For Amy, the day began like any other at the Sequential Label and Supply Company (SLS)
help desk.
Taking calls and helping office workers with computer problems was not glamorous, but she enjoyed
the work; it was challenging and paid well. Some of her friends in the industry worked at bigger
companies, some at cutting-edge tech companies, but they all agreed that jobs in information
technology were a good way to pay the bills. The phone rang, as it did on average about four times
an hour and about 28 times a day. The first call of the day, from a worried user hoping Amy could
help him out of a jam, seemed typical. The call display on her monitor gave some of the facts: the
user’s name, his phone number, the department in which he worked, where his office was on the
company campus, and a list of all the calls he’d made in the past. “Hi, Bob,” she said. “Did you get
that document formatting problem squared away?” “Sure did, Amy. Hope we can figure out what’s
going on this time.” “We’ll try, Bob. Tell me about it.” “Well, my PC is acting weird,” Bob said. “When
I go to the screen that has my e-mail program running, it doesn’t respond to the mouse or the
keyboard.” “Did you try a reboot yet?” “Sure did. But the window wouldn’t close, and I
had to turn it off. After it restarted, I opened the e-mail program, and it’s just like it was before—no
response at all. The other stuff is working OK, but really, really slowly. Even my Internet browser is
sluggish.” “OK, Bob. We’ve tried the usual stuff we can do over the phone. Let me open a case.
What Is Security?

In general, security is “the quality or state of being secure—to be free from danger.”11 In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system. A successful organization should have the following multiple layers of security in place to protect its operations:

● Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
● Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
● Operations security, to protect the details of a particular operation or series of activities
● Communications security, to protect communications media, technology, and content
● Network security, to protect networking components, connections, and contents
● Information security, to protect the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.12 Figure 1-3 shows that information security includes the broad areas of information security management, computer and data security, and network security.

Figure 1-3 Components of Information Security (Source: Course Technology/Cengage Learning). The figure shows information security encompassing network security, management of information security, policy, and computer and data security.

The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability. The security of these three characteristics of information is as important today as it has always been, but the C.I.A. triangle model no longer adequately addresses the constantly changing environment. The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. This new environment of many constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment. The expanded model consists of a list of critical characteristics of information, which are described in the next section. C.I.A. triangle terminology is used in this chapter because of the breadth of material that is based on it.

Key Information Security Concepts

This book uses a number of terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-4; all are covered in greater detail in subsequent chapters.
● Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.
● Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
● Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone casually reading sensitive information not intended for his or her use is a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a fire in a building is an unintentional attack. A direct attack is a hacker using a personal computer to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems, for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under …..
● Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. The various levels and types of controls are discussed more fully in the following chapters.
● Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components.
● Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
● Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization’s information is stolen, it has suffered a loss.
● Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.
● Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk the organization is willing to accept.
● Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity, as shown in Figure 1-5. A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object), and is then used to attack other systems (subject).
● Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
● Threat agent: The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.
● Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered)