Abstract image of a woman sitting on books and studying on a laptop

Chapter 1Information Security OverviewCopyright © 2014 by Mc

Download as DOCX, PDF
E
EstelaJeffery653

This document discusses the fundamentals of information security, emphasizing the importance of protecting valuable information assets and the methodologies required to build effective security programs. It covers the philosophy of security, methods for assessing risks, the evolution of security practices, and the roles of defense, detection, and deterrence in mitigating threats. Additionally, it highlights the challenges defenders face and the significance of aligning security strategies with business processes.

Education
1 of 26
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Chapter 1 Information Security Overview Copyright © 2014 by McGraw-Hill Education. Introduction This chapter is about the philosophy and methodology that inform the core principles and practices of a successful and effective security program. It introduces the fundamentals of security, the importance of security and the best way to go about it, and focuses primarily on philosophies that underpin security. Copyright © 2014 by McGraw-Hill Education. The Importance of Information Protection Information is an important asset. The more information you have at your command, the better you can adapt to the world around you. In business, information is often one of the most important assets a company can possess. Information differentiates companies and provides leverage that helps one company become more successful than another.
Copyright © 2014 by McGraw-Hill Education. Information Security Overview Key questions to ask before embarking on any security endeavor: What are you trying to protect? Why are you trying to protect it? How will you protect it? We cover some background information and axioms, ideologies, reasoning, values, and viewpoints you should keep in mind whenever you are considering security tools and techniques. Copyright © 2014 by McGraw-Hill Education. The Evolution of Information Security Copyright © 2014 by McGraw-Hill Education. Justifying Security Investment Business Agility Cost Reduction Portability
By improving access to the information that drives its business, every company can expand its business influence on a global scale, regardless of the company’s size or location. Information, one of the most important assets a company can possess, is even more valuable when shared with those authorized to have it. Modern security practices provide information to those who need it without exposing it to those who should not have it. Copyright © 2014 by McGraw-Hill Education. Security Methodology The Three Ds of Security Defensive measures reduce the likelihood of a successful compromise of valuable assets, thereby lowering risk and potentially saving the expense of incidents that might otherwise not be avoided. Another aspect of security is detection. In order to react to a security incident, you first need to know about it. Deterrence is another aspect of security. It is considered to be an effective method of reducing the frequency of security compromises, and thereby the total loss due to security incidents. Copyright © 2014 by McGraw-Hill Education. How to Build a Security Program
Authority Framework Assessment Planning Action Maintenance Begin with describing what is needed and why, and to proceed to define how it will be implemented, when, and using which particular methods. Copyright © 2014 by McGraw-Hill Education. The Impossible Job The job of the attacker is always easier than the job of the defender. The attacker needs only to find one weakness, while the defender must try to cover all possible vulnerabilities. The attacker has no rules—he can follow unusual paths, abuse the trust of the system, or resort to destructive practices. The defender must try to keep his assets intact, minimize damage, and keep costs down—like fighting off a horde of spider monkeys with only two arms. Copyright © 2014 by McGraw-Hill Education. The Weakest Link
A security infrastructure will drive an attacker to the weakest link. The weakest link will attract the greatest number of attacks. Copyright © 2014 by McGraw-Hill Education. Business Processes vs. Technical Controls In security, there is no magic bullet. Business processes should determine the choice of tools, and the tools are used to facilitate the business processes—not the other way around. Before selecting security products, the business processes must be identified so that security products can be chosen that fit appropriately into the business environment. Copyright © 2014 by McGraw-Hill Education. Summary Security should solve specific problems consistent with clearly identified requirements. Security benefits business by reducing costs and creating new revenue opportunities. Security can be thought of in the context of the three Ds: Defense – reduces misuse and accidents Detection – provides visibility into good and bad activities Deterrence – discourages unwanted behavior
Strategies are used to manage proactive security efforts, and tactics are used to manage reactive security efforts. Copyright © 2014 by McGraw-Hill Education. ITEC 630 MIDTERM EXAM ITEC 630 MIDTERM EXAM SUMMER 2021 Name: Mahamadou Diallo ITEC 630 Mahamadou Diallo University of Maryland Global Campus 6/27/2021 Name: Mahamadou Diallo QUESTION 1 The acquisition approach includes creating a new system from scratch. The new system being designed will contain features based on the user's interest or the person wishing to buy the system. Custom acquisition is more efficient than other approaches (Marcus, 2013). It takes advantage of the fact that it
may employ current and updated technology to solve a company's challenges. With this, one may be creative in handling all the technological challenges and difficulties faced. One advantage of bespoke acquisition is that it improves an organization's technical abilities since one must engage with the system. This also makes organizational knowledge functional. Packaged acquisition method includes buying an already- customized system. Most businesses choose this as buying a system already built and tested is considerably easier and efficient. Unlike other system acquisition techniques, packaged system acquisition approach permits system modification and manipulation to modify how specific aspects function to meet the organization's needs and wishes. For example, bespoke add- on software that communicates with the bundled application is a workaround and can be produced for particular purposes. However, businesses that embrace packaged system purchases must accept the system's capabilities as they allow for modification. The outsourced system acquisition approach is the other market- common strategy. Acquisition strategy outsourced is outsourcing or engaging an external vendor to build and supply the system. Outsourcing businesses are usually called Application Service Providers (Ellis, 2014). One of the numerous advantages of an outsourced system purchase approach is its low entry cost and fast set-up time. However, when producing an outsourced system, the employer should speak with service providers to get the best out of the system since they must react to all their demands. An example of an outsourced system acquisition approach is when a company employs a service provider to run your applications but on your site. This strengthens the company by hiring a service provider specializing in your area of interest. References Ellis, R. (2014). Current cabled and cable-free seismic acquisition systems each have their own advantages and disadvantages–is it possible to combine the two? first
break, 32(1). Marcus, S. (Ed.). (2013). Automating knowledge acquisition for expert systems (Vol. 57). Springer Science & Business Media. QUESTION TWO Interactive methods can be categorized as interviewing, collaborative interaction design, and surveying people. Interviewing is an important method of data collection since it relies on firsthand information collection. From interviews, one can reveal so much information about one's opinions since it will be based on facts, feelings since the discussion can easily tell the surfaces of the interviewee more carefully by listening to them. One can also say to the organization's goals. When conducting an interview, one should conduct a background check on the area of interest. This can be done by reading background material, corporate newspapers, and the organization's website. A variety of open-ended and closed-ended interview questions are asked over the course of the interview process. Questionnaires with open-ended responses allow the interviewee to reply to the questions in how they choose to respond to them. The major advantage of this sort of inquiry is that it puts the interviewee at ease, which allows them to react more confidently. When it comes to the closed-ended interview question, there is a limit to the number of replies that can be given. This is critical in the generation of accurate and trustworthy data that is simple to examine and interpret. The major advantage of this interview style is that it saves time and makes it simple to get straight to the subject. JAD is a technique that allows the analyst to do requirements analysis and design the user interface while working with users in a group environment rather than individually. This includes the project team members who are committed to the JAD, an executive sponsor who will introduce and conclude the session, users who attempt to articulate the information, observers who provide analytical and technical advice, a scribe who will formally record everything that is done, and a session leader
