Chapter 10

Chapter 10

In Chapter Questions:

(Pages 399-400) Managing in the Digital World: Drive-By Hacking (Jay Babington)

1. How can organizations better secure their wireless networks to reduce security vulnerabilities? The increasing availability of insecure wireless networks (Wi-Fi) have allowed hackers to institute a new type of pursuit called “war driving.” This is where the hackers drive around densely populated areas looking for unsecured networks and usually find literally hundreds of potential unsuspecting victims. One common attack is “war spamming,” where the hackers link an e-mail server of an unsecured Wi-Fi network and send out millions of junk e-mails without the network administrators’ knowledge. Organizations can fight this by using technologies that generate thousands of bogus wireless network access points, thus stymieing hackers trying to access personal or corporate Wi-Fi networks. Some technologies, such as FakeAp, can also offer protection by confusing war drivers so that they are not able to locate the “real” access point among thousands of bogus ones. There are also cyberinsurance policies available for companies that can help recoup some of the losses associated with war driving and spamming.

2. Is using a wireless network without the owner’s permission wrong? If so, why? If not, why? Are there any ethical issues associated with “piggybacking” on your neighbor’s unsecured wireless network? Using a wireless network without the owner’s permission is wrong. The owner is usually paying a monthly fee of about $40 for Wi-Fi, and the person who would be using the network without the owner’s consent would be getting it for free. How is that scenario any different from stealing? The answer is no difference. As long as the person has the owner’s consent, there should be no problems with “piggybacking.” However, the owner should use caution. If the person’s computer was to become compromised by using the network and the owner knew that the network is extremely insecure, there is an ethical dilemma. That person’s computer would not have been compromised if they would not have used the owner’s network, and this is mostly due to negligence on the owner’s part.

3. Some believe that all wireless networks should be “open” to anyone. What are the pros and cons of this perspective? Some of the pros would be that the issue of “piggybacking” would be eliminated. Also, it puts everyone on an equal playing field. Proponents of this side argue that if all wireless networks were “open,” war hacking would go way down because the “open” networks would act as a deterrent to the activity. It would be very easy for anyone to war hack, so if one person did it the other person could easily get revenge on that person. The perpetrator would also become much more easy to detect. Some to the cons would be that cable companies would lose a substantial amount of revenue. If all networks were “open,” there would be no use in charging a fee. As opposed to the other side of the argument, more “open” networks would lead to less security. It would be much easier for people to participate in war hacking.

page 420 - Hacking an Airplane (Etienne Jahns)

1. If a passenger hacked into a plane's control system, even if no damage was done, how seriously do you think that passanger should be punished?

According to the definition of computer crime provided by the book, the use of a computer with the attempt of committing an illegal action is to be seen as a crime. Also, trying to commit a murder is as well a crime as actually committing the murder and should thus as well be punished, albeit not with the same harshness. The harshness of the punishment should thus be aligned with the intentions of the hacker; whether he or she wanted to kidnap the plane or just prove Boeing that the company has a security issue.

page 420- Hacking an Airplane (Etienne Jahns)

2. Given that air travel can never be perfectly safe, how safe should the networks be on a modern aircraft?

The solution of physically separating the internet access for passenger and the system controlling the plane seems fairly easy but might be more costly. It should in my opinion not be a cost based decision when choosing network options for a modern aircraft.

Assigned Problems:

1. Match the following terms to the appropriate definition:

i. Acceptable use policy- e. Computer and/or Internet use policy for people within an organization, with clearly spelled-out penalties for noncompliance. (Desmond Lloyd)

ii.Authentication- d. The process of identifying that the user is indeed who he or she claims to be typically by requiring something that the user knows (e.g., a password) together with something that the user carries with him or her or has access to (e.g., an identification card or file). (Desmond Lloyd)

iii.Cyberwar- c. An organized attempt by a contry's military to disrupt or destory the information and communication systems of another country (Melissa Pigott)

iv. Biometrics- a. A type of security that grants or denies access to a computer system through the analysis of fingerprints, retinal patterns in the eye, or other bodily characteristics (Melissa Pigott)

