The History of Information Security
• Began immediately following development first mainframes
• Developed for code-breaking computations During World
War II
• Multiple levels of security were implemented
• Primary threats
• Defending against physical theft, espionage, and sabotage
The 1960s
• Advanced Research Project Agency (ARPA)
• Examined feasibility of redundant networked
communications
• Larry Roberts developed ARPANET from its inception
• Plan
• Link computers
• Resource sharing
• Link 17 Computer Research Centers
• Cost 3.4M
• ARPANET is predecessor to the Internet
The 1970s and 80s
• ARPANET grew in popularity
• Potential for misuse grew
• Fundamental problems with ARPANET security
• Individual remote sites were not secure from unauthorized
users
• Vulnerability of password structure and formats
• No safety procedures for dial-up connections to ARPANET
• Non-existent user identification and authorization to System
Rand Report R-609
• Paper that started the study of computer security
• Information Security as we know it began
• Scope of computer security grew from physical security to
include:
• Safety of data
• Limiting unauthorized access to data
• Involvement of personnel from multiple levels of an
organization
MULTICS
• Early focus of computer security research
• System called Multiplexed Information and Computing
Service (MULTICS)
• First operating system created with security as its primary
goal
• Several MULTICS key players created UNIX
• Late 1970s
•Microprocessor expanded computing capabilities
•Mainframe presence reduced
• Expanded security threats
The 1990s
• Networks of computers became more common
• Need to interconnect networks grew
• Internet became first manifestation of a global network of
networks
• In early Internet deployments, security was treated as a low
priority 2000 to Present
• Millions of computer networks communicate
• Many of the communication unsecured and became more
exposed to security threats.
• Growing threat of cyber attacks has increased the need for
improved security
What is Security?
• “The quality or state of being secure—to be free from
danger”
• A successful organization should have multiple layers of
security in place:
• Physical security- To protect the physical items,
objects, or areas of an organization from
unauthorized access and misuse.
• Personal security - To protect the individual or
group of individuals who are authorized to access the
organization and its operations.
• Operations security – To protect the details of a
particular operation or series of activities.
• Communications security – To protect an
organization’s communications media, technology,
and content.
• Network security – To protect networking
components, connections, and contents.
 Information security, to protect the confidentiality,
integrity and availability of information assets, whether in
storage, processing, or transmission.
What is Information Security?
• The protection of information and its critical elements,
including systems and hardware that use, store, and transmit
that information
• Necessary tools: policy, awareness, training, education,
Technology
Key Information Security Concepts
• Access- a subject or object’s ability to use, manipulate,
modify, or affect another subject or object.
• Asset- the organizational resource that is being protected.
• Exposure- a single instance of being open to damage.
• Loss- When an organization’s information is stolen, it has
suffered a loss.
• Exploit- to take advantage of weaknesses or vulnerability in
a system.
• Attack- an act that is an intentional or unintentional attempt
to cause damage or compromise to the information and/or the
systems that support it.
• Control, Safeguard, or Countermeasure- security
mechanisms, policies, or procedures that can successfully
counter attacks, reduce risk, resolve vulnerabilities, and
otherwise improve the security within an organization
• Hack - Good: to use computers or systems for enjoyment;
Bad: to illegally gain access to a computer or system.
• Risk- the probability that something can happen.
•Security Blueprint - the plan for the implementation of new
security measures in the organization.
• Security Model - a collection of specific security rules that
represents the implementation of a security policy.
• Subjects and Objects- an active entity that interacts with an
information system and causes information to move through
the system for a specific end purpose.
• Threat- a category of objects, persons, or other entities that
represents a potential danger to an asset.
• Threat Agent - a specific instance or component of a more
general threat.
• Vulnerability - weaknesses or faults in a system or
protection mechanism that expose information to attack or
damage.
Critical Characteristics of Information
• The value of information comes from the characteristics it
possesses:
• Availability- Enables users who need to access
information to do so without interference or
obstruction and in the required format.
• Accuracy- Free from mistake or error and having
the value that the end user expects
• Authenticity- The quality or state of being genuine
or original, rather than a reproduction or fabrication
• Confidentiality- The quality or state of preventing
disclosure or exposure to unauthorized individuals or
systems
• Integrity- The quality or state of being whole,
complete, and uncorrupted.
