Compulsory assignment – 3

Analysis of Case Studies

Author: Enis Mucaj

Arba Lolja

Semester: Spring 2023

Discipline: Information
Systems Security

Course code: 1IK011

 Introduction

In this collection of case studies, we look at a range of situations that have had varying effects on
companies. Every case offers insightful information about the value of cybersecurity, data privacy,
and ethical behavior in the modern digital environment. These case studies provide insight into the
effects of security errors, the possibilities of new technology, and the difficulties businesses confront
in protecting sensitive data.
The first case study is centered on the well-known data breach that occurred at Alpha, a major retailer,
in 2014. We analyze the attack's history to identify crucial turning points when preventative action
would have stopped the intrusion by answering the questions. We learn more about the significance of
reconnaissance, third-party vendor security, and system vulnerabilities through this case study.
The second case study explores how blockchain technology was creatively used by Visa. We look at
Visa B2B Connect's evolution as a platform for international business-to-business payments. Visa
wants to increase the effectiveness, transparency, and security of international financial transactions
by partnering with blockchain startup Chain. This case study demonstrates how blockchain
technology has the ability to transform payment systems and make transactions safe and nearly fast.
A security lapse at the University of California, Berkeley is the focus of the third case study. Millions
of records were compromised as a result of unlawful access to sensitive data by hackers. We look at
the difficulties educational institutions face in keeping up strong security measures, the effects of
security failures, and the possible threats associated with compromised systems.
Finally, we look at the controversial DoubleClick issue, where a business choice led to criticism from
the general population. The purchase of Abacus Direct by DoubleClick sparked worries about user
privacy and the blending of identifying data with surfing habits. The ethical issues and public
perception around data collecting and targeted advertising are clarified by this case study.
These case studies offer important lessons and insights into the difficulties associated with data
privacy, cybersecurity, and responsible use of technology. We may better comprehend the difficulties
organizations meet and the value of proactive actions to secure sensitive information in the current
digital era by looking at real-world events.
 Case Study: Alpha under attack – lost millions of
customers sensitive information

1. What were the indicators for weak security infrastructure at Alpha? Highlight
the security vulnerabilities in their systems that could be exploited by potential
threats.

a) Lack of intrusion detection and reaction tools

Alpha is said to have lacked appropriate intrusion prevention systems (IPS) and intrusion
detection systems (IDS). Such technologies could have been able to recognize and alert the
organization about the odd attack actions and behavior, thereby possibly reducing the breach.
[1]
b) Lack of suitable point-of-sale (POS) system security
Malware that collected credit/debit card information damaged Alpha's POS systems. It
indicates that there must be more effective security controls, such as end-to-end encryption
and appropriate access controls, to safeguard sensitive data in POS systems.
c) Lack of sufficient information security awareness and reconnaissance
Simple internet searches might have given the attackers important details about Alpha's
infrastructure, such as its use of Microsoft virtualization software, centralized name
resolution, and POS system data. It means that Alpha failed to set up adequate safeguards to
prevent sensitive data from being easily available to potential attackers.
d) Internal system vulnerabilities
The exact nature of these vulnerabilities remains unclear, however, the attackers were able to
breach several internal Windows systems at Alpha. But there are certain possible results, such
as weak systems and SQL injection assaults. These deficiencies show that Alpha's patch
management, system hardening, and secure coding processes may be lacking.
e) Compromised third-party vendor
By hacking GW Mechanical, a third-party vendor, via a phishing email, the attackers got
access to Alpha's corporate network. This emphasizes the value of requiring appropriate anti-
malware software and implementing two-factor authentication for any providers with access
to the company's systems.
2. How could Alpha company improve its security infrastructure to avoid future
data breaches?

