星期二, 6月 14, 2011

Take Assessment: Test 4 Topic 4

Question 1
Which of the following is NOT identified as a intruder "class"? (6.1)

A.
 

B.
 

C.
 

D.
  

The following are identified by the text (page 177) as intruder classes;

1. Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's account.

2. Misfeasor: A legitimate user who accesses data, programs, or resources for which
such access is not authorized, or who is authorized for such access but misuses his
or her privileges.

3. Clandestine user: An individual who seizes supervisory control
of the system and uses this control to evade auditing and access controls or to
suppress audit collection.

Question 2
Which of the following is NOT a desirable characteristics of an IDS? (6.5)

A.
 

B.
 

C.
 

D.
 

E.
 

F.
 

These are desirable characteristics (specified in textbook, p 183) of an IDS;

•Run continually with minimal human supervision.
•Be fault tolerant in the sense that it must be able to recover from system crashes
and reinitializations.
•Resist subversion. The IDS must be able to monitor itself and detect if it has been
modified by an attacker.
•Impose a minimal overhead on the system where it is running.
•Be able to be configured according to the security policies of the system that is
being monitored.
•Be able to adapt to changes in system and user behavior over time.
•Be able to scale to monitor a large number of hosts.
•Provide graceful degradation of service in the sense that if some components of
the IDS stop working for any reason, the rest of them should be affected as little as
possible.
•Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without
having to restart it. 

Question 3
Which of the following ARE useful for profile-based intrusion detection? (6.7)

A.
 

B.
 

C.
 

D.
 

E.
 

F.
 

All the following ARE useful for profile-based intrusion detection (see textbook page 186);

Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time.

Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity.

Interval timer:  The length of time between two related events.

Resource utilization: Quantity of resources consumed during a specified period.

 Question 4

Which of the following best describes the "operation" of a virus or worm? (7.3)

A.
 

B.
 

C.
 

D.
 

E.
 

F.
 

Typical phases (as described by the textbook on page 220) of operation are; a dormant phase, a propagation phase, a triggering phase, and an execution phase.

 Question 5
Which of the following is NOT an effective worm countermeasure? (7.7)

A.
 

B.
 

C.
 

D.
 

E.
 

F.
 

G.
 

 A "DNS base scanning worm detector" would likely fail to detect an IM worm outbreak, because an IM worm’s attack payload will most likely be forwarded through the IM server, using the target’s user ID instead of a target IP address (Yan, Xiao,& Eidenbenz, 2008 pg 2).

See page 236 of textbook for details on the following.
Signature-based worm scan filtering: This type of approach generates a worm
signature, which is then used to prevent worm scans from entering/leaving a
network/host. Typically, this approach involves identifying suspicious flows and
generating a worm signature. This approach is vulnerable to the use of
polymorphic worms: Either the detection software misses the worm or, if it is
sufficiently sophisticated to deal with polymorphic worms, the scheme may take a
long time to react. [NEWS05] is an example of this approach.

Filter-based worm containment: This approach is similar to class A but focuses on
worm content rather than a scan signature. The filter checks a message to
determine if it contains worm code. An example is Vigilante [COST05], which
relies on collaborative worm detection at end hosts. This approach can be quite
effective but requires efficient detection algorithms and rapid alert dissemination.

Payload-classification-based worm containment: These network-based
techniques examine packets to see if they contain a worm. Various anomaly
detection techniques can be used, but care is needed to avoid high levels of false
positives or negatives. An example of this approach is reported in [CHIN05],
which looks for exploit code in network flows. This approach does not generate
signatures based on byte patterns but rather looks for control and data flow
structures that suggest an exploit.

Threshold random walk (TRW) scan detection: TRW exploits randomness in
picking destinations to connect to as a way of detecting if a scanner is in operation
[JUNG04]. TRW is suitable for deployment in high-speed, low-cost network
devices. It is effective against the common behavior seen in worm scans.

