Summary

This document provides an introduction to information security. It discusses the importance of protecting information from malicious software like malware. The document also touches on various concepts like confidentiality, integrity, and availability.

Full Transcript

2 Principles of Information Security Amy looked up at the help desk ticket status monitor on the wall at the end of the room. She saw that only two techni- cians were currently dispatched to user support, and because it was the day shift, four technicians were available. “Shouldn’t be lo...

2 Principles of Information Security Amy looked up at the help desk ticket status monitor on the wall at the end of the room. She saw that only two techni- cians were currently dispatched to user support, and because it was the day shift, four technicians were available. “Shouldn’t be long at all, Bob.” She hung up and typed her notes into the company’s trouble ticket tracking system. She assigned the newly generated case to the user dispatch queue, which would page the user support technician with the details in a few minutes. A moment later, Amy looked up to see Charlie Moody, the senior manager of the server administration team, walking briskly down the hall. He was being trailed by three of his senior technicians as he made a beeline from his office to the room where the company servers were kept in a carefully controlled environment. They all looked worried. Just then, Amy’s screen beeped to alert her of a new e-mail. She glanced down. The screen beeped again—and again. It started beeping constantly. She clicked the envelope icon, and after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez in the Accounting Department. The subject line said, “Wait till you see this.” The message body read, “Funniest joke you’ll see today.” Davey often sent her interesting and funny e-mails, and she clicked the file attachment icon to open the latest joke. After that click, her PC showed the Windows “please wait” cursor for a second and then the mouse pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened. Her phone rang again. She clicked the icon on her computer desktop to activate the call management software and activated her headset. “Hello, Help Desk, how can I help you?” She couldn’t greet the caller by name because her computer had not responded. “Hello, this is Erin Williams in Receiving.” Amy glanced down at her screen. Still no tracking system. She glanced up to the tally board and was surprised to see the inbound-call counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time. “Hi, Erin,” Amy said. “What’s up?” “Nothing,” Erin answered. “That’s the problem.” The rest of the call was a replay of Bob’s, except that Amy had to jot notes down on a legal pad. She couldn’t notify the user support team either. She looked at the ticket status monitor again. It had gone dark. No numbers at all. Then she saw Charlie walking quickly down the hall from the server room. His expression had changed from worried to frantic. Amy picked up the phone again. She wanted to check with her supervisor about what to do now. There was no dial tone. Introduction To Information Security Every organization, whether public or private and regardless of size, has information it wants to protect. It could be customer information, product or service information, and/or employee information. Regardless of the source, it is the organization’s job to protect the information to the best of its ability. Organizations have a responsibility to all its stakeholders to protect that information. Unfortunately, there aren’t enough security professionals to go around. As a result, everyone in the organization must have a working knowledge of how to protect the information assigned to them and how to assist in preventing the unauthorized disclosure, damage, or destruction of that information. After all, if you’re not part of the solution, you’re part of the problem. This module’s opening scenario illustrates that information risks and controls may not be in balance at SLS. Though Amy works in a technical support role to help users with their problems, she did not recall her train- ing about malicious e-mail attachments, such as worms or viruses, and fell victim to this form of attack herself. Understanding how malicious software (malware) might be the cause of a company’s problems is an important skill for information technology (IT) support staff as well as users. SLS’s management also showed signs of confu- sion and seemed to have no idea how to contain this kind of incident. If you were in Amy’s place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company? As you explore the modules of this book and learn more about information security, you will become more capable of answering these questions. But, before you can begin studying details about the discipline of information security, you must first know its history and evolution. Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 3 The history of information security begins with the concept of computer computer security security. The need for computer security arose during World War II when the first In the early days of computers, this mainframe computers were developed and used to aid computations for com- term specified the protection of the physical location and assets associ- munication code-breaking messages from enemy cryptographic devices like the ated with computer technology Enigma, shown in Figure 1-1. Multiple levels of security were implemented to pro- from outside threats, but it later tect these devices and the missions they served. This required new processes as came to represent all actions taken well as tried-and-true methods needed to maintain data confidentiality. Access to to protect computer systems from losses. sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and technologically sophisticated computer security safeguards. During these early years, information security was a straightforward process composed predominantly of physi- cal security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against products of the systems, and sabotage. One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on a MOTD (message of the day) file while another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed to every output file.1 The 1960s During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophis- ticated tasks. These mainframes required a less cumbersome process of communication than mailing magnetic tapes between computer centers. In response to this need, the U.S. Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information. In 1968, Dr. Larry Roberts developed the ARPANET project, which evolved into what we now know as the Internet. Figure 1-2 is an excerpt from his program plan. For more information on Dr. Roberts, including links to his recorded presentations, visit the Internet Hall of Fame i at www.internethalloffame.org/inductees/lawrence-roberts. Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable Source: © kamilpetran/Shutterstock.com.2 anguish to Allied forces before finally being cracked. The © kamilpetran/Shutterstock.com information gained from decrypted transmissions was used to anticipate the actions of German armed forces. ”Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn’t read it.” Figure 1-1 The Enigma Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 4 Principles of Information Security Source: Courtesy of Dr. Lawrence Roberts. Used with permission.3 Figure 1-2 Development of the ARPANET The 1970s and ’80s During the next decade, ARPANET became more popular and saw wider use, increasing the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe (pictured in Figure 1-3) identified fundamental prob- lems with ARPANET security. As one of the creators of Ethernet, a domi- nant local area networking protocol, he knew that individual remote Source: U.S. Department of Commerce. Used with permission. sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded, including vulnerability of password structure and formats, lack of safety proce- dures for dial-up connections, and nonexistent user identification and authorizations. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer secu- rity violations and the explosion in the numbers of hosts and users on ARPANET, network security was commonly referred to as network insecurity.4 For a timeline that includes seminal studies of computer security, see Table 1-1. Security that went beyond protecting physical computing devices and their locations effectively began with a single paper published by the RAND Corporation in February 1970 for the Department of Defense. RAND Report R-609 attempted to define the multiple controls and mechanisms Figure 1-3 D  r. Metcalfe receiving the National Medal of necessary for the protection of a computerized data processing system. Technology The document was classified for almost 10 years, and is now considered to be the paper that started the study of computer security. The security—or lack thereof—of systems sharing resources inside the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being acquired at a rapid rate, and securing them was a pressing concern both for the military and defense contractors. Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 5 Table 1-1 Key Dates in Information Security Date Document 1968 Maurice Wilkes discusses password security in Time-Sharing Computer Systems. 1970 Willis H. Ware authors the report “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND Report R-609,” which was not declassified until 1979. It became known as the seminal work identifying the need for computer security. 1973 Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems. 1975 The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register. 1978 Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.5 1979 Morris and Thompson author “Password Security: A Case History,” published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system. Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems. 1982 The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series. 1984 Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report, the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.6 Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore, no technique can be secure against the system administrator or other privileged users... the naive user has no chance.”7 1992 Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security. In June 1967, ARPA formed a task force to study the process of securing classified information systems. The task force was assembled in October 1967 and met regularly to formulate recommendations, which ultimately became the contents of RAND Report R-609. The document was declassified in 1979 and released as Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND Report R-609-1.8 The content of the two documents is identical with the exception of two transmittal memorandums. i For more information on the RAND Report, visit www.rand.org/pubs/reports/R609-1.html. RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide use of networking components in military information sys- tems introduced security risks that could not be mitigated by the routine practices then used to secure these systems. Figure 1-4 shows an illustration of computer network vulnerabilities from the 1979 release of this document. This paper signaled a pivotal moment in computer security history—the scope of computer security expanded significantly from the safety of physical locations and hardware to include the following: Securing the data Limiting random and unauthorized access to that data Involving personnel from multiple levels of the organization in information security Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 6 Principles of Information Security Computer Network Vulnerabilities Radiation Taps Taps Radiation Radiation Radiation Radiation Crosstalk Crosstalk Communication lines Switching Processor center Source: RAND Report R-609-1. Used with permission.9 Hardware Files Improper connections Theft Cross coupling Operator Copying Systems Programmer Remote Replace supervisor Unauthorized access Disable protective features Consoles Reveal protective measures Provide “ins” Hardware Reveal protective measures Failure of protection circuits Maintenance Man Access contribute to software failures Disable hardware devices Attachment of recorders Software Use stand-alone utility programs Bugs User Failure of protection features Identification Access control Authentication Bounds control Subtle software etc. modifications Figure 1-4 Illustration of computer network vulnerabilities from RAND