a) Improve employee training and awareness

The importance of best practices including identifying and avoiding phishing efforts,
managing sensitive information correctly, and maintaining strong passwords should be
emphasized in Alpha's thorough security awareness and training programs for staff.
b) Perform thorough risk analyses
Alpha ought to regularly assess its systems to identify weaknesses and threats. This includes
reviewing the network, application, and infrastructure security as well as looking for any gaps
in the third-party vendor management processes.
c) Establish effective vendor management procedures
All vendors who need access to Alpha's systems should meet strict security regulations,
which should include the usage of up-to-date anti-malware software, two-factor
authentication, and regular security audits. They ought to frequently double-check on and
verify the security practices of vendors.
d) Boost data security measures
To safeguard sensitive data both at rest and while in transit, Alpha should put adequate
security measures in action. This includes adopting secure transmission of information
methods, encrypting POS system data, and setting in place access controls and monitoring
systems to look toward unauthorized access attempts.
e) Strengthening network security
Effective intrusion detection and prevention systems (IDS/IPS) should be established by
Alpha to maintain and react to any odd network activity. This can assist in real-time attack
detection and response.
f) Create an incident response strategy
To ensure a prompt and efficient reaction in the case of a breach, Alpha should create and
routinely test an incident response strategy. This includes roles and duties that are clearly
defined, communication methods, and procedures for containing and minimizing the breach.
g) Enhance application and system security
Given the objective of finding and fixing vulnerabilities in its internal systems and
applications, Alpha ought to set a priority on secure coding methods and frequently carry out
security assessments, penetration testing, and code reviews. This includes handling typical
online application vulnerabilities like SQL injection and cross-site scripting (XSS), secure
server settings, and proper patch management.
3. What IP protocols are suitable to build a secure environment?

a) IPsec (Internet Protocol Security) [3]:

IPsec secures and authenticates IP packets to offer secure communication throughout IP
networks. To secure data transmission between networks or between remote users, it can be
utilized for setting up virtual private networks (VPNs).
b) DNSSEC (Domain Name System Security Extensions)
DNSSEC adds an extra layer of security to the Domain Name System (DNS) by digitally
signing DNS records. It helps prevent DNS spoofing and ensures the authenticity and
integrity of DNS responses.
c) SNMPv3 (Simple Network Management Protocol version 3) [3]:
SNMPv3 includes security enhancements such as authentication and encryption to protect
network management traffic. It ensures secure communication between network devices
and network management systems.
d) SSL/TLS (Secure Sockets Layer/Transport Layer Security) [3]
SSL/TLS protocols provide secure online communication between clients and servers. They
ensure confidentiality, integrity, and authentication of data exchanged between web browsers
and servers, commonly used for secure HTTPS connections.
e) HTTPS (Hypertext Transfer Protocol Secure) [3]
HTTPS is an extension of the HTTP protocol that uses SSL/TLS encryption to secure web
communication. It provides secure and encrypted communication between web browsers and
servers, protecting sensitive data transmitted over the internet.
f) SSH (Secure Shell) [3]
SSH provides secure remote login and file transfer capabilities over an unsecured network. It
encrypts data transmission and provides authentication mechanisms to protect against
unauthorized access.
 Case study: Visa Goes Blockchain

1. Unprecedented transparency of transactions makes financiers uneasy.

How do you think Visa will be able to successfully balance secrecy and
transparency in the context of blockchain adoption?

Transparency is an inherent attribute of blockchain technology given that it keeps an

unchanging record of all transactions that are public to all network users. While this
disclosure might assist in security and accountability, it can also concern financiers who may
opt to keep a little information about their transactions confidential. Visa can use the
following tactics in order to achieve a balance between secrecy and transparency in the
implementation of blockchain technology:

a) Features that improve privacy:

Visa can use modern cryptographic methods to guarantee security and confidentiality within
the blockchain network. In order to do this whilst retaining the integrity and transparency of
the entire transaction history, it may be important to use methods of encryption to hide
necessary transaction details.

b) Blockchain architecture with permissions:

By using a permissioned blockchain, Visa has the capacity to handle network access and
limits participation to trustworthy organizations. By doing this, they are still able to make use
of blockchain technology's transparency and security advantages while keeping secrecy
among authorized parties.

c) Selective disclosure of information:

Within the blockchain network, Visa may set up restrictions that enable users to select which
third parties to expose specific transaction information. By providing limited access to secret
material, they can strike a balance between accessibility and confidentiality.

d) Regulation compliance:

Visa has to make sure that its utilization of blockchain corresponds with all existing data
protection and privacy regulations. By implementing privacy-enhancing measures and
abiding by regulations, Visa can show that it is serious about protecting private data while
embracing the transparency benefits offered by blockchain.

