...Principles of Information Security, 4th Edition 1 Chapter 1 1 Review Questions 1. What is the difference between a threat agent and a threat? A threat agent is the facilitator of an attack, whereas a threat is a category of objects, persons, or other entities that represents a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences and others are purposeful. Fire is a threat; however, a fire that has begun in a building is an attack. If an arsonist set the fire then the arsonist is the threat agent. If an accidental electrical short started the fire, the short is the threat agent. 2. What is the difference between vulnerability and exposure? Vulnerability is a weaknesses or fault in a system or protection mechanism that opens it to attack or damage. Exposure is a condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present. 3. How is infrastructure protection (assuring the security of utility services) related to information security? The availability of information assets is dependent on having information systems that are reliable and that remain highly available. 4. What type of security was dominant in the early years of computing? In the early years of computing when security was addressed at all, it dealt only with the physical security of the computers themselves and not the data or...
Words: 4896 - Pages: 20
...this chapter readers will learn to identify major national and international laws that relate to the practice of information security as well as come to understand the role of culture as it applies to ethics in information security. Chapter Objectives When you complete this chapter, you will be able to: Differentiate between law and ethics Identify major national and international laws that relate to the practice of information security Understand the role of culture as it applies to ethics in information security Access current information on laws, regulations, and relevant professional organizations Set-up Notes This chapter could be completed in a single class session, if there is sufficient time to cover the material. Unless the students have not had the opportunity to read the material in advance (in some settings, the textbooks are not made available until the first class meeting), it may be prudent to have a general discussion of the topic, with detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours. Lecture Notes and Teaching Tips with Quick Quizzes Introduction As a future information security professional, it is vital that you understand the scope of an organization’s legal and ethical responsibilities. To minimize the organization’s liabilities the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as...
Words: 4470 - Pages: 18
...Project Security Plan This plan was developed by David Hanuschak, Managing Director of On-point Technologies, in cooperation with other key members of the On-point Technologies staff. About On-point Technologies We are a three man great solution for your networking needs. On-point technologies are top rated with the Better Business Bureau for customer satisfaction. Objectives This security plan is our first. We will take a broad view of the security risks facing the firm and take prompt action to reduce our exposure. Everyone remembers the virus attack we had earlier this year, and we hope to avoid another disaster like that! However, I hope that by taking a wider view, we may be able to plan for threats we don’t know about yet. I realize that we are limited in time, people, and (of course) cash. Our main priority is to continue to grow a successful business. We cannot hope for Central Intelligence Agency (CIA)-like security, and it wouldn’t be good for our culture to turn On-point into Fort Knox. The project team has weighed these constraints carefully in deciding what to do and has tried to strike a balance between practicality, cost, comfort, and security measures. We are all convinced, however, that doing nothing is not an option. I am taking responsibility for leading this review and ensuring that all the action items are carried out. I am concerned about the risks we face, although having reviewed the plan, I am sure we can address them properly. This...
Words: 2146 - Pages: 9
...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Anti-Hacking: The Protection of Computers While the term Anti-Hacking may have different meanings to different people, one thing is certain. By definition, it means , "the opposite of hacking." If hacking is defined as an attack on a computer system, then Anti-Hacking is the protection of that system. The three aspects discussed in this paper: Education of the Security Adminis trator, Securing the Environment, and How to Fight Back are just one combined definition of how to protect a system. Copyright SANS Institute Author Retains Full Rights AD © SANS Institute 2003, Author retains full rights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights. Anti-Hacking: The Protection of Computers Chadd Schlotter In the Computer Security industry, there are many solutions available to help combat cyber crime. Firewalls and Intrusion Detection systems are in place across the Internet to help protect more networks than ever before. Teams at software corporations work diligently on creating patches for known vulnerabilities, yet everyday the number of computers that are compromised increases....