• Possession- The quality or state of having
ownership or control of some object or item
Components of an Information System
• Information system (IS) is entire set of components
necessary to use information as a resource in the organization
• Software
• Hardware
• Data
• People
• Procedures
• Networks
Balancing Information Security and Access
• Impossible to obtain perfect security
• Process, not an absolute
• Security should be considered balance between protection
and availability
• Must allow reasonable access, yet protect against threats
Approaches to Information Security Implementation:
Bottom-Up Approach
• Grassroots effort -systems administrators drive
• Key advantage: technical expertise of individual
administrators
• Seldom works
• Lacks number of critical features:
• Participant support
• Organizational staying power
Top-Down Approach
• Initiated by upper management
• Issue policy, procedures, and processes
• Dictate goals and expected outcomes of project
• Determine accountability for each required action
• Most successful
• Involves formal development strategy
• Systems development life cycle
Security Professionals and the Organization
• Wide range of professionals required to support a diverse
information security program
• Senior management is key component
• Additional administrative support and technical expertise are
required to implement details of IS program
Senior Management
• Chief Information Officer (CIO)
• Senior technology officer
• Primarily responsible for advising senior executives
on strategic planning
• Chief Information Security Officer (CISO)
• Primarily responsible for assessment, management,
and implementation of IS in the organization
• Usually reports directly to the CIO
Information Security Project Team
• A number of individuals who are experienced in one or more
facets of required technical and nontechnical areas:
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
Data Responsibilities
• Data owner: responsible for the security and use of a
particular set of information
• Data custodian: responsible for storage, maintenance, and
protection of information
• Data users: end users who work with information to perform
their daily jobs supporting the mission of the organization
Communities of Interest
• Group of individuals united by similar interests/values within
an organization
• Information security management and professionals
• Information technology management and professionals
• Organizational management and professionals
Introduction
• Primary mission of information security is to ensure systems
and contents stay the same
• If no threats existed, resources could be focused on
improving systems, resulting in vast improvements in ease of
use and usefulness
• Attacks on information systems are a daily Occurrence
Business Needs First
• Information security performs four important functions for
an organization
– Protects the organization’s ability to function
 – Enables safe operation of applications implemented
on its IT systems
– Protects data the organization collects and uses
– Safeguards technology assets in use
Protecting the Functionality of an Organization
• Management (general and IT) responsible for
implementation
• Information security is both management issue and people
issue
• Organization should address information security in terms of
business impact and cost
Enabling the Safe Operation of Applications
• Organization needs environments that safeguard applications
using IT systems
• Management must continue to oversee infrastructure once in
place—not relegate to IT department
Protecting Data that Organizations Collect and Use
• Organization, without data, loses its record of transactions
and/or ability to deliver value to customers
• Protecting data in motion and data at rest are both critical
aspects of information security
Safeguarding Technology Assets in Organizations
• Organizations must have secure infrastructure services based
on size and scope of enterprise
• Additional security services may be needed as organization
grows
• More robust solutions may be needed to replace security
programs the organization has outgrown
THREATS
• Threat: an object, person, or other entity that represents a
constant danger to an asset
• Management must be informed of the different threats facing
the organization
Compromises to Intellectual Property
• Intellectual property (IP): “ownership of ideas and control
over the tangible or virtual representation of those ideas”
• The most common IP breaches involve software piracy
• Two watchdog organizations investigate software abuse:
– Software & Information Industry Association
(SIIA)
– Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with
technical security mechanisms
Deliberate Software Attacks
• Malicious software (malware) designed to damage, destroy,
or deny service to target systems includes:
– Viruses
– Worms
– Trojan horses
– Logic bombs
– Polymorphic threats
– Rootkit
– Man-in-The-Middle
– Ransomware
– Adware
– Bot
Deviations in Quality of Service
• Includes situations where products or services are not
delivered as expected
• Information system depends on many interdependent support
systems
• Internet service, communications, and power irregularities
dramatically affect availability of information and systems
• Internet service issues
– Internet service provider (ISP) failures can
considerably undermine availability of information
– Outsourced Web hosting provider assumes
responsibility for all Internet services as well as
hardware and Website operating system software
• Communications and other service provider issues
– Other utility services affect organizations:
telephone, water, wastewater, trash pickup, etc.
– Loss of these services can affect organization’s
ability to function
• Power irregularities
– Commonplace
– Organizations with inadequately conditioned power
are susceptible
– Controls can be applied to manage power quality
– Fluctuations (short or prolonged)
• Excesses (spikes or surges) – voltage increase
• Shortages (sags or brownouts) – low voltage
• Losses (faults or blackouts) – loss of power
Espionage or Trespass
• Access of protected information by unauthorized individuals
• Shoulder surfing can occur anywhere a person accesses
confidential information
• Hackers use skill, guile, or fraud to bypass controls
protecting others’ information
• Expert hacker
– Develops software scripts and program exploits
– Usually a master of many skills
– Will often create attack software and share with
others
• Unskilled hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they
hack
• Other terms for system rule breakers:
– Cracker: “cracks” or removes software protection
designed to prevent unauthorized duplication
– Phreaker: hacks the public telephone Network
Forces of Nature
• Forces of nature are among the most dangerous threats
• Disrupt not only individual lives, but also storage,
transmission, and use of information
• Organizations must implement controls to limit damage and
prepare contingency plans for continued operations
Human Error or Failure
• Includes acts performed without malicious intent
• Causes include:
– Inexperience
 – Improper training
– Incorrect assumptions
• Employees are among the greatest threats to an
organization’s data
• Employee mistakes can easily lead to:
– Revelation of classified data
– Entry of erroneous data
– Accidental data deletion or modification
– Data storage in unprotected areas
– Failure to protect information
• Many of these threats can be prevented with Controls
Information Extortion
• Attacker steals information from computer system and
demands compensation for its return or nondisclosure
• Commonly done in credit card number theft
Missing, Inadequate, or Incomplete Organizational Policy
or Planning and Controls
• Can make organizations vulnerable to loss, damage, or
disclosure of information assets
• Can make an organization more likely to suffer losses when
other threats lead to attacks
Sabotage or Vandalism
• Threats can range from petty vandalism to organized
sabotage
• Web site defacing can erode consumer confidence, dropping
sales and organization’s net worth
• Threat of hacktivist or cyber-activist operations rising
• Cyberterrorism: much more sinister form of hacking
Theft
• Illegal taking of another’s physical, electronic, or intellectual
property
• Physical theft is controlled relatively easily
• Electronic theft is more complex problem; evidence of crime
not readily apparent
Technical Hardware Failures or Errors
• Occur when manufacturer distributes equipment containing
flaws to users
• Can cause system to perform outside of expected parameters,
resulting in unreliable or poor service.
