International Islamic University, Islamabad

Department of Computer Science & Software Engineering

GE – 112 Professional and Ethical Issues

Assignment # 2

Rules and Guidelines:

1. This is an individual assignment.
2. Submission deadline is Friday 27thDec, 2019 for all sections.
3. Attach title page. Use following naming conventions for Assignment
Name (Your Complete Name)
Reg # (XXXX-FBAS/BSIT/F17)
4. Copying from web, books, class fellows or any other sources is strictly prohibited. This may lead
course failure.
5. Please send soft copy of your assignment through email to your CR
6. There is a post assignment assessment that will be distributed among students in any of the class after
this assignment. This assignment will be treated and marked as a quiz Students should be able to
complete this assignment if this assignment is completed successfully and on their own.

1. You have been assigned to be a computer security trainer for your firm’s 2,000 employees and contract
workers. What are the key topics you would cover in your initial one-hour basic training program for non-
IT personnel? What sort of additional security-related training might be appropriate once people have the
basics covered?
Ans: To prevent staff-related incidents, organizations must implement a viable security training program. The
ideal program should incorporate the following training exercises:
1. Clean Desk Policy
Sensitive information on a desk such as sticky notes, papers and printouts can easily be taken by thieving hands
and seen by prying eyes.
2. Bring-Your-Own-Device (BYOD) Policy
BYOD covers the employees’ personal computing possessions which might be used in a work setting. They
may include mobile devices, audio players, digital cameras and various other portable electronic devices which
could be utilized to steal sensitive data.
3. Data Management
There are numerous types of data (such as a backup copy of customer contracts or mission statements) and a lot
of employees may not be aware of this fact. These employees do not realize the significance of classified data
4. Removable Media
It’s more common than you think for employees to find a removable thumb drive or external hard drive in the
parking lot, bring it inside and plug it into their computer to see who it belongs to, only to find the device was
planted there to either destroy or take over their computer with malware.
5. Safe Internet Habits
Almost every worker, especially in tech, has access to the Internet. For this reason, the secure usage of the
Internet is of paramount importance for companies. Security training programs should incorporate safe Internet
habits that prevent attackers from penetrating your corporate network.
6. Physical Security and Environmental Controls
Security awareness isn’t just about what resides in your company’s computers or handheld devices. Employees
should be aware of potential security issues originating in physical aspects of the workplace. This includes
spatial awareness as well as physical components.
7. Social Networking Dangers
Nowadays, enterprises use social networking as a powerful tool to build a brand (either locally or globally) and
generate online sales. Unfortunately, social networking also opens the floodgates for phishing attacks that can
lead your company towards an immense disaster.
8. Email Scams
Email scams involve fraudulent and unsolicited emails that claim to offer a bargain for nothing. A scam email
lures a user for the free offer, bogus business opportunity, guaranteed loans or credit, easy money, health and
diet schemes and so forth.
9. Malware
A training session on malware should illustrate malware types and their implications. Malware types should
include adware, spyware, viruses, Trojans, backdoors, rootkits, ransomware, botnets, logic bombs and armored
viruses. Employees should learn how to identify malware and what to do if their device or network has been
infected
10. Hoaxes
A hoax is defined as a falsehood or deception that is fabricated deliberately to subterfuge and victimize the
users. The attackers generally use hoaxes through emails to harm employees.

2. A successful distributed denial-of-service attack requires the downloading of software that turns
unprotected computers into zombies under the control of the malicious hacker. Should the owners of the
zombie computers be fined or otherwise punished as a means of encouraging people to better safeguard
their computers? Why or why not?
Ans: The domain name system (DNS) is one of the most critical components of global internet infrastructure.
When a portion of the DNS is compromised or unavailable, users cannot reach the associated resources on
the internet. This is because the DNS operates as the address book for the internet and is responsible for
translating Internet Protocol (IP) addresses, such as 162.219.54.2 or 2001:500:80:2::12, into human-
friendly domain names, such as example.ca, and much more. Taking down elements of the DNS means
entire swaths of the internet become unreachable. It is no wonder, then, that the DNS is a perennial target
for cyber attackers.
We have now arrived at an inflection point where securing those internet-connected digital assets against
inevitable cyber attacks is critically important. The cyber security landscape has changed dramatically, with
major distributed denial of service (DDoS)1 attacks and ransomware schemes2 routinely making headlines.
According to a report by the Center for Strategic and International Studies (CSIS) and McAfee, the global
cost of cybercrime was estimated at US$600 billion for 2017 — a significant jump from US$445 billion in
2014 (Lewis 2018). As more people come online and access essential services via the internet, bad actors
stand to benefit a great deal from a successful attack.
Prevention of data theft remains a high priority in the technology industry, but threats to infrastructure
posed by IoT-enabled botnets are growing in frequency and severity. There is no silver bullet for mitigating the
threats that cyber attacks pose to data security or critical internet infrastructure. The network operator industry
and wider internet community have responded to new threats with a multi-layered approach, including
everything from threat monitoring and knowledge-sharing to redesigning networks and developing entirely new
protocols.

Cyber security requires not just a single solution, but an array of approaches that reinforce one another. As a
TLD operator, CIRA constantly monitors its systems in order to detect attacks and mitigate risk. We’re also
acutely aware that the world of cyber security does not stand still. New attack vectors and seemingly "black
 swan" events are constantly cropping up, requiring ongoing vigilance and adjustments to the changing
landscape.

3. How would you distinguish between a hacktivist and a cyberterrorist? Should the use of hacktivists by a
country against enemy organizations be considered an act of war? Why or why not? How about the use of
cyberterrorists?
Ans: Hacktivists or Cyberterrorists? The Changing Media Discourse on Hacking by Sandor Vegh
This paper scrutinizes the language of government reports and news media sources to shed light on their
role in forming a negative image of politically motivated hacking in general, and online political activism,
in particular. It is argued that the mass media's portrayal of hacking conveniently fits the elite's strategy to
form a popular consensus in a way that supports the elite's crusade under different pretexts to eradicate
hacking, an activity that may potentially threaten the dominant order.,.

Especially put into the context of other types of terrorist alerts (e.g., against bridges, water supply facilities,
nuclear reactors, airports, or embassies abroad), one is left wondering whether these alerts are strategically
distributed according to a planned agenda, with the additional benefits of indirectly putting blame on countries
or technologies that stand in the way of U.S. global political, economic, and cultural hegemony, by carefully
injecting them into the text of these warnings.

Perhaps there is no government agenda. Yet, the majority of these articles are from wire service reports
prompted by government-issued alerts and press briefings. Perhaps there is intelligence that specifically points
to plans against U.S. cyberspace. Yet, the language and sources are extremely vague, making it look like an
attempt to issue warnings about all imaginable scenarios; just in case any of them happens, the government can
always say they did warn the public. Perhaps consequent legislation was only meant to serve the protection of
the American people. Yet, it also protects the government from any other political dissent, or at least gives them
the power to monitor their citizens, as well as it protects businesses from loss revenue from "copyleft," "peer-to-
peer," and "open source" initiatives. Perhaps it is only sensationalist reporting by newspapers to sell more
copies. Yet, it influences public opinion, creates a negative image of hacking, online political activism, free
software and other counter-corporate-cultural movements, blurs the boundaries of cyberactivism and
cyberterrorism, and consequently prompts unwarranted restrictive legislation, induces misguided policy-
making, and causes the curtailment of civil liberties.

****************