Need for Security
• Unlike any other business or information technology program, the primary
mission of an information security program is to ensure that information assets—
information and the systems that house them—remain safe and useful
• Organizations expend a lot of money and thousands of hours to maintain their
information assets
• The threat of attacks on information assets is a constant concern, and the need
for information security grows along with the sophistication of the attacks.
• While some organizations lump both information and systems under their
definition of an information asset, others prefer to separate the true information-
based assets (data, databases, data sets, and the applications that may use data)
from media—the systems and networks that store and transmit data
Information security performs four important functions for an organization:
• Protecting the organization’s ability to function
• Protecting the data and information the organization collects and
uses, whether physical or electronic
• Enabling the safe operation of applications running on the
organization’s IT systems
• Safeguarding the organization’s technology assets
Business Needs First
Key Terms:
• Data security: Commonly used as a surrogate for information security,
data security is the focus of protecting data or information in its
various states—at rest (in storage), in processing, and in transmission
(over networks).
• Database: A collection of related data stored in a structured form and
usually managed by a database management system.
• Database security: A subset of information security that focuses on
the assessment and protection of information stored in data
repositories like database management systems and storage media.
Business Needs First
Protecting Functionality:
• The three communities of interest—general management, IT
management, and information security management—are each
responsible for facilitating the information security program that
protects the organization’s ability to function.
• Although many business and government managers shy away from addressing
information security because they perceive it to be a technically
complex task, implementing information security actually has more to
do with management than with technology.
• Each of an organization’s communities of interest must address
information security in terms of business impact and the cost of
business interruption, rather than isolating security as a technical
problem
Business Needs First
Protecting Data That Organizations Collect and Use:
• Without data, an organization loses its record of transactions and its
ability to deliver value to customers.
• Any business, educational institution, or government agency that
operates within the modern context of connected and responsive
services relies on information systems.
• Even when transactions are not online, information systems and the data they
process enable the creation and movement of goods and services.
• Therefore, data security—protecting data in transmission, in processing,
and at rest (storage)—is a critical aspect of information security
• The value of data motivates attackers to steal, sabotage, or corrupt it
• An effective information security program implemented by management
protects the integrity and value of the organization’s data
Business Needs First
• Database security is accomplished by applying a broad range of control
approaches common to many areas of information security
• Managerial controls include policy, procedure, and governance.
• Technical controls used to secure databases rely on knowledge of access
control, authentication, auditing, application security, backup and
recovery, encryption, and integrity controls.
• Physical controls include the use of data centers with locking doors, fire
suppression systems, video monitoring, and physical security guards
Enabling the Safe Operation of Applications
• Today’s organizations are under immense pressure to acquire and operate
integrated, efficient, and capable applications.
• A modern organization needs to create an environment that safeguards
these applications, particularly those that are important elements of the
organization’s infrastructure—operating system platforms, certain
operational applications, electronic mail (e-mail), and instant messaging
(IM) applications, like text messaging (short message service, or SMS).
• Organizations acquire these elements from a service provider or they
implement their own.
• Once an organization’s infrastructure is in place, management must
continue to oversee it and not relegate its management to the IT
department
Safeguarding Technology Assets in Organizations
• To perform effectively, organizations must employ secure infrastructure
hardware appropriate to the size and scope of the enterprise.
For example, a small business may get by in its startup phase using a small-scale
firewall, such as a small office/home office (SOHO) device.
• As an organization grows to accommodate changing needs, more robust
technology solutions should replace security technologies the
organization has outgrown.
For example, a robust solution is a commercial-grade, unified security architecture
device complete with intrusion detection and prevention systems, public key
infrastructure (PKI), and virtual private network (VPN) capabilities.
Threats and Attacks
Key Terms:
• Attack: An intentional or unintentional act that can damage or otherwise
compromise information and the systems that support it. Attacks can be
active or passive and direct or indirect.
• Exploit: A technique used to compromise a system.
• Vulnerability: A potential weakness in an asset or its defensive control
systems.
Types of Attacks
Attacks and Misuse Categories
The 12 Categories of Threats
• There are 12 general categories of threats that represent a clear and present
danger to an organization’s people, information, and systems.
• Each organization must prioritize the threats it faces based on the
particular security situation in which it operates, its organizational strategy
regarding risk, and the exposure levels of its assets.
• Theft performed by a hacker falls into the category of “theft,” but it can
also be preceded by “espionage or trespass” as the hacker illegally
accesses the information.
• The theft may also be accompanied by defacement actions to delay
discovery, qualifying it for the category of “sabotage or vandalism.”
Compromises to Intellectual Property
Intellectual property (IP): The creation, ownership, and control of original ideas.
• Many organizations create or support the development of intellectual property
(IP) as part of their business operations.
• IP includes trade secrets, copyrights, trademarks, and patents. IP is protected by
copyright law and other laws.
Software piracy: The unauthorized duplication, installation, or distribution of
copyrighted computer software, which is a violation of intellectual property.
• The most common IP breach is the unlawful use or duplication of software-based
intellectual property, more commonly known as software piracy.
• Two organizations investigate allegations of software abuse: the Software &
Information Industry Association (SIIA) at www.siia.net, formerly known as the
Software Publishers Association, and the Business Software Alliance (BSA) at
www.bsa.org.
Compromises to Intellectual Property…
Copyright Protection and User Registration:
• A number of technical mechanisms—digital watermarks, embedded
code, copyright codes, and even the intentional placement of bad
sectors on software media—have been used to enforce copyright
laws.
• The most common tool is a unique software registration code in
combination with an end-user license agreement (EULA) that usually
pops up during the installation of new software.
Deviations in Quality of Service
Availability disruption: An interruption in service, usually from a service
provider, which causes an adverse event within an organization.
Downtime: The percentage of time a particular service is not available.
Service level agreement (SLA): A document or part of a document that
specifies the expected level of service from a service provider. An SLA usually
contains provisions for minimum acceptable availability and penalties or
remediation procedures for downtime.
Uptime: The percentage of time a particular service is available; the opposite
of downtime.
• Internet Service Issues
• Communications and Other Service Provider Issues
• Power Irregularities
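The downtime, uptime and SLA terms above, worked through in code. This is an added example, not from the slides: the 30-day reporting period, the outage windows and the 99.9 % SLA figure are constructed sample values. It shows the one step a simple percentage hides: overlapping outage reports from the provider and from internal monitoring must be merged so the same minutes are not counted twice.

```python
"""Availability, downtime and SLA check over constructed outage records."""
from datetime import datetime

# Constructed reporting period: one 30-day month.
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 3, 31)

# Constructed outage log: (start, end) of each interruption, as reported by the
# provider and by internal monitoring. Windows may overlap and must not be
# double-counted as downtime.
OUTAGES = [
    (datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 3, 30)),     # 90 min
    (datetime(2024, 3, 4, 3, 0), datetime(2024, 3, 4, 4, 0)),      # overlaps the one above
    (datetime(2024, 3, 18, 14, 0), datetime(2024, 3, 18, 16, 0)),  # 120 min
]

def merge_windows(windows):
    """Merge overlapping or touching outage windows so each minute counts once."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def downtime_percent(windows, period_start, period_end):
    """Downtime: share of the reporting period in which the service was not available."""
    period = (period_end - period_start).total_seconds()
    down = 0.0
    for start, end in merge_windows(windows):
        # Clip each window to the reporting period before adding it up.
        s, e = max(start, period_start), min(end, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return 100.0 * down / period

def sla_report(windows, period_start, period_end, sla_min_uptime):
    """Uptime is the complement of downtime; compare it with the SLA minimum."""
    down_pct = downtime_percent(windows, period_start, period_end)
    up_pct = 100.0 - down_pct
    return {"downtime_pct": round(down_pct, 4),
            "uptime_pct": round(up_pct, 4),
            "sla_met": up_pct >= sla_min_uptime}

if __name__ == "__main__":
    print(sla_report(OUTAGES, PERIOD_START, PERIOD_END, sla_min_uptime=99.9))
```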
Espionage or Trespass
• Competitive intelligence: The collection and analysis of information about
an organization’s business competitors through legal and ethical means
to gain business intelligence and competitive advantage.
• Industrial espionage: The collection and analysis of information about an
organization’s business competitors, often through illegal or unethical
means, to gain an unfair competitive advantage. Also known as corporate
spying.
• Shoulder surfing: The direct, covert observation of individual information or system use.
Hackers
Escalation of Privileges or Jail Breaking
• Once an attacker gains access to a system, the next step is to increase
his or her privileges.
• While most accounts associated with a system have only rudimentary
“use” permissions and capabilities, the attacker needs administrative or
“root” privileges.
Hacker Variants:
Cracker: A hacker who intentionally removes or bypasses software
copyright protection designed to prevent unauthorized duplication or
use.
Phreaker: A hacker who manipulates the public telephone system to
make free calls or disrupt services.
Password Attack
Password power
Forces of Nature
• Forces of nature, sometimes called acts of God, can present some of the
most dangerous threats because they usually occur with little warning
and are beyond the control of people.
• These threats, which include events such as fires, floods, earthquakes,
landslides, mudslides, windstorms, sandstorms, solar flares, and lightning
as well as volcanic eruptions and insect infestations, can disrupt not only
people’s lives but the storage, transmission, and use of information
Human Error or Failure
• This category includes acts performed without intent or malicious purpose
or in ignorance by an authorized user
• When people use information systems, mistakes happen.
• Similar errors happen when people fail to follow established policy.
• Inexperience, improper training, and incorrect assumptions are just a few
things that can cause human error or failure.
• Regardless of the cause, even innocuous mistakes can produce extensive
damage.
Social Engineering
• Social engineering is used by attackers to gain system access or
information that may lead to system access.
• There are several social engineering techniques, which usually involve a
perpetrator posing as a person who is higher in the organizational
hierarchy than the victim.
Social Engineering…
Information Extortion
• Information extortion: The act of an attacker or trusted insider who steals
or interrupts access to information from a computer system and demands
compensation for its return or for an agreement not to disclose the
information.
• Ransomware: Computer software specifically designed to identify and
encrypt valuable information in a victim’s system in order to extort
payment for the key needed to unlock the encryption.
• Information extortion, also known as cyberextortion, is common in the
theft of credit card numbers.
Sabotage or Vandalism
• This category of threat involves the deliberate sabotage of a computer
system or business, or acts of vandalism to destroy an asset or damage
the image of an organization.
• These acts can range from petty vandalism by employees to organized
sabotage against an organization.
Software Attacks
• Deliberate software attacks occur when an individual or group designs and
deploys software to attack a system.
• This attack can consist of specially crafted software that attackers trick
users into installing on their systems.
• This software can be used to overwhelm the processing capabilities of
online systems or to gain access to protected systems by hidden means
Malware:
Malware is also referred to as malicious code or malicious software. Other
attacks that use software, like redirect attacks and denial-of-service attacks,
also fall under this threat. These software components or programs are
designed to damage, destroy, or deny service to targeted systems.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
• Bot: An abbreviation of robot, an automated software program that
executes certain commands when it receives a specific input.
• Denial-of-service (DoS) attack: An attack that attempts to overwhelm a
computer target’s ability to handle incoming communications, prohibiting
legitimate users from accessing those systems.
• Distributed denial-of-service (DDoS) attack: A form of DoS attack in which
a coordinated stream of requests is launched against a target from many
locations at the same time using bots or zombies.
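From the defender’s side, the difference between the two definitions above is visible in a server’s own logs: a DoS flood comes from one dominant source, a DDoS flood from many. The following added example (not from the slides) flags minutes whose request rate exceeds a threshold and labels them accordingly; the log lines, addresses (documentation TEST-NET ranges), and thresholds are constructed sample values, and real thresholds must be tuned to a site’s normal traffic.

```python
"""Rate-based flagging of DoS vs DDoS traffic over constructed access-log lines."""
from collections import Counter, defaultdict
import re

# Common Log Format prefix: client IP, then "[dd/Mon/yyyy:hh:mm" captured to the minute.
LINE_RE = re.compile(r'^(\S+) - - \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} ')

def constructed_lines(sources, minute, count):
    """Build `count` constructed log lines within one minute, cycling over `sources`."""
    return [f'{sources[i % len(sources)]} - - [{minute}:{i % 60:02d} +0000] '
            f'"GET / HTTP/1.1" 200 512' for i in range(count)]

# Constructed traffic: a quiet minute, a flood from a single address, and a
# flood spread across a hundred addresses.
LOG_LINES = (
    constructed_lines(["192.0.2.10", "192.0.2.11"], "01/Mar/2024:10:00", 20)
    + constructed_lines(["198.51.100.7"], "01/Mar/2024:10:01", 500)
    + constructed_lines([f"203.0.113.{i}" for i in range(1, 101)], "01/Mar/2024:10:02", 500)
)

def classify_minutes(lines, rate_threshold=200, dominant_share=0.8):
    """Group requests per minute. Minutes over the rate threshold are labelled
    'dos' when one source sends at least `dominant_share` of the requests and
    'ddos' when the load is spread over many sources; others are 'normal'.
    Returns {minute: (label, total_requests, distinct_sources)}."""
    per_minute = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        ip, minute = m.group(1), m.group(2)
        per_minute[minute][ip] += 1
    verdicts = {}
    for minute, sources in sorted(per_minute.items()):
        total = sum(sources.values())
        if total <= rate_threshold:
            verdicts[minute] = ("normal", total, len(sources))
            continue
        top_share = sources.most_common(1)[0][1] / total
        kind = "dos" if top_share >= dominant_share else "ddos"
        verdicts[minute] = (kind, total, len(sources))
    return verdicts

if __name__ == "__main__":
    for minute, (kind, total, n_src) in classify_minutes(LOG_LINES).items():
        print(f"{minute}  {kind:6}  requests={total:4}  distinct_sources={n_src}")
```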
DOS…
Technical Hardware Failures or Errors
• Technical hardware failures or errors occur when a manufacturer
distributes equipment containing a known or unknown flaw.
• These defects can cause the system to perform outside of expected
parameters, resulting in unreliable service or lack of availability.
• Some errors are terminal—that is, they result in the unrecoverable loss of
the equipment.
Technical Software Failures or Errors
• Large quantities of computer code are written, debugged, published, and
sold before all their bugs are detected and resolved.
• Sometimes, combinations of certain software and hardware reveal new
failures that range from bugs to untested failure conditions.
• Sometimes these bugs are not errors, but purposeful shortcuts left by
programmers for benign or malign reasons.
Technological Obsolescence
• Antiquated or outdated infrastructure can lead to unreliable and
untrustworthy systems.
• Management must recognize that when technology becomes outdated,
there is a risk of losing data integrity from attacks.
• Management’s strategic planning should always include an analysis of the
technology currently in use.
• Ideally, proper planning by management should prevent technology from
becoming obsolete, but when obsolescence is clear, management must
take immediate action.
• IT professionals play a large role in the identification of probable
obsolescence.
Theft
The illegal taking of another’s property, which can be physical, electronic, or
intellectual.
The value of information is diminished when it is copied without the owner’s
knowledge.
Physical theft can be controlled easily using a wide variety of measures, from
locked doors to trained security personnel and the installation of alarm systems.
Electronic theft, however, is a more complex problem to manage and control.
When someone steals a physical object, the loss is easily detected; if it has any
importance at all, its absence is noted.
When electronic information is stolen, the crime is not always readily apparent.
If thieves are clever and cover their tracks carefully, the crime may remain
undiscovered until it is too late.