Module 2: The Need for Information Security PDF
This module explores the critical need for information security within organizations, emphasizing the shared responsibility among management, IT, and security teams. It discusses the importance of protecting information assets, including data and systems, and ensuring business functionality. Key topics include common threats, program development, and the balance between security and business needs. © 2022 Cengage Learning.
Full Transcript
MODULE 2
The Need for Information Security

Upon completion of this material, you should be able to:
1. Discuss the need for information security
2. Explain why a successful information security program is the shared responsibility of the entire organization
3. List and describe the threats posed to information security and common attacks associated with those threats
4. List the common information security issues that result from poor software development efforts

“Our bad neighbor makes us early stirrers, which is both healthful and good husbandry.”
—William Shakespeare, King Henry, in Henry V, Act 4, Scene 1

Opening Scenario

Fred Chin, CEO of Sequential Label and Supply (SLS), leaned back in his leather chair and propped his feet up on the long mahogany table in the conference room where the SLS Board of Directors had just adjourned from their quarterly meeting. “What do you think about our computer security problem?” he asked Gladys Williams, the company’s chief information officer (CIO). He was referring to the outbreak of a malicious worm on the company’s computer network the previous month.

Gladys replied, “I think we have a real problem, and we need to put together a real solution. We can’t sidestep this with a quick patch like last time.” Six months ago, most of the systems on the company network had been infected with a virus program that came from an employee’s personal USB drive. To prevent this from happening again, all users in the company were now prohibited from using personal devices on corporate systems and networks.

Fred wasn’t convinced. “Can’t we just allocate additional funds to the next training budget?”

Gladys shook her head. “You’ve known for some time now that this business runs on technology. That’s why you hired me as CIO. I’ve seen this same problem at other companies, and I’ve been looking into our information security issues. My staff and I have some ideas to discuss with you. I’ve asked Charlie Moody to come in today to talk about it. He’s waiting to speak with us.”

When Charlie joined the meeting, Fred said, “Hello, Charlie. As you know, the Board of Directors met today. They received a report on the costs and lost production from the malware outbreak last month, and they directed us to improve the security of our technology. Gladys says you can help me understand what we need to do about it.”

“To start with,” Charlie said, “instead of simply ramping up our antivirus solution or throwing resources at an endpoint protection product, we need to start by developing a formal information security program. We need a thorough review of our policies and practices, and we need to establish an ongoing risk management program. Then we can explore the technical options we have. There are some other things that are part of the process as well, but this is where I think we should start.”

Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

“Sounds like it is going to be complicated … and expensive,” said Fred.

Charlie looked at Gladys and then answered, “Well, there will probably be some extra expenses for specialized hardware and software, and we may have to slow down some of our product development projects a bit, but this approach will call more for a change in our attitude about security than just a spending spree. I don’t have accurate estimates yet, but you can be sure we’ll put cost-benefit worksheets in front of you before we commit any funds.”

Fred thought about this for a few seconds. “Okay. What’s our next step?”

Gladys answered, “First, we need to initiate a project plan to develop our new information security program. We’ll use our usual systems development and project management approach. There are a few differences, but we can easily adapt our current models. We’ll need to reassign a few administrators to help Charlie with the new program. We’d also like a formal statement to the entire company identifying Charlie as our new chief information security officer and asking all of the department heads to cooperate with his new information security initiatives.”

“Information security? What about computer security?” asked Fred.

Charlie responded, “Information security includes computer security, plus all the other things we use to do business: securing our information, networks, operations, communications, personnel, and intellectual property. Even our paper records need to be factored in.”

“I see,” Fred said. “Okay, Mr. Chief Information Security Officer.” Fred held out his hand for a congratulatory handshake. “Bring me the draft project plan and budget in two weeks. The audit committee of the Board meets in four weeks, and we’ll need to report our progress then.”

Introduction to the Need for Information Security

Unlike any other business or information technology program, the primary mission of an information security program is to ensure that information assets—information and the systems that house them—are protected and thus remain safe and useful. Organizations expend a lot of money and thousands of hours to maintain their information assets. If threats to these assets didn’t exist, those resources could be used exclusively to improve the systems that contain, use, and transmit the information. However, the threat of attacks on information assets is a constant concern, and the need for information security grows along with the sophistication of the attacks. While some organizations lump both information and systems under their definition of an information asset, others prefer to separate the true information-based assets (data, databases, data sets, and the applications that use data) from their media—the technologies that access, house, and carry the information. For our purposes, we will include both data and systems assets in our use of the term. Similarly, we’ll use the term information to describe both data and information, as for most organizations the terms can be used interchangeably.

Organizations must understand the environment in which information assets reside so their information security programs can address actual and potential problems. This module describes the environment and identifies the threats to it, the organization, and its information.

Information security performs four important functions for an organization:
- Protecting the organization’s ability to function
- Protecting the data and information the organization collects and uses, whether physical or electronic
- Enabling the safe operation of applications running on the organization’s IT systems
- Safeguarding the organization’s technology assets

Key terms
information assets: The focus of information security; information that has value to the organization and the systems that store, process, and transmit the information.
media: As a subset of information assets, the systems, technologies, and networks that store, process, and transmit information.
data: Items of fact collected by an organization; includes raw numbers, facts, and words.
information: Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
Business Needs First

There is a long-standing saying in information security: When security needs and business needs collide, business wins. Without the underlying business to generate revenue and use the information, the information may lose value, and there would be no need for it. If the business cannot function, information security becomes less important. The key is to balance the needs of the organization with the need to protect information assets, realizing that business needs come first. This is not to say that information security should be casually ignored whenever there is a conflict, but to stress that decisions associated with the degree to which information assets are protected should be made carefully, considering both the business need to use the information and the need to protect it.

Protecting Functionality

The three communities of interest defined in Module 1—general management, IT management, and information security management—are each responsible for facilitating the information security program that protects the organization’s ability to function. Although many business and government managers shy away from addressing information security because they perceive it to be a technically complex task, implementing information security has more to do with management than technology. Just as managing payroll involves management more than mathematical wage computations, managing information security has more to do with risk management, policy, and its enforcement than the technology of its implementation. As the noted information security author Charles Cresson Wood writes:

“In fact, a lot of [information security] is good management for information technology. Many people think that a solution to a technology problem is more technology. Well, not necessarily. … So a lot of my work, out of necessity, has been trying to get my clients to pay more attention to information security as a management issue in addition to a technical issue, information security as a people issue in addition to the technical issue.”1

Each of an organization’s communities of interest must address information security in terms of business impact and the cost of business interruption rather than isolating security as a technical problem.

Protecting Data That Organizations Collect and Use

Without data, an organization loses its record of transactions and its ability to deliver value to customers. Any business, educational institution, or government agency that operates within the modern context of connected and responsive services relies on information systems. Even when transactions are not online, information systems and the data they process enable the creation and movement of goods and services. Therefore, protecting data in transmission, in processing, and at rest (storage) is a critical aspect of information security. The value of data motivates attackers to steal, sabotage, or corrupt it. An effective information security program implemented by management protects the integrity and value of the organization’s data.

Organizations store much of the data they deem critical in databases, managed by specialized software known as a database management system (DBMS). Database security is accomplished by applying a broad range of control approaches common to many areas of information security. Securing databases encompasses most of the topics covered in this textbook, including managerial, technical, and physical controls. Managerial controls include policy, procedure, and governance.
Technical controls used to secure databases rely on knowledge of access control, authentication, auditing, application security, backup and recovery, encryption, and integrity controls. Physical controls include the use of data centers with locking doors, fire suppression systems, video monitoring, and physical security guards. The fundamental practices of information security have broad applicability in database security. One indicator of this strong degree of overlap is that the International Information System Security Certification Consortium (ISC)², the organization that evaluates candidates for many prestigious information security certification programs, allows experience as a database administrator to count toward the experience requirement for the Certified Information Systems Security Professional (CISSP).

Key terms
database: A collection of related data stored in a structured form and usually managed by specialized systems.
database security: A subset of information security that focuses on the assessment and protection of information stored in data repositories.

Enabling the Safe Operation of Applications

Today’s organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications. A modern organization needs to create an environment that safeguards these applications, particularly those that are important elements of the organization’s infrastructure—operating system platforms, certain operational applications, electronic mail (e-mail), and instant messaging (IM) applications, like text messaging (short message service, or SMS). Organizations acquire these elements from a service provider, or they implement their own. Once an organization’s infrastructure is in place, management must continue to oversee it and not relegate its management to the IT department.

Safeguarding Technology Assets in Organizations

To perform effectively, organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise. For instance, a small business may get by in its start-up phase using a small-scale firewall, such as a small office/home office (SOHO) device. In general, as an organization grows to accommodate changing needs, more robust technology solutions should replace security technologies the organization has outgrown. An example of a robust solution is a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities. Modules 8 through 10 describe these technologies in more detail.

Information technology continues to add new capabilities and methods that allow organizations to solve business information management challenges. In recent years, we have seen the emergence of the Internet and the Web as new markets. Cloud-based services, which have created new ways to deliver IT services, have also brought new risks to organizational information, additional concerns about the ways these assets can be threatened, and concern for how they must be defended.
Information Security Threats and Attacks

Around 500 B.C., the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise that emphasizes the importance of knowing yourself as well as the threats you face.2 To protect your organization’s information, you must (1) know yourself—that is, be familiar with the information to be protected and the systems that store, transport, and process it—and (2) know your enemy; in other words, the threats you face. To make sound decisions about information security, management must be informed about the various threats to an organization’s people, applications, data, and information systems.

As discussed in Module 1, a threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss. Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of vulnerabilities where controls are not present or no longer effective. Unlike threats, which are always present, attacks exist only when a specific act may cause a loss. For example, the threat of damage from a thunderstorm is present throughout the summer in many places, but an attack and its associated risk of loss exist only for the duration of an actual thunderstorm. The following sections discuss each of the major types of threats and corresponding attacks facing modern information assets.

Note: For more information on The Art of War, check out MIT’s Classics page at http://classics.mit.edu/Tzu/artwar.html.

To investigate the wide range of threats that pervade the interconnected world, many researchers have collected information on threats and attacks from practicing information security personnel and their organizations. While the categorizations may vary, threats are relatively well researched and understood.
4.8 Billion Potential Hackers

There is wide agreement that the threat from external sources increases when an organization connects to the Internet. The number of Internet users continues to grow; about 62 percent of the world’s almost 7.8 billion people—that is, more than 4.8 billion people—have some form of Internet access, a dramatic increase over the 49.2 percent reported as recently as 2015. Table 2-1 shows Internet usage by continent. Since the time this data was collected in mid-2020, the world population has continued to grow, with an expected increase in Internet usage. Therefore, a typical organization with an online connection to its systems and information faces an ever-increasing pool of potential hackers.

Key terms
exploit: A technique used to compromise a system; may also describe the tool, program, or script used in the compromise.

Table 2-1 World Internet Usage3

World Regions | Population (2020 Est.) | Population % of World | Internet Users (6/30/2020) | Penetration Rate (% Pop.) | Growth 2000–2020 | Internet World %
Africa | 1,340,598,447 | 17.2% | 566,138,772 | 42.2% | 12,441% | 11.7%
Asia | 4,294,516,659 | 55.1% | 2,525,033,874 | 58.8% | 2,109% | 52.2%
Europe | 834,995,197 | 10.7% | 727,848,547 | 87.2% | 592% | 15.1%
Latin America/Caribbean | 654,287,232 | 8.4% | 467,817,332 | 71.5% | 2,489% | 9.7%
Middle East | 260,991,690 | 3.3% | 184,856,813 | 70.8% | 5,527% | 3.8%
North America | 368,869,647 | 4.7% | 332,908,868 | 90.3% | 208% | 6.9%
Oceania/Australia | 42,690,838 | 0.5% | 28,917,600 | 67.7% | 279% | 0.6%
WORLD TOTAL | 7,796,949,710 | 100.0% | 4,833,521,806 | 62.0% | 1,239% | 100.0%

Notes: Internet usage and world population estimates are as of July 20, 2020.

Other Studies of Threats

Several studies in recent years have examined the threats and attacks to information security. One of the most recent studies, conducted in 2015, found that 67.1 percent of responding organizations suffered malware infections. More than 98 percent of responding organizations identified malware attacks as a threat, with 58.7 percent indicating they were a significant or severe threat. Malware was identified as the second-highest threat source behind electronic phishing/spoofing.4

Table 2-2 shows these and other threats from internal stakeholders. Table 2-3 shows threats from external stakeholders. Table 2-4 shows general threats to information assets.

Table 2-2 Rated Threats from Internal Sources in 2015 SEC/CISE Survey of Threats to Information Protection5

Threat from Employees or Internal Stakeholders | Not a Threat (1) | 2 | 3 | 4 | Severe Threat (5) | Comp. Rank
Inability/unwillingness to follow established policy | 6.6% | 17.2% | 33.6% | 26.2% | 16.4% | 66%
Disclosure due to insufficient training | 8.1% | 23.6% | 29.3% | 25.2% | 13.8% | 63%
Unauthorized access or escalation of privileges | 4.8% | 24.0% | 31.2% | 31.2% | 8.8% | 63%
Unauthorized information collection/data sniffing | 6.4% | 26.4% | 40.0% | 17.6% | 9.6% | 60%
Theft of on-site organizational information assets | 10.6% | 32.5% | 34.1% | 12.2% | 10.6% | 56%
Theft of mobile/laptop/tablet and related/connected information assets | 15.4% | 29.3% | 28.5% | 17.9% | 8.9% | 55%
Intentional damage or destruction of information assets | 22.3% | 43.0% | 18.2% | 13.2% | 3.3% | 46%
Theft or misuse of organizationally leased, purchased, or developed software | 29.6% | 33.6% | 21.6% | 10.4% | 4.8% | 45%
Web site defacement | 43.4% | 33.6% | 16.4% | 4.9% | 1.6% | 38%
Blackmail of information release or sales | 43.5% | 37.1% | 10.5% | 6.5% | 2.4% | 37%

Table 2-3 Rated Threats from External Sources in 2015 SEC/CISE Survey of Threats to Information Protection6

Threat from Outsiders or External Stakeholders | Not a Threat (1) | 2 | 3 | 4 | Severe Threat (5) | Comp. Rank
Unauthorized information collection/data sniffing | 6.4% | 14.4% | 21.6% | 32.8% | 24.8% | 71%
Unauthorized access or escalation of privileges | 7.4% | 14.0% | 26.4% | 31.4% | 20.7% | 69%
Web site defacement | 8.9% | 23.6% | 22.8% | 26.8% | 17.9% | 64%
Intentional damage or destruction of information assets | 14.0% | 32.2% | 18.2% | 24.8% | 10.7% | 57%
Theft of mobile/laptop/tablet and related/connected information assets | 20.5% | 25.4% | 26.2% | 15.6% | 12.3% | 55%
Theft of on-site organizational information assets | 21.1% | 24.4% | 25.2% | 17.9% | 11.4% | 55%
Blackmail of information release or sales | 31.1% | 30.3% | 14.8% | 14.8% | 9.0% | 48%
Disclosure due to insufficient training | 34.5% | 21.8% | 22.7% | 13.4% | 7.6% | 48%
Inability/unwillingness to follow established policy | 33.6% | 29.4% | 18.5% | 6.7% | 11.8% | 47%
Theft or misuse of organizationally leased, purchased, or developed software | 31.7% | 30.1% | 22.8% | 9.8% | 5.7% | 46%

Table 2-4 Perceived Threats to Information Assets in 2015 SEC/CISE Survey of Threats to Information Protection7

General Threats to Information Assets | Not a Threat (1) | 2 | 3 | 4 | Severe Threat (5) | Comp. Rank
Electronic phishing/spoofing attacks | 0.8% | 13.1% | 16.4% | 32.0% | 37.7% | 79%
Malware attacks | 1.7% | 12.4% | 27.3% | 36.4% | 22.3% | 73%
Unintentional employee/insider mistakes | 2.4% | 17.1% | 26.8% | 35.8% | 17.9% | 70%
Loss of trust due to information loss | 4.1% | 18.9% | 27.0% | 22.1% | 27.9% | 70%
Software failures or errors due to unknown vulnerabilities in externally acquired software | 5.6% | 18.5% | 28.2% | 33.9% | 13.7% | 66%
Social engineering of employees/insiders based on social media information | 8.1% | 14.6% | 32.5% | 34.1% | 10.6% | 65%
Social engineering of employees/insiders based on other published information | 8.9% | 19.5% | 24.4% | 32.5% | 14.6% | 65%
Software failures or errors due to poorly developed, internally created applications | 7.2% | 21.6% | 24.0% | 32.0% | 15.2% | 65%
SQL injections | 7.6% | 17.6% | 31.9% | 29.4% | 13.4% | 65%
Social engineering of employees/insiders based on organization’s Web sites | 11.4% | 19.5% | 23.6% | 31.7% | 13.8% | 63%
Denial of service (and distributed DoS) attacks | 8.2% | 23.0% | 27.9% | 32.8% | 8.2% | 62%
Software failures or errors due to known vulnerabilities in externally acquired software | 8.9% | 23.6% | 26.8% | 35.8% | 4.9% | 61%
Outdated organizational software | 8.1% | 28.2% | 26.6% | 26.6% | 10.5% | 61%
Loss of trust due to representation as source of phishing/spoofing attack | 9.8% | 23.8% | 30.3% | 23.0% | 13.1% | 61%
Loss of trust due to Web defacement | 12.4% | 30.6% | 31.4% | 19.8% | 5.8% | 55%
Outdated organizational hardware | 17.2% | 34.4% | 32.8% | 12.3% | 3.3% | 50%
Outdated organization data format | 18.7% | 35.8% | 26.8% | 13.8% | 4.9% | 50%
Inability/unwillingness to establish effective policy by management | 30.4% | 26.4% | 24.0% | 13.6% | 5.6% | 48%
Hardware failures or errors due to aging equipment | 19.5% | 39.8% | 24.4% | 14.6% | 1.6% | 48%
Hardware failures or errors due to defective equipment | 17.9% | 48.0% | 24.4% | 8.1% | 1.6% | 46%
Deviations in quality of service from other provider | 25.2% | 38.7% | 25.2% | 7.6% | 3.4% | 45%
Deviations in quality of service from data communications provider/ISP | 26.4% | 39.7% | 23.1% | 7.4% | 3.3% | 44%
Deviations in quality of service from telecommunications provider/ISP (if different from data provider) | 29.9% | 38.5% | 18.8% | 9.4% | 3.4% | 44%
Loss due to other natural disaster | 31.0% | 37.9% | 23.3% | 6.9% | 0.9% | 42%
Loss due to fire | 26.2% | 49.2% | 21.3% | 3.3% | 0.0% | 40%
Deviations in quality of service from power provider | 36.1% | 43.4% | 12.3% | 5.7% | 2.5% | 39%
Loss due to flood | 33.9% | 43.8% | 19.8% | 1.7% | 0.8% | 38%
Loss due to earthquake | 41.7% | 35.8% | 15.0% | 6.7% | 0.8% | 38%

Common Attack Pattern Enumeration and Classification (CAPEC)

A tool that security professionals can use to understand attacks is the Common Attack Pattern Enumeration and Classification (CAPEC) Web site hosted by Mitre—a nonprofit research and development organization sponsored by the U.S. government. This online repository can be searched for characteristics of a particular attack or simply browsed by professionals who want additional knowledge of how attacks occur procedurally.

Note: For more information on CAPEC, visit http://capec.mitre.org, where contents can be downloaded or viewed online.

The 12 Categories of Threats

The scheme shown in Table 2-5 consists of 12 general categories of threats that represent a clear and present danger to an organization’s people, information, and systems. Each organization must prioritize the threats it faces based on the particular security situation in which it operates, its organizational strategy regarding risk, and the exposure levels of its assets. Module 4 covers these topics in more detail. You may notice that many of the attack examples in Table 2-5 could be listed in more than one category.
For example, an attack performed by a hacker to steal customer data falls into the category of “theft,” but it can also be preceded by “espionage or trespass,” as the hacker illegally accesses the information. The theft may also be accompanied by Web site defacement actions to delay discovery, qualifying it for the category of “sabotage or vandalism.” As mentioned in Module 1, these are technically threat sources, but for simplicity’s sake, they are described here as threats.

Table 2-5 The 12 Categories of Threats to Information Security8

Category of Threat | Attack Examples
Compromises to intellectual property | Piracy, copyright infringement
Deviations in quality of service | Internet service provider (ISP), power, or WAN service problems
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, floods, earthquakes, lightning
Human error or failure | Accidents, employee mistakes
Information extortion | Blackmail, information disclosure
Sabotage or vandalism | Destruction of systems or information
Software attacks | Viruses, worms, macros, denial of service
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information

Compromises to Intellectual Property

Many organizations create or support the development of intellectual property (IP) as part of their business operations. (You will learn more about IP in Module 6.) IP includes trade secrets, copyrights, trademarks, and patents. IP is protected by copyright law and other laws, carries the expectation of proper attribution or credit to its source, and potentially requires the acquisition of permission for its use, as specified in those laws. For example, use of some IP may require specific payments or royalties before a song can be used in a movie or before the distribution of a photo in a publication.

The unauthorized appropriation of IP constitutes a threat to information security—for example, when employees take an idea they developed at work and use it to make money for themselves. Employees may have access privileges to a variety of IP, including purchased and developed software and organizational information, as many employees typically need to use IP to conduct day-to-day business.

Key terms
intellectual property (IP): Original ideas and inventions created, owned, and controlled by a particular person or organization; IP includes the representation of original ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.

Software Piracy

Organizations often purchase or lease the IP of other organizations and must abide by a purchase or licensing agreement for its fair and responsible use. The most common IP breach is software piracy. Because most software is licensed to an individual user, its use is restricted to a single installation or to a designated user in an organization. If a user copies the program to another computer without securing another license or transferring the license, the user has violated the copyright. The nearby feature describes a classic case of this type of copyright violation. While you may note that the example is from 1997, which seems a long time ago, it illustrates that the issue remains significant today.
Software licenses are strictly enforced by regulatory and private organizations, and software publishers use several control mechanisms to prevent copyright infringement. In addition to laws against software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA) at www.siia.net, formerly known as the Software Publishers Association, and the Business Software Alliance (BSA) at www.bsa.org. BSA estimates that approximately 37 percent of software installed on personal computers globally, as reported in the 2018 findings, was not properly licensed. This number is only slightly lower than the 39 percent reported in the 2016 BSA global study; however, the majority of countries in the study indicate unlicensed rates in excess of 50 percent. Furthermore, BSA estimates an increased risk of malware for systems using unlicensed software. [9] Figure 2-1 shows the BSA’s software piracy reporting Web site.

Figure 2-1  BSA’s software piracy reporting Web site (Source: Business Software Alliance. Used with permission.)

Copyright Protection and User Registration

A number of technical mechanisms—digital watermarks, embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to enforce copyright laws. The most common tool is a unique software registration code in combination with an end-user license agreement (EULA) that usually pops up during the installation of new software, requiring users to indicate that they have read and agree to conditions of the software’s use. Figure 2-2 shows a license agreement from Microsoft for an Office 365 subscription. [10]

Figure 2-2  Microsoft Office software license terms (Source: Microsoft. Used with permission.)

Another effort to combat piracy is online registration. Users who install software are often asked or even required to register their software to complete the installation, obtain technical support, or gain the use of all features. Some users believe that this process compromises personal privacy because they never know exactly what information is obtained from their computers and sent to the software manufacturer. Figure 2-3 shows an example of online software registration from the Steam game client. Steam requires the user to create an account and log in to it before registering software.

Intellectual property losses may result from the successful exploitation of vulnerabilities in asset protection controls. Many of the threats against these controls are described in this module.

Figure 2-3  Steam subscriber agreement and product registration (Source: Steam Online. Used with permission.)

Violating Software Licenses
Adapted from “Bootlegged Software Could Cost Community College” [11]
By Natalie Patton, Las Vegas Review Journal, September 18, 1997

Ever heard of the software police?
The Washington-based Software Publishers Association (SPA) copyright watchdogs were tipped off that a community college in Las Vegas, Nevada, was using copyrighted software in violation of the software licenses. The SPA spent months investigating the report. Academic Affairs Vice President Robert Silverman said the college was prepared to pay some license violation fines, but was unable to estimate the total amount of the fines. The college cut back on new faculty hires and set aside more than $1.3 million in anticipation of the total cost. The audit was intensive, and it examined every computer on campus, including faculty machines, lab machines, and the college president’s computer. Peter Beruk, SPA’s director of domestic antipiracy cases, said the decision to audit a reported violation is only made when there is overwhelming evidence to win a lawsuit, as the SPA has no policing authority and can only bring civil actions. Most investigated organizations settle out of court and agree to pay the fines to avoid costly court battles. The process begins with an anonymous tip, usually from someone inside the organization. Of the hundreds of tips the SPA receives each week, only a handful are selected for on-site visits. If the audited organizations have license violations, they are required to destroy illegal software copies, repurchase software they want to keep (at double the retail price), and pay the proper licensing fees for the software they used illegally. In this case, the community college president suggested the blame for the college’s violations belonged to faculty and students who may have downloaded illegal copies of software from the Internet or installed software on campus computers without permission. Some of the faculty suspected that the problem lay with the qualifications and credibility of the campus technology staff. The president promised to put additional staff and rules in place to prevent future license violations. 
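The audit in the feature above did, by hand, what a license-compliance check does in software: walk every machine and compare what is installed with what was purchased. The following is an added example of such a reconciliation; it is not code from the textbook or from the SPA, and the inventory records, product names, and entitlements in it are constructed sample data. It counts usage by the metric the license actually uses (distinct devices for per-installation licenses, distinct named users for per-user licenses) and flags every product whose usage exceeds the seats on record, including products with no entitlement at all.

```python
"""Reconcile installed software against purchased license seats.

Added example, not part of the textbook or the SPA audit it describes. The
inventory and entitlement records below are constructed sample data; a real
audit would take the inventory from an asset-management agent.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    seats: int    # installations (device metric) or named users (user metric) purchased
    metric: str   # "device" or "user"


# Constructed inventory: (hostname, login user, product) for each installation found
INVENTORY = [
    ("lab-01", "jdoe", "StatPack"),
    ("lab-02", "jdoe", "StatPack"),
    ("lab-03", "asmith", "StatPack"),
    ("lab-01", "jdoe", "DrawIt"),
    ("fac-07", "rsilver", "DrawIt"),
    ("fac-07", "rsilver", "Office Suite"),
    ("fac-08", "bchen", "Office Suite"),
    ("pres-01", "pres", "Office Suite"),
    ("lab-02", "jdoe", "PhotoFix"),   # no entitlement on record at all
]

# Constructed entitlements: what the purchasing records say was bought
ENTITLEMENTS = [
    Entitlement("StatPack", seats=2, metric="device"),
    Entitlement("DrawIt", seats=1, metric="user"),
    Entitlement("Office Suite", seats=3, metric="device"),
]


def count_usage(inventory):
    """Distinct devices and distinct users per product (duplicate reports collapse)."""
    devices, users = defaultdict(set), defaultdict(set)
    for host, user, product in inventory:
        devices[product].add(host)
        users[product].add(user)
    return devices, users


def reconcile(inventory, entitlements):
    """Map each product to its usage, its licensed seats, and any shortfall.

    A product found in inventory with no entitlement is reported with zero
    licensed seats, so every one of its installations counts as a shortfall.
    """
    devices, users = count_usage(inventory)
    by_product = {e.product: e for e in entitlements}
    report = {}
    for product in sorted(set(devices) | set(by_product)):
        ent = by_product.get(product)
        metric = ent.metric if ent else "device"
        licensed = ent.seats if ent else 0
        used = len(devices[product]) if metric == "device" else len(users[product])
        report[product] = {
            "metric": metric,
            "used": used,
            "licensed": licensed,
            "shortfall": max(0, used - licensed),
        }
    return report


def violations(report):
    """Products whose usage exceeds purchased seats, sorted by name."""
    return sorted(p for p, r in report.items() if r["shortfall"] > 0)


if __name__ == "__main__":
    rep = reconcile(INVENTORY, ENTITLEMENTS)
    for product, r in rep.items():
        print(f"{product:<13} {r['metric']:<7} used={r['used']} "
              f"licensed={r['licensed']} shortfall={r['shortfall']}")
    print("over-deployed:", violations(rep))
```

The choice of metric matters: DrawIt is installed on only two machines, but because it is licensed per user and two different people use it, it is still over-deployed by one seat, which is exactly the kind of finding that an audit like the one above turns into a fine.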
Deviations in Quality of Service

An organization’s information system depends on the successful operation of many interdependent support systems, including power grids, data and telecommunications networks, parts suppliers, service vendors, and even janitorial staff and garbage haulers. Any of these support systems can be interrupted by severe weather, intentional or accidental employee actions, or other unforeseen events. Deviations in quality of service can result from such accidents as a backhoe taking out the organization’s Internet connection or phone lines. The backup provider may be online and in service but may be able to supply only a fraction of the bandwidth the organization needs for full service. This degradation of service is a form of availability disruption. Irregularities in Internet service, communications, and power supplies can dramatically affect the availability of information and systems.

  availability disruption: An interruption or disruption in service, usually from a service provider, which causes an adverse event within an organization.

Internet Service Issues

In organizations that rely heavily on the Internet and the World Wide Web to support continued operations, ISP failures can considerably undermine the availability of information. Many organizations have sales staff and telecommuters working at remote locations. When these off-site employees cannot contact the host systems, they must use manual procedures to continue operations. The U.S. government’s Federal Communications Commission (FCC) maintains a Network Outage Reporting System (NORS), which, according to FCC regulation 47 C.F.R. Part 4, requires communications providers to report outages that disrupt communications at certain facilities, like emergency services and airports.

When an organization places its Web servers in the care of a Web hosting provider, that provider assumes responsibility for all Internet services and for the hardware and operating system software used to operate the Web site. These Web hosting services are usually arranged with a service level agreement (SLA). When a service provider fails to meet the terms of the SLA, the provider may accrue fines to cover losses incurred by the client, but these payments seldom cover the losses generated by the outage. Vendors may promote high availability or uptime (or low downtime), but Figure 2-4 shows that even an availability that seems acceptably high can cost the average organization a great deal. In August 2013, for example, the Amazon.com Web site went down for 30 to 40 minutes, costing the company between $3 million and $4 million. Another widely reported disruption was the Mirai botnet event in 2016, a massive attack that disrupted Internet access in parts of Europe and the United States.

  service level agreement (SLA): A document or part of a document that specifies the expected level of service from a service provider, including provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
  uptime: The percentage of time a particular service is available.
  downtime: The percentage of time a particular service is not available.

Note: If you suspect that a widely used Internet service is down, you can check its status at https://downdetector.com/.
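The relationship between an advertised availability percentage, the hours of downtime it permits, and the resulting cost is simple arithmetic, but it is worth seeing carried through. The block below is an added example, not from the textbook or from Fusion Connect. It uses the two hourly cost figures cited for Figure 2-4 ($12,500 per hour for SMBs and $212,100 per hour for all businesses) as inputs; the 8,760-hour year and the SLA credit amount are assumptions for illustration, so the hour values it computes follow the plain formula and will not match Fusion Connect’s published rows one for one. The last function makes the text’s point about SLA penalties concrete: the credit is subtracted from the loss, and what remains is what the organization still pays.

```python
"""Expected downtime and its cost from an SLA availability figure.

Added worked example (not from the textbook). The hourly costs in the sample
run are the Fusion Connect averages cited for Figure 2-4; the year length and
the SLA credit value are assumptions for illustration.
"""

HOURS_PER_YEAR = 24 * 365  # assumption: a 365-day year, 8,760 hours


def downtime_hours(availability_pct, period_hours=HOURS_PER_YEAR):
    """Hours the service is expected to be unavailable over the period.

    availability_pct is the promised uptime, e.g. 99.9 for "three nines".
    """
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage from 0 to 100")
    return (100.0 - availability_pct) / 100.0 * period_hours


def downtime_cost(availability_pct, cost_per_hour, period_hours=HOURS_PER_YEAR):
    """Expected loss over the period for a given availability and hourly outage cost."""
    return downtime_hours(availability_pct, period_hours) * cost_per_hour


def downtime_table(availabilities, hourly_costs, period_hours=HOURS_PER_YEAR):
    """Rows of (availability, hours down rounded to 0.01, [cost at each hourly rate])."""
    rows = []
    for pct in availabilities:
        hours = downtime_hours(pct, period_hours)
        rows.append((pct, round(hours, 2), [round(hours * c) for c in hourly_costs]))
    return rows


def uncovered_loss(outage_hours, cost_per_hour, sla_credit):
    """Loss that remains after the provider's SLA credit is applied.

    Illustrates the text's point that SLA penalties seldom cover the loss
    generated by an outage. Never negative: a credit larger than the loss
    simply zeroes it out.
    """
    return max(0.0, outage_hours * cost_per_hour - sla_credit)


if __name__ == "__main__":
    SMB_RATE, ALL_BUSINESS_RATE = 12_500, 212_100  # $/hour, from Figure 2-4
    nines = [99.5, 99.9, 99.95, 99.99, 99.999]
    for pct, hours, costs in downtime_table(nines, [SMB_RATE, ALL_BUSINESS_RATE]):
        print(f"{pct:>7}%  {hours:>7.2f} h  ${costs[0]:>10,}  ${costs[1]:>12,}")
    # Assumed SLA credit of $5,000 against a four-hour outage at the SMB rate
    print("uncovered loss:", uncovered_loss(4, SMB_RATE, 5_000))
```

Each additional nine divides the permitted downtime by ten, so moving from 99.9 to 99.99 percent is worth far more than the 0.09 percentage points suggest; conversely, a contract that promises “99.5 percent” is quietly allowing nearly two full days of outage a year.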
Figure 2-4  Average cost of downtime according to Fusion Connect [12] (Source: Fusion Connect. Used with permission.) The figure’s bar chart, “What are the top causes of downtime?”, ranks causes from 40 percent down to 1 percent; the cause labels are not recoverable from this copy. Its table, “Breakdown of downtime,” is reproduced below.

Availability   Hours unavailable   At $12,500 per hour of downtime (avg. cost for SMBs)   At $212,100 per hour of downtime (avg. cost for all businesses)
99.5%          43.92               $549,000                                                 $9,315,432
99.9%          8.76                $109,500                                                 $1,857,996
99.95%         4.38                $54,750                                                  $928,998
99.99%         0.53                $10,950                                                  $185,800
99.999%        0.05                $1,096                                                   $18,594

Communications and Other Service Provider Issues

Other utility services can affect organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function. For instance, most facilities require water service to operate an air-conditioning system. Even in Minnesota in February, air-conditioning systems help keep a modern facility operating. If a wastewater system fails, an organization might be prevented from allowing employees into the building. While several online utilities allow an organization to compare pricing options from various service providers, only a few show a comparative analysis of availability or downtime.

Power Irregularities

Irregularities from power utilities are common and can lead to fluctuations such as power excesses, power shortages, and power losses. These fluctuations can pose problems for organizations that provide inadequately conditioned power for their information systems equipment. In the United States, we are supplied 120-volt, 60-cycle power, usually through 15- and 20-amp circuits. Europe as well as most of Africa, Asia, South America, and Australia use 230-volt, 50-cycle power. With the prevalence of global travel by organizational employees, failure to properly adapt to different voltage levels can damage computing equipment, resulting in a loss. When power voltage levels vary from normal, expected levels, such as during a blackout, brownout, fault, noise, sag, spike, or surge, an organization’s sensitive electronic equipment—especially networking equipment, computers, and computer-based systems, which are vulnerable to fluctuations—can be easily damaged or destroyed. With small computers and network systems, power-conditioning options such as surge suppressors can smooth out spikes. The more expensive uninterruptible power supply (UPS) can protect against spikes and surges as well as sags and even blackouts of limited duration.

  blackout: A long-term interruption (outage) in electrical power availability.
  brownout: A long-term decrease in quality of electrical power availability.
  fault: A short-term interruption in electrical power availability.
  noise: The presence of additional and disruptive signals in network communications or electrical power delivery.
  sag: A short-term decrease in electrical power availability.
  spike: A short-term increase in electrical power availability, also known as a swell.
  surge: A long-term increase in electrical power availability.
Espionage or Trespass

Espionage or trespass is a well-known and broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized person gains access to information an organization is trying to protect, the act is categorized as espionage or trespass. Attackers can use many different methods to access the information stored in an information system. Some information-gathering techniques are legal—for example, using a Web browser to perform market research. These legal techniques are collectively called competitive intelligence. When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting industrial espionage. Many countries that are considered allies of the United States engage in industrial espionage against American organizations. When foreign governments are involved, these activities are considered espionage and a threat to national security.

  competitive intelligence: The collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage.
  industrial espionage: The collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage; also known as corporate spying.

Note: For more information about industrial espionage in the United States, visit the National Counterintelligence and Security Center at www.dni.gov/index.php/ncsc-home. Look through the resources for additional information on top issues like economic espionage, cyber threats, and insider threats.

Some forms of espionage are relatively low-tech. One example, called shoulder surfing, is pictured in Figure 2-5. This technique is used in public or semipublic settings when people gather information they are not authorized to have. Instances of shoulder surfing occur at computer terminals, desks, and ATMs; on a bus, airplane, or subway, where people use smartphones and tablets; and in other places where employees may access confidential information. Shoulder surfing flies in the face of the unwritten etiquette among professionals who address information security in the workplace: If you can see another person entering personal or private information into a system, look away as the information is entered. Failure to do so constitutes not only a breach of etiquette but an affront to privacy and a threat to the security of confidential information. To avoid shoulder surfing, try not to access confidential information when another person is present. People should limit the number of times they access confidential data, and should do it only when they are sure nobody can observe them. Users should be constantly aware of the presence of others when accessing sensitive information.

Figure 2-5  Shoulder surfing

  shoulder surfing: The direct, covert observation of individual information or system use.

Hackers

Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission. Controls sometimes mark the boundaries of an organization’s virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization’s cyberspace.
Sound principles of authentication and authorization can help organizations protect valuable information and systems. These control methods and technologies employ multiple layers or factors to protect against unauthorized access and trespass. The classic perpetrator of espionage or trespass is the hacker, who is frequently glamorized in fictional accounts as a person who stealthily manipulates a maze of computer networks, systems, and data to find information that solves the mystery and heroically saves the day. However, the true life of the hacker is far more mundane. The profile of the typical hacker has shifted from that of a 13- to 18-year-old male with limited parental supervision who spends all of his free time on the computer; by comparison, modern hackers have fewer known attributes (see Figure 2-6). In the real world, a hacker frequently spends long hours examining the types and structures of targeted systems and uses skill, guile, or fraud to attempt to bypass controls placed on information owned by someone else.

Hackers possess a wide range of skill levels, as with most technology users. However, most hackers are grouped into two general categories: the expert hacker and the novice hacker. The expert hacker is usually a master of several programming languages, networking protocols, and operating systems, and exhibits a mastery of the technical environment of the chosen targeted system.

  trespass: Unauthorized entry into the real or virtual property of another party.
  hacker: A person who accesses systems and information without authorization and often illegally.
  expert hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information, and who often creates automated exploits, scripts, and tools used by other hackers; also known as an elite hacker.
As described in the nearby feature “Hack PCWeek,” expert hackers are extremely talented and usually devote extensive time and energy attempting to break into other people’s information systems. Even though this example occurred several years ago, it illustrates that systems and networks are still attacked and compromised using the same techniques.

  novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey.

Figure 2-6  Contemporary hacker profile. The figure is a mock wanted poster (“IMA HACKER,” no photograph available; aliases “Lost,” “All your PC are belong to me,” and “Cyber-Merlin”) for breaking into computer systems, theft of confidential information, disclosure of stolen confidential information, hijacking victims’ e-mail accounts, and defacing Internet websites. Every physical descriptor (date of birth, hair, eyes, height, weight, sex, race, nationality, occupation, scars and marks) is listed as unknown. Remarks: Individual may be age 12–60, male or female, unknown background, with varying technological skill levels; may be internal or external to the organization.

In 2017, the Singapore Ministry of Defense invited hackers to test its publicly accessible system for vulnerabilities. In March 2016, General Motors (GM) invited computer researchers to look for vulnerabilities in the software used in its vehicles and Web site, offering a reward to anyone who found an undocumented issue. In April 2015, the U.S. government did the same thing, inviting hackers to “Hack the Pentagon,” of all places—a program that continues to this day. This type of “bug bounty” program is an effort to convince both ethical and unethical hackers to help rather than hinder organizations in their security efforts. Other companies that recently invited such attacks include Tesla Motors, Inc., the ride-share company Uber, and Google.

Once an expert hacker chooses a target system, the likelihood is high that he or she will successfully enter the system. Fortunately for the many poorly protected organizations in the world, there are substantially fewer expert hackers than novice hackers. A new category of hacker has emerged over the last few years. The professional hacker seeks to conduct attacks for personal benefit or the benefit of an employer, which is typically a crime organization or illegal government operation (see the section on cyberterrorism). The professional hacker should not be confused with the penetration tester (or pen tester), who has authorization from an organization to test its information systems and network defense and is expected to provide detailed reports of the findings. The primary differences between professional hackers and penetration testers are the authorization provided and the ethical professionalism displayed.

  professional hacker: A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government; not to be confused with a penetration tester.
  penetration tester: An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems; also known as a pen tester.
  pen tester: See penetration tester.
Note: For more information about hacking, see the master’s thesis of Steven Kleinknecht, “Hacking Hackers: Ethnographic Insights into the Hacker Subculture—Definition, Ideology and Argot,” which you can find online either by searching on the title or by going to https://macsphere.mcmaster.ca/handle/11375/10956.

script kiddies