
Principles of Information Security, 4th Edition

Chapter 1
Review Questions

1. What is the difference between a threat agent and a threat?


A threat agent is the specific instance or component of a threat that carries out or facilitates an attack, whereas a threat is a category of objects, persons, or other entities that represents a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences and others are purposeful. Fire is a threat; a fire that has begun in a building is an attack. If an arsonist sets the fire, the arsonist is the threat agent; if an accidental electrical short started the fire, the short is the threat agent.
2. What is the difference between vulnerability and exposure?
Vulnerability is a weakness or fault in a system or protection mechanism that opens it
to attack or damage. Exposure is a condition or state of being exposed. In information
security, exposure exists when a vulnerability known to an attacker is present.
3. How is infrastructure protection (assuring the security of utility services) related to
information security?
The availability of information assets is dependent on having information systems that
are reliable and that remain highly available.
4. What type of security was dominant in the early years of computing?
In the early years of computing when security was addressed at all, it dealt only with the
physical security of the computers themselves and not the data or connections between
the computers. This led to circumstances where most information being stored on
computers was vulnerable since information security was often left out of the design
phase of most systems.
5. What are the three components of the CIA triangle? What are they used for?
The three components of the C.I.A. triangle are:
• confidentiality (assurance that the information is shared only among authorized persons or organizations);
• integrity (assurance that the information is complete and uncorrupted); and
• availability (assurance that the information systems and the necessary data are available for use when they are needed).
These three components are frequently used to articulate the objectives of a security program; they must be pursued in harmony to ensure an information system is both secure and usable.
6. If the C.I.A. triangle is incomplete, why is it so commonly used in security?
The CIA triangle is commonly used in security because it addresses the fundamental concerns of information: confidentiality, integrity, and availability. It is still used even though it is incomplete because it captures the major concerns about the vulnerability of information systems.

7. Describe the critical characteristics of information. How are they used in the study
of computer security?
The critical characteristics of information define the value of information. Changing any one of its characteristics changes the value of the information itself. There are seven characteristics of information:
• Availability enables authorized users, either persons or computer systems, to access information without interference or obstruction, and to receive it in the required format.
• Accuracy: information is accurate when it is free from mistakes or errors and has the value the end user expects.
• Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred.
• Confidentiality is achieved when disclosure or exposure of information to unauthorized individuals or systems is prevented; it ensures that only those with the rights and privileges to access information are able to do so.
• Integrity of information is maintained when it is whole, complete, and uncorrupted.
• Utility is the quality or state of information having value for some purpose or end; information has value when it serves a particular purpose.
• Possession is the quality or state of ownership or control of some object or item. Information is in one's possession if one holds it, independent of format or other characteristics.
8. Identify the six components of an information system. Which are most directly
affected by the study of computer security? Which are most commonly associated
with its study?

The six components are software, hardware, data, people, procedures, and networks.
People would be affected most by the study of computer security. People can be the weakest link in an organization's information security program, and unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering preys on the tendency to cut corners and on the commonplace nature of human error; it can be used to manipulate people into giving up access to, or information about, a system.
Procedures, written instructions for accomplishing a specific task, are another component that is affected. An information system is secured more effectively when employees are taught both to follow and to safeguard its procedures. Following procedure reduces the likelihood of employees inadvertently introducing security weaknesses, and proper education about protecting procedures can prevent unauthorized access gained through social engineering. Hardware and software are the components historically associated with the study of computer security. However, the component that created much of the need for increased computer and information security is networking.
9. What system is the father of almost all modern multiuser systems?


MULTICS
10. Which paper is the foundation of all subsequent studies of computer security?
Rand Report R-609, sponsored by the Department of Defense.
11. Why is the top-down approach to information security superior to the bottom-up
approach?
The top-down approach, in which the project is initiated by upper-level managers who
issue policy, procedures and processes, dictate the goals and expected outcomes, and
determine accountability for each required action, has a higher probability of success.
This approach has strong upper-management support, a dedicated champion, usually
dedicated funding, a clear planning and implementation process, and the means of
influencing organizational culture. The most successful kind of top-down approach also
involves a formal development strategy referred to as a systems development life cycle.
12. Why is a methodology important in the implementation of information security?
How does a methodology improve the process?
A methodology is a formal technique that has a structured sequence of procedures that is
used to solve a problem. Methodology is important in the implementation of information
security because it ensures that development is structured in an orderly, comprehensive
fashion. The methodology unifies the process of identifying specific threats and the
creation of specific controls to counter those threats into a coherent program. Thus, a
methodology is important in the implementation of information security for two main
reasons.
• First, it spells out the rigorous steps for the organization's employees to follow, thereby avoiding unnecessary mistakes that may compromise the end goal (a comprehensive security posture). For example, a methodology guides an organization to address the root cause of an information security problem, not just its symptoms.
 Second, methodology increases the probability of success. Once a methodology
is adopted, the personnel selected will be responsible for establishing key
milestones and made accountable for achieving the project goals.
The methodology can greatly improve the process. For example, following the six phases of the SDLC (systems development life cycle), namely investigation, analysis, logical design, physical design, implementation, and maintenance and change, allows development to proceed in an orderly, comprehensive fashion. Individuals or groups assigned to the
analysis step do not have to initiate their work until the investigation step is completely
finished. Moreover, each step of the methodology may determine whether the project
should be continued, discontinued, outsourced, or postponed. For example, the physical
design step may need to be postponed or outsourced if the organization does not possess
the technology needed.
13. Which members of an organization are involved in the security system development
life cycle? Who leads the process?
Initiation and control of the SecSDLC is the responsibility of upper management. Responsible managers, contractors, and employees are then used to execute the SecSDLC. The process is usually led by a senior executive, sometimes called the champion, who promotes the project and secures financial, administrative, and company-wide backing for it; a project manager is then assigned the task of managing the project.
14. How can the practice of information security be described as both an art and a
science? How does security as a social science influence its practice?
The practice of information security is a never-ending process. An effective information security practice must be seen as a tripod resting on three aspects: science, art, and social science.
• First, information security is a science because the tools and technologies it relies on behave in a predictable, deterministic way, so their faults can be traced to specific causes. Sound information security plans and policies then dictate which particular technologies are needed.
• Second, information security is also an art because there are no clear-cut rules for how to deploy the various security mechanisms. Factors such as budget, time, threats, risks, vulnerabilities, and asset values significantly affect the number and type of passive and active controls an organization needs. The overall goal is a sound information security posture that reduces the risk of a successful attack as much as possible.
• Third, and most importantly, information security must be looked at as a social science, because social science deals with people, and information security is primarily a people issue, not a technology issue. Viewed through the lens of social science, an organization benefits greatly from a Security Education, Training, and Awareness (SETA) program, which helps employees (1) understand how to perform their jobs more securely, (2) be fully aware of the security issues within the organization, and (3) be accountable for their actions.
Therefore, information security has all three natures, with the most emphasis on the social science perspective. After all, people are the ones who make the other five components of an information system (software, hardware, data, procedures, and networks) work.
15. Who is ultimately responsible for the security of information in the organization?
The Chief Information Security Officer (CISO) is primarily responsible for the
assessment, management, and implementation of information security in the organization.
The CISO usually reports directly to the CIO, although in larger organizations it is not
uncommon for one or more layers of management to exist between the two. However, the
recommendations of the CISO to the CIO must be given equal, if not greater, priority
than other technology and information-related proposals.
16. What is the relationship between the MULTICS project and early development of
computer security?
MULTICS (Multiplexed Information and Computing Service) was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed through a partnership of GE, Bell Labs, and MIT. Much of the early research on computer security centered on this system.
17. How has computer security evolved into modern information security?
Before the creation and use of networking technologies, computer security consisted of securing the physical location of the system through badges, keys, and guards recognizing the faces of authorized personnel. With the creation of ARPANET and the growing popularity of networked systems, it was no longer adequate merely to secure a system physically. To ensure security, the information itself, as well as the hardware used to transmit and store that information, had to be protected. Information security developed from this need, and computer security eventually became just one component of it.
18. What was important about Rand Report R-609?
The movement toward security that went beyond protecting physical locations began
with the Rand Report R-609, a paper sponsored by the Department of Defense. This
report attempted to address the multiple controls and mechanisms necessary for the
protection of a multilevel computer system. In addition, the Rand Report was the first to
identify the role of management and policy issues in the expanding arena of computer
security. It noted that the wide utilization of networking components in information
systems in the military introduced security risks that could not be mitigated by the routine
practices then used to secure these systems. This paper signaled a pivotal moment in
computer security history—when the scope of computer security expanded significantly
from the safety of physical locations and hardware to include securing the data, limiting
random and unauthorized access to that data, and involving personnel from multiple
levels of the organization in matters pertaining to information security.
19. Who decides how and when data in an organization will be used and or controlled?
Who is responsible for seeing these wishes are carried out?
The three types of data ownership and their respective responsibilities are:
Data owners: Those responsible for the security and use of a particular set of information.
They are usually members of senior management and could be CIOs. The data owners
usually determine the level of data classification (discussed later) associated with the
data, as well as the changes to that classification required by organizational change. The
data owners work with subordinate managers to oversee the day-to-day administration of
the data.
Data custodians: Working directly with data owners, data custodians are responsible for
the storage, maintenance, and protection of the information. Depending on the size of the
organization, this may be a dedicated position, such as the CISO, or it may be an
additional responsibility of a systems administrator or other technology manager. The
duties of a data custodian often include overseeing data storage and backups,
implementing the specific procedures and policies laid out in the security policies and
plans, and reporting to the data owner.
Data users: End users who work with the information to perform their daily jobs
supporting the mission of the organization. Everyone in the organization is responsible
for the security of data, so data users are included here as individuals with an information
security role.
20. Who should lead a security team? Should the approach to security be more
managerial or technical?
A project manager, who may be a departmental line manager or staff unit manager, would
lead a security team. Typically, that person would understand project management,
personnel management, and information security technical requirements. The approach to
security should be more managerial than technical, although, the technical ability of the
resources actually performing the day-to-day activities is critical. The top-down approach
to security implementation is by far the best. It has strong upper management support, a
dedicated champion, dedicated funding, clear planning and the opportunity to influence
organizational culture.


Exercises
1. Look up “the paper that started the study of computer security.” Prepare a
summary of the key points. What in this paper specifically addresses security in
areas previously unexamined?
Rand Report R-609 noted that computer security had moved beyond the physical security of locking computers behind closed doors. With the rise of computer networking, multiple users of resource-sharing systems could gain access to confidential information, so new forms of security had to be implemented that could protect the safety of data, limit access, and handle personnel with different clearance levels using the same system. R-609 noted that a task force had been convened at the request of ARPA to focus on the security risks of multi-access computer systems. The paper points out that security is no longer as simple as moving the system to a secure location; new measures must be implemented to provide acceptable security.
The key points are: security control in resource-sharing systems; the increase in the number of resource-sharing systems; protection of information in multi-access, resource-sharing computer systems; and the necessity of applying security rules and regulations.
The growing need to make resources available to a larger number of users led, in the 1960s, to the implementation of resource-sharing computer systems. Sharing data among many users highlighted the need for an appropriate security system, because data in a multi-access environment could no longer be considered secure. Above all, the lack of control demonstrated by random and unauthorized access to shared data came to be seen as one of the biggest threats to the data itself. A second issue that specifically addressed security was the lack of security rules and regulations: R-609 was the first report to identify the important role of management and policy issues in computer security.
In short, R-609 covered the broader problem of protecting a computer system: the protection of information in a multi-access, resource-sharing system, and specifically the safety of data, limiting random and unauthorized access, and the involvement of personnel from multiple levels of the organization in matters pertaining to information security.
2. Assume that a security model is needed for protection of information in your class.
Using the NSTISSC model, examine each of the cells and write a brief statement on
how you would address the three components represented in that cell.
Confidentiality – Policy – Storage: An example of protecting the confidentiality of class information in storage by means of policy could be simply issuing rules that restrict access by unauthorized viewers, such as a rule to lock the file cabinets that contain the information.
Confidentiality – Policy – Processing: An example of protecting the confidentiality of class information in processing by means of policy could be simply issuing rules that restrict access by unauthorized viewers while the information is being processed, such as allowing only registered students to attend and listen to the lecture.
Confidentiality – Policy – Transmission: An example of protecting the confidentiality of class information in transmission by means of policy could be simply issuing rules that restrict access by unauthorized viewers while the information is being transmitted, such as a rule that lecture notes and grades are sent only to registered students and are not to be forwarded.
Confidentiality – Education – Storage: An example of protecting the confidentiality of class information in storage by means of education could be accomplished by training students and faculty, such as teaching them which people are authorized to access the information in storage.
Confidentiality – Education – Processing: An example of protecting the confidentiality of class information that is being processed by means of education could be accomplished by training students and faculty, such as training them to verify, before class starts, that the people present are authorized to receive the information, by checking a student ID or class schedule.
Confidentiality – Education – Transmission: An example of protecting the confidentiality of class information that is being transmitted by means of education could be accomplished by training students and faculty to close the classroom doors during lecture so that people outside cannot hear it.
Confidentiality – Technology – Storage: An example of protecting the confidentiality of
class information that is being stored by means of technology could be accomplished by
something as simple as locks on file cabinets that contain the information while not in
use.
Confidentiality – Technology – Processing: An example of protecting the confidentiality
of class information that is being processed by means of technology could be
accomplished by forcing the use of electronic IDs during classes.
Confidentiality – Technology – Transmission: An example of protecting the
confidentiality of class information that is being transmitted by means of technology
could be accomplished by having a password on a class website.
Integrity – Policy – Storage: An example of protecting the integrity of class information that is being stored by means of policy could be accomplished by simply making rules stating that only certified people may alter the information.
Integrity – Policy – Processing: An example of protecting the integrity of class information that is being processed by means of policy could be accomplished by making a rule that students study only in quiet areas, without help from people who are not in the class.
Integrity – Policy – Transmission: An example of protecting the integrity of class information that is being transmitted by means of policy could be accomplished by making a rule that the teacher is not allowed to drink alcohol before class.
Integrity – Education – Storage: An example of protecting the integrity of class
information that is being stored by means of education could be accomplished by
teaching those who store the information who is authorized to change it.
Integrity – Education – Processing: An example of protecting the integrity of class information that is being processed by means of education could be accomplished by informing the students that studying with non-students may give them incorrect information.
Integrity – Education – Transmission: An example of protecting the integrity of class information that is being transmitted by means of education could be accomplished by teaching the teachers effective ways to teach.
Integrity – Technology – Storage: An example of protecting the integrity of class
information that is being stored by means of technology could be accomplished by
electronically storing all the data on a device that forces authorization to modify it.
Integrity – Technology – Processing: An example of protecting the integrity of class
information that is being processed by means of technology could be accomplished by
making PowerPoint presentations to verify what the teacher says.
Integrity – Technology – Transmission: An example of protecting the integrity of class
information that is being transmitted by means of technology could be accomplished by
printing the PowerPoint presentations and giving a copy to each student.
Availability – Policy – Storage: An example of protecting the availability of class
information that is being stored by means of policy could be accomplished by making
policy stating that authorized students are allowed access to certain stored information.
Availability – Policy – Processing: An example of protecting the availability of class
information that is being processed by means of policy could be accomplished by making
a rule that only those authorized are allowed to enter the classroom.
Availability – Policy – Transmission: An example of protecting the availability of class
information that is being transmitted by means of policy could be accomplished by
making a rule that allows only students into the classroom and none other.
Availability – Education – Storage: An example of protecting the availability of class
information that is being stored by means of education could be accomplished by
teaching those who store the information the correct process of storage so that things
don’t get lost.
Availability – Education – Processing: An example of protecting the availability of class
information that is being processed by means of education could be accomplished by
teaching those who teach the information to speak up so that everyone in the classroom
can hear what is being taught.
Availability – Education – Transmission: An example of protecting the availability of
class information that is being transmitted by means of education could be accomplished
by teaching the students to remain quiet in the classroom so that all can hear the
information.
Availability – Technology – Storage: An example of protecting the availability of class
information that is being stored by means of technology could be accomplished by
making the information available on the Internet via a password protected website.
Availability – Technology – Processing: An example of protecting the availability of class information that is being processed by means of technology could be accomplished by the teacher making the PowerPoint files available to the students on the Internet to study.
Availability – Technology – Transmission: An example of protecting the availability of class information that is being transmitted by means of technology could be accomplished by the teacher using a microphone so that the lecture is loud enough for all students to hear.
3. Consider the information stored on your personal computer. For each of the terms
listed, find an example and document it: threat, threat agent, vulnerability,
exposure, risk, attack, and exploit.
Note: Due to a compositional error this question is based on information from Chapter 2, and as such the answers are drawn from there.
Answers will vary greatly depending on the information stored on the individual's system; an example is provided. (Note that you can also answer this question from the reverse direction, as illustrated in the second method.)
Answer method one (data based)
Data: Electronic checkbook (and associated banking information). Threat: acts of human error or failure. Threat agent: my wife/husband. Vulnerability: the data is susceptible to deletion. Exposure: I let my wife/husband use the computer on which the files reside. Risk: the likelihood of losing the financial and banking information. Attack: my wife/husband, realizing I am in class, uses my computer to surf the Web or play games, and accidentally deletes the file to make more room on the hard drive for a game or download. Exploit: trivial; my wife/husband opens Windows Explorer, sees the folder marked "Stuff", right-clicks on it, and selects Delete.
Alternate answer method:
Threat – acts of human error or failure (user mistakes), acts of espionage or trespass (hackers), deliberate software attacks (e-mail viruses and worms), technological obsolescence (my computer is OLD!)
Threat agent – wife/husband/kids, neighbor's kids, hackers, Microsoft
Vulnerability – lack of password protection on the system, insufficient protection on the Internet connection, OS vulnerabilities (Microsoft!)
Exposure – no password set on the firewall, a new OS patch deletes the system password, etc.
Risk – loss of personal and confidential information, compromise of the system as a zombie, etc.
Attack – significant other deletes files, hacker compromises the network router and the system, kids copy files to friends' computers
Exploit – scripts downloaded from hacker sites, detailed descriptions of how to set up a DDoS tested by the kids

4. Using the Web, identify the CIO, CISO and SA of an organization of your choice.
Who represents the data owner, data custodian?
Each organization will have its own specific answer set depending on the policies that
organization has in place.
5. Using the web, find out who Kevin Mitnick was. What did he do? Who caught him?
Write a short summary of his activities and why he is famous.
Kevin Mitnick was one of the most notorious computer hackers in computer history. He
began his "hacking" career by using a personal computer and a modem to gain access to a
digital central office switch of a local telephone company. He, as well as several other
members of a phone phreak gang, would make prank calls, answer operator assisted calls
and eavesdrop on conversations. This, however, didn't satisfy them for long. In 1981,
over Memorial Day weekend, Kevin and his gang talked their way past a security guard
at Pacific Bell's COSMOS center. Once inside, they stole passwords, operating manuals
and combinations to doors at other Pacific Bell offices. They also did a little "social
engineering" while inside and left fake names and phone numbers for later use. The gang
was eventually caught when a girlfriend of one of the gang members went to the police.
The gang was charged with stealing and destroying data. Kevin Mitnick was only 17 at
the time and was sentenced to three months in juvenile detention and one year probation.
In 1983, Kevin was arrested again, this time by the campus police at the University of Southern California, for using one of the school's computers to break into the Pentagon via ARPAnet. His sentence was six months in a juvenile prison. In 1987, he received three years' probation for stealing software from the Santa Cruz Operation; he was caught through his use of illegally obtained telephone credit card numbers.
In 1989, he was again arrested and charged with one count of possession of illegal long
distance access codes and one count of computer fraud. He and a friend tried to gain
access to Digital Equipment's Palo Alto research laboratory with the hope of acquiring a
copy of the VMS minicomputer operating system. He was later caught when his
accomplice became frustrated with him and turned him in to the FBI and DEC. Kevin
received jail time and was required to undergo counseling at a halfway house. In 1992, an
arrest warrant was issued on him for violating the terms of his probation. He violated
probation by associating with members of his original phone phreak gang and illegally
accessing a computer. Kevin was arrested in 1995.
Alternate Answer
Kevin Mitnick, aka Condor, is one of the most famous computer hackers in the history of
computers. This famous hacker was so prolific that it earned him a place on the FBI’s
Most Wanted List. Mitnick started out as a phone phreaker, someone who breaks into
phone switches, but later turned his attention to computer systems. Mitnick was brought
up on charges numerous times, but it was not until he went on a computer hacking spree
in 1995 that he made national attention. Mitnick was finally tracked down after two years
on the run as a fugitive. Tsutomu Shimomura played a major role in the capture of
Mitnick, after Mitnick hacked into Shimomura’s computer system. Mitnick was jailed for
5 years without a trial or bond, and is said to be the longest held prisoner without a trial.
Mitnick was later released in Sept. of 2000 but was not allowed to use any type of
electronic device as part of the terms of his probation.

Chapter 2
Review Questions

1. Why is information security a management problem? What can management do
that technology cannot?
Both general management and IT management are responsible for implementing
information security to protect the ability of the organization to function.
Decision-makers in organizations must set policy and operate their organization in a
manner that complies with the complex, shifting political legislation on the use of
technology. Management is responsible for informed policy choices and the enforcement
of decisions that affect applications and the IT infrastructures that support them.
Management can also implement an effective information security program to protect the
integrity and value of the organization’s data.
2. Why is data the most important asset an organization possesses? What other assets
in the organization require protection?
Data is important in the organization because without it an organization will lose its
record of transactions and/or its ability to deliver value to its customers. Since any
business, educational institution, or government agency that functions within the modern
social context of connected and responsive service relies on information systems to
support these services, protecting both data in motion and data at rest is critical.
Other assets that require protection include the ability of the organization to function, the
safe operation of applications, and technology assets.
3. Which management groups are responsible for implementing information security
to protect the organizations’ ability to function?
Both general management and IT management are responsible for implementing
information security that protects the organization’s ability to function. Although many
business and government managers shy away from addressing information security
because they perceive it to be a technically complex task, in fact, implementing
information security has more to do with management than with technology. Just as
managing payroll has more to do with management than with mathematical wage
computations, managing information security has more to do with policy and its
enforcement than with the technology of its implementation.
4. Has the implementation of networking technology created more or less risk for
businesses that use information technology? Why?
Networking is usually considered to have created more risk for businesses that use
information technology. This is due to the fact that potential attackers have more and
readier access to these information systems when they have been networked, especially if
they are interconnected to the Internet.
5. What is information extortion? Describe how such an attack can cause losses, using
an example not found in the text.
When an attacker is able to control access to an asset, it can be held hostage to the
attacker’s demands. For example, if an attacker is able to gain access to a set of data in a
database and then encrypt that data, they may extort money or other value from the owner
in order to share the encryption key so that the data can be used by the owner.
6. Why do employees constitute one of the greatest threats to information security?
Employees are the greatest threats since they are the closest to the organizational data and
will have access by nature of their assignments. They are the ones who use it in everyday
activities, and employee mistakes represent a very serious threat to the confidentiality,
integrity, and availability of data. Employee mistakes can easily lead to the revelation of
classified data, entry of erroneous data, accidental deletion or modification of data,
storage of data in unprotected areas, and failure to protect information.
7. What measures can individuals take to protect against shoulder surfing?
The best way for an individual to avoid shoulder surfing is to avoid, as far as possible, the
accessing of confidential information when another person is present. The individual
should limit the number of times they access confidential data, and do so only when
they are sure that nobody can observe them. One should be constantly aware of who is
around when accessing sensitive information.
8. How has the perception of the hacker changed over recent years? What is the profile
of a hacker today?
The classic perception of the hacker is frequently glamorized in fictional accounts as
someone who stealthily manipulates their way through a maze of computer networks,
systems, and data to find the information that resolves the dilemma posed in the plot and
saves the day. However, in reality, a hacker frequently spends long hours examining the
types and structures of the targeted systems because he or she has to use skill, guile, or
fraud to attempt to bypass the controls placed around information that is the property of
someone else.
The perception of a hacker has evolved over the years. The traditional hacker profile was
male, age 13-18, with limited parental supervision who spent all his free time at the
computer. The current profile of a hacker is a male or female, age 12 – 60, with varying
technical skill levels, and can be internal or external to the organization. Today there are
both expert hackers and unskilled hackers. The expert hackers create the software and
schemes to attack computer systems while the novice hackers are the ones who merely
utilize the software created by the expert hacker.
9. What is the difference between a skilled hacker and an unskilled hacker (other than
the lack of skill)? How does protection against each differ?
An expert hacker is one who develops software scripts and codes to exploit relatively
unknown vulnerabilities. The expert hacker is usually a master of several programming
languages, networking protocols, and operating systems.
An unskilled hacker is one who uses scripts and code developed by skilled hackers. They
rarely create or write their own hacks, and are often relatively unskilled in programming
languages, networking protocols, and operating systems.
Protecting against an expert hacker is much more difficult, due in part to the fact that
most of the time the expert hacker is using new, undocumented attack code. This makes it
almost impossible to guard against these attacks at first. Conversely, an unskilled hacker
generally uses hacking tools that have been made publicly available. Therefore,
protection against these hacks can be maintained by staying up-to-date on the latest
patches and being aware of hacking tools that have been published by expert hackers.
10. What are the various types of Malware? How do worms differ from viruses? Do
Trojan horses carry viruses or worms?
Common types of malware are viruses, worms, Trojan horses, logic bombs, and back
doors.
Computer viruses are segments of code that induce other programs to perform actions.
Worms are malicious programs that replicate themselves constantly without requiring
another program to provide a safe environment for replication.
Once a trusting user executes a Trojan horse program, it will unleash viruses or worms on
the local workstation and the network as a whole.
11. Why does polymorphism cause greater concern than traditional malware? How
does it affect detection?
Polymorphism causes greater concern because it makes malicious code more difficult to
detect.
The code changes over time, which means commonly used anti-virus software, which
uses preconfigured signatures for detection, will be unable to detect the newly changed
attack. This makes polymorphic threats harder to protect against.
12. What is the most common form of violation of intellectual property? How does an
organization protect against it? What agencies fight it?
The most common violations involve the unlawful use or duplication of software-based
intellectual property known as software piracy.
Some organizations have used such security measures as digital watermarks and
embedded code, copyright codes, and even the intentional placement of bad sectors on
software media. Also, most companies file patents, trademarks or copyrights which can
allow a company to legally pursue a violator. Another effort to combat piracy is the
online registration process. During installation, software users are asked or even required
to register their software to obtain technical support, or the use of all features.
There are two major organizations that investigate allegations of software abuse:
Software and Information Industry Association (SIIA) and the Business Software
Alliance (BSA).
13. What are the various types of force majeure? Which type is of greatest concern to an
organization in Las Vegas? Oklahoma City? Miami? Los Angeles?
Force majeure refers to forces of nature or acts of God that pose a risk, not only to the
lives of individuals, but also to information security. Force majeure includes fire, flood,
earthquake, lightning, landslide or mudslide, tornado or severe windstorm, hurricane or
typhoon, tsunami, electrostatic discharge (ESD), and/or dust contamination.
A major concern to an organization in Las Vegas might be dust contamination. Tornado is
a concern for Oklahoma City, OK. Miami, FL would be most concerned with hurricanes
or tsunamis. Earthquakes, mud-slides, wildfires and riots would be of concern to LA.
14. How does technology obsolescence constitute a threat to information security? How
can an organization protect against it?
Technological obsolescence is a security threat caused by management’s potential lack of
planning and failure to anticipate the technology needed for evolving business
requirements. Technological obsolescence occurs when the infrastructure becomes
outdated, which leads to unreliable and untrustworthy systems. As a result, there is a risk
of loss of data integrity from attacks.
One of the best ways to prevent this is through proper planning by management. Once
discovered, outdated technologies must be replaced. Information Technology personnel
must help management identify probable obsolescence so that any necessary replacement
(or upgrade) of technologies can be done in a timely fashion.
15. Does the intellectual property owned by an organization usually have value? If so,
how can attackers threaten that value?
Yes, the IP of an organization may be its highest value asset. Attackers can threaten its
value by reducing or removing its availability to the owner, or by stealing and then selling
copies of the asset, thus causing a loss in its economic value.
16. What are the types of password attacks? What can a systems administrator do to
protect against them?
The types of password attacks include: Password Crack, Brute Force, and Dictionary:
Password crack: Attempting to reverse calculate the password is called “cracking.”
Cracking is used when a copy of the Security Account Manager data file can be obtained.
A possible password is taken from the SAM file and run through the hashing algorithm in
an attempt to guess the password.
Brute Force: The application of computing and network resources to try every possible
combination of options for a password.
Dictionary: A form of brute force for guessing passwords. The dictionary attack selects
specific accounts and uses a list of commonly used passwords with which to guess.
To protect against password attacks, security administrators can:
Implement controls that limit the number of attempts allowed.
Use a “disallow” list of passwords from a similar dictionary.
Require use of additional numbers and special characters in passwords.
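The three controls listed above can be shown in working code. The following is an added example, not from the textbook or its answer key: a password policy check backed by a constructed disallow list, a digit/special-character requirement, and a per-account attempt limiter that locks the account after repeated failures. The function names (is_disallowed, password_acceptable, record_attempt, attempts_processed), the lockout threshold of three failures, the minimum length of ten characters and the disallow list entries are all assumptions chosen for illustration.

```c
/* Added example (not from the textbook): the three password-attack controls
 * named in the answer, as small functions. Names, thresholds and the sample
 * disallow list are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_FAILED_ATTEMPTS 3   /* assumed: lock the account after this many failures */
#define MIN_PASSWORD_LENGTH 10  /* assumed: minimum acceptable length */

/* Constructed disallow list: the kind of entries a dictionary attack tries first. */
static const char *const DISALLOWED[] = {
    "password", "123456", "qwerty", "letmein", "welcome1", "admin123"
};

/* Case-insensitive comparison so "Password" is rejected along with "password". */
static int equals_ignore_case(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if the candidate password appears on the disallow list, else 0. */
int is_disallowed(const char *pw)
{
    size_t n = sizeof DISALLOWED / sizeof DISALLOWED[0];
    for (size_t i = 0; i < n; i++)
        if (equals_ignore_case(pw, DISALLOWED[i]))
            return 1;
    return 0;
}

/* Returns 1 if the password meets the policy: minimum length, not on the
 * disallow list, and at least one digit and one special character. */
int password_acceptable(const char *pw)
{
    int has_digit = 0, has_special = 0;
    if (strlen(pw) < MIN_PASSWORD_LENGTH || is_disallowed(pw))
        return 0;
    for (const char *p = pw; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isdigit(c))
            has_digit = 1;
        else if (!isalnum(c) && !isspace(c))
            has_special = 1;
    }
    return has_digit && has_special;
}

/* Per-account state used to limit the number of attempts. */
struct account {
    int failed_attempts;
    int locked;
};

/* Records one login attempt. Returns 1 if the attempt was processed, or 0 if
 * the account is already locked and the attempt was refused outright. */
int record_attempt(struct account *acct, int success)
{
    if (acct->locked)
        return 0;
    if (success) {
        acct->failed_attempts = 0;
        return 1;
    }
    if (++acct->failed_attempts >= MAX_FAILED_ATTEMPTS)
        acct->locked = 1;
    return 1;
}

/* Simulates `guesses` wrong passwords against a fresh account and returns how
 * many were actually processed before the lockout took effect. */
int attempts_processed(int guesses)
{
    struct account acct = {0, 0};
    int processed = 0;
    for (int i = 0; i < guesses; i++)
        processed += record_attempt(&acct, 0);
    return processed;
}

int main(void)
{
    printf("\"password\" acceptable:        %d\n", password_acceptable("password"));
    printf("\"Tr0ub4dor&3xtra\" acceptable: %d\n", password_acceptable("Tr0ub4dor&3xtra"));
    printf("guesses processed out of 10:  %d\n", attempts_processed(10));
    return 0;
}
```

The attempt limiter is what blunts brute-force and dictionary attacks against the live login, while the disallow list and character requirements are what make an offline crack of a stolen hash file slower, since the most common guesses are never valid passwords in the first place.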
17. What is the difference between a denial-of-service attack and a distributed
denial-of-service attack? Which is potentially more dangerous and devastating? Why?
A denial-of-service attack occurs when an attacker sends a large number of connection or
information requests to a target. A distributed denial-of-service attack occurs when a
coordinated stream of requests is launched against a target from many locations at the
same time.
A distributed denial-of-service attack is potentially more dangerous and devastating. In
most DDoS attacks, numerous machines are first compromised and used as “zombies” to
carry out the denial-of-service attack against a single target. DDoS attacks are most
difficult to defend against, and there are currently no controls any single organization can
apply.
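The distinction in the answer above, many sources versus one, is exactly what a defender looks at when deciding whether a flood can be filtered at a single address. The following is an added example, not from the textbook: it classifies a one-second burst of request records as normal, single-source, or distributed. The record format, the source addresses (taken from the 198.51.100.0/24 documentation range), the assumed capacity of 50 requests per second, the threshold of ten distinct sources and the function names (request_count, distinct_sources, classify, classify_burst) are all constructed for illustration.

```c
/* Added example (not from the textbook): classifying a burst of requests as a
 * single-source flood (DoS) or a distributed one (DDoS). The records,
 * addresses and thresholds are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_REQUESTS 512
#define MAX_SOURCES 64
#define RATE_THRESHOLD 50           /* assumed: requests/second the target can absorb */
#define DISTRIBUTED_MIN_SOURCES 10  /* assumed: this many sources or more => distributed */

struct request {
    int second;       /* arrival time in whole seconds */
    const char *src;  /* source address */
};

enum flood_kind { NORMAL = 0, SINGLE_SOURCE = 1, DISTRIBUTED = 2 };

/* Constructed sample addresses from the RFC 5737 documentation range. */
static const char *const ADDRS[16] = {
    "198.51.100.1",  "198.51.100.2",  "198.51.100.3",  "198.51.100.4",
    "198.51.100.5",  "198.51.100.6",  "198.51.100.7",  "198.51.100.8",
    "198.51.100.9",  "198.51.100.10", "198.51.100.11", "198.51.100.12",
    "198.51.100.13", "198.51.100.14", "198.51.100.15", "198.51.100.16"
};

/* Number of requests that arrived within seconds [from, to]. */
int request_count(const struct request *r, int n, int from, int to)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        if (r[i].second >= from && r[i].second <= to)
            c++;
    return c;
}

/* Number of distinct source addresses within seconds [from, to]. */
int distinct_sources(const struct request *r, int n, int from, int to)
{
    const char *seen[MAX_SOURCES];
    int count = 0;
    for (int i = 0; i < n; i++) {
        if (r[i].second < from || r[i].second > to)
            continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(seen[j], r[i].src) == 0) { dup = 1; break; }
        if (!dup && count < MAX_SOURCES)
            seen[count++] = r[i].src;
    }
    return count;
}

/* A flood is any window whose rate exceeds what the target can absorb. The
 * single-source/distributed split decides the response: one address can be
 * filtered upstream, a spread of many addresses cannot. */
int classify(const struct request *r, int n, int from, int to)
{
    int seconds = to - from + 1;
    if (request_count(r, n, from, to) <= RATE_THRESHOLD * seconds)
        return NORMAL;
    return distinct_sources(r, n, from, to) >= DISTRIBUTED_MIN_SOURCES
           ? DISTRIBUTED : SINGLE_SOURCE;
}

/* Builds a constructed one-second burst of `n` requests spread evenly over
 * `sources` of the sample addresses and classifies it. */
int classify_burst(int n, int sources)
{
    struct request recs[MAX_REQUESTS];
    if (n > MAX_REQUESTS) n = MAX_REQUESTS;
    if (sources < 1) sources = 1;
    if (sources > 16) sources = 16;
    for (int i = 0; i < n; i++) {
        recs[i].second = 0;
        recs[i].src = ADDRS[i % sources];
    }
    return classify(recs, n, 0, 0);
}

int main(void)
{
    printf("30 requests from 16 hosts:  %d (normal)\n", classify_burst(30, 16));
    printf("200 requests from 1 host:   %d (single-source)\n", classify_burst(200, 1));
    printf("200 requests from 16 hosts: %d (distributed)\n", classify_burst(200, 16));
    return 0;
}
```

The distributed case is the one the answer calls hardest to defend: no address stands out, so blocking any one source does nothing to the overall rate, which is why mitigation has to happen upstream of the target rather than at it.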
18. For a sniffer attack to succeed, what must the attacker do? How can an attacker
gain access to a network to use the sniffer system?
The attacker must first gain access to a network to install the sniffer.
Social engineering offers the best way for an attacker to gain access to a network to
install a physical sniffer device. By convincing an unwitting employee to instruct the
attacker as to the whereabouts of the networking equipment, the installation of the sniffer
can be accomplished.
19. What method does a social engineering hacker use to gain information about a
user’s login and password? How would this method differ if it were targeted
towards an administrator’s assistant versus a data-entry clerk?
Social engineering is the process of using social skills to obtain access credentials or
other valuable information. This can be done through role-playing, where the attacker
represents himself or herself as someone of authority requesting information. It may also
be accomplished by installing bogus software on user machines that will gather access
information, or by using deception to act on the conscience of users.
Tactics change based on the target. A data-entry clerk could likely be swayed just by
mentioning the name of the CEO and describing his anger at not getting the requested
information promptly. Conversely, someone higher up the chain of command, who
perhaps even works directly with those in power, would require more convincing proof.
This could be anything from a few additional details regarding a particular project or
something as precise as an authorization password or document.
20. What is a buffer overflow and how is it used against a web server?
A buffer overflow occurs when more data is sent to a buffer than it can handle. It can be
caused over a network when there is a mismatch in the processing rates between the two
entities involved in the communication process.
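The condition in the answer above, more data than the buffer can hold, comes down to one missing comparison in the code that receives the data. The following is an added example, not from the textbook: a bounded copy into a fixed-size request buffer that refuses any payload that would not fit, shown beside the unchecked copy that causes the overflow. The buffer size of 64 bytes, the function names (would_overflow, store_request, store_unchecked, try_payload) and the sample payloads are assumptions constructed for illustration.

```c
/* Added example (not from the textbook): the bounds check that prevents a
 * buffer overflow when request data is copied into a fixed-size buffer.
 * Buffer size, function names and sample payloads are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 64  /* assumed: fixed-size buffer for one request line */

/* The classic mistake: the copy is driven by the SENDER's length, never by
 * the buffer's capacity, so any len >= capacity writes past the end of dst.
 * Kept here only for comparison; it is never called. */
void store_unchecked(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);   /* no comparison against the capacity of dst */
    dst[len] = '\0';
}

/* Returns 1 if a payload of `len` bytes plus its terminator would exceed a
 * buffer of `cap` bytes, which is exactly the condition the answer describes. */
int would_overflow(size_t len, size_t cap)
{
    return len + 1 > cap;
}

/* Bounded copy: refuses any payload that does not fit, leaving the buffer
 * untouched so the caller can reject the request. Returns the number of
 * bytes stored, or -1 when the payload was rejected. */
int store_request(char *dst, size_t cap, const char *src, size_t len)
{
    if (cap == 0 || would_overflow(len, cap))
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed request line of `len` repeated 'A' bytes offered to a
 * REQ_BUF_SIZE buffer. Returns store_request's result. */
int try_payload(size_t len)
{
    char payload[256];
    char buf[REQ_BUF_SIZE];
    if (len >= sizeof payload)
        len = sizeof payload - 1;
    memset(payload, 'A', len);
    payload[len] = '\0';
    return store_request(buf, sizeof buf, payload, len);
}

int main(void)
{
    printf("20-byte payload:  %d\n", try_payload(20));
    printf("63-byte payload:  %d\n", try_payload(63));
    printf("64-byte payload:  %d\n", try_payload(64));
    printf("200-byte payload: %d\n", try_payload(200));
    return 0;
}
```

The off-by-one at 64 bytes is the case worth noticing: a 64-byte buffer holds 63 bytes of data plus the terminating NUL, so the check must count the terminator, which is why would_overflow compares len + 1 rather than len against the capacity.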

Why do employees constitute one of the greatest threats to information security?
Employees constitute one of the greatest threats to information security because
employee mistakes can lead to the revelation of classified data, entry of erroneous data,
accidental deletion or modification of data, the storage of data in unprotected areas, or
they could fail to follow procedures to protect data.
Exercises
1. Consider the statement: an individual threat, like a hacker, can be represented in
more than one threat category. If a hacker hacks into a network, copies a few files,
defaces the Web page, and steals credit card numbers, how many different threat
categories does this attack cover?
Deliberate acts are the main threat category for this type of attack because the
hacker is deliberately trying to cause harm. Different sub-categories that this
attack could fall under are deliberate acts of espionage or trespass, deliberate acts
of sabotage or vandalism, and deliberate acts of theft.
Compromises to intellectual property – copying of files, defacing the web page,
and stealing credit card numbers.
Technical failures. For instance, if part of the organization's software has an
unknown trap door then this type of hacker attack could occur.
Management failure. This hacker attack could happen if management were to
have a lack of sufficient planning and foresight to anticipate the technology needed
for evolving business requirements.

2. Using the web, determine what was the extent of Mafiaboy's exploits. How many
sites did he compromise and how? How was he caught?
Mafiaboy's exploits consisted of a series of DDoS (Distributed Denial of Service) attacks
on 11 corporate networks. The attacks caused, according to investigators, approximately
1.7 billion dollars in loss for these companies but there is dispute regarding the accuracy
of that figure. The attacks caused some of these companies' websites and networks to be
difficult to reach. In some cases, they crashed completely, remaining offline from mere
hours to as long as several days. Since the attacks were so large, it prompted the
authorities to investigate. Authorities found that someone by the name of Mafiaboy was
bragging about the attacks on websites, message boards and even on his own site. In
addition to this, the authorities were able to associate an IP address to the attacks, which
in turn linked to the ISP, and then, with the ISP's help, they linked the IP address to an
account whose phone numbers linked to Mafiaboy's father's number.
Alternate Answer
One example of a novice using pre-coded exploits was that of Mafiaboy, a teen that
launched distributed denial-of-service attacks against several high profile websites.
MafiaBoy’s denial-of-service attacks brought down many of the Internet's largest sites.
The tools used for these attacks are widely available on the Internet and require little
computer knowledge to use, being simple enough for use by script kiddies. Mafiaboy
simply ran a computer script that clogged networks full of garbage data. He was deemed
an unskilled attacker because of a number of indicators, primarily that he failed to take
basic steps to cover his tracks, such as erasing logs. A series of computer taps led to
Mafiaboy’s arrest.
Nonetheless, his skill deficit did not stop him from successfully shutting down a number
of prominent websites. MafiaBoy gained illegal access to 75 computers in 52 different
networks and planted a DoS tool on them which he then activated and used to attack 11
Internet sites by sending up to 10,700 phony information requests in 10 seconds.
Amazon.com, Yahoo!, Buy.com, CNN.com as well as more than 1,200 other sites CNN
hosts worldwide, Dell.com and eBay are among the sites Mafiaboy was able to cripple.
The cost to these companies is estimated to be in the millions, perhaps even billions, of
dollars. For example, for a company whose only storefront is web-based, this type of
attack can be a disaster, as it is estimated that thousands of dollars of revenue is lost per
hour of non-operation. Because Amazon.com’s website was inaccessible for more than a
day, it is estimated they lost several million dollars. Buy.com and Yahoo! offered more
concrete numbers; each company lost a million dollars every four hours that their
networks were inaccessible.
References:
1. “DoS Attacks Cripple Yahoo, CNN, Amazon and Buy.com” Irish News. February 9,
2001. http://www.iol.ie/~kooltek/dosattacks.html
2. “One year after DoS attacks, vulnerabilities remain.” February 8, 2001.
http://www.cnn.com/2001/TECH/internet/02/08/ddos.anniversary.idg/index.html#2
3. Search the Web for “The Official Phreaker’s Manual”. What information contained
in this manual can help a security administrator to protect a communications
system?
Phone phreaking is the act of using mischievous and mostly illegal methods in order to
avoid having to pay for some sort of telecommunications invoice, order, transfer, or other
service. It often involves usage of highly illegal boxes and machines in order to defeat the
security that is set up to avoid this sort of tactic. This security includes “blocking
networks.” A blocking network is a network that, under certain conditions, may be unable
to form a transmission path from one end of the network to the other. In general, all
networks used within the Bell Systems are of the blocking type.
A security administrator could benefit from studying "The Official Phreaker's Manual" as
it could allow them to better protect their communications system. From the system
administrator's point of view, this information would prove useful due to the fact that it
provides many common ways of finding loop-holes and alternate ways around different
communications system security measures. Equipped with this information, a system
administrator would be aware of and could utilize different approaches in implementing a
more extensive security program.
4. The chapter discussed many threats and vulnerabilities to information security.
Using the Web, find at least two other sources of information on threats and
vulnerabilities. Begin with www.securityfocus.com, using a keyword search on
“threats.”
http://csrc.ncsl.nist.gov/ - This site has details about new security standards that should be
adopted by organizations and the reasons for the security standards, ranging from cryptology
to network security.
http://icat.nist.gov/icat.cfm - This site is a searchable index of information on computer
vulnerabilities.
http://security1.gartner.com/section.php.id.19.s.1.jsp - This site has a number of articles
with information security concerns from various industry experts on a wide variety of issues,
especially in the corporate world.
http://www.cerias.purdue.edu/
http://www.cert.org/stats
http://www.fedcirc.gov/ - Information on reported threats.
http://www.gocsi.com/
http://www.idc.com/
http://www.infomaticsonline.co.uk/
http://www.iss.net/security_center/
http://www.microsoft.com/security/ - Microsoft’s listing of important announcements for
security and privacy.
http://www.riptech.com/
http://www.securityfocus.com/ - Securityfocus.com lists threats, vulnerabilities, and
advisories.
http://www.siliconvalley.com/
http://www.symantec.com/avcenter/ - This site has information on the latest viruses and
security advisories.
http://www.theregister.co.uk/content/55/index.html - The Register’s listing of the latest
threats.
http://www.theregus.com/ - This site has news about the technology industry, including
breaches of security of various companies’ information systems.
http://www.washtimes.com/
http://zdreviews.search.com/
https://www.security-survey.gov.uk/
5. Using the categories of threats mentioned here, as well as the various attacks
described, review several newspapers and locate examples of each.
Potential acts of human error or failure - http://www.nwfusion.com/columnists/2001/00379820.html
Compromises to intellectual property - http://www.wired.com/news/politics/0,1283,54681,00.html
Deliberate acts of espionage or trespass - http://www.washtimes.com/upi-breaking/24052002-081209-7018r.htm
Deliberate acts of information extortion - http://www.newsfactor.com/perl/story/17940.html
Deliberate acts of sabotage or vandalism - http://www.computertimes.com/jun01security.htm#defense
Deliberate acts of theft - http://www.wired.com/news/mac/0,2125,50025,00.html
Deliberate software attacks - http://www.scmagazine.com/scmagazine/sc-online/2002/article/33/article.html
Forces of nature - http://www.signonsandiego.com/news/computing/personaltech/20020812-9999_mz1b12summer.html
Potential deviations in quality of service from service providers - http://zdnet.com.com/2100-1105-837412.html
and http://cma.zdnet.com/texis/techinfobase/techinfobase/+Dwq_qoKX88XK9s/zdisplay.html
Technical hardware failure - http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20266572-1,00.htm
Technical software failure - http://www.wired.com/news/technology/0,1282,15459,00.html
Technological obsolescence - http://www.wired.com/news/topstories/0,1287,10124,00.html
Virus Attack:
VBS.Melhack.B is an intended mass mailing virus that is written in Visual Basic. It copies
itself as OsamaLaden.vbs into two locations.
(http://securityresponse.symantec.com/avcenter/venc/data/vbs.melhack.b.html)
Worm Attack:
W32.Efno.Worm is a worm that attempts to spread using the popular KaZaA file-sharing
program. The worm is written in Visual Basic, and therefore it requires Visual Basic
runtime libraries (Msvbvm60.dll) to run. When this worm runs, it changes several KaZaA
registry keys. This causes the worm to be accessible to other users on the KaZaA network.
The worm spreads using the file name "Win XP SP1 cracker.exe." However, it is possible to
change the file name to other names that may appeal to people.
http://securityresponse.symantec.com/avcenter/venc/data/w32.efno.worm.html
Trojan Horse:
Trojan.IrcBounce is the detection for a collection of programs that a hacker can use to
conceal intrusion and obtain administrator-level access to Microsoft Windows environments.
These programs can be used to attack Windows environments that have the default
installation, in which the Administrator account has no password, or that use user names
and passwords that are very common. After it is installed into a victim's system, it gives a
remote attacker unobstructed access to the compromised computer.
Back Door:
Backdoor.FunFactory allows unauthorized access to an infected computer. It also allows
voice communication from the intruder to the user of the compromised computer.

Chapter 3
Review Questions

1. What is the difference between law and ethics?
Laws are rules that mandate or prohibit certain behavior in society; they are drawn from
ethics, which define socially acceptable behaviors. The key difference between laws and
ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics in
turn are based on cultural mores: the fixed moral attitudes or customs of a particular
group.
2. What is civil law and what does it accomplish?
Civil law represents a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizational entities and people.
3. What are the primary examples of public law?
Criminal, administrative, and constitutional law.
4. Which law amended the Computer Fraud and Abuse Act of 1986, and what
did it change?
The National Information Infrastructure Protection Act of 1996 amended the Computer
Fraud and Abuse Act of 1986. It modified several sections of the CFA Act and increased
the penalties for selected crimes.
5. Which law was specifically created to deal with encryption policy in the U.S.?
The Security and Freedom Through Encryption Act of 1999 clarifies use of encryption
for people in the US, and permits all persons in the U.S. to buy or sell any encryption
product.
6. What is privacy in an information security context?
Privacy is not absolute freedom from observation, but rather it is a more precise “state of
being free from unsanctioned intrusion.”
7. What is another name for the Kennedy-Kassebaum Act (1996) and why is it
important to organizations that are not in the health-care industry?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the
confidentiality and security of health-care data by establishing and enforcing standards
and by standardizing electronic data interchange. It impacts all health-care organizations
including doctors' practices, health clinics, life insurers, and universities, as well as some
organizations which have self-insured employee health programs or manage data related
to health-care.
Beyond the basic privacy guidelines, the act requires organizations that retain health-care
information to use information security mechanisms to protect this information, as well
as policies and procedures to maintain this security. It also requires a comprehensive
assessment of the organization’s information security systems, policies, and procedures.
HIPAA provides guidelines for the use of electronic signatures based on security
standards that ensure message integrity, user authentication, and nonrepudiation. There is
no specification of particular security technologies for each of the security requirements,
only that security must be implemented to ensure the privacy of health-care information.
The privacy standards of HIPAA severely restrict the dissemination and distribution of
private health information without documented consent. The standards provide patients
with the right to know who has access to their information and who has accessed it. The
standards also restrict the use of health information to the minimum necessary for the
health-care services required.
8. If you work for a financial service organization such as a bank or credit union,
which law from 1999 affects your use of customer data? What impact does it have?
The law from 1999 that affects the use of customer data by financial institutions is the
Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999. Specifically,
this act requires all financial institutions to disclose their privacy policies on the sharing
of nonpublic personal information. It also requires due notice to customers, so that they
can request that their information not be shared with third parties. In addition, the act
ensures that the privacy policies in effect in an organization are both fully disclosed when
a customer initiates a business relationship, and distributed at least annually for the
duration of the professional association.
9. What is the primary purpose of the USA PATRIOT Act?
The USA PATRIOT Act of 2001 modified a wide range of existing laws to provide law
enforcement agencies with broader latitude in order to combat terrorism-related activities.
The laws modified by the PATRIOT Act include some of the earliest laws created to deal
with electronic technology.


10. Which 1997 law provides guidance on the use of encryption?
Security and Freedom through Encryption Act of 1997 which affirms the rights of
persons in the United States to use and sell products that include encryption and to relax
export controls on such products.
11. What is intellectual property (IP)? Is it afforded the same protection in
every country of the world? What laws currently protect it in the
United States and Europe?
Intellectual property is recognized as a protected asset in the United States. The U.S.
copyright laws extend this privilege to the published word, including electronic formats.
Fair use of copyrighted materials includes their use to support news reporting, teaching,
scholarship, and a number of other related activities, so long as the use is for educational
or library purposes, not for profit, and is not excessive. As long as proper
acknowledgement is provided to the original author of such works, including a proper
description of the location of source materials (citation), and the work is not represented
as one’s own, it is entirely permissible to include portions of someone else’s work as
reference.

U.S. Copyright law governs the protection of IP in the US.


The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS),
created by the World Trade Organization (WTO), and negotiated over the years 1986-94,
introduced intellectual property rules into the multilateral trade system.

The Digital Millennium Copyright Act (DMCA) is the American contribution to an
international effort by the World Intellectual Property Organization (WIPO) to reduce
the impact of copyright, trademark, and privacy infringement, especially when
accomplished via the removal of technological copyright protection measures. This
American law was created in response to the 1995 adoption of Directive 95/46/EC by the
European Union, which added protection for individuals with regard to the processing of
personal data and the use and movement of such data. The United Kingdom has also
already implemented a version of this law called the Database Right, in order to comply
with Directive 95/46/EC.
12. How will the Sarbanes-Oxley Act of 2002 affect information security managers?
Executives working in firms covered by this law will seek assurance on the reliability and
quality of information systems from senior information technology managers. In turn, IT
managers will likely ask information security managers to verify the confidentiality and
integrity of those same information systems in a process known in the industry as sub-
certification.
13. What is due care? Why would an organization want to make sure it exercises due
care in its usual course of operations?


An organization increases its liability if it refuses to take measures known as due care.
Due care has been taken when an organization makes sure that every employee knows
what is acceptable or unacceptable behavior, and knows the consequences of illegal or
unethical actions. The more active a role an organization takes in observing the due care
concept, the less likely it will be liable for its employees’ illegal and/or unethical actions.
14. How does due diligence differ from due care? Why are both important?
Due diligence requires that an organization make a valid effort to protect others and
continually maintain this level of effort. Due care has been taken when an organization
makes sure that every employee knows what is acceptable or unacceptable behavior, and
knows the consequences of illegal or unethical actions. They are both important because
an organization that does not practice both due diligence and due care increases its chance
of being found liable should an incident occur.
15. What is a policy? How does it differ from a law?
A policy is a formalized body of expectations that describe acceptable and unacceptable
employee behaviors in the workplace. The difference between a policy and a law is that
ignorance of a policy is an acceptable defense.
16. What are the three general categories of unethical and illegal behavior?
Software license infringement, illicit use, and misuse of corporate resources.
17. What is the best method for preventing an illegal or unethical activity?
Deterrence is the best method for preventing an illegal or unethical activity. In order for
deterrence to be effective, those affected by the deterrence must a) fear the penalty, b)
have an expectation of detection/apprehension and c) expect that if apprehended, the
penalty will be applied.
18. Of the information security organizations listed that have codes of ethics, which has
been established for the longest time? When was it founded?

The Association of Computing Machinery (ACM) was established in 1947 as “the
world’s first educational and scientific computing society.”
19. Of the organizations listed that have a code of ethics, which is focused on auditing
and control?
The Information Systems Audit and Control Association (ISACA).

20. What can be done to deter someone from committing a crime?
Three elements are usually considered necessary to control behavior:
• Fear of penalty—Potential offenders must fear the penalty. Threats of informal
reprimand or verbal warnings may not have the same impact as the threat of
imprisonment or forfeiture of pay.
• Probability of being caught—Potential offenders must believe there is a strong
possibility of being caught. Penalties will not deter illegal or unethical behavior
unless there is reasonable fear of being caught.
• Probability of penalty being administered—Potential offenders must believe that
the penalty will in fact be administered.


Exercises
1. What does CISSP stand for? Use the Internet to identify the ethical rules CISSP holders
have agreed to follow.
CISSP is an acronym for Certified Information Systems Security Professional.
The code can be found at https://www.isc2.org/ethics/ (as of October 2010).
2. For what kind of information security jobs does the NSA recruit? Use the Internet
to visit their Web page and find out.
Computer Science / Electrical Engineering:
• Information Assurance Research with these skills:
  o Secure Network Technology
    ■ Biometrics
    ■ Intrusion Detection
    ■ Wireless Security
    ■ High Speed Networking Security
  o Secure Systems Research
  o Secure Network Technology
  o Cryptology Research
• Information Assurance Directorate with these skills:
  ■ Network Security
  ■ Vulnerability Analysis
  ■ Public Key Infrastructure (PKI)
  ■ Security Testing/Red Teaming
  ■ Firewalls/Router Security
  ■ Security Software Design/Development (object oriented programming – C++/Java)
  ■ Security Hardware Design/Development
  ■ Customer Support
  ■ Defense Information Operations (DIO)
  ■ Special Processing Laboratory (SPL) {now part of IAD}
  ■ Microelectronics Research Laboratory (MRL) {now part of IAD}
• Networking with these skills:
  ■ Packet Based
  ■ Internet/Intranets
  ■ Protocol Development
  ■ Optical Network Management
  ■ Advanced Research
Alternate Answer
The NSA’s ongoing mission involves monitoring, gathering, and decoding foreign
communication signals from around the world, as well as information assurance.
To meet this goal, they actively recruit individuals with computer and engineering
backgrounds as well as those with foreign language capabilities. From their
website, some of the current job titles include: Inspector General Auditor/IT
Specialist; Mathematician; Computer Scientist; Cryptanalyst; Electronic and
Computer Engineer; Signals Analyst; Signals Intelligence (SIGINT) Systems
Engineering Architect; and Linguist.
3. Using the resources available in your library, find out what laws your state has
passed to prosecute computer crime.
(Note that each state will have different answers. Answers from the State of
Georgia are given as a representative.)
The Georgia Computer Systems Protection Act was enacted by the 1991 Georgia
General Assembly and signed into law by the Governor effective July 1, 1991. It
repealed and replaced an act having the same name enacted by the 1981 Georgia
General Assembly and signed into law by the Governor effective July 1, 1981.
This act establishes certain acts involving computer fraud or abuse as crimes
punishable by defined fines or imprisonment or both. A modification to this Act
was passed by the 1996 session of the Georgia General Assembly.
The following specific computer crimes are defined by state law (Georgia Code
16-9-90 et seq.).
Computer theft -- including theft of computer services, intellectual property such
as copyrighted material, and any other property.
Computer trespass -- unauthorized use of computers to delete or alter data or
interfere with others' usage.
Computer invasion of privacy -- unauthorized access to financial or personal data
or the like.
Computer forgery -- forgery as defined by other laws, but committed on a
computer rather than on paper.
Computer password disclosure -- unauthorized disclosure of a password resulting
in damages exceeding $500. In practice, this includes any disclosure that requires
a system security audit afterward.


Maximum penalties are a $5,000 fine and 1 year of imprisonment for password
disclosure, and a $50,000 fine and 15 years of imprisonment for the other
computer crimes, plus civil liability. This code is contained in House senate
bill number 822. Code 16-9-91 contains the Georgia General Assembly's findings
that previous laws made it difficult to prosecute computer crimes. Code 16-9-92
gives definitions of computer, computer network, computer operation, computer
program, data, financial instruments, property, services, use, victim
expenditure, and without authority. Code 16-9-93 goes into detail about computer
theft, computer trespass, computer invasion of privacy, computer forgery,
computer password disclosure, article of exclusion, civil relief damages, and
criminal penalties. Code 16-9-94 sums up codes 16-9-90 through 16-9-93.
4. Using a Web browser go to www.eff.org. What are the current top concerns of this
organization?
• Expanded Surveillance with Reduced Checks and Balances.
• Be careful what you put in that Google search.
• Nationwide roving wiretaps.
• ISPs hand over more user information.
• New definitions of terrorism expand scope of surveillance.
• Over breadth with a lack of focus on terrorism.
• Government spying on suspected computer trespassers with no need for court
order. Sec. 217.
• Adding samples to DNA database for those convicted of "any crime of
violence."
• Wiretaps now allowed for suspected violations of the Computer Fraud and
Abuse Act.
• Dramatic increases to the scope and penalties of the Computer Fraud and
Abuse Act.
• Allows Americans to be More Easily Spied Upon by US Foreign Intelligence
Agencies.
• General Expansion of FISA Authority.
• Increased information sharing between domestic law enforcement and
intelligence.
• FISA detour around federal domestic surveillance limitations; domestic detour
around FISA limitations.

Alternate Answer
Spearheading a movement to repeal the Children’s Internet Protection Act of 2000
(CIPA). According to the EFF, the software being used is not effective at blocking out
pornography and is blocking thousands of sites that should not be blocked, therefore
hurting students’ ability to learn.
Leading a coalition of civil liberties groups urging a secret appeals court to reject the
Justice Department's bid for broadly expanded powers to spy on U.S. citizens. “At issue
in the case -- which has focused a spotlight on the ultra-secret Foreign Intelligence
Surveillance Court -- is whether the Constitution and the USA PATRIOT ACT adopted by
Congress after the Sept. 11 terrorist attacks permit the government to use looser foreign
intelligence standards to conduct criminal investigations in the United States.”
http://www.eff.org/Privacy/Surveillance/20020919_eff_pr.html
5. Using the ethical scenarios presented in the chapter, finish each of the incomplete
statements, and bring your answers to class to compare them with those of your
peers.
(Since this is discussion-based, no answers have been provided)

Chapter 4
Review Questions

1. What is risk management? Why is identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
Risk management is the process of identifying vulnerabilities in an organization’s
information systems and taking carefully reasoned steps to ensure the confidentiality,
integrity, and availability of all the components in the organization’s information system.
To protect assets, which are defined here as information and the systems that use, store,
and transmit information, you must understand what they are, how they add value to the
organization, and to which vulnerabilities they are susceptible. Once you know what you
have, you can identify what you are already doing to protect it. Just because you have a
control in place to protect an asset does not necessarily mean that the asset is protected.
Frequently, organizations implement control mechanisms, but then neglect the necessary
periodic review, revision, and maintenance. The policies, education and training
programs, and technologies that protect information must be carefully maintained and
administered to ensure that they are still effective.
2. According to Sun Tzu, what two key understandings must you achieve to be
successful?
An observation made by Chinese General Sun Tzu Wu stated, “If you know the enemy
and know yourself, you need not fear the result of a hundred battles. If you know yourself
but not the enemy, for every victory gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb in every battle.” In short, know yourself
and know the enemy.
3. Who is responsible for risk management in an organization? Which community of
interest usually takes the lead in information security risk management?
In an organization, it is the responsibility of each community of interest to manage the
risks that organization encounters. Each community of interest has a role to play. Since
the members of the information security community best understand the threats and
attacks that introduce risk into the organization, they often take a leadership role in
addressing risk.
4. In risk management strategies, why must periodic review be a part of the process?
Frequently, organizations implement control mechanisms, but then neglect the necessary
periodic review, revision, and maintenance. The policies, education and training
programs, and technologies that protect information must be carefully maintained and
administered to ensure that they are still effective.
5. Why do networking components need more examination from an information
security perspective than from a systems development perspective?


Since networking subsystems are often the focal point of attacks against the system, they
should be considered as special cases rather than combined with general hardware and
software components.
Additionally, some networking components require examination from an information
security perspective due to the fact that they must be reconfigured from their default
settings to both serve their required purpose and maintain security requirements. From
the systems development perspective, the networking component may function perfectly,
as is, right out of the box. However, without information security oversight, potential
vulnerabilities could go unnoticed.
6. What value does an automated asset inventory system have for the risk
identification process?
Automated tools can sometimes identify the system elements that make up hardware,
software, and network components. The inventory listing is usually available in a
database, or can be exported to a database for custom information on security assets.
Once stored, the inventory listing must be kept current, often by means of a tool that
periodically refreshes the data.
When you move to the later steps of risk management, which involve calculations of loss
and projections of costs, the case for the use of automated risk management tools for
tracking information assets becomes stronger.
7. What information attribute is often of great value for networking equipment when
DHCP is not used?
The IP address is a useful attribute for networking equipment. Note that many
organizations use the dynamic host control protocol (DHCP) within TCP/IP that reassigns
IP numbers to devices as needed, making the use of IP numbers as part of the asset
identification process problematic. As a result, IP address use in inventory is usually
limited to those devices that use static IP addresses.
8. Which is more important to the systems components classification scheme, that the
list be comprehensive or mutually exclusive?
It is more important that the list be comprehensive than mutually exclusive. It would be
far better to have a component assessed in an incorrect category rather than to have it go
completely unrecognized during a risk assessment.
9. What’s the difference between an asset’s ability to generate revenue and its ability to
generate profit?
Revenue is the recognition of income from an activity supported by the system. Profit is
the amount of revenue that exceeds operating costs. Some systems may cost more to
operate than they contribute to revenue.
10. What are vulnerabilities and how do you identify them?
Vulnerabilities are specific avenues that threat agents can exploit to attack an information
asset. They are chinks in the armor of the information asset—a flaw or weakness in an
information asset, security procedure, design, or control that could be exploited
accidentally or on purpose to breach security.


Analyzing all components of an Information System and evaluating the risk to each
component should identify any vulnerabilities.
11. What is competitive disadvantage? Why has it emerged as a factor?
A competitive disadvantage occurs when a company falls behind the competition in its
ability to maintain the highly responsive services required in today’s marketplaces.
This is a factor because almost all organizations have an IT system in this day and time.
Therefore, organizations need to obtain or improve their IT systems to avoid falling
behind all others.
12. What are the strategies for controlling risk as described in this chapter?
• Defend - The defend control strategy attempts to prevent the exploitation of the
vulnerability.
• Transfer - The transfer control strategy attempts to shift risk to other assets, other
processes, or other organizations.
• Mitigate - The mitigate control strategy attempts to reduce the impact caused by the
exploitation of vulnerability through planning and preparation.
• Accept - The accept control strategy is the choice to do nothing to protect a
vulnerability and to accept the outcome of its exploitation.
• Terminate - The terminate control strategy directs the organization to avoid those
business activities that introduce uncontrollable risks.
13. Describe the “defend” strategy. List and describe the three common methods.
The defend control strategy attempts to prevent the exploitation of the vulnerability. This
is the preferred approach, and is accomplished by means of countering threats, removing
vulnerabilities from assets, limiting access to assets, and adding protective safeguards.
There are three common methods used to defend:
• Application of policy
• Education and training
• Application of technology

14. Describe the “transfer” strategy. Describe how outsourcing can be used for this
purpose.
The transfer strategy is the control approach that attempts to shift risk to other assets,
other processes, or other organizations. This may be accomplished by rethinking how
services are offered, revising deployment models, outsourcing to other organizations,
purchasing insurance, or implementing service contracts with providers.
Outsourcing allows an organization to transfer the risk associated with the management
of complex systems to another organization that has experience in dealing with those
risks. One of the benefits of outsourcing is that the service provider is responsible for
disaster recovery when recovery efforts are needed.

15. Describe the “mitigate” strategy. What three planning approaches are discussed in
the text as opportunities to mitigate risk?


The mitigate strategy is the control approach that attempts to reduce the impact caused by
the exploitation of vulnerability through planning and preparation. Mitigation begins with
the early detection that an attack is in progress and the ability of the organization to
respond quickly, efficiently, and effectively.
This approach requires the creation of three types of plans: the incident response plan, the
disaster recovery plan, and the business continuity plan. Each of these plans depends on
the ability to detect and respond to an attack as quickly as possible and relies on the
existence and quality of the other plans.
Incident Response Plan (IRP) – Defines the actions an organization can and perhaps
should take while an incident is in progress. The IR plan focuses on intelligence
gathering, information analysis, coordinated decision making, and urgent, concrete
actions.
Disaster recovery plan (DRP) - Includes the entire spectrum of activities used to prepare
for and recover from an incident. The DR plan focuses more on preparations completed
before and actions taken after the incident.
Business Continuity Plan (BCP) – Encompasses the continuation of business activities
if a catastrophic event occurs. The BC plan includes planning the steps necessary to
ensure the continuation of the organization when the scope or scale of a disaster exceeds
the ability of the DR plan to restore operations.
16. How is an incident response plan different from a disaster recovery plan?
The DR plan focuses more on preparations completed before and actions taken for
disasters – often escalated incidents; to reestablish operations at the primary site. The IR
plan focuses on Incident Response: intelligence gathering, information analysis,
coordinated decision making, and urgent, concrete actions taken while an incident is
occurring.
17. What is risk appetite? Explain why risk appetite varies from organization to
organization?
Risk appetite defines the quantity and nature of risk that organizations are willing to
accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Risk appetite varies from organization to organization because different organizations
maintain different balances between the expense of controlling vulnerabilities and the
losses possible if these vulnerabilities were exploited. The key for each organization is to
find the balance in its decision-making processes and in its feasibility analyses, therefore
assuring that an organization’s risk appetite is based on experience and facts and not on
ignorance or wishful thinking.
18. What is a Cost Benefit Analysis?
Cost benefit analysis is the formal decision-making process used by an organization to
evaluate whether or not the benefit gained from a given project is worth the expense its
undertaking incurs.
19. What is the definition of single loss expectancy? What is annual loss expectancy?


A single loss expectancy is the value associated with the most likely loss from an attack.
It is a calculation based on the value of the asset and the expected percentage of loss that
would occur from a single occurrence of a particular attack.
Annual loss expectancy is the expected loss from exploitation of a vulnerability for a
specific information asset over the course of a year. It is calculated by multiplying the
single loss expectancy for a particular information asset by the annualized rate of
occurrence.
20. What is residual risk?
Even when vulnerabilities have been controlled as much as possible, there is often still
some risk that has not been completely removed, shifted, or planned for. This remainder
is called residual risk.


Exercises
1. If an organization has three information assets to evaluate for risk management as
shown in the accompanying data, which vulnerability should be evaluated for
additional controls first? Which one should be evaluated last?
An evaluation of the provided asset vulnerabilities results in:
Asset A:
This is a switch that has two vulnerabilities. The first involves a hardware failure
likelihood of 0.2 and the second involves a buffer attack likelihood of 0.1. The
switch has an impact rating of 90. Assumptions made on this asset have a 75%
certainty.
Asset B:
This is a web server that deals with e-commerce transactions. It has one
vulnerability with a likelihood of 0.1. However it has an impact rating of 100.
Assumptions made on this asset have an 80% certainty.
Asset C:
This is a control console with no password protection with a likelihood of attack
of 0.1. It has no controls and an impact rating of 5. Assumptions made on this
asset have a 90% certainty.
Based on the above information, the vulnerability that should be evaluated first is the web
server risk of attack of asset B. This device has an impact rating of 100 and 80%
certainty of the stated assumptions. The device obviously plays an important part in the
business and any down time would result in a loss of customers, which translates directly
into a financial loss. Additionally, when compared to the other two assets, this is the
only one that has direct contact with customers and a high visibility profile.
The last risk that should be investigated for additional controls would be the attack of the
control console of Asset C. Even though there are no controls currently in place on this
asset, it only has an impact rating of 5 and is mostly operated by what should be trusted
employees.
2. Using the data classification scheme presented in this chapter, identify and classify the
information contained in your personal computer or personal digital assistant. Based on
your potential for misuse or embarrassment, what information would be Confidential,
Sensitive but Unclassified, Public Release? (the answer here is representative)
Confidential Sensitive but Unclassified Public Release
Microsoft Money Favorites
Outlook PST Files My Documents
Word Documents Digital Photos
Application Files
Alternate Answer

Information stored          Confidential   Sensitive / Unclassified   For Public Release
Personal Identification X
Calendar X
IP/MAC Address X
Personal Documents X
School Papers X
Personal Schedule X
Email Messages X
Contacts X
Web Favorites X
Income Tax Worksheets X
Music Files X
Picture Files X

Alternate Answer
Confidential – Client Bank and Credit card statements, Tax information
Sensitive but Unclassified- Client contact information (addresses, phone numbers, etc.)
Public- General company documents

3. Suppose XYZ Software Company has a new application development project, with
projected revenues of $1,200,000. Using the following table, calculate ARO and ALE
for each threat category that XYZ Software Company faces for this project.


XYZ Software Company, major threat categories   Cost per   Frequency of     SLE       ARO    ALE
for new applications development                Incident   Occurrence
Programmer mistakes                             $5,000     1 per week       5,000     52.0   $260,000
Loss of intellectual property                   $75,000    1 per year       75,000    1.0    $75,000
Software piracy                                 $500       1 per week       500       52.0   $26,000
Theft of information (hacker)                   $2,500     1 per quarter    2,500     4.0    $10,000
Theft of information (employee)                 $5,000     1 per 6 months   5,000     2.0    $10,000
Web defacement                                  $500       1 per month      500       12.0   $6,000
Theft of equipment                              $5,000     1 per year       5,000     1.0    $5,000
Virus, worms, Trojan horses                     $1,500     1 per week       1,500     52.0   $78,000
Denial-of-service attacks                       $2,500     1 per quarter    2,500     4.0    $10,000
Earthquake                                      $250,000   1 per 20 years   250,000   0.1    $12,500
Flood                                           $250,000   1 per 10 years   250,000   0.1    $25,000
Fire                                            $500,000   1 per 10 years   500,000   0.1    $50,000

4. How might XYZ Software Company arrive at the values in the above table? For
each entry, describe the process of determining the cost per incident and frequency
of occurrence.
• It is most likely that the XYZ Software Company employed an economic feasibility
study or cost-benefit analysis to arrive at the values in their cost/incident table.
• For each of the entries in the chart, the cost per incident and the frequency of
occurrence could have been reached through several varied methods. Businesses
often use benchmarking, best practices, and baselining to determine the values of cost
per incident and frequency of occurrence. These techniques take into account internal
investigation and asset valuation, along with information that has been gathered by
other sources in the industry, such as the frequency of virus, worm, or Trojan attacks. All
of these methods combined could provide the numbers for the costs and frequency in
the chart listed.


5. Assume a year has passed and XYZ has improved security by applying a number of
controls. Using the information from Exercise 3 and the following table, calculate
the post-control ARO and ALE for each threat category listed.

Threat category                   SLE       ARO    ALE      CBA
Programmer mistakes               5,000     100%   60,000   180,000
Loss of intellectual property     75,000    50%    37,500   22,500
Software piracy                   500       100%   6,000    -10,000
Theft of information (hacker)     2,500     100%   5,000    -10,000
Theft of information (employee)   5,000     100%   5,000    -10,000
Web defacement                    500       100%   2,000    -14,000
Theft of equipment                5,000     50%    2,500    -12,500
Virus, worms, Trojan horses       1,500     100%   18,000   45,000
Denial-of-service attacks         2,500     100%   5,000    -12,500
Earthquake                        250,000   5%     12,500   -5,000
Flood                             50,000    10%    5,000    10,000
Fire                              100,000   10%    10,000   30,000
Some of the values have changed because controls were implemented and had a positive
impact on the protection of the organization's assets, thus reducing the frequency of
occurrence. However, the controls did not reduce the cost of an incident, because the
value of an asset remains the same and it costs the organization the same amount of time
and money to replace. The controls put into place are worth the costs listed.
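The arithmetic behind the two tables above (ARO and ALE in Exercise 3, post-control CBA in Exercise 5), as an added Python example that is not part of the solutions manual or the textbook. It uses the standard definitions ALE = SLE × ARO and CBA = (ALE before controls − ALE after controls) − ACS, where ACS is the annual cost of the safeguard. The `parse_aro` helper, the periods-per-year lookup and the `implied_acs` audit function are constructed for this example; the threat rows are transcribed from the page's tables. Because the page reports CBA but never lists ACS, the example recovers the ACS each CBA figure implies rather than assuming one.

```python
"""Annualized risk arithmetic behind Exercises 3 and 5 (added example).

SLE = single loss expectancy, the cost of one incident
ARO = annualized rate of occurrence, incidents per year
ALE = SLE * ARO
CBA = (ALE before controls - ALE after controls) - ACS,
      where ACS is the annual cost of the safeguard
"""
import re

# Periods per year for the units the exercise table uses (constructed lookup).
PERIODS_PER_YEAR = {"day": 365.0, "week": 52.0, "month": 12.0,
                    "quarter": 4.0, "year": 1.0}

# Matches phrases such as "1 per week", "1 per 6 months", "1 per 20 years", "3 per quarter".
FREQ_RE = re.compile(
    r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(day|week|month|quarter|year)s?\s*$",
    re.IGNORECASE)


def parse_aro(frequency: str) -> float:
    """Convert a frequency phrase into an annualized rate of occurrence."""
    m = FREQ_RE.match(frequency)
    if not m:
        raise ValueError(f"unrecognised frequency phrase: {frequency!r}")
    count = int(m.group(1))
    span = int(m.group(2) or 1)          # "1 per 20 years" -> span 20
    unit = m.group(3).lower()
    return count * PERIODS_PER_YEAR[unit] / span


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: what the threat is expected to cost per year."""
    return sle * aro


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost-benefit of a control: loss avoided per year minus the control's annual cost."""
    return (ale_prior - ale_post) - acs


def implied_acs(ale_prior: float, ale_post: float, cba_value: float) -> float:
    """Solve the CBA formula for ACS, to audit a table that reports CBA but not ACS."""
    return (ale_prior - ale_post) - cba_value


# Exercise 3 inputs (cost per incident, frequency) transcribed from the page's table.
EXERCISE_3 = {
    "Programmer mistakes": (5_000, "1 per week"),
    "Loss of intellectual property": (75_000, "1 per year"),
    "Software piracy": (500, "1 per week"),
    "Theft of information (hacker)": (2_500, "1 per quarter"),
    "Theft of information (employee)": (5_000, "1 per 6 months"),
    "Web defacement": (500, "1 per month"),
    "Theft of equipment": (5_000, "1 per year"),
    "Virus, worms, Trojan horses": (1_500, "1 per week"),
    "Denial-of-service attacks": (2_500, "1 per quarter"),
    "Earthquake": (250_000, "1 per 20 years"),
    "Flood": (250_000, "1 per 10 years"),
    "Fire": (500_000, "1 per 10 years"),
}


def annualize(threats=EXERCISE_3):
    """Return {threat: (SLE, ARO, ALE)} for every row of the input table."""
    table = {}
    for name, (sle, freq) in threats.items():
        aro = parse_aro(freq)
        table[name] = (sle, aro, ale(sle, aro))
    return table


# Exercise 5: post-control ALE and reported CBA for three rows, transcribed from the page.
EXERCISE_5 = {
    "Programmer mistakes": {"ale_post": 60_000, "cba": 180_000},
    "Loss of intellectual property": {"ale_post": 37_500, "cba": 22_500},
    "Software piracy": {"ale_post": 6_000, "cba": -10_000},
}


def audit_controls(prior=None, post=EXERCISE_5):
    """Recover the annual safeguard cost each CBA figure implies, then recompute CBA with it."""
    prior = prior or annualize()
    out = {}
    for name, row in post.items():
        ale_prior = prior[name][2]
        acs = implied_acs(ale_prior, row["ale_post"], row["cba"])
        out[name] = {"acs": acs, "cba": cba(ale_prior, row["ale_post"], acs)}
    return out


if __name__ == "__main__":
    for name, (sle, aro, yearly) in annualize().items():
        print(f"{name:32} SLE={sle:>9,.0f}  ARO={aro:>6.2f}  ALE={yearly:>10,.0f}")
    for name, row in audit_controls().items():
        print(f"{name:32} implied ACS={row['acs']:>9,.0f}  CBA={row['cba']:>9,.0f}")
```

Running the module reproduces the ALE column of Exercise 3 from the raw frequencies and shows, for instance, that the 180,000 CBA for programmer mistakes implies a 20,000 annual safeguard cost. Keeping ARO as a rate rather than a percentage avoids the ambiguity of entries such as "100%", which cannot by itself explain a 60,000 ALE on a 5,000 SLE.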


Principles of Information Security, 4th Edition


Chapter 5
Review Questions

1. How can a security framework assist in the design and implementation of a security
infrastructure? What is information security governance? Who in the organization should
plan for it?
Designing a working plan for securing the organization’s information assets begins by
creating or validating an existing security blueprint for the implementation of needed
security controls to protect the information assets. A framework is the outline from
which a more detailed blueprint evolves. The blueprint is the basis for the design,
selection, and implementation of all subsequent security policies, education and training
programs, and technologies. The blueprint provides scalable, upgradeable, and
comprehensive security for the coming years. The blueprint is used to plan the tasks to
be accomplished and the order in which to proceed.

The governance of information security is a strategic planning responsibility whose
importance has grown over recent years. Many consider good information security
practices and sound information security governance a component of U.S. homeland
security. Unfortunately, information security is all too often regarded as a technical issue
when it is, in fact, a management issue. In order to secure information assets, an
organization’s management must integrate information security practices into the fabric
of the organization, expanding corporate governance policies and controls to encompass
the objectives of the information security process.
2. Where can a security administrator go to find information on established security
frameworks?
A security administrator can look to the Information Technology – Code of Practice for
Information Security Management (ISO 17799/BS 7799), the NIST security models
including SP 800-12, 14, 18, 26, and 30, and the VISA International Security Model;
these are just a few of the established security frameworks available.
3. What is the ISO 27000 series of standards? What individual standards make up the
series?
One of the most widely referenced security models is the Information Technology – Code
of Practice for Information Security Management, which was originally published as
British Standard BS7799. In 2000, this Code of Practice was adopted as an international
standard framework for information security by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) as
ISO/IEC 17799. The document was revised in 2005 (becoming ISO 17799:2005), and it
was then renamed to ISO 27002 in 2007, to align it with the document ISO 27001.
ISO 27000 Series Standard   Status    Title or Topic
27000                       Planned   Series Overview and Terminology
27001                       2005      Information Security Management System Specification
27002                       2007      Code of Practice for Information Security Management
27003                       Planned   Information Security Management Systems Implementation Guidelines
27004                       Planned   Information Security Measurements and Metrics
27005                       Planned   ISMS Risk Management
27006                       2007      Requirements for Bodies Providing Audit and Certification of an ISMS
4. What are the inherent problems with ISO 17799, and why hasn’t the U.S. adopted
it? What are the recommended alternatives?
The problems include:
• The global information security community has not defined any justification for a
code of practice as identified in ISO/IEC 17799.
• ISO/IEC 17799 lacks “the necessary measurement precision of a technical
standard.”
• There is no reason to believe that ISO/IEC 17799 is more useful than any other
approach currently available.
• ISO/IEC 17799 is not as complete as other frameworks available.
• ISO/IEC 17799 is perceived to have been hurriedly prepared given the
tremendous impact its adoption could have on industry information security
controls.
The recommended alternative is to use the many documents available from the Computer
Security Resource Center of the National Institute of Standards and Technology. These
documents are publicly available at no charge and have been available for some time, and
therefore have been broadly reviewed by government and industry professionals.
5. What documents are available from the NIST Computer Resource Center, and how
can they support the development of a security framework?
The documents available from the NIST Computer Resource Center that can assist in the
design of a security framework are:
SP 800-12: An Introduction to Computer Security: The NIST Handbook
SP 800-14: Generally Accepted Security Principles and Practices for Securing
Information Technology Systems
SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information
Systems
SP 800-26: Security Self-Assessment Guide for Information Technology Systems
SP 800-30: Risk Management Guide for Information Technology Systems
These documents can support the development of a security framework because they
provide organizations with a basic skeleton for planning a blueprint.
6. What benefit can a private, for-profit agency derive from best practices designed for
federal agencies?
Private organizations can take advantage of best practices designed for federal agencies by
adapting many of the same methodologies and practices in their own organizations. These
best practices can help an organization piece together the desired outcome of the security
process, and therefore work backwards to an effective design.
7. What web resources can aid an organization in developing best practices as part of a
security framework?
The web offers a variety of information sources for a security framework. Of course,
many of the security framework documents are available via the web, but in addition the
government offers a web site (fasp.nist.gov) that offers security frameworks and best
practices.
Other sources include:
• the Internet Security Task Force (www.ca.com/ISTF), offering a collection of
parties interested in Internet security,
• the Computer Emergency Response Team (www.cert.org), offering a series of
modules with links and practices of security methodologies,
• the Technology Manager’s Forum (www.techforum.com),
• the Information Security Forum (www.isfsecuritystandard.com),
• the Information Systems Audit and Control Association (www.isaca.com),
• the Professional Security Consultants (www.iapsc.org), and
• the Global Grid Forum (www.gridforum.org).
8. Briefly describe a management, an operational, and a technical control, and explain
when each would be applied as part of a security framework.
Management controls cover security processes that are designed by strategic planners and
implemented by the security administration of the organization. These include setting the
direction and scope of the security processes and providing detailed instructions for their
conduct.
Operational controls deal with the operational functionality of security in the organization
including disaster recovery and incident response planning.
Technical controls address the tactical and technical issues related to designing and
implementing security in the organization, as well as issues related to examining and
selecting the technologies appropriate to protecting information.
9. What are the differences between a policy, a standard, and a practice? What are the
three types of security policies? Where would each be used? What type of policy would be
needed to guide use of the Web? E-mail? Office equipment for personal use?
A policy is a plan or course of action intended to influence and determine decisions,
actions, and other matters. Policies are organizational laws because they dictate
acceptable and unacceptable behavior within the context of the organization’s culture. A
standard, like a policy, has the same requirement for compliance, but it provides more
detail as to what must be done to comply with policy. The level of acceptance of
standards may be informal (as in de facto standards) or formal (as in de jure standards).
Finally, practices, procedures, and guidelines effectively explain how to comply with
policy.
Policies provide instructions on what technologies can and cannot be used for. Three
criteria for shaping sound policies are:
• Never conflict with law
• Stand up in court, if challenged
• Be properly administered through dissemination and documented acceptance
For these reasons, it is important for policy to be adequately detailed to ensure proper
implementation.
Policy that is not well defined can cause significant liability for the company if it finds
itself defending policy in a court of law. Unless a particular use is clearly prohibited, the
organization cannot penalize an employee for its misuse.
Policy has the ultimate responsibility for managing technology. System administrators
and users are responsible for enforcing policy.
Based on the National Institute of Standards and Technology’s (NIST) Special
Publication 800-14, there are three types of information security policies. First are
general or security program policies (SPP), which are usually drafted by the chief
information officer of the organization. The SPP is used to directly support the mission,
vision, and direction of the organization and to set the strategic direction, scope, and tone
for all security efforts within the organization. Second are issue-specific security policies
(ISSP), which are formally written to instruct employees to properly use the technologies of
the organization, such as the Internet, electronic mail, and photocopy equipment. The ISSP
requires frequent updates and must contain a statement of the organization’s position on a
specific issue. Third are system-specific security policies (SysSP). The SysSP are not
formal documents but are usually codified as standards and procedures used when
configuring or maintaining systems. The SysSP fall into two groups: access control lists
and configuration rules.
An issue-specific security policy would be needed to guide use of the Web, e-mail, and
office equipment for personal use.
10. Who is ultimately responsible for managing a technology? Who is responsible for
enforcing policy that affects the use of a technology?
Senior Management. Everyone in a supervisory position.
11. What is contingency planning? How is it different from routine management
planning? What are components of contingency planning?
Contingency planning encompasses all planning conducted by the organization to prepare
for, react to, and recover from events that threaten the security of information and
information assets in the organization, and the subsequent restoration to normal modes of
business operations.
Each part of contingency planning is different in scope, applicability, and design
compared to routine management planning.
Contingency planning is composed of three plans: the Incident Response Plan, the Disaster
Recovery Plan, and the Business Continuity Plan.
12. When is the IR Plan used?
Incident response planning (IRP) covers the identification, classification, response to,
and recovery from an incident. The IR plan should be used when an incident in progress
is first detected by an organization. IRP is more reactive than proactive, with the
exception of the planning that must occur to prepare the IR teams to be ready to react to
an incident.
13. When is the DR Plan used?
A disaster recovery plan addresses the preparation for and recovery from a disaster,
whether natural or man-made. It is used before a disaster, in preparation for the
occurrence, and after a disaster to rebuild and recover organizational functionality.
14. When is the BC Plan used? How do you determine when to use IRP, DRP, or BCP
plans?
Business Continuity Planning (BCP) will be needed if a disaster has rendered the current
location of the business unusable for continued operation. BCP outlines the
reestablishment of critical business operations during a disaster that impacts operations at
the primary site.
An Incident Response Plan is used as soon as an incident in progress has been identified.
An attack is identified as an incident if:
1. It is directed against information assets.
2. It has a realistic chance of success.
3. It could threaten the confidentiality, integrity, or availability of information
resources.
A Disaster Recovery Plan is used if an incident escalates or is disastrous. It typically
focuses on restoring systems at the original site after disasters occur.
A Business Continuity Plan is used concurrently with the Disaster Recovery Plan when
the damage is major or long term, requiring more than simple restoration of information
and information resources.
15. What are the five elements of a business impact analysis?
The five elements of a business impact analysis are:
a. Threat attack identification
b. Business unit analysis
c. Attack success scenario development
d. Potential damage assessment
e. Subordinate plan classification
16. What are Pipkin’s three categories of incident indicators?
• Possible
• Probable
• Definite
17. What is containment and why is it part of the planning process?
Containment is the process of determining what systems have been attacked and
removing their ability to attack non-compromised systems.
Containment is part of the planning process because the containment of an attack could
prevent the attack from escalating into a disaster. It is focused on stopping the incident
and recovering control of the systems.
18. What is computer forensics? When are the results of computer forensics used?
Computer forensics is the process of collecting, analyzing and preserving computer-
related evidence.
This information is used in informal proceedings dealing with internal administrative
matters, and in criminal or civil legal proceedings if the perpetrator is brought to justice.
19. What is an after-action review? When is it performed? Why is it done?
Part of the incident recovery process, the after-action review is performed by the IR team.
It is a detailed examination of the events that occurred from the first detection to final
recovery. All key players review their notes, and verify that the IR documentation is
accurate and precise. This document serves as a training case for future actions.
20. List and describe the six continuity strategies identified in the text.
Hot sites - A hot site is a fully configured computer facility, with all services,
communications links, and physical plant operations including heating and air
conditioning. Hot sites duplicate computing resources, peripherals, phone systems,
applications, and workstations. A hot site is the pinnacle of contingency planning, a
duplicate facility that needs only the latest data backups and personnel to become a fully
operational twin of the original. A hot site can be operational in a matter of minutes, and
in some cases may be built to perform a fail-over seamlessly by picking up the processing
load from a failing site. The hot site is therefore the most expensive alternative available.
Warm sites - A warm site provides many of the same services and options of the hot site.
However, it typically does not include the actual applications the company needs, or the
applications may not yet be installed and configured. A warm site frequently includes
computing equipment and peripherals with servers but not client workstations. A warm
site has many of the advantages of a hot site, but at a lower cost. The downside is that it
requires hours, if not days, to make a warm site fully functional.
Cold sites - A cold site provides only rudimentary services and facilities. No computer
hardware or peripherals are provided. All communications services must be installed after
the site is occupied. Basically a cold site is an empty room with heating, air conditioning,
and electricity. Everything else is an option. Although the obvious disadvantages may
preclude its selection, a cold site is better than nothing. The main advantage of cold sites
over hot and warm sites is the cost.
Time-shares - A time-share is a hot, warm, or cold site that is leased in conjunction with a
business partner or sister organization. The time-share allows the organization to maintain
a disaster recovery and business continuity option, but at a reduced overall cost. The
advantages are identical to the type of site selected (hot, warm, or cold). The primary
disadvantage is the possibility that more than one organization involved in the time-share
may need the facility simultaneously. Other disadvantages include the need to stock the
facility with the equipment and data from all organizations involved, the negotiations for
arranging the time-share, and associated agreements, should one or more parties decide to
cancel the agreement or to sublease its options.
Service bureaus - A service bureau is an agency that provides a service for a fee. In the
case of disaster recovery and continuity planning, the service is the agreement to provide
physical facilities in the event of a disaster. These types of agencies also frequently
provide off-site data storage for a fee. With service bureaus, contracts can be carefully
created, specifying exactly what the organization needs, without the need to reserve
dedicated facilities. A service agreement usually guarantees space when needed, even if
the service bureau has to acquire additional space in the event of a widespread disaster.
Mutual agreements - A mutual agreement is a contract between two or more organizations
that specifies how each will assist the other in the event of a disaster. It stipulates that
each organization is obligated to provide the necessary facilities, resources, and services
until the receiving organization is able to recover from the disaster. While this may seem
like a viable solution, many organizations balk at the idea of having to fund (even in the
short term) duplicate services and resources should the other agreeing parties need them.
Still, mutual agreements between divisions of the same parent company, between
subordinate and superior organizations, or between business partners may be a cost-
effective solution.


Exercises
1. Using a graphics program, design several security awareness posters on the
following themes: updating anti-virus signatures, protecting sensitive information,
watching out for e-mail viruses, prohibiting use of company equipment for personal
matters, changing and protecting passwords, avoiding social engineering, and protecting
software copyrights. What other areas can you come up with?
Additions: Upcoming security classes, addition of new security personnel, reduce
employee accidents and failure increases.

Keep Protected
E-Mail Awareness
Do you know the person sending you that attachment? You can't be too careful these
days. There are new breeds of software viruses that disguise themselves in E-Mail
documents. Better safe than sorry…..
Social Engineering
Be on your guard for calls trying to get sensitive information. They may not be who they
appear to be, this is social engineering, a way to break into systems. If anyone attempts
to solicit user id or password information………..say NO!!!
Passwords
Please regard the use of passwords as sensitive information. Follow the standards on
changing every 3 months. Be careful where you store password information.


2. Search the Web for security education and training programs in your area. Keep a
list and see which category has the most examples. See if you can determine the costs
associated with each example. Which do you feel would be more cost effective in terms of
both time and money?
Examples will vary over time.
For a security professional the education would be the most effective because the
education would give a person the background to learn security principles and then be
able to apply those in situations. Training on the other hand would be specific to the
product or topic in information security and would have a limited scope of material. This
would be beneficial to someone that administered a specific type of system but would not
give them the background needed to make plans for the information security of the
organization as a whole.
While there are courses and training programs offered in all areas, there does seem to be a
larger focus on incident response. They seem to be more expensive on average than the
security awareness training programs. The security awareness training would be the most
cost-effective measure in terms of time and money.
3. Search the Web for examples of issue-specific security policies. What types of
policies can you find? Draft a simple issue-specific policy using the format provided in the
text that outlines “Fair and Responsible Use of College Computers,” and is based on the
rules and regulations you have been provided in your institution. Does your school have a
similar policy? Does it contain all the elements listed in the text?
Policy Statement
This policy has been adopted to outline the acceptable use of all campus computers.
Strong adherence to this policy is a must and any student not doing so will be considered
to be in violation of campus policy. Violators are subject to disciplinary actions
established by administration and the IT department.
User Responsibility
The following guidelines are to be followed by all authorized users accessing university
owned computers.
General Computer Usage
As a registered student, you are responsible for the protection of all information and data
that you have access to, whether directly or indirectly. It is also the responsibility of the
student to recognize what, if any, of that data or information is sensitive and take the
necessary measures to keep it that way.
To help in the protection of all data, sensitive or otherwise, choose a user name and
password that is easy to remember but hard for others to guess.
Never under any circumstance share or disclose your username and/or password.
At no time is gaming permitted on campus computers. No exceptions.
Respect all legal protections such as copyright and licenses. Never copy software or use
shareware without written permission from the author or an IT administrator.


Log off all workstations or computers when you have completed your task.
In the classroom environment, properly shut down all computers at the end of the period
prior to leaving.
Only registered students and faculty are permitted to use campus machines.
Inform an IT administrator if you observe or learn of any suspicious activity.
Internet Use
Access to the Internet is only permitted through the campus firewall, router and content
scanning software. Access through any other means is not permitted.
Only authorized personnel are permitted to install modems, software, or any other types
of hardware.
Internet users should never visit web sites that are offensive to others, contain sexual
content, or are in violation of the law. Remember that you are responsible for anything
that you do on the system. The school reserves the right to keep and maintain logs on all
Internet usage, as well as to block any web sites that are deemed offensive or in violation
of the law.
If you have any doubt about Internet use or content, consult an IT administrator before
proceeding.
Electronic Mail
It is the responsibility of the student to maintain his or her own mailboxes; if an email is
no longer needed, delete it in order to reduce memory usage and storage space.
Do not send excessively large attachments.
Scan all transmissions for viruses.
Refrain from offensive, racist, or lewd language when constructing emails.
Emails should never contain material of an extreme political nature, violence, hatred, or
illegal activity.
All electronic transmissions are monitored and scanned for viruses, and offensive content.
The school reserves the right to keep and maintain logs on all electronic mail usage.
* Note: All data, information, hardware and software belong solely to the school; treat
them with respect and keep security in mind at all times.
* Your computer, workstation and all logins to the network are monitored regularly.
* Logs are audited and maintained regularly.
Kennesaw State does have a similar policy, and it contains the elements described above.
Alternate Answer
POLICY FOR “FAIR AND RESPONSIBLE USE OF COLLEGE COMPUTERS”
October 20, 2002
ACWORTH STATE UNIVERSITY


Statement of policy
This document describes policies for use of Acworth State University computer resources
by faculty, staff, and students.
Computer resources are defined as all publicly available networks, processors,
peripherals and supplies under the administration of the Office of Computing Services
and various academic departments and colleges.
Authorized access and usage of equipment
Unauthorized access to computer resources is prohibited. No one should use the ID or
password of another, nor should anyone provide his/her ID or password to another,
except where necessary to facilitate computer maintenance and repairs.
University computer resources are to be used predominantly for university-related
activities. However, personal use is permitted as long as it conforms to this policy and
does not interfere with university operations.
Programs and files stored in users' private directories are considered private unless their
owners have explicitly made them available. However, in the case of system problems or
clear policy violations, system managers may examine user files and system logs in order
to gather sufficient information to diagnose and correct system problems and investigate
policy violations.
Prohibited usage of equipment
No one should deliberately attempt to degrade the performance of a computer system or
to deprive authorized personnel of resources or access to any university computer
systems.
Electronic communications facilities (such as e-mail) are for college related activities
only. Fraudulent, harassing or obscene messages and/or materials are not to be sent or
stored.
The use of Acworth State University’s computer resources for the conduct of a business
or any other commercial purposes is prohibited.
Computer software protected by copyright is not to be copied from, into, or by using
campus-computing facilities, except as permitted by law or by the contract with the
owner of the copyright. This means that such computer and microcomputer software may
only be copied in order to make back-up copies, if permitted by the copyright owner.
Systems management
Personal user files -- whether stored on disk or backup tape -- are considered private and
will not be scanned or read by computer center staff except as specifically authorized
below:
If System Managers discover private information as an incidental result of performing
their duties, they are obligated to keep this information confidential. However, such
information, if it is evidence of policy violations, may be used in disciplinary
proceedings.
System Managers are authorized to examine user files or processes only as far as
necessary to ensure reliable and secure system operation. If reliable system operation is in
jeopardy, system operators are also authorized to kill or suspend user processes, move
user files to alternate storage media or delete files that can be easily recovered (for
instance, from off the Internet). The users affected will be promptly notified of the actions
taken and the reasons why. System Managers will make every reasonable attempt to
assist users in recovering work files that were destroyed in the process of attempting to
keep the system running properly.
System Managers are authorized to examine user files to collect evidence of specific
college policy violations, provided that probable cause exists for such a search. Any
examination of this sort must be reported promptly to the Director of Computing.
Violations of policy
Depending on the nature and severity of the policy violation, the university may take one
or more of the following disciplinary actions:
Send a verbal, written, or electronic mail warning.
Allow only restricted computer privileges.
Temporarily suspend the computer account.
Revoke all computer privileges.
Policy review and modification
All policies and procedures outlined are intended to serve for the current academic year;
however, Acworth State University reserves the right to make such modifications as are
deemed necessary. If and when changes are made, appropriate effort such as faxing
updates to all campus departments and posting changes on the university's web page will
be made to notify the university community.
Limitations of liability
Acworth State University provides computer accounts and access to technology resources
for all faculty, students, and staff for educationally related purposes. The university
assumes full responsibility for the accuracy and appropriateness of official university
WWW pages.
Individuals' personal pages (as denoted by "~username" in the URL) are provided as
professional and educational work areas. These individual pages are reviewed for
adherence to technical standards only. Individual page content is determined by the page
owner, is not reviewed by the university, and is subject to review upon formal complaint
by a responsible party.
Acworth State University assumes no responsibility for, nor does it endorse, the contents
of any personal/individual's World Wide Web page. However, if you believe the content
of an individual's page is offensive, obscene, or inconsistent with the generally accepted
norms for WWW page content, please register a formal complaint by contacting
webmaster@acworth.edu.
Acworth State University adopted this policy on October 20, 2002. Send all comments
and questions to: jtweed@acworth.edu

4. Use your library or the Web to find a reported natural disaster that occurred at
least 180 days ago. From the news accounts, determine if local or national officials had
prepared disaster plans and if they were used. See if you can determine how the plans
helped the officials improve the response to the disaster. How do the plans help the
recovery?
On February 14, 2000, tornadoes blasted rural southern Georgia early in the morning,
killing at least 19 people and injuring more than 100 others. The violent weather that hit
southwestern Georgia with at least five tornadoes was part of a storm system that also hit
Arkansas, Tennessee, Mississippi, Alabama and northeastern Florida before moving into
the Carolinas. Thousands of people in the region lost power and Georgia Gov. Roy
Barnes declared a state of emergency.
Emergency shelters were set up in Camilla and Moultrie, the main town in neighboring
Colquitt County. The Red Cross was also sent to the area to provide aid to the victims
and their families, and federal aid was also being disbursed. The area involved did have
an emergency disaster plan to implement upon being notified by the National Weather
Service in case of approaching storms. However, the tornadoes came without warning and
the towns were unable to prepare. All efforts were turned towards recovery and
rebuilding.

Alternate Answer
Earlier this year the Vltava and Elbe rivers flooded many European towns and cities. Due
to the path of these rivers and current economic conditions, these floods occurred in
many countries that greatly differed in economic status. The deaths and damage that
occurred appear to have been greatest in countries with weak economies that were ill prepared
for such an event, such as Romania or the Czech Republic. In comparison, countries with
better-funded and organized response teams such as Germany and Austria had a lower
death and damage toll.

5. Classify each of the following occurrences as an incident or disaster. If an
occurrence is a disaster, determine whether or not business continuity plans would be
called into play.
A hacker gets into the network and deletes files from a server.
A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are
damaged, but the fire is contained before it moves out of the area.
A tornado hits a local power company, and the company will be without power for three to
five days.
Employees go on strike, and the company could be without critical workers for weeks.
A disgruntled employee takes a critical server home, sneaking it out after hours.

a. A hacker gets into the network and deletes files from a server. - Incident. No
business continuity plan is called into play.
b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some
computers are damaged, but the fire is contained before it moves out of the area. -
Disaster. No business continuity plan is called into play.
c. A tornado hits a local power company, and the company will be without power for
three to five days. - Disaster. The business continuity plan is called into play.
d. Employees go on strike, and the company could be without critical workers for
weeks. - Disaster. The business continuity plan is called into play.
e. A disgruntled employee takes a critical server home, sneaking it out after hours.
- Incident. No business continuity plan is called into play.

Alternate Answer
a. A hacker gets into the network and deletes files from a server. - This would be
considered an incident unless the deleted files were crucial to the continuation of
the business and the business was unprepared (i.e., without backups), at which
point it would be considered a disaster.
b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some
computers are damaged, but the fire is contained before it moves out of the area. -
This would be considered an incident.
c. A tornado hits a local power company, and the company will be without power for
three to five days. - This would be considered a disaster where the business
continuity plans would be called into play.
d. Employees go on strike, and the company could be without critical workers for a
week. - This would be considered a disaster where the business continuity plans
would be called into play.
e. A disgruntled employee takes a critical server home, sneaking it out after hours. -
If the server could not be replaced in an acceptable amount of time, this would be
considered a disaster. Depending on the nature of the business, this could call into
play the business continuity plans.

Principles of Information Security, 4th Edition

Chapter 6
Review Questions

1. What is the typical relationship among the un-trusted network, the firewall, and the
trusted network?
The untrusted network is usually the Internet or another segment of a public-access
network, while the trusted network is typically a privately owned network. The firewall
serves as a mechanism to filter traffic from the untrusted network that comes into the
trusted network, to gain some assurance that the traffic is legitimate.

2. What is the relationship between a TCP and UDP packet? Will any specific
transaction usually involve both types of packets?
UDP packets are, by design, connectionless. TCP packets usually involve the creation of
a connection from one host computer to another. It would be unusual for a single
transaction to involve both TCP and UDP ports.

3. How is an application layer firewall different from a packet filtering firewall? Why
is an application layer firewall sometimes called a proxy server?
The application layer firewall takes into consideration the nature of the applications that
are being run (the type and timing of the network connection requests, the type and nature
of the traffic that is generated) whereas the packet filtering firewall simply looks at the
packets as they are transferred. The application firewall is also known as a proxy server,
since it runs special software that acts as a proxy for a service request.

4. How is static filtering different from dynamic filtering of packets? Which is
perceived to offer improved security?
Static filtering requires that the filtering rules governing how the firewall decides which
packets are allowed and which are denied are developed and installed. This type of
filtering is common in network routers and gateways. Dynamic filtering allows the
firewall to react to an emergent event and update or create rules to deal with the event.
This reaction could be positive, as in allowing an internal user to engage in a specific
activity upon request, or negative, as in dropping all packets from a particular address
when an increase in the presence of a particular type of malformed packet is detected.
While static filtering firewalls allow entire sets of one type of packet to enter in response
to authorized requests, the dynamic packet filtering firewall allows only a particular
packet with a particular source, destination, and port address to enter through the firewall.

5. What is stateful inspection? How is state information maintained during a network
connection or transaction?
Stateful inspection firewalls, also called stateful firewalls, keep track of each network
connection between internal and external systems using a state table. A state table tracks
the state and context of each packet in the conversation by recording which station sent
what packet and when. Like first generation firewalls, stateful inspection firewalls
perform packet filtering, but they take it a step further. Whereas simple packet filtering
firewalls only allow or deny certain packets based on their address, a stateful firewall can
block incoming packets that are not responses to internal requests. If the stateful firewall
receives an incoming packet that it cannot match in its state table, it defaults to its ACL to
determine whether to allow the packet to pass. The primary disadvantage of this type of
firewall is the additional processing required to manage and verify packets against the
state table, which can leave the system vulnerable to a DoS or DDoS attack.

State information is preserved using a state table that looks similar to a firewall rule set
but has additional information. The state table contains the familiar source IP and port,
and destination IP and port, but adds information on the protocol used (i.e., UDP or TCP),
total time in seconds, and time remaining in seconds.
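As an added example (not the textbook's own code), the following Python models the state table and ACL fallback just described: an outbound request from the trusted network creates an entry carrying the 5-tuple plus total and remaining time, an inbound packet is matched against the reversed tuple, an unmatched inbound packet falls through to the ACL, and an idle entry expires. The trusted network range, the ACL rules, the addresses and the timeout are constructed assumptions.

```python
"""Toy stateful inspection firewall: state table first, ACL as the fallback."""
import ipaddress
from dataclasses import dataclass

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed trusted network


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StateEntry:
    """One row of the state table: the familiar 5-tuple plus the timing columns."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    total_time: int      # seconds the connection may live in the table
    time_remaining: int  # counts down; the row is dropped when it reaches zero


class StatefulFirewall:
    def __init__(self, acl, timeout=120):
        # ACL rules are (proto, dst_ip, dst_port, action); "*" matches anything.
        self.acl = acl
        self.timeout = timeout
        self.state = {}  # outbound 5-tuple -> StateEntry

    def tick(self, seconds):
        """Advance the clock and expire rows whose time has run out."""
        for key in list(self.state):
            entry = self.state[key]
            entry.time_remaining -= seconds
            if entry.time_remaining <= 0:
                del self.state[key]

    def filter(self, pkt):
        if ipaddress.ip_address(pkt.src_ip) in TRUSTED_NET:
            # Outbound request: record it so the reply can be matched later.
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.state[key] = StateEntry(*key, self.timeout, self.timeout)
            return "ALLOW"
        # Inbound: is this a response to an internal request? Look up the reversed tuple.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.state.get(key)
        if entry is not None:
            entry.time_remaining = entry.total_time  # activity refreshes the timer
            return "ALLOW"
        # No matching state: fall back to the ACL, which ends in an implicit deny.
        return self.acl_decision(pkt)

    def acl_decision(self, pkt):
        for proto, dst_ip, dst_port, action in self.acl:
            if (proto in ("*", pkt.proto) and dst_ip in ("*", pkt.dst_ip)
                    and dst_port in ("*", pkt.dst_port)):
                return action
        return "DENY"

    def state_rows(self):
        """The state table as a list of dicts: rule-set columns plus the two timers."""
        return [vars(entry) for entry in self.state.values()]


def run_demo():
    """Walk through the cases described in the text and return the decisions."""
    # Constructed ACL: the only unsolicited inbound traffic allowed is web to one host.
    fw = StatefulFirewall(acl=[("TCP", "10.0.0.80", 80, "ALLOW")])
    request = Packet("TCP", "10.0.0.5", 51000, "203.0.113.9", 443)      # internal -> out
    reply = Packet("TCP", "203.0.113.9", 443, "10.0.0.5", 51000)        # matching reply
    unsolicited = Packet("TCP", "198.51.100.7", 40000, "10.0.0.5", 3389)  # no state, no ACL hit
    web = Packet("TCP", "198.51.100.7", 40001, "10.0.0.80", 80)          # no state, ACL allows
    decisions = [fw.filter(request), fw.filter(reply), fw.filter(unsolicited), fw.filter(web)]
    fw.tick(fw.timeout + 1)              # let the recorded connection time out...
    decisions.append(fw.filter(reply))   # ...so a late "reply" no longer matches
    return decisions


if __name__ == "__main__":
    print(run_demo())  # ['ALLOW', 'ALLOW', 'DENY', 'ALLOW', 'DENY']
```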

6. What is a circuit gateway, and how does it differ from the other forms of firewalls?
The circuit gateway firewall operates at the transport layer. Again, connections are
authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not
usually look at data traffic flowing between one network and another, but they do prevent
direct connections between one network and another. They accomplish this by creating
tunnels connecting specific processes or systems on each side of the firewall, and then
allow only authorized traffic, such as a specific type of TCP connection for only
authorized users, in these tunnels. A circuit gateway is a firewall component often
included in the category of application gateway, but it is in fact a separate type of
firewall.

7. What special function does a cache server perform? Why is this useful for larger
organizations?
These types of servers can store the most recently accessed pages in their internal cache
memory, and thus can provide content for heavily accessed pages without the level of
traffic required when pages are not cached. Larger organizations often find that just a few
web sites account for a large quantity of traffic and can lower total network traffic
measurably by using a cache server.

8. Describe how the various types of firewalls interact with the network traffic at
various levels of the OSI model.
Packet filtering firewalls scan network data packets looking for compliance with or
violation of the rules of the firewall's database. Filtering firewalls inspect packets at the
network layer, or Layer 3, of the OSI model. MAC layer firewalls are designed to operate
at the media access control layer (Layer 2) of the OSI network model. Application level
firewalls operate at OSI layers above Layer 3, using specific knowledge of various
protocols and applications to make more informed decisions about packet forwarding.

9. What is a hybrid firewall?
A hybrid is a firewall that combines features and functions from other types of firewalls.
Hybrid firewalls use a combination of the other three methods, and in practice, most
firewalls fall into this category, since most use multiple approaches within the same
device.

10. List the five generations of firewall technology. Which generations are still in
common use?
At the present time, there are five generally recognized generations of firewalls, and these
generations can be implemented in a wide variety of architectures.

First Generation. First generation firewalls are static packet filtering firewalls—that is,
simple networking devices that filter packets according to their headers as the packets
travel to and from the organization’s networks.

Second Generation. Second generation firewalls are application-level firewalls or proxy
servers—that is, dedicated systems that are separate from the filtering router and that
provide intermediate services for requestors.

Third Generation. Third generation firewalls are stateful inspection firewalls, which, as
you may recall, monitor network connections between internal and external systems
using state tables.

Fourth Generation. While static filtering firewalls, such as first and third generation
firewalls, allow entire sets of one type of packet to enter in response to authorized
requests, the fourth generation firewalls, which are also known as dynamic packet
filtering firewalls, allow only a particular packet with a particular source, destination, and
port address to enter.

Fifth Generation. The fifth generation firewall is the kernel proxy, a specialized form that
works under the Windows NT Executive, which is the kernel of Windows NT.

Most modern firewalls combine features from more than one generation.

11. How does a commercial-grade firewall appliance differ from a commercial-grade
firewall system? Why is this difference significant?
An appliance will be a combination of hardware and software where the hardware is
either customized or highly tuned to meet the needs of the firewall application. This will
often yield superior performance and improved capabilities.

12. Explain the basic technology that makes residential/SOHO firewall appliances
effective in protecting a local network. Why is this usually adequate for protection?
Network Address Translation (NAT) assigns non-routable local addresses to the computer
systems in the local area network and uses the single ISP-assigned address to
communicate with the Internet. Since the internal computers are not visible to the public
network, they are much less likely to be scanned or compromised.

13. What key features point to the superiority of residential/SOHO firewall appliances
over personal computer-based firewall software?
When the protective control fails, the appliance will most often fail in a safe mode, while
the software is likely to stop working, leaving the protected system vulnerable.

14. How do screened host architectures for firewalls differ from screened subnet
firewall architectures? Which of these offers more security for the information
assets that remain on the trusted network?
In fact, they operate in much the same way. The specialized design of the screened subnet
is perceived to offer more security for the trusted network.

15. What is a sacrificial host? What is a bastion host?
They are synonyms. Since the bastion host stands as a sole defender on the network
perimeter, it is also commonly referred to as the sacrificial host. To its advantage, this
configuration requires the external attack to compromise two separate systems, before the
attack can access internal data.

16. What is a DMZ? Is this really an appropriate name for the technology, considering
the function this type of subnet performs?
It is named for the security buffer often found after an armed conflict. In fact it is a poor
name, since the network segment so named is often home to the most heavily armored
systems the organization can prepare.

17. What are the questions that must be addressed when selecting a firewall for a
specific organization?
1. What type of firewall technology offers the right balance between protection and cost for
the needs of the organization?
2. What features are included in the base price? What features are available at extra cost?
Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff
technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?

18. What is RADIUS? What advantage does it have over TACACS?
The RADIUS (Remote Authentication Dial-In User Service) system centralizes the
management of user authentication by placing the responsibility for authenticating each
user in the central RADIUS server.

19. What is a content filter? Where is it placed in the network to gain the best result for
the organization?
A content filter is a software filter—technically not a firewall—that allows administrators
to restrict access to content from within a network. It is essentially a set of scripts or
programs that restricts user access to certain networking protocols and Internet locations,
or restricts users from receiving general types or specific examples of Internet content.
Some refer to content filters as reverse firewalls, as their primary focus is to restrict
internal access to external material.

To gain the best result, it should be placed on the primary connection used to gain access
to the Internet.

20. What is a VPN? What are some reasons why it is widely popular in many
organizations?
A Virtual Private Network (VPN) is a private and secure network connection between
systems that uses the data communication capability of an unsecured and public network.
VPNs are popular since they are simple to set up and maintain and usually require only
that the tunneling points be dual-homed—that is, connecting a private network to the
Internet or to another outside connection point. There is VPN support built into most
Microsoft server software, including NT and 2000, as well as client support for VPN
services built into XP. While true private network services connections can cost hundreds
of thousands of dollars to lease, configure, and maintain, a VPN can cost next to nothing.

Exercises
1. Using the Web, search for “software firewalls.” Examine the various alternatives
available and compare their functionality, cost, features, and type of protection.
Create a weighted ranking according to your own evaluation of the features and
specifications of each software package.
Will vary by class.

2. Using Figure 6-14, create rule(s) necessary for both the internal and external
firewalls to allow a remote user to access an internal machine from the Internet
using the software Timbuktu. This requires researching the ports used by this
software package.
Exact rules will vary, but the following information is necessary: Timbuktu uses UDP
407 and 1419 for connection setup and handshaking, TCP 1417 for Send commands,
TCP 1418 for View screen, TCP 1419 for Send file, and TCP 1420 for Receive file.

3. Using Figure 6-15, suppose management wants to create a “server farm” that is
configured to allow a proxy firewall in the DMZ to access an internal Web server
(rather than a Web server in the DMZ). Do you foresee any technical difficulties in
deploying this architecture? What advantages and disadvantages are there to this
implementation?

A good solution is to place the Web servers containing critical data inside the
network and use proxy services from a DMZ (screened network segment). This protects
the Web servers themselves from compromise and places proxies in the DMZ to carry
requests. This accomplishes two things: it allows HTTP traffic to reach the Web server,
and it prevents non-HTTP traffic from reaching the Web server.
Advantages: Screens the Web server from external attacks and non-Web traffic.
Disadvantages: Slows Web response time and increases traffic through the internal firewall.

4. Using the Internet, determine what applications are commercially available to
secure remote access to a PC.
Will vary by student. Some examples include PCAnywhere, Timbuktu, Windows
Remote Desktop and to an extent LiveMesh.

5. Using a Microsoft XP or Vista system, open Internet Explorer. Open Internet
Options under the Tools menu. Examine the contents of the Security and Privacy
tabs. How can these tabs be configured to provide: a) content filtering, and b)
protection from unwanted items like cookies?
a) You can configure Internet Explorer to control the kinds of content users can view in
the browser.
You can control content in two ways: you can use content rating systems, or you can
specify Web sites. Administration of content-rating systems is done by independent
organizations. Internet Explorer defaults to the ratings from the Internet Content Rating
Association.
To Enable the Content Advisor Feature:
In Internet Explorer, click Internet Options on the Tools menu. Click the Content tab.
Under Content Advisor, click Enable to open the Content Advisor dialog box.

(source: http://support.microsoft.com/kb/310401)
b) You can configure your privacy settings in Internet Explorer 6 by clicking Internet
Options on the Tools menu, and then clicking the Privacy tab.
NOTE: An administrator can customize your privacy settings and remove the Privacy tab
from the interface in the Internet Options dialog box. If the Privacy tab is not available,
contact your administrator, or see the "Information for Advanced Users and IT
Professionals" section.
The Privacy settings slider has six settings: Block All Cookies, High, Medium High,
Medium (default level), Low, and Accept All Cookies.
(source: http://support.microsoft.com/kb/283185)

Chapter 7
Review Questions

1. What common security system is an IDPS most like? In what ways are these systems
similar?
IDPSs are much like burglar alarms. They both will monitor an area for actions that may
represent a threat and sound an alarm when those actions are detected.

2. How does a false positive alarm differ from a false negative one? From a security
perspective, which is least desirable?
A false positive looks like an alert but is in fact routine activity. A false negative looks
like normal activity but is in fact an alert-level action. From a security viewpoint, false
positives are just a nuisance, but false negatives are a failure in the mission of the system.

3. How does a network-based IDPS differ from a host-based IDPS?
A network-based IDPS monitors network traffic on a specified network segment. A
host-based IDPS monitors a single host system for changes.

4. How does a signature-based IDPS differ from a behavior-based IDPS?
A signature-based system looks for patterns of behavior that match a library of known
behaviors. A behavior-based system watches for activities that suggest an alert-level
activity is occurring based on sequences of actions or the timing between otherwise
unrelated events.
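To make the distinction in Q4 concrete, and to tie it to the false positive and false negative of Q2, here is an added example (not from the textbook) that runs a signature-based detector and a behavior-based detector over a few constructed log lines and counts the benign sources each one flags and the hostile sources each one misses. The log lines, the signature pattern, the failed-login threshold and the ground-truth set of hostile sources are all constructed assumptions.

```python
"""Signature-based versus behavior-based detection over constructed log lines."""
import re
from collections import defaultdict, deque

# Constructed web-server style events: (seconds since start, source IP, event).
LOG = [
    (0,  "192.0.2.10", "GET /index.html"),
    (3,  "192.0.2.50", "GET /files/../../private/config"),   # matches a known pattern
    (5,  "192.0.2.20", "POST /login user=bob result=FAIL"),   # one typo, then success
    (9,  "192.0.2.20", "POST /login user=bob result=OK"),
    (20, "192.0.2.30", "POST /login user=admin result=FAIL"), # no single line is "bad";
    (21, "192.0.2.30", "POST /login user=admin result=FAIL"), # the sequence and timing are
    (22, "192.0.2.30", "POST /login user=admin result=FAIL"),
    (23, "192.0.2.30", "POST /login user=admin result=FAIL"),
    (24, "192.0.2.30", "POST /login user=admin result=FAIL"),
    (40, "192.0.2.40", "GET /reports/../archive.zip"),        # legacy app, benign
]
# Constructed ground truth: the sources that were actually hostile.
ATTACKERS = {"192.0.2.50", "192.0.2.30"}

# Signature library (constructed): a directory-traversal pattern in a request path.
SIGNATURES = {"path-traversal": re.compile(r"(^|/)\.\./")}


def signature_detect(log):
    """Signature-based: every event is compared against the library of known patterns."""
    return [(ts, src, name)
            for ts, src, event in log
            for name, pattern in SIGNATURES.items()
            if pattern.search(event)]


def behavior_detect(log, window=60, max_failures=3):
    """Behavior-based: alert when one source produces more than max_failures failed
    logins inside a sliding window of `window` seconds; no single line is suspicious."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ts, src, event in log:
        if "result=FAIL" not in event:
            continue
        failures = recent[src]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures that fell out of the window
            failures.popleft()
        if len(failures) > max_failures:
            alerts.append((ts, src, "login-brute-force"))
    return alerts


def evaluate(alerts, attackers=ATTACKERS):
    """False positives: benign sources that were flagged.
    False negatives: hostile sources that raised no alert at all."""
    flagged = {src for _, src, _ in alerts}
    return {"false_positives": sorted(flagged - attackers),
            "false_negatives": sorted(attackers - flagged)}


if __name__ == "__main__":
    sig, beh = signature_detect(LOG), behavior_detect(LOG)
    print("signature only :", evaluate(sig))   # flags the benign "../" request, misses the brute force
    print("behavior only  :", evaluate(beh))   # misses the traversal, which is a single event
    print("both combined  :", evaluate(sig + beh))
```

Running both detectors together removes the false negative of each but keeps the signature's false positive, which is the trade-off the Q2 answer describes.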

5. What is a monitoring (or SPAN) port? What is it used for?
A switched port analyzer (SPAN) port is a data port on a switched device that replicates all
designated traffic from the switch device so that the traffic can be captured, stored or
analyzed for IDPS or other purposes.

6. List and describe the three control strategies proposed for IDPS control.
The three commonly utilized control strategies are centralized, partially distributed, and
fully distributed. With a centralized IDPS control strategy all IDPS control functions are
implemented and managed in a central location. Using a fully distributed IDPS control
strategy is the opposite of the centralized strategy. Each monitoring site uses its own
paired sensors to perform its own control functions to achieve the necessary detection,
reaction, and response functions. Thus, each sensor/agent is best configured to deal with
its own environment. In a partially distributed IDPS control strategy the better parts of
the other two strategies are combined. While the individual agents can still analyze and
respond to local threats, their reporting to a hierarchical central facility enables the
organization to detect widespread attacks. This blended approach to reporting is one of
the more effective methods of detecting intelligent attackers, especially those who probe
an organization through multiple points of entry, trying to scope out the systems’
configurations and weaknesses, before they launch a concerted attack.

7. What is a honeypot? How is it different from a honeynet?
Honeypots are decoy systems designed to lure potential attackers away from critical
systems and encourage attacks against themselves. Indeed, these systems are created for
the sole purpose of deceiving potential attackers. In the industry, they are also known as
decoys, lures, and fly-traps. When several honeypot systems are connected on a subnet,
the collection may be called a honeynet.

8. How does a padded cell system differ from a honeypot?
A padded cell is a honeypot that has been protected so that it cannot be easily
compromised. In other words, a padded cell is a hardened honeypot. In addition to
attracting attackers with tempting data, a padded cell operates in tandem with a traditional
IDPS. When the IDPS detects attackers, it seamlessly transfers them to a special
simulated environment where they can cause no harm—the nature of this host
environment is what gives the approach its name, padded cell.

9. What is network footprinting? What is network fingerprinting? How are they
related?
Footprinting is the organized research of the Internet addresses owned or controlled by a
target organization. The attacker uses public Internet data sources to perform keyword
searches to identify the network addresses of the organization. This research is
augmented by browsing the organization’s Web pages. Web pages usually contain
quantities of information about internal systems, individuals developing Web pages, and
other tidbits, which can be used for social engineering attacks. The next phase of the
attack protocol is a second intelligence or data-gathering process called fingerprinting.
This is a systematic survey of all of the target organization’s Internet addresses (which
were collected during the footprinting phase described above); the survey is conducted to
ascertain the network services offered by the hosts in that range. Complete fingerprinting
requires the knowledge of the Internet presences of the target that is collected in the
footprinting process.

10. Why do many organizations ban port scanning activities on their internal networks?
Why would ISPs ban outbound port scanning by their customers?
There are few legitimate business reasons that require port scanning and it is a high-
impact and highly intensive use of network resources. It is most often used by attackers
as a prelude to a concerted attack. ISPs do not want to be liable for the actions of
attackers who may use their network resources.

11. What is an open port? Why is it important to limit the number of open ports a
system has to only those that are absolutely essential?
An open port is a TCP or UDP service port that accepts traffic and responds with services
at that port address. Ports that are not required are often poorly configured and subject to
misuse. Only essential services should be offered on secure networks.

12. What is a vulnerability scanner? How is it used to improve security?
A vulnerability scanner is a software program or network appliance that scans a range of
network addresses and port numbers for open services. When a service port is found, it attempts to identify the
service being offered and evaluates the security of that service, perhaps by compromising
the service. When an improperly configured or weak service port is found, it can be
removed or repaired to reduce risk.

13. What is the difference between active and passive vulnerability scanners?
An active scanner will initiate network traffic to find and evaluate service ports. A passive
scanner uses traffic from the target network segment to evaluate the service ports
available from hosts on the network segment.

14. What kind of data and information can be found using a packet sniffer?
All network traffic that reaches the packet sniffer's network connection can be captured.
If the data in such packets is not encrypted, its contents are also readable.

15. What capabilities should a wireless security toolkit include?
A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless
hosts, and assess the level of privacy or confidentiality afforded on the wireless network.

16. What is biometric authentication? What does the term biometric mean?
Biometric authentication encompasses a set of technical means that measure one or
more physical characteristics in order to verify a person’s identity. Biometric literally
means “life measurement”: measuring the characteristics of the person requesting
access.

17. Are any biometric recognition characteristics considered more reliable than others?
Which are the most reliable?
Yes, each characteristic has a known degree of reliability. Among the most reliable are
retina, fingerprint and iris recognition.

18. What is a false reject rate? What is a false accept rate? What is their relationship to
the crossover error rate?
The false reject rate is the percentage or rate at which supplicants who are authentic
users are denied access to authorized areas because of a failure in the biometric device.
This error rate is also known as a Type I error.
The false accept rate is the percentage or rate at which supplicants who are not legitimate
users are allowed access to systems or areas because of a failure in the biometric device.
This error rate is also known as a Type II error. This type of error is unacceptable to
security professionals, as it represents a clear breach of access. The crossover error rate
(CER), also known as the equal error rate, is the level at which the number of false
rejections equals the number of false acceptances. It is possibly the most common and
important overall measure of the accuracy of a biometric system.
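As an added illustration of the rates defined in Question 18 (example code written for this edit, not from the textbook), the following computes FRR and FAR from match scores at every decision threshold and locates the crossover point where the two are equal. GENUINE_SCORES and IMPOSTOR_SCORES are constructed sample data; a higher score means a closer match, and the device accepts a supplicant whose score reaches the threshold.

```python
"""FRR, FAR and crossover error rate of a biometric matcher, computed from match scores.

Added example (not from the textbook). The two score lists are constructed sample data:
GENUINE_SCORES are attempts by enrolled users, IMPOSTOR_SCORES are attempts by people who
are not the claimed user; a higher score means a closer match, and the device accepts a
supplicant whose score reaches the decision threshold.
"""
from typing import List, Tuple

GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]   # constructed
IMPOSTOR_SCORES = [55, 58, 61, 63, 67, 69, 72, 75, 80, 84]  # constructed


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """Type I error: fraction of legitimate users whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    """Type II error: fraction of impostors whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every integer threshold over the observed score range.

    Raising the threshold moves FRR up and FAR down; that trade-off is what the
    operator tunes.
    """
    lo, hi = min(genuine + impostor), max(genuine + impostor) + 1
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in range(lo, hi + 1)]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest (equal, for the sample data) and the rate there.

    Ties between thresholds are broken toward the lowest one.
    """
    t, frr, far = min(error_curve(genuine, impostor),
                      key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (frr + far) / 2


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}  FRR {frr:.2f}  FAR {far:.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

For the constructed scores the curves cross at a threshold of 73 with both rates at 0.3. The table printed by the block also shows why a security-first deployment sets the threshold above the crossover: at 85 no impostor is accepted, at the cost of rejecting seven of ten legitimate attempts.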

19. What is the most widely accepted biometric authorization technology noted in the
text? Why do you think this technology is so acceptable to users?
Keystroke pattern recognition. It is the least invasive.

20. What is the most effective biometric authorization technology noted in the text?
Why do you think this technology is deemed to be most effective by security
professionals?
Retina pattern recognition. It is the most reliable and the most secure.

Exercises
1. A key feature of hybrid IDPS systems is event correlation. After researching event
correlation online, define the following terms as they are used in this process:
compression, suppression, and generalization.
Compression is the degree to which redundant or inconsequential data can be removed to
compress the resulting dataset. Suppression is the ability of a correlation engine to
suppress false positive triggers from raising an unwarranted alarm. Generalization is the
ability to extrapolate a known exploit signature into a general purpose alert.

2. ZoneAlarm is a PC-based firewall and IDPS tool. Visit the product manufacturer at
www.zonelabs.com, and find the product specification for the IDPS features of
ZoneAlarm. Which of the ZoneAlarm products offer these features?
ZoneAlarm Pro and ZoneAlarm Security Suite include IDPS features (as of 12/07/2004).

3. Using the Internet, search for commercial IDPS systems. What classification systems
and descriptions are used, and how can these be used to compare the features and
components of each IDPS? Create a comparison spreadsheet identifying the
classification systems you find.
Answer will vary for each student.

4. Use the Internet to find vendors of thumbprint and iris scanning tools. Which of
these tools is more economical? Which of these is least intrusive?
Answer will vary for each student.

5. There are several online passphrase generators available. Locate at least two of
them on the Internet, and try them out. What did you observe?
Answer will vary for each student.

Chapter 8
Review Questions

1. What are cryptography and cryptanalysis?
Cryptography and cryptanalysis are the two topic areas within cryptology.
2. What were some of the first uses of cryptography?
Concealing military and political secrets while they were transported from place to place.
3. What is a key, and what is it used for?
The information used in conjunction with an algorithm to create the ciphertext from the
plaintext or derive the plaintext from the ciphertext; the key can be a series of bits used
by a computer program, or it can be a passphrase used by humans that is then converted
into a series of bits for use in the computer program.
4. What are the three basic operations in cryptography?
Encrypting, decrypting and hashing.
5. What is a hash function, and what can it be used for?
Hash functions are mathematical algorithms that generate a message summary or digest
(sometimes called a fingerprint) to confirm the identity of a specific message and to
confirm that there have not been any changes to the content.
6. Why is it important to exchange keys out of band in symmetric encryption?
So that they are not intercepted and used to read the secret message.
7. What is the fundamental difference between symmetric and asymmetric
encryption?
Asymmetric encryption is also known as public key encryption. It uses two different keys
to encrypt messages, the public key and the private key. Symmetric encryption is different
because it uses only one key to encrypt and decrypt messages. Symmetric encryption is
much faster for the computer to process; however, it raises the costs of key management.
Symmetric encryption, also called private key encryption, is where the same key is used
to conduct both the encryption and decryption of the message. Both the sender and
receiver must possess the key. The problem with symmetric encryption is getting a copy
of the key to the sender.
Asymmetric encryption, also called public key encryption, uses two different keys.
Either key may encrypt or decrypt the message, but one key must be used for encryption
only and the other must be used for decryption only. The technique has the highest value
when one key is used as a private key and the other is used as a public key. The public
key is stored in a public location where anyone can use it. The problem with asymmetric
encryption is that it requires four keys to hold a single conversation between two parties.
Due to the number of keys involved in asymmetric encryption, it is not as efficient to use
as symmetric encryption in terms of CPU computations and key management.
8. How does Public Key Infrastructure protect information assets?
By making the use of cryptographic systems more convenient.
9. What are the components of PKI?
A certificate authority (CA), which issues, manages, authenticates, signs, and revokes
users’ digital certificates, which typically contain the user’s name, public key, and other
identifying information.

A registration authority (RA), which operates under the trusted collaboration of the
certificate authority and can be delegated day-to-day certification functions, such as
verifying registration information about new registrants, generating end-user keys,
revoking certificates, and validating that users possess a valid certificate.

Certificate directories, which are central locations for certificate storage that provide
a single access point for administration and distribution.

Management protocols, which organize and manage the communications between CAs,
RAs, and end users. This includes the functions and procedures for setting up new users,
issuing keys, recovering keys, updating keys, revoking keys, and enabling the transfer of
certificates and status information among the parties involved in the PKI’s area of
authority.

Policies and procedures that assist an organization in the application and management of
certificates, the formalization of legal liabilities and limitations, and actual business
practice use.
10. What is the difference between digital signatures and digital certificates?
A certificate is a wrapper for a key value. A signature is a combination of a message
digest and other information used to assure non-repudiation.
11. What drawbacks to symmetric and asymmetric encryption are resolved by using a
hybrid method like Diffie-Hellman?
It allows use without out-of-band key exchange.
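To make Question 11's point concrete, here is an added example (written for this edit, not from the textbook) of the hybrid pattern: two parties agree a secret over an open channel with Diffie-Hellman, hash it into symmetric keys with SHA-256 (the message-digest function of Question 5), and then use those keys for the actual message. P and G are constructed toy parameters, and the SHA-256 keystream cipher is a demonstration construction, not a production cipher.

```python
"""Diffie-Hellman agreement feeding a symmetric session key: the hybrid pattern in code.

Added example (not from the textbook). P and G are constructed toy group parameters
(P = 2**127 - 1 is a known prime but far too small for real use; production systems take
p and g from a standardized group such as those in RFC 3526). The keystream cipher is a
toy built from SHA-256 to show where the agreed key goes; it is not a production cipher.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

P = 2**127 - 1  # constructed toy modulus
G = 5           # constructed toy generator


def dh_keypair() -> Tuple[int, int]:
    """Private exponent x and the public value g^x mod p that travels in the clear."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def dh_shared_secret(my_private: int, their_public: int) -> int:
    """Both parties compute the same value from their own private and the peer's public."""
    if not 1 < their_public < P - 1:     # reject degenerate public values
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, P)


def derive_keys(shared: int) -> Tuple[bytes, bytes]:
    """Hash the agreed secret into separate encryption and MAC keys (a KDF step)."""
    material = shared.to_bytes(16, "big")
    return (hashlib.sha256(b"enc|" + material).digest(),
            hashlib.sha256(b"mac|" + material).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (demonstration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag, encrypt-then-MAC."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything modified in transit."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(enc_key: bytes, mac_key: bytes, blob: bytes) -> bool:
    """True when flipping one ciphertext bit makes decrypt() reject the message."""
    tampered = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        decrypt(enc_key, mac_key, tampered)
    except ValueError:
        return True
    return False


def session_demo(message: bytes = b"meet at the usual place") -> Tuple[bool, bytes]:
    """Both sides of one exchange: public values cross the wire, private exponents never do."""
    a_priv, a_pub = dh_keypair()      # Alice keeps a_priv, sends a_pub
    b_priv, b_pub = dh_keypair()      # Bob keeps b_priv, sends b_pub
    a_secret = dh_shared_secret(a_priv, b_pub)
    b_secret = dh_shared_secret(b_priv, a_pub)
    blob = encrypt(*derive_keys(a_secret), message)      # Alice encrypts
    recovered = decrypt(*derive_keys(b_secret), blob)    # Bob decrypts with his copy
    return a_secret == b_secret, recovered


if __name__ == "__main__":
    print(session_demo())
```

Plain Diffie-Hellman only removes the out-of-band exchange of the secret; it does not by itself tell Alice that the public value she received came from Bob, which is why deployed protocols sign or certify the exchanged values (the digital signatures and PKI of Questions 8 to 10).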
12. What is steganography, and what may it be used for?
Steganography is a process used to hide messages within digital encoding of pictures and
graphics. This is a concern for the security professional because hidden messages are not
easily detected and can contain sensitive information that needs to be protected.
13. What security protocols are predominantly used in Web-based electronic
commerce?
S-HTTP, SET, SSL, SSH-2, and IPSec
14. What security protocols are used to protect e-mail?
S/MIME, PEM and PGP.

15. IPSec can be used in two modes. What are they?
Transport and tunnel modes.
16. Which kind of attack on cryptosystems involves using a collection of pre-identified
terms? Which kind of attack involves sequential guessing of all possible key combinations?
A dictionary attack uses pre-identified terms. A brute-force attack tries all possible
combinations.
17. If you were setting up an encryption-based network, what size key would you choose
and why?
I would choose the largest key size consistent with the tools being used and the overhead
performance burden it would impose on our environment. If all of the compute devices
were capable of AES 256 encryption, that is the current ‘gold standard’.
18. What is the average key size of a strong encryption system in use today?
Web-based SSL has standardized on 128 bits as of late 2004.
Newer versions (circa 2008) are 256 bit.
19. What is the standard for encryption currently recommended by NIST?
AES, the Advanced Encryption Standard.
20. What is the most popular symmetric encryption system used over the Web? The
most popular asymmetric system? Hybrid system?
SSL, 3DES, and PGP.
Alternate answers could include: (since Web popularity varies): RSA, AES, RC6.

Exercises
1. Go to a popular online electronic commerce site like Amazon.com. Select several
items for your shopping cart. Go to check out. When you get to the screen that asks for
your credit card number, right-click on the Web browser and select “Properties.” What can
you find out about the cryptosystems and protocols in use to protect this transaction?
Each student will prepare a different answer.
2. Repeat Exercise 1 on a different Web site. Does this site use similar or different
protocols? Describe them.
Each student will prepare a different answer.
3. Go to the Web site for PGP,
http://www.pgp.com/downloads/desktoptrial/index.html. Download and install the trial
version of PGP. Using PGP and your favorite e-mail program, send a PGP-signed e-mail to
your instructor. What looks different in this e-mail compared to your previous e-mails?
Note: Since publication, PGP has changed this Web site. The above URL still leads to the
current page, but now the student should download the “Desktop Trial Software” instead of
the “freeware version”.

Each student will prepare a different answer.


4. Visit the NIST Web site and view the document “Announcing the Advanced
Encryption Standard,” which can be found at
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. Review the FIPS-197 standard.
Examine the document to determine an overview of the development and implementation
of this cryptosystem.
Each student will prepare a different answer. Answers should include:
This standard specifies the Rijndael algorithm, a symmetric block cipher that can process
data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
Rijndael was designed to handle additional block sizes and key lengths; however, they are
not adopted in this standard.

5. Search the Web for steganography tools. What do you find? Download and install a
trial version of one of the tools. Embed a text file within an image. In a side-by-side
comparison of the two images, can you tell the difference between the original image and
the image with the embedded file?
Each student will prepare a different answer.
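As an added example for Question 12 and Exercise 5 (written for this edit, not from the textbook), the following embeds a text payload in the least-significant bits of a constructed 64x64 grayscale image, extracts it again, and then performs the side-by-side comparison Exercise 5 asks for. The names embed, extract and compare are chosen for this example; the image is a synthetic gradient held as a list of pixel values so that no image library is required.

```python
"""Least-significant-bit steganography in a grayscale image, and the comparison a reviewer
would run on the original and the carrier.

Added example (not from the textbook). The cover image is a constructed 64x64 8-bit
grayscale gradient held as a plain list of pixel values, so no image library is needed;
the scheme is the simplest one: one payload bit in the LSB of each pixel, after a
4-byte length header.
"""
import hashlib
from typing import Dict, List

WIDTH, HEIGHT = 64, 64


def make_cover_image() -> List[int]:
    """Constructed synthetic gradient, one 0..255 value per pixel, row-major."""
    return [(x * 7 + y * 13) % 256 for y in range(HEIGHT) for x in range(WIDTH)]


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels: List[int], payload: bytes) -> List[int]:
    """Return a copy of the image with the length-prefixed payload written into pixel LSBs."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("payload too large for this cover image")
    out = list(pixels)
    for idx, bit in enumerate(_bits(framed)):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract(pixels: List[int]) -> bytes:
    """Read the length header, then that many bytes, from the pixel LSBs."""
    def read_bytes(start: int, count: int) -> bytes:
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("no valid payload header in this image")
    return read_bytes(32, length)


def compare(original: List[int], stego: List[int]) -> Dict[str, object]:
    """What a side-by-side check sees: the largest per-pixel change, the share of pixels
    touched, and whether a digest of the pixel data still matches."""
    diffs = [abs(a - b) for a, b in zip(original, stego)]
    return {
        "max_pixel_change": max(diffs),
        "fraction_changed": sum(1 for d in diffs if d) / len(original),
        "same_digest": hashlib.sha256(bytes(original)).hexdigest()
                       == hashlib.sha256(bytes(stego)).hexdigest(),
    }


if __name__ == "__main__":
    cover = make_cover_image()
    carrier = embed(cover, b"constructed secret message")
    print(extract(carrier))
    print(compare(cover, carrier))
```

The comparison shows the point of Exercise 5: every pixel changes by at most one level, which the eye cannot distinguish, while the digest of the pixel data no longer matches. That is why detecting a hidden payload in practice relies on integrity checks against known originals or on statistical analysis of the pixel data rather than on looking at the two images.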

Chapter 9
Review Questions

1. What is physical security? What are the primary threats to physical security? How
are they manifested in attacks against the organization?
Physical security addresses the design, implementation, and maintenance of
countermeasures that protect the physical resources of an organization. This means the
physical protection of the people, hardware, and the supporting system elements and
resources associated with the management of information in all its states: transmission,
storage, and processing.
The primary threats to physical security include the following: inadvertent acts (potential
acts of human error or failure, potential deviations in quality of service by service
providers, and power irregularities); deliberate acts (acts of espionage or trespass, acts of
information extortion, acts of sabotage or vandalism, acts of theft, software attacks, and
compromises to intellectual property); acts of God (forces of nature); technical failures
(technical hardware failures or errors and technical software failures or errors); and
management failures (technical obsolescence).
In the physical environment a potential act of human error or failure can be represented
by an employee accidentally spilling coffee on his or her laptop computer. A compromise
to intellectual property can include an employee without an appropriate security
clearance copying a classified marketing plan. A deliberate act of espionage or trespass
could be exemplified by a competitor sneaking into a facility with a camera. Deliberate
acts of sabotage or vandalism can be physical attacks on individuals or property with the
intent to sabotage or deface; deliberate acts of theft are perhaps the most common of
these threats. Examples include employees stealing computer equipment, credentials,
passwords, and laptops. Acts of God include lightning hitting a building and causing a
fire. Quality of service deviations from service providers, especially power and water,
also represent physical security threats. Technical hardware failures or errors and
technological obsolescence both have common examples in physical security.
2. What are the roles of IT, security, and general management with regard to physical
security?
Physical security is designed and implemented in several layers. Each community of
interest in the organization is responsible for components within these layers.
 General management: Responsible for the security of the facility in which the
organization is housed and the policies and standards for secure operation. This
includes exterior security, building access, as well as other controls.
 IT management and professionals: Responsible for environmental and access
security in technology equipment locations and for the policies and standards of
secure equipment operation. This includes access to server rooms, server room
temperature and humidity controls.
 Information security management and professionals: Perform risk assessments
and implementation reviews for the physical security controls implemented by the
other two groups.
3. How does physical access control differ from logical access control described in
earlier chapters? How is it similar?
Physical access control refers to the countermeasures aimed at protecting the physical
resources of an organization (people, hardware, supporting system elements, and
resources associated with the management of information in all its states).
Logical access control refers to the countermeasures aimed at protecting the critical
information that a potential attacker could steal without physically accessing the
devices that store it. Logical access controls are mainly technology-based controls
(firewalls, intrusion detection systems, and monitoring software).
Logical access control is similar to physical access control in that both kinds of controls
share the same final objective: the protection of an organization's vital resources.
4. Define a secure facility. What is the primary objective of designing such a facility?
What are some of the secondary objectives of the design of a secure facility?
A secure facility is a physical location that has been engineered with controls designed to
minimize the risk of attacks from physical threats.
The primary objective of designing such a facility is to ensure physical security in that
facility in order to protect the physical resources of the organization.
Through the physical security policies, users of information assets can be directed in the
appropriate use of computing resources and information assets, as well as the protection
of their own personal safety in day-to-day operations.
5. Why are guards considered the most effective form of control for situations that
require decisive action in the face of unfamiliar stimuli? Why are they usually the most
expensive controls to deploy? When should dogs be used for physical security?
Guards are the only control discussed in which human intellect is available to be applied
to the problems being faced. The direct and indirect expense of staffing the role is the
highest among the control options discussed. Dogs are useful when keen senses are
needed within a controlled setting.
6. List and describe the four categories of locks. In which situation is each type of lock
preferred?
Manual Locks – installed in doors and cannot be changed except by locksmiths. Mostly
used when securing a single door.
Programmable Locks – more sophisticated than manual locks, with the ability to reset the
access method. Used when securing computer rooms or wiring closets.
Electronic Locks – can be integrated into alarm systems and other building management
systems. This type of lock is used to secure computer rooms or communications rooms.
Biometric Locks – use fingerprints, voice recognition, palm prints, etc., to identify and
authorize a person entering a secured area. These locks are often used in highly secured
areas.
As each lock mechanism gets more sophisticated, it requires greater input from the user
and gives more control to the entity providing the security.
7. What are the two possible modes that locks use when they fail? What implications
does this have for human safety? In which situation is each preferred?
Fail-safe and fail-secure. Fail-secure locks cannot be opened in the event of a failure, so
human safety could be compromised in a life-safety emergency.
Whenever humans can be trapped inside, fail-safe locks are required.
8. What is a mantrap? When should it be used?
A mantrap is a small enclosure that has an entry point and a different exit point. The
person entering the mantrap then continues on to another entrance that is usually
protected by some other form of electronic or biometric lock and key. If verification
succeeds, the person is able to enter the secure area; if not, the person cannot exit the
mantrap until authorities arrive.
A mantrap should be used when protecting an area that needs high security.
9. What is the most common form of alarm? What does it detect? What types of
sensors are commonly used in this type of alarm system?
The most common form of alarm is the burglar alarm. Burglar alarms detect an intrusion.
The types of sensors they use are motion, glass breakage, weight and contact sensors.
10. Describe a physical firewall that is used in buildings. List the reasons you can think
of for why an organization might need a firewall for physical security controls.
A firewall is an interior wall constructed of non-combustible materials that extends to the
ceiling height to prevent the spread of fire. Computer rooms and wiring closets should be
compartmentalized between firewalls to prevent fire damage and intrusion. Firewalls
help to prevent intrusion because they block the plenum space that ordinary walls leave
open.
11. What is considered the most serious threat within the realm of physical security?
Why is it valid to consider this threat the most serious?
Fire. More losses come from this threat than all others combined.
12. What three elements must be present for a fire to ignite and continue to burn? How
do fire suppression systems manipulate the three elements to quell fires?
Temperature (an ignition source), oxygen, and fuel.
They deprive the environment of one of the elements, either oxygen or fuel, or reduce
the temperature.
13. List and describe the three fire detection technologies covered in the chapter. Which
is the most commonly used?
a. Thermal detection systems contain a sophisticated heat sensor and operate in one
of two ways. The first is fixed temperature, where the sensor detects when the
ambient temperature in an area reaches a predetermined level (135-165 degrees
Fahrenheit or 57-74 degrees Centigrade). The second is rate of rise, where the
sensor detects an unusually rapid increase in the area temperature within a short
period of time.
b. Smoke detection systems are the most common means of detecting a potentially
dangerous fire, and they are required by building codes in most residential
dwellings and commercial buildings. They use photoelectric sensors, which project
and detect an infrared beam across an area; ionization sensors, which contain a
small amount of a harmless radioactive material within a detection chamber; and
air-aspirating detectors, which are used in high-sensitivity areas.
c. A flame detector is a sensor that detects the infrared or ultraviolet light produced
by an open flame.
The most commonly used today is the smoke detector.
14. List and describe the four classes of fire described in the text. Does the class of the
fire dictate how to control the fire?
Class A – Fires that involve ordinary combustible fuels such as wood, paper, textiles,
rubber, cloth, and trash. Class A fires are extinguished by agents that interrupt the ability
of the fuel to be ignited. Water and multipurpose dry chemical fire extinguishers are ideal
for these types of fires.
Class B – Fires fueled by combustible liquids or gases, such as solvents, gasoline, paint,
lacquer, and oil. Class B fires are extinguished by agents that remove oxygen from the
fire. Carbon dioxide, multipurpose dry chemical fire extinguishers, and halon fire
extinguishers are ideal for these types of fires.
Class C – Fires with energized electrical equipment or appliances. Class C fires are
extinguished with agents that must be non-conducting. Carbon dioxide, multipurpose dry
chemical fire extinguishers, and halon fire extinguishers are ideal for these types of fires.
Class D – Fires fueled by combustible metals, such as magnesium, lithium, and sodium.
Fires of this type require special extinguishing agents and techniques.

Note: students may research and report a new “Class K” designation for cooking oil fires.
15. What is Halon and why is its use restricted?
Halon is an effective gaseous fire suppression agent, introduced in the 1960s.
The problem with Halon is that it is an ozone-depleting substance. Under the Clean Air
Act (CAA), the United States banned the production and import of Halons 1211, 1301,
and 2402 beginning January 1, 1994, in compliance with the Montreal Protocol on
Substances that Deplete the Ozone Layer.

16. What is the relationship between HVAC and physical security? What four physical
characteristics of the indoor environment are controlled by a properly designed HVAC
system? What are the optimal temperature and humidity ranges for computing systems?
HVAC is a concern for physical security because of several reasons. The first is
temperature. Temperature must be controlled because electronic equipment is subject to
damage caused by extreme temperatures or rapid changes in temperature. Humidity and
static can also cause damage to electronic equipment. Ventilation shafts should be
properly built and maintained in order to prevent a person from climbing through the
shafts to gain access to secure rooms that contain computers or data.
The four physical characteristics of the indoor environment that are controlled by a
properly designed HVAC are temperature, humidity, static and filtration.
The optimal temperature range for computing systems is between 70 and 74 degrees
Fahrenheit and the optimal level of humidity level is between 40 and 60 percent.
17. List and describe the four primary types of UPS systems. Which is the most effective
and the most expensive and why?
A UPS (uninterruptible power supply) is a backup power source for major computer
systems. Four basic configurations of UPS are: (1) a standby or offline UPS, which is an
offline battery backup that detects the interruption of power to the power equipment; (2) a
ferroresonant standby UPS, which is also an offline UPS that provides power through
electrical service and uses the UPS as a battery backup; (3) the line-interactive UPS,
which also uses a battery backup as its source of power but generates power through
inverters and converters inside the unit; and (4) the true online UPS, which works in
the opposite fashion to a standby UPS, since the primary power source is the battery. The
last type of UPS (the true online UPS) is the most expensive and the most effective
because it provides a constant feed to the system while completely eliminating power
problems. Power failure does not affect the computer system as long as the batteries hold
out.
18. What two critical factors are impacted when water is not available in a facility?
Why are these factors important to the operation of the organization’s information assets?
Fire-safety and air conditioning. If fire safety systems are not in place, no humans can
occupy the building (under most fire codes). A/C is needed for continued operation of
most computer equipment.
19. List and describe the three fundamental ways that data can be intercepted. How
does a physical security program protect against each of these data interception methods?
Three methods of data interception are (1) direct observation, which requires close
enough distance between an individual and the information to breach confidentiality; (2)
interception of data transmission, which can be done in several ways such as through
sniffer software or tapping into a LAN; and (3) electromagnetic interception, which
occurs when an individual eavesdrops on electromagnetic signals that move through
cables. Data interception is considered part of physical security because it addresses the
design, implementation, and maintenance of countermeasures that protect data, one of the
critical components of the computer system.

20. What can you do to reduce the risk of laptop theft?
 Use passwords
 Physical security
 Alarms
 Trace software
 User training

Exercises
1. Assume that your organization is planning to have a server room that functions
without human beings—in other words, the functions are automated (such a room is often
called a lights-out server room). Describe the fire control system(s) you would install in that
room.
An automatic fire detection system would certainly be the best choice for a lights-out
server room in the data center, where no human beings are physically present.
As for the type of fire detection system, I would probably opt for a very sophisticated
system like the air-aspirating detector system, since the server room is certainly a highly
sensitive area where critical devices are stored. This system works by taking in air,
filtering it, and moving it through a chamber containing a laser beam. If the laser beam is
diverted or refracted by smoke particles, the system is activated.
Another key element I would consider is the type of fire suppressor to adopt. In this kind
of decision, it is very important to consider the type of fire that has to be combated. Class
C includes fires with energized electrical equipment or appliances, that is, fires that are
extinguished with agents that must be nonconducting. Since this is the type of fire that
would affect a server room, the attention must be focused on a gaseous emission
system, and in particular on a system that uses a clean chemical agent (as Halon was
before it was prohibited in commercial and residential locations). Clean agents are those
that don't leave any residue when dry and don't interfere with the operation of electrical
or electronic equipment. Alternative clean agents (even if they are reported to be less
effective than Halon) are FM-200, Inergen, carbon dioxide, and FE-13 (one of the
newest and safest clean agent variations of the most commonly used clean agents).
2. Assume you have converted part of a former area of general office space into a
server room. Describe the factors you would consider for each of the following topics:
Walls and doors
Access control
Fire detection
Fire suppression
Heating, ventilating, and air conditioning
Power quality and distribution

ANSWER:
a. Walls and doors
The construction of a facility's walls and doors can itself compromise the security of
information assets. In high-security areas such as a server room, firewalls (fire-rated
walls) and doors with mechanical or electromechanical locks should be used.

_____________________________________________________________________________________________
Page: 76
______________________________________________________________________________

b. Access control
For physical security, a secure facility is an ideal location that has been engineered
with a number of controls designed to minimize the risk of attacks from physical
threats. An organization should consider using as many security controls as possible
in order to secure a server room. Typical physical security controls include:
 Walls, fencing, and gates: Deter unauthorized access to the facility
 Guards: Evaluate each situation as it arises and make reasoned responses
 Dogs: Detect intrusions that human guards can’t
 ID cards and badges: Authenticate an authorized individual with access to the
facility
 Locks and keys: Prevent an intruder from gaining access to the secured location
 Mantraps: Deny unauthorized entry and trap an intruder in a small enclosure
 Electronic monitoring: Record events within a specific area that guards and
dogs might miss, or record events in areas where other types of physical
controls are not practical
 Alarms and alarm systems: Notify the appropriate individual when a
predetermined event or activity occurs
 Computer rooms and wiring closets: Prevent unauthorized individuals from
gaining access to equipment and information
 Interior walls and doors: Provide physical security not only from potential
intruders but also from fire
c. Fire detection
Either manual or automatic fire detection systems need to be installed. Manual fire
detection systems include human responses, such as calling the fire department, as
well as manually activated alarms, such as sprinklers and gaseous systems. Automatic
detection systems include thermal detection systems, smoke detection systems, and
flame detectors. An organization should choose among these fire detection systems
according to its budget.

d. Fire suppression
There are a variety of fire suppression systems commonly used in many organizations
including portable, manual, and automatic apparatus. One or more fire suppression
systems should be prepared in case of emergency.

e. Heating, ventilating, and air conditioning
Since the operation of the heating, ventilation, and air conditioning (HVAC) system
can have a dramatic impact on information systems operations and protection, four
areas (temperature, filtration, humidity, and static electricity) within the HVAC system
should be properly managed.
f. Power quality and distribution
The most critical factor for power systems used by information-processing equipment
is that the power infrastructure be properly installed and correctly grounded. In case
of a power outage, an uninterruptible power supply (UPS) serves as a backup power source
for major computer systems. Grounding ensures that the returning flow of current is
properly discharged to the ground.
Another important aspect of power management is the need to be able to stop power
immediately. A server room should be equipped with an emergency power shutoff,
which is usually a large red button, prominently placed to facilitate access, with an
accident-proof cover to prevent unintentional use.
3. Assume you have been asked to review the power needs for a standalone computer
system which processes important but noncritical data and does not have to be online at all
times, and which stores valuable data that could be corrupted if the power system were
suddenly interrupted. Which UPS features are most important to such a system? Which
type of UPS do you recommend for this system?
There are four basic configurations of UPS: the standby, ferroresonant standby, line-interactive,
and the true online. Factors to weigh among the various UPS systems include switch time, the
amount of electricity that the UPS supplies, and cost. Switch time refers to the amount of time it
takes for the UPS to activate a transfer switch. Also, the wattage needed to keep the equipment on
for a certain period of time should be precisely calculated to select a UPS that meets the
organization’s power supply needs. Finally, the more sophisticated the UPS becomes, the more
costly it becomes, so the best approach is to select the smallest UPS necessary to provide the
needed support. In this scenario, a ferroresonant standby UPS would be the best selection among
the available UPS configurations.
4. Using a floor plan from a building you are familiar with, design an electronic
monitoring plan that includes closed-circuit television, burglar alarms with appropriate
sensors, fire detectors, and suppression and access controls for key entrances.
Solution will be location and situation dependent.
5. Define the required wattage for a UPS for the following systems:
a. Monitor: 2 amps; CPU: 3 amps; printer: 3 amps
b. Monitor: 3 amps; CPU: 4 amps; printer: 3 amps
c. Monitor: 3 amps; CPU: 4 amps; printer: 4 amps
Assuming operation in the USA at the standard voltage of 120 volts at 60 Hz:
a. (2 * 120) + (3 * 120) + (3 * 120) = 960 Watts
b. (3 * 120) + (4 * 120) + (3 * 120) = 1,200 Watts
c. (3 * 120) + (4 * 120) + (4 * 120) = 1,320 Watts

Search the Web for a UPS that provides the wattage necessary to run the systems
above for at least 15 minutes during a power outage.
The specific products that students may find can be evaluated using the vendors' common
practice of rating a unit in VA hours. So a unit rated at 200 VA hours will support 800
watts for 15 minutes (1/4 hour). Using this process, the minimum VA hour ratings for UPS
units that meet the requirement are:
a. 240 VA hours
b. 300 VA hours
c. 330 VA hours

Principles of Information Security, 4th Edition


Chapter 10
Review Questions

1. What is a project plan? List what a project plan can accomplish.
A project plan is a concrete plan that is translated from an organization’s blueprint for
information security. The project plan delivers instructions to the individuals who are
executing the implementation phase. These instructions focus on the security control
changes needed to the hardware, software, procedures, data, and people that make up the
organization’s information systems. The project plan as a whole must describe how to
acquire and implement the needed security controls and create a setting in which those
controls achieve the desired outcomes.
The project plan allows the organization to clarify issues such as leadership, managerial,
technical, and budgetary considerations, plus organizational resistance to the change.
2. What is the value of a statement of vision and objectives? Why is it needed before a
project plan is developed?
A statement of vision and objectives states the mission of the information security
program and its objectives. This is important because it ensures that only the controls that
add value to the organization’s information security program are incorporated into the
project plan. If, however, such a statement has not been developed for the organization’s
security program, it is crucial that one be incorporated into the project plan.
3. What categories of constraints to project plan implementation are noted in the
chapter? Explain each of them.
The five categories of constraints to project plan implementation are Financial, Priority,
Time and Scheduling, Staffing, and Scope.
1. Financial constraints refer to the fact that the amount of effort that can be
expended on the information security project depends on the funds available.
2. Priority constraints relate to the fact that the prioritization of threats and the value
of the information asset that are threatened guide the implementation of controls.
3. Time constraints are very important to the development of the project plan. Since
"time waits for no one", it can impact a project plan at dozens of points in its
development (time to order and receive a security control due to backlogs of the
vendor, time to install and configure the control, time to train the users, etc.)
4. Staffing constraints relate to the fact that a lack of enough qualified, trained,
and available personnel constitutes a threat to the project plan implementation. If
no staff members are trained to deal with a newer technology, for example,
someone must be trained or hired who is experienced with that particular
technology.
5. Project scope constraints refer to the fact that it is unrealistic for an organization
to install all information security components at once. Handling many complex
tasks at one time is risky. Moreover, problems of interrelated conflicts between
the installation of information security controls and the daily operations of the
organization can arise. In addition, the installation of new information
security controls may conflict with existing controls.
4. List and describe the three major steps in executing the project plan.
Three major steps are planning the project, supervising tasks and action steps, and
wrapping up. Planning involves the creation of a detailed project plan. Creating a project
plan to implement the information security blueprint is often assigned to either a project
manager or the project champion. Supervising tasks and action steps means to designate a
suitable person from the information security community of interest to lead the
implementation. Project wrap-up is handled as a procedural task assigned to a mid-level
IT or information security manager. These managers collect documentation, finalize
status reports, and deliver a final report and a presentation at a wrap-up meeting.
5. What is a work breakdown structure (WBS)? Is it the only way to organize a project
plan?
The WBS is a planning tool that allows you to break the project plan into several major
tasks to be accomplished that are placed on the WBS task list. Each one of these major
tasks is then further divided into either smaller tasks or specific action steps.
The WBS is not the only way to organize a project plan. Other complex project planning
tools can be used in the creation of a project plan.
6. What is projectitis? How is it cured or its impact minimized?
This is when the project manager spends more time documenting project tasks, collecting
performance measurements, recording information, and updating information than they
spend on accomplishing meaningful project work.
This can be avoided by using simple tools to focus on organization and coordination.
7. List and define the common attributes of the tasks of a WBS.
The common attributes for each major task of a WBS are:
1. Work to be accomplished. It identifies the work to be accomplished and
encompasses both activities and deliverables.
2. Individuals (or skills set) assigned to perform the task. It describes the skill set or
individual person (resource) needed to accomplish the task.
3. Start and end dates for the task. It focuses on determining only completion dates
for major milestones within the project.
4. Amount of effort required for completion in hours or workdays. Planners need to
estimate the effort required to complete each task, subtask, or action step.
5. Estimated capital expenses for the task. Planners need also to estimate the
expected capital expenses for the completion of the task, subtask, or action item
(the purchase of a firewall device for example).
6. Estimated noncapital expenses for the task. In addition to the estimation of the
capital expenses for the task, planners need to estimate the expected noncapital
expenses for the task, subtask, or action item (a recovery charge for staff time for
some organizations, for example, or contract or consulting time for others).
7. Identification of task interdependencies. Planners should note wherever possible
the dependencies of other tasks or action steps on the task or action step at hand.
The tasks or action steps that come before the specific task at hand are called
predecessors. Those tasks or action steps that come after the task at hand are
called successors.
8. How does a planner know when a task has been subdivided to an adequate degree
and can be classified as an action step?
When the task can be completed by one individual or skill set and when it includes a
single deliverable.
9. What is a deliverable? Name two uses for deliverables.
A deliverable is a completed document or program module that can serve either as the
beginning point for a later task or become an element in the finished project.
If the task of a WBS is "Configure Firewall", the deliverable could be an implementation
document that will be used by the network architect in charge to configure the firewall.
If the task of the same WBS is "Perform Penetration Test", the deliverable could be a
report that describes and documents the procedures and results of test performed by the
penetration test team.
10. What is a resource? What are the two types?
A resource is what is needed to accomplish a task in the project plan. The two types are
a skill set and an individual person within the organization.
11. Why is it a good practice to delay naming specific individuals as resources early in
the planning process?
Because the project manager should first meet with the people he or she thinks have the
right skills to accomplish the specific project tasks, in order to verify their availability
to work on the project during the scheduled dates.
12. What is a milestone and why is it significant to project planning?
A milestone is a specific point in the project plan when a task and its action steps are
complete and have a noticeable impact on the progress of the project plan as a whole.
For example, the date for sending the final RFP to vendors is considered a milestone
because it signals all RFP preparation is complete.
13. Why is it good practice to assign start and end dates sparingly in the early stages of
project planning?
It is a good idea to use starting and ending dates sparingly in the early stages of a project
because it can not only cause resistance by the team, but can also result in an increase in
projectitis. The planner should start with completion dates for only the major milestones.
14. Who is the best judge of effort estimates for project tasks and action steps? Why?
It is always good practice to ask the individuals who are most familiar with the work or
familiar with similar types of work to make the estimates. Then, all individuals assigned
to action steps should review the estimated effort hours, understand the tasks, and agree
with the estimates.
15. Within project management, what is a dependency? What is a predecessor? What is
a successor?
A dependency is a relationship between a task or action step where one is dependent on
the completion of the other for the task to begin.
A predecessor is a task or action step that precedes the one at hand.
A successor is a task or action step that comes after the one at hand.
16. What is a negative feedback loop? How is it used to keep a project in control?
It is a process to manage a project to completion. The measured results are compared to
the expected results. When a significant deviation occurs, corrective action is taken to
bring the task that is deviating from plan back into compliance with the projection, or else
the estimate is revised in light of the new information.
17. When a task is not meeting the plan, what two circumstances are likely to be
involved?
The two likely circumstances involved when a task is not meeting the plan are that the
estimate for the task was flawed or that performance of the task has lagged. Corrective
action needs to be taken in either case.
18. List and describe the four basic conversion strategies (as described in the chapter)
that are used when converting to a new system. Under which circumstances is each of these
the best approach?
Direct changeover: Also known as going “cold turkey,” a direct changeover involves
stopping the old method and beginning the new. This could be as simple as having
employees follow the existing procedure one week, and then use a new procedure the
next. Some cases of direct changeover are simple, such as a change that involves
requiring employees to use a new password (which uses a stronger degree of
authentication) beginning on an announced date; some may be more complex, such as
requiring the entire company to change procedures when the network team disables an
old firewall and activates a new one. The primary drawback to the direct changeover
approach is that if the new system fails or needs modification, users may be without
services while the system’s bugs are worked out. Complete testing of the new system in
advance of the direct changeover helps to reduce the probability of these problems.
Phased implementation: A phased implementation is the most common conversion
strategy and involves rolling out a piece of the system across the entire organization. This
could mean that the security group implements only a small portion of the new security
profile, giving users a chance to get used to it and resolving small issues as they arise.
This is usually the best approach to security project implementation. For example, if a
new VPN solution that employees can use to connect to the organization’s network while
they’re traveling is to be introduced, then each week one department might be added to
the group allowed to use the new VPN, and this process would continue until all
departments are using the new approach.
Pilot implementation: The pilot implementation involves implementing all security
improvements in a single office, department, or division, and resolving issues within that
group before expanding to the rest of the organization. The pilot implementation works
well when an isolated group can serve as the “guinea pig,” which keeps the
implementation from dramatically impacting the performance of the organization as a
whole. The operation of a research and development group, for example, may not impact
the real-time operations of the organization and could assist security in resolving issues
that emerge.
Parallel operations: The parallel operations strategy involves running the new methods
alongside the old methods. In general, this means running two systems concurrently, and
in terms of information systems, it might involve, for example, running two firewalls
concurrently. Although this approach is usually a complex operation, it can be one that
reinforces an organization’s information security by allowing the old system(s) to serve
as backup for the new systems if they fail or are compromised. Drawbacks usually
include the need to deal with both systems and maintain both sets of procedures.
19. What is technology governance? What is change control? How are they related?
Technology governance is a complex process that an organization uses to manage the
impacts and costs caused by technology implementation, innovation, and obsolescence.
This matter deals with how frequently technical systems are updated, and how technical
updates are approved and funded. Technology governance also facilitates the
communication about technical advances and issues across the organization.
Medium or large organizations deal with the impact of technical change on the operation
of the organization through a change control process. By managing the process of change
the organization can:
 Improve communication about change across the organization
 Enhance coordination between groups within the organization as change is
scheduled and completed
 Reduce unintended consequences by having a process to resolve potential conflict
and disruption that uncoordinated change can introduce
 Improve quality of service as potential failures are eliminated and groups work
together
 Assure management that all groups are complying with the organization’s policies
regarding technology governance, procurement, accounting, and information
security
20. What are certification and accreditation when applied to information systems
security management? List and describe at least two certification or accreditation
processes.
In security management, accreditation authorizes an IT system to process, store, or
transmit information. It is issued by a management official and serves as a means of
assuring that systems are of adequate quality. It also challenges managers and technical
staff to find the best methods to assure security, given technical constraints, operational
constraints, and mission requirements.
In the same vein, certification is defined as “the comprehensive evaluation of the
technical and nontechnical security controls of an IT system to support the accreditation
process that establishes the extent to which a particular design and implementation meets
a set of specified security requirements.” Organizations pursue accreditation or
certification to gain a competitive advantage, or to provide assurance or confidence to
their customers. Accreditation demonstrates that management has identified an acceptable
risk level and provided resources to control unacceptable risk levels.
Two C&A processes are SP 800-37: Guidelines for the Security Certification and
Accreditation of Federal Information Technology Systems, and CNSS Instruction-1000:
National Information Assurance Certification and Accreditation Process (NIACAP).

Exercises
1. Create a first draft of a WBS from the scenario below. Make assumptions as needed
based on the section about project planning considerations and constraints in the chapter.
In your WBS, describe the skill sets required for the tasks you have planned.
Scenario
Sequential Label and Supply is having a problem with employees surfing the Web to access
material the company has deemed inappropriate for use in a professional environment. The
technology exists to insert a filtering device in the company Internet connection that blocks
certain Web locations and certain Web content. The vendor has provided you with some
initial information about the filter. The hardware is an appliance that costs $18,000 and
requires a total of 150 effort-hours to install and configure. Technical support on the
appliance costs 18 percent of the purchase price and includes a training allowance for the
year. A software component is needed for administering the appliance that runs on the
administrator’s desktop computer and it costs $550. A monthly subscription provides the
list of sites to be blocked and costs $250 per month. The administrator must spend an
estimated four hours per week for ongoing administrative functions.
Items you should consider:
Your plan requires two sections, one for deployment and another for ongoing operation
after implementation.
The vendor offers a contracting service for installation at $140 per hour.
Your change control process requires a 17-day lead time for change requests.
The manufacturer has a 14-day order time and a 7-day delivery time for this device.
Implementation WBS

Item | Task | Resources | Start & End Dates | Effort Hours | Capital Exp. | Non-Capital Expense | Dep.
-----|------|-----------|-------------------|--------------|--------------|---------------------|-----
1 | Contact network team to ensure hardware device will work with network infrastructure | Network engineers | S: 11/25, E: 11/27 | 2 | $0 | $100 |
2 | Purchase Web filter | Network engineer & purchasing group | S: 11/28, E: 12/19 | 1 | $18,000 | $0 | 1
3 | Purchase technical support contract | Purchasing group | S: 11/28, E: 12/19 | 1 | $3,240 | $0 | 1
4 | Purchase additional software components | Purchasing group | S: 11/28, E: 12/19 | 1 | $800 | $0 | 1
5 | Submit change request to implement hardware | Change control board | S: 12/19, E: 01/06 | 1 | $0 | $0 | 2
6 | Send administrator to training on device | Training center and administrator | S: 01/06, E: 01/10 | 40 | $0 | $0 | 3
7 | Install hardware and software components | Outside vendors | S: 01/06, E: 01/20 | 150 | $0 | $21,000 | 2, 4

Ongoing Support

Item | Task | Resources | Start & End Dates | Effort Hours | Capital Exp. | Non-Capital Expense | Dep.
-----|------|-----------|-------------------|--------------|--------------|---------------------|-----
1 | Ongoing administration of device | Administrator | Ongoing | 4/week | $0 | $0 |
2 | Monthly subscription | Administrator/purchasing group | Ongoing | | 250/month | $0 |
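The Implementation WBS above in executable form, as an added example that is not part of the solutions manual or the textbook: a small Python model of the Sequential Label and Supply deployment plan that dates each task from its predecessors (the dependencies of review question 15), rejects dependency cycles, and rolls up capital and non-capital expense. Task durations, the 2013-11-25 kickoff date, the use of the scenario's $550 software figure, and the install task's dependency on change-control approval (task 5) are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

APPLIANCE_PRICE = 18_000        # scenario figures: hardware appliance
SUPPORT_RATE = 0.18             # support contract as a fraction of purchase price
ADMIN_SOFTWARE_PRICE = 550      # administration software for the admin desktop
CONTRACT_RATE_PER_HOUR = 140    # vendor installation service
INSTALL_EFFORT_HOURS = 150
CHANGE_CONTROL_LEAD_DAYS = 17
ORDER_DAYS, DELIVERY_DAYS = 14, 7
KICKOFF = date(2013, 11, 25)    # constructed; matches item 1's 11/25 start above


@dataclass
class Task:
    """One WBS row carrying the attributes listed in review question 7."""
    item: int
    name: str
    resources: str              # a skill set or role, not a named person (Q11)
    duration_days: int          # calendar days the task occupies
    effort_hours: float
    capital: float = 0.0
    noncapital: float = 0.0
    predecessors: List[int] = field(default_factory=list)
    start: Optional[date] = None
    end: Optional[date] = None


def build_wbs() -> List[Task]:
    """Deployment section of the WBS. Durations, and the install's dependency on
    change-control approval (task 5), are assumptions rather than scenario data."""
    buy = ORDER_DAYS + DELIVERY_DAYS
    return [
        Task(1, "Confirm appliance works with network infrastructure",
             "Network engineers", 2, 2, noncapital=100),
        Task(2, "Purchase Web filter appliance", "Network engineer & purchasing",
             buy, 1, capital=APPLIANCE_PRICE, predecessors=[1]),
        Task(3, "Purchase technical support contract", "Purchasing", buy, 1,
             capital=round(APPLIANCE_PRICE * SUPPORT_RATE, 2), predecessors=[1]),
        Task(4, "Purchase administration software", "Purchasing",
             buy, 1, capital=ADMIN_SOFTWARE_PRICE, predecessors=[1]),
        Task(5, "Submit change request to implement hardware",
             "Change control board", CHANGE_CONTROL_LEAD_DAYS, 1, predecessors=[2]),
        Task(6, "Send administrator to vendor training",
             "Training center & administrator", 4, 40, predecessors=[3]),
        Task(7, "Install hardware and software components", "Outside vendor",
             14, INSTALL_EFFORT_HOURS,
             noncapital=INSTALL_EFFORT_HOURS * CONTRACT_RATE_PER_HOUR,
             predecessors=[2, 4, 5]),
    ]


def schedule(tasks: List[Task], kickoff: date) -> Dict[int, Task]:
    """Date each task from the dependency graph: it starts the day after its
    last predecessor ends (or at kickoff) and ends duration_days later.
    Raises ValueError on an unknown predecessor or a dependency cycle."""
    by_item = {t.item: t for t in tasks}
    state: Dict[int, str] = {}

    def visit(item: int) -> Task:
        task = by_item.get(item)
        if task is None:
            raise ValueError(f"unknown predecessor: task {item}")
        if state.get(item) == "done":
            return task
        if state.get(item) == "active":
            raise ValueError(f"dependency cycle through task {item}")
        state[item] = "active"
        pred_ends = [visit(p).end for p in task.predecessors]
        task.start = max(pred_ends) + timedelta(days=1) if pred_ends else kickoff
        task.end = task.start + timedelta(days=task.duration_days)
        state[item] = "done"
        return task

    for t in tasks:
        visit(t.item)
    return by_item


def planned_schedule() -> Dict[int, Task]:
    """The deployment WBS dated from the constructed kickoff."""
    return schedule(build_wbs(), KICKOFF)


def roll_up(tasks: List[Task]) -> dict:
    """Totals the project manager reports at wrap-up (Q4)."""
    return {"capital": sum(t.capital for t in tasks),
            "noncapital": sum(t.noncapital for t in tasks),
            "effort_hours": sum(t.effort_hours for t in tasks),
            "finish": max(t.end for t in tasks)}


if __name__ == "__main__":
    plan = planned_schedule()
    for t in plan.values():
        print(f"{t.item} {t.name:<48} {t.start} -> {t.end} deps={t.predecessors}")
```

With the day-after-predecessor convention, items 1 through 5 land on the same dates as the table; the install finishes on 01/21 because it waits for the change request to clear.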

2. If you have access to a commercial project management software package
(Microsoft Project for example), use it to complete a project plan based on the data shown
in Table 10-2. Prepare a simple WBS report (or Gantt chart) showing your work.

3. Write a job description for Kelvin Urich, the project manager described in the
opening vignette of this chapter. Be sure to identify key characteristics of the ideal
candidate as well as work experience and educational background. Also, justify why your
job description is suitable for potential candidates of this position.
This job description is suitable for potential candidates of this position because it
describes all aspects that should be thought of when soliciting a new employee for a
position in your organization. For example, this candidate should be able to
communicate with others in the organization before drafting a project together.

Position: Project Manager
Company: Sequential Label and Supply Company
Location: Kennesaw, GA
Required Education: 4-Year Degree or Equivalent Work Experience

Under limited supervision, performs a variety of technical and/or educational duties in
support of Manufacturing Information Security Computing product launches. Provides
the highest level of technical expertise. Responsible for the development and execution
of implementation methodology from product envisioning through stabilization.
Responsible for training other team members on stabilized products. Participates in all
stages/phases of the Development Process Model, including envisioning, planning,
developing, implementing, and stabilizing. Trains and supports team members in the use
of information security software products and/or various technical support and
development processes. Troubleshoots information security software and interface issues,
identifies problems, develops constructive solutions, and recommends specific actions.
Documents support issues for transition to the support team. Mentors the support team on
new products. Serves as a key internal and external contact/liaison for the Manufacture
Computing Services and Support group.

Position requires 3+ years systems integration experience. Working knowledge of UNIX
and NT. Working knowledge of Information Security guidelines, Oracle and SQL Server
preferred. Proven track record of Project Management and Implementation Service.
Strong interpersonal and written communication skills a must. Strong attendance record
a must. Bachelor’s degree or equivalent required.

Project management requires a unique set of skills and a thorough understanding of a
broad body of specialized knowledge. Must have experience in project management
techniques, and be able to oversee the project. Position requires a four-year college
degree in a related field, and two years of work experience as a project manager.
These job requirements are suitable for a potential job candidate. Without experience, it
is virtually impossible to manage a team; therefore the candidate should possess a
minimum of two years of work experience.
4. Search the World Wide Web for job descriptions of project managers. You can use
any number of Web sites including www.monster.com or www.dice.com to find at least ten
IT-related job descriptions. What common elements do you find among the job
descriptions? What is the most unusual characteristic among the job descriptions?
Sites: Hotjob.com, careerjournal.com, dice.com, monster.com
- Good communication skills
- Experience in development
- Knowledgeable about project management tools and methodologies at
various levels
- Excellent leadership skills

- Programming knowledge
- Data Modeling,Data mining,Data Migration
- PMP certification
- Color management and graphic arts experience is a PLUS
The most unusual characteristic seen was one job requirement seeking experience with Lux
software.

Principles of Information Security, 4th Edition

Chapter 11
Review Questions

1. Who in an organization should decide where in the organizational structure the
information security function should be located? Why?
There is not a specific department or individual that decides where the information
security function should go. It is the entire organization (the different communities of
interest) that has to find a rational compromise by placing the information security
function where it can best balance the needs of enforcement of organization policy with
the education, training, awareness, and customer service needed to make information
security part of the organizational culture.
2. List and describe the options available for the location of the information security
functions within the organization. Discuss the advantages and disadvantages of each
option.
The security function can be placed within the:
1. IT function – as a peer of other functions such as networks, applications
development, and the help desk.
2. Physical security function – as a peer of physical security or protective services.
3. Administration services function – as a peer of human resources or purchasing.
4. Insurance and risk management function – because a compromise of security can
pose great risk to the company.
5. Legal department – for enforcement of security policies.
- IT function, as a peer of other functions such as networks, applications
development, and the help desk.
Advantage: the IT function has a more technical view of how to protect the
infrastructure.
Disadvantage: the IT function is so technical and changes so rapidly that
non-technical peers may resist change, putting the implementation of security at risk.
- Physical security function, as a peer of protective services.
Advantage: physical controls such as surveillance, guard dogs, locks, alarms, fences, and
mantraps are a deterrent and serve one purpose: to keep intruders from accessing a
secured site or property. Damage to these devices is not a risk to human life.
Disadvantage: there is no human reasoning to distinguish the seriousness of a security
breach.
- Administrative services function, as a peer of human resources or purchasing.


Advantages: administrative services are designed to deliver services to a particular
individual or group and ensure certain functions are carried out. Human resources, on the
other hand, takes into account the policies of the entire organization, and the purchasing
department can ensure that costs are in line with the organization’s budget.
Disadvantages: administrative services lack technical expertise. Human resources is more
involved with procedural aspects pertaining to people, and the purchasing department does
not understand the reasoning for a purchase beyond the cost factor.
- Insurance and risk management function.
Advantage: insurance accepts the risk as long as you pay for the service, which must be
spelled out in detail so that it is clear what is covered. A risk management function within
the organization, on the other hand, will need to do a detailed analysis of the risk involved
and weigh it against cost and any effect of downtime within the organization if security is
breached.
Disadvantage: for insurance, the cost to the organization; for risk management, the
possibility that something is overlooked while researching security vulnerabilities.
3. For each of the major types of information security job titles covered in the chapter,
list and describe the criteria used for selection.
Chief Information Security Officer (CISO or CSO)
The most common qualification for this type of position is the Certified Information
Systems Security Professional (CISSP) accreditation. A graduate degree is also often
required, although it may be from a number of possible disciplines, including information
systems, computer science, another information technology field, criminal justice,
military science, business, or other fields related to the broader topic of security. To
qualify for this position, the candidate must demonstrate experience as a security
manager, and present experience with planning, policy, and budgets. Some organizations
prefer to hire individuals with law enforcement experience.
Security Manager
It is not uncommon for a candidate for this position to have a CISSP. Traditionally,
managers earn the CISSP or CISM, and technical professionals earn the Global
Information Assurance Certification (GIAC). Security managers must have the ability to
draft middle- and lower-level policies as well as standards and guidelines. They must
have experience in traditional business matters: budgeting, project management, hiring,
and firing. They must also be able to manage technicians, both in the assignment of tasks
and the monitoring of activities. Experience with business continuity planning is usually
a plus.


Security Technician
The technical qualifications and position requirements for a security technician vary.
Organizations prefer the expert, certified, proficient technician. Regardless of the area,
the particular job description covers some level of experience with a particular hardware
and software package. Sometimes familiarity with a technology secures an applicant an
interview; however, actual experience in using the technology is usually required.
4. What are some of the factors that influence an organization’s information security
hiring decisions?
When hiring information security professionals, organizations frequently look for
individuals who understand:
- How an organization operates at all levels
- That information security is usually a management problem and is seldom an
exclusively technical problem
- People, and have strong communications and writing skills
- The roles of policy and of education and training
- The threats and attacks facing an organization
- How to protect the organization from attacks
- How business solutions can be applied to solve specific information security
problems
- Many of the most common mainstream IT technologies, as generalists
- The terminology of IT and information security
Each candidate for the position must bring a wide range of knowledge to the
organization’s security sector.
1. Definers – develop the product and technical architectures and do consulting and
risk assessment.
2. Builders – create and install security solutions.
3. Administrators – operate and administer the security tools and the security
monitoring and try to continuously improve processes.
5. What general attributes do organizations seek in a candidate when hiring
information security professionals across all positions? Prioritize the list and justify your
ranking.
Many organizations look for a technically qualified information security generalist, with
a solid understanding of how an organization operates. When hiring information security
professionals, organizations will look for the following attributes in the order of
importance.
Organizations will seek an individual who understands:
- How to protect the organization from information security attacks


- The terminology of IT and information security; this is the basis for the subsequent
knowledge and skill needed for the specific positions.
- The threats facing an organization and how these threats can become attacks
- Most mainstream IT technologies (not necessarily as experts, but as generalists)
- How an organization operates at all levels
- That information security is usually a management problem and is seldom an
exclusively technical problem
- How to work with people and collaborate with end users, and have strong
communications and writing skills
- The role of policy in guiding security efforts, and the role of education and
training in making the user part of the solution rather than part of the problem
- How business solutions (including technology-based solutions) can be applied to
solve specific information security problems
6. What are the critical considerations when dismissing an employee? Do these change
based on whether the departure is friendly or hostile or according to which position the
employee is departing from?
When an employee prepares to leave an organization, the following tasks must be
performed:
- Access to the organization’s systems must be disabled
- Removable media must be returned
- Hard drives must be secured
- File cabinet locks must be changed
- Office door lock must be changed
- Keycard access must be revoked
- Personal effects must be removed from the organization’s premises
In reality, most employees are allowed to clean out their own offices and collect their
personal belongings, and are simply asked to return their keys. From a security standpoint,
these procedures would be considered risky and lax, for they expose the organization’s
information to disclosure and theft. To minimize such risks, an organization should
ideally have security-minded termination procedures that are followed consistently—in
other words, followed regardless of what level of trust the organization had placed in the
employee and whatever level of cordiality is generally maintained in the office
environment. But this kind of universally consistent approach is a difficult and awkward
practice to implement (which is why it is not often applied). Given the realities of
workplaces, the simplest and best method for handling the out-processing of an employee
may be to select, based on the employee’s reasons for leaving, one of the scenarios that
follow.


Hostile departures (non-voluntary) include termination, downsizing, lay off, or quitting.
Before the employee knows he is leaving, security terminates all logical and keycard
access. As soon as the employee reports for work, he is escorted into his supervisor’s
office for the bad news. Upon receiving the termination notice, he is escorted to his
office, cubicle, or personal area and allowed to collect personal effects. No organizational
property is allowed to be taken from the premises, including diskettes, pens, papers, and
books. After the personal property has been gathered, the employee is asked to
surrender all keys, keycards, and other organizational identification and access devices,
PDAs, pagers, cell phones, and all remaining company property. He is then escorted
out of the building.
Friendly departures (voluntary) include retirement, promotion, or relocation. In this case,
the employee may have tendered notice well in advance of the actual departure date.
Employee accounts are usually allowed to continue with a new expiration date.
Employees come and go at will and usually collect their own belongings and leave under
their own cognizance. They are asked to drop off all organizational property "on their
way out the door."
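The two departure scenarios above as an added example (not from the textbook), written as a small Python model: a hostile departure revokes every grant before notification, a friendly one sets an expiration date on each grant, and a residual-access audit shows whether any door was left open. The AccessGrant/Employee classes, the function names and the sample employees are assumptions.

```python
"""Out-processing model for hostile and friendly departures.

Added example, not from the textbook: the AccessGrant/Employee classes,
the function names and the residual-access audit are assumptions
constructed to illustrate the procedure.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

NOTIFY = "notify in supervisor's office"


@dataclass
class AccessGrant:
    kind: str                       # e.g. "account", "keycard", "vpn"
    active: bool = True
    expires: Optional[date] = None  # None means no expiration set


@dataclass
class Employee:
    name: str
    grants: List[AccessGrant] = field(default_factory=list)


def offboard(emp: Employee, departure: str, last_day: date) -> List[str]:
    """Apply the scenario to the employee's grants; return the ordered steps (audit trail)."""
    steps: List[str] = []
    if departure == "hostile":
        # Non-voluntary: security revokes logical and keycard access BEFORE the
        # employee is told; notification, collection and escort follow.
        for g in emp.grants:
            g.active = False
            steps.append(f"revoke {g.kind}")
        steps += [NOTIFY,
                  "escort to work area; collect personal effects only",
                  "surrender keys, keycards, ID, devices and other company property",
                  "escort out of building"]
    elif departure == "friendly":
        # Voluntary: accounts keep running but receive a new expiration date
        # (the departure date); property is dropped off on the way out.
        for g in emp.grants:
            g.expires = last_day
            steps.append(f"set {g.kind} expiration to {last_day.isoformat()}")
        steps.append("drop off organizational property on departure")
    else:
        raise ValueError(f"unknown departure type {departure!r}")
    return steps


def residual_access(emp: Employee, as_of: date) -> List[str]:
    """Audit check: kinds of access still usable on `as_of`.

    Empty after the last day means every door was closed; anything listed is
    the lax outcome the text warns about (e.g. a friendly leaver whose
    accounts were never given an expiration date).
    """
    return [g.kind for g in emp.grants
            if g.active and (g.expires is None or g.expires >= as_of)]


def revoked_before_notification(steps: List[str]) -> bool:
    """True when every revoke step precedes the notification step."""
    cutoff = steps.index(NOTIFY) if NOTIFY in steps else len(steps)
    return all(i < cutoff for i, s in enumerate(steps) if s.startswith("revoke"))


if __name__ == "__main__":
    # Constructed sample employees (not real data).
    leaver = Employee("hostile-sample", [AccessGrant("account"), AccessGrant("keycard")])
    trail = offboard(leaver, "hostile", date(2024, 3, 1))
    print(trail, residual_access(leaver, date(2024, 3, 1)))   # [] -> nothing left
    retiree = Employee("friendly-sample", [AccessGrant("account"), AccessGrant("vpn")])
    offboard(retiree, "friendly", date(2024, 3, 29))
    print(residual_access(retiree, date(2024, 3, 15)))        # still usable before last day
    print(residual_access(retiree, date(2024, 3, 30)))        # [] after last day
```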
7. How do the security considerations for temporary or contract employees differ from
those of the regular full-time employee?
Temporary employees typically perform secretarial or administrative support, and may be
exposed to a wide range of information. From a security standpoint, access to information
for these individuals should be limited to that necessary to perform their duties. Although
the organization wants to have temporary employees sign nondisclosure agreements and
fair use policies to avoid security breaches by these individuals, this procedure can create
a situation that is awkward and potentially dangerous. Therefore, the ideal approach is to
ensure that the temporary employee’s supervisor restricts the information to which he or
she has access and makes sure all employees follow good security practices, especially
the clean desk policies and the security of classified data.
Typical contract employees include groundskeepers, maintenance service people,
electrical contractors, mechanical service contractors, and other service repair people.
Although some individuals may require access to virtually all areas of the organization to
do their jobs, they seldom need access to information or information resources. They may
need access to various facilities; however, this does not mean it should be granted freely.
8. What two career paths do most experienced professionals take when moving into the
information security discipline? Are there other pathways available? If so, describe them.
- Ex-law enforcement or military, and technical professionals
- Network experts, programmers, database administrators, system administrators, and
graduates
The two primary career paths used by professionals to move into the security field are
military/law enforcement and technical IT professionals. Many colleges are starting to
offer courses and degrees in information security, so many students are starting to work
their way into the information security field as well.
9. Why is it important to use specific and clearly defined job descriptions for hiring
information security professionals?


It is important to use standard job descriptions for hiring information security
professionals because it can increase the degree of professionalism in the information
security field and also improve the consistency of roles and responsibilities between
organizations.
10. What functions does the CISO perform, and what are the key qualifications and
requirements for the position?
- Manages the overall information security program for the organization
- Drafts or approves information security policies
- Works with the CIO on strategic plans, develops tactical plans, and works with
security managers on operational plans
- Develops information security budgets based on available funds
- Sets priorities for the purchase and implementation of information security
projects and technology
- Makes decisions or recommendations on the recruiting, hiring, and firing of
security staff
- Acts as the spokesperson for the security team
Qualifications include CISSP certification, a graduate degree in criminal justice, business,
technology, or another related field, and experience with budgeting, planning, and policy.
11. What functions does the security manager perform, and what are the key
qualifications and requirements for the position?
The security manager is responsible for the day-to-day operations of the information
security program, completes the objectives set forth by the CISO, and resolves any
issues that are identified by technicians.


The key qualifications of the security manager include the ability to draft middle- and
lower-level policies as well as standards and guidelines. The security manager often holds
a CISSP, but it is not required. The security manager is required to have experience in
traditional business matters and must be able to manage technicians in the assigning of
tasks and the monitoring of activities.
12. What functions does the security technician perform, and what are the key
qualifications and requirements for the position?
Functions:
- Configure security hardware and software and coordinate with administrators to ensure
security is properly implemented.
- Configure firewalls, implement security software, diagnose and troubleshoot problems,
and coordinate with systems and network administrators to ensure security technology is
properly implemented.
Qualifications and requirements:
The technical qualifications and position requirements for a security technician are
varied. Organizations prefer the expert, certified, proficient technician. Regardless of the
area, the particular job description covers some level of experience with a particular
hardware and software package. Sometimes familiarity with a technology secures an
applicant an interview; however, experience in using the technology is usually required.
13. What rationale should an aspiring information security professional use in
acquiring professional credentials?
Most companies desire to have a measurable means of judging how well suited a person
is for a particular job before making a decision on whether or not to extend a job offer.
Professional certifications allow decision makers to gauge how well versed an individual
is on a particular subject matter during the recruiting phase. Although professional
certifications do not guarantee a job, they do help an individual gain a measure of respect
from the decision makers and a chance for at least an interview.
14. List and describe the credentials of the various information security certifications
listed in this chapter.
The certification credentials available to the information security professional are CISSP
(Certified Information Systems Security Professional), SSCP (Systems Security Certified
Practitioner), GIAC (Global Information Assurance Certification), Security Certified
Professional, T.I.C.S.A. (TruSecure ICSA Certified Security Associate) and T.I.C.S.E.
(TruSecure ICSA Certified Security Expert), Security+, CISA (Certified Information
Systems Auditor), and Certified Information Systems Forensics Investigator.
15. Who should pay for the expenses of certification? Why?


It depends. Individuals not currently working in the field of the certification being
pursued should have to pay for the certification themselves. If management is mandating
the certification for an individual already performing the job functions, then the company
should have to bear the responsibilities of the certification.
16. List and describe the standard personnel practices that are part of the information
security function. What happens to these practices when they are integrated with
information security concepts?
- Reviewing and updating all job descriptions to verify that access privileges are
not revealed to prospective employees when advertising positions.
- Educating HR to limit the information provided to the candidate during an interview
about the responsibilities and access rights the new hire would have.
- Discussing with the HR manager what (if any) background checks should be performed
on prospective new hires.
- Having new employees sign the fair and responsible use policies regarding
information and information resources.
- Explaining all major policies and procedures during new hire orientation.
- On-the-job security training.
- Verifying that all access to the organization’s systems is disabled, hard drives are
secured, file cabinet locks are changed, office door locks are changed, keycard access is
revoked, and personal effects are removed after the termination of an employee.
17. Why shouldn’t an organization give an employee candidate a tour of secure areas
during the candidate’s interview?
Candidates who are shown around can retain enough information about the operations or
information security functions to represent a potential threat.
18. List and describe the typical relationships that organizations have with
nonemployees. What are the special security precautions that an organization must
consider for workers involved in these associations, and why are they significant?
Temporary Employees – access to information should be limited to that necessary to
perform their duties.
Contract Employees – Most contracted employees should not have access to information
or information resources (unless they are contracted to service computing resources).
Also contracted employees should be escorted in secured facilities.
Consultants – consultants should be handled the same as contract employees, with special
requirements for information or facility access requirements integrated into the contract
before these individuals are allowed outside the conference room.
Business Partners – there must be a meticulous, deliberate process for determining what
information is to be exchanged, in what format, and to whom.


All of these considerations must be taken into account to prevent accidental or intentional
breaches of confidentiality, integrity, or availability that could negatively affect the
organization.
19. What is separation of duties? How can it be used to improve an organization’s
information security practices?
Separation of duties is a control used to reduce the chance of an individual violating
information security and breaching the confidentiality, integrity, or availability of the
information.
It is used to improve an organization’s information security practices by requiring two
people to complete a significant task that involves sensitive information. If one person
has the authorization to access a particular set of information, there may be nothing to
prevent this individual from copying it and removing it from the premises.
20. What is job rotation, and what benefits does it offer an organization?
Job rotation or task rotation is the requirement that every employee be able to perform the
work of another employee. If it is not feasible that one employee learn the entire job of
another, then the organization should at least try to ensure that for each critical task it has
multiple individuals on staff who are capable of performing it. Job or task rotations such
as these can greatly increase the chance that an employee’s misuse of the system or abuse
of the information will be detected by another. They also ensure that no one employee is
performing actions that cannot be physically audited by another employee. In general,
this method makes good business sense.
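Questions 19 and 20 above as one added example (not from the textbook): a two-person control that refuses to let the requester of a sensitive task also approve it, and a roster check that flags critical tasks only one person on staff can perform. The class and function names and the sample roster are assumptions.

```python
"""Separation of duties (two-person rule) and job-rotation coverage check.

Added example, not from the textbook; the names TwoPersonControl,
single_points_of_failure and SAMPLE_ROSTER are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to both request and approve a task."""


class TwoPersonControl:
    """A sensitive task is released only after a second, different person approves."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}                 # task_id -> requester
        self._released: List[Tuple[str, str, str]] = []    # (task_id, requester, approver)

    def request(self, task_id: str, requester: str) -> None:
        if task_id in self._pending:
            raise ValueError(f"task {task_id!r} already requested")
        self._pending[task_id] = requester

    def approve(self, task_id: str, approver: str) -> bool:
        requester = self._pending.get(task_id)
        if requester is None:
            raise KeyError(f"no pending request for {task_id!r}")
        if approver == requester:
            # The control itself: nobody may both access the data and release it alone.
            raise SeparationOfDutiesError(
                f"{approver} cannot approve their own request {task_id!r}")
        del self._pending[task_id]
        self._released.append((task_id, requester, approver))
        return True

    def released(self) -> List[Tuple[str, str, str]]:
        return list(self._released)


def single_points_of_failure(capabilities: Dict[str, Set[str]]) -> Dict[str, str]:
    """Job-rotation check: critical tasks that only one person can perform.

    `capabilities` maps person -> set of critical tasks they can do. Returns
    {task: sole_person} for every task nobody else could take over or audit.
    """
    who_can: Dict[str, Set[str]] = defaultdict(set)
    for person, tasks in capabilities.items():
        for task in tasks:
            who_can[task].add(person)
    return {task: next(iter(people))
            for task, people in who_can.items() if len(people) == 1}


# Constructed sample roster (not real data).
SAMPLE_ROSTER: Dict[str, Set[str]] = {
    "alice": {"payroll_export", "backup_restore"},
    "bob":   {"payroll_export", "firewall_change"},
    "carol": {"backup_restore"},
}


if __name__ == "__main__":
    ctl = TwoPersonControl()
    ctl.request("export-customer-db", "alice")
    try:
        ctl.approve("export-customer-db", "alice")     # blocked: same person
    except SeparationOfDutiesError as err:
        print("blocked:", err)
    ctl.approve("export-customer-db", "bob")           # second person releases it
    print(ctl.released())
    print(single_points_of_failure(SAMPLE_ROSTER))    # {'firewall_change': 'bob'}
```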


Exercises
1. Search your library’s database and the Web for an article related to individuals
violating their organization’s policy and being terminated. Did you find many? Why or
why not?
Answer will be unique for each student.

Students will not locate many articles, if any, since these are frequently considered
“internal actions” and not externally reported. They also reveal weakness in the
organization and possibly poor judgment in the hiring and/or retention of the terminated
employees.
2. Go to the (ISC)2 Web site at www.isc2.org. Research the knowledge areas included
in the tests for both the CISSP and the SSCP. What areas must you study that are not
included in this text?
CISSP Certification candidates must meet the following requirements prior to taking the
CISSP examination.
Subscribe to the (ISC)2 Code of Ethics.
Have a minimum 3 years of direct full-time security professional work experience in one
or more of the ten test domains of the information systems security Common Body of
Knowledge (CBK). Valid experience includes information systems security-related work
performed as a practitioner, auditor, consultant, vendor, investigator or instructor, or that
which requires IS security knowledge and involves direct application of that knowledge.
CISSP – Information not covered in this text:
Applications & Systems Development
Law, Investigation & Ethics
Cryptography

SSCP Certification candidates must meet the following requirements prior to taking the
SSCP examination.
Subscribe to the (ISC)2 Code of Ethics.
Have at least 1 year of cumulative work experience in one or more of the seven test
domains in information systems [IS] security. Valid experience includes information
systems security-related work performed as a practitioner or that which requires IS
security knowledge and involves direct application of that knowledge.
SSCP – Information not covered in this text:
Audit and Monitoring
Cryptography
Malicious Code/Malware


3. Using the Web, identify some certifications with an information security component
that were not discussed in this chapter.
Answer will be unique for each student.
4. Search the Web for at least five job postings for a security administrator. What
qualifications do the listings have in common?
Application Security Architect
Security consultant to handle the following:
* Application Security
* LDAP to third party synch (RDBMS, RACF etc.)
* Directory services
* Single Sign on
Required Skills:
LDAP-Active Directory, Netscape Directory, or Open LDAP
UNIX Security Architect
Responsibilities include:
Assessing the existing environment, planning a comprehensive security approach, and
executing the plan to completion. The candidate's tasks will include the following...

* Perform periodic security reviews of the existing Unix environment to
include a gap analysis, solution planning, etc...
Required Skills:
Unix (Solaris, AIX), LDAP, LDAP based security solutions , LDAP PAM modules,
LDAP schema expertise, Authentication and authorization services, Knowledge of SSL
and other encryption technologies, System Architecture Diagramming, Unix Shell
Scripting and PERL, UDB/DB2 and Unix user and account integration
Enterprise Security Engineer (Radware)

Dynamic Technology firm is seeking a "Top Notch" Security Engineer to implement the
latest in security technologies into production environments. This candidate must have a
strong customer focus! This candidate MUST have solid experience working in large
enterprise environment ...
Required Skills:


MUST have exp. w/ real world implementations w/ the Radware Product line, to include
installing the product in many environs. Must have solid knowledge of Radware product
line, to include: Linkproof, fireproof, web server director, network proximity & SSL
accelerator. 3+ yrs exp: Implementing security systems, networking infrastructure, strong
hands on firewall exp. in one or more of the following: Symantec Rapture, Cyberguard,
Checkpoint, & Sonic wall. Exp. w/ Intrusion Detection Tools (ISS, NFR etc)
WAN / Cyber Security Engineer
Required Skills:
PLEASE DO NOT APPLY IF YOU DO NOT HAVE A MINIMUM OF A CCNP
CERTIFICATION OR EQUIVALENT EXPERIENCE EQUAL TO A CCIE!!!! BS
Engineering or equivalent 4-6 years WAN & CYBER SECURITY experience CCNP &
Lucent/Avaya Certifications
All job postings had the following qualifications in common:
Bachelor’s degree in IS or related field
4+ years of experience in IT or information security
Others that were not common to all five included:
professional certifications and technical writing skills.
5. Search the Web for three different employee hiring and termination policies. Review
each and look carefully for inconsistencies. Does each of the policies have sections
addressing information security requirements? What clauses should a termination policy
contain to prevent disclosure of an organization’s information? Create your own version of
either a hiring or termination policy.
Of the three hiring/termination policies reviewed, none of them contained any
information regarding information security requirements. All of them included
information about benefits, payment information, and other corporate policy information.
At most, the policies included information about an exit interview.
A termination policy should include clauses about taking and revealing corporate
information that the employee has learned or been privy to while employed. It should also
include clauses concerning deleting or altering company information for malicious
purposes. All the clauses should clearly define the consequences and the lengths to which
the company is willing to go to ensure that the company is protected.


Principles of Information Security, 4th Edition


Chapter 12

Review Questions

1. List and define the factors that are likely to shift in an organization’s information
security environment.
Factors that are likely to shift the information security environment include:
- New assets acquired – additional hardware added to the environment.
- New vulnerabilities associated with the new or existing assets emerge – constantly
learning of new exploits.
- Business priorities shift – a change in the organizational focus.
- New partnerships are formed – new relationships that need to be evaluated.
- Old partnerships dissolve – removing access granted to old partners.
- Organizational divestiture and acquisitions occur – changes in company structure.
- Employees who are trained, educated, and made aware of the new policies,
procedures, and technologies leave – ensuring corporate data stays safe.
- New personnel are hired, thus possibly creating new vulnerabilities – background
checks of new hires along with training on company procedures.

2. Who decides if the information security program can adapt to change adequately?
The CISO determines whether the information security group can adapt adequately and
maintain the information security profile of the organization or whether the macroscopic
process of the SecSDLC must start anew to redevelop a fundamentally new information
security profile.

3. List and briefly describe the five domains of the maintenance model.
External Monitoring – provide early awareness of new and emerging threats, threat
agents, vulnerabilities, and attacks that is needed to mount an effective and timely
defense.
Internal Monitoring – maintain an informed awareness of the state of all of the
organization’s networks.
Planning and risk assessment – keep a weather eye on the entire information security
program.


Vulnerability assessment and remediation – the identification of specific, documented
vulnerabilities and their timely remediation.
Readiness and review – keep the information security program functioning as designed
and to keep it continuously improving over time.

4. What are the three primary aspects of information security risk management? Why
is each important?
These aspects are threats, assets, and vulnerabilities. This triple is used to carefully
evaluate the security posture of the organization via security maintenance and readiness.
By carefully monitoring these three aspects of the organization’s security, the organization
will be more prepared for possible problems. By creating an aggressive monitoring
policy, the organization can stay abreast of changes in the environment.

5. What is a management model? What does it accomplish?
A management model deals with methods to manage and operate a particular business
operation. It is designed to help provide clear guidelines on what needs to be done in
order to accomplish the outlined goals of the organization.

6. What changes needed to be made to the model presented in SP 800-100 to adapt it
for use in security management maintenance?
No major changes are needed. This document is written for use in information security
management applications, and while it will need to be tailored for specific local
requirements and implementation details, it is functionally usable as it is presented.

7. What are the ongoing responsibilities security managers have in securing the
SDLC?
The ongoing responsibilities of security management involve the maintenance of the
contingency plan. The contingency plan must always be in a ready state for use
immediately upon notification. Periodic reviews of the plan must be conducted for
currency of key personnel and vendor information, system components and
dependencies, the recovery strategy, vital records, and operational requirements.

8. What is vulnerability assessment?
Vulnerability assessment is the assessment of the physical and logical vulnerabilities present
in both the information security system and related systems. These systems may be technical
or non-technical.


9. What is penetration testing?
Penetration testing involves security personnel simulating or performing specific and
controlled attacks to compromise or disrupt their own systems by exploiting documented
vulnerabilities. Penetration testing from outside the organization is commonly performed
on network connections, as security personnel attempt to exploit vulnerabilities in the
system from the attacker’s viewpoint.

10. What is the difference between configuration management and change
management?
Configuration management is the administration of the configuration of the components
of the security program. On the other hand, change management is the administration of
changes in the strategy, operation, or components of the information security program.
Each type of management involves both technical (impacting the technology
implemented to support security efforts in the hardware, software, and data components)
and non-technical changes (impacting procedures and people).

11. What is a performance baseline?
A performance baseline is an expected level of performance against which all subsequent
levels of performance are compared.

12. What is the difference between vulnerability assessment and penetration testing?
The primary goal of the vulnerability assessment is to identify specific, documented
vulnerabilities. Using the inventory of environment characteristics stored in the risk,
threat, and attack database, the vulnerability assessment processes identify and document
vulnerabilities. These vulnerabilities are stored, tracked, and reported within the
vulnerability database until they are remediated. Penetration testing, a level beyond
vulnerability testing, is a set of security tests and evaluations that simulate attacks by a
malicious external source (hacker). A penetration test, or pen test, is usually performed
periodically as part of a full security audit. While in most security tests, such as
vulnerability assessments, great care is taken not to disrupt normal business operations, in
pen testing the analyst tries to get as far as possible, simulating the actions of an attacker.

13. What are the objectives of the external monitoring domain of the maintenance
model?
The objective of the external monitoring domain within the maintenance model is to
provide the early awareness of new and emerging threats, threat agents, vulnerabilities,
and attacks that the organization needs in order to mount an effective and timely defense.
Figure 12-2 shows the primary components of the external monitoring process.

14. List and describe four vulnerability intelligence sources. Of those that you listed,
which seems the most effective? Why?


Bugtraq is a mailing list for detailed, full disclosure discussions and announcements of
computer security vulnerabilities.
CERT is a website and has a mailing list. The website is considered definitive when
emerging threats become demonstrated vulnerabilities. The mailing list just sends
advisories.
ISS is a website that has a focus on their commercial IDS and other security products.
NESSUS-DEVEL is a mailing list and is dedicated to the Nessus vulnerability test
product. It contains information about emerging threats and how to test for them.
Vulnerabilities ISS – Commercial site with a focus on their commercial IDS and other
security products.
Packet Storm – Commercial site with a focus on current security tool resources.
The most effective of these seems to be Bugtraq because it gives you information such as
identifying the vulnerabilities, documenting how they are exploited, and reports on how
to remediate them.
CERT is also effective because it provides vulnerability information and has no
commercial affiliation. However it is a slow source of information due to the approval
process that takes place to declare a vulnerability to be true.

15. What does CERT stand for? Is there more than one CERT?
CERT stands for Computer Emergency Response Teams and there are several varying
forms of CERT, including USCERT.

16. What are the primary objectives of the internal monitoring domain?
The primary objective of the internal monitoring domain is to maintain an informed
awareness of the state of all of the organization's networks, information systems and
information system defenses.

17. What is the objective of the planning and risk assessment domain of the
maintenance model? Why is this important?
The objective of the planning and risk assessment domain is to keep a lookout over the
entire information security program. It is important because it allows the organization to
identify any risks from projects going on or that already may be in the environment and
then take steps to reduce those risks.

18. What is the primary goal of the vulnerability assessment and remediation domain of
the maintenance model? Is this important to an organization with an Internet presence?
Why?


The primary goal of the vulnerability assessment and remediation domain of the
maintenance model is the identification of specific, documented vulnerabilities and their
timely remediation. It is important to an organization with an Internet presence because
attackers can take advantage of any loophole or flaw that may be present in the public
facing network.

19. List and describe the five vulnerability assessment processes described in the text.
Can you think of some other assessment processes that might exist?
Internet Vulnerability Assessment is a process designed to find and document the
vulnerabilities that may be present in the public-facing network of the organization.
Intranet Vulnerability Assessment is a process designed to find and document selected
vulnerabilities that are likely to be present on the internal network of the organization.
Platform Security Validation is a process designed to find and document the
vulnerabilities that may be present because of misconfigured systems in use within the
organization.
Wireless Vulnerability Assessment is the process designed to find and document the
vulnerabilities that may be present in the wireless local area networks of the organization.
Modem Vulnerability Assessment is the process designed to find and document any
vulnerability that is present on dial-up modems connected to the organization’s networks.
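The tracking described in the answer to question 12 (findings stored, tracked and reported in a vulnerability database until remediated), fed by the five assessment processes listed above, as an added example that is not part of the textbook or its answer key. The process names follow the text; the per-severity remediation deadlines, the finding identifiers and every sample finding are constructed assumptions.

```python
"""Vulnerability database for findings from the five assessment processes.

Added example (not from the textbook): findings are recorded with the process
that found them, tracked until remediated, and reported against remediation
deadlines. SLA days per severity and all sample findings are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The five assessment processes named in the text.
PROCESSES = ("internet", "intranet", "platform", "wireless", "modem")
# Assumed remediation deadlines (days after discovery) per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    asset: str
    process: str           # assessment process that produced the finding
    severity: str
    discovered: date
    description: str
    remediated: Optional[date] = None   # None while the finding is open

    @property
    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def is_open(self) -> bool:
        return self.remediated is None

    def is_overdue(self, today: date) -> bool:
        return self.is_open() and today > self.due


class VulnerabilityDatabase:
    """Stores, tracks and reports findings until they are remediated."""

    def __init__(self) -> None:
        self._findings: Dict[str, Finding] = {}

    def record(self, finding: Finding) -> None:
        if finding.process not in PROCESSES:
            raise ValueError(f"unknown assessment process: {finding.process}")
        if finding.severity not in SLA_DAYS:
            raise ValueError(f"unknown severity: {finding.severity}")
        if finding.finding_id in self._findings:
            raise ValueError(f"duplicate finding id: {finding.finding_id}")
        self._findings[finding.finding_id] = finding

    def remediate(self, finding_id: str, when: date) -> None:
        finding = self._findings[finding_id]
        if not finding.is_open():
            raise ValueError(f"{finding_id} is already remediated")
        finding.remediated = when

    def open_findings(self) -> List[Finding]:
        """Open findings, earliest remediation deadline first."""
        return sorted((f for f in self._findings.values() if f.is_open()),
                      key=lambda f: f.due)

    def overdue(self, today: date) -> List[Finding]:
        return [f for f in self.open_findings() if f.is_overdue(today)]

    def report(self, today: date) -> Dict[str, Dict[str, int]]:
        """Open and overdue counts per assessment process."""
        counts = {p: {"open": 0, "overdue": 0} for p in PROCESSES}
        for f in self.open_findings():
            counts[f.process]["open"] += 1
            if f.is_overdue(today):
                counts[f.process]["overdue"] += 1
        return counts


SAMPLE_TODAY = date(2024, 2, 10)   # constructed reporting date


def build_sample_db() -> VulnerabilityDatabase:
    """Constructed sample findings, one per assessment process (not real data)."""
    db = VulnerabilityDatabase()
    db.record(Finding("V-001", "web01", "internet", "critical", date(2024, 1, 2),
                      "outdated TLS library on public-facing web server"))
    db.record(Finding("V-002", "fileshare", "intranet", "medium", date(2024, 1, 10),
                      "anonymous read access to internal share"))
    db.record(Finding("V-003", "db02", "platform", "high", date(2024, 1, 15),
                      "vendor default administrator password still set"))
    db.record(Finding("V-004", "ap-lobby", "wireless", "high", date(2024, 2, 1),
                      "access point configured with a weak pre-shared key"))
    db.record(Finding("V-005", "modem-fax", "modem", "low", date(2024, 1, 5),
                      "dial-up modem answers without authentication"))
    db.remediate("V-003", date(2024, 1, 20))   # the platform finding was fixed
    return db
```

Calling `build_sample_db().report(SAMPLE_TODAY)` gives the per-process status; only the critical Internet-facing finding is past its deadline on the constructed date.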

20. What is digital forensics, and when is it used in a business setting?
Digital forensics involves the preservation, identification, extraction, documentation, and
interpretation of computer media for evidentiary and/or root cause analysis.
Digital forensics is used in a business setting to investigate what happened in the event of
a policy or legal violation on the part of an employee, contractor, or outsider, or in the
event of an attack on a physical or information asset.


Exercises

1. Search the World Wide Web for the Forum of Incident Response and Security
Teams (FIRST). In your own words, what is the forum’s mission?
The Forum of Incident Response and Security Teams (FIRST) is an international
consortium of computer incident response and security teams who work together to
handle computer security incidents and to promote preventive activities.
The mission of FIRST (http://www.first.org) is to provide its members with technical
information and tools, methods, assistance, and guidance. It also coordinates proactive
liaison activities and analytical support.
FIRST encourages the development of quality products and services and works to
improve national and international information security for government, private industry,
academia and the individual.
The forum also enhances the image and status of the incident response and security teams
(IRST) community in the outside world.

2. Search the World Wide Web for two or more sites that discuss the ISO management
model. What other components of network management, as outlined by this model, can be
adapted for use in the security management model?
The following sites discuss the ISO management model:
Solstice Enterprise Manager Application Development Guide
http://www.dkrz.de/~k202046/em/products/sem/Manuals/dev_guide/network.doc.html#470
HP Open View Performance Insight Courses: Student Pre-course Study Guide
http://www.hp.com/education/briefs/u1614s_prestudy.pdf
The ISO network management model addresses management and operation through five
topics:
· Fault management
· Configuration and name management
· Accounting management
· Performance management
· Security management


A major component of network management that can be adapted to the security
management model is a firewall, which serves a dual role in keeping external intrusion from
reaching an organization's internal data, for the confidentiality, integrity and availability of
the system. Fault management is a component of network management that can be adapted to
the security model by detecting, logging, notifying users of, and automatically fixing network
problems to keep the network running effectively. Because faults can cause downtime or
unacceptable network degradation, fault management is perhaps the most widely
implemented of the ISO network management elements. The security management model
identifies sensitive network resources (including systems, files, and other entities) and
determines mappings between sensitive network resources and user sets. It also
monitors access points to sensitive network resources and logs inappropriate access to
sensitive network resources.

3. This chapter lists five tools that can be used by security administrators, network
administrators, and hackers alike. Search the World Wide Web for three to five other tools
that fit this same description. Who do the sites promoting these tools claim to support?
Answers will vary over time.

4. Using the names of the tools you found in Exercise 3, and a browser on the World
Wide Web, find a site that claims to be dedicated to supporting hackers. Do you find any
references to any other hacker tools? If you do, create a list of the tools with their names
and a short description of what they do and how they work.
In looking at the hacker sites the funny occurrence was that many of the sites are no
longer functional (broken links). The only similar tool I noticed several times on both
types of sites was Nmap ("Network Mapper"). I did notice similar topics on the sites.
For example, where the hacker site would tell how to compromise a system such as NT
Web Server, the sites geared toward security administrators would bring up security
issues for NT Web Server and how to protect against known vulnerabilities.

5. Using the risk assessment documentation components presented in the chapter,
draft a tentative risk assessment of one area of your university (a lab, department, or
office). Outline the critical faults found and discuss these with your class.
Answer specific to location.


Case Studies

Case Study #1
The next day at SLS found everyone in technical support busy restoring computer systems to
their former state and installing new virus and worm control software. Amy found herself
learning how to install desktop computer operating systems and applications as SLS made a
heroic effort to recover from the attack of the previous day.

Q1. Do you think this event was caused by an insider or outsider? Why do you think this?
A. I would say either or. An insider could have been involved, unfortunately, but
unintentionally, by attaching a personal USB flash removable drive to the office computer,
that unbeknownst to the owner, was infected elsewhere with a virus or worm. But, more
than likely the culprit was an outsider because it was stated in the narrative that the problems
started when the users clicked their e-mail attachments. And most e-mails normally come
from the outside.

Q2. Other than installing virus and worm control software, what can SLS do to prepare for
the next incident?
A. They should install an industry-standard firewall into their systems. Actually they should
have had one already, otherwise this problem would not have happened. But I guess they do
not have a robust security policy in place. Also, the fact that they were installing NEW virus
software tells me that they either had a cheap one installed before or that they never had one
in the first place.

Q3. Do you think this attack was the result of a virus or a worm? Why do you think this?
A. It would have to be both. A virus can destroy your computer system and a worm is used to
spread it. The fact that Amy received a bunch of infected e-mails simultaneously tells me
that this is a devastating worm that propagates a virus and spreads it rapidly through the e-
mails via their attachments.


Case Study #2

Soon after the board of directors meeting, Charlie was promoted to Chief Information Security
Officer, a new position that reports to the CIO, Gladys Williams, and that was created to provide
leadership for SLS’s efforts to improve its security profile.

Q1. How do Fred, Gladys, and Charlie perceive the scope and scale of the new information
security effort?
A. Charlie’s proposed Information Security plan aims at securing business software, data, the
networks and computers which store information. The scope of the Information Security effort is
quite vast, aiming at securing each vulnerability. In addition to the aforementioned, the new
Information Security system plan also focuses on the company’s staff. Since extra effort will be
required to implement the new managerial plan and install new software security and tools, the
scale of this operation is quite large.

Q2. How will Fred measure success when he evaluates Gladys’ performance for this
project? How will he evaluate Charlie’s performance?
A. Gladys is appointed as CIO of the team, which was gathered to improve the security of the
company after a virus attack that caused a loss for the company; I believe Fred will measure
Gladys' success by her ability to lead, keep the plan on track (i.e. time management) and
successfully stick to the proposed budget. Charlie was promoted to CISO, a new position that
reports to the CIO; I believe Fred will measure Charlie's success by his ability to implement the
new plan, report his/their progress and the overall success of the new system.

Q3. Which of the threats discussed in this chapter should receive Charlie’s attention early
in his planning process?
A. Portable Media Management (Ex. USB, DVD-R/W) should receive Charlie’s attention early
in his planning process.


Case Study #3

Iris called the company security hotline. The hotline was an anonymous way to report any
suspicious activity or abuse of company policy, although Iris chose to identify herself. The next
morning, she was called to a meeting with an investigator from corporate security, which led to
more meetings with others in corporate security, and then finally a meeting with the director of
human resources and Gladys Williams, the CIO of SLS.

Q1. Why was Iris justified in determining who the owner of the CD was?
A. Iris is justified in determining who the owner of the CD was because she followed the norms
of ethical behavior and followed the protocol installed by her organization.

Q2. Should Iris have approached Henry directly, or was the hotline the most effective way
to take action? Why do you think so?
A. If Iris had approached Henry, it might have become a personal matter rather than professional.
Following the proper protocol is the best way to report in any organization.

Q3. Should Iris have placed the CD back at the coffee station and forgotten the whole
thing? Explain why that action would have been ethical or unethical.
A. In my opinion this would not have been a good professional practice. In any organization,
every employee is expected to adopt ethical behavior. In the current circumstances, Iris
made the correct ethical decision.


Case Study #4

As Charlie wrapped up the meeting, he ticked off a few key reminders for everyone involved in
the asset identification project. “Okay, everyone, before we finish, please remember that you
should try to make your asset lists complete, but be sure to focus your attention on the more
valuable assets first. Also, remember that we evaluate our assets based on business impact to
profitability first, and then economic cost of replacement. Make sure you check with me about
any questions that come up. We will schedule our next meeting in two weeks, so please have
your draft inventories ready.”

Q1. Did Charlie effectively organize the work before the meeting? Why or why not? Make
a list of the important issues you think should be covered by the work plan. For each issue,
provide a short explanation.
A. Yes Charlie did effectively organize the work before the meeting because he went through
each important item that the team should focus on and was clearly specific in what everybody
should do and not do until the next meeting arrives. Charlie clearly states that everyone should
try and make their assets list complete and more importantly focus on the valuable assets and that
should be the main objective until the next meeting.

Q2. Will the company get useful information from the team it has assembled? Why or why
not?
A. If the assembled team follows instructions, does their assigned tasks efficiently and produces
positive outcomes then there is a lot of useful information the company can acquire from this
group of individuals.

Q3. Why might some attendees resist the goals of the meeting? Does it seem that each
person invited was briefed on the importance of the event and the issues behind it?
A. Some attendees could resist the goals of the meeting due to an ongoing quarrel or
disagreement with the team manager, they might have some better and more innovative ideas, or
because they weren’t fully debriefed regarding the objectives of the meeting.


Case Study #5

Charlie sat at his desk the morning after his nightmare. He had answered the most pressing e-
mail in his Inbox and had a piping hot cup of coffee at his elbow. He looked down at a blank
legal pad ready to make notes about what to do in case his nightmare became reality.

Q1. What would be the first note you would write down if you were Charlie?
A. If I were Charlie, the very first note I would write is what caused the problem Charlie is so
worried about and how to avoid it. I would then make a list of ideas on how to avoid the
impending disaster.

Q2. What else should be on Charlie’s list?
A. Charlie’s list should include contingency plans in case his nightmare became a reality and a
list of the necessary steps and risks that he will have to undergo in an attempt to make sure his
nightmare doesn’t come to life.


Case Study #6

The next morning at 8 o’clock, Kelvin called the meeting to order. The first person to address the
group was the network design consultant, Susan Hamir. She reviewed the critical points from her
earlier design report, going over the options it had presented and outlining the tradeoffs in those
design choices. When she finished, she sat down and Kelvin addressed the group again: “We
need to break the logjam on this design issue. We have all the right people in this room to make
the right choice for the company. Now here are the questions I want us to consider over the next
three hours.” Kelvin pressed the key on his PC to show a slide with a list of discussion questions
on the projector screen.

Q1. What questions do you think Kelvin should have included on his slide to start the
discussion?
A. The questions that should have been in his presentation are: What is the cause of the issue?
What should be the solution? How are we going to find the solution? Does anyone have any
suggestions?

Q2. If the questions to be answered were broken down into two categories, they would be
cost versus maintaining high security while keeping flexibility. Which is most important for
SLS?
A. I think the most important thing for SLS is to maintain a high level of security because of how
sensitive and important the information is to the company’s assets. Such information should
always be classified and never be shared with anyone and hence it is important for SLS to
maintain a relatively high level of security regarding its information.


Case Study #7

Miller Harrison was still working his way down his attack protocol. Nmap started out as it
usually did: giving the program identification and version number. Then it started reporting back
on the first host in the SLS network. It reported all of the open ports on this server. Then the
program moved on to a second host and began reporting back the open ports on that system, too.
Once it reached the third host, however, it suddenly stopped. Miller restarted Nmap, using the
last host IP as the starting point for the next scan. No response. He opened up another command
window and tried to ping the first host he had just port-scanned. No luck. He tried to ping the
SLS firewall. Nothing. He happened to know the IP address for the SLS edge router. He pinged
that and got the same result. He had been black holed—meaning his IP address had been put on a
list of addresses from which the SLS edge router would no longer accept packets. This was,
ironically, his own doing. The IDPS he had been helping SLS configure seemed to be working
just fine at the moment. His attempt to hack the SLS network was shut down cold.

Q1. Do you think Miller is out of options as he pursues his vendetta? If you think there are
additional actions he could take in his effort to damage the SLS network, what are they?
A. I think Miller had one more attempt left to damage the SLS network, and that would be to
give the system a complete reboot and start over.

Q2. Suppose a system administrator at SLS happened to read the details of this case. What
steps should he or she take to improve the company’s information security program?
A. One important step that should be undertaken when developing an attack protocol in the
future is to make sure to not try and give too much security to the system as it will create the risk
of the administrator to be locked out himself.
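The black-holing the narrative describes, as an added example that is not part of the textbook or its case study: a small detector reads constructed firewall log lines, counts the distinct targets each source address has touched within a sliding window, and once a source crosses the threshold adds it to the edge router's drop list so its later packets (including pings) get no response. An allowlist of administrator addresses turns the same condition into an alert instead of a block, which is the lockout risk the answer to Q2 raises. The log format, threshold, window length and every address are assumptions.

```python
"""Sliding-window port-scan detector that black-holes the scanning address.

Added example (not from the textbook): constructed firewall log lines are
parsed, distinct targets per source are counted in a sliding window, and a
source that exceeds the threshold is added to the edge router's drop list.
Log format, threshold, window and every address are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"
# (dport=0 stands for an ICMP echo request in this constructed format).
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


class BlackholeIDPS:
    def __init__(self, threshold: int = 10, window: timedelta = timedelta(seconds=30),
                 allowlist: Tuple[str, ...] = ()) -> None:
        self.threshold = threshold          # distinct targets that count as a scan
        self.window = window                # only hits this recent are counted
        self.allowlist = set(allowlist)     # administrator addresses: alert, never block
        self.blackholed: Set[str] = set()   # addresses the edge router now drops
        self._hits: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.events: List[str] = []

    def process(self, line: str) -> str:
        """Return what happened to one line: accepted, alert, blackholed or dropped."""
        m = LOG_RE.match(line)
        if not m:
            return "unparsed"
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if src in self.blackholed:
            return "dropped"   # router no longer accepts packets from this source
        hits = self._hits[src]
        while hits and ts - hits[0][0] > self.window:
            hits.popleft()     # expire hits that fell outside the window
        hits.append((ts, f"{m['dst']}:{m['dport']}"))
        distinct = len({target for _, target in hits})
        if distinct < self.threshold:
            return "accepted"
        if src in self.allowlist:
            self.events.append(f"ALERT scan-like traffic from allowlisted {src}")
            return "alert"
        self.blackholed.add(src)
        self.events.append(f"BLACKHOLE {src} after {distinct} distinct targets")
        return "blackholed"

    def run(self, lines: List[str]) -> List[str]:
        return [self.process(line) for line in lines]


# Constructed log: an outside scanner, a normal web client, and an administrator.
SAMPLE_LOG = [
    *[f"2024-03-05T09:00:{i:02d} src=203.0.113.7 dst=192.0.2.10 dport={p}"
      for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445])],
    "2024-03-05T09:00:10 src=203.0.113.7 dst=192.0.2.11 dport=22",   # second host
    "2024-03-05T09:00:11 src=203.0.113.7 dst=192.0.2.1 dport=0",     # ping to firewall
    *[f"2024-03-05T09:01:{i:02d} src=198.51.100.9 dst=192.0.2.10 dport=443"
      for i in range(12)],                                            # one target only
    *[f"2024-03-05T09:02:{i:02d} src=192.0.2.50 dst=192.0.2.12 dport={p}"
      for i, p in enumerate(range(1, 12))],                           # authorised audit
]


def analyze_sample() -> Tuple[BlackholeIDPS, List[str]]:
    """Run the detector over the constructed log; 192.0.2.50 is the allowlisted admin."""
    idps = BlackholeIDPS(allowlist=("192.0.2.50",))
    return idps, idps.run(SAMPLE_LOG)


if __name__ == "__main__":
    idps, results = analyze_sample()
    for event in idps.events:
        print(event)
    print("dropped at router:", sorted(idps.blackholed))
```

A scan paced slower than the window never reaches the threshold, so the window length is a tuning decision between catching slow scans and blocking legitimate bursts.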


Case Study #8

Charlie was just getting ready to head home when the phone rang. Caller ID showed it was Peter.
“Hi, Peter,” he said into the receiver. “Want me to start the file cracker on your spreadsheet?”
“No, thanks,” Peter answered, taking the joke well. “I remembered my passphrase. But I want to
get your advice on what we need to do to make the use of encryption more effective and to get it
properly licensed for the whole company. I see the value in using it for certain kinds of
information, but I’m worried about forgetting a passphrase again or even worse, that someone
else forgets a passphrase or leaves the company. How would we get their files back?” “We need
to use a feature called key recovery, which is usually part of PKI software,” said Charlie.
“Actually, if we invest in PKI software, we could solve that problem as well as several others.”
“OK,” said Peter. “Can you see me tomorrow at 10 o’clock to talk about this PKI solution and
how we can make better use of encryption?”

Q1. Was Charlie exaggerating when he gave Peter an estimate for the time that would be
required to crack the encryption key using a brute force attack?
A. Yes, Charlie was exaggerating because a brute force attack generally takes much longer to be
executed than what Charlie suggested to Peter.

Q2. Are there any tools that someone like Peter can use safely, other than key recovery, to
avoid losing his or her passphrase?
A. The best tool or method to avoid losing one’s passphrase other than key recovery is to safely
store all important PIN numbers, passcodes, passwords in one designated place so should
someone ever forget his or her passphrase, he or she can just search it up from that location
where he or she stored a backup.


Case Study #9

Amy walked into her office cubicle and sat down. The entire episode with the blond man had
taken well over two hours of her day. Plus, the police officers had told her the district attorney
would also be calling to make an appointment to speak to her, which meant she would have to
spend even more time dealing with this incident. She hoped her manager would understand.

Q1. Based on this case study, what security awareness and training documents and posters
had an impact in this event?
A. I think that the threat of some kind of security breach is what had a major impact on this event
and is what led to all these meetings with the blond man as well as the district attorney for Amy.

Q2. Do you think Amy should have done anything differently? What would you have done
in the situation in which Amy found herself to be in?
A. Yes, Amy should have taken a different approach. If I were in her shoes, I would have
consulted my manager beforehand and if we came to an agreement then I would have arranged
any meetings with outside individuals just so my manager was satisfied and would be able to
understand once the meetings were over.
