Introduction to the Management of Information Security PDF

Summary

This document provides an introduction to the management of information security. It covers learning objectives, introduction, communities of interest and other key security aspects. Key learning ideas are also included in the summary.

Full Transcript

Management of Information Security, 6th ed. - Whitman & Mattord

1
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Learning Objectives

Upon completion of this material (Ch1), you should be
able to:
List and discuss the key characteristics of information security
List and describe the dominant categories of threats to
information security
Describe the importance of the manager’s role in securing an
organization’s information assets
Differentiate information security management from general
business management

2
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Introduction
With the wide adoption of the Internet by individuals and businesses,
the ways organisations operate have changed dramatically
Brick-and-mortar (trivial and slower) to complete online presence (what is brick-and-
mortar?)
Information/data and technologies enable online operations
- Various information systems to speed up operations
- Social media for advertisement

IT enables the storage and transportation of information—often a
company’s most valuable resource (Q: examples of technologies that
store information; Why most valuable resource?)
But what happens if the vehicle breaks down, even for a little while? – LogOrgD
logistics company under ransomware attack
Hence – protecting information is essential
InfoSec Managers are the champions that expect to do just that
(sometimes with the team of other professionals)
3
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Introduction (Continued)

“Security is IT/security team problem” – let’s discuss
InfoSec community are the champions that must take
the lead, but they need help!
InfoSec efforts must involve the entire organization, as
represented by three distinct groups of managers and
professionals, or communities of interest:
1. Those in the field of information security
2. Those in the field of IT
3. Those from the rest of the organization (think of functions of each
community)

4
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Communities of Interest
These three groups should engage in a constructive effort to
reach consensus on an overall plan to protect the
organization’s information assets:
The information security community protects the organization’s
information assets from the many threats they face
The IT community supports the business objectives of the
organization by supplying and supporting IT that is appropriate to the
organization’s needs
The general business community articulates and communicates
organizational policy and objectives and allocates resources to the
other groups
Working together, these communities of interest make
recommendations to executive management about how to
secure an organization’s information assets most effectively
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
5
 Management of Information Security, 6th ed. - Whitman & Mattord

What Is Security?

In general, security means being free from danger. To be secure is to be
protected from the risk of loss, damage, unwanted modification, or
other hazards

Security is often achieved by means of several strategies undertaken
simultaneously or used in combination with one another

In organisation: It is the role of management to ensure that each
strategy is properly planned, organized, staffed, directed, and
controlled
6
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Specialized Areas of Security

Specialized areas of security include (the elements of
InfoSec that must be in place):
1. Physical security, physical items, objects, or areas from unauthorized access and
misuse.

2. Operations security, details of an organization's operations and activities.
3. Communications security, all communications media, technology, and content.
4. Cyber (or computer) security, computerized information processing systems
and the data they contain and process

5. Network security, subset of communications security and cybersecurity; the protection
of voice and data networking components, connections, and content.

7
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Information Security

Information security (InfoSec) is the protection of information
and its critical elements, including the systems and hardware
that use, store, and transmit the information.
InfoSec focuses on the protection of information and the
characteristics that give it value, such as confidentiality,
integrity, and availability,
and includes
the technology that houses and transfers that information
through a variety of protection mechanisms such as policy
(ch4) , training and awareness programs (ch5), and
technology
8
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

The CIA Triad and the CNSS Model

How do we achieve information security?
Committee on National Security Systems (CNSS) Security Model
(also known as the McCumber Cube) provides a detailed perspective
on security
shows the three dimensions that are central to the discussion of
InfoSec: information characteristics, information location, and
security control categories.
by extending the relationship among the three dimensions that are
represented by the axes in the figure, you end up with a 3 x 3 x 3
cube with 27 cells.
See figure 1-2 on next slide

9
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

each cell represents an area of intersection among these three dimensions, which must be addressed
to secure information
For Example: Technology/Integrity/Storage = Controls that address the use of technology to protect the integrity of
information while in storage (e.g. Intrusion Detection and Prevention System)
Disadvantages (only gaps in InfoSec):
no guidelines on how to implement controls (only identifies gaps in InfoSec program;
does not address the needs of IT and business communities

10
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

The C.I.A. Triad
To better understand the management of InfoSec, it is vital
to be familiar with the key characteristics of InfoSec
The C.I.A. triad—confidentiality, integrity, and availability—
has expanded into a more comprehensive list of critical
characteristics of information, including privacy, identification,
authentication, authorization, and accountability

