CHAPTER 2:

The Need for Security

Lesson Objectives:
Upon completion of this material, you should be able to:
Demonstrate that organizations have a business need for information security
Explain why a successful information security program is the responsibility of both an organization’s general
management and IT management
Identify the threats posed to information security and the more common attacks associated with those threats,
and differentiate threats to the information within systems from attacks against the information within
systems
Describe the issues facing software developers, as well as the most common errors made by developers, and
explain how software development programs can create software that is more secure and reliable

INTRODUCTION
Unlike any other information technology program, the primary mission of an information security
program is to ensure that systems and their contents remain the same. Organizations expend hundreds of
thousands of dollars and thousands of man-hours to maintain their information systems. If threats to
information and systems didn’t exist, these resources could be used to improve the systems that support the
information. However, attacks on information systems are a daily occurrence, and the need for information
security grows along with the sophistication of such attacks.
Organizations must understand the environment in which information systems operate so that their
information security programs can address actual and potential problems.

LESSON 1: BUSINESS NEEDS FIRST, TECHNOLOGY NEEDS LAST

 Information security is unlike any other aspect of information technology. It is an arena where the
primary mission is to ensure things stay the way they are.
 If there were no threats to information and systems, we could focus on improving systems that support
the information, resulting in vast improvements in ease of use and usefulness.
 The first phase, Investigation, provides an overview of the environment in which security must operate,
and the problems that security must address.
 Information security performs four important functions for an organization:
 Protects the organization’s ability to function
 Enables the safe operation of applications implemented on the organization’s IT systems
 Protects the data the organization collects and uses
 Safeguards the technology assets in use at the organization

Protecting the Ability to Function

 Management is responsible
 Information security is
 a management issue
 a people issue
 Communities of interest must argue for information security in terms of impact and cost

1-1 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security
Enabling Safe Operation
 Organizations must create integrated, efficient, and capable applications
 Organization need environments that safeguard applications
 Management must not abdicate to the IT department its responsibility to make choices and enforce
decisions

Protecting Data
 One of the most valuable assets is data
 Without data, an organization loses its record of transactions and/or its ability to deliver value to its
customers
 An effective information security program is essential to the protection of the integrity and value of the
organization’s data

Safeguarding Technology Assets

 Organizations must have secure infrastructure services based on the size and scope of the enterprise
 Additional security services may have to be provided
 More robust solutions may be needed to replace security programs the organization has outgrown

LESSON 2: THREATS
 Management must be informed of the various kinds of threats facing the organization
 A threat is an object, person, or other entity that represents a constant danger to an asset
 By examining each threat category in turn, management effectively protects its information through
policy, education and training, and technology controls

Acts of Human Error or Failure

 Includes acts done without malicious intent
 Caused by:
 Inexperience
 Improper training
 Incorrect assumptions
 Other circumstances
 Employees are greatest threats to information security – They are closest to the organizational data
 Employee mistakes can easily lead to the following:
 revelation of classified data
 entry of erroneous data
 accidental deletion or modification of data
 storage of data in unprotected areas
 failure to protect information
 Many of these threats can be prevented with controls

Deviations in Quality of Service by Service Providers

 Situations of product or services not delivered as expected
 Information system depends on many inter-dependent support systems

1-2 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security
 Three sets of service issues that dramatically affect the availability of information and systems are
 Internet service
 Communications and other service providers
 Power irregularities
Internet Service Issues
 Loss of Internet service can lead to considerable loss in the availability of information
 organizations have sales staff and telecommuters working at remote locations
 When an organization outsources its web servers, the outsourcer assumes responsibility for
 All Internet Services
 The hardware and operating system software used to operate the web site
Communications and Other Services
 Other utility services have potential impact
 Among these are
 telephone
 water & wastewater
 trash pickup
 cable television
 natural or propane gas
 custodial services
 The threat of loss of services can lead to inability to function properly
Power Irregularities
Voltage levels can increase, decrease, or cease:
 spike – momentary increase
 surge – prolonged increase
 sag – momentary low voltage
 brownout – prolonged drop
 fault – momentary loss of power
 blackout – prolonged loss
 Electronic equipment is susceptible to fluctuations, controls can be applied to manage power quality