Words: 4983 - Pages: 20
...Home Computer Incident Response Plan Introduction This paper contains a brief Incident response for my home computers. For the purpose of this paper two departments introduced, User department and Technology services department. Virus Attack Before Attack Users * Keep anti-virus software running? * Update virus signatures at least weekly. * Attend virus awareness training. * Learn how to detect and take basic steps during a virus attack. * Perform back-ups of vulnerable data on a regular basis. * Rotate most current backup media offsite. Technology Services * Provide education and training about virus attack awareness. * Provide education about the dangers and attack profiles of the most prevalent kinds of malware attacks. * Instruct users about proper method for data backups. * Randomly test backups using restores to ensure the quality of the backup procedures, the training, and the quality of the media. * Provide offsite backup media service. * Ensure that a current Incident Response Plan is in place to deal with active attacks and post attack situations. After an Attack Users * Work with Technology services to determine the extent of data loss. * Work with Technology Services to determine the root causes. * Work with Technology Services to provide input updates to the Lessons Learned * Work with Technology Services to provide input updates to the Incident Response Plan * Work...
Words: 1390 - Pages: 6
...Introduction to Computer Security CSE 3482 Introduction to Information/Computer Security Instructor: N. Vlajic, Winter 2014 Learning Objectives Upon completion of this material, you should be able to: • Describe the key security requirements of confidentiality, integrity and availability (CIA). • Describe the CNSS security model (McCumber Cube). • Identify today’s most common threats and attacks against information. • Distinguish between different main categories of malware. Required Reading Computer Security, Stallings: Chapter 1 Computer Security, Stallings: Chapter 6 Introduction • Information Technology – technology involving development & use of computer systems & networks for the purpose of processing & distribution of data in many organizations, information/data is seen as the most valuable asset categories of IT jobs: IT administrator - installs, maintains, repairs IT equipment IT architect - draws up plans for IT systems and how they will be implemented IT engineer - develops new or upgrades existing IT equipment (software or hardware) IT manager - oversees other IT employees, has authority to buy technology and plan budgets Introduction (cont.) • Information System – entire set of data, software, hardware, networks, people, procedures and policies that deal with processing & distribution of information in an organization each component has its own strengths, weaknesses, and its own security requirements information...
Words: 1194 - Pages: 5
...STUDENT LEARNING OBJECTIVES After completing this chapter, you will be able to answer the following questions: 1. Why are information systems vulnerable to destruction, error, and abuse? What is the business value of security and control? What are the components of an organizational framework for security and control? What are the most important tools and technologies for safeguarding information resources? 2. 3. 4. ISBN 1-256-42913-9 232 Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc. C HAPTER O UTLINE Chapter-Opening Case: Boston Celtics Score Big Points Against Spyware 7.1 System Vulnerability and Abuse 7.2 Business Value of Security and Control 7.3 Establishing a Framework for Security and Control 7.4 Technologies and Tools for Protecting Information Resources 7.5 Hands-on MIS Projects Business Problem-Solving Case: Are We Ready for Cyberwarfare? BOSTON CELTICS SCORE BIG POINTS AGAINST SPYWARE While the Boston Celtics were fighting for a spot in the playoffs several years ago, another fierce battle was being waged by its information systems. Jay Wessel, the team’s vice president of technology, was trying to score points against computer spyware. Wessel and his IT staff manage about 100 laptops issued to coaches and scouts, and sales, marketing, and finance employees, and these machines were being overwhelmed by malware (malicious software). Like any sports...
Words: 21009 - Pages: 85
...depends on complex computer based system. With the increasingly use of computer and explosive growth of the Internet has brought many good things: electronic commerce, online banking, e-mail, video conferencing etc. The improvement of systems security to prevent criminal hacker has become an important concern to society. There are many ways to protect those information systems; it seems that the Ethical Hacking is a better way. Therefore, whether to teach or not teach the "Ethical Hacking" as a course in Tertiary education has become an interesting argument. In this article will analysis the ethical, legal, and ethical implications of this issue. In order to discuss the ethical, legal, and social implications of this issue, one has to understand the definition of Ethical Hacking. The Word Spy states that "Ethical hacking is a computer hacker who attempts to infiltrate a secure computer system in an effort to learn the system's weaknesses so that they can be repaired" (The Word Spy, 2003). The question arises here is whether Ethical Hacking is ethical or unethical. Ethical The "Computer Ethics" states in part that all information belongs to everyone and there should be no boundaries or restraints to prevent disclosure of this information (Johnson, 1994). From most hacker's perspective, freedom of information includes the right to source codes and the programs themselves. This freedom also includes the right to access information stored on a computer network. At times...
Words: 1017 - Pages: 5
...have specific risk mitigation strategies. My top five (5) risk exposures would be wireless access security, the principal’s laptop being left or stolen when she travels and the password being easy to guess, social engineering to gain access to not only student systems (laptops and computer science computers) but also to teacher and administrator systems, the use of Facebook, MySpace and Twitter while at school exposing daily activities and routines while at school or work in the case of the faculty, Physical security at the school protecting the servers, student data, school business information, etc. and strong password policy. 3. Given the potential risks that you identified, what IT security policies would you recommend be created by the school to help mitigate each of the identified risk exposures you listed in #2 above? First and foremost a comprehensive security policy that takes into consideration the variables and factors at the school. This includes students, teachers, physical access, layout of the school and property, security measures as defined by FERPA, HIPAA, etc. A password policy needs to be in place that stresses complexity, minimum length (recommendations) and recycling or expiring passwords. This could be accomplished with a minimum length of 8 characters, one being a capital letter, one being a number, and one being a special character. Physical security should be setup in a way that there are locked, secured doors to all...
Words: 1205 - Pages: 5
...Chapter 5 Developing Security Programs Chapter Overview Chapter 5 will explore the various organizational approaches to information security and provide an explanation of the functional components of the information security program. Readers will learn how to plan and staff an organization’s information security program based on its size and other factors as well as how to evaluate the internal and external factors that influence the activities and organization of an information security program. As the topic of organizing the information security function is expanded upon, the reader will learn how to identify and describe the typical job titles and functions performed in the information security program. The chapter concludes with an exploration of the components of a security education, training, and awareness program and describes how organizations create and manage these programs. Chapter Objectives When you complete this chapter, you will be able to: • Recognize and understand the organizational approaches to information security • List and describe the functional components of the information security program • Determine how to plan and staff an organization’s information security program based on its size • Evaluate the internal and external factors that influence the activities and organization of an information security program • List and describe the typical job titles and functions performed in the information security program •...
Words: 3969 - Pages: 16
...Order Code RL33199 Data Security Breaches: Context and Incident Summaries Updated May 7, 2007 Rita Tehan Information Research Specialist Knowledge Services Group Data Security Breaches: Context and Incident Summaries Summary Personal data security breaches are being reported with increasing regularity. Within the past few years, numerous examples of data such as Social Security, bank account, credit card, and driver’s license numbers, as well as medical and student records have been compromised. A major reason for the increased awareness of these security breaches is a California law that requires notice of security breaches to the affected individuals. This law, implemented in July 2003, was the first of its kind in the nation. State data security breach notification laws require companies and other entities that have lost data to notify affected consumers. As of January 2007, 35 states have enacted legislation requiring companies or state agencies to disclose security breaches involving personal information. Congress is considering legislation to address personal data security breaches, following a series of high-profile data security breaches at major financial services firms, data brokers (including ChoicePoint and LexisNexis), and universities. In the past three years, multiple measures have been introduced, but to date, none have been enacted. This report will be updated regularly. Contents Introduction . . . . . . . . . . . . . . . . . . . ....
