
Summary

This document provides an introduction to information security. It discusses the importance of protecting information from threats such as malicious software (malware) and touches on core concepts such as confidentiality, integrity, and availability.

Full Transcript


2 Principles of Information Security

Amy looked up at the help desk ticket status monitor on the wall at the end of the room. She saw that only two technicians were currently dispatched to user support, and because it was the day shift, four technicians were available. “Shouldn’t be long at all, Bob.” She hung up and typed her notes into the company’s trouble ticket tracking system. She assigned the newly generated case to the user dispatch queue, which would page the user support technician with the details in a few minutes.

A moment later, Amy looked up to see Charlie Moody, the senior manager of the server administration team, walking briskly down the hall. He was being trailed by three of his senior technicians as he made a beeline from his office to the room where the company servers were kept in a carefully controlled environment. They all looked worried.

Just then, Amy’s screen beeped to alert her of a new e-mail. She glanced down. The screen beeped again—and again. It started beeping constantly. She clicked the envelope icon, and after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez in the Accounting Department. The subject line said, “Wait till you see this.” The message body read, “Funniest joke you’ll see today.” Davey often sent her interesting and funny e-mails, and she clicked the file attachment icon to open the latest joke. After that click, her PC showed the Windows “please wait” cursor for a second and then the mouse pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened.

Her phone rang again. She clicked the icon on her computer desktop to activate the call management software and activated her headset. “Hello, Help Desk, how can I help you?” She couldn’t greet the caller by name because her computer had not responded. “Hello, this is Erin Williams in Receiving.” Amy glanced down at her screen. Still no tracking system. She glanced up to the tally board and was surprised to see the inbound-call counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time. “Hi, Erin,” Amy said. “What’s up?” “Nothing,” Erin answered. “That’s the problem.” The rest of the call was a replay of Bob’s, except that Amy had to jot notes down on a legal pad. She couldn’t notify the user support team either. She looked at the ticket status monitor again. It had gone dark. No numbers at all. Then she saw Charlie walking quickly down the hall from the server room. His expression had changed from worried to frantic. Amy picked up the phone again. She wanted to check with her supervisor about what to do now. There was no dial tone.

Introduction To Information Security

Every organization, whether public or private and regardless of size, has information it wants to protect. It could be customer information, product or service information, and/or employee information. Regardless of the source, it is the organization’s job to protect the information to the best of its ability. Organizations have a responsibility to all their stakeholders to protect that information. Unfortunately, there aren’t enough security professionals to go around. As a result, everyone in the organization must have a working knowledge of how to protect the information assigned to them and how to assist in preventing the unauthorized disclosure, damage, or destruction of that information. After all, if you’re not part of the solution, you’re part of the problem.

This module’s opening scenario illustrates that information risks and controls may not be in balance at SLS. Though Amy works in a technical support role to help users with their problems, she did not recall her training about malicious e-mail attachments, such as worms or viruses, and fell victim to this form of attack herself.
Understanding how malicious software (malware) might be the cause of a company’s problems is an important skill for information technology (IT) support staff as well as users. SLS’s management also showed signs of confusion and seemed to have no idea how to contain this kind of incident. If you were in Amy’s place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company? As you explore the modules of this book and learn more about information security, you will become more capable of answering these questions. But, before you can begin studying details about the discipline of information security, you must first know its history and evolution.

Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Module 1 Introduction to Information Security 3

The history of information security begins with the concept of computer security. The need for computer security arose during World War II when the first mainframe computers were developed and used to aid computations for communication code-breaking messages from enemy cryptographic devices like the Enigma, shown in Figure 1-1. Multiple levels of security were implemented to protect these devices and the missions they served. This required new processes as well as tried-and-true methods needed to maintain data confidentiality. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and technologically sophisticated computer security safeguards.

computer security: In the early days of computers, this term specified the protection of the physical location and assets associated with computer technology from outside threats, but it later came to represent all actions taken to protect computer systems from losses.

During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against products of the systems, and sabotage. One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on a MOTD (message of the day) file while another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed to every output file.1

The 1960s

During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks. These mainframes required a less cumbersome process of communication than mailing magnetic tapes between computer centers. In response to this need, the U.S. Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information. In 1968, Dr. Larry Roberts developed the ARPANET project, which evolved into what we now know as the Internet. Figure 1-2 is an excerpt from his program plan.

For more information on Dr. Roberts, including links to his recorded presentations, visit the Internet Hall of Fame at www.internethalloffame.org/inductees/lawrence-roberts.
Figure 1-1 The Enigma. Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. “Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn’t read it.” Source: © kamilpetran/Shutterstock.com.2

Figure 1-2 Development of the ARPANET. Source: Courtesy of Dr. Lawrence Roberts. Used with permission.3

The 1970s and ’80s

During the next decade, ARPANET became more popular and saw wider use, increasing the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe (pictured in Figure 1-3) identified fundamental problems with ARPANET security. As one of the creators of Ethernet, a dominant local area networking protocol, he knew that individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded, including vulnerability of password structure and formats, lack of safety procedures for dial-up connections, and nonexistent user identification and authorizations. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was commonly referred to as network insecurity.4 For a timeline that includes seminal studies of computer security, see Table 1-1.

Figure 1-3 Dr. Metcalfe receiving the National Medal of Technology. Source: U.S. Department of Commerce. Used with permission.

Security that went beyond protecting physical computing devices and their locations effectively began with a single paper published by the RAND Corporation in February 1970 for the Department of Defense. RAND Report R-609 attempted to define the multiple controls and mechanisms necessary for the protection of a computerized data processing system. The document was classified for almost 10 years, and is now considered to be the paper that started the study of computer security.

The security—or lack thereof—of systems sharing resources inside the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being acquired at a rapid rate, and securing them was a pressing concern both for the military and defense contractors.
Table 1-1 Key Dates in Information Security

Date  Document
1968  Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1970  Willis H. Ware authors the report “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND Report R-609,” which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.
1973  Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.
1975  The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.
1978  Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.5
1979  Morris and Thompson author “Password Security: A Case History,” published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system. Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.
1982  The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series.
1984  Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report, the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.6 Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore, no technique can be secure against the system administrator or other privileged users... the naive user has no chance.”7
1992  Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security.

In June 1967, ARPA formed a task force to study the process of securing classified information systems. The task force was assembled in October 1967 and met regularly to formulate recommendations, which ultimately became the contents of RAND Report R-609. The document was declassified in 1979 and released as Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND Report R-609-1.8 The content of the two documents is identical with the exception of two transmittal memorandums.

For more information on the RAND Report, visit www.rand.org/pubs/reports/R609-1.html.

RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide use of networking components in military information systems introduced security risks that could not be mitigated by the routine practices then used to secure these systems. Figure 1-4 shows an illustration of computer network vulnerabilities from the 1979 release of this document.
This paper signaled a pivotal moment in computer security history—the scope of computer security expanded significantly from the safety of physical locations and hardware to include the following:

- Securing the data
- Limiting random and unauthorized access to that data
- Involving personnel from multiple levels of the organization in information security

Figure 1-4 Illustration of computer network vulnerabilities from RAND Report R-609. The figure (not reproduced here) labels vulnerability points at the communication lines, switching center, and processor (radiation, taps, crosstalk), at hardware, files, and software, and through the operator, systems programmer, maintenance man, remote consoles, and user. Source: RAND Report R-609-1. Used with permission.9

MULTICS

Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

For more information on the MULTICS project, visit web.mit.edu/multics-history.

In 1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. Not until the early 1970s did even the simplest component of security, the password function, become a component of UNIX.

In the late 1970s, the microprocessor brought the personal computer (PC) and a new age of computing. The PC became the workhorse of modern computing, moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking—the interconnecting of PCs and mainframe computers, which enabled the entire computing community to make all its resources work together.

In the early 1980s, TCP (the Transmission Control Protocol) and IP (the Internet Protocol) were developed and became the primary protocols for the ARPANET, eventually becoming the protocols used on the Internet to this day. During the same time frame, the hierarchical Domain Name System, or DNS, was developed. The first dial-up Internet service provider (ISP)—The World, operated by Standard Tool & Die—came online, allowing home users to access the Internet. Prior to that, vendors like CompuServe, GEnie, Prodigy, and Delphi had provided dial-up access for online computer services, while independent bulletin board systems (BBSs) became popular for sharing information among their subscribers.
For more information on the history of the Internet, visit www.livescience.com/20727-internet-history.html.

In the mid-1980s, the U.S. government passed several key pieces of legislation that formalized the recognition of computer security as a critical issue for federal information systems. The Computer Fraud and Abuse Act of 1986 and the Computer Security Act of 1987 defined computer security and specified responsibilities and associated penalties. These laws and others are covered in Module 6. In 1988, the Defense Advanced Research Projects Agency (DARPA) within the Department of Defense created the Computer Emergency Response Team (CERT) to address network security.

The 1990s

At the close of the 20th century, networks of computers became more common, as did the need to connect them to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s after decades of being the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses. Since its inception as ARPANET, a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards because industry standards for interconnected networks did not exist. These de facto standards did little to ensure the security of information, though some degree of security was introduced as precursor technologies were widely adopted and became industry standards. However, early Internet deployment treated security as a low priority. In fact, many problems that plague e-mail on the Internet today result from this early lack of security. At that time, when all Internet and e-mail users were presumably trustworthy computer scientists, mail server authentication and e-mail encryption did not seem necessary. Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.

In 1993, the first DEFCON conference was held in Las Vegas. Originally, it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials. A compelling topic was the involvement of hackers in creating an interesting venue for the exchange of information between two adversarial groups—the “white hats” of law enforcement and security professionals and the “black hats” of hackers and computer criminals.

In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organizations. Antivirus products became extremely popular, and information security began to emerge as an independent discipline.

2000 to Present

Today, the Internet brings millions of unsecured computer networks and billions of computer systems into continuous communication with each other.
The security of each computer’s stored information is contingent on the security level of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyberattacks has made governments and companies more aware of the need to defend the computerized control systems of utilities and other critical infrastructure. Other growing concerns are the threat of countries engaging in information warfare and the possibility that business and personal information systems could become casualties if they are undefended.

Since 2000, Sarbanes–Oxley and other laws related to privacy and corporate responsibility have affected computer security. The attack on the World Trade Centers on September 11, 2001, resulted in major legislation changes related to computer security, specifically to facilitate law enforcement’s ability to collect information about terrorism. The USA PATRIOT Act of 2001 and its follow-up laws are discussed in Module 6.

The 21st century also saw the massive rise in mobile computing, with smartphones and tablets possessing more computing power than early-era mainframe systems. Embedded devices have seen the creation of computing built into everyday objects in the Internet of Things (IoT). Each of these networked computing platforms brings its own set of security issues and concerns as they are connected into networks with legacy platforms and cloud-based service delivery systems. Technology that is supposed to be seamless turns out to have many connection points, each with its own set of security and reliability vulnerabilities. The emergence of tools to deal with now-routine threats at large scale has led to the development of complete solutions for unified threat management, data loss prevention, and security information and event management. The solutions will be explored in more detail in later modules.

Wireless networking, and the risks associated with it, has become ubiquitous and pervasive, with widely available connectivity providing ready access to the Internet as well as local networks that are usually ill-prepared for access by the public. This opens the local net as well as the Internet to a constant threat of anonymous attacks from very large numbers of people and devices.

The threat environment has grown from the semiprofessional hacker defacing Web sites for amusement to professional cybercriminals maximizing revenue from theft and extortion, as well as government-sponsored cyberwarfare groups striking military, government, and commercial targets by intent and by opportunity. The attack sources of today are well-prepared and are attacking all connected public and private systems and users.

What Is Security?

Security is protection. Protection from adversaries—those who would do harm, intentionally or otherwise—is the ultimate objective of security. National security, for example, is a multilayered system that protects the sovereignty of a state, its people, its resources, and its territory. Achieving the appropriate level of security for an organization also requires a multifaceted system.
A successful organization should have multiple layers of security in place to protect its people, operations, physical infrastructure, functions, communications, and information. The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information.10 Figure 1-5 shows that information security includes the broad areas of information security management, data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triad. The C.I.A. triad (see Figure 1-6) has been the standard for computer security in both industry and government since the development of the mainframe. This standard is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability. The security of these three characteristics is as important today as it has always been, but the C.I.A. triad model is generally viewed as no longer adequate in addressing the constantly changing environment. The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. This vast array of constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment. The expanded model consists of a list of critical characteristics of information, which are described in the next section. C.I.A. triad terminology is used in this module because of the breadth of material that is based on it.

security: A state of being secure and free from danger or harm; also, the actions taken to make someone or something secure.

information security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

network security: A subset of communications security; the protection of voice and data networking components, connections, and content.

C.I.A. triad: The industry standard for computer security since the development of the mainframe; the standard is based on three characteristics that describe the attributes of information that are important to protect: confidentiality, integrity, and availability.

Figure 1-5 Components of information security. The figure (not reproduced here) shows Management of Information Security, Computer Security, Network Security, and Data Security inside an outer ring labeled Policy and Information Security Governance.

Figure 1-6 The C.I.A. triad. The figure (not reproduced here) shows Confidentiality, Integrity, and Availability surrounding Data & Services.

Key Information Security Concepts

This book uses many terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-7; all are covered in greater detail in subsequent modules.

Access—A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.

Asset—The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.

Attack—An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

Figure 1-7 Key concepts in information security. The figure (not reproduced here) walks through a single scenario. Vulnerability: SQL injection in online database Web interface. Threat: Theft. Threat agent: Ima Hacker. Exploit: Script from MadHackz Web site. Attack: Ima Hacker downloads exploit from MadHackz Web site, then accesses HAL Inc.’s Web site and applies script, resulting in Loss: download of customer data. Asset: HAL Inc.’s customer database. Sources (top left to bottom right): © iStockphoto/tadija, Internet Explorer, © iStockphoto/darrenwise, Internet Explorer, Microsoft Excel.

Control, safeguard, or countermeasure—Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following modules.

Exploit—A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.

Exposure—A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.

Loss—A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization’s information is stolen, it has suffered a loss.
Protection profile or security posture—The entire set of controls and safeguards—including policy, education, training and awareness, and technology—that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

Risk—The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.

Subjects and objects of attack—A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. See Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).

Threat—Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. The two terms are technically distinct, but to simplify discussion, the text will continue to use the term threat to describe threat sources.

Threat agent—The specific instance or a component of a threat. For example, the threat source of “trespass or espionage” is a category of potential danger to information assets, while “external professional hacker” (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent.
A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as “acts of God/acts of nature.”

Figure 1-8 Computer as the subject and object of an attack: a hacker using a laptop as the subject of an attack to steal information across the Internet from a remote server that is the object of the hacker’s attack.

Threat event—An occurrence of an event caused by a threat agent. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack.

Threat source—A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent “hackers,” as part of the threat source “acts of trespass or espionage,” purposely threaten unprotected information systems, while threat agent “severe storms,” as part of the threat source “acts of God/acts of nature,” incidentally threaten buildings and their contents.

Vulnerability—A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
Critical Characteristics of Information

The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases or, more commonly, decreases. Some characteristics affect information’s value to users more than others, depending on circumstances. For example, timeliness of information can be a critical factor because information loses much or all of its value when delivered too late. Though information security professionals and end users share an understanding of the characteristics of information, tensions can arise when the need to secure information from threats conflicts with the end users’ need for unhindered access to it. For instance, end users may perceive two-factor authentication in their login—which requires an acknowledgment notification on their smartphone—to be an unnecessary annoyance. Information security professionals, however, may consider two-factor authentication necessary to ensure that only authorized users access the organization’s systems and data. Each critical characteristic of information—that is, the expanded C.I.A. triad—is defined in the following sections.

Confidentiality

Confidentiality ensures that only users with the rights, privileges, and need to access information are able to do so. When unauthorized individuals or systems view information, its confidentiality is breached. To protect the confidentiality of information, you can use several measures, including the following:

• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users

Confidentiality, like most characteristics of information, is interdependent with other characteristics and is closely related to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Module 6.
confidentiality: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.

The value of confidentiality is especially high for personal information about employees, customers, or patients. People who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, a healthcare facility, or a business. Problems arise when companies disclose confidential information. Sometimes this disclosure is intentional, but disclosure of confidential information also happens by mistake—for example, when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside it. Other examples of confidentiality breaches include an employee throwing away a document that contains critical information without shredding it, or a hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about its clients, such as names, addresses, and credit card numbers.

personally identifiable information (PII): Information about a person’s history, background, and attributes that can be used to commit identity theft; typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.

As a consumer, you give up pieces of personal information in exchange for convenience or value almost daily. By using a “members” card at a grocery store, you disclose some of your spending habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. When you sign up for a free magazine, Web resource, or free software application, you provide personally identifiable information (PII). The bits and pieces of personal information you disclose may be copied, sold, replicated, distributed, and eventually coalesced into profiles and even complete dossiers of you and your life.

Integrity

integrity: An attribute of information that describes how data is whole, complete, and uncorrupted.

Information has integrity when it is in its expected state and can be trusted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity, as shown by the file size. Another key method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the bit values in the file to compute a single large number called a hash value. The hash value for any combination of bits is unique. If a computer system performs the same hashing algorithm on a file and obtains a different number than the file’s recorded hash value, the file has been compromised and the integrity of the information is lost. Information integrity is the cornerstone of information systems because information is of no value or use if users cannot verify its integrity. File hashing and hash values are examined in detail in Module 10.

File corruption is not necessarily the result of external forces, such as hackers.
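The integrity checks the module describes, worked as an added example that is not from the textbook: a recorded size and hash value for a constructed file, a same-size modification that a size check misses but a hash check catches, and an even-parity check bit of the kind used against transmission noise, which catches one flipped bit but not two. SHA-256, the record format and the sample data are my choices, not the module's.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class IntegrityRecord:
    """Values recorded while a file is known to be in its authentic state."""
    size: int
    sha256: str


def record_integrity(data: bytes) -> IntegrityRecord:
    """Compute the size and hash value that later checks compare against."""
    return IntegrityRecord(size=len(data), sha256=hashlib.sha256(data).hexdigest())


def verify(data: bytes, record: IntegrityRecord) -> str:
    """Classify a file against its record.

    Returns "intact", "size changed", or "content changed, size unchanged".
    The last case is exactly what a size-only check cannot see.
    """
    digest = hashlib.sha256(data).hexdigest()
    # compare_digest keeps the comparison time independent of where the digests differ
    if hmac.compare_digest(digest, record.sha256):
        return "intact"
    if len(data) != record.size:
        return "size changed"
    return "content changed, size unchanged"


def parity_bit(data: bytes) -> int:
    """Even-parity check bit over the payload: 1 when the number of 1 bits is odd."""
    ones = sum(bin(b).count("1") for b in data)
    return ones & 1


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate line noise by inverting one bit (a constructed fault, not real noise)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def parity_detects(original: bytes, received: bytes) -> bool:
    """True when the receiver's recomputed parity disagrees with the sender's."""
    return parity_bit(original) != parity_bit(received)


# Constructed sample: a payroll record, the kind of information asset the module discusses.
ORIGINAL = b"employee=1042;rate=25.00;hours=40\n"
RECORD = record_integrity(ORIGINAL)

# Same-length tampering: the size check passes, the hash check fails.
TAMPERED = b"employee=1042;rate=95.00;hours=40\n"
# Transmission noise: one flipped bit, then a second flipped bit.
ONE_FLIP = flip_bit(ORIGINAL, 3)
TWO_FLIPS = flip_bit(ONE_FLIP, 11)

if __name__ == "__main__":
    print("original :", verify(ORIGINAL, RECORD))
    print("tampered :", verify(TAMPERED, RECORD))
    print("one flip : parity detects", parity_detects(ORIGINAL, ONE_FLIP),
          "| hash says", verify(ONE_FLIP, RECORD))
    print("two flips: parity detects", parity_detects(ORIGINAL, TWO_FLIPS),
          "| hash says", verify(TWO_FLIPS, RECORD))
```

A single parity bit only detects an odd number of flipped bits, which is why the hash value, not the check bit, is the authoritative integrity test for stored files.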
Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted. Unfortunately, even the routine use of computers can result in unintended changes to files as the equipment degrades, software malfunctions, or other “natural causes” occur.

Unintentional Disclosures

The number of unintentional information releases due to malicious attacks is substantial. Millions of people lose information to hackers and malware-focused attacks annually. However, organizations occasionally lose, misplace, or inadvertently release information in an event not caused by hackers or other electronic attacks. In 2020, Virgin Media, a communications company, left more than 900,000 users’ information unsecured for almost a year after one of its databases was misconfigured by employees. Also in 2020, more than 5.2 million customers of Marriott International were exposed in a data breach resulting from the misuse of two employees’ credentials. This disclosure occurred not two years after Marriott’s reservation database was breached, exposing more than 383 million guests and resulting in the loss of more than five million passport numbers.11 The Georgia Secretary of State gave out more than six million voters’ private information, including Social Security numbers, in a breach that occurred in late 2015. The breach was found to have been caused by an employee who failed to follow established policies and procedures, and resulted in the employee being fired.
While the agency claimed it recovered all copies of the data that were sent to 12 separate organizations, it was still considered a data breach. In January 2008, GE Money, a division of General Electric, revealed that a data backup tape with credit card data from approximately 650,000 customers and more than 150,000 Social Security numbers went missing from a records management company’s storage facility. Approximately 230 retailers were affected when Iron Mountain, Inc., announced it couldn’t find a magnetic tape.12 In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves in 2004. The perpetrators used stolen identities to create ostensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently. The company reported that the criminals opened many accounts and recorded personal information, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks; it was simple fraud. The fraud was feared to have allowed the perpetrators to arrange hundreds of identity thefts. The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001. The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry
analysts noted that it was likely to influence the public debate on privacy legislation. The company claimed the mishap was caused by a programming error that occurred when patients who used a specific drug produced by Lilly signed up for an e-mail service to access company support materials. These are but a few of the multitudes of data breaches that occur regularly in the world, day in and day out. Wikipedia maintains a list of the more well-known breaches at https://en.wikipedia.org/wiki/List_of_data_breaches.

For more details on information losses caused by attacks, visit Wikipedia.org and search on the terms “data breach” and “timeline of computer security hacker history.”

Availability

Availability enables authorized users—people or computer systems—to access information without interference or obstruction and to receive it in the required format. Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron’s identification before the patron has free access to the book stacks. Once authorized patrons have access to the stacks, they expect to find the information they need in a usable format and familiar language. In this case, the information is bound in a book that is written in English.

Accuracy

Information has accuracy when it is free from mistakes or errors and has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider a checking account, for example. You assume that the information in your account is an accurate representation of your finances. Incorrect information in the account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much money from your account, the value of the information is changed.
Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make other mistakes, such as bouncing a check that overdraws your account.

availability: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

accuracy: An attribute of information that describes how data is free of errors and has the value that the user expects.

Authenticity

authenticity: An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.

Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail—you assume you know its origin. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today because the modified field often is the address of the originator. Spoofing the sender’s address can fool e-mail recipients into thinking that the messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have.

Utility

utility: An attribute of information that describes how data has value or usefulness for an end purpose.

The utility of information is its usefulness. In other words, information has value when it can serve a purpose. If information is available but is not in a meaningful format to the end user, it is not useful. For example, U.S. Census data can quickly become overwhelming and difficult for a private citizen to interpret; however, for a politician, the same data reveals information about residents in a district—such as their race, gender, and age. This information can help form a politician’s campaign strategy or shape their policies and opinions on key issues.
Possession

possession: An attribute of information that describes how the data’s ownership or control is legitimate or authorized.

The possession of information is the quality or state of ownership or control. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always lead to a breach of confidentiality. For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups and sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. Because the data is encrypted, neither the former employee nor anyone else can read it without the proper decryption methods; therefore, there is no breach of confidentiality. Today, people who are caught selling company secrets face increasingly stiff fines and a strong likelihood of jail time. Also, companies are growing more reluctant to hire people who have demonstrated dishonesty in their past.

McCumber Cube: A graphical representation of the architectural approach used in computer and information security; commonly shown as a cube composed of 3×3×3 cells, similar to a Rubik’s Cube.
Another example might be that of a ransomware attack in which a hacker encrypts important information and offers to provide the decryption key for a fee. The attack would result in a breach of possession because the owner would no longer have possession of the information.

CNSS Security Model

The definition of information security in this text is based in part on the National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011 (1994). The hosting organization is CNSS, which is responsible for coordinating the evaluation and publication of standards related to the protection of National Security Systems (NSS). CNSS was originally called the National Security Telecommunications and Information Systems Security Committee (NSTISSC) when established in 1990 by National Security Directive (NSD) 42, National Policy for the Security of National Security Telecommunications and Information Systems. The outdated CNSS standards are expected to be replaced by a newer document from the National Institute of Standards and Technology (NIST) called Special Publication (SP) 800-16 Rev. 1 (2014), “A Role-Based Model for Federal Information Technology/Cyber Security Training,” in the near future.

For more information on CNSS and its standards, see www.cnss.gov/CNSS/issuances/Instructions.cfm.

The model, which was created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube.13 As shown in Figure 1-9, the McCumber Cube shows three dimensions. When extrapolated, the three dimensions of each axis become a 3×3×3 cube with 27 cells representing areas that must be addressed to secure today’s information systems. To ensure comprehensive system security, each of the 27 areas must be properly addressed.
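One way to use the cube as a coverage checklist, as an added example that is neither the textbook's nor McCumber's own code: enumerate the 27 cells, map each control in an inventory to the cells it addresses (a policy or training control can cover a whole axis), and list the cells nothing covers. The control inventory is constructed for illustration; its first entry is the host intrusion detection control the module uses for the (integrity, storage, technology) cell.

```python
from itertools import product
from typing import Iterable, List, Set, Tuple

Cell = Tuple[str, str, str]  # (goal, state, measure)

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("policy", "education", "technology")
ANY = "*"  # wildcard: the control applies to every value on that axis


def all_cells() -> Set[Cell]:
    """The 3x3x3 = 27 cells that the model says must each be addressed."""
    return set(product(GOALS, STATES, MEASURES))


def expand(scope: Cell) -> Set[Cell]:
    """Turn one control's scope, possibly wildcarded, into the concrete cells it covers."""
    axes = []
    for value, allowed in zip(scope, (GOALS, STATES, MEASURES)):
        if value == ANY:
            axes.append(allowed)
        elif value in allowed:
            axes.append((value,))
        else:
            raise ValueError(f"{value!r} is not a value on the {allowed} axis")
    return set(product(*axes))


def uncovered_cells(controls: Iterable[Tuple[str, Cell]]) -> Set[Cell]:
    """Cells that no control in the inventory addresses; a non-empty result is a gap."""
    covered: Set[Cell] = set()
    for _name, scope in controls:
        covered |= expand(scope)
    return all_cells() - covered


def controls_for_cell(controls: Iterable[Tuple[str, Cell]], cell: Cell) -> List[str]:
    """Names of the controls that address one cell, for reviewing a single area."""
    return [name for name, scope in controls if cell in expand(scope)]


# Constructed inventory (hypothetical control names).
CONTROLS = [
    ("host intrusion detection on file servers", ("integrity", "storage", "technology")),
    ("full-disk encryption on laptops", ("confidentiality", "storage", "technology")),
    ("TLS on all external connections", ("confidentiality", "transmission", "technology")),
    ("information security policy", (ANY, ANY, "policy")),
    ("annual security awareness course", (ANY, ANY, "education")),
]

if __name__ == "__main__":
    gaps = uncovered_cells(CONTROLS)
    print(f"{len(gaps)} of {len(all_cells())} cells have no control:")
    for cell in sorted(gaps):
        print("  ", cell)
```

With this inventory the policy and education axes are fully covered, and the six remaining gaps are all technology cells, which is the kind of omission a cell-by-cell review is meant to surface.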
For example, the intersection of technology, integrity, and storage requires a set of controls or safeguards that address the need to use technology to protect the integrity of information while in storage. One such control might be a system for detecting host intrusion that protects the integrity of information by alerting security administrators to the potential modification of a critical file. A common omission from such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent modules of this book.

Figure 1-9 The McCumber Cube14: one axis Confidentiality | Integrity | Availability, one axis Storage | Processing | Transmission, and one axis Policy | Education | Technology.

Components Of An Information System

As shown in Figure 1-10, an information system (IS) is much more than computer hardware and software; it includes multiple components, all of which work together to support personal and professional operations. Each of the IS components has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the IS also has its own security requirements.

Software

The software component of an IS includes applications (programs), operating systems, and assorted command utilities.
Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The IT industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls.

Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, costs, and manpower. Information security is all too often implemented as an afterthought rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks.

information system (IS): The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.

Figure 1-10 Components of an information system: people, hardware, software, networks, data, procedures.

Hardware

physical security: The protection of material items, objects, or areas from unauthorized access and misuse.

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted hardware access is possible.

Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a computer as its owner passed it through the conveyor scanning devices. The first perpetrator entered the security area ahead of an unsuspecting target and quickly went through. Then, the second perpetrator waited behind until the target placed the computer on the baggage scanner. As the computer was whisked through, the second perpetrator slipped ahead of the victim and entered the metal detector with a substantial collection of keys, coins, and the like, slowing the detection process and allowing the first perpetrator to grab the computer and disappear in a crowded walkway. While the security response to September 11 did tighten the security process at airports, hardware can still be stolen in offices, coffee houses, restaurants, and other public places. Although laptops and notebook computers might be worth a few thousand dollars, the information stored on them can be worth a great deal more to disreputable organizations and individuals.
Consider that unless plans and procedures are in place to quickly revoke privileges on stolen devices like laptops, tablets, and smartphones, the privileged access that these devices have to cloud-based data stores could be used to steal information that is many times more valuable than the device itself.

Data

Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks. Systems developed in recent years are likely to make use of database management systems. When used properly, they should improve the security of the data and the applications that rely on the data. Unfortunately, many system development projects do not make full use of a database management system’s security capabilities, and in some cases, the database is implemented in ways that make it less secure than traditional file systems. Because data and information exist in physical form in many organizations as paper reports, handwritten notes, and computer printouts, the protection of physical information is as important as the protection of electronic, computer-based information.

As an aside, the terms data and information are used interchangeably today. Information was originally defined as data with meaning, such as a report or statistical analysis. For our purposes, we will use the term information to represent both unprocessed data and actual information.

People

Though often overlooked in computer security considerations, people have always been a threat to information security. Legend has it that around 200 B.C., a great army threatened the security and stability of the Chinese empire. So ferocious were the Hun invaders that the Chinese emperor commanded the construction of a great wall that would defend against them. Around 1275 A.D., Kublai Khan finally achieved what the Huns had been trying for more than a thousand years.
Initially, the Khan’s army tried to climb over, dig under, and break through the wall. In the end, the Khan simply bribed the gatekeeper—and the rest is history. Whether this event actually occurred or not, the timeless moral to the story is that people can be the weakest link in an organization’s information security program. Unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate people to obtain access information about a system. This topic is discussed in more detail in Module 2.

Procedures

Procedures are another frequently overlooked component of an IS. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization’s procedures, it poses a threat to the integrity of the information. For example, a consultant to a bank learned how to wire funds by using the computer center’s procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), the bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of more than $10 million before the situation was corrected.
Most organizations distribute procedures to employees so they can access the information system, but many of these companies often fail to provide proper education for using the procedures safely. Educating employees about safeguarding procedures is as important as physically securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of an organization on a need-to-know basis.

Networks

Networking is the IS component that moves data and information between the components of the information system and has created much of the need for increased computer and information security. Prior to networking, physical security was the dominant focus when protecting information. When information systems are connected to each other to form LANs, and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. Networking technology is accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to the system’s hardware components is still important. However, when computer systems are networked, this approach is no longer enough. Steps to provide network security such as installing and configuring firewalls are essential, as is implementing intrusion detection systems to make system owners aware of ongoing compromises.

The definition of what an information system is and the roles that it plays have been getting some attention in industry and academia. As information systems have become the core elements of most organizations’ ongoing operations, do they still need to be considered anything other than the way companies do all of their business?
For another view of what makes an information system, and to better understand how we might approach improving its security, you can read this article at Techopedia: www.techopedia.com/definition/24142/information-system-is.

Security And The Organization

Security has to begin somewhere in the organization, and it takes a wide range of professionals to support a diverse information security program. The following sections discuss the development of security as a program and then describe typical information security responsibilities of various professional roles in an organization.

Balancing Information Security and Access

Even with the best planning and implementation, it is impossible to obtain perfect information security. Information security cannot be absolute: It is a process, not a goal. You can make a system available to anyone, anywhere, anytime, through any means. However, such unrestricted access poses a danger to the security of the information. On the other hand, a completely secure information system would not allow anyone access. To achieve balance—that is, to operate an information system that satisfies users and security professionals—the security level must allow reasonable access yet protect against threats. Figure 1-11 shows some of the competing voices that must be considered when balancing information security and access.

Because of today’s security concerns and issues, an information system or data processing department can get too entrenched in the management and protection of systems. An imbalance can occur when the needs of the end user are undermined by obsessive focus on protecting and administering the information systems. Information security technologists and end users must recognize that both groups share the same overall goals of the organization—to ensure that data is available when, where, and how it is needed, with minimal delays or obstacles.
In an ideal world, this level of availability can be met even after addressing concerns about loss, damage, interception, or destruction.

[Figure 1-11 (image not reproduced): competing voices in balancing information security and access. User 1: "Encrypting e-mail is a hassle." CISO: "Encryption is needed to protect secrets of the organization."]