Principles of Information Security PDF

Summary

This document is a module on the need for information security, discussing the importance of information protection and its relationship to business needs. The presented material highlights the functions of information security in organizations.

Full Transcript

Module 2
The Need for Information
Security

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 1
 Module Objectives

By the end of this module, you should be able to:
2.1 Discuss the need for information security
2.2 Explain why a successful information security program is the shared
responsibility of the entire organization
2.3 List and describe the threats posed to information security and common
attacks associated with those threats
2.4 List the common information security issues that result from poor software
development efforts

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 2
 Introduction to the Need
for Information Security (1 of 2)
The primary mission of an information security program is to ensure that
information assets—information and the systems that house them—remain
safe and useful.
If threats didn’t exist, resources could be used exclusively to improve systems
that contain, use, and transmit information.
The threat of attacks on information systems is a constant concern.
Organizations must understand the environment in which information assets
reside so their information security programs can address actual and potential
problems.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 3
 Introduction to the Need
for Information Security (2 of 2)
Information security performs four important functions for an organization:
− Protecting the organization’s ability to function
− Protecting the data and information the organization collects and uses
− Enabling the safe operation of applications running on the organization’s IT
systems
− Safeguarding the organization’s technology assets

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 4
 Business Needs First
(organization’s ability to function)
When security needs and business needs collide, business wins.
Without the underlying business to generate revenue and use the information,
the information may lose value, and there would be no need for it.
If the business cannot function, information security becomes less important.
The key is to balance the needs of the organization with the need to protect
information assets, realizing that business needs come first.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 5
 Protecting Functionality

All three communities of interest are responsible for facilitating security
programs.
Implementing information security has more to do with management than
technology.
Communities of interest should address information security in terms of
business impact and cost of business interruption, rather than isolating security
as a technical problem.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 6
 Protecting Data That Organizations Collect
and Use
Without data, an organization loses its record of transactions and the ability to
deliver value to customers.
Protecting data in transmission, in processing, and at rest (storage) is a critical
aspect of information security.
Securing databases encompasses managerial, technical, and physical controls.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 7
 Enabling the Safe Operation of Applications

Organizations needs environment that safeguard applications using IT systems.
Management must continue to oversee infrastructure once in place—not
relegate it to the IT department.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 8
 Safeguarding Technology Assets in
Organizations
Organizations must employ secure infrastructure hardware appropriate to the
size and scope of the enterprise.
Additional security services may be needed as the organization grows.
More robust solutions should replace security programs the organization has
outgrown.
IT continues to add new capabilities and methods that allow organizations to
solve business information management challenges.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 9
 Information Security Threats and Attacks

Threat: A potential risk to an asset’s loss of value.
Attack: An intentional or unintentional act that can damage or otherwise
compromise information and the systems that support it.
Exploit: A technique used to compromise a system.
Vulnerability: A potential weakness in an asset or its defensive control
system(s).
Management must be informed about the various threats to an organization’s
people, applications, data, and information systems.
Overall security is improving, but the number of potential hackers is growing.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 10
 Knowledge Check Activity 1

Match the terms on the left with the definitions on the right.

Term Definition
Threat An intentional or unintentional act that can damage
Attack or otherwise compromise information and the
systems that support it.
Exploit
A potential weakness in an asset or its defensive
Vulnerability control system(s).
A potential risk to an asset’s loss of value.
A technique used to compromise a system.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 11
 Knowledge Check Activity 1: Answer

Match the terms with the definitions.
Answer:
Term Definition
Threat A potential risk to an asset’s loss of value.
Attack An intentional or unintentional act that can damage or
otherwise compromise information and the systems that
support it.
Exploit A technique used to compromise a system.
Vulnerability A potential weakness in an asset or its defensive control
system(s).