2. How would blockchain adoption enable security in the transfer of funds?

a) Consensus mechanisms:

Consensus algorithms are applied by blockchain networks to ensure accuracy and agree on
the ledger's present status. Given the decentralized consensus, there is a reduced potential of
fraudulent or unauthorized transactions happening while numerous participants verify each
transaction.

b) Sophisticated contracts:

The self-executing contracts referred to as "smart contracts," that abide by predefined rules
and conditions, are often supported by blockchain systems. Smart contracts provide secure,
automated fund transfers based on previously established standards, reducing the risk of
hostile manipulation or human error.

c) The removal of intermediaries:

Traditional payments frequently involve intermediaries, which could result in security flaws.
By utilizing blockchain, parties can conduct transactions directly with each other, taking
away the need for intermediaries and potential points of failure.

d) Security via cryptography:

Blockchain uses cutting-edge cryptography techniques to safeguard transactions.

Cryptography is a technique or protocol that secures information from any third party during
communication. Each transaction is signed electronically using cryptography to ensure its
accuracy and integrity. A secure chain of transaction history is produced as well by using
cryptographic hashing for linking blocks.[4]

e) A transparent and unchanging record:

The distributed ledger technology used by blockchain provides an immutable record of

transactions. Each transaction is archived in a block, linked to previous blocks, and split
across multiple network nodes. Given the high level of data integrity and audibility that
comes with this, it affirms that transaction data cannot be easily modified. [5]
 a) Review the above, try to discuss individual vendor solutions affecting the
"multi-actor" ICT landscape they operate in. Compare with phone and power
companies, how do they handle "multi-actor" environments without creating
operational roadblocks or security hazards?

It is important for sustaining effective performance and security in a "multi-actor" ICT

landscape where many vendors, organizations, and stakeholders are involved without causing
risks or barriers. Individual vendor solutions can address this in several different ways:

a) Secure communication channels:

To be able to protect the data transferred between various parties, vendors must
establish secure communication channels, such as encrypted connections and secure
protocols. This contributes to preserving the confidentiality and integrity of sensitive data by
preventing unwanted access, data interception, or tampering.
b) Interoperability and standard methods:
Vendors must follow defined interoperability standards and protocols. Vendors can guarantee
compatibility and easy integration with other systems and vendors by adhering to common
standards. This makes data sharing and communication more efficient while lowering the
possibility of operational issues or security flaws.
c) Authentication and access control
To ensure that only authorized actors can access the system or specific functions, vendors
ought to create strong access control techniques. These mechanisms may involve strong
authentication and authorization protocols. This avoids unwanted visitors from posing a
threat to security or disrupting activities.
d) Response to incidents and recovery:
To respond to safety concerns in a timely manner, vendors must have established incident
response plans and procedures. Along with backup and recovery plans to reduce operational
disruptions, this includes systems for identifying, evaluating, and responding to security
breaches.
e) Security evaluations and audits
Vendors should regularly perform security audits and assessments to find and minimize any
potential risks or vulnerabilities. To proactively detect and address security vulnerabilities,
involves carrying out penetration testing, vulnerability scanning, and code reviews.

