
Introduction

Information security is quickly becoming a top priority worldwide. Computers have
evolved at such a rate that the security measures surrounding them lag severely
behind. The power of today's computers brings with it a high potential for catastrophic
harm to individuals, countries and even the world. We are going to start by discussing
the history of information security, to establish a foundation of where we started and
how we got to where we are today. This should enable us to better analyze and prepare
for the implementation of good security measures that minimize the chance of such
disasters actually coming to fruition.

1.1 What is information security?


Information security and cybersecurity are often used interchangeably, although
information security is the broader term: it covers information in any form, while
cybersecurity concerns computers and networks. Merriam-Webster defines cybersecurity
as measures taken to protect a computer or computer system (as on the Internet) against
unauthorized access or attack. The word cybersecurity itself was first used in 1994; the
concept of information security, however, has been around for thousands of years
according to the history books.

Many people mistakenly believe that information security is solely the job of the
information technology professional. This is simply not true. Through this course we aim
to show that, yes, information technology staff handle most of the technical work, but
every individual also plays an important role in keeping information secure. It is a
collaborative effort among people in all types of jobs. For example, a system can require
special authorization to view key data; but if the person who has that access gets up and
leaves the data on screen while going to lunch, anyone walking past the desk can read it,
regardless of any technological control. Likewise, in their private lives, individuals are
responsible for protecting their own information.

There are three main attributes associated with good information security: confidentiality,
integrity and availability. This is known as the CIA triad and is considered one of the
core principles of information security. [1]
Figure 1 below shows the relationship of the triad attributes to the other aspects that
comprise information security. It illustrates how all three attributes are critical to
success. It is important to note that there has been much debate about whether the
triad representation needs further elaboration or development. Confidentiality covers
the protection of information from unauthorized viewing or use. Integrity is the
assurance that information is consistent everywhere it is stored or used, and accurate
throughout the life of a data set; an unauthorized change must be either prevented or
detectable. Availability covers ensuring that information is accessible whenever and
wherever it is needed.

Figure 1 CIA Triad (by John M. Kennedy, CC-BY-SA-3.0)


The following passage provides further detail regarding confidentiality, integrity and
availability and their importance within information security.

Confidentiality refers to preventing the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet requires
the credit card number to be transmitted from the buyer to the merchant and from the
merchant to a transaction processing network. The system attempts to enforce
confidentiality by encrypting the card number during transmission, by limiting the places
where it might appear (in databases, log files, backups, printed receipts, and so on),
and by restricting access to the places where it is stored. If an unauthorized party
obtains the card number in any way, a breach of confidentiality has occurred.

Confidentiality is necessary for maintaining the privacy of the people whose personal
information is held in the system.

Integrity: In information security, data integrity means maintaining and assuring the
accuracy and consistency of data over its entire life-cycle. This means that data cannot
be modified in an unauthorized or undetected manner. This is not the same thing as
referential integrity in databases, although it can be viewed as a special case of
Consistency as understood in the classic ACID model of transaction processing.
Integrity is violated when a message is actively modified in transit. Information security
systems typically provide message integrity in addition to data confidentiality.

Availability: For any information system to serve its purpose, the information must be
available when it is needed. This means that the computing systems used to store and
process the information, the security controls used to protect it, and the communication
channels used to access it must be functioning correctly. High availability systems aim
to remain available at all times, preventing service disruptions due to power outages,
hardware failures, and system upgrades. Ensuring availability also involves preventing
denial-of-service attacks.

This passage was created by Wikipedia. (Creative Commons Attribution-ShareAlike License)


http://en.wikipedia.org/wiki/Information_security#Key_concepts
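The integrity requirement above (data must not be modifiable in an unauthorized or undetected manner) is easy to get wrong by confusing a checksum with a message authentication code. The following Python program is an added example, not part of the Wikipedia passage or of this course's original material; the transaction string and the key are constructed for the demonstration. It shows that an unkeyed hash does not stop an on-path attacker, because the attacker simply recomputes it, whereas an HMAC under a key the attacker does not hold makes the modification detectable.

```python
"""Added example: why message integrity needs a keyed tag, not just a checksum."""
import hashlib
import hmac
import secrets

# Constructed sample transaction as it might travel from buyer to merchant.
ORIGINAL = b"card=4111111111111111&amount=10.00&merchant=shop.example"


def checksum_tag(message: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: only holders of the shared key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def checksum_verify(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(checksum_tag(message), tag)


def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    return hmac.compare_digest(mac_tag(key, message), tag)


def attacker_rewrite(message: bytes) -> bytes:
    """An on-path attacker changes the amount; they do not know the merchant's key."""
    return message.replace(b"amount=10.00", b"amount=9999.00")


def demo(key: bytes = b"") -> dict:
    """Run both schemes against the same forgery and report what the receiver accepts."""
    key = key or secrets.token_bytes(32)  # assumed to be shared in advance by both parties
    forged = attacker_rewrite(ORIGINAL)

    # Scheme A: unkeyed checksum. The attacker recomputes the tag for the forged message.
    a_tag = checksum_tag(ORIGINAL)
    a_forged_tag = checksum_tag(forged)
    # Scheme B: HMAC. The attacker can only reuse the old tag (or guess).
    b_tag = mac_tag(key, ORIGINAL)

    return {
        "checksum_accepts_original": checksum_verify(ORIGINAL, a_tag),
        "checksum_accepts_forgery": checksum_verify(forged, a_forged_tag),  # True: attack works
        "mac_accepts_original": mac_verify(key, ORIGINAL, b_tag),
        "mac_accepts_forgery": mac_verify(key, forged, b_tag),  # False: forgery detected
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Note that neither scheme provides confidentiality: the card number is still readable in transit. In practice the message is also encrypted, the MAC is computed over the ciphertext, and the key is negotiated per session rather than held long term.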

1.1.1 Origins
Since the early days of writing, politicians, diplomats and military commanders
understood that it was necessary to provide some mechanism to protect the
confidentiality of correspondence and to have some means of
detecting tampering. Julius Caesar is credited with the invention of the Caesar
cipher ca. 50 B.C., which was created in order to prevent his secret messages from
being read should a message fall into the wrong hands, but for the most part protection
was achieved through the application of procedural handling controls. Sensitive
information was marked up to indicate that it should be protected and transported by
trusted persons, guarded and stored in a secure environment or strong box. As postal
services expanded, governments created official organisations (instructor note: aka
organizations in the United States) to intercept, decipher, read and reseal letters (e.g.
the UK Secret Office and Deciphering Branch in 1653).

In the mid 19th century more complex classification systems were developed to allow
governments to manage their information according to the degree of sensitivity. The
British Government codified this, to some extent, with the publication of the Official
Secrets Act in 1889. By the time of the First World War, multi-tier classification systems
were used to communicate information to and from various fronts, which encouraged
greater use of code making and breaking sections in diplomatic and military
headquarters. In the United Kingdom this led to the creation of the Government Code
and Cypher School in 1919. Encoding became more sophisticated between the wars as
machines were employed to scramble and unscramble information. The volume of
information shared by the Allied countries during the Second World War necessitated
formal alignment of classification systems and procedural controls. An arcane range of
markings evolved to indicate who could handle documents (usually officers rather than
men) and where they should be stored as increasingly complex safes and storage
facilities were developed. Procedures evolved to ensure documents were destroyed
properly and it was the failure to follow these procedures which led to some of the
greatest intelligence coups of the war (e.g. U-570).

This passage was created by Wikipedia. (Creative Commons Attribution-ShareAlike License)


http://en.wikipedia.org/wiki/Information_security#Key_concepts

The need for information security existed long before the invention of the computer.
A company may hardly use computer systems at all in its business; nonetheless, the
need to keep information secure still exists. Wartime government efforts solidified
information protection as part of national defense in many countries, on a par with the
physical securing of property. They recognized that if the enemy knew what they were
thinking, planning and how they intended to act, any advantage was severely
jeopardized, if not lost completely. The passage above gives the historical details of the
origins of this need.

As the passage above details, it took a long time to refine and name information
security. Its models are still being refined today, because the target of what is being
secured is always moving; it will never be fixed. Over time, numerous laws and
regulations have also been introduced to define what information security includes. It
does not apply only to computer usage.

A well-known model among information assurance professionals, shown in figure 2 and
referred to here as the 2PT (people, process and technology), still highlights the people
and process portions of information security today. It states that people, process and
technology must all work together for a security model to work. Processes without
technology can fail, and technology without clearly documented processes will also fail.
It further points out that the people involved with the other two parts are just as
important to overall success; in fact, the people portion is widely regarded as the
weakest of the three in terms of long-term success. Historically, the people and process
portions of the 2PT have been present from the start: there were no sophisticated
encryption tools or computers in the past to ensure that something falling into the wrong
hands would remain secret. Luckily, in today's world we have technological advances
that greatly assist in this effort.

Figure 2 (2PT - People Process Technology)

1.1.2 Economic Influences


We've come a long way from the days when farming was the most common job around. Today
farming is less and less widespread, and people have moved into what are known as white-collar
jobs far more than in the past. The passage below summarizes how computing has embedded itself
into the mainstream of our everyday lives.

The end of the 20th century and early years of the 21st century saw rapid advancements in
telecommunications, computing hardware and software, and data encryption. The availability of
smaller, more powerful and less expensive computing equipment made electronic data processing
within the reach of small business and the home user. These computers quickly became
interconnected through the Internet.

The rapid growth and widespread use of electronic data processing and electronic business
conducted through the Internet, along with numerous occurrences of international terrorism,
fueled the need for better methods of protecting the computers and the information they store,
process and transmit. The academic disciplines of computer security and information assurance
emerged along with numerous professional organizations, all sharing the common goals of
ensuring the security and reliability of information systems.

This passage was created by Wikipedia. (Creative Commons Attribution-ShareAlike License)


http://en.wikipedia.org/wiki/Information_security#Key_concepts

To Do Activity #1
Click to watch this video: http://www.youtube.com/watch?v=QOCRkIn--WE

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos
that will enable you to read along while you watch. The Closed Caption buttons
are located bottom right of the video screen.

Submit your answers to the questions.


1. What is the goal of the cybersecurity program put together by Homeland
Security?
2. What role does NIST play in this executive order?
3. Discuss how an executive order differs from legislation.
4. What types of systems does John Casaretto mention that, if attacked, could have
severe ramifications for our economy or society as a whole?
5. What types of incentives are being offered via the executive order?

1.2 Computer Crimes Past, Present and Future
Computer crime began, for the most part, with viruses that spread on floppy disks, the
removable media of the day. The primary motivation of early hackers was notoriety. This
changed quickly as computers became networked, first through ARPANET and then the
Internet: attacks became far more sophisticated, were carried out for far more serious
reasons and had far bigger ramifications.
The Advanced Research Projects Agency Network (ARPANET) was one of the
world's first operational packet switching networks, the first network to implement
TCP/IP, and the progenitor of what was to become the global Internet.
This passage was created by Wikipedia. (Creative Commons Attribution-ShareAlike
License) http://en.wikipedia.org/wiki/ARPANET

[1] Perrin, Chad. "The CIA Triad". Retrieved 31 May 2012


1.2.1 How They Began
Scams have existed, some would say, for as long as people have. Before the invention of
the Internet and e-mail, scams spread by chain letters proclaiming either doom or great
wealth if a person completed a task and sent the letter on to many other people. Viruses
removed the need for a person to forward anything: the code propagates itself. Before
the Internet, viruses spread via removable media. People who owned computers shared
information and software on floppy disks, the dominant form of consumer-accessible
removable media and, for most people, the only practical way to move digital information
from one computer to another. So they were naturally the perfect medium for spreading
viruses, just as they were the perfect way to share legitimate programs and files.
To Do Activity #2

1. Open your e-mail box, if you have one, look in the Junk or Spam folder and review
some of the flagged messages for the anomalies described in this module.
2. Analyze the link below. Pay special attention to what it reads to the naked eye, then
hover your mouse over it (be sure not to click on it) and look at the address that is
displayed. Just reading it, it appears that clicking the link will take you to Google's
website; the hyperlink target, however, goes somewhere entirely different. Many links in
e-mail messages do the same thing. (In a printed or plain-text copy of this page the link
text and its target look identical; the difference is only visible when the message is
rendered as HTML.)

http://www.google.com

3. Click the link below and review the page listing a timeline of viruses and worms. Next,
answer the associated questions based on the information on that page.

(http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms)

Submit your answers to the questions.

A. How did the invention of the ARPANET, the precursor of the Internet, enable virus
activity to explode?
B. Compare and contrast the noted viruses from the 1980s to the 2000s. In that, point
out how they became more sophisticated and how attack methods changed.
C. What is the name of the first IBM PC Compatible virus?
D. Describe how perception and fear were instilled into the public about the
Michelangelo virus in 1992.
1.2.2 Notorious Computer Crimes

In the beginning, computer viruses did little real harm. Their creators sought only fame
from the viruses and worms they wrote. A computer virus is a man-made program or
snippet of code that can load itself onto a computer and execute without authorization.
The term computer virus entered use in November 1983, when Fred Cohen demonstrated
the first documented example (the name was suggested by his adviser, Leonard Adleman).
The first viruses would make messages appear on the screen or leave cryptic notes on
computers. They did not do what some later, more advanced viruses did, which in some
cases was to wipe out entire sets of data.

By the 1980s, viruses that caused real damage were in circulation. Since then, attacks
have evolved into more targeted and less random ones. Malware in the form of viruses
and worms is not the only type of cybercrime being committed today. Worms differ from
viruses in needing no host program and no user action: a worm is a standalone malware
program that replicates itself in order to spread to other computers. Phishing and spam
are, in many cases, more prevalent than viruses. Spam is irrelevant or inappropriate
messages sent over the Internet to a large number of recipients. Luckily, the spam filters
and antivirus scanners attached to e-mail systems have become very good at catching
these messages before they reach a user's inbox. However, some spam still gets
through. People need to be very aware of this fact and cautious about any unexpected
message, regardless of how legitimate it may appear.

Many times a spam message will trick a user into clicking on something that houses
malware. Malware is software intended to damage or disable computers and computer
systems, so it is important that end users be presented with these bogus messages as
little as possible. Spam could fill up an inbox so thoroughly that a person had a hard time
picking out any legitimate message. Also, the spam messages were in some cases very
convincing and used fear to get users to click something. The message could then tell its
creator that it had found a real e-mail user, or install spyware on the machine. These
messages almost always contained an unsubscribe feature that was itself a trick: the
main thing the unsubscribe link did was confirm that a real person, and not just a junk
mailbox or an invalid address, had received the message. Users are therefore advised
never to click unsubscribe in mail they never signed up for (the unsubscribe link in a
newsletter you actually subscribed to is a different matter). Spammers did not need to
know real e-mail addresses to send out mass mailings. They could use algorithms to
generate likely addresses and just blast the messages out. Any unsubscribe replies that
came back confirmed that real people had been reached, and those addresses were then
sent more spam. There are often tell-tale signs that a message is not genuine, signs
almost too subtle for people to pick up on. Some examples of spam are shown below.

Example 1: the From address scam

The message below, seen in the inbox view, appears to be from an ADT authorized dealer.
On closer inspection, the actual address to the right of the From label is not an ADT
domain. This is visible once the message is opened.

Screen shots created by Tonya M Davis CC BY 3.0

Example 2: the misspelled words

Notice the way savvings is spelled (not savings)

Figure 3 Misspelled words (by the Free Software Foundation, GNU General Public
License)

Look carefully at the message content, as well. Notice the misspelling of the
words received and discrepancy.

Figure 4 TrustedBank (by Andrew Levine, public domain)

Example 3: Bad grammar and form

Notice that there is no actual customer name in the salutation.

The last sentence, "We are happy you have chosen us to do business with.", is
not something a bank would write.
The link looks as if it will go to a web site matching the banner. However, the actual
target address, shown at the bottom of the screen when you hover the mouse over the
link, goes somewhere different altogether.

This last example is also a phishing attempt. We will discuss what phishing is later in
this module.
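The three tell-tales above (a From display name that does not match the sending domain, link text that shows one address while the href points to another, and a generic salutation) can all be checked mechanically. The following Python program is an added example and not the course's own material; the two sample messages, the domains in them and the small brand allow-list are constructed for the demonstration. It parses a raw message with the standard library and reports each indicator it finds, which also covers the hover-over-the-link exercise in Activity #2.

```python
"""Added example: flag the spam/phishing tell-tales from the examples above."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand token -> domains that may legitimately send as that brand.
KNOWN_BRANDS = {"trustedbank": {"trustedbank.example"}}

GENERIC_SALUTATION = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", re.I)

# Constructed sample modelled on Example 3 (TrustedBank), as raw message text.
SAMPLE = """\
From: TrustedBank Security <alerts@mail-secure-update.example>
To: you@example.com
Subject: Immediate Action Required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We have recieved a report of a discrepancy on your account. Please verify:
<a href="http://203.0.113.5/login">http://www.trustedbank.example/verify</a></p>
<p>We are happy you have chosen us to do business with.</p>
</body></html>
"""

# Constructed sample of a legitimate notice, for comparison.
LEGIT = """\
From: TrustedBank <alerts@trustedbank.example>
To: you@example.com
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

Your statement is available after you sign in at the usual address.
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL, or of bare text that looks like one ('www.x.example/path')."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def find_indicators(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. "From address scam": display name invokes a brand, address domain is not the brand's.
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and not any(under_domain(sender_domain, d) for d in domains):
            findings.append(f"From claims {brand!r} but address domain is {sender_domain!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""

    # 2. Link text shows one host, href goes to another (what hovering the mouse reveals).
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        for href, text in collector.links:
            if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and host_of(text) != host_of(href):
                findings.append(f"link text {text!r} actually points to {host_of(href)!r}")

    # 3. No customer name in the salutation.
    if GENERIC_SALUTATION.search(content):
        findings.append("generic salutation (no customer name)")
    return findings


if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("LEGIT", LEGIT)):
        print(label, find_indicators(raw) or "no indicators")
```

The brand allow-list is the weak point of a checker like this: a real mail gateway would draw it from the sender's DMARC policy rather than a hand-written table, and would also inspect Reply-To and the Received chain.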

1.2.3 Cybercrime Evolution

As cybercrime activity has grown since the early 1970s, it has evolved in sophistication,
in targeting and in impact. Originally, viruses were not created to destroy everything in
their path; they quickly evolved, however, to have many identifiably evil characteristics.
Today, when we hear the word hacker, we think of much the same thing as when we hear
the word criminal, and the public now realizes this more than ever. In this popular usage
a hacker is a person who uses computers to gain unauthorized access to data (within the
security community the term is broader, and the criminal is more precisely called an
attacker or cracker). Synonyms for hacker in this sense include cybercriminal and
cracker; terms such as keylogger and keystroke logger, by contrast, name tools an
attacker uses, not the person.

Many people believe that cybercrimes are a new form of criminal activity. In reality they
are the same old crimes committed through a new medium. Theft, fraud and harassment
have been crimes since laws were first written to outlaw them, and the same crimes are
now happening in the virtual world. The problem is that society's written laws do not yet
cover these traditional crimes in the virtual world as they should, especially when they
cross state and even national borders. In recent years several laws have been modified
or created to address many of these crimes in cyberspace. Criminal acts that cross
national borders, however, are still poorly covered: there are far fewer agreements
between countries than there should be about what constitutes a crime in the virtual
world and what consequences can be imposed when the offender acts from another
country. This is something every country should be actively addressing.

A prominent type of cybercrime today, and for the foreseeable future, is phishing, of
which we saw an example earlier in this module. Phishing is a scam by which an e-mail
user is duped into revealing personal or confidential information that the scammer can
use illicitly. Phishing has multiplied rapidly in its variations over the last decade as
attackers have become more sophisticated in their tactics and methods of committing
crimes via the Internet and its associated technologies. Figure 5 below shows the
increase in phishing reports from October 2004 to June 2005.

Figure 5 Phishing Chart (by ZeWrestler, English Wikipedia project)


In the early 1990s notorious phishing attempts targeted the AOL user community. In the
beginning, lax programming let phishers open accounts with bogus credit card numbers.
The systems did not verify that a credit card number was actually active and in use; they
only checked that it matched the format of the type of card the user claimed to be
providing. There was also a whole community within AOL that shared and stored pirated
software. Once AOL fixed the credit card issue, the phishers moved on to trickery against
legitimate account holders. Some would say that hackers understand human psychology
better than the average person, and the creativity of phishing scams is the reason. The
scammer would send a valid user an official-looking e-mail whose wording made the
average person believe that failing to respond would mean losing access to their
account, or worse. Common subject lines were AOL verification process or Immediate
Action Required; in other cases there were tempting offers of free stuff. The From
address was spoofed to read as if it came from the AOL support team or AOL verification
team, which originally raised no red flags with end users. In the message, users were
told to provide their password or other sensitive account information to verify that they
were who they said they were. In many cases the message also carried an executable
attachment that infected the machine when run, or a web link that did the same. The flaw
in all this was that AOL itself never conducted verification in such a manner. It is bad
practice to provide a password over e-mail, and no legitimate provider will ask for one
that way.
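The account-creation check described above accepted any number with the right shape for the claimed card type. The usual shape test for card numbers is the Luhn checksum; the text does not say exactly what AOL's check was, so treat that as an assumption. The Python program below is an added example, not part of the original material: it implements the checksum and then fabricates numbers that pass it, which is all a format-only validator can see. The 4111... value used in the comments is a widely published test number, not a real account.

```python
"""Added example: a format check (Luhn) says nothing about whether a card is live."""
import random


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum (the check used on card numbers)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the right; double every second digit and subtract 9 if the result exceeds 9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes `partial + digit` Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise AssertionError("unreachable: exactly one digit always works")


def fabricate_number(prefix: str, length: int = 16, seed=None) -> str:
    """Build a Luhn-valid number with a given issuer prefix from random digits.

    This is what a format-only validator cannot distinguish from a real card:
    the prefix, length and checksum are all right, but no account exists behind it.
    """
    rng = random.Random(seed)
    body = prefix + "".join(rng.choice("0123456789") for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def format_only_validator(number: str, expected_prefix: str) -> bool:
    """The kind of check the text describes: right prefix for the claimed card type,
    right length, checksum passes. No issuer is ever contacted."""
    return number.startswith(expected_prefix) and len(number) == 16 and luhn_valid(number)


if __name__ == "__main__":
    fake = fabricate_number("4", seed=7)  # "4" is the prefix the fabricated card claims
    print(fake, "passes format check:", format_only_validator(fake, "4"))
    print("4111111111111111 valid:", luhn_valid("4111111111111111"))
    print("4111111111111112 valid:", luhn_valid("4111111111111112"))
```

The fix AOL needed was an authorization request to the card network (even a zero-amount one), which is a different control from format validation: the checksum catches typing errors, not fraud.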

These scams were conducted by e-mail and even through instant-messaging chats. In
both cases so many users were becoming victims that AOL placed text at the bottom of
chat windows stating that AOL will not ask you for billing or personal information via
e-mail or chat. A big problem with the AOL scams was that once users were tricked into
providing their credentials, the criminal could use the account for spamming or phishing
other valid accounts with little or no recourse. In the end, AOL tightened its usage
policies enough to minimize these scams and removed the pirated software from its
servers. It also developed automated processes to deactivate accounts involved in
phishing. This turned a reactive nightmare around, and most criminals left the community
as a result of the deterrents. Unfortunately, AOL's reputation took a big hit because of
how rampant these problems had been. For many in society, AOL's story was their first
encounter with what is now known as phishing. [1]

Some notorious phishing attempts in recent years have hidden behind big names such
as the IRS and TD Ameritrade. Several known schemes use the IRS name. The first
known scam took the form of a letter accompanied by a W-8BEN form (Certificate of
Foreign Status of Beneficial Owner for United States Tax Withholding). It asked
non-residents for personal information that the real W-8BEN form does not request:
passport numbers, mother's maiden name and account numbers. E-mail scams began
shortly thereafter. In some cases the scams told recipients they were eligible for refunds;
in others they claimed to come from fraud or criminal investigation divisions of the IRS.
Recipients were told to click links that led to fake IRS websites collecting financial and
personally identifiable information that the real IRS website does not ask for. In other
cases, clicking the link released a virus. Some of the most tempting IRS lures promise
rewards or refunds: end users are so tempted by the possibility of free money that they
will do whatever they are told and provide whatever is asked in order to get it.

In very recent years scammers have become even more convincing by contacting
recipients through two channels at once, sending an e-mail and a text message to the
same person. This falsely gives the impression that the contact must be legitimate, since
a scammer could not possibly have both pieces of information. It is another show of
sophistication in understanding human psychology. This particular scheme tells
recipients that a tax payment made from their bank account was recently rejected. Again,
this is not something the IRS would ever do by e-mail or text message. And not to be
forgotten are the old phone scams, which still exist today: as recently as October 2013 a
new phone scam was added to the IRS schemes web page, which is used to notify people
of all known scams using the IRS name. What has changed in these phone scams is the
targets they go after. They choose targets they are more likely to succeed with, and know
a great deal about them before ever making contact; they specifically weed out the less
promising attempts and go mainly after the sure things. [2]

TD Ameritrade was the victim of data theft when hackers broke into a database holding data on
users interested in online trading. Over 6.3 million customer records were compromised; the
stolen data included names and contact details. With that information, criminals targeted those
customers with legitimate-looking e-mails offering investment advice they had never requested.
A class-action lawsuit was filed against TD Ameritrade as a result of the breach, and again the
company's reputation suffered. [3] The following excerpt defines the various types of phishing
that exist today.

List of phishing techniques:

Phishing
Phishing is a way of attempting to acquire information such as
usernames, passwords, and credit card details by masquerading as a
trustworthy entity in an electronic communication.

Spear phishing
Phishing attempts directed at specific individuals or companies have been
termed spearphishing. Attackers may gather personal information about
their target to increase their probability of success.

Clone phishing
A type of phishing attack whereby a legitimate, and previously delivered, email
containing an attachment or link has had its content and recipient address(es)
taken and used to create an almost identical or cloned email. The attachment
or Link within the email is replaced with a malicious version and then sent from
an email address spoofed to appear to come from the original sender. It may
claim to be a resend of the original or an updated version to the original.
This technique could be used to pivot (indirectly) from a previously infected
machine and gain a foothold on another machine, by exploiting the social trust
associated with the inferred connection due to both parties receiving the
original email.

Whaling
Several recent phishing attacks have been directed specifically at senior
executives and other high profile targets within businesses, and the
term whaling has been coined for these kinds of attacks.

This passage was created by Wikipedia. (Creative Commons Attribution-ShareAlike
License) http://en.wikipedia.org/wiki/Phishing#Phishing_techniques

[1] http://en.wikipedia.org/wiki/Phishing

[2] http://www.irs.gov/uac/Phishing-and-Other-Schemes-Using-the-IRS-Name

[3] http://www.scmagazine.com/phishing-scams-may-target-ameritrade-breach-victims/article/35699/

To Do Activity #3

Click the link below to watch this video and answer the questions below.
(You may start the video at the 20 minute mark).

Social Engineering & Social Media Security with James Crossman:


https://www.youtube.com/watch?v=T1FoDAhYh8o

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will
enable you to read along while you watch. The Closed Caption buttons are located
bottom right of the video screen.
Submit your answers to the questions.

1. Describe the differences between phishing and spear phishing.
2. What are 3 options for businesses to implement security, according to James
Crossman?
3. What are some of the threats existing today?
4. James says, "A study out of Australia says that if you are the manager of any type of
natural resource, like oil, gas or water, then odds are you are already the target of" what?
Define what this is.
5. What are some exposure areas available to strangers in conference rooms?
6. What are 3 take-aways from the presentation?
7. What does Crossman say is always the weakest link in an organization?

1.2.4 Attack Vectors

There are numerous methods of attack used by cyber criminals today. A cyber criminal
can be anyone from a child, an individual adult or a group of adults all the way up to a
state actor, that is, a country. Each type costs its victims millions, if not billions, of
dollars annually.

Some of the attack vectors are as follows:

Malware
Botnets
Viruses, worms & Trojans
Phishing and social engineering
Malicious insider
Malicious code
Web-based attacks
EMP electro-magnetic pulse

Note that these categories overlap rather than partition the space: viruses, worms and
Trojans are kinds of malware (malicious code), and a botnet is built from machines
already compromised by malware. EMP, unlike the others, is a physical attack on the
hardware itself rather than on software or people.

To Do Activity #4

Click the link below to watch the linked video for some details surrounding
the impact of these attack vectors on businesses and individuals today.
State of Cybercrime Facts: http://youtu.be/WaKSF-lF3u4

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will enable you
to read along while you watch. The Closed Caption buttons are located bottom right of the video screen.

We have touched on several of these attack vectors so far in this module and will delve
into others as we progress through this course. Here we discuss the malicious insider. A
malicious insider is an employee or contractor within a company who has access to
proprietary secrets, data and IT systems and intentionally sets out to steal from, damage
or otherwise compromise the business, for reasons such as greed, payback or both. The
malicious insider often does not rank high on a priority list for prevention or mitigation
efforts, and compared with the total number of employees an organization has, the
number of malicious insiders is usually small. However, the payoff from a malicious
insider can be the highest of any crime committed against the business.

In summary, insider risk refers to any person employed in industry, government or the
military who willingly, unknowingly or mistakenly allows sensitive information to fall into
the wrong hands and so be compromised, whereby its value is decreased or lost. Several
studies have been conducted on preventing or mitigating insider risk. In almost every
case of insider attack there were warning signs that, if recognized and acted upon, could
possibly have prevented the insider from completing the attack. Furthermore, a
company's failure to have or enforce certain policies and procedures directly contributes
to, and in some cases escalates, an insider attack. One study published through the
Department of Defense, titled Insider Risk Evaluation and Audit, outlines several factors
indicative of an employee being at risk of becoming a malicious insider. It states that the
offenders themselves are frequently driven by the same motivations (greed,
disgruntlement, conflicting loyalties, ego-satisfaction) and that they often exhibit similar
early indicators or precursors of subsequent damaging behavior. (DOD, vii) Analysis of
employees who moved over to the other side shows that in some cases they had been
problems at previous jobs. Sometimes the way an employee was dealt with over
behavioral issues served to escalate the bad behavior. So it is critical for businesses to
act appropriately with employees throughout the life cycle of their employment, including
appropriate background screening before hiring. (DOD, viii)

The malicious insider remains a serious threat, but will become more visible: Whether it was
Shakespeare's Caesar or America's Benedict Arnold, people have long known the pain of betrayal by those
they trust. Information technology simply made the betrayer's job easier. In 2014, a significant number, if
not almost half, of data breaches will come at the hands of people on the inside. However, as the federal
government and individual states add muscle to privacy breach notification laws and enforcement regimes,
these hidden insider attacks will become more widely known.

Ryan said the insider threat, which often goes unreported, is insidious and complex.

"Thwarting it requires collaboration by general counsel, information security and human resources," he said.
"SEC breach disclosure of 'material losses' may be the model for rules requiring a company to be more
transparent and answerable for allowing bad actors to go unpunished."

This passage was created by http://www.businessnewsdaily.com/5563-7-cybersecurity-risks-for-2014.html Author
Brooks (not creative commons material)

The general public knows very little about the next attack vector type: the
electromagnetic pulse. This type of attack was accidentally discovered as a side effect
of bombs that were detonated. The result of an EMP is that all electronic devices within
range of the detonation are rendered useless. They don't go up in flames or anything.
Rather, they become dead weight that will never function again without replacement of
the electronic components in whatever devices are affected. These devices currently have a
relatively small impact range. However, the higher up in the air they are
detonated, the more ground they will impact. Wikipedia defines an EMP, or
electromagnetic pulse, also called a transient disturbance, as a short burst of
electromagnetic energy. EMPs can occur naturally as lightning strikes, which in some
cases tend to cause more damage than a man-made EMP.

Module 2 Content: Personal Information Security

Introduction

People today must be very cognizant of what information they provide to everyone from retail
stores to social networking sites. The importance of protecting oneself digitally has become
critical in a time when identity and credit card theft, as well as cyberbullying and cyberstalking,
have become a common occurrence. It is no longer a matter of whether information will be stolen
digitally; rather, it is a matter of when it will be stolen and what can be done with it once it is. The
average person may not realize the threats that exist today because of the digital world we now
live in, which reaches almost, if not, all modern civilizations.

The youth of today are especially at risk for cyber incidents due to their obsessive desire to
share information and socialize on the Internet. Also, youths today have more digital and
electronic equipment in their possession at any given time than a household of people possessed
just 20 short years ago. This has greatly compounded the number of avenues of possible attack
and possible negative repercussions in the future. Furthermore, by their nature, children
and even teens and young adults don't yet realize the lifetime consequences of making certain
information available on the Internet. Everything from a picture to a simple tweet will live on
the Internet long after all humans alive today are gone. And so making sure appropriate
information is the only information put on the Internet becomes even more paramount.
Furthermore, employers today are using the Internet to screen and filter would-be employees in
ways that were never possible before.

Several government agencies have been created in recent years to address the handling and
stewardship of the cyber world while trying to preserve the fundamental freedoms that helped to
make the Internet what it is today. These agencies work to protect our nation's most valued
assets, as well as educate the general public about the dangers we all face as a direct result of the
Internet. Training and awareness are our greatest weapons of defense to prevent cyber events from
occurring. The weakest link in our cyber defense, both personally and professionally for
corporations, is the human.

This module will discuss on a personal level how every individual can protect his or her PII, or
Personally Identifiable Information, and defend against would-be attackers. PII, as used in US
privacy law and information security, is information that can be used on its own or with other
information to identify, contact, or locate a single person, or to identify an individual in context.
There are several regulations and laws in specific industries that are meant to safeguard this
important uniquely identifying information about individuals. For example, HIPAA for the
healthcare industry and FERPA for academics, to name two.

2.1 Personal Protection

The first part of this module will address the general consumer in today's society. This person is
no longer someone who buys every product and service that they use from a physical store.
In some instances, most shopping by some people is done only online in virtual
commerce markets. For example, it is possible to do all of your grocery shopping online rather
than going to the local market. This involves many avenues of risk throughout the
process. For example, a purchase made online is almost certainly paid for via credit or debit
card. Once you give the vendor the card information to complete your purchase, your
information is only as safe as that company's electronic protection tools and procedures. This
means your identity and money are at risk of theft from a criminal that you most likely would
never meet and possibly never even know exists. People have lost everything, including quality
of life, from identity theft. Identity theft is the illegal use of someone else's personal identifying
information (such as a Social Security number) in order to get money or credit.

2.1.1 Steps to Become More Secure Online

There are multiple ways an individual can help defend against identity theft and many other
cyber-related incidents. Today's consumer typically has more than one electronic device that has
access to the Internet. Therefore, the exposure and vulnerabilities are compounded. There are
specific steps one can take to better protect oneself from a cyber-attack or incident depending
on the type of electronic device in use. However, most individuals are not familiar with how to
go about planning and implementing such defenses. The end-user training for cybersecurity is
referred to as Internet safety training.[1] Basically, the consumer / end-user needs to understand
first and foremost that if too many specific details about them are on the Internet, they are at a
much higher risk of identity theft. Furthermore, it makes things like identity theft, cyberstalking
and cyberbullying much easier for an offender.

Cyberstalking is basically the repeated pursuit of an individual using electronic or Internet-capable
devices. [2] It is stalking someone or a group of people or a company using the Internet
and computers instead of physical means, such as sitting outside someone's apartment
building or place of employment. A victim of cyberstalking develops instilled fear and panic and
loss of quality of life overall. Sometimes it aids an offender in committing physical stalking,
which can lead to physical altercations, but not always. It is important that people not broadcast
their every move throughout the day via social media updates. For example, posting that you
are at Red Lobster for lunch and then that you are going to Sears after work lets someone know
exactly how to find you if they wanted to. Over time, a pattern of your behavior would begin to
show and someone may even be able to predict where you will be at a given time without you
posting anything. This is not a good thing.

Take a few moments to watch one story of a Facebook user who approved all friend requests that
she received because it was for her business. Only the business page and her personal page were
intertwined into one. She posted where her parties and events were going to be, and she posted
where she was going to be outside of events as well. It is important that you keep any business
social media sites separate from your personal life, both in person and online. This story is about
a female. However, both males and females can be victims of cyberstalking.

[1] Mowbray, Thomas J. Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions. p. 219
[2] Reyns, B. W., Henson, B., & Fisher, B. S. (2012). Stalking in the twilight zone: Extent of cyberstalking victimization and offending among college students. Deviant Behavior, 33, 1-25. doi: 10.1080/01639625.2010.538364. p. 1

Video #1
Click the link to watch this video:

The Inside Story: One woman's terrifying experience with online stalking

https://www.youtube.com/watch?v=NmHg5dKHNg0

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will enable you to read along while
you watch. The Closed Caption buttons are located bottom right of the video screen.

Cyberbullying tends to be more frequent among younger individuals. However, the consequences
from it can last a lifetime and possibly even cause someone to lose or not get a job later in
life. All too often cyberbullying is directly responsible for suicide as well. Since the word was
first coined in 2000, it has become a common household word. Cyberbullying is "the electronic
posting of mean-spirited messages about a person (as a student) often done anonymously"
according to Merriam-Webster. Individuals need to be careful not to take unflattering or overly
exposed pictures or videos of themselves, even if they don't plan to share them or plan to
share them only with a significant other. Once a picture or video has been captured in electronic form
it can be stolen, if not purposely used to humiliate, blackmail or otherwise harass someone at a
later time.

Cyberbullying all too often has ultimately ended in suicide in young teens and
adults. Megan Meier and Phoebe Prince are two fairly well known cases where this has
occurred.

To Do Activity #1

Click the link below to read the article posted on the Megan Meier Foundation website
regarding the suicide of Megan Meier:

http://www.meganmeierfoundation.org/megans-story.html

Discussion Questions: (This exercise is meant to be for group discussion.)


1. What do you believe caused Megan to commit suicide?
2. Do you feel that Megan would have committed suicide on the day she died had
the online encounter with Josh not occurred?
3. Do you feel that Megan would have eventually committed suicide at some point?
Why or why not?

To Do Activity #2
Click the link below to read the article regarding cyberbullies from the DHS US-CERT website.
http://www.us-cert.gov/ncas/tips/ST06-005

Submit your answers to the questions.


1. Compare and contrast bullying in the past to today's tactics and
methods.
2. Why do you think documenting the activity of a bully, especially
preserving electronic evidence, is of great importance?
3. Predict a possible worst case scenario of publicizing all of your
personal information on the Internet via social media.
4. How can you avoid escalating the situation with a cyberbully?

The term catfish no longer refers only to a fish in the river or lake. Rather, a catfish is "someone
who pretends to be someone they're not using Facebook or other social media to create false
identities, particularly to pursue deceptive online romances" according to Urban Dictionary. This
is another reason that an individual should make sure that his/her life, including photos, is not
available for public consumption. It is important to make sure the appropriate security settings
are in place at all times in an online environment. In the case of Megan Meier, she was what is
referred to as catfished, among other things. There are several red flags to look for when dealing
with online dating to help avoid being catfished, as provided by the Dr. Phil show (none of these
are foolproof indicators and not all, if any, may apply to you):
1. A non-typical mate reaches out to you for a relationship.

In this case, people have a type of person that they date or are attracted to and who are
attracted to them in return. If a person claiming to be a model or actor with a totally
awesomely beautiful picture suddenly reaches out to you as being in love or super
attracted to you, this may be a red flag. It isn't to say that this cannot happen. It needs to
make one stop and think: why is a model or actor having to use a dating site to meet
people?

2. An online relationship partner can only share old or previously taken pictures with you.

In today's world, almost every computer has a built-in webcam with picture-taking
capability. Not to mention that most cell phones, even if they can't get on the Internet,
have a camera. A person could take a picture with a cell phone and send it as a text
message. Be wary of people unwilling to take photos of themselves and send them to
you on the fly. This indicates staging may be taking place and that the person isn't
providing real pictures of themselves. The point here is that the person has a
computer and has Internet access, or this online relationship wouldn't be taking place. So,
excuses about real-time photos don't make sense.

3. Refusal to talk on the phone with you.

If the person doesn't want to talk on the phone, it indicates that they may not want you to
hear their real voice. If they continually make excuses as to why they can't talk on the
phone over a long period of time, that is a warning sign.

4. Refusal to meet with you in person.

Starting an online relationship with someone from another state automatically makes it
harder to get to know that person and have a meaningful relationship. In the case of
being catfished, this is ideal. The person who makes up excuses as to why you can't meet,
even when you offer to drive or fly to meet them, isn't being truthful and will make up
sometimes very creative excuses as to why a meeting just isn't ever possible. They often
go through a series of terrible and tragic events that are meant to distract you and also
gain sympathy at the same time. For example, they may have a car accident near a time
when you are suggesting or trying to meet them in person. This will immediately stop the
pressure of a meeting. As time goes by, you may again try to meet with them and they
may experience a death in the family or lose their job. These are excuses meant to deter
you so that they are not found out.

These are just some of the warning signs to look out for. There are others, some more
subtle and some not. In many cases, these online relationships dupe unsuspecting people
out of money to help pay for surgeries or car repairs or debt that doesn't exist. Over time,
the pursuer finds reasons that they need more and more money from the person with
whom they are having the online relationship. The victims keep giving more money
because they think they are in love and loved by someone who doesn't exist. Use these
precautions to aid in avoiding becoming a victim.

2.2 Daily Life Protection

This section will briefly discuss several areas of exposure for cyber incidents in daily lives and
actions to help minimize the risks therein.

Watch the below video clips, which highlight some of today's technology that is meant for
good and how it can be hacked and controlled by bad actors.

Video #2

Click the link below to watch the video. There are no questions to answer.
http://money.cnn.com/2014/03/31/technology/security/tesla-hack/index.html?hpt=hp_t3

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will enable you to
read along while you watch. The Closed Caption buttons are located bottom right of the video screen.

To Do Activity #3
Click the link below and watch this video.
http://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked.html

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will
enable you to read along while you watch. The Closed Caption buttons are located bottom right
of the video screen.

Submit your answers to these questions.


1. Hackers that hack into an automobile's computer system can obtain
radio speaker control for surveillance purposes. True or False?
2. How are the multitude of a vehicle's parts connected, and how can they be
accessed?
3. Anything that has software is vulnerable to attack. True or False?
4. List 3 of the attacks that were possible on ICDs.
5. What was used to determine what a person was typing on a
smartphone by stealing keystrokes?
6. Name at least one organization that uses the P25 device.

2.2.1 Home

Figure 1: Smart House Control Panel on an IPad (by Nick McCarth, CC-BY 3.0)

Today's home has more technology in it than was available in an entire town 30 years ago. There
are smart lights, TVs, appliances and home security systems available on the market. The
problem is that these appliances have very little built-in security or defenses. For example, there
are smart refrigerators that can tell you when you need more milk. They can literally update a
grocery list that you may keep on your mobile phone. There are issues with this seemingly
harmless ability, though. Read the below linked article on how hackers used a refrigerator in the
first ever cyber attack of this type.

Assigned Reading #1

Click the link to read the article: Hackers Use Refrigerator in Cyberattack
(http://www.foxnews.com/tech/2014/01/20/hackers-use-refrigerator-in-cyber-attack/?intcmp=features)

As the article outlines, the appliances in our house have the ability to communicate with
other devices. The problem is that the security aspect of these devices is an
afterthought. After the device is on the market and has been sold to thousands or
millions of people, it is too late to start thinking about good security practices with these
types of equipment. However, that is exactly what has happened. And as a result,
hackers were able to use unsuspecting devices to send millions of unwanted Spam
messages. Furthermore, many of these devices do not offer a way to lock down or
change default access codes. And all specifications for these types of things are readily
available on the Internet. They are there as a way to help consumers and technicians
troubleshoot and/or repair the appliances in case of failures. The problem is that this has
made them low-hanging fruit for hackers, just waiting to be picked and exploited.

A quote from the article deserves a bit more discussion. "Botnets are already a major
security concern -- and the emergence of thingbots may make the situation much
worse," Proofpoint's David Knight said. Botnets are a group of infected computers all
controlled by cybercriminals. In a botnet, the individual infected PCs are referred to
as zombies. Botnets are controlled by one or more master machines known as
botmasters. These machines give instructions to servers that are under their control,
which then in turn give the instructions to the zombie machines. They do things like
instruct the zombies to send enormous amounts of Spam, collect personal information
and commit DDoS attacks against other servers. See figure 2 for an illustration of one
way a botnet operates. In this example, it is being used to send Spam.

Figure 2 -How a botnet operates (by tom-b, CC-BY 3.0)


How a Botnet Works:

1. A botnet operator sends out viruses or worms, infecting ordinary users' computers,
whose payload is a malicious application, the bot.

2. The bot on the infected PC logs into a particular command and control (C&C) server
(often an IRC server, but, in some cases, a web server).

3. A spammer purchases access to the botnet from the operator.

4. The spammer sends instructions via the IRC server to the infected PCs, causing
them to send out spam messages to mail servers.

This passage was created by Wikipedia. (Creative Commons Attribution-ShareAlike
License) https://en.wikipedia.org/wiki/Botnet
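The four steps above describe two things a defender can actually look for in a home or small-office connection log: several machines logging into the same C&C (IRC) server, and machines that are not mail servers suddenly talking SMTP to many different mail servers. The following is an added example of such a check (not part of the course text or of Wikipedia's article); every address, host and log line in it is constructed, and the port numbers for IRC and SMTP are assumed.

```python
"""Added example: flag the two botnet behaviours described in the passage
above in a constructed outbound-connection log.  All addresses, hosts and
log lines are made up for this example (RFC 5737 documentation ranges)."""
import ipaddress
from collections import defaultdict

IRC_PORTS = {6667, 6697}   # plain-text and TLS IRC, assumed C&C channel (step 2)
SMTP_PORT = 25             # zombies spamming mail servers directly (step 4)

# Constructed firewall-style export: "timestamp src_ip dst_ip dst_port".
# 10.0.0.0/24 is the LAN; 10.0.0.20 is the site's one legitimate mail server.
SAMPLE_LOG = """\
2014-01-20T08:00:01 10.0.0.5  198.51.100.7 6667
2014-01-20T08:00:02 10.0.0.8  198.51.100.7 6667
2014-01-20T08:00:03 10.0.0.12 198.51.100.7 6667
2014-01-20T08:00:04 10.0.0.30 198.51.100.9 6667
2014-01-20T08:00:05 10.0.0.30 203.0.113.80 443
2014-01-20T08:01:00 10.0.0.5  203.0.113.10 25
2014-01-20T08:01:01 10.0.0.5  203.0.113.11 25
2014-01-20T08:01:02 10.0.0.5  203.0.113.12 25
2014-01-20T08:01:03 10.0.0.5  203.0.113.13 25
2014-01-20T08:01:04 10.0.0.8  203.0.113.20 25
2014-01-20T08:01:05 10.0.0.8  203.0.113.21 25
2014-01-20T08:01:06 10.0.0.8  203.0.113.22 25
2014-01-20T08:01:07 10.0.0.20 203.0.113.30 25
2014-01-20T08:01:08 10.0.0.20 203.0.113.31 25
2014-01-20T08:01:09 10.0.0.20 203.0.113.32 25
2014-01-20T08:01:10 10.0.0.40 203.0.113.50 25
this line is deliberately malformed and must be skipped
"""


def parse_log(text):
    """Return (src, dst, port) tuples; silently drop lines that do not parse."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, port = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            records.append((src, dst, int(port)))
        except ValueError:
            continue
    return records


def find_shared_cnc(records, min_bots=2):
    """Map each external IRC host contacted by at least min_bots internal hosts
    to the sorted list of those hosts.  One lone IRC user is unremarkable;
    several hosts rendezvousing on the same server matches step 2."""
    clients = defaultdict(set)
    for src, dst, port in records:
        if port in IRC_PORTS:
            clients[dst].add(src)
    return {dst: sorted(srcs, key=ipaddress.ip_address)
            for dst, srcs in clients.items() if len(srcs) >= min_bots}


def find_spam_senders(records, known_mail_servers=frozenset(), min_distinct=3):
    """Map each host that is not a known mail server and that talks SMTP to at
    least min_distinct distinct destinations to that count (step 4)."""
    targets = defaultdict(set)
    for src, dst, port in records:
        if port == SMTP_PORT and src not in known_mail_servers:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_distinct}


def analyse(text, known_mail_servers=frozenset({"10.0.0.20"})):
    """Run both checks; hosts that trip both are the likely zombies."""
    records = parse_log(text)
    cnc = find_shared_cnc(records)
    spam = find_spam_senders(records, known_mail_servers)
    members = {h for hosts in cnc.values() for h in hosts}
    zombies = sorted(members & set(spam), key=ipaddress.ip_address)
    return {"cnc": cnc, "spam": spam, "zombies": zombies}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for server, bots in result["cnc"].items():
        print(f"shared IRC C&C candidate {server}: {', '.join(bots)}")
    for host, n in sorted(result["spam"].items()):
        print(f"{host} contacted {n} distinct mail servers on port 25")
    print("likely zombies:", ", ".join(result["zombies"]))
```

Without the allow-list of real mail servers the site's own MTA trips the SMTP check too, which is why the second function takes that list as an argument.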

Figure 3: Innocent enough looking smart appliance (by David Berkowitz, CC-BY 3.0)

The thingbot represents the smart device that is not a computer or laptop. It is the
smart TV, refrigerator, home security system, oven, etc. As we've discussed, these
devices have even less security than an end-user's home computer in almost all cases.
So, they are much easier to command and control.

2.2.2 Credit Cards

More and more people are spending less time in retail shopping malls and more time
shopping online for everything from clothes to cars to groceries. The only way to
purchase something online is via the use of a credit card. Hence, it is extremely critical
to make sure of several things while shopping online:

1. Make sure that you know the company. Research the company for any
complaints that may have been filed about them and for their reputation for
safe online shopping. Review customer feedback comments
before making any purchase. If you see anything suspicious in any of these, you
should think twice about providing your private credit card information online to
them, regardless of how badly you want the product.
2. Ensure that when buying online the transactions are processed via encryption.
There are two easy ways to tell. One is to look for the gold padlock in the
address bar; also, the address should start with https:// versus http://. See
the below figure 4 for an example.

Figure 4: Secure Site Indicators

3. It may sound archaic, but it would be best to use the drive-up teller at the bank
and go inside to pay for your gas to give yourself better peace of mind in these
self-serve environments. Today's card skimmers come in all shapes and sizes
and are virtually undetectable in most cases. They look exactly like the real
product.

4. If number 3 is out of the question, use safe practices when using self-serve
equipment, as oftentimes there are hidden cameras that capture PIN numbers as
they are entered, or other personal information. So, always place one hand or
something over the hand that is entering PIN or zip code information to better
conceal what is being entered.

5. Finally, the less sophisticated devices, which unfortunately are becoming less common,
aren't as good in quality. So, always tug on the card reader to make sure it isn't
loose before you put your card in the slot. If it is loose at all or comes off, it is a
fake.

Sadly, all of these precautions will not guarantee that you will not become a victim.
They may help to minimize your risk though. Using a credit card versus a debit card
is a good alternative as you can more easily dispute credit card charges than debit
card charges. This is especially important because the devices used to capture and
steal credit and/or debit card information, skimmers, are so difficult to detect. Also,
the debit immediately comes out of your savings and is gone and you have to fight to
get it back. This is not the case with a credit card.

2.2.3 Smart PDAs

The risks faced when using smartphones or other mobile devices are linked directly
to how they are used. What types of things a person does on the smart device is a
key factor in determining what risks exist. All communications and actions are
subject to monitoring by government entities and hackers. An unprotected mobile
device is like a sitting duck waiting for an attacker to find it, exploit it and steal
information from unsuspecting individuals. As a general rule, it is wise to go with
trusted antivirus and antimalware providers for these devices. Take note of the
famous quote by Robert A. Heinlein: "Nothing of value is free. Even the breath of life
is purchased at birth only through gasping effort and pain." While deciding on what
protection to have on your mobile devices, keep this in mind. If it is a free product, it
may be laced with malware. There are some free products on the market that get
good reviews, so it is not out of the question and may be better than nothing. Just
keep the quote in mind and research anything you download for protection, whether
free or for a monetary value, before you make a final decision.

The simplest way to offer protection to mobile devices is to password protect them.
Never leave a mobile device with a default password or no password at all.
Commonly devices are lost or stolen and without a password, the thief has direct
access to your personal information. And if you do banking or other private
transaction type tasks on that device, they have access to that information, too.
Furthermore, do not allow a mobile device to store a password to a web site. It is
safest to enter the credentials to any web site accessed every time.

To Do Activity #4

Go to the Federal Communications Commission website and identify the steps
recommended to protect your mobile operating system. Click on the link below to
access the web site.

Click on this link: Smartphone Security
(http://www.fcc.gov/smartphone-security)

(Note: If you don't own a smart mobile device, choose one or more and review it for
future reference.)

Submit a list of recommendations for protecting your device.

2.2.4 Email

We briefly reviewed some email safety tips in the first module. We are going to review
some of the details you were asked to investigate in the first module in the following
demonstration. We will discuss how to analyze your email messages and better
determine those that slip through to your inbox that are really Spam. Also, we will
discuss the importance of reviewing your Junk mail box periodically.

Video #3

Click the link below to watch this short tutorial on Spam identification.

Spam Identification
(https://www.dropbox.com/s/teb049rpb19f6qn/Hotmail_Investigation_2_DOL_READY2.mp4)

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will
enable you to read along while you watch. The Closed Caption buttons are located bottom right
of the video screen.

Another important point in regards to email is that you should have more than one email
address. Given that one can be obtained free from many different sources, this should
not be hard to do. For example, for legitimate business correspondence, have a special
email address that is not used for any other things like couponing or blogging or
socializing on the Internet. If you do online banking, again it should be a separate email
address used solely for that purpose. None of the different email accounts should use
the same password or the same security questions, if possible. This way if one is
compromised, it doesn't give an intruder full access to everything you do online where
correspondence via email or using an email address is involved.

2.2.5 Web Surfing

In regards to surfing the web as you look up various topics for fun, research or out of
necessity, there are a few things to be on the look-out for:
1. Anytime you go to a website and see an ad or a pop-up that comes up saying
something like the following: your machine has some random number of malware
and spyware on it. Click here to scan and fix the problems or improve
performance. Do not do it! This is more often than not going to install malware
and spyware onto your machine. By clicking the button, you give it permission to
run and install whatever it wants.
2. Furthermore, there may be a Cancel button in the box itself. Do not click that
button either. Rather, you should first try to use the ESC key to see if the window
goes away. If it doesn't, then click the window close button, which is the top right
X in the frame of the window itself. Oftentimes all buttons inside malicious pop-
ups do the same thing: install spyware, malware or viruses.
3. Many times you will be surfing the internet to try to find an application, tool or
document that you want to download and install. On the download screens, be
careful about choosing the real download button. These screens often times
show advertisements that will look just like you would expect the download
button to look like. By law, they have to say that they are an advertisement, but it
is very subtle and hard to notice when looking at a full screen. Look at figure 5
below for two examples of download buttons that are really advertisements.

Figure 5: Advertisements that look like Download buttons.

2.2.6 Social Media


We've touched on social media aspects throughout this module. Social media and
social networking have solidified the notion that humans will sacrifice privacy for
attention, especially in younger generations. Social media is "forms of electronic
communication (as web sites for social networking and microblogging) through which
users create online communities to share information, ideas, personal messages, and
other content (as videos)" according to Merriam-Webster. Grouping people and
organizations because of like-minded opinions, hobbies and activities of enjoyment,
where they can collaborate and interact in person, in writing or online, is social
networking. [1]

The joys of social media and social networking can also make one a victim of malicious
social engineering, among other things. Before the Internet, social networking was done
primarily in person or in handwritten or typed letters. However, with the explosion of Internet
usage and popular social networking sites such as MySpace, Facebook and Twitter, it is
becoming more and more predominant online. Even social networking that takes place
in person now includes an Internet aspect. People
broadcast their every action, like, dislike, location, preference, etc. in online forums. This
is like taking all of your personal files and locked-away valuables out of your home and
putting them in your yard with labels on them for everyone to see and take.
Furthermore, by broadcasting location information people can easily track other people,
which can lead to cyberstalking. Worse yet, broadcasting information about upcoming
vacations, and while on vacation, gives a thief firsthand knowledge of the fact that your
physical valuables are, in a sense, unprotected. It's almost as if someone saying that
they are going on vacation or are on vacation should go ahead and broadcast the rest
of the secret information about where things are hidden in their house and ask nicely
that a thief just locate the valuables and not mess up anything else in their house when
they go to rob them.

Sadly, people don't realize that they are exposing themselves to so much risk when
using social media and social networks. Social networking web sites are being
monitored by the bad guys just as much as by anyone else, to find weak or vulnerable
targets. These sites offer loads of personal information about a person: phone number,
birth date, full name, relatives' names, pets' names, hobbies and even addresses can be
gleaned from such sites. All of these details about a person can aid social engineers
and hackers in guessing passwords, answers to secret questions on accounts, etc. So,
thinking to oneself, "I said I'm going on vacation, but no one knows where I live," is a
very bad assumption and is simply not true, because these social networking sites use
GPS to show locations you've been to and frequent, including your home. Social
engineering, from an information security aspect, refers to using trickery to get people
to divulge information or perform actions that they normally wouldn't do. Read the article
below to find out about the various known types of social engineering and how they
have been used for bad versus good.

[1] Ciampa, Mark (2012). Security Awareness: Applying Practical Security in Your World, Third Edition. 2010; p. 122
To Do Activity #5

Click the link below to read the article from Symantec on Social Engineering
Fundamentals, Part 1: Hacker Tactics. You are not required to delve deeper into the
article by reading all the linked information within the article for the purpose of this
module. However, there is a Part 2 linked at the bottom that may assist you in
answering the discussion question below.

Click on this link: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Discussion Question: Choose one of the methods mentioned in the article and define
what it is as well as discuss avoidance tactics that should be put in place. Submit your
answers.

2.3 We Must All Be Stewards

As we've seen in this module, there are several areas of risk in the personal, as well as
professional, lives of every individual. This applies even to those that say "I don't use
the Internet." The fact is that all individuals have personal information stored somewhere
on the Internet, and most likely have someone close to them that does use the Internet.
Therefore, we are all at risk and vulnerable. To reiterate what was said earlier in this
course, humans are the weakest link in information security. Regardless of the amount
of protection put in place with technology, this fact remains true.

Furthermore, training and awareness are key to safeguarding all individuals from
exploitation, not just to the protection of corporate assets. So, one thing that we as
individuals can do to help humans as a whole is to warn others and make them aware of
these risks and of the protective actions that can be taken. It will take every person
contributing to safety to minimize exploitation.

A final thought is the consideration of insurance or identity protection services. Many
states require owners/drivers to have car insurance in order to drive legally. Will the
nation one day require that we all have identity insurance? Should we be required to
have it? These questions would most certainly lead to debate in groups. These types of
services are receiving some attention in the media and by consumers as a result of all
the publicity surrounding massive breaches occurring at popular shopping locations,
government web sites, etc. It's important to understand that these services have both
positive aspects and, well, not-so-positive aspects.
As an individual, obtaining protection services doesn't ensure that your identity will not
be stolen. It's really just an alerting type of service and can assist with mitigation efforts.
A report published by Consumer Reports in 2013 discusses this topic in detail and
points out that many of the offerings of these services can be done by consumers
themselves at little to no cost. It points out that several of these businesses have been
fined and reprimanded by regulators for deceptive marketing practices. [1] These one-
stop protection services offer services that in many cases are already handled within
specific organizations, particularly credit card and banking facilities. And some of the
other services can be monitored by consumers at much lower cost and in some cases
free of charge. The article points out that many of the costs and damages from identity
theft or credit card fraud are exaggerated. It states, "Two-thirds of cases of ID theft
reported to the annual national Crime Victimization Survey involve stolen credit cards,
not stolen identities. Federal regulations limit your liability, usually to $50 per account,
and even that is often waived by card issuers." [2] In many cases, consumers need only
report something as fraud and any charges are cancelled or monies refunded. As a
best practice, people should monitor their accounts daily anyway, in which case any
breaches of bank accounts would be seen by the owner. The article goes on to point out
that the 1 million dollars of protection offered as part of the service is not necessary, as
the typical loss of an ID-theft victim averages $309 for breach of an existing account and
$1,205 for new account fraud. [3] And the services themselves only cover what isn't
covered by federal consumer protections, homeowners or renters insurance, or a
merchant, which is usually what covers such losses. [4]

To read the full article click on the link below:

Don't Get Taken Guarding Your ID
(http://www.consumerreports.org/cro/magazine/2013/01/don-t-get-taken-guarding-your-id/index.htm)

[1]-[4] Consumer Reports magazine (2013). Don't get taken guarding your ID: Do-it-yourself safeguards are just as effective as paid services

Critical Thinking
Write an online safety plan and discuss implementation of said plan, including
prioritization of the items included in the plan.
Dramatize a personal security event and develop a mitigation plan for future
avoidance.
Research your state's laws pertaining to cyberstalking, cyber harassment and
cyberbullying. Write a brief summary about the items included and not included in
the laws.
Compare and contrast key concepts: Give students the table below and ask them to fill it in using
two given concepts.

                                           Concept #1          Concept #2
                                           Cyber-bullying      Physical-bullying
Define or explain each concept
Explain how the concepts are similar
Explain how each concept is different
with respect to specific attributes

Further Study
There are an endless number of articles that give tips and warnings for online safety.
For more information, click the links below.

How to Protect Your Computer From Viruses and Hackers

(http://www.foxnews.com/tech/2014/05/02/how-to-protect-your-computer-from-viruses-and-hackers/)

Scams Safety

(http://www.fbi.gov/scams-safety)

Module 3 Content: Corporate Security Concerns

Introduction
The idea of business continuity, also known as enterprise continuity, has always been
considered important. However, many organizations are severely lacking in their
business continuity planning and preparedness efforts, and others have no plans in
place at all. Businesses focus most of their efforts on staying up and running versus
getting back up and running after an event that may never happen. Business
continuity comes into play after a disaster or adverse event occurs. It is defined as "the
ability of an organization to maintain its operations and services during a disruptive
event, including any recovery efforts that may be required after an event." [1] This
includes both natural and man-made events. Natural disaster events include such
things as fires, hurricanes, floods and earthquakes. A man-made disaster event can be
an enterprise infection from a computer virus, a break-in from hackers where one or
more systems are compromised, or a denial-of-service (DoS) attack, to name a few. It
can also include an insider attack. Business continuity planning should include clearly
defined mitigation and resolution steps for any and all foreseen events, and even for
those not foreseeable, that could occur at any time. The ultimate goal of business
continuity is to restore any services and data assets to normal operations as quickly as
possible without the loss of any data integrity or assets.

In order to successfully recover from a disaster, a good business continuity plan will
encompass three main areas: redundancy planning, disaster recovery procedures, as
well as incident response. [2]

Redundancy Planning: The process of implementing excess physical assets such as
servers, storage, networks, power sources and even sites that can take over for
production systems as needed. The extent to which redundancy is necessary and
implemented in an organization depends on the type of business.

The servers, storage, Internet access, power and network infrastructure that companies
use for regular day-to-day business are referred to as the production systems.
Depending on the size of a company and the criticality of its business and services, data
services and systems redundancy is implemented in either real-time, near-real-time
or not-real-time form.

For servers that host a company's main business service (e.g. an e-commerce web site),
real-time or near-real-time redundancy may be necessary, as a company could not
afford to have one of its main revenue-generating applications down for any lengthy
period of time. The dollars lost while such a web site is down can quickly add up. So, in
this case a real-time or near-real-time redundancy plan would be implemented. This
could include such things as hot-swappable hardware for the production servers. Or it
could include a fully functioning server that has the production system data replicated to
it in real-time or near-real-time, so that it could take over, automatically or manually, in
the event of a production system failure. In this example, manual hardware swap-outs
and/or data restores to a server that sits on standby would be the near-real-time
scenario. This is because it would take some amount of time to replace any hardware
and/or restore applications and redirect traffic in the network to the new take-over
equipment as part of getting the services and data running and accessible to end users.

Examples of services and data requiring real-time redundancy involve businesses
related to the financial markets, like banks and the stock market, and healthcare
facilities like hospitals. These services and the data that they work with must always be
available, and the data integrity must be upheld. In these businesses, there is no time to
have someone manually switch out hardware or do any kind of data restore. So, the only
feasible redundancy planning that can be done is real-time, which is more costly up
front. Yet it can ensure the business doesn't skip a beat, from a systems standpoint,
even in a disaster. This type of planning involves hot-swappable equipment and
servers that will always be able to either keep running even if a component of them fails
or, in the case of hot-swappable servers, automatically take over for any failing servers
in an organization without manual intervention. These types of systems could be set up
and integrated within an existing production environment. They could be in the same
physical site as the production systems. However, they may not be; they may be in
completely different physical locations. We will talk about physical sites in more detail
later in this module as we deep dive into the topic of disaster recovery.

A not-real-time redundancy example would be something like an intranet web site used
to allow users to input requests for service from the information technology group (e.g.
new user setup requests or new equipment requests). If a server like this were down for
a day or two, it wouldn't represent a business-critical need that must be up and running
again right away, or possibly even for a few days. In this case, there really is no
redundancy in place other than backed-up data, and it is most likely only backed up on
a daily basis. A new server would be put together and then a data restore would take
place to get the application back up and running. And in this case, there may have been
some data lost. Remember, backups aren't being done in real time. So, if a server like
this goes down at lunch time and the backup for it was done at midnight the night
before, any new request put in by users that morning would be considered lost. An easy
enough resolution to this would be to send a communication to impacted users letting
them know of the situation and that any requests entered during a specified period of
time should be redone.

Figure 1: Personal UPS device for one PC, 15 minute life (by Tonya M Davis)

In all of these cases, some form of redundant power is usually in place. The most
common form of power redundancy is the use of UPSs. A UPS, also known as a battery
backup, is an uninterruptible power supply device that keeps systems running in the
event of a main-source power failure caused by any number of things. Servers do not
handle hard crashes from power failures well. They need to be shut down properly and
manually to allow the systems time to commit any in-transit data actions or commands.
The use of a UPS device gives administrators time to manually shut down servers so
that they don't crash. A crash on a server is when it unexpectedly powers off while
operating under normal conditions. This can cause all kinds of problems, like data
corruption and even data loss. In critical businesses the UPS can be big enough to
power entire rooms and all systems therein for anywhere from 10-15 minutes to a few
hours. Generators are used as the power supply for entire rooms and the systems
therein should power not be restored within a short amount of time. A generator is
defined as a dynamo or similar machine for converting mechanical energy into
electricity. A UPS will not last indefinitely, as it gets its power from a battery and
eventually the battery will die. It is meant to give you enough time to power your
systems down gracefully in an emergency situation. A generator is powered by fuel, so
as long as the fuel is replenished, it can keep facilities running for as long as
necessary. Where storm damage occurs, this can be necessary for several days or, in
some cases, weeks. Only critical systems should remain powered on in the event of a
main-source power loss when a generator has to take over, in order to conserve fuel.
Figure 2 shows a powerful generator designed to keep an entire computer room running
for 48 to 96 hours depending on the load of machines left running. The black tank on
top holds the diesel fuel.

Figure 2: Powerful Computer Room Generator (by Tonya Davis)

[1] Ciampa, Mark (2012). Security Awareness: Applying Practical Security in Your World, Third Edition. 2010; p. 193
[2] Ciampa, Mark (2012). Security Awareness: Applying Practical Security in Your World, Third Edition. 2010; p. 193

Video #1

Watch this short humorous 2.5 minute video: http://www.youtube.com/watch?v=cxE940f7iq0

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will enable you to read along while
you watch. The Closed Caption buttons are located bottom right of the video screen.

**Class Discussion**
Module 3 Discussion #1
Where do you live? What type of physical disasters are most likely to occur where you
live? Prioritize preparedness planning for the 5 most likely natural disasters that could
impact a business in your area. Click on the Start a New Thread button to post your
response to this question.

Disaster Recovery and Incident Response Preparedness, as well as more details
regarding Business Continuity, will be covered in the next sections.

3.1 Disaster Recovery Planning

Disaster recovery has been likened to car insurance by many professionals over the
years. It is something that a company may never have to call upon. Yet it is critical in
the event of an emergency. A disaster recovery plan, a.k.a. DR plan, is the preparation
for and recovery from a disaster, whether natural or man-made. The goal of DR
planning is to minimize loss of information and business interruption in the event of a
disaster. [1] This preparation will differ depending on the physical location of a
business and also the types of technology the company has in place. Furthermore, it
depends greatly on the number of business processes within an organization and the
criticality of those processes to the survival of the business overall. A DR plan is not a
vanilla procedure that can just be copied and put in place by all. It must be carefully
tailored for the business it is created to protect. And every business, regardless of
type, should prepare for unforeseen incidents. This can involve a significant investment
of time and money for an organization. Therefore, an overarching step in this process is
for senior management to agree on and establish a clear and concise policy of support
for contingency planning, which includes business impact analysis, incident response,
DR planning and business continuity planning. All of these efforts combined are meant
to get a business back to a business-as-usual state for the lowest cost and with as little
downtime as possible. We will now outline a process of creating a DR plan from the
ground up.

A company should perform a risk assessment through a traditional risk assessment
methodology. We will not be going into detail on this particular aspect. However, there is
a plethora of information and templates available on the Internet to aid in this task. The
deliverable from a risk assessment is a risk management plan, which identifies all risks
and ensures that there are controls in place to handle and protect those assets deemed
critical. This would include all possible adverse events that could occur to interrupt the
normal functioning of a business process or the business as a whole. The likelihood of
the adverse events should also be determined, along with the impact severity if said
event were to occur. The primary purpose here is to prioritize where the organization
should focus resources, including funds, in the development of incident response and
disaster recovery plans. The assessment basically outlines all possible threats and
vulnerabilities an organization may face at any given time. The natural threats an
organization faces depend in some regards on where its information assets live and
also on the systems that run the business. Some natural threats exist regardless of
geographical location. For example, a company located in California or Japan should
be prepared with a higher priority for an earthquake, whereas a company located on the
coast of South or North Carolina should be prepared with a higher priority for a
hurricane. Fires can happen anywhere at any time, and so all locations should be
prepared for a disaster involving fire. The lowest-priority type of disaster would be a civil
disturbance. The likelihood of a civil disturbance occurring within the United States is
lower than that of a fire. Because of this, companies located in the States may not
implement much in regard to DR planning for a civil disturbance. [2]

Also included in this effort is a business impact analysis (BIA). The BIA determines what
the consequences are for some particular aspect of the business operation, using the
threat scenarios identified in the risk assessment. The main difference between risk
management and a business impact analysis is that the BIA assumes that any controls
in place to handle identified risks have failed and that a disaster has occurred. It
requires that recovery procedures be performed to get the business back to a
business-as-usual state. It also further aids in the determination of the most critical
business processes. Finally, it determines resource requirements for the processes,
including systems, manpower and equipment, including possible backup and restore
equipment.

[1] Conklin, Wm. Arthur, Shoemaker, Dan (2012). Cybersecurity: The Essential Body of Knowledge; p. 199
[2] Conklin, Wm. Arthur, Shoemaker, Dan (2012). Cybersecurity: The Essential Body of Knowledge; p. 199

To Do Activity #1 Part 1:

Review the wiki page for an overview of what is included in a Business Impact Analysis.

Click the link to access the information: http://applicableapps.wikidot.com/business-impact-analysis

Class Exercise: Summarize the key points of the BIA for an in-class activity.

A company must perform an inventory of all digital assets and the information contained
therein. The inventory should be detailed information kept in a chart or other
manageable format. For example, the system should be described. The data items it
contains should be listed. The backup procedures surrounding the information should
be described, along with the retention timeframes. The digital assets should be
classified and tied to one or more business processes. A business process can be
thought of like a department (e.g. sales or procurement) that works in support of the
overall success of a business. The information in this step can be kept separate from or
included in the business impact analysis. Often this is part of the risk management
process as well. In a larger organization it should be separate, so as to be able to more
easily identify any gaps that may hinder recovery. One way or another, this step needs
to be done and documented. It may also highlight areas that should be addressed for
general continuity needs. For example, if a system was deemed critical and the
information below showed that it wasn't being backed up, or that backups weren't being
retained long enough, this problem could be addressed as well.

Columns: System | Data Items | System Purpose | Backup; Retention Period | Data
Available somewhere else? (Yes, No or Some) | Bus. Process | Importance (H, M or L)

System: Outlook / Windows 2012 server; 32 GB RAM, 160 GB storage
  Data Items: email-related fields like To:, From and Body of messages. Also, contact
  forms: contact name, phone number, company etc.
  System Purpose: Handle incoming and outgoing email. Maintain all end user contact
  records.
  Backup; Retention Period: Yes; 30 days
  Data Available somewhere else?: Some; all contact details maintained in Salesforce
  application
  Bus. Process: All
  Importance: M

System: Salesforce; Unix Server
  Data Items: Customer resource management application used by sales personnel
  System Purpose: Track all customer details including sales revenue and primary
  contact details as well as contact history
  Backup; Retention Period: Yes; 30 days
  Data Available somewhere else?: Some; contact details available in some sales
  personnel email; sales information kept in data warehouse
  Bus. Process: Sales
  Importance: M

System: Mainframe/Legacy system; OS/400
  Data Items: Product details; inventory details; customer price sheets, open and
  closed orders; shipment details; master customer records
  System Purpose: Keeps track of all product inventory and details therein; customer
  price sheets, open and closed orders; shipment details; master customer records
  Backup; Retention Period: Yes; 7 years
  Data Available somewhere else?: Some
  Bus. Process: All
  Importance: H

Figure 3: Information Systems Assets example (by Tonya M Davis)

This is just one example of what an IT systems inventory document may look like. In the
above example, we would use the system information to help us prioritize which
systems to address first, and to prioritize our response-time planning as well. So, we
wouldn't work on the email system first in the event of a disaster or incident. We would
have to focus our attention on the critical system defined, which is the mainframe. We
see from above that it is prioritized as high, while the other two only have a medium
priority. And we can further see the importance of the information maintained in the
mainframe by the retention period on the backups, which is significantly longer than for
the other two systems.

With the above two documents, we can effectively determine business process and
system criticality and begin development of a disaster recovery plan with a clear
understanding of what to work on first based on priority. It is important to note that DR
only comes into play when it is determined that a business and/or critical business
process will be unavailable through normal channels for an extended period of time. A
fair marker would be if a company knows that it will be down for more than a day. In
this case, it is worthwhile to invoke all or some DR procedures to get back up and
running with at least the critical systems as soon as possible, to avoid significant
revenue and business loss. Now, if a main system is down and technicians determine
that they will be unable to recover the system it lives on, the DR procedure involving
that system could be activated in as little as 2 to 4 hours. The reason for this is that the
main system may be an integral part of how revenue or business transactions occur,
and with it down, business has essentially stopped. The BIA highlights the tolerance
level for a system being down, so that the recovery team can know, effectively and with
a high degree of certainty, when to activate all or part of the DR plan. These documents
leave no room for someone to be on the fence about whether something in DR should
be done or not. If everything at the primary location is down and it is determined that it
will take less time to bring everything up at a designated alternate site, the DR plan
would be activated as a whole.

Assuming all or part of a DR plan has been activated, it is also important to note that the
plan may not go off as expected. Therefore, it is important to have escalation
procedures in place to handle any unforeseen events that may occur during a DR
procedure. Technicians need to know exactly when they should escalate an issue to
avoid increased damage from an event.

The series of videos below is offered via the www.ready.gov website created by NIST.
NIST, the National Institute of Standards and Technology, is a non-regulatory federal
technology agency under the Department of Commerce, headquartered in Gaithersburg,
Maryland. They work with industry to develop and apply technology, measurements and
standards. NIST has published several guidelines and templates that businesses and
people alike can use to incorporate safe practices into their lives and organizations.
These videos walk through a logical, stepped approach to the development and
implementation of a business continuity plan.

To Do Activity #1 Part 2: Business Continuity Training

Why is Business Continuity Planning Important?

Click the link below to view the page on business continuity planning.

http://www.ready.gov/business-continuity-planning-suite

Click the link below and watch the video, then answer the questions below.

http://www.fema.gov/media-library/assets/videos/80233

1. Why is business continuity planning important?
2. Why should businesses do business with suppliers that have continuity plans in place?
3. How was an auto company impacted by the Japanese tsunami?
4. Many companies today refuse to work with vendors that don't have continuity plans in place? Tr
5. After a disaster, what percentage of companies never reopen their doors?

To Do Activity #1 Part 3: Business Continuity Training


What is the Business Continuity Planning Process?

Click the link below to read the page.

http://www.ready.gov/business-continuity-planning-suite

Click the link below to watch the video, then answer the questions below.

http://www.fema.gov/media-library/assets/videos/80240

1. A well developed plan takes _______________.
2. What are some of the questions a business should start off by asking in starting a business con
3. What are the steps to a business continuity process according to the video and in what order?

To Do Activity #2 Part 1: Business Continuity Training


What is the Business Continuity Planning Process?
Click the link below to view the page.

Step 1: Prepare.

http://www.ready.gov/business-continuity-planning-suite

Click the link below to watch the video, then answer the questions below:

http://www.fema.gov/media-library/assets/videos/80247

1. List at least 5 things that an organization should gather and have in a detailed list
of while preparing for the BC planning process.

2. What kind of detailed lists should be developed?

To Do Activity #2 Part 2: Business Continuity Training


What is the Business Continuity Planning Process?

Click the link below to view the page.

Step 2: Define

http://www.ready.gov/business-continuity-planning-suite

Click the link below to watch the video, then answer the questions below.

http://www.fema.gov/media-library/assets/videos/80260

1. How can you start the process of defining your objectives?


2. How do you determine your recovery time objective?
3. What are some questions to ask surrounding RTO?

To Do Activity #2, Part 3: Business Continuity Training


What is the Business Continuity Planning Process?

Click the link below to view the page.

Step 3: Identify

http://www.ready.gov/business-continuity-planning-suite

Click the link below to watch the video, then answer the questions below.

http://www.fema.gov/media-library/assets/videos/80267

1. How does the video state you should begin this step?
2. What is the approach the video describes to do for assessing your business?

To Do Activity #2, Part 4: Business Continuity Training


What is the Business Continuity Planning Process?

Click the link below to view the page.

Step 4: Develop
http://www.ready.gov/business-continuity-planning-suite

Click the link below to watch the video, then answer the questions below.

http://www.fema.gov/media-library/assets/videos/80274

1. What is a deciding factor in determining where your management team will
operate in the event of a disaster?
2. It is only necessary to develop strategies to address the high and medium risk
items that were identified in your business impact analysis? True or False?
3. For production or manufacturing businesses, what kinds of issues do the
strategies that you develop specific to your business present?
4. Name at least 3 ways issues can be mitigated in recovery efforts.
5. Why is it important to address community and employee needs in this effort?
6. Why should communications recovery be considered critical in this effort?

7. What are at least 4 of the suggestions for the IT recovery effort?

To Do Activity #2, Part 5: Business Continuity Training


What is the Business Continuity Planning Process?

Click the link below to view the page.

Step 5: Teams

http://www.ready.gov/business-continuity-planning-suite
Click the link below to watch the video, then answer the questions below.
http://www.fema.gov/media-library/assets/videos/80280

1. List the 5 suggested team names that a business may create as part of the
continuity effort.

2. What type of format would be best for tasks for each team to follow in the event
of having to execute the continuity plan?

To Do Activity #2, Part 6: Business Continuity Training


What is the Business Continuity Planning Process?

Click the link below to view the page.

Step 6: Test

http://www.ready.gov/business-continuity-planning-suite

Click the link below to watch the video, then answer the questions
below.

http://www.fema.gov/media-library/assets/videos/80287

1. Why would it be important to test a plan?


2. How often should testing be performed?

3. Why is it more crucial for a small to medium business to have a continuity plan in
place versus not as critical for a larger organization?

3.1.1 DEEP DIVE INTO RECOVERY TIMES

As part of determining tolerance levels of systems and business processes, there are
four factors that come into play according to NIST. The four factors are MTD, RTO,
RPO and WRT. We will briefly discuss the meaning of each of these variables. These
factors are critical in deciding final strategies for incident response and disaster
recovery.

According to NIST, MTD stands for maximum tolerable downtime and is defined as "the
total amount of time the system owner/authorizing official is willing to accept for a
mission/business process outage or disruption and includes all impact considerations."
NIST warns that failure to determine this value could result in a planning team being left
without a clear understanding of the depth of detail that is needed in creating recovery
methods, or, worse, an ambiguous direction leading to the selection of inappropriate
recovery methods. This is basically a "the system/process cannot be down any longer
than this, no matter what it takes to get it back up" value. [1]

The next variable, RTO, stands for recovery time objective according to NIST. It is the
maximum amount of time that a system resource can remain unavailable before there is
an unacceptable impact on other system resources, supported mission/business
processes, and the MTD. RTO represents the availability leg of the cybersecurity triad
that was introduced in Module 1. This basically means that a system or process cannot
be down or unavailable any longer than this value before things start to suffer, so the
goal is to have it back up by this time. For example, a company's main legacy system
that is used to enter all their orders and track their inventory couldn't be down for very
long without all business essentially coming to a halt, as that system would be critical
to perform any sales of products. [2]

The RPO is known as the recovery point objective. This differs from the RTO in that it
is not talking about how soon the goal is to have a system back up. Rather, it is
referring to how current the data has to be when the system does come back up. The
recovery point objective according to NIST is defined as "the point in time, prior to a
disruption or system outage, to which mission/business process data can be recovered
(given the most recent backup copy of the data) after an outage." So, when a system is
brought back up, are we going to be missing a whole day of information because the
system was only backed up nightly and the outage happened at 4:30 PM the following
business day? Or are we going to be missing only an hour's worth of data because the
system is backed up near-to-real-time on an hourly basis? NIST adds, "RPO is not
considered as part of the MTD. Rather, it is a factor of how much data loss the
mission/business process can tolerate during the recovery process. To have a low RPO,
investments must be made in backing up and properly handling data more frequently so
that it would be more current when restored to a system that experienced a
disruption." [3]
[1] Whitman, Michael E. & Herbert J. Mattord; Management of Information Security.
Fourth Edition 2014; p 83
[2] Whitman, Michael E. & Herbert J. Mattord; Management of Information Security.
Fourth Edition 2014; p 83
[3] Whitman, Michael E. & Herbert J. Mattord; Management of Information Security.
Fourth Edition 2014; p 83

Module 3 Discussion #2

Class Discussion

Discuss why a hospital or the stock market would have a much more critical RPO than a
book store or bakery.

A newer variable that has recently been added to the RTO is the WRT. NIST specifically
hasn't added this variable. However, other organizations have added it out of necessity.
The reason is that just because data has been restored to a system and it is back up
and live, so to speak, that doesn't mean it is ready for end user consumption. It may
require specialized resources to work more on the system before it is ready for use by
the masses. This is the WRT or Work Recovery Time variable. It is basically defined as
the amount of time it will take after a system is restored to a running state before it can
be used by the end users. WRT is added to the RTO to determine when a system will
really be available again. This may change the approach in developing a restoration
plan and require more funding and resources to meet the goal of the RTO. [1]

[1] Whitman, Michael E. & Herbert J. Mattord; Management of Information Security.
Fourth Edition 2014; p 83
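As an added example (not part of the course material or of NIST's guidance), the following Python puts the four variables together for a plan check: it adds WRT to RTO and compares the result against the MTD, and compares the worst-case data loss implied by a backup interval against the RPO. The sample systems and the 2:00 AM nightly backup are constructed values modeled on the order-entry system and the nightly-versus-hourly backup scenario in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class RecoveryTargets:
    """Recovery tolerance values for one system or business process, all in hours.
    Sample values in this file are constructed for illustration, not from NIST."""
    name: str
    mtd: float              # maximum tolerable downtime, set by the system owner
    rto: float              # recovery time objective: time to a running system
    wrt: float              # work recovery time: validation before end users get it back
    rpo: float              # recovery point objective: tolerable age of restored data
    backup_interval: float  # how often a restorable backup copy is taken


def effective_recovery_time(t: RecoveryTargets) -> float:
    """RTO alone understates the outage: users only get the system back after WRT."""
    return t.rto + t.wrt


def worst_case_data_loss(t: RecoveryTargets) -> float:
    """If the disruption strikes just before the next backup, the whole interval is lost."""
    return t.backup_interval


def data_loss_hours(last_backup_iso: str, outage_iso: str) -> float:
    """Age, in hours, of the most recent backup at the moment of a specific outage.
    Timestamps are ISO 8601 strings such as '2024-01-01T02:00'."""
    last_backup = datetime.fromisoformat(last_backup_iso)
    outage = datetime.fromisoformat(outage_iso)
    if outage < last_backup:
        raise ValueError("outage precedes the last backup")
    return (outage - last_backup) / timedelta(hours=1)


def evaluate_targets(t: RecoveryTargets) -> List[str]:
    """Return findings where the stated targets contradict each other.
    An empty list means the plan's numbers are internally consistent."""
    findings: List[str] = []
    total = effective_recovery_time(t)
    if t.rto > t.mtd:
        findings.append(f"{t.name}: RTO {t.rto}h already exceeds MTD {t.mtd}h")
    elif total > t.mtd:
        findings.append(
            f"{t.name}: RTO + WRT = {total}h exceeds MTD {t.mtd}h; "
            "fund a faster restore or shorten the work recovery step")
    loss = worst_case_data_loss(t)
    if loss > t.rpo:
        findings.append(
            f"{t.name}: backups every {t.backup_interval}h can lose up to {loss}h "
            f"of data but RPO is {t.rpo}h; back up more often")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the legacy order-entry system from the text,
    # backed up nightly, next to the same system with hourly backups.
    nightly = RecoveryTargets("order-entry (nightly backup)", mtd=24, rto=8, wrt=4,
                              rpo=1, backup_interval=24)
    hourly = RecoveryTargets("order-entry (hourly backup)", mtd=24, rto=8, wrt=4,
                             rpo=1, backup_interval=1)
    for system in (nightly, hourly):
        print(system.name, "->", evaluate_targets(system) or ["consistent"])
    # The text's scenario: a 2:00 AM nightly backup and an outage at 4:30 PM.
    print("data lost:", data_loss_hours("2024-01-01T02:00", "2024-01-01T16:30"), "hours")
```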

3.1.2 Deep Dive into Recovery Locations

In developing a thorough disaster recovery plan, organizations often have to consider
alternate locations for recovery. It can take two or more weeks for normal operations to
be restored in the event of a hurricane or tornado, even if a building is not completely
destroyed, due to surrounding utility issues or debris that keeps the regular building
from normal operations. In the event of an ice storm, even main roads can be blocked
by fallen trees, sometimes for days in more rural areas and at a minimum a day in more
populated areas. This would prevent employees from being able to physically get to
work.

The good thing about information technology in today's society is that telecommuting is
often possible for IT staff. So, if computer operations aren't disrupted for a nationwide or
worldwide company, many employees at the main headquarters, assuming that is
where the IT department personnel work, could still service the organization's needs
from a technology standpoint for those areas that were not impacted by a localized
disaster or event. Organizations may just need to relocate their IT staff to another
location and set up a mobile shop for a temporary time while the main headquarters is
being recovered. This is all true when IT equipment doesn't live in the same building
where the IT staff work. This type of setup is becoming more commonplace for larger
organizations. They are realizing that they need to have their data centers located in
places with a low probability of disaster. Twenty years ago, IT staff had to be able to put
their hands on the actual servers and equipment to service or work on it in order to
fulfill their daily duties. Technology advancements like remote control and remote
access software have made this constraint obsolete. As such, there is more flexibility to
get critical equipment into the safest place that an organization can afford up front. An
example of this type of setup would be a corporate office in Charleston, SC, where IT
staff generally come to work every day, with all the IT equipment that these IT staffers
manage and service located in a data center 100 miles inland in a location like
Columbia, SC. In reality, the equipment could be located inside a mountain in Utah or
Idaho. As long as there is network connectivity, the personnel can do what they need to
remotely to fulfill their daily job duties.

For those organizations that cannot feasibly have this type of setup, where systems are
already in safe locations, there should be heavier consideration given to relocation of
information technology equipment. And it should be noted that even if equipment is
already in a safe place, disasters can happen anywhere. So, relocation contingency
planning needs to be considered, period. It may just be that we will not have to be
prepared to move our equipment every time. Companies like Verizon, AT&T and other
vendors have heavily fortified data centers that organizations can rent to house their
systems all the time. Such data centers are so prepared for any type of disaster,
including fire and water damage, that a company may not have to prepare as much as
a company that houses its own data systems.

We will briefly discuss some of the options a company can consider in choosing an
alternate location. The relocation strategies we will discuss are hot, cold and warm
sites.

A hot site is essentially an exact duplicate of the original production site, including all
equipment, peripherals, desks, phones and work areas. It is a location for which the
organization pays to maintain all power, water, Internet connectivity, etc., just as at the
regular site. It has the exact same equipment in it, ready to take over for a data center
that has failed due to a disaster of any kind. This is a very costly option for an
organization; in fact, it is the most expensive option currently on the market. It may be
hard to justify for manufacturing or production organizations because the servers and
equipment that will have to be purchased and set up in the hot site duplicate the cost of
the real site, which can be in the millions. All of the equipment has to match the
specifications of the production site in order to know it can take over within minutes if
needed. [1]

The only things necessary for this site to take over are to get the latest backups to it,
restore them onto the equipment, and get the employees there or connected somehow.
In this case, an organization may consider real-time backups, so that this equipment is
always current with what their production data systems were. For an organization that
can get by with near-to-real-time rather than real-time backups, some cost savings can
be obtained. Backups could be transported to the location and manually restored onto
the equipment to restore services. This takes a bit more time, but many organizations
can handle a day of downtime to make all this happen. Also, in the restoration process,
the company should have already defined which systems are to be restored first to get
critical operations back up and running as soon as is physically possible. There is a
high degree of overhead in maintaining the equipment that would live in a hot site. For
example, all maintenance that is done on production servers has to be done on the hot
site equipment to make sure that the quickest recovery can be done should the need
arise. As we are all probably aware, every computer system and software package from
time to time has some type of maintenance or service pack released for it that
administrators have to install.

A warm site is very similar to the hot site in that it does include the utilities and office
equipment and servers, including needed peripherals like keyboards and monitors. The
servers are not configured at all, though, and software is not already installed on them
such that only a restore from a backup would have to be done. Rather, getting one of
these servers operational will require personnel to install and configure software and
applications, and then a restore from backups would be performed. Because the
equipment is not already installed and configured with the expectation of being able to
immediately take over for systems, no regular maintenance is necessary. Unlike a hot
site, though, this type of setup can take more than a day to get operational. [2]

The cold site is also an option to consider. A cold site is basically an empty room that
just has power, water and heat, possibly AC, and a roof overhead; it provides only these
basic services. Everything else has to be brought to the site upon move-in, or it can be
added as an add-on cost in the contract negotiations. This is the lowest cost option for
obvious reasons. The main reason a company may consider this is to be assured that
they have somewhere to go to set up shop in the event of a disaster. [3]

[1] Whitman, Michael E. & Herbert J. Mattord; Management of Information Security.
Fourth Edition 2014; p 109
[2] Whitman, Michael E. & Herbert J. Mattord; Management of Information Security.
Fourth Edition 2014; p 109
[3] Whitman, Michael E. & Herbert J. Mattord; Management of Information Security.
Fourth Edition 2014; p 110

3.2 Physical

Physical security is very important when it comes to an overall information technology
plan for an organization. However, many physical security people don't realize this fact
and how important it is, nor do they realize what their role is in an information security
plan and process. As a result, businesses are often breached the good ol' fashioned
way, requiring no high tech skillsets to access sensitive equipment and data assets. An
unlocked door is still an unlocked door and the easiest way for a thief to steal
something when no one is looking.

When we think of physical security, we may think of a guard manning a gate at the
entrance to a facility or even a guard patrolling a facility. There is much more to physical
security than this, though. In every organization there are physical areas of sensitivity
(e.g., computer rooms, the human resources desk) and areas where security is not as
much of a concern. Knowing the difference within an organization is critical for all
employees. Even those employees that don't work in information technology or physical
security need to understand protected space and take action if something is not right
within a protected space. Protected space is an area that an organization deems as
requiring physical security features to protect it. All assets that require security should
be maintained within protected space in one way or another. An organization should
inventory all of their physical assets needing security as a first step in physical security
planning.

3.2.1 Architectural Design


Physical security considerations should be addressed prior to building a new facility or
remodeling an existing one. The amount of physical security in place is typically dictated
by the availability of security resources, including funding, as well as the required levels
of security for the various assets classified as needing security. In designing a new or
remodeling an existing physical location there are several areas of physical security to
consider. It is important to note that this is an ongoing process, as things change over
time, even though physical security requirements don't change as often as digital
security requirements.

Deterrence methods are a common way to add physical security to a location. The
goal of deterrence methods is to convince potential attackers that a successful attack is
unlikely due to strong defenses. [1] This involves external elements such as the
following: warning signs; well-lit entryways; fences and gates; bollards and landscaping
techniques; and real or fake surveillance equipment posted in a very visible area.
Warning signs should be posted outside of any protected space. Bollards are short,
thick posts that are meant to keep traffic out of a particular area. Figure 4 provides an
illustration of bollards that restrict vehicle entry to sensitive areas.

Figure 4: Bollards (by Tonya M Davis)

Landscaping features such as trenches are placed strategically to prevent easy entry
into a location. Also, a 10- to 20-foot wooded area in front of a facility may be left
uncleared to help with privacy concerns. A long, grassy open field can be created in
front of, beside or behind a facility for security reasons, as well. In a long open field, an
intruder would be easily spotted as out of place. Figure 5 shows manicured landscaping
that prevents intruders from hiding close to buildings. Notice that it is well below any
window entry.

Figure 5: Appropriately Manicured Landscaping (by Tonya M Davis)

Warning signs not only serve to deter would-be intruders, they also serve as a defense
in the event a breach does occur. A lawyer would certainly use the fact that there were
no warning signs against an organization if the opportunity were to arise. Figure 6
provides 3 examples of warning signs, which should be posted in highly visible areas.
Figure 6: Warning signs. A. Surveillance / CCTV; B. Warning with physical deterrence;
C. Highly Noticeable Danger/Keep Out Sign (image A. by openclipart.com, CC-BY 3.0,
image B. by Edward, CC-BY 3.0, and image C. by Mykl Roventine, CC-BY 3.0)

Note regarding Figure 6B pictured above: as you can see, there is a sign warning folks
of danger if they climb the wall, since the top is covered with sharp spikes. If a person
were to have climbed the wall to try to break into the facility and gotten hurt, and that
sign had not been there, the injured person's lawyer would most likely be able to win a
suit against the company. Despite the fact that the person was trying to rob the
company, without the sign the company could be held liable for the would-be robber's
injuries. This is just one example of how the signs are not only there for deterrence,
but to protect the company as well.

[1] http://en.wikipedia.org/wiki/Physical_security#Elements_and_design

To Do Activity #3
Research and discuss in the Discussion area of the course shell where a company was
sued for injury by a would-be robber. Did the company win or the would-be robber and
why?

Click the Start a New Thread button to post your response. Click the link to access
the Module 3 To Do Activity #5 discussion.

3.2.2 Workplace Security


Many of the previously mentioned physical security features for the outside of a facility
may be applicable for placement inside a facility, as well. After all, the most sensitive
protected space should be fortified behind several barriers, if you will, to help minimize
the possibility of a breach. An example of this might be a computer room or wiring
closet. Inside these locations, access to the digital infrastructure of a facility is fairly
easy if one can physically get into one of these types of locations. This is true regardless
of what kind of perimeter network security is in place. A firewall protecting the perimeter
of a company's network does no good against an intruder that has gained physical
access to a computer room and/or an unlocked server. Secure space should always be
accessed through secure perimeters. [1] It's critical to make sure any protected space
has access control mechanisms in place. Furthermore, only authorized personnel should
be given access to such areas. Least privilege applies in this case, just as it does in
system access. The principle of Least Privilege dictates that employees should be
granted the least amount of access that they need to do their job and no more. In the
case of physical access, only those that must perform duties in a protected space
should be granted access to that location.

Intrusion detection is another classification of physical security methods. This would
involve such things as the following: guard gates, motion detectors, alarm systems and
CCTV (video surveillance). There is a negative aspect to alarm systems and tripped
alarms, though. One negative may be the reaction time it takes to address an alarm.
Due to the large number of false alarms, many monitoring entities require verification of
an intrusion prior to dispatching emergency response personnel. In the case of an
intruder, they could test this out and determine just how much time they would have to
do their deed before being caught. This particular scenario would involve a closed
business. There are many information security breaches that occur during regular
business hours due to physical security breaches. See the Case Scenario "Lobby
Attendant" below for one example.

Case Scenario Lobby Attendant:

A visitor comes into an office where he is met by a lobby attendant. The
attendant is required by policy to not allow any visitors past a certain point
without an escort. However, the lobby doesn't have a bathroom and the
attendant is strictly prohibited from leaving the post. The guest pleads with the
attendant that they have to go to the bathroom; it has been a 2 hour drive and
they cannot wait, or some other kind of excuse, many of which would be
believable. What does the attendant do? All too often, the innocent enough
looking visitor is allowed into the operating area of a business unescorted. The
visitor is now free to browse people's desks and roam wherever they want that
isn't under another lock and key. They could plant their own surveillance
equipment, photograph sensitive information on employees' desks or, worse,
insert a USB flash drive into an unlocked, unattended employee computer and
unleash a harmful virus or steal proprietary secret information.

This can all happen in the amount of time one may think it takes to go to the
bathroom. Worse, the attendant, who is now busy answering phones and
performing other duties, could forget altogether that they allowed an unauthorized
visitor inside. This would leave the visitor free to roam for long periods of time.
In a medium to large business where employees don't know each other in the
office very well, the visitor could be left to roam indefinitely.

This leads to the point of making sure that all employees practice proper
techniques in keeping confidential or proprietary information or assets out of
reach should the wrong set of eyes and/or hands be at their desk unattended. It
is critical that all employees know that they must lock their computer screens
any time they leave their desk. It doesn't matter if they are just going to get a
coffee refill, just going to the cubicle next door for a quick chat, or leaving for
lunch. An intruder could steal valuable information off an unlocked machine in a
matter of minutes. This is unfortunately something that many employees don't do
when they think they will be right back. Technology helps with this to a degree.
Administrators will set policies that make computers automatically lock after
being unattended for a period of time. However, that period of time is usually 30
minutes. A detrimental worm could be unleashed in that time or, worse, entire hard
drives of data could be stolen via USB flash drives in a fraction of that time.

It should be noted that a physical breach doesn't have to end with access to a
computer system to be called a success. Again, employees leaving important
secret information on their desks could leak information that could negatively
impact a company's bottom line. Most people carry smart phones these days
that have very good cameras built in. So, if private papers are left on an
empty desk, pictures are easy to take, as well. There are usually multiple entry
ways into a facility. Once the visitor gets what they came for, they can quietly exit
the facility with no one realizing a breach has occurred.

[1] Conklin, Wm. Arthur, Shoemaker, Dan (2012). Cybersecurity The Essential Body of
Knowledge; p. 335

Video #2

Watch these short videos related to physical security breaches allowed by unsuspecting
employees.

1) http://youtu.be/D7BZkubZOFY

2) http://www.youtube.com/watch?v=tmOGJVDvJaQ

Note: If needed, there are CLOSED CAPTION buttons on the YouTube videos that will enable you to
read along while you watch. The Closed Caption buttons are located at the bottom right of the video screen.

3.3 Concerns in the Building

As we've discussed, there are several different ways a company can add physical
defense to their organization. Notice that we ended the previous topic by talking about
employees and their role in that effort. Remember, the human is the weakest link.

Defense-in-depth is a concept that many security practitioners are well aware of.
Defense-in-depth is defined as the practice of arranging defensive lines or fortifications
so that they can defend each other, especially in case of an enemy incursion. The
important thing about it is that it doesn't mean that you just have multiple layers of
technology tools for defense; rather, it is important for an organization to have multiple
layers of defense that include employee training and awareness so that their actions
always keep security in mind. As you can see in the Layers of Defense-in-Depth
figure below, the people layer (the Policies, Procedures and Awareness section) and
the physical layer are the first layers of a successful defense. We will discuss
defense-in-depth technology methods later in this course.

Figure 7 - Layers of Defense-in-Depth created by Tonya M Davis

Considerations for inside the workplace related to physical security also include the
use of white noise. Quite simply, it is noise containing many frequencies with equal
intensities. Many offices today have large layouts of cubicles that enable the placement
of many workers in a smaller amount of space. In some cases, this means managers
and employees may be sitting next to each other. White noise is used to help not only
with minimizing disruptions to neighboring cube mates, but with making sure that
sensitive discussions are not easily heard. Managers should be trained to not have
sensitive conversations at their desk, especially on matters involving employees.
However, the reality is that humans get lackadaisical sometimes in following protocol,
and so white noise helps in these situations by making it harder for prying ears to hear
conversations that they shouldn't.

To Do Activity #4

Listen to these short audio clips illustrating white noise. *Hearing impaired students
are not required to perform this task.

1. Click the link to view the web page.
https://archive.org/details/TenMinutesOfWhiteNoisePinkNoiseAndBrownianNoise
2. Once you are on the page, look for the area shown in the picture below to play the
clips.

Figure 8: Illustration of where on web page to click and play the 3 clips created (by
Tonya M Davis)

3. Play all three videos and notice the difference in the pitches. One would be selected
to play constantly depending on how much of the surrounding sounds a company wants
to muffle.

There are a few points to consider for the physical layout of a building with windows.
There are things to do when designing and building the facility, as well as when moving
in furniture and people. This is especially true if driving by and/or walking by is possible
within 20 or 30 feet of the building from a main roadway, as the figure below shows.

Figure 9: Building close to road (Google maps, cropped by Tonya M Davis, public
domain)

Figure 9 shows a building close to the road with windows that offer good light but also
insight as to what may be valuable inside.

It would seem pointless to have windows that have heavy curtains on them or perhaps
such dark tint that no light could be utilized to save on electricity or enhance the
aesthetics inside. So, instead as we see in the figure above there is a reflective tint on
the outside of the window. This still offers some protection while letting in the light.
Notice the clean area outside of the windows. The area is neatly landscaped without
hedges. There is no hiding opportunity near the building.

It is important to carefully consider what goes on the other side of windows, as well.
This is especially true when specialized devices like computers and printers are used
by all employees. If cubicles are lined along a wall where there are windows, consider
placing sliding doors that will offer some privacy. The reason for this is not necessarily
for the employee. Instead, it is to mask the equipment that is inside, especially in the
evening hours when the building is most likely empty. Instruct employees that sit in
these types of areas as to why the doors are there and what their responsibility is with
them. Mainly, it should be standard procedure to close the doors of any cubicles that
are visible from the outside through windows upon leaving the job for the day. Failure to
do so should result in some consequence, as it puts company assets in jeopardy. A
criminal looking in at night that can't see into the cubicles isn't going to know what there
might be in there to steal. Wide open cubicles displaying all sorts of papers, computers,
monitors and printers look very appealing and make it more worthwhile to consider
trying to break in.

To Do Activity #5

1. Look at the below picture and outline the good and bad physical security aspects
of the layout.

Figure 10: Physical security design considerations with Windows and roadways (by
Tonya M Davis)

3.3.1 Human Resources Personnel


In medium and large organizations there can be tens, hundreds or even thousands of
associates that specifically work in the human resources department. This group has a
raised level of security concern specifically involving people and their PII (personally
identifiable information). For this reason, the human resources department needs extra
precaution in the physical design of where it resides in the building. Privacy is of the
utmost concern. If a company cannot definitively show the ability to protect against and
respond to privacy incidents within their organization, there could be steep penalties
imposed. Specific procedures for protection of personal information should ensure due
diligence when it comes to effective incident management, secure access, retention,
and disposal of personal data. [1] Human resources department personnel are critical
to the development and successful implementation of all such procedures, especially
since they have access to the most sensitive PII in a company.

Specific training must be given to all HR personnel on how to properly maintain privacy
for employees and employee data, based on the physical characteristics of their
working facility, in both verbal and written correspondence as well as in record
maintenance and retention and the distribution of information. A good practice is to
isolate HR personnel in a specific portion of a building away from all other department
workers in an organization. This would include real separating walls, not just those in
the midst of a cubicle farm. There should be a separate secure access mechanism to
enter such an area during non-business hours. This could be a combination key or key
fob access mechanism at the entrance to the department location.

If the building does not lend itself to physically separating HR from the rest of an
organization, steps must be taken to ensure any phone calls or in-person meetings with
employees are kept private. The HR person must make sure to have any such
correspondence in a conference room, where the door can be closed, or perhaps even
offsite if a private room is not available onsite. While not every employee in an
organization needs a shredder at their desk, all HR personnel may because of the
nature of the information that they handle.

Another good practice, albeit not really physical in nature, is to isolate all HR systems
and data from the rest of an organization's network. This further minimizes an
accidental or intentional breach of PII. After all, new employees like to click around and
see what's available on their network. Having a completely separate HR network
ensures that they can't accidentally click into an employee data repository.

ERM training for employees, and compliance assurance for policy and procedure
enforcement, is usually the responsibility of human resources. ERM involves all
company personnel. ERM, or electronic records management, involves the storage,
transmission and retention of electronic records that are used to conduct business. It is
also important that confidential information be properly handled and disposed of. There
should be strict procedures in place for any employee that handles confidential
information, and that includes more than just PII. Customer specific details, supplier
specific details and operational documents that may lead to loss of trade secrets or
proprietary information should they fall into the wrong hands must be properly handled,
stored and destroyed when no longer needed or required to be retained. On the other
side of this is the issue of records retention. There are legal and regulatory
requirements surrounding ERM. Several regulatory agencies have extended records
management to include electronic communications like e-mail and instant messaging.
Those agencies include the SEC (Securities and Exchange Commission), NASD
(National Association of Securities Dealers) and NYSE (New York Stock Exchange).
Some of the recent changes stem from practicality and others from law itself.

SEC Rule 17a-4(b)(4) requires covered entities to keep, for a period of not less than
three years, original copies of all communications sent and received via email, IM
(instant messaging) or any other communications means. This includes any inter-office
communications related to the business, even if on paper. Furthermore, for the first two
years the retained information must be maintained in an easily accessible place. It
cannot be stored somewhere on media that is hard to obtain and make accessible. And
it is important to note that certain types of records do have to be maintained for even
longer than three years. This rule applies to all brokers, exchange members and
dealers as per the SEC.

There are strict requirements that apply here for records management including:

1. Rule 17a-4 paragraph (f) was amended to allow electronic retention of records
for broker-dealers, with the constraint that they must preserve the records
exclusively on non-rewritable and non-erasable media, and still only for the
required retention period, not indefinitely.

o Entities asked for clarification as to whether this was restricted to media
like CD-ROMs and DVDs, where digital information is written once and then
cannot be changed. They argued that they could meet the non-rewritable and
non-erasable requirement through systems with integrated software code that
manage inherently rewritable media. The SEC agreed that either method was
acceptable, stating that it was putting forth standards that must be met
rather than specifying particular media to be used.
o An additional requirement of the rule is that an entity have documented audit
and supervisory processes in place. The process must be verifiably approved by
senior management in an official record format.
o Finally, after the required retention period for any type of record passes,
the record(s) may be discarded and do not have to be permanently maintained.
This frees up storage media to handle more data than if records had to be kept
indefinitely.
o SEC Interpretation: Electronic Storage of Broker-Dealer
Records: http://www.sec.gov/rules/interp/34-47806.htm
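
The "integrated software code" approach the SEC accepted above can be illustrated in a
few dozen lines. The following Python sketch is an added example for this course
section, not code from the SEC, from the course text or from any vendor product: it
stores each record exactly once on ordinary rewritable disk, hashes it, makes the file
read-only, refuses overwrites and early deletion, permits disposal only after the
retention period, and keeps an append-only audit trail of every accepted and rejected
action. The class name, file layout, audit format and the three-year default are
assumptions chosen for illustration.

```python
"""Software-enforced write-once record store with a retention period.

Added example for this course section, not from the SEC or any vendor: it
shows one way "integrated software code" can make ordinary rewritable storage
behave as non-rewritable, non-erasable media for the retention period, then
allow disposal once that period has passed. The class name, file layout,
audit format and the three-year default are assumptions for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


class RetentionViolation(Exception):
    """Raised on any attempt to alter or delete a record during its retention period."""


class WormStore:
    """Each record is written exactly once, hashed, made read-only, and logged."""

    def __init__(self, root, retention_days=3 * 365):
        self.root = root
        self.retention = timedelta(days=retention_days)
        self.audit_path = os.path.join(root, "audit.log")
        os.makedirs(root, exist_ok=True)

    def _path(self, record_id):
        return os.path.join(self.root, f"{record_id}.json")

    def _audit(self, action, record_id, detail=""):
        # Append-only audit trail: the rule expects documented, reviewable processes.
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                 "record": record_id, "detail": detail}
        with open(self.audit_path, "a") as f:
            f.write(json.dumps(entry) + "\n")

    def write(self, record_id, content, now=None):
        """Store a new record; refuse to overwrite an existing one."""
        now = now or datetime.now(timezone.utc)
        path = self._path(record_id)
        if os.path.exists(path):
            self._audit("rejected_overwrite", record_id)
            raise RetentionViolation(f"{record_id} already exists; records are write-once")
        digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
        # O_EXCL closes the race between the exists() check and the create.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
        with os.fdopen(fd, "w") as f:
            json.dump({"content": content, "sha256": digest,
                       "written": now.isoformat()}, f)
        os.chmod(path, 0o440)  # read-only at the OS level as a second layer
        self._audit("write", record_id, digest)
        return digest

    def read(self, record_id):
        """Return the record content, verifying it has not been altered on disk."""
        with open(self._path(record_id)) as f:
            rec = json.load(f)
        if hashlib.sha256(rec["content"].encode("utf-8")).hexdigest() != rec["sha256"]:
            raise RetentionViolation(f"{record_id} failed its integrity check")
        return rec["content"]

    def dispose(self, record_id, now=None):
        """Delete a record only after its retention period has fully elapsed."""
        now = now or datetime.now(timezone.utc)
        path = self._path(record_id)
        with open(path) as f:
            written = datetime.fromisoformat(json.load(f)["written"])
        expires = written + self.retention
        if now < expires:
            self._audit("rejected_dispose", record_id, f"retained until {expires.date()}")
            raise RetentionViolation(f"{record_id} is retained until {expires.date()}")
        os.chmod(path, 0o640)  # lift the read-only bit so removal works on every OS
        os.remove(path)
        self._audit("dispose", record_id)
        return True


def demo():
    """Exercise the store with a constructed sample record and return the outcomes."""
    root = tempfile.mkdtemp(prefix="worm-")
    store = WormStore(root)
    t0 = datetime(2020, 1, 15, tzinfo=timezone.utc)  # constructed timestamp
    text = "Constructed sample: trade confirmation e-mail sent to client"
    results = {"digest": store.write("msg-0001", text, now=t0),
               "readback": store.read("msg-0001")}
    attempts = (("overwrite", lambda: store.write("msg-0001", "tampered", now=t0)),
                ("early_dispose", lambda: store.dispose("msg-0001", now=t0 + timedelta(days=400))))
    for label, call in attempts:
        try:
            call()
            results[label] = "allowed"
        except RetentionViolation:
            results[label] = "rejected"
    results["late_dispose"] = store.dispose("msg-0001", now=t0 + timedelta(days=3 * 365 + 1))
    with open(store.audit_path) as f:
        results["audit_actions"] = [json.loads(line)["action"] for line in f]
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry the regulatory weight: the overwrite refusal is enforced both in
code (the existence check plus O_EXCL) and at the file-system layer (read-only mode), so
a bug in one layer does not silently defeat the other; and the audit log records the
rejected attempts as well as the successful ones, which is what a supervisory review
would want to see.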

Case Study: Enron. Does electronic records management really matter?

The Enron scandal is probably one of the best examples of why these checks and
balances are in place. Yet, due to so much corruption at so many levels, they were
able to swindle billions of dollars out of the economy and into the pockets of top
executives within Enron, as well as several other firms such as Arthur Andersen.
Andersen, with a stellar reputation at the time, was supposed to be the auditor
ensuring that all the reports from Enron were legitimate. Instead they took the
bogus bonuses from Enron's shady fraudulent deals and kept the secrets tucked away
in fraudulent reports. The reports falsified profits and also concealed the over 30 billion
in debt that Enron had racked up by the time it fell. Upon Enron's demise, Andersen
frantically shredded thousands of files that were kept about Enron to try to hide all the
corruption. It would prove not to be enough in the end. Thousands of people lost
everything in the scandal and were left literally penniless. Several thousand consumers,
aka shareholders just like you and me, should be able to trust that the strict regulations
in place keep information such as profit and loss statements verifiably true and
trustworthy.

Some reports of the Enron story show that Enron employees knew that their deal
numbers were being inflated. However, most ignored it and didn't question top
management. In the end, 20,000 employees lost their jobs as a result of the Enron
scandal, along with their insurance. Yet, top management left with bonuses totaling $55
million. Over 1.2 billion was lost in retirement funds by those employees, and the
already retired people lost over 2 billion in pension funds. [2]

[1] Conklin, Wm. Arthur, Shoemaker, Dan (2012). Cybersecurity The Essential Body of
Knowledge; p. 139

[2] http://www.youtube.com/watch?v=Uxd9AeXft64 (Videos #3-5)

Watch the following videos regarding the Enron Scandal.

1. http://youtu.be/Mi2O1bH8pvw
2. http://www.youtube.com/watch?v=Uxd9AeXft64
3. http://www.youtube.com/watch?v=stwcqdk7C_w

3.3.2 Security Officers

According to the Essential Body of Knowledge issued by the Department of Homeland
Security, there are three types of personnel that play a critical supporting role in
organizational security as a whole. They are the physical security professional, whom we
have already discussed indirectly, the privacy professional and the procurement
professional.

The physical security professional is responsible for the design, installation, testing
and updating of all physical security controls. Examples are a security guard who
maintains a post at the gate entrance to a facility and checks in all guests and
employees as per set policies and procedures, or a security guard who patrols a
facility on a regular basis and handles any public safety issues. This person may be
referred to as Public Safety, as well. Public Safety is responsible for handling any
incidents of a physical nature in an organization, and also for contacting state and
local authorities when an incident warrants it. This role should also be involved in the
physical access controls used to secure protected space from unauthorized entry. In
small to medium-sized organizations, this role may fall to an operations manager or
office manager type position.

Figure 11: Public Safety office on patrol (by Tonya M Davis)

The privacy professional is the role responsible for the protection of PII. We've
likened this to human resources personnel in our discussions thus far. System
administrators responsible for maintaining security in applications like the company
intranet and/or email also play a vital role in privacy. They often have privileged
(superuser) access to systems that contain personal and sensitive information. If they
fall victim to a phishing scam or don't follow safe practices at their desks and
computers, a breach could easily occur. Any time a system administrator leaves their
desk, they must lock their screen, ensure confidential information is not left visible on
the desk, etc. The person(s) with this role should not be placed physically in a
high-traffic location within the organization, where passing curious eyes might see
something they shouldn't.

Figure 12: Example of what a system administrator's desk may look like with multiple
devices (by Mike Russell, CC BY-SA 3.0)

They must also know what information they administer and how to keep it secure.
When dealing with new applications that the company may be commissioning or
developing in house, this role helps ensure that the screens of information displayed
don't violate the privacy rights of individuals. For example, on a new problem report
screen or new procurement request screen, we should not ask the requester to enter
their social security number to retrieve identity information for the request. Rather, we
should use something like the employee number or unique user name as the key for
tracking the request to completion. This role must be well aware of legal, regulatory and
standards compliance requirements in order to ensure privacy is maintained. [1]

We will discuss the third type of role outlined by the Essential Body of Knowledge, the
procurement professional, later in this course as we discuss security regarding
procurement and the supply chain.

[1] Conklin, Wm. Arthur, Shoemaker, Dan (2012). Cybersecurity: The Essential Body of
Knowledge; pp. 130-144

Module 4 Content: Privacy and Security

Security and Privacy Protection Laws

In recent history, several privacy protection laws and regulations, both federal and
state, have been created. Laws and regulations vary by industry, in that there are
sometimes specific restrictions depending on the type of information a company deals
with, whether it be health care, financial, etc. We will briefly discuss some of these laws
in this section. All of them further emphasize the individual freedoms and rights of United
States citizens granted by the Constitution.

4.1 The Privacy Act of 1974

The Privacy Act of 1974, 5 U.S.C. 552a, establishes a code of fair information
practices that governs the collection, maintenance, use, and dissemination of
information about individuals that is maintained in systems of records by federal
agencies. A system of records is a group of records under the control of an agency from
which information is retrieved by the name of the individual or by some identifier
assigned to the individual.

The Privacy Act requires that agencies give the public notice of their systems of records
by publication in the Federal Register. (A list of DOJ systems of records and their
Federal Register citations is available on the DOJ website.) The Privacy Act prohibits the
disclosure of a record about an individual from a system of records absent the written
consent of the individual, unless the disclosure is pursuant to one of twelve statutory
exceptions. The Act also provides individuals with a means by which to seek access to
and amendment of their records, and sets forth various agency record-keeping
requirements. [1]

Case Study -- Doe v. Chao, 540 U.S. 614 (2004)

The plaintiff in the case, coal miner Buck Doe, filed for benefits under the federal Black
Lung Benefits Act. The Department of Labor, which ran the benefits program, required
applicants to provide a Social Security number as a part of the application. The
government's practice was to use the number for identification purposes, and as a
result, claimants such as Doe had their Social Security numbers displayed on various
legal documents and published in case reports and online legal research databases.

Doe, along with six other black lung claimants, sued the Department of Labor for
violating their rights under the Privacy Act. The government conceded that it had
violated the statute. At trial, Doe testified that he suffered "distress" from the release of
his private information. The district court awarded Doe $1000, which was the statutory
minimum amount of damages that could be awarded under the statute.

The Fourth Circuit reversed. It interpreted the statute to require a plaintiff to show some
actual damages before the statutory minimum damages could be awarded. Further, it
found that plaintiff's testimony about his "distress" was not legally sufficient to show that
he had been damaged by the disclosure.

The Court's 6-3 decision determined that the latter interpretation was correct; as a
result, it will be more difficult for a plaintiff to prevail as he or she must now prove both a
violation and some damages before being entitled to recovery. SOURCE:
(http://en.wikipedia.org/wiki/Doe_v._Chao)

4.2 The Health Insurance Portability and Accountability Act - 1996 (HIPAA)

This act was signed into law by President Bill Clinton on August 21, 1996. HIPAA is
focused on the health care industry and protects PHI. PHI is personal health
information, including any details held by a covered entity which concern health
status, provision of health care, or payment for health care that can be linked to an
individual. [2] There are numerous regulatory agencies that work to ensure compliance
with this act. A violation of HIPAA results in mandatory penalties, whether intentional or
accidental. For this reason, health care providers have implemented and exercise strict
policies and practices with regard to patient confidentiality. HIPAA requires that PHI in
all forms be protected, whether it is oral, written or electronic.

The Security Rule within HIPAA dictates among other safeguards, the following with
regard to physical safeguards:

Controlling physical access to protect against inappropriate access to protected data

o Controls must govern the introduction and removal of hardware and
software from the network. (When equipment is retired it must be
disposed of properly to ensure that PHI is not compromised.)
o Access to equipment containing health information should be carefully
controlled and monitored.
o Access to hardware and software must be limited to properly authorized
individuals.
o Required access controls consist of facility security plans, maintenance
records, and visitor sign-in and escorts.
o Policies are required to address proper workstation use. Workstations
should be removed from high traffic areas and monitor screens should not
be in direct view of the public.
o If the covered entities utilize contractors or agents, they too must be fully
trained on their physical access responsibilities.

Passage from
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act under
the Creative Commons Attribution-ShareAlike License.

A simple example of how HIPAA has changed the way personal information is handled
within the health care industry: 10 years ago, an individual with health insurance
probably had their social security number listed on their benefits card. As a result of
HIPAA, this is no longer allowed. That information is private and should be protected.

See the figure below for a statistical breakdown of HIPAA Privacy Violations by Type.
Notice the largest area is from physical failures.

Figure 1: HIPAA Privacy Violations by Type

Health care information is valuable for multiple reasons. For example, employees have
a right to expect that their health information will reasonably be kept private. If
managers or other employees find out private information, it could be used against them
and lead to termination of, or discrimination against, the employee. This would enable
the employee to rightfully sue the organization, and most likely win if it can be proven
that PHI contributed to the action. Alternatively, employees could be physically harmed
based on known medications or allergies. For example, a supervisor trying to become
manager finds out that the current manager has an allergy or takes a certain medicine.
They could switch that medicine or introduce the allergen in a hidden way to cause
sickness or death to get the manager out of the way, or just cause them to become ill,
which could lead to missed work and eventually termination for excessive absence. If
health information can be obtained, it can usually be manipulated as well. External
entities that obtain the information can figure out who needs money because of high
medical bills, or who has a sick family member, and target them for bribery or blackmail.
It could be used in smear campaigns, or to raise doubt about the ability of someone in a
top position who may have HIV, cancer or an STD to handle the responsibility, or for
character assassination.

HIPAA Case Study: Utah's health data breach was a costly mistake

Utah's 2012 health data breach, a security slip that exposed the personal information
of three-quarters of a million residents to hackers, was a costly mistake. The state
has spent about $9 million on security audits, upgrades and credit monitoring for victims,
and that's just the beginning. An estimated 122,000 victims will fall prey to identity
theft, each spending an average of 20 hours and $770.49 resolving the fraud, predicts
Javelin Strategy & Research. The total amount of fraud perpetrated, a cost largely
borne by banks and retailers, could approach $406 million.

The group singled out Utah's breach for analysis because it shows how much havoc
can be wreaked by simple human error, noting it should serve as a wake-up call to
consumers. Data breaches happen with frightening frequency in the public and private
sectors. But Utah's security lapse stands out for its size, because it involved health
information and was something that could easily have been avoided. In late March
2012, hackers broke into a Medicaid server that a technician had placed online without
changing the factory password and downloaded the personal information of 780,000
Utahans. Some were on Medicaid, but also affected were the privately insured,
uninsured and retirees on Medicare whose providers had sent their data to Medicaid in
the hopes of billing the low-income program.

Most at risk are the 280,000 individuals whose Social Security numbers were exposed.
A survey of the top 25 financial institutions in America found 80 percent use Social
Security numbers to verify a customer's identity. Get someone's number and pair it with
other information, such as an account holder's name and birthdate, and you can raid a
person's bank account, change online passwords or open up a new line of credit. And
once a Social Security number is lost, it's virtually impossible to replace. The effort has
cost the state Department of Health $3.4 million:

$467,000 to hire an ombudsman, staff a hotline, run ads and hold community meetings
to notify victims.
$1.9 million to provide two years of credit monitoring for those whose Social Security
numbers were compromised.
$741,000 on a legal consultant and forensic security audit.
$300,000 to create an Office of Health Information and Data Security.
The Department of Technology Services spent $1.2 million on a security assessment of
all state servers. And this year the Legislature appropriated $4.4 million for security
upgrades, according to the agency's spokeswoman, Stephanie Weiss. But none of this
is any good to victims unless they protect themselves, including taking advantage of
credit monitoring. To date, only 59,500 have signed up. At least 10 breach victims have
reported instances of fraud, health department records show. Three individuals claim
someone filed fraudulent tax returns under their names or their child's name. Some
have been denied public aid due to their identities being stolen by someone who used it
to gain employment. A man from New Haven complained someone opened a $2,000
line of credit under his name, which he was able to remove from his credit report.
Another said a thief, using the last four digits of his Social Security number, was able to
add cellphones to his AT&T contract and make an inquiry for a car loan. One victim was
even stopped by police who said he had outstanding warrants; he was also informed by
the IRS of suspicious earnings on his Social Security number. "In all cases we
recommend these individuals contact law enforcement and file a police report. Most
have, and we are not aware of any instances of misuse of a SSN being traced back to
the breach. Further, we look for trends among those who have reported misuse and
have been unable to detect any," said health department spokesman Tom Hudachko.
"Unfortunately, identity theft is always occurring and with a breach involving as many
victims as this one did, there will undoubtedly be some 'coincidental ID theft.'"
Nevertheless, he encourages all breach victims who detect misuse of their Social
Security number to contact the ombudsman. SOURCE:
(http://www.sltrib.com/sltrib/news/56210404-78/security-breach-health-data.html.csp)

Figure 2: Top 10 Healthcare Data Breaches of 2012
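
The Utah breach turned on one detail: a server was placed online with its factory
password unchanged. The check that would have caught that belongs in the deployment
process, not in an after-the-fact audit. The following Python script is an added example
for this course section, not code from the Utah report, the course text or any product:
before a service is exposed, its configured credentials are compared against a list of
vendor defaults and a minimum policy, a weak credential on a reachable service is
escalated, and any serious finding blocks the deployment. The product names, the
default-credential list and the sample inventory are constructed for illustration.

```python
"""Pre-deployment credential gate for a server about to be put online.

Added example for this course section, not from the Utah report or any
product: before a service is exposed, its configured credentials are checked
against a list of factory defaults and a minimum policy, and deployment is
blocked on any serious finding. The product names, the default-credential
list and the sample inventory below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample of factory defaults keyed by product name. A real gate
# would load this from the vendor hardening guides for the products in use.
KNOWN_DEFAULTS = {
    "exampledb": {("admin", "admin"), ("admin", "password")},
    "examplepanel": {("root", "root")},
}


@dataclass
class Service:
    name: str
    product: str
    username: str
    password: str
    bind_address: str           # "127.0.0.1" is local only, "0.0.0.0" is every interface
    internet_facing: bool = False


def credential_findings(svc, defaults=KNOWN_DEFAULTS, min_length=12):
    """Return a list of (severity, message) for one service; empty means it passed."""
    exposed = svc.internet_facing or svc.bind_address == "0.0.0.0"
    if (svc.username, svc.password) in defaults.get(svc.product, set()):
        sev, msg = "HIGH", f"factory default credentials for {svc.product} still set"
    elif svc.password == "":
        sev, msg = "HIGH", "empty password"
    elif svc.password.lower() == svc.username.lower():
        sev, msg = "HIGH", "password is the same as the username"
    elif len(svc.password) < min_length:
        sev, msg = "MEDIUM", f"password shorter than {min_length} characters"
    else:
        return []
    # A weak credential on a reachable service is the Utah scenario: escalate it.
    if exposed and sev == "HIGH":
        sev = "CRITICAL"
    return [(sev, f"{svc.name}: {msg}")]


def deployment_gate(services):
    """Return (allowed, findings). Any HIGH or CRITICAL finding blocks deployment."""
    findings = [f for svc in services for f in credential_findings(svc)]
    blocked = any(sev in ("HIGH", "CRITICAL") for sev, _ in findings)
    return not blocked, findings


# Constructed inventory: one exposed server still on its factory login.
SAMPLE_INVENTORY = [
    Service("records-db", "exampledb", "admin", "admin", "0.0.0.0", internet_facing=True),
    Service("reports-panel", "examplepanel", "root", "root", "127.0.0.1"),
    Service("api-cache", "exampledb", "svc_cache", "svc_cache", "10.0.0.5"),
    Service("audit-db", "exampledb", "auditor", "Kq8#vb2!nZp4Rt", "10.0.0.9"),
]


if __name__ == "__main__":
    allowed, findings = deployment_gate(SAMPLE_INVENTORY)
    for sev, msg in findings:
        print(f"[{sev}] {msg}")
    print("deployment allowed" if allowed else "deployment blocked")
```

The gate is deliberately simple so that it can run in a change-control pipeline with no
network access: it reads the inventory the technician is about to deploy, not the live
server. Separating "weak credential" from "weak credential on an exposed service" is what
turns a long list of warnings into the one finding that actually blocks the change.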

4.2.1 HITECH

The Health Information Technology for Economic and Clinical Health Act, or HITECH
Act, was introduced as part of the long-term strategic effort to create an electronic
health record system among healthcare providers. It was introduced as part of the
American Recovery and Reinvestment Act (ARRA) in 2009. Key points of the HITECH
Act are outlined below:

1. Providers that show or act with willful neglect toward compliance with HIPAA and
HITECH regulations will have mandatory civil penalties imposed, and those
penalties will be much higher. Penalties can range up to $250,000 for first
offenses, and penalties for repeated violations can reach $1.5 million.
o Willful neglect examples include evidence found in audits such as the following:
i. Having patients sign legal documents and then not having a process in
place to manage and store them appropriately.
ii. Having legal documents for patients to sign that don't meet the
regulatory requirements for said documents.
iii. A provider cannot show demonstrable proof that staff are actively
trained on the regulations, or cannot show when staff were last trained.
iv. Providers that are still not in compliance cannot show proof of a plan
in place to get into compliance.
v. Electronic health records and the servers housing them are stored in an
unsecured physical location.
vi. Employees clearly do not follow information security best practices, for
example writing down passwords and displaying them in plain sight.
vii. There is no documented plan for notification procedures in the event of
a breach.
2. Mandatory audits are required for all covered entities and business
associates.
3. Notification is now required for any breaches that occur involving unsecured
personal health information or PHI. This specifically concerns unencrypted
information.
4. Individuals now have the right to obtain their information in an electronic format
where providers have implemented electronic health records. Furthermore, they
have the right to designate third parties to receive such information, as well. There
are limits as to what fees providers can impose for such delivery methods, in that
the cost cannot exceed the labor cost involved in completing the request.
5. The entire supply chain of a provider can now be held accountable, so their
business associates and vendors are also liable, whereas before it was only
through contractual agreements (where the wording was done correctly) that
business associates could be held liable.
6. There are incentives for providers to implement electronic health record (EHR)
systems that encompass meaningful use of said systems, as well. So, you can't
just have an electronic system in place that no one can get any information or
reporting from. It has to be useful. [3]
o An example of meaningful use is providing lab test results to patients in an
online certified EHR secure portal so that the patient can actually see and
do what they like with the results.

[1] http://www.justice.gov/opcl/privacyact1974.htm

[2] http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

[3] http://www.hipaasurvivalguide.com/hitech-act-summary.php

4.3 The Sarbanes-Oxley Act - 2002 (Sarbox)

Sarbox was created to help corporations avoid corporate fraud and corruption. It
applies to all publicly traded companies. This particular regulation was enacted
shortly after the Enron and WorldCom scandals. Because of these scandals, the
government became painfully aware of how corporate fraud can drastically
impact the integrity of the financial sector and the economy as a whole. Congress
amended the Securities and Exchange Act of 1934 with the Sarbanes-Oxley Act
of 2002. Sarbox basically requires corporations to self-audit their financial
reporting. It mandates that an organization -- specifically top management,
internal auditors and legal representation -- implement a set of strict internal
controls surrounding its financial reporting practices. The act places
accountability and liability on the officers and executives of a company, such as
the CEO (chief executive officer), the CFO (chief financial officer) and, because of
the direct relationship with the systems that aid the controls and reporting of an
organization, the CIO (chief information officer). The officers are further mandated
to maintain confidentiality requirements where necessary while making
appropriate information regarding the financials of an organization available and
accurate. Any worker in an organization that knowingly participates in fraud can
be held accountable and liable, not just upper management.

Sarbox requirements on an organization include:

The creation of an overarching public accounting board.
Public companies must review and publicly release details surrounding the
effectiveness of their internal policies and procedures related to financial
reporting. Furthermore, independent or 3rd-party auditors must also attest to the
released information and its accuracy.
Financial reports must be certified by both CEOs and CFOs.
Companies listed on the stock exchange must have unrelated audit committees
that monitor and oversee the relationship between an organization and its auditing
firm.
Personal loans to any current executive officer or director within an organization
are not allowed.
Insider trade reporting must be accelerated.
Insider trades are prohibited during pension fund blackout periods.
Higher criminal and civil penalties for securities law violations, including much
longer jail sentences along with heftier fines for any executive who willingly and
knowingly misstates or supports misstated financial documents.
Whistleblower compensation and protections allow any corporate employee
that files an OSHA complaint within 90 days to win back employment, back
wages including benefits, reasonable attorney fees and costs, financial
compensation for damages and abatement orders. [1]

SEC & SarBox Case Study: Homestore.com, Inc. Securities Litigation

The parties involved in the class action lawsuit were the plaintiff, the California State
Teachers' Retirement System (CalSTRS), and the defendant, Homestore.com, Inc., along
with several executives and officers of the company including Stuart H. Wolff. Stuart
Wolff founded Homestore.com and served as the CEO of the company, as well as serving
on the Board of Directors for a period of time. This case had eerie similarities to the
Enron scandal in that it was well thought out, well hidden and the scheme seemingly
flawlessly executed for many years, with many involved parties having dirty hands in the
mix. Wolff was ultimately convicted on all charges of securities fraud. Under the same
executives and officers that helped hide the ruse, Homestore.com rose to elite status as
a dot-com during the initial Internet explosion of the dot-com industry. The company was
accused of using a scheme known as roundtripping. This term describes the act of selling
and buying products or services via agreements between two organizations which lack
any kind of material economic substance, while allowing the organizations to make their
financial reports look better on paper. For example, Company B buys stock in Company
A to the tune of $100,000 at a knowingly overpriced share price, and then Company A in
a separate transaction agrees to pay Company B $100,000 for some bogus service(s).
These types of schemes make shareholders believe that money exists where in actuality
it does not. Where Homestore is concerned, the roundtripping allegations stated that the
defendants structured and negotiated fraudulent "round-trip" transactions for the purpose
of artificially inflating Homestore's on-line advertising revenues to exceed Wall Street
analysts' expectations, even though these transactions had no economic substance. In
these round-trip transactions, Homestore paid inflated sums to various vendors for
services or products, and, in turn, the vendors used these funds to buy advertising from
two media companies. The media companies then bought advertising from Homestore,
and Homestore improperly recorded the money it received from the sale of such
advertising as revenue in its financial statements. The essence of these transactions was
a circular flow of money by which Homestore recognized its own cash as revenue. [2]

The SEC ultimately charged a further 11 individuals for their parts in the fraudulent
financial schemes involving Homestore. Of those, 7 people were also charged criminally
by the United States Attorney in Los Angeles, California. All of the additional individuals
charged knowingly hid information from outside auditors.

Complete the case study by reading entirely an online press release from the SEC
website and an article released by the LA Times:
1. http://www.sec.gov/news/press/2003-120.htm
2. http://articles.latimes.com/2006/jun/23/business/fi-homestore23

[1] Whitman, Michael E., Herbert J. Mattord, Management of Information Security,
Fourth Edition; 2014

[2] http://www.sec.gov/news/press/2003-120.htm

4.4 The Gramm-Leach Bliley Act (GLBA) - 1999

The GLBA pertains to the financial industry, including banks, lending organizations in all
shapes and sizes, mortgage brokers, check cashing stores, etc., and the protection of
customer and financial information. The regulation requires that board members, along
with management, oversee and approve the development and implementation of an
information security program within an organization. It further requires monitoring of the
maintenance of the program to ensure it is kept current and up to date. It also requires
that all financial institutions provide written notice to their customers as to their
practices of how and with whom they share customer information. The regulation requires
the safeguarding of all written and electronic forms of covered non-public personally
identifiable financial information. [1]

GLBA Case Study -- Victoria's Secret and Financial Privacy:

Outside Washington, D.C., it is not well known that a Victoria's Secret catalog is one of
the key reasons that Congress included privacy protections for financial information
when passing the Gramm-Leach-Bliley Act (GLBA). The GLBA sought to "modernize"
financial services--that is, end regulations that prevented the merger of banks, stock
brokerage companies, and insurance companies. The removal of these regulations
raised significant risks that these new financial institutions would have access to an
incredible amount of personal information, with no restrictions upon its use.

In a session where House Commerce Committee Members drafted a version of the
GLBA, they introduced an amendment that would add privacy protections. This
amendment (the Markey Amendment) was strongly opposed by the banking industry. It
added "Title V" to the Act, giving individuals notice and an ability to control some
information sharing.

Critical support for the amendment came from Representative Joe Barton (R-TX).
Barton expressed concern that his credit union had sold his address to Victoria's Secret.
Representative Barton noted that he started receiving Victoria's Secret catalogs at his
Washington home. This was troubling; he didn't want his wife thinking that he bought
lingerie for women in Washington, or that he spent his time browsing through such
material.

Barton explained that he maintained an account in Washington for incidental expenses,
but used it very little. Neither he nor his wife had purchased anything from Victoria's
Secret at the Washington address. Barton smelled a skunk; he reasoned that since he
spent so little money in Washington, his credit union was the only business with his
address. Barton believed that he should be able to stop financial institutions from selling
personal information to third parties, and supported the Markey Amendment. Congress
enacted the bill, and now individuals have the right to direct financial institutions not to
sell personal information to third parties. SOURCE:
(http://epic.org/privacy/glba/victoriassecret.html)

To Do Activity #1

Instructions: Search at least two sites that allow you to enter either your name, address
and phone number and/or your email to either unsubscribe OR put your information on
a do-not-call list. What act does this align with? Print out copies confirming your
submissions.

4.5 Computer Fraud and Abuse Act (CFAA)

Originally, this act was passed in 1986 with a focus on protecting government
computers and some financial institutions. The primary focus of the CFAA was to make it
a federal crime to access a computer without proper authorization. Over the years, it has
been amended several times for various reasons. It was notably amended in 1994 to
allow private businesses to use it in pursuit of civil complaints. It was also notably
amended by the USA PATRIOT Act.

The following text of 18 U.S.C. § 1030(a), as reproduced on Wikipedia, lists the criminal
offenses punishable under the Act:

(a) Whoever

(1) having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information that has
been determined by the United States Government pursuant to an Executive order or
statute to require protection against unauthorized disclosure for reasons of national
defense or foreign relations, or any restricted data, as defined in paragraph y. of section
11 of the Atomic Energy Act of 1954, with reason to believe that such information so
obtained could be used to the injury of the United States, or to the advantage of any
foreign nation willfully communicates, delivers, transmits, or causes to be
communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit
or cause to be communicated, delivered, or transmitted the same to any person not
entitled to receive it, or willfully retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized
access, and thereby obtains

(A) information contained in a financial record of a financial institution, or of a
card issuer as defined in section 1602(n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are defined in the Fair
Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;

(3) intentionally, without authorization to access any nonpublic computer of a
department or agency of the United States, accesses such a computer of that
department or agency that is exclusively for the use of the Government of the United
States or, in the case of a computer not exclusively for such use, is used by or for the
Government of the United States and such conduct affects that use by or for the
Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access, and by means of such conduct furthers the
intended fraud and obtains anything of value, unless the object of the fraud and the
thing obtained consists only of the use of the computer and the value of such use is not
more than $5,000 in any 1-year period;

(5)
(A) knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage without
authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a
result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a
result of such conduct, causes damage and loss.

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any
password or similar information through which a computer may be accessed without
authorization, if

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in
interstate or foreign commerce any communication containing any

(A) threat to cause damage to a protected computer;

(B) threat to obtain information from a protected computer without authorization
or in excess of authorization or to impair the confidentiality of information
obtained from a protected computer without authorization or by exceeding
authorized access; or

(C) demand or request for money or other thing of value in relation to damage to
a protected computer, where such damage was caused to facilitate the extortion.
[2]

Read the linked page for a summary of how the USA PATRIOT Act changed the
CFAA: http://www.shroomery.org/forums/showflat.php/Number/462754

CFAA Case Study -- International Airport Centers, L.L.C. v. Citrin, 2006

IAC is a real estate conglomerate. Jacob Citrin worked there for a period of time as an
acquisitions analyst, identifying properties the organization might buy. The job required
him to travel to various locations, so he was issued a company laptop.

Citrin ultimately quit IAC to go into business for himself. Before returning the laptop, he
purchased and installed a secure-erasure program that wiped every file from it. One main
reason he did this was to hide misconduct involving the laptop during his employment.
The program made it impossible to recover files that an ordinary deletion would have left
recoverable. Among the destroyed files were property data sheets he had created during
his employment. These documents were legally the property of IAC and not his to
permanently destroy.

The Computer Fraud and Abuse Act provides that whoever "knowingly causes the
transmission of a program, information, code, or command, and as a result of such
conduct, intentionally causes damage without authorization, to a protected computer"
violates the Act. Because of the way the lawsuit was originally brought against him,
Citrin was able to argue that erasing data did not amount to a "transmission" as defined
by the Act. The district court agreed and dismissed the case. On appeal, Seventh Circuit
Judge Richard Posner focused on the eraser program itself and its installation onto the
laptop: loading the program onto the machine, whether over the internet or from a disk,
was a transmission, and the harm it caused fell squarely within the Act's definition of
"damage," which includes any impairment to the integrity or availability of data, a
program, a system, or information. [3]

The court further held that Citrin's authorization to use the laptop terminated when he
breached his duty of loyalty to his employer, so that his actions also amounted to
"exceeding authorized access," which the CFAA defines as "access[ing] a computer with
authorization and ... us[ing] such access to obtain or alter information in the computer
that the accesser is not entitled so to obtain or alter." Citrin argued that his employment
contract authorized him to "return or destroy" data on the laptop, but the court found it
unlikely that this was intended to authorize him to irreversibly destroy data that the
company had no copies of, or data that incriminated him in misconduct. The judgment
was therefore reversed with directions to reinstate the suit. [4]

[1] Ciampa, Mark (2010). Security Awareness: Applying Practical Security in Your World,
Third Edition, p. 14.

[2] http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
[3] AJH. "International Airport Centers v. Citrin." Cases of Interest (Michael Risch, ed.),
23 Apr 2010. Accessed 6 Feb 2012.
[4] http://en.wikipedia.org/wiki/International_Airport_Centers,_L.L.C._v._Citrin

4.6 USA PATRIOT Act 2001

Figure 3: DOJ Seal

The USA PATRIOT Act, whose name stands for "Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism," was signed by
President Bush on October 26, 2001. It made some of the most substantial changes to
U.S. federal cybercrime law in recent history, and those changes directly affect how
corporations respond to cybercrime incidents and work with law enforcement. The Act
was pushed through Congress quickly at the urging of administration officials in the wake
of the September 11, 2001 terrorist attacks on the United States.

According to the Department of Justice, the Act enables the United States to better
counter terrorism in a number of ways. One of them directly benefits U.S. citizens: the
section (section 217, the "computer trespasser" provision) that updates the law to reflect
new technologies and the threats that come with them. In the DOJ's words, it "allows
victims of computer hacking to request law enforcement assistance in monitoring the
'trespassers' on their computers. This change made the law technology-neutral; it placed
electronic trespassers on the same footing as physical trespassers. Now, hacking victims
can seek law enforcement assistance to combat hackers, just as burglary victims have
been able to invite officers into their homes to catch burglars." [1] Many have expressed
concern about the depth of the changes the USA PATRIOT Act made to citizens' privacy
rights; we will not be focusing on those concerns in this course.

Please follow the link to the following website for further content regarding this Act:
http://www.justice.gov/archive/ll/highlights.htm

USA PATRIOT Act Case Study -- Mayfield v. United States:

Brandon Mayfield, an American attorney, was at the center of one of the most publicized
cases involving the USA PATRIOT Act. The FBI held him for two weeks as a material
witness in connection with the 2004 Madrid train bombings.

The FBI suspected Mayfield of being connected to the bombings after claiming to have
matched his fingerprints to key evidence in the case. Several weeks before his arrest,
Mayfield suspected that he was being watched by federal agents; his house was even
broken into twice, although nothing was stolen. FBI agents had wiretapped his phones
and searched his house on more than one occasion.

Spanish authorities concluded that Mayfield's fingerprints did not match the print found at
the scene and that he was not a suspect. The FBI, however, disregarded this and
continued surveillance of Mayfield and his family. The FBI's database search of the
scene print had returned 20 possible matches, of which Mayfield was one. The FBI
investigated these candidates and collected medical, financial, and employment records
on all of them and their families.

When the FBI arrested Mayfield, agents refused to tell him or his family where he would
be held or why he was being arrested. Once Spanish authorities identified the actual
match (an Algerian named Ouhnane Daoud), Mayfield was released. Mayfield later sued
for invasion of privacy. U.S. District Judge Ann Aiken ruled that the laws used against
Mayfield were unconstitutional, although the Ninth Circuit later overturned that ruling.
SOURCE:
(https://wikispaces.psu.edu/display/IST43208/Example+of+a+Case+Involving+the+Patriot+Act)

4.7 Children's Online Privacy Protection Act - 1998 (COPPA)

In 1998 the U.S. Congress passed COPPA and directed the Federal Trade Commission to
write the rule implementing it. The Act's stated goals are "to minimize the collection of
personal information from children and create a safer, more secure online experience for
them, even as online technologies, and children's uses of such technologies, evolve." [2]
Among the rules, any website or online service directed to children under age 13 (or that
has actual knowledge it is collecting information from such children) must obtain
verifiable parental consent before it collects, uses, or discloses personal information about
a child, including displaying it. The Rule also prohibits sites from conditioning a child's
participation in an activity on the disclosure of more personal information than is
reasonably necessary to participate. Requiring registration data before a visitor can
advance to certain areas of a site is an enticement tactic still used today on sites aimed at
adults, among other things to profile visitors and target ad placement; on a children's
site, unless the information is reasonably necessary for participation, it cannot be required.
The rules set forth by the FTC went into effect in April 2000.

Case Study COPPA -- Web Site Targeting Girls Settles FTC Privacy Charges:

Lisa Frank, Inc., manufacturer of popular girls' toys and school supplies, and operator of
a Web site featuring those products, will pay $30,000 in civil penalties to settle Federal
Trade Commission charges that it violated the Children's Online Privacy Protection Rule
(COPPA Rule) and the FTC Act. The settlement also bars the company from certain
future violations of the law. This is the fourth law enforcement action the FTC has taken
to enforce the COPPA Rule since it became effective in April 2000.

This case was brought to the FTC's attention by the Children's Advertising Review Unit
(CARU) of the Council of Better Business Bureaus. CARU evaluated the Lisa Frank
Web site in late 2000, after the COPPA Rule became effective. According to CARU, Lisa
Frank, Inc. committed serious violations of the COPPA Rule and, despite CARU's
urging, failed to make the changes needed to bring the Lisa Frank Web site into
compliance with the Rule.

In its complaint, the FTC alleges that the Lisa Frank Web site is directed to children, as
that term is defined by the Rule. It further alleges that between April 21, 2000 and January
2001, lisafrank.com asked girls to register before they accessed many areas of the site.
The registration form asked girls for their first and last names, street addresses, phone
numbers, e-mail addresses and birth dates, as well as their favorite color and season.
Although directed to children, the site did not obtain consent from parents before
collecting this information as required by the Rule. The complaint further alleges that, in
violation of the Rule, Lisa Frank did not provide direct notice to parents about the
company's privacy practices and did not inform parents that the company wanted to
collect information from their children and that prior parental consent was required.
Additionally, the company failed to include in its Web site privacy policy required notices
that an operator is prohibited from conditioning a child's participation in an activity on
the child's disclosing more personal information than is reasonably necessary to
participate in such activity. Finally, the complaint alleges that the company violated the
FTC Act's prohibition on deceptive practices because lisafrank.com's privacy policy
falsely claimed that the site required parental consent for children 13 and younger and
that parents would be required to fill in a registration form agreeing to the collection
practices.

Settlement of the FTC charges permanently bars Lisa Frank, Inc. from future violations
of the COPPA Rule; enjoins it, in connection with the operation of any Web site or other
online service, from failing to comply with certain representations about children's
privacy; and requires that if the company operates a child-directed site in the future, it
place a hyperlink to the FTC's website pages about the COPPA Rule within that site's
privacy policy and on notices to parents about collection of information from children.
SOURCE: (http://www.ftc.gov/news-events/press-releases/2001/10/web-site-targeting-girls-settles-ftc-privacy-charges)

4.8 Civil Rights Act

With all of the above, it would be remiss not to mention the earliest of these protections,
which covers all United States citizens: the Civil Rights Act of 1964. Title VII of the Act
prohibits employment discrimination based on race, color, religion, sex, or national origin
(age discrimination is addressed separately by the Age Discrimination in Employment Act
of 1967). Courts have interpreted Title VII to require employers to maintain a workplace
free of harassment, and to hold employers legally responsible for a hostile work
environment that they knew or should have known about and failed to correct. Title VII
applies to any employer with 15 or more employees.

For example, take a fictitious scenario, something that may seem harmless to some and
not to others. Suppose an employee prints a revealing picture of a woman in a skimpy
bikini and leaves it on the printer in the organization's coffee room, where a female
co-worker finds it and is offended. Does she have grounds for a claim under the Civil
Rights Act? A single incident is rarely enough on its own, because a hostile-environment
claim requires conduct that is severe or pervasive; but incidents like this one, especially
when they recur and when she keeps the evidence to prove them, are exactly what such
claims are built on.

Printed material of this kind, e-mailed jokes, and conversations around the water cooler
can all contribute to a hostile work environment claim. When a claim arises, a company
that cannot show it took prompt corrective action (for example, disciplining or dismissing
the people responsible) risks losing the suit and paying damages, whether by settling out
of court or after a trial.

Case Study Civil Rights Act: 4 Women Sue Chevron for Sexual Harassment

Chevron Corp. settled a suit brought by four women who accused the corporation of
retaliating against them after they had complained of sexual harassment. The women
claimed that they were the targets of unwanted sexual advances from managers and
co-workers in Chevron's Information Technology Co., and that they had discovered
pornographic messages on company computer equipment. One of them further claimed
to have received an anonymous "sadistic" pornographic picture via the company e-mail
system.

According to the complaint, after the women complained, Chevron began watching them
relentlessly: it monitored all of their phone and e-mail communications and even installed
video surveillance near one of the women's offices. The women were portrayed as
troublemakers, and other workers were warned that they could lose their jobs if they
associated with them.

One critical piece of evidence was an e-mail message that several employees had
forwarded within the company listing "25 reasons why beer is better than women." The
message was used in the suit as proof of a hostile work environment: the e-mail itself,
and the fact that it could be forwarded so widely through the company e-mail system,
showed that such behavior was tolerated by Chevron, since no controls had been put in
place to prevent this kind of harassment.

Chevron ultimately settled the suit, agreeing to implement court-ordered policy and
procedural changes and to pay the plaintiffs $2.2 million. One of the women received
$1.3 million, another received $500,000, and the other two received $200,000 each. At
the time, this was one of the largest sexual harassment settlements in the United States.

Attribution for the whole case study:
http://articles.latimes.com/1995-02-22/business/fi-34837_1_sexual-harassment

[1] http://www.justice.gov/archive/ll/highlights.htm

[2] http://www.ftc.gov/sites/default/files/documents/rules/children%E2%80%99s-online-
privacy-protection-rule-coppa/130117coppa.pdf

To Do Activity #2

Instructions: Research and discuss a published court case in which one of the above laws
was used to win or lose the case. Discuss the case in the Discussion area of the course.
Click the link to access the tool: Module 4 Discussion - To Do Activity #2

Critical Thinking

Compare and contrast key concepts: give students the table below and ask them to fill it in
using the two given concepts.

                                          | Concept #1:              | Concept #2:
                                          | The Privacy Act of 1974  | Children's Online Privacy Protection Act
------------------------------------------|--------------------------|-----------------------------------------
Define or explain each concept            |                          |
Explain how the concepts are similar      |                          |
Explain how each concept is different     |                          |
with respect to specific attributes       |                          |

Further Study

For more information visit the following links:

The Privacy Act of 1974
http://www.justice.gov/opcl/privacyact1974.htm

The Health Insurance Portability and Accountability Act - 1996 (HIPAA)
http://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/pdf/CRPT-104hrpt736.pdf

Computer Fraud and Abuse Act
http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf
