IAS - Module.pdf

Full Transcript

INTE 30063:
Information Assurance
and Security 1

Compiled by:

JOHN DUSTIN D. SANTOS
 INFORMATION ASSURANCE AND SECURITY 1 I

Revision Table
Revision No. Date Revised by
Version 1 January 13, 2021 John Dustin D. Santos
Version 2 March 26, 2022 John Dustin D. Santos
 INFORMATION ASSURANCE AND SECURITY 1 II

Table of Contents

Chapter 1: Introduction to Information Security 1
Overview
Learning Objectives
The History of Information Security 1
What is Information Security? 2
Key Information Security Concepts 3
Critical Characteristics of Information 4
Components of an Information System 5
Software 5
Hardware 5
Data 5
People 5
Procedures 6
Networks 6
Approaches to Information Security Implementation 6
Bottom-up Approach 6
Top-down Approach 6
The Systems Development Life Cycle 7
Methodology and Phases 7
Investigation 7
Analysis 8
Logical Design 8
Physical Design 8
Implementation 8
Maintenance and Change 8
The Security Systems Development Cycle 8
Investigation 9
Analysis 9
Logical Design 9
Physical Design 9
Implementation 9
Maintenance and Change 9
Security Professionals and the Organization 10
Senior Management 11
Information Security Project Team 11
Data Responsibilities 11
Communities of Interest 12
Information Security Management and Professionals 12
Information Technology Management and Professionals 12
Organization Management and Professionals 12
Information Security: Is it an Art or a Science? 12
Security as Art 12
Security as Science 12
Security as Social Science 12
 INFORMATION ASSURANCE AND SECURITY 1 III

Assessment
References

Chapter 2: The Need for Security 14
Overview
Learning Objectives
Business Needs First 14
Protecting the Functionality of an Organization 14
Enabling Safe Operating of Applications 14
Protecting Data that Organizations Collect and Use 15
Safeguarding Technology Assets in Organization 15
Threats 15
14 Categories of Threat 15
1. Comprises to Intellectual Property 15
2. Deliberate Software Attacks 16
3. Deviations in Quality of Service 17
4. Espionage or Trespass 18
5. Forces of Nature 18
6. Human Error or Failure 20
7. Information Extortion 20
8. Missing, Inadequate, or Incomplete Organizational Policy or Planning 20
9. Missing, Inadequate, or Incomplete Controls 20
10. Sabotage or Vandalism 20
11. Theft 21
12. Technical Hardware Failures or Errors 21
13. Technical Software Failures or Errors 21
14. Technological Obsolescence 21
Attacks 22
1. Malicious Code 22
2. Hoaxes 22
3. Back Doors 23
4. Password Crack 23
5. Brute Force 23
6. Dictionary Attack 23
7. DoS and DDoS 23
8. Spoofing 23
9. Man-in-the-Middle 24
10. Spam 24
11. Mail Bombing 24
12. Sniffers 24
13. Social Engineering 24
14. Phishing 24
15. Pharming 25
16. Timing Attack 25
Secure Software Development 25
Software Assurance and the SA Common Body of Knowledge 25
Software Design Principles 26
 INFORMATION ASSURANCE AND SECURITY 1 IV

Software Development Security Problems 26
Assessment
References

Chapter 3: Legal, Ethical, and Professional Issues in
Information Security 31
Overview
Learning Objectives
Law and Ethics in Information Security 31
Organizational Liability and the Need for Counsel 31
Policy versus Law 31
Types of Law 32
International Laws and Legal Bodies 32
Council of Europe Convention on Cybercrime 33
Agreement on Trade-Related Aspects of Intellectual Property Rights 33
Digital Millennium Copyright Act 33
Ethics and Information Security 33
Ten Commandments of Computer Ethics 33
Ethical Differences across Cultures 34
Ethics and Education 35
Deterring Unethical and Illegal Behavior 35
Assessment
Exercise
References

Chapter 4: Risk Management 38
Overview
Learning Objectives
An Overview of Risk Management 38
Know Yourself 39
Know the Enemy 39
The Roles of the Communities of Interest 40
Risk Identification 40
Plan and Organize the Process 40
Asset Identification and Inventory 41
Classifying and Prioritizing Information Assets 45
Information Asset Valuation 46
Information Asset Prioritization 47
Identifying and Prioritizing Threats 48
Vulnerability Identification 50
Risk Assessment 50
Likelihood 51
Risk Determination 51
Identify Possible Controls 52
Risk Control Strategies 52
Defend 52
Implementing Defend Strategy 53
 INFORMATION ASSURANCE AND SECURITY 1 V

Transfer 53
Mitigate 53
Accept 54
Terminate 54
Select a Risk Control Strategy 54
Feasibility Studies 55
Cost Benefit Analysis 56
Evaluation, Assessment, and Maintenance of Risk Controls 56
Risk Management Discussion Points 57
Risk Appetite 57
Residual Risk 57
Documenting Results 58
Assessment
References

Chapter 5: Planning for Security 60
Overview
Learning Objectives
Information Security Planning and Governance 60
Planning Levels 60
Planning and the CISO 61
Information Security Governance 61
Information Security Governance Outcomes 62
Information Security Policy, Standards, and Practices 62
Definitions 63
Enterprise Information Security Policy 64
Issue-Specific Security Policy 65
Violations of Policy 66
Policy, Review, and Modification 66
Limitations of Liability 66
Systems-Specific Policy 67
Policy Management 68
The Information Security Blueprint 69
The ISO 27000 Series 69
NIST Security Models 70
IETF Security Architecture 70
Baselining and Best Business Practices 70
Security Education, Training, and Awareness Program 70
Security Education 71
Security Training 71
Security Awareness 71
Continuity Strategies 72
Business Impact Analysis 73
Incident Response Planning 74
Disaster Recovery Planning 74
Business Continuity Planning 75
Crisis Management 75
 INFORMATION ASSURANCE AND SECURITY 1 VI

Assessment
Exercise
References
 INFORMATION ASSURANCE AND SECURITY 1 1

Chapter 1: Introduction to Information Security

Overview
This chapter establishes the foundation for understanding the broader field of information security. This is
accomplished by defining key terms, explaining essential concepts, and providing a review of the origins
of the field and its impact on the understanding of information security.

Learning Objectives
Upon completion of this material, you should be able to:
 Define information security
 Recount the history of computer security, and explain how it evolved into information security.
 Define key terms and critical concepts of information security.
 Enumerate the phases of the security systems development life cycle.
 Describe the information security roles of professionals within an organization.

The History of Information Security

The history of information security begins with computer security. The need for computer security – that
is, the need to secure physical locations, hardware, and software from threats – arose during World War II
when the first mainframes, developed to aid computations form communication code breaking, were put to
see. Multiple levels of security were implemented to protect these mainframes and maintain the integrity
of their data. Access to sensitive military locations, for example, was controlled by means of badges, keys,
and the facial recognition of authorized personnel by security guards. The growing need to maintain
national security eventually led to more complex and more technologically sophisticated computer security
safeguards.

Let’s look at the main events happened which contribute to the development of information security.

The 1960s
 Advanced Research Procurement Agency (ARPA) began examining the feasibility of a redundant
networked communications system designed to support the military’s need to exchange
information.
 Larry Roberts, known as the Founder of the Internet, developed the project called ARPANET from
inception.

