HS3011 Information Security Group Assignment

Part 1

1. A short summary of Kevin Mitnick

Kevin Mitnick was born on 6th August 1963. He is a computer security consultant as well as an author. Since, in the 20^th century, he was convicted for critical crimes related to various computer systems and communications platform. He hacked into several renowned companies’ computer systems incorporating Fujitsu Siemens, Motorola, Sun Microsystems, NEC as well as Nokia. In addition at the age of 15, he used bus transfer system of Los Angeles to attain free bus rides as well as evaded the FBI. On the other hand, he also hacked into the DEC systems in order to attain the VMS source codes. This was a significant criminal offense in the technological world which critically made him infamous. He also attained full administrative privileges at the Computer Learning Centre in Los Angeles to an IBM minicomputer for winning a bet. His activities were critical and impacted the existence of technological advancement. The activities not only created terror amongst companies but also the livelihood of general populace at wide extent.

Kevin Mitnick was charged with wire fraud and breaking in the computer systems of several multinational as well as renowned companies by the FBI. The FBI also caught him for such devious activities which threatened the technological advancement extensively. On 15^th February 1995, Kevin Mitnick was arrested due to the pressed charges against him at his apartment at Raleigh in North Carolina. Additionally, after he became a fugitive for more than two and a half years he attained unauthorized access to dozens of computer networks as well as used cloned cellular phones in order to hide his location and copied high-level software from computer companies. The reason behind Mitnick’s famous as being the CEO of the company Mitnick Security Consulting LLC, which is a computer security consultancy. He significantly wrote two books based on his expertise namely, ‘The Condor’ and ‘The Darkside Hacker’. On the other hand, he was critically infamous for his criminal activity based on unauthorized access to the computer system of large organizations for self-interest. Hence, there is a number of infamous activities which are pursued by Kevin Mitnick in his entire life which critically affected the confidentiality of large multinational companies.

Extracted from- (bigthink.com, 2018)

2. Current topic concerns of EFF organization

‘EFF Asks Appeals Court To Rule Copyright Can’t Be Used To Control the Public’s Access to Our Laws’

The prime reason for choosing this topic is to let general public as well as private organizations to get access to the rules and right of legal terms. Laws are framed to aware organizations to take steps which are significant for accurate working system marinating the limitation of information security. Hence, the rule of copyright can’t be used to control Public’s access to laws as it would enhance the security of information, (Krutz and Vines, 2010). Though it has been developed by a group of industries and they are concerned about the security systems but getting access to general laws and regulations is not a crime. Rather it can be helpful to have the knowledge of significant laws. Corynne McSherry, the EFF Legal Director argued in court stating that public must have the right to access, share and copy the law. On the other hand, they also argue that the industry groups must not violate such rights of the public by claiming ownership to those rules though they assisted in developing the legal rules. The Public.Resource.org critically was sued by private industry groups who worked on educational, fire, energy efficiency and safety testing standards. They critically claim that they have the copyright on the part of laws just because they have initiated it. They claim that they have only the right to copy and access that law; none of the other industries can have those accesses, (Miller et al. 2010).

It significantly relates to information security subject contents as few private organizations must not have the right to stop the access of rules and regulations. Information security is significant for every company but learning about the rules and regulation can never break any laws rather enhance the knowledge of distinct organizations. As proposed by (Peltier, 2010), the significance of information security is critical in every industry but enabling people to learn about laws is relevant in terms of information security. Hence, providing information about laws can never disrupt the system of information security as it would make sure that every laws and regulation are being followed.  The Public.Resource.org must be provided accessed by every organization as the laws framed by distinct industries needs to be analyzed by every organization to maintain the system of information security without disrupting its structure.

Extracted from – (eff.org, 2018)

3. Necessary steps to restore operations for the scenarios

1. A hacker breaks into the company network and deletes files from a server.

In case this kind of situation arises in the company, then this kind of issue is admissible in a court of law. This kind of activity entails high risks and in order to eliminate such risk in the system, significant action needs to be taken against the personnel. The hacker must be identified using cyber systems and should be charged for such inappropriate action, (Albrechtsen and Hovden, 2010, p.441). The professional of the cyber system can press charges against the hacker and take necessary information. The information deleted from the server can be restored by the company through its backup server and maintain its standards. In order to eradicate such kind of mishaps, the company needs to maintain strict disciplinary activities needs to follow by each member of the company extensively.

1. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are damaged, but the fire is contained.