who is well-versed in communications skills. The benefits of JAD are the rapid development of systems, and creative idea production is improved. With this, there is so much brainstorming, and this allows for creative idea production. It helps the users become involved in the early systems projects and treat their feedback seriously. However, JAD requires a lot of time for one to be available for all sessions. JAD sessions can be held offsite, comfortable surrounding with minimal distractions. One also has to be keen on the attendance and schedule the meeting where the participants can attend the conference (Kelly, 2013). One should not hold a session unless everyone can attend the sessions. Before the interview, it is also essential to practice problem- solving skills. Because many people are participating in the project, the organization's members are geographically scattered. Closed-ended questions and open-ended questions are the two sorts of questions that may be found in questionnaires. When many alternatives are mutually exclusive, the options are usually presented directly below the question in closed-ended questions. Content analysis is the study of huma n speech that has been recorded. It studies written materials such as newspaper articles and editorials, among other things (Rind, 2013). Some of the acceptable subjects for content analysis include who says what, how they say it, to whom they say it, and with what they say it, among others. It explains how issues are defined. An example is the media house covers a certain point about a certain state. With this, we can have coding, counting, and record keeping. Coding can be manifest versus latent content. An advantage of content analysis is the economy of time and money. It is also easy to repeat a portion of the study if necessary. It is also easier to redo if there is a problem. Analyzing existing statistics is another source of data. It can be either the main source of data or a supplemental source of data. Most of the time, data that exist does not cover the exact question. Therefore,
reliability is often dependent on the quality of the statistics. One of the main advantages of this method is that it is cheap, and scholars can verify your findings if they want since data is available to multiple users. References Rind, A., Wang, T. D., Aigner, W., Miksch, S., Wongsuphasawat, K., Plaisant, C., & Shneiderman, B. (2013). Interactive information visualization to explore and query electronic health records. Foundations and Trends in Human- Computer Interaction, 5(3), 207-298. Kelly, D., & Sugimoto, C. R. (2013). A systematic review of interactive information retrieval evaluation studies, 1967– 2006. Journal of the American Society for Information Science and Technology, 64(4), 745-770. QUESTION THREE A) Prototyping is the way to develop a system model. It quickly develops a functional model to test different parts of a design, show concepts or features and collect early feedback from users (Bødker, 2020). Prototyping is crucial since the issue area with stakeholders may be explored. Furthermore, the solution space may be explored in a system where the prospective basis for further system development is accessible. References Bødker, S., & Grønbæk, K. (2020). Design in action: From prototyping by demonstration to cooperative prototyping. In Design at work (pp. 197-218). CRC Press. B) They have reduced time and cost. When possible, changes are likely to occur in the system, changes are made early in the project; therefore, less time is wasted, and a more developed product will be produced at the end (Martelli, 2016). With this, the quality of the specifications and the requirements provided
by the customer are met. Therefore, mistakes cost you less at the prototyping stage than at the development stage. Improved and increased user involvement. For example, if the end-users are involved in the design and creation stages, the end product will be based on their specifications; this makes it easier for the end-user to want the system. Provides functionalities and interaction. A user may offer helpful input while developing prototype. A prototype may be created in weeks. As answers emerge, consumers feel more positive about process and outcomes. Additionally, prototyping can detect mistakes and omissions. References Martelli, N., Serrano, C., van den Brink, H., Pineau, J., Prognon, P., Borget, I., & El Batti, S. (2016). Advantages and disadvantages of 3-dimensional printing in surgery: a systematic review. Surgery, 159(6), 1485-1500. C) Time-consuming. Naturally, prototypes are designed to be developed quickly. If the developer decides to spend more time at the prototyping stage, time will elapse, and this will cause an increase in time spent at the developing stage and an increase in the cost of production. User confusion. Sometimes the customers may confuse the prototype for the end polished final product and may grow fond of some of the features present in the prototype and may not be present in the final product (Martelli, 2016). This confuses the customers after seeing the product. The developer misunderstands the user's intent. It is vital for any project's success that all stakeholders operate from the same set of ideas and objectives. Suppose buyers insist that the final product has all proposed prototype features. This might lead to team-to-mission conflicts. References Martelli, N., Serrano, C., van den Brink, H., Pineau, J., Prognon, P., Borget, I., & El Batti, S. (2016). Advantages and disadvantages of 3-dimensional printing in surgery: a systematic
review. Surgery, 159(6), 1485-1500. QUESTION FOUR A) System users, system owners, and analysts assemble in a single room for highly organized group sessions or mini retreats (Sensuse, 2020). Joint Application Design (JAD) is a method where highly organized group sessions or mini retreats including system users, system owners and analysts take place in a same room for a prolonged duration. JAD-like techniques are increasingly being utilized in system planning and system analysis to reach consensus on problems, goals, and requirements, among others (Nilson, 2020). It is more often called cooperative application development, which more appropriately represents the reality that it involves more than simply system design. Using JAD facilitators who have been trained in this manner, as well as specialized and prepared agendas, this is performed in order to aid the participant in arriving at complete and high- quality requirements. References Sensuse, D. I., Rochman, H. N., Al Hakim, S., & Winarni, W. (2020). Knowledge management system design method with joint application design (JAD) adoption. VINE Journal of Information and Knowledge Management Systems. Nilson, J. V. (2020). Developing a Local Acquisitions System Using the Joint Application Design (JAD) Process. B) The coordinated approach of bringing professionals and subject- matter experts together to deliberate in a structured and organized manner through JAD sessions saves valuable time, and the overall design and delivery schedules are improved as a result of this (Sensuse, 2020). Communication and actors who are not necessary are excluded from the discussion, which thoroughly reviews the business goals and formulates requirements that can be delivered quickly by the technology team.
Cost-cutting measures: In the end, the accelerated analysis of requirements, as well as the rapid design and efficient delivery, results in significant cost savings for the organization concerned. Improve your understanding: The careful selection of participants in the JAD sessions ensures that professionals can interact and provide a better understanding of the objectives and goals in relation to their skills and knowledge, even though product direction is frequently identified and suggested by business executives in many cases. References Sensuse, D. I., Rochman, H. N., Al Hakim, S., & Winarni, W. (2020). Knowledge management system design method with joint application design (JAD) adoption. VINE Journal of Information and Knowledge Management Systems. C) Time commitment is required. Depending on the scope of the project, a JAD may necessitate a significant investment of time on your part. To be a part of the JAD, all participants must be available to meet at the designated times and must put all other activities on hold during those times. Commitment on the part of JADs require that the organization has a clear understanding of the approach and guidelines that will be used. A firm commitment to this approach by AJAD is required for the organization to produce effective and productive results. Analysts of systems must always keep in mind that none of the techniques that they employ, including JAD, are foolproof methods of obtaining the information they seek. The requirements for a quality system serve as the foundation for the success of any project (Iqbal, 2019). Good requirements should be verifiable and attainable, and achieving this without the participation of the user is impossible. References Iqbal, A., Khan, I. A., & Jan, S. (2019, February). A Review and Comparison of the Traditional Collaborative and Online
