterrorists as instruments of war is highly unethical and likely illegal under international law. Cyberterrorism involves intentional attacks on civilians or civilian infrastructure with the aim of causing harm or instilling fear. States have a responsibility to protect civilian populations, and using cyberterrorists to carry out attacks would violate this principle. Furthermore, sponsoring cyberterrorism could lead to diplomatic and legal repercussions, as well as damage to a country's reputation and international standing.

In summary, while the use of hacktivists or cyberterrorists by a country against enemy organizations may seem tempting from a strategic perspective, it raises serious ethical, legal, and practical concerns. Such actions could lead to unintended consequences, escalate conflicts, and undermine international norms and stability. Additionally, employing cyberterrorists would constitute a grave violation of ethical principles and could result in severe repercussions for the sponsoring state.

Outline action steps necessary to implement trustworthy computing.

Trustworthy computing is a method of computing that delivers secure, private, and reliable computing experiences based on sound business practices—which is what organizations worldwide are demanding today. Software and hardware manufacturers, consultants, and programmers all understand that this is a priority for their customers.
A strong security program begins by assessing threats to the organization’s computers and network, identifying actions that address the most serious vulnerabilities, and educating end users about the risks involved and the actions they must take to prevent a security incident. An organization’s IT security group must lead the effort to prevent security breaches by implementing security policies and procedures, as well as effectively employing available hardware and software tools. However, no security system is perfect, so systems and procedures must be monitored to detect a possible intrusion. If an intrusion occurs, there must be a clear reaction plan that addresses notification, evidence protection, activity log maintenance, containment, eradication, and recovery.

What is the difference between risk assessment and an IT security audit?

Risk assessment is the process of assessing security-related risks to an organization’s computers and networks from both internal and external threats. The goal of risk assessment is to identify which investments of time and resources will best protect the organization from its most likely and serious threats. A security audit is a prevention tool that evaluates whether an organization has a well-considered security policy in place and if it is being followed. The audit should also review who has access to particular systems and data and what level of authority each user has. A thorough security audit should also test system safeguards to ensure that they are operating as intended. The goal of such a test is to ensure that all such known passwords have been changed. Some organizations will also perform a penetration test of their defenses. This entails assigning individuals to try to break through the measures and identify vulnerabilities that still need to be addressed.
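As an added worked example (not part of the solution manual or the textbook), the risk assessment described above expressed in code: each threat is ranked by its expected annual loss (probability of a successful attack times the loss it would cause), and a fixed security budget is then spent on the safeguards that remove the most expected loss per dollar, leaving lower-priority measures for a later cycle. Every threat name, probability, dollar figure and the budget below is a constructed sample value.

```python
"""Risk assessment as a ranking problem: which threats matter most, and which
safeguards are worth funding. Added illustration, not the textbook's own
material; every number below is a constructed sample value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # estimated chance of a successful attack in a year (0..1)
    impact: float       # estimated loss from one successful attack, in dollars

    def expected_annual_loss(self) -> float:
        """Likelihood times seriousness: the figure the assessment ranks on."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str       # name of the threat this control addresses
    cost: float       # annual cost of the control, in dollars
    reduction: float  # fraction of the threat's expected loss it removes (0..1)


def rank_threats(threats: list) -> list:
    """Most likely and most serious threats first."""
    return sorted(threats, key=lambda t: t.expected_annual_loss(), reverse=True)


def loss_avoided(safeguard: Safeguard, threats: list) -> float:
    """Expected annual loss a safeguard removes (controls treated as independent)."""
    eal = {t.name: t.expected_annual_loss() for t in threats}
    return eal[safeguard.threat] * safeguard.reduction


def plan_safeguards(threats: list, safeguards: list, budget: float):
    """Greedy plan: fund controls in order of loss avoided per dollar, skip any
    control that costs more than the loss it prevents, and stop when the budget
    runs out. Returns (funded now, deferred to a later cycle, rejected as uneconomic)."""
    worthwhile, rejected = [], []
    for s in safeguards:
        (worthwhile if loss_avoided(s, threats) > s.cost else rejected).append(s)
    worthwhile.sort(key=lambda s: loss_avoided(s, threats) / s.cost, reverse=True)
    funded, deferred, remaining = [], [], budget
    for s in worthwhile:
        if s.cost <= remaining:
            funded.append(s)
            remaining -= s.cost
        else:
            deferred.append(s)
    return funded, deferred, rejected


# Constructed sample assessment for a fictional midsized firm.
SAMPLE_THREATS = [
    Threat("Phishing of employees", probability=0.60, impact=150_000),
    Threat("Ransomware outbreak", probability=0.15, impact=800_000),
    Threat("DDoS against Web site", probability=0.30, impact=350_000),
    Threat("Insider data theft", probability=0.05, impact=500_000),
]
SAMPLE_SAFEGUARDS = [
    Safeguard("Security awareness training", "Phishing of employees", 20_000, 0.50),
    Safeguard("Multi-factor authentication", "Phishing of employees", 30_000, 0.60),
    Safeguard("Offline backups and restore drills", "Ransomware outbreak", 40_000, 0.70),
    Safeguard("DDoS mitigation service", "DDoS against Web site", 60_000, 0.80),
    Safeguard("Endpoint detection and response", "Ransomware outbreak", 100_000, 0.50),
    Safeguard("Data loss prevention suite", "Insider data theft", 50_000, 0.40),
]
SAMPLE_BUDGET = 100_000


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.name:<24} expected annual loss ${t.expected_annual_loss():>10,.0f}")
    funded, deferred, rejected = plan_safeguards(SAMPLE_THREATS, SAMPLE_SAFEGUARDS, SAMPLE_BUDGET)
    print("Fund now:     ", [s.name for s in funded])
    print("Defer:        ", [s.name for s in deferred])
    print("Not worth it: ", [s.name for s in rejected])
```

With the sample figures the plan funds awareness training, backups and multi-factor authentication within the $100,000 budget, defers the DDoS mitigation service, and rejects the two controls whose cost exceeds the loss they would prevent.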
Action Needed

You are one of the top students in your university’s computer science program of 100 students, and you have agreed to meet with a recruiter from the Department of Homeland Security. Over dinner, he talks to you about the increasing threat of cyberterrorist attacks launched on the United States by foreign countries and the need to counter those attacks. The agency has a strong need for people who can both develop and defend against new zero-day exploits that could be used to plant malware in the software used by the government and military computers. At the end of the dinner, the recruiter turns to you and asks: “Would such a role be of interest to you?” How do you respond?

However, students may mention Section 814 of the USA Patriot Act. This act defines cyberterrorism as any hacking attempts designed to gain unauthorized access to a protected computer, which, if successful, would cause a person an aggregate loss greater than $5000; adversely affect someone’s medical examination, diagnosis, or treatment; cause a person to be injured; cause a threat to public health or safety; or cause damage to a governmental computer that is used as a tool to administer justice, national defense, or national security. Those convicted of cyberterrorism are subject to a prison term of 5 to 20 years.

Given the escalating threat of cyberterrorism and the critical need for individuals with expertise in developing and defending against zero-day exploits, I would definitely be interested in exploring a role within the Department of Homeland Security. As one of the top students in my university's computer science program, I am passionate about leveraging my skills to contribute to national security efforts. I believe that working in such a role would not only be personally fulfilling but also allow me to make a meaningful impact in safeguarding our nation's digital infrastructure.

You are the CFO of a midsized manufacturing firm.
You have heard nothing but positive comments about the new CIO you hired three months ago. As you listen to her outline what needs to be done to improve the firm’s computer security, you are impressed with her energy, enthusiasm, and presentation skills. However, your jaw drops when she states that the total cost of the computer security improvements will be $300,000. This seems like a lot of money for security, given that your firm has had no major incident. Several other items in the budget will either have to be dropped or trimmed back to accommodate such an expenditure. In addition, the $300,000 is above your spending authorization and will require approval by the CEO. This will force you to defend the expenditure, and you are not sure how to do this. You wonder if this much spending on security is really required. What do you say to the new CIO?

Students may mention that the CFO should appreciate the efforts taken by the CIO to identify any security vulnerabilities and create solutions and measures that could be taken to avoid these instances at any cost. The CFO could ask the CIO to rank every solution or measure based on priority. This would indicate which security measures are of high priority, and the low priority measures could be adopted by the firm at a later time. Another method to identify vulnerabilities is to rank every IT security vulnerability based on the probability of its occurrence. The firm could then adopt the measures for those vulnerabilities with high and medium probabilities of occurrence. The measures for the security vulnerabilities with low probability of occurrence could be adopted at a later time.

It's important to approach this situation with an open mind and a willingness to understand the rationale behind the proposed security improvements. Here's a suggestion on how you could address this concern with the new CIO:

"Thank you for presenting your plan for improving our computer security.
I appreciate the thoroughness and detail you've put into it. However, I have some concerns about the proposed budget of $300,000. Given that we haven't experienced any major security incidents in the past, I'm struggling to see why such a significant investment is necessary at this point. Could you help me understand the specific risks and vulnerabilities that you've identified that justify this level of spending? Additionally, I'd like to explore whether there are any alternative solutions or strategies that could achieve our security goals at a lower cost. Are there any areas within the proposed budget where we could potentially trim expenses without compromising our overall security posture? Finally, I want to make sure that we're aligning our spending with the broader strategic goals of the company. How do these proposed security improvements contribute to our long-term success and competitiveness in the market? I'm committed to ensuring that we have robust security measures in place, but I also need to ensure that we're making prudent financial decisions. Let's work together to find the right balance between security needs and budget constraints."

It appears that someone is using your firm’s corporate directory—which includes job titles and email addresses—to contact senior managers and directors via email. The email requests that the recipient click on a URL, which leads to a Web site that looks as if it were designed by your Human Resources organization. Once at this phony Web site, the employees are asked to confirm the bank and account number to be used for electronic deposit of their annual bonus check. You are a member of IT security for the firm. What can you do?

Students may suggest that the member of IT security inform his or her superiors so that they can take immediate action.
Next, the member should send an email informing all the employees about the phishing email and asking them not to share their bank and account number on any Web site until notified again. As a preventive measure, students may also suggest blocking the Web site entirely until the issue is resolved.

This scenario describes a classic phishing attack, where attackers impersonate a trusted entity to trick individuals into divulging sensitive information. As a member of the IT security team, there are several steps you can take to mitigate this threat:

Alert Employees: Immediately notify all employees about the phishing attempt. Provide clear instructions not to click on any suspicious links or provide personal information unless they can verify the authenticity of the request through official channels.
Investigate the Source: Use forensic techniques to trace the origin of the phishing emails. Look for patterns, IP addresses, or any other clues that might help identify the attackers or their methods. This information can be useful for blocking future attacks and potentially prosecuting the perpetrators.
Block the URL: Work with your network security team to block access to the phishing website URL from within the corporate network. Additionally, consider reporting the URL to relevant authorities or services that track and block malicious websites.
Enhance Email Filtering: Review and update email filtering rules to better detect and block similar phishing attempts in the future. Implement advanced threat detection mechanisms that can identify suspicious URLs, attachments, and email content.
Educate Employees: Conduct cybersecurity awareness training sessions to educate employees about the dangers of phishing attacks and how to recognize them. Teach them to scrutinize email addresses, look for signs of phishing (e.g., generic greetings, urgent requests), and verify requests for sensitive information through official channels.
Implement Multi-Factor Authentication (MFA): Require employees to use MFA for accessing sensitive systems or performing critical tasks, such as changing bank account information. This adds an extra layer of security by requiring multiple forms of verification.
Monitor Bank Transactions: Collaborate with finance and accounting departments to monitor bank transactions closely, especially those involving changes to employee payment details. Implement procedures for verifying and authorizing such changes to prevent unauthorized modifications.
Review Corporate Directory Access Controls: Evaluate and strengthen access controls for the corporate directory to prevent unauthorized access or misuse of employee information. Limit access to sensitive data only to those who require it for their job responsibilities.
Incident Response Plan: Ensure that the organization has a well-defined incident response plan in place to handle security incidents effectively. This plan should include procedures for reporting, investigating, and mitigating phishing attacks promptly.

By taking these proactive measures, you can minimize the risk of successful phishing attacks and protect both your organization's sensitive information and its employees' personal data.

Web-Based Case
Anatomy of Anthem Attack

Do research to learn just how the Anthem network administrators were targeted. Determine what other major cyberattacks have targeted network administrators and what solutions cybersecurity companies have presented to prevent such attacks.

Students could learn about the incident from newspaper articles, videos, or the Internet. Students could document their observations in a table with columns titled “Cyberattack,” “Name of the organization,” and “Solution to avoid the cyberattack.”

The Anthem cyberattack in 2015 targeted the health insurance company's network administrators through a sophisticated phishing scheme.
The attackers sent spear-phishing emails with malicious links to these administrators, tricking them into providing their credentials. Once the attackers gained access to the network, they were able to exfiltrate sensitive data, including personal information of around 78.8 million current and former members and employees.

Similar attacks targeting network administrators have occurred in various other cyber incidents. For instance, the 2013 Target data breach, one of the largest retail hacks in history, began with attackers stealing network credentials from a third-party vendor. The 2014 JPMorgan Chase breach also involved attackers compromising the credentials of an employee to gain access to the bank's network.

To prevent such attacks, cybersecurity companies have proposed several solutions:

Employee Training and Awareness: Providing comprehensive training to network administrators and employees about phishing techniques and how to identify suspicious emails can significantly reduce the risk of falling victim to phishing attacks.
Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by requiring additional verification steps, such as a code sent to a mobile device, in addition to passwords. Even if attackers obtain login credentials, they would still need access to the second factor to authenticate.
Endpoint Security Solutions: Utilizing endpoint security solutions, such as antivirus software and endpoint detection and response (EDR) tools, can help detect and prevent unauthorized access to network systems.
Network Segmentation: Segmenting networks can limit the extent of a breach by restricting the movement of attackers within the network. This way, even if attackers gain access to one segment, they'll have difficulty accessing other parts of the network containing sensitive information.
Continuous Monitoring and Threat Detection: Implementing continuous monitoring and threat detection mechanisms can help identify suspicious activities and potential security breaches in real-time, allowing organizations to respond promptly and mitigate the damage.
Privileged Access Management (PAM): Implementing PAM solutions helps manage and monitor access to critical systems and resources, reducing the risk of unauthorized access by attackers, especially those targeting privileged accounts like network administrators.

By combining these solutions and adopting a proactive approach to cybersecurity, organizations can better defend against attacks targeting network administrators and mitigate the risk of data breaches.

Case Study
Sony’s Response to North Korea’s Cyberattack

Discussion Questions

How did the Sony hack differ from most other hacks?

Students may mention that the hackers had stolen reams of sensitive data, including the Social Security numbers of 47,000 current and former employees, system passwords, salary lists, contracts, and even copies of some Sony employees’ passports. The hackers accessed hundreds of Outlook mailboxes as well as Sony IT audit documents. They also stole media files and placed pirated copies of five of Sony’s movies on illegal file-sharing servers. Sony was forced to completely shut down its IT system in an attempt to stem the data breach. Ultimately, Sony would determine that the damage done by the hackers was far more extensive than it first believed. Not only had data been stolen, but 75 percent of the company’s servers had been destroyed and several internal data centers had been wiped clean.

The Sony hack of 2014 was particularly notable for its scale, impact, and the geopolitical context surrounding it. Here's how it differed from most other hacks:

Geopolitical Context: The Sony hack wasn't just about cybercrime; it had significant geopolitical implications.
The attackers were allegedly linked to North Korea, which added a layer of complexity to the incident. It was believed to be a response to Sony's planned release of "The Interview," a comedy film depicting the assassination of North Korean leader Kim Jong-un.
Targeting a Specific Organization: While many cyberattacks aim for financial gain or data theft, the Sony hack specifically targeted Sony Pictures Entertainment. The attackers sought to damage the company's reputation and disrupt its operations rather than solely focusing on financial gain or stealing sensitive data.
Scale of Damage: The attackers behind the Sony hack caused significant damage to the company. They leaked unreleased films, confidential emails, and other sensitive information, leading to embarrassment, financial losses, and legal issues for Sony Pictures Entertainment. The scale and impact of the attack were substantial, making it stand out from many other cyber incidents.
Publicity and Media Attention: The Sony hack garnered widespread media attention due to its sensational nature and the involvement of a major entertainment company. The leaking of unreleased films and sensitive emails fueled public interest and raised awareness about the potential consequences of cyberattacks on corporations.
Response and Attribution: The attribution of the attack to North Korea and the subsequent response from both Sony and the U.S. government were significant aspects of this incident. The U.S. government condemned the attack and imposed sanctions on North Korea in response. Sony also took various measures to mitigate the damage and enhance its cybersecurity posture.

Overall, the Sony hack differed from most other hacks due to its geopolitical context, targeting of a specific organization, scale of damage, media attention, and the response it elicited from both the affected company and government authorities.

How did the U.S. government respond to the attack? Was the response appropriate?
Students may mention that the U.S. government disclosed that it had proof that the North Koreans had made good on their threat. The U.S. National Security Agency (NSA) had reportedly penetrated the North Korean cyberwarfare unit four years prior to the attack and had been monitoring its capabilities since then. After Sony had alerted the FBI, the NSA was able to trace the attack back to North Korea, using a digital fingerprint the hackers had left in the malware. Several weeks after the attack, FBI Director James Comey revealed in a speech that the Sony hackers had been sloppy. “We could see that the IP [Internet protocol] addresses that were being used to post and to send the emails were coming from IPs that were exclusively used by the North Koreans.”

The U.S. government responded to the attack with a combination of military action, diplomatic efforts, and heightened security measures. Immediately following the attack, there was a surge in military activity in the region where the attack originated, aimed at targeting the perpetrators and disrupting their networks. Additionally, diplomatic efforts were made to garner international support and condemnation of the attack, with the U.S. government working closely with allies and partners to coordinate a unified response. In terms of domestic security, there was a significant increase in surveillance and security measures, particularly at key transportation hubs and critical infrastructure sites. The government also implemented various measures to enhance intelligence gathering and information sharing among law enforcement agencies to prevent future attacks.

Whether the response was appropriate is subjective and can depend on various factors, including the effectiveness of the actions taken, the impact on civilian populations, and the broader geopolitical context.
Some may argue that the response was necessary to ensure national security and prevent further attacks, while others may criticize certain aspects of the response, such as potential infringements on civil liberties or the use of military force. Ultimately, the appropriateness of the response is a matter of debate and may vary depending on one's perspective.

How did Sony respond to the attack? Will Sony’s response encourage or discourage future attacks?

Students may mention that Sony did not give in to the threats made by the hackers. Sony found alternatives to releasing the movie “The Interview” on Christmas day. The movie was made available through video-on-demand outlets such as Amazon.com, and within less than a month, the movie had brought in over $40 million in revenue. Several hundred movie theaters that opted to screen the movie generated another $6 million. Over the next two months, Sony also released the movie on Netflix, on DVD and Blu-Ray, and in theaters in other countries. Given that Sony has already suffered a cyberattack, it is safe to say that the corporation would be taking all kinds of precautionary measures to ensure that it does not face any hacks anytime soon. However, some students may feel that the scale at which Sony was targeted could encourage future attacks.

In response to the cyberattack on Sony in 2014, the company took several measures to address the situation. Initially, Sony temporarily shut down its entire computer network in order to prevent further damage and assess the extent of the breach. They also brought in cybersecurity experts to investigate the incident and bolster their defenses. Additionally, Sony communicated with its employees, customers, and the public about the situation, acknowledging the breach and providing updates on their response efforts. They offered support to affected individuals and worked to restore their systems and operations as quickly as possible.
In terms of whether Sony's response would encourage or discourage future attacks, it's a complex issue. On one hand, Sony's swift and transparent response demonstrated their commitment to addressing the breach and mitigating its impact. This could potentially deter future attackers by showing that Sony takes cybersecurity seriously and will take decisive action to protect its systems and data. On the other hand, the high-profile nature of the attack and the attention it received in the media may have inadvertently encouraged other attackers by highlighting vulnerabilities in Sony's systems and potentially inspiring copycat attacks. Ultimately, the effectiveness of Sony's response in deterring future attacks depends on various factors, including the strength of their cybersecurity measures, the motivations of potential attackers, and broader trends in cybercrime and cybersecurity.

In what ways does the Sony hack reflect emerging cyberthreats that could be made on critical infrastructure?

Students may mention that the Sony hack proved that hackers can steal reams of sensitive data, including the Social Security numbers of employees, system passwords, salary lists, contracts, and even copies of some employees’ passports. The hackers also accessed hundreds of Outlook mailboxes as well as the corporation’s IT audit documents. Hackers could also destroy data centers and have them wiped clean.

The Sony hack in 2014 was a watershed moment in cybersecurity, showcasing the potential vulnerabilities of even major corporations and their critical infrastructure. Here are some ways it reflects emerging cyber threats applicable to critical infrastructure:

Sophisticated Cyberattacks: The Sony hack involved highly sophisticated techniques, including malware deployment, data theft, and destruction of critical systems.
Similar methods could be employed against critical infrastructure, such as power grids or transportation networks, leading to severe disruptions or even physical damage.
State-Sponsored Cyber Warfare: The Sony hack was widely attributed to North Korea, signaling the increasing involvement of nation-states in cyber warfare. This highlights the potential for state-sponsored actors to target critical infrastructure as part of geopolitical conflicts, posing significant threats to national security and public safety.
Supply Chain Vulnerabilities: The attack on Sony also exposed vulnerabilities in the supply chain, as hackers gained access through compromised third-party vendors. Similarly, critical infrastructure often relies on interconnected systems and suppliers, making them susceptible to attacks through weak links in the chain.
Ransomware and Extortion: While the Sony hack was not a ransomware attack, the incident shed light on the growing trend of ransomware targeting businesses and organizations. Ransomware attacks on critical infrastructure could disrupt essential services and operations, leading to widespread chaos and potentially endangering lives.
Social Engineering and Insider Threats: The Sony hack involved elements of social engineering, with hackers exploiting human vulnerabilities to gain access to sensitive information. Insider threats, whether intentional or unintentional, pose significant risks to critical infrastructure, as employees or contractors with access to systems could be manipulated or coerced into facilitating attacks.
Lack of Preparedness and Response: The aftermath of the Sony hack revealed shortcomings in both cybersecurity preparedness and incident response. Similarly, many organizations responsible for critical infrastructure may lack the necessary measures to prevent, detect, and mitigate cyber threats effectively, leaving them vulnerable to potentially catastrophic attacks.
Addressing these emerging cyber threats requires a concerted effort from governments, businesses, and cybersecurity professionals to enhance resilience, improve information sharing, and develop robust defense strategies to safeguard critical infrastructure from cyber attacks.

What steps should be taken so that all businesses and the U.S. government can work together to prevent both real-world terrorist violence and cyberattacks?

Students may describe any of the preventive tools discussed in the chapter. They could also describe methods of trustworthy computing such as risk assessment, establishing a security policy, educating employees and contract workers, detection, and response.

To foster collaboration between businesses and the U.S. government in preventing both real-world terrorist violence and cyberattacks, several steps can be taken:

1. Establish Clear Communication Channels: Create formalized communication channels between government agencies and private sector businesses to share threat intelligence, vulnerabilities, and best practices.
2. Develop Joint Threat Assessments: Collaborate on comprehensive threat assessments that identify potential targets, attack vectors, and emerging trends in both physical and cyber domains.
3. Implement Information Sharing Platforms: Utilize secure platforms where businesses and government entities can share real-time information about suspicious activities, breaches, and incidents.
4. Foster Public-Private Partnerships: Facilitate partnerships between government agencies (such as the Department of Homeland Security) and industry-specific organizations to develop sector-specific security guidelines and response protocols.
5. Conduct Joint Training and Exercises: Organize regular training sessions and simulated exercises that involve both government and private sector stakeholders to enhance preparedness and coordination in responding to terrorist threats and cyberattacks.
6. Promote Regulatory Compliance and Standards: Establish regulatory frameworks and industry standards that mandate businesses to implement robust security measures and adhere to best practices in cybersecurity and physical security.
7. Encourage Information Sharing Incentives: Offer incentives such as liability protections or tax benefits to businesses that actively participate in information sharing initiatives and adopt recommended security measures.
8. Invest in Research and Development: Allocate resources towards research and development efforts aimed at advancing technologies and strategies for countering both physical and cyber threats.
9. Enhance International Collaboration: Foster collaboration with international partners to share threat intelligence, coordinate responses to transnational threats, and harmonize cybersecurity regulations and standards.
10. Promote Public Awareness and Education: Educate businesses and the general public about the importance of vigilance against terrorist threats and cyberattacks, including raising awareness about common tactics used by threat actors and how to report suspicious activities.

By implementing these steps, businesses and the U.S. government can enhance their collective ability to prevent, detect, and respond to both real-world terrorist violence and cyberattacks, ultimately strengthening national security and safeguarding critical infrastructure.

Solution Manual for Information Technology for Managers George W. Reynolds 9781305389830