CHAPTER 2

1. Consider the statement: an individual threat agent, like a hacker, can be a factor in more
than one threat category. If a hacker hacks into a network, copies a few files, defaces the
Web page, and steals credit card numbers, how many different threat categories does this
attack fall into?
This attack falls into the following categories:

Hacking into the network - This is a case of illegal trespass. This act could also fall under deliberate acts of sabotage and deliberate acts of theft.

Copies a few files - The hacker copying files from the network onto his own system is a compromise of intellectual property.

Defacement of the web page - This is the result of malfunctioning source code and compromises the integrity of the information; it is also known as a software attack. It occurs when the software has an unknown trap door.

Steals credit card numbers - Credit card numbers are stolen due to vulnerabilities or loopholes in the network and a lack of sufficient planning to protect information; this data could then be used for personal profit.

3. Search the Web for the The Official Phreakers Manual. What information contained
in this manual might help a security administrator to protect a communications system?
The Official Phreakers Manual is a document published at a particular point in time that contains an entire encyclopedia of phone hacking. It explains all the necessary information regarding how phones work and the company's management. It contains information about Electronic Toll Fraud (ETF), lists all the available toll frauds and explains how they are performed. This information may help the security administrator to identify fraud and take the necessary steps. It explains the working of the blue box, black box, cheese box and red box. So, to keep pace with upcoming technology, the security administrators of various companies need to review these manuals regularly and check their telecom systems against the threats discussed in the manual. All the possible threats a phreaker poses to a company are discussed completely in this manual.
http://www.phreak.ch/files/phreakmanual.txt

4. The chapter discussed many threats and vulnerabilities to information security. Using
the Web, find at least two other sources of information on threat and vulnerabilities. Begin
with www.securityfocus.com and use a keyword search on threats.
Footprinting is a technique of gathering information, i.e. the loopholes or vulnerabilities in the network where the hacker wants to intrude. First the objective and location of the intrusion are determined, and after that information is gathered through various methods such as social engineering, conducting a whois query to check for associated networks, and enquiring about the technologies used by that network such as hardware, IP addresses, operating systems, etc.
http://searchsecurity.techtarget.com/definition/footprinting

Packet sniffing is a technique that has been in use since the original release of Ethernet. Packet sniffing allows a user to capture data as it is transmitted over the network. This technique is used by network professionals to resolve network issues and also by malicious users to capture unencrypted data such as usernames and passwords in network traffic. Packet sniffing can be done only within a particular subnet, i.e. one cannot sniff packets from a remote network. To protect data, one is advised to use encrypted protocols and to encrypt all sensitive data.

Packet modification involves one system intercepting and modifying a packet destined for another system. Packet information may not only be modified, it could also be destroyed.
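The two paragraphs above say that a sniffer on the same subnet sees unencrypted usernames and passwords and that the defence is to use encrypted protocols. The following is an added example (it is not part of these homework answers) showing what a defender's audit of a capture looks like: it parses constructed Ethernet/IPv4/TCP frames with the Python standard library only, flags flows that send an HTTP Basic Authorization header in the clear, and reports which client, server and account need to move to TLS. The frames, addresses and account names are constructed test data; the password is never decoded or printed, only the username, so the report does not re-expose the secret it finds.

```python
"""Audit constructed frames for cleartext credentials (added example).

Parses raw Ethernet/IPv4/TCP frames and reports flows that carry an HTTP
Basic 'Authorization' header without encryption. Only the username is kept
in the finding; the password is never decoded. All frames below are built
inline as test data; no live capture is performed.
"""
import base64
import struct

ETH_LEN = 14
ETH_TYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (test data; checksums zeroed)."""
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    eth_hdr = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_TYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None if not IPv4/TCP."""
    if len(frame) < ETH_LEN + 20:
        return None
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4     # TCP header length in bytes
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


def find_cleartext_basic_auth(frames):
    """Flag flows whose payload carries an HTTP Basic Authorization header.

    The username is extracted so the owner of the account can be told to
    migrate; the password part of the token is discarded unread.
    """
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, src_port, dst_port, payload = parsed
        for line in payload.split(b"\r\n"):
            if not line.lower().startswith(b"authorization: basic "):
                continue
            token = line.split(b" ", 2)[2]
            try:
                user = base64.b64decode(token, validate=True).split(b":", 1)[0]
            except ValueError:        # binascii.Error is a ValueError subclass
                user = b"<undecodable>"
            findings.append({
                "client": f"{src_ip}:{src_port}",
                "server": f"{dst_ip}:{dst_port}",
                "user": user.decode(errors="replace"),
                "fix": "serve this service over TLS (HTTPS) instead of cleartext HTTP",
            })
    return findings


# Constructed sample traffic: one cleartext login, one malformed header,
# one TLS-looking opaque record, one harmless cleartext request.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    build_frame("10.0.0.6", "10.0.0.20", 51003, 80,
                b"GET /admin HTTP/1.1\r\nAuthorization: Basic !!!not-base64\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 51001, 443,
                b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),
    build_frame("10.0.0.7", "10.0.0.20", 51002, 80,
                b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_basic_auth(SAMPLE_FRAMES):
        print(finding)
```

The TLS frame produces no finding because its payload is opaque ciphertext, which is exactly the outcome the paragraph recommends; the malformed header still produces a finding, because the presence of a cleartext Authorization header is the problem regardless of whether its token decodes.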

CHAPTER 3

1. What does CISSP stand for? Use the Internet to identify the ethical rules CISSP holders
have agreed to follow.
CISSP stands for Certified Information Systems Security Professional. It is a globally recognized certification which confirms an individual's knowledge in the field of security. It is governed by a nonprofit organization known as the International Information Systems Security Certification Consortium (ISC2). To retain their certification, professionals need to abide by a code of ethics that has four canons. First, a certified individual should promote the public interest in information and systems, and should discourage unsafe information security practices. Secondly, the individual must act responsibly, honestly and honorably. Thirdly, the professional must retain the trust placed in them by those above them and deliver service only if capable and qualified to do so. The fourth canon is to promote the profession and introduce advancements in it. If professionals do not abide by these rules, their certification is withdrawn.
http://www.ehow.com/list_7378134_ethical-rules-cissp.html
2. For what kind of information security jobs does the NSA recruit? Use the Internet to
visit its Web page and find out.
NSA stands for National Security Agency. Its chief task is to protect U.S. national security systems and to produce foreign signals intelligence information. NSA recruits employees with education in the following fields:

Data Analysis
Information Assurance
Info Systems Management
Mathematics
Project Management
Risk Assessment
Security Product Development
Threat Analysis
Vulnerability Discovery

Link reference: http://www.nsa.gov/careers/career_fields/ia.shtml

4. Using a Web browser go to www.eff.org. What are the current top concerns of this
organization?

The Electronic Frontier Foundation is a group established in the later 90s to protect individuals and the latest technologies from misdirected legal threats and even to expose government unscrupulousness. EFF's major concerns are the following:

Providing freedom to speak in forums and social networking sites and to access all important information.
Ensuring that digital and internet technologies continue to empower individuals as creators, innovators, scholars and citizens.
Protecting new developers from previously well-settled tycoons.
Extending privacy rights in the digital world.
Promoting transparent working of government.

https://www.eff.org/