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 12
 World Internet Usage

World Regions Population Population Internet Users Penetration Growth Internet
(2020 Est.) % of World (6/30/2020) Rate (% Pop.) 2000–2020 World %
Africa 1,340,598,447 17.2% 566,138,772 42.2% 12,441% 11.7%
Asia 4,294,516,659 55.1% 2,525,033,874 58.8% 2,109% 52.2%
Europe 834,995,197 10.7% 727,848,547 87.2% 592% 15.1%
Latin America/ 654,287,232 8.4% 467,817,332 71.5% 2,489% 9.7%
Caribbean
Middle East 260,991,690 3.3% 184,856,813 70.8% 5,527% 3.8%
North America 368,869,647 4.7% 332,908,868 90.3% 208% 6.9%
Oceania/ 42,690,838 0.5% 28,917,600 67.7% 279% 0.6%
Australia
WORLD 7,796,949,710 100.0% 4,833,521,806 62.0% 1,239% 100.0%
TOTAL
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 13
 Rated Threats from Internal Sources in 2015 SEC/CISE
Survey of Threats to Information Protection (1 of 2)
From Employees or Internal Stakeholders Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Inability/unwillingness to follow established 6.6% 17.2% 33.6% 26.2% 16.4% 66%
policy
Disclosure due to insufficient training 8.1% 23.6% 29.3% 25.2% 13.8% 63%
Unauthorized access or escalation of 4.8% 24.0% 31.2% 31.2% 8.8% 63%
privileges
Unauthorized information collection/data 6.4% 26.4% 40.0% 17.6% 9.6% 60%
sniffing
Theft of on-site organizational information 10.6% 32.5% 34.1% 12.2% 10.6% 56%
assets
Theft of mobile/laptop/tablet and related/ 15.4% 29.3% 28.5% 17.9% 8.9% 55%
connected information assets
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 14
 Rated Threats from Internal Sources in 2015 SEC/CISE
Survey of Threats to Information Protection (2 of 2)
From Employees or Internal Stakeholders Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Intentional damage or destruction of 22.3% 43.0% 18.2% 13.2% 3.3% 46%
information assets
Theft or misuse of organizationally leased, 29.6% 33.6% 21.6% 10.4% 4.8% 45%
purchased, or developed software
Web site defacement 43.4% 33.6% 16.4% 4.9% 1.6% 38%
Blackmail of information release or sales 43.5% 37.1% 10.5% 6.5% 2.4% 37%

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 15
 Rated Threats from External Sources in 2015 SEC/CISE
Survey of Threats to Information Protection (1 of 2)
From Outsiders or External Stakeholders Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Unauthorized information collection/data 6.4% 14.4% 21.6% 32.8% 24.8% 71%
sniffing
Unauthorized access or escalation of 7.4% 14.0% 26.4% 31.4% 20.7% 69%
privileges
Web site defacement 8.9% 23.6% 22.8% 26.8% 17.9% 64%
Intentional damage or destruction of 14.0% 32.2% 18.2% 24.8% 10.7% 57%
information assets
Theft of mobile/laptop/tablet and related/ 20.5% 25.4% 26.2% 15.6% 12.3% 55%
connected information assets
Theft of on-site organizational information 21.1% 24.4% 25.2% 17.9% 11.4% 55%
assets
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 16
 Rated Threats from External Sources in 2015 SEC/CISE
Survey of Threats to Information Protection (2 of 2)
From Outsiders or External Stakeholders Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Blackmail of information release or sales 31.1% 30.3% 14.8% 14.8% 9.0% 48%
Disclosure due to insufficient training 34.5% 21.8% 22.7% 13.4% 7.6% 48%
Inability/unwillingness to follow 33.6% 29.4% 18.5% 6.7% 11.8% 47%
established policy
Theft or misuse of organizationally leased, 31.7% 30.1% 22.8% 9.8% 5.7% 46%
purchased, or developed software

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 17
 Perceived Threats to Information Assets in 2015 SEC/
CISE Survey of Threats to Information Protection (1 of 5)
General Threats to Information Assets Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Electronic phishing/spoofing attacks 0.8% 13.1% 16.4% 32.0% 37.7% 79%
Malware attacks 1.7% 12.4% 27.3% 36.4% 22.3% 73%
Unintentional employee/insider mistakes 2.4% 17.1% 26.8% 35.8% 17.9% 70%
Loss of trust due to information loss 4.1% 18.9% 27.0% 22.1% 27.9% 70%
Software failures or errors due to unknown 5.6% 18.5% 28.2% 33.9% 13.7% 66%
vulnerabilities in externally acquired software
Social engineering of employees/insiders 8.1% 14.6% 32.5% 34.1% 10.6% 65%
based on social media information
Social engineering of employees/insiders 8.9% 19.5% 24.4% 32.5% 14.6% 65%
based on other published information

