Understanding Information Security Threats

Chapter 2 discusses the critical need for information security in organizations, highlighting its role in protecting functionality, data, and technology assets. It outlines various threats to information security, including deliberate attacks, human error, and natural disasters, emphasizing the importance of management awareness and robust security measures. The chapter also details different types of attacks and vulnerabilities that organizations must guard against to maintain operational integrity and safeguard sensitive information.

Chapter 2

The Need for Security

Introduction
• Primary mission of information security is to ensure systems and their contents stay the same
• If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness
• Attacks on information systems are a daily occurrence
Principles of Information Security, Fourth Edition

Business Needs First
• Information security performs four important functions for an organization
– Protects the organization’s ability to function
– Enables safe operation of applications implemented on its IT systems
– Protects data the organization collects and uses
– Safeguards technology assets in use

Protecting the Functionality of an Organization
• Management (general and IT) is responsible for implementation
• Information security is both a management issue and a people issue
• Organization should address information security in terms of business impact and cost

Enabling the Safe Operation of Applications
• Organization needs environments that safeguard applications using IT systems
• Management must continue to oversee infrastructure once in place, not relegate it to the IT department

Protecting Data that Organizations Collect and Use
• Organization, without data, loses its record of transactions and/or ability to deliver value to customers
• Protecting data in motion and data at rest are both critical aspects of information security

Safeguarding Technology Assets in Organizations
• Organizations must have secure infrastructure services based on size and scope of enterprise
• Additional security services may be needed as organization grows
• More robust solutions may be needed to replace security programs the organization has outgrown

Threats
• Threat: an object, person, or other entity that represents a constant danger to an asset
• Management must be informed of the different threats facing the organization
Table 2-1 Threats to Information Security

Compromises to Intellectual Property
• Intellectual property (IP): “ownership of ideas and control over the tangible or virtual representation of those ideas”
• The most common IP breaches involve software piracy
• Two watchdog organizations investigate software abuse:
– Software & Information Industry Association (SIIA)
– Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with technical security mechanisms

Deliberate Software Attacks
• Malicious software (malware) designed to damage, destroy, or deny service to target systems
• Includes:
– Viruses
– Worms
– Trojan horses
– Logic bombs
– Polymorphic threats
– Rootkits
– Man-in-the-middle
– Ransomware
– Adware
– Bots

Deviations in Quality of Service
• Includes situations where products or services are not delivered as expected
• Information system depends on many interdependent support systems
• Internet service, communications, and power irregularities dramatically affect availability of information and systems

Deviations in Quality of Service (cont’d.)
• Internet service issues
– Internet service provider (ISP) failures can considerably undermine availability of information
– Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software
• Communications and other service provider issues
– Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc.
– Loss of these services can affect organization’s ability to function

Deviations in Quality of Service (cont’d.)
• Power irregularities
– Commonplace
– Organizations with inadequately conditioned power are susceptible
– Controls can be applied to manage power quality
– Fluctuations (short or prolonged)
• Excesses (spikes or surges) – voltage increase
• Shortages (sags or brownouts) – low voltage
• Losses (faults or blackouts) – loss of power

Espionage or Trespass
• Access of protected information by unauthorized individuals
• Shoulder surfing can occur anywhere a person accesses confidential information
• Hackers use skill, guile, or fraud to bypass controls protecting others’ information
Figure 2-5 Shoulder Surfing
Figure 2-6 Hacker Profiles

Espionage or Trespass (cont’d.)
• Expert hacker
– Develops software scripts and program exploits
– Usually a master of many skills
– Will often create attack software and share it with others
• Unskilled hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they hack

Espionage or Trespass (cont’d.)
• Other terms for system rule breakers:
– Cracker: “cracks” or removes software protection designed to prevent unauthorized duplication
– Phreaker: hacks the public telephone network

Forces of Nature
• Forces of nature are among the most dangerous threats
• Disrupt not only individual lives, but also storage, transmission, and use of information
• Organizations must implement controls to limit damage and prepare contingency plans for continued operations

Human Error or Failure
• Includes acts performed without malicious intent
• Causes include:
– Inexperience
– Improper training
– Incorrect assumptions
• Employees are among the greatest threats to an organization’s data

Human Error or Failure (cont’d.)
• Employee mistakes can easily lead to:
– Revelation of classified data
– Entry of erroneous data
– Accidental data deletion or modification
– Data storage in unprotected areas
– Failure to protect information
• Many of these threats can be prevented with controls
Figure 2-8 Acts of Human Error or Failure

Information Extortion
• Attacker steals information from computer system and demands compensation for its return or nondisclosure
• Commonly done in credit card number theft

Missing, Inadequate, or Incomplete Organizational Policy or Planning and Controls
• Can make organizations vulnerable to loss, damage, or disclosure of information assets
• Can make an organization more likely to suffer losses when other threats lead to attacks

Sabotage or Vandalism
• Threats can range from petty vandalism to organized sabotage
• Web site defacing can erode consumer confidence, dropping sales and organization’s net worth
• Threat of hacktivist or cyber-activist operations is rising
• Cyberterrorism: a much more sinister form of hacking

Theft
• Illegal taking of another’s physical, electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is a more complex problem; evidence of the crime is not readily apparent

Technical Hardware Failures or Errors
• Occur when manufacturer distributes equipment containing flaws to users
• Can cause system to perform outside of expected parameters, resulting in unreliable or poor service
• Some errors are terminal; some are intermittent

Technical Software Failures or Errors
• Purchased software that contains unrevealed faults
• Combinations of certain software and hardware can reveal new software bugs
• Entire Web sites are dedicated to documenting bugs

Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
• Proper managerial planning should prevent technology obsolescence
• IT plays a large role

Attacks
• Attacks
– Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
– Accomplished by a threat agent that damages or steals the organization’s information
• Types of attacks
– Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
– Hoaxes: transmission of a virus hoax with a real virus attached; a more devious form of attack

Attacks (cont’d.)
• Types of attacks (cont’d.)
– Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism
– Password crack: attempting to reverse-calculate a password
– Brute force: trying every possible combination of options of a password
– Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses

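The brute-force and dictionary attacks listed above leave a recognisable footprint in authentication logs: many failed logins from one source in a short time, against one account or against several. The Python below is an added example, not code from the slides or the textbook; the sshd-style log format, the sample lines, the addresses and the thresholds are all constructed for illustration.

```python
# Added example: flag password-guessing activity (the brute-force and
# dictionary attacks defined on the slides) in authentication logs.
# The sshd-like log format and every sample line below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 203.0.113.7 hammers one account (brute force); 198.51.100.4 walks through
# several privileged accounts with a short list of guesses (dictionary
# attack); 192.0.2.9 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:02 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:04 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:09 sshd: Failed password for admin from 198.51.100.4
2024-03-01T10:00:10 sshd: Failed password for root from 198.51.100.4
2024-03-01T10:00:11 sshd: Failed password for backup from 198.51.100.4
2024-03-01T10:00:12 sshd: Failed password for admin from 198.51.100.4
2024-03-01T10:00:20 sshd: Failed password for bob from 192.0.2.9
2024-03-01T10:00:25 sshd: Accepted password for bob from 192.0.2.9
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)$")

def detect_password_guessing(log_text, threshold=4, window_s=60):
    """One alert per source IP with >= threshold failed logins inside a
    sliding window of window_s seconds. A single account under attack is
    labelled 'brute force'; several accounts from one source, 'dictionary'."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(list)  # ip -> [(timestamp, account), ...]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # successful logins and unrelated lines are ignored
            failures[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    alerts = []
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                accounts = sorted({u for _, u in events[start:end + 1]})
                alerts.append({"source": ip, "failures": end - start + 1,
                               "accounts": accounts,
                               "pattern": "brute force" if len(accounts) == 1
                               else "dictionary"})
                break  # one alert per source is enough
    return alerts
```

Raising the threshold or shrinking the window trades missed slow attacks for fewer false alarms on users who simply mistype; account lockout and rate limiting are the controls that act on what this detector reports.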
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Denial-of-service (DoS): attacker sends large number of connection or information requests to a target
• Target system cannot handle them successfully along with other, legitimate service requests
• May result in system crash or inability to perform ordinary functions
– Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously
Figure 2-11 Denial-of-Service Attacks

Attacks (cont’d.)
• Types of attacks (cont’d.)
– Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
– Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network
– Mail bombing: also a DoS; attacker routes large quantities of e-mail to target
Figure 2-12 IP Spoofing
Figure 2-13 Man-in-the-Middle Attack

Attacks (cont’d.)
• Types of attacks (cont’d.)
– Sniffers: program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network
– Phishing: an attempt to gain personal/financial information from individual, usually by posing as legitimate entity
– Pharming: redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information

Attacks (cont’d.)
• Types of attacks (cont’d.)
– Social engineering: using social skills to convince people to reveal access credentials or other valuable information to attacker
– “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.” — Kevin Mitnick
– Timing attack: relatively new; works by exploring contents of a Web browser’s cache to create malicious cookie