Module2 The Need For Security

Uploaded by Elisa Capina

© All Rights Reserved

Information Assurance and Security

The Need for Security

Principles of Information Security, 2nd Edition 1


Learning Objectives
• Discuss the organizational need for information security
• Explain why a successful information security program is the shared responsibility of an organization’s three communities of interest
• List and describe the threats posed to information security and common attacks associated with those threats
• List the common development failures and errors that result from poor software security efforts
The Need for Security
• Information Security Function for an Organization
• Protecting the Ability to Function
• Threats to Information Security


The Need for Security
• The primary mission of an information security program is to ensure that information assets—information and the systems that house them—remain safe and useful.
• Organizations expend a lot of money and thousands of hours to maintain their information assets.
• However, the threat of attacks on information assets is a constant concern, and the need for information security grows along with the sophistication of the attacks.


Information Security Function for an
Organization
1. Protecting the organization’s ability to function
2. Enabling the safe operation of applications
implemented on the organization’s IT systems
3. Protecting the data an organization collects and uses
4. Safeguarding the organization’s technology assets



Information Security Function for an Organization
1. Protecting the organization’s ability to function
• Shared responsibility between general management and IT management
• Address information security in terms of business impact and cost of business interruption


Information Security Function for an Organization
2. Enabling the safe operation of applications implemented on the organization’s IT systems
• Organizations require integrated, efficient, and capable applications.


Information Security Function for an Organization
3. Protecting the data an organization collects and uses
• Without data, an organization loses its record of transactions and its ability to deliver value to customers. Any business, educational institution, or government agency that operates within the modern context of connected and responsive services relies on information systems.


Information Security Function for an Organization
3. Protecting the data an organization collects and uses
• Therefore, data security—protecting data in transmission, in processing, and at rest (storage)—is a critical aspect of information security. Organizations store much of the data they deem critical in databases, managed by specialized data management software known as a database management system (DBMS). The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as database security.


Information Security Function for an Organization
4. Safeguarding the organization’s technology assets
• To perform effectively, organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise.
• Information technology continues to add new capabilities and methods that allow organizations to solve business information management challenges.


Threats
• A threat is an object, person, or other entity that represents a constant danger to an asset.
• By examining each threat category in turn, management effectively protects its information through policy, education and training, and technology controls.


12 Categories of Threats
1. Compromises to Intellectual Property
2. Deviations in quality of service
3. Espionage or trespass
4. Forces of nature
5. Human error or failure
6. Information extortion



12 Categories of Threats
7. Sabotage or vandalism
8. Software attacks
9. Technical hardware failures or errors
10. Technical software failures or errors
11. Technological obsolescence
12. Theft



12 Categories of Threats
1. Compromises to Intellectual Property
• Intellectual Property – the creation, ownership, and control of original ideas as well as the representation of those ideas.
• IP includes trade secrets, copyrights, trademarks, and patents. IP is protected by copyright law and other laws, carries the expectation of proper attribution or credit to its source, and potentially requires the acquisition of permission for its use, as specified in those laws.
12 Categories of Threats
1. Compromises to Intellectual Property
• Software Piracy – the unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
• Copyright Protection and User Registration
• A number of technical mechanisms—digital watermarks, embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to enforce copyright laws.


12 Categories of Threats
2. Deviations in quality of service
• An organization’s information system depends on the successful operation of many interdependent support systems, including power grids, data and telecommunications networks, parts suppliers, service vendors, and even janitorial staff and garbage haulers.


12 Categories of Threats
2. Deviations in quality of service
• Internet Service Issues
• Communications and Other Service Provider Issues
• Power Irregularities


12 Categories of Threats
3. Espionage or trespass
• Espionage or trespass is a well-known and broad category of electronic and human activities that can breach the confidentiality of information.
• Hackers
• Crackers
• Phreakers


12 Categories of Threats
4. Forces of nature
• Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with little warning and are beyond the control of people. These threats, which include events such as fires, floods, earthquakes, landslides, mudslides, windstorms, sandstorms, solar flares, and lightning as well as volcanic eruptions and insect infestations, can disrupt not only people’s lives but the storage, transmission, and use of information.


12 Categories of Threats
5. Human error or failure
• This category includes acts performed without intent or malicious purpose, or in ignorance, by an authorized user. When people use information systems, mistakes happen. Similar errors happen when people fail to follow established policy. Inexperience, improper training, and incorrect assumptions are just a few things that can cause human error or failure.


12 Categories of Threats
6. Information extortion
• The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information.


12 Categories of Threats
7. Sabotage or vandalism
• This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to destroy an asset or damage the image of an organization.


12 Categories of Threats
8. Software attacks
• Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. This attack can consist of specially crafted software that attackers trick users into installing on their systems. This software can be used to overwhelm the processing capabilities of online systems or to gain access to protected systems by hidden means.


12 Categories of Threats
8. Software attacks
• Malware
• Backdoors
• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
• Email Attacks
• Communications Interception Attacks


12 Categories of Threats
9. Technical hardware failures or errors
• Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.


12 Categories of Threats
9. Technical hardware failures or errors
• The Intel Pentium CPU Failure
• Mean Time Between Failure


12 Categories of Threats
10. Technical software failures or errors
• Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions. Sometimes these bugs are not errors, but purposeful shortcuts left by programmers for benign or malign reasons.


12 Categories of Threats
11. Technological obsolescence
• Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of losing data integrity from attacks.


12 Categories of Threats
12. Theft
• The illegal taking of another’s property, which can be physical, electronic, or intellectual.