
JARAMOGI OGINGA ODINGA UNIVERSITY OF SCIENCE AND TECHNOLOGY

NAME: GILBERT ANYIMU OGECHI

REG NO.: I132/0626/2016s

SCHOOL: SIIS

COURSE: BSc. COMPUTER SECURITY AND FORENSICS

COURSE UNIT: IT SECURITY ARCHITECTURE AND DESIGN

COURSE CODE: IIT 3411

TASK: CAT TAKE HOME


QUESTION 1

JOOUST has decided to initiate a one-to-one initiative. Each student will be issued an internet- and wireless-enabled
laptop for use both in and outside of University. Since this is a significant investment, the University Management
would like a system put into place for theft protection. The system administrator installs a program for remote
access of each computer with the capability to track the IP address and take a picture of the current user. If a
computer is reported as missing the system will be activated and the information can be used to recover the
computer. There is no mention of this software to the students or parents. If a thief was aware of this software
they may be able to disable it, defeating its purpose. Only two University employees have the capability to activate
this system. A student was called into the office by the Director of ICT and accused of wrong-doing. The proof
supplied included a picture of the student taken by his University issued laptop’s webcam after learning hours in
the privacy of his hostel.

a) Is this type of system appropriate for use on a University computer?


No. This is because it is in breach of the privacy of the users (students), and their consent has not been
confirmed.

b) Should students be made aware of this type of system being installed on the computer?

Yes. Invasion of privacy is a tort based in common law allowing an aggrieved party to bring a lawsuit against
an individual who unlawfully intrudes into his/her private affairs, discloses his/her private information,
publicizes him/her in a false light, or appropriates his/her name for personal gain.

c) How can the University ensure this system is used correctly?

Only one administrator should be using this program, and the control for taking a picture of the current
user should be removed. Tracking of the system should be implemented instead.

The university should disclose the security measures it has put in place, provide a non-disclosure
agreement between itself and the users (students), and come up with a policy statement disclosing to the students how
their information will be used in accordance with the laws and regulations.

The system should only be used for tracking thieves and for theft prevention, and under no circumstances should
it be used for any other activity by the institution. All this should be captured in the privacy statement, and
both parties should sign the agreement.

d) What other methods could be used for theft protection and prevention?

Preventive measures against computer theft and loss

1. Keep track of important data - Write down the computer serial number and model number, the
support phone number, and any other useful details about the computer, and store that information in
your files. Keep the receipts for your computer and associated equipment. This information will come in
handy when you need to report the laptop as stolen.
2. Make sure to lock the doors and windows when no one is in the room.
3. Computers should be stored in a cabinet, etc. with a lock when they are not in use.
4. Use anti-theft devices.
   - Laptop computers that are not carried by the user should be affixed in a place, such as on a desk,
     etc., with anti-theft wire.
   - Use an anti-theft alarm to alert surrounding people in case of theft.
5. Be careful not to leave your computer or USB memory stick behind (or unattended) when you go out.
   - Ensure that equipment storing confidential information is kept with you.
   - Ensure that equipment storing confidential information is kept with you even during break
     times at academic conferences, etc.
6. Issue laptops with a fingerprint identification function. Biometric authentication reduces the risk of a
third party stealing and abusing a password.
7. Encrypt sensitive data - Make sure to encrypt or password-protect confidential data.
8. Password-protect the laptop - Create a boot password in CMOS setup so that the computer will
prompt for a password before it boots.

QUESTION 2

A school computer containing no confidential information was hooked to the network containing the
personal information of over 15,000 students. This computer was breached with malware designed to
steal sensitive data. Names, addresses, phone numbers, dates of birth and Social Security numbers were
all part of the database that was potentially exposed to this malware. It is uncertain if any of this
information was actually accessed, but the malware was found to have been on the breached computer
for approximately five years.

a) What should be the very first course of action?


The first step is to assemble a task force, the Computer Incident Response Team (CIRT), whose overall
responsibility will be to respond to the security breach and prevent it from spreading further.
The response team should clearly follow the guidelines and procedures stipulated in the organization's policy.
When assembling the team, appoint one leader who will have the overall responsibility for responding to the
breach. An obvious choice is the CIO. The leader should have a direct reporting line to top-level management so
decisions can be made quickly.

b) Should the public be informed about the situation? If so, how will their trust be regained?

The public shouldn't be informed about the situation; only the involved parties should be penalized for what
they've done.

c) What steps should be taken to prevent similar attacks in the future?

The school's IT security team should be more vigilant about what's happening and be more sensitive
about information.

d) What are the ethical issues of this situation?

Breach of privacy of the students' data.
The fact that the school has the responsibility to make the attack public.

e) How should students be dealt with if they were the people initiating the attack?

They should be suspended from going to school for some amount of time and make a public apology to the parties
involved.