In this kind of situation, using information about the initiation of the fire must be learned. For this issue, professional must be hired who can critically evaluate the situation and analyze the reason behind such disaster. This kind of issue can be also solved by using legal procedures in order to learn the cause of such incidents, (Alwi and Fan, 2010, p.151). Relevant steps must be taken to gain the information from the damaged computers. The damaged computers must be analyzed using experts to extract the information as well through legal procedures. Maintaining legal procedures can restore the operations and attract necessary information.

1. A tornado hits a local power station, and the company will be without power for three to five days.

In this kind of situation, the backup must be stored which can be accessed in outer network shell where relevant information can be extracted for the use of the company. High skilled professionals and integrated software system must be used to avoid such kind of issue, (Appari and Johnson, 2010, p.281). However, as it is a natural disaster backup must be done as a contingency plan to restore such happenings. Additionally, it cannot be restored using legal terms as it comes under act of god clause which cannot be charged to anyone but through effective strategies, it can be formulated and information can be extracted.

1. Employees go on strike, and the company could be without critical workers for weeks.

In this kind of situation legal actions can be taken against the employees if they are in a contract working for the company. However, if the employees are having a significant issue due to the negligence of the company then consultant must be hired to solve the issue and negotiated. Negotiation can be effective in such kind of situation which can assist the company to gain its employees and work accordingly, (Bulgurcu et al. 2010, p.541). Additionally, through legal actions, the person who started this kind of activity can be sued if that person is guilty on the professional ground.

1. A disgruntled employee takes a critical server home, sneaking it out after hours.

Legal actions in this kind of situation are mandatory as taking a critical server home is a serious offense and admissible by the court of law. Through legal actions, the disgruntled employee can be punished and significant action can be taken to restore the situations. By hiring legal representatives, significant data can also be extracted in case the employee has sold the valuable information to any rivalry companies, (Da Veiga and Eloff, 2010, p.201). On the other hand, there are companies who do not like to face media or come up into public for them they need to take legal action by their own legal team and extract the relevant information that has caused such activity. Additionally, the company can take down the matter to court for strict actions without facing any media coverage.

Part 2

Case 1

1. a) Not necessarily this kind of incident needs to be done by an outsider. This kind of issue can be created by an insider as well. An insider of the company could have been significantly involved in such situation, however; it can be done unintentionally by attaching a personal USB drive (removable) to the computer at the workplace without any knowledge of the owner that the worm or virus has been affected form elsewhere. This kind of issue can hamper the operating system only if the corrupted files in the external USB are inserted into the computer system, (Dubois et al. 2010, p.305). On the other hand, an outsider can only harm the operating system on a computer even if the power is coming through LAN in a case Hence, there is a huge chance that this kind of harm was caused by an insider without any intention.
2. b) Other than installing worm and virus control software, SLS can integrate a good backup system in case this kind of incidence reoccur in order to enable a backup in real time after the solving the problem. In addition, monitoring the resources can be also done in order to maintain the standardization of the workplace without wasting time, (Ericsson, 2010, p.1502). Updating operating system in every interval of time can be beneficial for the company as well as adopting significant policies of filter and industry standard firewalls can also be effective for the system. It can be assumed that the company does not have a robust security policy in the workplace that led to this critical mishap. It can be also stated that the company had cheap virus software installed at the workplace and needs to integrate high-quality virus software as a backup plan.
3. c) It can be analyzed that both the worm and virus are the reason behind such issue. (Johnston and Warkentin, 2010, p.563) put forward, a virus can disintegrate the computer system and on the other hand, a worm spreads it in the whole system. Hence, both of them are responsible for such attack. In addition, there can be other varying reason behind such attack as well. In case the desktops are connected to LAN using a switch then there is a huge possibility that due to some unintended power interruption this attack happened. Also, filters and firewalls alter or block the network traffic that uses the same operating system as well as CPU resources as significant applications. This can be a critical reason behind such problematic attack, (Popović and Hocenski, 2010, p.345). Hence, there are other possibilities behind such attack at SLS as well other than just worms and virus. In case it has been caused due to worms or viruses then both are responsible for such serious attack at computer systems.