v. Firewall- b. Specialized hardware and software that are used to keep unwanted users out of a system or to let user in with restricted access and privileges. (Stan Roberts)

vi. Phishing- g. An e-mail that attempts to trick financial account and credit card holders into giving away their private information. (Stan Roberts)

vii. Risk Analysis- f. A process in which the value of the assets being protected is assessed, the likelihood of their being compromised is determined, and the costs of their being compromised are compared with the costs of the protections to be taken. (Markus Simmons)

viii. Spyware- i. Software that covertly gathers information about a user through an Internet connection without the knowledge of the owner. (Markus Simmons)

ix. Unauthorized Access- An IS security breach where an unauthorized individual sees, manipulates, or otherwise handles electronically stored information. (Matt Stapleton)

x.Zombie Computer- A computer that has been infected with a virus allowing an attacker to control it without the knowledge of the owner. (Matt Stapleton)

13. What levels of user authentication are used at your school and/or place of work? Do they seem to be effective? What if a higher level of authentication were necessary? Would it be worth it, or would the added steps cause you to be less productive? (Kristy Wilson)

Professors tend to lock their office doors when not in their office so that their computers are unable to be easily accessed. Students and faculty are assigned identification numbers and create individual passwords for authentication. This level of user authentication seems to be effective. If a higher level of authentication were necessary, it may be too complex to implement and could cause the user to be less productive, since the current level is adequate.

Review Questions

 1. List and describe the primary threats to IS security. (Julia Bradley) 

 ·         Natural disasters: power outages, hurricanes, floods

 ·         Accidents: inexperienced or careless computer operators (or cats walking across keyboards)

 ·         Employees and consultants: people within an organization who have access to electron files

 ·         Links to outside business contacts: electronic information can be at risk when it travels between or among business affiliates as part of doing business.

 ·         Outsiders: hackers and crackers who penetrate networks and computer systems to snoop or to cause damage (viruses, perpetually rampant on the Internet, are included in this category)

2. Define computer crime and list several examples of computer crime. (Paula Byrd)

'''Computer crime is defined as the act of using a computer to commit an illegal act. Examples include:'''

'''1. Someone gains unauthorized entry to a computer system in order to cause damage to the computer system or the data it contains.'''

'''2. Computer criminals may steal credit card numbers form Web sites or a company's database, skim money from bank accounts, or make unauthorized electronic fund transfers from financial institutions.'''

<p class="MsoListParagraphCxSpLast" style="margin-left: 58.5pt; text-indent: -0.25in;">'''3. Drug dealers and other professional criminals may use computers to store records of their illegal transactions. '''

<p class="MsoNormal">3. Explain the purpose of the Computer Fraud and Abuse act of 1986 and the Electronic Communications Privacy act of 1986. (Richard Collingwood)

<p class="MsoNormal">The purpose of the Computer Fraud Act of 1986 is to prohibit the following:

<p class="MsoListParagraphCxSpFirst" style="margin-left:38.25pt;mso-add-space: auto;text-indent:-.25in;mso-list:l0 level1 lfo1"> ·            stealing or compromising data about national defense, foreign relations, atomic energy, or other restricted information

<p class="MsoListParagraphCxSpMiddle" style="margin-left:38.25pt;mso-add-space: auto;text-indent:-.25in;mso-list:l0 level1 lfo1"> ·            gaining unauthorized access to computers owned by any agency or department of the U.S. government

<p class="MsoListParagraphCxSpMiddle" style="margin-left:38.25pt;mso-add-space: auto;text-indent:-.25in;mso-list:l0 level1 lfo1"> ·            Violating data belonging to banks or other financial institutions

<p class="MsoListParagraphCxSpMiddle" style="margin-left:38.25pt;mso-add-space: auto;text-indent:-.25in;mso-list:l0 level1 lfo1"> ·            Intercepting or otherwise intruding on communication between states of foreign countries

<p class="MsoListParagraphCxSpLast" style="margin-left:38.25pt;mso-add-space: auto;text-indent:-.25in;mso-list:l0 level1 lfo1"> ·            Threatening to damage computer systems in order to extort money or other valuables from persons, businesses, or institutions

<p class="MsoNormal">The Electronic Communication Privacy Act of 1986 makes it a crime to break into any electronic communications service, including telephone services. The act also prohibits the interception of any type of electronic communication.