• Some errors are terminal; some are Intermittent
Technical Software Failures or Errors
• Purchased software that contains unrevealed faults.
• Combinations of certain software and hardware can reveal
new software bugs.
• Entire Web sites dedicated to documenting bugs.
Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable,
untrustworthy systems
• Proper managerial planning should prevent technology
obsolescence
• IT plays large role
Attacks
– Acts or actions that exploits vulnerability (i.e., an identified
weakness) in controlled system
– Accomplished by threat agent that damages or steals
organization’s Information
Types of attacks
– Malicious code: includes execution of viruses, worms,
Trojan horses, and active Web scripts with intent to destroy or
steal information
– Hoaxes: transmission of a virus hoax with a real virus
attached; more devious form of attack.
– Back door: gaining access to system or network using
known or previously unknown/newly discovered access
mechanism
– Password crack: attempting to reverse calculate a password
– Brute force: trying every possible combination of options of
a password
– Dictionary: selects specific accounts to attack and uses
commonly used passwords to guide guesses
– Denial-of-service (DoS): attacker sends large number of
connection or information requests to a target
• Target system cannot handle successfully along with
other, legitimate service requests
• May result in system crash or inability to perform
ordinary functions
– Distributed denial-of-service (DDoS): coordinated stream
of requests is launched against target from many locations
simultaneously
– Spoofing: technique used to gain unauthorized access;
intruder assumes a trusted IP address
– Man-in-the-middle: attacker monitors network packets,
modifies them, and inserts them back into network
– Mail bombing: also a DoS; attacker routes large quantities
of e-mail to target
– Sniffers: program or device that monitors data traveling
over network; can be used both for legitimate purposes and for
stealing information from a network
– Phishing: an attempt to gain personal/financial information
from individual, usually by posing as legitimate entity
– Pharming: redirection of legitimate Web traffic (e.g.,
browser requests) to illegitimate site for the purpose of
obtaining private information
– Social engineering: using social skills to convince people to
reveal access credentials or other valuable information to
attacker
– “People are the weakest link. You can have the best
technology; firewalls, intrusion-detection systems,
biometric devices ... and somebody can call an
unsuspecting employee. That's all she wrote, baby.
They got everything.” — Kevin Mitnick
– Timing attack: relatively new; works by exploring contents
of a Web browser’s cache to create malicious cookie
Laws: rules that mandate or prohibit certain societal behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
 Laws carry sanctions of a governing authority; ethics do
not
Organizational Liability and the Need for Counsel
(LRDDJL)
 Liability: legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution
 Restitution: to compensate for wrongs committed by
an organization or its employees
 Due care: insuring that employees know what
constitutes acceptable behavior and know the
consequences of illegal or unethical actions
 Due diligence: making a valid effort to protect
others; continually maintaining level of effort
 Jurisdiction: court's right to hear a case if the wrong
was committed in its territory or involved its
citizenry
 Long arm jurisdiction: right of any court to impose
its authority over an individual or organization if it
can establish jurisdiction
Policy versus Law
• Policies: body of expectations that describe acceptable and
unacceptable employee behaviors in the workplace
• Policies function as laws within an organization; must be
crafted carefully to ensure they are complete, appropriate,
fairly applied to everyone
• Difference between policy and law: ignorance of a policy is
an acceptable defense
Criteria for policy enforcement: (DRCCU)
– Dissemination (distribution) - – The organization must be
able to demonstrate that the relevant policy has been made
readily available for review by the employee. Common
dissemination techniques include hard copy and electronic
distribution.
– Review (reading) - The organization must be able to
demonstrate that it disseminated the document in an
intelligible form, including versions for illiterate, nonEnglish
reading, and reading-impaired employees. Common
techniques include recordings of the policy in English and
alternate languages.
–Comprehension (understanding) - – The organization must
be able to demonstrate that the employee understood the
requirements and content of the policy. Common techniques
include quizzes and other assessments
– Compliance (agreement) - – The organization must be able
to demonstrate that the employee agrees to comply with the
policy, through act or affirmation. Common techniques
include logon banners which require a specific action (mouse
click or keystroke) to acknowledge agreement, or a signed
document clearly indicating the employee has read,
understood, and agreed to comply with the policy.
–Uniform enforcement – The organization must be able to
demonstrate that the policy has been uniformly enforced,
regardless of employee status or assignment.
Types of Law (CCPP)
• Civil: governs nation or state; manages
relationships/conflicts between organizational entities
and people.
• Criminal: addresses violations harmful to society;
actively enforced by the state
• Private: regulates relationships between individuals
and organizations.
• Public: regulates structure/administration of
government agencies and relationships with citizens,
employees, and other governments
Civil Cases
• According to the Michigan Association of Townships, “If
you decide to sue another person, an organization or a
business, your case is a civil case. Private individuals,
businesses or the government can sue other people and
organizations. The person who is suing is called the plaintiff
and the person who is being sued is called the defendant.
Some examples of civil cases are:
 A person who is hurt in a car accident sues the
driver of the other car;
• A worker sues his employer after the worker hurts
his back at work and can never work again;
• A homeowner who has hired a builder to build a
new kitchen sues the builder when the kitchen is
badly built and has to be fixed;
• A family sues their doctor when the doctor does not
discover that the mother has cancer in time for the
cancer to be treated.
