QUESTION 1
(a) What is cyber terrorism & information warfare in relation to?
(b) What can be made on the subject of cyber terrorism?
(c) When it comes to IT Related Risks. Are we at risk at home, and what can we do to locked our home computers?
QUESTION 2
Natter the term Risk Management, its methods and core principles.
CASE STUDY – 1
QUESTION 3
Global Airlines (GA) wants to be an well-organized, yet customer-friendly airline company. clientele are business passengers, who demand reliable, fast and private services. In order to get better these services and thereby strengthen their market position, the board of directors decided to study the use of RFID chips injected in the arms of passengers for recognition
Wikipedia declares on about RFID:
Radio Frequency Identification (RFID) is a means of remotely storing and retrieving data using devices called RFID tags. An RFID tag is a small object such as a bonding agent sticker that can be fastened to or incorporated into a product. RFID tags contain antennae to facilitate them to receive and respond to radio-frequency queries from an RFID transceiver.”
The practice as such is fairly old, legitimately invented by Harry Stockman in 1948 in his report “Communication by Means of Reflected Power”, but already being utilized all through World War II by the UK to distinguish English airplanes from German ones. Recently, RFID has a lot of attention due to its implementation in very small chips, competent enough of being attached to all kinds of objects to track them or to store in sequence about the object.
Preceding implementations from the 60s and 70s were single-bit and only capable of telling that `an object’ was present, for instance in anti-theft ways in section stores. In this time, much effort was invested in getting RFID to a higher level; letting it do more, like an attempt to get electronic permit plates in various states of the USA. Most attempts failed, but this led to the technology maturing very quickly.
The modern RFID tags can for example replace barcodes in supermarkets, making it possible to scan a complete shopping cart in an instant, without the need of placing every single product on the counter. They can also be used to identify and track certain objects, an idea which privacy supporters do not like, as it is also probable to track identified persons who then have little or no privacy.
Currently there is an ongoing discussion on the use (and abuse) of RFID, about its advantages and disadvantages and also about the social changes the introduction of modern RFID will entail & Implementation of RFID chips in the business model of an airline company, leaving irrelevant details out of scope. First, observations about the case and current RFID topics are collected. Secondly, an records of the risks is made, together with probable solutions to resolvable issues.
GA requirements
The GA has put out a few requirements to which the RFID service must provide an improvement.
a. Reduce waiting times before check in (last-minute check in)
b. Personalized service to clientele
c. Easy listing of special programs (e.g. frequent flyer miles)
d. Easy imbursement of additional services (e.g. consumables at the airport or tax-free shopping during the flight
Each of them has to be taken into account (consideration) , for they can be conflicting when considering safety and ease of use.
a) We know that technologically, RFID experiences from privacy issues and consumers will reject it. With traceability attacks on three different layers inherent in the arrangement. Which three layers of the seven OSI layers does it relate to and how are they extravagancy?
b) Confer about the Social Problem of RFID?
c) You are now considering risks linked to the use of an RFID system. The risks need to be assessed in a categorized manner using the CIA safekeeping Paradigm. You should also deem accountability as a fourth to the three categories. Chat on the various categories in relation to the RFID.
d) Finally, you are to suggest policy based solutions to your risk assessments made above and you should categorize your solutions in the same manner as per your previous evaluation.
CASE STUDY – 2
QUESTION 4
Many companies spend hundreds of thousands of dollars to ensure corporate computer safekeeping. The safekeeping protects company coverts, assists in compliance with centralized laws, and imposes privacy of company clients. unluckily, even the best safekeeping mechanisms can be bypassed through Social Engineering. Social Engineering uses very minimal cost and low technology means to overcome impediments posed by information safekeeping measures. These paper aspects a Social Engineering attack executed against a company with their permission. The bother yielded sensitive company information and numerous user passwords, from many areas within the concern, giving the attackers the ability to cripple the company despite extremely good technical information safekeeping measures. The results would have been comparable with almost any other company. The paper bring to a closes with recommendations for minimizing the Social Engineering threat.
There are millions of dollars spent on both Information safety measures and research and development in this area. These measures are designed to foil unauthorized people from gaining access to computer systems, as well as preventing authorized users from gaining supplementary privileges. The proper technical safekeeping measures can effectively combat almost any technical threat posed by an outsider. Unfortunately, the most solemn attack may not be technical in nature.
Social Engineering is the term the hacker society associates with the process of using social interactions to obtain information about a “victim’s” computer system. In many cases, a hacker will accidentally call a corporation and ask people for their passwords. In more elaborate circumstances, a hacker may go through the garbage or pose as a safekeeping guard to obtain critical information. A recent edition of 2600: The Hacker’s quarterly detailed methods for obtaining a job as a janitor within a company. While these methods appear to be ridiculous, and possibly even comical, they are extremely effective. Social Engineering provides hackers with efficient short cuts, and in many cases facilitates attacks that would not be possible through other means. For example, the Masters of Dishonesty, who significantly penetrated the United States’ telecommunications system, were only able to do so after obtaining information found in the garbage of the New York Telephone corporation.