11
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Confidentiality

Confidentiality is “an attribute of information that describes how
data is protected from disclosure or exposure to unauthorized
individuals or systems”
Confidentiality means limiting access to information only to those
who need it, and preventing access by those who do not
Example: Dr. Basel’s computer password is Facebook123 (written
on a piece of paper and left on a desk) – opposite to confidentiality
To protect the confidentiality of information, a number of measures
are used:
Information classification
Secure document (and data) storage – example?
Application of general security policies – why policies are important?
Security education – why education is important?
Cryptography (encryption)
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
12
 Management of Information Security, 6th ed. - Whitman & Mattord

Integrity
Integrity is “an attribute of information that describes how
data is whole, complete, and uncorrupted”
Integrity characteristic ensures we can trust this information
Integrity ensures that the data stored in the systems is
accurate no unauthorized person or software can alter it
The integrity of information is threatened when it is exposed
to corruption, damage, destruction, or other disruption of its
authentic state (e.g., data theft)
Integrity can be compromised accidentally or deliberately

13
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Availability

Availability is “an attribute of information that describes how
data is accessible and correctly formatted for use without
interference or obstruction”

Availability of information means that users, either people or
other systems, have access to it in a usable format

Availability does not imply that the information is accessible
to any user; rather, it means information can be accessed
when needed by authorized users
14
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Privacy
Privacy is, “in the context of information security, the right of
individuals or groups to protect themselves and their information from
unauthorized access, providing confidentiality”
Information that is collected, used, and stored by an organization is to
be used only for the purposes stated by the data owner at the time it
was collected – organisations must explicitly state with what parties
they intend to share your information
In this context, privacy does not mean freedom from observation; it
means that the information will be used only in ways approved by the
person who provided it

Question: what is the difference between information security and
information privacy?
Protecting privacy is an important component in the digital information
15
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Information Aggregation

Related to privacy,
Many organizations collect, swap, and sell personal information as
a commodity, commonly disregarding privacy of information
owners
Today, it is possible to collect and combine personal information
from several different sources (known as information aggregation)
that has resulted in databases that could be used in ways the
original data owner has not agreed to or even knows about
Question – how organisations make profits from data?
Advice: DuckDuckGo browser/extension does not collect personal
information; ProtonMail encrypts all correspondence and does not
have access to your personal information, Wickr messenger offers
anonymous registration, cloud Sync offers client anonymity:
OsmAnd vs. Google Maps 16
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Identification

Identification is “the access control mechanism whereby
unverified entities who seek access to a resource provide a
label by which they are known to the system”
An information system possesses the characteristic of
identification when it is able to recognize individual users
Identification is typically performed by means of a user name
or other ID
Example – login credentials
Q: Why identification is important?

17
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Authentication
Authentication is “the access control mechanism that requires the
validation and verification of an unauthenticated entity’s purported
identity”
It is the process by which a control establishes whether a user (or
system) has the identity it claims to have
Individual users may disclose a personal identification number (PIN), a
password, or a passphrase to authenticate their identities to a
computer system
Example: after a user enters login
credentials, the system must compare
this information to the existing records and either
authenticate the user or reject access
Q: Do you see the difference between identification and
authentication?

18
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Authorization

Authorization is “the access control mechanism that
represents the matching of an authenticated entity to a list of
information assets and corresponding access levels”
Admin login
Regular user
After the identity of a user is authenticated, authorization
defines what the user (whether a person or a computer) has
been specifically and explicitly permitted by the proper
authority to do,
such as access, modify, or delete the contents of an
information asset
Explain: Identification vs. Authentication vs. Authorization
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
19
 Management of Information Security, 6th ed. - Whitman & Mattord

Accountability

Accountability is “the access control mechanism that ensures
all actions on a system—authorized or unauthorized—can be
attributed to an authenticated identity. Also known as
auditability”

Accountability of information occurs when a control provides
assurance that every activity undertaken can be attributed to
a named person or automated process

Accountability is most commonly associated with system
audit logs 20
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Threats and Attacks
 Management of Information Security, 6th ed. - Whitman & Mattord

Sun Tzu Wu’s The Art of War

One who knows the enemy and knows himself will not be in danger
in a hundred battles
One who does not know the enemy but knows himself will
sometimes win, sometimes lose.
One who does not know the enemy and does not know himself will
be in danger in every battle (timeless quotes of Sun Tzu, 500
BC)
To protect your organization’s information, you must:
know yourself; that is, be familiar with the information assets to be protected and the
systems, mechanisms, and methods used to store, transport, process, and protect them;
and
know your enemy; that is the threats your organization faces