The 1970s and 80s
 During the next decade, the ARPANET grew in popularity as did its potential for misuse.
 In December of 1973, Robert M. Metcalfe, indicated that there were fundamental problems with
ARPANET security:
o Individual remote users’ sites did not have sufficient controls and safeguards to protect
data against unauthorized remote users.
o There were no safety procedures for dial-up connections to the ARPANET.
o User identification and authorization to the system were non-existent.
 INFORMATION ASSURANCE AND SECURITY 1 2

o Phone numbers were widely distributed and openly publicized on the walls of rest rooms
and phone booths, giving hackers easy access to ARPANET.
 In the late 1970s, the microprocessor brought a new age of computing capabilities and security
threats as these microprocessors were networked.
 Information security began with Rand Report R-609, sponsored by the Department of Defense,
which attempted to define multiple controls and mechanisms necessary for the protection of a
multi-level computer system.
o The score of computer security grew from physical security to include:
 Safety of the data itself
 Limiting of random and unauthorized access to that data
 Involvement of personnel from multiple levels of the organization
o At this stage, the concept of computer security evolved into more sophisticated system we
call information security.

The 1990s
 At the close of the 20th century, as networks of computers became more common, so too did the
need to connect the networks to each other.
 This gave rise to the Internet, the first manifestation of a global network of networks.
 There has been a price of the phenomenal growth of the internet, however. When security was
considered at all, early internet deployment treated it as a low priority.
 As the requirement for networked computers became the dominant style of computing, the ability
to physically secure that physical computer was lost, and the stored information became more
exposed to security threats.

2000 to Present
 Today, the Internet has brought millions of unsecured computer networks into communication with
each other.
 Our ability to secure each computer’s stored information is now influenced by the security on each
computer to which it is connected.

What is Information Security?

In general, security is “the quality or state of being secure – to be free from danger.” It means that to be
protected from adversaries – from those who would do harm, intentionally or otherwise.

A successful organization should have the following multiple layers of security in place for the protection
of its operations:
 Physical security – to protect the physical items, objects, or areas of an organization from
unauthorized access and misuse.
 Personal security – to protect the individual or group of individuals who are authorized to access
the organization and its operations.
 Operations security – to protect the details of a particular operation or series of activities.
 Communications security – to protect an organization’s communications media, technology, and
content.
 Network security – to protect networking components, connections, and contents.
 INFORMATION ASSURANCE AND SECURITY 1 3

Information security, therefore, is the protection of information and its critical elements, including the
systems and hardware that use, store, and transmit that information. But to protect the information and its
related systems from danger, tools, such as policy, awareness, training, education, and technology are
necessary.

The C.I.A. triangle has been considered the industry standard for computer security since the development
of the mainframe. It was solely based on three characteristics that described the utility of information:
confidentiality, integrity, and availability. The C.I.A. triangle has expanded into a list of critical
characteristics of information.

Key Information Security Concepts
Here are some terms and concepts that are essential to any discussion of information security:

Access – A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access
controls regulate this ability.

Asset – The organizational resource that is being protected. An asset can be logical, such as a Web site,
information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are
attempting to protect.

Attack – An intentional or unintentional act that can cause damage to or otherwise compromise information
and/or the systems that support it. An attack is an information security threat that involves an attempt to
obtain, alter, destroy, remove, implant or reveal information without authorized access or permission. It
happens to both individuals and organizations. There are many different kinds of attacks, including but not
limited to passive, active, targeted, clickjacking, brandjacking, botnet, phishing, spamming, inside and
outside.

Control, safeguard, or countermeasure – Security mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within
an organization. The various levels and types of controls are discussed more fully in the following chapters.

Exploit – A technique used to compromise a system. This term can be a verb or a noun. Threat agents may
attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an
exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software,
that is either inherent in the software or is created by the attacker. Exploits make use of existing software
tools or custom-made software components.

Exposure – A condition or state of being exposed. In information security, exposure exists when a
vulnerability known to an attacker is present.

Loss – A single instance of an information asset suffering damage or unintended or unauthorized
modification or disclosure. When an organization’s information is stolen, it has suffered a loss.

Protection profile or security posture – The entire set of controls and standards, including policy,
education, training and awareness, and technology, that the organization implements (or fails to implement)
to protect the asset. The terms are sometimes used interchangeably with the term security program, although
the security program often comprises managerial aspects of security, including planning, personnel, and
subordinate programs.
 INFORMATION ASSURANCE AND SECURITY 1 4

Risk – The probability that something unwanted will happen. Organizations must minimize risk to match
their risk appetite – the quantity and nature of risk the organization is willing to accept.

Subjects and objects – A computer can be either the subject of an attack – an agent entity used to conduct
the attack – or the object of an attack – the target entity. A computer can be both the subject and object of
an attack, when, for example, it is compromised by an attack (object), and then used to attack other systems
(subject).

Threat – A category of objects, persons, or other entities that presents a danger to an asset. Threats are
always present and can be purposeful or undirected. For example, hackers purposely threaten unprotected
information systems, while severe storms incidentally threaten buildings and their contents.

Threat agent – The specific instance or a component of a threat. For example, all hackers in the world
present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a
specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the
threat of severe storms.

Vulnerability – A weakness or fault in a system or protection mechanism that opens it to attack or damage.
Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an
unlocked door.

Critical Characteristics of Information
The value of information comes from the characteristics it possesses.

Availability – enables users who need to access information to do so without interference or obstruction
and in the required format. The information is said to be available to an authorized user when and where
needed and in the correct format.

Accuracy – free from mistake or error and having the value that the end-user expects. If information
contains a value different from the user’s expectations due to the intentional or unintentional modification
of its content, it is no longer accurate.

Authenticity – the quality or state of being genuine or original, rather than a reproduction or fabrication.
Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality – the quality or state of preventing disclosure or exposure to unauthorized individuals or
systems.

Integrity – the quality or state of being whole, complete, and uncorrupted. The integrity of information is
threatened when the information is exposed to corruption, damage, destruction, or other disruption of its
authentic state.

Utility – the quality or state of having value for some purpose or end. Information has value when it serves
a particular purpose. This means that if information is available, but not in a format meaningful to the end-
user, it is not useful.

Possession – the quality or state of having ownership or control of some object or item. Information is said
to be in possession if one obtains it, independent of format or other characteristic. While a breach of
 INFORMATION ASSURANCE AND SECURITY 1 5

confidentiality always results in a breach of possession, a breach of possession does not always result in a
breach of confidentiality.

Components of an Information System

An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware,
data, people, and procedures necessary to use information as a resource in the organization. To fully
understand the importance of information security, it is necessary to briefly review the elements of an
information system.

Software
The software component of the IS comprises applications, operating systems, and assorted command
utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in
software programming accounts for a substantial portion of the attacks on information. The information
technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems
in software. In fact, many facets of daily life are affected by buggy software, form smartphones that crash
to flawed automotive control computers that lead to recalls.

Software carries the lifeblood of information through an organization. Unfortunately, software programs
are often created under the constraints of project management, which limit time, cost, and manpower.
Information security is all too often implemented as an after-thought, rather than developed as an integral
component from the beginning. In this way, software programs become an easy target of accidental or
intentional attacks.

Hardware
Hardware is the physical technology that houses and executes the software, stores and transports the data,
and provides interfaces for the entry and removal of information from the system. Physical security policies
deal with hardware as a physical asset and with the protection of physical assets from harm or theft.
Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction
with the hardware components of an information system. Securing the physical location of computers and
the computers themselves is important because a breach of physical security can result in a loss of
information. Unfortunately, most information systems are built on hardware platforms that cannot
guarantee any level of information security if unrestricted access to the hardware is possible.

Data
Data stored, processed, and transmitted by a computer system must be protected. Data is often the most
valuable asset possessed by an organization and it is the main target of intentional attacks. Systems
developed in recent years are likely to make use of database management systems. When done properly,
this should improve the security of the data and the application. Unfortunately, many system development
projects do not make full use of the database management system’s security capabilities, and in some cases
the database is implemented in ways that are less secure than traditional file systems.