Criminal Cases (MRTRK)
• Murder.
• Robbery.
• Treason.
• Rape.
• Kidnapping.
Private cases
• Divorce and Infidelity Investigations. The end of a
marriage often involves the loss of trust between
spouses. ...
• Child Custody Disputes. ...
• Finding Missing Loved Ones. ...
• Serving Legal Papers. ...
• Trial Preparation. ...
• Social Media Investigations. ...
• Background Investigations.
Relevant U.S. Laws
• United States has been a leader in the development and
implementation of information security legislation
• Implementation of information security legislation
contributes to a more reliable business environment and a
stable economy
• U.S. has demonstrated understanding of problems facing the
information security field; has specified penalties for
individuals and organizations failing to follow requirements
set forth in U.S. civil statutes
General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act):
cornerstone of many computer-related federal laws and
enforcement efforts
– The CFAA prohibits intentionally accessing a computer
without authorization or in excess of authorization, but fails to
define what “without authorization” means.
 National Information Infrastructure Protection Act of
1996 - Revises Federal criminal code provisions
regarding fraud and related activity in connection with
computers. Sets penalties with respect to anyone who
having knowingly accessed a computer without
authorization or exceeding authorized access, obtains
specified restricted information or data, and, with reason
to believe that such information could be used to the
injury of the United States or to the advantage of any
foreign nation, willfully communicates, delivers, or
transmits it to any person not entitled to receive it (or
causes or attempts such communication)
• National Information Infrastructure Protection Act of 1996:
– Modified several sections of the previous act and
increased the penalties for selected crimes
– Severity of penalties judged on the purpose
• For purposes of commercial advantage
• For private financial gain
• In furtherance of a criminal act
 USA PATRIOT Act of 2001: provides law enforcement
agencies with broader latitude in order to combat
terrorism-related activities
• USA PATRIOT Improvement and Reauthorization Act:
made permanent fourteen of the sixteen expanded powers of
the Department of Homeland Security and the FBI in
investigating terrorist activity
• Computer Security Act of 1987: one of the first attempts to
protect federal computer systems by establishing minimum
acceptable security practices
Privacy
• One of the hottest topics in information security
• Is a “state of being free from unsanctioned intrusion” -
lacking effective or authoritative approval or consent
• Ability to aggregate data from multiple sources allows
creation of information databases previously impossible
• The number of statutes addressing an individual’s right to
privacy has grown
• the state or condition of being free from being observed or
disturbed by other people
US Regulations
– Privacy of Customer Information Section of the common
carrier regulation
– Federal Privacy Act of 1974
– Electronic Communications Privacy Act of 1986
– Health Insurance Portability and Accountability Act of 1996
(HIPAA), aka Kennedy-Kassebaum Act
– Financial Services Modernization Act, or GrammLeach-
Bliley Act of 1999
Identity Theft
– Federal Trade Commission: “occurring when someone
uses your personally identifying information, like your name,
Social Security number, or credit card number, without your
permission, to commit fraud or other crimes”
– Fraud And Related Activity In Connection With
Identification Documents, Authentication Features, And
Information (Title 18, U.S.C. § 1028)
If someone suspects identity theft
– Report to the three dominant consumer reporting
companies that your identity is threatened
– Account
• Close compromised account
• Dispute accounts opened without permission
– Register your concern with the FTC
– Report the incident to either your local police or
police in the location where the identity theft
occurred
Health Insurance Portability and Accountability Act of
1996 (HIPAA)
• Protects the confidentiality and security of health care data
by establishing and enforcing standards and by standardizing
electronic data interchange
• Consumer control of medical information
• Boundaries on the use of medical information
• Accountability for the privacy of private information
• Balance of public responsibility for the use of medical
information for the greater good measured against impact to
the individual
• Security of health information
Export and Espionage Laws
• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999
(SAFE)
• The acts include provisions about encryption that:
– Reinforce the right to use or sell encryption
algorithms, without concern of key registration
– Prohibit the federal government from requiring it
– Make it not probable cause in criminal activity
– Relax export restrictions
– Additional penalties for using it in a crime
Economic Espionage Act of 1996 (EEA)
• Economic espionage is the unlawful or clandestine targeting
or acquisition of sensitive financial, trade or economic policy
information; proprietary economic information; or
technological information.
• An Act to punish acts of interference with the foreign
relations, and the foreign commerce of the United States, to
punish espionage, and better to enforce the criminal laws of
the United States, and for other purposes.
Security and Freedom Through Encryption (SAFE) Act
• Establishes in the Department of Justice (DOJ) a
National Electronic Technologies (NET) Center to:
(1) serve as a center for Federal, State, and local law
enforcement authorities for information and assistance
regarding decryption and other access requirements and for
industry and Government entities to exchange information and
methodology regarding information security techniques and
technologies;
(2) examine encryption techniques and methods to facilitate
the ability of law enforcement to gain efficient access to
plaintext of communications and electronic information;
(3) develop efficient methods and improve the efficiency of
existing methods of accessing such plaintext;
(4) investigate techniques and technologies to facilitate access
to communications and electronic information; and
(5) obtain information regarding the most current hardware,
software, telecommunications, and other capabilities to
understand how to access information transmitted across
networks.
