Principles of Information Security, 4th Ed. – Michael E. Whitman Chap 01

certify to CengageBrain substance ab utilizationr Licensed to CengageBrain substance abuser Principles of training surety, Fourth Edition Michael E. Whitman and Herbert J. Mattord infirmity President pillar, C atomic number 18r Education & reproduction Solutions Dave Garza Director of knowledge Solutions Matthew Kane Executive Editor Steve Helba Managing Editor Marah Bellegarde crossway four-in-hand Natalie Pashoukos Development Editor Lynne Raughley pillar Assistant Jennifer Wheaton Vice President Marketing, C beer Education & Training Solutions Jennifer Ann Baker Marketing Director Deborah S.Yarnell Senior Marketing Manager Erin Coffin Associate Marketing Manager Shanna Gibbs Production Manager Andrew Cr proscribedh Content Project Manager Brooke Greenhouse Senior Art Director bastard Pendleton Manufacturing Coordinator Amy Rogers Technical Edit/Quality Assurance Green Pen Quality Assurance 2012 words Technology, Cengage discipline For much culture, contact or f ind us on the realism Wide Web at www. course. com ALL RIGHTS RESERVED.No part of this work c distributively(prenominal) overed by the copy in force(p) herein whitethorn be reproduced, transmitted, stored or used in about(prenominal) form or by all means graphic, electronic, or mechanical, including moreover non limited to photocopying, recording, s bottomlandning, digitizing, taping, Web distribution, selective nurture networks, or breeding storage and retrieval brasss, except as permitted under Section 107 or 108 of the 1976 joined States Copy office Act, without the prior written permission of the publisher.For product entropy and engineering science assistance, contact us at Cengage larn Customer & Sales Support, 1-800-354-9706 For permission to use substantial from this text or product, submit totally requests online at cengage. com/permissions Further permission questions whoremonger be e branded to email entertained comLibrary of carnal knowledge Contr ol Number 2010940654 ISBN-13 978-1-111-13821-9 ISBN-10 1-111-13821-4 Course Technology 20 Channel Center Boston, MA 02210 USA Cengage acquirement is a leading provider of customized attainment solutions with force locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at inter home(a). cengage. com/region. Cengage Learning products atomic number 18 represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit course. cengage. com bribe any of our products at your local college store or at our preferred online store www. engagebrain. com. Printed in the United States of America 1 2 3 4 5 6 7 8 9 14 13 12 11 10 right of first unrestrictedation 2011 Cengage Learning. every last(predicate) Rights Reserved. may non be copied, s potentiometerned, or duplicated, in whole or in part. overdue to electronic rights, rough leash troupe mental object may be conquer from the eBook and/or eChapter(s). Editorial revue has deemed that any strangled marrowed does not materially be active the overall learning get laid. Cengage Learning reserves the right to sequester extra limit at any time if ulterior rights restrictions posit it. Licensed to CengageBrain User hapter 1 demonstration to In fix upion protective cover Do not figure on opp championnts not fill outing worry well-nigh(predicate) your own lack of preparation. BOOK OF THE FIVE RINGS For Amy, the day began like any other at the Sequential differentiate and Supply Company (SLS) succor desk. Taking calls and helping office thespians with com delegateing machine problems was not glamorous, but she enjoyed the work it was challenging and paid well. nigh of her friends in the industry worked at bigger companies, nearly at cutting-edge tech companies, but they all agreed that jobs in nurture technology were a good way to pay the bills.The yell rang, as it did on average about four time an hour and about 28 times a day. The first call of the day, from a worried substance abuser hoping Amy could help him out of a jam, seemed typical. The call display on her monitor gave whatsoever of the facts the users name, his phone number, the department in which he worked, where his office was on the association campus, and a list of all the calls hed made in the past. Hi, Bob, she said. Did you get that document formatting problem squ bed extraneous? Sure did, Amy. Hope we screw figure out whats going on this time. Well try, Bob. Tell me about it. Well, my PC is acting weird, Bob said. When I go to the screen that has my email program running, it doesnt respond to the mouse or the keyboard. Did you try a reboot yet? 1 Copyright 2011 Cengage Learning. all(a) Rights Reserved. whitethorn not be copied, s bathned, or duplicated, in whole or in part. imputable to electronic rights, some third society surfeit may be suppressed from the eBook and/or eChapter(s). Ed itorial appraise has deemed that any suppressed confine does not materially cloak the overall learning experience. Cengage Learning reserves the right to abate extra inwardness at any time if consequent rights restrictions expect it. Licensed to CengageBrain User Chapter 1 Sure did. But the window wouldnt close, and I had to turn it off. After it restarted, I candid the e-mail program, and its scarcely like it was beforeno result at all. The other pressure is working OK, but really, really slowly. hitherto my Internet browser is sluggish. OK, Bob. Weve tried the usual stuff we can do over the phone. Let me open a case, and Ill dispatch a tech over as soon as possible. Amy looked up at the LED tally board on the besiege at the end of the room. She saw that in that location were only two technicians dispatched to deskside support at the moment, and since it was the day shift, there were four available. Shouldnt be long at all, Bob. She hung up and typed her notes int o ISIS, the high societys instruction perspective and Issues clay. She assigned the immaturefoundly generated case to the deskside dispatch queue, which would page the roving deskside team with the points in just a few minutes. A moment later, Amy looked up to see Charlie Moody, the senior manager of the server government activity team, walking b stakely down the hall. He was organismness trailed by triplet of his senior technicians as he made a beeline from his office to the door of the server room where the company servers were kept in a controlled environment. They all looked worried.Just then, Amys screen beeped to alert her of a new e-mail. She glanced down. It beeped againand again. It started beeping constantly. She clicked on the envelope movie and, after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez, an acquaintance from the Accounting Department. The theater line said, Wait till you see this. Th e centre body ingest, boldness what this has to say about our managers salaries Davey often sent her interesting and funny e-mails, and she failed to notice that the file attachment video was unusual before she clicked it.Her PC showed the hourglass cursor icon for a second and then the normal pointer reappe argond. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened. Her phone rang again. She clicked the ISIS icon on her instruction processing outline desk covering to activate the call management softw are and activated her headset. Hello, Tech Support, how can I help you? She couldnt greet the caller by name because ISIS had not responded. Hello, this is Erin Williams in receiving. Amy glanced down at her screen. quiesce no ISIS.She glanced up to the tally board and was surprised to see the inbound-call-counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time. Hi, Erin, Amy said. Whats up? Nothing, Erin answered. Thats the problem. The rest of the call was a replay of Bobs, except that Amy had to jot notes down on a legal pad. She couldnt dispatch the deskside support team each. She looked at the tally board. It had gone dark. No metrical composition at all. Then she saw Charlie running down the hall from the server room. He didnt look worried anymore. He looked frantic. Amy picked up the phone again.She wanted to check with her supervisor about what to do now. there was no dial tone. Copyright 2011 Cengage Learning. All Rights Reserved. may not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party centre may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed subject field does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if later(prenominal) rights restrictions require it. Licensed to CengageBrain User cornerstone to Information Security 3LEARNING OBJECTIVES Upon consummation of this material, you should be able to Define tuition trade protection measure Recount the history of data processor warranter measures, and explain how it evolved into tuition protection Define key ground and particular concepts of learning gage Enumerate the phases of the tribute systems increase life cycle Describe the teaching trade protection berths of professionals within an musical arrangement 1 creative activity pile Anderson, executive consultant at Emagined Security, Inc. , believes schooling warranter in an enterprise is a well-informed aesthesis of assurance that the data risks and controls are in relief. He is not alone in his perspective. Many schooling bail practitioners recognize that aligning nurture shelter needs with business objectives mustiness be the top priority. This chapters opening scenario illustrates that the infor mation risks and controls are not in balance at Sequential Label and Supply. Though Amy works in a technological support role and her job is to solve technical problems, it does not occur to her that a malicious software program, like a worm or virus, strength be the agent of the companys current ills.Management also shows signs of confusion and seems to watch no paper how to contain this kind of incident. If you were in Amys place and were verbalismd with a similar situation, what would you do? How would you pit? Would it occur to you that something far more insidious than a technical malfunction was happening at your company? As you explore the chapters of this take for and learn more about information credential, you will become split able to answer these questions. But before you can begin mattering the details of the discipline of information gage, you must first know the history and evolution of the field.The History of Information Security The history of informati on security measure begins with electronic calculating machine security. The need for data processor securitythat is, the need to define physical locations, hardware, and software from threats arose during World War II when the first mainframes, developed to aid computations for communication code softening (see Figure 1-1), were put to use. Multiple levels of security were utilize to protect these mainframes and maintain the impartiality of their data.Access to warm military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The increment need to maintain national security yettually led to more complex and more technologically sophisticated figurer security safeguards. During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of e quipment, espionage against the products of the systems, and sabotage.One of the first documented security problems that fell outside these categories occurred in the early sixties, when a systems administrator was working on an MOTD Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.Licensed to CengageBrain User 4 Chapter 1 Earlier versions of the German code machine Enigma were ? rst broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the chock or Unterseeboot version of the Enigma, caused considerable anguish to Allied forces before ? nally being cracked. The information gained from decrypted transmittings was used to call up the actions of German armed forces. more or less ask why, if we were reading the Enigma, we did not win the war earlier. One susceptibility ask, instead, when, if ever, we would have won the war if we hadnt read it. 1 Figure 1-1 The Enigma Source adroitness of National Security Agency (message of the day) file, and another administrator was editing the password file. A software hemipteran mixed the two files, and the entire password file was printed on every output file. 2 The 1960s During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic magnetic tapes between information processing system centers. In response to this need, the Department of Defenses Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant, networked communication theory system to support the militarys exchange of information. Larry Roberts, known as the founder of the Internet, developed the standwhich was called ARPANETfrom its inception. ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPANET Program Plan).The 1970s and 80s During the next decade, ARPANET became popular and more wide used, and the potential for its ill-treatment grew. In December of 1973, Robert M. Bob Metcalfe, who is credited Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience.Cengage Learning reserves the right to re move additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User Introduction to Information Security 5 1 Figure 1-2 Development of the ARPANET Program Plan3 Source Courtesy of Dr. Lawrence Roberts with the suppuration of Ethernet, one of the most popular networking protocols, identified fundamental problems with ARPANET security. Individual remote sites did not have ample controls and safeguards to protect data from unauthorized remote users.Other problems abounded vulnerability of password structure and formats lack of safety procedures for dial-up tie inions and absent user appellation and authorization to the system. Phone numbers were widely distributed and openly exotericized on the walls of phone booths, giving hackers lax attack to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecuri ty. In 1978, a famous study empower Protection Analysis Final Report was published. It focused on a project undertaken by ARPA to lift up the vulnerabilities of operating(a) system security. For a timeline that holds this and other seminal studies of computer security, see Table 1-1. The movement toward security that went beyond protecting physical locations began with a one paper sponsored by the Department of Defense, the Rand Report R-609, which try to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system.The document was classified for nearly ten years, and is now considered to be the paper that started the study of computer security. The securityor lack therefromof the systems share-out resources at bottom the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being engenderd at a rapid rate and securing them was a pressing concern for both the military and abnegation contractors. Copyright 2011 Cengage Learning. All Rights Reserved.May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User 6 Chapter 1 Date 1968 1973 1975 1978 Documents Maurice Wilkes discusses password security in Time-Sharing electronic computer Systems.Schell, Downey, and Popek see to it the need for additional security in military systems in Preliminary Notes on the Design of furbish up Military Computer Systems. 5 The Federal Information Processing Standards (FIPS) realizes Digital Encryption Standard (DES) in the Federal Register. Bisbey and Hollingworth publish their study Protection Analysis Final Report, discussing the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability espial techniques in existing system software. Morris and Thompson author Password Security A Case History, published in the Communications of the Association for Computing Machinery (ACM). The paper examines the history of a design for a password security scheme on a remotely accessed, time-sharing system. Dennis Ritchie publishes On the Security of UNIX and Protection of Data File Contents, discussing make prisoner user IDs and desex group IDs, and the problems inherent in the systems. Grampp and Morris write UNIX Operating System Security. In this report, the authors examine four chief(prenominal) handles to computer security physical control of premises and computer facilities, management consignment to security objectives, education of employees, and administ rative procedures aimed at increased security. 7 Reeds and Weinberger publish File Security and the UNIX System Crypt Command. Their premise was No technique can be secure against wiretapping or its equivalent on the computer. so no technique can be secure against the systems administrator or other privileged users the simple user has no chance. 8 1979 1979 1984 1984 Table 1-1 Key Dates for Seminal Works in Early Computer Security In June of 1967, the Advanced Research Projects Agency formed a task force to study the process of securing classified information systems. The Task Force was assembled in October of 1967 and met regularly to formulate recommendations, which ultimately became the content of the Rand Report R-609. 9 The Rand Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security.It noted that the wide utilization of networking destinys in information systems in the military introduced s ecurity risks that could not be mitigated by the routine practices then used to secure these systems. 10 This paper signaled a pivotal moment in computer security historywhen the kitchen range of computer security expanded significantly from the safety of physical locations and hardware to include the adjacent Securing the data Limiting random and unauthorized access to that data Involving personnel from multiple levels of the ecesis in matters pertaining to information securityMULTICS Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience.Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User Introduction to Information Security 7 its core functions. It was a mainframe, time-sharing operating system developed in the mid1960s by a consortium of General Electric (GE), Bell Labs, and the mammy Institute of Technology (MIT). In mid-1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlro) created a new operating system called UNIX.While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text bear upon, did not require the same level of security as that of its predecessor. In fact, it was not until the early 1970s that even the simplest region of security, the password function, be came a component of UNIX. In the late 1970s, the microprocessor brought the personalized computer and a new age of computing. The PC became the workhorse of modern computing, thereby moving it out of the data center.This decentralization of data processing systems in the 1980s gave rise to networkingthat is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together. 