Rate limiting: This class limits the rate of scanlike traffic from an infected host.
Various strategies can be used, including limiting the number of new machines a
host can connect to in a window of time, detecting a high connection failure rate,
and limiting the number of unique IP addresses a host can scan in a window of
time. [CHEN04] is an example. This class of countermeasures may introduce
longer delays for normal traffic. This class is also not suited for slow, stealthy
worms that spread slowly to avoid detection based on activity level.

Rate halting: This approach immediately blocks outgoing traffic when a threshold
is exceeded either in outgoing connection rate or diversity of connection attempts
[JHI07]. The approach must include measures to quickly unblock mistakenly
blocked hosts in a transparent way. Rate halting can integrate with a signature- or
filter-based approach so that once a signature or filter is generated, every blocked
host can be unblocked. Rate halting appears to offer a very effective
countermeasure. As with rate limiting, rate-halting techniques are not suitable for
slow, stealthy worms.

Yan, G., Xiao, Z. & Eidenbenz, S., 2008. Catching instant messaging worms with change-point detection techniques. In Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats.  San Francisco, California: USENIX Association, pp. 1-10. Available at: http://portal.acm.org/citation.cfm?id=1387715 [Accessed March 14, 2010].

Question 6
Which of the following is NOT a typical USE of a BOT? (7.8)

A.
 

B.
 

C.
 

D.
 

E.
 

F.
 

G.
 

H.
 
  
See page 240 of the textbook for details.The following are uses for bots; Distributed Denial of Service (DDoS) attack, Spamming, an attacker is able to send massive amounts of bulk e-mail (spam), Keylogging, captures keystrokes on the infected machine, Spreading new malware, Botnets are used to spread new bots, Installing advertisement add-ons and browser helper objects (BHOs), Botnets are used to gain finanical advantages, Attacking IRC chat networks, Botnets are also used for attacks against internet relay channel (IRC) networks, and Manipulating online pols / games, since every bot will have a unique ip address, every vote will have the same crediability as a vote by a realp person.

星期六, 6月 11, 2011

COMPUTER CONTROL AUDITING AND SECURITY > TAKE ASSESSMENT: TEST 6 TOPIC 6

Question 1 text   Question 1

Question 1 answers
A.
B.
C.
D.
E.
F.
G.

The direct threat is the damage caused by the fire itself. The indirect threats are from heat, release of toxic fumes, water damage from fire suppression, and smoke damage.

Question 2 text   Question 2

Question 2 answers

Prevention and mitigation measures for water threats must encompass the range of such threats. For plumbing leaks, the cost of relocating threatening lines is generally difficult to justify. With knowledge of the exact layout of water supply lines, measures can be taken to locate equipment sensibly. The location of all shutoff valves should be clearly visible or at least clearly documented, and responsible personnel should know the procedures to follow in case of emergency. To deal with both plumbing leaks and other sources of water, sensors are vital. Water sensors should be located on the floor of computer rooms, as well as under raised floors, and should cut off power automatically in the event of a flood.

Question 3 text   Question 3

Question 3 answers
A.
B.
C.
D.


To deal with brief power interruptions, an uninterruptible power supply (UPS) should be employed for each piece of critical equipment. The UPS is a battery backup unit that can maintain power to processors, monitors, and other equipment for a period of minutes. UPS units can also function as surge protectors, power noise filters, and automatic shutdown devices when the battery runs low. For longer blackouts or brownouts, critical equipment should be connected to an emergency power source, such as a generator. For reliable service, a range of issues need to be addressed by management, including product selection, generator placement, personnel training, testing and maintenance schedules, and so forth.

Question 4 text   Question 4

Question 4 answers
A.
B.
C.
D.
E.

1. Improving employee behavior
2. Increasing the ability to hold employees accountable for their actions
3. Mitigating liability of the organization for an employee's behavior
4. Complying with regulations and contractual obligations

Question 5 text   Question 5

Question 5 answers
A.
B.
C.
D.

An organizational security policy is a formal statement of the rules by which people that are given access to an organization's technology and information assets must abide.

