Ais 7 - C12

The document provides an overview of information security, detailing its history, key concepts, and the various layers of security necessary for organizations. It discusses the evolution of security measures from the early days of computing to the present, emphasizing the importance of protecting information assets against a wide range of threats. Additionally, it outlines the roles of security professionals and the need for a balanced approach to security that considers both protection and accessibility.
CHAPTER 1: INTRODUCTION TO INFORMATION SECURITY

The History of Information Security
• Began immediately following the development of the first mainframes
- Developed for code-breaking computations during World War II
- Multiple levels of security were implemented
• Primary threats
- Defending against physical theft, espionage, and sabotage

The 1960s
• Advanced Research Project Agency (ARPA) - Examined feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception
• Plan
- Link computers
- Resource sharing
- Link 17 Computer Research Centers
- Cost 3.4M
• ARPANET is predecessor to the Internet

The 1970s and 80s
• ARPANET grew in popularity
• Potential for misuse grew
• Fundamental problems with ARPANET security
- Individual remote sites were not secure from unauthorized users
- Vulnerability of password structure and formats
- No safety procedures for dial-up connections to ARPANET
- Non-existent user identification and authorization to system
• Rand Report R-609
- Paper that started the study of computer security
- Information Security as we know it began
• Scope of computer security grew from physical security to include:
- Safety of data
- Limiting unauthorized access to data
- Involvement of personnel from multiple levels of an organization

MULTICS - Early focus of computer security research
• System called Multiplexed Information and Computing Service (MULTICS)
• First operating system created with security as its primary goal
• Several MULTICS key players created UNIX

Late 1970s
• Microprocessor expanded computing capabilities
• Mainframe presence reduced
• Expanded security threats

The 1990s
• Networks of computers became more common
• Need to interconnect networks grew
• Internet became first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority

2000 to Present
• Millions of computer networks communicate
• Many of these communications are unsecured and have become more exposed to security threats
• Growing threat of cyber attacks has increased the need for improved security

What is Security?
“The quality or state of being secure—to be free from danger.”

A successful organization should have multiple layers of security in place:
A. Physical security - To protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
B. Personal security - To protect the individual or group of individuals who are authorized to access the organization and its operations.
C. Operations security – To protect the details of a particular operation or series of activities.
D. Communications security – To protect an organization’s communications media, technology, and content.
E. Network security – To protect networking components, connections, and contents.
F. Information security - To protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission.
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology

KEY INFORMATION SECURITY CONCEPTS
a. Access - a subject or object’s ability to use, manipulate, modify, or affect another subject or object.
b. Asset - the organizational resource that is being protected.
c. Exposure - a single instance of being open to damage.
d. Loss - when an organization’s information is stolen, it has suffered a loss.
e. Exploit - to take advantage of weaknesses or vulnerability in a system.
f. Attack - an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
g. Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
h. Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system.
i. Risk - the probability that something can happen.
j. Security Blueprint - the plan for the implementation of new security measures in the organization.
k. Security Model - a collection of specific security rules that represents the implementation of a security policy.
l. Subjects and Objects - an active entity that interacts with an information system and causes information to move through the system for a specific end purpose.
m. Threat - a category of objects, persons, or other entities that
n. Threat Agent - a specific instance or component of a more general threat.
o. Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage.

Critical Characteristics of Information
- The value of information comes from the characteristics it possesses:
• Availability - Enables users who need to access information to do so without interference or obstruction and in the required format.
• Accuracy - Free from mistake or error and having the value that the end user expects.
• Authenticity - The quality or state of being genuine or original, rather than a reproduction or fabrication.
• Confidentiality - The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
• Integrity - The quality or state of being whole, complete, and uncorrupted.
• Possession - The quality or state of having ownership or control of some object or item.

Components of an information system
- Information system (IS) is the entire set of components necessary to use information as a resource in the organization:
o Software
o Hardware
o Data
o People
o Procedures
o Networks

Balancing Information Security and Access
• Impossible to obtain perfect security
• Process, not an absolute
• Security should be considered a balance between protection and availability
• Must allow reasonable access, yet protect against threats

APPROACHES TO INFORMATION SECURITY
A. Implementation: Bottom-Up Approach
- Grassroots effort - systems administrators drive it
- Key advantage: technical expertise of individual administrators
- Seldom works
- Lacks a number of critical features: participant support; organizational staying power
B. Implementation: Top-Down Approach
- Initiated by upper management
o Issue policy, procedures, and processes
o Dictate goals and expected outcomes of project
o Determine accountability for each required action
- Most successful
- Involves formal development strategy
- Systems development life cycle

SECURITY PROFESSIONALS AND THE ORGANIZATION
- Wide range of professionals required to support a diverse information security program
- Senior management is key component
- Additional administrative support and technical expertise are required to implement details of IS program

Senior Management
1. Chief Information Officer (CIO) - Senior technology officer
- Primarily responsible for advising senior executives on strategic planning
2. Chief Information Security Officer (CISO) - Primarily responsible for assessment, management, and implementation of IS in the organization
- Usually reports directly to the CIO

Information Security Project Team - A number of individuals who are experienced in one or more facets of required technical and nontechnical areas:
1. Team leader
2. Security policy developers
3. Risk assessment specialists
4. Security professionals
5. Systems administrators
6. End users

DATA RESPONSIBILITIES
A. Data owner: responsible for the security and use of a particular set of information
B. Data custodian: responsible for storage, maintenance, and protection of information
C. Data users: end users who work with information to perform their daily jobs supporting the mission of the organization

Communities of Interest - Group of individuals united by similar interests/values within an organization
• Information security management and professionals
• Information technology management and professionals
• Organizational management and professionals

CHAPTER 2: THE NEED FOR SECURITY

Introduction
• Primary mission of information security is to ensure systems and contents stay the same
• If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness
• Attacks on information systems are a daily occurrence

Business Needs First
• Information security performs four important functions for an organization:
- Protects the organization’s ability to function
- Enables safe operation of applications implemented on its IT systems
- Protects data the organization collects and uses
- Safeguards technology assets in use

Protecting the Functionality of an Organization
- Management (general and IT) responsible for implementation
- Information security is both a management issue and a people issue
- The organization should address information security in terms of business impact and cost

Enabling the Safe Operation of Applications
- Organization needs environments that safeguard applications using IT systems
- Management must continue to oversee infrastructure once in place—not relegate to IT department

Protecting Data that Organizations Collect and Use
- Organization, without data, loses its record of transactions and/or ability to deliver value to customers
- Protecting data in motion and data at rest are both critical aspects of information security

Safeguarding Technology Assets in Organizations
- Organizations must have secure infrastructure services based on size and scope of enterprise
- Additional security services may be needed as organization grows
- More robust solutions may be needed to replace security programs the organization has outgrown

Threats
• Threat: an object, person, or other entity that represents a constant danger to an asset
- Management must be informed of the different threats facing the organization

CATEGORY OF THREATS
1. Compromises to Intellectual Property
Example: piracy, copyright infringement
- Intellectual property (IP): ownership of ideas and control over the tangible or virtual representation of those ideas
- Most common IP breaches involve software piracy
- Two watchdog organizations investigating software abuse:
o Software & Information Industry Association (SIIA)
o Business Software Alliance (BSA)
- Enforcement of copyright law has been attempted with technical security mechanisms

2. Deliberate Software Attacks
- Malicious software (malware) designed to damage, destroy, or deny service to target systems
- Includes: viruses, worms, Trojan horses, logic bombs, polymorphic threats, rootkits, man-in-the-middle, ransomware, adware, bots

3. Deviations in Quality of Service
Example: ISP, power, or WAN service issues from service providers
- Situations where products or services are not delivered as expected
- Information system depends on many interdependent support systems
- Internet service, communications, and power irregularities dramatically affect the availability of information and systems.
a. Internet service issues – Internet service provider (ISP) failures can considerably undermine availability of information – Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software.
b. Communications and other service provider issues – Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc. – Loss of these services can affect organization’s ability to function
c. Power irregularities – Commonplace
– Organizations with inadequately conditioned power are susceptible
– Controls can be applied to manage power quality
– Fluctuations (short or prolonged)
• Excesses (spikes or surges) – voltage increase
• Shortages (sags or brownouts) – low voltage
• Losses (faults or blackouts) – loss of power

4. Espionage or Trespass
- Access of protected information by unauthorized individuals
- Shoulder surfing can occur anywhere a person accesses confidential information
- Hackers use skill, guile, or fraud to bypass controls protecting others’ information
• Expert hacker – Develops software scripts and program exploits – Usually a master of many skills – Will often create attack software and share with others
• Unskilled hacker – Many more unskilled hackers than expert hackers – Use expertly written software to exploit a system – Do not usually fully understand the systems they hack
• Other terms for system rule breakers:
o Cracker: “cracks” or removes software protection designed to prevent unauthorized duplication
o Phreaker: hacks the public telephone network

5. Forces of Nature
Example: fire, flood, earthquake, lightning
- Among the most dangerous threats
- Disrupt not only individuals’ lives but also storage, transmission, and use of information
- Organizations must implement controls to limit damage and prepare contingency plans for continued operations

6. Human Error or Failure
Example: accidents, employee mistakes
- Acts performed without malicious intent due to inexperience, improper training, incorrect assumptions
- Employees are among the greatest threats to an organization’s data
- Employees’ mistakes can lead to: revelation of classified data, entry of erroneous data, accidental data deletion or modification, data storage in unprotected areas, and failure to protect information.
- Many of these threats can be prevented with controls

7. Information Extortion
Example: blackmail, information disclosure
- Attacker steals information from a computer system and demands compensation for its return or nondisclosure
- Commonly done in credit card number theft

8. Missing, Inadequate, or Incomplete Organizational Policy or Planning and Controls
Example: loss of access to information systems due to disk drive failure without a proper backup and recovery plan (organizational policy or planning); network compromised because of no firewall (security controls)
- Can make organizations vulnerable to loss, damage or disclosure of information assets.
- Can make an organization more likely to suffer losses when other threats lead to attacks

9. Sabotage or Vandalism
Example: destruction of systems or information
- Threats can range from petty vandalism to organized sabotage
- Web site defacing can erode consumer confidence, dropping sales and organization’s net worth
- Threat of hacktivist or cyber-activist operations rising
• Cyberterrorism: much more sinister form of hacking

10. Theft
- Illegal taking of another’s physical, electronic, or intellectual property
- Physical theft is controlled relatively easily
- Electronic theft is a more complex problem; evidence of crime not readily apparent

11. Technical Hardware/Software Failures or Errors
Example: equipment failure; bugs, code problems, unknown loopholes
- Occur when manufacturer distributes equipment/software containing flaws to users
- Can cause system to perform outside of expected parameters, resulting in unreliable or poor service.
- Some errors are terminal; some are intermittent
- Purchased software that contains unrevealed faults.
- Combinations of certain software and hardware can reveal new software bugs.
- Entire Web sites dedicated to documenting bugs.

12. Technological Obsolescence
Example: antiquated or outdated technologies
- Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
- Proper managerial planning should prevent technology obsolescence. IT plays a large role

ATTACKS - Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system – Accomplished by a threat agent that damages or steals an organization’s information

Types of attacks
a. Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
b. Hoaxes: transmission of a virus hoax with a real virus attached; a more devious form of attack.
c. Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
d. Password crack: attempting to reverse-calculate a password
e. Brute force: trying every possible combination of options of a password
f. Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
g. Denial-of-service (DoS): attacker sends a large number of connection or information requests to a target.
- A hacker compromises a system and uses that to attack the target computer, flooding it with more requests for services than the target can handle
o Target system cannot handle them successfully along with other, legitimate service requests
o May result in system crash or inability to perform ordinary functions
h. Distributed denial-of-service (DDoS): coordinated stream of requests is launched against a target from many locations simultaneously.
- Dozens or even hundreds of computers (known as zombies) are compromised, loaded with DoS attack software, and then remotely activated by the hacker to conduct a coordinated attack.
i. Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
j. Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into the network
k. Mail bombing: also a DoS; attacker routes large quantities of e-mail to the target
l. Sniffers: program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network
m. Phishing: an attempt to gain personal/financial information from an individual, usually by posing as a legitimate entity
n. Pharming: redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information
o. Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker

– “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.” — Kevin Mitnick

p. Timing attack: relatively new; works by exploring contents of a Web browser’s cache to create a malicious cookie
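As an added example (not from these notes or the textbook they summarize), the Python below shows how a defender would recognize two of the attack types listed above in authentication and request logs: password guessing (items d to f) appears as a burst of failed logins against one account, and a DoS flood (item g) appears as one source's request count dwarfing everyone else's. The log format, event names, addresses and thresholds are assumptions made for this illustration.

```python
# Added example (not part of the lecture notes): log triage that flags two attack
# patterns from the list above, from the defender's side: password guessing (brute
# force / dictionary: many LOGIN_FAIL events on one account in a short window) and
# DoS flooding (one source sending far more requests than the others). The log
# format, event names and thresholds are assumptions for this illustration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample log: '<ISO time> <source ip> <event> <account>' per line."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # dictionary-style guessing: 8 failures against one account within 40 seconds
    lines += [f"{stamp(5 * i)} 203.0.113.7 LOGIN_FAIL alice" for i in range(8)]
    # an ordinary user mistyping twice, then succeeding: must not be flagged
    lines += [f"{stamp(10)} 192.0.2.5 LOGIN_FAIL bob",
              f"{stamp(40)} 192.0.2.5 LOGIN_FAIL bob",
              f"{stamp(55)} 192.0.2.5 LOGIN_OK bob"]
    # flood: 30 requests in 30 seconds from one source vs. 3 from a normal client
    lines += [f"{stamp(i)} 198.51.100.9 REQUEST -" for i in range(30)]
    lines += [f"{stamp(20 * i)} 192.0.2.5 REQUEST -" for i in range(3)]
    return "\n".join(lines)


def parse(text):
    """Parse log text into (timestamp, source, event, account) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, event, account = line.split()
        events.append((datetime.fromisoformat(ts), src, event, account))
    return events


def password_guessing(events, window=timedelta(seconds=60), threshold=5):
    """Accounts with >= threshold LOGIN_FAIL events inside any `window`;
    returns {account: peak failure count seen in one window}."""
    failures = defaultdict(list)
    for ts, _src, event, account in events:
        if event == "LOGIN_FAIL":
            failures[account].append(ts)
    flagged = {}
    for account, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


def request_flood(events, threshold=20):
    """Source addresses sending >= threshold REQUEST events (suspected DoS)."""
    counts = Counter(src for _ts, src, event, _acct in events if event == "REQUEST")
    return {src: n for src, n in counts.items() if n >= threshold}
```

Running `password_guessing(parse(constructed_log()))` flags only `alice`, and `request_flood` flags only `198.51.100.9`; in practice the thresholds are tuned per environment and the same source-based count is the first signal for the DDoS case, where many zombie sources together exceed the target's capacity.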