22
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Key Concepts of Information Security: Threats and Attacks
Difference between threat and attack: A threat represents a potential risk to
an information asset, whereas an attack (or threat event) represents an
ongoing act against the asset that could result in a loss
Question: Please provide examples of information security cyber threats
What about examples of cyber-attacks?
Threat agents damage or steal an organization’s information or physical
assets by using exploits to take advantage of a vulnerability where controls
are not present or no longer effective (or use social engineering techniques)
Attack: “an intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it”
Exploit: “a technique used to compromise a system… E.g., Astrum exploit kit took
advantage of vulnerability in Adobe Flash Player – common type of ransomware attack in
2018
Vulnerability: “a potential weakness in an asset or its defensive control system(s)”, e.g.,
weak password, weakness in code

23
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

24
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Software Attacks

Deliberate software attacks occur when an individual or a
group designs and deploys software to attack a system
This software can be used to overwhelm the processing
capabilities of online systems or to gain access to protected
systems by hidden means
Malware—viruses, worms, Trojan horses (behaviour) – people and
even information security experts make mistakes with these terms
Backdoors
Spyware
Ransomware (WannaCry and CryptoLocker)
Keylogging – question: what is keylogger?
Bots – question: what is bot?

25
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Virus
Type of malware that propagates by
inserting a copy of itself into another
program becoming part of this program – just
like human virus it needs carrier
Spreads from one computer to another, leaving
infections as it travels.
Almost all viruses are attached to an executable file,
which means the virus may exist on your computer
but it actually cannot infect your computer unless
you run or open the malicious program
A computer virus can range in severity: some may
cause only mildly annoying effects while others can
damage your hardware, software or files.
26
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Worm
Computer worms are similar to viruses in self-replication function but in contrast to
viruses, which require the spreading of an infected host file, worms are standalone
software and do not require a host program or human help to propagate.
To spread, worms exploit a vulnerability on the target system, e.g. Web server,
operating system (WannaCry)
The biggest danger - its capability to replicate itself on a system, e.g., a worm can
send a copy of itself to everyone listed in victim’s e-mail address book. Computer
worms can replicate themselves really fast, e.g. Code Red worm designed to initiate
DoS attack on the White House infected more than 250,000 systems in just 9 hours
(2001)
Computer worm can initiate DDoS, deface Web pages, install “backdoors” (illegal
remote access) on infected Web servers. Worms can also broadcast vulnerable
servers to the Internet.
Stuxnet - one of the most dangerous and sophisticated computer worms ever

27
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Trojan Horse

Unlike viruses and worms,
Trojans do not reproduce by
infecting other files nor do
they self-replicate but they
can be just as destructive.
Just like in the Trojan Horse
legend, Trojan Horse malware
pretends to be a regular
program, e.g. games,
disk utilities, and even
antivirus programs
28
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Extortion
Cyberextortion is an attempt to extort money/ransom
from a victim by taking their data hostage
Ransomware encrypts (most commonly) the
user’s data and offers to unlock it if the user
pays the attacker
Thousands of attacks happen on a daily basis
Most popular ransomware groups are Maze,
REvil, NetWalker
Colonial attack – compromised VPN credentials
Countermeasures: backups/cybersecurity
basics/incident response
Ransomware Generations (see Connolly et al.,
2021 paper on Blackboard, section II –
Ransomware Evolution)
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
29
 Management of Information Security, 6th ed. - Whitman & Mattord

Theft
Physical theft can be controlled easily using a wide variety of measures, from
locked doors to trained security personnel and the installation of alarm systems
Digital theft, however, is a more complex problem to manage and control (digital
footprints, distance – lack of fear; lack of empathy) (criminals are harder to catch)
Question: What characteristics of Information Security are affected?
(please use C.I.A. triad for assessment)
Theft is often an overlapping category with software attacks, espionage or
trespass, information extortion, and compromises to intellectual property
Ransomware Generation IV: from extortion (i.e., threat to destroy
data/decryption key) to blackmail (i.e., threat to expose data) :
Fear of incrimination
Fear of embarrassment
Fear of reputational damage/lost revenue
Fear of intellectual property exposure or loss
30
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Human Error or Failure
This category includes acts performed without intent or malicious purpose or
in ignorance by an authorized user
When people use information systems, mistakes happen
Crafty hackers use social engineering, e.g., send convincing emails from
spoofed addresses
Inexperience, improper training, and incorrect assumptions can cause
human error or failure
One of the greatest threats to an organization’s information
security is its own employees
Human error or failure often can be prevented with Security Education,
Training and Awareness (SETA) programs, but not always
Question: examples of awareness activities?
Question: can human error be 100% prevented? 31
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Compromises to Intellectual Property

