Protecting the data and information the organization collects and uses
Malware
A malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts
with the intent to destroy or steal information.
Virus
A computer virus consists of code segments that perform malicious actions. Point out to students that
one of the most common methods of virus transmission is via e-mail attachments.
Denial-of-Service
A denial-of-service attack begins when an attacker sends a large number of connection or information
requests to a target. So many requests are made that the target system cannot handle them successfully
along with other legitimate requests for service. This may result in the system crashing or simply
becoming unable to perform ordinary functions.
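The defensive counterpart to the description above is to notice the flood and to keep serving legitimate clients while it happens. This added example (not part of the original notes) runs a per-source sliding-window counter and a per-source token bucket over a constructed connection log; the addresses and timing are invented sample data.

```python
from collections import defaultdict, deque

# Constructed sample log: (timestamp in seconds, source address).
# 203.0.113.7 sends a burst of 8 requests in 0.7 s; the other two sources
# send a few requests spread over ~3 s, as ordinary clients would.
SAMPLE_REQUESTS = (
    [(round(0.1 * i, 1), "203.0.113.7") for i in range(8)]
    + [(0.15, "198.51.100.4"), (1.2, "198.51.100.4"), (2.1, "198.51.100.4")]
    + [(0.05 + 0.5 * i, "192.0.2.9") for i in range(6)]
)


def find_flooding_sources(requests, window_seconds=1.0, threshold=5):
    """Detection: return {source: first_flag_time} for every source that
    issued more than `threshold` requests inside any window_seconds-wide
    sliding window. One deque of recent timestamps is kept per source."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src in sorted(requests):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_seconds:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def rate_limit(requests, capacity=5, refill_per_second=1.0):
    """Mitigation: per-source token bucket. Each request costs one token;
    buckets start full and refill at refill_per_second up to `capacity`.
    Returns (admitted, dropped) request counts per source, so the flooding
    source loses its excess while the other sources are served in full."""
    tokens, last_seen = {}, {}
    admitted, dropped = defaultdict(int), defaultdict(int)
    for ts, src in sorted(requests):
        if src in tokens:
            tokens[src] = min(capacity, tokens[src] + (ts - last_seen[src]) * refill_per_second)
        else:
            tokens[src] = capacity
        last_seen[src] = ts
        if tokens[src] >= 1:
            tokens[src] -= 1
            admitted[src] += 1
        else:
            dropped[src] += 1
    return dict(admitted), dict(dropped)


if __name__ == "__main__":
    print("flagged:", find_flooding_sources(SAMPLE_REQUESTS))
    print("admitted/dropped:", rate_limit(SAMPLE_REQUESTS))
```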
E-mail Attacks
Spam is unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is
emerging as a vector for some attacks.
- Packet Sniffer
- Spoofing
Pharming
Pharming is “the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining
private information.”
Man-in-the-Middle
An attacker sniffs packets from the network, modifies them, and inserts them back into the network. In a
TCP hijacking attack, the attacker uses address spoofing to impersonate other legitimate entities on the
network. This is also known as session hijacking.
Buffer overruns
Cross-site scripting
Information leakage
A race condition
SQL Injection
Module 3:
Dissemination (distribution)
Review (reading)
Comprehension (understanding)
Compliance (agreement)
Uniform enforcement
Types of Law:
1. Civil law represents a wide variety of laws that govern a nation or state and deal with the relationships
and conflicts between organizational entities and people.
2. Criminal law addresses violations harmful to society and is actively enforced by the state.
3. Private law regulates the relationship between the individual and the organization, and encompasses
family law, commercial law, and labor law.
4. Public law regulates the structure and administration of government agencies and their relationships
with citizens, employees, and other governments, providing careful checks and balances. Examples of
public law include criminal, administrative, and constitutional law.
Thou shalt not interfere with other people's computer work.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people's computer resources without authorization or proper compensation.
Thou shalt think about the social consequences of the program you are writing or the system you are
designing.
Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
During this module we explored the difference between laws and ethics. Laws are rules that mandate or
prohibit certain behavior in society. In the United States, laws significant to information security in
organizations are being established by government, industry, and academia.
Ethics define socially acceptable behaviors and are based on cultural values, habits, and patterns. They
express the fixed moral attitudes or customs of a particular group. The information security field has no
explicit rules governing ethical behavior in the workplace, nor a binding code of ethics. Instead,
professional associations and accreditation agencies (such as ISC2) work to establish the profession's
ethical codes of conduct.
Key Terms
Aggregate information: collective data that relates to a group or category of people and that has been
altered to remove characteristics or components that make it possible to identify individuals within the
group.
Due care: the legal standard that requires a prudent organization and its employees to act legally and
ethically and know the consequences of their actions. Also referred to as the standard of due care.
Due diligence: considered a subset of the standard of due care, the legal standard that requires a
prudent organization and its employees to maintain the standard of due care and ensure that their
actions are effective. Also referred to as the standard of due diligence.
Ethics: Codes or principles of an individual or group that regulate and define acceptable behavior.
Identity theft: The unauthorized taking of personally identifiable information with the intent of
committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and
services without authorization, and generally impersonating the victim for illegal or unethical purposes.
Information aggregation: pieces of nonprivate data that, when combined, may create information that
violates privacy.
Information assurance: The affirmation or guarantee of the confidentiality, integrity, and availability of
information in storage, processing, and transmission.
Jurisdiction: a court’s right to hear a case if a wrong is committed in its territory or involves its citizenry.
Laws: Rules that mandate or prohibit certain behavior and are enforced by the state.
Liability: the legal obligation of an entity that extends beyond criminal or contract law.
Long arm jurisdiction: the application of laws to people currently residing outside a court’s normal
jurisdiction, usually granted when a person performs an illegal action within the court’s jurisdiction and
then leaves.
Personally identifiable information (PII): information about a person’s history, background, and attributes
that can be used to commit identity theft. This information typically includes a person’s name, address,
Social Security number, family information, employment history, and financial information.
Policies: managerial directives that specify acceptable and unacceptable employee behavior in the
workplace.
Privacy: in the context of information security, the right of individuals or groups to protect themselves
and their information from unauthorized access, providing confidentiality.
Restitution: the legal obligation to compensate an injured party for wrongs committed.
Signals intelligence: collection, analysis, and distribution of information from foreign communications
networks for intelligence and counterintelligence purposes and in support of military operations.
Module 4
1) Strategic alignment of information security with business strategy to support organizational objectives
2) Risk management by executing appropriate measures to manage and mitigate threats to information
resources
3) Resource management by utilizing information security knowledge and infrastructure efficiently and
effectively