Lecture 2: Need for Security


Principles of Information Security

Sixth Edition

Chapter 2
Need for Security
Learning Objectives

• Upon completion of this material, you should be able to:
– Discuss the organizational need for information security
– Explain why a successful information security program is the shared
responsibility of an organization’s three communities of interest
– List and describe the threats posed to information security and common attacks
associated with those threats
– List the common development failures and errors that result from poor software
security efforts

2 Introduction to Information Security, Abu Sayed Md. Mostafizur Rahaman, PhD


Introduction

Data: Items of fact collected by an organization. Data includes raw numbers, facts, and words. Student
quiz scores are a simple example of data

Information: Data that has been organized, structured, and presented to provide additional insight
into its context, worth, and usefulness. For example, a student class average can be presented in the
context of its value, as in “90 = A”

Information asset: The focus of information security; information that has value to the organization,
and the systems that store, process, and transmit that information.

Media: As a subset of information assets, the systems and networks that store, process, and transmit
information.



Introduction (Cont.)

• The primary mission of an information security program is to ensure information assets remain safe and useful.
• If no threats existed, resources could be used exclusively to improve systems that contain, use, and transmit information.
• Finally, the threat of attacks on information systems is a constant concern.



Business Needs First

• Information security performs four important functions for an organization:
– Protecting the organization’s ability to function
– Protecting the data and information the organization collects and uses
– Enabling the safe operation of applications running on the organization’s
IT systems
– Safeguarding the organization’s technology assets



1-Protecting the Functionality of an Organization

• The three communities of interest:
– general management,
– IT management, and
– information security management
are each responsible for facilitating the information security program that protects the
organization’s ability to function.
• Communities of interest should address information security in terms of business
impact and cost of business interruption rather than isolating security as a
technical problem.



2-Protecting Data That Organizations Collect and Use

• Data security: Commonly used as a surrogate for information security, data security is the
focus of protecting data or information in its various states: at rest (in storage), in processing,
and in transmission (over networks)
• Database: A collection of related data stored in a structured form and usually
managed by a database management system
• Database security: A subset of information security that focuses on the assessment
and protection of information stored in data repositories like database management
systems and storage media
• Without data, an organization loses its record of transactions and ability to deliver
value to customers.
• Protecting data in transmission, in processing, and at rest (storage) is a critical
aspect of information security.
3-Enabling the Safe Operation of Applications

• Organizations need environments that safeguard applications using IT systems, particularly
those that are important elements of organization infrastructure:
– operating system platforms, certain operational applications, electronic mail (e-mail), and
instant messaging (IM)
• Management must continue to oversee infrastructure once in place—not relegate
to IT department.



4-Safeguarding Technology Assets in Organizations

• Organizations must employ secure infrastructure hardware appropriate to the size and scope of
the enterprise.
• Additional security services may be needed as the organization grows.
• More robust solutions should replace security programs the organization has
outgrown.
• An example of a robust solution is a commercial-grade,
– unified security architecture device complete with intrusion detection and
prevention systems,
– public key infrastructure (PKI), and
– virtual private network (VPN) capabilities.



Threats and Attacks

• Threat: A potential risk to an asset’s loss of value.
• Attack: An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it.
• Exploit: A technique used to compromise a system.
• Vulnerability: A potential weakness in an asset or its defensive control system(s).
• Management must be informed about the various threats to an organization’s people,
applications, data, and information systems.
• Overall security is improving, but so is the number of potential hackers.



Figure 2-1 World Internet usage

Internet usage and world population estimates are as of July 20, 2020
Statistics of threats and attacks to information security.
• Several studies in recent years have examined the threats and attacks to
information security. One of the most recent studies found that 67.1 percent of
responding organizations suffered malware infections.
• More than 98 percent of responding organizations identified malware attacks as a
threat, with 58.7 percent indicating they were a significant or severe threat.
• Malware was identified as the second-highest threat source behind electronic
phishing/spoofing.



Rated Threats from Internal Sources to Information Protection



Rated Threats from External Sources to Information Protection



The 12 Categories of Threats to Information Security

Category of threat: attack examples
Compromises to intellectual property: Piracy, copyright infringement
Deviations in quality of service: Internet service provider (ISP), power, or WAN service problems
Espionage or trespass: Unauthorized access and/or data collection
Forces of nature: Fire, floods, earthquakes, lightning
Human error or failure: Accidents, employee mistakes
Information extortion: Blackmail, information disclosure
Sabotage or vandalism: Destruction of systems or information
Software attacks: Viruses, worms, macros, denial of service
Technical hardware failures or errors: Equipment failure
Technical software failures or errors: Bugs, code problems, unknown loopholes
Technological obsolescence: Antiquated or outdated technologies
Theft: Illegal confiscation of equipment or information



1-Compromises to Intellectual Property
• Intellectual property (IP): the creation, ownership, and control of original ideas as well as the
representation of those ideas. For example, use of some IP may require specific payments before a
song can be used in a movie or before the distribution of a photo in a publication.
• IP is protected by copyright law and other laws, which require the acquisition of permission for
its use, as specified in those laws.
• The most common IP breaches involve software piracy.
• Software piracy: The unauthorized duplication, installation, or distribution of copyrighted
computer software, which is a violation of intellectual property



2-Deviations in Quality of Service

• Information system depends on the successful operation of many interdependent support systems.
• Internet service, communications, and power irregularities dramatically affect the availability of
information and systems.
• Availability disruption: An interruption in service, usually from a service provider, which causes
an adverse event within an organization.
• Internet service issues:
– Internet service provider (ISP) failures can considerably undermine the availability of
information.
– An outsourced Web hosting provider assumes responsibility for all Internet services as well as
for the hardware and Web site operating system software. These Web hosting services are usually
arranged with a service level agreement (SLA).



2-Deviations in Quality of Service

• Service level agreement (SLA): A document or part of a document that specifies the expected
level of service from a service provider. An SLA usually contains provisions for minimum
acceptable availability and penalties for downtime.
• Vendors may promote high availability or uptime (or low downtime)
• Downtime: The percentage of time a particular service is not available; the opposite of uptime
• Uptime: The percentage of time a particular service is available; the opposite of downtime



2-Deviations in Quality of Service

• Communications and other service provider issues
– Other utility services affect organizations: telephone, water, wastewater, trash
pickup.
– Loss of these services can affect an organization’s ability to function.
• Power irregularities
– Are commonplace
– Lead to fluctuations such as power shortages and power losses
– Sensitive electronic equipment vulnerable to and easily damaged/destroyed by
fluctuations



3-Espionage or Trespass
• When an unauthorized person gains access to information an organization is trying to protect, the
act is categorized as espionage or trespass.
• Competitive intelligence: The collection and analysis of information about an organization’s
business competitors through legal and ethical means to gain business intelligence and
competitive advantage.
• Industrial espionage: The collection and analysis of information about an organization’s
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage. Also known as corporate spying.
• Shoulder surfing: An example of industrial espionage that can occur anywhere a person accesses
confidential information. Instances of shoulder surfing occur at computer terminals, desks, and
ATMs; on a bus, airplane, or subway.



Escalation of Privileges
• Once an attacker gains access to a system, the next step is to increase his or her
privileges.
• Privilege escalation: The unauthorized modification of an authorized or unauthorized
system user account to gain advanced access and control over the system.
• Jailbreaking: Escalating privileges to gain administrator-level or root access control over
a smartphone operating system (typically associated with Apple iOS smartphones).
• Rooting: Escalating privileges to gain administrator-level control over a computer system
(including smartphones). Typically associated with Android OS smartphones



Hacker Variants
• Cracker: A hacker who intentionally removes or bypasses software copyright
protection designed to prevent unauthorized duplication or use.
• The term cracker is now commonly associated with software copyright bypassing
and password decryption. With the removal of the copyright protection, software
can be easily distributed and installed. With the decryption of user passwords
from stolen system files, user accounts can be illegally accessed
• Phreaker: A hacker who manipulates the public telephone system to make free
calls or disrupt services.



Password attacks
• Password attacks fall under the category of espionage or trespass.
• Cracking: Attempting to remove or bypass a password or other access control protection, such
as the copyright protection on software.
• There are several alternative approaches to password cracking:
– Brute force
– Dictionary
– Rainbow tables
– Social engineering



Password attacks
• Brute force: An attempt to guess a password by attempting every possible
combination of characters and numbers in it.
• Password rule: An industry recommendation for password structure and strength that specifies
passwords should be at least 10 characters long and contain at least one uppercase letter, one
lowercase letter, one number, and one special character
• Dictionary password attack: A variation of the brute force password attack that
attempts to narrow the range of possible passwords guessed by using a list of
common passwords and possibly including attempts based on the target’s
personal information.



Password attacks
• Rainbow table: A table of hash values and their corresponding plaintext values
that can be used to look up password values if an attacker can steal a system’s
encrypted password file.
• Social engineering: The process of using social skills to convince people to
reveal access credentials or other valuable information to an attacker.
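As an added worked example (not from the textbook), the storage-side view of the rainbow-table attack defined above: a stolen file of unsalted hashes falls to a precomputed hash-to-plaintext lookup, while a per-user random salt and an iterated KDF (PBKDF2 here) make that precomputation useless. The wordlist and account records are constructed for illustration.

```python
# Added example (not from the textbook): why a stolen file of *unsalted* password
# hashes falls to a precomputed hash -> plaintext table (the idea behind a rainbow
# table), and why a per-user random salt with an iterated KDF defeats that
# precomputation. The wordlist and the two account records are constructed.
import hashlib
import hmac
import os

# Constructed stand-in for the short list of common passwords an attacker precomputes.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2020!"]


def unsalted_hash(password: str) -> str:
    """Legacy storage: one fast, unsalted hash. Identical passwords -> identical records."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Computed once, reused against every stolen file that uses the same scheme."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def recover_from_table(table: dict, stored_hash: str):
    """A dictionary lookup: no hashing work per victim account."""
    return table.get(stored_hash)


def new_salt() -> bytes:
    """16 bytes from the OS CSPRNG; a fresh value for every account."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened storage: per-user salt plus PBKDF2-HMAC-SHA256 with a work factor."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Two accounts with the same weak password, stored under each scheme."""
    table = build_lookup_table(COMMON_PASSWORDS)
    legacy_record = unsalted_hash("letmein")
    hardened_record = salted_hash("letmein", new_salt())
    return {
        # The precomputed table answers instantly for the legacy record...
        "unsalted_recovered": recover_from_table(table, legacy_record),
        # ...but says nothing about the salted one: the table would have to be
        # rebuilt per salt, at 100,000 hash iterations per candidate.
        "salted_recovered": recover_from_table(table, hardened_record),
        # The same password stored for another user yields a different record.
        "same_password_distinct": salted_hash("letmein", new_salt()) != hardened_record,
        "login_ok": verify_salted("letmein", hardened_record),
        "login_wrong": verify_salted("letmein1", hardened_record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```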



Table 2-6 Password Power (1 of 2)
Case-Insensitive Passwords Using a Standard Alphabet Set (No Numbers or Special Characters)



Table 2-6 Password Power (2 of 2)
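As an added worked example (not from the textbook), the arithmetic behind a "password power" table of this kind: how alphabet size and password length set the search space a brute-force attack must cover, and what that means in time. The four alphabets map to the character classes of the password rule on the previous slide; the guess rate of 10 billion per second is an assumption for illustration, not a figure from the slides.

```python
# Added example (not from the textbook): how password length and alphabet size
# set the size of the search space a brute-force attack has to cover, in the
# spirit of Table 2-6 "Password Power". The guess rate below is an assumption
# chosen for illustration, not a figure from the slides.
from math import log2

LOWER = 26          # case-insensitive letters only (the Table 2-6 (1 of 2) case)
MIXED = 52          # upper- and lower-case letters
MIXED_DIGITS = 62   # letters plus digits
FULL = 94           # all printable ASCII: letters, digits and special characters


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(combinations: int, guesses_per_second: int) -> float:
    """Worst case for an attacker who must try every combination."""
    return combinations / guesses_per_second


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit that is at least one whole."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def power_table(lengths, alphabets, guesses_per_second):
    """Rows of (length, alphabet label, combinations, bits of entropy, worst-case time)."""
    rows = []
    for length in lengths:
        for label, size in alphabets.items():
            combos = keyspace(size, length)
            worst = human_duration(seconds_to_exhaust(combos, guesses_per_second))
            rows.append((length, label, combos, log2(combos), worst))
    return rows


if __name__ == "__main__":
    ASSUMED_RATE = 10_000_000_000   # assumed offline cracking rate: 1e10 guesses/s
    alphabets = {"a-z": LOWER, "a-zA-Z": MIXED, "a-zA-Z0-9": MIXED_DIGITS, "94 printable": FULL}
    print(f"{'len':>3} {'alphabet':<13} {'combinations':>24} {'bits':>6}  worst case at 1e10/s")
    for length, label, combos, bits, worst in power_table((8, 10, 12), alphabets, ASSUMED_RATE):
        print(f"{length:>3} {label:<13} {combos:>24,} {bits:>6.1f}  {worst}")
```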



4- Forces of Nature
• Forces of nature can present some of the most dangerous threats.
• They disrupt not only individual lives but also the storage, transmission, and use of information.
• Organizations must implement controls to limit damage and prepare contingency plans for continued
operations.
– Fire
– Flood
– Earthquakes
– Lightning
– Landslides or mudslides
– Tornados and hurricanes.
– Tsunamis
– etc.
5-Human Error or Failure

• Includes acts performed without malicious intent or in ignorance
• Causes include:
– Inexperience
– Improper training
– Incorrect assumptions
• Employees are among the greatest threats to an organization’s data



5-Human Error or Failure

• Employee mistakes can easily lead to:
– Revelation of classified data
– Accidental data deletion or modification
– Data storage in unprotected areas
– Failure to protect information
• Many of these threats can be prevented with training, ongoing
awareness activities, and controls
• Social engineering uses social skills to convince people to reveal
access credentials or other valuable information to an attacker
Social Engineering
• Advance-fee fraud: A form of social engineering, typically conducted via e-mail, in
which an organization or some third party indicates that the recipient is due an amount of
money and needs only a small advance fee or personal banking information to facilitate
the transfer.
• Phishing: A form of social engineering in which the attacker provides what appears to be
legitimate communication (usually e-mail), but it contains hidden or embedded code that
redirects the reply to a third-party site to extract personal or confidential information
• Spear phishing: Any highly targeted phishing attack.
• Pretexting: The attacker pretends to be an authority figure who needs information to confirm
the target’s identity, but the real object is to trick the target into revealing confidential
information. Pretexting is commonly performed by telephone.



6-Information Extortion
• Information extortion: The act of an attacker or trusted insider who steals or
interrupts access to information from a computer system and demands
compensation for its return or for an agreement not to disclose the information.
– Commonly done in credit card number theft
• Ransomware: Computer software specifically designed to identify and encrypt
valuable information in a victim’s system to extort payment for the key needed to
unlock the encryption



7-Sabotage or Vandalism
• Threats can range from petty vandalism to organized sabotage.
• Website defacing can erode consumer confidence, diminishing an organization’s sales, net worth,
and reputation.
• Hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations,
policies, or actions of an organization or government agency
• Cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or
Internet pathways



8-Software Attacks
• Software attacks occur when an individual or a group designs and deploys
software to attack a system.
• Types of attacks include:
– Malware (malicious code): It includes the execution of viruses, worms, Trojan
horses, and active Web scripts with the intent to destroy or steal information.
  – Virus: It consists of code segments that attach to existing programs and take
control of access to the targeted computer.
  – Worms: They replicate themselves until they fill available resources such as
memory and hard drive space.
  – Trojan horses: malware disguised as helpful, interesting, or necessary pieces
of software.



8-Software Attacks
• Polymorphic threat: Malware (a virus or worm) that over time changes the
way it appears to antivirus software programs, making it undetectable by
techniques that look for preconfigured signatures.
• Virus and worm hoaxes: nonexistent malware that employees waste time
spreading awareness about.
• Zero-day attack: An attack that makes use of malware that is not yet known by
anti-malware software companies.
• Adware: Malware intended to provide undesired marketing and advertising,
including popups and banners on a user’s screens.
• Spyware: Any technology that aids in gathering information about people or
organizations without their knowledge.



8-Software Attacks

• Virus: A type of malware that is attached to other executable programs. When activated, it
replicates and propagates itself to multiple systems, spreading by multiple communications
vectors. For example, a virus might send copies of itself to all users in the infected system’s e-mail
program. Viruses can be classified by how they spread themselves:
– Macro virus: A type of virus written in a specific macro language to target applications that use the
language. The virus is activated when the application’s product is opened. A macro virus typically affects
documents, slideshows, e-mails, or spreadsheets created by office suite applications.
– Memory-resident virus: A virus capable of reactivating when the computer is booted and continuing its
actions until the system is shut down



8-Software Attacks
• Back door: gaining access to system or network using known or previously
unknown/newly discovered access mechanism.
• Denial-of-service (DoS): An attacker sends a large number of connection or
information requests to a target.
• The target system becomes overloaded and cannot respond to legitimate requests for
service.
• It may result in system crash or inability to perform ordinary functions.
• Distributed denial-of-service (DDoS): A form of DoS attack in which a
coordinated stream of requests is launched against a target from many locations at
the same time using bots or zombies
• Bot: An abbreviation of robot; an automated software program that executes certain
commands when it receives a specific input.



8-Software Attacks
• Email Attacks:
• Spam: Undesired e-mail, typically commercial advertising.
• Mail bomb: An attack designed to overwhelm the receiver with excessive
quantities of e-mail; a form of DoS.
• Communications Interception Attacks:
• Packet sniffer: It monitors data traveling over a network; it can be used both
for legitimate management purposes and for stealing information from a
network
• Spoofing: A technique for gaining unauthorized access to computers using a
forged or modified source IP address to give the perception that messages are
coming from a trusted host.
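As an added example (not from the textbook), the standard network-edge control against the forged source addresses described under spoofing: ingress filtering drops packets arriving from the Internet that claim an address the network itself owns, and egress filtering drops outbound packets whose source the network does not own. The interface names, address ranges and sample packets are constructed assumptions.

```python
# Added example (not from the textbook): ingress and egress filtering, the
# usual network-edge control against the forged source addresses used in IP
# spoofing. A packet arriving from the Internet that claims an internal or
# locally owned source, or a packet leaving with a source the network does not
# own, is dropped. Interface names, address ranges and packets are constructed.
import ipaddress

INTERNAL = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
OWN_PUBLIC = ipaddress.ip_network("203.0.113.0/24")     # constructed: the range we announce
# Sources that should never appear as a legitimate remote peer.
BOGONS = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def filter_decision(interface: str, src: str):
    """Return (verdict, reason) for a packet with source `src` seen on `interface`."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, BOGONS):
        return "drop", "bogon source address"
    if interface == "wan":                     # traffic arriving from the Internet
        if in_any(addr, INTERNAL) or addr in OWN_PUBLIC:
            return "drop", "spoofed: our own address range arriving from outside"
        return "accept", "external source on the external interface"
    if interface == "lan":                     # traffic leaving toward the Internet
        if in_any(addr, INTERNAL) or addr in OWN_PUBLIC:
            return "accept", "locally owned source leaving"
        return "drop", "spoofed: unowned source leaving the network"
    return "drop", f"unknown interface {interface!r}"


# Constructed packets as (interface seen on, claimed source address).
SAMPLE_PACKETS = [
    ("wan", "198.51.100.7"),    # ordinary remote client
    ("wan", "10.0.0.5"),        # internal address claimed from outside
    ("wan", "203.0.113.9"),     # our own public address claimed from outside
    ("wan", "127.0.0.1"),       # loopback can never be a remote peer
    ("lan", "192.168.1.20"),    # normal outbound traffic
    ("lan", "198.51.100.7"),    # forged source leaving our network
]


def audit(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet and return (interface, src, verdict, reason)."""
    return [(iface, src, *filter_decision(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict, reason in audit():
        print(f"{iface:<4} {src:<15} {verdict:<6} {reason}")
```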



8-Software Attacks

• Pharming (browser bar): An attack on a browser’s address bar that redirects users to an
illegitimate site for the purpose of obtaining private information. Pharming attacks often use
trojans, worms, or other virus technologies to attack an Internet browser’s address bar so that the
valid URL the user types is modified to be that of an illegitimate site.
• Man-in-the-middle: A group of attacks whereby a person intercepts a communications stream and
inserts himself in the conversation to convince each of the legitimate parties that he is the other
communications partner. Some man-in-the-middle attacks involve encryption functions. The
attacker can monitor the network packets, modify them, and insert them back into the network.



Figure 2-18 Denial-of-service attack

In a denial-of-service attack, a hacker compromises a system and uses that system to attack the
target computer, flooding it with more requests for services than the target can handle.
In a distributed denial-of-service attack, dozens or even hundreds of computers (known as zombies
or bots) are compromised, loaded with DoS attack software, and then remotely activated by the
hacker to conduct a coordinated attack.
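As an added example (not from the textbook), a defender-side check for the two flood patterns described in Figure 2-18: constructed web-server access-log lines are grouped into 10-second buckets, a bucket whose request total exceeds a threshold is flagged as a flood, and the spread of source addresses tells a single-source DoS from a many-source DDoS. The addresses, thresholds and traffic volumes are constructed assumptions.

```python
# Added example (not from the textbook): detecting the request flood described
# above on the defender's side. Constructed access-log lines are grouped into
# 10-second buckets; a bucket whose total exceeds FLOOD_TOTAL is a flood, and
# the spread of sources tells a single-source DoS from a many-source DDoS.
# All addresses, thresholds and traffic volumes are constructed assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PER_SOURCE_LIMIT = 20   # requests per source per bucket before it counts as an offender
FLOOD_TOTAL = 100       # requests per bucket that count as a flood


def parse_line(line: str):
    """Log format (constructed): '<ISO timestamp> <source IP> <request line>'."""
    ts, src, request = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, request


def bucket_key(ts: datetime) -> datetime:
    """Start of the 10-second bucket that contains `ts`."""
    return ts.replace(second=(ts.second // 10) * 10, microsecond=0)


def analyse(lines, per_source_limit=PER_SOURCE_LIMIT, flood_total=FLOOD_TOTAL):
    """Return [(bucket_start_iso, total_requests, label)] for every bucket seen."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, src, _ = parse_line(line)
        buckets[bucket_key(ts)][src] += 1
    report = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        offenders = sorted(s for s, n in counts.items() if n > per_source_limit)
        if total < flood_total:
            label = "normal"
        elif len(offenders) == 1 and counts[offenders[0]] >= 0.8 * total:
            # One address carries the flood: the single-system DoS of Figure 2-18.
            label = f"dos from {offenders[0]}"
        else:
            # Volume is spread across many addresses, each under the per-source
            # limit: the bot/zombie pattern of a distributed attack.
            label = f"ddos from {len(counts)} sources"
        report.append((start.isoformat(), total, label))
    return report


def make_sample_log():
    """Constructed traffic: 10 s normal use, 10 s one-source flood, 10 s many-source flood."""
    base = datetime(2020, 7, 20, 10, 0, 0)
    lines = []
    for s in range(30):
        stamp = (base + timedelta(seconds=s)).isoformat()
        for i in range(4):                      # four legitimate clients, 1 req/s each
            lines.append(f"{stamp} 198.51.100.{i + 1} GET /index.html")
        if 10 <= s < 20:                        # one host sends 30 req/s
            lines.extend(f"{stamp} 203.0.113.10 GET /login" for _ in range(30))
        if 20 <= s < 30:                        # fifty bots send 1 req/s each
            lines.extend(f"{stamp} 192.0.2.{b + 1} GET /search?q=x" for b in range(50))
    return lines


if __name__ == "__main__":
    for start, total, label in analyse(make_sample_log()):
        print(f"{start}  {total:>4} requests  {label}")
```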



Figure 2-19 IP Spoofing attack



Figure 2-20 Man-in-the-middle attack



9-Technical Hardware Failures or Errors
• Technical hardware failures or errors occur when
– a manufacturer distributes equipment containing a known or unknown flaw.
– These defects can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability.



10-Technical Software Failures or Errors
• Large quantities of computer code are written, debugged, published, and sold
before all their bugs are detected and resolved
• Open Web Application Security Project (OWASP) was founded in 2001 as a non-
profit consortium dedicated to helping organizations create and operate software
applications they could trust. Every three years or so, OWASP publishes a list of
“Top 10 Web Application Security Risks”



The Deadly Sins in Software Security

Common failures in software development:
• Buffer overruns: An application error that occurs when more data is sent to a program buffer
than it is designed to handle.
• Failure to handle errors: Failure to handle errors can cause a variety of unexpected system
behaviors. Programmers are expected to anticipate problems and prepare their application code to
handle them (including unexpected errors).
• Failure to store and protect data securely: Access controls regulate who, what, when, where,
and how users and systems interact with data. Failure to properly implement sufficiently strong
access controls makes the data vulnerable.
• Failure to use cryptographically strong random numbers: Those who understand the workings
of such a random number generator can predict particular values at particular times.



The Deadly Sins in Software Security

Neglecting Change Control: Once the system is in production, change control processes ensure that
only authorized changes are introduced and that all changes are adequately tested before being
released

Unauthenticated key exchange: One of the biggest challenges in private key systems, which involve
two users sharing the same key, is securely getting the key to the other party.

Use of weak password-based systems: Failure to require sufficient password strength and to control
incorrect password entry is a serious security issue
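As an added example (not from the textbook), two controls for the "weak password-based systems" sin above: a check that enforces the password rule from the password-attacks slides (at least 10 characters with an uppercase letter, a lowercase letter, a number and a special character), and a login throttle that controls incorrect password entry by locking an account after repeated failures. The thresholds, the user record and the plaintext comparison in simulate() are constructed for illustration.

```python
# Added example (not from the textbook): two controls for the "weak
# password-based systems" sin. password_rule_violations() enforces the slide's
# password rule (10+ characters with an upper-case letter, a lower-case letter,
# a number and a special character); LoginThrottle controls incorrect password
# entry by locking an account after repeated failures. The thresholds, the user
# record and the plaintext comparison in simulate() are constructed for
# illustration only.
import string
from dataclasses import dataclass, field

MIN_LENGTH = 10
SPECIALS = set(string.punctuation)


def password_rule_violations(password: str) -> list:
    """Return every rule the password breaks; an empty list means it complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


@dataclass
class LoginThrottle:
    """Locks an account after `max_failures` failures inside `window` seconds."""
    max_failures: int = 5
    window: float = 15 * 60          # seconds (assumed policy value)
    lockout: float = 30 * 60         # seconds (assumed policy value)
    failures: dict = field(default_factory=dict)      # user -> [failure times]
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Note a bad attempt; return True if this one triggers a lockout."""
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
            return True
        self.failures[user] = recent
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def attempt_login(throttle, user, supplied, check_password, now):
    """Lockout is checked first, so a locked account never confirms a password."""
    if throttle.is_locked(user, now):
        return "locked"
    if check_password(user, supplied):
        throttle.record_success(user)
        return "ok"
    return "locked" if throttle.record_failure(user, now) else "denied"


def simulate():
    """Constructed scenario: five wrong guesses lock the account for 30 minutes."""
    users = {"alice": "Tr0ub4dor&3x"}   # constructed; a real store keeps salted hashes
    check = lambda user, pw: users.get(user) == pw
    throttle = LoginThrottle()
    outcomes = [attempt_login(throttle, "alice", f"guess{i}", check, float(i)) for i in range(5)]
    outcomes.append(attempt_login(throttle, "alice", users["alice"], check, 5.0))
    outcomes.append(attempt_login(throttle, "alice", users["alice"], check, 5.0 + throttle.lockout))
    return outcomes


if __name__ == "__main__":
    print(password_rule_violations("password"))
    print(simulate())
```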



11-Technological Obsolescence

• Outdated infrastructure can lead to unreliable, untrustworthy systems.
• Proper managerial planning should prevent technology obsolescence.
• IT plays a large role.
• Management must recognize that when technology becomes outdated, there is a
risk of loss of data integrity to threats and attacks.
• Ideally, proper planning by management should prevent the risks from technology
obsolescence, but when obsolescence is identified, management must take
immediate action.



12-Theft
• Illegal taking of another’s physical, electronic, or intellectual property.
• Physical theft is controlled relatively easily.
• Electronic theft is a more complex problem to manage and control.
Organizations may not even know it has occurred.
• The value of information suffers when it is copied and taken away without the
owner’s knowledge.



Summary (1 of 4)
• Information security performs four important functions:
– Protecting organization’s ability to function
– Enabling safe operation of applications implemented on organization’s IT
systems
– Protecting data an organization collects and uses
– Safeguarding the technology assets in use at the organization
• Threats or dangers facing an organization’s people, information, and systems
fall into the following categories:
– Compromises to intellectual property: Intellectual property, such as trade
secrets, copyrights, trademarks, or patents, are intangible assets that may be
attacked via software piracy or the exploitation of asset protection controls.



Summary (2 of 4)
– Deviations in quality of service: Organizations rely on services provided by others.
– Losses can come from interruptions to those services.
– Espionage or trespass: Asset losses may result when electronic and human activities breach
the confidentiality of information.
– Forces of nature: A wide range of natural events can overwhelm control systems and
preparations to cause losses to data and availability.
– Human error or failure: Losses to assets may come from intentional or accidental actions by
people inside and outside the organization.
– Information extortion: Stolen or inactivated assets may be held hostage to extract payment of
ransom.



Summary (3 of 4)

– Sabotage or vandalism: Losses may result from the deliberate sabotage of a
computer system or business, or from acts of vandalism. These acts can either
destroy an asset or damage the image of an organization.
– Software attacks: Losses may result when attackers use software to gain
unauthorized access to systems or cause disruptions in systems availability.
– Technical hardware failures or errors: Technical defects in hardware
systems can cause unexpected results, including unreliable service or lack of
availability.
– Technical software failures or errors: Software used by systems may have
purposeful or unintentional errors that result in failures, which can lead to loss
of availability or unauthorized access to information.



Summary (4 of 4)
– Technological obsolescence: Antiquated or outdated infrastructure can lead to
unreliable and untrustworthy systems that may result in loss of availability or
unauthorized access to information.
– Theft: Theft of information can result from a wide variety of attacks.