Collaborative Techniques for Software Requirement Elicitation. In 2019 2nd International Conference on Advancements in Computational Sciences (ICACS) (pp. 1-8). IEEE. Mahamadou Diallo Page 2 of 2 Chapter 2 Risk Analysis Copyright © 2014 by McGraw-Hill Education. Introduction The objective of a security program is to mitigate risks. Mitigating risks does not mean eliminating them; it means reducing them to an acceptable level. What is being protected? What are the threats? Where are the weaknesses that may be exploited? Copyright © 2014 by McGraw-Hill Education.
Threat Definition Threat vectors Threat sources and targets Types of attacks Malicious mobile code Advanced Persistent Threats (APTs) Manual attacks Copyright © 2014 by McGraw-Hill Education. Threat Sources Insider threats should be an important consideration in any security program. Security professionals know that many real-world threats come from inside the organization, which is why just building a wall around your trusted interior is not good enough. Copyright © 2014 by McGraw-Hill Education. Threat VectorsSourcesThreatsTargetsEmployees Contractors Consultants System integrators Service providers Resellers
Vendors Cleaning staff Third-party support Competitors Insiders Terrorists Internet attackers Software Malware Software bugs Accidents Weather Natural causesTheft Loss Exposure Unauthorized changes Deletion (complete) Deletion (partial) Unauthorized addition Fraud Impersonation Harassment Espionage Denial of service Malfunction Corruption Misuse Errors Outages Physical hazards InjuryIntellectual property Trade secrets Personally identifiable information Protected health information Financial data Credit card numbers
Social Security numbers Documents Computers Peripherals Storage Networks Operating systems E-mail Voice communications Applications Privacy Productivity Health and safety A threat vector is a term used to describe where a threat originates and the path it takes to reach a target. Copyright © 2014 by McGraw-Hill Education. Types of Attacks Threats found in the real world Copyright © 2014 by McGraw-Hill Education. Types of Security Controls Preventative: Block security threats before they can exploit a vulnerability. Detective: Discover and provide notification of attacks or misuse when they happen. Deterrent: Stop people from wanting to violate policy.
Corrective: Restore the integrity of data or another asset. Recovery: Restore the availability of a service. Compensative: In a layered security strategy, provide protection even when another control fails. Copyright © 2014 by McGraw-Hill Education. Types of Attacks Malicious Mobile Code Computer viruses Computer worms e-mail worms Trojans Remote access Trojans Zombie Trojans and DDoS attacks Malicious HTML Advanced Persistent Threats (APTs) Manual Attacks Physical attacks Network-layer attacks Application-layer attacks Copyright © 2014 by McGraw-Hill Education. Malicious Mobile Code There are three generally recognized variants of malicious mobile code: viruses, worms, and Trojans. In addition, many malware programs have components that act like two or more of these types, which are called hybrid threats or mixed threats.
Lifecycle of malicious mobile code: Find Exploit Infect Repeat Copyright © 2014 by McGraw-Hill Education. Computer Viruses A virus is a self-replicating program that uses other host files or code to replicate. Anatomy of a Virus The damage routine of a virus (or really of any malware program) is called the payload. Payloads can be intentionally destructive, deleting files, corrupting data, copying confidential information, formatting hard drives, and removing security settings. Copyright © 2014 by McGraw-Hill Education. Types of Viruses If the virus overwrites the host code with its own code, effectively destroying much of the original content, it is called an overwriting virus. If the virus inserts itself into the host code, moving the original code around so the host programming still remains and is executed after the virus code, the virus is called a parasitic virus.
Viruses that copy themselves to the beginning of the file are called prepending viruses. Viruses that place themselves at the end of a file are called appending viruses. Viruses that appear in the middle of a host file are labeled mid- infecting viruses. Copyright © 2014 by McGraw-Hill Education. Example of an Overwriting Virus Copyright © 2014 by McGraw-Hill Education. Example of a Prepending Parasitic Virus Copyright © 2014 by McGraw-Hill Education. Computer Worms A computer worm uses its own coding to replicate, although it may rely on the existence of other related code to do so. The key to a worm is that it does not directly modify other host code to replicate. Copyright © 2014 by McGraw-Hill Education.
E-mail Worms Originates from e-mail The worm first modifies the PC in such a way that it makes sure it is always loaded into memory when the machine starts. Then it looks for additional e-mail addresses to send itself to. Copyright © 2014 by McGraw-Hill Education. Trojans Trojan horse programs, or Trojans, work by posing as legitimate programs that are activated by an unsuspecting user. Copyright © 2014 by McGraw-Hill Education. Remote Access Trojans A RAT becomes a back door into the compromised system and allows the remote attacker to do virtually anything he or she wants to the compromised PC. Copyright © 2014 by McGraw-Hill Education. Zombie Trojans
Zombie Trojans infect a host and wait for their originating attacker’s commands telling them to attack other hosts. Copyright © 2014 by McGraw-Hill Education. Malicious HTML Pure HTML coding can be malicious when it breaks browser security zones or when it can access local system files. Copyright © 2014 by McGraw-Hill Education. Advanced Persistent Threats (APTs) The use of sophisticated malware for targeted cybercrime is known as advanced persistent threats (APTs). Usually targeted at businesses and governments Begins with a simple malware attack. “Phones home” to download further malware—reaches out to a command and control server (CnC server) to bring down rootkits, Trojans, RATs, and other sophisticated malware. The RATs open up connections to their CnC servers to be used by their human controllers. Copyright © 2014 by McGraw-Hill Education.
Manual Attacks Typical Attacker Scenarios Port-scanning a particular IP subnet, looking for open TCP/IP ports Attempting to identify the host or service by using fingerprinting mechanisms Attempting to compromise the system in such a way as to gain the highest privileged access to the computer Copyright © 2014 by McGraw-Hill Education. Physical Attacks If an attacker can physically access a computer, it’s game over. Copyright © 2014 by McGraw-Hill Education. Network-Layer Attacks Packet Sniffing =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+= 08/02-12:00:44 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43 x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53973 IpLen:20 DgmLen:53 DF ***AP*** Seq: 0x1C88EB9C Ack: 0xF308B9B7 Win: 0xFFCD TcpLen: 20 55 53 45 52 20 72 6F 67 65 72 67 0D 0A USER rogerg.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+= =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
+=+=+=+=+=+=+=+= 08/02-12:00:46 0:60:8:26:85:D- >0:40:10:C:9D:D type:0x800 len:0x43 x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53978 IpLen:20 DgmLen:53 DF ***AP*** Seq: 0x1C88EBA9 Ack: 0xF308B9DA Win: 0xFFAA TcpLen: 20 50 41 53 53 20 70 61 72 72 6F 74 0D 0A PASS parrot.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+= Copyright © 2014 by McGraw-Hill Education. Protocol-Anomaly Attacks Network packets that do not follow the intended format and purpose of the protocol. The attacker can either compromise a remote host or network or compromise a confidential network data stream. Network-layer attacks are most often used to get past firewalls and to cause DoS attacks. Copyright © 2014 by McGraw-Hill Education. Application-Layer Attacks Content attacks Buffer overflows Password cracking P2P attacks Man-in-the-middle attacks ARP poisoning MAC flooding DHCP poisoning
DNS spoofing ICMP poisoning Wireless attacks Copyright © 2014 by McGraw-Hill Education. Risk Assessment Analyze and categorize the things to be protected and avoided. Facilitate the identification and prioritization of protective elements. Provide a means to measure the effectiveness of the overall security architecture. Copyright © 2014 by McGraw-Hill Education. The Definition of Risk Risk is the probability of an undesired event (a threat) exploiting a vulnerability to cause an undesired result to an asset. Risk = Probability (Threat + Exploit of Vulnerability) × Cost of Asset Damage Annualized Loss (ALE) = Single Loss (SLE) × Annualized Rate (ARO) Copyright © 2014 by McGraw-Hill Education.
Summary Threat definition and risk assessment are necessary to focus the security program on the areas that are most important and relevant to the environment. Threat definition should take into account threat vectors that represent the greatest potential harm. Many threat sources and targets need to be considered: Malicious mobile code Advanced persistent threats Manual attacks Once the threats are identified, risks should be analyzed. Risk is a combination of the threats, exploitation of vulnerabilities, and the resulting cost of damage. Based on this analysis, the proper defensive, detective, and deterrent controls can be applied. Copyright © 2014 by McGraw-Hill Education.