U.S. Copyright Law
• Intellectual property recognized as protected asset in the
U.S.; copyright law extends to electronic formats
• With proper acknowledgment, permissible to include
portions of others’ work as reference
• U.S. Copyright Office Web site: www.copyright.gov
Financial Reporting
• Sarbanes-Oxley Act of 2002
• Affects executive management of publicly traded
corporations and public accounting firms
• Seeks to improve reliability and accuracy of financial
reporting and increase the accountability of corporate
governance
• Penalties for noncompliance range from fines to jail terms
• Reliability assurance will require additional emphasis on
confidentiality and integrity
Freedom of Information Act of 1966 (FOIA)
• Allows access to federal agency records or information not
determined to be matter of national security
• U.S. government agencies required to disclose any requested
information upon receipt of written request
• Some information protected from disclosure
State and Local Regulations
• Restrictions on organizational computer technology use exist
at international, national, state, local levels
• Information security professional responsible for
understanding state regulations and ensuring organization is
compliant with regulations
International Laws and Legal Bodies
• When organizations do business on the Internet, they do
business globally
• Professionals must be sensitive to laws and ethical values of
many different cultures, societies, and countries
• Because of political complexities of relationships among
nations and differences in culture, there are few international
laws relating to privacy and information security
• These international laws are important but are limited in their
enforceability
European Council Cyber-Crime Convention
• Establishes international task force overseeing Internet
security functions for standardized international technology
laws
• Attempts to improve effectiveness of international
investigations into breaches of technology law
• Well received by intellectual property rights advocates due to
emphasis on copyright infringement prosecution
• Lacks realistic provisions for enforcement
Agreement on Trade-Related Aspects of Intellectual
Property Rights
• Created by World Trade Organization (WTO)
• First significant international effort to protect intellectual
property rights
• Outlines requirements for governmental oversight and
legislation providing minimum levels of protection for
intellectual property
Agreement covers five issues:
– Application of basic principles of trading system and
international intellectual property agreements
– Giving adequate protection to intellectual property rights
– Enforcement of those rights by countries in their own
territories
– Settling intellectual property disputes
– Transitional arrangements while new system is being
introduced
Ethics and Information Security
• Many Professional groups have explicit rules governing
ethical behavior in the workplace
• IT and IT security do not have binding codes of ethics
• Professional associations and certification agencies work to
establish codes of ethics
– Can prescribe ethical conduct
– Do not always have the ability to ban violators
from practice in field
Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is
and is not ethical
• Difficulties arise when one nationality’s ethical behavior
conflicts with ethics of another national group
• Scenarios are grouped into:
– Software License Infringement
– Illicit Use
– Misuse of Corporate Resources
• Cultures have different views on the scenarios
Ethics and Education
• Overriding factor in levelling ethical perceptions within a
small population is education
• Employees must be trained in expected behaviors of an
ethical employee, especially in areas of information security
• Proper ethical training is vital to creating informed, well
prepared, and low-risk system user
Deterring Unethical and Illegal Behavior
• Three general causes of unethical and illegal behavior:
ignorance, accident, intent
• Deterrence: best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
Codes of Ethics and Professional Organizations
• Several professional organizations have established codes of
conduct/ethics
• Codes of ethics can have positive effect; unfortunately, many
employers do not encourage joining these professional
organizations
• Responsibility of security professionals to act ethically and
according to policies of employer, professional organization,
and laws of society
Major IT Professional Organizations (AISI)
• Association of Computing Machinery (ACM)
– Established in 1947 as “the world's first educational
and scientific computing society”
 – Code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’
intellectual property
 International Information Systems Security Certification
Consortium, Inc. (ISC)2
– Nonprofit organization focusing on development and
implementation of information security certifications and
credentials
– Code primarily designed for information security
professionals who have certification from (ISC)2
– Code of ethics focuses on four mandatory canons
 System Administration, Networking, and Security
Institute (SANS)
– Professional organization with a large membership
dedicated to protection of information and systems
– SANS offers set of certifications called Global
Information Assurance Certification (GIAC)
 Information Systems Audit and Control Association
(ISACA)
– Professional association with focus on auditing, control,
and security
– Concentrates on providing IT control practices and
standards
– ISACA has code of ethics for its professionals
Information Systems Security Association (ISSA)
– Nonprofit society of information security (IS)
professionals
– Primary mission to bring together qualified IS
practitioners for information exchange and educational
development
– Promotes code of ethics similar to (ISC)2, ISACA, and
ACM
Key U.S. Federal Agencies (DFNU)
• Department of Homeland Security (DHS)
– Made up of five directorates, or divisions
– Mission is to protect the people as well as the
physical and informational assets of the US
• Federal Bureau of Investigation’s National InfraGard
Program
– Maintains an intrusion alert network
– Maintains a secure Web site for communication
about suspicious activity or intrusions
– Sponsors local chapter activities
– Operates a help desk for questions
 National Security Agency (NSA)
– Is the Nation’s cryptologic organization
– Protects US information systems
– Produces foreign intelligence information
– Responsible for signal intelligence and information
system security
• U.S. Secret Service
– In addition to protective services, charged with the detection
and arrest of persons committing a federal office relating to
computer fraud or false identification
Introduction
• Organizations must design and create safe
environments in which business processes and
procedures can function
• Risk management: process of identifying and
controlling risks facing an organization
• Risk identification: process of examining an
organization’s current information technology
security situation
• Risk control: applying controls to reduce risks to an
organization’s data and information systems
Security Risk Management
• the ongoing process of identifying these security risks
and implementing plans to address them.
• Risk is determined by considering the likelihood that
known threats will exploit vulnerabilities and the
impact they have on valuable assets.
