Principles of Information Security,

Fourth Edition

CHAPTER 2

WHY SECURITY IS NEEDED

Learning Objectives
2

Upon completion of this material, you should be able

to:
Demonstrate that organizations have a business need for
information security
Explain why a successful information security program is the
responsibility of both an organizations general management
and IT management

Principles of Information Security, Fourth Edition

Learning Objectives (contd.)

3

Identify the threats posed to information security and the

more common attacks associated with those threats, and
differentiate threats to the information within systems from
attacks against the information within systems
Describe the issues facing software developers, as well as the
most common errors made by developers, and explain how
software development programs can create software that is
more secure and reliable

Principles of Information Security, Fourth Edition

Introduction
4

Primary mission of information security is to ensure

systems and contents stay the same

If no threats existed, resources could be focused on
improving systems, resulting in vast improvements
in ease of use and usefulness
Attacks on information systems are a daily
occurrence

Principles of Information Security, Fourth Edition

Information security performs four important

functions for an organization
5

1. Protects ability to function

Information security is both management issue and people
issue
2. Enables safe operation of applications

implemented on its IT systems

Management must continue to oversee infrastructure

Principles of Information Security, Fourth Edition

Information security performs four important

functions for an organization
6

3. Protects data
Organization, without data, loses its record of transactions
and/or ability to deliver value to customers
4. Safeguards technology assets
Infrastructure services based on size and scope of the
organization
Additional security services may be needed as organization
grows

Principles of Information Security, Fourth Edition

Threats
7

Threat: an object, person, or other entity that

represents a constant danger to an asset

Management must be informed of the different

threats facing the organization

Principles of Information Security, Fourth Edition

Threat 1: Malicious software (malware)

8

Malicious software (malware) designed to damage,

destroy, or deny service to target systems

Types:
Viruses (segments of code)
Worms (replicate themselves )
Trojan horses (hide their true nature)

Principles of Information Security, Fourth Edition

Figure 2-4 Trojan Horse Attack

Principles of Information Security, Fourth Edition

Threat 2: Deviations in Quality of Service

10

Products or services are not delivered as expected

Information system depends on many support

systems

Internet service issues

Power issues
Excesses
Shortages
Losses

voltage increase
low voltage
loss of power

Principles of Information Security, Fourth Edition

Threat 3: Espionage
11

Access of information by unauthorized individuals

Shoulder surfing

Principles of Information Security, Fourth Edition

http://administracionconfirma.trackglobe.es/documentos/listado_contenidos/135/1/thumbs_web/c_24_401.jpg

Threat 3: Espionage (contd.)

13

Expert hacker
Develops software scripts and program exploits
Usually a master of many skills
Will create attack software and share with others
Unskilled hacker
Many more unskilled hackers than expert hackers
Use expertly written software to exploit a system
Do not usually fully understand the systems they hack

Principles of Information Security, Fourth Edition

Threat 3: Espionage (contd.)

14

Other terms for system rule breakers:

Cracker: cracks or removes software protection designed to
prevent unauthorized duplication

Phreaker: hacks the public telephone network

Principles of Information Security, Fourth Edition

Review ..
15

What are the four functions of Information Security?

What is the definition of Threat?
What are the types of threats?

Principals of Information Security, Fourth Edition

Threat 4: Forces of Nature

16

Example?
Most dangerous threats
Disrupt not only individual lives, but also storage,

transmission, and use of information

Organizations must implement controls to limit

damage and prepare contingency plans for continued

operations

Principles of Information Security, Fourth Edition

Threat 5: Human Error

17

Includes acts performed without malicious intent

Causes include:
Inexperience
Improper training
Incorrect assumptions

Principles of Information Security, Fourth Edition

Threat 5: Human Error (contd.)

18

Employee mistakes can easily lead to:

Exposing data
Entry of wrong data
Deleting or changing data
Storing data in unprotected areas
Many of these threats can be prevented with controls

Principles of Information Security, Fourth Edition

Threat 6: Information Extortion

19

Attacker steals information from computer system

and demands compensation for its return

Example?

Principles of Information Security, Fourth Edition

Threat 7: Theft
20

Illegal taking of anothers physical, electronic, or

intellectual property
Physical theft is controlled relatively easily
Electronic theft is more complex problem; evidence

of crime is not clear

Principles of Information Security, Fourth Edition

Threat 8: Technical Hardware Failures

21

Manufacturer distributes equipment containing

flaws
Weak devices or systems produce poor service

Principles of Information Security, Fourth Edition

Attacks
22

Attacks: Acts or actions that exploits vulnerability

(weakness) in controlled system

Types of attacks
Malicious code: includes execution of viruses, worms, Trojan
horses, and active Web scripts with intent to destroy or steal
information

Principles of Information Security, Fourth Edition

Attacks (contd.)
23

Types of attacks (contd.)

Back door: gaining access to system or network using known
or previously unknown/newly discovered access mechanism

Password crack

Brute force: trying every possible combination of options of a

password

Dictionary: use common passwords (i.e., the dictionary)

Principles of Information Security, Fourth Edition

Attacks (contd.)
24

Types of attacks (contd.)

Denial-of-service (DoS): attacker sends large number of

connection or information requests to a target
May

result in system crash or inability to perform ordinary

functions

Distributed denial-of-service (DDoS): coordinated stream of

requests is launched against target from many locations
(Zombies)

Principles of Information Security, Fourth Edition

Figure 2-11 Denial-of-Service Attacks

Principles of Information Security, Fourth Edition

25

Attacks (contd.)
26

Types of attacks (contd.)

Sniffers: program or device that monitors data traveling over
network
can

be used both for legitimate purposes and for stealing

information from a network

Phishing: an attempt to gain personal/financial information

from individual, usually by posing as legitimate entity

Pharming: redirection of legitimate Web traffic (e.g., browser

requests) to illegitimate site for the purpose of obtaining
private information

Principles of Information Security, Fourth Edition

Attacks (contd.)
27

Types of attacks (contd.)

Social engineering: using social skills to convince people to
reveal access credentials or other valuable information to
attacker

Principles of Information Security, Fourth Edition

Secure Software Development

28

Development of software and systems is often

accomplished using methodology such as Systems

Development Life Cycle (SDLC)
Including procedures to create more secure software

(Software Assurance SA)

Principles of Information Security, Fourth Edition

Software Design Principles

29

Keep design simple and small

Access decisions
Users utilize only necessary privileges
Human interface must be easy to use

Principles of Information Security, Fourth Edition

Software Development Security Problems

30

Buffer overruns
Command injection
Failure to handle errors
Failure to protect network traffic
Failure to store and protect data

Principles of Information Security, Fourth Edition