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 18
 Perceived Threats to Information Assets in 2015 SEC/
CISE Survey of Threats to Information Protection (2 of 5)
General Threats to Information Assets Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Software failures or errors due to poorly 7.2% 21.6% 24.0% 32.0% 15.2% 65%
developed, internally created applications
SQL injections 7.6% 17.6% 31.9% 29.4% 13.4% 65%
Social engineering of employees/insiders 11.4% 19.5% 23.6% 31.7% 13.8% 63%
based on organization's Web sites
Denial of service (and distributed DoS) 8.2% 23.0% 27.9% 32.8% 8.2% 62%
attacks
Software failures or errors due to known 8.9% 23.6% 26.8% 35.8% 4.9% 61%
vulnerabilities in externally acquired software
Outdated organizational software 8.1% 28.2% 26.6% 26.6% 10.5% 61%

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 19
 Perceived Threats to Information Assets in 2015 SEC/
CISE Survey of Threats to Information Protection (3 of 5)

General Threats to Information Assets Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Loss of trust due to representation as source 9.8% 23.8% 30.3% 23.0% 13.1% 61%
of phishing/spoofing attack
Loss of trust due to Web defacement 12.4% 30.6% 31.4% 19.8% 5.8% 55%
Outdated organizational hardware 17.2% 34.4% 32.8% 12.3% 3.3% 50%
Outdated organization data format 18.7% 35.8% 26.8% 13.8% 4.9% 50%
Inability/unwillingness to establish effective 30.4% 26.4% 24.0% 13.6% 5.6% 48%
policy by management
Hardware failures or errors due to aging 19.5% 39.8% 24.4% 14.6% 1.6% 48%
equipment

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 20
 Perceived Threats to Information Assets in 2015 SEC/
CISE Survey of Threats to Information Protection (4 of 5)
General Threats to Information Assets Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Hardware failures or errors due to defective 17.9% 48.0% 24.4% 8.1% 1.6% 46%
equipment
Deviations in quality of service from other 25.2% 38.7% 25.2% 7.6% 3.4% 45%
provider
Deviations in quality of service from data 26.4% 39.7% 23.1% 7.4% 3.3% 44%
communications provider/ISP
Deviations in quality of service from 29.9% 38.5% 18.8% 9.4% 3.4% 44%
telecommunications provider/ISP (if different
from data provider)
Loss due to other natural disaster 31.0% 37.9% 23.3% 6.9% 0.9% 42%

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 21
 Perceived Threats to Information Assets in 2015 SEC/
CISE Survey of Threats to Information Protection (5 of 5)
General Threats to Information Assets Not a 2 3 4 A Severe Comp.
Threat Threat Rank
1 5
Loss due to fire 26.2% 49.2% 21.3% 3.3% 0.0% 40%
Deviations in quality of service from power 36.1% 43.4% 12.3% 5.7% 2.5% 39%
provider
Loss due to flood 33.9% 43.8% 19.8% 1.7% 0.8% 38%
Loss due to earthquake 41.7% 35.8% 15.0% 6.7% 0.8% 38%

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 22
 Common Attack Pattern Enumeration and
Classification (CAPEC)
A tool that security professionals can use to understand attacks is the Common
Attack Pattern Enumeration and Classification (CAPEC) Web site hosted by
Mitre—a nonprofit research and development organization sponsored by the
U.S. government.
This online repository can be searched for characteristics of a particular attack
or simply browsed by professionals who want additional knowledge of how
attacks occur procedurally.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 23
The 12 Categories of Threats

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 24
 The 12 Categories of Threats to Information Security
Category of Threat Attack Examples
Compromises to intellectual property Piracy, copyright infringement
Deviations in quality of service Internet service provider (ISP), power, or WAN service problems
Espionage or trespass Unauthorized access and/or data collection
Forces of nature Fire, floods, earthquakes, lightning
Human error or failure Accidents, employee mistakes
Information extortion Blackmail, information disclosure
Sabotage or vandalism Destruction of systems or information
Software attacks Viruses, worms, macros, denial of service
Technical hardware failures or errors Equipment failure
Technical software failures or errors Bugs, code problems, unknown loopholes
Technological obsolescence Antiquated or outdated technologies
Theft Illegal confiscation of equipment or information
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 25
 Compromises to Intellectual Property

Intellectual property (IP): creation, ownership, and control of original ideas as
well as the representation of those ideas
IP includes trade secrets, copyrights, trademarks, and patents.
The most common IP breaches involve software piracy.
Two watchdog organizations investigate software abuse:
− Software and Information Industry Association (SIIA)
− Business Software Alliance (BSA)
According to the BSA, in 2018, approximately 37 percent of software installed
on personal computers globally was not properly licensed.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 26
 Deviations in Quality of Service (1 of 3)

An information system depends on the successful operation of many
interdependent support systems.
Internet service, communications, and power irregularities dramatically affect
the availability of information and systems.
Services are usually arranged with a service level agreement (SLA).