Report R-609 MULTICS Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT). i For more information on the MULTICS project, visit web.mit.edu/multics-history. In 1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. Not until the early 1970s did even the simplest component of security, the password function, become a component of UNIX. In the late 1970s, the microprocessor brought the personal computer (PC) and a new age of computing. The PC became the workhorse of modern computing, moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking—the interconnecting of PCs and mainframe computers, which enabled the entire computing community to make all its resources work together. In the early 1980s, TCP (the Transmission Control Protocol) and IP (the Internet Protocol) were developed and became the primary protocols for the ARPANET, eventually becoming the protocols used on the Internet to this day. Dur- ing the same time frame, the hierarchical Domain Name System, or DNS, was developed. The first dial-up Internet service provider (ISP)—The World, operated by Standard Tool & Die—came online, allowing home users to access the Internet. Prior to that, vendors like CompuServe, GEnie, Prodigy, and Delphi had provided dial-up access for online computer ser- vices, while independent bulletin board systems (BBSs) became popular for sharing information among their subscribers. i For more information on the history of the Internet, visit www.livescience.com/20727-internet-history.html. Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 7 In the mid-1980s, the U.S. government passed several key pieces of legislation that formalized the recognition of computer security as a critical issue for federal information systems. The Computer Fraud and Abuse Act of 1986 and the Computer Security Act of 1987 defined computer security and specified responsibilities and associated penalties. These laws and others are covered in Module 6. In 1988, the Defense Advanced Research Projects Agency (DARPA) within the Department of Defense created the Computer Emergency Response Team (CERT) to address network security. The 1990s At the close of the 20th century, networks of computers became more common, as did the need to connect them to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s after decades of being the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses. Since its inception as ARPANET, a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards because industry standards for interconnected networks did not exist. These de facto standards did little to ensure the security of infor- mation, though some degree of security was introduced as precursor technologies were widely adopted and became industry standards. However, early Internet deployment treated security as a low priority. In fact, many problems that plague e-mail on the Internet today result from this early lack of security. At that time, when all Internet and e-mail users were presumably trustworthy computer scientists, mail server authentication and e-mail encryption did not seem nec- essary. Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physi- cally secure a networked computer was lost, and the stored information became more exposed to security threats. In 1993, the first DEFCON conference was held in Las Vegas. Originally, it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials. A compelling topic was the involvement of hackers in creating an interesting venue for the exchange of information between two adversarial groups—the “white hats” of law enforcement and security professionals and the “black hats” of hackers and computer criminals. In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organi- zations. Antivirus products became extremely popular, and information security began to emerge as an independent discipline. 2000 to Present Today, the Internet brings millions of unsecured computer networks and billions of computer systems into continuous communication with each other. The security of each computer’s stored information is contingent on the security level of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyberattacks has made governments and companies more aware of the need to defend the computerized con- trol systems of utilities and other critical infrastructure. Other growing concerns are the threat of countries engaging in information warfare and the possibility that business and personal information systems could become casualties if they are undefended. Since 2000, Sarbanes–Oxley and other laws related to privacy and corporate responsibility have affected computer security. The attack on the World Trade Centers on September 11, 2001, resulted in major legislation changes related to computer security, specifically to facilitate law enforcement’s ability to collect information about terrorism. The USA PATRIOT Act of 2001 and its follow-up laws are discussed in Module 6. The 21st century also saw the massive rise in mobile computing, with smartphones and tablets possessing more computing power than early-era mainframe systems. Embedded devices have seen the creation of computing built into everyday objects in the Internet of Things (IoT). Each of these networked computing platforms brings its own set of security issues and concerns as they are connected into networks with legacy platforms and cloud-based service delivery systems. Technology that is supposed to be seamless turns out to have many connection points, each with its Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 8 Principles of Information Security own set of security and reliability vulnerabilities. The emergence of tools to deal with now-routine threats at large scale has led to the development of complete solutions for unified threat management, data loss prevention, and security information and event management. The solutions will be explored in more detail in later modules. Wireless networking, and the risks associated with it, has become ubiquitous and pervasive, with widely available connectivity providing ready access to the Internet as well as local networks that are usually ill-prepared for access by the public. This opens the local net as well as the Internet to a constant threat of anonymous attacks from very large numbers of people and devices. The threat environment has grown from the semiprofessional