For Amy, the day began like any other at the Sequential Label and Supply Company (SLS) help desk. Taking calls and helping office workers with computer problems was not glamorous, but she enjoyed the work; it was challenging and paid well enough. Some of her friends in the industry worked at bigger companies, some at cutting-edge tech companies, but they all agreed that jobs in information technology were a good way to pay the bills.

The phone rang, as it did about four times an hour. The first call of the day, from a worried user hoping Amy could help him out of a jam, seemed typical. The call display on her monitor showed some of the facts: the user’s name, his phone number and department, where his office was on the company campus, and a list of his past calls to the help desk.

“Hi, Bob,” she said. “Did you get that document formatting problem squared away?”

“Sure did, Amy. Hope we can figure out what’s going on this time.”

“We’ll try, Bob. Tell me about it.”

“Well, my PC is acting weird,” Bob said. “When I go to the screen that has my e-mail program running, it doesn’t respond to the mouse or the keyboard.”

“Did you try a reboot yet?”
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
“Sure did. But the window wouldn’t close, and I had to turn my PC off. After it restarted, I opened the e-mail program, and it’s just like it was before—no response at all. The other stuff is working OK, but really, really slowly. Even my Internet browser is sluggish.”

“OK, Bob. We’ve tried the usual stuff we can do over the phone. Let me open a case, and I’ll dispatch a tech over as soon as possible.”

Amy looked up at the LED tally board on the wall at the end of the room. She saw that only two technicians were dispatched to user support at the moment, and since it was the day shift, four technicians were available. “Shouldn’t be long at all, Bob.”

She hung up and typed her notes into ISIS, the company’s Information Status and Issues System. She assigned the newly generated case to the user dispatch queue, which would page the roving user support technician with the details in a few minutes.

A moment later, Amy looked up to see Charlie Moody, the senior manager of the server administration team, walking briskly down the hall. He was being trailed by three of his senior technicians as he made a beeline from his office to the room where the company servers were kept in a carefully controlled environment. They all looked worried.

Just then, Amy’s screen beeped to alert her of a new e-mail. She glanced down. The screen beeped again—and again. It started beeping constantly. She clicked the envelope icon and, after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez in the Accounting Department. The subject line said, “Wait till you see this.” The message body read, “Funniest joke you’ll see today.” Davey often sent her interesting and funny e-mails, and she clicked the file attachment icon to open the latest joke.

After that click, her PC showed the hourglass pointer icon for a second and then the normal pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened. Her phone rang again. She clicked the ISIS icon on her computer desktop to activate the call management software and activated her headset. “Hello, Help Desk, how can I help you?” She couldn’t greet the caller by name because ISIS had not responded.

“Hello, this is Erin Williams in Receiving.”

Amy glanced down at her screen. Still no ISIS. She glanced up to the tally board and was surprised to see the inbound-call counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time.

“Hi, Erin,” Amy said. “What’s up?”

“Nothing,” Erin answered. “That’s the problem.” The rest of the call was a replay of Bob’s, except that Amy had to jot notes down on a legal pad. She couldn’t dispatch the user support team either. She looked at the tally board. It had gone dark. No numbers at all.

Then she saw Charlie running down the hall from the server room. His expression had changed from worried to frantic.

Amy picked up the phone again. She wanted to check with her supervisor about what to do now. There was no dial tone.
LEARNING OBJECTIVES:

Upon completion of this material, you should be able to:

• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• List the phases of the security systems development life cycle
• Describe the information security roles of professionals within an organization
Introduction

James Anderson, executive consultant at Emagined Security, Inc., believes information security in an enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” He is not alone in his perspective. Many information security practitioners recognize that aligning information security needs with business objectives must be the top priority.

For more information on Emagined Security Consulting, visit www.emagined.com.

This chapter’s opening scenario illustrates that information risks and controls may not be in balance at SLS. Though Amy works in a technical support role to help users with their problems, she did not recall her training about malicious e-mail attachments, such as worms or viruses, and fell victim to this form of attack herself. Understanding how malware might be the cause of a company’s problems is an important skill for information technology (IT) support staff as well as users. SLS’s management also shows signs of confusion and seems to have no idea how to contain this kind of incident. If you were in Amy’s place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company?

As you explore the chapters of this book and learn more about information security, you will become more capable of answering these questions. But, before you can begin studying details about the discipline of information security, you must first know its history and evolution.
The History of Information Security

Key Term

computer security In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.

The history of information security begins with the concept of computer security. The need for computer security arose during World War II when the first mainframe computers were developed and used to aid computations for communication code breaking, as shown in Figure 1-1. Multiple levels of security were implemented to protect these devices and the missions they served. This required new processes as well as tried-and-true methods needed to maintain data confidentiality. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and technologically sophisticated computer security safeguards.

During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against products of the systems, and sabotage. One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on a MOTD (message of the day) file and another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file. [3]
Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. “Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn’t read it.”

Figure 1-1 The Enigma [1]
Source: National Security Agency. Used with permission. [2]

The 1960s

During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks. These mainframes required a less cumbersome process of communication than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information. In 1968, Dr. Larry Roberts developed the ARPANET project. Figure 1-2 is an excerpt from his Program Plan. ARPANET evolved into what we now know as the Internet, and Roberts became known as its founder.

For more information on Dr. Roberts and the history of the Internet, visit his Web site at www.packet.cc.
Figure 1-2 Development of the ARPANET
Source: Courtesy of Dr. Lawrence Roberts. Used with permission. [4]

The 1970s and 80s

During the next decade, ARPANET became more popular and saw wider use, increasing the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe (pictured in Figure 1-3) identified fundamental problems with ARPANET security. As one of the creators of Ethernet, a dominant local area networking protocol, he knew that individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorizations. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was commonly referred to as network insecurity. [5] In 1978, Richard Bisbey and Dennis Hollingworth, two researchers in the Information Sciences Institute at the University of Southern California, published a study entitled “Protection Analysis: Final Report.” It focused on a project undertaken by ARPA to understand and detect vulnerabilities in operating system security. For a timeline that includes this and other seminal studies of computer security, see Table 1-1.

Figure 1-3 Dr. Metcalfe receiving the National Medal of Technology
Source: U.S. Department of Commerce. Used with permission.

| Date | Document |
|---|---|
| 1968 | Maurice Wilkes discusses password security in Time-Sharing Computer Systems. |
| 1970 | Willis H. Ware authors the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security - RAND Report R-609, which was not declassified until 1979. It became known as the seminal work identifying the need for computer security. |
| 1973 | Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems. |
| 1975 | The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register. |
| 1978 | Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software. [7] |
| 1979 | Morris and Thompson author “Password Security: A Case History,” published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system. |
| 1979 | Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems. |
| 1982 | The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series. |
| 1984 | Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report, the authors examined four “important handles to computer security:” physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security. [8] |
| 1984 | Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users...the naive user has no chance.” [9] |
| 1992 | Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security. |

Table 1-1 Key Dates in Information Security
© Cengage Learning 2015

Security that went beyond protecting the physical location of computing devices began with a single paper sponsored by the Department of Defense. Rand Report R-609 attempted to define the multiple controls and mechanisms necessary for the protection of a computerized data processing system. The document was classified for almost ten years, and is now considered to be the paper that started the study of computer security.

The security—or lack thereof—of systems sharing resources inside the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being acquired at a rapid rate and securing them was a pressing concern both for the military and defense contractors.

In June 1967, ARPA formed a task force to study the process of securing classified information systems. The task force was assembled in October 1967 and met regularly to formulate recommendations, which ultimately became the contents of Rand Report R-609. [6] The document was declassified in 1979 and released as Rand Report R-609-1. The content of the two documents is identical with the exception of two transmittal memorandums.

For more information on the Rand Report, visit www.rand.org/pubs/reports/R609-1.html and click the Read Online Version button.

Rand Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide use of networking components in military information systems introduced security risks that could not be mitigated by the routine practices then used to secure these systems. Figure 1-4 shows an illustration of computer network vulnerabilities from the 1979 release of this document. This paper signaled a pivotal moment in computer security history—the scope of computer security expanded significantly from the safety of physical locations and hardware to include:

● Securing the data
● Limiting random and unauthorized access to that data
● Involving personnel from multiple levels of the organization in information security

Figure 1-4 Illustration of computer network vulnerabilities from Rand Report R-609 (labels recovered from the figure: Computer Network Vulnerabilities; Radiation; Crosstalk; Taps; Processor; Switching center; Communication lines; Files; Theft; Copying; Unauthorized access; Failure of protection circuits contribute to software failures; Hardware; Replace supervisor; Reveal protective measures; Operator; Improper connections; Cross coupling; Attachment of recorders; Bugs; Access; Remote consoles; Identification; Authentication; Subtle software modifications; User; Disable hardware devices; Use stand-alone utility programs; Maintenance man; Disable protective features; Provide “ins”; Systems programmer; Failure of protection features; Access control; Bounds control; etc.; Software)
Source: Rand Report R-609. Used with permission. [10]

MULTICS Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

For more information on the MULTICS project, visit web.mit.edu/multics-history.

In 1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. Not until the early 1970s did even the simplest component of security, the password function, become a component of UNIX.

In the late 1970s, the microprocessor brought the personal computer (PC) and a new age of computing. The PC became the workhorse of modern computing, moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking—the interconnecting of PCs and mainframe computers, which enabled the entire computing community to make all its resources work together.
In the mid-1980s, the U.S. Government passed several key pieces of legislation that formalized the recognition of computer security as a critical issue for federal information systems. The Computer Fraud and Abuse Act of 1986 and the Computer Security Act of 1987 defined computer security and specified responsibilities and associated penalties. These laws and others are covered in Chapter 3, “Legal, Ethical, and Professional Issues in Information Security.”

In 1988, the Defense Advanced Research Projects Agency (DARPA) within the Department of Defense created the Computer Emergency Response Team (CERT) to address network security.

The 1990s

At the close of the 20th century, networks of computers became more common, as did the need to connect them to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s after decades of being the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses.

Since its inception as a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards because industry standards for interconnected networks did not exist. These de facto standards did little to ensure the security of information, though some degree of security was introduced as precursor technologies were widely adopted and became industry standards. However, early Internet deployment treated security as a low priority. In fact, many problems that plague e-mail on the Internet today result from this early lack of security. At that time, when all Internet and e-mail users were presumably trustworthy computer scientists, mail server authentication and e-mail encryption did not seem necessary. Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.

In 1993, the first DEFCON conference was held in Las Vegas. Originally it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials. A compelling topic was the involvement of hackers in creating an interesting venue for the exchange of information between two adversarial groups—the “white hats” of law enforcement and security professionals and the “black hats” of hackers and computer criminals.

In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organizations. Antivirus products became extremely popular.

2000 to Present

Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer’s stored information is contingent on the security level of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyberattacks has made governments and companies more aware of the need to defend the computerized control systems of utilities and other critical infrastructure. Another growing concern is the threat of nation-states engaging in information warfare, and the possibility that business and personal information systems could become casualties if they are undefended. Since 2000, Sarbanes-Oxley and other laws related to privacy and corporate responsibility have affected computer security.

The attack on the World Trade Centers on September 11, 2001 resulted in major changes in legislation related to computer security, specifically to facilitate law enforcement’s ability to collect information about terrorism. The USA PATRIOT Act of 2001 and its follow-up laws, the USA PATRIOT Improvement and Reauthorization Act of 2005 and the PATRIOT Sunsets Act of 2011, are discussed in Chapter 3.

For more information on the history of computer security, visit the NIST Computer Security site at http://csrc.nist.gov/publications/history/. NIST is the National Institute of Standards and Technology.
- What Is Security?
- Key Terms
- C.I.A. triangle The industry standard for computer security since the development of the
- mainframe. The standard is based on three characteristics that describe the utility of information:
- confidentiality, integrity, and availability.
- communications security The protection of all communications media, technology, and
- content.
- information security Protection of the confidentiality, integrity, and availability of information
- assets, whether in storage, processing, or transmission, via the application of policy, education,
- training and awareness, and technology.
- network security A subset of communications security; the protection of voice and data
- networking components, connections, and content.
- physical security The protection of physical items, objects, or areas from unauthorized access
- and misuse.
- security A state of being secure and free from danger or harm. Also, the actions taken to make
- someone or something secure.
- Security is protection. Protection from adversaries—those who would do harm, intentionally
- or otherwise—is the ultimate objective of security. National security, for example, is a multi-
- layered system that protects the sovereignty of a state, its assets, its resources, and its people.
- Achieving the appropriate level of security for an organization also requires a multifaceted sys-
- tem. A successful organization should have multiple layers of security in place to protect its
- operations, physical infrastructure, people, functions, communications, and information.
- The Committee on National Security Systems (CNSS) defines information security as the pro-
- tection of information and its critical elements, including the systems and hardware that use,
- store, and transmit the information. 11 Figure 1-5 shows that information security includes the
- broad areas of information security management, data security, and network security. The
- CNSS model of information security evolved from a concept developed by the computer secu-
- rity industry called the C.I.A. triangle. The C.I.A. triangle (see Figure 1-6) has been the
- 10 Chapter 1
- Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
- Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
- 1
- standard for computer security in both industry and government since the development of the
- mainframe. This standard is based on the three characteristics of information that give it value
- to organizations: confidentiality, integrity, and availability. The security of these three charac-
- teristics is as important today as it has always been, but the C.I.A. triangle model is generally
- viewed as no longer adequate in addressing the constantly changing environment. The threats
- to the confidentiality, integrity, and availability of information have evolved into a vast collec-
- tion of events, including accidental or intentional damage, destruction, theft, unintended or
- unauthorized modification, or other misuse from human or nonhuman threats. This vast
- array of constantly evolving threats has prompted the development of a more robust model
- that addresses the complexities of the current information security environment. The
- expanded model consists of a list of critical characteristics of information, which are described
- in the next section. C.I.A. triangle terminology is used in this chapter because of the breadth
- of material that is based on it.
- For more information on CNSS, visit www.cnss.gov and click the history link.
- Key Information Security Concepts
- This book uses many terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-7; all are covered in greater detail in subsequent chapters.
- ● Access A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
- ● Asset The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
- Figure 1-5 Components of information security (diagram: computer security, data security, and network security, together with management of information security and information security governance, arranged around confidentiality, integrity, and availability under policy). © Cengage Learning 2015
- Figure 1-6 The C.I.A. triangle (diagram: data and services at the center, bounded by confidentiality, integrity, and availability). © Cengage Learning 2015
- ● Attack An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
- ● Control, safeguard, or countermeasure Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following chapters.
- Figure 1-7 Key concepts in information security (diagram). Attack: Ima Hacker downloads an exploit from the MadHackz Web site and then accesses buybay’s Web site. Ima then applies the script, which runs and compromises buybay’s security controls and steals customer data. These actions cause buybay to experience a loss. Threat: theft. Threat agent: Ima Hacker. Exploit: script from the MadHackz Web site. Asset: buybay’s customer database. Vulnerability: buffer overflow in the online database Web interface.
- Sources (top left to bottom right): © iStockphoto/tadija, Internet Explorer, © iStockphoto/darrenwise, Internet Explorer, Microsoft Excel.
- ● Exploit A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
- ● Exposure A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
- ● Loss A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization’s information is stolen, it has suffered a loss.
- ● Protection profile or security posture The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises the managerial aspects of security, including planning, personnel, and subordinate programs.
- ● Risk The probability of an unwanted occurrence, such as an adverse event or loss, weighed together with the harm that occurrence would cause. Organizations must reduce risk to a level that matches their risk appetite—the quantity and nature of risk they are willing to accept.
- ● Subjects and objects A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity, as shown in Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
- ● Threat A category of objects, people, or other entities that represents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
- ● Threat agent The specific instance or a component of a threat. For example, the threat of “trespass or espionage” is a category of potential danger to information assets, while “external professional hacker” (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat known as “acts of God/acts of nature.”
- ● Vulnerability A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
- Figure 1-8 Computer as the subject and object of an attack (diagram: a hacker uses a computer as the subject of an attack, sending a request across the Internet to a remote system that is the object of the attack; stolen information flows back). © Cengage Learning 2015
- Critical Characteristics of Information
- Key Terms
- accuracy An attribute of information that describes how data is free of errors and has the value that the user expects.
- authenticity An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
- availability An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
- confidentiality An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
- integrity An attribute of information that describes how data is whole, complete, and uncorrupted.
- possession An attribute of information that describes how the data’s ownership or control is legitimate or authorized.
- utility An attribute of information that describes how data has value or usefulness for an end purpose.
- The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases or, more commonly, decreases. Some characteristics affect information’s value to users more than others, depending on circumstances. For example, timeliness of information can be a critical factor because information loses much or all of its value when delivered too late. Though information security professionals and end users share an understanding of the characteristics of information, tensions can arise when the need to secure information from threats conflicts with the end users’ need for unhindered access to it. For instance, end users may perceive a 0.1-second delay in the computation of data to be an unnecessary annoyance. Information security professionals, however, may perceive 0.1 seconds as a minor delay that enables an important task, like data encryption. Each critical characteristic of information—that is, the expanded C.I.A. triangle—is defined in the following sections.
- Availability Availability enables authorized users—people or computer systems—to access information without interference or obstruction and to receive it in the required format. Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron’s identification before the patron has free access to the book stacks. Once authorized patrons have access to the stacks, they expect to find the information they need in a usable format and familiar language. In this case, the information is bound in a book that is written in English.
- Accuracy Information has accuracy when it is free from mistakes or errors and has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider a checking account, for example. You assume that the information in your account is an accurate representation of your finances. Incorrect information in the account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much money from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make other mistakes, such as bouncing a check.
- Authenticity Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail—you assume you know its origin. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a forged header field, is a problem for many people today because the forged field is usually the address of the originator, the From: line. Nothing in the basic mail transfer protocol checks that line against the system that actually sent the message, so spoofing the sender’s address can fool e-mail recipients into thinking that the messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have. Receiving mail systems therefore rely on separate sender-authentication checks (SPF, DKIM, and DMARC) to catch the mismatch between the displayed sender and the real one.
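- The header check described above, worked through in Go as an added example (not code from the textbook or from any mail product): the From: line of the spoofed message is identical to the genuine one, so the check has to look at what the receiving mail server recorded about the SMTP envelope (Return-Path) and in its Authentication-Results header. The two messages and the domains bank.example, attacker.example and recipient.example are constructed for this example; the rule that a mismatched envelope domain or a DMARC result other than pass makes a message suspicious is the example’s own simplification of what a real mail filter does.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Two constructed messages (not captured mail). The domains bank.example,
// attacker.example and recipient.example are placeholders.
const legitMail = "Return-Path: <alerts@bank.example>\r\n" +
	"Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example;" +
	" dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example\r\n" +
	"From: Bank Alerts <alerts@bank.example>\r\n" +
	"To: user@recipient.example\r\n" +
	"Subject: Your statement is ready\r\n" +
	"\r\nYour statement is available online.\r\n"

// The From: line is identical; only the envelope and the receiver's own
// authentication results reveal that another party sent it.
const spoofedMail = "Return-Path: <bounce@attacker.example>\r\n" +
	"Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=attacker.example;" +
	" dkim=none; dmarc=fail header.from=bank.example\r\n" +
	"From: Bank Alerts <alerts@bank.example>\r\n" +
	"To: user@recipient.example\r\n" +
	"Subject: Urgent: verify your account\r\n" +
	"\r\nClick the link below.\r\n"

// Verdict is what a receiving system can say about the From: header.
type Verdict struct {
	FromDomain     string // domain in the displayed From: header (chosen by the sender)
	EnvelopeDomain string // domain of the SMTP envelope sender, taken from Return-Path
	DMARC          string // dmarc result recorded by the receiving MTA, "" if absent
	Suspicious     bool
	Reasons        []string
}

// domainOf extracts the lower-cased domain from an RFC 5322 address.
func domainOf(addr string) (string, error) {
	a, err := mail.ParseAddress(strings.TrimSpace(addr))
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(a.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", a.Address)
	}
	return strings.ToLower(a.Address[at+1:]), nil
}

// authResult pulls one method's result (for example "dmarc") out of an
// Authentication-Results header shaped like
// "authserv-id; method=result key=value; method=result ...".
func authResult(header, method string) string {
	for _, part := range strings.Split(header, ";") {
		part = strings.TrimSpace(part)
		if strings.HasPrefix(part, method+"=") {
			return strings.TrimPrefix(strings.Fields(part)[0], method+"=")
		}
	}
	return ""
}

// CheckSpoof parses a raw message and records the symptoms of a forged From:.
func CheckSpoof(raw string) (Verdict, error) {
	var v Verdict
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return v, err
	}
	if v.FromDomain, err = domainOf(msg.Header.Get("From")); err != nil {
		return v, fmt.Errorf("From: %w", err)
	}
	if rp := msg.Header.Get("Return-Path"); rp != "" {
		if v.EnvelopeDomain, err = domainOf(rp); err != nil {
			return v, fmt.Errorf("Return-Path: %w", err)
		}
	}
	v.DMARC = authResult(msg.Header.Get("Authentication-Results"), "dmarc")

	if v.EnvelopeDomain != "" && v.EnvelopeDomain != v.FromDomain {
		v.Reasons = append(v.Reasons, "From: domain differs from envelope sender domain")
	}
	switch v.DMARC {
	case "pass":
		// the From: domain was verified by the receiving MTA
	case "":
		v.Reasons = append(v.Reasons, "no DMARC result recorded; From: is unverified")
	default:
		v.Reasons = append(v.Reasons, "DMARC result is "+v.DMARC)
	}
	v.Suspicious = len(v.Reasons) > 0
	return v, nil
}

func main() {
	for name, raw := range map[string]string{"legit": legitMail, "spoofed": spoofedMail} {
		v, err := CheckSpoof(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%-8s from=%s envelope=%s dmarc=%s suspicious=%v %v\n",
			name, v.FromDomain, v.EnvelopeDomain, v.DMARC, v.Suspicious, v.Reasons)
	}
}
```

- Note that SPF passes for the spoofed message: SPF checks the envelope sender, which the attacker set to a domain they control. Only the alignment check that DMARC performs between the envelope or DKIM domain and the From: domain exposes the forgery, which is why the example keys its verdict on the dmarc result rather than on spf alone.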
- Confidentiality Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only users with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, you can use several measures, including the following:
- ● Information classification
- ● Secure document storage
- ● Application of general security policies
- ● Education of information custodians and end users
- Confidentiality, like most characteristics of information, is interdependent with other characteristics and is most closely related to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Chapter 3, “Legal, Ethical, and Professional Issues in Information Security.”
- The value of information confidentiality is especially high for personal information about employees, customers, or patients. People who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business. Problems arise when companies disclose confidential information. Sometimes this disclosure is intentional, but disclosure of confidential information also happens by mistake—for example, when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside it.
- Other examples of confidentiality breaches are an employee throwing away a document of critical information without shredding it, or a hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about the clients, such as names, addresses, and credit card numbers.
- As a consumer, you give up pieces of personal information in exchange for convenience or value almost daily. By using a “members” card at a grocery store, you disclose some of your spending habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. When you sign up for a free magazine, Web resource, or free software application, you provide personally identifiable information (PII). The bits and pieces of personal information you disclose are copied, sold, replicated, distributed, and eventually coalesced into profiles and even complete dossiers of yourself and your life.
- Integrity Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity. A change in file size is the crudest sign of such a change, but a modification that keeps the size the same will not be caught that way. A more reliable method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the bit values in the file to compute a single large number called a hash value. Because the hash value is far shorter than most files, distinct files with the same hash value must exist; a cryptographic hash algorithm is designed so that it is computationally infeasible to find such a pair on purpose, which is why a matching hash value is treated as evidence that the file is unchanged.
- OFFLINE
- Unintentional Disclosures
- The number of unintentional information releases due to malicious attacks is substantial. Millions of people lose information to hackers and malware-focused attacks annually. However, organizations occasionally lose, misplace, or inadvertently release information in an event not caused by hackers or other electronic attacks.
- In January 2008, GE Money, a division of General Electric, revealed that a data backup tape with credit card data from approximately 650,000 customers and over 150,000 Social Security numbers went missing from a records management company’s storage facility. Approximately 230 retailers were affected when Iron Mountain, Inc., announced it couldn’t find a magnetic tape. 12
- In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves during 2004. The perpetrators used stolen identities to create ostensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently. The company reported that the criminals opened many accounts and recorded personal information, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks; it was simple fraud. The fraud was feared to have allowed the perpetrators to arrange hundreds of identity thefts.
- The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001. The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry analysts noted that it was likely to influence the public debate on privacy legislation. The company claimed the mishap was caused by a programming error that occurred when patients who used a specific drug produced by Lilly signed up for an e-mail service to access company support materials.
- In another incident in 2005, the intellectual property of Jerome Stevens Pharmaceuticals, a small prescription drug manufacturer from New York, was compromised when the U.S. Food and Drug Administration (FDA) released documents the company had filed with the agency. It remains unclear whether the release was purposeful or a simple error, but the company secrets were posted to a public Web site for several months before being removed.
- If a computer system performs the same hashing algorithm on a file and obtains a different number than the file’s recorded hash value, the file has been altered and the integrity of the information is lost. The recorded hash value must itself be kept where someone who can change the file cannot also change it, or be computed with a secret key; otherwise an attacker simply recomputes the stored value to match the altered file and the check proves nothing. Information integrity is the cornerstone of information systems because information is of no value or use if users cannot verify its integrity. File hashing and hash values are examined in detail in Chapter 8, “Cryptography.”
- For more details on information losses caused by attacks, visit Wikipedia.org and search on the terms “Data breach” and “Timeline of Computer Security Hacker History.”
- File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for such accidental threats to the integrity of information. During each transmission, checksums, hash values, and error-correcting codes detect (and in some cases repair) corruption, and data whose integrity has been compromised is retransmitted. These codes have a limit worth keeping in mind: a parity bit or cyclic redundancy check is designed to catch random noise, not a deliberate change, because anyone who can alter the data can recompute the check value to match. Detecting tampering requires a keyed check such as a message authentication code or a digital signature.
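- An added Go example (not code from the textbook) that puts the preceding paragraphs on file hashing and error-detecting codes side by side: a same-length modification that the file-size check misses, random line noise that a CRC-32 catches, and an attacker who rewrites both the file and its recorded checksum, which only a keyed check (HMAC-SHA256 here) still detects. The payment-order file contents and the key are constructed for the example; the choice of CRC-32, SHA-256 and HMAC as the three kinds of check is the example’s own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Constructed file contents; the payment-order format is a placeholder.
var original = []byte("PAY TO: ACME Corp      AMOUNT: 0010000.00 USD\n")

// Deliberate same-length edit: two digits swapped, file size unchanged.
var tampered = []byte("PAY TO: ACME Corp      AMOUNT: 0100000.00 USD\n")

// Baseline is what a trusted party records about a file at a known-good moment.
type Baseline struct {
	Size int    // the "file size" check from the text
	CRC  uint32 // CRC-32, an error-detecting code meant for random corruption
	SHA  string // SHA-256 hex digest, an unkeyed cryptographic hash
	Tag  []byte // HMAC-SHA256 under a key the attacker does not hold
}

// Detections reports which checks notice that data no longer matches its baseline.
type Detections struct {
	Size, CRC, SHA, HMAC bool
}

// Digest returns the hex-encoded SHA-256 of data.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Tag returns HMAC-SHA256(key, data). Without the key a matching tag cannot be produced.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// Record computes the baseline for data.
func Record(key, data []byte) Baseline {
	return Baseline{
		Size: len(data),
		CRC:  crc32.ChecksumIEEE(data),
		SHA:  Digest(data),
		Tag:  Tag(key, data),
	}
}

// Verify recomputes every check against the stored baseline.
func Verify(key []byte, b Baseline, data []byte) Detections {
	return Detections{
		Size: len(data) != b.Size,
		CRC:  crc32.ChecksumIEEE(data) != b.CRC,
		SHA:  Digest(data) != b.SHA,
		HMAC: !hmac.Equal(Tag(key, data), b.Tag), // constant-time comparison
	}
}

// FlipBit simulates line noise: the low bit of byte i is inverted.
func FlipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

// ForgeBaseline is what an attacker who can rewrite both the file and the
// stored baseline does: recompute every unkeyed value. The HMAC tag cannot be
// recomputed because the key is not available to the attacker.
func ForgeBaseline(b Baseline, newData []byte) Baseline {
	b.Size = len(newData)
	b.CRC = crc32.ChecksumIEEE(newData)
	b.SHA = Digest(newData)
	return b
}

func main() {
	key := []byte("demo-key: keep out of the attacker's reach") // constructed
	base := Record(key, original)

	fmt.Printf("line noise       %+v\n", Verify(key, base, FlipBit(original, 30)))
	fmt.Printf("same-size edit   %+v\n", Verify(key, base, tampered))
	fmt.Printf("forged baseline  %+v\n", Verify(key, ForgeBaseline(base, tampered), tampered))
}
```

- The third case is the one the text’s wording glosses over: once the attacker can write to the place where the hash is recorded, an unkeyed SHA-256 is no better than a CRC. Either the baseline lives somewhere the attacker cannot reach (a read-only store, a signed manifest) or the check has to be keyed.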
- Utility The utility of information is the quality or state of having value for some purpose
- or end. In other words, information has value when it can serve a purpose. If information
- is available but is not in a meaningful format to the end user, it is not useful. For example,
- U.S. Census data can quickly become overwhelming and difficult for a private citizen to
- interpret; however, for a politician, the same data reveals information about residents in a
- district, such as their race, gender, and age. This information can help form a politician’s
- next campaign strategy.
- Possession The possession of information is the quality or state of ownership or control. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always lead to a breach of confidentiality. For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups and sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the former employee nor anyone else can read it without the decryption key; therefore, there is no breach of confidentiality. This holds only as long as the key was never stored with the tapes and the encryption is sound: an encrypted backup whose key sits on the same media, or in a place the former employee could also reach, protects nothing. Today, people who are caught selling company secrets face increasingly stiff fines and a strong likelihood of jail time. Also, companies are growing more reluctant to hire people who have demonstrated dishonesty in their past.
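- The tape scenario above, as an added Go example (not the textbook’s code): customer records are sealed with AES-256-GCM, the image walks out (possession lost), and the thief can read nothing unless the key went with it. The records, and the assumption that the thief either has no key or obtained the very key used for sealing (the `keyStolenToo` flag), are constructed for the example; the book says only that the file system is encrypted and names no algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed customer records standing in for the backup contents.
var customerRecords = []byte("id,name,card\n1,Alice,4111111111111111\n2,Bob,5500000000000004\n")

// NewKey draws a 256-bit AES key. In the scenario it stays in the key store,
// never on the backup media.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM.
// Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a Seal output. It fails for a wrong key and for any
// modification of the image, so it doubles as an integrity check.
func Open(key, image []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(image) < gcm.NonceSize() {
		return nil, errors.New("tape image too short")
	}
	nonce, ct := image[:gcm.NonceSize()], image[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// TheftOutcome separates the two breaches the text distinguishes.
type TheftOutcome struct {
	PossessionLost      bool // the media left the secure environment
	ConfidentialityLost bool // the thief can read the records
}

// StolenTape models the former employee leaving with a copy of the backup.
// keyStolenToo is the added assumption that the key went with the tape
// (for instance because it was written to the same media).
func StolenTape(keyStolenToo bool) (TheftOutcome, error) {
	key, err := NewKey()
	if err != nil {
		return TheftOutcome{}, err
	}
	tape, err := Seal(key, customerRecords)
	if err != nil {
		return TheftOutcome{}, err
	}
	out := TheftOutcome{PossessionLost: true}

	// Looking at the raw image reveals no record field in the clear.
	if bytes.Contains(tape, []byte("Alice")) || bytes.Contains(tape, []byte("4111111111111111")) {
		out.ConfidentialityLost = true
	}

	thiefKey := make([]byte, 32) // the thief's guess when the real key stayed behind
	if keyStolenToo {
		thiefKey = key
	}
	if pt, err := Open(thiefKey, tape); err == nil && bytes.Equal(pt, customerRecords) {
		out.ConfidentialityLost = true
	}
	return out, nil
}

func main() {
	for _, withKey := range []bool{false, true} {
		out, err := StolenTape(withKey)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("key stolen too=%-5v possession lost=%v confidentiality lost=%v\n",
			withKey, out.PossessionLost, out.ConfidentialityLost)
	}
}
```

- Because GCM authenticates the image, `Open` also fails when a single byte of the tape has been altered, so the same primitive covers the integrity concern of the previous section as well as confidentiality.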
- CNSS Security Model
- The definition of information security in this text is based in part on the CNSS document called the National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011. The hosting organization is the Committee on National Security Systems, which is responsible for coordinating the evaluation and publication of standards related to the protection of National Security Systems (NSS). CNSS was originally called the National Security Telecommunications and Information Systems Security Committee (NSTISSC) when established in 1990 by National Security Directive (NSD) 42, National Policy for the Security of National Security Telecommunications and Information Systems. NSTISSI 4011 presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems. The CNSS standards are expected to be replaced by the new NIST SP 800-16, “Information Technology Security Training Requirements: A Role-Based Model for Federal Information Technology/Cyber Security Training,” in the near future.
- For more information on CNSS and its standards, see www.cnss.gov/CNSS/issuances/Instructions.cfm.
- The model, which was created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube. 14 As shown in Figure 1-9, the McCumber Cube has three dimensions: the security goals (confidentiality, integrity, availability), the states of information (storage, processing, transmission), and the kinds of safeguard (policy and practices, education, technology). If extrapolated, the three elements on each axis form a 3×3×3 cube with 27 cells, each representing an area that must be addressed to secure today’s information systems. To ensure system security, each of the 27 areas must be properly addressed during the security process. For example, the intersection of technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage. One such control might be a host intrusion detection system that protects the integrity of information by alerting security administrators to the potential modification of a critical file. A common omission from such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent chapters of this book.
- Key Term
- McCumber Cube A graphical representation of the architectural approach widely used in
- computer and information security; commonly shown as a cube composed of 3×3×3 cells, similar