1 The 1990s At the close of the twentieth century, networks of computers became more greenness, as did the need to connect these networks to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals.The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). A fter the Internet was commercialized, the technology became pervasive, attain almost every corner of the globe with an expanding array of uses. Since its inception as a tool for sharing Defense Department information, the Internet has become an interconnectedness of millions of networks. At first, these connections were based on de facto standards, because industry standards for interconnection of networks did not exist at that time.These de facto standards did little to ensure the security of information though as these forerunner technologies were widely adopted and became industry standards, some degree of security was introduced. However, early Internet deployment treated security as a low priority. In fact, many of the problems that plague e-mail on the Internet immediately are the result of this early lack of security. At that time, when all Internet and e-mail users were (presumably trustworthy) computer scientists, mail server genuineation and e-mail encryption did not s eem necessary.Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats. 2000 to Present Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computers stored information is now contingent upon(p) on the level of security of every other computer to which it is connected.Recent years have seen a growing sensibleness of the need to remedy information security, as well as a realization that information security is important to national defense. The growing threat of Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience.Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User 8 Chapter 1 cyber glide paths have made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure. There is also growing concern about nation-states engaging in information warfare, and the possibility that business and personal information systems could become casualties if they are undefended.What Is Security? In general, security is the prime(a) or state of being secureto be free from danger. 11 In other words, protection against adversariesfrom those who would do harm, intentionally or otherwiseis the objective. National security, for example, is a multilayered system that pr otects the sovereignty of a state, its pluss, its resources, and its people. Achieving the appropriate level of security for an presidency also requires a multifaceted system.A successful organization should have the following multiple layers of security in place to protect its operations Physical security, to protect physical items, objects, or areas from unauthorized access and misuse Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations Operations security, to protect the details of a particular operation or series of activities Communications security, to protect communications media, technology, and content Network security, to protect networking components, connections, and contents Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, homewo rk and awareness, and technology.The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. 12 Figure 1-3 shows that information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C. I. A. triangle. The C. I. A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on the three characteristics of information that keep back it value to organizations confidentiality, integrity, and availability.The security of these three characteristics of information is as important today as it has always been, but the C. I. A. triangle model no longer adequately parcel outes the constantly chang ing environment. The threats to the confidentiality, integrity, and availability of information have evolved into a vast accrual of events, including accidental or intentional prostitute, destruction, theft, unintended or unauthorized modification, or other misuse from benignant being or nonhuman threats. This new environment of many constantly evolving threats has prompted the development of a more naughty model that addresses the complexities of the current information security environment.The expanded model consists of a list of critical characteristics of information, which are described in the next Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remo ve additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User Introduction to Information Security 9 1 Information security Figure 1-3 Components of Information SecuritySource Course Technology/Cengage Learning section. C. I. A. triangle nomenclature is used in this chapter because of the breadth of material that is based on it. Key Information Security Concepts This adjudge uses a number of terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-4 all are covered in greater detail in subsequent chapters. Access A subject or objects ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have amerciable access to a system. Access controls regulate this ability.Asset The organizational resource that is being protected. An asset can be logical, such(prenominal)(prenominal) as a Web site, information, or data or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts they are what those efforts are enterpriseing to protect. Attack An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone casually reading sensitive information not intended for his or her use is a passive attack.A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a fire in a building is an unintentional attack. A direct attack is a hacker using a personal computer to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems, for example, as part of a botnet (slang for robot network). This group of compromi sed computers, running software of the attackers choosing, can operate autonomously or under the attackers direct control to attack systems and slip user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself.Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User 10 Chapter 1 Vulnerability Buffer overflow in online database Web interface nemesis Theft menace agent Ima Hac ker Exploit Script from MadHackz Web site Attack Ima Hacker downloads an exploit from MadHackz wind vane site and then accesses buybays Web site. Ima then applies the script which runs and compromises buybays security controls and steals customer data. These actions cause buybay to experience a loss. Asset buybays customer database Figure 1-4 Information Security Terms Source Course Technology/Cengage Learning Control, safeguard, or countermeasure Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, break down vulnerabilities, and otherwise improve the security within an organization.The various levels and types of controls are discussed more fully in the following chapters. Exploit A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components. Exposure A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.Loss A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organizations information is stolen, it has suffered a loss. Protection profile or security posture The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially aff ect the overall learning experience.Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User Introduction to Information Security 11 organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs. Risk The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetitethe quantity and nature of risk the organization is willing to accept. adequate to(p)s and objects A computer can be either the subject of an attackan agent entity used to conduct the attackor the object of an attackthe target entity, as shown in Figure 1-5. A computer can be both the subject and object of an attack, when, for example, it is compromised by an attac k (object), and is then used to attack other systems (subject). Threat A kinsperson of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be intention-made or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents. Threat agent The specific instance or a component of a threat.For example, all hackers in the founding present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms. Vulnerability A weaknesses or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined , documented, and published others endure latent (or undiscovered). 1 Critical Characteristics of InformationThe value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases, or, more commonly, decreases. Some characteristics affect informations value to users more than others do. This can depend on circumstances for example, timeliness of information can be a critical factor, because information loses much or all of its value when it is delivered too late. Though information security professionals and end users share an understanding of the characteristics of subject object Figure 1-5 Computer as the Subject and Object of an Attack Source Course Technology/Cengage LearningCopyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapte r(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User 12 Chapter 1 information, tensions can arise when the need to secure the information from threats conflicts with the end users need for unhindered access to the information.For instance, end users may perceive a tenth-of-a-second delay in the computation of data to be an unnecessary annoyance. Information security professionals, however, may perceive that tenth of a second as a minor delay that enables an important task, like data encryption. Each critical characteristic of informationthat is, the expanded C. I. A. triangleis defined in the sections below. Availability Availability enables authorized userspersons or computer systemsto access information without interference or stoppage and to receive it in the r equired format. Consider, for example, research libraries that require identification before entrance.Librarians protect the contents of the subroutine library so that they are available only to authorized athletic supporters. The librarian must accept a patrons identification before that patron has free access to the book stacks. Once authorized patrons have access to the contents of the stacks, they expect to find the information they need available in a working(a) format and familiar language, which in this case typically means bound in a book and written in English. Accuracy Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider, for example, a checking account.You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your checking accoun t can result from impertinent or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make mistakes, such as bouncing a check. Authenticity Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mailyou assume you know the origin of the e-mail. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today, because often the modified field is the address of the originator. Spoofing the senders address can fool e-mail recipients into thinking that messages are legitimate traffic, therefrom inducing them to open e-mail they otherwise might not have.Spoofing can also alter data being transmitted across a network, as in the case of user data protocol (UDP) packet spoofing, which can enable the attacker to get access to data stored on computing systems. some other variation on spoofing is phishing, when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization. Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law enforcement agents or private investigators. When used in a phishing attack, e-mail spoofing lures victims to a Web server that does not represent the organization it purports to, in an attempt to steal their private data such as account numbers and passwords.The most common variant s include posing as a bank or brokerage company, e-commerce organization, or Internet service provider. Even when authorized, pretexting does not always lead to a satisfactory outcome. In 2006, the CEO of Hewlett-Packard Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.Licensed to CengageBrain User Introduction to Information Security 13 Corporation, Patricia Dunn, authorized contract investigators to use pretexting to smokeout a corporate director guess of leaking confidential information. The resulting firestorm of negative publicity led to Ms. Dunns eventual departure from th e company. 