People
Though often overlooked in computer security considerations, people have always been a threat to
information security. People can be the weakest link in an organization’s information security program.
And unless policy, education and training, awareness, and technology are properly employed to prevent
people from accidentally or intentionally damaging or losing information, they will remain the weakest
 INFORMATION ASSURANCE AND SECURITY 1 6

link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human
error. It can be used to manipulate the actions of people to obtain access information about a system.

Procedures
Another frequently overlooked component of an IS is procedures. Procedures are written instructions for
accomplishing a specific task. When an unauthorized user obtains an organization’s procedures, this poses
a threat to the integrity of the information. Most organizations distribute procedures to their legitimate
employees so they can access the information system, but many of these companies often fail to provide
proper education on the protection of the procedures. Educating employees about safeguarding procedures
is as important as physically securing the information system. After all, procedures are information in their
own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated
among members of the organization only on a need-to-know basis.

Networks
The IS component that created much of the need for increased computer and information security is
networking. When information systems are connected to each other to form local area networks (LANs),
and these LANs are connected to other networks such as the Internet, new security challenges rapidly
emerge. The physical technology that enables network functions is becoming more and more accessible to
organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to
restrict access to and interaction with the hardware components of an information system are still important;
but when computer systems are networked, this approach is no longer enough. Steps to provide network
security are essential, as is the implementation of alarm and intrusion systems to make system owners aware
of ongoing compromises.

Approaches to Information Security Implementation

Bottom-up Approach
 Security can begin as a grass-roots effort when systems administrators attempt to improve the
security of their systems. This is referred to as the bottom-up approach.
 The key advantage of the bottom-up approach is the technical expertise of the individual
administrators.
 Unfortunately, this approach seldom works, as it lacks a number of critical features, such as
participant support and organizational staying power.

Top-down Approach
 An alternative approach, which has a higher probability of success, is called the top-down
approach. The project is initiated by upper management who issue policy, procedures and
processes, dictate the goals and expected outcomes of the project, and determine who is accountable
for each of the required actions.
 The top-down approach has strong upper management support, a dedicated champion, dedicated
funding, clear planning and the opportunity to influence organizational culture.
 The most successful top-down approach also involves a formal development strategy referred to as
a systems development life cycle.
 INFORMATION ASSURANCE AND SECURITY 1 7

The Systems Development Life Cycle

Information security must be managed in a manner similar to any other major system implemented in the
organization.

The best approach for implementing an information security system in an organization with little or no
formal security in place, is to use a variation of the Systems Development Life Cycle (SDLC): the Security
Systems Development Life Cycle (SecSDLC).

Methodology and Phases
The SDLC is a methodology for the design and implementation of an information system in an organization.
A methodology is a formal approach to solving a problem based on a structured sequence of procedures.
Using a methodology ensures a rigorous process, and avoids missing those steps that can lead to
compromising the end goal. The goal is creating a comprehensive security posture.

The traditional SLDC consists of six general phases. SLDC models range from having three to twelve
phases, all of which have been mapped into the six presented here. The waterfall model whose image
shown below illustrates that each phase begins with the results and information gained from the previous
phase.

Investigation
The first phase, investigation, is the most important. What problem is the system being developed to solve?
The investigation phase begins with an examination of the event or plan that initiates the process. During
the investigation phase, the objectives, constraints, and scope of the project are specified. A preliminary
cost-benefit analysis evaluates the perceived benefits and the appropriate levels of cost for those benefits.
As the conclusion of this phase, and at every phase following, a feasibility analysis assesses the economic,
 INFORMATION ASSURANCE AND SECURITY 1 8

technical, and behavioral feasibilities of the process and ensures that implementation is worth the
organization’s time and effort.

Analysis
The analysis phase begins with the information gained during the investigation phase. This phase consists
primarily of assessments of the organization, its current systems, and its capability to support the proposed
systems. Analysts begin by determining what the new system is expected to do and how it will interact with
existing systems. This phase ends with the documentation of the findings and an update of the feasibility
analysis.

Logical Design
In the logical design phase, the information gained from the analysis phase is used to begin creating a
solution system for a business problem. Then, based on the business need, select applications capable of
providing needed services. Based on the applications needed, select data support and structures capable of
providing the needed inputs. Finally, based on all of the above, select specific technologies to implement
the physical solution. In the end, another feasibility analysis is performed.

Physical Design
During the physical design phase, specific technologies are selected to support the alternatives identified
and evaluated in the logical design. The selected components are evaluated based on a make-or-buy
decision (develop in-house or purchase from a vendor). Final designs integrate various components and
technologies. After yet another feasibility analysis, the entire solution is presented to the end-user
representatives for approval.

Implementation
In the implementation phase, any needed software is created or purchased. Components are ordered,
received and tested. Afterwards, users are trained and supporting documentation created. Again a feasibility
analysis is prepared, and the users are then presented with the system for a performance review and
acceptance test.

Maintenance and Change
The maintenance and change phase is the longest and most expensive phase of the process. This phase
consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
Even though formal development may conclude during this phase, the life cycle of the project continues
until it is determined that the process should begin again from the investigation phase. When the current
system can no longer support the changed mission of the organization, the project is terminated and a new
project is implemented.

The Security Systems Development Cycle

The same phases used in the traditional SDLC can be adapted to support the specialized implementation of
a security project. The fundamental process is the identification of specific threats and the creation of
specific controls to counter those threats. The SecSDLC unifies the process and makes it a coherent program
rather than a series of random, seemingly unconnected actions.
 INFORMATION ASSURANCE AND SECURITY 1 9

Investigation
The investigation of the SecSDLC begins with a directive from upper management, dictating the process,
outcomes and goals of the project, as well as the constraints placed on the activity. Frequently, this phase
begins with a statement of program security policy that outlines the implementation of security. Teams of
responsible managers, employees and contractors are organized, problems analyzed, and scope defined,
including goals objectives, and constraints not covered in the program policy. Finally, an organizational
feasibility analysis is performed to determine whether the organization has the resources and commitment
necessary to conduct a successful security analysis and design.

Analysis
In the analysis phase, the documents from the investigation phase are studied. The development team
conducts a preliminary analysis of existing security policies or programs, along with documented current
threats and associated controls. This phase also includes an analysis of relevant legal issues that could
impact the design of the security solution. Risk management is the process of identifying, assessing and
evaluating the levels of risk facing the organization, also begins in this stage.

Logical Design
The logical design phase creates and develops the blueprints for security, and examines and implements
key policies that influence later decisions. Also at this stage, critical planning is developed for incident
response actions to be taken in the event of partial or catastrophic loss. The planning answers the following
questions:
 Continuity planning: How will business continue in the event of a loss?
 Incident response: What steps are taken an attack occurs?
 Disaster recovery: What must be done to recover information and vital systems immediately after
a disastrous event?

Next, a feasibility analysis determines whether or not the project should continue or should be outsourced.

Physical Design
In the physical design phase, the security technology needed to support the blueprint outlined in the logical
design is evaluated, alternative solutions generated, and a final design agreed upon. The security blueprint
may be revisited to keep it synchronized with the changes needed when the physical design is completed.
Criteria needed to determine the definition of successful solutions is also prepared during this phase.
Included at this time are the designs for physical security measures to support the proposed technological
solutions. At the end of this phase, a feasibility study should determine the readiness of the organization for
the proposed project, and then the champion and users are presented with the design. At this time, all parties
involved have a chance to approve the project before implementation begins.

Implementation
The implementation phase is similar to the traditional SDLC. The security solutions are acquired (made or
bought), tested, and implemented, and tested again. Personnel issues are evaluated and specific training and
education programs conducted. Finally, the entire tested package is presented to upper management for
final approval.

Maintenance and Change
The maintenance and change phase, though last, is perhaps most important, given the high level of ingenuity
in today’s threats. The reparation and restoration of information is a constant duel with an often-unseen
 INFORMATION ASSURANCE AND SECURITY 1 10

adversary. As new threats emerge and old threats evolve, the information security profile of an organization
requires constant adaptation to prevent threats from successfully penetrating sensitive data.