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 27
Average Cost of Downtime According to
Fusion Connect

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 28
 Deviations in Quality of Service (2 of 3)

Internet service issues
− Internet service provider (ISP) failures can considerably undermine the
availability of information.
− An outsourced Web hosting provider assumes responsibility for all Internet
services as well as for the hardware and Web site operating system
software.
Communications and other service provider issues
− Other utility services affect organizations: telephone, water, wastewater,
trash pickup.
− Loss of these services can affect an organization’s ability to function.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 29
 Deviations in Quality of Service (3 of 3)

Power irregularities
− Commonplace
− Lead to fluctuations such as power excesses, power shortages, and power
losses (blackout, brownout, fault, noise, sag, spike, or surge)
− Sensitive electronic equipment vulnerable to and easily damaged/destroyed
by fluctuations
− Controls can be applied to manage power quality.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 30
 Knowledge Check Activity 2

A short-term decrease in electrical power availability is known as a _____.
a. surge
b. spike
c. sag
d. swell

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 31
 Knowledge Check Activity 2: Answer

A short-term decrease in electrical power availability is known as a _____.

Answer: c. sag

A spike (or swell) or a surge is an increase in power availability.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 32
 Espionage or Trespass (1 of 3)

Access of protected information by unauthorized individuals
Competitive intelligence techniques are legal, whereas industrial espionage
techniques are not.
Shoulder surfing can occur anywhere a person accesses confidential
information.
Acts of trespass can lead to unauthorized real or virtual actions that enable
information gatherers to enter premises or systems without permission.
Hackers use skill, guile, or fraud to bypass controls protecting others’
information.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 33
 Shoulder Surfing

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 34
 Espionage or Trespass (2 of 3)

Expert hacker
− Develops software scripts and program exploits
− Usually a master of many skills
− Will often create attack software and share with others
Unskilled hackers
− Many more unskilled hackers than expert hackers
− Use expertly written software to exploit a system
− Do not usually fully understand the systems they hack
− Also known as script kiddies or packet monkeys
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 35
 Contemporary Hacker Profile

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 36
 Espionage or Trespass (3 of 3)
Other terms for system rule breakers:
− Cracker: “cracks” or removes software protection designed to prevent
unauthorized duplication.
− Phreaker: hacks the public telephone system to make free calls or disrupt
services.
Password attacks
− Cracking
− Brute force
− Dictionary
− Rainbow tables
− Social engineering
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 37
 Password Strength (1 of 2)
Case-insensitive Passwords Using a Standard Alphabet Set
(No Numbers or Special Characters)
Password Length Odds of Cracking: 1 in (based on number of Estimated Time to Crack*
characters ^ password length):
8 208,827,064,576 0.36 seconds
9 5,429,503,678,976 9.27 seconds
10 141,167,095,653,376 4.02 minutes
11 3,670,344,486,987,780 1.74 hours
12 95,428,956,661,682,200 1.89 days
13 2,481,152,873,203,740,000 49.05 days
14 64,509,974,703,297,200,000 3.5 years
15 1,677,259,342,285,730,000,000 90.9 years
16 43,608,742,899,428,900,000,000 2,362.1 years
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 38
 Password Strength (2 of 2)
Case-sensitive Passwords Using a Standard Alphabet Set
with Numbers and 20 Special Characters
Password Length Odds of Cracking: 1 in (based on number of Estimated Time to Crack*
characters ^ password length):
8 2,044,140,858,654,980 1.0 hours
9 167,619,550,409,708,000 3.3 days
10 13,744,803,133,596,100,000 271.7 days
11 1,127,073,856,954,880,000,000 61.0 years
12 92,420,056,270,299,900,000,000 5,006.0 years
13 7,578,444,614,164,590,000,000,000 410,493.2 years
14 621,432,458,361,496,000,000,000,000 33,660,438.6 years
15 50,957,461,585,642,700,000,000,000,000 2,760,155,968.2 years
16 4,178,511,850,022,700,000,000,000,000,000 226,332,789,392.1 years
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 39
 Forces of Nature
Forces of nature can present some of the most dangerous threats.
They disrupt not only individual lives, but also storage, transmission, and use of
information.
Threats include fires, floods, earthquakes, lightning, landslides, tornados,
hurricanes, tsunamis, ESD, dust contamination, solar activity, civil unrest, and
acts of war.
Organizations must implement controls to limit damage and prepare
contingency plans for continued operations.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 40
 Human Error or Failure (1 of 2)
Includes acts performed without malicious intent or in ignorance
Causes include:
− Inexperience
− Improper training
− Incorrect assumptions
Employees are among the greatest threats to an organization’s data.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 41
The Biggest Threat—Acts of Human Error or
Failure