The case study depicted in this paper does not represent a single operation. To defend the authors’ clients, the case study symbolizes a compilation of several real attacks against large financial institutions. These attacks were demeanour as part of a comprehensive vulnerability analysis for the organizations. While the commercial officers were aware of a potential attack, the remnants of the companies’ employees were not. Everything portrayed in the case study has occurred on multiple occasions.
The “attackers” were restricted to gathering information over the telephone, and were specifically trained not to exploit the system with the information. The assault was limited to four man-days of effort, requiring the attackers to be more “bold” than is normally required. A real Social Engineering does violence to would be accomplished over weeks, if not months. Since the potential recompense for an assailant would be very great, a real show aggression would have included several physical visits to the company’s offices and possibly even obtaining a job at the company.
THE ATTACK
Initially, the attackers performed explore on Internet library resources to obtain an initial perspective on the organization. Diverse databases, revealed the names of numerous company employees and officials. A hunt of a local telephone directory provided the telephone number of a company office in the vicinity of the attackers. A call to the workplace obtained a copy of the company’s annual report as well as the company’s toll free telephone number. No rationalization was needed to obtain this information in a row.
Combining the data from the annual report with the data that was obtained from the Internet provided the attackers with names and positions of many senior officials, along with information on the assignments they are working on. The next logical step was to obtain a corporate telephone directory, which exposed the names of additional employees and a comprehensive view of the company’s corporate structure.
Using the toll free telephone number, a call was placed to the foremost telephone number to contact the Mail Room. The caller stated that they were a new employee and needed to know what information was required to ship packages both within the United States and abroad. It was erudite that there were generally two numbers required to perform a operation within the company; an worker Number and a Cost Center Number. A call to get hold of similar information from the Graphics department confirmed the importance of the numbers.
The attackers determined which executive they knew the most about. Calling through the key telephone number, the executive’s escritoire was contacted by an attacker claiming to be from the company’s Public Relations Department. contained by a sequence of basic and harmless questions about the executive’s surroundings, the attacker asked for, and obtained, the executive’s member of staff Number. A later call to the secretary, by another mugger, obtained the Cost Center of the executive through the imitation of an auditor confirming appropriate computer charging.
Another call, through the main telephone number, connected the attackers with the branch responsible for distributing corporate telephone directories. By impersonating the supervisory, it was requested that a telephone directory be sent to a “subcontractor”. The executive’s Employee Number and Cost Center were supplied, and the listing was shipped via overnight courier to the subcontractor.
Using the telephone directory, the attackers contacted dozens of employees in various departments to obtain additional Employee Numbers that could be used for additional molests. The numbers were regularly obtained by impersonating a Human Resources employee who accidentally contacted the wrong employee, and needed the employees Employee Number to clear up the “confusion”.
The attackers then determined that they would attempt to obtain the names of new workforce who were probably least aware of any threats to the concern. Using the information obtained from the initial phase of the attack, the name of a very senior company management was acknowledged. The telephone directory revealed the name of an employee who most likely worked for the supervisory. At this occasion it was determined that the best method to obtain the names of the new employees was to claim that the managerial wanted to personally welcome new employees to the company. The mugger would claim to work for the executive, and that the executive was extremely upset, since the information was overdue.
As luck would have it, an initial call to the New Hire Administration Office was answered by an answering machine. The message (text) on the machine revealed: 1) the office had moved, 2) the name of the one assigned to the telephone number, and 3) the new telephone number. The name of the person was critical, since knowledge of a specific name increases the legitimacy of the caller. It was belatedly in the day and the explicit person had left. This sanctioned the mugger to indicate that the absent person usually provides the information. The aggressors also claimed that a very prominent executive was extremely upset. The “pleas” of the attacker encouraged the person that answered the telephone to provide the requested information. The names of all of the employees that began employment during the current week were obtained, along with the subdivision of many of the employees.
It was then determined that the attackers should avoid contacting Information Systems employees, for the reason that they were more likely to be aware of the importance of protecting passwords. The attackers pretend to bed an Information Systems employee and contacted the new appoints under the guise of providing new workforce with a telephone “Computer Safekeeping Awareness Briefing”. At some stage in the briefing, the attacker obtained “basic” information, including the types of computer systems used, the software applications used, the member of staff Number, the employee’s computer ID, and the password. In one case, the mugger suggested that the new member of staff change their password, for the reason that it was easy to guess.
A Demon Dialer and a call to the Information Systems Help Desk obtained the telephone numbers of the company’s modems. The modem numbers provided the aggressors with the capability to exploit the compromised user accounts. To acquire the modem information effectively circumvented a very sophisticated Firewall system and rendered it useless. For the duration of a later attack, the attackers used similar methods to have the company provide them with their own computer account. The aggressors also were able to convince company employees to send them announcements software that accessed a “secure” connection.
a) Using the case study above. You are requested to provide your views as lessons learned and propose at least SIX important points with a concluding remark to help such a corporation with stepping away from social engineering.