An Overview of Risk Management
• Know yourself: identify, examine, and understand
the information and systems currently in place
• Know the enemy: identify, examine, and understand
threats facing the organization
• Responsibility of each community of interest within
an organization to manage risks that are encountered
The Roles of the Communities of Interest
• Information security, management and users, and
information technology all must work together
• Communities of interest are responsible for:
– Evaluating the risk controls
– Determining which control options are cost
effective for the organization
– Acquiring or installing the needed controls
– Ensuring that the controls remain effective
Risk Identification
• Risk management involves identifying, classifying,
and prioritizing an organization’s assets
• A threat assessment process identifies and quantifies
the risks facing each asset
• Components of risk identification
– People
– Procedures
– Data
– Software
– Hardware
Plan and Organize the Process
• First step in the Risk Identification process is to
follow your project management principles
• Begin by organizing a team with representation
across all affected groups
• The process must then be planned out
 – Periodic deliverables
– Reviews
– Presentations to management
• Tasks laid out, assignments made and timetables
discussed
Figure 4-2 Components of Risk Identification
Asset Identification and Inventory
• Iterative process; begins with identification of assets,
including all elements of an organization’s system
(people, procedures, data and information, software,
hardware, networking)
• Assets are then classified and categorized
Table 4-1 Categorizing the Components of an Information
System
People, Procedures, and Data Asset Identification
• Human resources, documentation, and data
information assets are more difficult to identify
• Important asset attributes:
– People: position name/number/ID;
supervisor; security clearance level; special
skills
– Procedures: description; intended purpose;
what elements it is tied to; storage location
for reference; storage location for update
– Data: classification; owner/creator/
manager; data structure size; data structure
used; online/offline; location; backup
procedures employee
Hardware, Software, and Network Asset Identification
• What information attributes to track depends on:
– Needs of organization/risk management
efforts
– Preferences/needs of the security and
information technology communities
• Asset attributes to be considered are: name; IP
address; MAC address; element type; serial number;
manufacturer name; model/part number; software
version; physical or logical location; controlling
entity
• Automated tools can identify system elements for
hardware, software, and network components
Data Classification and Management
• Variety of classification schemes used by corporate
and military organizations
• Information owners responsible for classifying their
information assets
• Information classifications must be reviewed
periodically
• Most organizations do not need detailed level of
classification used by military or federal agencies;
however, organizations may need to classify data to
provide protection
• Security clearance structure
– Each data user assigned a single level of
authorization indicating classification level
– Before accessing specific set of data,
employee must meet need-to-know
requirement
• Management of Classified Data
• Storage, distribution, portability, and destruction of
classified data
• Clean desk policy
• Dumpster diving
Classifying and Prioritizing Information Assets
• Many organizations have data classification schemes
(e.g., confidential, internal, public data)
• Classification of components must be specific to
allow determination of priority levels
• Categories must be comprehensive and mutually
exclusive
Information Asset Valuation
• Questions help develop criteria for asset valuation
• Which information asset:
– Is most critical to organization’s success?
– Generates the most revenue/profitability?
– Would be most expensive to replace or
protect?
– Would be the most embarrassing or cause
greatest liability if revealed?
• Information asset prioritization
– QQCreate weighting for each category
based on the answers to questions
– Calculate relative importance of each asset
using weighted factor analysis
– List the assets in order of importance using a
weighted factor analysis worksheet
Identifying and Prioritizing Threats
• Realistic threats need investigation; unimportant
threats are set aside
• Threat assessment:
– Which threats present danger to assets?
– Which threats represent the most danger to
information?
– How much would it cost to recover from
attack?
– Which threat requires greatest expenditure
to prevent?

Table 4-3 Threats to Information Security5
Vulnerability Identification
• Specific avenues threat agents can exploit to attack
an information asset are called vulnerabilities
• Examine how each threat could be perpetrated and
list organization’s assets and vulnerabilities
• Process works best when people with diverse
backgrounds within organization work iteratively in a
series of brainstorming sessions
• At end of risk identification process, list of assets and
their vulnerabilities is achieved
Risk Assessment
• Risk assessment evaluates the relative risk for each
vulnerability
• Assigns a risk rating or score to each information
asset
• The goal at this point: create a method for evaluating
the relative risk of each listed vulnerability
Likelihood
• The probability that a specific vulnerability will be
the object of a successful attack
• Assign numeric value: number between 0.1 (low) and
1.0 (high), or a number between 1 and 100
• Zero not used since vulnerabilities with zero
likelihood are removed from asset/vulnerability list
• Use selected rating model consistently
• Use external references for values that have been
reviewed/adjusted for your circumstances
Risk Determination
• For the purpose of relative risk assessment:
– Risk EQUALS
– Likelihood of vulnerability occurrence
– TIMES value (or impact)
– MINUS percentage risk already controlled
– PLUS an element of uncertainty
Identify Possible Controls
• For each threat and associated vulnerabilities that
have residual risk, create preliminary list of control
ideas
• Residual risk is risk that remains to information asset
even after existing control has been applied
• There are three general categories of controls:
– Policies
– Programs
– Technologies
Documenting the Results of Risk Assessment
• Final summary comprised in ranked vulnerability risk
• Worksheet details asset, asset impact, vulnerability,
vulnerability likelihood, and risk-rating factor
• Ranked vulnerability risk worksheet is initial
working document for next step in risk management
process: assessing and controlling risk
Risk Control Strategies
• Once ranked vulnerability risk worksheet complete,
must choose one of five strategies to control each
risk:
– Defend
– Transfer
– Mitigate - Lessening the likelihood and/or
impact of the risk, but not fixing it entirely.