More Related Content

PPTX
IS Chap 1 by whitman chapter 1 pptx.pptx
sania82678
 
PPTX
Information security Chap 1 whitman.pptx
sania82678
 
DOCX
Ics 3210 information systems security and audit - edited
Nelson Kimathi
 
PPTX
03-15-2025UPDATED INFORMATION ASSURANCE.pptx
ROSARIEDELAPAZ
 
PDF
Solution Manual for Information Systems in Organizations by Wallace
glinneshiaa
 
DOCX
BBA 3551, Information Systems Management 1 Course Lea.docx
aryan532920
 
DOCX
Information Assurance Framework for Web Services .docx
jaggernaoma
 
PDF
1-Computer_Security_EENG-524_Lecture-01.pdf
Umarr Alie Sesay
 
IS Chap 1 by whitman chapter 1 pptx.pptx
sania82678
 
Information security Chap 1 whitman.pptx
sania82678
 
Ics 3210 information systems security and audit - edited
Nelson Kimathi
 
03-15-2025UPDATED INFORMATION ASSURANCE.pptx
ROSARIEDELAPAZ
 
Solution Manual for Information Systems in Organizations by Wallace
glinneshiaa
 
BBA 3551, Information Systems Management 1 Course Lea.docx
aryan532920
 
Information Assurance Framework for Web Services .docx
jaggernaoma
 
1-Computer_Security_EENG-524_Lecture-01.pdf
Umarr Alie Sesay
 

Similar to Chapter 1Information Security OverviewCopyright © 2014 by Mc (20)

PPT
Sad Lec3
Waqas !!!!
 
PDF
Industry program panel
Luxembourg Institute of Science and Technology
 
PDF
Industry program panel - SINCONF ACM
christophefeltus
 
PDF
For our discussion question, we focus on recent trends in security t.pdf
alokkesh
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
molicochoual
 
PDF
Security Level Analysis of Academic Information Systems Based on Standard ISO...
IJCSIS Research Publications
 
PDF
Availability
Sam Muthoka
 
PDF
Research Method EMBA chapter 12
Mazhar Poohlah
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
PPT
Bis Chapter15
Chun Hoi Lam
 
DOC
Take back your security infrastructure
Anton Chuvakin
 
PDF
820 1961-1-pb
Mohammed Mahfouz Alhassan
 
PDF
Paper Titled Information Security in an organization
Mohammed Mahfouz Alhassan
 
DOCX
Responses needed, a paragraph per bullet question (7-8 sentences).docx
ronak56
 
DOCX
Master of Computer Application (MCA) – Semester 4 MC0076
Aravind NC
 
PDF
Questions On Technical Design Decisions
Rikki Wright
 
PDF
Chapter 3 - Security Management Concepts & Principles.pdf
aishahmrawy
 
DOCX
Bsa 411 preview full class
fasthomeworkhelpdotcome
 
DOCX
1 question minimum 750 words and APA stylewell be focusing on.docx
oswald1horne84988
 
Sad Lec3
Waqas !!!!
 
Industry program panel
Luxembourg Institute of Science and Technology
 
Industry program panel - SINCONF ACM
christophefeltus
 
For our discussion question, we focus on recent trends in security t.pdf
alokkesh
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
molicochoual
 
Security Level Analysis of Academic Information Systems Based on Standard ISO...
IJCSIS Research Publications
 
Availability
Sam Muthoka
 
Research Method EMBA chapter 12
Mazhar Poohlah
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
Bis Chapter15
Chun Hoi Lam
 
Take back your security infrastructure
Anton Chuvakin
 
820 1961-1-pb
Mohammed Mahfouz Alhassan
 
Paper Titled Information Security in an organization
Mohammed Mahfouz Alhassan
 
Responses needed, a paragraph per bullet question (7-8 sentences).docx
ronak56
 
Master of Computer Application (MCA) – Semester 4 MC0076
Aravind NC
 
Questions On Technical Design Decisions
Rikki Wright
 
Chapter 3 - Security Management Concepts & Principles.pdf
aishahmrawy
 
Bsa 411 preview full class
fasthomeworkhelpdotcome
 
1 question minimum 750 words and APA stylewell be focusing on.docx
oswald1horne84988
 
Ad

More from EstelaJeffery653 (20)

DOCX
Individual ProjectMedical TechnologyWed, 9617Num.docx
EstelaJeffery653
 
DOCX
Individual ProjectThe Post-Watergate EraWed, 3817Numeric.docx
EstelaJeffery653
 
DOCX
Individual ProjectArticulating the Integrated PlanWed, 31.docx
EstelaJeffery653
 
DOCX
Individual Multilingualism Guidelines1)Where did the a.docx
EstelaJeffery653
 
DOCX
Individual Implementation Strategiesno new messagesObjectives.docx
EstelaJeffery653
 
DOCX
Individual Refine and Finalize WebsiteDueJul 02View m.docx
EstelaJeffery653
 
DOCX
Individual Cultural Communication Written Assignment  (Worth 20 of .docx
EstelaJeffery653
 
DOCX
Individual ProjectThe Basic Marketing PlanWed, 3117N.docx
EstelaJeffery653
 
DOCX
Individual ProjectFinancial Procedures in a Health Care Organiza.docx
EstelaJeffery653
 
DOCX
Individual Expanded Website PlanView more »Expand view.docx
EstelaJeffery653
 