hacker defacing Web sites for amusement to profes- sional cybercriminals maximizing revenue from theft and extortion, as well as government-sponsored cyberwarfare groups striking military, government, and commercial targets by intent and by opportunity. The attack sources of today are well-prepared and are attacking all connected public and private systems and users. What Is Security? Security is protection. Protection from adversaries—those who would do harm, intentionally or otherwise—is the ultimate objective of security. National security, for example, is a multilayered system that protects the sovereignty of a state, its people, its resources, and its territory. Achieving the appropriate level of security for an organization also requires a multifaceted system. A successful organization should have multiple layers of security in place to protect its people, operations, physical infrastructure, functions, communications, and information. The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information.10 Figure 1-5 shows that information security includes the broad areas of information security management, data security, and net- work security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triad. The C.I.A. triad (see Figure 1-6) has been the standard security for computer security in both industry and government since the development of A state of being secure and free the mainframe. This standard is based on the three characteristics of information from danger or harm; also, the that give it value to organizations: confidentiality, integrity, and availability. The secu- actions taken to make someone or rity of these three characteristics is as important today as it has always been, but something secure. the C.I.A. triad model is generally viewed as no longer adequate in addressing the constantly changing environment. The threats to the confidentiality, integrity, and information security availability of information have evolved into a vast collection of events, including Protection of the confidentiality, accidental or intentional damage, destruction, theft, unintended or unauthorized integrity, and availability of infor- mation assets, whether in storage, modification, or other misuse from human or nonhuman threats. This vast array of processing, or transmission, via the application of policy, educa- tion, training and awareness, and TY RI GO CU technology. SE VE RN N TIO AN M A Management of CE OR I NF Information Security network security POLICY A subset of communications secu- rity; the protection of voice and Computer Security data networking components, con- Network Security Data Security nections, and content. ity ial C.I.A. triad nt In te de Data gr The industry standard for computer nfi ity & Co security since the development of the mainframe; the standard is Services based on three characteristics that Confidentiality Integrity Availability describe the attributes of infor- mation that are important to pro- Availability tect: confidentiality, integrity, and Figure 1-5 C  omponents of availability. ­information security Figure 1-6 The C.I.A. triad Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 9 constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment. The expanded model consists of a list of critical characteristics of information, which are described in the next section. C.I.A. triad terminology is used in this module because of the breadth of material that is based on it. Key Information Security Concepts This book uses many terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-7; all are covered in greater detail in subsequent modules. Access—A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability. Asset—The organizational resource that is being protected. An asset can be logical, such as a Web site, soft- ware information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect. Attack—An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running soft- ware of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. Vulnerability: SQL injection in online database Web interface Sources (top left to bottom right): © iStockphoto/tadija, Internet Explorer, © iStockphoto/darrenwise, Internet Explorer, Microsoft Excel. Threat: Theft Threat agent: Ima Hacker Exploit: Script from MadHackz Web site Attack: Ima Hacker downloads exploit from MadHackz Web site, then accesses HAL Inc.’s Web site and applies script, resulting in Loss: download of customer data Asset: HAL Inc.’s customer database Figure 1-7 Key concepts in information security Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 10 Principles of Information Security Control, safeguard, or countermeasure—Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following modules. Exploit—A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components. Exposure—A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker. Loss—A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization’s information is stolen, it has suffered a loss. Protection profile or security posture—The entire set of controls and safeguards—including policy, education, training and awareness, and technology—that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs. Risk—The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must mini- mize risk to match their risk appetite—the quantity and nature of risk they are willing to accept. Subjects and objects of attack—A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. See Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject). Threat—Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. The two terms are techni- cally distinct, but to simplify discussion, the text will continue to use the term threat to describe threat sources. Threat agent—The specific instance or a component of a threat. For example, the threat source of “trespass or espionage” is a category of potential danger to information assets, while “external professional hacker” (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as “acts of God/acts of nature.” © shooarts/Shutterstock.com to steal information across the Internet from… © Oleksiy Mark/Shutterstock.com © frank_peters/Shutterstock.com Hacker using a laptop a remote server that is the object as the subject of an attack… of the hacker’s attack. Figure 1-8 Computer as the subject and object of an attack Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 11 Threat event—An occurrence of an event caused by a threat agent. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack. Threat source—A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent “hackers,” as part of the threat source “acts of trespass or espionage,” purposely threaten unprotected information systems, while threat agent “severe storms,” as part of the threat source “acts of God/acts of nature,” incidentally threaten buildings and their contents. Vulnerability—A potential weakness in an asset or its defensive control system(s). Some examples of vulner- abilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered). Critical Characteristics of Information The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases or, more commonly, decreases. Some characteristics affect information’s value to users more than others, depending on circumstances. For example, timeliness of information can be a critical factor because information loses much or all of its value when delivered too late. Though information security profes- sionals and end users share an understanding of the characteristics of information, tensions can arise when the need to secure information from threats conflicts with the end users’ need for unhindered access to it. For instance, end users may perceive two-factor authentication in their login—which requires an acknowledgment notification on their smartphone—to be an unnecessary annoyance. Information security professionals, however, may consider two-factor authentication necessary to ensure that only authorized users access the organization’s systems and data. Each critical characteristic of information—that is, the expanded C.I.A. triad—is defined in the following sections. Confidentiality Confidentiality ensures that only users with the rights, privileges, and need to access information are able to do so. When unauthorized individuals or systems view information, its confidentiality is breached. To protect the confiden- tiality of information, you can use several measures, including the following: Information classification Secure document storage Application of general security policies Education of information custodians and end users Confidentiality, like most characteristics of information, is interdependent with other characteristics and is closely related to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Module 6. The value of confidentiality is especially high for personal information about employees, customers, or patients. People who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, a healthcare facility, or a business. Problems arise when companies disclose confidential information. confidentiality Sometimes this disclosure is intentional, but disclosure of confidential information also An attribute of information that happens by mistake—for example, when confidential information is mistakenly e-mailed describes how data is protected to someone outside the organization rather than to someone inside it. from disclosure or exposure to unauthorized individuals or systems. Other examples of confidentiality breaches include an employee throwing away a document that contains critical information without shredding it, or a hacker who suc- cessfully breaks into an internal database of a Web-based organization and steals sensi- personally identifiable information (PII) tive information about its clients, such as names, addresses, and credit card numbers. Information about a person’s his- As a consumer, you give up pieces of personal information in exchange for conve- tory, background, and attributes nience or value almost daily. By using a “members” card at a grocery store, you dis- that can be used to commit identity close some of your spending habits. When you fill out an online survey, you exchange theft; typically includes a person’s name, address, Social Security pieces of your personal history for access to online privileges. When you sign up for number, family information, a free magazine, Web resource, or free software application, you provide p ­ ersonally employment history, and financial identifiable information (PII). The bits and pieces of personal information you information. Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 12 Principles of Information Security integrity disclose may be copied, sold, replicated, distributed, and eventually coalesced into An attribute of information that profiles and even complete dossiers of you and your life. describes how data is whole, com- plete, and uncorrupted. Integrity Information has integrity when it is in its expected state and can be trusted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity, as shown by the file size. Another key method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the bit values in the file to compute a single large number called a hash value. The hash value for any combina- tion of bits is unique. If a computer system performs the same hashing algorithm on a file and obtains a different number than the file’s recorded hash value, the file has been compromised and the integrity of the information is lost. Information integrity is the cornerstone of information systems because information is of no value or use if users cannot verify its integrity. File hashing and hash values are examined in detail in Module 10. File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted. Unfortunately, even the routine use of computers can result in unintended changes to files as the equipment degrades, software malfunctions, or other “natural causes” occur. Unintentional Disclosures The number of unintentional information releases due to malicious attacks is substantial. Millions of people lose information to hackers and malware-focused attacks annually. However, organizations occasionally lose, misplace, or inadvertently release information in an event not caused by hackers or other electronic attacks. In 2020, Virgin Media, a communications company, left more than 900,000 users’ information unsecured for almost a year after one of its databases was misconfigured by employees. Also in 2020, more than 5.2 million customers of Marriott International were exposed in a data breach resulting from the misuse of two employees’ credentials. This disclosure occurred not two years after Marriott’s reservation database