Below is a table of SDLC and SecDLC Phase Summary

Security Professionals and the Organization

It takes a wide range of professionals to support a diverse information security program. To develop and
execute specific security policies and procedures, additional administrative support and technical expertise
is required. The following describes the typical information security responsibilities of various professional
roles in an organization.
 INFORMATION ASSURANCE AND SECURITY 1 11

Senior Management
The senior technology officer is typically the Chief Information Officer (CIO), although other titles such
as Vice President of Information, VP for Information Technology, and VP for Systems may be used. The
CIO is primarily responsible for advising the Chief Executive Officer, President or company owner on the
strategic planning that affects the management of information in the organization.

The Chief Information Security Officer (CISO) has primarily responsible for the assessment,
management, and implementation of securing the information in the organization. The CISO may also be
referred to as the Manager for Security, the Security Administrator, or a similar title.

Information Security Project Team
The information security project team should consist of a number of individuals who are experienced in
one or multiple facets of the required technical and nontechnical areas. Many of the same skills needed to
manage and implement security are also needed to design it. Members of the security project team fill the
following roles:

 Champion: a senior executive who promotes the project and ensures its support, both financially
and administratively, at the highest levels of the organization.
 Team leader: a project manager, who may be a departmental line manager or staff unit manager,
who understands project management, personnel management, and information security technical
requirements.
 Security policy developers: individuals who understand the organizational culture, policies, and
requirements for developing and implementing successful policies.
 Risk assessment specialists: individuals who understand financial risk assessment techniques, the
value of organizational assets, and the security methods to be used.
 Security professionals: dedicated, trained, and well-educated specialists in all aspects of
information security from both technical and non-technical standpoints.
 Systems administrators: individuals with the primary responsibility for administering the systems
that house the information used by the organization.
 End users: those the new system will most directly impact. Ideally, a selection of users from
various departments, levels, and degrees of technical knowledge assist the team in focusing on the
application of realistic controls applied in ways that do not disrupt the essential business activities
they seek to safeguard.

Data Responsibilities
Now that you understand the responsibilities of both senior management and the security project team, we
can define the roles of those who own and safeguard the data.

 Data Owner - responsible for the security and use of a particular set of information. Data owners
usually determine the level of data classification associated with the data, as well as changes to that
classification required by organization change.
 Data Custodian - responsible for the storage, maintenance, and protection of the information. The
duties of a data custodian often include overseeing data storage and backups, implementing the
specific procedures and policies laid out in the security policies and plans, and reporting to the data
owner.
 Data Users - the end systems users who work with the information to perform their daily jobs
supporting the mission of the organization. Everyone in the organization is responsible for the
security of data, so data users are included here as individuals with an information security role.
 INFORMATION ASSURANCE AND SECURITY 1 12

Communities of Interest

Each organization develops and maintains its own unique culture and values. Within each organization
culture, there are communities of interest to develop and evolve. Community of interest is a group of
individuals who are united by similar interests or values within an organization and who share a common
goal of helping the organization to meet its objectives. These communities of interest include:

Information Security Management and Professionals
Their roles are aligned with the goals and mission of the information security community of interest. These
job functions and organizational roles focus on protecting the organization’s information systems and stored
information from attacks.

Information Technology Management and Professionals
The community of interest made up of IT managers and skilled professionals in systems design,
programming, networks, and other related disciplines has many of the same objectives as the information
security community. However, its members focus more on costs of system creation and operation, ease of
use for system users, and timeliness of system creation, as well as transaction response time. The goals of
the IT community and the information security community are not always in complete alignment, and
depending on the organization structure, this may cause conflict.

Organizational Management and Professionals
The organization’s general management team and the rest of the resources in the organization make up the
other major community of interest. This larger group is almost always made up of subsets of other interest
as well, including executive management, production management, human resources, accounting, and
legal, to name just a few.

Information Security: Is it an Art or a Science?

Security as Art
The administrators and technicians who implement security can be compared to a painter applying oils to
canvas. There are no hard and fast rules regulating the installation of various security mechanisms, nor are
there many universally accepted complete solutions.

Security as Science
Technology developed by computer scientist and engineers – which is designed for rigorous performance
levels – makes information security a science as well as an art. Almost every fault, security hole, and
systems malfunction is a result of the interaction of specific hardware and software.

Security as Social Science
Social science examines the behavior of individuals as they interact with systems, whether these are societal
systems or, as information systems. Information security begins and ends with the people inside the
organization and the people that interact with the system, intentionally or otherwise. By understanding some
of the behavioral aspects of organizational science and change management, security administrators can
greatly reduce the levels of risk cause by end users and create more acceptable and supportable security
profiles. These measures, coupled with appropriate policy and training issues, can substantially improve
the performance of end users and result in a more secure information system.
 INFORMATION ASSURANCE AND SECURITY 1 13

Assessment

1. What is the difference between a threat agent and a threat?
2. What is the difference between vulnerability and exposure?
3. What type of security was dominant in the early years of computing?
4. What are the three components of the CIA triangle? What are they used for?
5. Describe the critical characteristics of information. How are they used in the study of computer
security?
6. Identify the six components of an information system. Which are the most directly affected by the
study of computer security? Which are the most commonly associated with its study?
7. Why is the top-down approach to information security superior to the bottom-up approach?
8. Why is a methodology important in the implementation of information security? How does a
methodology improve the process?
9. How can the practice of information security be described as both an art and a science? How does
as security as a social science influence its practice?
10. How has computer security evolved into modern information security?

References
1. Whitman, Michael, Principles of Information Security, 6th Ed., 2018
2. Lynett, M. (2015). A History of Information Security From Past to Present. Mesltd.Ca.
https://blog.mesltd.ca/a-history-of-information-security-from-past-to-present
3. What is an Attack? - Definition from Techopedia. (2012). Techopedia.com.
https://www.techopedia.com/definition/6060/attack
4. The History of Cybersecurity: CompTIA’s Future of Tech. (2012). CompTIA’s Future of Tech.
https://www.futureoftech.org/cybersecurity/2-history-of-cybersecurity/
 INFORMATION ASSURANCE AND SECURITY 1 14

Chapter 2: The Need for Security

Overview
This chapter examines the business drivers behind the information security analysis design process. It
examines current organizational and technological security needs, and emphasizes and builds on the
concepts presented in the previous chapter. This chapter also examines the various threats facing
organizations and present methods for ranking these threats that organizations can use when they begin
their security planning process.

Learning Objectives
Upon completion of this material, you should be able to:
 Demonstrate that organizations have a business need for information security
 Explain why a successful information security program is the responsibility of both an
organization’s general management and IT management
 Identify the threats posed to information security and the more common attacks associated with
those threats, and differentiate threats to the information within systems form attacks against the
information within systems
 Describe the issues facing software developers, as well as the common errors made by developers,
and explain how software development programs can create software that is more secure and
reliable.

Business Needs First

There are four (4) important functions of an organization that the information security performs:
1. Protecting the organization’s ability to function
2. Enabling the safe operation of applications running on the organization’s IT systems
3. Protecting the data the organization collects and uses
4. Safeguarding the organization’s technology assets

Protecting the Functionality of an Organization
 Shared responsibility between general management and IT management.
o Set security policy in compliance with legal requirements.
o Not really a technology issue.
 Address information security in terms of
o Business impact
o Cost of business interruption

Enabling Safe Operating of Applications
 Operation requires integrated, efficient, and capable applications.
 A modern organization needs to create an environment that protect critical applications such as
o Operating system platforms
o Electronic mail
o Instant messaging
 These can be acquired by outsourcing to a service provider or can be developed internally.
 INFORMATION ASSURANCE AND SECURITY 1 15

 Protection of the infrastructure must be overseen by management.

