Topic 3 - Need For Security
Information Security
CH2: THE NEED FOR INFORMATION SECURITY
BASED ON CH 7 OF MANAGEMENT INFORMATION SYSTEMS: MANAGING THE DIGITAL FIRM, FIFTEENTH EDITION
KENNETH C. LAUDON • JANE P. LAUDON
Learning Objectives
Upon completion of this material, you should be able to:
◦ Discuss the organizational need for information security
◦ Explain why a successful information security program is the shared
responsibility of an organization’s three communities of interest
◦ List and describe the threats posed to information security and common
attacks associated with those threats
◦ List the common development failures and errors that result from poor
software security efforts
Introduction
The primary mission of an information security program is to ensure that
information assets (information and the systems that house them)
remain safe and useful.
If no threats existed, resources could be used exclusively to improve
systems that contain, use, and transmit information.
Threat of attacks on information systems is a constant concern.
Business Needs First
Information security performs four important functions for an
organization
◦ Protecting the organization’s ability to function
◦ Protecting the data and information the organization collects and uses
◦ Enabling the safe operation of applications running on the organization’s IT
systems
◦ Safeguarding the organization’s technology assets
Protecting the Functionality of an
Organization
Management (general and IT) responsible for facilitating
security program.
Implementing information security has more to do with
management than technology.
Communities of interest should address information security in
terms of business impact and cost of business interruption.
Protecting Data that Organizations
Collect and Use
An organization, without data, loses its record of
transactions and its ability to deliver value to customers.
Protecting data in motion, in processing, and at rest
(storage) is a critical aspect of information security.
Enabling the Safe Operation of
Applications
Organization needs environments that safeguard applications using
IT systems.
Management must continue to oversee infrastructure once it is in place,
not relegate it to the IT department.
Safeguarding Technology Assets in
Organizations
Organizations must have secure infrastructure hardware based on
the size and scope of the enterprise
Additional security services may be needed as the organization
grows
More robust solutions may be needed to replace security programs
the organization has outgrown
Threats
Threat: an object, person, or other entity that represents a constant
danger to an asset
Management must be informed about the various threats to an
organization’s people, applications, data, and information systems.
Overall security is improving, but so is the number of potential
hackers.
◦ As of April 2023, there were 5.18 billion internet users worldwide,
which amounted to 64.6 percent of the global population.
The 12 Categories of Threats to
Information Security
Compromises to Intellectual Property
Intellectual property (IP): creation, ownership, and control of original
ideas as well as the representation of those ideas.
The most common IP breaches involve software piracy.
Two watchdog organizations investigate software abuse:
◦ Software & Information Industry Association (SIIA)
◦ Business Software Alliance (BSA)
Utility service issues (telephone, water, wastewater, trash pickup, etc.) can disrupt
business
Power supply irregularities (power shortages/losses)
Espionage or Trespass
Access of protected information by unauthorized individuals
Competitive intelligence (legal) vs. industrial espionage (illegal)
Shoulder surfing can occur anywhere a person accesses confidential
information
Controls let trespassers know they are intruding on organization’s
cyberspace
Hackers use skills, guile, or fraud to bypass controls protecting others’
information
Espionage or Trespass
Types of hackers:
◦ Expert hacker
◦ Develops software scripts and program exploits
◦ Usually a master of many skills
◦ Will often create attack software and share with others
◦ Unskilled hacker
◦ Many more unskilled hackers than expert hackers
◦ Use expertly written software to exploit a system
◦ Do not usually fully understand the systems they hack
◦ Cracker:
◦ “cracks” or removes software protection designed to prevent unauthorized duplication
Espionage or Trespass
Password attacks
◦ Brute force
◦ Dictionary
◦ Rainbow tables
◦ Social engineering
Forces of Nature
Forces of nature are among the most dangerous threats
These include tornados, hurricanes, earthquakes
Disrupt not only individual lives, but also storage, transmission, and use of
information
Organizations must implement controls to limit damage and prepare
contingency plans for continued operations
Human Error or Failure
Employees are among the greatest threats. Why?
Includes acts performed without malicious intent. Causes include:
◦ Employees not following policies.
◦ Inexperience
◦ Improper training
◦ Incorrect assumptions
Human Error or Failure
Employee mistakes can easily lead to:
◦ Revelation of classified data
◦ Entry of erroneous data
◦ Accidental data deletion or modification
◦ Data storage in unprotected areas
◦ Failure to protect information
Many of these threats can be prevented with training, ongoing awareness activities, and controls
Social engineering uses social skills to convince people to reveal access credentials or other
valuable information to an attacker
Phishing: an attempt to gain personal/financial information from individual, usually by posing as
legitimate entity
People are the weakest link. You can have the best technology: firewalls, intrusion-detection
systems, biometric devices... and somebody can call an unsuspecting employee.
Information Extortion
Attacker steals information from a computer system and demands
compensation for its return or nondisclosure. Also known as cyberextortion.
Commonly done in credit card number theft
Ransomware
◦ Ransomware is a malware attack on the host system that denies access to the user and
then offers to provide a key to allow access back to the user’s system and data for a fee
◦ Two types of ransomware:
◦ Lockscreen
◦ Encryption
Sabotage or Vandalism
The deliberate sabotage of a computer system, or any company’s assets.
Threats can range from petty vandalism to organized sabotage
Companies rely on their image to promote trust and confidence.
Web site defacing can erode consumer confidence, dropping sales and organization’s net worth
Threat of hacktivist or cyberactivist operations rising
Hacktivist: a hacker who seeks to disrupt systems to protest the operations, policies, or actions
of an organization or government.
Cyberterrorism: attacks on systems by a hacker to conduct terrorist activities via networks or
Internet pathways.
Software Attacks
Types of attacks
◦ Malware (malicious code): scripts and applications designed to harm a target computer system. Includes
execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
◦ Virus: consists of code segments (programming instructions) that perform malicious actions
◦ Worm: A type of malware that is capable of activation and replication without being attached to an existing program
◦ Trojan horse: A malware program that hides its true nature and reveals its designed behavior only when activated.
◦ Malicious software (malware) designed to damage, destroy, or deny service to target systems
◦ Includes:
◦ Polymorphic threats: a virus changes the way it appears to antivirus software programs
◦ Spyware: Any technology that aids in gathering information about people or organizations without their knowledge.
◦ Zero-day-attack: An attack that makes use of malware that is not yet known by the anti-malware software companies.
Software Attacks
Types of attacks (cont’d.)
◦ Back door: gaining access to system or network using known or previously unknown/newly
discovered access mechanism
◦ Denial-of-service (DoS): attacker sends large number of connection or information requests to
a target
◦ Target system cannot handle successfully along with other, legitimate service requests
◦ May result in system crash or inability to perform ordinary functions
◦ Distributed denial-of-service (DDoS): A coordinated stream of requests is launched against a
target from many locations simultaneously.
◦ Mail bombing: also a DoS; attacker routes large quantities of e-mail to target
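Added example (not from the slides): a small request-rate analysis that a defender might run over connection logs to flag the DoS and DDoS patterns described above. It buckets requests into fixed windows and distinguishes a single source exceeding a per-source threshold from many sources whose combined total exceeds a window-wide threshold, which is the case where per-source blocking no longer helps. The log format, the thresholds, the window size and all addresses (RFC 5737 documentation ranges) are constructed for this example.

```python
"""Flag single-source and distributed request floods in a connection log.
The log lines are generated below and are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> src=<ip> dst=<ip> <flag>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) (\w+)$")


def build_sample_log():
    """Constructed log: light legitimate traffic over 60 s, a single-source
    flood in seconds 20-30 and a distributed flood in seconds 40-50."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []

    def add(t, src):
        lines.append(f"{t.isoformat()} src={src} dst=203.0.113.10 SYN")

    # 20 ordinary clients, two connection requests each, spread over the minute.
    for i in range(20):
        for k in range(2):
            add(base + timedelta(seconds=(i * 3 + k * 30) % 60), f"198.51.100.{i + 1}")
    # DoS: one host sends 120 requests inside 10 seconds.
    for k in range(120):
        add(base + timedelta(seconds=20 + k / 12), "203.0.113.77")
    # DDoS: 60 hosts send 4 requests each inside the same 10-second window.
    for j in range(60):
        for m in range(4):
            add(base + timedelta(seconds=40 + (4 * j + m) % 10), f"203.0.113.{100 + j}")
    return lines


def parse(lines):
    """Return (timestamp, source) pairs, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events


def analyze(lines, window_s=10, per_source_threshold=50, total_threshold=150):
    """Bucket requests into fixed windows and emit one alert per flooded window.
    'single-source': one address alone exceeds per_source_threshold.
    'distributed': no single address stands out, but the window total exceeds
    total_threshold, so blocking the top talker would not help."""
    events = parse(lines)
    if not events:
        return []
    t0 = min(t for t, _ in events)
    buckets = defaultdict(Counter)
    for t, src in events:
        buckets[int((t - t0).total_seconds() // window_s)][src] += 1
    alerts = []
    for w in sorted(buckets):
        counts = buckets[w]
        total = sum(counts.values())
        top_src, top_count = counts.most_common(1)[0]
        if top_count >= per_source_threshold:
            kind = "single-source"
        elif total >= total_threshold:
            kind = "distributed"
        else:
            continue
        alerts.append({"window": w, "kind": kind, "total": total,
                       "sources": len(counts), "top_src": top_src, "top_count": top_count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

With the constructed log the analysis reports two windows: the single-source flood (one address with 120 requests) and the distributed flood (66 addresses, none above 4 requests, 246 in total). The second case is why DDoS mitigation relies on upstream capacity and traffic scrubbing rather than on blocking individual addresses.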
Software Attacks
Types of attacks (cont’d.)
◦ Sniffers: program or device that monitors data traveling over network; can be used both for
legitimate purposes and for stealing information from a network
◦ Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
◦ Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them
back into network
◦ Spam: unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as
a vector for some attacks
Technical Hardware Failures or Errors
Occur when manufacturer distributes equipment containing flaws to
users
Can cause system to perform outside of expected parameters, resulting
in unreliable or poor service
Some errors are terminal; some are intermittent
A CPU failure that resulted in a calculation error in the Intel Pentium II chip: $475
million loss.
Technical Software Failures or Errors
Large quantities of computer code are written, debugged, published,
and sold before all bugs are detected and resolved.
Combinations of certain software and hardware can reveal new software
bugs.
Entire Web sites are dedicated to documenting bugs.
Open Web Application Security Project (OWASP) is dedicated to helping
organizations create/operate trustworthy software and publishes a list of
top security risks.
The Deadly Sins in Software Security
Buffer overrun (overflow): occurs when more data is sent to a program buffer
than it is designed to handle.
Command injection: occurs when user input is passed directly to a compiler
without screening for content that may compromise the intended function.
Developers should ensure command input is validated before it is used in the
program.
Cross-site scripting (XSS): occurs when an application running on a Web server
inserts commands into a user’s browser session and causes information to be
sent to a hostile server. Mitigation: filtering/validating input and output.
SQL injection: occurs when developers fail to properly validate
user input before using it to query a relational database.
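Added example (not from the slides or the textbook): vulnerable and hardened versions of three of the deadly sins above, SQL injection, command injection and cross-site scripting, side by side. The SQL part uses an in-memory SQLite table; the command part validates a host name against an allow-list and builds an argument vector instead of a shell string (the vulnerable shell string is returned for comparison and never executed); the XSS part shows output encoding. Buffer overruns are a native-code defect and are not shown here. The table, user names, host names and inputs are constructed for this example.

```python
"""Vulnerable vs. hardened handling of untrusted input for SQL, OS commands
and HTML output. All data below is constructed for this example."""
import html
import re
import sqlite3

# Constructed in-memory table standing in for an application database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (username TEXT, role TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "admin"), ("bob", "user"), ("carol", "user")])
DB.commit()


# --- SQL injection ---------------------------------------------------------
def lookup_vulnerable(username):
    """String-built query: the input becomes part of the SQL grammar, so an
    input such as  ' OR '1'='1  turns a lookup into 'return every row'."""
    rows = DB.execute(f"SELECT username FROM users WHERE username = '{username}'")
    return [r[0] for r in rows]


def lookup_parameterized(username):
    """Bound parameter: the driver passes the input as data, never as SQL."""
    rows = DB.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [r[0] for r in rows]


# --- Command injection -----------------------------------------------------
# Allow-list for a host name: labels of letters, digits, dots and hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def vulnerable_command(host):
    """The string a shell=True call would hand to the shell; returned for
    comparison only, deliberately never executed."""
    return f"ping -c 1 {host}"


def is_safe_host(host):
    return bool(HOSTNAME_RE.match(host))


def build_ping_argv(host):
    """Validate first, then build an argument vector so no shell ever
    interprets the value (to run: subprocess.run(argv), without shell=True)."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host name: {host!r}")
    return ["ping", "-c", "1", host]


# --- Cross-site scripting --------------------------------------------------
def render_comment_vulnerable(text):
    """Untrusted text placed straight into the page: markup in it executes."""
    return f"<p>{text}</p>"


def render_comment_escaped(text):
    """Output encoding: characters with HTML meaning become entities."""
    return f"<p>{html.escape(text)}</p>"


if __name__ == "__main__":
    print(lookup_vulnerable("' OR '1'='1"))      # every user
    print(lookup_parameterized("' OR '1'='1"))   # []
    print(vulnerable_command("example.com; id"))  # shell would run two commands
    print(build_ping_argv("example.com"))
    print(render_comment_escaped("<script>alert(1)</script>"))
```

The common thread is that each fix keeps untrusted input in the data channel (a bound parameter, an argv element, an encoded text node) instead of letting it reach the interpreter as code; validation alone, as the slide recommends for command input, is the second layer.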
Technological Obsolescence
Antiquated/outdated infrastructure can lead to unreliable,
untrustworthy systems.
Proper managerial planning should prevent technology
obsolescence.
IT plays a large role.
Theft
Illegal taking of another’s physical, electronic, or intellectual property
Physical theft is controlled relatively easily: locked doors, surveillance cameras,
alarm systems, etc.
Electronic theft is a more complex problem; evidence of the crime is not readily
apparent
Organizations may not even know it has occurred.
Discussion:
◦ Will the increased use of mobile technology, including smartphones, tablet PCs, and
laptops, increase the risk of data theft? How?