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 42
 Human Error or Failure (2 of 2)
Employee mistakes can easily lead to:
− Revelation of classified data
− Entry of erroneous data
− Accidental data deletion or modification
− Data storage in unprotected areas
− Failure to protect information
Many of these threats can be prevented with training, ongoing awareness
activities, and controls.
Social engineering uses social skills to convince people to reveal access
credentials or other valuable information to an attacker.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 43
 Social Engineering
“People are the weakest link. You can have the best technology; firewalls,
intrusion-detection systems, biometric devices... and somebody can call an
unsuspecting employee. That's all she wrote, baby. They got everything.” —
Kevin Mitnick
Business e-mail compromise: exploiting business e-mail systems and users
Advance-fee fraud: indicates recipient is due money and small advance fee or
personal banking information required to facilitate transfer
Phishing: attempt to gain personal/confidential information; apparent legitimate
communication hides embedded code that redirects user to third-party site

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 44
Example of a Nigerian 4-1-9 Fraud Letter

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 45
 Phishing Example: Lure

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 46
Phishing Example: Fake Website

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 47
 Information Extortion
Also known as cyberextortion
Attacker steals information from a computer system and demands
compensation for its return or nondisclosure
Common in credit card number theft

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 48
 Ransomware
Ransomware is a malware attack on the host system that denies access to the
user and then offers to provide a key to allow access back to the user’s system
and data for a fee.
There are two types of ransomware: lockscreen and encryption.
Common phishing mechanisms to get a user to download ransomware include
pop-ups indicating that illegal information or malware was detected on the
user’s system, threatening to notify law enforcement, or offering to delete the
offending material if the user clicks a link or button.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 49
Ransomware Notification Screen

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 50
 Sabotage or Vandalism
Threats can range from petty vandalism to organized sabotage.
Web site defacing can erode consumer confidence, diminishing an
organization’s sales, net worth, and reputation.
Threat of hacktivist or cyberactivist operations is rising.
Cyberterrorism/cyberwarfare: a much more sinister form of hacking

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 51
 Software Attacks (1 of 5)
Malicious software (malware) is used to overwhelm the processing
capabilities of online systems or to gain access to protected systems via hidden
means.
Software attacks occur when an individual or a group designs and deploys
software to attack a system.
When an attack makes use of malware that is not yet known by the antimalware
software companies, it is said to be a zero-day attack.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 52
 Software Attacks (2 of 5)
Types of attacks include:
− Malware (malicious code): It includes the execution of viruses, worms,
Trojan horses, and active Web scripts with the intent to destroy or steal
information.
▪ Virus: It consists of code segments that attach to existing program and take control of
access to the targeted computer.
▪ Worms: They replicate themselves until they completely fill available resources such as
memory and hard drive space.
▪ Trojan horses: malware disguised as helpful, interesting, or necessary pieces of
software
▪ Polymorphic threat: actually evolves to elude detection
▪ Virus and worm hoaxes: nonexistent malware that employees waste time spreading
awareness about
▪ Back door: gaining access to system or network using known or previously
unknown/newly discovered access mechanism
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 53
 Software Attacks (3 of 5)
Types of attacks (cont’d)
− Denial-of-service (DoS): An attacker sends a large number of connection or
information requests to a target.
▪ The target system becomes overloaded and cannot respond to legitimate
requests for service.
▪ It may result in a system crash or inability to perform ordinary functions.
− Distributed denial-of-service (DDoS): A coordinated stream of requests is
launched against a target from many locations simultaneously.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 54
The Most Dangerous Malware Attacks to Date
(1 of 2)
Malware Type Year Estimated Number Estimated Financial
of Systems Infected Damage
CIH, a.k.a. Chernobyl Memory-resident virus 1998 Unknown $250 million
Melissa Macro virus 1999 Unknown $300 million to $600
million
ILOVEYOU Virus 2000 10% of Internet $5.5 billion
Klez (and variants) Virus 2001 7.2% of Internet $19.8 billion
Code Red (and CR II) Worm 2001 400,000 servers $2.6 billion
Nimda Multivector worm 2001 Unknown Unknown
Sobig F Worm 2003 1 million $3 billion
SOL Slammer, a.k.a. Worm 2003 75,000 $950 million to $1.2 billion
Sapphire

