Tuesday, February 19, 2019
Principles of Information Security, 4th Ed. – Michael E. Whitman Chap 01
Principles of Information Security, Fourth Edition
Michael E. Whitman and Herbert J. Mattord

Vice President, Career and Professional Editorial: Dave Garza
Director of Learning Solutions: Matthew Kane
Executive Editor: Steve Helba
Managing Editor: Marah Bellegarde
Product Manager: Natalie Pashoukos
Development Editor: Lynne Raughley
Editorial Assistant: Jennifer Wheaton
Vice President, Career and Professional Marketing: Jennifer Ann Baker
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Associate Marketing Manager: Shanna Gibbs
Production Manager: Andrew Crouth
Content Project Manager: Brooke Greenhouse
Senior Art Director: Jack Pendleton
Manufacturing Coordinator: Amy Rogers
Technical Edit/Quality Assurance: Green Pen Quality Assurance

© 2012 Course Technology, Cengage Learning. For more information, contact or find us on the World Wide Web at www.course.com. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher. For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions.

Library of Congress Control Number: 2010940654
ISBN-13: 978-1-111-13821-9
ISBN-10: 1-111-13821-4
Course Technology, 20 Channel Center, Boston, MA 02210, USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at international.cengage.com/region. Cengage Learning products are represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit course.cengage.com. Purchase any of our products at your local college store or at our preferred online store, www.cengagebrain.com. Printed in the United States of America.

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Chapter 1: Introduction to Information Security

"Do not figure on opponents not attacking; worry about your own lack of preparation." BOOK OF THE FIVE RINGS

For Amy, the day began like any other at the Sequential Label and Supply Company (SLS) help desk. Taking calls and helping office workers with computer problems was not glamorous, but she enjoyed the work; it was challenging and paid well.
Some of her friends in the industry worked at bigger companies, some at cutting-edge tech companies, but they all agreed that jobs in information technology were a good way to pay the bills. The phone rang, as it did on average about four times an hour and about 28 times a day. The first call of the day, from a worried user hoping Amy could help him out of a jam, seemed typical. The call display on her monitor gave some of the facts: the user's name, his phone number, the department in which he worked, where his office was on the company campus, and a list of all the calls he'd made in the past.

"Hi, Bob," she said. "Did you get that document formatting problem squared away?"

"Sure did, Amy. Hope we can figure out what's going on this time."

"We'll try, Bob. Tell me about it."

"Well, my PC is acting weird," Bob said. "When I go to the screen that has my e-mail program running, it doesn't respond to the mouse or the keyboard."

"Did you try a reboot yet?"

"Sure did. But the window wouldn't close, and I had to turn it off. After it restarted, I opened the e-mail program, and it's just like it was before: no response at all. The other stuff is working OK, but really, really slowly. Even my Internet browser is sluggish."

"OK, Bob. We've tried the usual stuff we can do over the phone. Let me open a case, and I'll send a tech over as soon as possible."

Amy looked up at the LED tally board on the wall at the end of the room. She saw that there were only two technicians dispatched to deskside support at the moment, and since it was the day shift, there were four available.

"Shouldn't be long at all, Bob."

She hung up and typed her notes into ISIS, the company's Information Status and Issues System. She assigned the newly generated case to the deskside dispatch queue, which would page the roving deskside team with the details in just a few minutes.

A moment later, Amy looked up to see Charlie Moody, the senior manager of the server administration team, walking briskly down the hall. He was being trailed by three of his senior technicians as he made a beeline from his office to the door of the server room where the company servers were kept in a controlled environment. They all looked worried.

Just then, Amy's screen beeped to alert her of a new e-mail. She glanced down. It beeped again, and again. It started beeping constantly. She clicked on the envelope icon and, after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez, an acquaintance from the Accounting Department. The subject line said, "Wait till you see this." The message body read, "Look what this has to say about our managers' salaries..." Davey often sent her interesting and funny e-mails, and she failed to notice that the file attachment icon was unusual before she clicked it.

Her PC showed the hourglass cursor icon for a second and then the normal pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened. Her phone rang again. She clicked the ISIS icon on her computer desktop to activate the call management software and activated her headset. "Hello, Tech Support, how can I help you?" She couldn't greet the caller by name because ISIS had not responded.

"Hello, this is Erin Williams in receiving."

Amy glanced down at her screen. Still no ISIS. She glanced up to the tally board and was surprised to see the inbound-call-counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time.

"Hi, Erin," Amy said. "What's up?"

"Nothing," Erin answered. "That's the problem." The rest of the call was a replay of Bob's, except that Amy had to jot notes down on a legal pad. She couldn't dispatch the deskside support team either. She looked at the tally board. It had gone dark. No numbers at all.

Then she saw Charlie running down the hall from the server room. He didn't look worried anymore. He looked frantic. Amy picked up the phone again. She wanted to check with her supervisor about what to do now. There was no dial tone.
LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
- Define information security
- Recount the history of computer security, and explain how it evolved into information security
- Define key terms and critical concepts of information security
- Enumerate the phases of the security systems development life cycle
- Describe the information security roles of professionals within an organization

Introduction

James Anderson, executive consultant at Emagined Security, Inc., believes information security in an enterprise is "a well-informed sense of assurance that the information risks and controls are in balance." He is not alone in his perspective. Many information security practitioners recognize that aligning information security needs with business objectives must be the top priority.

This chapter's opening scenario illustrates that the information risks and controls are not in balance at Sequential Label and Supply. Though Amy works in a technical support role and her job is to solve technical problems, it does not occur to her that a malicious software program, like a worm or virus, might be the agent of the company's current ills. Management also shows signs of confusion and seems to have no idea how to contain this kind of incident. If you were in Amy's place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company? As you explore the chapters of this book and learn more about information security, you will become better able to answer these questions. But before you can begin studying the details of the discipline of information security, you must first know the history and evolution of the field.

The History of Information Security

The history of information security begins with computer security. The need for computer security, that is, the need to secure physical locations, hardware, and software from threats, arose during World War II when the first mainframes, developed to aid computations for communication code breaking (see Figure 1-1), were put to use. Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and more technologically sophisticated computer security safeguards.

During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on an MOTD
(message of the day) file, and another administrator was editing the password file. A software bug mixed the two files, and the entire password file was printed on every output file. [2]

Figure 1-1 The Enigma. Source: Courtesy of National Security Agency. Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. "Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn't read it." [1]

The 1960s

During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks. It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense's Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military's exchange of information. Larry Roberts, known as the founder of the Internet, developed the project, which was called ARPANET, from its inception. ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPANET Program Plan).

The 1970s and 80s

During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew. In December of 1973, Robert M. "Bob" Metcalfe, who is credited with the development of Ethernet, one of the most popular networking protocols, identified fundamental problems with ARPANET security. Individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorization to the system. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecurity. In 1978, a famous study entitled "Protection Analysis: Final Report" was published. It focused on a project undertaken by ARPA to discover the vulnerabilities of operating system security. For a timeline that includes this and other seminal studies of computer security, see Table 1-1.

Figure 1-2 Development of the ARPANET Program Plan [3]. Source: Courtesy of Dr. Lawrence Roberts
The movement toward security that went beyond protecting physical locations began with a single paper sponsored by the Department of Defense, the Rand Report R-609, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system. The document was classified for almost ten years, and is now considered to be the paper that started the study of computer security.

The security, or lack thereof, of the systems sharing resources inside the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being acquired at a rapid rate and securing them was a pressing concern for both the military and defense contractors.

Date | Documents
1968 | Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1973 | Schell, Downey, and Popek examine the need for additional security in military systems in "Preliminary Notes on the Design of Secure Military Computer Systems." [5]
1975 | The Federal Information Processing Standards (FIPS) examines Digital Encryption Standard (DES) in the Federal Register.
1978 | Bisbey and Hollingworth publish their study "Protection Analysis: Final Report," discussing the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.
1979 | Morris and Thompson author "Password Security: A Case History," published in the Communications of the Association for Computing Machinery (ACM). The paper examines the history of a design for a password security scheme on a remotely accessed, time-sharing system.
1979 | Dennis Ritchie publishes "On the Security of UNIX" and "Protection of Data File Contents," discussing secure user IDs and secure group IDs, and the problems inherent in the systems.
1984 | Grampp and Morris write "UNIX Operating System Security." In this report, the authors examine four important handles to computer security: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security. [7]
1984 | Reeds and Weinberger publish "File Security and the UNIX System Crypt Command." Their premise was "No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the systems administrator or other privileged users ... the naive user has no chance." [8]

Table 1-1 Key Dates for Seminal Works in Early Computer Security

In June of 1967, the Advanced Research Projects Agency formed a task force to study the process of securing classified information systems. The Task Force was assembled in October of 1967 and met regularly to formulate recommendations, which ultimately became the contents of the Rand Report R-609. [9]

The Rand Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide utilization of networking components in information systems in the military introduced security risks that could not be mitigated by the routine practices then used to secure these systems. [10]
This paper signaled a pivotal moment in computer security history, when the scope of computer security expanded significantly from the safety of physical locations and hardware to include the following:
- Securing the data
- Limiting random and unauthorized access to that data
- Involving personnel from multiple levels of the organization in matters pertaining to information security

MULTICS

Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

In mid-1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. In fact, it was not until the early 1970s that even the simplest component of security, the password function, became a component of UNIX.

In the late 1970s, the microprocessor brought the personal computer and a new age of computing. The PC became the workhorse of modern computing, thereby moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking, that is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together.

The 1990s

At the close of the twentieth century, networks of computers became more common, as did the need to connect these networks to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses.

Since its inception as a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards, because industry standards for interconnection of networks did not exist at that time. These de facto standards did little to ensure the security of information, though as these precursor technologies were widely adopted and became industry standards, some degree of security was introduced. However, early Internet deployment treated security as a low priority. In fact, many of the problems that plague e-mail on the Internet today are the result of this early lack of security. At that time, when all Internet and e-mail users were (presumably trustworthy) computer scientists, mail server authentication and e-mail encryption did not seem necessary.

Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.

2000 to Present

Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer's stored information is now contingent on the level of security of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyber attacks has made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure. There is also growing concern about nation-states engaging in information warfare, and the possibility that business and personal information systems could become casualties if they are undefended.

What Is Security?

In general, security is "the quality or state of being secure, to be free from danger."
[11] In other words, protection against adversaries, from those who would do harm, intentionally or otherwise, is the objective. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.

A successful organization should have the following multiple layers of security in place to protect its operations:
- Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
- Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
- Operations security, to protect the details of a particular operation or series of activities
- Communications security, to protect communications media, technology, and content
- Network security, to protect networking components, connections, and contents
- Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. [12] Figure 1-3 shows that information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability. The security of these three characteristics of information is as important today as it has always been, but the C.I.A. triangle model no longer adequately addresses the constantly changing environment. The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. This new environment of many constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment. The expanded model consists of a list of critical characteristics of information, which are described in the next section. C.I.A. triangle terminology is used in this chapter because of the breadth of material that is based on it.

Figure 1-3 Components of Information Security. Source: Course Technology/Cengage Learning

Key Information Security Concepts

This book uses a number of terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-4; all are covered in greater detail in subsequent chapters.
Access: A subject's or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.

Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.

Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone casually reading sensitive information not intended for his or her use is a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a fire in a building is an unintentional attack. A direct attack is a hacker using a personal computer to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems, for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker's choosing, can operate autonomously or under the attacker's direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

Figure 1-4 Information Security Terms. Source: Course Technology/Cengage Learning
Vulnerability: Buffer overflow in online database Web interface
Threat: Theft
Threat agent: Ima Hacker
Exploit: Script from MadHackz Web site
Attack: Ima Hacker downloads an exploit from MadHackz web site and then accesses buybay's Web site. Ima then applies the script which runs and compromises buybay's security controls and steals customer data. These actions cause buybay to experience a loss.
Asset: buybay's customer database

Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. The various levels and types of controls are discussed more fully in the following chapters.

Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components.

Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.

Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization's information is stolen, it has suffered a loss.
Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite, the quantity and nature of risk the organization is willing to accept.

Subjects and objects: A computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack (the target entity), as shown in Figure 1-5. A computer can be both the subject and object of an attack when, for example, it is compromised by an attack (object) and is then used to attack other systems (subject).

Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
Threat agent: The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).

Figure 1-5 Computer as the Subject and Object of an Attack (Source: Course Technology/Cengage Learning)

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases or, more commonly, decreases. Some characteristics affect information's value to users more than others do. This can depend on circumstances; for example, timeliness of information can be a critical factor, because information loses much or all of its value when it is delivered too late. Though information security professionals and end users share an understanding of the characteristics of
information, tensions can arise when the need to secure the information from threats conflicts with the end users' need for unhindered access to the information. For instance, end users may perceive a tenth-of-a-second delay in the computation of data to be an unnecessary annoyance. Information security professionals, however, may perceive that tenth of a second as a minor delay that enables an important task, like data encryption. Each critical characteristic of information, that is, the expanded C.I.A. triangle, is defined in the sections below.

Availability

Availability enables authorized users (persons or computer systems) to access information without interference or obstruction and to receive it in the required format. Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron's identification before that patron has free access to the book stacks. Once authorized patrons have access to the contents of the stacks, they expect to find the information they need available in a usable format and familiar language, which in this case typically means bound in a book and written in English.

Accuracy

Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider, for example, a checking account. You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your checking account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information is changed.
Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make mistakes, such as bouncing a check.

Authenticity

Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail; you assume you know the origin of the e-mail. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today, because often the modified field is the address of the originator. Spoofing the sender's address can fool e-mail recipients into thinking that messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have. Spoofing can also alter data being transmitted across a network, as in the case of User Datagram Protocol (UDP) packet spoofing, which can enable the attacker to get access to data stored on computing systems. Another variation on spoofing is phishing, when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization. Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law enforcement agents or private investigators. When used in a phishing attack, e-mail spoofing lures victims to a Web server that does not represent the organization it purports to, in an attempt to steal their private data such as account numbers and passwords. The most common variants include posing as a bank or brokerage company, e-commerce organization, or Internet service provider. Even when authorized, pretexting does not always lead to a satisfactory outcome.
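The sender-address spoofing described in the Authenticity paragraph above leaves traces in the message headers that can be checked mechanically. The following Python is an added example, not code from the book: the two messages are constructed for the demo (not real captures), and the server name mx.example.com, the addresses and the domains are placeholders. It compares the domain in the From: header with the envelope sender recorded in Return-Path and with Reply-To, and reads the receiving server's SPF/DKIM verdict from the Authentication-Results header (RFC 8601 format).

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not real captures). In the spoofed one the From: header
# claims the bank, but the envelope sender, the Reply-To and the SPF verdict all disagree.
SPOOFED_RAW = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: <verify@examplebank-login.example>
To: <customer@example.com>
Subject: Urgent: verify your account

Your account has been locked. Click the link to verify.
"""

LEGIT_RAW = b"""Return-Path: <alerts@examplebank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: <customer@example.com>
Subject: Your monthly statement is ready

Your statement for March is available in online banking.
"""


def domain_of(addr):
    """Lower-cased domain part of an address such as '"Name" <user@host>'; '' if none."""
    _, bare = parseaddr(addr or "")
    return bare.rpartition("@")[2].lower()


def spoofing_indicators(raw):
    """Return the list of header inconsistencies that suggest a forged sender.

    An empty list means none of these checks fired; it does not prove the message is genuine.
    """
    msg = email.message_from_bytes(raw)
    findings = []

    from_dom = domain_of(msg.get("From", ""))

    # 1. Envelope sender (Return-Path, written by the receiving MTA) vs. the displayed From: domain.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append("Return-Path domain %s differs from From domain %s" % (rp_dom, from_dom))

    # 2. Replies being steered to a different domain than the one the message claims to come from.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))

    # 3. The receiving server's own SPF/DKIM verdict (Authentication-Results, RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("receiving server recorded an SPF/DKIM failure")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        print(label, "->", spoofing_indicators(raw) or "no indicators")
```

These are cheap checks, and an empty result only says that none of them fired: a phisher who registers a look-alike domain and sends from it with valid SPF passes all three, which is why DMARC alignment on the From: domain and user awareness still matter alongside header checks.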
In 2006, the CEO of Hewlett-Packard Corporation, Patricia Dunn, authorized contract investigators to use pretexting to smoke out a corporate director suspected of leaking confidential information. The resulting firestorm of negative publicity led to Ms. Dunn's eventual departure from the company. [13]

Confidentiality

Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, you can use a number of measures, including the following:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users

Confidentiality, like most of the characteristics of information, is interdependent with other characteristics and is most closely related to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Chapter 3, "Legal and Ethical Issues in Security." The value of confidentiality of information is especially high when it is personal information about employees, customers, or patients.
Individuals who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business. Problems arise when companies disclose confidential information. Sometimes this disclosure is intentional, but there are times when disclosure of confidential information happens by mistake, for example, when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside the organization. Several cases of privacy violation are outlined in Offline: Unintentional Disclosures. Other examples of confidentiality breaches are an employee throwing away a document containing critical information without shredding it, or a hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about the clients, such as names, addresses, and credit card numbers.

As a consumer, you give up pieces of confidential information in exchange for convenience or value almost daily. By using a members-only card at a grocery store, you disclose some of your spending habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. The bits and pieces of your information that you disclose are copied, sold, replicated, distributed, and eventually coalesced into profiles and even complete dossiers of yourself and your life. A similar technique is used in a criminal enterprise called salami theft. A deli worker knows he or she cannot steal an entire salami, but a few slices here or there can be taken home without notice. Eventually the deli worker has stolen a whole salami. In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed, but eventually the employee gets something complete or usable.
Integrity

Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption,

Offline: Unintentional Disclosures

In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves during 2004. The perpetrators used stolen identities to create ostensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently. The company reported that the criminals opened many accounts and recorded personal information on individuals, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks; it was simple fraud. [14] While the amount of damage has yet to be compiled, the fraud is feared to have allowed the perpetrators to arrange many hundreds of instances of identity theft.

The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001.
The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry analysts noted that it was likely to influence the public debate on privacy legislation. The company claimed that the mishap was caused by a programming error that occurred when patients who used a specific drug produced by the company signed up for an e-mail service to access support materials provided by the company. About 600 patient addresses were exposed in the mass e-mail. [15]

In another incident, the intellectual property of Jerome Stevens Pharmaceuticals, a small prescription drug manufacturer from New York, was compromised when the FDA released documents the company had filed with the agency. It remains unclear whether this was a deliberate act by the FDA or a simple error, but either way, the company's secrets were posted to a public Web site for several months before being removed. [16]

damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, one method for detecting a virus or worm is to look for changes in file integrity, such as a change in the size of the file; size alone is a weak indicator, because a modification can leave the length unchanged. A stronger method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value. For a cryptographic hash function, finding two different inputs that produce the same hash value is computationally infeasible, so the hash value is treated as unique to the file's contents. If a computer system performs the same hashing algorithm on a file and obtains a different number than the recorded hash value for that file, the file has been modified and the integrity of the information is lost. Information integrity is the cornerstone of information systems, because information is of no value or use if users cannot verify its integrity.
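The baseline-and-compare check that the file-hashing paragraph above describes, as an added example (not code from the book). It records size and SHA-256 for a set of files and later reports which ones changed, and it demonstrates two points the paragraph only states: a size check misses a same-length modification, and a simple additive checksum of the kind used against line noise misses a byte transposition that a cryptographic hash catches. The file name, its contents and the "transfer amount" strings are constructed for the demo.

```python
import hashlib
import os
import tempfile


def file_sha256(path):
    """Hex SHA-256 digest of a file, read in 64 KiB chunks so large files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record size and SHA-256 of each file: the 'recorded hash value' later checks compare against."""
    return {p: {"size": os.path.getsize(p), "sha256": file_sha256(p)} for p in paths}


def check_integrity(baseline):
    """Compare each file's current state with its baseline.

    Returns {path: 'ok' | 'size_changed' | 'hash_changed' | 'missing'}.
    """
    results = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            results[p] = "missing"
        elif file_sha256(p) == rec["sha256"]:
            results[p] = "ok"
        elif os.path.getsize(p) != rec["size"]:
            results[p] = "size_changed"
        else:
            # Same length, different bytes: a size-only check would report this file as unchanged.
            results[p] = "hash_changed"
    return results


def byte_sum_checksum(data):
    """A simple additive checksum, standing in for check-bit schemes aimed at random line noise."""
    return sum(data) % 256


def demo_same_size_tamper():
    """Constructed demo: overwrite bytes in place so the size stays the same, then run the checker."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "settings.conf")
        with open(p, "wb") as f:
            f.write(b"allow_root_login=no\n")
        base = take_baseline([p])
        with open(p, "r+b") as f:
            f.seek(len(b"allow_root_login="))  # overwrite "no" with "ye": same length, different meaning
            f.write(b"ye")
        return check_integrity(base)[p]


def demo_checksum_vs_hash():
    """Constructed demo: swapping two digits keeps the byte sum identical but changes the SHA-256."""
    original = b"transfer amount=1200"
    altered = b"transfer amount=2100"
    same_checksum = byte_sum_checksum(original) == byte_sum_checksum(altered)
    same_hash = hashlib.sha256(original).hexdigest() == hashlib.sha256(altered).hexdigest()
    return same_checksum, same_hash


if __name__ == "__main__":
    print("same-size tamper detected as:", demo_same_size_tamper())
    print("(checksum unchanged, hash unchanged):", demo_checksum_vs_hash())
```

The baseline itself must be stored where the attacker who can modify the files cannot also rewrite it (a separate host, or signed), otherwise the recorded hash value is no more trustworthy than the file; and an unkeyed hash only detects change, it does not say who made it, which is what a keyed MAC or signature adds.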
File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted.

Utility

The utility of information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose. If information is available but is not in a format meaningful to the end user, it is not useful. For example, to a private citizen U.S. Census data can quickly become overwhelming and difficult to interpret; for a politician, however, U.S. Census data reveals information about the residents in a district, such as their race, gender, and age. This information can help form a politician's next campaign strategy.

Possession

The possession of information is the quality or state of ownership or control. Information is said to be in one's possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups to sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the employee nor anyone else can read it without the proper decryption methods (assuming the decryption keys did not leave with the tapes); therefore, there is no breach of confidentiality. Today, people caught selling company secrets face increasingly stiff fines with the likelihood of jail time. Also, companies are growing more and more reluctant to hire individuals who have demonstrated dishonesty in their past.

CNSS Security Model

The definition of information security presented in this text is based in part on the CNSS document called the National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011. (See www.cnss.gov/Assets/pdf/nstissi_4011.pdf. Since this document was written, the NSTISSC was renamed the Committee on National Security Systems (CNSS); see www.cnss.gov. The library of documents is being renamed as the documents are rewritten.) This document presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems. The model, created by John McCumber in 1991, provides a pictorial representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube. [17] The McCumber Cube in Figure 1-6 shows three dimensions. If extrapolated, the three values on each of the three axes combine into a 3 × 3 × 3 cube with 27 cells representing areas that must be addressed to secure today's information systems. To ensure system security, each of the 27 areas must be properly addressed during the security process.
For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage. One such control might be a host intrusion detection system that protects the integrity of information by alerting the security administrators to the potential modification of a critical file.

Figure 1-6 The McCumber Cube [18] (Source: Course Technology/Cengage Learning)

What is commonly left out of such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent chapters of this book.

Components of an Information System

As shown in Figure 1-7, an information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization. These six critical components enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the information system also has its own security requirements.

Software

The software component of the IS comprises applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure.
The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls. Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, cost, and manpower. Information security is all too often implemented as an afterthought, rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks.

Figure 1-7 Components of an Information System (Source: Course Technology/Cengage Learning)

Hardware

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system.
Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible. Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a computer as its owner passed it through the conveyor scanning devices. The first perpetrator entered the security area ahead of an unsuspecting target and quickly went through. Then, the second perpetrator waited behind the target until the target placed his or her computer on the baggage scanner. As the computer was whisked through, the second agent slipped ahead of the victim and entered the metal detector with a substantial collection of keys, coins, and the like, thereby slowing the detection process and allowing the first perpetrator to grab the computer and disappear in a crowded walkway. While the security response to September 11, 2001 did tighten the security process at airports, hardware can still be stolen in airports and other public places. Although laptops and notebook computers are worth a few thousand dollars, the information contained in them can be worth a great deal more to organizations and individuals.

Data

Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. Systems developed in recent years are likely to make use of database
management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects do not make full use of the database management system's security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems.

People

Though often overlooked in computer security considerations, people have always been a threat to information security. Legend has it that around 200 B.C. a great army threatened the security and stability of the Chinese empire. So ferocious were the invaders that the Chinese emperor commanded the building of a great wall that would defend against the Hun invaders. Around 1275 A.D., Kublai Khan finally achieved what the Huns had been trying for well over a thousand years. Initially, the Khan's army tried to climb over, dig under, and break through the wall. In the end, the Khan simply bribed the gatekeeper, and the rest is history. Whether this event actually occurred or not, the moral of the story is that people can be the weakest link in an organization's information security program. And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate the actions of people to obtain access information about a system. This topic is discussed in more detail in Chapter 2, "The Need for Security."

Procedures

Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task.
When an unauthorized user obtains an organization's procedures, this poses a threat to the integrity of the information. For example, a consultant to a bank learned how to wire funds by using the computer center's procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), this bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of over ten million dollars before the situation was corrected. Most organizations distribute procedures to their legitimate employees so they can access the information system, but many of these companies often fail to provide proper education on the protection of the procedures. Educating employees about safeguarding procedures is as important as physically securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of the organization only on a need-to-know basis.

Networks

The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system is still important, but when computer systems are networked, this approach is no longer enough. Steps to provide network
security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.

Balancing Information Security and Access

Even with the best planning and implementation, it is impossible to obtain perfect information security. Recall James Anderson