Chapter 2

Uploaded by ZALMAAN YARE

Principles of Information Security, Fifth Edition

Chapter 2
The Need for Security
Learning Objectives
• Upon completion of this material, you should be able to:
– Recognize the business need for information security
– Understand the responsibility of both top management and IT management in the information security program
– Identify and differentiate threats to information systems from attacks against information systems
– List the common development failures and errors that result from poor software and system security efforts

Principles of Information Security, Fifth Edition 2


Introduction
• The primary mission of an information security program is to ensure information assets—information and the systems that house them—remain safe and useful.


Introduction
• If no threats existed, resources could be used exclusively to improve systems that contain, use, and transmit information.
• The threat of attacks on information systems is a constant concern.


Business Needs First, Technology Needs Last
• Information security performs four important functions for an organization:
– Protecting the organization’s ability to function
– Protecting the data and information the organization collects and uses
– Enabling the safe operation of applications running on the organization’s IT systems
– Safeguarding the organization’s technology assets


Threats
• Organizations must use information security to protect their information assets from threats that could lead to an attack.
• Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
• Exploit: A technique used to compromise a system.
• Vulnerability: A potential weakness in an asset or its defensive control system(s).


Threats
• Threat: A potential risk to an asset’s loss of value.
• Assets: Information and the systems that house them.


Threats
• Top management must be informed about the various threats to an organization’s people, applications, data, and information systems.
• Overall security is improving, but so is the number of potential hackers.
Threats
• The 2010–2011 CSI/FBI survey found:
– 67.1 percent of organizations had malware infections.
– 11 percent indicated system penetration by an outsider.
Compromises to Intellectual Property
• Intellectual property (IP): creation, ownership, and control of original ideas as well as the representation of those ideas


Software Piracy
• Software piracy: The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.


Deviations in Quality of Service
• An information system depends on the successful operation of many interdependent support systems.
• Internet service, communications, and power irregularities dramatically affect the availability of information and systems.


Deviations in Quality of Service (cont’d)
• Internet service issues
– Internet service provider (ISP) failures can considerably undermine the availability of information.


Deviations in Quality of Service (cont’d)
• Communications and other service provider issues
– Other utility services affect organizations: telephone, water, wastewater, trash pickup.
– Loss of these services can affect an organization’s ability to function.


Deviations in Quality of Service (cont’d)
• Power irregularities
– Lead to fluctuations such as power excesses, power shortages, and power losses
– Sensitive electronic equipment is vulnerable to, and easily damaged or destroyed by, such fluctuations
– Controls can be applied to manage power quality.

Deviations in Quality of Service (cont’d)
• Power losses


Espionage or Trespass
• Industrial espionage: The collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.
• Also known as corporate spying, which is distinguished from espionage for national security reasons.


Espionage or Trespass
• Shoulder surfing: The direct, covert observation of individual information or system use.


Espionage or Trespass (cont’d)
• Expert hacker
– Develops software scripts and program exploits
– Usually a master of many skills
– Will often create attack software and share it with others

Espionage or Trespass (cont’d)
• Unskilled hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they hack


Forces of Nature
• Forces of nature can present some of the most dangerous threats.
• They disrupt not only individual lives, but also storage, transmission, and use of information.
• Organizations must implement controls to limit damage and prepare contingency plans for continued operations.


Human Error or Failure
• Includes acts performed without malicious intent or in ignorance
• Causes include:
– Inexperience
– Improper training
– Incorrect assumptions
• Employees are among the greatest threats to an organization’s data.


Information Extortion
• Attacker steals information from a computer system and demands compensation for its return or nondisclosure.
• Also known as cyberextortion.


Sabotage or Vandalism
• Sabotage or vandalism: Losses may result from the deliberate sabotage of a computer system or business, or from acts of vandalism.
• These acts can either destroy an asset or damage the image of an organization.


Software Attacks
• Malicious software (malware) is used to overwhelm the processing capabilities of online systems or to gain access to protected systems via hidden means.
• Software attacks occur when an individual or a group designs and deploys software to attack a system.
• Software attacks include the execution of viruses, worms, Trojan horses, and back doors with the intent to destroy or steal information.
Software Attacks (cont’d)
• Types of attacks (cont’d)
– Denial-of-service (DoS): An attacker sends a large number of connection or information requests to a target.
– Distributed denial-of-service (DDoS): A coordinated stream of requests is launched against a target from many locations simultaneously.
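The DoS and DDoS definitions above, as an added example that is not part of the original slides: a rate-based detector that buckets access-log lines into fixed windows and, following the chapter's distinction, labels a burst dominated by one source as DoS and a burst spread across many sources as DDoS. The log format, the sample traffic, the thresholds and the addresses are all constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed traffic, not real data: '<ISO timestamp> <client IP> <request>'."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Normal traffic: three clients, two requests per second for ten seconds.
    for i in range(20):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} 192.0.2.{i % 3 + 1} GET /index.html")
    # DoS burst: one source sends 120 requests inside the window at 10:01:00.
    for i in range(120):
        ts = base + timedelta(minutes=1, milliseconds=80 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.5 GET /login")
    # DDoS burst: 50 sources send three requests each inside the window at 10:02:00.
    for i in range(150):
        ts = base + timedelta(minutes=2, milliseconds=60 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.{i % 50 + 1} GET /search")
    return lines


def parse_line(line):
    """Return (timestamp, client_ip) from one log line in the constructed format."""
    ts, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def detect_floods(lines, window_s=10, total_threshold=100, dominant_share=0.8):
    """Count requests per fixed window; a flood from one dominant source is DoS,
    a flood spread across many sources is DDoS (thresholds are assumptions)."""
    buckets = defaultdict(Counter)  # window start -> requests per client IP
    for line in lines:
        ts, ip = parse_line(line)
        start = ts.replace(microsecond=0)
        start -= timedelta(seconds=start.second % window_s)
        buckets[start][ip] += 1
    alerts = []
    for start in sorted(buckets):
        sources = buckets[start]
        total = sum(sources.values())
        if total < total_threshold:
            continue  # ordinary traffic volume, no alert
        top_ip, top_count = sources.most_common(1)[0]
        kind = "DoS" if top_count / total >= dominant_share else "DDoS"
        alerts.append({"window_start": start.isoformat(), "kind": kind,
                       "requests": total, "sources": len(sources), "top_source": top_ip})
    return alerts
```

Running `detect_floods(make_sample_log())` reports the 10:01:00 window as DoS from a single source and the 10:02:00 window as DDoS from 50 sources, while the normal traffic at 10:00:00 stays below the threshold.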

Software Attacks (cont’d)
• Types of attacks (cont’d)
– Pharming: An attack on a browser’s address bar that redirects users to an illegitimate site for the purpose of obtaining private information.
– Man-in-the-middle: An attacker monitors network packets, modifies them, and inserts them back into the network.
Technical Hardware Failures or Errors
• Technical hardware failures or errors: Technical defects in hardware systems can cause unexpected results, including unreliable service or lack of availability.


The Deadly Sins in Software Security
• Technical software failures or errors: Software used by systems may have purposeful or unintentional errors that result in failures, which can lead to loss of availability or unauthorized access to information.


Technological Obsolescence
• Technological obsolescence: Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems that may result in loss of availability or unauthorized access to information.


Theft
• Theft: Theft of information can result from a wide variety of attacks.
• The illegal taking of another’s physical, electronic, or intellectual property.
• Physical theft is controlled relatively easily.
• Electronic theft is a more complex problem; the evidence of the crime is not readily apparent.


Summary
• Unlike any other aspect of IT, information security’s primary mission is to ensure things stay the way they are.
• Information security performs four important functions:
– Protects organization’s ability to function
– Enables safe operation of applications implemented on organization’s IT systems
– Protects data the organization collects and uses
– Safeguards the technology assets in use at the organization