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 55
The Most Dangerous Malware Attacks to Date
(2 of 2)
Malware Type Year Estimated Number Estimated Financial
of Systems Infected Damage
MyDoom Worm 2004 2 million $38 billion
Sasser Worm 2004 500,000 to 700,000 Unknown
Nesky Virus 2004 Less than 100,000 Unknown
Storm Worm Trojan horse virus 2006 10 million Unknown
Leap-A/Oompa-A Virus 2006 Unknown (Apple) Unknown
Conficker Worm 2009 15 million Unknown
Stutznet Worm 2009 ~200,000 Unknown

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 56
 Attack Replication Vectors (1 of 2)

Vector Description
IP scan and attack The infected system scans a range of IP addresses and service ports and targets
several vulnerabilities known to hackers or left over from previous exploits, such as
Code Red, Back Orifice, or PoizonBox.
Web browsing If the infected system has write access to any Web pages, it makes all Web content
files infectious, including.html,.asp,.cgi, and other files. Users who browse to those
pages infect their machines.
Virus Each affected machine infects common executable or script files on all computers to
which it can write, which spreads the virus code to cause further infection.
Unprotected shares Using vulnerabilities in file systems and in the way many organizations configure them,
the infected machine copies the viral component to all locations it can reach.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 57
 Attack Replication Vectors (2 of 2)

Vector Description
Mass mail By sending e-mail infections to addresses found in the address book, the affected
machine infects many other users, whose mail-reading programs automatically run the
virus program and infect even more systems.
Simple Network SNMP is used for remote management of network and computer devices. By using the
Management widely known and common passwords that were employed in early versions of this
Protocol (SNMP) protocol, the attacking program can gain control of the device. Most vendors have
closed these vulnerabilities with software upgrades.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 58
 Denial-of-Service Attacks

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 59
 Software Attacks (4 of 5)
Types of attacks (cont’d)
− Mail bombing (also a DoS): An attacker routes large quantities of e-mail to a
target to overwhelm the receiver.
− Spam (unsolicited commercial e-mail): It is considered more a nuisance than
an attack, though it is emerging as a vector for some attacks.
− Packet sniffer: It monitors data traveling over a network; it can be used both
for legitimate management purposes and for stealing information from a
network.
− Spoofing: A technique used to gain unauthorized access; an intruder
assumes a trusted IP address.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 60
 IP Spoofing Attack

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 61
 Software Attacks (5 of 5)
Types of attacks (cont’d)
− Pharming: It attacks a browser’s address bar to redirect users to an
illegitimate site for the purpose of obtaining private information.
− Man-in-the-middle: An attacker monitors the network packets, modifies them,
and inserts them back into the network.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 62
 Man-in-the-Middle Attack

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 63
 Knowledge Check Activity 3
Communications interception attacks include all of the following EXCEPT _____.
a. sniffers
b. spoofing
c. pharming
d. ransomware
e. man-in-the-middle

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 64
 Knowledge Check Activity 3: Answer
Communications interception attacks include all of the following EXCEPT _____.

