Based on the below, and using the 12 categories of threats, identify 3 examples you can find online or in the media for each of the threats listed in the right column. You can use news articles to justify the threats; use the most current news article you can find. Add the reference link for each article in APA format. Prepare a memo to your CEO with your findings. In the same memo, research current vendors that provide phishing email tools to train your employees and provide a recommendation to the CEO about which to buy. Compare at least 2 vendors and identify the following:
- Features
- Cost
Add the Phishing Quiz Exercise discussed in class to the bottom of your memo pages. Take the quiz and answer the below:
- Identify which questions you got wrong from the quiz
- Provide a brief explanation of why you got it wrong
- What did you learn about phishing emails, and what would you recommend in order to avoid falling for a phishing email?
Solution
1) Threats to intellectual property: hacking. After conducting a forensic review of the drives, Bailey (CEO of an IT company) learned that intruders had been lurking on two of his company's servers for almost a year. These hackers, who were traced to a university in Beijing, had entered the company's extranet through an unpatched vulnerability in the Solaris operating system. As far as Bailey could tell, they hadn't accessed any classified information. But they were able to view mountains of intellectual property, including design information and product specifications related to transportation and communications systems, along with information belonging to the company's customers and partners.
Activist hackers, or hacktivists, can also be a danger to companies. For example, early last year members of Anonymous, the hacker collective, copied and publicly released sensitive files of H.B. Gary Federal, a security company.
Copyright violation or piracy:
Intellectual property theft involves robbing people or companies of their ideas, inventions, and
creative expressions—known as “intellectual property”—which can include everything from
trade secrets and proprietary products and parts to movies, music, and software.
It is a growing threat—especially with the rise of digital technologies and Internet file sharing
networks. And much of the theft takes place overseas, where laws are often lax and enforcement
is more difficult. All told, intellectual property theft costs U.S. businesses billions of dollars a
year and robs the nation of jobs and tax revenues.
Preventing intellectual property theft is a priority of the FBI’s criminal investigative program. It
specifically focuses on the theft of trade secrets and infringements on products that can impact
consumers’ health and safety, such as counterfeit aircraft, car, and electronic parts. Key to the
program’s success is linking the considerable resources and efforts of the private sector with law
enforcement partners on local, state, federal, and international levels.
- The most common IP breaches involve software piracy
- Two watchdog organizations investigate software abuse:
  - Software & Information Industry Association (SIIA)
  - Business Software Alliance (BSA)
- Enforcement of copyright law has been attempted with technical security mechanisms
2) Deviations in quality of service from service providers:
- Includes situations where products or services are not delivered as expected
- An information system depends on many interdependent support systems
- Internet service, communications, and power irregularities dramatically affect the availability of information and systems
3) Deliberate acts of trespass:
- Access to protected information by unauthorized individuals
- Competitive intelligence (legal) vs. industrial espionage (illegal)
- Shoulder surfing can occur anywhere a person accesses confidential information
- Controls let trespassers know they are encroaching on the organization's cyberspace
- Hackers use skill, guile, or fraud to bypass controls protecting others' information
- Expert hacker:
  - Develops software scripts and program exploits
  - Usually a master of many skills
  - Will often create attack software and share it with others
- Unskilled hacker:
  - Many more unskilled hackers than expert hackers
  - Use expertly written software to exploit a system
  - Do not usually fully understand the systems they hack
- Other terms for system rule breakers:
  - Cracker: "cracks" or removes software protection designed to prevent unauthorized duplication
  - Phreaker: hacks the public telephone network
- Attacker steals information from a computer system and demands compensation for its return or nondisclosure
  - Commonly done in credit card number theft
4) Forces of nature:
- Forces of nature are among the most dangerous threats
- They disrupt not only individual lives, but also the storage, transmission, and use of information
- Organizations must implement controls to limit damage and prepare contingency plans for continued operations
5) Human error or failure:
- Includes acts performed without malicious intent
- Causes include:
  - Inexperience
  - Improper training
  - Incorrect assumptions
- Employees are among the greatest threats to an organization's data
- Employee mistakes can easily lead to:
  - Revelation of classified data
  - Entry of erroneous data
  - Accidental data deletion or modification
  - Data storage in unprotected areas
  - Failure to protect information
- Many of these threats can be prevented with controls
6) Threat of information disclosure: HTML page comments threat, website error message threat, View-State threat
HTML Page Comments Threat
It is very common for developers to include detailed metadata and comments in their source code. However, when such information ends up in the HTML source sent to the browser, it can expose internal intelligence to a potential attacker that should not be accessible to them. HTML pages often contain sensitive subsidiary information in the form of comments and metadata: usernames, passwords, SQL code, internal IP addresses, debugging information, improper server configurations, or page responses that differ for valid versus invalid data. Failure to strip such comments before deployment can pose a serious vulnerability to a web application.
Website Error Message Threat
Many web applications return informative error messages when unexpected events occur, and these messages can be useful to attackers. Most web applications are written in languages more complex than simple scripts, such as Java, C#, and Visual Basic .NET, and when an unhandled error occurs in those languages it is common to see a full stack trace returned to the browser. The original page showed a login form from a real web site as an example of this. The programmer will have implemented some validation mechanism to check the user name and password; if errors in that validation are not handled properly, a malformed request can cause the application to disclose a stack trace and a great deal of other interesting information.
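As an added illustration that is not part of the original page, the snippet below contrasts an error handler that echoes the stack trace with one that keeps it server-side under a correlation id; `authenticate`, `handle_login`, `leaks_internals` and the malformed request are constructed for the example.

```python
"""Constructed example: the same unhandled error returned two ways, plus a
check a reviewer can run over any error response to spot leaked internals.
All function names here are hypothetical, not from any real framework."""
import json
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")


def authenticate(username, password):
    """Stand-in login check; only its error path matters for the example."""
    if not isinstance(username, str) or not isinstance(password, str):
        raise TypeError("username and password must be strings")
    return username == "alice" and password == "correct horse"


def unsafe_error_page(exc):
    """What many frameworks do in debug mode: send the full trace to the browser."""
    trace = traceback.format_exception(type(exc), exc, exc.__traceback__)
    return "<pre>" + "".join(trace) + "</pre>"


def safe_error_page(exc):
    """Log the full trace server-side under a correlation id; return only the id."""
    corr = uuid.uuid4().hex
    log.error("request %s failed", corr, exc_info=exc)
    return json.dumps({"error": "An internal error occurred.", "reference": corr})


def handle_login(username, password, leaky=False):
    """Request handler; `leaky=True` selects the disclosing behaviour."""
    try:
        return "ok" if authenticate(username, password) else "denied"
    except Exception as exc:  # broad on purpose: any crash must not leak
        return unsafe_error_page(exc) if leaky else safe_error_page(exc)


# Details attackers read out of traces: trace header, file paths with line
# numbers, and exception class names.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),
    re.compile(r"\b\w+Error\b"),
]


def leaks_internals(response_text):
    """True if an error response contains stack-trace details."""
    return any(p.search(response_text) for p in LEAK_PATTERNS)


if __name__ == "__main__":
    # Constructed malformed request: a list where a string is expected.
    bad_request = (["alice"], "x")
    print(handle_login(*bad_request, leaky=True))   # trace visible to client
    print(handle_login(*bad_request))               # generic message + reference
```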
View-State Threat
Because HTTP is stateless, the data in Web forms and any changes to it would be lost on each round trip to the server. ASP.NET therefore uses View-State as a client-side state management mechanism for storing the values of a web page across round trips. Once your web page code has finished running, ASP.NET examines all the controls on your page. If any of their properties has changed from its initial state, ASP.NET records this information in a name/value collection. Finally, ASP.NET takes all the information it has collected and serializes it as a Base64 string. The View-State is typically stored in a hidden field with the ID __VIEWSTATE. Base64 is an encoding, not encryption, so anything placed in View-State can be read by whoever receives the page unless View-State encryption is enabled; it should never be used to carry secrets.
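The check below, an added example rather than code from the original page, scans an HTML response for the two disclosure channels described above: sensitive data left in HTML comments and readable data inside the `__VIEWSTATE` field. The sample page and its View-State payload are constructed (real View-State is a binary serialization, so a plaintext payload is used to make the decode step visible); `scan_html` and `decode_viewstate` are hypothetical names.

```python
"""Constructed pre-release check for information disclosure in HTML output."""
import base64
import re
from html.parser import HTMLParser

# Patterns a reviewer does not want to see in anything sent to a browser.
SENSITIVE = {
    "credential": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]"),
    "private_ip": re.compile(
        r"\b(10\.\d{1,3}|192\.168|172\.(1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "sql": re.compile(r"(?i)\b(select|insert|update|delete)\b.+\b(from|into|set|where)\b"),
}


class _Collector(HTMLParser):
    """Collect every HTML comment and the hidden __VIEWSTATE input, if any."""

    def __init__(self):
        super().__init__()
        self.comments, self.viewstate = [], None

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "__VIEWSTATE":
            self.viewstate = a.get("value") or ""


def decode_viewstate(value):
    """Base64-decode the field and return printable strings found inside.
    Base64 is an encoding, not encryption: readable strings here mean the
    client can read whatever the server stored in View-State."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return []
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{6,}", raw)]


def scan_html(page):
    """Return (source, kind, excerpt) findings for comments and View-State."""
    p = _Collector()
    p.feed(page)
    findings = []
    for c in p.comments:
        for kind, rx in SENSITIVE.items():
            if rx.search(c):
                findings.append(("comment", kind, c[:60]))
    if p.viewstate is not None:
        for s in decode_viewstate(p.viewstate):
            for kind, rx in SENSITIVE.items():
                if rx.search(s):
                    findings.append(("viewstate", kind, s[:60]))
    return findings


# Constructed sample response: two careless comments and a View-State value
# that carries a query in plaintext (stand-in for the real binary format).
VIEWSTATE_PLAINTEXT = b"lastQuery=SELECT * FROM users WHERE role='admin'"
SAMPLE_PAGE = f"""<html><body>
<!-- TODO remove before release: db password=Secr3t! -->
<!-- backend host 10.20.30.40, see build notes -->
<form method="post">
<input type="hidden" name="__VIEWSTATE"
       value="{base64.b64encode(VIEWSTATE_PLAINTEXT).decode()}" />
<input type="text" name="user" /> <input type="submit" />
</form></body></html>"""

if __name__ == "__main__":
    for source, kind, excerpt in scan_html(SAMPLE_PAGE):
        print(f"{source:9} {kind:11} {excerpt}")
```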
7) Sabotage:
- Attacks on the face of an organization: its Web site
- Threats can range from petty vandalism to organized sabotage
- Web site defacing can erode consumer confidence, dropping sales and the organization's net worth
- Threat of hacktivist or cyberactivist operations is rising
- Cyberterrorism: a much more sinister form of hacking
8) Software attacks:
- Malicious software (malware) designed to damage, destroy, or deny service to target systems
- Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks
9) Technical hardware failures:
- Occur when a manufacturer distributes equipment containing flaws to users
- Can cause a system to perform outside of expected parameters, resulting in unreliable or poor service
- Some errors are terminal; some are intermittent
10) Technical software failures:
- Purchased software that contains unrevealed faults
- Combinations of certain software and hardware can reveal new software bugs
- Entire Web sites are dedicated to documenting bugs
11) Technological obsolescence:
- Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
- Proper managerial planning should prevent technology obsolescence; IT plays a large role
12) Theft:
- Illegal taking of another's physical, electronic, or intellectual property
- Physical theft is controlled relatively easily
- Electronic theft is a more complex problem; evidence of the crime is not readily apparent
Part 2) Vendors which provide phishing tools to train employees:
Anti-Phishing Working Group
The Anti-Phishing Working Group offers a variety of resources, including a phishing education
landing page that companies can use in conjunction with their anti-phishing campaigns. Some of
the vendors below, including Phishme and KnowBe4, also offer free resources.
Another free tool is MSI Simple Phish from MicroSolved, which allows security teams to run
their own phishing tests inside their organization.
BetterCloud, which offers security and monitoring services for cloud-based office applications,
started worrying about phishing when another company in their office building lost $2 million to
a phishing scam, and their cybersecurity insurance would not cover the cost.
"Their business took a really bit hit," said Austin Whipple, the company's senior security
engineer. "It was hard to recover from that."
In response, BetterCloud ran a company-wide training, then created its own phishing email
campaign that seemed to be a note from the HR system, but actually came from an external email
address. This was followed up with more education.
"Compared to other organizations, or to the Verizon report, we did fairly well," he said. "But
there are still some areas we can improve on."
Once some time has passed, there will be another phishing test, he added. The employees
forward suspicious emails to him personally, he added, and it's clear that the company has
already been specifically targeted because some of the real phishing emails include inside
information that would have required some research.
According to Whipple, setting up an anti-phishing training program is not too difficult.
"Any one tech person can do this whole thing," he said. "It doesn't take a massive amount of
set up. Educate your people, do the test, then educate the people again, and do a follow-up test."
PhishMe
PhishMe’s phishing simulation, training and reporting platform is used by more than 800
customers world-wide, including nearly half of the Fortune 100, to proactively engage thousands
of employees in simulations that condition them to detect and report phishing threats.
PhishMe also offers a phishing incident response platform, which automates and prioritizes reported phishing emails for faster response, and a threat intelligence service that helps threat analysts vet the phishing activity they see against verified external threats.
By combining awareness training, easy reporting, and appropriate security responses, employees can go from being a company's biggest security weakness to its first line of protection.
"Humans are the most powerful layer of defense against spear phishing, and organizations need
to leverage every security benefit humans can provide to remain protected against this top attack
vector," said Rohyt Belani, CEO at PhishMe.
PhishMe also offers a dozen free training modules, available in the form of interactive PDF files
or SCORM-compliant files that can be run through a company's learning management system.
PhishLabs
Customers include four of the top five U.S. financial institutions, seven of the top 25 global
financial institutions, leading social media and career sites, and top healthcare, retail, insurance
and technology companies.
"Make the simulations as realistic as possible," recommends John LaCour, founder and CEO at
PhishLabs. "If you want your employees to spot and report real-world attacks, the simulations
need to mirror the real-world attacks they are most likely to see."
In addition, once employees do report the attacks, a company needs to have processes in place so
that they can respond to targeted attacks early on, when they're the least costly to mitigate.
Part 3) Quiz: Only one question went wrong. The topic was PayPal, and in the email there were spelling mistakes and there was a link to log in, which is not correct as PayPal does not include login links in emails.

Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 

Recently uploaded (20)

TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 

Based on the below and using the 12 categories of threats identify 3 .pdf

Copyright violation or piracy: Intellectual property theft involves robbing people or companies of their ideas, inventions, and creative expressions (known as "intellectual property"), which can include everything from trade secrets and proprietary products and parts to movies, music, and software. It is a growing threat, especially with the rise of digital technologies and Internet file-sharing networks, and much of the theft takes place overseas, where laws are often lax and enforcement is more difficult. All told, intellectual property theft costs U.S. businesses billions of dollars a year and robs the nation of jobs and tax revenues. Preventing intellectual property theft is a priority of the FBI's criminal investigative program, which focuses in particular on the theft of trade secrets and on infringing products that can affect consumers' health and safety, such as counterfeit aircraft, car, and electronic parts. Key to the program's success is linking the considerable resources and efforts of the private sector with law enforcement partners at the local, state, federal, and international levels.
- The most common IP breaches involve software piracy.
- Two watchdog organizations investigate software abuse: the Software & Information Industry Association (SIIA) and the Business Software Alliance (BSA).
- Enforcement of copyright law has been attempted with technical security mechanisms.

2) Deviations in quality of service from service providers:
- Includes situations where products or services are not delivered as expected.
- An information system depends on many interdependent support systems.
- Internet service, communications, and power irregularities dramatically affect the availability of information and systems.

3) Deliberate acts of espionage or trespass:
- Access to protected information by unauthorized individuals.
- Competitive intelligence (legal) versus industrial espionage (illegal).
- Shoulder surfing can occur anywhere a person accesses confidential information.
- Controls let trespassers know they are encroaching on the organization's cyberspace.
- Hackers use skill, guile, or fraud to bypass the controls protecting others' information.
- Expert hacker: develops software scripts and program exploits; usually a master of many skills; will often create attack software and share it with others.
- Unskilled hacker: there are many more unskilled hackers than expert ones; they use expertly written software to exploit a system and do not usually fully understand the systems they hack.
- Other terms for system rule breakers: cracker ("cracks" or removes software protection designed to prevent unauthorized duplication); phreaker (hacks the public telephone network).
- An attacker who steals information from a computer system and demands compensation for its return or non-disclosure (information extortion); commonly done with stolen credit card numbers.

4) Forces of nature:
- Forces of nature are among the most dangerous threats.
- They disrupt not only individual lives but also the storage, transmission, and use of information.
- Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

5) Human error or failure:
- Includes acts performed without malicious intent.
- Causes include inexperience, improper training, and incorrect assumptions.
- Employees are among the greatest threats to an organization's data.
- Employee mistakes can easily lead to revelation of classified data, entry of erroneous data, accidental data deletion or modification, data storage in unprotected areas, and failure to protect information.
- Many of these threats can be prevented with controls.

6) Threat of information disclosure: HTML page comments, website error messages, and View-State.

HTML page comments threat: It is very common for developers to include detailed metadata and comments in their source code. Comments that end up in the HTML served to the browser, however, expose internal intelligence to a potential attacker that should not be accessible to them. HTML pages often carry sensitive information in comments and metadata, such as usernames, passwords, SQL code, internal IP addresses, debugging information, details of improper server configuration, or different page responses for valid versus invalid data. Failure to clean such comments out of the delivered HTML is a real vulnerability in a web application. Server-side comments (in the template language or code-behind) never reach the browser; only HTML comments do, so the check is to review what the server actually sends, not only what is in the repository.

Website error message threat: Many web applications return informative error messages when unexpected events occur, and these messages may be useful to attackers. Most web applications are written in languages more complex than simple scripts, such as Java, C#, and Visual Basic .NET, and when an unhandled error occurs in those languages it is common to see the full stack trace returned to the browser. [Screenshot of a login page from a real web site that authenticates users, not reproduced in this text.] The programmer would obviously have implemented some validation mechanism to check the user name and password. The attack is to submit input that this validation does not expect; if the programmer has not handled the resulting error properly, a lot of interesting information (the stack trace, file paths, and the failing statement) can be disclosed.
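As an added example (not part of the original memo or of any vendor's product), the following Python scanner checks a response body for the three disclosure problems described in this section: sensitive HTML comments, stack-trace markers from unhandled exceptions, and a __VIEWSTATE field that decodes to readable text (the View-State paragraph that follows explains why that matters). The sample pages, the keyword list, and the stack-trace signatures are constructed for the example and are not an exhaustive rule set.

```python
"""Added example (not part of the original memo): a small scanner for the
three information-disclosure problems in this section, run over constructed
sample pages rather than captured traffic."""
import base64
import binascii
import re

# Things a reviewer would not want to see inside an HTML comment.
# The list is an assumption for the example, not an exhaustive rule set.
SENSITIVE_COMMENT_PATTERNS = [
    r"passw(or)?d",
    r"\bpwd\b",
    r"user(name)?\s*[:=]",
    r"\bselect\b.+\bfrom\b",                        # SQL left behind
    r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b",           # private address ranges
    r"\b192\.168\.\d{1,3}\.\d{1,3}\b",
    r"\b172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}\b",
    r"\b(todo|fixme|debug)\b",
]

# Signatures of unhandled-exception pages that leak stack traces.
STACK_TRACE_MARKERS = [
    r"Exception Details:",                   # ASP.NET error page
    r"Stack Trace:",
    r"Source Error:",
    r"^\s+at [\w.$<>`]+\(.*\)",              # .NET / Java frame lines
    r"Traceback \(most recent call last\)",  # Python
]


def find_sensitive_comments(html):
    """Return the text of every HTML comment matching a sensitive pattern."""
    hits = []
    for m in re.finditer(r"<!--(.*?)-->", html, re.S):
        body = m.group(1).strip()
        if any(re.search(p, body, re.I) for p in SENSITIVE_COMMENT_PATTERNS):
            hits.append(body)
    return hits


def find_stack_traces(body):
    """Return the stack-trace markers present in a response body."""
    return [p for p in STACK_TRACE_MARKERS if re.search(p, body, re.M)]


def readable_viewstate(html):
    """Decode the __VIEWSTATE hidden field. If the result is mostly printable
    text the field is only Base64-encoded, not encrypted, so anything stored
    in it is readable by whoever holds the page. Returns None otherwise."""
    m = re.search(r'id="__VIEWSTATE"[^>]*\bvalue="([^"]*)"', html)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
    return raw.decode("utf-8", errors="replace") if printable > 0.9 else None


def scan_response(body):
    """Run all three checks over one response body."""
    return {
        "comments": find_sensitive_comments(body),
        "stack_traces": find_stack_traces(body),
        "viewstate": readable_viewstate(body),
    }


# Constructed sample pages for the example (not real sites).
LOGIN_PAGE = (
    "<html><!-- main navigation --><body>\n"
    "<!-- TODO remove before release: test account admin / Passw0rd!, db at 10.0.3.17 -->\n"
    '<form method="post"><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" '
    'value="' + base64.b64encode(b"UserName=jdoe;Role=guest;ReturnUrl=/admin").decode() + '" />\n'
    '<input name="user" /><input name="pass" type="password" /></form></body></html>\n'
)

ERROR_PAGE = (
    "Server Error in '/' Application.\n"
    "Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark "
    "after the character string ''.\n"
    "Stack Trace:\n"
    "   at Login.Button1_Click(Object sender, EventArgs e) in c:\\inetpub\\app\\Login.aspx.cs:line 42\n"
)

# A View-State that decodes to non-text bytes (what an encrypted one looks like).
OPAQUE_PAGE = (
    '<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="'
    + base64.b64encode(bytes(range(256))).decode() + '" />'
)

if __name__ == "__main__":
    for name, page in (("login", LOGIN_PAGE), ("error", ERROR_PAGE), ("opaque", OPAQUE_PAGE)):
        print(name, scan_response(page))
```

Run it against the HTML the server actually returns (for example, the body of a saved HTTP response), not against the source tree, since server-side comments never reach the browser and only the delivered page matters.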
View-State threat: Web form data and changes would be lost on every round trip to the server because HTTP is stateless, so ASP.NET uses View-State as a client-side state management mechanism to preserve the values of a page's controls between round trips. Once the page code has finished running, ASP.NET examines all the controls on the page; if any property has been changed from its initial state, ASP.NET records that information in a name/value collection. Finally, ASP.NET takes all the information it has collected and serializes it as a Base64 string, which is typically stored in a hidden field with the ID __VIEWSTATE. Base64 is an encoding, not encryption: unless View-State encryption is enabled, anyone who can see the page can decode the field and read whatever the developer put in it, and unless View-State MAC validation is enabled they can also modify it and send it back. Sensitive values therefore do not belong in View-State, and both protections should be turned on.

7) Sabotage or vandalism:
- Attacks on the face of an organization, its web site.
- Threats can range from petty vandalism to organized sabotage.
- Web site defacement can erode consumer confidence, dropping sales and the organization's net worth.
- The threat of hacktivist or cyberactivist operations is rising.
- Cyberterrorism is a much more sinister form of hacking.

8) Software attacks:
- Malicious software (malware) designed to damage, destroy, or deny service to target systems.
- Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks.

9) Technical hardware failures:
- Occur when a manufacturer distributes equipment containing flaws to users.
- Can cause a system to perform outside its expected parameters, resulting in unreliable or poor service.
- Some errors are terminal; some are intermittent.

10) Technical software failures:
- Purchased software that contains unrevealed faults.
- Combinations of certain software and hardware can reveal new software bugs.
- Entire web sites are dedicated to documenting bugs.

11) Technological obsolescence:
- Antiquated or outdated infrastructure can lead to unreliable, untrustworthy systems.
- Proper managerial planning should prevent technology obsolescence; IT plays a large role.

12) Theft:
- Illegal taking of another's physical, electronic, or intellectual property.
- Physical theft is controlled relatively easily.
- Electronic theft is a more complex problem; evidence of the crime is not readily apparent.

Part 2) Vendors which provide phishing tools to train employees:

Anti-Phishing Working Group
The Anti-Phishing Working Group offers a variety of resources, including a phishing education landing page that companies can use in conjunction with their anti-phishing campaigns. Some of the vendors below, including PhishMe and KnowBe4, also offer free resources. Another free tool is MSI Simple Phish from MicroSolved, which allows security teams to run their own phishing tests inside their organization.

BetterCloud, which offers security and monitoring services for cloud-based office applications, started worrying about phishing when another company in its office building lost $2 million to a phishing scam, and their cybersecurity insurance would not cover the cost. "Their business took a really big hit," said Austin Whipple, the company's senior security engineer. "It was hard to recover from that." In response, BetterCloud ran company-wide training, then created its own phishing email campaign that appeared to be a note from the HR system but actually came from an external email address. This was followed up with more education. "Compared to other organizations, or to the Verizon report, we did fairly well," he said. "But there are still some areas we can improve on." Once some time has passed, there will be another phishing test, he added. Employees forward suspicious emails to him personally, he added, and it is clear that the company has already been specifically targeted, because some of the real phishing emails include inside information that would have required some research. According to Whipple, setting up an anti-phishing training program is not too difficult. "Any one tech person can do this whole thing," he said. "It doesn't take a massive amount of set up. Educate your people, do the test, then educate the people again, and do a follow-up test."

PhishMe

PhishMe's phishing simulation, training and reporting platform is used by more than 800 customers worldwide, including nearly half of the Fortune 100, to proactively engage thousands of employees in simulations that condition them to detect and report phishing threats. PhishMe also offers a phishing incident response platform, which automates and prioritizes reported phishing emails for faster response, and a threat intelligence service that helps threat analysts vet the phishing activity they see against verified external threats. By combining awareness training, easy reporting, and appropriate security responses, employees can go from being a company's biggest security weakness to its first line of protection. "Humans are the most powerful layer of defense against spear phishing, and organizations need to leverage every security benefit humans can provide to remain protected against this top attack vector," said Rohyt Belani, CEO at PhishMe. PhishMe also offers a dozen free training modules, available as interactive PDF files or SCORM-compliant files that can be run through a company's learning management system.

PhishLabs

Customers include four of the top five U.S. financial institutions, seven of the top 25 global financial institutions, leading social media and career sites, and top healthcare, retail, insurance and technology companies. "Make the simulations as realistic as possible," recommends John LaCour, founder and CEO at PhishLabs. "If you want your employees to spot and report real-world attacks, the simulations need to mirror the real-world attacks they are most likely to see." In addition, once employees do report the attacks, a company needs to have processes in place so that it can respond to targeted attacks early on, when they are the least costly to mitigate.

Part 3) Quiz:

Only one question went wrong. The topic was PayPal: the email contained spelling mistakes and a link to log in, which is not correct, as PayPal does not include login links in its emails.
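As an added example (not part of the original memo), the following Python checks implement the two lessons above: the BetterCloud simulation that looked like an HR message but came from an external address, and the quiz's PayPal email that carried a login link. The code compares the From domain with Return-Path and Reply-To, looks for pressure language in the subject, and flags links, especially login links, whose host is not the sender's domain. The two messages are constructed for the example, and the two-label registrable-domain rule is a simplification (a real tool would use the public suffix list).

```python
"""Added example (not part of the original memo): header and link checks
for the phishing tells discussed in this memo. Sample messages are
constructed for the example."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("action required", "verify", "suspended", "confirm", "urgent")
LOGIN_WORDS = ("login", "log in", "sign in", "signin", "password", "account")


def registrable_domain(host):
    """Last two labels of a host name. Assumption for the example: a real
    tool would consult the public suffix list so that co.uk etc. work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(header_value):
    """Registrable domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def analyze(raw):
    """Return a list of findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. The envelope sender or reply address belongs to someone else.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"sender-mismatch:{hdr}={dom}!=From={from_dom}")

    # 2. Pressure language in the subject.
    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency-subject")

    # 3. Links that leave the sender's domain, especially ones that ask you to log in.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for m in re.finditer(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        url, anchor = m.group(1), re.sub(r"<[^>]+>", "", m.group(2))
        parsed = urlparse(url)
        host = parsed.hostname or ""
        login_ish = any(w in (url + " " + anchor).lower() for w in LOGIN_WORDS)
        if registrable_domain(host) != from_dom:
            findings.append(f"offsite-link:{host}")
            if login_ish:
                findings.append(f"offsite-login-link:{host}")
        if parsed.scheme == "http" and login_ish:
            findings.append(f"plaintext-login-link:{host}")
    return findings


def is_suspicious(raw):
    """True when the message fails a sender check or carries an off-site login link."""
    return any(f.startswith(("sender-mismatch", "offsite-login-link")) for f in analyze(raw))


# Constructed sample: looks like HR, but the bounce/reply addresses and the
# "log in here" link all point outside the company's domain.
PHISH = """\
From: "HR Benefits Portal" <hr@corp.example>
Return-Path: <bounce@mail-blast.example.net>
Reply-To: benefits@corp-example-hr.com
Subject: Action required: confirm your benefits enrolment today
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://corp.example.verify-benefits.example.net/login">log in here</a>
to confirm your enrolment.</p>
"""

# Constructed sample: a genuine internal notice with an intranet link.
LEGIT = """\
From: "HR Benefits Portal" <hr@corp.example>
Return-Path: <hr@corp.example>
Subject: Benefits enrolment window opens Monday
Content-Type: text/html; charset="utf-8"

<p>Details are on the <a href="https://benefits.corp.example/enrolment">intranet page</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, is_suspicious(raw), analyze(raw))
```

The same checks can be applied to messages employees forward to the security mailbox, as BetterCloud's staff do, to triage reports before anyone opens the link.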