was breached, exposing more than 383 million guests and resulting in the loss of more than five million passport numbers.11 The Georgia Secretary of State gave out more than six million voters’ private information, including Social Security num- bers, in a breach that occurred in late 2015. The breach was found to have been caused by an employee who failed to follow established policies and procedures, and resulted in the employee being fired. While the agency claimed it recovered all copies of the data that were sent to 12 separate organizations, it was still considered a data breach. In January 2008, GE Money, a division of General Electric, revealed that a data backup tape with credit card data from approximately 650,000 customers and more than 150,000 Social Security numbers went missing from a records management company’s storage facility. Approximately 230 retailers were affected when Iron Mountain, Inc., announced it couldn’t find a magnetic tape.12 In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves in 2004. The perpetrators used stolen identities to create ostensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently. The company reported that the criminals opened many accounts and recorded personal information, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks; it was simple fraud. The fraud was feared to have allowed the perpetrators to arrange hundreds of identity thefts. The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001. The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 13 analysts noted that it was likely to influence the public debate on privacy legislation. The company claimed the mishap was caused by a programming error that occurred when patients who used a specific drug produced by Lilly signed up for an e-mail service to access company support materials. These are but a few of the multitudes of data breaches that occur regularly in the world, day in and day out. Wikipedia maintains a list of the more well-known breaches at https://en.wikipedia.org/wiki/List_of_data_breaches. For more details on information losses caused by attacks, visit Wikipedia.org and search on the terms “data i breach” and “timeline of computer security hacker history.” Availability Availability enables authorized users—people or computer systems—to access information without interference or obstruction and to receive it in the required format. Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron’s identification before the patron has free access to the book stacks. Once autho- rized patrons have access to the stacks, they expect to find the information they need in a usable format and familiar language. In this case, the information is bound in a book that is written in English. Accuracy Information has accuracy when it is free from mistakes or errors and has the value that the end user expects. If infor- mation has been intentionally or unintentionally modified, it is no longer accurate. Consider a checking account, for example. You assume that the information in your account is an accurate representation of your finances. Incorrect information in the account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much money from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account reg- availability ister. Either way, an inaccurate bank balance could cause you to make other mistakes, An attribute of information that such as bouncing a check that overdraws your account. describes how data is accessible and correctly formatted for use Authenticity without interference or obstruction. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. accuracy When you receive e-mail, you assume that a specific individual or group created and An attribute of information that transmitted the e-mail—you assume you know its origin. This is not always the case. describes how data is free of errors E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem and has the value that the user expects. for many people today because the modified field often is the address of the originator. Spoofing the sender’s address can fool e-mail recipients into thinking that the messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have. authenticity An attribute of information that Utility describes how data is genuine or original rather than reproduced or The utility of information is its usefulness. In other words, information has value fabricated. when it can serve a purpose. If information is available but is not in a meaningful format to the end user, it is not useful. For example, U.S. Census data can quickly become overwhelming and difficult for a private citizen to interpret; however, for a utility An attribute of information that politician, the same data reveals information about residents in a district—such as describes how data has value or their race, gender, and age. This information can help form a politician’s campaign usefulness for an end purpose. strategy or shape their policies and opinions on key issues. Possession possession An attribute of information that The possession of information is the quality or state of ownership or control. Infor- describes how the data’s owner- mation is said to be in one’s possession if one obtains it, independent of format or ship or control is legitimate or other characteristics. While a breach of confidentiality always results in a breach authorized. Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 14 Principles of Information Security McCumber Cube of possession, a breach of possession does not always lead to a breach of confi- A graphical representation of the dentiality. For example, assume a company stores its critical customer data using architectural approach used in an encrypted file system. An employee who has quit decides to take a copy of the computer and information secu- tape backups and sell the customer records to the competition. The removal of the rity; commonly shown as a cube composed of 3×3×3 cells, similar totapes from their secure environment is a breach of possession. Because the data a Rubik’s Cube. is encrypted, neither the former employee nor anyone else can read it without the proper decryption methods; therefore, there is no breach of confidentiality. Today, people who are caught selling company secrets face increasingly stiff fines and a strong likelihood of jail time. Also, companies