Espionage/Trespass
 Broad category of activities that breach confidentiality
 Unauthorized accessing of information
 Competitive intelligence vs. espionage
 Shoulder surfing can occur any place a person is accessing confidential information
 Controls implemented to mark the boundaries of an organization’s virtual territory giving notice to
trespassers that they are encroaching on the organization’s cyberspace
 Hackers uses skill, guile, or fraud to steal the property of someone else
 Generally two skill levels among hackers:
 Expert hacker
 develops software scripts and codes exploits
 usually a master of many skills
 will often create attack software and share with others
 Script kiddies
1-3 IAS 101 – Information Assurance and Security 1
CHAPTER 2:
The Need for Security
 hackers of limited skill
 use expert-written software to exploit a system
 do not usually fully understand the systems they hack
 Other terms for system rule breakers:
 Cracker - an individual who “cracks” or removes protection designed to prevent unauthorized
duplication
 Phreaker - hacks the public telephone network

Information Extortion
 Information extortion is an attacker or formerly trusted insider stealing information from a computer
system and demanding compensation for its return or non-use
 Extortion found in credit card number theft
 Individual or group who want to deliberately sabotage the operations of a computer system or business,
or perform acts of vandalism to either destroy an asset or damage the image of the organization
 These threats can range from petty vandalism to organized sabotage
 Organizations rely on image so Web defacing can lead to dropping consumer confidence and sales
 Rising threat of hacktivist or cyber-activist operations – the most extreme version is cyber-terrorism

Deliberate Acts of Theft

 Illegal taking of another’s property - physical, electronic, or intellectual
 The value of information suffers when it is copied and taken away without the owner’s knowledge
 Physical theft can be controlled - a wide variety of measures used from locked doors to guards or alarm
systems
 Electronic theft is a more complex problem to manage and control - organizations may not even know it
has occurred

Deliberate Software Attacks

 When an individual or group designs software to attack systems, they create malicious code/software
called malware
 Designed to damage, destroy, or deny service to the target systems
 Includes:
 macro virus
 boot virus
 worms
 Trojan horses
 logic bombs
 back door or trap door
 denial-of-service attacks
 polymorphic
 hoaxes
 The virus-controlled target program then carries out the virus’s plan, by replicating itself into additional
targeted systems.
 The macro virus is embedded in the automatically executing macro code, common in office productivity
software like word processors, spread sheets, and database applications.
1-4 IAS 101 – Information Assurance and Security 1
CHAPTER 2:
The Need for Security
 The boot virus, infects the key operating systems files located in a computer’s boot sector.
 Worms - malicious programs that replicate themselves constantly without requiring another program to
provide a safe environment for replication. Worms can continue replicating themselves until they
completely fill available resources, such as memory, hard drive space, and network bandwidth.
 Trojan horses - software programs that hide their true nature, and reveal their designed behavior only
when activated. Trojan horses are frequently disguised as helpful, interesting or necessary pieces of
software, such as readme.exe files often included with shareware or freeware packages.
 Back door or Trap door - A virus or worm can have a payload that installs a back door or trap door
component in a system. This allows the attacker to access the system at will with special privileges.
 Polymorphism - A threat that changes its apparent shape over time, representing a new threat not
detectable by techniques that are looking for a pre-configured signature. These threats actually evolve
variations in size and appearance to elude detection by anti-virus software programs, making detection
more of a challenge.
 Virus and Worm Hoaxes - As frustrating as viruses and worms are, perhaps more time and money is
spent on resolving virus hoaxes. Well-meaning people spread the viruses and worms when they send
e-mails warning of fictitious or virus laden threats.
VIRUS
 Virus is a computer program that attaches itself to an executable file or application.
 It can replicate itself, usually through an executable program attached to an e-mail.
 The keyword is “attaches”. A virus can not stand on its own.
 You must prevent viruses from being installed on computers in your organizations.
WORM
 A worm is a computer program that replicates and propagates itself without having to attach itself to a
host.
 Most infamous worms are Code Red and Nimda.
 Cost businesses millions of dollars in damage as a result of lost productivity
 Computer downtime and the time spent recovering lost data, reinstalling programming's, operating
systems, and hiring or contracting IT personnel.
TROJAN HORSE
 Trojan Programs disguise themselves as useful computer programs or applications and can install a
backdoor or rootkit on a computer.
BACKDOORS OR ROOTKITS
 Backdoors or rootkits are computer programs that give attackers a means of regaining access to the
attacked computer later.
SPYWARE
 A Spyware program sends info from the infected computer to the person who initiated the
spyware program on your computer
 Spyware program can register each keystroke entered.
 www.spywareguide.com