– Accept
– Terminate
Defend
• Attempts to prevent exploitation of the vulnerability
• Preferred approach
• Accomplished through countering threats, removing
asset vulnerabilities, limiting asset access, and adding
protective safeguards
• Three common methods of risk avoidance:
– Application of policy
– Training and education
– Applying technology
Transfer
• Control approach that attempts to shift risk to other
assets, processes, or organizations
• If lacking, organization should hire individuals/firms
that provide security management and administration
expertise
• Organization may then transfer risk associated with
management of complex systems to another
organization experienced in dealing with those risks
Mitigate
• Attempts to reduce impact of vulnerability
exploitation through planning and preparation
• Approach includes three types of plans
– Incident response plan (IRP): define the
actions to take while incident is in progress
– Disaster recovery plan (DRP): most
common mitigation procedure
– Business continuity plan (BCP):
encompasses continuation of business
activities if catastrophic event occurs
Accept
• Doing nothing to protect a vulnerability and
accepting the outcome of its exploitation
 • Valid only when the particular function, service,
information, or asset does not justify cost of
protection
Terminate
• Directs the organization to avoid those business
activities that introduce uncontrollable risks
• May seek an alternate mechanism to meet customer
needs
Selecting a Risk Control Strategy
• Level of threat and value of asset play major role in
selection of strategy
• Rules of thumb on strategy selection can be applied:
– When a vulnerability exists
– When a vulnerability can be exploited
– When attacker’s cost is less than potential
gain
– When potential loss is substantial
Feasibility Studies
• Before deciding on strategy, all information about
economic/noneconomic consequences
vulnerability of information asset must be explored
• A number of ways exist to determine advantage of a
specific control
Cost Benefit Analysis (CBA)
• Begun by evaluating worth of assets to be protected
and the loss in value if they are compromised
• The formal process to document this is called cost
benefit analysis or economic feasibility study
• Items that affect cost of a control or safeguard
include: cost of development or acquisition; training
fees; implementation cost; service costs; cost of
maintenance
• Benefit: value an organization realizes using controls
to prevent losses from a vulnerability
• Asset valuation: process of assigning financial value
or worth to each information asset
• Process result is estimate of potential loss per risk
• Expected loss per risk stated in the following
equation:
• Annualized loss expectancy (ALE) =
single loss expectancy (SLE) ×
annualized rate of occurrence (ARO)
• SLE = asset value × exposure factor (EF)
The Cost Benefit Analysis (CBA) Formula
• CBA determines if alternative being evaluated is
worth cost incurred to control vulnerability
– CBA most easily calculated using ALE from
earlier assessments, before implementation
of proposed control:
• CBA = ALE(prior) – ALE(post) –
ACS
– ALE(prior) is annualized loss expectancy of
risk before implementation of control
– ALE(post) is estimated ALE based on
control being in place for a period of time
– ACS is the annualized cost of the safeguard
Evaluation, Assessment, and Maintenance of Risk Controls
• Selection and implementation of control strategy is
not end of process
• Strategy and accompanying controls must be
monitored/reevaluated on ongoing basis to determine
effectiveness and to calculate more accurately the
estimated residual risk
• Process continues as long as organization continues
to function
Quantitative versus Qualitative Risk Control Practices
• Performing the previous steps using actual values or
estimates is known as quantitative assessment
• Possible to complete steps using evaluation process
based on characteristics using nonnumerical
of
measures; called qualitative assessment
• Utilizing scales rather than specific estimates relieves
organization from difficulty of determining exact
values
Benchmarking and Best Practices
• An alternative approach to risk management
• Benchmarking: process of seeking out and studying
practices in other organizations that one’s own
organization desires to duplicate
• One of two measures typically used to compare
practices:
– Metrics-based measures
– Process-based measures
• Standard of due care: when adopting levels of
security for a legal defense, organization shows it has
done what any prudent organization would do in
similar circumstances
• Due diligence: demonstration that organization is
diligent in ensuring that implemented standards
continue to provide required level of protection
• Failure to support standard of due care or due
diligence can leave organization open to legal
liability
• Best business practices: security efforts that provide a
superior level of information protection
• When considering best practices for adoption in an
organization, consider:
 – Does organization resemble identified target
with best practice?
– Are resources at hand similar?
– Is organization in a similar threat
environment?
