Network Security WA, Coursework Example

1) [Ch 1, Project, no. 1]—Look up the PCI-DSS control objectives on the Internet. Give its URL. Which ones did TJX violate? Justify your list.

The PCI-DSS control objectives are: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.  Source: http://www.securityprocedure.com/six-control-objectives-pci-dss

The TJX security breach of 2007 shows exactly how much a company can lose if it fails to comply with the necessary security measures.  The failure to protect cardholder data ended up costing 94 million dollars in accounts being violated, with total losses in excess of 70 million dollars.  TJX violated all six areas listed on the website cited above.  These security measures were mandated by the Payment Card Industry Data Security Standard (PCI-DSS).  If the company had maintained a secure network, it would not have fallen victim to such a breach.  Protecting cardholder data and maintaining a vulnerability management program would have prevented the breach, or allowed it to be caught much earlier, potentially saving millions of dollars.  By implementing strong access control measures there would have been no means for the breach to happen in the first place.  Regularly monitoring and testing the network could have exposed the improper security measures early on and allowed them to be corrected in a timely manner.  And finally, maintaining an information security policy would have prevented millions of consumers' information from being accessed and used fraudulently.

2) [Ch 1, Thought Questions, no. 4]—Addamark Technologies found that its Web servers had been accessed without authorization by an employee of competitor Arcsight.  Arcsight’s vice president for marketing dismissed the hacking, saying, “It’s simply a screen that asked for a username and password. The employee didn’t feel like he did anything illicit.” The VP went on to say the employee would not be disciplined. Comment on the Arcsight VP’s defense.

Having a secure login, regardless of the complexity of the system, is intended to monitor and prevent unauthorized users from accessing information not intended for their use.  In addition, it allows companies to monitor their employees' actions and performance while logged onto the network.  Whether the logon is complex or simple, it is intended for that specific user, and accessing it any other way is unauthorized.  Most companies have written expectations for employee logons that include disciplinary actions in the event they are used inappropriately.  The VP dismissing the employee's actions not only reflects on his personal integrity, but shows that the company willingly acts in an unethical manner as a matter of business practice.  Competitors who hack their competitors' servers to find out information in order to get the upper hand probably have little reservation about other questionable or unethical acts.  Addamark Technologies perhaps needs to implement better network security so that next time a simple username and password will not be a dismissible excuse for hacking its network.

3) [Ch 1, Thought Questions, no. 6]—Give three examples of social engineering not listed in the text.

Online social engineering is a good way for social engineers to get users' passwords.  This is valuable because many users reuse their passwords across many accounts, giving access to information other than what the password was collected for.  A common way that attackers get this information is from online forms sent out for sweepstakes or similar questionnaires.  Another type of social engineering is baiting.  This is a Trojan-horse technique in which physical media are used to spark the curiosity and greed of the victims: malware is placed on flash drives or CD-ROMs, waiting for a user to plug one in and infect their computer.  And lastly, there is tailgating.  This is when access to a restricted area is sought by simply following behind someone who has real access.  It is a failure to validate the person and instead accept that the attacker has a valid reason for their entry.

4) [Ch 2, Thought Questions, no. 2]—Chapter 2 discussed three ways to view the IT security function—as a police force, as a military organization, and as a loving mother. Name another view and describe why it is good.

Another view is that of a business owner.  This is as important as the military, police, and parental views of security.  It controls access to confidential and important information by restricting access to authorized individuals.  This security protects the company's information and allows only necessary access in the workplace.  In business, it is important to allow access to individuals who need it and to prevent unauthorized access.  It is also important to eliminate the potential for alteration and destruction of important information.

5) Provide definitions for each of the following terms and indicate any negative (or positive) experiences you have had:
a. viruses – viruses are malicious software programs that, by definition, exist on local disk drives and spread from one computer to the next through infected files.  A negative experience is when my computer was infected and it deleted several programs on it.
b. spyware – is defined as software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive. Personally I had spyware that redirected my homepage and excessive pop-ups occurred.
c. spam and spim – spam is defined as disruptive messages, especially commercial messages, posted on a computer network or sent as e-mail.  Spim is defined as a type of spam that is sent by means of instant messaging.  This is something everyone has experienced: the fifty emails sent out soliciting or selling a product that you did not request information about.
d. botnets – is defined as a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g. to send spam messages. I had apparently sent out “male enhancement pills” email to everyone in my address book.
e. phishing – is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Personally I have never had an experience with this.
f. cookies – a cookie is a packet of data sent by an Internet server to a browser, which is returned by the browser each time it subsequently accesses the same server, used to identify the user or track their access to the server.  I clear my cookies and history on a daily basis in the event that my computer is accessed.
g. worms – a software program capable of reproducing itself that can spread from one computer to the next over a network; “worms take advantage of automatic file sending and receiving features found on many computers”.  As stated earlier with the emails sent from my email address, there were worms attached to this email which caused the computer to continually restart.
h. Trojan horses – is a program that appears desirable but actually contains something harmful; “the contents of a Trojan can be a virus or a worm”.  Again the only personal experience was linked to the email “I sent” regarding male enhancement pills.
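The cookie definition in item f above describes a round trip: the server hands the browser a packet of data, and the browser returns it on every later request to that same server. The following is an added example, not part of the coursework or of any textbook, that simulates that round trip with Python's standard-library cookie jar. The host names (shop.example, other.example), the cookie name and value, and the Set-Cookie header are all constructed for the illustration. It also shows two properties a defender cares about: the cookie is only returned to the server that set it, and a cookie marked Secure is withheld on a plain-HTTP request.

```python
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a header container with get_all(). Constructed for this demo."""

    def __init__(self, headers):
        self._msg = email.message.Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def cookie_round_trip():
    """Simulate a server setting a cookie and a browser replaying it.

    Returns the Cookie header the 'browser' would attach to three later
    requests: same site over HTTPS, same site over plain HTTP, and a
    different site. None means no cookie was sent.
    """
    jar = CookieJar()  # plays the role of the browser's cookie store

    # Step 1: the browser logs in to shop.example and the server's response
    # carries a Set-Cookie header (constructed sample values).
    login_request = Request("https://shop.example/login")
    login_response = _FakeResponse(
        [("Set-Cookie", "session=abc123; Secure; HttpOnly")]
    )
    jar.extract_cookies(login_response, login_request)

    results = {}
    for label, url in (
        ("same_site_https", "https://shop.example/account"),
        ("same_site_http", "http://shop.example/account"),
        ("other_site", "https://other.example/"),
    ):
        # Step 2: on each subsequent request the jar decides whether the
        # stored cookie may be attached, applying host and Secure checks.
        req = Request(url)
        jar.add_cookie_header(req)
        results[label] = req.get_header("Cookie")
    return results


if __name__ == "__main__":
    for label, header in cookie_round_trip().items():
        print(f"{label}: {header}")
```

The same-site HTTPS request carries `session=abc123` back to the server, exactly the identify-and-track behaviour the definition describes. The other two requests carry nothing: the jar never sends the cookie to a different host, and because the cookie was set with the Secure attribute it is not exposed over unencrypted HTTP. Clearing the jar, as the answer above describes doing daily, simply drops the stored entry so no later request can replay it.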
Explain what information security auditing is and any exposure or experiences you have had with it.

Information security auditing is when an organization reviews its technologies to ensure they are up to date and the proper infrastructure is in place.  The audit tests that all information security is up to date with the requirements of the organization.  It also involves interviewing employees about their roles in this security.  I personally have not had any experience with information security auditing.