Part II
Provide a minimum of one-page (single space) typed response to answer each question.
1. Review the attached amendment (see attached document in BlackBoard Documents) to a United States Code that addresses fraud and related activities in connection with computers. You are representing the United States Government as the prosecuting attorney. You have sufficient evidence that the individual committed fraud against a financial institution, causing damage that resulted in a loss of data. What punishment will you recommend and why? Identify 5 reasons to support your recommendation. (This question is worth 15 points.)
As the prosecuting attorney representing the United States government, I have enough evidence that this individual committed fraud against a financial institution, leading to a loss of data. In accordance with the Computer Fraud and Abuse Act (as amended in 1994 and 1996), Section 1030, Fraud and related activity in connection with computers, I recommend that this individual be punished as provided in subsection (c)(3)(B) of Section 1030.
Under this subsection, the punishment is a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A), (a)(5)(B), (a)(5)(C), or (a)(7) of this section. In light of the offences listed below, these subsections clearly fit the charges of fraud against a financial institution, which must be punished accordingly.
In order to properly back my recommendation, the following are some of the reasons why I feel that the provisions of subsection (c)(3)(B) of Section 1030 are the best fit. First, subsection (a)(4) covers whoever knowingly and with intent to defraud accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.
Subsection (a)(5)(A) covers whoever knowingly causes the transmission of a program, information, code, or command and, as a result of such conduct, intentionally causes damage without authorization to a protected computer; such a person shall be punished as provided in subsection (c) of Section 1030.
Similarly, subsection (a)(5)(B) states that whoever intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage must also face the consequences of their actions.
Subsection (a)(5)(C) likewise holds that one who intentionally accesses a protected computer without authorization and, as a result of such conduct, causes damage leading to loss of data should be punished accordingly.
Finally, subsection (a)(7) addresses whoever, with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer.
As can be seen from the above, these are legitimate reasons within the boundaries of the law to recommend this punishment, and the recommendation is in line with the constitution.
2. You work for the CIO at the University of Alabama, who is responsible for ensuring the IT Department implements the appropriate security controls and provides oversight to manage risk of their IT systems. Identify 2 commercial products that can support the security goals of the school’s Information Security General Operating Standards (see attached document in Blackboard Documents), and describe how 5 security functions for each product can reduce risk to an acceptable level. (This question is worth 20 points.)
The first product that can be used to support the security goals of the school’s ISGOS is Cisco’s Secure PIX firewall. For it, five security functions can be identified that reduce risk to an acceptable level.
The first two deal with Audit and Accountability.
AU-3 Content of Audit Records – The information system captures sufficient information in audit records to establish what events occurred, the sources of the events, and the outcomes of the events. These contents include the date and time of the event, the component of the information system where the event occurred, and the outcome of the event. The information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.
AU-5 Audit Processing – In the event of an audit failure or audit storage capacity being reached, the information system alerts appropriate organizational officials and takes the following additional actions: shut down the information system, overwrite the oldest audit records, stop generating audit records. The information system provides a warning when the allocated audit record storage volume reaches its capacity.
Also, under Configuration Management we have:
CM-3 Configuration Change Control – The organization documents and controls changes to the information system. Appropriate organizational officials approve information system changes in accordance with organizational policies and procedures. This involves the systematic proposal, justification, test, review, and disposition of proposed changes. The organization employs automated mechanisms to document proposed changes to the information system, notify appropriate approval authorities, highlight approvals that have not been received in a timely manner, inhibit change until the necessary approvals are received, and document completed changes to the information system.
CM-5 Access Restrictions for Change – The organization enforces access restrictions associated with changes to the information system, and employs automated mechanisms to enforce those restrictions and support auditing of the enforcement actions.
Finally, under Access Control we have:
AC-2 Account Management – The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts and should employ automated mechanisms to support the management of information system accounts.
A second product that can be used is General Dynamics’ Fortress Mesh Point Security Targets. Here, a few security functions can be identified.
Audit
AU-4 Audit storage capacity
The organization allocates sufficient audit record storage capacity and configures auditing to prevent that capacity from being exceeded.
AU-9 Protection of audit information
The information system protects audit information and audit tools from unauthorized access, modification and deletion. The information system produces audit information on hardware-enforced, write-once media.
Identification and Authentication
IA-1 Identification and authentication policy and procedures
The organization develops, disseminates, and periodically reviews/updates a formal, documented identification and authentication policy that addresses purpose, scope, and compliance, together with formal, documented procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls.
IA-2 User identification and authentication
The information system uniquely identifies and authenticates users. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or, in the case of multifactor authentication, some combination thereof.
IA-6 Authenticator feedback
The information system provides feedback to a user during an attempted authentication, and that feedback does not compromise the authentication mechanism. The information system may obscure feedback of authentication information during the authentication process.
3. Our Client, a renowned trading company, suffered a sudden, devastating power outage that caused their server to cease functioning. The company took the hard-drive to a local computer repair company that was unable to read the corrupt drive. At this point, the company contacted you, a forensics consultant, to recover the information. What actions will you take? Provide 5 specific steps and explain how these actions will help. (This question is worth 15 points.)
After receiving the corrupt hard drive, the first step is to calculate the amount of unallocated storage space. This identifies the space that had belonged to the files that were corrupted and gives an indication of what to expect from the drive. The second step is to use forensic software to search for keywords in files, file slack, and the unallocated space; these keywords help identify the files that are most important to the trading company. Third, after making headway with the search, document the names of the files along with their dates and times; this gives a proper record of what these files contain and what they mean, so that they can be placed correctly later. Fourth, identify file, program, and storage anomalies and work on them accordingly; once everything has been documented appropriately, this step should be quite straightforward because everything is in the right order. Finally, once the needed data has been recovered with the software, evaluate program functionality to ensure that everything is running well.
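The first three steps above (measure unallocated space, keyword-search allocated files and unallocated space, record file name and date for each hit), as an added example that is not part of the original answer. The disk image bytes, the allocation table and the keywords are constructed for the demo, and the table layout (name, mtime, offset, length) is an assumption standing in for what the forensic software reads from the real file system.

```ruby
require 'digest'

# Constructed sample of a raw disk image (not a real drive). The allocation
# table lists the files the file system still knows about; every byte outside
# those extents is treated as unallocated space where lost data may survive.
ALLOCATED = [            # name, mtime, offset, length (assumed table layout)
  ['ledger_2023.csv', '2023-11-02 09:14', 0,  64],
  ['clients.db',      '2023-11-03 17:40', 64, 48]
].freeze
IMAGE = (
  "account,balance,trade_id\n1001,250000.00,TRX-7781\n".ljust(64, "\0") +
  'client: Acme Trading; contact: j.doe@example.com'.ljust(48, "\0") +
  "\0" * 20 + 'deleted trade log TRX-7781 wire transfer 2023-10-30' + "\0" * 30
).b.freeze

# Step 1: bytes not covered by any allocated file, i.e. candidate space for
# the files the file system lost track of.
def unallocated_bytes(image, table)
  image.bytesize - table.sum { |(_, _, _, len)| len }
end

# Step 2 and 3: find every occurrence of each keyword, and for each hit record
# which allocated file (and its mtime) it belongs to, or that it lies in
# unallocated space and therefore needs to be carved and documented separately.
def keyword_hits(image, table, keywords)
  hits = []
  keywords.each do |kw|
    pos = 0
    while (idx = image.index(kw, pos))
      owner = table.find { |(_, _, off, len)| idx >= off && idx < off + len }
      hits << { keyword: kw, offset: idx,
                region: owner ? owner[0] : 'unallocated',
                mtime:  owner ? owner[1] : nil }
      pos = idx + 1
    end
  end
  hits
end

# Hash of the image taken before and after analysis, so the documentation can
# show the evidence was not altered while it was being searched.
def evidence_hash(image)
  Digest::SHA256.hexdigest(image)
end
```

Point IMAGE at `File.binread('drive.img')` to run the same search over a real image.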
4. You are the CIO for a mid-sized financial company, 5000 employees. You are reviewing your options to determine whether to select Symmetric Key or Asymmetric Key cryptography. Either approach will satisfy the company’s security requirements. Identify the (5) advantages and (5) disadvantages for each, and the planning considerations. (This question is worth 20 points)
As the CIO, after reviewing my options I concluded that either symmetric key or asymmetric key cryptography will satisfy my company’s security requirements, so I looked at the advantages and disadvantages of each option as well as some planning considerations.
With regard to symmetric key cryptography, one advantage is that it is more efficient, as it can handle high rates of data throughput; its processing ability is greater. Also, the keys for symmetric-key cryptosystems are shorter. Another advantage is that it is relatively cheap and widely available on the market, so obtaining it should not require much effort or searching. Also, the encryption key and the decryption key are the same key, and as such the sender and receiver have to agree on a key before secure communication can take place. A final advantage of symmetric keys is that they require less computing overhead, making them easier to operate.
Some disadvantages of symmetric key cryptography are that it requires many more security mechanisms in order to work at 100%. Also, the fact that all parties involved have to exchange the key used to encrypt the data before they can decrypt it can be a problem, especially when one party is unavailable. Another disadvantage is that anyone outside the people entitled to the key who learns the secret key can go ahead and decrypt the message. A fourth disadvantage is that the security of the encryption depends on the secrecy of the key as well as the key length. A final disadvantage is that it might be impossible for the other party to decrypt the files you send them when they do not yet know the key.
When it comes to asymmetric key encryption, one advantage is that keys can be used as session keys and discarded after a single session, so that if data is compromised only the data sent within that session is at risk. Another advantage is that no secret channel is necessary for the exchange of the public key, since the receiver needs only to be assured of the authenticity of the public key. A third advantage is that it creates fewer key-management problems than symmetric keys. A fourth is that it does not need to remain secret, since it is used to create a shared session key, after which communication proceeds through symmetric key cryptography using that shared session key. Finally, such keys have a long lifespan and can remain in use for years without any threat to the system’s security.
Some disadvantages of asymmetric key encryption are that one cannot be one hundred percent sure that a public key belongs to the person it names, so everyone has to verify that public keys belong to their claimed owners. Another disadvantage is that its encryption can be slow compared to symmetric encryption, which can be a problem when decrypting bulk messages. Widespread security compromise is also possible: once an intruder gains entry into the system, all of a user’s information may be easily accessed. A fourth disadvantage is that it requires far more computing resources to operate than symmetric encryption. Finally, received messages may not be decryptable once the key is lost.
With regard to planning considerations, we are responsible for making sure that the company’s systems and data are secure from unauthorized access. Access to production servers is limited to personnel with a legitimate purpose for it. Firewalls should be used to protect the production network from internal as well as external intrusion and to limit the nature and source of network activities with the potential to cause harm. Passwords should be required to meet a minimum character length, to contain a combination of numbers and special characters, and to be changed from time to time. Also, the necessary staff members must be trained on how the new systems work so that the number of errors is reduced. Finally, cost figures should be considered when the final decision is made, with regard to the company’s budget and affordability.
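The session-key model described in the asymmetric key paragraph above (asymmetric keys used only to establish a per-session symmetric key, which is discarded afterwards so that a compromise exposes only that session), as an added example that is not part of the original answer. It uses Ruby’s OpenSSL bindings: RSA-OAEP wraps a one-time AES-256-GCM key, and the recipient key pair and message are generated for the demo rather than taken from any real system.

```ruby
require 'openssl'

# Hybrid scheme: every message gets a fresh AES-256-GCM session key, and the
# recipient's RSA public key is used only to wrap that key. The session key is
# never stored, so recovering one message's key reveals nothing about others.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender side: encrypt plaintext under a new session key, then wrap the key.
def seal(recipient_pub, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  session_key = cipher.random_key      # per-session secret, discarded on return
  iv = cipher.random_iv                # fresh nonce; never reused with a key
  ciphertext = cipher.update(plaintext) + cipher.final
  { wrapped_key: recipient_pub.public_encrypt(session_key, OAEP),
    iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Recipient side: unwrap the session key with the private key, then verify the
# GCM tag and decrypt. Any modification of the ciphertext raises CipherError.
def open_envelope(recipient_priv, env)
  session_key = recipient_priv.private_decrypt(env[:wrapped_key], OAEP)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = session_key
  decipher.iv = env[:iv]
  decipher.auth_tag = env[:tag]
  decipher.update(env[:ciphertext]) + decipher.final
end

# Demo with a key pair generated on the spot (constructed, not a company key).
if __FILE__ == $PROGRAM_NAME
  recipient = OpenSSL::PKey::RSA.new(2048)
  env = seal(recipient, 'settlement batch 42')
  puts open_envelope(recipient, env)
end
```

Only the recipient's RSA key pair is long-lived here, which is the split the planning paragraph relies on: the asymmetric key is the one that must be protected and backed up, while session keys need no key-management process at all.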