ADWARE
 Main purpose is to determine a user’s purchasing habits so that Web browsers can display
advertisements tailored to that user.
1-5 IAS 101 – Information Assurance and Security 1
CHAPTER 2:
The Need for Security
 Slow down the computer it’s running on.
 Adware sometimes displays a banner that notifies the user of its presence

Protecting against Deliberate Software Attacks

 Educating Your Users
 Many U.S. government organizations make security awareness programs mandatory, and many
private-sector companies are following their example.
 Email monthly security updates to all employees.
 Update virus signature files as soon as possible.
 Protect a network by implementing a firewall.
 Avoiding Fear Tactics
 Your approach to users or potential customers should be promoting awareness rather than
instilling fear.
 When training users, be sure to build on the knowledge they already have.

Compromises to Intellectual Property

 Intellectual property is “the ownership of ideas and control over the tangible or virtual representation of
those ideas”
 Many organizations are in business to create intellectual property
 trade secrets
 copyrights
 trademarks
 patents

FORCES OF NATURE
 Forces of nature, force majeure, or acts of God are dangerous because they are unexpected and can
occur with very little warning
 Can disrupt not only the lives of individuals, but also the storage, transmission, and use of information
 Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect infestation
 Since it is not possible to avoid many of these threats, management must implement controls to limit
damage and also prepare contingency plans for continued operations

Technical Hardware Failures or Errors

 Technical hardware failures or errors occur when a manufacturer distributes to users equipment
containing flaws
 These defects can cause the system to perform outside of expected parameters, resulting in unreliable
service or lack of availability
 Some errors are terminal, in that they result in the unrecoverable loss of the equipment
 Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that
are not easily repeated
 This category of threats comes from purchasing software with unrevealed faults
 Large quantities of computer code are written, debugged, published, and sold only to determine that not
all bugs were resolved
 Sometimes, unique combinations of certain software and hardware reveal new bugs
1-6 IAS 101 – Information Assurance and Security 1
CHAPTER 2:
The Need for Security
 Sometimes, these items aren’t errors, but are purposeful shortcuts left by programmers for honest or
dishonest reasons

Technological Obsolescence
 When the infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy
systems
 Management must recognize that when technology becomes outdated, there is a risk of loss of data
integrity to threats and attacks
 Ideally, proper planning by management should prevent the risks from technology obsolesce, but when
obsolescence is identified, management must take action

LESSON 3: Attacks
 An attack is the deliberate act that exploits vulnerability
 It is accomplished by a threat-agent to damage or steal an organization’s information or physical asset
 An exploit is a technique to compromise a system
 A vulnerability is an identified weakness of a controlled system whose controls are not present
or are no longer effective
 An attack is then the use of an exploit to achieve the compromise of a controlled system

Malicious Code
 This kind of attack includes the execution of viruses, worms, Trojan horses, and active web scripts with
the intent to destroy or steal information
 The state of the art in attacking systems in 2002 is the multi-vector worm using up to six attack vectors
to exploit a variety of vulnerabilities in commonly found information system devices

Attack Descriptions
 IP Scan and Attack – Compromised system scans random or local range of IP addresses and targets
any of several vulnerabilities known to hackers or left over from previous exploits
 Web Browsing - If the infected system has write access to any Web pages, it makes all Web content
files infectious, so that users who browse to those pages become infected
 Virus - Each infected machine infects certain common executable or script files on all computers to
which it can write with virus code that can cause infection
 Unprotected Shares - using file shares to copy viral component to all reachable locations
 Mass Mail - sending e-mail infections to addresses found in address book
 Simple Network Management Protocol - SNMP vulnerabilities used to compromise and infect
 Hoaxes - A more devious approach to attacking computer systems is the transmission of a virus hoax,
with a real virus attached
 Back Doors - Using a known or previously unknown and newly discovered access mechanism, an
attacker can gain access to a system or network resource
 Password Crack - Attempting to reverse calculate a password
 Brute Force - The application of computing and network resources to try every possible combination of
options of a password

