Information Security
Chapter #2
The Need for Security
Introduction
• Data: Items of fact collected by an organization. Data includes raw
numbers, facts, and words. Student quiz scores are a simple example
of data.
• Information: Data that has been organized, structured, and
presented to provide additional insight into its context, worth, and
usefulness. For example, a student’s class average can be
presented in the context of its value, as in “90 = A.”
Introduction
• Information asset: The focus of information security;
information that has value to the organization, and the
systems that store, process, and transmit the information.
• Information security therefore covers both the information itself and the systems that store, process, and transmit it.
Business Needs First
• Data security: Commonly used as a surrogate for information
security, data security is the focus of protecting data or information
in its various states—at rest (in storage), in processing, and in
transmission (over networks).
• Database security: A subset of information security that focuses on
the assessment and protection of information stored in data
repositories like database management systems and storage media.
Information security performs four important
functions for an organization:
• Protecting the organization’s ability to function
• Protecting the data and information the organization collects and
uses
• Enabling the safe operation of applications running on the
organization’s IT systems.
• Safeguarding the organization’s technology assets
Information security functionalities
• Protecting Functionality: General management, IT management, and
information security management are each responsible for facilitating
the information security program that protects the organization’s
ability to function.
• Protecting Data That Organizations Collect and Use: Without data,
an organization loses its record of transactions and its ability to deliver
value to customers.
Information security functionalities
• Enabling the Safe Operation of Applications: Today’s organizations
are under immense pressure to acquire and operate integrated, efficient,
and capable applications.
• Safeguarding Technology Assets in Organizations: To perform
effectively, organizations must employ secure infrastructure hardware
appropriate to the size and scope of the enterprise, such as intrusion
detection systems (IDSs), intrusion prevention systems (IPSs), and VPNs.
Threats and Attacks
There are 12 general categories of threats that represent a clear and
present danger to an organization’s people, information, and systems.
Each organization must prioritize the threats it faces based on the
particular security situation in which it operates, its organizational
strategy regarding risk, and the exposure levels of its assets.
Threats and Attacks
Compromises to Intellectual Property:
Intellectual Property (IP): The creation, ownership, and control of
original ideas as well as the representation of those ideas.
• IP is protected by copyright law and other laws and use of some IP
may require specific payments.
• The unauthorized appropriation of IP constitutes a threat to
information security.
Threats and Attacks
Software piracy: The unauthorized duplication, installation, or
distribution of copyrighted computer software, which is a violation of
intellectual property.
• The most common IP breach is the unlawful use or duplication of
software-based intellectual property, more commonly known as
software piracy.
Threats and Attacks
Deviations in Quality of Service:
An organization’s information system depends on the successful
operation of many interdependent support systems, including power
grids, data and telecommunications networks and service vendors.
Availability disruption: An interruption in service, usually from a
service provider, which causes an adverse event within an organization.
Deviations in Quality of Service:
Definitions:
Downtime: The percentage of time a particular service is not available; the opposite
of uptime.
Uptime: The percentage of time a particular service is available; the opposite of
downtime.
Service level agreement (SLA): A document or part of a document that specifies the
expected level of service from a service provider.
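As an added illustration of the downtime, uptime and SLA definitions above (example code written for this page, not taken from the textbook or any vendor's tooling), the following Python computes a service's availability for one month from a constructed outage log, merges overlapping outage reports so the same incident is not counted twice, and checks the result against an SLA uptime target. The outage timestamps, the month and the SLA percentages are all constructed assumptions.

```python
from datetime import datetime

# Constructed outage log for one month (sample data made up for this example).
# Each entry is the (start, end) of a period during which the service was unavailable.
OUTAGES = [
    (datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 2, 45)),
    (datetime(2024, 3, 3, 2, 30), datetime(2024, 3, 3, 3, 0)),    # overlaps the first report
    (datetime(2024, 3, 18, 14, 0), datetime(2024, 3, 18, 14, 20)),
]
MONTH_START = datetime(2024, 3, 1)
MONTH_END = datetime(2024, 4, 1)


def merge_intervals(intervals):
    """Merge overlapping or touching outage windows, so that one incident
    reported twice (e.g. by two monitors) is counted only once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(outages, period_start, period_end):
    """Total minutes of unavailability that fall inside the reporting period."""
    total = 0.0
    for start, end in merge_intervals(outages):
        clipped_start = max(start, period_start)   # ignore any part outside the period
        clipped_end = min(end, period_end)
        if clipped_end > clipped_start:
            total += (clipped_end - clipped_start).total_seconds() / 60
    return total


def availability(outages, period_start, period_end):
    """Return (uptime_pct, downtime_pct) for the period; the two always sum to 100."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    downtime_pct = 100.0 * downtime_minutes(outages, period_start, period_end) / period_minutes
    return 100.0 - downtime_pct, downtime_pct


def sla_report(outages, period_start, period_end, sla_uptime_pct):
    """Compare measured availability with the uptime percentage promised in the SLA
    and show how much of the permitted downtime (the "error budget") remains."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    allowed_down = period_minutes * (100.0 - sla_uptime_pct) / 100.0
    down = downtime_minutes(outages, period_start, period_end)
    uptime_pct, _ = availability(outages, period_start, period_end)
    return {
        "uptime_pct": round(uptime_pct, 4),
        "downtime_minutes": down,
        "allowed_downtime_minutes": round(allowed_down, 2),
        "sla_met": down <= allowed_down,
        "remaining_budget_minutes": round(allowed_down - down, 2),
    }


if __name__ == "__main__":
    for target in (99.9, 99.5):
        print(f"SLA {target}%: {sla_report(OUTAGES, MONTH_START, MONTH_END, target)}")
```

With the constructed data the two March 3 reports merge into a single 60-minute outage, giving 80 minutes of downtime in a 44,640-minute month (99.82% uptime). That meets a 99.5% SLA but breaches a 99.9% SLA, whose budget is only 44.64 minutes per month; this is the kind of calculation a client uses to decide whether the provider owes the fines the SLA specifies.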
Threats and Attacks
Deviations in Quality of Service:
Internet Service Issues:
In organizations that rely heavily on the Internet to support
continued operations, ISP failures can considerably undermine
the availability of information.
Deviations in Quality of Service:
Availability disruption | Internet Service Issues:
• When an organization places its Web servers in the care of a Web hosting
provider, that provider assumes responsibility for all Internet services and
for the hardware and operating system software used to operate the Web site.
These Web hosting services are usually arranged with a service level
agreement (SLA). When a service provider fails to meet the terms of the
SLA, the provider may accrue fines to cover losses incurred by the client.
Threats and Attacks | Espionage
Espionage or Trespass:
• Espionage or trespass is a well-known and broad category of electronic and
human activities that can breach the confidentiality of information.
• When an unauthorized person gains access to information an organization
is trying to protect, the act is categorized as espionage or trespass.
• Attackers can use many different methods to access the information stored
in an information system.
Threats and Attacks | Espionage
Espionage or Trespass:
• Competitive Intelligence: The collection and analysis of information
about an organization’s business competitors through legal and ethical
means to gain business intelligence and competitive advantage.
Threats and Attacks | Espionage
Espionage or Trespass:
• Industrial Espionage: The collection and analysis of information
about an organization’s business competitors, often through illegal or
unethical means, to gain an unfair competitive advantage. Also
known as corporate spying.
• Trespass: Unauthorized entry into the real or virtual property of
another party.
Threats and Attacks | Espionage
Espionage or Trespass:
Shoulder surfing: The direct, covert observation of individual information or system use.
Threats and Attacks | Espionage
The classic perpetrator of espionage or trespass is the hacker.
Hacker Skills and Abilities:
Expert hacker: A hacker who uses extensive knowledge of the inner
workings of computer hardware and software to gain unauthorized
access to systems and information.
Hacker: A person who accesses systems and information without
authorization and often illegally.
Threats and Attacks | Espionage
Hacker Skills and Abilities:
• Novice hacker: A relatively unskilled hacker who uses the work of
expert hackers to perform attacks. Also known as a neophyte, n00b, or
newbie.
• Penetration tester: An information security professional with
authorization to attempt to gain system access in an effort to identify and
recommend resolutions for vulnerabilities in those systems.
Threats and Attacks | Espionage
Hacker Skills and Abilities:
• Professional hacker: A hacker who conducts attacks for personal
financial benefit or for a crime organization or foreign government.
• Cracker: A hacker who intentionally removes or bypasses software
copyright protection designed to prevent unauthorized duplication or
use.
Threats and Attacks | Espionage
Hacker Skills and Abilities:
Password Attacks:
• Password rule or policy: An industry recommendation for password
structure and strength that specifies passwords should be at least 10
characters long and contain at least one uppercase letter, one lowercase
letter, one number, and one special character.
Threats and Attacks | Espionage
• Brute force password attack: An attempt to guess a password by
attempting every possible combination of characters and numbers in
it.
• Dictionary password attack: A variation of the brute force password
attack that attempts to narrow the range of possible passwords guessed
by using a list of common passwords and possibly including attempts
based on the target’s personal information.
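To make the password rule and the two attack definitions concrete from the defender's side, here is an added Python example (written for this page, not from the textbook) that checks a password against the policy described above and then shows why policy compliance alone is not enough: a common word padded with a digit and a symbol passes every rule yet is exactly what a dictionary attack tries first, while the brute-force keyspace grows exponentially with length. The common-password list, the sample passwords and the guess rate are constructed assumptions.

```python
import math
import string

# Constructed list of common passwords for the dictionary check. It is made up for
# this example; a real checker would load a published list of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

MIN_LENGTH = 10                       # minimum length stated in the slide's password rule
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}
PRINTABLE_ALPHABET = 95               # printable ASCII: letters, digits, punctuation, space


def policy_violations(password):
    """Return the rules the password fails under the policy described above:
    at least 10 characters and one character from each of the four classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = set(password)
    for name, members in CHARACTER_CLASSES.items():
        if not present & members:
            problems.append(f"no {name} character")
    return problems


def base_word(password):
    """Strip trailing digits/punctuation and case, to see whether the password is a
    common word that was merely dressed up to satisfy the policy."""
    return password.rstrip(string.digits + string.punctuation).lower()


def dictionary_hit(password):
    """True if the password, or its base word, is in the common-password list."""
    return password.lower() in COMMON_PASSWORDS or base_word(password) in COMMON_PASSWORDS


def brute_force_keyspace(length, alphabet_size=PRINTABLE_ALPHABET):
    """Number of candidates an exhaustive search must cover for a given length."""
    return alphabet_size ** length


def years_to_exhaust(length, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed guess rate
    (the rate is an illustrative assumption, not a measurement)."""
    return brute_force_keyspace(length) / guesses_per_second / (365 * 24 * 3600)


def assess(password):
    """Summarise why a policy-compliant password can still be weak."""
    return {
        "policy_ok": not policy_violations(password),
        "dictionary_hit": dictionary_hit(password),
        "log2_keyspace": round(math.log2(brute_force_keyspace(len(password))), 1),
    }


if __name__ == "__main__":
    for candidate in ("Welcome123!", "alllowercase", "Tr4in-v1olet-Lamp"):
        print(candidate, assess(candidate), policy_violations(candidate))
    for n in (8, 10, 14):
        print(f"length {n}: {years_to_exhaust(n):.3g} years at 1e10 guesses/s")
```

The point for a defender is the contrast between the two checks: "Welcome123!" satisfies every rule in the policy, but its base word is on the common list, so a dictionary attack reaches it after a handful of guesses regardless of how large the full keyspace is. Screening new passwords against a breached-password list, and limiting the number of guesses an attacker can make against a live system, do more against these attacks than adding another character class.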
Threats and Attacks | Forces of Nature
Forces of Nature:
• Forces of nature, sometimes called acts of God, can present some of
the most dangerous threats because they usually occur with little
warning and are beyond the control of people.
• These threats, which include events such as fires, floods, earthquakes
and volcanic eruptions, can disrupt not only people’s lives but the
storage, transmission, and use of information.
Threats and Attacks | Forces of Nature
• Organizations must implement controls to limit damage and prepare
contingency plans for continued operations, such as disaster recovery
plans, business continuity plans, and incident response plans. These
threats and plans are discussed in detail in Chapter 5, “Planning for
Security.” Protection mechanisms are discussed in additional detail in
Chapter 9, “Physical Security.”
Threats and Attacks | Human Error or Failure
Category of threat | Examples
Compromise to intellectual property | Piracy, copyright infringement
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, flood, earthquake, lightning
Human error or failure | Accidents, employee mistakes
Information extortion | Blackmail, information disclosure
Sabotage | Destruction of systems or information
Software attacks | Viruses, worms, trojan horses, macros, denial of service
Threats and Attacks | Theft
Definition:
Theft: The illegal taking of another’s property, which can be physical,
electronic, or intellectual.
• The threat of theft is a constant. The value of information is
diminished when it is copied without the owner’s knowledge.
Threats and Attacks | Theft
• Physical theft can be controlled easily using a wide variety of measures,
from locked doors to trained security personnel and the installation of alarm
systems.
• Electronic theft, however, is a more complex problem to manage and
control. When someone steals a physical object, the loss is easily detected;
if it has any importance at all, its absence is noted. When electronic
information is stolen, the crime is not always readily apparent.
Chapter Recap
• The Need for Security
• Data vs Information
• Four Functions of InfoSec for an organization
• Threats and attacks
End of Chapter 2