Similar difficulties are faced by them when contrasted with phone and power service
providers, which operate in multi-actor various settings. These companies take on such issues
by:
  Placing industry standards
Industry standards for data transmission, device interoperability, and communication
protocols are complied with by the phone and power sectors. This supports system
interoperability between those different vendors and reduces functioning difficulties.
 Regulation compliance
Regulations and standards concerning data privacy, security, and the reliability of
infrastructure are complied with by phone and power companies. To safeguard the stability of
their actions, they follow the rules issued by regulatory bodies.
 Collaboration partnerships
With other stakeholders such as network providers, supplies makers, and regulatory bodies,
these companies form cooperation and collaborate. This cooperation allows the coordinated
handling of problems with interoperability and security concerns.
 Dependable infrastructure
Companies that provide phones and energy make major expenditures on infrastructure, such
as redundant systems, standby power supplies, and monitoring tools, to guarantee
uninterrupted service and reduce operational difficulties or security risks.
 Constant observation and response:
To find anomalies, issues with performance, or security breaches, these businesses use
monitoring systems. They employ specialized teams for incident response and recovery, so
they are able to react fast to any operational difficulties or threats to security.
 Case study: The Hack at UC Berkley

1. Name policies and procedures that would enable universities to limit vulnerabilities while still
allowing students access to systems.
In today's digital age, universities face a difficult task of maintaining secure systems while providing
students with the resources they need to pursue their education. Recent events, such the break-in at the
University of California, Berkeley, emphasize the necessity for robust rules and processes to prevent
vulnerabilities.

a) Strong authentication
Strong authentication is the use of trustworthy and secure procedures to validate users' identities
before they may access university systems, services, and resources. Universities must take all
necessary precautions to safeguard private information, intellectual property, and sensitive data
against unauthorized access and online threats. Multiple factors are frequently used in strong
authentication techniques to confirm a user's identity, adding an additional layer of protection over
simple username and password combinations. Here are some commonly employed strong
authentication techniques in universities:
• Multi-Factor Authentication (MFA): MFA requires users to provide two or more different
types of authentication factors to access university systems.
• One-Time Passwords (OTP): OTPs are randomly generated passwords that are valid for a
single login session or transaction [6]
• Biometric Authentication: Biometric authentication uses unique physical or behavioral
characteristics of an individual for identification.
b) Regular Security Training
Regular security training in universities is essential to equip students, faculty, and staff with the
knowledge and skills necessary to defend against cybersecurity threats. Individuals who regularly
participate in cybersecurity awareness and training programs can better comprehend common dangers
like phishing attempts and learn how to handle sensitive data safely. Institutions may decrease the
possibility of security events being caused by human mistake by educating the college community.
c) User Access Control
Universities can limit system access based on particular responsibilities by implementing role-based
access control (RBAC). Universities can reduce the possibility of unwanted modifications or data
breaches by assigning privileges and permissions only to authorized persons.
d) Patch management
A strong patch management procedure ensures that security updates and patches are applied on
schedule to all systems and applications. Universities can repair vulnerabilities quickly and lower the
risk of hacker exploitation by conducting routine monitoring and reviews of patching progress.
Universities can actively safeguard their systems and critical data by keeping up with patching.
e) Data Encryption and Protection
To protect sensitive data, universities should implement strong encryption measures for both data in
transit and data at rest. Data encryption adds an extra layer of protection, ensuring confidentiality and
integrity.

2. Ultimately, who should be held accountable for ensuring a sound security policy is in place?
a) The university administration should bear overall responsibility for establishing a strong
security posture. They should give cybersecurity priority as an essential component of
institutional governance and devote adequate resources to security-related efforts. They have
a responsibility to set policies, give the institution strategic direction, and promote a security-
conscious culture. [7]
b) The IT department is essential to the implementation and management of security technology
and procedures. They must to be in charge of carrying out risk evaluations, creating security
procedures, keeping an eye on network activities, administering access limits, and putting in
place technical safeguards. Along with maintaining strong incident response and recovery
capabilities, they must also make sure that systems receive frequent upgrades and patches.[7]
c) Faculty and staff should be held responsible for adhering to security protocols, including
strong password usage, data handling policies, and knowledge of social engineering
techniques. They ought to actively take part in security training and immediately report any
security-related incidents or issues. Faculty members who work on research projects
involving sensitive data must also make sure that security regulations are followed.
d) As part of the university community, students are also accountable for maintaining security
norms. They should abide by the established security guidelines, guard the privacy of their
login information, report any suspicious activity, and use caution when logging into resources
and handling sensitive information. [7]