Protecting Data that Organizations Collect and Use
 Data provides
o Record of transactions (e.g. banking)
o Ability to deliver value to customers
o Enable creation and movement of goods and services
 Information systems and the data they process enable the creation and movement of goods and
services.
 Therefore, protecting data in motion (online transactions) and data at rest (offline transactions)
are both critical aspects of information security.
 An effective information security program implemented by management protects the integrity and
value of the organization’s data.

Safeguarding Technology Assets in Organizations
 Organizations must have secure infrastructure services based on the size and scope of the enterprise.
o Smaller businesses may require less protections such as email service provided by an ISP
and augmented with a personal encryption tool.
o Additional services are required for larger businesses such as Public Key Infrastructure
(PKI), an integrated system of software, encryption methodologies, and legal agreements
that can be used to support the entire information infrastructure.
 In general, as an organization’s network grows to accommodate changing needs, more robust
technology solutions should replace security programs the organization has outgrown.

Threats

500 B.C. – Chinese general Sun Tzu Wu wrote The Art of War, a military treatise that emphasizes the
importance of knowing yourself as well as the threats you face.

To protect your organization’s information, you must:
1. Know yourself; that is, be familiar with the information to be protected and the systems that store,
transport, and process it; and
2. Know the threats you face.

Threat – is an object, person, or entity that represents a constant danger to an asset.

14 Categories of Threat
There are 14 categories of threat, which is discussed below.

1. Compromises to Intellectual Property
Intellectual Property – defined as “the ownership of ideas and control over the tangible or virtual
representation of those ideas. Use of another person’s intellectual property may or may not involve royalty
payments or permission, but should always include proper credit to the source.” These can be trade secrets,
copyrights, trademarks, and patents.

Software piracy – Unlawful use or duplication of software-based intellectual property. It is also the most
common IP breach.
 INFORMATION ASSURANCE AND SECURITY 1 16

A number of technical mechanisms have been used to enforce copyright law. This includes
 Digital watermarks and embedded code
 Copyright codes
 Intentional placement of bad sectors on software media

License agreement – a window that usually pops up during the installation of new software. This is the
most common tool used to establish that the user has read and agrees to the license agreement.

Online registration process – Another effort to combat piracy. Individuals who install software are often
asked or even required to register their software to obtain technical support or the use of all features.

2. Deliberate Software Attacks
Deliberate software attacks occur when an individual or group designs and deploys software to attack a
system.

Malicious code (sometimes known as malicious software or malware) – software components or
programs designed to damage, destroy, or deny service to the target systems. The following are some
common instances of malicious code.

1. Virus – a computer virus is designed to spread from host to host and has the ability to replicate
itself. Similarly, in the same way that the flu viruses cannot reproduce without a host cell, computer
viruses cannot reproduce and spread without programming such as a file or document. A virus
operates by inserting or attaching itself to a legitimate program or document that supports macros
in order to execute its code. In the process, a virus has the potential to cause unexpected or
damaging effects, such as harming the system software by corrupting or destroying data. (What Is
A Computer Virus?, 2020).

2. Worm - A computer worm is a type of malware that spreads copies of itself from computer to
computer. A worm can replicate itself without any human interaction, and it does not need to attach
itself to a software program in order to cause damage. Worms can modify and delete files, and they
can even inject additional malicious software onto a computer. Sometimes a computer worm’s
purpose is only to make copies of itself over and over — depleting system resources, such as hard
drive space or bandwidth, by overloading a shared network. In addition to wreaking havoc on a
computer’s resources, worms can also steal data, install a backdoor, and allow a hacker to gain
control over a computer and its system settings. (What is a computer worm and how does it work?,
2019).

3. Trojan Horses - A Trojan horse or Trojan is a type of malware that is often disguised as legitimate
software. Users are typically tricked by some form of social engineering into loading and executing
Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal
your sensitive data, and gain backdoor access to your system. These actions can include deleting
data, blocking data, modifying data, copying data, and disrupting the performance of computers or
computer networks. (Kaspersky, 2019)

4. Back Door or Trap Door – A virus or worm can have a payload that installs a back door or trap
door component in a system, which allows the attacker to access the system at will with special
privileges. Examples of these kinds of payloads include Subeven and Back Orifice.
 INFORMATION ASSURANCE AND SECURITY 1 17

5. Polymorphic Threats – A polymorphic threat is one that over time changes the way it appears to
antivirus software programs, making it undetectable by techniques that look for preconfigured
signatures. These viruses and worms actually evolve, changing their size and other external file
characteristics to elude detection by antivirus software programs.

6. Virus and Worm Hoaxes – These are messages with false warning about a computer virus or
worm. Typically, the warning arrives in an e-mail note or is distributed through a note in a
company's internal network. These notes are usually forwarded using distribution lists and they will
typically suggest that the recipient forward the note to other distribution lists. (TechTarget
Contributors, 2017).

3. Deviations in Quality of Service
Companies rely on a number of service providers: power, water, sewage, internet, and phone, just to name
a few. If one of these providers has irregular service, it could disrupt business operations and threaten the
security of information. We refer to this condition as an availability disruption and interruption in service,
usually from a service provider, which can cause an adverse event within the organization.

1. Power – One of the most important services to the organization’s IT equipment is electrical power.
Too much or not enough power can cause major issues with computer equipment. Some common
conditions include:
a. Blackout – long-term interruption or outage in electrical power availability.
b. Brownout – a long-term decrease in the quality of electrical power availability.
c. Fault – a short-term interruption in electrical power availability.
d. Noise – the presence of additional and disruptive signals in network communications or
electrical power delivery.
e. Sag – a short-term decrease in electrical power availability.
f. Spike – a short term increase in electrical power availability.
g. Surge – a long-term increase in electrical power availability.

2. Internet – Many organizations today rely heavily on their Internet and web services to both
communicate with supplier and clients, and to acquire and deliver products and services. A failure
of this connection would negatively impact the organization. Specific threats or attacks to this
connection involve both physical disruptions, like a contractor digging up a cable, or a tree falling
on a line, as well as electronic disruptions. Many electrical disruptions, intentional, or accidental,
cover multiple threat categories.

In order to minimize the impact and probability of availabilities disruptions, we expect documented
commitment from our service providers that they will provide quality service or provide some form
of restitution should they fail. The document that specifies the expected level of service from a
service provider is known as a Service Level Agreement, or SLA. An SLA usually contains
provisions for a minimum acceptable availability and penalties for remediation procedures for
downtime.

3. Communications and Other Service Provider Issues – Other utility services can affect
organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television,
natural or propane gas, and custodial services. The loss of these services can impair the ability of
an organization to function. For instance, most facilities require water service to operate an air-
conditioning system. If a wastewater system fails, an organization might be prevented from
allowing employees into the building.
 INFORMATION ASSURANCE AND SECURITY 1 18

4. Espionage or Trespass
Espionage or trespass is a well-known and broad category of electronic and human activities that can breach
the confidentiality of information. When an unauthorized individual gains access to the information an
organization is trying to protect, data is categorized as espionage or trespass. Attackers can use many
different methods to access the information stored in an information system. Some information gathering
techniques are quite legal, for example, using a web browser to perform market research. These legal
techniques are called, collectively, competitive intelligence. When an information gatherers employ
techniques that cross the threshold what is legal or ethical, they are conducting industrial espionage.
Acts of trespass can lead to an authorized real our virtual actions that enable information gatherers to enter
premises or systems they have not pin authorized to enter. Controls sometimes mark the boundaries of an
organization's virtual territory. These boundaries give notice to trespassers that they are encroaching on the
organization's cyberspace. Sound principles of authentication and authorization can help organizations
protect valuable information and systems. This control methods and methodologies employ multiple layers
or factors to protect against unauthorized access.