13 1 Confidentiality Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is gaped.To protect the confidentiality of information, you can use a number of measures, including the following Information classification Secure document storage Application of general security policies Education of information custodians and end users Confidentiality, like most of the characteristics of information, is interdependent with other characteristics and is most closely colligate to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Chapter 3, Legal and Ethical Issues in Security. The value of confidentiality of information is especially high when it is personal i nformation about employees, customers, or patients. Individuals who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business. Problems arise when companies get around confidential information.Sometimes this disclosure is intentional, but there are times when disclosure of confidential information happens by mistakefor example, when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside the organization. Several cases of privacy violation are outlined in Offline Unintentional Disclosures. Other examples of confidentiality suspensiones are an employee throwing by a document containing critical information without shredding it, or a hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about the clients, such as names, addresses , and credit card numbers.As a consumer, you give up pieces of confidential information in exchange for convenience or value almost daily. By using a members only card at a grocery store, you disclose some of your using up habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. The bits and pieces of your information that you disclose are copied, sold, replicated, distributed, and ultimately coalesced into profiles and even complete dossiers of yourself and your life. A similar technique is used in a unlawful enterprise called salami theft. A deli worker knows he or she cannot steal an entire salami, but a few slices here or there can be taken home without notice.Eventually the deli worker has stolen a whole salami. In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticedbut eventually the employee gets something complete o r useable. ace Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User 14 Chapter 1 Offline Unintentional Disclosures In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves during 2004. The perpetrators used stolen identities to create obstensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently.The company reported that the criminals opened many accounts and enter personal information on individuals, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks it was simple fraud. 14 While the the amount of damage has yet to be compiled, the fraud is feared to have allowed the perpetrators to arrange many hundreds of instances of identity theft. The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001. The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry analysts noted that it was likely to influence the public debate on privacy legislation.The company claimed that the hazard was caused by a computer programing error that occurred when patients who used a specific drug produced by the company signed up for an e-mail s ervice to access support materials provided by the company. About 600 patient addresses were exposed in the mass e-mail. 15 In another incident, the intellectual property of Jerome Stevens Pharmaceuticals, a small prescription drug manufacturer from New York, was compromised when the FDA released documents the company had filed with the agency. It remains unclear whether this was a deliberate act by the FDA or a simple error but either way, the companys secrets were posted to a public Web site for several months before being removed. 16 damage, destruction, or other faulting of its authentic state. Corruption can occur while information is being stored or transmitted.Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity as shown by the size of the file. some other key method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value. The hash value for any combination of bits is unique. If a computer system performs the same hashing algorithm on a file and obtains a different number than the recorded hash value for that file, the file has been compromised and the integrity of the information is lost.Information integrity is the cornerstone of information systems, because information is of no value or use if users cannot verify its integrity. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions requir e it. Licensed to CengageBrain User Introduction to Information Security 15File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a perimeter with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and the error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted. 1 Utility The utility of information is the quality or state of having value for some purpose or end.Information has value when it can serve a purpose. If information is available, but is not in a format meaningful to the end user, it is not useful. For example, to a private citizen U. S. Census data can pronto become overwhelming and difficult to interpret h owever, for a politician, U. S. Census data reveals information about the residents in a district, such as their race, gender, and age. This information can help form a politicians next campaign strategy. Possession The possession of information is the quality or state of ownership or control. Information is said to be in ones possession if one obtains it, independent of format or other characteristics.While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality. For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups to sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the employee nor anyone else can read it without the proper decryption methods therefore, there is no breach of confidentiality. Today, people caught selling company secrets face increasingly stiff fines with the likelihood of jail time.Also, companies are growing more and more reluctant to necessitate individuals who have demonstrated dishonesty in their past. CNSS Security Model The definition of information security presented in this text is based in part on the CNSS document called the National Training Standard for Information Systems Security Professionals NSTISSI No. 4011. (See www. cnss. gov/Assets/pdf/nstissi_4011. pdf. Since this document was written, the NSTISSC was renamed the Committee on National Security Systems (CNSS) see www. cnss. gov. The library of