1-7 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security
 Dictionary - The dictionary password attack narrows the field by selecting specific accounts to attack
and uses a list of commonly used passwords (the dictionary) to guide guesses
 Denial-of-service (DoS) –
 attacker sends a large number of connection or information requests to a target
 so many requests are made that the target system cannot handle them successfully along with
other, legitimate requests for service
 may result in a system crash, or merely an inability to perform ordinary functions
 Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of requests is
launched against a target from many locations at the same time
 Spoofing - technique used to gain unauthorized access whereby the intruder sends messages to a
computer with an IP address indicating that the message is coming from a trusted host
 Man-in-the-Middle - an attacker sniffs packets from the network, modifies them, and inserts them back
into the network
 Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather than an attack, it
is emerging as a vector for some attacks
 Mail-bombing - another form of e-mail attack that is also a DoS, in which an attacker routes large
quantities of e-mail to the target
 Sniffers - a program and/or device that can monitor data traveling over a network. Sniffers can be used
both for legitimate network management functions and for stealing information from a network
 Social Engineering - within the context of information security, the process of using social skills to
convince people to reveal access credentials or other valuable information to the attacker
 “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems,
biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby.
They got everything.”
 “brick attack” – the best configured firewall in the world can’t stand up to a well placed brick
 Buffer Overflow –
 application error occurs when more data is sent to a buffer than it can handle
 when the buffer overflows, the attacker can make the target system execute instructions, or the
attacker can take advantage of some other unintended consequence of the failure
 Usually the attacker fill the overflow buffer with executable program code to elevate the
attacker’s permission to that of an administrator.
 Ping of Death Attacks --
 A type of DoS attack
 Attacker creates an ICMP packet that is larger than the maximum allowed 65,535 bytes.
 The large packet is fragmented into smaller packets and reassembled at its destination.
 Destination user cannot handle the reassembled oversized packet, thereby causing the system
to crash or freeze.
 Timing Attack –
 relatively new
 works by exploring the contents of a web browser’s cache
 can allow collection of information on access to password-protected sites
 another attack by the same name involves attempting to intercept cryptographic elements to
determine keys and encryption algorithms
 Pharming
1-8 IAS 101 – Information Assurance and Security 1
CHAPTER 2:
The Need for Security
 Pharming is “the redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate
site for the purpose of obtaining private information. Pharming often uses Trojans, worms, or
other virus technologies to attack the Internet browser’s address bar so that the valid URL typed
by the user is modified to that of the illegitimate Web site. Pharming may also exploit the
Domain Name System (DNS) by causing it to transform the legitimate host name into the invalid
site’s IP address; this form of pharming is also known as DNS cache poisoning.”

LESSON 4: Secure Software Development

Secure systems require secure, or at least securable, software. The development of systems and the
software they use is often accomplished using a methodology, such as the systems development life cycle
(SDLC). Many organizations recognize the need to include planning for security objectives in the SDLC they
use to create systems, and have put in place procedures to create software that is more able to be deployed in
a secure fashion. This approach to software development is known as software assurance, or SA.

Software Design Principles

Good software development should result in a finished product that meets all of its design specifications.
Information security considerations are a critical component of those specifications, though that has not always
been true. Leaders in software development J. H. Saltzer and M. D. Schroeder note that:

The protection of information in computer systems […and] the usefulness of a set of protection
mechanisms depends upon the ability of a system to prevent security violations. In practice, producing
a system at any level of functionality that actually does prevent all such unauthorized acts has proved
to be extremely difficult. Sophisticated users of most systems are aware of at least one way to crash
the system, denying other users authorized access to stored information. Penetration exercises
involving a large number of different general-purpose systems all have shown that users can construct
programs that can obtain unauthorized access to information stored within. Even in systems designed
and implemented with security as an important objective, design and implementation flaws provide
paths that circumvent the intended access constraints. Design and construction techniques that
systematically exclude flaws are the topic of much research activity, but no complete method applicable
to the construction of large general-purpose systems exists yet…49 This statement could be about
software development in the early part of the 21st century, but actually dates back to 1975, before
information security and software assurance became critical factors for many organizations.

In this same article, the authors provide insight into what are now commonplace security principles: Economy
of mechanism:
 Economy of mechanism: Keep the design as simple and small as possible.
 Fail-safe defaults: Base access decisions on permission rather than exclusion.
 Complete mediation: Every access to every object must be checked for authority.
 Open design: The design should not be secret, but rather depend on the possession of keys or
passwords.
 Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock,
rather than one.