Case 2

1. a) It is not at all possible. As with 256-bit encryption, a 100 trillion is critically an understatement based on the amount of time needed to crack the encrypted key with the available technology. The process of encryption uses quicker and easier based on advanced technology and a highly integrated processor for computer systems. For this process, multiple computers need to be chained together as well as elevated processing power can be significantly used in order to crack the encryption key in real time. However, wasting time and energy for cracking unapproved encryption is worthless, (Puhakainen and Siponen, 2010, p.771). Hence, in order to enhance the system the estimated time required for cracking the encryption key is minimal and worth full for the company in order to minimize external and internal threats. Therefore, it can be said that Charlie is exaggerating as Brute Force requires significant time but there are other alternative methods that can assist to retrieve passcode. (Ramgovind et al. 2010, p.6) stated that Brute Force can be used in case of easy texts passwords which do not involve numbers as well as case sensitivity.
2. b) Yes, definitely there are other tools which can assist Peter in recovery passphrase as well can be used safely. Several tools are also available on the online platform which can be downloaded to implement key recovery. In addition, there are numbers of ‘black hat’ software that is significantly present in the online platform and moreover, it can be used for white hat purposes also. Software such as Windows Password Changer, Hiren Boot CD and many more are present in an online platform that can be downloaded in order to avoid losing passphrase that Peter can adopt. LastPass is also a password management service available in an online platform that assists users to obtain their passwords in a safe manner, (Siponen and Vance, 2010, p.501). Though encryption is one of the most securing options, however, forgetting passphrase can be critical in order to recover. However, with software available in the market as well as an online platform can ease the process of recovery and assist Peter significantly other than KPI based recovery systems.
3. c) Installing keylogger software on company’s computer system without significant authorization from senior executives then is an ethical violation on Charlie’s part. Without anyone’s knowledge and policy authority, none of the employees of the company has the right to install any software. It would be considered as an ethical violation, (Takabi et al. 2010, p.30). As in this case, Charlie installed keylogger software without anyone’s knowledge and policy authority, it is illegal from his part and is punishable as it is an ethical violation and is admissible in a court of law.
4. d) Keylogger can also be termed as stroke logger which is used to record each key pressed in the keyboard of a computer. With the knowledge and approval of senior executives, Charlie installs a keylogger in the system cannot be taken any action on the ethical ground on his part. The keylogger would benefit the company to extract passkey as well as to check system logs, (Van Niekerk and Von Solms, 2010, p.485). In addition, Charlie gives the key to Peter without mishandling it. Hence, it can be said that ‘a little white lie’ is not an ethical action in the context of Charlie’s part.

Case 3

1. a) In this case, Kelvin needs to analyze the priorities of tasks. In order to attain successful result at the next meeting, he needs to prioritize his work based on work breakdown structure as well as attain a co-worker friendly job schedule to reduce the fear amongst his co-workers. He needs to attain the consent of every stakeholder in his team in order to attain his goals. Based on the project management, Kelvin must convert his top priorities into manageable tiers by breaking into smaller tasks. While breaking down the higher prioritized work into organizable and smaller task, he must re-assess each element and deliverable in the work break down the structure in order to accomplish his goals, (Zhang et al. 2010, p.1330). He must evaluate based on work to be accomplished, skill sets, start and end dates as well as the amount of effort required for his next meeting.
2. b) Before Kelvin goes to his next meeting, he must reconstruct change management activities as well as it would assist in easing employees into change resistance process. Earlier, the changes did not comply with such extent hence it is recommended that he makes the change process slowly in order to make the employees feel attractive towards the task and make them feel comfortable. The process he should adopt is to communicate, educate and involve the stakeholders in the change process for reducing their resistance to change significantly. In the early stages of planning, each member must be communicated about such activities in order to enhance their motivation level, (Okuhara et al. 2010, p.399).
3. c) In case I was placed in Kelvin’s position, I would have made significant changes to prepare a plan for the meeting. As I have discussed earlier, that Kelvin needs to rectify his change management and project management process, I would also conduct the work breakdown structure and interact with the members during the early stages of the project. For the WBS structure, I would have communicated with the co-workers to gain significant knowledge and make the changes with their consent. I would also consider The Lewin change model for the change management process which would involve three stages- unfreezing, move and freeze in order to make the process slower and easier to accept for the employees, (Lewin, 1945).
4. d) As he had significant details about the requirement for the next 10 years and had 7 controls listed, Kelvin did not have an ethical lapse through cherry-picking the information in relation to his presentation as he estimated low cost for implementing, developing and operating controls for the company. Ethical lapse is a critical judgment that creates any harmful result or loss in business. Kelvin offers a list of controls due to the loss in business and for the next ten years. He also provided most advantageous controls that are required for the company.
5. e) No, Kelvin did not commit an ethical lapse as each of the controls was listed based on the cost of implementation, development, and In case, he provides internal design specification to his friend it is legitimate as it would assist in attaining the appropriate vendor for the project, (Atzori et al. 2010, p.2801). He can choose data based on his favorite initiative due to the significance of the project.