Question 6 text   Question 6

Question 6 answers
A.
B.
C.
D.

1. Significant employee work time may be consumed in non-work-related activities, such as surfing the Web, playing games on the Web, shopping on the Web, chatting on the Web, and sending and reading personal e-mail.
2. Significant computer and communications resources may be consumed by such non-work-related activity, compromising the mission that the IS resources are designed to support.
3. Excessive and casual use of the Internet and e-mail unnecessarily increases the risk of introduction of malicious software into the organization's IS environment.
4. The non-work-related employee activity could result in harm to other organizations or individuals outside the organization, thus creating a liability for the organization.
5. E-mail and the Internet may be used as tools of harassment by one employee against another.
6. Inappropriate online conduct by an employee may damage the reputation of the organization.

星期三, 6月 01, 2011

Octopus card scandal

In Hong Kong, almost everyone has at least one Octopus card (on average each person possess two cards!), which is a rechargeable contactless stored value smart card using the RFID technology. It is widely used in Hong Kong because it brings a lot of convenience to the people for shopping, eating in restaurants, taking class attendance in almost all the high schools of HK etc…and almost all public transportation (especially for the mass transit system (MTR)). Each card has a built-in microchip containing an electronic purse which can actually calculate and store all the information regarding the holders’ transaction details. It is also recognised internationally and wins many prestigious awards. Many companies from different regions and countries visited Octopus Company (which is mainly owned by MTR company of HK) to learn the advanced technology and management of Octopus system. While Octopus cards can be purchased anonymously for cash, over 2.4 million customers have registered for the widely adopted Octopus Rewards program with their personal information, according to the information posted in its website.

However, such a “giant” and “prestigious” company suddenly became a controversial target in this July (2010) when it was disclosed by a local media that the management of the Octopus company has been selling nearly 2 million customers’ private data to merchants since 2006. The Octopus company made a total revenue of HK$44 million by selling these customer’s personal data.

The Octopus controversy, the company's CEO first denies that clients' personal data has been sold to third parties for direct marketing. With further investigation by local legislators, she admitted that her earlier denial was erroneous because she did not have critical information when she issued her first denial. She later revealed that Octopus had made HK$44 million in revenue selling information on 1.97 million customers to six companies during the past 4.5 years.

As CEO of the company and the person who might well initiate such deals, she should have had full knowledge of the business. Through her public denial when confronted by the media and legislators who pressed serious concerns on behalf of the public, she has shown a lack of honesty, lack of business ethics, and lack of social responsibility.

Under the pressure of all the medium (newspaper, TV, radio etc.) and the direct intervention of the local government, the MTR board (which owns 57% of share of Octopus company) apologized to the public for “inconsistencies and errors in public communications made by Octopus management.” The octopus management team has decided to donate all the money earned by selling the privacy to merchants to charity.

However, the people responsible involved in this scandal will not face any lawsuit because there are not any existing privacy laws to regulate this kind of scandal (which might be a bit surprising). Octopus’ privacy policy explicitly states that customer data may be used by “any of [Octopus'] selected business partners” for marketing and Octopus asks for information irrelevant to the card’s operation). Therefore the public has urged to form the legislature to set up the laws/rules to forbid the sale of personal information immediately. The public is outraged at being lied to and outraged that the company has denied selling information for years.

So please discuss what you learned from such example. And what social responsibility, business ethics, and privacy responsibility should a large corporation have? How can regulation of companies such as Octopus, with strong government support, be achieved without these companies failing to comply with the rules themselves? Should local privacy law be revised and regulatory control over Octopus be strengthened concerning supervision and monitoring of business ethics of the business giants? How?

------------------------------

Example 1:

When i was child, I still use my coins and run to the LTR station. Then being hurry to buy ticket because i was going to miss a class. Since Octopus was established, i begin to take a contract with it and have a great convenience for my transportation. Of course, i still didn't know what privacy is.