Words: 18803 - Pages: 76
...Computer Security Careers Blake Eubank Harrisburg Community College 1 A. After going to http://www.giac.org I learned it is a great place to get certified in more than 20 different specialized information security areas. It targets specific skills sets rather than generalizing. They offer more disciplines and focus on the skills required to master specific jobs. (Northcutt, 2011) The Information Systems Security Association (ISSA) is a non-profit organization which provides forums, education, and publications for its security professional members. The main goal of ISSA is to promote leadership which will ensure confidentiality, integrity, and availability of information resources. Members include all levels of security professionals in a variety of different fields including government, public, and private sectors. (ISSA.org. 2011) Technology in Action doesn’t really cover computer security careers, it does reference the Information Systems Security Association web site on page 469 but no further discussion can be found in the text. (Evans, 2011) B. On the Helium web site author Chris Stubbs explains that one of the basic skills needed for any computer user is the ability to type. (Stubbs, 2009) In my opinion you don’t have to be able to type fast you just need a working knowledge of the QWERTY keyboard. Dan Morrill on it.toolbox.com references network engineering skills as the third and sixth most important information security skills needed out of the top...
Words: 554 - Pages: 3
...any field. The other two careers were required to be in Information technology. It was also required that one of the technology careers dealt with IT security. The careers I researched were Diagnostic Medical Sonographer, Database Administrator, and Ethical Hacker. The career of my own personal choice was a Diagnostic medical sonographer. I chose this career because sonography is what I would like to major in. A Database Administrator was my technology career and an Ethical Hacker was my choice for an IT security profession. I chose these two occupations because I had very little...
Words: 903 - Pages: 4
...Applying decision-making frameworks to IT related ethical issues: Computer-Based Crimes INTRODUCTION/PROBLEM STATEMENT Today’s technology has opened up a new realm of criminal activity, and new ways to exploit innocent people. Cyber-related crimes have been increasing for the past decade and include a number of different illegal activities to include: identity theft, phishing, cyber-stalking, and the use of malware. Criminal activities are of course, unethical, and cyber-crimes are no exception. It is a problem plaguing our society, and people have to be diligent to avoid being attacked and exploited. “It seems that everything relies on computers and the internet now — communication, entertainment, transportation (car engine systems, airplane navigation), shopping, and medicine (equipment, medical records). How much of your daily life relies on computers? How much of your personal information is stored either on your own computer or on someone else's system? Cyber security involves protecting that information by preventing, detecting, and responding to attacks” (US CERT, 2013). Today, we’ll look at an ethical approach (Reynolds' Seven-Step Ethical Decision-Making Approach) to develop protective measures that could help in mitigating cyber-crimes Ethically, cyber-crimes really boil down to what’s right and wrong. Deontological theories focus on the right action, doing the right thing, no matter the consequences. All humans on this planet have a deontological...
Words: 1300 - Pages: 6
...jobs in the Internet Technology field, Information Security Officer is the job for you. ISO (Information Security Officer) is also one of the most challenging and demanding career fields that IT has to offer, usually consisting of more senior IT personal. I will be discussing the necessary education, experience and day to day duties to perform this highly in demand job. The first thing I’m going to talk about is the required education, experience and qualifications necessary to become an Information Security Officer. To be a ISO you must possess at a minimum a Bachelor’s in Information Security or equivalent years of work experience, Master’s is preferred. You must also have a minimum of eight years of progressively responsible experience in information security, risk management and implementing a comprehensive disaster recovery program. You should also possess a minimum of six years supervising professionals in an IT environment. Lastly there is essential certification you must possess; Certified Information System Security Professional (CISSP) is usually at the top of required certifications. Some other certifications that are helpful are: CCNA (Cisco Certified Network Associate); CCIE (Cisco Certified Internetwork Expert); A+ certification; Network plus and Security plus. Knowledge of all of these certifications, education and experience would make you highly desirable with any company to be there Information Security Officer. Stopping the bad guys and keeping the network...
Words: 483 - Pages: 2
