Principles of Information Security

In: Computers and Technology

Submitted By spankygodwin
Words 318246
Pages 1273
Principles of Information Security
Fourth Edition

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.


Principles of Information Security
Fourth Edition

Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, CISM, CISSP

Kennesaw State University

Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States


Similar Documents

Se571 Principles of Information Security and Privacy

...Aircraft Solutions Security Weaknesses, Final Project, SE571 Principles of Information Security and Privacy, Keller Graduate School of Management. Table of Contents: Executive Summary (1); Company Overview (1); Security Vulnerabilities (1-3); Recommended Solution (4); A Software/Hardware Bundle Example Solution (4); Cost of Hardware/Software (3-6); Summary (6); References (7). Executive Summary: This paper's purpose is to point out and resolve the security vulnerabilities of Aircraft Solutions. Company Overview: My focus is on Aircraft Solutions' weaknesses; after gaining employment with AS, I have noticed some problems. Two Security Vulnerabilities: In the beginning I see that all the computers have independent antivirus software and firewalls on the servers. The diagram shows that the CD has no firewall at all and is still connected to the headquarters server behind its firewall. The CD is directly connected to the net. This could be a good entry point for an attack. IT, Finance, S&M and the DD are all at risk from this weakness at this point. This can be a direct in for......

Words: 1725 - Pages: 7

Principles of Information Security

...Classification: Laptop Security Policy. Statement of Policy: This policy describes how to use a laptop in a secure way; we do not want students and employees to bring laptops from home and come here with viruses. Laptop computers provide important functionality, allowing Abu Dhabi Women College faculty and employees to have their computing resource at hand in meetings and classes, and each student and staff member has a different username and password. Unfortunately, laptops are easily stolen, lost or broken. These procedures address the actions that must be taken in order to minimize the risk of theft of College-owned laptops. Appropriate Use: Employees and students in our college are expected to use their laptops in a very careful way. They are not allowed to bring their laptops from home because they may lose their password and may have viruses. In addition, they should not use their laptop to hack and crack, they should not download any software that they do not know about, and they should keep liquids away from the laptop. Furthermore, available antivirus software should be installed. In cases where somebody is not following these rules, he will be able to harm his laptop. Systems Management: The laptops in our college are managed by TSD. TSD is responsible for fixing problems and installing software. They have four sections: network specialist, server administrator, IT technician and AV technician. If the students and teachers have a problem......

Words: 427 - Pages: 2

Principles of Information Security

... Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process? Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Each of the three elements in the C.I.A. triangle, introduced in Chapter 1, is an essential part of every IT organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, information security and the discipline of risk management must become an integral part of the economic basis for making business decisions. These decisions are based on trade-offs between the costs of applying information systems controls and the benefits realized from the operation of secured, available systems. 2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle? Know Yourself First, you must identify, examine, and understand the information and systems currently in place within your organization. This is self-evident. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because a control is......

Words: 307 - Pages: 2

Principles of Information Security Chapter 2 Review Questions

...implementing information security to protect the ability of the organization to function. They must set policy and operate the organization in a manner that complies with the laws that govern the use of technology. Technology alone cannot solve information security issues. Management must make policy choices and enforce those policies to protect the value of the organization's data.
2. Data is important to an organization because without it an organization will lose its record of transactions and/or its ability to furnish valuable deliverables to its customers. Other assets that require protection include the ability of the organization to function, the safe operation of applications, and technology assets.
3. Both general management and IT management are responsible for implementing information security.
4. The implementation of networking technology has created more risk for businesses that use information technology because business networks are now connected to the internet and other networks external to the organization. This has made it easier for people to gain unauthorized access to the organization's networks.
5. Information extortion is when an attacker steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. One example could be someone that gains access to PII such as SSNs through a company's database and ransoms the information for money. If not paid, he could sell the information on the......

Words: 1112 - Pages: 5

Ch1 Principles of Information Security

...output.
4. Early security was entirely physical security.
5. Confidentiality: information should only be accessible to its intended recipients. Integrity: information is the same as when it was sent. Availability: information should be available to those authorized to use it.
6. The CIA triangle is still used because it addresses the major concerns with the vulnerability of information systems.
7. Availability: authorised users can access the information. Accuracy: free from errors. Authenticity: genuine. Confidentiality: preventing disclosure to unauthorized individuals. Integrity: whole and uncorrupted. Utility: has a value for some purpose. Possession: ownership.
8. Data, people, procedures, hardware, software.
9. Mainframe computer systems.
10. Rand Report R-609.
11. Bottom-up lacks a number of critical features such as participant support and organizational staying power, whereas top-down has strong upper management support.
12. A formal methodology ensures a rigorous process and avoids missing steps.
13. Security professionals are involved in the SDLC. Senior management, the security project team and data owners are leads in the project.
14. Art because there are no hard and fast rules, especially with users and policy. Science because the software is developed by computer scientists and engineers; hardware and software can be fixed given enough time.
15. CISO.
16. It was the first operating system created with security as its primary......

Words: 415 - Pages: 2

Principles of Information Security

... Principles of Information Security Fourth Edition Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Principles of Information Security Fourth Edition Michael E. Whitman, Kennesaw State University Ph.D., CISM, CISSP Herbert J. Mattord, CISM, CISSP Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed......

Words: 318245 - Pages: 1273

Principles of Information Security

...the security of utility services) related to information security? Answer Infrastructure protection is related to information in the sense that assets of an organization (infrastructure utility services that is offered to customers) are secured from intrusion, exploitation and threats. 4. What type of security was dominant in the early years of computing? Answer Early security was entirely physical security. 5. What are the three components of the C.I.A. triangle? What are they used for? Answer Confidentiality: Information should only be accessible to its intended recipients. Integrity: Information should arrive the same as it was sent. Availability: Information should be available to those authorized to use it. 6. If the C.I.A. triangle is incomplete, why is it so commonly used in security? Answer The CIA triangle is still used because it addresses the major concerns with the vulnerability of information systems 7. Describe the critical characteristics of information. How are they used in the study of computer security? Answer Availability: Authorized users can access the information Accuracy: free from errors Authenticity: genuine Confidentiality: preventing disclosure to unauthorized individuals. Integrity: whole and uncorrupted. Utility: has a value for some purpose Possession: Ownership 8. Identify the six components of an information system. Which are most directly affected by the study of computer security?......

Words: 6364 - Pages: 26

Chapter 1-Introduction to Information Security: Principles of Information Security

...Chapter 1 - Introduction to Information Security:
1. What is the difference between a threat and a threat agent? A threat is a constant danger to an asset, whereas a threat agent is the facilitator of an attack.
2. What is the difference between vulnerability and exposure? Vulnerability is a fault within the system, such as software package flaws, unlocked doors or an unprotected system port. It leaves things open to attack or damage. Exposure is a single instance when a system is open to damage. Vulnerabilities can in turn be the cause of exposure.
3. How is infrastructure protection (assuring the security of utility services) related to information security? The organization needs to have clear parameters and set regulations when it comes to the protection of itself. Clear goals and objectives when it comes to protection will lead to better protection in regard to information security.
4. What type of security was dominant in the early years of computing? Early security was entirely physical security. Example: lock and key.
5. What are the three components of the CIA triangle and what are they used for? Confidentiality: information should only be accessible to its intended recipients. Integrity: information should arrive the same as it was sent. Availability: information should be available to those authorized to use it.
6. If the CIA triangle is incomplete, why is it so commonly used in security? The CIA triangle is still......

Words: 965 - Pages: 4

Principles of Information Security Ch. 1 Questions

...(assuring the security of utility services) related to information security?
4. What type of security was dominant in the early years of computing?
5. What are the three components of the C.I.A. triangle? What are they used for?
6. If the C.I.A. triangle is incomplete, why is it so commonly used in security?
7. Describe the critical characteristics of information. How are they used in the study of computer security?
8. Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
9. What system is the father of almost all modern multiuser systems?
10. Which paper is the foundation of all subsequent studies of computer security?
11. Why is the top-down approach to information security superior to the bottom-up approach?
12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?
13. Which members of an organization are involved in the security system development life cycle? Who leads the process?
14. How can the practice of information security be described as both an art and a science? How does security as a social science influence its practice?
15. Who is ultimately responsible for the security of information in the organization?
16. What is the relationship between the MULTICS project and the early development of computer......

Words: 326 - Pages: 2

Chapter 2 Review Questions Principles of Information Security

...1. Information security is more of a management issue because it is up to management to decide what end users should have access to and what they should not. Also, technology can only do what it is told to do, but if management sets up training to teach end users about the threats of, say, opening an unknown email, then the company is safer.
2. Without data an organization loses its record of transactions and/or its ability to deliver value to its customers. (Page 42, Principles of Information Security.)
3. Both general and IT management.
4. It has created more risk, and the reason is that it is much easier to spread viruses, worms, etc. now that they can get from system to system without having to attach to a physical disc.
5. Information extortion occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. (Page 60, Principles of Information Security.) An example would be if someone stole the latest album from a well-known artist before its release date and demanded to be paid or it would be released onto the internet.
6. Employees are one of the biggest threats for several reasons: they can accidentally allow someone access to the system by installing a back door, or it is possible for them to become angry with the company and just hand out IP to rival companies. It is also possible that they could accidentally delete valuable data from the system that has no backup.
7. Make sure......

Words: 908 - Pages: 4

Principles of Information Security Chapter 1

...Principles of Information Security, 4th Edition, Chapter 1, Review Questions
1. What is the difference between a threat agent and a threat? A threat agent is the facilitator of an attack, whereas a threat is a category of objects, persons, or other entities that represents a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences and others are purposeful. Fire is a threat; however, a fire that has begun in a building is an attack. If an arsonist set the fire then the arsonist is the threat agent. If an accidental electrical short started the fire, the short is the threat agent.
2. What is the difference between vulnerability and exposure? Vulnerability is a weakness or fault in a system or protection mechanism that opens it to attack or damage. Exposure is a condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
3. How is infrastructure protection (assuring the security of utility services) related to information security? The availability of information assets is dependent on having information systems that are reliable and that remain highly available.
4. What type of security was dominant in the early years of computing? In the early years of computing, when security was addressed at all, it dealt only with the physical security of the computers themselves and not the data......

Words: 4896 - Pages: 20

Se 571 Principles of Information Security

...571 PRINCIPLES OF INFORMATION SECURITY. To purchase this, visit the following link: http://www.activitymode.com/product/se-571-principles-of-information-security/ Contact us at: SUPPORT@ACTIVITYMODE.COM
SE 571 Principles of Information Security and Privacy, Final Exam
1. (TCO A) You are responsible for developing a security evaluation process that can be used to assess various operating systems both during and after development. List the five most desirable qualities your evaluation process should have and explain why they are important. (Be sure to address qualities of the evaluation process, not specific metrics for assessment of operating systems.) (Points: 40)
2. (TCO B) The Open Systems Interconnection model is inherently inefficient. On the source host, each layer must take the work of higher layers, add some result, and pass the work to lower layers. On the destination host, each layer must process these results from lower layers and pass the appropriate information to upper layers. Surely this wrapping and unwrapping process is inefficient. Assess the security advantage of this layered approach. (Points: 40)
3. (TCO C) Why is a firewall usually a good place to terminate a Virtual Private Network (VPN) connection from a remote user? Why not terminate the VPN connection at the actual servers being accessed? Under what circumstances would VPN termination at the server be a good idea? (Points: 40)
SE 571 PRINCIPLES OF......

Words: 1141 - Pages: 5

Principles of Information-Systems Security

...As an Information Security Engineer for a large multinational corporation that has just suffered multiple security breaches, which have threatened customers' trust that their confidential data and financial assets such as credit-card information are protected, one must implement security measures that will protect the network through a vulnerable wireless connection within the organization, while also providing a security plan that will protect against weak access-control policies within the organization. The first step in protecting credit-card information against a vulnerable wireless connection within the organization would be to protect your wireless broadband from cyber-attacks, which does not involve any costly measures. One must always remember to lock down the wireless network. By default the password for your panel is often a standard one set up by the manufacturer (for example 'admin'). It is very important that you change this as soon as possible, because it would mean that many hackers already have the password for it. When picking a strong password, use a case-sensitive combination of letters and numbers, six characters or more. Also remember to make it something unique and not the same as something else like your Facebook or Twitter password. Next to consider is the fact that most routers come with a WEP or WPA key built in for good measure, and each router has a different code, so there is no need to stress when it comes to this aspect.......

Words: 902 - Pages: 4

Principle of Information Security

...types of packets? A TCP packet sends information and reports back to the sender on progress to assure that information has been sent and received. UDP, on the other hand, is designed more for speed after establishing a connection and is used to strive for the fastest data retrieval rate possible, but for this type of packet it is less important that it reports back. I don't believe there will be specific transactions that involve both types of packets. TCP is better for assuring that data is being received completely, but UDP focuses on assuring data is retrieved as quickly as possible.
3. How is an application layer firewall different from a packet-filtering firewall? Why is an application layer firewall sometimes called a proxy server? A packet-filtering firewall only allows "a particular packet with a particular source, destination, and port address to enter". An application layer firewall is sometimes called a proxy server because it "runs special software that acts as a proxy for a service request". It deals more with outgoing connections and making connections within the DMZ zone of an organization.
4. How is static filtering different from dynamic filtering of packets? Which is perceived to offer improved security? Static filtering works with rules that are already designated or "developed and installed with the firewall", and only a person can change it.
5. What is stateful inspection? How is state information maintained during a network......

Words: 415 - Pages: 2
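The difference between static filtering and stateful inspection that the excerpt above asks about, shown as an added example (not code from the paper or from the textbook). Everything in it is constructed for the demonstration: the 10.0.0.0/24 internal network, the "outbound HTTPS only" policy, and the packets themselves; no real traffic is handled. The point it makes is that a static rule set has to keep a standing inbound hole open for server replies, while a stateful filter admits only the replies to connections it has already seen leave.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for the example: the protected internal network.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
# Outbound services the (hypothetical) policy permits: HTTPS only.
ALLOWED_SERVICES = {443}


@dataclass(frozen=True)
class Packet:
    """Just the header fields a filter looks at (TCP assumed)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN flag: new connection attempt
    ack: bool = False   # ACK flag: part of an established exchange

    def outbound(self) -> bool:
        return (ipaddress.ip_address(self.src) in INTERNAL
                and ipaddress.ip_address(self.dst) not in INTERNAL)

    def inbound(self) -> bool:
        return (ipaddress.ip_address(self.dst) in INTERNAL
                and ipaddress.ip_address(self.src) not in INTERNAL)


def static_filter(pkt: Packet) -> bool:
    """Static (stateless) filtering: every packet is judged on its own header.

    With no memory of connections, the only way to let server replies back in
    is a standing rule "anything from a service port to an ephemeral port".
    That rule cannot tell a genuine reply from an unsolicited probe that
    merely uses source port 443.
    """
    if pkt.outbound() and pkt.dport in ALLOWED_SERVICES:
        return True
    if pkt.inbound() and pkt.sport in ALLOWED_SERVICES and pkt.dport > 1023:
        return True
    return False


class StatefulFilter:
    """Stateful inspection: remember outbound connections, admit only their replies."""

    def __init__(self) -> None:
        # Connection table keyed by the outbound 4-tuple (src, sport, dst, dport).
        self.table = set()

    def check(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.outbound() and pkt.dport in ALLOWED_SERVICES:
            if pkt.syn and not pkt.ack:          # new connection: record it
                self.table.add(key)
                return True
            return key in self.table             # later segments of a known flow
        if pkt.inbound():
            # A reply passes only if it reverses a tuple we saw go out.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


def run_scenario() -> dict:
    """Constructed packets: a client SYN, the server's SYN/ACK reply, an
    unsolicited probe from another host using source port 443, and an
    outbound SSH attempt that the policy does not allow."""
    client_syn = Packet("10.0.0.5", 50000, "203.0.113.10", 443, syn=True)
    server_synack = Packet("203.0.113.10", 443, "10.0.0.5", 50000, syn=True, ack=True)
    probe = Packet("198.51.100.7", 443, "10.0.0.5", 50001, syn=True)
    ssh_out = Packet("10.0.0.5", 50002, "203.0.113.10", 22, syn=True)
    packets = (client_syn, server_synack, probe, ssh_out)

    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in packets],
        "stateful": [stateful.check(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

Running it shows the static filter passing the probe (its third verdict is True) because the probe fits the "from port 443 to a high port" reply rule, while the stateful filter drops it because no matching outbound connection exists in its table. Both deny the outbound SSH attempt, since that is a policy decision rather than a state question.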

Principles of Information Security

...organization is different in the way that it communicates internally and with its vendors and customers and in the kinds of information that it sends over the Internet. Practicing strong computer security is a nonnegotiable requirement for organizations doing business today. However, building security into an existing corporate culture is a complex undertaking. Every organization has a security culture, and each is as unique as the organization itself. Security culture can be collaborative or argumentative, structured or unstructured. Security can be an integral part of a process beginning at the project-definition stage, or a separate process added on to an existing project. It can be ingrained or reactive. Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Security issues are unknowingly generated by employees using consumer electronics in their homes. As more consumer communications and devices enter the corporate enterprise, security professionals need to consider the risks for business security. Things to consider include IM, Gmail, iPhones, unsecured home networks, etc. Employees are using these devices at home and in the workplace. The first and most important strategy is to align information security with business strategy. The higher the value, the bigger the target, the greater the damage and overall......

Words: 953 - Pages: 4