<p class="MsoNormal">4, Contrast hackers versus crackers. (Robert Collingwood)

<p class="MsoNormal">Hackers refer to individuals who are knowledgeable enough to gain access to a computer system without authorization. Crackers refer to individuals who break into computer systems with the intention of doing damage or committing a crime.

<p class="MsoNormal" style="margin: 0in 0in 10pt;">5. Define unauthorized access and give several examples from recent media reports. (Courtney Cox)

<p class="MsoNormal" style="margin: 0in 0in 10pt;">Unauthorized access is an information systems security breach where an uauthorized individual sees,   manipulates, or otherwise handles electronically stored information.

<p class="MsoNormal" style="margin: 0in 0in 10pt;">An example of unauthorized access is when thieves steal credit card numbers and/or Social Security numbers from electronic databases then use the stolen information to charge thousands of dolars in merchandise to victims. Recent media reports mention an incident where this occurred. "Black Friday" shoppers that purchased items from Target were all victims of unauthorized access. The thief hacked Target's database and was able to access the credit card information of every individual that made a credit purchase on that day. Media also reports a similar occurance but was limited to one person, PayPal's president. On a visit to the United Kingdom, his credit card information was stolen. This is very common today and people need to be aware that these thieves are out there.

<p class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;"><span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;">6. Define malware and give several examples. (Travis Hart)

<p class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;"><span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;">         Malware is short for malicious software. These include viruses, worms, and Trojan horses.

<p class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; text-indent: -0.25in; mso-list: l0 level1 lfo1;"><span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;"><span style="line-height: 115%; font-family: Symbol; font-size: 12pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol;"> ·<span style="font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;">         <span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;">A virus is a destructive program that disrupts the normal functioning of computer systems.

<p class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; text-indent: -0.25in; mso-list: l0 level1 lfo1;"><span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;"><span style="line-height: 115%; font-family: Symbol; font-size: 12pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol;"> ·<span style="font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;">         <span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;">A worm is a variation of a virus that is targeted at networks, takes advantage of security holes in operating systems and other software to replicate endlessly across the internet.

<p class="MsoListParagraphCxSpLast" style="margin: 0in 0in 10pt 0.5in; text-indent: -0.25in; mso-list: l0 level1 lfo1;"><span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;"><span style="line-height: 115%; font-family: Symbol; font-size: 12pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol;"> ·<span style="font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;">         <span style="line-height: 115%; font-family: "Times New Roman","serif"; font-size: 12pt;">A Trojan is like a virus, but remains hidden to perform underlying functions that the user does not know about.

<p class="MsoListParagraphCxSpLast" style="margin: 0in 0in 10pt 0.5in; text-indent: -0.25in; mso-list: l0 level1 lfo1;">

<p class="MsoNormal">7. Define and contrast spyware, spam, and cookies. (Trent Hillis)

<p class="MsoNormal">Spyware is any software that covertly gathers information about a user through an Internet connection without the user's knowledge. Spam is electronic junk mail or junk newgroup posting, usually for the purpose of advertising. Cookies are messages passed to a Web browser on a user's computer by a Web server.

<p class="MsoNormal">

<p class="MsoNormal"><span style="mso-fareast-font-family:Cambria;mso-fareast-theme-font:minor-latin; mso-bidi-font-family:Cambria;mso-bidi-theme-font:minor-latin"> 8. Define and contrast  Cyberharassment, Cyberstalking, and Cyberbullying. (Etienne Jahns)

<p class="MsoNormal">Cyberharassment refers to the use of a computer to communicate obscene, vulgar, or threatening content that causes a reasonable person to endure distress. While Cyberharassment can be done by a single message, Cyberstalking consists of repeated contacts with the victim and can take many different forms. In contrast to Cyberstalking, Cyberbullying cannot go undetected by the victim, while its intent is to deliberately cause distress in the victim.