Forms of espionage include:
1. Shoulder surfing - this technique is used in public or semipublic settings when individuals gather
information that they are not authorized so have by looking over another individual's shoulder or
viewing the information from a distance. Instances of shoulder surfing occur at computer terminals,
desks, ATM machines, on the bus for subway where people use smartphones and tablet PCs, or
other places where a person is accessing confidential information.

2. Hackers - these are "people who use and create computer software to gain access to information
illegally." Hackers are frequently glamorized in fictional accounts as people who stealthily
manipulate a maze of computer networks, systems, and data to find the information that solves the
mystery or saves the day.

3. Phreaker - A phreaker hacks the public telephone network to make free calls or disrupt services.
Phreakers grew in fame in the 1970s when they developed devices called blue boxes that enabled
free calls from pay phones. Later, red boxes were developed to simulate the tones of coins falling
in a pay phone, and finally black boxes emulated the line voltage. With the advent of digital
communications, these boxes became practically obsolete. Even with the loss of the colored box
technologies, phreakers continue to cause problems for all telephone systems.

5. Forces of Nature
Forces of nature, force majeure, or acts of God can present some of the most dangerous threats, because
they usually occur with very little warning and are beyond the control of people. These threats, which
include events such as fires, floods, earthquakes, and lightning as well as volcanic eruptions and insect
infestations, can disrupt not only the lives of individuals but also the storage, transmission, and use of
information. Some of the more common threats in this group are listed here.

1. Fire - In this context, usually a structural fire that damages a building housing computing
equipment that comprises all or part of an information system, as well as smoke damage and/or
water damage from sprinkler systems or firefighters. This threat can usually be mitigated with fire
casualty insurance and/or business interruption insurance.

2. Flood - An overflowing of water onto an area that is normally dry, causing direct damage to all or
part of the information system or to the building that houses all or part of the information system.
A flood might also disrupt operations through interruptions in access to the buildings that house all
 INFORMATION ASSURANCE AND SECURITY 1 19

or part of the information system. This threat can sometimes be mitigated with flood insurance
and/or business interruption insurance.

3. Earthquake - A sudden movement of the earth’s crust caused by the release of stress accumulated
along geologic faults or by volcanic activity. Earthquakes can cause direct damage to all or part of
the information system or, more often, to the building that houses it, and can also disrupt operations
through interruptions in access to the buildings that house all or part of the information system.
This threat can sometimes be mitigated with specific casualty insurance and/or business
interruption insurance, but is usually a separate policy.

4. Lightning - An abrupt, discontinuous natural electric discharge in the atmosphere. Lightning
usually directly damages all or part of the information system an/or its power distribution
components. It can also cause fires or other damage to the building that houses all or part of the
information system, and disrupt operations by interfering with access to the buildings that house
all or part of the information system. This threat can usually be mitigated with multipurpose
casualty insurance and/or business interruption insurance.

5. Landslide or mudslide - The downward sliding of a mass of earth and rock directly damaging all
or part of the information system or, more likely, the building that houses it. Land- or mudslides
also disrupt operations by interfering with access to the buildings that house all or part of the
information system. This threat can sometimes be mitigated with casualty insurance and/or business
interruption insurance.

6. Tornado or severe windstorm - A rotating column of air ranging in width from a few yards to
more than a mile and whirling at destructively high speeds, usually accompanied by a funnel-
shaped downward extension of a cumulonimbus cloud. Storms can directly damage all or part of
the information system or, more likely, the building that houses it, and can also interrupt access to
the buildings that house all or part of the information system. This threat can sometimes be
mitigated with casualty insurance and/or business interruption insurance.

7. Hurricane or typhoon - These storms may disrupt operations by interrupting access to the
buildings that house all or part of the information system. This threat can sometimes be mitigated
with casualty insurance and/or business interruption insurance.

8. Tsunami - A very large ocean wave caused by an underwater earthquake or volcanic eruption.
These events can directly damage all or part of the information system or, more likely, the building
that houses it. Organizations located in coastal areas may experience tsunamis. Tsunamis may also
cause disruption to operations through interruptions in access or electrical power to the buildings
that house all or part of the information system. This threat can sometimes be mitigated with
casualty insurance and/or business interruption insurance.

9. Electronic discharge (ESD) - Usually, static electricity and ESD are little more than a nuisance.
Unfortunately, however, the mild static shock we receive when walking across a carpet can be
costly or dangerous when it ignites flammable mixtures and damages costly electronic components.
Static electricity can draw dust into clean-room environments or cause products to stick together.
The cost of ESD-damaged electronic devices and interruptions to service can range from only a
few cents to several millions of dollars for critical systems. Loss of production time in information
processing due to ESD impact is significant. While not usually viewed as a threat, ESD can disrupt
information systems, but it is not usually an insurable loss unless covered by business interruption
insurance.
 INFORMATION ASSURANCE AND SECURITY 1 20

10. Dust contamination - Some environments are not friendly to the hardware components of
information systems. Because dust contamination can shorten the life of information systems or
cause unplanned downtime, this threat can disrupt normal operations.

Since it is not possible to avoid force of nature threats, organizations must implement controls to limit
damage, and they must also prepare contingency plans for continued operations, such as disaster recovery
plans, business continuity plans, and incident response plans.

6. Human Error or Failure
This category includes acts performed without intent or malicious purpose by an authorized user. When
people use information systems, mistakes happen. Inexperience, improper training, and the incorrect
assumptions are just a few things that can cause these misadventures. Regardless of the cause, even
innocuous mistakes can produce extensive damage.

One of the greatest threats to an organization’s information security is the organization’s own employees.
Employees are the threat agents closest to the organizational data. Because employees use data in everyday
activities to conduct the organization’s business, their mistakes represent a serious threat to the
confidentiality, integrity, and availability of data, relative to threats from outsiders.

Much human error or failure can be prevented with training and ongoing awareness activities, but also with
controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to
more complex procedures, such as the verification of commands by a second party.

7. Information Extortion
Information extortion occurs when an attacker or trusted insider steals information from a computer system
and demands compensation for its return or for an agreement not to disclose it. Extortion is common in
credit card number theft.

8. Missing, Inadequate, or Incomplete Organizational Policy or Planning.
Missing, inadequate, or incomplete organizational policy or planning makes an organization vulnerable to
loss, damage, or disclosure of information assets when other threats lead to attacks. Information security is,
at its core, a management function. The organization’s executive leadership is responsible for strategic
planning for security as well as for IT and business functions—a task known as governance.

9. Missing, Inadequate, or Incomplete Controls
Missing, inadequate, or incomplete controls—that is, security safeguards and information asset protection
controls that are missing, misconfigured, antiquated, or poorly designed or managed—make an organization
more likely to suffer losses when other threats lead to attacks.

For example, if a small organization installs its first network using small office/home office (SOHO)
equipment (which is similar to the equipment you might have on your home network) and fails to upgrade
its network equipment as it becomes larger, the increased traffic can affect performance and cause
information loss. Routine security audits to assess the current levels of protection help to ensure the
continuous protection of organization’s assets.

10. Sabotage or Vandalism
This category of threat involves the deliberate sabotage of a computer system or business, or acts of
vandalism to either destroy an asset or damage the image of an organization. These acts can range from
petty vandalism by employees to organized sabotage against an organization.
 INFORMATION ASSURANCE AND SECURITY 1 21

Although not necessarily financially devastating, attacks on the image of an organization are serious.
Vandalism to a Web site can erode consumer confidence, thus diminishing an organization’s sales and net
worth, as well as its reputation.

There are innumerable reports of hackers accessing systems and damaging or destroying critical data.
Hacked Web sites once made front-page news, as the perpetrators intended. The impact of these acts has
lessened as the volume has increased.