documents is being renamed as the documents are rewritten. ) This document presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.The model, created by John McCumber in 1991, provides a graphical representation of the archite ctural approach widely used in computer and information security it is now known as the McCumber Cube. 17 The McCumber Cube in Figure 1-6, shows three dimensions. If extrapolated, the three dimensions of each axis become a 3 3 3 cube with 27 cells representing areas that must be addressed to secure todays information systems. To ensure system security, each of the 27 areas must be flop addressed during the security process. For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.One such control might be a system for detecting host intrusion that protects the integrity of Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User 16 Chapter 1 Figure 1-6 The McCumber Cube18 Source Course Technology/Cengage Learning information by alerting the security administrators to the potential modification of a critical file.What is commonly left out of such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent chapters of this book. Components of an Information System As shown in Figure 1-7, an information system (IS) is much more than computer hardware it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization. These six critical components enable information to be input, processed, output , and stored. Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses.Each component of the information system also has its own security requirements. Software The software component of the IS comprises applications, operating systems, and versatile command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls.Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, cost, and manpowe r. Information security is all too often implemented as an afterthought, rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User Introduction to Information Security 17 1 Figure 1-7 Components of an Information System Source Course Technology/Cengage Learning computer hardware Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfa ces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft.Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible. Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a computer as its owner passed it through the conveyor scanning devices.The first perpetrator entered the security area onward of an unsuspecting target and quickly went through. Then, the second p erpetrator waited behind the target until the target placed his/her computer on the baggage scanner. As the computer was whisked through, the second agent slipped ahead of the victim and entered the metal detector with a substantial collection of keys, coins, and the like, thereby slowing the detection process and allowing the first perpetrator to overhear the computer and disappear in a crowded walkway. While the security response to September 11, 2001 did repress the security process at airports, hardware can still be stolen in airports and other public places.Although laptops and notebook computers are worth a few thousand dollars, the information contained in them can be worth a great deal more to organizations and individuals. Data Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset possess by an organization and it is the main target of intentional attacks. Systems developed in recent years are likely to make use of database Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User 18 Chapter 1 management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects do not make full use of the database management systems security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems. People Though often overlooked in computer security considerations, people have always been a threat to information security.Legend has it that around 200 B. C. a great army threatened the security and stability of the Chinese empire. So ferocious were the invaders that the Chinese emperor butterfly commanded the construction of a great wall that would defend against the Hun invaders. Around 1275 A. D. , Kublai caravan inn finally achieved what the Huns had been trying for thousands of years. Initially, the Khans army tried to climb over, dig under, and break through the wall. In the end, the Khan plain bribed the gatekeeperand the rest is history. Whether this event actually occurred or not, the moral of the story is that people can be the weakest link in an organizations information security program.And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate the actions of people to obtain access information about a system. This topic is discussed in more detail in Chapter 2, The Need for Security. Procedures Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organizations procedures, this poses a threat to the integrity of the information.For example, a consultant to a bank learned how to wire funds by using the computer centers procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), this bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of over ten million dollars before the situation was corrected. Most organizations distribute procedures to their legitimate employees so they can access the information system, but many of these companies often fail to provide proper education on the protection of the procedures. Educating employees about safeguarding procedures is as important as physically securing the information system.After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of the organization only on a need-to-know basis. Networks The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size.Applying the traditional tools of physical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system are sti ll important but when computer systems are networked, this approach is no longer enough. Steps to provide network Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to CengageBrain User Introduction to Information Security 19 security are essential, as is the implementation of alarm and intrusion ystems to make system owners aware of ongoing compromises. 1 Balancing Information Security and Access Even with the best planning and implementation, it is unfeasible to obtain perfect information security. Recall James Anderson