9. Define and contrast cyberwar & cyberterrorism (Desmond Lloyd)

Cyberwar refers to an organized attempt by a country's military to disrupt or destory the information and communication system of another country. While cyberterrorism is launched not by governments but by individuals and organized groups. it uses computers and networking technologies against persons or property to intimidate or coerce governements, civilians, or any segment of society in order to attain polictical, religious, or ideological goals.

10. Describe risk analysis as it relates to IS security and explain three ways to approach systems security risk. (Melissa Pigott)

Risk analysis is a process in which you assess the value of the assets being protected, determine their likelihood of being compromised, and compare the probable costs of their being compromised with the estimate costs of whatever protections you might have to take. This is done to ensure more money is not being spent on protecting an IS asset than the asset is worth. There are three approaches to systems security risk, Risk Reduction, Risk Acceptance, and Risk Transference. Risk Reduction is the approach taken that actively attempts to protect your system such as installing firewalls. Risk Acceptance is when the company decides any protection efforts will cost more than the asset is worth and takes no measures to protect the asset. With Risk Acceptance, the company will just absorb any damages it the asset. Risk Transference is when a company takes out insurance or outsources certain functions to allow the risk of the damage to be transfered to another entity.

11. What are physical access restrictions, and how do they make an information system more secure? (Stan Roberts)

Physical access restrictions are procedures for safeguarding stored information by actually locking away storage devices with access through a key or lock combination. Only authorized personnel would be able to physically interact with the systems.

<p style="margin-top:1em;margin-bottom:1em;border-bottom-width:0px;border-left-width:0px;font-style:inherit;font-weight:inherit;margin-right:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;vertical-align:baseline;">12. Describe several methods for preventing and/or managing the spread of computer viruses.

<p style="margin-top:1em;margin-bottom:1em;border-bottom-width:0px;border-left-width:0px;font-style:inherit;font-weight:inherit;margin-right:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;vertical-align:baseline;">One method for preventing viruses is an IS audit. First, risk analysis is employed to assess the value of the assets being protected, determine their likelihood of being compromised, and compare the probable costs of their being compromised with the estimated costs of whatever protections you might have to take. This leads to three general methods of reaction:


 * 1) Risk reduction- Taking active countermeasures to protect your systems, such as installing firewalls like those described in the chapter.
 * 2) Risk acceptance- Implementing no countermeasures and simply absorbing any damages that occur.
 * 3) Risk transference- Having someone else absorb the risk, such as by investing in insurance or by outsourcing certain functions to another organization with specific expertise. (Markus Simmons)

13.  Describe three human-based approaches for safeguarding information systems. (Matt Stapleton)

1. Ethics- Relates to a broad range of standards of appropriate conduct by users and educating              potential users at an early age as to what constitutes appropriate behavior

2. Laws- There are numerous federal and state laws against unauthorized use of networks and computer systems

3. Effective management- Having a good system of internal control regarding IS

<p class="MsoNormal">14. What is an IS security plan, and what are the five steps for developing such a plan? (Kristy Wilson)

<p class="MsoNormal">An IS security plan is a plan that all organizations should develop, which involves assessing and planning ways to reduce risks. The plan is then implemented and involves ongoing monitoring. The five steps for developing this plan include:

<p class="MsoNormal">1) Risk Analysis –   In this step, organizations should determine the value of electronic information and assess threats to the confidentiality, integrity, and availability of information. Risk analysis includes determining which computer operations have high vulnerability to security breaches, and it also includes an assessment of the current security policies. Organizations recommend changes to existing practices and/or policies that will improve computer security.

<p class="MsoNormal">2) Policies and Procedures – Policies and procedures are created, which generally include the following: information policy, security policy, use policy, backup policy, account management policy, incident handling procedures and a disaster recovery plan.

<p class="MsoNormal">3) Implementation – The plan is implemented as network security mechanisms, intrusion detection systems, and other aspects of the IS security plan are put in place.