Compared to Web site defacement, vandalism within a network is more malicious in intent and less public.
Today, security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist
operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an
organization or government agency.

A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems to conduct terrorist
activities via network or Internet pathways. The United States and other governments are developing
security measures intended to protect the critical computing and communications networks as well as the
physical and power utility infrastructures.

11. Theft
The threat of theft—the illegal taking of another’s property, which can be physical, electronic, or
intellectual—is a constant. The value of information is diminished when it is copied without the owner’s
knowledge.

Physical theft can be controlled quite easily by means of a wide variety of measures, from locked doors to
trained security personnel and the installation of alarm systems. Electronic theft, however, is a more
complex problem to manage and control. When someone steals a physical object, the loss is easily detected;
if it has any importance at all, its absence is noted. When electronic information is stolen, the crime is not
always readily apparent. If thieves are clever and cover their tracks carefully, no one may ever know of the
crime until it is far too late.

12. Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known
or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting
in unreliable service or lack of availability. Some errors are terminal—that is, they result in the
unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodically manifest
themselves, resulting in faults that are not easily repeated, and thus, equipment can sometimes stop working,
or work in unexpected ways.

13. Technical Software Failures or Errors
Large quantities of computer code are written, debugged, published, and sold before all their bugs are
detected and resolved. Sometimes, combinations of certain software and hardware reveal new bugs. These
failures range from bugs to untested failure conditions. Sometimes these bugs are not errors, but rather
purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes
into programs that bypass security checks are called trap doors and can cause serious security breaches.

14. Technological Obsolescence
Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. Management must
recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks.
 INFORMATION ASSURANCE AND SECURITY 1 22

Management’s strategic planning should always include an analysis of the technology currently in use.
Ideally, proper planning by management should prevent technology from becoming obsolete, but when
obsolescence is manifest, management must take immediate action. IT professionals play a large role in the
identification of probable obsolescence.

Attacks
An attack is an act that takes advantage of a vulnerability to compromise a controlled system. It is
accomplished by a threat agent that damages or steals an organization’s information or physical asset.

A vulnerability is an identified weakness in a controlled system, where controls are not present or are no
longer effective. Unlike threats, which are always present, attacks only exist when a specific act may cause
a loss.

The following are the major types of attacks used against controlled systems:

1. Malicious Code
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts
with the intent to destroy or steal information. The state-of-the-art malicious code attack is the polymorphic,
or multivector, worm. These attack programs use up to six known attack vectors to exploit a variety of
vulnerabilities in commonly found information system devices.

Other forms of malware include covert software applications—bots, spyware, and adware— that are
designed to work out of sight of users or via an apparently innocuous user action.

 A bot (an abbreviation of robot) is an automated software program that executes certain commands
when it receives a specific input. Bots are often the technology used to implement Trojan horses,
logic bombs, back doors, and spyware.
 Spyware is “any technology that aids in gathering information about a person or organization
without their knowledge. Spyware is placed on a computer to secretly gather information about the
user and report it. The various types of spyware include:
o a Web bug, a tiny graphic on a Web site that is referenced within the Hypertext Markup
Language (HTML) content of a Web page or e-mail to collect information about the user
viewing the HTML content;
o a tracking cookie, which is placed on the user’s computer to track the user’s activity on
different Web sites and create a detailed profile of the user’s behavior.
 Adware is any software program intended for marketing purposes such as that used to deliver and
display advertising banners or popups to the user’s screen or tracking the user’s online usage or
purchasing activity.

2. Hoaxes
A more devious attack on computer systems is the transmission of a virus hoax with a real virus attached.
When the attack is masked in a seemingly legitimate message, unsuspecting users more readily distribute
it. Even though these users are trying to do the right thing to avoid infection, they end up sending the attack
on to their coworkers and friends and infecting many users along the way.
 INFORMATION ASSURANCE AND SECURITY 1 23

3. Back Doors
Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access
to a system or network resource through a back door. Sometimes these entries are left behind by system
designers or maintenance staff, and thus are called trap doors. A trap door is hard to detect, because very
often the programmer who puts it in place also makes the access exempt from the usual audit logging
features of the system.

4. Password Crack
Attempting to reverse-calculate a password is often called cracking. A cracking attack is a component of
many dictionary attacks. It is used when a copy of the Security Account Manager (SAM) data file, which
contains hashed representation of the user’s password, can be obtained. A password can be hashed using
the same algorithm and compared to the hashed results. If they are the same, the password has been cracked.

5. Brute Force
The application of computing and network resources to try every possible password combination is called
a brute force attack. Since the brute force attack is often used to obtain passwords to commonly used
accounts, it is sometimes called a password attack. If attackers can narrow the field of target accounts, they
can devote more time and resources to these accounts. That is one reason to always change the
manufacturer’s default administrator account names and passwords.

6. Dictionary Attack
The dictionary attack is a variation of the brute force attack which narrows the field by selecting specific
target accounts and using a list of commonly used passwords (the dictionary) instead of random
combinations. Organizations can use similar dictionaries to disallow passwords during the reset process
and thus guard against easy-to-guess passwords. In addition, rules requiring numbers and/or special
characters in passwords make the dictionary attack less effective.

7. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests
to a target. So many requests are made that the target system becomes overloaded and cannot respond to
legitimate requests for service. The system may crash or simply become unable to perform ordinary
functions.

A distributed denial-of- service (DDoS) is an attack in which a coordinated stream of requests is launched
against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation
phase in which many systems, perhaps thousands, are compromised. The compromised machines are turned
into zombies, machines that are directed remotely (usually by a transmitted command) by the attacker to
participate in the attack.

8. Spoofing
Spoofing is a technique used to gain unauthorized access to computers, wherein the intruder sends messages
with a source IP address that has been forged to indicate that the messages are coming from a trusted host.
To engage in IP spoofing, hackers use a variety of techniques to obtain trusted IP addresses, and then modify
the packet headers to insert these forged addresses. Newer routers and firewall arrangements can offer
protection against IP spoofing.
 INFORMATION ASSURANCE AND SECURITY 1 24

9. Man-in-the-Middle
In the well-known man-in-the-middle or TCP hijacking attack, an attacker monitors (or sniffs) packets
from the network, modifies them, and inserts them back into the network. This type of attack uses IP
spoofing to enable an attacker to impersonate another entity on the network. It allows the attacker to
eavesdrop as well as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking,
involves the interception of an encryption key exchange, which enables the hacker to act as an invisible
man-in-the-middle—that is, an eavesdropper—on encrypted communications.

10. Spam
Spam is unsolicited commercial e-mail. While many consider spam a trivial nuisance rather than an attack,
it has been used as a means of enhancing malicious code attacks. The most significant consequence of
spam, however, is the waste of computer and human resources. Many organizations attempt to cope with
the flood of spam by using e-mail filtering technologies. Other organizations simply tell the users of the
mail system to delete unwanted messages.

11. Mail Bombing
Another form of e-mail attack that is also a DoS is called a mail bomb, in which an attacker routes large
quantities of e-mail to the target. This can be accomplished by means of social engineering or by exploiting
various technical flaws in the Simple Mail Transport Protocol (SMTP). The target of the attack receives an
unmanageably large volume of unsolicited e-mail. By sending large e-mails with forged header information,
attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending
many e-mails to an address chosen by the attacker. If many such systems are tricked into participating in
the event, the target e-mail address is buried under thousands or even millions of unwanted e-mails.

