Chapter 2 - AISe - Student
ATTTKT
Uploaded by hntnguyen1209

Chapter 2
The Need for Information Security

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 1
Module Objectives

By the end of this module, you should be able to:


2.1. Discuss the need for information security
2.2. List and describe the threats posed to information security and common
attacks associated with those threats

Introduction to the Need for Information Security (1 of 2)
• The primary mission of an information security program is to ensure that
information assets—information and the systems that house them—remain
safe and useful.
• If threats didn’t exist, resources could be used exclusively to improve systems
that contain, use, and transmit information.
• The threat of attacks on information systems is a constant concern.

Introduction to the Need for Information Security (2 of 2)
• Information security performs four important functions for an organization:

Information Security Threats and Attacks

• Management must be informed about the various threats to an organization’s
people, applications, data, and information systems.
• Overall security is improving, but the number of potential hackers is growing.

The 12 Categories of Threats

The 12 Categories of Threats to Information Security
Category of threat: attack examples
• Compromises to intellectual property: piracy, copyright infringement
• Deviations in quality of service: Internet service provider (ISP), power, or WAN
service problems
• Espionage or trespass: unauthorized access and/or data collection
• Forces of nature: fire, floods, earthquakes, lightning
• Human error or failure: accidents, employee mistakes
• Information extortion: blackmail, information disclosure
• Sabotage or vandalism: destruction of systems or information
• Software attacks: viruses, worms, macros, denial of service
• Technical hardware failures or errors: equipment failure
• Technical software failures or errors: bugs, code problems, unknown loopholes
• Technological obsolescence: antiquated or outdated technologies
• Theft: illegal confiscation of equipment or information
Compromises to Intellectual Property

• Intellectual property (IP): creation, ownership, and control of original ideas as
well as the representation of those ideas
• IP includes trade secrets, copyrights, trademarks, and patents.
• The most common IP breaches involve software piracy.

Deviations in Quality of Service

• An information system depends on the successful operation of many
interdependent support systems.
• Internet service, communications, and power irregularities dramatically affect
the availability of information and systems.
• Services are usually arranged with a service level agreement (SLA).

Deviations in Quality of Service

• Internet service issues
• Communications and other service provider issues
• Power irregularities

Espionage or Trespass (1 of 3)
• Access of protected information by unauthorized individuals
• Competitive intelligence techniques are legal, whereas industrial espionage
techniques are not.
• Shoulder surfing
• Acts of trespass can lead to unauthorized real or virtual actions that enable
information gatherers to enter premises or systems without permission.
• Hackers use skill, guile, or fraud to bypass controls protecting others’
information.

Espionage or Trespass (2 of 3)

• Expert hacker
• Unskilled hackers

Espionage or Trespass (3 of 3)
• Other terms for system rule breakers:
− Cracker:
− Phreaker:
• Password attacks
− Cracking
− Brute force
− Dictionary
− Rainbow tables
− Social engineering
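The dictionary and rainbow-table items above both rest on one fact: a fast, unsalted hash maps a given password to the same digest everywhere, so the work of guessing can be done once and reused. This added example (not from the textbook; wordlist, user names and passwords are constructed) shows that reuse against unsalted SHA-256 and the mitigation the slides imply, a per-user salt with a slow key-derivation function, using PBKDF2 from the standard library:

```python
# Added example (not from the textbook): why unsalted fast hashes fall to
# precomputed dictionaries and rainbow tables, and why a per-user salt plus a
# slow KDF removes the precomputation advantage. All data here is constructed.
import hashlib
import hmac
import os

# Constructed wordlist standing in for a dictionary of common passwords.
WORDLIST = ["password", "letmein", "qwerty", "Winter2024!"]


def unsalted_digest(password: str) -> str:
    """Fast, unsalted SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words):
    """One-time precomputation, the idea behind a rainbow table: digest -> word.
    Once built, every stored unsalted digest that appears in it falls to one lookup."""
    return {unsalted_digest(w): w for w in words}


def recover_unsalted(stored_digests, table):
    """Return {user: recovered_password} for every stored digest found in the table.
    Two users with the same password share a digest, so one entry covers both."""
    return {user: table[d] for user, d in stored_digests.items() if d in table}


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt. The precomputed table is useless
    because each user's hash depends on a random salt, and every guess must
    pay the full iteration count again."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str):
    """Stored record (salt, hash): the salt is random per user and need not be secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, record) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    # Two constructed users who chose the same weak password.
    stored = {"alice": unsalted_digest("password"), "bob": unsalted_digest("password")}
    print(recover_unsalted(stored, build_precomputed_table(WORDLIST)))
    a, b = store_salted("password"), store_salted("password")
    print(a[1] != b[1], verify_salted("password", a), verify_salted("letmein", a))
```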

Forces of Nature
• Forces of nature can present some of the most dangerous threats.
• They disrupt not only individual lives, but also storage, transmission, and use of
information.
• Threats include fires, floods, earthquakes, lightning, landslides, tornados,
hurricanes, tsunamis, ESD, dust contamination, solar activity, civil unrest, and
acts of war.

Human Error or Failure (1 of 2)
• Includes acts performed without malicious intent or in ignorance
• Causes include:
− Inexperience
− Improper training
− Incorrect assumptions
• Employees are among the greatest threats to an organization’s data.

Human Error or Failure (2 of 2)
• Employee mistakes can easily lead to:
− Revelation of classified data
− Entry of erroneous data
− Accidental data deletion or modification
− Data storage in unprotected areas
− Failure to protect information
• Many of these threats can be prevented with training, ongoing awareness
activities, and controls.
• Social engineering

Social Engineering
• Business e-mail compromise:
• Advance-fee fraud:
• Phishing:

Information Extortion
• Also known as cyberextortion
• Attacker steals information from a computer system and demands
compensation for its return or nondisclosure
• Common in credit card number theft

Ransomware
• Ransomware is a malware attack on the host system that denies access to the
user and then offers to provide a key to allow access back to the user’s system
and data for a fee.
• There are two types of ransomware: lockscreen and encryption.

Sabotage or Vandalism
• Threats can range from petty vandalism to organized sabotage.
• Web site defacing can erode consumer confidence, diminishing an
organization’s sales, net worth, and reputation.
• Threat of hacktivist or cyberactivist operations is rising.
• Cyberterrorism/cyberwarfare: a much more sinister form of hacking

Software Attacks (1 of 5)
• Malicious software (malware) is used to overwhelm the processing
capabilities of online systems or to gain access to protected systems via hidden
means.
• When an attack makes use of malware that is not yet known by the antimalware
software companies, it is said to be a zero-day attack.

Software Attacks (2 of 5)
• Types of attacks include:
− Malware (malicious code): It includes the execution of viruses, worms,
Trojan horses, and active Web scripts with the intent to destroy or steal
information.
▪ Virus:
▪ Worms:
▪ Trojan horses:
▪ Polymorphic threat:
▪ Virus and worm hoaxes:
▪ Back door:

Software Attacks (3 of 5)
• Types of attacks (cont’d)
− Denial-of-service (DoS): An attacker sends a large number of connection or
information requests to a target.
− Distributed denial-of-service (DDoS): A coordinated stream of requests is
launched against a target from many locations simultaneously.
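The two definitions differ in what a defender can see in the logs: a DoS shows one source far above its normal rate, while a DDoS spreads the same volume over many sources, each of which may stay under a per-source limit. This added example (not from the textbook; the access-log lines, addresses and thresholds are constructed) buckets web-server requests into time windows and raises a different alert for each pattern:

```python
# Added example (not from the textbook): telling a single-source flood (DoS) from
# a distributed flood (DDoS) in web-server access logs. Log lines, thresholds and
# IP addresses (RFC 5737 documentation ranges) are constructed for illustration.
from collections import Counter, defaultdict
from datetime import datetime


def constructed_log():
    """Synthetic Common Log Format lines, constructed to show three windows."""
    fmt = '{ip} - - [10/Mar/2024:10:00:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 512'
    lines = []
    # Window 1 (seconds 00-09): one source sends 8 requests -> single-source flood.
    lines += [fmt.format(ip="203.0.113.5", s=s) for s in range(8)]
    # Window 2 (seconds 10-19): 13 distinct sources send one request each.
    lines += [fmt.format(ip=f"198.51.100.{i}", s=10 + i % 10) for i in range(1, 14)]
    # Window 3 (seconds 20-29): ordinary traffic, three requests from one client.
    lines += [fmt.format(ip="192.0.2.7", s=20 + s) for s in range(3)]
    return lines


def parse(line):
    """Extract (client_ip, timestamp) from a Common Log Format line."""
    ip = line.split(" ", 1)[0]
    stamp = line.split("[", 1)[1].split("]", 1)[0]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def detect(lines, window_s=10, per_ip_limit=5, total_limit=12):
    """Return [(window_start_epoch, kind, detail)] alerts.
    'dos'  : a single source alone exceeds per_ip_limit in a window.
    'ddos' : no source trips per_ip_limit, yet the aggregate exceeds total_limit,
             which is exactly the case per-source rate limiting alone would miss."""
    buckets = defaultdict(Counter)
    for line in lines:
        ip, t = parse(line)
        window = int(t.timestamp()) // window_s * window_s
        buckets[window][ip] += 1
    alerts = []
    for window in sorted(buckets):
        counts = buckets[window]
        heavy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        if heavy:
            alerts.append((window, "dos", heavy))
        elif sum(counts.values()) > total_limit:
            alerts.append((window, "ddos", len(counts)))
    return alerts


if __name__ == "__main__":
    for window, kind, detail in detect(constructed_log()):
        print(datetime.utcfromtimestamp(window).time(), kind, detail)
```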

Attack Replication Vectors (1 of 2)

Vector: description
• IP scan and attack: The infected system scans a range of IP addresses and service
ports and targets several vulnerabilities known to hackers or left over from previous
exploits, such as Code Red, Back Orifice, or PoizonBox.
• Web browsing: If the infected system has write access to any Web pages, it makes all
Web content files infectious, including .html, .asp, .cgi, and other files. Users who
browse to those pages infect their machines.
• Virus: Each affected machine infects common executable or script files on all
computers to which it can write, which spreads the virus code to cause further
infection.
• Unprotected shares: Using vulnerabilities in file systems and in the way many
organizations configure them, the infected machine copies the viral component to all
locations it can reach.
Attack Replication Vectors (2 of 2)

Vector: description
• Mass mail: By sending e-mail infections to addresses found in the address book, the
affected machine infects many other users, whose mail-reading programs automatically
run the virus program and infect even more systems.
• Simple Network Management Protocol (SNMP): SNMP is used for remote management of
network and computer devices. By using the widely known and common passwords that
were employed in early versions of this protocol, the attacking program can gain
control of the device. Most vendors have closed these vulnerabilities with software
upgrades.
Denial-of-Service Attacks

Software Attacks (4 of 5)
• Types of attacks (cont’d)
− Mail bombing (also a DoS):
− Spam (unsolicited commercial e-mail):
− Packet sniffer:
− Spoofing:

IP Spoofing Attack

Software Attacks (5 of 5)
• Types of attacks (cont’d)
− Pharming:
− Man-in-the-middle:

Man-in-the-Middle Attack

Technical Hardware Failures or Errors (1 of 2)
• They occur when a manufacturer distributes equipment containing a known or
unknown flaw.
• They can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability.
• Some errors are terminal, while others are intermittent.
• Intel Pentium CPU failure is a notable example.
• Mean time between failure and annualized failure rates measure hardware
failure rates.

Technical Hardware Failures or Errors (2 of 2)
• Large quantities of computer code are written, debugged, published, and sold
before all bugs are detected and resolved.
• Combinations of certain software and hardware can reveal new software bugs.

The Deadly Sins in Software Security (1 of 3)
• Common failures in software development:
− SQL injection
− Web server-related vulnerabilities (XSS, XSRF, and response splitting)
− Web client-related vulnerability (XSS)
− Use of magic URLs and hidden forms
− Buffer overrun
− Format string problems
− Integer bugs (overflows/underflows)
− C++ catastrophes
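The first item in the list, SQL injection, comes from building query text out of user input; the fix is to bind the input as a parameter so the database driver never parses it as SQL. This added example (not from the textbook; the table, rows and inputs are constructed, using an in-memory sqlite3 database) places the vulnerable lookup beside the parameterized one and runs both on the same inputs:

```python
# Added example (not from the textbook): the SQL injection "sin" shown as the
# string-built query beside the parameterized fix. Table contents and inputs are
# constructed; sqlite3 runs in memory so the example needs no server.
import sqlite3


def make_db():
    """Constructed sample database: two users with placeholder password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hash-a"), ("bob", "hash-b")])
    return con


def lookup_vulnerable(con, name):
    """Query text built by concatenation: the input becomes part of the SQL itself,
    so a quote in the input changes the meaning of the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in con.execute(sql))


def lookup_parameterized(con, name):
    """Bound parameter: the value travels separately from the query text and is
    compared as a plain string, whatever characters it contains."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    con = make_db()
    # The textbook tautology input, used here as the defender's test case.
    tautology = "x' OR '1'='1"
    print(lookup_vulnerable(con, "alice"))        # ['alice']
    print(lookup_vulnerable(con, tautology))      # ['alice', 'bob']: filter bypassed
    print(lookup_parameterized(con, tautology))   # []: treated as a literal name
    print(lookup_parameterized(con, "bob"))       # ['bob']
```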
The Deadly Sins in Software Security (2 of 3)
• Common failures in software development:
− Catching exceptions
− Command injection
− Failure to handle errors
− Information leakage
− Race conditions
− Poor usability
− Not updating easily
− Executing code with too much privilege
The Deadly Sins in Software Security (3 of 3)
• Common failures in software development:
− Failure to protect stored data
− Sins of mobile code
− Use of weak password-based systems
− Weak random numbers
− Using cryptography incorrectly
− Failure to protect network traffic
− Improper use of PKI, especially SSL
− Trusting network name resolution
− Neglecting change control
Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable and untrustworthy
systems.
• Proper managerial planning should prevent technology obsolescence.
• IT plays a large role.

Theft
• It is the illegal taking of another’s physical, electronic, or intellectual property.
• Physical theft is controlled relatively easily.
• Electronic theft is a more complex problem; the evidence of crime is not readily
apparent.