DOCX
Individual Expanded Website PlanDueJul 02View more .docx
EstelaJeffery653
 
DOCX
Individual Communicating to Management Concerning Information Syste.docx
EstelaJeffery653
 
DOCX
Individual Case Analysis-MatavIn max 4 single-spaced total pag.docx
EstelaJeffery653
 
DOCX
Individual Assignment Report Format• Report should contain not m.docx
EstelaJeffery653
 
DOCX
Include LOCO api that allows user to key in an address and get the d.docx
EstelaJeffery653
 
DOCX
Include the title, the name of the composer (if known) and of the .docx
EstelaJeffery653
 
DOCX
include as many events as possible to support your explanation of th.docx
EstelaJeffery653
 
DOCX
Incorporate the suggestions that were provided by your fellow projec.docx
EstelaJeffery653
 
DOCX
inal ProjectDUE Jun 25, 2017 1155 PMGrade DetailsGradeNA.docx
EstelaJeffery653
 
DOCX
include 1page proposal- short introduction to research paper and yo.docx
EstelaJeffery653
 
Individual ProjectMedical TechnologyWed, 9617Num.docx
EstelaJeffery653
 
Individual ProjectThe Post-Watergate EraWed, 3817Numeric.docx
EstelaJeffery653
 
Individual ProjectArticulating the Integrated PlanWed, 31.docx
EstelaJeffery653
 
Individual Multilingualism Guidelines1)Where did the a.docx
EstelaJeffery653
 
Individual Implementation Strategiesno new messagesObjectives.docx
EstelaJeffery653
 
Individual Refine and Finalize WebsiteDueJul 02View m.docx
EstelaJeffery653
 
Individual Cultural Communication Written Assignment  (Worth 20 of .docx
EstelaJeffery653
 
Individual ProjectThe Basic Marketing PlanWed, 3117N.docx
EstelaJeffery653
 
Individual ProjectFinancial Procedures in a Health Care Organiza.docx
EstelaJeffery653
 
Individual Expanded Website PlanView more »Expand view.docx
EstelaJeffery653
 
Individual Expanded Website PlanDueJul 02View more .docx
EstelaJeffery653
 
Individual Communicating to Management Concerning Information Syste.docx
EstelaJeffery653
 
Individual Case Analysis-MatavIn max 4 single-spaced total pag.docx
EstelaJeffery653
 
Individual Assignment Report Format• Report should contain not m.docx
EstelaJeffery653
 
Include LOCO api that allows user to key in an address and get the d.docx
EstelaJeffery653
 
Include the title, the name of the composer (if known) and of the .docx
EstelaJeffery653
 
include as many events as possible to support your explanation of th.docx
EstelaJeffery653
 
Incorporate the suggestions that were provided by your fellow projec.docx
EstelaJeffery653
 
inal ProjectDUE Jun 25, 2017 1155 PMGrade DetailsGradeNA.docx
EstelaJeffery653
 
include 1page proposal- short introduction to research paper and yo.docx
EstelaJeffery653
 
Ad

Recently uploaded (20)

PDF
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
PPTX
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
PDF
FORM 1 BIOLOGY MIND MAPS and their schemes
arcade5
 
PDF
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
iliaskessaris
 
PPTX
Unit 4 Computer Architecture Multicore Processor.pptx
Gunasundari Selvaraj
 
PPTX
Core Concepts of Personalized Learning and Virtual Learning Environments
Dr. Bushra Sumaiya
 
PDF
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
sureshkumarsoni26
 
PDF
HVAC Specification 2024 according to central public works department
amitrobanipl
 
PDF
LEARNERS WITH ADDITIONAL NEEDS ProfEd Topic
Johnlloyd489543
 
PDF
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
PDF
Uderstanding digital marketing and marketing stratergie for engaging the digi...
afreenpeshmam
 
PDF
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
PPTX
What’s under the hood: Parsing standardized learning content for AI
Rustici Software
 
DOCX
Cambridge-Practice-Tests-for-IELTS-12.docx
ssuser0d93ff
 
PDF
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
PPTX
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
eyoba2172
 
PDF
English Textual Question & Ans (12th Class).pdf
javaidpaswal33
 
PDF
Skin Care and Cosmetic Ingredients Dictionary ( PDFDrive ).pdf
SahianAlondraPichard
 
PDF
Journal of Dental Science - UDMY (2021).pdf
Nay Aung
 
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
FORM 1 BIOLOGY MIND MAPS and their schemes
arcade5
 
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
iliaskessaris
 
Unit 4 Computer Architecture Multicore Processor.pptx
Gunasundari Selvaraj
 
Core Concepts of Personalized Learning and Virtual Learning Environments
Dr. Bushra Sumaiya
 
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
sureshkumarsoni26
 
HVAC Specification 2024 according to central public works department
amitrobanipl
 
LEARNERS WITH ADDITIONAL NEEDS ProfEd Topic
Johnlloyd489543
 
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
Uderstanding digital marketing and marketing stratergie for engaging the digi...
afreenpeshmam
 
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
What’s under the hood: Parsing standardized learning content for AI
Rustici Software
 
Cambridge-Practice-Tests-for-IELTS-12.docx
ssuser0d93ff
 
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
eyoba2172
 
English Textual Question & Ans (12th Class).pdf
javaidpaswal33
 
Skin Care and Cosmetic Ingredients Dictionary ( PDFDrive ).pdf
SahianAlondraPichard
 
