HS3011 Information Security T2 2017
HOLMES INSTITUTE FACULTY OF HIGHER EDUCATION

HS3011 Information Security Group Assignment
Due: Friday Week 11, 5:00 PM
Marks: Weighting 20%

Assignment Overview

For this assignment, you need to work as a group of 3-4 students.

PART 1 (1000-1500 words)

Students are required to analyse and write a report about the following topics:

1. Using the Web, find out more about Kevin Mitnick. What did he do? Who caught him? Write a short summary of his activities and explain why he is infamous.

2. Using a Web browser, go to www.eff.org. Choose one of the current top concerns of this organization and justify:
   a. Why was this topic chosen?
   b. How does it relate to the information security subject contents?

3. Classify each of the following occurrences as an incident or a disaster. If an occurrence is a disaster, determine whether business continuity plans would be called into play.
   a. A hacker breaks into the company network and deletes files from a server.
   b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are damaged, but the fire is contained.
   c. A tornado hits a local power station, and the company will be without power for three to five days.
   d. Employees go on strike, and the company could be without critical workers for weeks.
   e. A disgruntled employee takes a critical server home, sneaking it out after hours.

   For each of the scenarios (a–e), describe the steps necessary to restore operations. Indicate whether law enforcement would be involved.

PART 2 (Case Exercises) (1000-1500 words)

With your team members, please go through each case and answer the relevant discussion questions.

CASE 1

One day at SLS found everyone in technical support busy restoring computer systems to their former state and installing new virus and worm control software. Amy found herself learning how to re-install desktop computer operating systems and applications as SLS made a heroic effort to recover from the attack of the previous day.

   a. Do you think this event was caused by an insider or an outsider? Explain your answer.
   b. Other than installing virus and worm control software, what can SLS do to prepare for the next incident?
   c. Do you think this attack was the result of a virus or a worm? Explain your answer.

CASE 2

Charlie was getting ready to head home when the phone rang. Caller ID showed it was Peter.

“Hi, Peter,” Charlie said into the receiver. “Want me to start the file cracker on your spreadsheet?”

“No, thanks,” Peter answered, taking the joke well. “I remembered my passphrase. But I want to get your advice on what we need to do to make the use of encryption more effective and to get it properly licensed for the whole company. I see the value in using it for certain kinds of information, but I’m worried about forgetting a passphrase again, or even worse, that someone else forgets a passphrase or leaves the company. How would we get their files back?”

“We need to use a feature called key recovery, which is usually part of PKI software,” said Charlie. “Actually, if we invest in PKI software, we could solve that problem as well as several others.”

“OK,” said Peter. “Can you see me tomorrow at 10 o’clock to talk about this PKI solution and how we can make better use of encryption?”

   a. Was Charlie exaggerating when he gave Peter an estimate for the time required to crack the encryption key using a brute force attack?
   b. Are there any tools that someone like Peter could use safely, other than a PKI-based system that implements key recovery, to avoid losing his passphrase?

Suppose Charlie had installed key logger software on all company computer systems and had made a copy of Peter’s encryption key. Suppose that Charlie had this done without policy authority and without anyone’s knowledge, including Peter’s.

   c. Would the use of such a tool be an ethical violation on Charlie’s part? Is it illegal?

Suppose that Charlie had implemented the key logger with the knowledge and approval of senior company executives, and that every employee had signed a release that acknowledged the company can record all information entered on company systems. Two days after Peter’s call, Charlie calls back to give Peter his key: “We got lucky and cracked it early.” Charlie says this to preserve Peter’s illusion of privacy.

   d. Is such a “little white lie” an ethical action on Charlie’s part?

CASE 3

Charlie looked across his desk at Kelvin, who was absorbed in the sheaf of handwritten notes from the meeting. Charlie had asked Kelvin to come to his office and discuss the change control meeting from earlier that day.

“So what do you think?” Charlie asked.

“I think I was blindsided by a bus!” Kelvin replied. “I thought I had considered all the possible effects of the change in my project plan. I tried to explain this, but everyone acted as if I had threatened their lives.”

“In a way you did, or rather you threatened their jobs,” Charlie stated. “Some people believe that change is the enemy.”

“But these changes are important.”

“I agree,” Charlie said. “But successful change usually occurs in small steps. What’s your top priority?”

“All the items on this list are top priorities,” Kelvin said. “I haven’t even gotten to the second tier.”

“So what should you do to accomplish these top priorities?” Charlie asked.

“I guess I should reprioritize within my top tier, but what then?”

“The next step is to build support before the meeting, not during it,” Charlie said, smiling. “Never go into a meeting where you haven’t done your homework, especially when other people in the meeting can reduce your chance of success.”

   a. What project management tasks should Kelvin perform before his next meeting?
   b. What change management tasks should Kelvin perform before his next meeting, and how do these tasks fit within the project management process?
   c. Had you been in Kelvin’s place, what would you have done differently to prepare for this meeting?

