In: Computer Science
Case StudiesWhen the average person thinks of network security within a school, they often think of the student trying to hack into the system to change their grade, to see if they can take over their friend’s computer, or to put a prank up on the school website.
In light of the current network dangers these may be some of least of the school system worries.All of the following cases are based upon real situations. Read all of the case studies below and for answer the following questions for each of the three case studies:
What should be the very first course of action?
Should the public be informed about the situation? If so, how will their trust be regained?
What steps should be taken to prevent similar attacks in the future?
What are the ethical issues of this situation?
How should students be dealt with if they were the people initiating the attack?
Breached Passwords
There are many ways for people to get passwords. What they do once they have them can be devastating. The important first step in data security is for everyone to take password security seriously. Choosing good passwords, not posting it on your computer, making sure no one is looking when you are typing it in are all simple steps in password security.
Brute force
Hackers used brute force password cracking program to break into the district’s computers and initiated a batch of bogus transfers out of the school’s payroll account. The transfers were kept below $10,000 to avoid the anti-money laundering reporting requirements. The hackers had almost 20 accomplices they had hired through work at home job scams. Over $100,000 was successfully removed from the account. Two days later a school employee noticed the bogus payments. Unfortunately, unlike consumers who typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges, organizations and companies have roughly two business days to spot and dispute unauthorized activity. This is because school organizations that bank online fall under the Uniform Commercial Code. Due to this law, the district was able to get less than $20,000 of the transfers reversed.
Shoulder surfing
A former student “shoulder surfed” (physically observed) the password of an employee while still in high school. After graduating, he used this information to get into the district’s student information system. From there, he gained access to a different district’s payroll data including birth dates, social security numbers, and bank account information of 5000 current and former employees. This information was then used for identity theft purposes including requesting and using credit cards, creating checks and altering bank account information. The perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000 the district gave all of the affected employees fraud prevention and resolution services. According to the district superintendent, the district suffered “damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud.... answering employee questions and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and work to change bank account and payroll information.
"Key logger
A group of students installed a keystroke-tracking program (this could also fall under malware or student hacking) on computers at their high school to grab the usernames and passwords of about 10% of the students, teachers, parents, and administrators that use the system. The students then used this password information to access the system to change grades for themselves and others. They did not seem to do anything else to the system while they had access.
The very first action that needs to be taken is report the concerned authorities and making them aware of the current situation and shutting down the system to prevent any further loss at the time.
Yes, the public needs to be imformed as it is the fundamental right of the citizen to have the right to imformation and thgey should be imformed regarding the same and should be made to believe that the authorities are working there level best to find the criminal and they will esnure that necessary action will be taken against them and future similiar scenario will be decreased by using latest and moe secure technique to protect data.
The ditrict should ask the user to not share and hide their password as anyone can use it for their use and can result in the loss of the someone , the district should also ask the citizen to use more complex password so that it wont be easy for anyone to guess and serve it purpose to provide security and district should implement proper encryption techniques for storing the data and use protcol like TCP/IP to protect the data while in transmission
The ethical issue of this situation is the protection of the data and confidentiality of the user which is being compromised here and the criminal should be charged accrodinglt for their crime and should be sentenced to jail.
If student are found indulging in this kind of activity they should be dealt with as a adult criminal but should be sentenced to jail and they should be made to learn what their action can cause to their life and what are privacy law that can they have been violating and what are the consequece of violating these laws and their electronice should be monitored for a interval of time.