Winning Answers to 500 Interview Questions - Page 12

By Nhat Nguyen

24. What accomplishment has given you the most satisfaction?
Why this question is being asked: A predictor of your ability to accomplish things in the future is partly based on what you've accomplished in the past.

Strategy: Provide an accomplishment that would be relevant to the job you are interviewing for. Paint a picture of what you accomplished, how you went about accomplishing it and why it was important.
Sample answer: I've always been good at multi-tasking but I was not sure that I'd be able to go to school full-time while working and raising a family. It wasn't always easy but I was
Aug 19, 2022

Principle of Information Security Module 4 Risk Management part 4

Risk Assessment: Risk Identification.

The first operational phase of the RM process is the identification of risk. As a reminder, risk assessment includes risk identification as well as risk analysis and risk determination. Risk identification begins with the process of self-examination. As Sun Tzu stated, the organization must know itself to understand the risk to its information assets and where that risk resides. At this stage, managers must

  • identify the organization’s information assets,
  • classify them,
  • categorize them into useful groups, and
  • prioritize them by overall importance.

This can be a daunting task, but it must be done to identify weaknesses and the threats they present.

The RM process team must initially confirm or define the categories and classifications to be used for the information assets, once identified. Some organizations prefer to collect the inventory first and then see what natural categories and classifications emerge; those areas are discussed later in this module. Once the risk management team has its organization formalized, it begins with the first major task of risk identification.

Identification of Information Assets The risk identification process begins with the identification and cataloging of information assets, including people, procedures, data, software, hardware, and networking elements. This step should be done without prejudging the value of each asset; values will be assigned later in the process.

One of the toughest challenges in the RM process is identifying information assets with precision for the purposes of risk management. In the most general sense, an information asset is any asset that collects, stores, processes, or transmits information, or any collection, set, or database of information that is of value to the organization. For these purposes, the terms data and information are commonly used interchangeably. In some RM efforts, the information and its supporting technology—hardware, software, data, and personnel—are defined separately, and the decision whether to include a specific category or component is made by the RM process team.

Some commercial RM applications simplify the decision by separating information assets from media. Media in this context include hardware, integral operating systems, and utilities that collect, store, process, and transmit information, leaving only the data and applications designed to directly interface with the data as information assets for the purposes of RM. When the application interfaces with an external database or data file (data set), each is treated as a separate, independent information asset. When an application has data that is integral to its operations, it is treated as a single information asset.

By separating components that are much easier to replace (hardware and operating systems) from the information assets that are in some cases almost irreplaceable, the RM effort becomes much more straightforward. After all, what is the organization most concerned with? Is it the physical server used to host a critical application? Or is it the application and its data? Servers, switches, routers, and most host technologies are relatively interchangeable. If a server dies, the organization simply replaces it and then reloads the applications and data that give that server purpose in the organization. If an application dies, the replacement effort may be much more substantial than simply reinstalling an off-the-shelf application. Most core applications are heavily customized or even custom-developed for a particular purpose. This is not to insinuate that some assets don’t have value to the organization, but that they are not necessarily integral to an RM program.

Some organizations choose to focus narrowly on their initial RM process and then add information assets in later iterations. They may begin with data and core applications, add comm

Aug 19, 2022 (36:04)
Principle of Information Security Module 4 Risk Management part 3

Framework Implementation.

Once the framework team has finished designing the RM program (framework and process), it begins implementing the program. As with any major project, this involves specifying the project manager for the process and laying out the detailed implementation methodology. The RM process, which is specified in the right half of Figure 4-1, provides general steps to follow in the conduct of risk evaluation and remediation and is designed to be intentionally vague so it can be adapted to any one of the methodologies available.

The implementation of the RM plan, specifically including the RM process, could be based on several traditional IT implementation methods and is likely to be influenced by the organization’s risk appetite:

  • The organization may distribute the plan to all mid- to upper-level managers for a desk check prior to deployment.
  • The organization could pilot-test the plan in a small area to gauge initial issues and success prior to deployment across the entire organization.
  • The organization may use a phased approach in which only a portion of the RM program is initially implemented, such as initial meetings with key managers or initial inventory of information assets.
  • The bold organization with a larger risk appetite may simply choose a direct cutover (also known as a cold-turkey conversion) in which the new RM project is launched in totality across the entire organization.

Whatever rollout method is selected, it is important for the RM framework team to carefully monitor, communicate, and review the implementation so it can detect and address issues before they become threatening to the viability of the program, as discussed in the next section.

Framework Monitoring and Review.

After the initial implementation and as the RM effort proceeds, the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the utility and relative success of the framework planning function itself. In the first few iterations, the framework team will examine how successful it was in designing and implementing the RM framework, plan, and RM process, and what issues required adjustments of the plan. The framework itself only exists as a methodology to design and implement the process, so once the framework is documented in the RM plan, the success of the process becomes the greatest concern. Success or failure in the framework’s planning process may be relatively simple to resolve if addressed early, but issues downstream in the actual RM process may require redesign all the way back up to the framework and then modification of the RM plan. Performance measures, which are described in detail in Module 12, are often used to collect data about the RM process and determine its relative success or failure. The results of these assessments are used in the continuous improvement stage, which is described next.

Once the RM process is implemented and operating, the framework team is primarily concerned with the monitoring and review of the RM process cycle. However, until the framework and plan are implemented and operational, the framework team is also concerned with oversight of the RM framework and plan. The governance group also expects regular feedback on the entire RM program, including information about the relative success and progress of both the framework and process activities.

The Risk Management Process.

During the implementation phase of the RM framework, the RM plan guides the implementation of the RM process, in which risk evaluation and remediation of key assets are conducted. The three communities of interest must work together to address every level of risk, ranging from full-scale disasters (whether natural or human-made) to the smallest mistake made by an employee. To do so, representatives from each community collaborate to be actively involved in RM process activities. This process uses the specific knowledge and perspective of the team to complete the foll
Aug 16, 2022 (08:29)
Principle of Information Security Module 4 Risk Management part 2

The Roles of the Communities of Interest.

Each community of interest has a role to play in managing the risks that an organization encounters. Because members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk to information assets. Management and users, when properly trained and kept aware of the threats the organization faces, play a part in early detection and response.

Management must also ensure that sufficient time, money, personnel, and other resources are allocated to the information security and information technology groups to meet the organization’s security needs. Users work with systems and data and are therefore well positioned to understand the value these information assets offer the organization. Users also understand which assets are the most valuable. The information technology community of interest must build secure systems and operate them safely. For example, IT operations ensure good backups to control the risk of data loss due to hard drive failure. The IT community can provide both valuation and threat perspectives to management during the risk management process. The information security community of interest must pull it all together in the risk management process.

All communities of interest must work together to address all levels of risk, which range from disasters that can devastate the whole organization to the smallest employee mistakes. The three communities of interest—InfoSec, IT, and general management—are also responsible for the following:

  • Evaluating current and proposed risk controls
  • Determining which control options are cost-effective for the organization
  • Acquiring or installing the needed controls
  • Ensuring that the controls remain effective

Because threats to assets are constantly changing, all three communities of interest must conduct periodic managerial reviews or audits, with general management usually providing oversight and access to information retained outside the IT department. The first managerial review is of the asset inventory. On a regular basis, management must ensure that the completeness and accuracy of the asset inventory are verified, usually through an IT audit. In addition, IT and information security must review and verify threats and vulnerabilities in the asset inventory, as well as current controls and mitigation strategies. They must also review the cost-effectiveness of each control and revisit decisions for deploying controls. Furthermore, managers at all levels must regularly verify the ongoing effectiveness of every deployed control. For example, a business manager might assess control procedures by periodically walking through the office after the workday ends, ensuring that all classified information is locked up, that all workstations are shut down, that all users are logged off, and that offices are secured. Managers may further ensure that no sensitive information is discarded in trash or recycling bins. Such controls are effective ways for managers and employees alike to ensure that no information assets are placed at risk. Other controls include following policy, promoting training and awareness, and employing appropriate technologies.

Aug 16, 2022 (10:09)
Principle of Information Security Module 4 Risk Management part 1

By the end of this module, you should be able to:

  • Define risk management and describe its importance.
  • Explain the risk management framework and process model, including major components.
  • Define risk appetite and explain how it relates to residual risk.
  • Describe how risk is identified and documented.
  • Discuss how risk is assessed based on likelihood and impact.
  • Describe various options for a risk treatment and risk control strategy.
  • Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis.
  • Compare and contrast the dominant risk management methodologies.

Introduction to Risk Management

The upper management of an organization is responsible for overseeing, enabling, and supporting the structuring of IT and information security functions to defend its information assets. Part of upper management’s information security governance requirement is the establishment and support of an effective risk management (RM) program. The IT community must serve the information technology needs of the entire organization and at the same time leverage the special skills and insights of the InfoSec community in supporting the RM program. The InfoSec team must lead the way with skill, professionalism, and flexibility as it works with other communities of interest to balance the usefulness and security of information systems, as well as evaluating and controlling the risks facing the organization’s information assets.

In the early days of IT, corporations used computer systems mainly to gain a definitive advantage over the competition. Establishing a superior business model, method, or technique enabled an organization to provide a product or service that created a competitive advantage. In the modern business environment, however, all competitors have reached a certain level of technological competence and resilience. IT is now readily available to all organizations that make the investment, allowing them to react quickly to changes in the market. In this highly competitive environment, organizations cannot expect the implementation of new technologies to provide a competitive lead over others in the industry. Instead, the concept of avoidance of competitive disadvantage—working to prevent falling behind the competition—has emerged. Effective IT-enabled organizations quickly absorb relevant emerging technologies not just to gain or maintain competitive advantage, but to avoid loss of market share from an inability to maintain the highly responsive services required by their stakeholders.

To keep up with the competition, organizations must design and create safe environments in which their business processes and procedures can function. These environments must maintain confidentiality and privacy and assure the integrity of an organization’s data—objectives that are met by applying the principles of risk management. As an aspiring information security professional, you will play a key role in risk management.

This module explores a variety of risk management approaches and provides a discussion of how risk is identified and assessed. The module includes a section on selecting and implementing effective control strategies for the protection of information assets in the modern organization.

Aug 15, 2022 (10:06)
Principle of Information Security Module 3 Information Security Management part 11

Other Sources of Security Frameworks

Many public and private organizations promote solid best security practices. Professional societies often provide information on best practices for their members. The Technology Manager’s Forum (www.techforum.com) has an annual best practice award in several areas, including information security. The Information Security Forum (www.securityforum.org) has a free publication titled “Standard of Good Practice for Information Security,” which outlines information security best practices.

Many organizations hold seminars and classes on best practices for implementing security; in particular, the Information Systems Audit and Control Association (www.isaca.org) hosts regular seminars. The International Association of Professional Security Consultants (www.iapsc.org) has a listing of best practices. At a minimum, information security professionals can peruse Web portals for posted security best practices. Several free portals dedicated to security have collections of best practices, such as SearchSecurity.com and NIST’s Computer Resources Center.

Design of the Security Architecture.

To inform the discussion of information security program architecture and to illustrate industry best practices, the following sections outline a few key components of security architecture. Many of these components are examined in detail in later modules of the book, but this overview can help you assess whether a framework and blueprint are on target to meet an organization’s needs.

Spheres of Security

The spheres of security, shown in Figure 3-10, are the foundation of the security framework. Generally speaking, the spheres of security illustrate how information is under attack from a variety of sources. The right side of Figure 3-10 illustrates the ways in which internal users access information. For example, users can access hard copies of documents and information directly. Information, as the most important asset in this model, is at the center of the sphere. Information is always at risk from attacks whenever it is accessible by people or computer systems. Networks and the Internet are indirect threats, as exemplified by the fact that a person attempting to access information from the Internet must traverse local networks.

The left side of Figure 3-10 illustrates that a layer of protection must exist between each layer of the sphere of use. For example, “Policy and law” and “Education and training” are protections placed between people and the information. Controls are also implemented between systems and the information, between networks and the computer systems, and between the Internet and internal networks. This reinforces the concept of defense in depth. A variety of controls can be used to protect the information. The items of control shown in the figure are not intended to be comprehensive, but they illustrate some of the safeguards that can protect the systems closer to the center of the sphere. Because people can directly access each ring as well as the information at the core of the model, the side of the sphere of protection that attempts to control access by relying on people requires a different approach to security than the side that uses technology. The members of the organization must become a safeguard that is effectively trained, implemented, and maintained, or they too will present a threat to the information.

Information security is designed and implemented in three layers: policies, people (education, training, and awareness programs), and technology. These layers are commonly referred to as PPT. Each layer contains controls and safeguards to protect the information and information system assets that the organization values. But, before any technical controls or other safeguards can be implemented, the policies that define the management philosophies behind the security process must be in place.

Aug 11, 2022 (11:35)
Principle of Information Security Module 3 Information Security Management part 10

NIST Security Models.


Other approaches to security are described in the many documents available from the NIST Computer Security Resource Center (http://csrc.nist.gov). Because the NIST documents are publicly available at no charge and have been for some time, they have been broadly reviewed by government and industry professionals, and were among the references cited by the U.S. government when it decided not to select the ISO/IEC 17799 (now 27000 series) standards. The following NIST documents can assist in the design of a security framework:

  • SP 800-12, Rev. 1: “An Introduction to Information Security”
  • SP 800-18, Rev. 1: “Guide for Developing Security Plans for Federal Information Systems”
  • SP 800-30, Rev. 1: “Guide for Conducting Risk Assessments”
  • SP 800-37, Rev. 2: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”
  • SP 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”
  • SP 800-50: “Building an Information Technology Security Awareness and Training Program”
  • SP 800-55, Rev. 1: “Performance Measurement Guide for Information Security”
  • SP 800-100: “Information Security Handbook: A Guide for Managers”

Many of these documents have been referenced elsewhere in this book as sources of information for the management of security. The following sections examine select documents in this series as they apply to the blueprint for information security.

NIST SP 800-12.

SP 800-12, Rev. 1, “An Introduction to Information Security,” is an excellent reference and guide for the security manager or administrator in the routine management of information security. It provides little guidance, however, for the design and implementation of new security systems, and therefore should be used only as a precursor to understanding an information security blueprint.

NIST SP 800-14.

SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems,” provides best practices and security principles that can direct the security team in the development of a security blueprint. Even though this legacy publication has been “retired,” there is not yet a replacement document in the NIST SP series that provides a better basic grounding in information security. In addition to detailing security best practices across the spectrum of security areas, it provides philosophical principles that the security team should integrate into the entire information security process:

Security supports the mission of the organization—Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program.

Security is an integral element of sound management—Effective management includes planning, organizing, leading, and controlling. Security enhances management functions by providing input during the planning process for organizational initiatives. Information security controls support sound management via the enforcement of managerial and security policies.

Aug 11, 2022 (14:49)
Principle of Information Security Module 3 Information Security Management part 9

Security Education.

Everyone in an organization needs to be trained and made aware of information security, but not everyone needs a formal degree or certificate in information security. When management agrees that formal education is appropriate, an employee can investigate courses in continuing education from local institutions of higher learning. Several universities have formal coursework in information security. For people who are interested in researching formal information security programs, resources are available, such as the DHS/NSA-designated National Centers of Academic Excellence program. This program identifies universities that have had their coursework and practices in information security reviewed and found to meet national standards. Other local resources can also provide information on security education, such as Kennesaw State University’s Institute for Cybersecurity Workforce Development (cyberinstitute.kennesaw.edu).

Security Training.

Security training provides employees with detailed information and hands-on instruction to prepare them to perform their duties securely. Management of information security can develop customized in-house training or outsource the training program.

Alternatives to formal training programs are industry training conferences and programs offered through professional agencies such as SANS, (ISC)², and ISSA. All of these agencies are described in other modules. Many of these programs are too technical for the average employee, but they may be ideal for the continuing education requirements of information security professionals.

A new venue for security training for both security professionals and the average end user is Massive Open Online Courses, which are available from a number of vendors, including Coursera. Many of these courses are free to enroll in, and a certificate of completion is provided upon payment of a nominal fee. The list of available topics ranges from the traditional academic introduction to security to technical topics and general information.

Several resources for conducting SETA programs offer assistance in the form of sample topics and structures for security classes. For organizations, the Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area.


Aug 10, 2022 (09:30)
Principle of Information Security Module 3 Information Security Management part 8

Policies are living documents that must be managed. It is unacceptable to create such an important set of documents and then shelve them. These documents must be properly distributed, read, understood, agreed to, uniformly applied, and managed. How they are managed should be specified in the policy management section of the issue-specific policy described earlier. Good management practices for policy development and maintenance make for a more resilient organization. For example, all policies, including security policies, undergo tremendous stress when corporate mergers and divestitures occur. In such situations, employees are faced with uncertainty and many distractions. System vulnerabilities can arise, for instance, if incongruent security policies are implemented in different parts of a newly merged organization. When two companies merge but retain separate policies, the difficulty of implementing security controls increases. Likewise, when one company with unified policies splits in two, each new company may require different policies.

To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date.

Responsible Manager

Just as information systems and information security projects must have champions and managers, so must policies. The policy manager is often called the policy administrator. Note that the policy administrator does not necessarily have to be proficient in the relevant technology. While practicing information security professionals require extensive technical knowledge, policy management and policy administration require only a moderate technical background. It is good practice, however, for policy administrators to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when revising security policies. The administrator should also notify all affected members of the organization when the policy is modified.

It is disheartening when a policy that required hundreds of staff hours to develop and document is ignored. Thus, someone must be responsible for placing the policy and all subsequent revisions into the hands of people who are accountable for its implementation. The policy administrator must be clearly identified in the policy document as the primary point of contact for additional information or suggested revisions to the policy.

Aug 08, 2022 (07:20)
Principle of Information Security Module 3 Information Security Management part 7

How policy is developed and implemented can help or hinder its usefulness to the organization. If an organization takes punitive action on an effective policy, the individual affected may sue the organization, depending on its action in implementing the penalties or other actions defined in the policy. Employees terminated for violating poorly designed and implemented policies could sue their organization for wrongful termination. In general, policy is only enforceable and legally defensible if it is properly designed, developed, and implemented using a process that assures repeatable results.

For policies to be effective and legally defensible, the following must be done properly:

  • Development—Policies must be written using industry-accepted practices and formally approved by management.
  • Dissemination—Policies must be distributed using all appropriate methods.
  • Review—Policies must be readable and read by all employees.
  • Comprehension—Policies must be understood by all employees.
  • Compliance—Policies must be formally agreed to by act or affirmation.
  • Enforcement—Policies must be uniformly applied to all employees.

We will examine each of these stages in the sections that follow. Before we do, however, you should realize that almost every organization has a set of existing policies, standards, procedures, and/or practices. This installed base of guidance may not always have been prepared using an approach that delivers consistent or even usable results. Most of the situations you find yourself in will involve more policy maintenance than policy development. Prior to implementation, policy should be reviewed by the organization’s legal counsel to ensure it is acceptable within the limits of the law and that implementation of the policy and its corresponding penalties would, in fact, be defensible in the event of a legal dispute.

Developing Information Security Policy

It is often useful to view policy development as a three-part project. In the first part of the project, policy is designed and written (or, in the case of an outdated policy, redesigned and rewritten). In the second part, a senior manager or executive at the appropriate level and the organization’s legal counsel review and formally approve the document. In the third part of the development project, management processes are established to distribute and enforce the policy within the organization. The first part is an exercise in project management, whereas the latter two parts require adherence to good business practices and legal regulation.

Aug 05, 2022 (21:21)
Principle of Information Security Module 3 Information Security Management part 6

While issue-specific policies are formalized as written documents readily identifiable as policy, systems-specific security policies (SysSPs) sometimes have a different look. SysSPs often function as standards or procedures to be used when configuring or maintaining systems. For example, a SysSP might describe the configuration and operation of a network firewall. This document could include a statement of managerial intent; guidance to network engineers on the selection, configuration, and operation of firewalls; and an access control list that defines levels of access for each authorized user. SysSPs can be separated into two general groups, managerial guidance SysSPs and technical specifications SysSPs, or they can be combined into a single policy document that contains elements of both.

Managerial Guidance SysSPs

A managerial guidance SysSP document is created by management to guide the implementation and configuration of technology and to address the behavior of employees in ways that support information security. For example, while the method for configuring a firewall belongs in the technical specifications SysSP, the firewall’s configuration must follow guidelines established by management. An organization might not want its employees to access the Internet via the organization’s network, for instance; in that case, the firewall should be configured accordingly.

Firewalls are not the only technology that may require systems-specific policies. Any system that affects the confidentiality, integrity, or availability of information must be assessed to evaluate the trade-off between improved security and restrictions.

Systems-specific policies can be developed at the same time as ISSPs, or they can be prepared in advance of their related ISSPs. Before management can craft a policy informing users what they can do with certain technology and how to do it, system administrators might have to configure and operate the system. Some organizations may prefer to develop ISSPs and SysSPs in tandem so that operational procedures and user guidelines are created simultaneously.

Technical Specifications SysSPs

While a manager can work with a systems administrator to create managerial policy, as described in the preceding section, the systems administrator in turn might need to create a policy to implement the managerial policy. Each type of equipment requires its own set of policies, which are used to translate management’s intent for the technical control into an enforceable technical approach. For example, an ISSP may require that user passwords be changed quarterly; a systems administrator can implement a technical control within a specific application to enforce this policy. There are two general methods of implementing such technical controls: access control lists and configuration rules.

Aug 04, 2022 | 06:09
TABE Reading

TABE reading score and guideline

Jul 29, 2022 | 01:04
Principle of Information Security Module 3 Information Security Management part 5

Enterprise Information Security Policy.

An enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy. The EISP is an executive-level document, usually drafted by or in cooperation with the organization’s chief information officer. This policy is usually two to 10 pages long and shapes the philosophy of security in the IT environment. The EISP usually needs to be modified only when there is a change in the strategic direction of the organization.

The EISP guides the development, implementation, and management of the security program. It sets out the requirements that must be met by the information security blueprint. It defines the purpose, scope, constraints, and applicability of the security program. It also assigns responsibilities for the various areas of security, including systems administration, maintenance of the information security policies, and the practices and responsibilities of users. Finally, it addresses legal compliance. According to NIST, the EISP typically addresses compliance in two areas:

General compliance to ensure that an organization meets the requirements for establishing a program and assigning responsibilities therein to various organizational components.

The use of specified penalties and disciplinary action.

When the EISP has been developed, the CISO begins forming the security team and initiating necessary changes to the information security program.


Jul 26, 2022 | 11:08
Principle of Information Security Module 3 Information Security Management part 4

Planning Levels

Once the organization’s overall strategic plan is translated into strategic plans for each major division or operation, the next step is to translate these plans into tactical objectives that move toward reaching specific, measurable, achievable, and time-bound accomplishments. The process of strategic planning seeks to transform broad, general, sweeping statements into more specific and applied objectives. Strategic plans are used to create tactical plans, which in turn are used to develop operational plans.

Tactical planning focuses on undertakings that will be completed within one or two years. The process of tactical planning breaks each strategic goal into a series of incremental objectives. Each objective in a tactical plan should be specific and should have a delivery date within a year of the plan’s start. Budgeting, resource allocation, and personnel are critical components of the tactical plan. Tactical plans often include project plans and resource acquisition planning documents (such as product specifications), project budgets, project reviews, and monthly and annual reports. The CISO and security managers use the tactical plan to organize, prioritize, and acquire resources necessary for major projects and to provide support for the overall strategic plan.

Managers and employees use operational planning derived from tactical planning to organize the ongoing, day-to-day performance of tasks. An operational plan includes the necessary tasks for all relevant departments as well as communication and reporting requirements, which might include weekly meetings, progress reports, and other associated tasks. These plans must reflect the organizational structure, with each subunit, department, or project team conducting its own operational planning and reporting. Frequent communication and feedback from the teams to the project managers and/or team leaders, and then up to the various management levels, will make the planning process more manageable and successful.

Jul 25, 2022 | 10:47
Principle of Information Security Module 3 Information Security Management part 3

Programs

InfoSec operations that are specifically managed as separate entities are called “programs.” An example would be a security education, training, and awareness (SETA) program or a risk management program. SETA programs provide critical information to employees to maintain or improve their current levels of security knowledge. Risk management programs include the identification, assessment, and control of risks to information assets. Other programs that may emerge include a physical security program, complete with fire protection, physical access, gates, and guards. Some organizations with specific regulations may have additional programs dedicated to client/customer privacy, awareness, and the like. Each organization will typically have several security programs that must be managed.

Protection

The protection function is executed via a set of risk management activities, as well as protection mechanisms, technologies, and tools. Each of these mechanisms or safeguards represents some aspect of the management of specific controls in the overall InfoSec plan.

People

People are the most critical link in the InfoSec program. This area encompasses security personnel (the professional information security employees), the security of personnel (the protection of employees and their information), and aspects of the SETA program mentioned earlier.

Projects

Whether an InfoSec manager is asked to roll out a new security training program or select and implement a new firewall, it is important that the process be managed as a project. The final element for thoroughgoing InfoSec management is the application of a project management discipline to all elements of the InfoSec program. Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.

Information Security Planning and Governance

Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. Strategic planning should guide organizational efforts and focus resources toward specific, clearly defined goals. After an organization develops a general strategy, it generates an overall strategic plan by extending that general strategy into plans for major divisions. Each level of each division then translates those plan objectives into more specific objectives for the level below. To execute this broad strategy, the executive team must first define individual responsibilities. (The executive team is sometimes called the organization’s C-level, as in CEO, COO, CFO, CIO, and so on.)

Information Security Leadership

The leadership of the information security function that delivers strategic planning and corporate responsibility is best accomplished using an approach industry refers to as governance, risk management, and compliance (GRC). GRC seeks to integrate these three previously separate responsibilities into one holistic approach that can provide sound executive-level strategic planning and management of the InfoSec function. The subjects themselves are neither new nor unique to InfoSec; however, recognition of the need to integrate the three at the board or executive level is becoming increasingly important to practitioners in the field. Note that the management of risk is not limited to an organization’s information security. Although organizations increasingly seem to manage their risk challenges with an integrated InfoSec approach focused on GRC, many types of organizations face many types of risk and have developed specific strategies to manage them.

Jul 22, 2022 | 10:02
CSS Essay Requirements

1. Your essay must contain 500 words or more.

2. Your essay must contain a title page with your name, title, name of the class (CPP), school (Gerald R. Ford Job Corps Center), and today's date.

3. If you use a website for additional information, you must cite your source and provide a reference page with the author's last name and first initial, the title of the article, the date the article was published, today's date, and the link where you found the article. Remember that copying without citing the source is plagiarism and will result in termination from the program.

4. Your essay must be about the eight Career Success Standards as described below.

5. The essay must use 12-point font, double spacing, and Times New Roman.

6. The essay must be error free and in paragraph form. You can use all of the tools available to you to check your spelling and sentence structure.

Jul 21, 2022 | 00:52
Principle of Information Security Module 3 Information Security Management part 1

Upon completion of this material, you should be able to:

  • Describe the different management functions with respect to information security.
  • Define information security governance and list the expectations of the organization’s senior management with respect to it.
  • Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
  • List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization.
  • Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program.
Jul 21, 2022 | 02:52
Principle of Information Security Module 3 Information Security Management part 2

Upon completion of this material, you should be able to:

  • Describe the different management functions with respect to information security.
  • Define information security governance and list the expectations of the organization’s senior management with respect to it.
  • Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
  • List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization.
  • Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program.

Jul 21, 2022 | 03:29
Principle of Information Security: Module 2 The Need for Information Security (Part 16)

Knowledge check Activity 3

Communications interception attacks include all of the following EXCEPT:

A. Sniffers
B. Spoofing
C. Pharming
D. Ransomware
E. Man-in-the-middle

The answer is C, Ransomware

Each of the others involves using the communication network or procedures as a means of attack. Ransomware uses encryption of the victim’s data as a means to extort payment.

Technical Hardware Failures or Errors.

Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal—that is, they result in the unrecoverable loss of the equipment. Some errors are intermittent in that they only manifest themselves periodically, resulting in faults that are not easily reproduced. Thus, equipment can sometimes stop working or work in unexpected ways. Murphy’s law (yes, there really was a Murphy) holds that if something can possibly go wrong, it will. In other words, it’s not a question of whether something will fail, but when.

The Intel Pentium CPU Failure.

One of the best-known hardware failures is that of the Intel Pentium II chip (similar to the one shown in Figure 2-19), which had a defect that resulted in a calculation error under certain circumstances. Intel initially expressed little concern for the defect and stated that it would take an inordinate amount of time to identify a calculation that would interfere with the reliability of results. Yet, within days after the chip’s defect was announced, popular computing journals were publishing a simple calculation (the division of 4,195,835 by 3,145,727 within a spreadsheet) that determined whether a machine contained the defective chip and thus the floating-point operation bug. The Pentium floating-point division bug (FDIV) led to a public-relations disaster for Intel that resulted in its first-ever chip recall and a loss of more than $475 million. A few months later, disclosure of another bug, known as the Dan-0411 flag erratum, further eroded the chip manufacturer’s public image. In 1998, Intel released its Xeon chip and discovered it also had hardware errors. Intel said, “All new chips have bugs, and the process of debugging and improving performance inevitably continues even after a product is in the market.”

Mean Time Between Failure.

In hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). While MTBF and MTTF are sometimes used interchangeably, MTBF presumes that the item can be repaired or returned to service, whereas MTTF presumes the item must be replaced. From a repair standpoint, MTBF = MTTF + MTTD + MTTR, where MTTD is the mean time to diagnose and MTTR is the mean time to repair. The most commonly failing piece of computer hardware is the hard drive, which currently has an average MTBF of approximately 500,000 hours. Hard drive vendors report they are converting from MTBF for hard drives to a new measure, annualized failure rate (AFR), which is based on the manufacturer’s product and warranty data. So, instead of a 500,000-hour MTBF, you could have an AFR of 0.5 percent.

Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions. Sometimes these bugs are not errors but purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors, and they can cause serious security breaches.

Software bugs are so commonplace that entire Web sites are dedicated to documenting them. Among the most popular is Bugtraq, found at www.securityfocus.com, which provides up-to-the-minute information on the latest security vulnerabilit
Jul 19, 2022 | 11:51
Principle of Information Security: Module 2 The Need for Information Security (Part 15)

Back Doors

Using a known or newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Viruses and worms can have a payload that installs a back door or trap door component in a system, allowing the attacker to access the system at will with special privileges. Examples of such payloads include Subseven and Back Orifice.

Sometimes these doors are left behind by system designers or maintenance staff; such a door is referred to as a maintenance hook.* More often, attackers place a back door into a system or network they have compromised, making their return to the system that much easier the next time. A trap door is hard to detect because the person or program that places it often makes the access exempt from the system’s usual audit logging features and makes every attempt to keep the back door hidden from the system’s legitimate owners.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target (see Figure 2-16). So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions. In a distributed denial-of-service (DDoS) attack, a coordinated stream of requests is launched against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised machines are turned into bots or zombies, machines that are directed remotely by the attacker (usually via a transmitted command) to participate in the attack. DDoS attacks are more difficult to defend against, and currently there are no controls that any single organization can apply. There are, however, some cooperative efforts to enable DDoS defenses among groups of service providers; an example is the “Consensus Roadmap for Defeating Distributed Denial of Service Attacks.”* To use a popular metaphor, DDoS is considered a weapon of mass destruction on the Internet. The MyDoom worm attack in February 2004 was intended to be a DDoS attack against www.sco.com, the Web site of a vendor for a UNIX operating system. Allegedly, the attack was payback for the SCO Group’s perceived hostility toward the open-source Linux community.

Jul 18, 2022 | 08:42
Principle of Information Security: Module 2 The Need for Information Security (Part 14)

Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. This attack can consist of specially crafted software that attackers trick users into installing on their systems. This software can be used to overwhelm the processing capabilities of online systems or to gain access to protected systems by hidden means.

Malware.

Malware, also referred to as malicious code or malicious software, includes the viruses, worms, and other scripts and applications designed to harm a target computer system. Other attacks that use software, like redirect attacks and denial-of-service attacks, also fall under this threat. These software components or programs are designed to damage, destroy, or deny service to targeted systems. Note that the terminology used to describe malware is often not mutually exclusive; for instance, Trojan horse malware may be delivered as a virus, a worm, or both.

Malicious code attacks include the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. The most state-of-the-art malicious code attack is the polymorphic worm, or multivector worm. These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in common information system devices. Many successful malware attacks are completed using techniques that are widely known; some have been in use for years. When an attack makes use of malware that is not yet known by the antimalware software companies, it is said to be a zero-day attack.

Other forms of malware include covert software applications—bots, spyware, and adware—that are designed to work out of users’ sight or be triggered by an apparently innocuous user action. Bots are often the technology used to implement Trojan horses, logic bombs, back doors, and spyware.* Spyware is placed on a computer to secretly gather information about the user and report it. One type of spyware is a Web bug, a tiny graphic that is referenced within the Hypertext Markup Language (HTML) content of a Web page or e-mail to collect information about the user viewing the content. Another form of spyware is a tracking cookie, which is placed on users’ computers to track their activity on different Web sites and create a detailed profile of their behavior.* Each of these hidden code components can be used to collect user information that could then be used in a social engineering or identity theft attack.

Table 2-7 draws on three surveys to list some of the malware that has had the biggest impact on computer users to date. While this table may seem out of date, the values still hold up as of mid-2020. It seems that newer malware cannot break into the all-time top 10, possibly because of the proliferation of malware variants and do-it-yourself malware kits. It’s hard for any one new piece of malware to “break out” when so many variations are in play. It seems we are entering the days of precisely targeted malware.

Jul 18, 2022 | 13:41
TABE testing instruction and policy

TABE testing instruction and policy.

Jul 15, 2022 | 01:08
Principle of information security module 2 part 12

Information extortion, also known as cyberextortion, is common in the theft of credit card numbers. For example, the Web-based retailer CD Universe was victimized by a theft of data files that contained customer credit card information. The culprit was a Russian hacker named Maxus who hacked the online vendor and stole several hundred thousand credit card numbers. When the company refused to pay the $100,000 blackmail, he posted the card numbers to a Web site, offering them to the criminal community. His Web site became so popular he had to restrict access.

Another incident of extortion occurred in 2008 when pharmacy benefits manager Express Scripts, Inc., fell victim to a hacker who demonstrated that he had access to 75 customer records and claimed to have access to millions more. The perpetrator demanded an undisclosed amount of money. The company notified the FBI and offered a $1 million reward for the arrest of the perpetrator. Express Scripts notified the affected customers, as required by various state laws. The company was obliged to pay undisclosed expenses for the notifications and was required to buy credit monitoring services for its customers in some states.
Jul 12, 2022 | 04:11
Principle of information security module 2 part 11

Human Error or Failure.

This category includes acts performed without intent or malicious purpose or in ignorance by an authorized user. When people use information assets, mistakes happen. Similar errors happen when people fail to follow established policy. Inexperience, improper training, and incorrect assumptions are just a few things that can cause human error or failure. Regardless of the cause, even innocuous mistakes can produce extensive damage. In 2017, an employee debugging an issue with the Amazon Web Services (AWS) billing system took more servers down than he was supposed to, resulting in a chain reaction that took down several large Internet sites. It took time to restart the downed systems, resulting in extended outages for several online vendors, while other sites were unable to fully operate due to unavailable AWS services.

In 1997, a simple keyboarding error caused worldwide Internet outages.

In April 1997, the core of the Internet suffered a disaster. Internet service providers lost connectivity with other ISPs due to an error in a routine Internet router-table update process. The resulting outage effectively shut down a major portion of the Internet for at least twenty minutes. It has been estimated that about 45 percent of Internet users were affected. In July 1997, the Internet went through another, more critical global shutdown for millions of users. An accidental upload of a corrupt database to the Internet’s root domain servers occurred. Because this database provides the ability to address hosts on the Net by name (e.g., eds.com), it was impossible to send e-mail or access Web sites within the dot com and dot net domains for several hours. The dot com domain comprises a majority of the commercial enterprise users of the Internet.

Jul 12, 2022 | 11:19
Principle of information security module 2 part 10

Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with little warning and are beyond the control of people. These threats, which include events such as fires, floods, earthquakes, landslides, mudslides, windstorms, sandstorms, solar flares, and lightning as well as volcanic eruptions and insect infestations, can disrupt not only people’s lives but the storage, transmission, and use of information. Severe weather was suspected in three 2008 outages in the Mediterranean that affected Internet access to the Middle East and India.


Jul 11, 2022 | 09:11
Principle of Information Security: Module 2 The Need for Information Security Part 9

Password attacks fall under the category of espionage or trespass just as lock picking falls under breaking and entering. Attempting to guess or reverse-calculate a password is often called cracking. There are several alternative approaches to password cracking; these include:

  • Brute force
  • Dictionary
  • Rainbow tables
  • Social engineering

The application of computing and network resources to try every possible password combination is called a brute force password attack. If attackers can narrow the field of target accounts, they can devote more time and resources to these accounts. This is one reason to always change the password of the manufacturer’s default administrator account.

Brute force password attacks are rarely successful against systems that have adopted the manufacturer’s recommended security practices. Controls that limit the number of unsuccessful access attempts within a certain time are very effective against brute force attacks. As shown in Table 2-6, the strength of a password determines its ability to withstand a brute force attack. Using best practice policies like the 10.4 password rule and systems that allow case-sensitive passwords can greatly enhance their strength.

The dictionary password attack, or simply dictionary attack, is a variation of the brute force attack that narrows the field by using a dictionary of common passwords and includes information related to the target user, such as names of relatives or pets, and familiar numbers such as phone numbers, addresses, and even Social Security numbers. Organizations can use similar dictionaries to disallow passwords during the reset process and thus guard against passwords that are easy to guess. In addition, rules requiring numbers and special characters in passwords make the dictionary attack less effective.

A far more sophisticated and potentially much faster password attack is possible if the attacker can gain access to an encrypted password file, such as the Security Account Manager (SAM) data file. While these password files contain hashed representations of users’ passwords—not the actual passwords, and thus cannot be used by themselves—the hash values for a wide variety of passwords can be looked up in a database known as a rainbow table. These plain text files can be quickly searched, and a hash value and its corresponding plaintext value can be easily located. Module 10, “Cryptography,” describes plaintext, ciphertext, and hash values in greater detail.
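The three defensive controls named across the brute force, dictionary and rainbow table paragraphs above (rejecting dictionary-derived and user-related passwords at reset time, limiting unsuccessful attempts within a time window, and storing only salted, iterated hashes so a precomputed hash-to-password table finds nothing to match) can be shown together in code. The following Python is an added example written for this page, not code from the textbook or its authors; the small common-password list, the 10-character/four-class rule, the five-failures-per-15-minutes threshold and the PBKDF2 parameters are assumptions chosen for the illustration.

```python
import hashlib
import os
import re
from collections import defaultdict, deque

# Constructed sample of a "common passwords" dictionary. A real deployment would
# load a large breached-password list plus organisation-specific words.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "summer2022"}

# Assumed policy: at least 10 characters drawn from all four character classes
# (the "10.4 rule" the text refers to).
MIN_LENGTH = 10
CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password_policy(password, user_terms=()):
    """Return the list of policy violations for a proposed password (empty = accepted).

    user_terms: names, pet names, phone numbers and similar values that a
    dictionary attack would try first; any of them appearing in the password
    is grounds for rejection.
    """
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    missing = [name for name, rx in CHAR_CLASSES.items() if not rx.search(password)]
    if missing:
        violations.append("missing " + ", ".join(missing))
    # Strip digits/symbols before the lookup so "Password1!" is still caught:
    # dictionary attacks apply exactly these decorations to each word.
    base = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        violations.append("in common-password dictionary")
    for term in user_terms:
        if len(term) >= 3 and term.lower() in lowered:
            violations.append(f"contains user-related term {term!r}")
    return violations


class LoginThrottle:
    """Refuse further attempts once max_failures occur within a sliding window.

    The window expires, so feeding wrong passwords cannot permanently lock a
    legitimate user out (which would turn the control into a denial-of-service
    vector against that account).
    """

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures

    def _prune(self, user, now):
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, user, now):
        self._prune(user, now)
        return len(self._failures[user]) >= self.max_failures

    def record_attempt(self, user, credential_ok, now):
        """Return 'locked', 'ok' or 'failed' for an attempt made at time `now` (seconds)."""
        if self.is_locked(user, now):
            return "locked"  # refused before the credential is even evaluated
        if credential_ok:
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        return "failed"


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, digest).

    A random per-user salt means two users with the same password store
    different digests, so a rainbow table keyed on the bare hash of each
    candidate password has nothing to match against.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def unsalted_hashes_collide(password_a, password_b):
    """The property rainbow tables rely on: unsalted hashing is deterministic."""
    return hashlib.sha256(password_a.encode()).digest() == hashlib.sha256(password_b.encode()).digest()


if __name__ == "__main__":
    print(check_password_policy("Password1!"))
    print(check_password_policy("Fluffy2019!", user_terms=("Fluffy",)))
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for t in (0, 10, 20, 30):
        # the fourth attempt carries the correct credential but is still refused
        print(t, throttle.record_attempt("alice", t == 30, t))
```

The throttle keys on the account, which is what stops a brute force run against one user; a production system would also rate-limit per source address and log the lockout event so the security operations team sees a spike of failures as a detection signal rather than only as a user complaint.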

While social engineering is discussed in detail later in the section called “Human Error or Failure,” it is worth mentioning here as a mechanism to gain password information. Attackers posing as an organization’s IT professionals may attempt to gain access to systems information by contacting low-level employees and offering to help with their computer issues. After all, what employee doesn’t have issues with computers? By posing as a friendly help-desk or repair technician, the attacker asks employees for their usernames and passwords, and then uses the information to gain access to organizational systems. Some even go so far as to resolve the user’s issues. Social engineering is much easier than hacking servers for password files.

Jul 08, 2022 | 03:08
Principle of Information Security: Module 2 The Need for Information Security (Part 8)

In 2017, the Singapore Ministry of Defense invited hackers to test its publicly accessible system for vulnerabilities. In March 2016, General Motors (GM) invited computer researchers to look for vulnerabilities in the software used in its vehicles and Web site, offering a reward to anyone who found an undocumented issue. In April 2015, the U.S. government did the same thing, inviting hackers to “Hack the Pentagon,” of all places—a program that continues to this day. This type of “bug bounty” program is an effort to convince both ethical and unethical hackers to help rather than hinder organizations in their security efforts. Other companies that recently invited such attacks include Tesla Motors, Inc., the ride-share company Uber, and Google.

Once an expert hacker chooses a target system, the likelihood is high that he or she will successfully enter the system. Fortunately for the many poorly protected organizations in the world, there are substantially fewer expert hackers than novice hackers.

A new category of hacker has emerged over the last few years. The professional hacker seeks to conduct attacks for personal benefit or the benefit of an employer, which is typically a crime organization or illegal government operation (see the section on cyberterrorism). The professional hacker should not be confused with the penetration tester (or pen tester), who has authorization from an organization to test its information systems and network defense and is expected to provide detailed reports of the findings. The primary differences between professional hackers and penetration testers are the authorization provided and the ethical professionalism displayed.

Expert hackers often become dissatisfied with attacking systems directly and turn their attention to writing software. These programs are automated exploits that allow novice hackers to act as script kiddies or packet monkeys. The good news is that if an expert hacker can post a script tool where a script kiddie or packet monkey can find it, then systems and security administrators can find it, too. The developers of protection software and hardware and the service providers who keep defensive systems up to date also stay informed about the latest in exploit scripts. As a result of preparation and continued vigilance, attacks conducted by scripts are usually predictable and can be adequately defended against.

Hacker Variants

Other terms for system rule breakers may be less familiar. The term cracker is now commonly associated with bypassing software copyright protection and with password cracking. Cracking is not decryption: stored passwords are hashed, not encrypted, so the cracker recovers them from stolen system files by hashing candidate guesses until one matches a stored hash. With the removal of the copyright protection, software can be easily distributed and installed. With passwords recovered from stolen system files, user accounts can be illegally accessed. In current usage, the terms hacker and cracker both denote criminal intent.
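The password-file attack just described, as an added example that is not part of the textbook or the podcast: a dictionary attack against a constructed, "stolen" credential file. The line format (user:iterations:salt:hash), the user names, the fixed salts and the wordlist are all constructed for the demonstration. It shows why "decryption" is the wrong word (the attacker never reverses the hash, but hashes guesses until one matches) and why a per-user salt plus a high iteration count raises the attacker's cost: two users with the same password get different hashes, so the work cannot be shared, and every guess costs the full iteration count.

```python
"""Offline dictionary attack against a stolen credential file (added example)."""
import hashlib
import hmac

# Work factor per guess. Real deployments use far more iterations (hundreds of
# thousands); kept small so the example runs quickly. Raising it multiplies the
# attacker's cost per guess by the same factor.
ITERATIONS = 2000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(user: str, password: str, salt: bytes) -> str:
    """One line of the constructed file: user:iterations:salt_hex:hash_hex."""
    return f"{user}:{ITERATIONS}:{salt.hex()}:{hash_password(password, salt).hex()}"


# Constructed "stolen" file. Fixed salts keep the example reproducible; a real
# system draws each salt from os.urandom. alice and bob share a password.
STOLEN_FILE = "\n".join([
    make_record("alice", "Summer2022", bytes.fromhex("a1b2c3d4e5f60718")),
    make_record("bob", "Summer2022", bytes.fromhex("0f1e2d3c4b5a6978")),
    make_record("carol", "x7!Qv#9pL2wz&Ym4", bytes.fromhex("deadbeefcafef00d")),
])

# Constructed wordlist; real attacks use millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "Summer2022", "Welcome1"]


def parse_records(text: str):
    """Return (user, iterations, salt, hash) tuples from the file text."""
    records = []
    for line in text.splitlines():
        user, iters, salt_hex, hash_hex = line.split(":")
        records.append((user, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)))
    return records


def crack(file_text: str, wordlist):
    """Guess every record against the wordlist.

    Returns ({user: recovered password or None}, total PBKDF2 rounds spent).
    Each guess is hashed with that record's own salt, so nothing is reused
    between users even when their passwords are identical.
    """
    found = {}
    work = 0
    for user, iters, salt, digest in parse_records(file_text):
        found[user] = None
        for guess in wordlist:
            work += iters
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iters)
            if hmac.compare_digest(candidate, digest):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    recovered, rounds = crack(STOLEN_FILE, WORDLIST)
    for user, pw in recovered.items():
        print(f"{user}: {pw if pw else 'not in wordlist'}")
    print(f"PBKDF2 rounds spent: {rounds}")
```

The weak shared password falls to the wordlist for both alice and bob, but their stored hashes differ because of the salt, so the attacker pays for both. carol's password is not in the list and survives; the only thing that protects alice is never having chosen a guessable password in the first place.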

Phreakers grew in fame in the 1970s when they developed devices called blue boxes that enabled them to make free calls from pay phones. Later, red boxes were developed to simulate the tones of coins falling in a pay phone, and finally black boxes emulated the line voltage. With the advent of digital communications, these boxes became practically obsolete. Even with the loss of the colored box technologies, however, phreakers continue to cause problems for all telephone systems.

Jul 08, 2022 (03:12)

Principle of Information Security: Module 2 The Need for Information Security (Part 7)

Knowledge Check Activity 2

A short-term decrease in electrical power availability is known as a:

A. Surge

B. Spike

C. Sag

D. Swell

The correct answer is C. Sag.

A sag is a short-term drop in voltage. A spike, a swell, and a surge are all increases in voltage, so none of them fits the question.

Espionage or trespass

Espionage or trespass is a well-known and broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized person gains access to information an organization is trying to protect, the act is categorized as espionage or trespass. Attackers can use many different methods to access the information stored in an information system. Some information-gathering techniques are legal—for example, using a Web browser to perform market research. These legal techniques are collectively called competitive intelligence. When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting industrial espionage. Many countries that are considered allies of the United States engage in industrial espionage against American organizations. When foreign governments are involved, these activities are considered espionage and a threat to national security.

Some forms of espionage are relatively low-tech. One example, called shoulder surfing, is pictured in Figure 2-5. This technique is used in public or semipublic settings when people gather information they are not authorized to have. Instances of shoulder surfing occur at computer terminals, desks, and ATMs; on a bus, airplane, or subway, where people use smartphones and tablets; and in other places where employees may access confidential information. Shoulder surfing flies in the face of the unwritten etiquette among professionals who address information security in the workplace: If you can see another person entering personal or private information into a system, look away as the information is entered. Failure to do so constitutes not only a breach of etiquette but an affront to privacy and a threat to the security of confidential information.

To avoid shoulder surfing, try not to access confidential information when another person is present. People should limit the number of times they access confidential data, and should do it only when they are sure nobody can observe them. Users should be constantly aware of the presence of others when accessing sensitive information.

Hackers

Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission. Controls sometimes mark the boundaries of an organization’s virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization’s cyberspace. Sound principles of authentication and authorization can help organizations protect valuable information and systems. These control methods and technologies employ multiple layers or factors to protect against unauthorized access and trespass.

The classic perpetrator of espionage or trespass is the hacker, who is frequently glamorized in fictional accounts as a person who stealthily manipulates a maze of computer networks, systems, and data to find information that solves the mystery and heroically saves the day. However, the true life of the hacker is far more mundane. The profile of the typical hacker has shifted from that of a 13- to 18-year-old male with limited parental supervision who spends all of his free time on the computer; by comparison, modern hackers have fewer known attributes (see Figure 2-6). In the real world, a hacker frequently spends long hours examining the types and structures of targeted systems and uses skill, guile, or fraud to attempt to bypass controls placed on information owned by someone else.

Hackers possess a wide range of skill levels, as with most technology users. However, most hackers are g

Jul 08, 2022 (04:16)

Principle of Information Security: Module 2 The Need for Information Security (Part 6)

Deviations in Quality of Service

An organization’s information system depends on the successful operation of many interdependent support systems, including power grids, data and telecommunications networks, parts suppliers, service vendors, and even janitorial staff and garbage haulers. Any of these support systems can be interrupted by severe weather, intentional or accidental employee actions, or other unforeseen events. Deviations in quality of service can result from such accidents as a backhoe taking out the organization’s Internet connection or phone lines. The backup provider may be online and in service but may be able to supply only a fraction of the bandwidth the organization needs for full service. This degradation of service is a form of availability disruption. Irregularities in Internet service, communications, and power supplies can dramatically affect the availability of information and systems.

Communications and Other Service Provider Issues

Other utility services can affect organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function. For instance, most facilities require water service to operate an air-conditioning system. Even in Minnesota in February, air-conditioning systems help keep a modern facility operating. If a wastewater system fails, an organization might be prevented from allowing employees into the building. While several online utilities allow an organization to compare pricing options from various service providers, only a few show a comparative analysis of availability or downtime.

Power Irregularities

Irregularities from power utilities are common and can lead to fluctuations such as power excesses, power shortages, and power losses. These fluctuations can pose problems for organizations that provide inadequately conditioned power for their information systems equipment. In the United States, we are supplied 120-volt, 60-cycle power, usually through 15- and 20-amp circuits. Europe as well as most of Africa, Asia, South America, and Australia use 230-volt, 50-cycle power. With the prevalence of global travel by organizational employees, failure to properly adapt to different voltage levels can damage computing equipment, resulting in a loss. When power voltage levels vary from normal, expected levels, such as during a blackout, brownout, fault, noise, sag, spike, or surge, an organization’s sensitive electronic equipment—especially networking equipment, computers, and computer-based systems, which are vulnerable to fluctuations—can be easily damaged or destroyed. With small computers and network systems, power-conditioning options such as surge suppressors can smooth out spikes. The more expensive uninterruptible power supply (UPS) can protect against spikes and surges as well as sags and even blackouts of limited duration.

Jul 07, 2022 (02:45)

Principle of Information Security: Module 2 The Need for Information Security Part 5

A tool that security professionals can use to understand attacks is the Common Attack Pattern Enumeration and Classification (CAPEC) Web site hosted by MITRE, a nonprofit research and development organization sponsored by the U.S. government. This online repository can be searched for the characteristics of a particular attack or simply browsed by professionals who want additional knowledge of how attacks occur procedurally. The catalog is also published as a downloadable file, so a team can keep a local copy and query it as part of threat modeling without depending on the Web site.
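One way to search a local copy of the catalog, as an added example that is not from the textbook, the podcast, or MITRE: a small Python script that reads a CAPEC-style XML export and filters attack patterns by keyword and minimum severity. The element and attribute names used here (Attack_Pattern, ID, Name, Abstraction, Description, Likelihood_Of_Attack, Typical_Severity) and the namespace are assumptions about the real export's schema and should be checked against the file downloaded from capec.mitre.org; the three entries in the sample are constructed for the example, not copied from the catalog.

```python
"""Offline search of a CAPEC-style attack-pattern export (added example)."""
import xml.etree.ElementTree as ET

# Ordering used for the minimum-severity filter.
SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}

# Constructed sample in the assumed shape of the CAPEC XML export.
SAMPLE_CAPEC_XML = """
<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3" Name="CAPEC" Version="0.0">
  <Attack_Patterns>
    <Attack_Pattern ID="66" Name="SQL Injection" Abstraction="Standard" Status="Draft">
      <Description>Input crafted so the target interprets it as SQL.</Description>
      <Likelihood_Of_Attack>High</Likelihood_Of_Attack>
      <Typical_Severity>Very High</Typical_Severity>
    </Attack_Pattern>
    <Attack_Pattern ID="98" Name="Phishing" Abstraction="Standard" Status="Draft">
      <Description>A message imitating a trusted party lures the victim into revealing credentials.</Description>
      <Likelihood_Of_Attack>Medium</Likelihood_Of_Attack>
      <Typical_Severity>Very High</Typical_Severity>
    </Attack_Pattern>
    <Attack_Pattern ID="508" Name="Shoulder Surfing" Abstraction="Detailed" Status="Draft">
      <Description>Watching a user type credentials or view sensitive data.</Description>
      <Likelihood_Of_Attack>High</Likelihood_Of_Attack>
      <Typical_Severity>High</Typical_Severity>
    </Attack_Pattern>
  </Attack_Patterns>
</Attack_Pattern_Catalog>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def parse_catalog(xml_text: str):
    """Return one dict per Attack_Pattern element, ignoring the namespace."""
    root = ET.fromstring(xml_text)
    patterns = []
    for el in root.iter():
        if _local(el.tag) != "Attack_Pattern":
            continue
        rec = {
            "id": int(el.get("ID")),
            "name": el.get("Name"),
            "abstraction": el.get("Abstraction"),
            "description": "",
            "likelihood": "",
            "severity": "",
        }
        for child in el:
            tag = _local(child.tag)
            text = (child.text or "").strip()
            if tag == "Description":
                rec["description"] = text
            elif tag == "Likelihood_Of_Attack":
                rec["likelihood"] = text
            elif tag == "Typical_Severity":
                rec["severity"] = text
        patterns.append(rec)
    return patterns


def search(patterns, keyword=None, min_severity=None):
    """Filter by case-insensitive keyword (name or description) and minimum severity."""
    out = []
    for p in patterns:
        haystack = (p["name"] + " " + p["description"]).lower()
        if keyword and keyword.lower() not in haystack:
            continue
        if min_severity and SEVERITY_ORDER.get(p["severity"], -1) < SEVERITY_ORDER[min_severity]:
            continue
        out.append(p)
    return sorted(out, key=lambda p: p["id"])


def by_id(patterns, capec_id: int):
    """Look up a single pattern by its CAPEC number; None if absent."""
    return next((p for p in patterns if p["id"] == capec_id), None)


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_CAPEC_XML)
    for p in search(catalog, keyword="credential"):
        print(f"CAPEC-{p['id']}: {p['name']} [{p['severity']}]")
```

Stripping the namespace from tag names keeps the parser working whether or not a given export carries one; the severity filter lets a team pull, for example, only the Very High patterns when deciding which threats in Table 2-5 to model first.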

The 12 categories of threats to information security.

The scheme shown in Table 2-5 consists of 12 general categories of threats that represent a clear and present danger to an organization’s people, information, and systems. Each organization must prioritize the threats it faces based on the particular security situation in which it operates, its organizational strategy regarding risk, and the exposure levels of its assets. Module 4 covers these topics in more detail. You may notice that many of the attack examples in Table 2-5 could be listed in more than one category. For example, an attack performed by a hacker to steal customer data falls into the category of “theft,” but it can also be preceded by “espionage or trespass,” as the hacker illegally accesses the information. The theft may also be accompanied by Web site defacement actions to delay discovery, qualifying it for the category of “sabotage or vandalism.” As mentioned in Module 1, these are technically threat sources, but for simplicity’s sake, they are described here as threats.

Compromises to Intellectual Property.

Many organizations create or support the development of intellectual property (IP) as part of their business operations. (You will learn more about intellectual property in Module 6.) Intellectual property includes trade secrets, copyrights, trademarks, and patents. It is protected by copyright law and other laws, carries the expectation of proper attribution or credit to its source, and potentially requires the acquisition of permission for its use, as specified in those laws. For example, use of some IP may require specific payments or royalties before a song can be used in a movie or before a photo is distributed in a publication. The unauthorized appropriation of intellectual property constitutes a threat to information security—for example, when employees take an idea they developed at work and use it to make money for themselves. Employees may have access privileges to a variety of intellectual property, including purchased and developed software and organizational information, as many employees typically need to use intellectual property to conduct day-to-day business.

Software Piracy.

Organizations often purchase or lease the intellectual property of other organizations and must abide by a purchase or licensing agreement for its fair and responsible use. The most common intellectual property breach is software piracy. Because most software is licensed to an individual user, its use is restricted to a single installation or to a designated user in an organization. If a user copies the program to another computer without securing another license or transferring the license, the user has violated the copyright. The nearby feature describes a classic case of this type of copyright violation. While you may note that the example is from 1997, which seems a long time ago, it illustrates that the issue remains significant today.

Software licenses are strictly enforced by regulatory and private organizations, and software publishers use several control mechanisms to prevent copyright infringement. In addition to laws against software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA) at www.siia.net, formerly known as the Software Publishers Association, and the Business Software Alliance (BSA) at www.bsa.org. BSA estimates that approximately 37 percent of software installed on personal computers gl
Jul 06, 2022 (04:19)

Principle of Information Security Module 2 The Need for Information Security part 4

Other Studies of Threats

Several studies in recent years have examined the threats and attacks to information security. One of the most recent studies, conducted in 2015, found that 67.1 percent of responding organizations suffered malware infections.

More than 98 percent of responding organizations identified malware attacks as a threat, with 58.7 percent indicating they were a significant or severe threat. Malware was identified as the second-highest threat source behind electronic phishing and spoofing.

Table 2-2 shows these and other threats from internal stakeholders. Table 2-3 shows threats from external stakeholders. Table 2-4 shows general threats to information assets.

Jul 05, 2022 (00:40)

Principle of Information Security: Module 2 The Need for Information Security (Part 3)

Today’s organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications. A modern organization needs to create an environment that safeguards these applications, particularly those that are important elements of the organization’s infrastructure—operating system platforms, certain operational applications, electronic mail (e-mail), and instant messaging (IM) applications, like text messaging (short message service, or SMS). Organizations acquire these elements from a service provider, or they implement their own. Once an organization’s infrastructure is in place, management must continue to oversee it and not relegate its management to the IT department.

To perform effectively, organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise. For instance, a small business may get by in its start-up phase using a small-scale firewall, such as a small office/home office (SOHO) device.

In general, as an organization grows to accommodate changing needs, more robust technology solutions should replace security technologies the organization has outgrown. An example of a robust solution is a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities. Modules 8, 9 and 10 describe these technologies in more detail.

Information technology continues to add new capabilities and methods that allow organizations to solve business information management challenges. In recent years, we have seen the emergence of the Internet and the Web as new markets. Cloud-based services, which have created new ways to deliver IT services, have also brought new risks to organizational information, additional concerns about the ways these assets can be threatened, and concern for how they must be defended.

Around 500 B.C., the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise that emphasizes the importance of knowing yourself as well as the threats you face.* To protect your organization’s information, you must

  1. know yourself—that is, be familiar with the information to be protected and the systems that store, transport, and process it—and
  2. know your enemy; in other words, the threats you face.

To make sound decisions about information security, management must be informed about the various threats to an organization’s people, applications, data, and information systems. As discussed in Module 1, a threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss. Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of vulnerabilities where controls are not present or no longer effective. Unlike threats, which are always present, attacks exist only when a specific act may cause a loss. For example, the threat of damage from a thunderstorm is present throughout the summer in many places, but an attack and its associated risk of loss exist only for the duration of an actual thunderstorm. The following sections discuss each of the major types of threats and corresponding attacks facing modern information assets.

To investigate the wide range of threats that pervade the interconnected world, many researchers have collected information on threats and attacks from practicing information security personnel and their organizations. While the categorizations may vary, threats are relatively well researched and understood.

Jul 01, 2022 (03:24)

Chapter 2 The Need for Information Security Part 2

Protecting Data That Organizations Collect and Use.

Without data, an organization loses its record of transactions and its ability to deliver value to customers. Any business, educational institution, or government agency that operates within the modern context of connected and responsive services relies on information systems. Even when transactions are not online, information systems and the data they process enable the creation and movement of goods and services. Therefore, protecting data in transmission, in processing, and at rest (storage) is a critical aspect of information security. The value of data motivates attackers to steal, sabotage, or corrupt it. An effective information security program implemented by management protects the integrity and value of the organization’s data.

Organizations store much of the data they deem critical in databases, managed by specialized software known as a database management system (DBMS). Database security is accomplished by applying a broad range of control approaches common to many areas of information security. Securing databases encompasses most of the topics covered in this textbook, including managerial, technical, and physical controls. Managerial controls include policy, procedure, and governance. Technical controls used to secure databases rely on knowledge of access control, authentication, auditing, application security, backup and recovery, encryption, and integrity controls. Physical controls include the use of data centers with locking doors, fire suppression systems, video monitoring, and physical security guards.

The fundamental practices of information security have broad applicability in database security. One indicator of this strong degree of overlap is that the International Information System Security Certification Consortium, (ISC)², the organization that evaluates candidates for many prestigious information security certification programs, allows experience as a database administrator to count toward the experience requirement for the Certified Information Systems Security Professional (CISSP).

Jun 30, 2022 (02:03)

Chapter 2 The Need for Information Security Part 1

Welcome to chapter 2, The need for information security.

By the end of this module, you will be able to:

Discuss the need for information security.

Explain why a successful information security program is the shared responsibility of the entire organization.

List and describe the threats posed to information security and common attacks associated with those threats.

List the common information security issues that result from poor software development efforts.

The Need for Information Security.

Unlike any other business or information technology program, the primary mission of an information security program is to ensure that information assets—information and the systems that house them—are protected and thus remain safe and useful. Organizations expend a lot of money and thousands of hours to maintain their information assets. If threats to these assets didn’t exist, those resources could be used exclusively to improve the systems that contain, use, and transmit the information. However, the threat of attacks on information assets is a constant concern, and the need for information security grows along with the sophistication of the attacks. While some organizations lump both information and systems under their definition of an information asset, others prefer to separate the true information-based assets (data, databases, data sets, and the applications that use data) from their media—the technologies that access, house, and carry the information. For our purposes, we will include both data and systems assets in our use of the term. Similarly, we’ll use the term information to describe both data and information, as for most organizations the terms can be used interchangeably.

Organizations must understand the environment in which information assets reside so their information security programs can address actual and potential problems. This module describes the environment and identifies the threats to it, the organization, and its information.

Information security performs four important functions for an organization.

Protecting the organization’s ability to function.

Protecting the data and information the organization collects and uses, whether physical or electronic.

Enabling the safe operation of applications running on the organization’s IT systems.

Safeguarding the organization’s technology assets.
Jun 30, 2022 (02:12)

Chapter 1 module 1 introduction to information security part 10

Information Security Project Team.

The information security project team should consist of people who are experienced in one or multiple facets of the required technical and nontechnical areas. Many of the same skills needed to manage and implement security are also needed to design it. Members of the team fill the following roles:

Champion. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

Team leader. A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.

Security policy developers. People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

Risk assessment specialists. People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

Security professionals. Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.

Systems administrators. People with the primary responsibility for administering systems that house the information used by the organization.

End users. Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls that do not disrupt the essential business activities they seek to safeguard.

Data owners are members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

Data custodians work directly with data owners and are responsible for the information and the systems that process, transmit, and store it. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

Data trustees are appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use.

Data users: everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Knowledge Check Activity 3.

Which group in the organization is appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use?

A, Data owners.
B, Data custodian.
C, Data trustee.
D, Data user.

The answer is C, Data trustee.
Only this selection is correct since data owners would not appoint themselves, data custodians are responsible for the infrastructure that supports information processing in general, and data users do not have the responsibilities listed.

Communities of Interest.

Each organization develops and maintains its own unique culture and values. Within that corporate culture, there are communities of interest. These include:

Information security management and professionals.
Information technology management and professionals.
Organizational management and professionals.

Information Security: Is It an Art or a Science?

With the level of complexity in today’s information systems, the implementation of information security has often been described as a combination of art and science.
The concept of the security artisan is based on the way individuals perceived systems
Jun 30, 2022 (04:10)
Principle of Information Security: Module 1 Introduction to Information Security (Part 9)

Security Professionals and The Organization

It takes a wide range of professionals to support a diverse information security program.

To develop and execute specific security policies and procedures, additional administrative support and technical expertise is required.

Senior Management

The senior technology officer is typically the chief information officer (CIO), although other titles such as vice president of information, VP of information technology, and VP of systems may be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on strategic planning that affects the management of information in the organization. The CIO translates the strategic plans of the entire organization into strategic information plans for the information systems or information technology division of the organization. Once this is accomplished, the CIO works with subordinate managers to develop tactical and operational plans for the division and to enable planning and management of the systems that support the organization.

The chief information security officer (CISO) has primary responsibility for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT security, the security administrator, or by a similar title. The CISO usually reports directly to the CIO, although in larger organizations, one or more layers of management might exist between the two. However, the recommendations of the CISO to the CIO must be given equal if not greater priority than other technology and information-related proposals. The most common placement of CISOs in organizational hierarchies, along with their assigned roles and responsibilities, is illustrated in Figure 1-13. Note that the placement and accountabilities of the CISO have been the subject of debate across the industry for decades.

Jun 30, 2022 02:14

Chapter 1 module 1 introduction to information security (part 8)

Because of today’s security concerns and issues, an information system or data processing department can get too entrenched in the management and protection of systems. An imbalance can occur when the needs of the end user are undermined by obsessive focus on protecting and administering the information systems. Information security technologists and end users must recognize that both groups share the same overall goals of the organization—to ensure that data is available when, where, and how it is needed, with minimal delays or obstacles. In an ideal world, this level of availability can be met even after addressing concerns about loss, damage, interception, or destruction.
Jun 30, 2022 03:37

allowance and allotment

Student pay information.

Jun 29, 2022 02:43

chapter 1 module 1 introduction to information security part 7

The software component of an IS includes applications (programs), operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The IT industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls.

Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, costs, and manpower. Information security is all too often implemented as an afterthought rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks.

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted hardware access is possible.

Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a computer as its owner passed it through the conveyor scanning devices. The first perpetrator entered the security area ahead of an unsuspecting target and quickly went through. Then, the second perpetrator waited behind until the target placed the computer on the baggage scanner. As the computer was whisked through, the second perpetrator slipped ahead of the victim and entered the metal detector with a substantial collection of keys, coins, and the like, slowing the detection process and allowing the first perpetrator to grab the computer and disappear in a crowded walkway.

While the security response to September 11 did tighten the security process at airports, hardware can still be stolen in offices, coffee houses, restaurants, and other public places. Although laptops and notebook computers might be worth a few thousand dollars, the information stored on them can be worth a great deal more to disreputable organizations and individuals. Consider that unless plans and procedures are in place to quickly revoke privileges on stolen devices like laptops, tablets, and smartphones, the privileged access that these devices have to cloud-based data stores could be used to steal information that is many times more valuable than the device itself. 

Jun 29, 2022 02:50

Principle of Information Security: Module 1 Introduction to Information Security (Part 5)

Knowledge check activity 1:

What is security?

A. Freedom from fear.

B. Protection from loss.

C. Keeping secrets.

D. Being secure and free from danger.

The answer is D. Being secure and free from danger.

Only this answer is complete. Fear has little to do with security; many are fearful even when secure. Security does not mean losses cannot occur, just that they are planned for and survivable. Confidentiality (secrets) is just one of the three key aspects of security.

Components of information security include computer security, data security, and network security.

The CIA triad has been the industry standard for computer security since the development of the mainframe; the standard is based on three characteristics that describe the attributes of information that are important to protect. These are confidentiality, integrity, and availability.

Some key terms to remember:

Access - a subject or object’s ability to use, manipulate, modify, or affect another subject or object.

Asset - the organizational resource that is being protected.

Attack - an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.

Control, safeguard, or countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.

Exploit - a technique used to compromise a system.

Exposure - a condition or state of being exposed.

Loss - a single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.

Protection profile or security posture - entire set of controls and safeguards that the organization implements to protect the asset.

Risk - the probability of an unwanted occurrence.

Subjects and objects - a computer can be either an agent entity used to conduct an attack or the target entity.

Threat agent - the specific instance or a component of a threat.

Threat source - a category of objects, people, or other entities that represents a danger to an asset.

Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage.

Jun 29, 2022 01:56

chapter 1 module 1 introduction to information security (part 6)

The value of information comes from the characteristics it possesses.

Availability - Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.

Accuracy - Free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity - The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality - The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity - The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Utility - The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession - The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Jun 29, 2022 03:04

Principle of Information Security: Module 1 Introduction to Information Security (Part 4)

The value of information comes from the characteristics it possesses.

Availability - Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format. 

Accuracy - Free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity - The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality - The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity - The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Utility - The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession - The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

The model, which was created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube. As shown in Figure 1-9, the McCumber Cube shows three dimensions. When extrapolated, the three dimensions of each axis become a 3 by 3 by 3 cube with 27 cells representing areas that must be addressed to secure today's information systems. To ensure comprehensive system security, each of the 27 areas must be properly addressed. For example, the intersection of technology, integrity, and storage requires a set of controls or safeguards that address the need to use technology to protect the integrity of information while in storage. One such control might be a system for detecting host intrusion that protects the integrity of information by alerting security administrators to the potential modification of a critical file. A common omission from such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent modules of this book.

As shown in Figure 1-10, an information system (IS) is much more than computer hardware and software; it includes multiple components, all of which work together to support personal and professional operations. Each of the IS components has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the IS also has its own security requirements.

Jun 29, 2022 01:56

Chapter 1 Introduction to Information Security Part 4

2000 to Present.

Today, the Internet brings millions of unsecured computer networks and billions of computer systems into continuous communication with each other. The security of each computer's stored information is contingent on the security level of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyber attacks has made governments and companies more aware of the need to defend the computerized control systems of utilities and other critical infrastructure. Other growing concerns are the threat of countries engaging in information warfare and the possibility that business and personal information systems could become casualties if they are undefended. Since 200, Sarbanes-Oxley and other laws related to privacy and corporate responsibility have affected computer security.

The attack on the World Trade Centers on September 11, 2001, resulted in major legislation changes related to computer security, specifically to facilitate law enforcement's ability to collect information about terrorism. The USA PATRIOT Act of 2001 and its follow-up laws are discussed in Module 6.

The 21st century also saw the massive rise in mobile computing, with smartphones and tablets possessing more computing power than early-era mainframe systems. Embedded devices have brought computing into everyday objects in the Internet of Things (IoT). Each of these networked computing platforms brings its own set of security issues and concerns as they are connected into networks with legacy platforms and cloud-based service delivery systems. Technology that is supposed to be seamless turns out to have many connection points, each with its own set of security and reliability vulnerabilities. The emergence of tools to deal with now-routine threats at large scale has led to the development of complete solutions for unified threat management, data loss prevention, and security information and event management. These solutions will be explored in more detail in later modules.

The threat environment has grown from the semiprofessional hacker defacing web sites for amusement to professional cybercriminals maximizing revenue from theft and extortion, as well as government-sponsored cyberwarfare groups striking military, government, and commercial targets by intent and by opportunity. The attack sources of today are well-prepared and are attacking all connected public and private systems and users.

What is Security?

Security is protection. Protection from adversaries, those who would do harm, intentionally or otherwise, is the ultimate objective of security. National security, for example, is a multilayered system that protects the sovereignty of a state, its people, its resources, and its territory. Achieving the appropriate level of security for an organization also requires a multifaceted system. A successful organization should have multiple layers of security in place to protect its people, operations, physical infrastructure, functions, communications, and information.

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information. Figure 1-5, on page 8 of your textbook, shows that information security includes the broad areas of information security management, data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the CIA triad. The CIA triad has been the standard for computer security in both industry and government since the development of the mainframe. This standard is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, a
Jun 28, 2022 04:33

Chapter 1 Introduction to Information Security Part 3

The 1990s.

At the close of the 20th century, networks of computers became more common, as did the need to connect them to each other. This gave rise to the Internet, the first global network of networks. The internet was made available to the general public in the 1990s after decades of being the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses.

Since its inception as ARPANET, a tool for sharing defense department information, the Internet has become an interconnection of millions of networks. At first, these de facto standards did little to ensure the security of information, though some degree of security was introduced as precursor technologies were widely adopted and became industry standards. However, early Internet deployment treated security as a low priority. In fact, many problems that plague e-mail on the Internet today result from this early lack of security. At that time, when all Internet and e-mail users were presumably trustworthy computer scientists, mail server authentication and e-mail encryption did not seem necessary. Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats. In 1993, the first DEFCON conference was held in Las Vegas. Originally, it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials. A compelling topic was the involvement of hackers in creating an interesting venue for the exchange of information between two adversarial groups - the "white hats" of law enforcement and security professionals and the "black hats" of hackers and computer criminals. In the late 1990s, and into the 2000s, many large corporations began publicly integrating security into their organizations. Antivirus products became extremely popular, and information security began to emerge as an independent discipline.

Jun 28, 2022 02:32

Chapter 1 introduction to information security part 2

The 1960s.

During the 1960s, the Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant networked communications system designed to support the military’s need to exchange information. Larry Roberts, known as the founder of the Internet, developed the project from its inception.

The ARPANET became more popular between the 1970s and 1980s. As more people used the ARPANET, the potential for misuse also increased. In 1973, Internet pioneer Robert M. Metcalfe identified fundamental problems with ARPANET security. As one of the creators of Ethernet, a dominant local area networking protocol, he knew that individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded, including vulnerability of password structure and formats, lack of safety procedures for dial-up connections, and nonexistent user identification and authorizations.

Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was commonly referred to as network insecurity.

RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide use of networking components in military information systems introduced security risks that could not be mitigated by the routine practices then used to secure these systems. If you turn your textbook to page 6, in Figure 1-4, you will see an illustration of computer network vulnerabilities from the 1979 release of this document. This paper signaled a pivotal moment in computer security history: the scope of computer security expanded significantly from the safety of physical locations and hardware to include the following:

Securing the data.

Limiting random and unauthorized access to data.

Involving personnel from multiple levels of the organization in information security.

MULTICS.

Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

Jun 28, 2022 02:26

Module Part 1 introduction to information security

Welcome to module one, introduction to information security. 

By the end of this chapter, you will be able to define what information security is.

Discuss the history of computer security and explain how it evolved into information security.

Be able to define some key terms and critical concepts of information security.

And describe the information security roles of professionals within an organization. 

Introduction. 

Every company and organization that does business using computers and networks will have some kind of information it wants to protect.

All organizations have a responsibility to their stakeholders to protect the information they've obtained from their customers, employees and investors.

Protecting the information is important. However, there are not enough security professionals to go around. That is why, when it comes to information security, it is everyone's responsibility, and if you are not part of the solution, you're part of the problem.

Jun 28, 2022 04:41

Winning Answers to 500 Interview Questions - Page 13

27. What kind of games do you like to play?

Why this question is being asked: The interviewer wants to better understand who you are outside of the job.

Strategy: Focus on games that require solving puzzles and strategic thinking as these are valued skills in most jobs.

Sample answer: I enjoy playing chess. It's the type of game that no matter how skilled you become, there is always someone better. It motivates me to continue to learn and improve.

28. What do you do in your leisure time?

Why this question is being asked: The interviewer wants to know if you are a well-rounded person.

Strategy: There is really no wrong answer here but you should avoid any controversial answers. This is not really the place to discuss hunting or governmental protests.

Sample answer: I dedicate much of my time to my job but I find that it is important to find the time to relax. I enjoy spending time with my wife and daughter. We like to go to the park, see friends and go out to eat.

29. What do you do to deal with stress?

Why this question is being asked: As work is naturally stressful, the interviewer wants to know how you manage yours.

Strategy: Be honest that you do get stressed. Provide concrete examples to show how you can manage the stress.

Sample answer: I try to remain calm and prioritize my time when thinking about what needs to be done first. If it is an especially stressful time of year, I make sure to spend my lunch away from my desk and to get some exercise. I find that it makes me feel refreshed so that I have the energy to deal with the work.

Jun 24, 2022 01:47

Winning Answers to 500 Interview Questions - Page 12

24. What accomplishment has given you the most satisfaction?

Why this question is being asked: A predictor of your ability to accomplish things in the future is partly based on what you've accomplished in the past.

Strategy: Provide an accomplishment that would be relevant to the job you are interviewing for. Paint a picture of what you accomplished, how you went about accomplishing it and why it was important.

Sample answer: I've always been good at multi-tasking but I was not sure that I'd be able to go to school full-time while working and raising a family. It wasn't always easy but I was able to do it successfully. I'd study on the train, wake up early, go to sleep late and learned how to manage everything that I do more effectively.

25. What are your hobbies?

Why this question is being asked: The interviewer wants to understand who you are outside of the job.

Strategy: There is really no wrong answer here but you should avoid any controversial answers. This is not really the place to discuss hunting or governmental protests.

Sample answer: Since my job is desk-based, I like to do hobbies that give me exercise and allow me to spend time with my family. I like to play sports and go camping.

26. What sports do you play?

Why this question is being asked: The interviewer wants to understand who you are outside of the job. There is some perception that active, healthier people are more productive.

Strategy: If possible, provide some examples of sports you participate in to show that you are active and are not all about work. To show a competitive spirit isn't a bad thing either.

Sample answer: Informally, I run regularly. I like to compete with myself in breaking my fastest time. I have a competitive spirit so when time allows, I like to participate in pickup basketball games.

Jun 24, 2022 01:57