
Information security:

Protecting the organization’s ability to function

Protecting the data and information the organization collects and uses

Enabling the safe operation of applications running on the organization’s IT systems

Safeguarding the organization’s technology assets

Malware

A malicious code attack involves the execution of viruses, worms, Trojan horses, and active Web scripts
with the intent to destroy or steal information.

Virus

A computer virus consists of code segments that perform malicious actions. One of the most common
methods of virus transmission is via e-mail attachments.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

A denial-of-service attack begins when an attacker sends a large number of connection or information
requests to a target. So many requests are made that the target system cannot handle them successfully
along with other legitimate requests for service. This may result in the system crashing or simply
becoming unable to perform ordinary functions.

E-mail Attacks

Spam is unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is
emerging as a vector for some attacks.

- Packet Sniffer

- Spoofing

Pharming

Pharming is “the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining
private information.”

Man-in-the-Middle

An attacker sniffs packets from the network, modifies them, and inserts them back into the network. In a
TCP hijacking attack, the attacker uses address spoofing to impersonate other legitimate entities on the
network. This is also known as session hijacking.

The Deadly Sins of Software Security (common software development problems):

Buffer overruns

Command injection problems

Cross-site scripting

Failure to handle errors

Failure to protect network traffic

Failure to use cryptographically strong random numbers

Format string problems

The issue of neglecting change control

Improper file access

Improper use of SSL

Information leakage

Integer bugs (Overflows/Underflows)

A race condition

SQL Injection

Trusting network address resolution

Unauthenticated key exchange

Use of magic URLs and hidden forms

The use of weak password-based systems

Module 3:

Organizational Liability and the Need for Counsel

Policy Versus Law

Dissemination (distribution)

Review (reading)

Comprehension (understanding)

Compliance (agreement)

Uniform enforcement

Types of Law:

1. Civil law represents a wide variety of laws that govern a nation or state and deal with the relationships
and conflicts between organizational entities and people.

2. Criminal law addresses violations harmful to society and is actively enforced by the state.

3. Private law regulates the relationship between the individual and the organization, and encompasses
family law, commercial law, and labor law.

4. Public law regulates the structure and administration of government agencies and their relationships
with citizens, employees, and other governments, providing careful checks and balances. Examples of
public law include criminal, administrative, and constitutional law.

Ethics in Information Security

The Ten Commandments of Computer Ethics from the Computer Ethics Institute

Thou shalt not use a computer to harm other people.

Thou shalt not interfere with other people’s computer work.

Thou shalt not snoop around in other people’s computer files.

Thou shalt not use a computer to steal.

Thou shalt not use a computer to bear false witness.

Thou shalt not copy or use proprietary software for which you have not paid.

Thou shalt not use other people’s computer resources without authorization or proper compensation.

Thou shalt not appropriate other people’s intellectual output.

Thou shalt think about the social consequences of the program you are writing or the system you are
designing.

Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

During this module we explored the difference between laws and ethics. Laws are rules that mandate or
prohibit certain behavior in society. In the United States, laws that are significant to information security
in organizations have been, and continue to be, established by government, industry, and academia.

Types of laws: civil, criminal, private, and public.

Some of the most relevant U.S. laws are:

Computer Fraud and Abuse Act of 1986 (CFA Act)

National Information Infrastructure Protection Act of 1996

USA PATRIOT Act of 2001

USA PATRIOT Improvement and Reauthorization Act

Computer Security Act of 1987

Title 18, U.S.C. § 1028

Ethics define socially acceptable behaviors and are based on cultural values, habits, and patterns. They
express the fixed moral attitudes or customs of a particular group. The information security field has no
explicit rules governing ethical behavior in the workplace and no binding code of ethics. Instead,
professional associations and accreditation agencies (such as ISC2) work to establish the profession’s
ethical codes of conduct.

Key Terms

Aggregate information: collective data that relates to a group or category of people and that has been
altered to remove characteristics or components that make it possible to identify individuals within the
group.

Cultural mores: the fixed moral attitudes or customs of a particular group.

Due care: the legal standard that requires a prudent organization and its employees to act legally and
ethically and know the consequences of their actions. Also referred to as the standard of due care.

Due diligence: considered a subset of the standard of due care, the legal standard that requires a
prudent organization and its employees to maintain the standard of due care and ensure that their
actions are effective. Also referred to as the standard of due diligence.

Ethics: Codes or principles of an individual or group that regulate and define acceptable behavior.

Identity theft: The unauthorized taking of personally identifiable information with the intent of
committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and
services without authorization, and generally impersonating the victim for illegal or unethical purposes.

Information aggregation: pieces of nonprivate data that, when combined, may create information that
violates privacy.

Information assurance: The affirmation or guarantee of the confidentiality, integrity, and availability of
information in storage, processing, and transmission.

Jurisdiction: a court’s right to hear a case if a wrong is committed in its territory or involves its citizenry.

Laws: Rules that mandate or prohibit certain behavior and are enforced by the state.

Liability: the legal obligation of an entity that extends beyond criminal or contract law.

Long arm jurisdiction: the application of laws to people currently residing outside a court’s normal
jurisdiction, usually granted when a person performs an illegal action within the court’s jurisdiction and
then leaves.

Personally identifiable information (PII): information about a person’s history, background, and attributes
that can be used to commit identity theft. This information typically includes a person’s name, address,
Social Security number, family information, employment history, and financial information.

Policies: managerial directives that specify acceptable and unacceptable employee behavior in the
workplace.

Privacy: in the context of information security, the right of individuals or groups to protect themselves
and their information from unauthorized access, providing confidentiality.

Restitution: the legal obligation to compensate an injured party for wrongs committed.

Signals intelligence: collection, analysis, and distribution of information from foreign communications
networks for intelligence and counterintelligence purposes and in support of military operations.

Module 4

Five goals of information security governance:

1) Strategic alignment of information security with business strategy to support organizational objectives

2) Risk management by executing appropriate measures to manage and mitigate threats to information
resources

3) Resource management by utilizing information security knowledge and infrastructure efficiently and
effectively

4) Performance measurement by measuring, monitoring, and reporting information security governance
metrics to ensure that organizational objectives are achieved

5) Value delivery by optimizing information security investments in support of organizational objectives