1-9 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security
 Least privilege: Every program and every user of the system should operate using the least set of
privileges necessary to complete the job.
 Least common mechanism: Minimize mechanisms (or shared variables) common to more than one
user and depended on by all users.
 Psychological acceptability: It is essential that the human interface be designed for ease of use, so
that users routinely and automatically apply the protection mechanisms correctly

Software Development Security Problems

Some software development problems that result in software that is difficult or impossible to deploy in a
secure fashion have been identified as “deadly sins in software security.”51 These twenty problem areas in
software development (which is also called software engineering) were originally categorized by John Viega,
upon request of Amit Youran, who at the time was the Director of the Department of Homeland Security’s
National Cyber Security Division. These problem areas are described in the following sections.

Buffer Overruns: Buffers are used to manage mismatches in the processing rates between two entities
involved in a communication process. A buffer overrun (or buffer overflow) is an application error that occurs
when more data is sent to a program buffer than it is designed to handle. During a buffer overrun, an attacker
can make the target system execute instructions, or the attacker can take advantage of some other unintended
consequence of the failure. Sometimes this is limited to a denial-of-service attack. In any case, data on the
attacked system loses integrity

Command Injection: Command injection problems occur when user input is passed directly to a compiler or
interpreter. The underlying issue is the developer’s failure to ensure that command input is validated before it is
used in the program.

Cross-site Scripting: Cross site scripting (or XSS) occurs when an application running on a Web server
gathers data from a user in order to steal it. An attacker can use weaknesses in the Web server environment to
insert commands into a user’s browser session, so that users ostensibly connected to a friendly Web server
are, in fact, sending information to a hostile server.

Failure to Handle Errors: Failure to handle errors can cause a variety of unexpected system behaviors.
Programmers are expected to anticipate problems and prepare their application code to handle them.

Failure to Protect Network Traffic: Traffic on a wired network is also vulnerable to interception in some
situations. On networks using hubs instead of switches, any user can install a packet sniffer and collect
communications to and from users on that network. Periodic scans for unauthorized packet sniffers,
unauthorized connections to the network, and general awareness of the threat can mitigate this problem.

Failure to Store and Protect Data Securely: Storing and protecting data securely is a large enough
issue to be the core subject of this entire text. Programmers are responsible for integrating access controls
into, and keeping secret information out of, programs. Failure to properly implement sufficiently strong access
controls makes the data vulnerable.

1-10 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security
The integration of secret information—such as the “hard coding” of passwords, encryption keys, or other
sensitive information—can put that information at risk of disclosure.

Failure to Use Cryptographically Strong Random Numbers: Most modern cryptosystems, like many
other computer systems, use random number generators. However, a decision support system using random
and pseudo-random numbers for Monte Carlo method forecasting does not require the same degree of rigor
and the same need for true randomness as a system that seeks to implement cryptographic procedures.

Format String Problems: Computer languages often are equipped with built-in capabilities to reformat data
while they’re outputting it. The formatting instructions are usually written as a “format string.” Unfortunately,
some programmers may use data from untrusted sources as a format string.

Neglecting Change Control: Developers use a process known as change control to ensure that the
working system delivered to users represents the intent of the developers. Once the system is in production,
change control processes ensure that only authorized changes are introduced and that all changes are
adequately tested before being released.

Improper File Access: If an attacker changes the expected location of a file by intercepting and modifying
a program code call, the attacker can force a program to use files other than the ones the program is supposed
to use. The potential for damage or disclosure is great, so it is critical to protect not only the location of the files
but also the method and communications channels by which these files are accessed.

Improper Use of SSL: Programmers use Secure Sockets Layer (SSL) to transfer sensitive data, such as
credit card numbers and other personal information, between a client and server. While most programmers
assume that using SSL guarantees security, unfortunately they more often than not mishandle this technology.
Failure to use Hypertext Transfer Protocol Secure (HTTPS), to validate the certificate authority and then
validate the certificate itself, or to validate the information against a certificate revocation list (CRL), can
compromise the security of SSL traffic.

Information Leakage: One of the most common methods of obtaining inside and classified information is
directly or indirectly from an individual, usually an employee. By warning employees against disclosing
information, organizations can protect the secrecy of their operation.

Integer Bugs (Overflows/Underflows): Although paper and pencil can deal with arbitrary numbers of
digits, the binary representations used by computers are of a particular fixed length.

Race Conditions: A race condition is a failure of a program that occurs when an unexpected ordering of
events in the execution of the program results in a conflict over access to the same system resource. A race
condition can also occur when information is stored in multiple memory threads if one thread stores information
in the wrong memory location, by accident or intent.