3. An IDS test did show the intrusion, why only then? Possible and plausible causes for this?
There could be several possible causes for the intrusion being detected only during the IDS test,
despite the presence of an active intrusion:
a) Inadequate monitoring : It's possible that the university's security monitoring procedures were
poor, which delayed a detection. If the university had not implemented robust monitoring
systems or had not allocated sufficient resources for continuous monitoring, the intrusion
might have gone unnoticed until the IDS test.
b) Misconfiguration or Mismanagement : The IDS itself may have been improperly configured
or managed, which prevented real-time detection of the intrusion. The IDS may have been
less effective due to improper configuration, incorrect rules, or a lack of routine updates and
maintenance.
c) Insufficient logging and monitoring : ls: It's possible that the logging and analysis systems in
place weren't fully utilized. It is challenging to spot suspicious or anomalous behavior
suggestive of an intrusion without adequate network activity logging and thorough log
analysis.
d) Limited resources: The security team at the university may not have enough staff or resources
to adequately monitor and handle security incidents. Delays in detection and reaction times
might be the result of this.
4. It was reported that a software patch could have foiled the attack. Any reasons why this
wasn’t done?
There could be several reasons why the software patch was not applied, leading to the successful
attack on the computer at the University of California at Berkeley.
a) Lack of awareness: It's possible that the administrators were unaware that a patch was
available to fix the security weakness. Active monitoring and knowledge of the most recent
vulnerabilities and fixes are necessary to stay current with security advisories and patches.
The administrators would not have been able to apply the patch if they were not aware that it
existed.
b) Negligence or oversight: The computer system administrators may have neglected to address
the known security vulnerability or may have undervalued the significance of immediately
applying the patch. They might have neglected to give the patching process priority or they
might have been preoccupied with other things.
c) Lack of resources: Universities, like other institutions, may experience a lack of resources,
such as a shortage of IT staff or financial restrictions. The capacity to quickly address security
vulnerabilities and apply required patches could be impacted by a lack of resources. The
patching process may have been postponed or ignored if insufficient personnel or resources
were allocated for cybersecurity measures.
d) Inefficient patch management techniques: Effective patch management entails establishing
procedures and guidelines to guarantee that patches are identified, tested, and deployed in a
timely manner. It's possible that the failure to apply the patch was caused by the university's
poor patch management procedures, such as a lack of centralized oversight or a clear
accountability structure.
 Case study: The DoubleClick Case

1. How can a balance be established between consumer needs for privacy and company
(business) needs to know their customers?
Establishing a balance between consumer privacy and business needs to know their customers is a
complex and ongoing challenge. Here are some approaches and considerations that can help strike a
balance:
a) Privacy-by-design approach: Organizations should put privacy first by taking it into account
when designing and developing their goods and services. Instead of being an afterthought,
privacy should be regarded as a fundamental requirement.
b) Data minimization: Companies should avoid gathering excessive or unnecessary personal
information and should only gather the data necessary to fulfill specific purposes. This rule
ensures that data collection is directly related to business requirements and reduces privacy
risks.
c) Transparency and control: It is essential to provide detailed information about data practices,
including how data is gathered, used, shared, and retained. Businesses should provide clear
privacy policies and simple controls that let customers manage their preferences, manage how
their data is used, and exercise their legal rights.
d) Anonymization and aggregation: Companies can protect individual privacy while still
extracting insights from data by using strategies like anonymization and aggregation.
Businesses can gain useful information while protecting privacy by removing personally
identifiable information or aggregating data in a way that prevents re-identification.
e) Legal and regulatory compliance: In order to ensure that consumer privacy rights are
respected and protected, businesses must adhere to all applicable privacy laws and regulations
in the jurisdictions in which they conduct business.