12. Sniffers
A sniffer is a program or device that can monitor data traveling over a network. Sniffers can be used both
for legitimate network management functions and for stealing information. Unauthorized sniffers can be
extremely dangerous to a network’s security, because they are virtually impossible to detect and can be
inserted almost anywhere. This makes them a favorite weapon in the hacker’s arsenal. Sniffers often work
on TCP/IP networks, where they’re sometimes called packet sniffers. Sniffers add risk to the network,
because many systems and users send information on local networks in clear text. A sniffer program shows
all the data going by, including passwords, the data inside files—such as word-processing documents—and
screens full of sensitive data from applications.

13. Social Engineering
Social engineering is the process of using social skills to convince people to reveal access credentials or
other valuable information to the attacker. There are several social engineering techniques, which usually
involve a perpetrator posing as a person higher in the organizational hierarchy than the victim. To prepare
for this false representation, the perpetrator may have used social engineering tactics against others in the
organization to collect seemingly unrelated information that, when used together, makes the false
representation more credible.

14. Phishing
Phishing is an attempt to gain personal or financial information from an individual, usually by posing as a
legitimate entity. Phishing attacks use three primary techniques, often in combination with one another:
URL manipulation, Web site forgery, and phone phishing.
 URL manipulation, attackers send an HTML embedded e-mail message, or a hyperlink whose
HTML code opens a forged Web site.
 INFORMATION ASSURANCE AND SECURITY 1 25

 In the forged Web site, phishers publish a website by copying the design, content, and user
interface of a legitimate website.
 Phone phishing is pure social engineering. The attacker calls a victim on the telephone and
pretends to be someone they are not (a practice sometimes called pretexting) in order to gain access
to private or confidential information such as health or employment records or financial
information. They may impersonate someone who is known to the potential victim only by
reputation.

15. Pharming
Pharming is the redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the
purpose of obtaining private information. Pharming often uses Trojans, worms, or other virus technologies
to attack the Internet browser’s address bar so that the valid URL typed by the user is modified to that of
the illegitimate Web site. Pharming may also exploit the Domain Name System (DNS) by causing it to
transform the legitimate host name into the invalid site’s IP address; this form of pharming is also known
as DNS cache poisoning.

16. Timing Attack
A timing attack explores the contents of a Web browser’s cache and stores a malicious cookie on the
client’s system. The cookie (which is a small quantity of data stored by the Web browser on the local
system, at the direction of the Web server) can allow the designer to collect information on how to access
password-protected sites. Another attack by the same name involves the interception of cryptographic
elements to determine keys and encryption algorithms.

Secure Software Development
Systems consist of hardware, software, networks, data, procedures, and people using the system. Many of
the information security issues described in this chapter have their root cause in the software elements of
the system. Secure systems require secure, or at least securable, software. The development of systems and
the software they use is often accomplished using a methodology, such as the systems development life
cycle (SDLC). Many organizations recognize the need to include planning for security objectives in the
SDLC they use to create systems, and have put in place procedures to create software that is more able to
be deployed in a secure fashion. This approach to software development is known as software assurance,
or SA.

Software Assurance and the SA Common Body of Knowledge
The U.S. Department of Defense (DoD) launched a Software Assurance Initiative in 2003. This initial
process was led by Joe Jarzombek and was endorsed and supported by the Department of Homeland
Security (DHS), which joined the program in 2004. This program initiative resulted in the publication of
the Secure Software Assurance (SwA) Common Body of Knowledge (CBK).47 A working group drawn
from industry, government, and academia was formed to examine two key questions:

1. What are the engineering activities or aspects of activities that are relevant to achieving secure
software?
2. What knowledge is needed to perform these activities or aspects?

Based on the findings of this working group, and a host of existing external documents and standards, the
SwA CBK was developed and published to serve as a guideline. While this work has not yet been adopted
 INFORMATION ASSURANCE AND SECURITY 1 26

as a standard or even a policy requirement of government agencies, it serves as a strongly recommended
guide to developing more secure applications.

The SwA CBK, which is a work in progress, contains the following sections:
 Nature of Dangers
 Fundamental Concepts and Principles
 Ethics, Law, and Governance
 Secure Software Requirements
 Secure Software Design
 Secure Software Construction
 Secure Software Verification, Validation, and Evaluation
 Secure Software Tools and Methods
 Secure Software Processes
 Secure Software Project Management
 Acquisition of Secure Software
 Secure Software Sustainment

The following sections provides insight into the stages that should be incorporated into the software SDLC.

Software Design Principles
 Economy of mechanism: Keep the design as simple and small as possible.
 Fail-safe defaults: Base access decisions on permission rather than exclusion.
 Complete mediation: Every access to every object must be checked for authority.
 Open design: The design should not be secret, but rather depend on the possession of keys or
passwords.
 Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock,
rather than one.
 Least privilege: Every program and every user of the system should operate using the least set of
privileges necessary to complete the job.
 Least common mechanism: Minimize mechanisms (or shared variables) common to more than one
user and depended on by all users.
 Psychological acceptability: It is essential that the human interface be designed for ease of use, so
that users routinely and automatically apply the protection mechanisms correctly.

Software Development Security Problems
Some software development problems that result in software that is difficult or impossible to deploy in a
secure fashion have been identified as “deadly sins in software security.” These twenty problem areas in
software development (which is also called software engineering) were originally categorized by John
Viega, upon request of Amit Youran, who at the time was the Director of the Department of Homeland
Security’s National Cyber Security Division. These problem areas are the following:

1. Buffer Overruns - Buffers are used to manage mismatches in the processing rates between two
entities involved in a communication process. A buffer overrun (or buffer overflow) is an
application error that occurs when more data is sent to a program buffer than it is designed to
handle. During a buffer overrun, an attacker can make the target system execute instructions, or
the attacker can take advantage of some other unintended consequence of the failure. Sometimes
this is limited to a denial-of-service attack. In any case, data on the attacked system loses
integrity.
 INFORMATION ASSURANCE AND SECURITY 1 27

2. Command Injection - Command injection problems occur when user input is passed directly
to a compiler or interpreter. The underlying issue is the developer’s failure to ensure that
command input is validated before it is used in the program.

3. Cross-site Scripting - Cross site scripting (or XSS) occurs when an application running on a
Web server gathers data from a user in order to steal it. An attacker can use weaknesses in the
Web server environment to insert commands into a user’s browser session, so that users
ostensibly connected to a friendly Web server are, in fact, sending information to a hostile
server. This allows the attacker to acquire valuable information, such as account credentials,
account numbers, or other critical data. Often an attacker encodes a malicious link and places it
in the target server, making it look less suspicious. After the data is collected by the hostile
application, it sends what appears to be a valid response from the intended server.

4. Failure to Handle Errors - What happens when a system or application encounters a scenario
that it is not prepared to handle? Does it attempt to complete the operation (reading or writing
data or performing calculations)? Does it issue a cryptic message that only a programmer could
understand? Or does it simply stop functioning? Failure to handle errors can cause a variety of
unexpected system behaviors. Programmers are expected to anticipate problems and prepare
their application code to handle them.

5. Failure to Protect Network Traffic - Traffic on a wired network is also vulnerable to
interception in some situations. On networks using hubs instead of switches, any user can install
a packet sniffer and collect communications to and from users on that network. Periodic scans
for unauthorized packet sniffers, unauthorized connections to the network, and general
awareness of the threat can mitigate this problem.

6. Failure to Store and Protect Data Securely - Storing and protecting data securely is a large
enough issue to be the core subject of this entire text. Programmers are responsible for
integrating access controls into, and keeping secret information out of, programs. Access
controls, the subject of later chapters, regulate who, what, when, where, and how individuals
and systems interact with data. Failure to properly implement sufficiently strong access controls
makes the data vulnerable. Overly strict access controls hinder business users in the performance
of their duties, and as a result the controls may be administratively removed or bypassed.

7. Failure to Use Cryptographically Strong Random Numbers - Most modern cryptosystems,
like many other computer systems, use random number generators. Howev