SQL Injection: SQL injection occurs when developers fail to properly validate user input before using it to
query a relational database.
1-11 IAS 101 – Information Assurance and Security 1
CHAPTER 2:
The Need for Security
Trusting Network Address Resolution: The Domain Name System (DNS) is a function of the World Wide
Web that converts a URL (Uniform Resource Locator) like www.course.com into the IP address of the Web
server host. This distributed model is vulnerable to attack or “poisoning.” The client accepts the first set of
information it receives and is directed to that IP address.

Unauthenticated Key Exchange : One of the biggest challenges in private key systems, which involve two
users sharing the same key, is securely getting the key to the other party. Sometimes an “out of band” courier
is used, but other times a public key system, which uses both a public and private key, is used to exchange the
key.

Use of Magic URLs and Hidden Forms: HTTP is a stateless protocol where the computer programs on
either end of the communication channel cannot rely on a guaranteed delivery of any message. This makes it
difficult for software developers to track a user’s exchanges with a Web site over multiple interactions.

Use of Weak Password-Based Systems: Failure to require sufficient password strength, and to control
incorrect password entry, is a serious security issue. Password policy can specify the number and type of
characters, the frequency of mandatory changes, and even the reusability of old passwords. Similarly, a
system administrator can regulate the permitted number of incorrect password entries that are submitted and
further improve the level of protection. Systems that do not validate passwords, or store passwords in easy-to-
access locations, are ripe for attack.

SUMMARY
 Information security performs four important functions:
o Protecting an organization’s ability to function
o Enabling the safe operation of applications implemented on the organization’s IT systems
o Protecting the data an organization collects and uses
o Safeguarding the technology assets in use at an organization
 To make sound decisions about information security, management must be informed about threats to its
people, applications, data, and information systems.
 Threats or dangers facing an organization’s people, information, and systems fall into the following fourteen
general categories:
 Replace list with:
o Compromises to intellectual property
o Deliberate software attacks
o Deviations in quality of service
o Espionage or trespass
o Forces of nature
o Human error or failure
o Information extortion
o Missing, inadequate, or incomplete organizational policy or planning
o Missing, inadequate, or incomplete controls
o Sabotage or vandalism

1-12 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security
o Theft
o Technical hardware failures or errors
o Technical software failures or errors
o Technological obsolescence
 An attack is a deliberate act that takes advantage of a vulnerability to compromise a controlled system. It is
accomplished by a threat agent that damages or steals an organization’s information or physical asset. A
vulnerability is an identified weakness in a controlled system, where controls are not present or are no
longer effective.
 Software assurance (SA)—a discipline within the area of computer security—attempts to identify the
activities involved in creating secure systems.
 Poor software development practices can introduce significant risk but by developing sound development
practices, change control and quality assurance into the process, over

Activity 1: Review Questions

1. Why is information security a management problem? What can management do that technology
cannot?
2. Why is data the most important asset an organization possesses? What other assets in the
organization require protection?
3. Which management groups are responsible for implementing information security to protect the
organization’s ability to function?
4. Why do employees constitute one of the greatest threats to information security?
5. What measures can individuals take to protect against shoulder surfing?
Activity 2: Case Exercises
Soon after the board of directors meeting, Charlie was promoted to Chief Information Security Officer, a new
position that reports to the CIO, Gladys Williams, and that was created to provide leadership for SLS’s efforts
to improve its security profile.
Questions:
1. How do Fred, Gladys, and Charlie perceive the scope and scale of the new information security effort?
2. How will Fred measure success when he evaluates Gladys’ performance for this project? How will he
evalute Charlie’s performance?
3. Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning
process?

NAME: ______________________________________ COURSE & YEAR: ___________________

ACTIVITY ANSWER SHEET

ACTIVITY 1. Review Questions

1-13 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security
1. Why is information security a management problem? What can management do that technology
cannot?

2. Why is data the most important asset an organization possesses? What other assets in the
organization require protection?

3. Which management groups are responsible for implementing information security to protect the
organization’s ability to function?

4. Why do employees constitute one of the greatest threats to information security?

1-14 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security

5. What measures can individuals take to protect against shoulder surfing?

ACTIVITY 2. Case Exercises

1. How do Fred, Gladys, and Charlie perceive the scope and scale of the new information security effort?

2. How will Fred measure success when he evaluates Gladys’ performance for this project? How will he
evalute Charlie’s performance?

1-15 IAS 101 – Information Assurance and Security 1

CHAPTER 2:
The Need for Security

3. Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning
process?

1-16 IAS 101 – Information Assurance and Security 1