Journal of Dental Science - UDMY (2021).pdf
Nay Aung
 

Chapter 1Information Security OverviewCopyright © 2014 by Mc

  • 1. Chapter 1 Information Security Overview Copyright © 2014 by McGraw-Hill Education. Introduction This chapter is about the philosophy and methodology that inform the core principles and practices of a successful and effective security program. It introduces the fundamentals of security, the importance of security and the best way to go about it, and focuses primarily on philosophies that underpin security. Copyright © 2014 by McGraw-Hill Education. The Importance of Information Protection Information is an important asset. The more information you have at your command, the better you can adapt to the world around you. In business, information is often one of the most important assets a company can possess. Information differentiates companies and provides leverage that helps one company become more successful than another.
  • 2. Copyright © 2014 by McGraw-Hill Education. Information Security Overview Key questions to ask before embarking on any security endeavor: What are you trying to protect? Why are you trying to protect it? How will you protect it? We cover some background information and axioms, ideologies, reasoning, values, and viewpoints you should keep in mind whenever you are considering security tools and techniques. Copyright © 2014 by McGraw-Hill Education. The Evolution of Information Security Copyright © 2014 by McGraw-Hill Education. Justifying Security Investment Business Agility Cost Reduction Portability
  • 3. By improving access to the information that drives its business, every company can expand its business influence on a global scale, regardless of the company’s size or location. Information, one of the most important assets a company can possess, is even more valuable when shared with those authorized to have it. Modern security practices provide information to those who need it without exposing it to those who should not have it. Copyright © 2014 by McGraw-Hill Education. Security Methodology The Three Ds of Security Defensive measures reduce the likelihood of a successful compromise of valuable assets, thereby lowering risk and potentially saving the expense of incidents that might otherwise not be avoided. Another aspect of security is detection. In order to react to a security incident, you first need to know about it. Deterrence is another aspect of security. It is considered to be an effective method of reducing the frequency of security compromises, and thereby the total loss due to security incidents. Copyright © 2014 by McGraw-Hill Education. How to Build a Security Program
  • 4. Authority Framework Assessment Planning Action Maintenance Begin with describing what is needed and why, and to proceed to define how it will be implemented, when, and using which particular methods. Copyright © 2014 by McGraw-Hill Education. The Impossible Job The job of the attacker is always easier than the job of the defender. The attacker needs only to find one weakness, while the defender must try to cover all possible vulnerabilities. The attacker has no rules—he can follow unusual paths, abuse the trust of the system, or resort to destructive practices. The defender must try to keep his assets intact, minimize damage, and keep costs down—like fighting off a horde of spider monkeys with only two arms. Copyright © 2014 by McGraw-Hill Education. The Weakest Link
  • 5. A security infrastructure will drive an attacker to the weakest link. The weakest link will attract the greatest number of attacks. Copyright © 2014 by McGraw-Hill Education. Business Processes vs. Technical Controls In security, there is no magic bullet. Business processes should determine the choice of tools, and the tools are used to facilitate the business processes—not the other way around. Before selecting security products, the business processes must be identified so that security products can be chosen that fit appropriately into the business environment. Copyright © 2014 by McGraw-Hill Education. Summary Security should solve specific problems consistent with clearly identified requirements. Security benefits business by reducing costs and creating new revenue opportunities. Security can be thought of in the context of the three Ds: Defense – reduces misuse and accidents Detection – provides visibility into good and bad activities Deterrence – discourages unwanted behavior
  • 6. Strategies are used to manage proactive security efforts, and tactics are used to manage reactive security efforts. Copyright © 2014 by McGraw-Hill Education. ITEC 630 MIDTERM EXAM ITEC 630 MIDTERM EXAM SUMMER 2021 Name: Mahamadou Diallo ITEC 630 Mahamadou Diallo University of Maryland Global Campus 6/27/2021 Name: Mahamadou Diallo QUESTION 1 The acquisition approach includes creating a new system from scratch. The new system being designed will contain features based on the user's interest or the person wishing to buy the system. Custom acquisition is more efficient than other approaches (Marcus, 2013). It takes advantage of the fact that it
  • 7. may employ current and updated technology to solve a company's challenges. With this, one may be creative in handling all the technological challenges and difficulties faced. One advantage of bespoke acquisition is that it improves an organization's technical abilities since one must engage with the system. This also makes organizational knowledge functional. Packaged acquisition method includes buying an already- customized system. Most businesses choose this as buying a system already built and tested is considerably easier and efficient. Unlike other system acquisition techniques, packaged system acquisition approach permits system modification and manipulation to modify how specific aspects function to meet the organization's needs and wishes. For example, bespoke add- on software that communicates with the bundled application is a workaround and can be produced for particular purposes. However, businesses that embrace packaged system purchases must accept the system's capabilities as they allow for modification. The outsourced system acquisition approach is the other market- common strategy. Acquisition strategy outsourced is outsourcing or engaging an external vendor to build and supply the system. Outsourcing businesses are usually called Application Service Providers (Ellis, 2014). One of the numerous advantages of an outsourced system purchase approach is its low entry cost and fast set-up time. However, when producing an outsourced system, the employer should speak with service providers to get the best out of the system since they must react to all their demands. An example of an outsourced system acquisition approach is when a company employs a service provider to run your applications but on your site. This strengthens the company by hiring a service provider specializing in your area of interest. References Ellis, R. (2014). Current cabled and cable-free seismic acquisition systems each have their own advantages and disadvantages–is it possible to combine the two? first
  • 8. break, 32(1). Marcus, S. (Ed.). (2013). Automating knowledge acquisition for expert systems (Vol. 57). Springer Science & Business Media. QUESTION TWO Interactive methods can be categorized as interviewing, collaborative interaction design, and surveying people. Interviewing is an important method of data collection since it relies on firsthand information collection. From interviews, one can reveal so much information about one's opinions since it will be based on facts, feelings since the discussion can easily tell the surfaces of the interviewee more carefully by listening to them. One can also say to the organization's goals. When conducting an interview, one should conduct a background check on the area of interest. This can be done by reading background material, corporate newspapers, and the organization's website. A variety of open-ended and closed-ended interview questions are asked over the course of the interview process. Questionnaires with open-ended responses allow the interviewee to reply to the questions in how they choose to respond to them. The major advantage of this sort of inquiry is that it puts the interviewee at ease, which allows them to react more confidently. When it comes to the closed-ended interview question, there is a limit to the number of replies that can be given. This is critical in the generation of accurate and trustworthy data that is simple to examine and interpret. The major advantage of this interview style is that it saves time and makes it simple to get straight to the subject. JAD is a technique that allows the analyst to do requirements analysis and design the user interface while working with users in a group environment rather than individually. This includes the project team members who are committed to the JAD, an executive sponsor who will introduce and conclude the session, users who attempt to articulate the information, observers who provide analytical and technical advice, a scribe who will formally record everything that is done, and a session leader
