Information Security Report: Mitnick, Privacy, and Attacks


Added on  2020/03/28

AI Summary
This report provides an in-depth analysis of information security, beginning with a discussion of Kevin Mitnick's hacking activities and the evolution of cyber threats. It then delves into the critical issue of user privacy in the digital age, focusing on Apple's stance against intrusive advertising practices and the implications of third-party tracking and cookie usage. The report further examines several case studies involving data breaches, disasters, and employee misconduct, offering insights into incident response and business continuity planning. These scenarios include network attacks, natural disasters, and insider threats. The report also explores ethical considerations related to information security, such as the responsibilities of security professionals and the importance of transparency and honesty in managing projects and influencing outcomes. Finally, the report highlights the importance of robust security measures, including firewalls, anti-virus software, and cloud backups, to mitigate risks and protect sensitive information.
Information Security
Name
Date
Part 1
1. Kevin Mitnick is an American computer security expert and consultant, as well as an author and
a hacker. He is famous for his 1995 arrest and subsequent controversial five-year imprisonment
on various communications and computer-related charges. As a teenager, Mitnick used dumpster
diving and social engineering to bypass the Los Angeles bus system's card punching system, using
unused transfer slips he got from a dumpster adjacent to the bus park. Having succeeded at this,
he later made social engineering his preferred method for obtaining information, including modem
phone numbers, passwords and user names. At age 16, he gained unauthorized access to a network
when he got a phone number for DEC (Digital Equipment Corporation) from a friend. Mitnick broke
into DEC computer networks and managed to copy the company's software, a crime for which he was
arrested, charged and convicted in 1988 and sentenced to 12 months in prison. He was further
sentenced to three years of supervised release but managed to hack the voice mail computers of
Pacific Bell (Shimomura & Markoff 1996). He fled after an arrest warrant was issued against him,
becoming a fugitive for almost three years. Records show that he managed to gain unauthorized
access to several computer networks while he was a fugitive; he used cloned mobile phones to
conceal his whereabouts while engaging in digital mischief, including copying valuable proprietary
software from the largest computer and telephone corporations in America.
He intercepted and stole computer passwords, and was able to break into private e-mail and alter
computer networks. After a high-profile pursuit by the FBI, he was arrested on 15 February 1995
in North Carolina on charges including wire and computer fraud, and was found with cloned codes
and mobile phones and several pieces of fake identification. He was indicted on 14 charges of
wire fraud, intercepting electronic/wire communications, 8 counts of possessing unauthorized
devices, accessing a Federal/Government computer without authorization, and damaging computers.
He pleaded guilty to four counts of electronic fraud, one count of illegally intercepting a wire
communication, and two computer fraud counts as part of his plea agreement, and was sentenced
cumulatively to 68 months in prison. In all, Mitnick served a five-year jail term and was held in
solitary confinement, apparently after authorities convinced the judge that Mitnick had the
capability to instigate a nuclear war just by accessing a mobile phone and whistling into it
(Greenberg, 2014). He is thus infamous for serious hacking activity in the age before the internet
and modern communications devices.
2. a. The chosen topic is "Apple does right by users and advertisers are displeased".
This topic has been chosen because advertisers have for many years abused the freedom of the
internet by developing an 'economic' model in which the privacy of users is violated: their
browsing activity is tracked and monitored for the purpose of sending adverts, without the
consent or agreement of the internet users. Many internet sites include stealthy scripts that
track, collect, and share your browsing data with third parties. The domains of the web sites a
user visits set cookies, which enables those sites to recognize the user from previous visits,
although without tracking visits to other sites (Jegatheesan 2013). However, third-party domains
other than those the user visits also set cookies, circumventing the original purpose and design
of cookies. These third-party domains then track all the sites a user visits without the user's
knowledge, even where their trackers are not loaded. Websites then use these third-party cookies
for tracking, analysis and data brokerage, aggregating individual profiles that are then fed into
real-time auction processes. Companies then bid for the right to send the user advertisements,
based on their aggregated browsing information, whenever they visit a site.
b. This is an important privacy issue and an information security topic because it violates the
privacy of internet users when the internet is supposed to be free. Cookies act like a
surveillance tool: they track user information and activity while browsing, and the collected and
aggregated online behavior is sold off, through auctions, to advertisers. The user does not
benefit in any way, yet their activity is tracked without their consent and used for commercial
purposes. Hackers can get their hands on this information and use it for malicious attacks, social
engineering attacks, or theft of information and data, and hence it should be considered a serious
security issue. It breaches user privacy and exposes users to further risks, without even giving
them the chance to decide whether to allow their activity to be tracked, how this information
about them is used, and by whom (Barker, 2014).
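The cross-site linking described in part 2 can be audited from a capture of a browser's requests. The Python below is an added example, not part of the original report: it flags third-party domains that receive the same cookie while the user is on several different first-party sites. The log entries, the domain names and the two-label site() shortcut are constructed assumptions.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample capture: (page the user opened, resource that page loaded,
# Cookie header the browser attached to that resource request, or None).
SAMPLE_LOG = [
    ("https://news.example/story", "https://news.example/app.js", "session=a1"),
    ("https://news.example/story", "https://cdn.adtrack.test/pixel.gif", "uid=u-777"),
    ("https://www.shop.example/cart", "https://static.shop.example/cart.css", "cart=9"),
    ("https://www.shop.example/cart", "https://px.adtrack.test/t.js", "uid=u-777"),
    ("https://blog.example/post", "https://fonts.test/f.woff", None),
    ("https://blog.example/post", "https://adtrack.test/sync", "uid=u-777; lang=en"),
    ("https://blog.example/post", "https://widgets.test/w.js", "w=1"),
]


def site(url):
    """Naive registrable domain: the last two labels of the host.
    Assumption for this example; real tooling should use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cross_site_trackers(log, min_sites=2):
    """Return {third_party_site: {"name=value": [first-party sites]}} for every
    cookie a third party received on at least `min_sites` first-party sites."""
    seen = defaultdict(lambda: defaultdict(set))
    for page_url, request_url, cookie_header in log:
        first, third = site(page_url), site(request_url)
        if first == third or not cookie_header:
            continue  # first-party request, or no identifier attached
        for name, morsel in SimpleCookie(cookie_header).items():
            seen[third][f"{name}={morsel.value}"].add(first)

    report = {}
    for third, idents in seen.items():
        hits = {ident: sorted(sites) for ident, sites in idents.items()
                if len(sites) >= min_sites}
        if hits:
            report[third] = hits
    return report


if __name__ == "__main__":
    for tracker, idents in cross_site_trackers(SAMPLE_LOG).items():
        for ident, sites in idents.items():
            print(f"{tracker} linked {ident} across {', '.join(sites)}")
```

First-party cookies (session, cart) and third parties seen on only one site are not reported, which keeps the output focused on identifiers that can link visits across sites.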
3. a. A hacker breaking into the network of a company and deleting data is a serious disaster, as
crucial information is lost; in this case, the company should have in place a business process
continuity contingency, such as virtual real-time cloud backups of its data.
b. When a fire breaks out, the fire sprinklers automatically come on, some computers are damaged
and the fire is contained, this is an incident. Business process continuity plans should still
come into play, such as having RAID architectures on the computers so that even if one or a few
are physically damaged, the data contained in them is mirrored to other computers/virtual
computers, ensuring business process continuity (Radvanovsky & Brodsky 2016).
c. A tornado hitting the local power station is an incident, and business continuity can be
attained by having virtual backups running or using emergency power supplies, such as UPS or
standby generators, for business processes to continue.
d. When employees are on strike, this is an incident, and even if the company is without critical
workers for weeks, some activities can be automated or outsourced to other firms, such as call
centers, while the issue with employees is tackled.
e. A disgruntled employee sneaking out a critical server after hours is a disaster because not
only is data lost, but crucial information could be leaked. Continuity can be ensured if the
company's ICT security staff had envisaged such issues and had backups for all servers, through
virtual and cloud backups and RAID architectures for servers, so there is a mirror copy of the
server to enable business continuity (Radvanovsky & Brodsky 2016).
Part 2
Case 1
a. While the attack could have come from outside the company's network, such as through malware
(virus, worm, Trojan), the real cause is most likely to have come from the inside. Insider threats
are the biggest threats to IT security, arising from human acts of omission and/or commission,
whether deliberate or accidental. The biggest cyber threats come from within the company; for
instance, malware may have been sent embedded in an e-mail, or as a link in an e-mail that a user
inadvertently clicked, enabling the malware to self-replicate and wipe out data from SLS
computers. Or an employee used an external device that was infected, thereby infecting the entire
company's systems with a virus and causing the loss of data (Jouini, Rabai & Aissa 2014).
b. Anti-virus and worm control software should be part of an integrated security system; SLS
should have its networks compartmentalized so that crucial resources remain isolated and
encrypted. SLS should start by implementing a strong firewall (physical and software) that is
regularly updated. Importantly, the company should run a company-wide sensitization program and
educate employees on what kinds of files never to open (McGoogan 2017). This should be augmented
with strong internal security policies, including strong authentication and passwords and
restricting access to certain resources by unauthorized employees. Further, SLS should implement
an off-site cloud backup of its systems with virtual backups so that files can be restored in the
event a serious attack incident occurs (Kharraz, Robertson, Balzarotti, Bilge & Kirda 2015).
c. The attack was likely the result of a worm; this is because worms exploit network security
holes and spread rapidly through the network, installing themselves on computers and causing
havoc, including deleting files, rendering computers unusable, or encrypting files such that they
cannot be accessed. Because SLS lost its data and re-installation was being done on the computers,
it means the attack spread too fast within the network and caused damage. The difference between
worms and viruses is in how they spread: worms spread through networks very rapidly but can cause
similar damage to viruses, including file deletion (Wong & Zhu 2016).
Case 2
a. Charlie was lying about the time it would take to recover an encryption key using brute force
attacks, because the time depends on the encryption used: 256-bit AES encryption will require
2^128 attempts to crack the key, since 256-bit AES encryption has 2^256 different combinations;
even attempting to crack it would require very powerful GPUs, not CPUs.
b. Apart from PKI, the best approach is to ensure the keys are managed properly in the first
place; for instance, the data can be restored and recovered to a point in time before it was
encrypted. However, in the event the recovery keys are lost, a data recovery agent can be used,
because when files are encrypted, the recovery keys for the data recovery agent are also added to
the encrypted files as an automated process. The recovery agent is the local administrator account
if the computer is not on a domain. Operating systems such as Windows 2000 and above contain the
Cipher.exe tool, which can be used to decrypt, encrypt, and extract encrypted file information
(Posey, 2017).
c. Given that they are in an organization and have various access limitations, undertaking this
without informing Peter or getting policy authority would be illegal and a violation. It should
only be done as part of company policy, because with those key logs the access codes can be
stolen, using spyware for instance, and the data stolen or access to it blocked by a malicious
attacker, again rendering the files fully inaccessible.
d. The little white lie is not unethical; this is because insider threats are the biggest
hindrance to cyber security. If Peter knows that his activities are being tracked using a key
logger, he might become more cautious and use other stealthy methods to perpetrate malicious
attacks. Without this knowledge, however, Peter would not know he is being tracked, and this would
enable the company to prevent an insider breach, or to track user activity in the event of one.
Case 3
a. Kelvin should create a list of stakeholders and a stakeholder sheet, detailing all the
stakeholders, their positions, level of interest, and how they can influence the project, as well
as the communication plan for interacting with them.
b. Change management tasks should entail preparing the people the change will affect, including
getting their opinions beforehand and asking for the best way forward. Kelvin should also explain
what the change is, what benefits it will bring, and how it will affect the employees, and prepare
them psychologically for any adverse effects.
c. I would have known who the stakeholders are and known how they would impact the project, and
contacted them beforehand (before the meeting), giving them prior information on the coming
changes and calling them to the meeting; this way, resistance would reduce as the people would
already have an expectation.
d. Yes, Kelvin has an ethical lapse by creating the wrong impression and expectations for the
losses and costs of implementing the controls.
e. In this case as well, Kelvin has an ethical lapse because he is trying to influence the outcome for
the supplier using psychological conditioning such that his friend’s company gets a mathematically
higher chance for supplying the software, rather than having the best company supply it. He is
canvassing for the friend using insider knowledge (Stamatellos, 2008).
References Used
Barker, D. (2014). Is the Cookie Law Being Enforced in the UK? - Dan Barker. [online] Dan
Barker. Available at: http://barker.co.uk/cookielaw [Accessed 22 Sep. 2017].
Greenberg, A. (2017). Kevin Mitnick, Once the World’s Most Wanted Hacker, Is Now Selling
Zero-Day Exploits. [online] WIRED. Available at:
https://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/ [Accessed 22 Sep. 2017].
Jegatheesan, M. (2013). Cookies – Invading Our Privacy for Marketing, Advertising and Security
Issues. Security, Privacy, and Usability. https://arxiv.org/pdf/1305.2306.pdf
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of Security Threats in Information
Systems. Procedia Computer Science. 32, 489-496.
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., & Kirda, E. (2015). Cutting the Gordian Knot:
A Look Under the Hood of Ransomware Attacks.
McGoogan, C. (2017). How to protect yourself from ransomware. [online] The Telegraph. Available
at: http://www.telegraph.co.uk/technology/0/protect-ransomware/ [Accessed 22 Sep. 2017].
Posey, B. (2017). Techniques for performing EFS recovery. [online] Tech Target. Available at:
http://searchdatabackup.techtarget.com/tip/Techniques-for-performing-EFS-recovery [Accessed 22
Sep. 2017].
Radvanovsky, R., & Brodsky, J. (2016). Handbook of SCADA/control systems security. Boca Raton,
CRC Press, Taylor & Francis Group.
Shimomura, T., & Markoff, J. (1996). Take-down: The pursuit and capture of Kevin Mitnick,
America's most wanted computer outlaw--by the man who did it. New York: Hyperion.
Stamatellos, G. (2008). Computer ethics: a global perspective. Sudbury, Mass, Jones and Bartlett.
Wong, W. Eric, & Zhu, Tingshao. (2016). Computer Engineering and Networking Proceedings of
the 2013 International Conference on Computer Engineering and Network. Springer Verlag.