2. Is it ethical to collect user data and track their movement on the Internet?
The ethics of collecting user data and tracking their movement on the Internet is a complex topic.
There are various ways to look at this issue, and viewpoints can differ.
Data collection supporters claim that it has a wide range of advantages. Companies can, for instance,
deliver personalized and targeted advertisements, which can improve user experiences and the
efficiency of marketing campaigns. In order to better meet the needs and preferences of their
customers, businesses can tailor their products and services with the aid of this. Data gathering can
also aid in the creation of new ideas and technologies.
On the other hand, privacy issues and the potential for user data to be misused have prompted
criticism of data collection methods. Some contend that people have a right to their personal
information as well as a right to privacy. Without the user's express consent, data collection and
tracking may be considered an invasion of privacy. Data breaches and unauthorized access are
potential issues, as well as the security and protection of user data. Furthermore, concerns about the
possibility of discrimination, manipulation, and exploitation are raised by the collection and analysis
of enormous amounts of personal data.
The collection and use of user data is governed by legal frameworks and regulations in many
jurisdictions, such as data protection laws and privacy regulations. These rules seek to strike a balance
between the advantages of data collection and the defense of peoples' right to privacy.
Ultimately, whether collecting user data and tracking their movements on the Internet is ethical
depends on various factors, including degree of transparency in data collection practices, the
motivation and justification behind the data collection, the level of user consent obtained, the security
measures in place to safeguard the data, and compliance with relevant laws and regulations.

3. What kind of codes of conduct security managers at DoubleClick (and Google) should be
familiar with?
Security managers at DoubleClick (and Google) should be familiar with various codes of conduct and
best practices related to information security and privacy. Some important codes of conduct that they
should consider are:
a) International Organization for Standardization (ISO) 27001 [8]: This standard offers
instructions for creating, putting into practice, maintaining, and constantly enhancing an
information security management system. It covers a range of information security topics,
such as risk management, security controls, and compliance. [9]

b) NIST Cybersecurity Framework [8]: This framework, which was created by the National
Institute of Standards and Technology (NIST), offers a risk-based strategy for managing
cybersecurity. For identifying, safeguarding, detecting, responding to, and recovering from
cybersecurity incidents, it provides best practices and guidelines. [9]

c) Cloud Security Alliance (CSA) Code of Conduct [8]: The security and privacy of customer
data in cloud environments are the main goals of this code of conduct, which is unique to
cloud service providers. It covers topics like data sovereignty, access management, incident
handling, and transparency. [9]

d) Global Information Assurance Certification (GIAC) [8]: It is an organization that provides

professional certifications and training programs in the field of information security. GIAC
certifications are highly regarded and recognized within the industry, validating the
knowledge and skills of individuals in various specialized areas of cybersecurity. [10]

e) Ethical guidelines and corporate policies [8]: The company's internal ethical standards and
corporate policies regarding data privacy, security, and handling of personal information
should also be familiar to security managers. These policies offer detailed instructions on
acceptable employee behavior, job duties, and regulatory compliance.
 Personal Reflection

After reviewing the four case studies, it is evident that data breaches and privacy issues continue to
pose significant challenges in today's digital landscape. These case studies highlight various aspects of
data breaches, including the attack vectors, vulnerabilities, and the consequences faced by the affected
organizations. Here are some personal reflections on these case studies:

Alpha under attack – lost millions of customer’s sensitive information:

The Alpha case study highlights how crucial it is to take preventative security measures and respond
to incidents. It demonstrates that the breach still had serious effects due to slow detection and
response, even with a third-party forensic team in place. To prevent and lessen such attacks, it
highlights the importance of strong cybersecurity practices, such as regular system audits, vendor
security assessments, and employee training.
Visa's Goes Solution:
The use of blockchain for B2B payments by Visa demonstrates the potential of cutting-edge
technologies to improve transaction security, speed, and transparency. The growing interest in
blockchain as a solution for safe and effective financial transactions is reflected in this case study. It
emphasizes how crucial it is for seasoned financial institutions and creative startups to work together
to advance the payments sector.
The Hack at UC Berkley:
The University of California at Berkeley case study demonstrates the difficulties that educational
institutions face in keeping up effective cybersecurity measures. It serves as an example of the
consequences of ignoring known security flaws and the potential repercussions of unauthorized access
to sensitive data. In academic institutions, it serves as a reminder of the necessity of ongoing security
assessments, patch management, and extensive training programs.
The DoubleClick Case:
The DoubleClick case study clarifies the ethical concerns surrounding the privacy of user data and the
accountability of businesses when handling personal information. It illustrates the potential negative
effects of combining various datasets and the potential invasion of user privacy. This case study
emphasizes how crucial it is to uphold user confidence in the digital ecosystem through transparency,
consent, and adherence to privacy laws.
Overall, these case studies highlight the ever-evolving nature of cybersecurity and data privacy
challenges. They emphasize the need for organizations to prioritize security measures, remain vigilant
against potential vulnerabilities, and maintain a strong ethical stance regarding user data. Continuous
education, collaboration, and adherence to best practices are crucial in creating a safer and more
secure digital environment for individuals and businesses.
 References

https://www.checkpoint.com/cyber-hub/network-security/what-is-an-intrusion-detection-system-ids/ids-vs-ips/
Intrusion Detection System (IDS) Vs Intrusion Prevention System (IPS) – First paragraph/ Case Study: Alpha
under attack – lost millions of customers sensitive information/ Question 1 [1]

https://www.techtarget.com/searchsecurity/tip/How-to-prevent-a-data-breach-10-best-practices-and-tactics/
How to prevent a data breach: 10 best practices and tactics by Anrew Froehlich / Case Study: Alpha under
attack – lost millions of customers sensitive information/ Question 2 [2]

https://www.microsoftpressstore.com/articles/article.aspx?p=2224050&seqNum=4 /The Microsoft Press Store

by Pearson -Objective 1.4 / Case Study: Alpha under attack – lost millions of customers sensitive information/
Question 3 [3]

https://www.analyticsvidhya.com/blog/2022/09/concept-of-cryptography-in-blockchain / / Concept of
Cryptography in Blockchain - ANURAG SINGH CHOUDHARY – What is cryptography in blockchain? / Case
study: Visa Goes Blockchain / Question 2 [4]

https://www.blockchain-council.org/blockchain/what-is-blockchain-distributed-ledger-technology/ WHAT IS
BLOCKCHAIN (DISTRIBUTED LEDGER TECHNOLOGY)? - Toshendra Kumar Sharma - Blockchain &
Distributed Ledger Technology: How It Works?/ Case study: Visa Goes Blockchain / Question 2 [5]

https://www.onelogin.com/learn/otp-totp-hotp /What’s the Difference Between OTP, TOTP and HOTP? /Case
study: The Hack at UC Berkley/ Question 1 [6]

https://ww1.odu.edu/about/policiesandprocedures/computing/standards/01/02 / Old Dominion University

Information Technology Standard/ Case study: The Hack at UC Berkley/ Question 2 [7]

https://mymoodle.lnu.se/pluginfile.php/7777084/mod_resource/content/1/InfoSec%20Lecture-6%202023.pdf /
Lecture 6/ Page 23/ Information Security in Organizations / Sarfraz Iqbal and Lars Magnusson/ Linnaeus
University / Case study: The DoubleClick Case / Question 3 [8]

https://databrackets.com/comparing-nist-iso-27001-soc-2-and-other-security-standards-and-frameworks/
Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks / Case study: The
DoubleClick Case / Question 3 [9]

https://en.wikipedia.org/wiki/Global_Information_Assurance_Certification / Global Information Assurance

Certification from Wikipedia – First Paragraph/ Case study: The DoubleClick Case / Question 3 [10]