Reading review problem. Consider the following examples of computer crime:
• In June of 2005, news broke that breach at a third-party payment processor had affected 40 million credit cards. The intruders were able to export names, card numbers, and card security codes from approximately 20,000 of the affected cards. (CNN.com)
• Beginning early Saturday, January 25, 2003, a worm known as Sapphire (aka SQL Slammer) began propagating through the Internet. It was the fastest-spreading worm ever released on the Internet, the number of infected hosts doubling every 8.5 seconds during the first minutes of propagation. Sapphire exploited vulnerability in MS-SQL, for which Microsoft had released a patch in July 2002. It is estimated that the worm infected at least 75,000 hosts, causing major network slowdowns and outages that led to canceled flights, ATM failures, and many other impacts to both large and small organizations. (CAIDA.org)
• In recent years, online gambling sites have become the targets of cyber-extortionists threatening to bring down sites unless the companies behind these sites pay “protection” money. Online gambling sites are particularly vulnerable to online extortion as transactions are high volume and high impulse, customers turning to another site if the one they are attempting to access is unavailable. The perpetrators of these schemes have started taking advantage of information technology to launch large-scale denial-of-service attacks against the sites. (TheRegister.co.uk)
• On June 8, 2005, the former IT manager of a software maker pleaded guilty to computer crime charges. Within two weeks of his termination, he gained unauthorized access to the computer system of his former employer and deleted an e-mail server domain, accessed the e-mail account belonging to the president, and made configuration changes to the mail servers that caused e-mails to be rejected. (Cybercrime.gov)
a. Use Carter’s taxonomy for computer crime to classify each of the preceding examples.
b. What business risk(s)/threat(s) are exemplified by each situation?
c. Which element(s) of the C-I-A triad was/were compromised in each example?
d. What internal controls would you recommend to address each example?
e. Discuss elements of the Co BIT framework that are relevant to each example.