are growing more reluctant to hire people who have demonstrated dishonesty in their past. Another example might be that of a ransomware attack in which a hacker encrypts impor- tant information and offers to provide the decryption key for a fee. The attack would result in a breach of possession because the owner would no longer have possession of the information. CNSS Security Model The definition of information security in this text is based in part on the National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011 (1994). The hosting organization is CNSS, which is responsible for coordinating the evaluation and publication of standards related to the protection of National Security Systems (NSS). CNSS was originally called the National Security Telecommunications and Information Systems Security Com- mittee (NSTISSC) when established in 1990 by National Security Directive (NSD) 42, National Policy for the Security of National Security Telecommunications and Information Systems. The outdated CNSS standards are expected to be replaced by a newer document from the National Institute of Standards and Technology (NIST) called Special Publication (SP) 800-16 Rev. 1 (2014), “A Role-Based Model for Federal Information Technology/Cyber Security Training,” in the near future. i For more information on CNSS and its standards, see www.cnss.gov/CNSS/issuances/Instructions.cfm. The model, which was created by John McCumber in 1991, provides a graphical representation of the architec- tural approach widely used in computer and information security; it is now known as the McCumber Cube.13 As shown in Figure 1-9, the McCumber Cube shows three dimensions. When extrapolated, the three dimensions of each axis become a 3×3×3 cube with 27 cells representing areas that must be addressed to secure today’s information systems. To ensure comprehensive system security, each of the 27 areas must be properly addressed. For example, the intersection of technology, integrity, and storage requires a set of controls or safeguards that address the need to use technology to protect the integrity of information while in storage. One such control might be a system for detecting host intrusion that protects the integrity of information by alerting security administrators to the potential y nolog n| Tech | Ed ucatio Policy Confidentiality Confidentiality gy olo hn ec |T ion Integrity Integrity at uc Ed y| lic Po Availability Availability Storage | Processing | Transmission Storage | Processing | Transmission Figure 1-9 The McCumber Cube14 Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 15 modification of a critical file. A common omission from such a model is the need for guidelines and policies that pro- vide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent modules of this book. Components Of An Information System As shown in Figure 1-10, an information system (IS) is much more than computer hardware and software; it includes multiple components, all of which work together to support personal and professional operations. Each of the IS com- ponents has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the IS also has its own security requirements. Software The software component of an IS includes applications (programs), operating systems, and assorted command utili- ties. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The IT industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls. Software carries the lifeblood of information through an organization. Unfortu- nately, software programs are often created under the constraints of project manage- ment, which limit time, costs, and manpower. Information security is all too often information system (IS) The entire set of software, hard- implemented as an afterthought rather than developed as an integral component ware, data, people, procedures, from the beginning. In this way, software programs become an easy target of acci- and networks that enable the use dental or intentional attacks. of information resources in the organization. Hardware physical security Hardware is the physical technology that houses and executes the software, stores The protection of material items, and transports the data, and provides interfaces for the entry and removal of infor- objects, or areas from unauthorized mation from the system. Physical security policies deal with hardware as a physical access and misuse. © Flamingo Images/ Shutterstock.com Shutterstock.com Shutterstock.com Shutterstock.com © Oleksiy Mark/ © Pixel-Shot/ © shooarts/ People Hardware Software Networks Shutterstock.com Shutterstock.com © Mark Agnor/ © ZinetroN/ Data Procedures © Elnur/Shutterstock.com Components of an Information System Figure 1-10 Components of an information system Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 16 Principles of Information Security asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted hardware access is possible. Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a com- puter as its owner passed it through the conveyor scanning devices. The first perpetrator entered the security area ahead of an unsuspecting target and quickly went through. Then, the second perpetrator waited behind until the target placed the computer on the baggage scanner. As the computer was whisked through, the second perpe- trator slipped ahead of the victim and entered the metal detector with a substantial collection of keys, coins, and the like, slowing the detection process and allowing the first perpetrator to grab the computer and disappear in a crowded walkway. While the security response to September 11 did tighten the security process at airports, hardware can still be stolen in offices, coffee houses, restaurants, and other public places. Although laptops and notebook computers might be worth a few thousand dollars, the information stored on them can be worth a great deal more to disreputable organizations and individuals. Consider that unless plans and procedures are in place to quickly revoke privileges on stolen devices like laptops, tablets, and smartphones, the privileged access that these devices have to cloud-based data stores could be used to steal information that is many times more valuable than the device itself. Data Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks. Systems developed in recent years are likely to make