Cybersecurity BOR-3307-Lesson Assignment 2
This assignment requires you to do some research. While Wikipedia is not an acceptable source, there are a number of online sources that are valuable. Keep in mind the writing rubric requirements about sources.

Write an essay that addresses the following: Imagine that you are an information security professional working for an organization of your choice (what kind of organization doesn’t really matter). All information security professionals typically have certain general skills in common. In addition to a strong understanding of processes and functions within their organization, these information security professionals possess the following attributes:
* They understand that information security requires firm support from management and the commitment of necessary resources. Information security is a business imperative, not simply a technical issue.
* Information security professionals need good interpersonal communication skills, strong writing skills, and a tolerance for the mistakes system users sometimes make.
* Information security professionals need to understand how policy and guidance fit into overall system security processes and procedures.
* They should be able to explain to members of the organization what information security policies and procedures need to be in place and why. Education and training reduces mistakes and makes for a smarter workforce. It helps the workforce become a part of the overall system security equation.
* Information security professionals should understand the nature of the threats facing an organization and see how these threats work to exploit vulnerabilities within the system.
* They should be able to assess risks to system security and be able to devise plans to balance system availability against known or suspected risks.
* Finally, they should have a good working knowledge of common information system technologies and should stay up to date on developments in the field.

Use this list of attributes as a guide while researching three or four well-publicized attacks on information systems. Examine the techniques used in the attacks (dumpster diving, social engineering, zero-day attacks, etc.), the vulnerabilities exploited (poor employee training, out-of-date software, misconfigured software or hardware, etc.), and the reaction of the victim of the attack (policy changes, education programs, public announcements, legal actions against the perpetrators, etc.).

For example, Kevin Mitnick was one of the most notorious hackers in the early days of the Internet. He used a variety of open-source research and social engineering techniques to collect technical system information in order to gain access to communications systems including early cellular telephone systems. He was successful in part because many of the organizations he targeted did not understand the nature of the threat. These were new technologies and people were just beginning to understand how they worked.
The organizations Mitnick targeted failed to grasp the extent of the vulnerabilities in those early systems and, additionally, failed to educate their employees on how to detect and resist social engineering techniques or how to recognize and deal with unauthorized requests for personal or technical information. Many of Kevin Mitnick’s efforts could probably have been defeated if the organizations he targeted had policies and procedures in place for dealing with the release of personal or technical information and employees had been thoroughly trained on the nature of the potential threat and how to respond to it.
Using the list of attributes for information security professionals and the example of Kevin Mitnick, a modern information security professional could defend against him by ensuring that policies for handling requests for personal or technical information were in place and strictly enforced. The Privacy Act and the policies for the protection of Personally Identifiable Information (PII) have been around since at least the mid-1970s, but weren’t really widely recognized or enforced in many organizations until the late 1990s.
Additionally, there was almost no thought or effort given to employee training or education with respect to threats to information systems. These are just a few thoughts; there are many additional steps an organization and an information security professional could take to defend against an attacker like Kevin Mitnick.

There are dozens of other well-known hackers such as Jeanson James Ancheta, Robert Tappan Morris, Kevin Poulsen, Adrian Lamo, or Kristina Svechinskaya, hacker organizations such as Anonymous or Global Hell, and government- and organized-crime-sponsored hacker activities such as China’s Unit 61398. Each individual or organization takes (or has taken) advantage of a variety of vulnerabilities, using a variety of exploitation techniques. The technical details of many successful techniques are not widely publicized (for obvious reasons).
It’s not important that you thoroughly examine the technical details of the vulnerabilities or exploits (in many cases, the technical details will not be available). The focus of this assignment is to use the topics covered in this course such as SecSDLC, risk assessment, risk management, legal and ethical issues, cryptosystems, physical security, education and training, and a broad understanding of defensive and threat detection technologies to:
* Identify several threats
* Explore the nature of the threats you have identified
* Describe in general terms the history or applicability of those threats: Who were they? What were their goals? What methods did they use? How successful were they?

How would you as an information security professional defend against the threats you identified?

* How would you defend against the threat while still maintaining access to system resources for authorized users?
* How would you communicate your plans with upper management or with employees throughout the organization?
* Would you need to develop new policies? What would they be?
* What kind of support would you need from upper management?
* Would you need new training or education programs for employees?

The final several paragraphs of your paper present your case that supports your conclusion.
In a persuasive essay, such as this, you have to state clearly what you want the reader to think, believe, or act on. It might be helpful to think of this as a persuasive argument. You have to have logical reasons for what you argue. Finally, you should demolish the opposition by considering other views and showing why they are not as valid as your arguments.

Your paper should be 6-8 pages in length, double spaced, Times New Roman 12 pt. font, with 1-inch margins. Prepare your paper using APA or Chicago style. Incorporate a cover page and reference list (not counted as part of the paper length). You must use at least five (5) different credible references.