Conclusion

Conclusively, after conducting the complete report it can be stated that each of the section is significant in relation to information security system. From part 1 it has been analyzed that Kevin Mitnick would have chosen the alternative path for existence he could have gained several acknowledgments around the world other than becoming infamous for his cybercrime.

The topic chosen is also significant for EFF as it enhances the relevance of information security by passing down the laws and legal requirements required for maintaining standardization in an organization extensively. Through legal actions and organizational policies, the scenarios can be also normalized.

From part 2, it has been identified from case 1 that there is a huge chance that this kind of harm was caused by an insider without any intention and case 2 assisted to understand the significance of keyloggers and software for extracting pass keys. Case 3 forecasted the need for change management process and project management.

References

Books

Krutz, R.L. and Vines, R.D., 2010. Cloud security: A comprehensive guide to secure cloud computing. Wiley Publishing.

Lewin, K., 1945. Resolving social conflicts. Harper And Row; New York.

Miller, D.R., Harris, S., Harper, A., VanDyke, S. and Blask, C., 2010. Security Information and Event Management (SIEM) Implementation (Network Pro Library). McGraw Hill.

Peltier, T.R., 2010. Information security risk analysis. Auerbach publications.

Journals

Albrechtsen, E. and Hovden, J., 2010. Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security, 29(4), pp.432-445.

Alwi, N.H.M. and Fan, I.S., 2010. E-learning and information security management. International Journal of Digital Society (IJDS), 1(2), pp.148-156.

Appari, A. and Johnson, M.E., 2010. Information security and privacy in healthcare: current state of research. International journal of Internet and enterprise management, 6(4), pp.279-314.

Atzori, L., Iera, A. and Morabito, G., 2010. The internet of things: A survey. Computer networks, 54(15), pp.2787-2805.

Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), pp.523-548.

Da Veiga, A. and Eloff, J.H., 2010. A framework and assessment instrument for information security culture. Computers & Security, 29(2), pp.196-207.

Dubois, É., Heymans, P., Mayer, N. and Matulevičius, R., 2010. A systematic approach to define the domain of information system security risk management. In Intentional Perspectives on Information Systems Engineering (pp. 289-306). Springer, Berlin, Heidelberg.

Ericsson, G.N., 2010. Cyber security and power system communication—essential parts of a smart grid infrastructure. IEEE Transactions on Power Delivery, 25(3), pp.1501-1507.

Johnston, A.C. and Warkentin, M., 2010. Fear appeals and information security behaviors: an empirical study. MIS quarterly, pp.549-566.

Okuhara, M., Shiozaki, T. and Suzuki, T., 2010. Security architecture for cloud computing. Fujitsu Sci. Tech. J, 46(4), pp.397-402.

Popović, K. and Hocenski, Ž., 2010, May. Cloud computing security issues and challenges. In MIPRO, 2010 proceedings of the 33rd international convention(pp. 344-349). IEEE.

Puhakainen, P. and Siponen, M., 2010. Improving employees’ compliance through information systems security training: an action research study. Mis Quarterly, pp.757-778.

Ramgovind, S., Eloff, M.M. and Smith, E., 2010, August. The management of security in cloud computing. In Information Security for South Africa (ISSA), 2010 (pp. 1-7). IEEE.

Siponen, M. and Vance, A., 2010. Neutralization: new insights into the problem of employee information systems security policy violations. MIS quarterly, pp.487-502.

Takabi, H., Joshi, J.B. and Ahn, G.J., 2010. Security and privacy challenges in cloud computing environments. IEEE Security & Privacy, 8(6), pp.24-31.

Van Niekerk, J.F. and Von Solms, R., 2010. Information security culture: A management perspective. Computers & Security, 29(4), pp.476-486.

Zhang, X., Wuwong, N., Li, H. and Zhang, X., 2010, June. Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE.

Websites–

bigthink.com. 2018. Gots, J. Hacker for the Hell of It: The Adventures of Kevin Mitnick. [online] Big Think. Available at: http://bigthink.com/think-tank/hacker-for-the-hell-of-it-the-adventures-of-kevin-mitnick [Accessed 13 May 2018].

eff.org. 2018. Anon. [online] Available at: https://www.eff.org./press/releases/hearing-monday-eff-asks-appeals-court-rule-copyright-cant-be-used-control-publics-0 [Accessed 13 May 2018].