
Wednesday, December 12, 2018

Principles of Information Security, 4th Ed. – Michael E. Whitman, Chapter 01

Licensed to: CengageBrain User

Principles of Information Security, Fourth Edition
Michael E. Whitman and Herbert J. Mattord

Vice President Editorial, Career Education & Training Solutions: Dave Garza; Director of Learning Solutions: Matthew Kane; Executive Editor: Steve Helba; Managing Editor: Marah Bellegarde; Product Manager: Natalie Pashoukos; Development Editor: Lynne Raughley; Editorial Assistant: Jennifer Wheaton; Vice President Marketing, Career Education & Training Solutions: Jennifer Ann Baker; Marketing Director: Deborah S. Yarnell; Senior Marketing Manager: Erin Coffin; Associate Marketing Manager: Shanna Gibbs; Production Manager: Andrew Crouth; Content Project Manager: Brooke Greenhouse; Senior Art Director: Jack Pendleton; Manufacturing Coordinator: Amy Rogers; Technical Edit/Quality Assurance: Green Pen Quality Assurance.

© 2012 Course Technology, Cengage Learning. For more information, contact or find us on the World Wide Web at www.course.com.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher. For product information and technology assistance, contact Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions.

Library of Congress Control Number: 2010940654
ISBN-13: 978-1-111-13821-9
ISBN-10: 1-111-13821-4

Course Technology, 20 Channel Center Street, Boston, MA 02210 USA. Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at international.cengage.com/region. Cengage Learning products are represented in Canada by Nelson Education, Ltd. Printed in the United States of America.

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Chapter 1
Introduction to Information Security

Do not figure on opponents not attacking; worry about your own lack of preparation.
BOOK OF THE FIVE RINGS

For Amy, the day began like any other at the Sequential Label and Supply Company (SLS) help desk. Taking calls and helping office workers with computer problems was not glamorous, but she enjoyed the work; it was challenging and paid well.
Many of her friends in the industry worked at bigger companies, some at cutting-edge tech companies, but they all agreed that jobs in information technology were a good way to pay the bills.

The phone rang, as it did on average about four times an hour and about 28 times a day. The first call of the day, from a worried user hoping Amy could help him out of a jam, seemed typical. The call display on her monitor gave most of the facts: the user's name, his phone number, the department in which he worked, where his office was on the company campus, and a list of all the calls he'd made in the past.

"Hi, Bob," she said. "Did you get that document formatting problem squared away?"

"Sure did, Amy. Hope we can figure out what's going on this time."

"We'll try, Bob. Tell me about it."

"Well, my PC is acting weird," Bob said. "When I go to the screen that has my e-mail program running, it doesn't respond to the mouse or the keyboard."

"Did you try a reboot yet?"

"Sure did. But the window wouldn't close, and I had to turn it off. After it restarted, I opened the e-mail program, and it's just like it was before: no response at all. The other stuff is working OK, but really, really slowly. Even my Internet browser is sluggish."

"OK, Bob. We've tried the usual stuff we can do over the phone. Let me open a case, and I'll dispatch a tech over as soon as possible."

Amy looked up at the LED tally board on the wall at the end of the room. She saw that there were only two technicians dispatched to deskside support at the moment, and since it was the day shift, there were four available.

"Shouldn't be long at all, Bob."

She hung up and typed her notes into ISIS, the company's Information Status and Issues System. She assigned the newly generated case to the deskside dispatch queue, which would page the roving deskside team with the details in just a few minutes.

A moment later, Amy looked up to see Charlie Moody, the senior manager of the server administration team, walking briskly down the hall. He was being trailed by three of his senior technicians as he made a beeline from his office to the door of the server room where the company servers were kept in a controlled environment. They all looked worried.

Just then, Amy's screen beeped to alert her of a new e-mail. She glanced down. It beeped again, and again. It started beeping constantly. She clicked on the envelope icon and, after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez, an acquaintance from the Accounting Department. The subject line said, "Wait till you see this." The message body read, "Look what this has to say about our managers' salaries…" Davey often sent her interesting and funny e-mails, and she failed to notice that the file attachment icon was unusual before she clicked it.

Her PC showed the hourglass pointer icon for a second and then the normal pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened. Her phone rang again. She clicked the ISIS icon on her computer desktop to activate the call management software and activated her headset. "Hello, Tech Support, how can I help you?" She couldn't greet the caller by name because ISIS had not responded.

"Hello, this is Erin Williams in receiving."

Amy glanced down at her screen. Still no ISIS. She glanced up to the tally board and was surprised to see the inbound-call counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time.

"Hi, Erin," Amy said. "What's up?"

"Nothing," Erin answered. "That's the problem." The rest of the call was a replay of Bob's, except that Amy had to jot notes down on a legal pad. She couldn't dispatch the deskside support team either. She looked at the tally board. It had gone dark. No numbers at all. Then she saw Charlie running down the hall from the server room. He didn't look worried anymore. He looked frantic.

Amy picked up the phone again. She wanted to check with her supervisor about what to do now. There was no dial tone.
LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• Enumerate the phases of the security systems development life cycle
• Describe the information security roles of professionals within an organization

Introduction

James Anderson, executive consultant at Emagined Security, Inc., believes information security in an enterprise is a "well-informed sense of assurance that the information risks and controls are in balance." He is not alone in his perspective. Many information security practitioners recognize that aligning information security needs with business objectives must be the top priority.

This chapter's opening scenario illustrates that the information risks and controls are not in balance at Sequential Label and Supply. Though Amy works in a technical support role and her job is to solve technical problems, it does not occur to her that a malicious software program, like a worm or virus, might be the agent of the company's current ills. Management also shows signs of confusion and seems to have no idea how to contain this kind of incident. If you were in Amy's place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company? As you explore the chapters of this book and learn more about information security, you will become better able to answer these questions.
But before you can begin studying the details of the discipline of information security, you must first know the history and evolution of the field.

The History of Information Security

The history of information security begins with computer security. The need for computer security, that is, the need to secure physical locations, hardware, and software from threats, arose during World War II when the first mainframes, developed to aid computations for communication code breaking (see Figure 1-1), were put to use. Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and more technologically sophisticated computer security safeguards.

During these early days, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on an MOTD (message of the day) file, and another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file.[2]

Figure 1-1 The Enigma (Source: Courtesy of National Security Agency). Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. "Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn't read it."[1]

The 1960s

During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks. It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense's Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military's exchange of information. Larry Roberts, known as the founder of the Internet, developed the project, which was called ARPANET, from its inception. ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPANET Program Plan).

Figure 1-2 Development of the ARPANET Program Plan[3] (Source: Courtesy of Dr. Lawrence Roberts)

The 1970s and 80s

During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew. In December of 1973, Robert M. "Bob" Metcalfe, who is credited with the development of Ethernet, one of the most popular networking protocols, identified fundamental problems with ARPANET security. Individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorization to the system. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecurity. In 1978, a famous study entitled "Protection Analysis: Final Report" was published. It focused on a project undertaken by ARPA to discover the vulnerabilities of operating system security. For a timeline that includes this and other seminal studies of computer security, see Table 1-1.
The movement toward security that went beyond protecting physical locations began with a single paper sponsored by the Department of Defense, the Rand Report R-609, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system. The document was classified for almost ten years, and is now considered to be the paper that started the study of computer security.

The security, or lack thereof, of the systems sharing resources inside the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being acquired at a rapid rate and securing them was a pressing concern for both the military and defense contractors.

Table 1-1 Key Dates for Seminal Works in Early Computer Security

1968: Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1973: Schell, Downey, and Popek examine the need for additional security in military systems in "Preliminary Notes on the Design of Secure Military Computer Systems."[5]
1975: The Federal Information Processing Standards (FIPS) examines the Data Encryption Standard (DES) in the Federal Register.
1978: Bisbey and Hollingworth publish their study "Protection Analysis: Final Report," discussing the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.
1979: Morris and Thompson author "Password Security: A Case History," published in the Communications of the Association for Computing Machinery (ACM). The paper examines the history of a design for a password security scheme on a remotely accessed, time-sharing system.
1979: Dennis Ritchie publishes "On the Security of UNIX" and "Protection of Data File Contents," discussing the set-user-ID and set-group-ID mechanisms and the problems inherent in the systems.
1984: Grampp and Morris write "UNIX Operating System Security." In this report, the authors examine four "important handles to computer security": physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.[7]
1984: Reeds and Weinberger publish "File Security and the UNIX System Crypt Command." Their premise was: "No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the systems administrator or other privileged users … the naive user has no chance."[8]

In June of 1967, the Advanced Research Projects Agency formed a task force to study the process of securing classified information systems. The Task Force was assembled in October of 1967 and met regularly to formulate recommendations, which ultimately became the contents of the Rand Report R-609.[9]

The Rand Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide utilization of networking components in information systems in the military introduced security risks that could not be mitigated by the routine practices then used to secure these systems.[10] This paper signaled a pivotal moment in computer security history, when the scope of computer security expanded significantly from the safety of physical locations and hardware to include the following:
• Securing the data
• Limiting random and unauthorized access to that data
• Involving personnel from multiple levels of the organization in matters pertaining to information security

MULTICS

Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

In mid-1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. In fact, it was not until the early 1970s that even the simplest component of security, the password function, became a component of UNIX.
In the late 1970s, the microprocessor brought the personal computer and a new age of computing. The PC became the workhorse of modern computing, thereby moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking, that is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together.

The 1990s

At the close of the twentieth century, networks of computers became more common, as did the need to connect these networks to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses.

Since its inception as a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards, because industry standards for interconnection of networks did not exist at that time. These de facto standards did little to ensure the security of information, though as these precursor technologies were widely adopted and became industry standards, some degree of security was introduced. However, early Internet deployment treated security as a low priority. In fact, many of the problems that plague e-mail on the Internet today are the result of this early lack of security.
At that time, when all Internet and e-mail users were (presumably trustworthy) computer scientists, mail server authentication and e-mail encryption did not seem necessary. Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.

2000 to Present

Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer's stored information is now contingent on the level of security of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyber attacks has made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure. There is also growing concern about nation-states engaging in information warfare, and the possibility that business and personal information systems could become casualties if they are undefended.

What Is Security?

In general, security is "the quality or state of being secure, to be free from danger."[11] In other words, protection against adversaries, from those who would do harm, intentionally or otherwise, is the objective. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.

A successful organization should have the following multiple layers of security in place to protect its operations:
• Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
• Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
• Operations security, to protect the details of a particular operation or series of activities
• Communications security, to protect communications media, technology, and content
• Network security, to protect networking components, connections, and contents
• Information security, to protect the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.[12] Figure 1-3 shows that information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe.
It is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability. The security of these three characteristics of information is as important today as it has always been, but the C.I.A. triangle model no longer adequately addresses the constantly changing environment. The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. This new environment of many constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment. The expanded model consists of a list of critical characteristics of information, which are described in the next section. C.I.A. triangle terminology is used in this chapter because of the breadth of material that is based on it.

Figure 1-3 Components of Information Security (Source: Course Technology/Cengage Learning)

Key Information Security Concepts

This book uses a number of terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-4; all are covered in greater detail in subsequent chapters.
Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability. asset: The organizational resource that is being protected. An asset can be logical, much(prenominal) as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other perceptible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect. endeavor: An intentional or unintentional act that can cause wrong fulness to or otherwise compromise information and/or the systems that support it. fires can be active or unresisting, intentional or unintentional, and direct or con flyingatory. someone casually reading cranky information not intended for his or her use is a passive attack.A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a fire in a building is an unintentional attack. A direct attack is a hacker using a personal computer to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems, for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can take autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself.Indirect attacks origina te from a compromised system or resource that is malfunctioning or working under the control of a threat. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). 
Figure 1-4 Information Security Terms (Source: Course Technology/Cengage Learning) illustrates the terms with one scenario. Vulnerability: buffer overflow in an online database Web interface. Threat: theft. Threat agent: Ima Hacker. Exploit: script from the MadHackz Web site. Attack: Ima Hacker downloads an exploit from the MadHackz Web site and then accesses buybay's Web site. Ima then applies the script, which runs and compromises buybay's security controls and steals customer data. These actions cause buybay to experience a loss. Asset: buybay's customer database.

Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. The various levels and types of controls are discussed more fully in the following chapters.

Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components.

Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.

Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization's information is stolen, it has suffered a loss.
Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite, the quantity and nature of risk the organization is willing to accept.

Subjects and objects: A computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack (the target entity), as shown in Figure 1-5. A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object), and is then used to attack other systems (subject).

Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
Threat agent: The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).

Figure 1-5 Computer as the Subject and Object of an Attack. Source: Course Technology/Cengage Learning

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases, or, more commonly, decreases. Some characteristics affect information's value to users more than others do. This can depend on circumstances; for example, timeliness of information can be a critical factor, because information loses much or all of its value when it is delivered too late. Though information security professionals and end users share an understanding of the characteristics of information, tensions can arise when the need to secure the information from threats conflicts with the end users' need for unhindered access to the information. For instance, end users may see a tenth-of-a-second delay in the computation of data to be an unnecessary annoyance. Information security professionals, however, may perceive that tenth of a second as a minor delay that enables an important task, like data encryption. Each critical characteristic of information, that is, the expanded C.I.A. triangle, is defined in the sections below.

Availability

Availability enables authorized users (persons or computer systems) to access information without interference or obstruction and to receive it in the required format. Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron's identification before that patron has free access to the book stacks. Once authorized patrons have access to the contents of the stacks, they expect to find the information they need available in a useable format and familiar language, which in this case typically means bound in a book and written in English.

Accuracy

Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider, for example, a checking account. You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your checking account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account register.
Either way, an inaccurate bank balance could cause you to make mistakes, such as bouncing a check.

Authenticity

Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a particular individual or group created and transmitted the e-mail; that is, you assume you know the origin of the e-mail. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today, because often the modified field is the address of the originator. Spoofing the sender's address can fool e-mail recipients into thinking that messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have. Spoofing can also alter data being transmitted across a network, as in the case of User Datagram Protocol (UDP) packet spoofing, which can enable the attacker to get access to data stored on computing systems. Another variation on spoofing is phishing, when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization. Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law enforcement agents or private investigators. When used in a phishing attack, e-mail spoofing lures victims to a Web server that does not represent the organization it purports to, in an attempt to steal their private data such as account numbers and passwords. The most common variants include posing as a bank or brokerage company, e-commerce organization, or Internet service provider. Even when authorized, pretexting does not always lead to a satisfactory outcome.
In 2006, the chief operating officer of Hewlett-Packard Corporation, Patricia Dunn, authorized contract investigators to use pretexting to "smoke out" a corporate director suspected of leaking confidential information. The resulting firestorm of negative publicity led to Ms. Dunn's eventual termination from the company. [13]

Confidentiality

Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, you can use a number of measures, including the following:

Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users

Confidentiality, like most of the characteristics of information, is interdependent with other characteristics and is most closely related to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Chapter 3, "Legal and Ethical Issues in Security." The value of confidentiality of information is especially high when it is personal information about employees, customers, or patients.
Individuals who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business. Problems arise when companies disclose confidential information. Sometimes this disclosure is intentional, but there are times when disclosure of confidential information happens by mistake, for example, when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside the organization. Several cases of privacy violation are outlined in Offline: Unintended Disclosures. Other examples of confidentiality breaches are an employee throwing away a document containing critical information without shredding it, or a hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about the clients, such as names, addresses, and credit card numbers. As a consumer, you give up pieces of confidential information in exchange for convenience or value almost daily. By using a "members only" card at a grocery store, you disclose some of your spending habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. The bits and pieces of your information that you disclose are copied, sold, replicated, distributed, and eventually coalesced into profiles and even complete dossiers of yourself and your life. A similar technique is used in a criminal enterprise called salami theft. A deli worker knows he or she cannot steal an entire salami, but a few slices here or there can be taken home without notice. Eventually the deli worker has stolen a whole salami. In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed, but eventually the employee gets something complete or useable.
Offline: Unintended Disclosures

In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves during 2004. The culprits used stolen identities to create ostensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently. The company reported that the criminals opened many accounts and recorded personal information on individuals, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks; it was simple fraud. [14] While the amount of damage has yet to be compiled, the fraud is feared to have allowed the perpetrators to arrange many hundreds of instances of identity theft.

The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001. The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry analysts noted that it was likely to influence the public debate on privacy legislation. The company claimed that the mishap was caused by a programming error that occurred when patients who used a specific drug produced by the company signed up for an e-mail service to access support materials provided by the company. About 600 patient addresses were exposed in the mass e-mail. [15]

In another incident, the intellectual property of Jerome Stevens Pharmaceuticals, a small prescription drug manufacturing business from New York, was compromised when the FDA released documents the company had filed with the agency. It remains unclear whether this was a deliberate act by the FDA or a simple error; but either way, the company's secrets were posted to a public Web site for several months before being removed. [16]

Integrity

Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity as shown by the size of the file. Another key method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value. The hash value for any combination of bits is unique. If a computer system performs the same hashing algorithm on a file and obtains a different number than the recorded hash value for that file, the file has been compromised and the integrity of the information is lost. Information integrity is the cornerstone of information systems, because information is of no value or use if users cannot verify its integrity.
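The file-hashing check described above, as an added example that is not the book's own code: a baseline manifest of sizes and hash values is recorded, the files are re-hashed later, and the result distinguishes a file edited without any change in size (which the size-only check the text mentions would miss) from one that grew or went missing. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Compute the hash value of a file, reading it in chunks so that large
    files never have to be loaded into memory at once."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, algorithm="sha256"):
    """Record the baseline (size and hash value) for each file. This is the
    'recorded hash value' the text refers to; it belongs somewhere the files'
    writers cannot modify (read-only media, a separate host)."""
    return {
        path: {"size": os.path.getsize(path), "hash": hash_file(path, algorithm)}
        for path in paths
    }


def verify_manifest(manifest, algorithm="sha256"):
    """Re-hash every file in the manifest and compare it with the baseline.

    Returns a mapping of path -> status, where status is one of
    'ok', 'missing', 'modified', or 'modified (size unchanged)'.
    The last status is the case a size-only integrity check cannot see."""
    results = {}
    for path, recorded in manifest.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        size_matches = os.path.getsize(path) == recorded["size"]
        if hash_file(path, algorithm) == recorded["hash"]:
            results[path] = "ok"
        elif size_matches:
            results[path] = "modified (size unchanged)"
        else:
            results[path] = "modified"
    return results


def demo():
    """Constructed scenario (not from the book): four files are baselined, then
    one is edited without changing its size, one is appended to, and one is
    deleted. Returns {file name: status}."""
    workdir = tempfile.mkdtemp(prefix="integrity-demo-")
    files = {
        "readme.txt": b"Customer export procedure v1\n",
        "payroll.csv": b"id,amount\n1,1000\n2,2000\n",
        "config.ini": b"[db]\nhost=localhost\n",
        "notes.txt": b"scratch\n",
    }
    for name, data in files.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)

    manifest = build_manifest(os.path.join(workdir, name) for name in files)

    # Tamper 1: change 1000 -> 9000 in payroll.csv; the byte count is unchanged,
    # so looking only at file size would not reveal it.
    with open(os.path.join(workdir, "payroll.csv"), "wb") as fh:
        fh.write(files["payroll.csv"].replace(b"1000", b"9000"))
    # Tamper 2: append a line to config.ini (the size changes).
    with open(os.path.join(workdir, "config.ini"), "ab") as fh:
        fh.write(b"debug=true\n")
    # Tamper 3: delete notes.txt entirely.
    os.remove(os.path.join(workdir, "notes.txt"))

    results = verify_manifest(manifest)
    return {os.path.basename(path): status for path, status in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```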
File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and the error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted.

Utility

The utility of information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose. If information is available, but is not in a format meaningful to the end user, it is not useful. For example, to a private citizen U.S. Census data can quickly become overwhelming and difficult to interpret; however, for a politician, U.S. Census data reveals information about the residents in a district, such as their race, gender, and age. This information can help form a politician's next campaign strategy.

Possession

The possession of information is the quality or state of ownership or control. Information is said to be in one's possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups to sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the employee nor anyone else can read it without the proper decryption methods; therefore, there is no breach of confidentiality. Today, people caught selling company secrets face increasingly stiff fines with the likelihood of jail time. Also, companies are growing more and more reluctant to hire individuals who have demonstrated dishonesty in their past.

CNSS Security Model

The definition of information security presented in this text is based in part on the CNSS document called the National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011. (See www.cnss.gov/Assets/pdf/nstissi_4011.pdf. Since this document was written, the NSTISSC was renamed the Committee on National Security Systems (CNSS); see www.cnss.gov. The library of documents is being renamed as the documents are rewritten.) This document presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems. The model, created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube. [17] The McCumber Cube in Figure 1-6 shows three dimensions. If extrapolated, the three dimensions of each axis become a 3 × 3 × 3 cube with 27 cells representing areas that must be addressed to secure today's information systems. To ensure system security, each of the 27 areas must be properly addressed during the security process.
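An added example, not from the book or from the CNSS standard, of the check the text asks for: enumerate the 27 cells of the McCumber Cube and report which cells a control inventory leaves unaddressed. The axis labels are the cube's three dimensions (the C.I.A. goals; storage, processing and transmission; technology, policy and education); the control inventory is constructed, with the text's own host-intrusion-detection example as its first entry.

```python
from itertools import product

# The three axes of the McCumber Cube (NSTISSI No. 4011).
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")

# Every (goal, state, measure) combination: 3 x 3 x 3 = 27 cells.
ALL_CELLS = frozenset(product(GOALS, STATES, MEASURES))


def validate_cell(cell):
    """Raise ValueError for a cell that names a value not on one of the axes,
    so a typo in the inventory cannot silently count as coverage."""
    if cell not in ALL_CELLS:
        raise ValueError(f"not a cube cell: {cell}")
    return cell


def covered_cells(controls):
    """controls: iterable of {'name': str, 'cells': [(goal, state, measure), ...]}.
    Returns the set of cells that at least one control addresses."""
    covered = set()
    for control in controls:
        for cell in control["cells"]:
            covered.add(validate_cell(tuple(cell)))
    return covered


def uncovered_cells(controls):
    """Cells of the cube that no control addresses, sorted for stable output."""
    return sorted(ALL_CELLS - covered_cells(controls))


def coverage_by_goal(controls):
    """Addressed cells per goal (out of 9 each): a quick view of whether
    confidentiality, integrity or availability is being neglected."""
    covered = covered_cells(controls)
    return {goal: sum(1 for cell in covered if cell[0] == goal) for goal in GOALS}


# Constructed control inventory (not from the book). The first entry is the
# text's own example: host intrusion detection for technology/integrity/storage.
EXAMPLE_CONTROLS = [
    {"name": "host intrusion detection",
     "cells": [("integrity", "storage", "technology")]},
    {"name": "full-disk encryption",
     "cells": [("confidentiality", "storage", "technology")]},
    {"name": "TLS on all services",
     "cells": [("confidentiality", "transmission", "technology"),
               ("integrity", "transmission", "technology")]},
    {"name": "acceptable use policy",
     "cells": [(goal, "processing", "policy") for goal in GOALS]},
    {"name": "security awareness training",
     "cells": [("confidentiality", state, "education") for state in STATES]},
]


if __name__ == "__main__":
    gaps = uncovered_cells(EXAMPLE_CONTROLS)
    print(f"{len(ALL_CELLS) - len(gaps)} of {len(ALL_CELLS)} cells addressed")
    print("per goal:", coverage_by_goal(EXAMPLE_CONTROLS))
    for goal, state, measure in gaps:
        print(f"  gap: {measure} to protect {goal} during {state}")
```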
For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage. One such control might be a system for detecting host intrusion that protects the integrity of information by alerting the security administrators to the potential modification of a critical file. What is commonly left out of such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent chapters of this book.

Figure 1-6 The McCumber Cube. [18] Source: Course Technology/Cengage Learning

Components of an Information System

As shown in Figure 1-7, an information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization. These six critical components enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the information system also has its own security requirements.

Software

The software component of the IS comprises applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure.
The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls. Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, cost, and manpower. Information security is all too often implemented as an afterthought, rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks.

Figure 1-7 Components of an Information System. Source: Course Technology/Cengage Learning

Hardware

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system.
Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible. Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a computer as its owner passed it through the conveyor scanning devices. The first perpetrator entered the security area ahead of an unsuspecting target and quickly went through. Then, the second perpetrator waited behind the target until the target placed his/her computer on the baggage scanner. As the computer was whisked through, the second agent slipped ahead of the victim and entered the metal detector with a strong collection of keys, coins, and the like, thereby slowing the detection process and allowing the first perpetrator to grab the computer and disappear into a crowded walkway. While the security response to September 11, 2001 did tighten the security process at airports, hardware can still be stolen in airports and other public places. Although laptops and notebook computers are worth a few thousand dollars, the information contained in them can be worth a great deal more to organizations and individuals.

Data

Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. Systems developed in recent years are likely to make use of database management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects do not make full use of the database management system's security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems.

People

Though often overlooked in computer security considerations, people have always been a threat to information security. Legend has it that around 200 B.C. a great army threatened the security and stability of the Chinese empire. So ferocious were the invaders that the Chinese emperor commanded the construction of a great wall that would defend against the Hun invaders. Around 1275 A.D., Kublai Khan finally achieved what the Huns had been trying for thousands of years. Initially, the Khan's army tried to climb over, dig under, and break through the wall. In the end, the Khan simply bribed the gatekeeper, and the rest is history. Whether this event actually occurred or not, the moral of the story is that people can be the weakest link in an organization's information security program. And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate the actions of people to obtain access information about a system. This topic is discussed in more detail in Chapter 2, "The Need for Security."

Procedures

Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task.
When an unauthorized user obtains an organization's procedures, this poses a threat to the integrity of the information. For example, a consultant to a bank learned how to wire funds by using the computer center's procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), this bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of over ten million dollars before the situation was corrected. Most organizations distribute procedures to their legitimate employees so they can access the information system, but many of these companies often fail to provide proper education on the protection of the procedures. Educating employees about safeguarding procedures is as important as physically securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of the organization only on a need-to-know basis.

Networks

The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system is still important; but when computer systems are networked, this approach is no longer enough. Steps to provide network security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.

Balancing Information Security and Access

Even with the best planning and implementation, it is impossible to obtain perfect information security. Recall James Anderson
