DISCUSSION
This exercise is to identify and characterize assets. Imagine there is a severe natural calamity in your area and your personal vehicles have been rendered immobile. The local mayor is running school buses on their routes to evacuate residents and drop them off to a central safe location. You are only allowed to bring in items that will fit within your lap. Excluding people assets and laptop, cell phones, and hard drives, identify an asset you will select from your home and take with you. Be creative and think about other assets in the remaining four categories. For the chosen asset, describe how it will benefit you in the given situation. As the discussion proceeds, demonstrate through meaningful dialogue how your selected asset is superior to the other competing assets proposed.
This is just for your information: There are 5 types of Assets:
- Information assets
- Personnel assets
- Hardware assets
- Software assets
- Legal Assets
CRITICAL THINKING EXERCISE-IRAQ CYBERWAR PLANS IN 2003
In August 2009, the New York Times reported that in 2003, when the US was planning the Iraq war, US Intelligence agencies and the Pentagon developed a plan to launch a cyber-attack with the goal of freezing the bank accounts operated by Saddam Hussein. There were billions of dollars in these accounts, which were used to pay the salaries of army personnel and purchase supplies. If successful, the cyber-attack would incapacitate Saddam Hussein's ability to wage war with kinetic (conventional) weapons.
As the New York Times reported, though the officials involved in developing the plans for cyber-attacks were confident of their ability to execute the attacks, they never got approval to execute on their plans. Officials in President Bush's administration were concerned about collateral damage, i.e., impacts on accounts owned by other individuals, if any part of the cyber-attack did not go according to plan. This could create financial chaos worldwide, beginning with the Middle East, but likely to spread to Europe and even the United States.
That was 2003. Since then technology has evolved, and cyberwarfare is increasingly becoming part of the military arsenal. Even during the Iraq war in 2003, the military attack included disrupting telephone systems inside Iraq. This temporarily affected civilian telephone services in countries neighboring Iraq. However, this collateral damage was considered acceptable at that time. But the uncertain damage from a cyber-attack gone haywire was not. Since then though, the US Government has felt comfortable using cyber-attacks to advance its goals, best documented in the case of the Stuxnet virus.
Critical Thinking Questions
1. What are some ways (however unlikely) in which the proposed cyber-attack on Saddam Hussein's accounts could have harmed you?
2. What are some ways in which a cyber-attack on a military target can harm civilians?
3. One traditional military constraint based on the Geneva conventions and the UN Charter is called proportionality, the idea that a punishment should befit the crime. Given the risks of cyber-attacks identified in the earlier questions, do you think cyber-attacks are more likely to cause disproportional harm to civilians than conventional weapons?
DESIGN CASE
The Help Desk at the College of Engineering at Sunshine University has special privileges. It can fix user access problems bypassing normal access control procedures.
How did this come about, you might wonder? Years ago, an Electrical Engineering professor with considerable prestige in the College was unable to submit a grant proposal because he had accidently locked his Engineering account over the weekend. The Dean of the College and the Department Chair were extremely unhappy. As a "temporary" solution, student workers at the Help Desk were given administrative privileges to the Engineering domain, so they can change passwords and unlock accounts without inconveniencing the faculty and staff. Years later, the so-called "temporary solution" has become permanent, and quick response over the weekend is expected by all users.
One Saturday morning, Adam, a new student hired as a Help Desk employee decides, against the College's policy, to install a BitTorrent client on his Help Desk computer. Later in the week, an investigation into reports of sluggish computers leads to the discovery of a botnet installation on most of the computers in the College. After days of investigation, the source of the botnet installations is discovered when a keylogger is found on the machine Adam used. He had inadvertently installed malware on the machine together with the BitTorrent installation and the keylogger malware had captured Adam's credentials.
The College Dean has asked you to have an incident report on his desk as soon as possible, including recommendations to prevent such incidents in the future.
Design Case Questions
1. List the threats and vulnerabilities that allowed this situation to occur.
1. Classify all the events found in 1 above, including:
a. Asset Affected, including asset classification and characterization.
b. Threat Agent (including internal, external, or partner)
c. Threat Action (type, etc)
d. Vulnerability used
2. What recommendations would you make to the Dean going forward?
3. In your opinion, what should be done with Adam, the student recently hired to the Help Desk position?