use of database management systems. When used properly, they should improve the security of the data and the applications that rely on the data. Unfortunately, many system development projects do not make full use of a database management system’s security capabilities, and in some cases, the database is implemented in ways that make it less secure than traditional file systems. Because data and information exist in physical form in many organizations as paper reports, handwritten notes, and computer printouts, the protection of physical information is as important as the protection of electronic, computer-based information. As an aside, the terms data and information are used interchangeably today. Information was originally defined as data with meaning, such as a report or statistical analysis. For our purposes, we will use the term information to represent both unprocessed data and actual information. People Though often overlooked in computer security considerations, people have always been a threat to information secu- rity. Legend has it that around 200 B.C., a great army threatened the security and stability of the Chinese empire. So ferocious were the Hun invaders that the Chinese emperor commanded the construction of a great wall that would defend against them. Around 1275 A.D., Kublai Khan finally achieved what the Huns had been trying for more than a thousand years. Initially, the Khan’s army tried to climb over, dig under, and break through the wall. In the end, the Khan simply bribed the gatekeeper—and the rest is history. Whether this event actually occurred or not, the timeless moral to the story is that people can be the weakest link in an organization’s information security program. Unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate people to obtain access information about a system. This topic is discussed in more detail in Module 2. Procedures Procedures are another frequently overlooked component of an IS. Procedures are written instructions for accomplish- ing a specific task. When an unauthorized user obtains an organization’s procedures, it poses a threat to the integrity of the information. For example, a consultant to a bank learned how to wire funds by using the computer center’s Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Module 1 Introduction to Information Security 17 procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), the bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of more than $10 million before the situation was corrected. Most organizations distribute procedures to employ- ees so they can access the information system, but many of these companies often fail to provide proper education for using the procedures safely. Educating employees about safeguarding procedures is as important as physically securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of an organization on a need-to-know basis. Networks Networking is the IS component that moves data and information between the components of the information system and has created much of the need for increased computer and information security. Prior to networking, physical security was the dominant focus when protecting information. When information systems are connected to each other to form LANs, and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. Networking technology is accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to the system’s hardware components is still important. However, when computer systems are networked, this approach is no longer enough. Steps to provide network security such as installing and configuring firewalls are essential, as is implementing intrusion detection systems to make system owners aware of ongoing compromises. The definition of what an information system is and the roles that it plays has been getting some attention in i industry and academia. As information systems have become the core elements of most organizations’ ongoing operations, do they still need to be considered anything other than the way companies do all of their business? For another view of what makes an information system, and to better understand how we might approach improving its security, you can read this article at Technopedia: www.techopedia.com/definition/24142/ information-system-is. Security And The Organization Security has to begin somewhere in the organization, and it takes a wide range of professionals to support a diverse information security program. The following sections discuss the development of security as a program and then describe typical information security responsibilities of various professional roles in an organization. Balancing Information Security and Access Even with the best planning and implementation, it is impossible to obtain perfect information security. Information security cannot be absolute: It is a process, not a goal. You can make a system available to anyone, anywhere, anytime, through any means. However, such unrestricted access poses a danger to the security of the information. On the other hand, a completely secure information system would not allow anyone access. To achieve balance—that is, to operate an information system that satisfies users and security professionals—the security level must allow reasonable access yet protect against threats. Figure 1-11 shows some of the competing voices that must be considered when balancing information security and access. Because of today’s security concerns and issues, an information system or data processing department can get too entrenched in the management and protection of systems. An imbalance can occur when the needs of the end user are undermined by obsessive focus on protecting and administering the information systems. ­Information ­security technologists and end users must recognize that both groups share the same overall goals of the ­organization— to ensure that data is available when, where, and how it is needed, with minimal delays or obstacles. In an ideal world, this level of availability can be met even after addressing concerns about loss, damage, interception, or destruction. Copyright 2022 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 18 Principles of Information Security User 1: Encrypting CISO: Encryption is e-mail is a hassle. needed to protect secrets of the organization.

Use Quizgecko on...
Browser
Browser