Now, when i see the news talking that the company of Octopus will sell their customers including me and my parents, the personal information. I feel a bit horrible. Sometimes, personal information is not too important for me, but it does not mean that the company should sell our personal information and the important point is they denies that.

To be honest, the deal is already noted that the personal information maybe used by other partners of Octopus. That can be the residents problem that we never see the policy to purchase Octopus with private data. Moreover, it just making the advertisement always phone us, and still not make us a critical lost i think. Why we don't see the policy and information of every deal detail? If the information for us is really important, we should beware for this even more.

About the CEO, she should admitted that her denial earlier. In the business, the important thing is honest. Honest also is the major thing of social responsibility and business ethics. If a person lies just once, no one will trust him again, like he dig a hole in his honest. The hole can't be fixed forever. When he lies more, there will be more holes. However, the CEO of Octopus company can admitted her false earlier, instead of after it become a scandal and too late.

The customers has lack of knowledge for their privacy and Octopus’ privacy policy explicitly states that customer data may be used. It exactly is legal for their personal data being used, but the customers has not enough knowledge so they look like being lies. The problem is, the company use that to make the great amount revenue and the revenue is just for the company themselves. So i think it is not moral and unfair for the customers. Customers can't sense their important information should not be given to company.

The resident especially children doesn't know what privacy is yet. However, the government can promote the education about the privacy for the student, remind that i didn't know what privacy is when i still was a child. So there should be some education for child, teach them what information themselves should not be issued to strangers, make stronger about the privacy education. Let them always remember these rules until they become independent. So that they will have a better defence with their privacy, which maybe more important than their money. Although Octopus card's fee is low, customers may lose more money when their important information is given to others.

Octopus does a false event, but i still would like to use it. It is too convenience in our life and sometimes we will be given back our money because of many discount (e.g. MTR student 50% fee). Without this card, transportation and other things will be more costly and trouble.


---------------------------------------------

Example 2:

Hong Kong’s Octopus Holdings Limited sold customers’ personal information to other companies and has been paid HK$44 million since January 2006. It raised a lot of discussions among the society regarding the social responsibility of enterprises. In fact, it is not something new to identify what people need by analyzing the customers’ data and then determine how to market the products. It is widely accepted by customers. However, when enterprises do not take the customer value seriously for a short-term profit, the customers were not likely to continue paying for their products.

In the local corporate culture, most managers of practices have business backgrounds, especially in marketing and promotion. Maximizing profit is their only target and they pay less attention to the public interests. Like the Octopus Holdings Limited, it has a weak customers’ privacy scheme. Opt-out instead of opt-in mechanism is used for their services where customers’ data will be available to others. The company then claims that it is the user’s responsibility to dig for it. The Octopus Holdings Limited sold user's personal information and even not giving them sufficient opportunities to know how their personal data would be used. The company has not promoted human rights protection in the business policies. It obviously violated corporate social responsibility.

Selling customers’ data by the Octopus Holdings Limited is just one of examples showing that customers’ personal data is not well protected by corporates. The case also relates to the control of unsolicited commercial electronic messages, such as faxes, emails, short messages, pre-recorded telephone messages, etc. If the Hong Kong Government can do a deeper research for the cases, it may find that both the Unsolicited Electronic Messages Ordinance enforced by the Office of the Telecommunications Authority and Personal Data (Privacy) Ordinance enforced by the Office of the Privacy Commissioner for Personal Data, Hong Kong have been broken at the same time. Since the enforcement of the two ordinances is co-related, it is advised that the two offices can work together and exchange information.

Octopus is one of the world’s leading smart card payment systems. The public thus has a very high expectation to the Octopus Holdings Limited. After the case, both the customer relationship and trust to the company are damaged. An enterprise should seek for a balance between business and social values. If it takes care about the social responsibility, the image of company and the employers’ sense of belonging will be improved. It will benefit from the situation.

-----------------------------------


Example 3:

In Hong Kong, many people use Octopus card. We use octopus card everywhere, transportation, convenience shop, fast food shop, etc. Octopus card become an important part of us.