Answer: c. ransomware

Each of the others involves using the communication network or procedures as a
means of attack. Ransomware uses encryption of the victim’s data as a means to
extort payment.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 65
Technical Hardware Failures or Errors (1 of 2)
They occur when a manufacturer distributes equipment containing a known or
unknown flaw.
They can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability.
Some errors are terminal, while others are intermittent.
Intel Pentium CPU failure is a notable example.
Mean time between failure and annualized failure rates measure hardware
failure rates.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 66
Technical Hardware Failures or Errors (2 of 2)
Large quantities of computer code are written, debugged, published, and sold
before all bugs are detected and resolved.
Combinations of certain software and hardware can reveal new software bugs.
Entire Web sites are dedicated to documenting bugs.
Open Web Application Security Project (OWASP) is dedicated to helping
organizations create/operate trustworthy software and publishes a list of top
security risks.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 67
 The Deadly Sins in Software Security (1 of 3)
Common failures in software development:
− SQL injection
− Web server-related vulnerabilities (XSS, XSRF, and response splitting)
− Web client-related vulnerability (XSS)
− Use of magic URLs and hidden forms
− Buffer overrun
− Format string problems
− Integer bugs (overflows/underflows)
− C++ catastrophes
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 68
 The Deadly Sins in Software Security (2 of 3)
Common failures in software development:
− Catching exceptions
− Command injection
− Failure to handle errors
− Information leakage
− Race conditions
− Poor usability
− Not updating easily
− Executing code with too much privilege
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 69
 The Deadly Sins in Software Security (3 of 3)
Common failures in software development:
− Failure to protect stored data
− Sins of mobile code
− Use of weak password-based systems
− Weak random numbers
− Using cryptography incorrectly
− Failure to protect network traffic
− Improper use of PKI, especially SSL
− Trusting network name resolution
− Neglecting change control
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 70
 Technological Obsolescence
Antiquated/outdated infrastructure can lead to unreliable and untrustworthy
systems.
Proper managerial planning should prevent technology obsolescence.
IT plays a large role.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 71
 Theft
It is the illegal taking of another’s physical, electronic, or intellectual property.
Physical theft is controlled relatively easily.
Electronic theft is a more complex problem; the evidence of crime is not readily
apparent.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 72
 Summary (1 of 4)
Information security performs four important functions:
− Information security performs four important functions to ensure that information assets
remain safe and useful: protecting the organization’s ability to function, enabling the safe
operation of applications implemented on the organization’s IT systems, protecting the data
an organization collects and uses, and safeguarding the organization’s technology assets.
− To make sound decisions about information security, management must be informed about
threats to its people, applications, data, and information systems, and the attacks they face.

− Threats are any events or circumstances that have the potential to adversely affect
operations and assets. An attack is an intentional or unintentional act that can damage or
otherwise compromise information and the systems that support it. A vulnerability is a
potential weakness in an asset or its defensive controls.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 73
 Summary (2 of 4)
Threats or dangers facing an organization’s people, information, and systems
fall into the following categories:
− Compromises to intellectual property—Intellectual property, such as trade secrets,
copyrights, trademarks, or patents, are intangible assets that may be attacked via software
piracy or the exploitation of asset protection controls.
− Deviations in quality of service—Organizations rely on services provided by others. Losses
can come from interruptions to those services.
− Espionage or trespass—Asset losses may result when electronic and human activities
breach the confidentiality of information.
− Forces of nature—A wide range of natural events can overwhelm control systems and
preparations to cause losses to data and availability.
− Human error or failure—Losses to assets may come from intentional or accidental actions
by people inside and outside the organization.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 74
 Summary (3 of 4)
Threats or dangers facing an organization’s people, information, and systems
fall into the following categories:
− Information extortion—Stolen or inactivated assets may be held hostage to extract payment
of ransom.
− Sabotage or vandalism—Losses may result from the deliberate sabotage of a computer
system or business, or from acts of vandalism. These acts can either destroy an asset or
damage the image of an organization.
− Software attacks—Losses may result when attackers use software to gain unauthorized
access to systems or cause disruptions in systems availability.
− Technical hardware failures or errors—Technical defects in hardware systems can cause
unexpected results, including unreliable service or lack of availability.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 75
 Summary (4 of 4)
Threats or dangers facing an organization’s people, information, and systems
fall into the following categories:
− Technical software failures or errors—Software used by systems may have purposeful or
unintentional errors that result in failures, which can lead to loss of availability or
unauthorized access to information.
− Technological obsolescence—Antiquated or outdated infrastructure can lead to unreliable
and untrustworthy systems that may result in loss of availability or unauthorized access to
information.
− Theft—Theft of information can result from a wide variety of attacks.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 76
 Self-Assessment
Consider this statement:
− “When security needs and business needs collide, business needs win out.”
Do you think there are times and circumstances when this is not completely
true? When might that be?
If you are working in the area of information security, what does this statement
indicate about how you should work with other units in the organization?

