Principles of Information Security
Chapter 2 – The Need for Security
Based on the Fourth Edition of:
M. E. Whitman, H. J. Mattord: Principles of Information Security
School of Business, Department of Information Technology
Introduction Business Needs First Threats Attacks
For our bad neighbor makes us early stirrers;
which is both healthful and good husbandry.
William Shakespeare (1564-1616)
Chapter 2 – The Need for Security Principles of Information Security 2
Learning Objectives
Demonstrate that organizations have a business need for
information security.
Explain why a successful information security program is the
responsibility of both an organization’s general management
and IT management.
Identify the threats posed to information security and the
more common attacks associated with those threats.
Outline
1 Introduction
2 Business Needs First
3 Threats
4 Attacks
Introduction
Primary mission of information security is to ensure systems
and contents stay the same
If no threats existed, resources could be focused on improving
systems, resulting in vast improvements in ease of use and
usefulness
Attacks on information systems are a daily occurrence
Business Needs First
Information security performs the following four important
functions for an organization:
1 Protects the organization’s ability to function.
2 Enables the safe operation of applications implemented in the
organization’s IT systems.
3 Protects the data the organization collects and uses.
4 Safeguards the technology assets in use at the organization.
Business Needs First (cont.)
1 Protecting the Functionality of an Organization
Both general management and IT management are responsible
for implementing information security to protect the ability of
the organization to function
Information security is both a management issue and a people
issue
Organization should address information security in terms of
business impact and cost
Business Needs First (cont.)
2 Enabling the Safe Operation of Applications
Organization needs environments that safeguard applications
using IT systems.
Management must continue to oversee infrastructure once in
place – not defer to the IT department.
Business Needs First (cont.)
3 Protecting Data that Organizations Collect and Use
Organization, without data, loses its record of transactions
and/or ability to deliver value to customers.
Protecting data in motion and data at rest are both critical
aspects of information security.
Business Needs First (cont.)
4 Safeguarding Technology Assets in Organizations
Organizations must have secure infrastructure services based
on size and scope of enterprise.
Additional security services may be needed as organization
expands.
More robust solutions may be needed to replace security
programs the organization has outgrown.
Quick Quiz
1 The principal goal of the information security program should
be to ______.
Answer: ensure that systems and their contents remain the
same
2 Information security has more to do with ______ than with
______.
Answer: management, technology
3 True or False: Many organizations find that their most
valuable asset is their data.
Answer: True
Threats
A threat is an object, person, or other entity that represents a
constant danger to an asset.
Management must be informed of the different threats facing
the organization
Overall security is improving
The 2009 CSI/FBI survey found
64% of organizations had malware infections
14% indicated system penetration by an outsider
Threats (cont.)
Table 2-1 Threats to Information Security
Threats (cont.)
Figure 2-1 World Internet usage
Threats – Compromises to Intellectual Property
Intellectual property (IP): ownership of ideas and control over
the tangible or virtual representation of those ideas.
The most common IP breaches involve software piracy.
Two watchdog organizations investigate software abuse:
1 Software & Information Industry Association (SIIA)
2 Business Software Alliance (BSA)
Enforcement of copyright law has been attempted with
technical security mechanisms (e.g. digital watermarks).
Threats – Deliberate Software Attacks
Malicious software (malware) is designed to damage, destroy, or
deny service to target systems. Includes viruses, worms,
Trojan horses, back doors, and denial-of-service attacks.
A macro virus is embedded in the automatically executing
macro code. A boot virus infects key operating system files
located in a computer’s boot sector.
Worms are malicious programs that replicate themselves
constantly without requiring another program.
Trojan horses are software programs that hide their true
nature and reveal their designed behavior only when activated.
Threats – Deliberate Software Attacks (cont.)
Figure 2-4 Trojan Horse Attack
Threats – Espionage or Deliberate Acts of Trespass
Access of protected information by unauthorized individuals.
Competitive intelligence (legal) vs. industrial espionage
(illegal).
Shoulder surfing can occur anywhere a person accesses
confidential information.
Controls let trespassers know they are encroaching on the
organization’s cyberspace.
Hackers use skill, guile, or fraud to bypass controls protecting
others’ information.
Threats – Espionage or Deliberate Acts of Trespass
Figure 2-5 Shoulder Surfing
Threats – Espionage or Deliberate Acts of Trespass
Expert hacker:
Develops software scripts and program exploits
Usually a master of many skills
Will often create attack software and share with others
Unskilled hacker:
Many more unskilled hackers than expert hackers
Use expertly written software to exploit a system
Do not usually fully understand the systems they hack
Threats – Espionage or Deliberate Acts of Trespass
Figure 2-6 Hacker Profiles
Threats – Espionage or Deliberate Acts of Trespass
There are other terms for system rule breakers:
The term cracker is now commonly associated with an
individual who cracks or removes software protection that is
designed to prevent unauthorized duplication.
A phreaker hacks the public telephone network to make free
calls and/or disrupt services.
Threats – Deliberate Acts of Information Extortion
Attacker steals information from a computer system and
demands compensation for its return or nondisclosure.
Commonly done in credit card number theft.
Threats – Acts of Human Error or Failure
This category includes the possibility of acts performed
without intent or malicious purpose by an individual who is an
employee of an organization.
Inexperience, improper training, making incorrect
assumptions, and other circumstances can cause problems.
Many threats can be prevented with controls, ranging from
simple procedures, such as requiring the user to type a critical
command twice, to more complex procedures, such as the
verification of commands by a second party.
Threats – Acts of Human Error or Failure
Figure 2-8 Acts of Human Error or Failure
Quick Quiz
1 A ______ is an object, person, or other entity that represents
a constant danger to an asset.
Answer: threat
2 When an unauthorized individual gains access to the
information an organization is trying to protect, that act is
categorized as a deliberate act of ______.
Answer: trespass
3 A ______ hacks the public telephone network to make free
calls or disrupt services.
Answer: phreaker
Threats – Deliberate Acts of Sabotage or Vandalism
Attacks on the face of an organization – its Web site. Threats
can range from petty vandalism to organized sabotage.
Web site defacing can erode consumer confidence, dropping
sales and the organization’s net worth.
Today, security experts are noticing a rise in another form of
online vandalism: hacktivist or cyberactivist operations. A
more extreme version is cyberterrorism, in which attackers
hack systems to conduct terrorist activities via network or
Internet pathways.
Threats (cont.)
Figure 2-9 Cyber Activists Wanted
Threats – Deliberate Acts of Theft
Theft is the illegal taking of another’s property. Within an
organization, that property can be physical, electronic or
intellectual.
The value of information suffers when it is copied and taken
away without the owner’s knowledge.
Physical theft can be controlled quite easily. Many measures
can be taken, including locking doors, training security
personnel, and installing alarm systems.
Electronic theft, however, is a more complex problem to
manage and control. Organizations may not even know it has
occurred.
Threats – Forces of Nature
Forces of nature, force majeure, or acts of God pose some of
the most dangerous threats, because they are unexpected and
can occur with very little warning (e.g. fire, flood,
earthquake, tsunami).
They disrupt not only individual lives, but also the storage,
transmission, and use of information.
Organizations must implement controls to limit damage and
prepare contingency plans for continued operations.
Threats – Deviations in Quality of Service
This category represents situations in which products or
services are not delivered to the organization as expected.
Internet service, communications, and power irregularities
dramatically affect availability of information and systems.
Other utility services can impact organizations as well. Among
these are telephone, water, wastewater, trash pickup, cable
television, natural or propane gas, and custodial services.
Threats – Technical Hardware Failures or Errors
Occur when a manufacturer distributes equipment containing
flaws to users.
Can cause system to perform outside of expected parameters,
resulting in unreliable or poor service.
Some errors are terminal in that they result in the
unrecoverable loss of the equipment. Some errors are
intermittent in that they only periodically manifest
themselves, resulting in faults that are not easily repeated.
Threats – Technical Software Failures or Errors
This category involves threats that come from purchasing
software with unknown, hidden faults.
Combinations of certain software and hardware can reveal new
software bugs
Large quantities of computer code are written, debugged,
published, and sold before all of their bugs are detected and
resolved
Quick Quiz
1 When an individual steals information from a computer system
and demands compensation for its return or nondisclosure,
that act is categorized as a deliberate act of ______.
Answer: information extortion
2 Attacks on the face of an organization (i.e. its Web site) are
categorized as deliberate acts of ______.
Answer: sabotage or vandalism
3 ______ are software programs that hide their true nature and
reveal their designed behavior only when activated.
Answer: Trojan horses
Attacks
A vulnerability is an identified weakness of a controlled system
where controls are not present or are no longer effective.
An attack is a deliberate act that exploits a vulnerability to
compromise a controlled system.
An attack is accomplished by a threat agent that damages or
steals an organization’s information or physical asset.
Attacks (cont.)
Table 2-2 Attack Replication Vectors
Attacks (cont.)
Malicious code: includes execution of viruses, worms, Trojan
horses, and active Web scripts with intent to destroy or steal
information.
Hoaxes: transmission of a virus hoax with a real virus
attached; more devious form of attack.
Back door: gaining access to system or network using known
or previously unknown/newly discovered access mechanism.
Password crack: attempting to reverse calculate a password.
Brute force attack: trying every possible combination of
options of a password.
Attacks (cont.)
Dictionary attack: selects specific accounts to attack and uses
commonly used passwords (i.e., the dictionary) to guide
guesses.
Denial-of-service (DoS): attacker sends a large number of
connection or information requests to a target.
The target system cannot handle these successfully along with
other, legitimate service requests, which may result in a
system crash or an inability to perform ordinary functions.
Distributed denial-of-service (DDoS): a coordinated stream of
requests is launched against the target from many locations
simultaneously.
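To make the brute force and dictionary attack definitions concrete from the defender's side, here is an added example (not from the textbook or these slides) that estimates the exhaustive search space a password forces on an attacker and checks it against a small constructed list of commonly used passwords. The password list, the character classes and the guesses-per-second rate are assumed illustration values.

```python
"""Added example: why dictionary attacks succeed where brute force is
costly. Given a candidate password, estimate the size of the search
space an exhaustive (brute force) attacker would have to cover, and
check whether the password appears in a small constructed list of
commonly used passwords (the "dictionary"). The list and the guess
rate are constructed illustration values, not figures from the text.
"""
from __future__ import annotations

import math
import string
from dataclasses import dataclass

# Constructed stand-in for a "commonly used passwords" list.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football",
})

# Character classes an exhaustive attacker must enumerate; each class
# the password uses enlarges the alphabet, and the keyspace grows as
# alphabet ** length.
_CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)


def charset_size(password: str) -> int:
    """Number of distinct characters the attacker must assume, based on
    which character classes the password actually uses."""
    size = 0
    for _, chars in _CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    return size


def brute_force_keyspace(password: str) -> int:
    """Candidates an exhaustive search covers: |alphabet| ** len."""
    return charset_size(password) ** len(password)


def in_dictionary(password: str, dictionary=COMMON_PASSWORDS) -> bool:
    """Case-insensitive match against the common-password list."""
    return password.lower() in dictionary


@dataclass
class Verdict:
    password_length: int
    alphabet: int
    keyspace: int
    bits: float
    dictionary_hit: bool
    reason: str


def assess(password: str, guesses_per_second: float = 1e9) -> Verdict:
    """Classify the password by the cheapest attack that defeats it.

    A dictionary hit wins regardless of length, because the attacker
    never has to search the keyspace. guesses_per_second is a
    constructed illustration rate, not a measured one."""
    space = brute_force_keyspace(password)
    bits = math.log2(space) if space > 0 else 0.0
    hit = in_dictionary(password)
    if hit:
        reason = "in common-password dictionary: falls to a dictionary attack"
    else:
        seconds = space / guesses_per_second
        if seconds < 86400:
            reason = f"brute force covers keyspace in {seconds:.0f} s"
        else:
            reason = f"brute force needs {seconds / 86400:.1f} days"
    return Verdict(len(password), charset_size(password), space, bits, hit, reason)


if __name__ == "__main__":
    for candidate in ("password", "abc", "Tr0ub4dor&3"):
        v = assess(candidate)
        print(f"{candidate!r}: alphabet={v.alphabet} bits={v.bits:.1f} -> {v.reason}")
```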
Attacks (cont.)
Figure 2-11 Denial-of-Service Attacks
Quick Quiz
1 True or False: Warnings of attacks that are not valid are
usually called hoaxes.
Answer: True
2 Applying computer and network resources to try exhaustive
combinations for access is called a(n) ______ attack.
Answer: brute force
3 When a program tries using all commonly used passwords,
this is known as a(n) ______.
Answer: dictionary attack
4 When a program tries to reverse-calculate passwords, this is
known as a(n) ______.
Answer: password crack
Attacks (cont.)
Spoofing is a technique used to gain unauthorized access to
computers, wherein the intruder sends messages to a
computer containing an IP address that indicates that the
messages are coming from a trusted host.
Man-in-the-middle: attacker monitors network packets,
modifies them, and inserts them back into the network.
Spam: unsolicited commercial e-mail; more a nuisance than
an attack, though it is emerging as a vector for some attacks.
Mail bombing: also a DoS; attacker routes large quantities of
e-mail to target.
Attacks (cont.)
Figure 2-12 IP Spoofing
Attacks (cont.)
Figure 2-13 Man-in-the-Middle Attack
Attacks (cont.)
A sniffer is a program or device that monitors data traveling
over a network; it can be used both for legitimate purposes and
for stealing information from a network.
Social engineering is the process of using social skills to
convince people to reveal access credentials or other valuable
information to the attacker.
Phishing: an attempt to gain personal/financial information
from individual, usually by posing as legitimate entity.
Pharming: redirection of legitimate Web traffic (e.g., browser
requests) to illegitimate site for the purpose of obtaining
private information.
Timing attack: relatively new; works by exploring contents of
a Web browser’s cache to create malicious cookie.
Attacks (cont.)
Figure 2-14 Example of a Nigerian 4-1-9 Fraud
Quick quiz
1 Using a known or previously installed access mechanism is
called using a ______.
(a) hidden bomb
(b) vector
(c) spoof
(d) back door
Answer: (d)
2 Unsolicited commercial e-mail is also called ______.
Answer: spam
3 Another name for TCP hijacking is ______.
(a) man-in-the-middle
(b) mail bombing
(c) spoofing
(d) denial of service
Answer: (a)
Additional Resources
1 Governing for Enterprise Security Implementation Guide
[Link]
2 Build Security In:Secure Software Development Lifecycle
[Link]
[Link]/bsi/articles/knowledge/sdlc/[Link]
3 Verizon Data Breach Investigations Report (2010)
[Link] 2010-
data-breach-report en [Link]