Few years before, Octopus company starting a reward promotion called “Earn and Redeem Reward”. Customers can redeem points by using Octopus card. But while the customers apply for the “Earn and Redeem reward”, they should sign for an agreement, the terms and condition inside contain a few pages of terms, including some terms with 1-1.5mm font. How many of us will read the terms and condition Octopus company state? A public survey revealed that more than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services, reports Bloomberg.

In July, while the Octopus “Earn and Redeem reward” happening occur. The Hong Kong citizens start to pay attention to the privacy problem. This happen tells us that we should pay more attention to protect our personal information and the Hong Kong companies should pay attention to their social responsibility, business ethics and privacy responsibility.

In this case, Octopus Company trying to conceal the information of the terms and conditions, Octopus company only concern to fulfill the privacy law of government but ignore customer’s reception to selling our personal information. This is an action lack of social responsibility and business ethics, makes the customers very disappointed.

In fact, the companies have responsibility to explain the terms and condition to us clearly, and let us know clearly how they will handle our personal information ,because many people will not read the terms themselves, some of them are not able or don’t have enough knowledge to read the terms. For example, they can make the fonts bigger, or explain the terms to us while we sign the contract, to let customers from every ages clearly watch the terms and condition.

As the biggest shareholder of Octopus, Government also to be one's unshirkable responsibility, they take not enough monitor to the company. I think it’s the time for them to revise the local privacy law. Maybe they can revise the law, ensure a readable font size in the terms and condition, or ensure all the companies should monitor by an individual organization, to protecting the privacy information.

In conclusion, Hong Kong companies should make more improvement to their social responsibility, business ethics and privacy responsibility. Many times, we have no choice to choose a service providers, it’s hard for us to decline the contract. So, responsible companies are very important. They should monitor themselves to protect the customer information. A good company will not always face to money, they will concern more about the social responsibility, these action cannot earn much money, but it can improve their business ethics, also can build their brand, the outcome is more great.



-----------------------------



Example 4:


In today’s modern society, corporate company should not only concern on the profit of their company but also on business ethics and social responsibility. Company shouldn’t just look at the minimum requirement of the law, the company’s decision will not face any lawsuit or harm to the public, but this might lose the public trust.


Octopus card help to save transaction time for transportations, settle payment of fast-food chain and gives our life more convinience. However such a a “giant” and “prestigious” company suddenly become a big seller by selling our personal information for 4.5 years without our consent.


Although Octopus had stated that the applicant information would be used by “any of [Octopus'] selected business partners”, how many people had awared of this statement or denied to apply such a convenience service due to this reason?


“More than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services”2, reports Bloomberg.
I believe that they hadn’t read through the terms and condition when signing any contract including submit the data for apply service and was caused by the font size, wordings and voluminousness of the statement.


Recently we had received a lot of advertising phone calls, we cannot clarify if this is related to Octopus or not, but the trend is many companies gain revenue by selling customer’s information to their business partner. If the government still not revising the local privacy law, the problem will get worse.


The goverment has the responsibility to revise the local privacy law to constrain the companies, which have to provide options for applicants to choose if they are willing to accept their personal information will be disclosed to or used by the third party companies. The government should check whether those companies have failed to comply with the rules, and reveal the result to the public in order to enhance the transparency of the companies.


If the company was listed in failing to comply with rules or denies to the public like the CEO of Octopus, its company image will be discredited. It takes times to re-build the public image of Octopus company after the public knew they sold their information, “Octopus must do more than replace its chief executive officer to regain public trust”1, two lawmakers said.


Hong Kong residents lack knowledge for their privacy protection and it is legal for their personal information being used by companies, which the company business operate as opaque system, the residents could not know whether their privacy have been well protected. The government should provide education through programmes and advertisement to elevate how to protect personal information.


The Octopus issue is an alert for people in Hong Kong starting to protect their personal information by read through the statement when signing contract or apply any kind of services.