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 77
Information Security
User Authentication
 Outlines
◼ User Authentication techniques
 User Authentication
“The process of verifying an identity claimed by or
for a system entity.”
 Authentication Process

◼Fundamental ◼Identification step
building block ⚫ Presenting an identifier
to the security system
and primary line
of defense Verification step
⚫ Presenting or
generating
◼Basis for access authentication
information that
control and user corroborates the
accountability binding between
the entity and the
identifier
 Authentication Process
◼ An authentication process consists of two steps:

❖ Identification step: Presenting an identifier to the security system.
(Identifiers should be assigned carefully, because authenticated
identities are the basis for other security services, such as access
control service.)

❖ Verification step: Presenting or generating authentication
information that corroborates the binding between the entity and
the identifier.
 Password Authentication
◼ Widely used line of defense against intruders
❖ User provides name/login and password
❖ System compares password with the one stored for that specified
login
◼ The user ID:
❖ Determines that the user is authorized to access the system
❖ Determines the user’s privileges
❖ Is used in discretionary access control

◼ Password Authentication Benefits:
❖ Used for a long time.
❖ Integrated into many operating systems
❖ Users are familiar with them.
Password Vulnerabilities
 Countermeasures
◼ stop unauthorized access to password file
◼ intrusion detection measures
◼ account lockout mechanisms
◼ policies against using common passwords but
rather hard to guess passwords
◼ training & enforcement of policies
◼ automatic workstation logout
◼ encrypted network links
Use of Hashed
Passwords
Example:
UNIX system
Password Cracking
 Modern Approaches

◼ Complex password policy
❖ Forcing users to pick stronger passwords

However password-cracking techniques have also
improved
❖ The processing capacity available for password cracking has increased
dramatically
❖ The use of sophisticated algorithms to generate potential passwords
❖ Studying examples and structures of actual passwords in use
Password Selection Strategies
 Something User Has: Token
Authentication
◼ Most of these techniques are a combination of something the
user has and something the user knows.
◼ Objects that the user has for a purpose of authentication are
called tokens.
◼ The tokens are divided to: Memory Tokens and Smart
Tokens.
 Token Authentication
◼ object user possesses to authenticate,
e.g.
❖ magnetic stripe card
❖ memory card
❖ Smartcard/Smart tokens
 Types of Cards Used as Tokens
Card Type Defining Feature Example
Embossed Raised characters only, on Old credit card
front
Magnetic stripe Magnetic bar on back, characters on front Bank card
Memory Electronic memory inside Prepaid phone card
Smart Electronic memory and processor inside Biometric ID card
Contact Electrical contacts exposed on surface
Contactless Radio antenna embedded inside
 Memory Card/ Token
◼ store but do not process data
◼ magnetic stripe card, e.g. bank card
◼ electronic memory card
◼ used alone for physical access
◼ with password/PIN for computer use
◼ drawbacks of memory cards include:
❖ need special reader
❖ loss of token issues
❖ user dissatisfaction (Need to hold it with him)
❖ Token cost
 Smart Tokens
◼ Smart token expands the functionality of a memory
token by incorporating one or more integrated circuits
into the token itself.
◼ Smart token also requires a user to provide something
he know (ex: password) in order to "unlock" the smart
token for use.
◼ Smart token Benefits:
❖ Great flexibility.
❖ Solve many authentication problems.
❖ Greater security than memory cards.
❖ Solve the problem of electronic monitoring.
 Smart Tokens/Cards

◼Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
◼ Interface:
o Manual interfaces include a keypad and display for interaction
o Electronic interfaces communicate with a compatible reader/writer
◼ Authentication protocol:
o Classified into three categories:
Static
Dynamic password generator
Challenge-response
 Smart Cards
◼ Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols
◼ Contain:
o An entire microprocessor
Processor
Memory
I/O ports
◼ Typically include three types of memory:
o Read-only memory (ROM)
Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
Holds application data and programs
o Random access memory (RAM)
Holds temporary data generated when applications are executed
 Biometric Authentication
◼ Attempts to authenticate an individual based on
unique physical characteristics
◼ Based on pattern recognition
◼ Is technically complex and expensive when
compared to passwords and tokens
◼ Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Authentication Procedures
Two-Parity
Two-Parity
Third-parity
 ?

CSC-S 421 Dr. Mohamed Elhoseny Fall 2020-2021