<p class="MsoNormal">4) Training- People within the organization are trained to know the security policy and the plan for disaster recovery. Training includes preparing personnel to perform routine and disaster related tasks.

<p class="MsoNormal">5) Auditing – Tests are conducted to make sure that the computer security measures are working.

15. Describe how the Sarbanes-Oxley Act impacts the IS security of an organization. (Elston Wyatt)

While SOX addressed primarily the accounting side of organizations, it did greatly increase the demand for IS auditors. Regulations put in place by SOX require companies to have controls in place to prevent misuse of fraid, controls to detect potential problems, and effective measures to correct any problems found. Information systems are key in today's business environments to handle the mass flow of data transmitted on a daily basis. These systems, however, need to be regularly checked to ensure that they are performing their roles effectively.

SOX also placed upon businesses a requirement to preserve evidence to document compliance and for potential lawsuits. Since many of these documents have important information, safeguards need to be put in place to prevent private information from being leaked or accessed. Once again, the fact that seemingly everything is digital means that the safeguards are mostly or all technological in nature, again emphasizing IS security.

Multiple Choice

1. What is the common rule for deciding if an information system faces a security risk? (Jay Babington)

A. Only desktop computers are at risk. B. Only network servers are at risk. C. All systems connected to networks are vulnerable to security violations.

D. Networks have nothing to do with computer security.


 * 2. Those individuals who break into computer systems with the intention of doing damage or committing a crime are usually called ___________. (Ellie Bailey)


 * A. backers


 * B. crackers


 * C. computer geniuses


 * D. computer operatives

4.   Information modification attacks occur when _____________________. (Julia Bradley)

<p class="MsoNormal" style="text-indent:.5in">A. An authorized user changes a Web site address

<p class="MsoNormal" style="text-indent:.5in">B. A Web site crashes

<p class="MsoNormal" style="text-indent:.5in">C. The power is cut off

<p class="MsoNormal" style="text-indent:.5in">D. <span style="font-size:12.0pt;font-family:Cambria;mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"ＭＳ明朝";mso-fareast-theme-font:minor-fareast; mso-hansi-theme-font:minor-latin;mso-bidi-font-family:"TimesNewRoman"; mso-bidi-theme-font:minor-bidi;mso-ansi-language:EN-US;mso-fareast-language: EN-US;mso-bidi-language:AR-SA">Someone who is not authorized to do so changes electronic information  5. Technological safeguards used to protect information include______________. (Paula Byrd)


 * A. laws


 * B. effective management


 * C. firewalls and physical access restrictions


 * D. ethics

6. Limiting access to electronic information usually involves________________. (Richard Collingwood)


 * A. something you have


 * B. something you know


 * C. something you are


 * D. all of the above  

7. Which of the following is the the process of determinig the true, accurate identity of a user of an information system? (robert collingwood)

A. audit

B. authentication

C. firewall

D. virtual private network

8. The use of computer and networking technologies by individuals and organized groups against persons or property to intimidate or coerce governments, civilians, or any segment of society in order to attain political, religious, or ideological goals is known as _________. (Courtney Cox)


 * A. cyberwar


 * B. cybercrime


 * C. cyberterrorism


 * D. none of the above

9.  A(n) ________ is a system composed of hardware, software, or both that is designed to detect intrusion and prevent unauthorized access to or from a private network. (Trent Hillis)

A. encryption

B. firewall

C. alarm

D. logic bomb

10. ___________ is the process of encoding messages before they enter the network or airwaves, <span style="font-size:11.0pt;line-height:115%; font-family:"Calibri","sans-serif";mso-ascii-theme-font:minor-latin;mso-fareast-font-family: Calibri;mso-fareast-theme-font:minor-latin;mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi; mso-ansi-language:EN-US;mso-fareast-language:EN-US;mso-bidi-language:AR-SA">then decoding them at the receiving end of the transfer so that recipients can read or hear them. (Etiene Jahns)


 * A. Encryption


 * B. Biometrics


 * C. Authentification


 * D. Disaster recovery



<p class="MsoNormal" style="text-indent:.5in">