Octopus did a wrong action and Hong Kong resident had lost their confidence on using octopus, but it is too convinient to our daily life, we will keep using it for transportation but might not go for further extend on other usage.


Now there is a pressing need to revise the privacy law and regulatory control over and strengthened the concerning supervision and monitoring of business ethics, forbid the sale of personal information immediately after revealing Octopus had sold customers’ information. The public is outage and didn’t know whether there are other companies had followed the same track several years ago.


The Octopus data leak has sparked public outrage over privacy laws in Hong Kong, with many voicing concern that their private information is being exposed and there are few laws to protect them.”Currently the highest penalty for privacy infringement is a fine of a few thousand HK dollars, which is an insufficient deterrent for large multi-million enterprises.”3 Dr. Wilson Wong said (Assistant Professor of Politics and Public Administration at the Chinese University of Hong Kong, )
“the current laws fail to protect citizens and leave them exposed to information abuse.”4 Emily Lau said (Member of the Legislative Council)


From my point of view, hopefully the Government can revised the local privacy law before such kind of issue happen again and well protect all resident’s personal information.


_______________________________


1 Bloomberg Businessweek , August 05, 2010
www.businessweek.com/news/2010-08-05/octopus-must-do-more-to-regain-trust-lawmakers-say.html


2, 3, 4 Theepochtimes, by Liang Lsui & Sonya Bryskine, August 05, 2010 www.theepochtimes.com/n2/content/view/40410/

-------------------------------------


Example 5:

For the case of selling customers’ personal data, I believe that the fiasco is just the tip of the iceberg. Although Octopus’ privacy policy clearly states that customer data may be used by “any of [Octopus'] selected business partners” for marketing and Octopus asks for information irrelevant to the card’s operation, how many customers read the personal information statements?

Bloomberg.com found that more than 90 per cent of the respondents in a public survey said they hadn’t read the personal information statements when they provided data to apply for Octopus services. I believe that it is true as the font size of privacy policy in personal information statements is very small, and there are many words in privacy policy.

Certainly, many people will ignore the personal information statements, as font sizes are small and lots of words in there. Moreover, the aged people cannot read the statements well, should staff of octopus explain the details of Octopus’ privacy policy well when customer purchase the octopus card?

I am sure there are cardholders who don’t mind Octopus Company selling their personal data. In fact two companies exchange their customers personal data without make announcement already make customers antipathy.

So that in the future, when I buy any products and services, I will study privacy policy provided clearly to protect myself. In addition, I will also remind people I know to study any statement and policy related with them to avoid any unlucky things happen such as personal data was sold.

Society expects that organizations should provide products and services that are needed and desired by customers. However, people in Hong Kong really feel disappointed about it, as customers do not want to spread of their personal information. Customers provide their personal data because they believe that company needs their information to provide good services. However, Octopus Company did not protect personal data of its customers well, and after sold the personal data, customers will only receive more advertisement from other companies, but services provided by Octopus Company did not improved.

Government may check companies have failing to comply with the rules themselves or not in a fixed period, and show out the result. If a company is in the list of “failing to comply with the rules themselves”, its goodwill should be decrease and net profit will also decrease. Companies will not fail to fulfill with rules themselves, as they need customers’ trust. Moreover, business ethics of company people can understand which company is worth to trust or not.

In addition, government may provide some training course or information through social media to let people understand more how to protect their personal information. Also, government may also let managers of companies to understand how important of social responsibility, business ethics, and privacy responsibility.

Besides, local privacy law should be revised and regulatory control. One of reasons of Octopus Card admits making money selling personal data to third parties is there are not any existing privacy laws to regulate this kind of scandal. The people responsible involved in this scandal will not face any lawsuit. It is because people who purchased Octopus Card must be agreeing that customer data can be used by any of Octopus' selected business partners”. I think that customer should have their right to control the usage of their personal information between company bases on local privacy law.

Be honest, if personal information of managers in Octopus Company were sold or exchanged by another company, will they feel good? I wish local privacy law could be well to protect people in Hong Kong,