Suppose Kelvin has seven controls listed as the top tier of project initiatives. At his next meeting with Charlie, he provides a rank-ordered list of these controls with projected losses over the next 10 years for each if it is not completed. Also, he has estimated the 10-year cost for developing, implementing, and operating each control. Kelvin has identified three controls as being the most advantageous for the organization in his opinion. As he prepared the slides for the meeting, he “adjusted” most projected losses upward to the top end of the range estimate given by the consultant who prepared the data. For the projected costs of his preferred controls, he chose to use the lowest end of the range provided by the consultant.

   d. Do you think Kelvin has had an ethical lapse by cherry-picking the data for his presentation? Suppose that instead of choosing data from the range provided by the consultant, Kelvin simply made up better numbers for his favourite initiatives. Is this an ethical lapse?

Suppose Kelvin has a close friend who works for a firm that makes and sells software for a specific control objective on the list. When Kelvin prioritized the list of his preferences, he made sure that specific control was at the top of the list. Kelvin planned to provide his friend with internal design specifications and the assessment criteria to be used for vendor selection for the initiative.

   e. Has Kelvin committed an ethical lapse?

Assessment Criteria

Presentation and writing style (/10 marks)
   Very Good (9-10): Information is well organized. Correct layout, including Times New Roman, font size 12, or Calibri, font size 10, double spaced. About the right length. Very well written; excellent paraphrasing and proper grammar and punctuation are used throughout.
   Good (7-8): Information is organized. Correct layout, including Times New Roman, font size 12, or Calibri, font size 10, double spaced. About the right length. Well written; some paraphrasing and proper grammar and punctuation.
   Satisfactory (5-6): Information is somewhat organized. Some elements of layout or length incorrect. Proper grammar and punctuation mostly used, but overuse of direct quotes.
   Unsatisfactory (3-4): Information is poorly organized. Some elements of layout or length incorrect. Proper grammar and punctuation not always used. Excessive overuse of direct quotes.

Criteria completion (/15 marks)
   Bands: Very Good (12-15), Good (9-11), Satisfactory (8-10), Unsatisfactory (5-7)
   Descriptors: Evidence of understanding of the nature and purpose of the discussed requirements. Evidence of understanding of the implications for the organisation. The discussion has the capacity to address challenges identified within the organisation. Evidence of understanding of the implications for the organisation.
   You gain marks for ensuring that all of the requirements mentioned above are covered in your report.

Evidence of Research (/10 marks)
   Very Good (9-10): Substantial range of appropriate and current supportive evidence.
   Good (7-8): Good range of appropriate and current supportive evidence.
   Satisfactory (5-6): Suitable range of supportive evidence used. Not always appropriate and/or current. Minimum cited.
   Unsatisfactory (3-4): Insufficient range or number of supportive evidence used.

Development of Discussion (/15 marks)
   Very Good (12-15): Logical, insightful, original discussion with well-connected paragraphs. Evidence of full engagement with relevant and detailed analysis.
   Good (9-11): Detailed, original discussion develops logically with some connection between adjoining paragraphs. Understanding of requirements shown. Some relevant analysis.
   Satisfactory (8-10): Adequate discussion develops logically. Understanding of requirements shown. Little relevant analysis.
   Unsatisfactory (5-7): Inadequate discussion of issues and/or lacking in logical flow. Little/no demonstrated understanding of requirements. None/little discussion or analysis.

Conclusion (/5 marks)
   Very Good (5): An interesting, well-written summary of the main points. An excellent final comment on the subject, based on the information provided.
   Good (4): A good summary of the main points. A good final comment on the subject, based on the information provided.
   Satisfactory (3): Satisfactory summary of the main points. A final comment on the subject, but new material introduced.
   Unsatisfactory (2): Poor/no summary of the main points. A poor final comment on the subject and/or new material introduced.

Referencing (/5 marks)
   Very Good (5): Correct referencing (Harvard). All quoted material in quotes and acknowledged. All paraphrased material acknowledged. Correctly set out reference list and bibliography included.
   Good (4): Mostly correct referencing (Harvard). All quoted material in quotes and acknowledged. All paraphrased material acknowledged. Mostly correctly set out reference list and bibliography included.
   Satisfactory (3): Mostly correct referencing (Harvard). Some problems with quoted material and paraphrased material. Some problems with the reference list or bibliography.
   Unsatisfactory (2): Not all material correctly acknowledged. Some problems with the reference list or bibliography.

Total: /60 marks
Final marks: /20

Submission Requirements

The assignment should include a list of at least 7 references and a bibliography of the wider reading done to familiarize oneself with the topic.

Submission:
   • Soft copy to self-check and Final Submission with cover sheet.

You are reminded to read the “Plagiarism” section of the course description. Your research should be a synthesis of ideas from a variety of sources expressed in your own words. All reports must use the Harvard referencing style. Marking rubrics are attached.