case analysis 2.1.docx
by Urusha Pandey
Submission date: 23-Apr-2020 04:33AM (UTC-0500)
Submission ID: 1305405317
File name: case_analysis_2.1.docx (17.9K)
Word count: 717
Character count: 3709
ORIGINALITY REPORT
Similarity index: 95%
Internet sources: 0%
Publications: %
Student papers: 95%
PRIMARY SOURCES
1. Submitted to Okaloosa-Walton Community College (Student Paper): 94%
2. Submitted to Florida Institute of Technology (Student Paper): 1%
Exclude quotes: On
Exclude bibliography: On
Exclude matches: Off
GRADEMARK REPORT
Final grade: /100
GENERAL COMMENTS
Instructor
Security Strategies in Windows Platforms and Applications
Lesson 14
Microsoft Windows and the
Security Life Cycle
© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning
Company
www.jblearning.com
All rights reserved.
Cover image © Sharpshot/Dreamstime.com
Learning Objective(s)
Implement security controls to protect Microsoft Windows
systems and networks.
Describe techniques for protecting Windows application
software.
Key Concepts
System life cycle phases
Agile software development
Microsoft Windows operating system and application software
security management
Microsoft Windows operating system and application software
secure development
Microsoft Windows operating system and application software
revisions and change management
Understanding Traditional System Life Cycle Phases
Software Development Life Cycle (SDLC)
Formal model for the process of creating software.
Agile software development
Based on small project iterations, or sprints, instead of long
project schedules.
Software Development Life Cycle (SDLC)
Commonly implemented as a waterfall approach in the past
Breaks down software development process into a number of
phases with the goal of standardizing and simplifying software
development management
Specific start and end dates with deliverables
An SDLC with 10 Phases
Agile Software Development
Based on small project iterations, or sprints, instead of long
project schedules
Produces smaller deliverables more frequently
Agile Development Cycle
10/17/2019
(c) ITT Educational Services, Inc.
Managing Microsoft Windows OS and Application Software
Security
Create one project to develop a complete software application.
Create a new project for each individual program.
Create a project for a group of related software programs.
Use the agile method for each project.
Microsoft Security Development Lifecycle (SDL)
Developing Secure Microsoft Windows OS and Application
Software
Building Security in Maturity Model (BSIMM)
Framework developed by a consortium of organizations to help
you design a development process
Defines 116 unique activities, along with frequency
Software Security Framework (SSF)
Framework of the 116 activities that groups 12 practices into
four domains
The Software Security Framework (SSF)
Process of Developing
Secure Software, Simplified
Provide training in secure development
Include security from the beginning
Use secure programming techniques
Test for vulnerabilities
Common Pitfalls for Code
Lack of input validation
Information leakage through poor error handling
Sloppy authentication or encryption
Remote system access or code execution
Dynamic code execution
Implementing, Evaluating, and Testing Windows OS and
Application Software Security
Purpose of formal testing is to evaluate how well your
application meets overall performance, functionality, and
security goals
Every goal from original specification should have at least one
corresponding testing scenario
Testing scenario evaluates whether the application satisfies the
goal
Testing activities can be manual or automated
Possible Problems of Faulty Code
Inconsistent code and schema changes
Inconsistent interfaces with other programs
Faulty installation procedure
Maintaining the Security of Microsoft Windows OS and
Application Software
Keep development environment and tools up to date
Ensure OSs on software development computers have the latest
security patches
Address vulnerabilities discovered in your application software
as quickly as possible
Maintaining the Security of Microsoft Windows OS and
Application Software
Document changes and have a plan to reconcile production
changes with testing as soon as possible
Check that all maintenance procedures protect your data’s
security
Microsoft Windows OS and Application Software Revision and
Change Management
Software Development Areas of Difficulty
Phase identification
Software Control
Change control
Phase transition
Activity coordination
Baseline identification
Communication
Repeatable processes
Software Configuration Management (SCM)
Configuration identification
Configuration control
Configuration auditing
Configuration status accounting
Best Practices
Incorporate security early and often.
Adopt a software development model to help define your
organization’s development activities and flow.
Define activities for each phase in your model.
Ensure all developers are trained to develop secure applications.
Validate your software product at the end of every phase.
Best Practices (Cont.)
Create separate software projects for each related group of
programs or program changes.
Do not begin a software development project by writing code—
plan and design first.
Keep the three SDL core concepts in focus—education,
continuous improvement, and accountability.
Develop tests to ensure each component of your application
meets security requirements.
Best Practices (Cont.)
Study the most common application vulnerabilities and develop
programming standards to ensure you don’t include the
vulnerabilities in your application.
Identify and store programs, files, and schema definitions in a
centralized, secure repository.
Control and audit changes to programs, files, and schema
definitions.
Organize versioned programs, files, and schema definitions into
versioned components.
Best Practices (Cont.)
Organize versioned components and subsystems into versioned
subsystems.
Create baselines at project milestones.
Record and track requests for change.
Organize and integrate consistent sets of versions using
activities.
Maintain stable and consistent workspaces.
Ensure reproducibility of software builds.
Summary
System life cycle phases
Agile software development
Microsoft Windows operating system and application software
security management
Microsoft Windows operating system and application software
secure development
Microsoft Windows operating system and application software
revisions and change management
Security Strategies in Windows Platforms and Applications
Lesson 15
Best Practices for Microsoft Windows and Application Security
Learning Objective(s)
Describe Microsoft Windows and application security best
practices.
Key Concepts
Microsoft Windows security best practices
Microsoft Windows security management trends
Administrative Best Practices
Develop and maintain policies to implement each of the best
practices in this section.
Educate users.
Establish incident response capabilities.
Ensure that you know which business functions are critical to
your organization. Then, take whatever steps necessary to
protect these functions in case of interruptions or disasters.
Develop a plan to continue all critical business functions in case
of an interruption. This business continuity plan (BCP) should
cover all aspects of your organization.
Define recovery time objectives (RTO) for each critical
resource. Identify resources required for the recovery process.
You’ll need to identify which parts of your recovery plan are
sequential and which ones you can work on simultaneously.
Develop a backup plan for each resource that minimizes the
impact on performance while keeping secondary copies of data
as up to date as possible. Explore various options, including
alternate sites and virtualization.
Document all backup and recovery procedures. Train all
primary and backup personnel on all procedures.
Test all recovery procedures rigorously. Conduct at least one
full interruption recovery test each year.
Develop and maintain policies.
Educate users.
Establish incident response.
Identify/protect critical business functions.
Develop a BCP.
Define recovery time objectives (RTOs).
Develop a backup plan.
Document backup and recovery procedures.
Test all recovery procedures.
Administrative Best Practices (Cont.)
Review your complete recovery plan quarterly (or more
frequently), and adjust for any infrastructure changes.
Update old password policies. Consult current National Institute
of Standards and Technology (NIST) guidelines
(https://pages.nist.gov/800-63-3/) for recommendations.
Do not write down passwords. Use passwords you can
remember. When you write down passwords, they are easier for
an attacker to find and use.
Never encrypt individual files—always encrypt folders. This
keeps any sensitive data from ever being written to the disk in
plaintext.
Designate two or more recovery agent accounts per
organizational unit. Designate two or more computers for
recovery, one for each designated recovery agent account.
Avoid using print spool files in your print server architecture,
or make sure that print spool files are generated in an encrypted
folder. This keeps sensitive information from being stored in
plaintext on a print server.
Require strong passwords for all virtual private network (VPN)
connections.
Trust only certificates from certificate authorities (CAs) or
trusted sites. Train users to reject certificates from unknown or
untrusted sites.
Require two-factor authentication (2FA) for access requests to
sensitive information.
Review recovery plan regularly.
Update old password policies.
Do not write down passwords.
Encrypt folders, not files.
Designate recovery agent accounts.
Avoid using print spool files.
Require strong passwords.
Trust only certificates from certificate authorities (CAs) or trusted sites.
Require two-factor authentication (2FA).
Technical Best Practices
Install anti-malware software on all computers.
Enable all real-time scanning (shield) options.
Update signature databases and software daily.
Perform a complete scan of all hard drives and Solid State
Drives (SSDs) at least weekly.
Perform a quick scan after installing or updating any software.
Enable boot-time virus checking, including boot sector and
memory scan at startup options.
Install anti-malware software.
Enable real-time scanning (shield) options.
Update signature databases and software daily.
Perform a complete scan at least weekly.
Perform a quick scan after installing or updating any software.
Enable boot-time virus checking.
Technical Best Practices (Cont.)
Remove administrator rights from all normal users.
Apply software and OS security patches.
Block outbound network connections that are not required for
your applications.
Automate as many backup operations as possible. Create logs
and reports that make problems with backup operations easy to
recognize.
Verify all backup operations. A secondary copy of data with
errors may be no better than damaged primary copy data.
Export all encryption recovery keys to removable media and
store the media in a safe place. Physically store your Encrypting
File System (EFS) or BitLocker recovery information in a
separate, safe location.
Remove administrator rights from all normal users.
Apply software and OS security patches.
Block outbound network connections.
Automate backup operations.
Verify all backup operations.
Export encryption recovery keys to removable media.
Technical Best Practices (Cont.)
Encrypt the My Documents folder for all users. Since most
people use My Documents for most document files, encrypting
this folder will protect the most commonly used file folder.
Use multifactor authentication when using BitLocker on OS
volumes to increase volume security.
Store recovery information for BitLocker in Active Directory
Domain Services (AD DS) to provide a secure storage location.
Disable standby mode for portable computers that use
BitLocker. BitLocker protection is in effect only when
computers are turned off or in hibernation.
When BitLocker keys have been compromised, either format the
volume or decrypt and encrypt the entire volume to remove the
BitLocker metadata.
Encrypt the My Documents folder.
Use multifactor authentication.
Store recovery information for BitLocker in AD DS.
Disable standby mode for portable computers that use
BitLocker.
When BitLocker keys have been compromised, remove
BitLocker metadata.
Technical Best Practices (Cont.)
Use the strongest level of encryption that your situation allows
for VPNs.
Use Secure Socket Tunneling Protocol (SSTP) IKEv2 for VPNs
when possible. IKEv2 is the newest VPN protocol from
Microsoft.
Disable Service Set Identifier (SSID) broadcasting for wireless
networks.
Never use Wired Equivalent Privacy (WEP) for wireless
networks—use only Wi-Fi Protected Access
(WPA/WPA2/WPA3).
Use strong encryption for VPNs.
Use SSTP IKEv2 for VPNs when possible.
Disable SSID broadcasting for wireless networks.
Never use WEP for wireless networks.
Audit and Remediation Cycles
Plan—Establish your objectives and processes to meet a stated
goal. In the context of routine
auditing, the goal should be to assess specific security controls.
Do—Implement the process you planned in the previous step.
Check—Measure the effectiveness of the new process and
compare the results against
the expected results from your plan. You’ll compare the
expected results of your auditing
information with a baseline.
Act—Analyze the differences between expected results and
measured results. Determine
the cause of any differences. Then, proceed to the Plan process
to develop a plan to
improve the performance.
Do
Check
Act
Plan
Audit and Remediation Cycles
Maintain current backups of all audit information.
Do not enable Read or List auditing on any object unless you
really need the information.
Do not enable Execute auditing on binary files.
Limit enabling all auditing actions to files, folders, programs,
and certain other resources.
Maintain current backups of all audit information so you can
recover historical audit
information in the case of a disaster.
Do not enable Read or List auditing on any object unless you
really need the information.
Read/List access auditing can create a tremendous amount of
information.
Do not enable Execute auditing on binary files except for
administrative utilities that
attackers commonly use. Do turn auditing on for these utilities
to help monitor their use.
Limit enabling all auditing actions to files, folders, programs,
and other resources that are
important to your business functions. Don’t be afraid to enable
auditing for any object—
just ensure you need the information you’ll be saving.
Audit and Remediation Cycles (Cont.)
Enable auditing for all change actions for your Windows install
folder and any folders you use in normal business operation.
Audit all printer actions.
Ignore Read and Write actions for temporary folders but audit
Change Permissions, Write Attributes, and Write Extended
Attributes actions.
Enable auditing for all change actions for your Windows install
folder and any folders you
use in normal business operation. It is also a good idea to audit
changes to the Program
Files folder.
Audit all printer actions. You may need to know who printed a
document that found its
way into the wrong hands.
Ignore Read and Write actions for temporary folders but audit
Change Permissions,
Write Attributes, and Write Extended Attributes actions. These
actions can help identify
attacker activities.
Audit and Remediation Cycles (Cont.)
Develop Windows policies and Group Policy Objects (GPOs)
that are as simple as possible and still satisfy your security
policy.
Develop clear guidelines to evaluate each element of your
security policy.
Know what you will be looking for before you search through
lots of audit data.
Develop Windows policies and Group Policy Objects (GPOs)
that are as simple as possible
and still satisfy your security policy. Complex policies are
difficult to verify.
Develop clear guidelines to evaluate each element of your
security policy. An audit should
be a structured process to verify your security policy, not an
unorganized hunt for problems.
Know what you will be looking for before you search through
lots of audit data.
Security Policy Conformance Checks
Define organizational units (OUs) that reflect your
organization’s functional structure.
Create OU GPOs for controls required in your security policy.
Use meaningful names for GPOs to make maintenance and
administration easier.
Deploy GPOs in a test environment before deploying to your
live environment.
Use security filtering and Windows Management
Instrumentation (WMI) filters to restrict settings when
necessary.
Back up your GPOs regularly.
Do not modify the default policies—instead, create new GPOs.
Use the Group Policy Settings Reference spreadsheets for more
information on available GPO settings. You can find these
spreadsheets by visiting the website
http://www.microsoft.com/downloads, and searching for Group
Policy Settings Reference. Microsoft provides several versions
to cover different Windows releases.
Acquire the Windows Server Security Compliance Management
resource from Microsoft to help design, deploy, and monitor
your server baselines.
Acquire the Windows 10 Security Compliance Management
resource from Microsoft to help design, deploy, and monitor
your workstation baselines.
Use the Local Policy Tool (LPT) to automatically deploy
recommendations from the Security Compliance Management
toolkits.
Group Policy
Develop comprehensive Group Policy; use it to apply settings
and ensure settings are correct
Important component of secure Windows environments
Helps centralize settings that ensure conformance with security
policy
Security Baseline Analysis
Valuable for showing known values
Valuable for showing compliance
Security Baseline Guidelines
Create initial baselines.
Use tools such as Security Configuration and Analysis (SCA)
and Microsoft Baseline Security Analyzer (MBSA).
Schedule scans using batch files.
Create initial baselines that represent a secure starting point for
each computer. Develop
security templates in Security Configuration and Analysis
(SCA) that contain the security
settings for each type of workstation and server. Change the
templates as needed and use
them when building new computers. You can apply up-to-date
templates to new Windows
installations to quickly configure a new computer to your
security standards.
Run SCA/Microsoft Baseline Security Analyzer (MBSA) using
command-line interface
options to compare computer settings and configurations with
your standards. Schedule
scans to run periodically (weekly or monthly), and review the
resulting output files for
any identified problems.
Develop batch files to run scans and collect ongoing operational
information. Collect information
using a set daily, weekly, or monthly schedule and archive
collected data files.
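The comparison step described above, sketched as an added example (not from the course material or from any Microsoft tool): it diffs a computer's exported security settings against a baseline template and reports the drift a reviewer would look for in scan output. It assumes both inputs are INF-style security templates with `[Section]` headers and `Name = Value` lines; the sample files, their values and all function names are constructed for illustration.

```python
"""Compare exported security settings against a baseline template (added example)."""
import configparser

# Constructed baseline template: the organization's standard for one computer type.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export from the computer being checked.
CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 0
AuditObjectAccess = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Sections that describe the file itself rather than a security setting.
METADATA_SECTIONS = {"unicode", "version"}


def parse_template(text):
    """Return {(section, setting): value} for every security setting in the text.

    Assumption: the caller has already decoded the file to text; exported
    templates are often UTF-16, so open real files with the right encoding.
    """
    parser = configparser.RawConfigParser(
        strict=False, interpolation=None, delimiters=("=",)
    )
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    settings = {}
    for section in parser.sections():
        if section.lower() in METADATA_SECTIONS:
            continue
        for name, value in parser.items(section):
            settings[(section, name)] = value.strip().strip('"')
    return settings


def compare_to_baseline(baseline, current):
    """Return drift findings as (kind, section, setting, expected, actual) tuples."""
    findings = []
    for key, expected in sorted(baseline.items()):
        actual = current.get(key)
        if actual is None:
            # The baseline requires this setting but the computer does not define it.
            findings.append(("missing", *key, expected, None))
        elif actual != expected:
            findings.append(("changed", *key, expected, actual))
    # Settings present on the computer that the baseline never mentions.
    for key in sorted(set(current) - set(baseline)):
        findings.append(("unexpected", *key, None, current[key]))
    return findings


def format_report(findings):
    """Render findings as one line each, suitable for an archived scan log."""
    lines = [
        f"{kind.upper():<10} [{section}] {name}: baseline={expected} current={actual}"
        for kind, section, name, expected, actual in findings
    ]
    return "\n".join(lines) or "No drift from baseline."


if __name__ == "__main__":
    drift = compare_to_baseline(
        parse_template(BASELINE_INF), parse_template(CURRENT_INF)
    )
    print(format_report(drift))
```

Run on a schedule, the report text can be archived alongside the other collected data files so that each review starts from the list of differences rather than the raw settings.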
OS and Application Checks and Upkeep
Deploy security controls
Harden operating systems
Harden applications
Network Management Tools and Policies
Identify and protect sensitive data.
Establish unique domain user accounts.
Enforce strong passwords.
Limit rights and permission for services.
Don’t allow services to run as a domain admin user.
Use Kerberos.
Install firewalls to create a DMZ.
Use encryption.
Establish firewall rules.
Network Management Tools and Policies (Cont.)
Install anti-malware software.
Update software and signature databases daily.
Use WPA, WPA2, or WPA3.
Disable SSID broadcasts.
Disable Wi-Fi Protected Setup (WPS).
Do not enable wireless or mobile broadband cards while
connected to your organization’s internal network.
Don’t allow visitors to roam facilities using wireless LAN.
Avoid connecting to Wi-Fi public networks.
Install a separate wireless access point for guests.
Disable or uninstall any services you don’t need.
Software Testing, Staging, and Deployment
Do not begin a software development project by writing code—
plan and design first.
Keep the three Security Development Lifecycle (SDL) core
concepts in focus—education, continuous improvement, and
accountability.
Develop tests to ensure each component of your application
meets security requirements.
Study the most common application vulnerabilities and develop
programming standards to ensure you don’t include the
vulnerabilities in your application.
Identify and store programs, files, and schema definitions in a
centralized, secure repository.
Control and audit changes to programs, files, and schema
definitions.
Organize versioned programs, files, and schema definitions into
versioned components.
Organize versioned components and subsystems into versioned
collections.
Create baselines at project milestones.
Record and track requests for change.
Organize and integrate consistent sets of versions using
activities.
Maintain stable and consistent workspaces.
Ensure reproducibility of software builds.
Adopt
Define
Ensure
Validate
Create
Adopt a software development model to help define your
organization’s development activities and flow.
Define activities for each phase in your model.
Ensure all developers are trained on developing secure
applications.
Validate your software product at the end of every phase.
Create separate software projects for each related group of
programs or program changes.
Compliance/Currency Tests on Network Entry
Accounts
Global groups
Universal groups
Local groups
Permissions
To maintain secure access for remote clients, check this list of
best practices:
Map your proposed remote access architecture, including
redundant and backup connections. Use one of the several
available network mapping software products to make the
process easier. Update the network map any time you make
physical changes to your network.
Install at least one firewall between your VPN endpoint and
your internal network.
Select a VPN provider that your clients can easily access. If you
select a vendor-specific VPN solution, develop a method to
distribute and maintain the VPN client software to your users.
Use global user accounts whenever possible: Use strong
authentication for all user accounts.
Create a limited number of administrative accounts with
permissions for remote administration.
Develop a backup and recovery plan for each component in the
Remote Access Domain. Do not ignore backing up and
recovering configuration settings for network devices.
Implement frequent update procedures for all OSs, applications,
and network device software and firmware in the Remote
Access Domain.
Monitor VPN traffic for performance and suspicious content.
Carefully control any configuration setting changes or physical
changes to domain nodes. Update your network map after any
changes.
Require encryption for all communication in the Remote Access
Domain.
Enforce anti-malware minimum standards for all remote
computers as well as server computers in the Remote Access
Domain. Ensure all anti-malware software and signature
databases remain up to date.
Trends in Microsoft Windows OS and Application Security
Management
Scams by questionable security consulting or software firms
that use fear tactics to get users to purchase their product to
remove security problems
Social engineering
Mobile devices used as bots
Scams by questionable security consulting or software firms
Trends in Microsoft Windows OS and Application Security
Management (Cont.)
Data-focused attacks
Cloud computing
Expansion of malware
Summary
Microsoft Windows security best practices
Microsoft Windows security management trends
APA format
No resources before 2015
DO all parts of below assignment
Communication is a key part of a successful incident response
plan. Assume you are the CSIRT team lead of a large
corporation that just experienced a significant security breach.
Answer the following question(s):
Should you inform the chief executive officer (CEO)
immediately when the breach is discovered? Why or why not?
Should customers be informed immediately? Why or why not?
To complete this assignment, you must do the following:
A) Create a new thread.
B) Select AT LEAST 3 other students' threads and post
substantive comments on those threads, evaluating the pros and
cons of that student’s recommendations.
Your comments should extend the conversation started with the
thread.
ALL original posts and comments must be substantive. (I'm
looking for about a paragraph - not just "I agree.")
NOTE: These discussions should be informal discussions, NOT
research papers. If you MUST directly quote a resource, then
cite it properly. However,
I would much rather simply read your words.
Smash That Like Button: Facebook’s Chris Cox Is Messing with
One of the Most Valuable Features on the Internet
Inside Facebook’s Decision to Blow Up the Like Button
The most drastic change to Facebook in years was born a year
ago during an off-site at the Four Seasons Silicon Valley, a 10-
minute drive from headquarters. Chris Cox, the social network’s
chief product officer, led the discussion, asking each of the six
executives around the conference room to list the top three
projects they were most eager to tackle in 2015. When it was
Cox’s turn, he dropped a bomb: They needed to do something
about the “like” button.
The like button is the engine of Facebook and its most
recognized symbol. A giant version of it adorns the entrance to
the company’s campus in Menlo Park, Calif. Facebook’s 1.6
billion users click on it more than 6 billion times a day—more
frequently than people conduct searches on Google—which
affects billions of advertising dollars each quarter. Brands,
publishers, and individuals constantly, and strategically, share
the things they think will get the most likes. It’s the driver of
social activity. A married couple posts perfectly posed selfies,
proving they’re in love; a news organization offers up what’s
fun and entertaining, hoping the likes will spread its content.
All those likes tell Facebook what’s popular and should be
shown most often on the News Feed. But the button is also a
blunt, clumsy tool. Someone announces her divorce on the site,
and friends grit their teeth and “like” it. There’s a devastating
earthquake in Nepal, and invariably a few overeager clickers
give it the ol’ thumbs-up.
Changing the button is like Coca-Cola messing with its secret
recipe. Cox had tried to battle the like button a few times
before, but no idea was good enough to qualify for public
testing. “This was a feature that was right in the heart of the
way you use Facebook, so it needed to be executed really well
in order to not detract and clutter up the experience,” he says.
“All of the other attempts had failed.” The obvious alternative,
a “dislike” button, had been rejected on the grounds that it
would sow too much negativity.
Cox told the Four Seasons gathering that the time was finally
right for a change, now that Facebook had successfully
transitioned a majority of its business to smartphones. His top
deputy, Adam Mosseri, took a deep breath. “Yes, I’m with you,”
he said solemnly.
Later that week, Cox brought up the project with his boss and
longtime friend. Mark Zuckerberg’s response showed just how
much leeway Cox has to take risks with Facebook’s most
important service. “He said something like, ‘Yes, do it.’ He was
fully supportive,” Cox says. “Good luck,” he remembers
Zuckerberg telling him. “That’s a hard one.”
The solution would eventually be named Reactions. It will
arrive soon. And it will expand the range of Facebook-
compatible human emotions from one to six.
Cox isn’t a founder, doesn’t serve on the boards of other
companies, and hasn’t written any best-selling books. He’s not a
billionaire, just a centi-millionaire. He joined Facebook in
2005, too late to be depicted in The Social Network, David
Fincher’s movie about the company’s early days. While
Zuckerberg manages an expanding portfolio of side businesses
and projects—Instagram, WhatsApp, the Oculus Rift virtual-
reality headset, a planned fleet of 737-size, carbon-fiber,
Internet-beaming drones—Cox runs “the big blue app.” That’s
Facebook’s term for the social network that we all compulsively
check a few dozen times a day. He’s also the keeper of the
company’s cultural flame, the guy who gives a rousing welcome
speech to new recruits every Monday morning at 9 a.m. It’s a
safe bet that all 12,000 Facebook employees know his name.
He’s probably the closest thing Internet users have to an editor-
in-chief of their digital life. Cox’s team manages the News
Feed, that endless scroll of Facebook updates. Invisible
formulas govern what stories users see as they scroll, weighing
baby pictures against political outrage. “Chris is the voice for
the user,” says Bret Taylor, Facebook’s former chief technology
officer. “He’s the guy in the room with Zuckerberg explaining
how people might react to a change.”
Cox’s ascension has been gradual and, for the past few years,
clearly visible to Facebook watchers. Many first met him during
the 2012 initial public offering roadshow, when the company
distributed a video of executives talking about its mission.
Along with Chairman and Chief Executive Officer Zuckerberg
and Chief Operating Officer Sheryl Sandberg, the film included
Cox, who gazed earnestly into the camera at close range while
employing some seriously overheated rhetoric: “We are now
changing within a generation the fabric of how humanity
communicates with itself.”
He’s frequently seen at Zuckerberg’s side. Here are Zuckerberg
and Cox running a three-legged race for a company game day,
with Cox wearing a banana suit; embracing after Facebook
started trading on the Nasdaq (Zuckerberg hugged Sandberg
first and Cox second); riding a float together during San
Francisco’s gay pride parade.
Zuckerberg says Cox is one of his closest friends and “one of
the people who makes Facebook a really special place.” He
mentions Cox’s IQ and EQ—emotional intelligence—and how
“it’s really rare to find people who are very good at both.” He’s
also cool in a way that Zuckerberg, in particular, isn’t. Cox,
who moonlights as a keyboard player in a reggae band, dresses
fashionably, usually leaving a button open on the top of his
neatly tailored work shirts. He’s also irksomely handsome and
displays the casual cheer of someone who knows it.
Look a little deeper, though, and Cox’s record isn’t quite as
tidy. He’s been in charge of some of Facebook’s biggest duds: a
nicely designed news-reading app for smartphones called Paper,
which no one used, and a major revamp of the News Feed that
was scrapped because it didn’t work well on small screens. If
you look at the things poised to deliver big growth opportunities
at Facebook—Instagram and WhatsApp being the biggest—
they’re mostly acquisitions, not reinventions of the big blue
app.
In Silicon Valley fashion, Cox prefers to recast past mistakes as
healthy experiments and valuable learning experiences. “I think
any good company is trying things, is forcing itself to try
things, and you need to be able to put things out there and try
and learn,” he says. “People only get in trouble if they’re not
honest about failure.”
Cox first heard of job opportunities at Facebook while pursuing
a master’s degree in computer-human interaction at Stanford. A
roommate already worked there and badgered Cox to interview,
primarily because there was a $5,000 recruiting bonus. Cox was
skeptical. Wasn’t Facebook just a glorified dating site?
The headquarters back then were on University Avenue, Palo
Alto’s main drag. When he got there, co-founder Dustin
Moskovitz described Facebook as a crowdsourced directory of
everyone. He drew circles on a whiteboard, then lines
connecting them to represent “friending” on the site. By looking
at each other’s profiles, friends could bypass the first awkward
five minutes of every conversation—those rote questions like
“where are you from?”—and move on to deeper connections.
Cox was riveted.
He dropped out of Stanford (naturally) and joined the company
when it had about 30 employees. His first job was developing
the News Feed, the feature that made Facebook a global
addiction. At the time, though, he and Zuckerberg badly
misjudged user reaction: People hated it. They felt as if their
private interactions were suddenly being exposed. “It wasn’t our
best product rollout,” Cox concedes. He learned that people
tend to be suspicious of well-capitalized Silicon Valley startups
preaching lofty values such as “openness” and “sharing.”
In late 2007, after Facebook hired its 100th employee,
Zuckerberg decided he needed to put someone he trusted in
charge of personnel. This became Cox’s strangest career move:
Zuckerberg asked him to become the company’s first human
resources chief. Zuckerberg now says he thought it was “an
opportunity to take a different approach than other companies
and to bring a technical spirit to defining all these different
aspects” of the company’s culture.
Cox scheduled one-on-one meetings with every employee and
became a sort of in-house therapist. “He had to endure the
slings and arrows of people’s complaints from all over the
company,” Yishan Wong, an early employee, wrote on the
community website Quora. “And he did so without becoming a
cynical, uncaring shell of a man.”
Cox says the HR job gave him a way of looking at things
through other people’s eyes. It also led him to ponder
Facebook’s mission in the world, which is when he started
reading the works of communications theorist Marshall
McLuhan. Each wave of media technology, McLuhan wrote, is
initially greeted with anger and mistrust.
That was comforting to Cox, because it explained some of the
hostility that Facebook was encountering. “We were in this
period back then where people really didn’t understand
Facebook and didn’t believe it could become anything,” he says.
“McLuhan helped tell that story in a broader context.”
Cox returned to engineering in 2008, but he’s still the
company’s cultural ambassador. He weaves McLuhan’s lesson
into his Monday morning speeches to the new recruits. The talks
usually start with a question: “What is Facebook?” He lets the
room hang in silence until someone is brave enough to say, “It’s
a social network.” Wrong. Facebook is a medium, Cox says,
referring to McLuhan’s famous dictum, “The medium is the
message.” In other words, how Facebook presents content and
the way in which it allows users to read, watch, comment on,
and like that content influences how all 1.6 billion members see
the world around them.
Cox spends most of his days in the new Frank Gehry-designed
Building 20 on the Menlo Park campus. The structure is a huge,
430,000-square-foot rectangle. A grassy park is on the roof,
with a hot dog stand on one side and a smoothie shop on the
other. Inside the cavernous space, full of rustic art and
chalkboard walls, Facebook employees tie silver balloons to
their movable standing desks to mark their “Faceversary,”
celebrating how long they’ve worked there. Cox had his 10th
Faceversary last fall.
On a Wednesday in November, he enters a conference room for
the second of five meetings and confesses that he’s breaking the
rules: Executives are discouraged from scheduling meetings on
Wednesdays, which is supposed to be a day engineers and
designers can work without interruption. Nevertheless, Cox and
his team need to talk about tailoring the Facebook smartphone
app for India. On a screen at the front of the room, there’s a bar
chart of Indian users on Android phones, broken down by the
estimated speed of the cellular network they use most often—
2G, 3G, and so forth.
“Can you just hang on that stat for a sec?” Cox asks, peering at
the chart with his elbows on his knees. “4G is a whopping 0.2
percent.”
“It’s just one guy hanging out there,” says a product manager,
Chris Struhar.
The team can’t afford to wait for India to speed up its mobile
networks—frustrated users will simply stop using Facebook. (Or
worse. The company recently faced street protests in the
country for its plan to offer Free Basics, a stripped-down, free
Internet service that includes Facebook and not much else.)
Struhar proposes to use less data in the app, in part by recycling
older stories that don’t have to be freshly downloaded. Cox
agrees. “My intuition, which we could prove wrong, is people
just want more stuff,” he says. He imagines himself as the user,
looking for any hit of digital nicotine that will stave off
boredom at, say, a bus stop. “That’s definitely what I want. I
just want more stories.” Cox then reviews a couple of other
ideas, like a spinning icon on photos that will let users know the
app is loading, potentially decreasing what the company calls
“rage quits.”
Near the end of the meeting, he wonders aloud how to get other
Facebook employees to start thinking about the particular
challenge of building features that will work on yesterday’s
mobile networks, still in use around the world. Someone
proposes switching everyone at the company to a 2G connection
once a week. Cox loves the idea. “This is our tool for empathy,”
he says. “Happy Wednesday, you’re in Delhi!” Two weeks later,
the company implements 2G Tuesdays.
“Empathy” is a word Cox throws around a lot, and which his
colleagues often use about him. Facebook blundered in the past
when it didn’t take the time to talk to and understand its users.
In the old days, product teams tested features in New Zealand,
which has the advantage of having an isolated, English-speaking
population but is hardly an accurate representation of the world.
Under Cox, Facebook’s product team is tackling more sensitive
subjects, such as designing a way for accounts to become
memorials after someone’s death, or helping users navigate the
aftermath of a breakup by selectively blocking pictures of the
ex. His goal, which he admits Facebook hasn’t reached, is to
make the News Feed so personalized that the top 10 stories a
user sees are the same they’d pick if they saw every possibility
and ranked it themselves. A side effect of making things easier
for users: happy advertisers. Under Cox, Facebook found a way
to make advertising work on its smartphone app, and came up
with video ads that play automatically.
Since Cox was elevated to chief product officer in 2014, his
team has consulted with an outside panel of about 1,000
Facebook users who rate every story in their feed and offer
feedback. There are also a handful of product test stations
scattered around Facebook’s offices that look a little like
interrogation rooms—tiny spaces with brightly lit desks. A
camera is attached to a test subject’s smartphone to film their
actions while Facebook employees watch through a one-way
mirror. Sessions can go on for hours. Sometimes they’re live-
streamed to a larger audience of employees.
Cox applied this testing regimen to the revamping of the like
button. He wasn’t part of the team that originally developed the
button from 2007 to 2009, but colleagues have war stories about
how hard they had to work to get Zuckerberg on board.
According to longtime executive Andrew Bosworth, there were
so many questions about the button—should likes be public or
private? would they decrease the number of comments on
stories?—many thought the feature was doomed. Even its
champions had no idea of the impact it would have on the
company’s fortunes. It was simply meant to make interactions
easier—just click like on someone’s post about their new job,
instead of being the 15th person to say congratulations.
Eventually the button became a crucial part of how Facebook’s
technology decides what to show users.
If you like beauty tips a friend shares from some Kardashian or
other, the software calculates that you should also see ads and
articles from People magazine and Sephora. “The value it has
generated for Facebook is priceless,” says Brian Blau, an
analyst at Gartner.
It’s a way of creating a connection, even if it’s superficial. If
users click like on a post about the Red Cross’s disaster relief
efforts, they feel as if they’ve done something to help. (In
January, Sandberg went so far as to suggest that likes could
help defeat Islamic State: By promoting the posts of survivors,
users could somehow drown out the hate.) Liking someone’s
photo is an awkwardness-free way to make contact with
someone you haven’t seen in years. Alternatives to like will let
Facebook users be a little more thoughtful, or at least seem to
be, without having to try very hard.
Facebook researchers started the project by compiling the most
frequent responses people had to posts: “haha,” “LOL,” and
“omg so funny” all went in the laughter category, for instance.
Emojis with eyes that transformed into hearts, GIF animations
with hearts beating out of chests, and “luv u” went in the love
category. Then they boiled those categories into six common
responses, which Facebook calls Reactions: angry, sad, wow,
haha, yay, and love.
The team consulted with outside sociologists about the range of
human emotion, just to be safe. Cox knows from experience that
he doesn’t have all the answers: When the company redesigned
the News Feed in 2013, it looked great on the iMacs in
Facebook’s headquarters but made the product harder to use
everywhere else. “There are a million potholes to trip over,”
Cox said.
Facebook Reactions won’t get rid of like—it will be an
extension. Within the company, there was some debate on how
to add the options without making every post look crowded with
things to click. The simpler Facebook is to use, the more people
will use it. Zuckerberg had a solution: Just display the usual
thumbs-up button under each post, but if someone on her
smartphone presses down on it a little longer, the other options
will reveal themselves. Cox’s team went with that and added
animation to clarify their meaning, making the yellow emojis
bounce and change expression. The angry one turns red, looking
downward in rage, for example. Once people click their
responses, the posts in News Feed show a tally of how many
wows, hahas, and loves each generated.
This update may seem trivial. All it’s doing is increasing the
number of clickable responses. People already comment on
posts with emojis or, in some cases, actual words. But the
feature will probably make Facebook even more addictive. And
it will certainly give Cox’s team a lot more information to
throw into the News Feed algorithm, thereby making the content
more relevant to users—and, of course, to advertisers.
In October the team got close enough to a final design that
Zuckerberg felt comfortable mentioning the project in a public
interview, giving no details except that there wouldn’t be a
dislike button. Cox worried it was too soon to talk about the
emotions Facebook picked. (Yay was ultimately rejected
because “it was not universally understood,” says a Facebook
spokesperson.) Cox says he spent the next morning parsing
through responses to the announcement, reading what users
thought the social network needed and preparing to start over if
necessary.
A few weeks later, the team began testing Reactions in Spain
and Ireland, then Chile, the Philippines, Portugal, and
Colombia. In early January, Cox flew to Tokyo to sell Reactions
to Japan. “You can love something, you can be sad about
something, you can laugh out loud at something,” he said to a
crowd of reporters at Facebook’s offices in the Roppongi
district. “We know on phones people don’t like to use
keyboards, and we also know that the like button does not
always let you say what you want.”
He explained Facebook’s goal: a universal vocabulary that lets
people express emotion as they scroll through their feed. In a
sense, Reactions is an adaptation of digital culture in Asia,
where messaging apps such as Line and WeChat have already
established a complex language of emojis and even more
elaborate “stickers.”
Cox says Reactions’ biggest test so far was during the
November terrorist attacks in Paris. Users in the test countries
had options other than like, and they used them. “It just felt
different to use Facebook that day,” he says.
Facebook won’t give a specific date for when Reactions will be
introduced in the U.S. and around the world, just that it’ll be
“in the next few weeks.” Cox says the data he has looks good
and that users will take to Reactions, though he takes pains not
to sound in any way triumphant. “We roll things out very
carefully,” he says. “And that comes from a lot of lessons
learned.”
Source: Frier, S., “Smash That Like Button,” Bloomberg
Businessweek, February 1–7, 2016. Copyright © 2017. All
rights reserved. Used with permission of Bloomberg L.P.
Questions for Discussion
1. How would you describe Chris Cox’s personal leadership
style, and what sources of power does he possess?
2. What traits do you think he is high on, and to what extent
does he engage in consideration and initiating structure?
3. Do you think Cox is a transformational leader? Why or why
not?
4. Do you think Cox is high on emotional intelligence? Why or
why not?
Leadership Case Guidelines
The following Guidelines are intended to help in analyzing the
cases. They are not, however, a rigid format for the student to
go through mechanically. Each
question is intended to surface information that will be helpful
in analyzing and resolving the case. Each case is different, and
some parts of the Guidelines may not apply in every case. Also,
the student should be attentive to the questions for discussion at
the end of each case. These questions should be answered in any
complete case analysis. The heart of any case analysis is the set
of recommendations made. The Problem and Issue Identification
and Analysis and Evaluation steps should be focused on
generating and defending the most effective set of
recommendations.
GUIDELINES FOR ANALYZING CASES
Problem and Issue Identification
1. What are the central facts of the case and assumptions you
are making based on these facts?
2. What is the major overriding issue in this case? (What major
question or issue does this case address that merits its study in
this course and in connection with the chapter or material you
are now covering?)
3. What subissues or related issues are present in the case that
merit consideration and discussion?
Analysis and Evaluation
4. Who are the stakeholders in the case and what are their
stakes? (Create a stakeholder map if this is helpful.) What
challenges, threats, and opportunities do these stakeholders
pose?
5. What economic, legal, ethical, and discretionary
responsibilities does the company have, and what exactly is the
nature and extent of the responsibilities?
6. If the case involves a company’s actions, evaluate what the
company did or did not do in handling the issue affecting it.
Recommendations
7. What recommendations do you have for this case? If a
company’s strategies or actions are involved, should the
company have acted the way it did? What actions should the
company take now, and why? Be as specific as possible, and
include a discussion of alternatives you have considered but
decided not to pursue. Mention and discuss any important
implementation considerations.

More Related Content

Similar to case analysis 2.1.docxby Urusha PandeySubmission date 2.docx

Current Article Review1. Locate a current article about Regul.docx
Current Article Review1. Locate a current article about Regul.docxCurrent Article Review1. Locate a current article about Regul.docx
Current Article Review1. Locate a current article about Regul.docxannettsparrow
 
04. Agile development of sustainable software - Joost Visser - #ScaBru18
04. Agile development of sustainable software - Joost Visser - #ScaBru1804. Agile development of sustainable software - Joost Visser - #ScaBru18
04. Agile development of sustainable software - Joost Visser - #ScaBru18AgileConsortiumINT
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩baoyin
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
Documentation Artifact 5Long Term Care Plan-Continuing to .docx
Documentation Artifact 5Long Term Care Plan-Continuing to .docxDocumentation Artifact 5Long Term Care Plan-Continuing to .docx
Documentation Artifact 5Long Term Care Plan-Continuing to .docxpetehbailey729071
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxtangyechloe
 
Building Security in Using CI
Building Security in Using CIBuilding Security in Using CI
Building Security in Using CICoveros, Inc.
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application securityRogue Wave Software
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Comparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC ModelsComparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC ModelsIRJET Journal
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...lior mazor
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
ApExchange Security Review and Compliance
ApExchange Security Review and ComplianceApExchange Security Review and Compliance
ApExchange Security Review and ComplianceCEPTES Software Inc
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 

Similar to case analysis 2.1.docxby Urusha PandeySubmission date 2.docx (20)

Current Article Review1. Locate a current article about Regul.docx
Current Article Review1. Locate a current article about Regul.docxCurrent Article Review1. Locate a current article about Regul.docx
Current Article Review1. Locate a current article about Regul.docx
 
04. Agile development of sustainable software - Joost Visser - #ScaBru18
04. Agile development of sustainable software - Joost Visser - #ScaBru1804. Agile development of sustainable software - Joost Visser - #ScaBru18
04. Agile development of sustainable software - Joost Visser - #ScaBru18
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 





case analysis 2.1.docxby Urusha PandeySubmission date 2.docx

  • 3. Security Strategies in Windows Platforms and Applications
    Lesson 14
    Microsoft Windows and the Security Life Cycle
    Learning Objective(s)
      Implement security controls to protect Microsoft Windows systems and networks.
      Describe techniques for protecting Windows application software.
  • 4. Key Concepts
      System life cycle phases
      Agile software development
      Microsoft Windows operating system and application software security management
      Microsoft Windows operating system and application software secure development
      Microsoft Windows operating system and application software revisions and change management
    Understanding Traditional System Life Cycle Phases
  • 5. © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
      Software Development Life Cycle (SDLC): Formal model for the process of creating software.
      Agile software development: Based on small project iterations, or sprints, instead of long project schedules.
    Software Development Life Cycle (SDLC)
      Commonly implemented as a waterfall approach in the past
      Breaks down software development process into a number of phases with the goal of standardizing and simplifying software development management
      Specific start and end dates with deliverables
  • 6. An SDLC with 10 Phases
    Agile Software Development
      Based on small project iterations, or sprints, instead of long project schedules
      Produces smaller deliverables more frequently
  • 7. Agile Development Cycle
    10/17/2019 (c) ITT Educational Services, Inc.
    Managing Microsoft Windows OS and Application Software Security
      Create one project to develop a complete software application.
      Create a new project for each individual program.
      Create a project for a group of related software programs.
  • 8. Use the agile method for each project.
    Microsoft Security Development Lifecycle (SDL)
    Developing Secure Microsoft Windows OS and Application Software
      Building Security in Maturity Model (BSIMM)
        Framework developed by a consortium of organizations to help you design a development process
        Defines 116 unique activities, along with frequency
      Software Security Framework (SSF)
        Framework of the 116 activities that groups 12 practices into four domains
  • 9. The Software Security Framework (SSF)
    Process of Developing Secure Software, Simplified
      Provide training in secure development
      Include security from the beginning
      Use secure programming techniques
      Test for vulnerabilities
  • 10. Common Pitfalls for Code
      Lack of input validation
      Information leakage through poor error handling
      Sloppy authentication or encryption
      Remote system access or code execution
      Dynamic code execution
    Implementing, Evaluating, and Testing Windows OS and Application Software Security
      Purpose of formal testing is to evaluate how well your application meets overall performance, functionality, and security goals
  • 11. Every goal from original specification should have at least one corresponding testing scenario
      Testing scenario evaluates whether the application satisfies the goal
      Testing activities can be manual or automated
    Possible Problems of Faulty Code
      Inconsistent code and schema changes
      Inconsistent interfaces with other programs
      Faulty installation procedure
    Maintaining the Security of Microsoft Windows OS and Application Software
  • 12. Keep development environment and tools up to date
      Ensure OSs on software development computers have the latest security patches
      Address vulnerabilities discovered in your application software as quickly as possible
    Maintaining the Security of Microsoft Windows OS and Application Software
      Document changes and have a plan to reconcile production changes with testing as soon as possible
      Check that all maintenance procedures protect your data’s security
  • 13. Microsoft Windows OS and Application Software Revision and Change Management
    Software Development Areas of Difficulty
      Phase identification
      Software Control
      Change control
      Phase transition
      Activity coordination
      Baseline identification
      Communication
  • 14. Repeatable processes
    Software Configuration Management (SCM)
      Configuration identification
      Configuration control
      Configuration auditing
      Configuration status accounting
    Best Practices
      Incorporate security early and often.
      Adopt a software development model to help define your organization’s development activities and flow.
      Define activities for each phase in your model.
      Ensure all developers are trained to develop secure applications.
      Validate your software product at the end of every phase.
  • 15. Best Practices (Cont.)
      Create separate software projects for each related group of programs or program changes.
      Do not begin a software development project by writing code—plan and design first.
      Keep the three SDL core concepts in focus—education, continuous improvement, and accountability.
      Develop tests to ensure each component of your application meets security requirements.
    Best Practices (Cont.)
      Study the most common application vulnerabilities and develop programming standards to ensure you don’t include the vulnerabilities in your application.
      Identify and store programs, files, and schema definitions in a centralized, secure repository.
      Control and audit changes to programs, files, and schema definitions.
      Organize versioned programs, files, and schema definitions into versioned components.
  • 16. Best Practices (Cont.)
      Organize versioned components and subsystems into versioned subsystems.
      Create baselines at project milestones.
      Record and track requests for change.
      Organize and integrate consistent sets of versions using activities.
      Maintain stable and consistent workspaces.
      Ensure reproducibility of software builds.
  • 17. Summary
      System life cycle phases
      Agile software development
      Microsoft Windows operating system and application software security management
      Microsoft Windows operating system and application software secure development
      Microsoft Windows operating system and application software revisions and change management
    Security Strategies in Windows Platforms and Applications
    Lesson 15
    Best Practices for Microsoft Windows and Application Security
  • 18. Learning Objective(s): Describe Microsoft Windows and application security best practices. Key Concepts: Microsoft Windows security best practices; Microsoft Windows security management trends. Administrative Best Practices
  • 19. Develop and maintain policies to implement each of the best practices in this section. Educate users. Establish incident response capabilities. Ensure that you know which business functions are critical to your organization. Then, take whatever steps necessary to protect these functions in case of interruptions or disasters. Develop a plan to continue all critical business functions in case of an interruption. This business continuity plan (BCP) should cover all aspects of your organization. Define recovery time objectives (RTO) for each critical resource. Identify resources required for the recovery process. You’ll need to identify which parts of your recovery plan are sequential and which ones you can work on simultaneously. Develop a backup plan for each resource that minimizes the impact on performance while keeping secondary copies of data as up to date as possible. Explore various options, including alternate sites and virtualization. Document all backup and recovery procedures. Train all primary and backup personnel on all procedures. Test all recovery procedures rigorously. Conduct at least one full interruption recovery test each year. Develop and maintain policies.
  • 20. Educate users. Establish incident response. Identify/protect critical business functions. Develop a BCP. Define recovery time objectives (RTOs). Develop a backup plan. Document backup and recovery procedures. Test all recovery procedures. Administrative Best Practices (Cont.) Review your complete recovery plan quarterly (or more
  • 21. frequently), and adjust for any infrastructure changes. Update old password policies. Consult current National Institute of Standards and Technology (NIST) guidelines (https://pages.nist.gov/800-63-3/) for recommendations. Do not write down passwords. Use passwords you can remember. When you write down passwords, they are easier for an attacker to find and use. Never encrypt individual files—always encrypt folders. This keeps any sensitive data from ever being written to the disk in plaintext. Designate two or more recovery agent accounts per organizational unit. Designate two or more computers for recovery, one for each designated recovery agent account. Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder. This keeps sensitive information from being stored in plaintext on a print server. Require strong passwords for all virtual private network (VPN) connections. Trust only certificates from certificate authorities (CAs) or trusted sites. Train users to reject certificates from unknown or untrusted sites. Require two-factor authentication (2FA) for access requests to sensitive information. Review recovery plan regularly. Update old password policies. Do not write down passwords.
  • 22. Encrypt folders, not files. Designate recovery agent accounts. Avoid using print spool files. Require strong passwords. Trust only certificates from CAs or trusted sites. Require two-factor authentication (2FA). Technical Best Practices: Install anti-malware software on all computers. Enable all real-time scanning (shield) options. Update signature databases and software daily. Perform a complete scan of all hard drives and Solid State Drives (SSDs) at least weekly. Perform a quick scan after installing or updating any software. Enable boot-time virus checking, including boot sector and
  • 23. memory scan at startup options. Install anti-malware software. Enable real-time scanning (shield) options. Update signature databases and software daily. Perform a complete scan at least weekly. Perform a quick scan after installing or updating any software. Enable boot-time virus checking. Technical Best Practices (Cont.): Remove administrator rights from all normal users. Apply software and OS security patches. Block outbound network connections that are not required for
  • 24. your applications. Automate as many backup operations as possible. Create logs and reports that make problems with backup operations easy to recognize. Verify all backup operations. A secondary copy of data with errors may be no better than damaged primary copy data. Export all encryption recovery keys to removable media and store the media in a safe place. Physically store your Encrypting File System (EFS) or BitLocker recovery information in a separate, safe location. Remove administrator rights from all normal users. Apply software and OS security patches. Block outbound network connections. Automate backup operations. Verify all backup operations. Export encryption recovery keys to removable media. Technical Best Practices (Cont.)
  • 25. Encrypt the My Documents folder for all users. Since most people use My Documents for most document files, encrypting this folder will protect the most commonly used file folder. Use multifactor authentication when using BitLocker on OS volumes to increase volume security. Store recovery information for BitLocker in Active Directory Domain Services (AD DS) to provide a secure storage location. Disable standby mode for portable computers that use BitLocker. BitLocker protection is in effect only when computers are turned off or in hibernation. When BitLocker keys have been compromised, either format the volume or decrypt and encrypt the entire volume to remove the BitLocker metadata. Encrypt the My Documents folder. Use multifactor authentication. Store recovery information for BitLocker in AD DS. Disable standby mode for portable computers that use BitLocker. When BitLocker keys have been compromised, remove BitLocker metadata.
  • 26. Technical Best Practices (Cont.): Use the strongest level of encryption that your situation allows for VPNs. Use Secure Socket Tunneling Protocol (SSTP) IKEv2 for VPNs when possible. IKEv2 is the newest VPN protocol from Microsoft. Disable Service Set Identifier (SSID) broadcasting for wireless networks. Never use Wired Equivalent Privacy (WEP) for wireless networks—use only Wi-Fi Protected Access (WPA/WPA2/WPA3). Use strong encryption for VPNs. Use SSTP IKEv2 for VPNs when possible. Disable SSID broadcasting for wireless networks. Never use WEP for wireless networks.
  • 27. Audit and Remediation Cycles: Plan—Establish your objectives and processes to meet a stated goal. In the context of routine auditing, the goal should be to assess specific security controls. Do—Implement the process you planned in the previous step. Check—Measure the effectiveness of the new process and compare the results against the expected results from your plan. You’ll compare the expected results of your auditing information with a baseline. Act—Analyze the differences between expected results and measured results. Determine the cause of any differences. Then, proceed to the Plan process to develop a plan to improve the performance. Do
  • 28. Check Act Plan Audit and Remediation Cycles: Maintain current backups of all audit information. Do not enable Read or List auditing on any object unless you really need the information. Do not enable Execute auditing on binary files. Limit enabling all auditing actions to files, folders, programs, and certain other resources. Maintain current backups of all audit information so you can recover historical audit information in the case of a disaster. Do not enable Read or List auditing on any object unless you really need the information. Read/List access auditing can create a tremendous amount of information. Do not enable Execute auditing on binary files except for administrative utilities that attackers commonly use. Do turn auditing on for these utilities
  • 29. to help monitor their use. Limit enabling all auditing actions to files, folders, programs, and other resources that are important to your business functions. Don’t be afraid to enable auditing for any object—just ensure you need the information you’ll be saving. Audit and Remediation Cycles (Cont.): Enable auditing for all change actions for your Windows install folder and any folders you use in normal business operation. Audit all printer actions. Ignore Read and Write actions for temporary folders but audit Change Permissions, Write Attributes, and Write Extended Attributes actions. Enable auditing for all change actions for your Windows install folder and any folders you use in normal business operation. It is also a good idea to audit changes to the Program Files folder. Audit all printer actions. You may need to know who printed a document that found its way into the wrong hands. Ignore Read and Write actions for temporary folders but audit Change Permissions, Write Attributes, and Write Extended Attributes actions. These
  • 30. actions can help identify attacker activities. Audit and Remediation Cycles (Cont.): Develop Windows policies and Group Policy Objects (GPOs) that are as simple as possible and still satisfy your security policy. Develop clear guidelines to evaluate each element of your security policy. Know what you will be looking for before you search through lots of audit data. Develop Windows policies and Group Policy Objects (GPOs) that are as simple as possible and still satisfy your security policy. Complex policies are difficult to verify. Develop clear guidelines to evaluate each element of your security policy. An audit should be a structured process to verify your security policy, not an unorganized hunt for problems. Know what you will be looking for before you search through lots of audit data. Security Policy Conformance Checks
  • 31. Define organizational units (OUs) that reflect your organization’s functional structure. Create OU GPOs for controls required in your security policy. Use meaningful names for GPOs to make maintenance and administration easier. Deploy GPOs in a test environment before deploying to your live environment. Use security filtering and Windows Management Instrumentation (WMI) filters to restrict settings when necessary. Back up your GPOs regularly. Do not modify the default policies—instead, create new GPOs. Use the Group Policy Settings Reference spreadsheets for more information on available GPO settings. You can find these spreadsheets by visiting the website http://www.microsoft.com/downloads, and searching for Group Policy Settings Reference. Microsoft provides several versions to cover different Windows releases. Acquire the Windows Server Security Compliance Management resource from Microsoft to help design, deploy, and monitor your server baselines. Acquire the Windows 10 Security Compliance Management resource from Microsoft to help design, deploy, and monitor your workstation baselines. Use the Local Policy Tool (LPT) to automatically deploy recommendations from the Security Compliance Management toolkits.
  • 32. Group Policy: Develop comprehensive Group Policy; use it to apply settings and ensure settings are correct. Important component of secure Windows environments. Helps centralize settings that ensure conformance with security policy. Security Baseline Analysis: Valuable for showing known values. Valuable for showing compliance.
  • 33. Security Baseline Guidelines: Create initial baselines. Use tools such as Security Configuration and Analysis (SCA) and Microsoft Baseline Security Analyzer (MBSA). Schedule scans using batch files. Create initial baselines that represent a secure starting point for each computer. Develop security templates in Security Configuration and Analysis (SCA) that contain the security settings for each type of workstation and server. Change the templates as needed and use them when building new computers. You can apply up-to-date templates to new Windows installations to quickly configure a new computer to your security standards. Run SCA/Microsoft Baseline Security Analyzer (MBSA) using command-line interface options to compare computer settings and configurations with your standards. Schedule scans to run periodically (weekly or monthly), and review the resulting output files for any identified problems. Develop batch files to run scans and collect ongoing operational information. Collect information using a set daily, weekly, or monthly schedule and archive collected data files.
  • 34. OS and Application Checks and Upkeep: Deploy security controls. Harden operating systems. Harden applications. Network Management Tools and Policies: Identify and protect sensitive data. Establish unique domain user accounts. Enforce strong passwords. Limit rights and permission for services. Don’t allow services to run as a domain admin user. Use Kerberos. Install firewalls to create a DMZ. Use encryption.
  • 35. Establish firewall rules. Network Management Tools and Policies (Cont.): Install anti-malware software. Update software and signature databases daily. Use WPA, WPA2, or WPA3. Disable SSID broadcasts. Disable Wi-Fi Protected Setup (WPS). Do not enable wireless or mobile broadband cards while connected to your organization’s internal network. Don’t allow visitors to roam facilities using wireless LAN. Avoid connecting to Wi-Fi public networks. Install a separate wireless access point for guests. Disable or uninstall any services you don’t need.
  • 36. Software Testing, Staging, and Deployment: Do not begin a software development project by writing code—plan and design first. Keep the three Security Development Lifecycle (SDL) core concepts in focus—education, continuous improvement, and accountability. Develop tests to ensure each component of your application meets security requirements. Study the most common application vulnerabilities and develop programming standards to ensure you don’t include the vulnerabilities in your application. Identify and store programs, files, and schema definitions in a centralized, secure repository. Control and audit changes to programs, files, and schema definitions. Organize versioned programs, files, and schema definitions into versioned components. Organize versioned components and subsystems into versioned collections. Create baselines at project milestones. Record and track requests for change. Organize and integrate consistent sets of versions using activities. Maintain stable and consistent workspaces. Ensure reproducibility of software builds.
  • 37. Adopt Define Ensure Validate Create Adopt a software development model to help define your organization’s development activities and flow. Define activities for each phase in your model. Ensure all developers are trained on developing secure applications. Validate your software product at the end of every phase. Create separate software projects for each related group of programs or program changes.
  • 38. Compliance/Currency Tests on Network Entry Accounts Global groups Universal groups Local groups Permissions To maintain secure access for remote clients, check this list of best practices: Map your proposed remote access architecture, including redundant and backup connections. Use one of the several available network mapping software products to make the process easier. Update the network map any time you make physical changes to your network. Install at least one firewall between your VPN endpoint and your internal network. Select a VPN provider that your clients can easily access. If you select a vendor-specific VPN solution, develop a method to distribute and maintain the VPN client software to your users. Use global user accounts whenever possible: Use strong authentication for all user accounts. Create a limited number of administrative accounts with permissions for remote administration. Develop a backup and recovery plan for each component in the Remote Access Domain. Do not ignore backing up and
  • 39. recovering configuration settings for network devices. Implement frequent update procedures for all OSs, applications, and network device software and firmware in the Remote Access Domain. Monitor VPN traffic for performance and suspicious content. Carefully control any configuration setting changes or physical changes to domain nodes. Update your network map after any changes. Require encryption for all communication in the Remote Access Domain. Enforce anti-malware minimum standards for all remote computers as well as server computers in the Remote Access Domain. Ensure all anti-malware software and signature databases remain up to date. Trends in Microsoft Windows OS and Application Security Management: Scams by questionable security consulting or software firms that use fear tactics to get users to purchase their product to remove security problems. Social engineering
  • 40. Mobile devices used as bots. Scams by questionable security consulting or software firms. Trends in Microsoft Windows OS and Application Security Management (Cont.): Data-focused attacks. Cloud computing. Expansion of malware. Summary: Microsoft Windows security best practices; Microsoft Windows security management trends.
  • 41. APA format. No resources before 2015. Do all parts of the assignment below. Communication is a key part of a successful incident response plan. Assume you are the CSIRT team lead of a large corporation that just experienced a significant security breach. Answer the following question(s): Should you inform the chief executive officer (CEO) immediately when the breach is discovered? Why or why not?
  • 42. Should customers be informed immediately? Why or why not? To complete this assignment, you must do the following: A) Create a new thread. B) Select AT LEAST 3 other students' threads and post substantive comments on those threads, evaluating the pros and cons of that student’s recommendations. Your comments should extend the conversation started with the thread. ALL original posts and comments must be substantive. (I'm looking for about a paragraph - not just "I agree.") NOTE: These discussions should be informal discussions, NOT research papers. If you MUST directly quote a resource, then cite it properly. However, I would much rather simply read your words.
  • 43. Smash That Like Button: Facebook’s Chris Cox Is Messing with One of the Most Valuable Features on the Internet Inside Facebook’s Decision to Blow Up the Like Button The most drastic change to Facebook in years was born a year ago during an off-site at the Four Seasons Silicon Valley, a 10-minute drive from headquarters. Chris Cox, the social network’s chief product officer, led the discussion, asking each of the six executives around the conference room to list the top three projects they were most eager to tackle in 2015. When it was Cox’s turn, he dropped a bomb: They needed to do something about the “like” button. The like button is the engine of Facebook and its most recognized symbol. A giant version of it adorns the entrance to the company’s campus in Menlo Park, Calif. Facebook’s 1.6 billion users click on it more than 6 billion times a day—more frequently than people conduct searches on Google—which affects billions of advertising dollars each quarter. Brands, publishers, and individuals constantly, and strategically, share the things they think will get the most likes. It’s the driver of social activity. A married couple posts perfectly posed selfies, proving they’re in love; a news organization offers up what’s fun and entertaining, hoping the likes will spread its content. All those likes tell Facebook what’s popular and should be shown most often on the News Feed. But the button is also a blunt, clumsy tool. Someone announces her divorce on the site, and friends grit their teeth and “like” it. There’s a devastating earthquake in Nepal, and invariably a few overeager clickers give it the ol’ thumbs-up. Changing the button is like Coca-Cola messing with its secret recipe. Cox had tried to battle the like button a few times before, but no idea was good enough to qualify for public testing. “This was a feature that was right in the heart of the
  • 44. way you use Facebook, so it needed to be executed really well in order to not detract and clutter up the experience,” he says. “All of the other attempts had failed.” The obvious alternative, a “dislike” button, had been rejected on the grounds that it would sow too much negativity. Cox told the Four Seasons gathering that the time was finally right for a change, now that Facebook had successfully transitioned a majority of its business to smartphones. His top deputy, Adam Mosseri, took a deep breath. “Yes, I’m with you,” he said solemnly. Later that week, Cox brought up the project with his boss and longtime friend. Mark Zuckerberg’s response showed just how much leeway Cox has to take risks with Facebook’s most important service. “He said something like, ‘Yes, do it.’ He was fully supportive,” Cox says. “Good luck,” he remembers Zuckerberg telling him. “That’s a hard one.” The solution would eventually be named Reactions. It will arrive soon. And it will expand the range of Facebook-compatible human emotions from one to six. Cox isn’t a founder, doesn’t serve on the boards of other companies, and hasn’t written any best-selling books. He’s not a billionaire, just a centi-millionaire. He joined Facebook in 2005, too late to be depicted in The Social Network, David Fincher’s movie about the company’s early days. While Zuckerberg manages an expanding portfolio of side businesses and projects—Instagram, WhatsApp, the Oculus Rift virtual-reality headset, a planned fleet of 737-size, carbon-fiber, Internet-beaming drones—Cox runs “the big blue app.” That’s Facebook’s term for the social network that we all compulsively check a few dozen times a day. He’s also the keeper of the company’s cultural flame, the guy who gives a rousing welcome speech to new recruits every Monday morning at 9 a.m. It’s a safe bet that all 12,000 Facebook employees know his name.
  • 45. He’s probably the closest thing Internet users have to an editor-in-chief of their digital life. Cox’s team manages the News Feed, that endless scroll of Facebook updates. Invisible formulas govern what stories users see as they scroll, weighing baby pictures against political outrage. “Chris is the voice for the user,” says Bret Taylor, Facebook’s former chief technology officer. “He’s the guy in the room with Zuckerberg explaining how people might react to a change.” Cox’s ascension has been gradual and, for the past few years, clearly visible to Facebook watchers. Many first met him during the 2012 initial public offering roadshow, when the company distributed a video of executives talking about its mission. Along with Chairman and Chief Executive Officer Zuckerberg and Chief Operating Officer Sheryl Sandberg, the film included Cox, who gazed earnestly into the camera at close range while employing some seriously overheated rhetoric: “We are now changing within a generation the fabric of how humanity communicates with itself.” He’s frequently seen at Zuckerberg’s side. Here are Zuckerberg and Cox running a three-legged race for a company game day, with Cox wearing a banana suit; embracing after Facebook started trading on the Nasdaq (Zuckerberg hugged Sandberg first and Cox second); riding a float together during San Francisco’s gay pride parade. Zuckerberg says Cox is one of his closest friends and “one of the people who makes Facebook a really special place.” He mentions Cox’s IQ and EQ—emotional intelligence—and how “it’s really rare to find people who are very good at both.” He’s also cool in a way that Zuckerberg, in particular, isn’t. Cox, who moonlights as a keyboard player in a reggae band, dresses fashionably, usually leaving a button open on the top of his neatly tailored work shirts. He’s also irksomely handsome and displays the casual cheer of someone who knows it. Look a little deeper, though, and Cox’s record isn’t quite as
  • 46. tidy. He’s been in charge of some of Facebook’s biggest duds: a nicely designed news-reading app for smartphones called Paper, which no one used, and a major revamp of the News Feed that was scrapped because it didn’t work well on small screens. If you look at the things poised to deliver big growth opportunities at Facebook—Instagram and WhatsApp being the biggest—they’re mostly acquisitions, not reinventions of the big blue app. In Silicon Valley fashion, Cox prefers to recast past mistakes as healthy experiments and valuable learning experiences. “I think any good company is trying things, is forcing itself to try things, and you need to be able to put things out there and try and learn,” he says. “People only get in trouble if they’re not honest about failure.” Cox first heard of job opportunities at Facebook while pursuing a master’s degree in computer-human interaction at Stanford. A roommate already worked there and badgered Cox to interview, primarily because there was a $5,000 recruiting bonus. Cox was skeptical. Wasn’t Facebook just a glorified dating site? The headquarters back then were on University Avenue, Palo Alto’s main drag. When he got there, co-founder Dustin Moskovitz described Facebook as a crowdsourced directory of everyone. He drew circles on a whiteboard, then lines connecting them to represent “friending” on the site. By looking at each other’s profiles, friends could bypass the first awkward five minutes of every conversation—those rote questions like “where are you from?”—and move on to deeper connections. Cox was riveted. He dropped out of Stanford (naturally) and joined the company when it had about 30 employees. His first job was developing the News Feed, the feature that made Facebook a global addiction. At the time, though, he and Zuckerberg badly misjudged user reaction: People hated it. They felt as if their
  • 47. private interactions were suddenly being exposed. “It wasn’t our best product rollout,” Cox concedes. He learned that people tend to be suspicious of well-capitalized Silicon Valley startups preaching lofty values such as “openness” and “sharing.” In late 2007, after Facebook hired its 100th employee, Zuckerberg decided he needed to put someone he trusted in charge of personnel. This became Cox’s strangest career move: Zuckerberg asked him to become the company’s first human resources chief. Zuckerberg now says he thought it was “an opportunity to take a different approach than other companies and to bring a technical spirit to defining all these different aspects” of the company’s culture. Cox scheduled one-on-one meetings with every employee and became a sort of in-house therapist. “He had to endure the slings and arrows of people’s complaints from all over the company,” Yishan Wong, an early employee, wrote on the community website Quora. “And he did so without becoming a cynical, uncaring shell of a man.” Cox says the HR job gave him a way of looking at things through other people’s eyes. It also led him to ponder Facebook’s mission in the world, which is when he started reading the works of communications theorist Marshall McLuhan. Each wave of media technology, McLuhan wrote, is initially greeted with anger and mistrust. That was comforting to Cox, because it explained some of the hostility that Facebook was encountering. “We were in this period back then where people really didn’t understand Facebook and didn’t believe it could become anything,” he says. “McLuhan helped tell that story in a broader context.” Cox returned to engineering in 2008, but he’s still the company’s cultural ambassador. He weaves McLuhan’s lesson into his Monday morning speeches to the new recruits. The talks usually start with a question: “What is Facebook?” He lets the
  • 48. room hang in silence until someone is brave enough to say, “It’s a social network.” Wrong. Facebook is a medium, Cox says, referring to McLuhan’s famous dictum, “The medium is the message.” In other words, how Facebook presents content and the way in which it allows users to read, watch, comment on, and like that content influences how all 1.6 billion members see the world around them. Cox spends most of his days in the new Frank Gehry-designed Building 20 on the Menlo Park campus. The structure is a huge, 430,000-square-foot rectangle. A grassy park is on the roof, with a hot dog stand on one side and a smoothie shop on the other. Inside the cavernous space, full of rustic art and chalkboard walls, Facebook employees tie silver balloons to their movable standing desks to mark their “Faceversary,” celebrating how long they’ve worked there. Cox had his 10th Faceversary last fall. On a Wednesday in November, he enters a conference room for the second of five meetings and confesses that he’s breaking the rules: Executives are discouraged from scheduling meetings on Wednesdays, which is supposed to be a day engineers and designers can work without interruption. Nevertheless, Cox and his team need to talk about tailoring the Facebook smartphone app for India. On a screen at the front of the room, there’s a bar chart of Indian users on Android phones, broken down by the estimated speed of the cellular network they use most often—2G, 3G, and so forth. “Can you just hang on that stat for a sec?” Cox asks, peering at the chart with his elbows on his knees. “4G is a whopping 0.2 percent.” “It’s just one guy hanging out there,” says a product manager, Chris Struhar. The team can’t afford to wait for India to speed up its mobile networks—frustrated users will simply stop using Facebook. (Or
  • 49. worse. The company recently faced street protests in the country for its plan to offer Free Basics, a stripped-down, free Internet service that includes Facebook and not much else.) Struhar proposes to use less data in the app, in part by recycling older stories that don’t have to be freshly downloaded. Cox agrees. “My intuition, which we could prove wrong, is people just want more stuff,” he says. He imagines himself as the user, looking for any hit of digital nicotine that will stave off boredom at, say, a bus stop. “That’s definitely what I want. I just want more stories.” Cox then reviews a couple of other ideas, like a spinning icon on photos that will let users know the app is loading, potentially decreasing what the company calls “rage quits.” Near the end of the meeting, he wonders aloud how to get other Facebook employees to start thinking about the particular challenge of building features that will work on yesterday’s mobile networks, still in use around the world. Someone proposes switching everyone at the company to a 2G connection once a week. Cox loves the idea. “This is our tool for empathy,” he says. “Happy Wednesday, you’re in Delhi!” Two weeks later, the company implements 2G Tuesdays. “Empathy” is a word Cox throws around a lot, and which his colleagues often use about him. Facebook blundered in the past when it didn’t take the time to talk to and understand its users. In the old days, product teams tested features in New Zealand, which has the advantage of having an isolated, English-speaking population but is hardly an accurate representation of the world. Under Cox, Facebook’s product team is tackling more sensitive subjects, such as designing a way for accounts to become memorials after someone’s death, or helping users navigate the aftermath of a breakup by selectively blocking pictures of the ex. 
His goal, which he admits Facebook hasn’t reached, is to make the News Feed so personalized that the top 10 stories a user sees are the same they’d pick if they saw every possibility and ranked it themselves. A side effect of making things easier for users: happy advertisers. Under Cox, Facebook found a way
  • 50. to make advertising work on its smartphone app, and came up with video ads that play automatically. Since Cox was elevated to chief product officer in 2014, his team has consulted with an outside panel of about 1,000 Facebook users who rate every story in their feed and offer feedback. There are also a handful of product test stations scattered around Facebook’s offices that look a little like interrogation rooms—tiny spaces with brightly lit desks. A camera is attached to a test subject’s smartphone to film their actions while Facebook employees watch through a one-way mirror. Sessions can go on for hours. Sometimes they’re live-streamed to a larger audience of employees. Cox applied this testing regimen to the revamping of the like button. He wasn’t part of the team that originally developed the button from 2007 to 2009, but colleagues have war stories about how hard they had to work to get Zuckerberg on board. According to longtime executive Andrew Bosworth, there were so many questions about the button—should likes be public or private? would they decrease the number of comments on stories?—many thought the feature was doomed. Even its champions had no idea of the impact it would have on the company’s fortunes. It was simply meant to make interactions easier—just click like on someone’s post about their new job, instead of being the 15th person to say congratulations. Eventually the button became a crucial part of how Facebook’s technology decides what to show users. If you like beauty tips a friend shares from some Kardashian or other, the software calculates that you should also see ads and articles from People magazine and Sephora. “The value it has generated for Facebook is priceless,” says Brian Blau, an analyst at Gartner. It’s a way of creating a connection, even if it’s superficial. If users click like on a post about the Red Cross’s disaster relief
  • 51. efforts, they feel as if they’ve done something to help. (In January, Sandberg went so far as to suggest that likes could help defeat Islamic State: By promoting the posts of survivors, users could somehow drown out the hate.) Liking someone’s photo is an awkwardness-free way to make contact with someone you haven’t seen in years. Alternatives to like will let Facebook users be a little more thoughtful, or at least seem to be, without having to try very hard. Facebook researchers started the project by compiling the most frequent responses people had to posts: “haha,” “LOL,” and “omg so funny” all went in the laughter category, for instance. Emojis with eyes that transformed into hearts, GIF animations with hearts beating out of chests, and “luv u” went in the love category. Then they boiled those categories into six common responses, which Facebook calls Reactions: angry, sad, wow, haha, yay, and love. The team consulted with outside sociologists about the range of human emotion, just to be safe. Cox knows from experience that he doesn’t have all the answers: When the company redesigned the News Feed in 2013, it looked great on the iMacs in Facebook’s headquarters but made the product harder to use everywhere else. “There are a million potholes to trip over,” Cox said. Facebook Reactions won’t get rid of like—it will be an extension. Within the company, there was some debate on how to add the options without making every post look crowded with things to click. The simpler Facebook is to use, the more people will use it. Zuckerberg had a solution: Just display the usual thumbs-up button under each post, but if someone on her smartphone presses down on it a little longer, the other options will reveal themselves. Cox’s team went with that and added animation to clarify their meaning, making the yellow emojis bounce and change expression. The angry one turns red, looking downward in rage, for example. Once people click their
  • 52. responses, the posts in News Feed show a tally of how many wows, hahas, and loves each generated. This update may seem trivial. All it’s doing is increasing the number of clickable responses. People already comment on posts with emojis or, in some cases, actual words. But the feature will probably make Facebook even more addictive. And it will certainly give Cox’s team a lot more information to throw into the News Feed algorithm, thereby making the content more relevant to users—and, of course, to advertisers. In October the team got close enough to a final design that Zuckerberg felt comfortable mentioning the project in a public interview, giving no details except that there wouldn’t be a dislike button. Cox worried it was too soon to talk about the emotions Facebook picked. (Yay was ultimately rejected because “it was not universally understood,” says a Facebook spokesperson.) Cox says he spent the next morning parsing through responses to the announcement, reading what users thought the social network needed and preparing to start over if necessary. A few weeks later, the team began testing Reactions in Spain and Ireland, then Chile, the Philippines, Portugal, and Colombia. In early January, Cox flew to Tokyo to sell Reactions to Japan. “You can love something, you can be sad about something, you can laugh out loud at something,” he said to a crowd of reporters at Facebook’s offices in the Roppongi district. “We know on phones people don’t like to use keyboards, and we also know that the like button does not always let you say what you want.” He explained Facebook’s goal: a universal vocabulary that lets people express emotion as they scroll through their feed. In a sense, Reactions is an adaptation of digital culture in Asia, where messaging apps such as Line and WeChat have already established a complex language of emojis and even more elaborate “stickers.”
  • 53. Cox says Reactions’ biggest test so far was during the November terrorist attacks in Paris. Users in the test countries had options other than like, and they used them. “It just felt different to use Facebook that day,” he says. Facebook won’t give a specific date for when Reactions will be introduced in the U.S. and around the world, just that it’ll be “in the next few weeks.” Cox says the data he has looks good and that users will take to Reactions, though he takes pains not to sound in any way triumphant. “We roll things out very carefully,” he says. “And that comes from a lot of lessons learned.”
Source: Frier, S., “Smash That Like Button,” Bloomberg Businessweek, February 1–7, 2016. Copyright © 2017. All rights reserved. Used with permission of Bloomberg L.P.
Questions for Discussion
1. How would you describe Chris Cox’s personal leadership style, and what sources of power does he possess?
2. What traits do you think he is high on, and to what extent does he engage in consideration and initiating structure?
3. Do you think Cox is a transformational leader? Why or why not?
4. Do you think Cox is high on emotional intelligence? Why or why not?
Leadership Case Guidelines
The following Guidelines are to be helpful in analyzing the cases. The Guidelines are not intended to be a rigid format, however, that the student just mechanically goes through. Each question is intended to surface information that will be helpful in analyzing and resolving the case. Each case is different, and some parts of the Guidelines may not apply in every case. Also, the student should be attentive to the questions for discussion at the end of each case. These questions should be answered in any
  • 54. complete case analysis. The heart of any case analysis is the set of recommendations made. The Problem and Issue Identification and Analysis and Evaluation steps should be focused on generating and defending the most effective set of recommendations.
GUIDELINES FOR ANALYZING CASES
Problem and Issue Identification
1. What are the central facts of the case and assumptions you are making based on these facts?
2. What is the major overriding issue in this case? (What major question or issue does this case address that merits its study in this course and in connection with the chapter or material you are now covering?)
3. What subissues or related issues are present in the case that merit consideration and discussion?
Analysis and Evaluation
4. Who are the stakeholders in the case and what are their stakes? (Create a stakeholder map if this is helpful.) What challenges, threats, and opportunities do these stakeholders pose?
5. What economic, legal, ethical, and discretionary responsibilities does the company have, and what exactly is the nature and extent of the responsibilities?
6. If the case involves a company’s actions, evaluate what the company did or did not do in handling the issue affecting it.
Recommendations
7. What recommendations do you have for this case? If a company’s strategies or actions are involved, should the company have acted the way it did? What actions should the company take now, and why? Be as specific as possible, and include a discussion of alternatives you have considered but
  • 55. decided not to pursue. Mention and discuss any important implementation considerations.