  • 9. who is well-versed in communications skills. The benefits of JAD are the rapid development of systems, and creative idea production is improved. With this, there is so much brainstorming, and this allows for creative idea production. It helps the users become involved in the early systems projects and treat their feedback seriously. However, JAD requires a lot of time for one to be available for all sessions. JAD sessions can be held offsite, comfortable surrounding with minimal distractions. One also has to be keen on the attendance and schedule the meeting where the participants can attend the conference (Kelly, 2013). One should not hold a session unless everyone can attend the sessions. Before the interview, it is also essential to practice problem- solving skills. Because many people are participating in the project, the organization's members are geographically scattered. Closed-ended questions and open-ended questions are the two sorts of questions that may be found in questionnaires. When many alternatives are mutually exclusive, the options are usually presented directly below the question in closed-ended questions. Content analysis is the study of huma n speech that has been recorded. It studies written materials such as newspaper articles and editorials, among other things (Rind, 2013). Some of the acceptable subjects for content analysis include who says what, how they say it, to whom they say it, and with what they say it, among others. It explains how issues are defined. An example is the media house covers a certain point about a certain state. With this, we can have coding, counting, and record keeping. Coding can be manifest versus latent content. An advantage of content analysis is the economy of time and money. It is also easy to repeat a portion of the study if necessary. It is also easier to redo if there is a problem. Analyzing existing statistics is another source of data. It can be either the main source of data or a supplemental source of data. Most of the time, data that exist does not cover the exact question. Therefore,
  • 10. reliability is often dependent on the quality of the statistics. One of the main advantages of this method is that it is cheap, and scholars can verify your findings if they want since data is available to multiple users. References Rind, A., Wang, T. D., Aigner, W., Miksch, S., Wongsuphasawat, K., Plaisant, C., & Shneiderman, B. (2013). Interactive information visualization to explore and query electronic health records. Foundations and Trends in Human- Computer Interaction, 5(3), 207-298. Kelly, D., & Sugimoto, C. R. (2013). A systematic review of interactive information retrieval evaluation studies, 1967– 2006. Journal of the American Society for Information Science and Technology, 64(4), 745-770. QUESTION THREE A) Prototyping is the way to develop a system model. It quickly develops a functional model to test different parts of a design, show concepts or features and collect early feedback from users (Bødker, 2020). Prototyping is crucial since the issue area with stakeholders may be explored. Furthermore, the solution space may be explored in a system where the prospective basis for further system development is accessible. References Bødker, S., & Grønbæk, K. (2020). Design in action: From prototyping by demonstration to cooperative prototyping. In Design at work (pp. 197-218). CRC Press. B) They have reduced time and cost. When possible, changes are likely to occur in the system, changes are made early in the project; therefore, less time is wasted, and a more developed product will be produced at the end (Martelli, 2016). With this, the quality of the specifications and the requirements provided
  • 11. by the customer are met. Therefore, mistakes cost you less at the prototyping stage than at the development stage. Improved and increased user involvement. For example, if the end-users are involved in the design and creation stages, the end product will be based on their specifications; this makes it easier for the end-user to want the system. Provides functionalities and interaction. A user may offer helpful input while developing prototype. A prototype may be created in weeks. As answers emerge, consumers feel more positive about process and outcomes. Additionally, prototyping can detect mistakes and omissions. References Martelli, N., Serrano, C., van den Brink, H., Pineau, J., Prognon, P., Borget, I., & El Batti, S. (2016). Advantages and disadvantages of 3-dimensional printing in surgery: a systematic review. Surgery, 159(6), 1485-1500. C) Time-consuming. Naturally, prototypes are designed to be developed quickly. If the developer decides to spend more time at the prototyping stage, time will elapse, and this will cause an increase in time spent at the developing stage and an increase in the cost of production. User confusion. Sometimes the customers may confuse the prototype for the end polished final product and may grow fond of some of the features present in the prototype and may not be present in the final product (Martelli, 2016). This confuses the customers after seeing the product. The developer misunderstands the user's intent. It is vital for any project's success that all stakeholders operate from the same set of ideas and objectives. Suppose buyers insist that the final product has all proposed prototype features. This might lead to team-to-mission conflicts. References Martelli, N., Serrano, C., van den Brink, H., Pineau, J., Prognon, P., Borget, I., & El Batti, S. (2016). Advantages and disadvantages of 3-dimensional printing in surgery: a systematic
  • 12. review. Surgery, 159(6), 1485-1500. QUESTION FOUR A) System users, system owners, and analysts assemble in a single room for highly organized group sessions or mini retreats (Sensuse, 2020). Joint Application Design (JAD) is a method where highly organized group sessions or mini retreats including system users, system owners and analysts take place in a same room for a prolonged duration. JAD-like techniques are increasingly being utilized in system planning and system analysis to reach consensus on problems, goals, and requirements, among others (Nilson, 2020). It is more often called cooperative application development, which more appropriately represents the reality that it involves more than simply system design. Using JAD facilitators who have been trained in this manner, as well as specialized and prepared agendas, this is performed in order to aid the participant in arriving at complete and high- quality requirements. References Sensuse, D. I., Rochman, H. N., Al Hakim, S., & Winarni, W. (2020). Knowledge management system design method with joint application design (JAD) adoption. VINE Journal of Information and Knowledge Management Systems. Nilson, J. V. (2020). Developing a Local Acquisitions System Using the Joint Application Design (JAD) Process. B) The coordinated approach of bringing professionals and subject- matter experts together to deliberate in a structured and organized manner through JAD sessions saves valuable time, and the overall design and delivery schedules are improved as a result of this (Sensuse, 2020). Communication and actors who are not necessary are excluded from the discussion, which thoroughly reviews the business goals and formulates requirements that can be delivered quickly by the technology team.
  • 13. Cost-cutting measures: In the end, the accelerated analysis of requirements, as well as the rapid design and efficient delivery, results in significant cost savings for the organization concerned. Improve your understanding: The careful selection of participants in the JAD sessions ensures that professionals can interact and provide a better understanding of the objectives and goals in relation to their skills and knowledge, even though product direction is frequently identified and suggested by business executives in many cases. References Sensuse, D. I., Rochman, H. N., Al Hakim, S., & Winarni, W. (2020). Knowledge management system design method with joint application design (JAD) adoption. VINE Journal of Information and Knowledge Management Systems. C) Time commitment is required. Depending on the scope of the project, a JAD may necessitate a significant investment of time on your part. To be a part of the JAD, all participants must be available to meet at the designated times and must put all other activities on hold during those times. Commitment on the part of JADs require that the organization has a clear understanding of the approach and guidelines that will be used. A firm commitment to this approach by AJAD is required for the organization to produce effective and productive results. Analysts of systems must always keep in mind that none of the techniques that they employ, including JAD, are foolproof methods of obtaining the information they seek. The requirements for a quality system serve as the foundation for the success of any project (Iqbal, 2019). Good requirements should be verifiable and attainable, and achieving this without the participation of the user is impossible. References Iqbal, A., Khan, I. A., & Jan, S. (2019, February). A Review and Comparison of the Traditional Collaborative and Online
