Information Security

Information security is crucial for protecting sensitive data from unauthorized access and ensuring its confidentiality, integrity, and availability. It involves multiple layers of security, including physical, personnel, operations, communications, and network security, as well as adherence to established policies and training. The evolution of cybercrime has necessitated stronger measures and technologies to safeguard information, making security a continuous process rather than a fixed goal.

Uploaded by

Mani Kumar
Copyright: © All Rights Reserved
INTRODUCTION TO INFORMATION SECURITY

Introduction

Information security protects sensitive information from unauthorized activities, including inspection, modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of critical data such as customer account details, financial data or intellectual property.

Security

In general, security is "the quality or state of being secure, to be free from danger." In other words, the objective is protection against adversaries, from those who would do harm, intentionally or otherwise. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.

Multiple Layers of Security

A successful organization should have the following multiple layers of security in place to protect its operations:

1. Physical Security: to protect physical items, objects, or areas from unauthorized access and misuse.
2. Personnel Security: to protect the individual or group of individuals who are authorized to access the organization and its operations.
3. Operations Security: to protect the details of a particular operation or series of activities.
4. Communications Security: to protect communications media, technology, and content.
5. Network Security: to protect networking components, connections, and contents.
6. Information Security: to protect the confidentiality, integrity, and availability of information, whether in storage, processing, or transmission. It is achieved through the application of policy, education, training and awareness, and technology.
CIA Triangle

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. Figure 1-3 shows that information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability. The C.I.A. triangle (confidentiality, integrity, and availability) has since expanded into a more comprehensive list of critical characteristics of information. At the heart of the study of information security is the concept of policy. Policy, awareness, training, education, and technology are vital concepts for the protection of information and for keeping information systems from danger.

1. Confidentiality: Ensuring that information is organized in terms of who needs to have access, as well as the sensitivity of the data. A breach of confidentiality may take place through different means, for instance hacking or social engineering.

2. Integrity: Data integrity refers to the certainty that the data is not tampered with or degraded during or after submission. It is the certainty that the data has not been subject to unauthorized modification, either intentional or unintentional. There are two points during the transmission process at which integrity could be compromised: during the upload or transmission of the data, or during the storage of the document in the database or collection.
3. Availability: This means that the information is available to authorized users when it is needed. For a system to demonstrate availability, it must have properly functioning computing systems, security controls and communication channels. Systems defined as critical (power generation, medical equipment, safety systems) often have extreme requirements related to availability. These systems must be resilient against cyber threats, and have safeguards against power outages, hardware failures and other events that might impact system availability.

These days, information plays an important role in the day-to-day life of every individual, whether a high-profile businessman or a small shop owner. Information is generated in different forms, from their smartphones to their transaction receipts and buying patterns. This presents a wealth of opportunities for people to steal data; that is why information security is a necessity.

Offline site security: Information security was limited to the access points where computers were stored, as they used to be large in size and required a huge area to be stored and operated. Multiple layers of security were installed over that area ...

90s: Evolution of cyber crime ...

... status of the information system to appropriate agency officials is an essential part of a comprehensive information security program.

C. Information preservation: ensures that information is retained, as necessary, to conform to current legal requirements and to accommodate future technology changes that may render the retrieval method obsolete.
D. Media sanitization: ensures that data is deleted, erased, and written over as necessary.
E. Hardware and software disposal: ensures that hardware and software are disposed of as directed by the information system security officer.
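The integrity property described above names two points at which data can be altered: during upload or transmission, and later while it sits in the database or collection. The following Python example is added here to show how a service checks both points with a keyed hash (HMAC-SHA256); it is not code from the page or from the textbook it is drawn from. The key, the `Collection` class, the document contents and the `_corrupt` test hook are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed example key held by the receiving service. In a real deployment
# it would come from a key store, never from a literal in source code.
INTEGRITY_KEY = b"example-key-not-for-production"


def tag(data: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the data. Without the key, a party that modifies the
    data cannot produce a matching tag, so modification is detectable."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, expected_tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison, so the check itself leaks no timing information."""
    return hmac.compare_digest(tag(data, key), expected_tag)


class Collection:
    """Stand-in for the 'database or collection' in the text: it keeps each
    document together with the tag that was validated when it was accepted."""

    def __init__(self):
        self._docs = {}

    def upload(self, doc_id: str, data: bytes, client_tag: str) -> bool:
        # Compromise point 1: upload/transmission. Reject the document if the
        # tag computed by the sender does not match what actually arrived.
        if not verify(data, client_tag):
            return False
        self._docs[doc_id] = (data, client_tag)
        return True

    def retrieve(self, doc_id: str) -> bytes:
        # Compromise point 2: storage. Re-verify before handing the document out.
        data, stored_tag = self._docs[doc_id]
        if not verify(data, stored_tag):
            raise ValueError(f"integrity failure: {doc_id} was modified in storage")
        return data

    def _corrupt(self, doc_id: str, data: bytes):
        # Test hook simulating a storage-side modification (bit rot or an
        # unauthorized write) that leaves the stored tag untouched.
        _, stored_tag = self._docs[doc_id]
        self._docs[doc_id] = (data, stored_tag)


def demo() -> dict:
    """Exercise both compromise points and report what each check caught."""
    store = Collection()
    original = b"account=1234,balance=100"   # constructed document
    t = tag(original)
    results = {}
    # Unmodified upload is accepted.
    results["clean_upload"] = store.upload("doc1", original, t)
    # Modified in transit: the data changed but the sender's tag did not.
    results["tampered_upload"] = store.upload("doc2", b"account=1234,balance=999", t)
    # Unmodified storage returns exactly what was stored.
    results["clean_retrieve"] = store.retrieve("doc1") == original
    # Modified in storage: the stored tag no longer matches the bytes.
    store._corrupt("doc1", b"account=1234,balance=999")
    try:
        store.retrieve("doc1")
        results["storage_tamper_detected"] = False
    except ValueError:
        results["storage_tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a plain (unkeyed) hash stored beside the data would catch accidental corruption but not a deliberate modification, because whoever can rewrite the document can also rewrite its hash; the key is what turns the check into an integrity control against an adversary.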
Adapted from Security Considerations in the Information System Development Life Cycle.

It is imperative that information security be designed into a system from its inception, rather than added in during or after the implementation phase. Information systems that were designed with no security functionality, or with security functions added as an afterthought, often require constant patching, updating, and maintenance to prevent risk to the systems and information. It is a well-known adage that "an ounce of prevention is worth a pound of cure." With this in mind, organizations are moving toward more security-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their products. In early 2002, Microsoft effectively suspended development work on many of its products while it put its OS developers, testers, and program managers through an intensive program focusing on secure software development. It also delayed release of its flagship server operating system to address critical security issues. Many other organizations are following Microsoft's recent lead in putting security into the development process.

The primary mission of an information security program is to ensure that systems and their contents remain the same. Organizations expend hundreds of thousands of dollars and thousands of man-hours to maintain their information systems. If threats to information and systems didn't exist, these resources could be used to improve the systems that support the information. However, attacks on information systems are a daily occurrence, and the need for information security grows along with ...

Business Needs First

Information security performs four important functions for an organization:

1. Protecting the organization's ability to function.
2. Enabling the safe operation of applications running on the organization's systems.
3. Protecting the data the organization collects and uses.
4. Safeguarding the organization's technology assets.

1. Protecting the Functionality of an Organization: Both general management and IT management are responsible for implementing information security that protects the organization's ability to function. Although many business and government managers shy away from addressing information security because they perceive it to be a technically complex task, in fact, implementing information security has more to do with management than with technology. Just as managing payroll has more to do with management than with mathematical wage computations, managing information security has more to do with policy and its enforcement than with the technology of its implementation.

2. Enabling the Safe Operation of Applications: Today's organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications. A modern organization needs to create an environment that safeguards these applications, particularly those that are important elements of the organization's infrastructure: operating system platforms, electronic mail (e-mail), and instant messaging (IM) applications. Organizations acquire these elements from a service provider or they build their own.
Once an organization's infrastructure is in place, management must continue to oversee it, and not relegate its management to the IT department.

3. Protecting Data that Organizations Collect and Use: Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers. Any business, educational institution, or government agency operating within the modern context of connected and responsive services relies on information systems. Even when transactions are not online, information systems and the data they process enable the creation and movement of goods and services. Therefore, protecting data in motion and data at rest are both critical aspects of information security. The value of data motivates attackers to steal, sabotage, or corrupt it. An effective information security program implemented by management protects the integrity and value of the organization's data.

4. Safeguarding Technology Assets in Organizations: To perform effectively, organizations must employ secure infrastructure services appropriate to the size and scope of the enterprise. For instance, a small business may get by using an e-mail service provided by an ISP and augmented with a personal encryption tool. When an organization grows, it must develop additional security services. For example, organizational growth could lead to the need for public key infrastructure (PKI), an integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure.

Threats

The categorization scheme consists of fourteen general categories that represent clear and present dangers to an organization's people, information, and systems.
Each organization must prioritize the threats it faces, based on the particular security situation in which it operates, its organizational strategy regarding risk, and the exposure levels at which its assets operate.

1. Compromises to Intellectual Property

Many organizations create, or support the development of, intellectual property (IP) as part of their business operations. Intellectual property is defined as "the ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person's intellectual property may or may not involve royalty payments or permission, but should always include proper credit to the source." Intellectual property can be trade secrets, copyrights, trademarks, and patents. The unauthorized appropriation of IP constitutes a threat to information security. Employees may have access privileges to the various types of IP, and may be required to use the IP to conduct day-to-day business. Organizations often purchase or lease the IP of other organizations, and must abide by the purchase or licensing agreement for its fair and responsible use. The most common IP breach is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy. Many individuals and organizations do not purchase software as mandated by the owner's license agreements. Because most software is licensed to a particular purchaser, its use is restricted to a single user or to a designated user in an organization. If the user copies the program to another computer without securing another license or transferring the license, he or she has violated the copyright.

2. Deliberate Software Attacks

Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. Most of this software is referred to as malicious code or malicious software, or sometimes malware.
These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, and back doors.

3. Deviations in Quality of Service

An organization's information system depends on the successful operation of many interdependent support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers. Any one of these support systems can be interrupted by storms, employee illnesses, or other unforeseen events. Deviations in quality of service can result from incidents such as a backhoe taking out a fiber-optic link for an ISP. The backup provider may be online and in service, but may be able to supply only a fraction of the bandwidth the organization needs for full service. This degradation of service is a form of availability disruption. Irregularities in Internet service, communications, and power supplies can dramatically affect the availability of information and systems.

A. Internet Service Issues: In organizations that rely heavily on the Internet and the World Wide Web to support continued operations, Internet service provider failures can considerably undermine the availability of information. Many organizations have sales staff and telecommuters working at remote locations. When these offsite employees cannot contact the host systems, they must use manual procedures to continue operations.

B. Service Provider Issues: Other utility services can affect organizations as well. Among these are telephone, water, wastewater, trash pickup, and custodial services. The loss of these services can impair the ability of an organization to function. For instance, most ... require water service to ...
4. Espionage or Trespass

Some information gathering techniques are quite legal, for example, using a Web browser to perform market research. These legal techniques are called, collectively, competitive intelligence. When information gatherers employ techniques that cross the threshold of what ...

5. Forces of Nature

Forces of nature ... present some of the most dangerous threats ... Floods, earthquakes, and lightning ... can disrupt not only the lives of individuals but also the storage, transmission, and use of information. Some of the more common threats in this group are listed here:

a. Fire: Usually a structural fire that damages a building housing computing equipment that comprises all or part of an information system, as well as smoke damage and/or water damage from sprinkler systems or firefighters. This threat can usually be mitigated with fire casualty insurance and/or business interruption insurance.

b. Flood: An overflowing of water onto an area that is normally dry, causing direct damage to all or part of the information system or to the building that houses all or part of it. ...

c. ... power distribution components. It can also cause fires or other damage to the building that houses all or part of the information system, and disrupt operations by interfering with access to the buildings that house all or part of the information system. This threat can usually be mitigated with multipurpose casualty insurance and/or business interruption insurance.

d. Landslide or Mudslide: The downward sliding of a mass of earth and rock directly damaging all or part of the information system or, more likely, the building that houses it. Land or mudslides also disrupt operations by interfering with access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.
e. Tornado or Severe Windstorm: A rotating column of air ranging in width from a few yards to more than a mile and whirling at destructively high speeds, usually accompanied by a funnel-shaped downward extension of a cumulonimbus cloud. Storms can directly damage all or part of the information system or, more likely, the building that houses it, and can also interrupt access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.

f. Hurricane or Typhoon: A severe tropical cyclone originating in the equatorial regions of the Atlantic Ocean or Caribbean Sea or eastern regions of the Pacific Ocean (typhoon), travelling north, northwest, or northeast from its point of origin, and usually involving heavy rains. These storms can directly damage all or part of the information system or, more likely, the building that houses it. Organizations located in coastal or low-lying areas may experience flooding (see above). These storms may also disrupt operations by interrupting access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.

g. Tsunami: A very large ocean wave caused by an underwater earthquake or volcanic eruption. These events can directly damage all or part of the information system or, more likely, the building that houses it. Organizations located in coastal areas may experience tsunamis. Tsunamis may also cause disruption to operations through loss of access or electrical power to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.

h. Electrostatic Discharge (ESD): ... across a carpet can be costly or dangerous when it ignites flammable mixtures and damages costly electronic components. Static electricity can draw dust into clean-room environments or cause products to stick together.
The cost of ESD-damaged electronic devices and interruptions to service can range from only a few cents to several millions of dollars for critical systems. Loss of production time in information processing due to ESD impact is significant. While not usually viewed as a threat, ESD can disrupt information systems, but it is not usually an insurable loss unless covered by business interruption insurance.

i. Dust Contamination: Some environments are not friendly to the hardware components of information systems. Because dust contamination can shorten the life of information systems or cause unplanned downtime, this threat can disrupt normal operations.

Since it is not possible to avoid force of nature threats, organizations must implement controls to limit damage, and they must also prepare contingency plans for continued operations, such as disaster recovery plans, business continuity plans, and incident response plans.

6. Human Error or Failure

This category includes acts performed without intent or malicious purpose by an authorized user. When people use information systems, mistakes happen. Inexperience, improper training, and incorrect assumptions are just a few things that can cause these misadventures. Regardless of the cause, even innocuous mistakes can produce extensive damage. One of the greatest threats to an organization's information security is the organization's own employees. Employees are the threat agents closest to the organizational data. Because employees use data in everyday activities to conduct the organization's business, their mistakes represent a serious threat to the confidentiality, integrity, and availability of data, even, as the accompanying figure suggests, relative to threats from outsiders.

7. Information Extortion

Information extortion occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it.
Extortion is common in credit card number theft. For example, Web-based retailer CD Universe was the victim of a theft of data files containing customer credit card information. The culprit was a Russian hacker named Maxus, who hacked the online vendor and stole several hundred thousand credit card numbers. When the company refused to pay the blackmail, he posted the card numbers to a Web site, offering them to the criminal community. His Web site became so popular he had to restrict access.

8. Missing, Inadequate, or Incomplete Organizational Policy or Planning

Missing, inadequate, or incomplete organizational policy or planning makes an organization vulnerable to loss of or damage to its information assets when other threats lead to attacks. Information security is, at its core, a management function. The organization's executive leadership is responsible for strategic planning for security as well as for IT and business functions, a task known as governance.

9. Missing, Inadequate, or Incomplete Controls

Missing, inadequate, or incomplete controls, that is, security safeguards and information asset protection controls that are missing, misconfigured, antiquated, or poorly designed or managed, make an organization more likely to suffer losses when other threats lead to attacks. For example, if a small organization installs its first network using small office/home office (SOHO) equipment (which is similar to the equipment you might have on your home network) and fails to upgrade its network equipment as it becomes large, the increased traffic can affect performance and cause information loss. Routine security audits to assess the current levels of protection help to ensure the continuous protection of the organization's assets.

10. Sabotage or Vandalism

...

11. Theft

Theft is the illegal taking of another's property, which can be physical, electronic, or intellectual property. The value of information is diminished when it is copied without the owner's knowledge. Physical theft can be controlled quite easily by a wide variety of measures, from locked doors to trained security personnel. Electronic theft is a more complex problem: with physical theft the loss is easily detected, but electronic
crime is not always readily apparent. If thieves are clever and cover their tracks carefully, no one may ever know of the crime until it is far too late.

12. Technical Hardware Failures or Errors

Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal, that is, they result in the unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated, and thus, equipment can sometimes stop working, or work in unexpected ways.

13. Technical Software Failures or Errors

Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new bugs. These failures range from bugs to untested failure conditions. Sometimes these bugs are not errors, but rather purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors and can cause serious security breaches. Software bugs are so commonplace that entire Web sites are dedicated to documenting them. Among the most often used is Bugtraq, found at www.securityfocus.com, which provides up-to-the-minute information on the latest security vulnerabilities, as well as a very thorough archive of past bugs.

14. Technological Obsolescence

Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks.
Management's strategic planning should always include an analysis of the technology currently in use. Ideally, proper planning by ...

Attacks

An attack is an act that takes advantage of a vulnerability to compromise a controlled system. It is accomplished by a threat agent that damages or steals an organization's information or physical asset. A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective. Unlike threats, which are always present, attacks only exist when a specific act may cause a loss. For example, the threat of damage from a thunderstorm is present throughout the summer in many places, but an attack and its associated risk of loss only exist for the duration of an actual thunderstorm.

Major Types of Attacks Used Against Controlled Systems

The following sections discuss each of the major types of attacks used against controlled systems.

1. Malicious Code: The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. The state-of-the-art malicious code attack is the polymorphic, or multivector, worm.

5. Brute Force: The application of computing and network resources to try every possible password combination is called a brute force attack. Since the brute force attack is often used to obtain passwords to commonly used accounts, it is sometimes called a password attack. If attackers can narrow the field of target accounts, they can devote more time and resources to these accounts. That is one reason to always change the manufacturer's default administrator account names and passwords. Password attacks are rarely successful against systems that have adopted the manufacturer's recommended security practices.
Controls that limit the number of unsuccessful access attempts allowed per unit of elapsed time are very effective against brute force attacks.

6. Dictionary: The dictionary attack is a variation of the brute force attack which narrows the field by selecting specific target accounts and using a list of commonly used passwords (the dictionary) instead of random combinations. Organizations can use similar dictionaries to disallow passwords during the reset process and thus guard against easy-to-guess passwords. In addition, rules requiring numbers and/or special characters in passwords make the dictionary attack less effective.

7. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS): In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target. So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions. A distributed denial-of-service (DDoS) is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised machines are turned into zombies, machines that are directed remotely (usually by a transmitted command) by the attacker to participate in the attack. DDoS attacks are the most difficult to defend against, and there are presently no controls that any single organization can apply. There are, however, some cooperative efforts to enable DDoS defenses among groups of service providers; among them is the Consensus Roadmap for Defeating Distributed Denial of Service Attacks.
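The two controls named above for brute force and dictionary attacks are a limit on unsuccessful attempts per unit of elapsed time and a password dictionary applied at reset time together with complexity rules. The Python example below is added to show both in working form; it is not code from the page or the textbook. The common-password list, the thresholds (5 failures per 300 seconds, 12-character minimum), the credential store and the guess sequence are all constructed values chosen for the illustration.

```python
import time
from collections import deque

# Constructed stand-in for the much larger dictionaries organizations use
# to disallow easily guessed passwords during a reset.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

MAX_FAILURES = 5      # unsuccessful attempts allowed ...
WINDOW_SECONDS = 300  # ... per this much elapsed time, per account (assumed values)


def password_policy_violations(candidate: str) -> list:
    """Reasons a proposed password would be rejected at reset time."""
    problems = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("in common-password dictionary")
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(not c.isalnum() for c in candidate):
        problems.append("no special character")
    return problems


class LoginThrottle:
    """Counts unsuccessful attempts per account inside a sliding time window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock           # injectable so the scenario below is deterministic
        self._failures = {}          # account -> deque of failure timestamps

    def _prune(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()              # forget failures older than the window
        return q

    def is_locked(self, account) -> bool:
        return len(self._prune(account, self.clock())) >= self.max_failures

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, credentials, account, password) -> str:
    """Outcome of one attempt: 'locked', 'ok' or 'denied'. A locked account is
    refused before the password is examined, so guessing yields no signal."""
    if throttle.is_locked(account):
        return "locked"
    if credentials.get(account) == password:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


def simulate_guessing() -> list:
    """Constructed scenario: eight guesses against one account, with a fake
    clock advancing one second per call so the window never expires."""
    fake_now = [0.0]

    def clock():
        fake_now[0] += 1.0
        return fake_now[0]

    throttle = LoginThrottle(clock=clock)
    credentials = {"admin": "Correct-Horse-7-Battery"}   # constructed store
    guesses = ["password", "123456", "qwerty", "letmein", "admin",
               "welcome", "Correct-Horse-7-Battery", "x"]
    return [attempt_login(throttle, credentials, "admin", g) for g in guesses]


if __name__ == "__main__":
    print(password_policy_violations("password"))
    print(simulate_guessing())
```

The seventh guess in the scenario is the correct password, and it is still refused: once the failure count reaches the limit the lockout applies regardless of what is submitted, which is exactly why the attempt limit, rather than password secrecy alone, is what defeats the brute force approach.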
8. Spoofing: Spoofing is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host. To engage in IP spoofing, hackers use a variety of techniques to obtain trusted IP addresses, and then modify ... Some network arrangements can offer protection against IP spoofing.

9. Man-in-the-Middle: In the well-known man-in-the-middle or TCP hijacking attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. This type of attack uses IP spoofing to enable an attacker to impersonate another entity on the network. It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking involves the interception of an encryption key exchange, which enables the hacker to act as an invisible man-in-the-middle, that is, an eavesdropper, on encrypted communications.

10. Spam: Spam is unsolicited commercial e-mail. While many consider spam a trivial nuisance rather than an attack, it has been used as a means of enhancing malicious code attacks. In March 2002, there were reports of malicious code embedded in files that were included as attachments to spam. The most significant consequence of spam, however, is the waste of computer and human resources. Many organizations attempt to cope with the flood of spam by using e-mail filtering technologies. Other organizations simply tell the users of the mail system to delete unwanted messages.

11. Mail Bombing: Another form of e-mail attack that is also a DoS is called a mail bomb, in which an attacker routes large quantities of e-mail to the target. This can be accomplished by means of social engineering (to be discussed shortly) or by exploiting various technical flaws in the Simple Mail Transport Protocol (SMTP). The target of the attack receives an unmanageably large volume of unsolicited e-mail.
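The spoofing entry above says that certain network arrangements can protect against forged source addresses. The usual one is ingress filtering at the network border: a packet arriving from the Internet that claims an internal source address cannot be genuine and is dropped, and (on the egress side) a packet leaving the internal network with a foreign source address is dropped so the site cannot be used as an origin of spoofed traffic. The Python example below is added to show that decision logic; it is not code from the page or the textbook. The address prefixes, the interface names and the packet sample are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: prefixes that belong to the organization's own network.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
# Source addresses that can never legitimately arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("0.0.0.0/8"),
                  ipaddress.ip_network("169.254.0.0/16")]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "external" or "internal" (assumed names)
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def ingress_decision(pkt: Packet) -> str:
    """Return 'accept' or a drop reason for one packet crossing the border."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "external":
        # Rule 1: an Internet-side packet claiming an internal source is spoofed.
        if _in_any(src, INTERNAL_PREFIXES):
            return "drop: external packet with internal source (spoofed)"
        # Rule 2: loopback, unspecified and link-local sources are never valid here.
        if _in_any(src, BOGON_PREFIXES):
            return "drop: bogon source address"
        return "accept"
    if pkt.iface == "internal":
        # Rule 3: outbound traffic must carry one of our own addresses.
        if not _in_any(src, INTERNAL_PREFIXES):
            return "drop: internal host sending with foreign source"
        return "accept"
    return "drop: unknown interface"


def filter_batch(packets) -> dict:
    """Apply the filter to a batch and tally decisions, as a firewall log summary would."""
    counts = {}
    for p in packets:
        d = ingress_decision(p)
        counts[d] = counts.get(d, 0) + 1
    return counts


SAMPLE = [  # constructed traffic sample
    Packet("external", "203.0.113.7", "10.0.0.5"),      # ordinary Internet client
    Packet("external", "10.0.0.9", "10.0.0.5"),         # forged "trusted" internal source
    Packet("external", "127.0.0.1", "10.0.0.5"),        # loopback source from outside
    Packet("internal", "10.0.0.5", "203.0.113.7"),      # legitimate reply going out
    Packet("internal", "198.51.100.2", "203.0.113.7"),  # compromised host spoofing outward
]


if __name__ == "__main__":
    for p in SAMPLE:
        print(p.iface, p.src, "->", ingress_decision(p))
    print(filter_batch(SAMPLE))
```

The filter cannot tell whether an Internet-side packet from an Internet-side address is forged, which is why the text describes the control as offering protection rather than eliminating spoofing; what it does remove is the specific case the text describes, a forged address that impersonates a trusted internal host.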
By sending large e-mails with forged header information, attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending many e-mails to an address chosen by the attacker. If many such systems are tricked into participating in the event, the target e-mail address is buried under thousands or even millions of unwanted e-mails.

12. Sniffers: A sniffer is a program or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information. Unauthorized sniffers can be extremely dangerous to a network's security, because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker's arsenal. Sniffers often work on TCP/IP networks, where they're sometimes called packet sniffers. Because many systems and users send information in clear text, a sniffer program shows all the data going by, including passwords, the data inside files, such as word-processing documents, and screens full of sensitive data from applications.

13. Social Engineering: In the context of information security, social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. There are several social engineering techniques, which usually involve a perpetrator posing as a person higher in the organizational hierarchy than the victim. To prepare for this false representation, the perpetrator may have used social engineering tactics against others in the organization to collect seemingly unrelated information that, when used together, makes the false representation more credible.

14. Pharming: Pharming is "the redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information."
Pharming often uses Trojans, worms, or other virus technologies to attack the Internet browser's address bar so that the valid URL typed by the user is modified to that of the illegitimate Web site. Pharming may also exploit the Domain Name System (DNS) by causing it to transform the legitimate host name into the invalid site's IP address; this form of pharming is also known as DNS cache poisoning.

15. Timing Attack : A timing attack explores the contents of a Web browser's cache and stores a malicious cookie on the client's system. The cookie (which is a small quantity of data stored by the Web browser on the local system, at the direction of the Web server) can allow the designer to collect information on how to access password-protected sites. Another attack by the same name involves the interception of cryptographic elements to determine keys and encryption algorithms.

Systems consist of hardware, software, networks, data, procedures, and people using the system. Many of the information security issues described in this chapter have their root cause in the software elements of the system. Secure systems require secure, or at least securable, software. The development of systems and the software they use is often accomplished using a methodology, such as the systems development life cycle (SDLC).

Software Assurance and the SwA Common Body of Knowledge

Organizations are increasingly working to build security into the software they purchase and develop. A national effort is underway to create a common body of knowledge focused on secure software development. The U.S. Department of Defense (DoD) launched a Software Assurance Initiative in 2003. This initial process was led by Joe Jarzombek and was endorsed and supported by the Department of Homeland Security (DHS), which joined the program in 2004. The program initiative resulted in the publication of the Secure Software Assurance (SwA) Common Body of Knowledge (CBK).
A working group drawn from industry, government, and academia was formed to examine two key questions:

1. What are the engineering activities or aspects of activities that are relevant to achieving secure software?
2. What knowledge is needed to perform these activities or aspects?

Based on the findings of this working group, and a host of existing external documents and standards, the SwA CBK was developed and published to serve as a guideline. While this work has not yet been adopted as a standard or even a policy requirement of government agencies, it serves as a strongly recommended guide to developing more secure applications.

The SwA CBK, which is a work in progress, contains the following sections:

1. Nature of Dangers
2. Fundamental Concepts and Principles
3. Ethics, Law, and Governance
4. Secure Software Requirements
5. Secure Software Design
6. Secure Software Construction
[…]

Design Principles

Good software development should result in a finished product that meets all of its design specifications. Information security considerations are a critical component of those specifications, though that has not always been true. Leaders in software development J.H. Saltzer and M.D. Schroeder note in their article that "the protection of information in computer systems [... and] the usefulness of a set of protection mechanisms depends upon the ability of the system to prevent security violations." This statement could be about software development in the early part of the 21st century, but actually dates back to 1975, before information security and software assurance became critical factors for many organizations. In this same article, the authors provide insight into what are now common security principles:
1. Economy of mechanism: Keep the design as simple and small as possible.
2. Fail-safe defaults: Base access decisions on permission rather than exclusion.
3. Complete mediation: Every access to every object must be checked for authority.
4. Open design: The design should not be secret, but rather depend on the possession of keys or passwords.
5. Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock, rather than one.
6. Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
7. Least common mechanism: Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.
8. Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.

[…] Amit Yoran, who at the time was the Director of the Department of Homeland Security's Cyber Security Division. These problem areas are described in the following sections.

1. Buffer Overruns : Buffers are used to manage mismatches in processing between two entities involved in a communication process. A buffer overrun (or buffer overflow) is an application error that occurs when more data is sent to a program buffer than it is designed to handle. During a buffer overrun, an attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure. Sometimes this is limited to a denial-of-service attack. In any case, data on the attacked system loses integrity.

2. Command Injection : Command injection problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer's failure to ensure that command input is validated before it is used in the program.
3. Cross-site Scripting : Cross-site scripting (or XSS) occurs when an application running on a Web server gathers data from a user in order to steal it. An attacker can use weaknesses in the Web server environment to insert commands into a user's browser session, so that users ostensibly connected to a friendly Web server are, in fact, sending information to a hostile server. This allows the attacker to acquire valuable information, such as account credentials, account numbers, or other critical data. Often an attacker encodes a malicious link and places it in the target server, making it look less suspicious. After the data is collected by the hostile application, it sends what appears to be a valid response from the intended server.

4. Failure to Handle Errors : What happens when a system or application encounters a scenario that it is not prepared to handle? Does it attempt to complete the operation (reading or writing data)? […]

5. Failure to Protect Network Traffic : With the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted. Most wireless networks are installed and operated with little or no protection between the client and the network access point. This is especially true of public networks found in coffee shops, bookstores, and hotels. Without appropriate encryption (such as that afforded by WPA), attackers can intercept and view your data. Traffic on a wired network is also vulnerable to interception in some situations. On networks using hubs instead of switches, any user can install a packet sniffer and collect communications to and from users on that network. Periodic scans for unauthorized packet sniffers, unauthorized connections to the network, and general awareness of the threat can mitigate this problem.

6. Failure to Store and Protect Data Securely : Storing and protecting data securely is a large enough issue to be the core subject of this entire text. Programmers are responsible for integrating access controls into, and keeping secret information out of, programs. Access controls, the subject of later chapters, regulate who, what, when, where, and how individuals and systems interact with data. Failure to properly implement sufficiently strong access controls makes the data vulnerable.
Overly strict access controls hinder business users in the performance of their duties, and as a result the controls may be administratively removed or bypassed. The integration of secret information—such as the "hard coding" of passwords, encryption keys, or other sensitive information—can put that information at risk of disclosure.

7. Failure to Use Cryptographically Strong Random Numbers : Most modern cryptosystems, like many other computer systems, use random number generators. However, a decision support system using random and pseudo-random numbers for Monte Carlo method forecasting does not require the same degree of rigor and the same need for true randomness as a system that seeks to implement cryptographic procedures. These "random" number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number. Those who understand the workings of such a "random" number generator can predict particular values at particular times.

8. Format String Problems : Computer languages often are equipped with built-in capabilities to reformat data while they're outputting it. The formatting instructions are usually given as a "format string." An attacker may embed characters that act as formatting directives (e.g., %x, %d, %p, etc.) into input that the program later uses as a format string; the attacker may then be able to access information or overwrite very targeted portions of the program's stack with data of the attacker's choosing.

9. Neglecting Change Control : Developers use a process known as change control to ensure that the working system delivered to users represents the intent of the developers. Early in the development process, change control ensures that developers do not work at cross purposes by altering the same programs or parts of programs at the same time. Once the system is in production, change control processes ensure that only authorized changes are introduced and that all changes are adequately tested before being released.
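Problem area 2 above (command injection) in code, as an added example that is not from the textbook: the vulnerable shell-string pattern beside a hardened version that validates the input and hands it to the child process as one argument-vector element. The hostname pattern, the sample inputs and the helper names are this example's own assumptions.

```python
"""Command injection: shell-string splicing versus a validated argument vector."""
import re
import subprocess
import sys

# Constructed sample inputs (not from the textbook): a benign hostname and one
# that carries a second shell command after a ';' separator.
BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; id"

# Positive allowlist for a hostname: dot-separated labels of letters, digits
# and hyphens, no label starting or ending with a hyphen (assumed policy).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def is_valid_hostname(host: str) -> bool:
    """Accept only strings that match the hostname allowlist."""
    return 0 < len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def unsafe_shell_command(host: str) -> str:
    """The vulnerable pattern: user input spliced into a string meant for a shell.

    The string is only returned for inspection here. Executing it with
    shell=True would let the ';' in HOSTILE_HOST start a second command.
    """
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list:
    """The hardened pattern: validate first, then build an argv list.

    With a list and no shell, metacharacters in `host` have no meaning; the
    value is delivered to the program as a single argument.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def rejected(host: str) -> bool:
    """True when build_ping_argv refuses the input."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


def echo_via_argv(value: str) -> str:
    """Show that an argv element reaches the child process verbatim.

    The current Python interpreter stands in for any external program so the
    demonstration runs offline; the child just prints its first argument.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("shell string an attacker can extend:", unsafe_shell_command(HOSTILE_HOST))
    print("argv for benign input:", build_ping_argv(BENIGN_HOST))
    print("hostile input rejected by validation:", rejected(HOSTILE_HOST))
    print("hostile string passed as one inert argument:", repr(echo_via_argv(HOSTILE_HOST)))
```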
10. Improper File Access : If an attacker changes the expected location of a file by intercepting and modifying a program code call, the attacker can force a program to use files other than the ones the program is supposed to use. This type of attack could be used to either substitute a bogus file for a legitimate file (as in password files), or trick the system into running a malware executable. The potential for damage or disclosure is great, so it is critical to protect not only the location of the files but also the method and communications channels by which these files are accessed.

11. Improper Use of SSL : Programmers use Secure Sockets Layer (SSL) to transfer sensitive data, such as credit card numbers and other personal information, between a client and server. While most programmers assume that using SSL guarantees security, unfortunately they more often than not mishandle this technology. SSL and its successor, Transport Layer Security (TLS), both need certificate validation to be truly secure. Failure to use Hypertext Transfer Protocol Secure (HTTPS), to validate the certificate authority and then validate the certificate itself, or to validate the information against a certificate revocation list (CRL), can compromise the security of SSL traffic.

12. Information Leakage : One of the most common methods of obtaining inside and classified information is directly or indirectly from an individual, usually an employee. A World War II military poster warned that "loose lips sink ships," emphasizing the risk to naval deployments from enemy attack should the sailors, marines, or their families disclose the movements of these vessels. […]

13. Race Conditions : […] of the program results in a conflict over access to the same system resource.
This conflict does not need to involve streams of code inside the program, since current operating systems and processor technology automatically break a program into multiple threads that can be executed simultaneously. If the threads that result from this process share any resources, they may interfere with each other.

14. SQL Injection : SQL injection occurs when developers fail to properly validate user input before using it to query a relational database.

15. Poor Usability : Employees prefer doing things the easy way. When faced with an "official way" of performing a task and an "unofficial way"—which is easier—they prefer the easier method. The only way to address this issue is to only provide one way—the secure way! Integrating security and usability, adding training and awareness, and ensuring solid controls all contribute to the security of information. Allowing users to default to easier, more usable solutions will inevitably lead to loss.

Review Questions

1. What is information security? Explain the history and critical characteristics of information.
2. Discuss briefly the NSTISSC security model.
3. What are the components of an information system? Explain briefly about the components.
4. Explain balancing security and access in information security.
5. What is SDLC? Explain the security SDLC.
6. What is the need for security? Explain business needs, threats, attacks and secure software development.

LEGAL, ETHICAL AND PROFESSIONAL ISSUES

The information security professional plays an important role in an organization's approach to managing liability for privacy and security risks. In the modern litigious societies of the world, sometimes laws are enforced in civil courts, where large damages can be awarded to plaintiffs who bring suits against organizations. Sometimes these damages are punitive—assessed as a deterrent.
To minimize liability and reduce risks from electronic and physical threats, and to reduce all losses from legal action, information security practitioners must thoroughly understand the current legal environment, stay current with laws and regulations, and watch for new and emerging issues. By educating the management and employees of an organization on their legal and ethical obligations and the proper use of information technology and information security, security professionals can help keep an organization focused on its primary objectives.

In general, people elect to trade some aspects of personal freedom for social order. As Jean-Jacques Rousseau explains in The Social Contract, or Principles of Political Right, the rules the members of a society create to balance the individual rights to self-determination against the needs of the society as a whole are called laws. Laws are rules that mandate or prohibit certain behavior; they are drawn from ethics, which define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the authority of a governing body, and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group. Some ethical standards are universal. For example, murder, theft, assault, and arson are actions that deviate from ethical and legal codes throughout the world.

Organizational Liability and the Need for Counsel

Liability is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution, or to compensate for wrongs committed. The bottom line is that if an employee, acting with or without the authorization of the employer, performs an illegal or unethical act that causes some degree of harm, the employer can be held financially liable for that action. An organization increases its liability if it refuses to take measures known as due care.
Due care standards are met when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions. Due diligence requires that an organization make a valid effort to protect others and continually maintains this level of effort. Given the Internet's global reach, those who could be injured or wronged by an organization's employees could be anywhere in the world.

Under the U.S. legal system, any court can assert its authority over an individual or organization if it can establish jurisdiction—that is, the court's right to hear a case if a wrong is committed in its territory or involves its citizenry. This is sometimes referred to as long arm jurisdiction—the long arm of the law extending across the country or around the world to draw an accused individual into its court systems. Trying a case in the injured party's home area is usually favorable to the injured party.

Policy versus Law

Within an organization, information security professionals help maintain security via the establishment and enforcement of policies. These policies—guidelines that describe acceptable and unacceptable employee behaviors in the workplace—function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance. Because these policies function as laws, they must be crafted and implemented with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace. The difference between a policy and a law, however, is that ignorance of a policy is an acceptable defense. Thus, for a policy to become enforceable, it must meet the following five criteria:

1. Dissemination (distribution): The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
2. Review (reading): The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recording the policy in English and alternate languages.

3. Comprehension (understanding): The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.

4. Compliance (agreement): The organization must be able to demonstrate that the employee agreed to comply with the policy. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.

5. Uniform enforcement: The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

Only when all of these conditions are met can an organization penalize employees who violate the policy without fear of legal retribution.

Types of Law

Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people. Criminal law addresses activities and conduct harmful to society, and is actively enforced by the state. Law can also be categorized as private or public. Private law encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

Historically, the United States has been a leader in the development and implementation of information security legislation to prevent misuse and exploitation of information and information technology. The implementation of information security legislation contributes to a more reliable business environment, which in turn, enables a stable economy.
In its global leadership capacity, the United States has demonstrated a clear understanding of the importance of securing information and has specified penalties for people and organizations that breach U.S. civil statutes.

Most important U.S. laws that apply to information security

The sections that follow present the most important U.S. laws that apply to information security.

1. General Computer Crime Laws : There are several key laws relevant to the field of information security and of particular interest to those who live or work in the United States. The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related federal laws and enforcement efforts. It was amended in 1996 by the National Information Infrastructure Protection Act of 1996, which modified several sections of the previous act and increased the penalties for selected crimes. The punishment for offenses prosecuted under this statute varies from fines to imprisonment up to 20 years, or both. The severity of the penalty depends on the value of the information obtained and whether the offense is judged to have been committed:

1. For purposes of commercial advantage
2. For private financial gain
3. In furtherance of a criminal act

The previous law, along with many others, was further modified by the USA PATRIOT Act of 2001, which provides law enforcement agencies with broader latitude to combat terrorism-related activities. In 2006, this act was amended by the USA PATRIOT Improvement and Reauthorization Act, which made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity. The act also reset the date of expiration written into the law as a so-called sunset clause for certain wiretaps under the Foreign Intelligence Surveillance Act of 1978 (FISA), and revised many of the criminal penalties and procedures associated with criminal and terrorist activities.

Another key law is the Computer Security Act of 1987. It was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. The National Bureau of Standards, in cooperation with the National Security Agency, is responsible for developing these security standards and guidelines.

2. Privacy : Privacy has become one of the hottest topics in information security at the beginning of the 21st century. Many organizations are collecting, swapping, and selling personal information as a commodity, and many people are looking to governments for protection of their privacy. The ability to collect information, combine facts from separate sources, and merge it all with other information has resulted in databases of information that were previously impossible to set up. One technology that was proposed in the past was intended to monitor or track private communications. In response to the pressure for privacy protection, the number of statutes addressing an individual's right to privacy has grown.
It must be understood, however, that privacy in this context is not absolute freedom from observation, but rather is a more precise "state of being free from unsanctioned intrusion."

3. Export and Espionage Laws : […] law attempts to prevent trade secrets from being illegally shared. The Security and Freedom through Encryption Act of 1999 provides guidance on the use of encryption and provides protection from government intervention. The acts include provisions that:

1. Reinforce an individual's right to use or sell encryption algorithms, without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party to be used to break the encryption of data. This is often called "key escrow."
2. Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
3. State that the use of encryption is not probable cause to suspect criminal activity.
4. Relax export restrictions by amending the Export Administration Act of 1979.
5. Provide additional penalties for the use of encryption in the commission of a criminal act.

4. U.S. Copyright Law : Intellectual property is a protected asset in the United States. The U.S. copyright laws extend this privilege to the published word, including electronic formats. Fair use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and a number of similar activities, as long as the use is for educational or library purposes, is not for profit, and is not excessive. As long as proper acknowledgement is provided to the original author of such works, including a proper description of the location of source materials (citation), and the work is not represented as one's own, it is entirely permissible to include portions of someone else's work as reference. For more detailed information on copyright regulations, visit the U.S.
Copyright Office Web site at www.copyright.gov.

5. Financial Reporting : The Sarbanes-Oxley Act of 2002 is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. This law seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies. Penalties for non-compliance range from fines to jail terms. Executives working in firms covered by this law seek assurance on the reliability and quality of information systems from senior information technology managers. In turn, IT managers are likely to ask information security managers to verify the confidentiality and integrity of those information systems in a process known in the industry as sub-certification.

6. Freedom of Information Act of 1966 (FOIA) : The Freedom of Information Act allows any person to request access to federal agency records or information not determined to be a matter of national security. Agencies of the federal government are required to disclose any requested information on receipt of a written request. This requirement is enforceable in court. Some information is, however, protected from disclosure, and the act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.

7. State and Local Regulations : In addition to the national and international regulations placed on organizational use of computer technology, each state or locality may have a number of its own applicable laws and regulations. Information security professionals must therefore understand state laws and regulations and ensure that the organization's security policies and procedures comply with those laws and regulations. For example, in 1991 the state of Georgia passed the Georgia Computer Systems Protection Act, which seeks to protect information, and which establishes penalties for the use of
information technology to attack or exploit information systems.

It is important for IT professionals and information security practitioners to realize that when their organizations do business on the Internet, they do business globally. As a result, these professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries. While it may be impossible to please all of the people all of the time, dealing with the laws of other states and nations is one area where it is certainly not easier to ask for forgiveness than for permission.

International Laws and Legal Bodies

1. Convention on Cybercrime : As is true with much complex international legislation, the Convention on Cybercrime lacks realistic provisions for enforcement. The overall goal of the convention is to simplify the acquisition of information for law enforcement agencies in certain types of international crimes. It also simplifies the extradition process. The convention has more than its share of skeptics, who see it as an overly simplistic attempt to control a complex problem.

2. Agreement on Trade-Related Aspects of Intellectual Property Rights : The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO) and negotiated over the years 1986-1994, introduced intellectual property rules into the multilateral trade system. It is the first significant international effort to protect intellectual property rights. It outlines requirements for governmental oversight and legislation of WTO member countries to provide minimum levels of protection for intellectual property. The WTO TRIPS agreement covers five issues:

✓ How basic principles of the trading system and other international intellectual property agreements should be applied
✓ How to give adequate protection to intellectual property rights
✓ How countries should enforce those rights adequately in their own territories
✓ How to settle disputes on intellectual property between members of the WTO
✓ Special transitional arrangements during the period when the new system is being introduced

3. Digital Millennium Copyright Act (DMCA) : The Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort by the World Intellectual Properties Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures. This law was created in response to the 1995 adoption of Directive 95/46/EC by the European Union, which added protection for individuals with regard to the processing of personal data and the use and movement of such data. The United Kingdom has implemented a version of this law called the Database Right, in order to comply with Directive 95/46/EC. The DMCA includes the following provisions:
> Prohibits the circumvention of protections and countermeasures implemented by copyright owners to control access to protected content.
> Prohibits the manufacture of devices to circumvent protections and countermeasures that control access to protected content.
> Bans trafficking in devices manufactured to circumvent protections and countermeasures that control access to protected content.
> Prohibits the altering of information attached or imbedded into copyrighted material.
> Excludes Internet service providers from certain forms of contributory copyright infringement.

Many professional groups have explicit rules governing ethical behavior in the workplace. For example, doctors and lawyers who commit egregious violations of their professions' canons of conduct can be removed from practice. Unlike the medical and legal fields, however, the information technology field in general, and the information security field in particular, do not have a binding code of ethics.
Instead, professional associations, such as the Association for Computing Machinery (ACM) and the Information Systems Security Association, and certification agencies, such as the International Information Systems Security Certification Consortium, Inc., or (ISC)², work to establish the profession's ethical codes of conduct. While these professional organizations can prescribe ethical conduct, they do not always have the authority to banish violators from practicing their trade. To begin exploring some of the ethical issues particular to information security, take a look at the Ten Commandments of Computer Ethics in the nearby Offline.

Ethical Differences across Cultures

Cultural differences can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. For example, to Western cultures, many of the ways in which Asian cultures use computer technology is software piracy. This ethical conflict arises out of Asian traditions of collective ownership, which clash with the protection of intellectual property. Some countries are more relaxed with intellectual property copy restrictions than others.

A study published in 1999 examined computer use ethics of eight nations: Singapore, Hong Kong, the United States, England, Australia, Sweden, Wales, and the Netherlands. This study selected a number of computer-use vignettes (see the Offline titled The Use of Scenarios in Computer Ethics Studies).

1. Software License Infringement : The topic of software license infringement, or piracy, is routinely covered by the popular press. Among study participants, attitudes toward piracy were generally similar; however, participants from the United States and the Netherlands showed statistically significant differences in attitudes from the overall group. Participants from the United States were significantly less tolerant of piracy, while those from the Netherlands were significantly more permissive. Although other studies have reported that the Pacific Rim countries are the hotbeds of software piracy, this study found attitudes in those countries to be moderate, as were attitudes in England, Wales, Australia, and Sweden. This could mean that the individuals surveyed understood what software license infringement was, but felt either that their use was not piracy, or that their society permitted this piracy in some way. Peer pressure, the lack of legal disincentives, the lack of punitive measures, and a number of other reasons could explain why users in these alleged piracy centers disregarded intellectual property laws despite their professed attitudes toward them. Even though participants from the Netherlands displayed a more permissive attitude toward piracy, that country only ranked third in piracy rates of the nations surveyed in this study.

2. Illicit Use : The study respondents unilaterally condemned viruses, hacking, and other forms of system abuse. There were, however, different degrees of tolerance for such activities among the groups. Students from Singapore and Hong Kong proved to be significantly more tolerant than those from the United States, Wales, England, and Australia. Students from Sweden and the Netherlands were also significantly more tolerant than those from Wales and Australia, but significantly less tolerant than those from Hong Kong. The low overall degree of tolerance for illicit system use may be a function of the easy correspondence between the common crimes of breaking and entering, trespassing, theft, and destruction of property and their computer-related counterparts.
3. Misuse of Corporate Resources : The scenarios used to examine the levels of tolerance for misuse of corporate resources each presented a different degree of noncompany use of corporate assets without specifying the company's policy on personal use of company resources. In general, individuals displayed a rather lenient view of personal use of company equipment. Only students from Singapore and Hong Kong view personal use of company equipment as unethical. There were several substantial differences in this category, with students from the Netherlands revealing the most lenient views. With the exceptions of those from Singapore and Hong Kong, it is apparent that many people, regardless of cultural background, believe that unless an organization explicitly forbids personal use of its resources, such use is acceptable. It is interesting to note that only