Intellectual property (IP) can be trade secrets, copyrights,
trademarks, and patents (e.g., Coke recipe)
Coca-Cola claims its formula is the "world's most guarded secret."
The recipe, the company says, is now kept in a purpose-built vault
within the company's headquarters in Atlanta (e.g., University of
California San Francisco paid $1.14 million ransom)
– Question: other examples of intellectual property?
Question: What characteristics of Information Security are
affected? (please use C.I.A. triad for assessment)

32
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Deviations in Quality of Service

An organization’s information system depends on the successful
operation of many interdependent support systems, including
power grids, data and telecommunications networks, parts
suppliers, service vendors, and even janitorial staff and garbage
hauliers, any of which can be interrupted by severe weather,
employee illnesses, or other unforeseen events

Irregularities in Internet service, communications, and power
supplies can dramatically affect the availability of information and
systems, e.g., a power outage at ZU can affect so many services
including the availability of information

33
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Espionage or Trespass
When an unauthorized person gains access to information an
organization is trying to protect, the act is categorized as espionage
or trespass
When information gatherers employ techniques that cross a legal or
ethical threshold, they are conducting industrial espionage
Once an attacker gains access to a system, the next step is to
increase privileges (privilege escalation) to gain administrator- (or
root-) level control
Stuxnet – one of the most sophisticated examples of industrial
espionage; worm developed to target Iran’s nuclear facilities
The level of sophistication pointed out to a state-organised attack
These attacks are not common as they require advanced technical
skills and are very expensive
34
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Forces of Nature

Forces of nature can present some of the most dangerous threats
because they usually occur with little warning and are beyond the
control of people

Examples of forces of nature and how can they affect
organization?

Because it is not possible to avoid these threats, organizations
must implement controls to limit damage and prepare contingency
plans for continued operations
Most forces of nature can only be mitigated through insurance,
although careful facilities design and placement can reduce the
likelihood of damage
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
35
 Management of Information Security, 6th ed. - Whitman & Mattord

Forces of Nature (Continued)

Some typical force of nature attacks:
Fire Hurricanes, typhoons,
Flood and tropical depressions
Earthquake Tsunami

Lightning Electrostatic discharge
(ESD)
Landslide or mudslide
Dust contamination
Tornados or severe
windstorms

36
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Sabotage or Vandalism

This category of threat involves the deliberate sabotage of a
computer system or business, or acts of vandalism to destroy an
asset or damage the image of an organization
These acts can range from petty vandalism by employees to
organized sabotage against an organization
E.g. Wiper (NotPetya)
Vandalism to a Web site can erode consumer confidence,
diminishing an organization’s sales, net worth, and reputation
Activism in the digital age:
Online activism (hacktivism) e.g., Anonymous (HBGary Federal)

37
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Technical Hardware Failures

Technical hardware failures or errors occur when a
manufacturer distributes equipment containing a
known or an unknown flaw, which can cause the
system to perform outside of expected parameters,
resulting in unreliable service or lack of availability
(e.g., motherboard failure)

38
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Technical Software Failures

Large quantities of computer code are written, debugged,
published, and sold before all their bugs are detected and
resolved
Some bugs are accidental
Sometimes these bugs are not errors, but purposeful shortcuts
left by programmers for benign or malign reasons, bypassing
security checks to speed up software testing (e.g., unit testing)

Among the most popular bug documentation Web site is
Bugtraq, hosted by Security Focus, which provides up-to-the-
minute information on the latest security vulnerabilities as well
as a thorough archive of past bugs
39
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
 Management of Information Security, 6th ed. - Whitman & Mattord

Technological Obsolescence

Outdated infrastructure can lead to unreliable and
untrustworthy systems (e.g., many systems rely on
out-of-date OS, e.g., MRI scan machines rely on
Windows XP, which is not supported anymore by
Microsoft)
Management must recognize that when technology
becomes outdated, there is a risk of losing data
integrity from attacks
Ideally, proper planning by management should
prevent technology from becoming obsolete, but
when obsolescence is clear, management must take
immediate action
However, this is not as simple as written in a book…
 Why?
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
40