  • 14. Collaborative Techniques for Software Requirement Elicitation. In 2019 2nd International Conference on Advancements in Computational Sciences (ICACS) (pp. 1-8). IEEE. Mahamadou Diallo Page 2 of 2 Chapter 2 Risk Analysis Copyright © 2014 by McGraw-Hill Education. Introduction The objective of a security program is to mitigate risks. Mitigating risks does not mean eliminating them; it means reducing them to an acceptable level. What is being protected? What are the threats? Where are the weaknesses that may be exploited? Copyright © 2014 by McGraw-Hill Education.
  • 15. Threat Definition Threat vectors Threat sources and targets Types of attacks Malicious mobile code Advanced Persistent Threats (APTs) Manual attacks Copyright © 2014 by McGraw-Hill Education. Threat Sources Insider threats should be an important consideration in any security program. Security professionals know that many real-world threats come from inside the organization, which is why just building a wall around your trusted interior is not good enough. Copyright © 2014 by McGraw-Hill Education. Threat VectorsSourcesThreatsTargetsEmployees Contractors Consultants System integrators Service providers Resellers
  • 16. Vendors Cleaning staff Third-party support Competitors Insiders Terrorists Internet attackers Software Malware Software bugs Accidents Weather Natural causesTheft Loss Exposure Unauthorized changes Deletion (complete) Deletion (partial) Unauthorized addition Fraud Impersonation Harassment Espionage Denial of service Malfunction Corruption Misuse Errors Outages Physical hazards InjuryIntellectual property Trade secrets Personally identifiable information Protected health information Financial data Credit card numbers
  • 17. Social Security numbers Documents Computers Peripherals Storage Networks Operating systems E-mail Voice communications Applications Privacy Productivity Health and safety A threat vector is a term used to describe where a threat originates and the path it takes to reach a target. Copyright © 2014 by McGraw-Hill Education. Types of Attacks Threats found in the real world Copyright © 2014 by McGraw-Hill Education. Types of Security Controls Preventative: Block security threats before they can exploit a vulnerability. Detective: Discover and provide notification of attacks or misuse when they happen. Deterrent: Stop people from wanting to violate policy.
  • 18. Corrective: Restore the integrity of data or another asset. Recovery: Restore the availability of a service. Compensative: In a layered security strategy, provide protection even when another control fails. Copyright © 2014 by McGraw-Hill Education. Types of Attacks Malicious Mobile Code Computer viruses Computer worms e-mail worms Trojans Remote access Trojans Zombie Trojans and DDoS attacks Malicious HTML Advanced Persistent Threats (APTs) Manual Attacks Physical attacks Network-layer attacks Application-layer attacks Copyright © 2014 by McGraw-Hill Education. Malicious Mobile Code There are three generally recognized variants of malicious mobile code: viruses, worms, and Trojans. In addition, many malware programs have components that act like two or more of these types, which are called hybrid threats or mixed threats.
  • 19. Lifecycle of malicious mobile code: Find Exploit Infect Repeat Copyright © 2014 by McGraw-Hill Education. Computer Viruses A virus is a self-replicating program that uses other host files or code to replicate. Anatomy of a Virus The damage routine of a virus (or really of any malware program) is called the payload. Payloads can be intentionally destructive, deleting files, corrupting data, copying confidential information, formatting hard drives, and removing security settings. Copyright © 2014 by McGraw-Hill Education. Types of Viruses If the virus overwrites the host code with its own code, effectively destroying much of the original content, it is called an overwriting virus. If the virus inserts itself into the host code, moving the original code around so the host programming still remains and is executed after the virus code, the virus is called a parasitic virus.
  • 20. Viruses that copy themselves to the beginning of the file are called prepending viruses. Viruses that place themselves at the end of a file are called appending viruses. Viruses that appear in the middle of a host file are labeled mid- infecting viruses. Copyright © 2014 by McGraw-Hill Education. Example of an Overwriting Virus Copyright © 2014 by McGraw-Hill Education. Example of a Prepending Parasitic Virus Copyright © 2014 by McGraw-Hill Education. Computer Worms A computer worm uses its own coding to replicate, although it may rely on the existence of other related code to do so. The key to a worm is that it does not directly modify other host code to replicate. Copyright © 2014 by McGraw-Hill Education.
  • 21. E-mail Worms Originates from e-mail The worm first modifies the PC in such a way that it makes sure it is always loaded into memory when the machine starts. Then it looks for additional e-mail addresses to send itself to. Copyright © 2014 by McGraw-Hill Education. Trojans Trojan horse programs, or Trojans, work by posing as legitimate programs that are activated by an unsuspecting user. Copyright © 2014 by McGraw-Hill Education. Remote Access Trojans A RAT becomes a back door into the compromised system and allows the remote attacker to do virtually anything he or she wants to the compromised PC. Copyright © 2014 by McGraw-Hill Education. Zombie Trojans
  • 22. Zombie Trojans infect a host and wait for their originating attacker’s commands telling them to attack other hosts. Copyright © 2014 by McGraw-Hill Education. Malicious HTML Pure HTML coding can be malicious when it breaks browser security zones or when it can access local system files. Copyright © 2014 by McGraw-Hill Education. Advanced Persistent Threats (APTs) The use of sophisticated malware for targeted cybercrime is known as advanced persistent threats (APTs). Usually targeted at businesses and governments Begins with a simple malware attack. “Phones home” to download further malware—reaches out to a command and control server (CnC server) to bring down rootkits, Trojans, RATs, and other sophisticated malware. The RATs open up connections to their CnC servers to be used by their human controllers. Copyright © 2014 by McGraw-Hill Education.
  • 23. Manual Attacks Typical Attacker Scenarios Port-scanning a particular IP subnet, looking for open TCP/IP ports Attempting to identify the host or service by using fingerprinting mechanisms Attempting to compromise the system in such a way as to gain the highest privileged access to the computer Copyright © 2014 by McGraw-Hill Education. Physical Attacks If an attacker can physically access a computer, it’s game over. Copyright © 2014 by McGraw-Hill Education. Network-Layer Attacks Packet Sniffing =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+= 08/02-12:00:44 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43 x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53973 IpLen:20 DgmLen:53 DF ***AP*** Seq: 0x1C88EB9C Ack: 0xF308B9B7 Win: 0xFFCD TcpLen: 20 55 53 45 52 20 72 6F 67 65 72 67 0D 0A USER rogerg.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+= =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
  • 24. +=+=+=+=+=+=+=+= 08/02-12:00:46 0:60:8:26:85:D- >0:40:10:C:9D:D type:0x800 len:0x43 x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53978 IpLen:20 DgmLen:53 DF ***AP*** Seq: 0x1C88EBA9 Ack: 0xF308B9DA Win: 0xFFAA TcpLen: 20 50 41 53 53 20 70 61 72 72 6F 74 0D 0A PASS parrot.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+= Copyright © 2014 by McGraw-Hill Education. Protocol-Anomaly Attacks Network packets that do not follow the intended format and purpose of the protocol. The attacker can either compromise a remote host or network or compromise a confidential network data stream. Network-layer attacks are most often used to get past firewalls and to cause DoS attacks. Copyright © 2014 by McGraw-Hill Education. Application-Layer Attacks Content attacks Buffer overflows Password cracking P2P attacks Man-in-the-middle attacks ARP poisoning MAC flooding DHCP poisoning
  • 25. DNS spoofing ICMP poisoning Wireless attacks Copyright © 2014 by McGraw-Hill Education. Risk Assessment Analyze and categorize the things to be protected and avoided. Facilitate the identification and prioritization of protective elements. Provide a means to measure the effectiveness of the overall security architecture. Copyright © 2014 by McGraw-Hill Education. The Definition of Risk Risk is the probability of an undesired event (a threat) exploiting a vulnerability to cause an undesired result to an asset. Risk = Probability (Threat + Exploit of Vulnerability) × Cost of Asset Damage Annualized Loss (ALE) = Single Loss (SLE) × Annualized Rate (ARO) Copyright © 2014 by McGraw-Hill Education.
  • 26. Summary Threat definition and risk assessment are necessary to focus the security program on the areas that are most important and relevant to the environment. Threat definition should take into account threat vectors that represent the greatest potential harm. Many threat sources and targets need to be considered: Malicious mobile code Advanced persistent threats Manual attacks Once the threats are identified, risks should be analyzed. Risk is a combination of the threats, exploitation of vulnerabilities, and the resulting cost of damage. Based on this analysis, the proper defensive, detective, and deterrent controls can be applied. Copyright © 2014 by McGraw-Hill Education.