• Problems with the application of benchmarking and
best practices
– Organizations don’t talk to each other
(biggest problem)
– No two organizations are identical
– Best practices are a moving target
– Knowing what was going on in information
security industry in recent years through
benchmarking doesn’t necessarily prepare
for what’s next
• Baselining
– Analysis of measures against established
standards
– In information security, baselining is
comparison of security activities and events
against an organization’s future performance
– Useful during baselining to have a guide to
the overall process
Other Feasibility Studies
• Organizational: examines how well proposed IS
alternatives will contribute to organization’s
efficiency, effectiveness, and overall operation
• Operational: examines user and management
acceptance and support, and the overall requirements
of the organization’s stakeholders
• Technical: examines if organization has or can
acquire the technology necessary to implement and
support the control alternatives
• Political: defines what can/cannot occur based on
consensus and relationships
Risk Management Discussion Points
• Organization must define level of risk it can live with
• Risk appetite: defines quantity and nature of risk that
organizations are willing to accept as trade-offs
between perfect security and unlimited accessibility
• Residual risk: risk that has not been completely
removed, shifted, or planned for
Documenting Results
• At minimum, each information asset-threat pair
should have documented control strategy clearly
identifying any remaining residual risk
• Another option: document outcome of control
strategy for each information asset-vulnerability pair
as an action plan
• Risk assessment may be documented in a topic-
specific report
Recommended Risk Control Practices
• Convince budget authorities to spend up to value of
asset to protect from identified threat
• Final control choice may be balance of controls
providing greatest value to as many asset-threat pairs
as possible
• Organizations looking to implement controls that
don’t involve such complex, inexact, and dynamic
calculations
Summary
• Risk identification: formal process of examining and
documenting risk in information systems
• Risk control: process of taking carefully reasoned
steps to ensure the confidentiality, integrity, and
availability of components of an information system
• Risk identification
– A risk management strategy enables
identification, classification, and
prioritization of organization’s information
assets
– Residual risk: risk remaining to the
information asset even after the existing
control is applied
• Risk control: five strategies are used to control risks
that result from vulnerabilities:
– Defend, Transfer, Mitigate, Accept,
Terminate
• Selecting a risk control strategy
1. Cost Benefit Analysis 2. Feasibility Study
• Qualitative versus Quantitative Risk Control
– Best Practices and Benchmarks
– Organizational Feasibility, Operational
Feasibility, Technical Feasibility, and
Political Feasibility
• Risk Appetite: organizational risk tolerance
• Residual risk: risk remaining after application of risk
controls
Introduction
• Creation of information security program begins with
creation and/or review of an organization’s
information security policies, standards, and practices
• Then, selection or creation of information security
architecture and the development and use of a
detailed information security blueprint creates a plan
for future success
• Without policy, blueprints, and planning, an
organization is unable to meet information security
needs of various communities of interest
Information Security Planning and Governance
• Planning levels
 • Planning and the CISO
• Information Security Governance
– Governance:
• Set of responsibilities and practices
exercised by the board and
executive management
• Goal to provide strategic direction,
ensuring that objectives are
achieved
• Ascertaining that risks are managed
appropriately and verifying that the
enterprise’s resources are used
responsibly
• Information Security Governance outcomes
– Five goals
• Strategic alignment
• Risk management
• Resource management
Performance measures
• Value delivery
• Governance framework
Information Security Policy, Standards,
and Practices
• Communities of interest must consider policies as the
basis for all information security efforts
• Policies direct how issues should be addressed and
technologies used
• Policies should never contradict law
• Security policies are the least expensive controls to
execute but most difficult to implement properly
• Shaping policy is difficult
Definitions
• Policy: course of action used by organization to
convey instructions from management to those who
perform duties
• Policies are organizational laws
• Standards: more detailed statements of what must be
done to comply with policy -
• Practices, procedures, and guidelines effectively
explain how to comply with policy
• For a policy to be effective, it must be properly
disseminated, read, understood, and agreed to by all
members of organization and uniformly enforced
Standard in IS
• ISO/IEC 27001 is used worldwide as a yardstick to
indicate effective information security management.
It is the only generally recognized certification
standard for information and cyber security.
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for all
security efforts within the organization
• Executive-level document, usually drafted by or with
CIO of the organization
• Typically addresses compliance in two areas
– Ensure meeting requirements to establish
program and responsibilities assigned
therein to various organizational
components
– Use of specified penalties and disciplinary
action
• EISP elements
EISP Elements
• An overview of the corporate philosophy on security
• Information on the structure of the information
security organization and individuals who fulfill the
information security role
• Fully articulated responsibilities for security that are
shared by all members of the organization
(employees, contractors, consultants, partners, and
visitors)
• Fully articulated responsibilities for security that are
unique to each role within the organization
Organizational Specific Policy
• Every organization should have an organizational (or
master) security policy. This policy is a strategic plan
that presents the value of security to the organization
and discusses the importance of security in all of the
various activities within the organization. Features of
an organizational security policy include defining
roles, audit requirements, enforcement procedures,
compliance requirements, and acceptable risk levels.
Issue Specific Security Policy
• An issue-specific security policy focuses on a
function or service within the organization that has
distinct security requirements. Examples of issue-
specific policies include an email policy, a media
disposal policy, or a physical security policy.
System Specific Security Policy
• A system-specific security policy is concerned with
specific systems or types of system. It describes
hardware and software approved for that system and
how that system is to be protected.
Issue-Specific Security Policy (ISSP)
• The ISSP:
– Addresses specific areas of technology
– Requires frequent updates
– Contains statement on organization’s
position on
specific issue
• Three approaches when creating and managing
ISSPs:
– Create a number of independent ISSP
documents
– Create a single comprehensive ISSP
document
 – Create a modular ISSP document
• Components of the policy
– Statement of Policy
– Authorized Access and Usage of Equipment
– Prohibited Use of Equipment
– Systems Management
– Violations of Policy
– Policy Review and Modification
– Limitations of Liability
Systems-Specific Policy (SysSP)
• SysSPs frequently function as standards and
procedures used when configuring or maintaining
systems
• Systems-specific policies fall into two groups
– Managerial guidance
– Technical specifications
• ACLs can restrict access for a particular user,
computer, time, duration—even a particular file
• Configuration rule policies
• Combination SysSPs
Policy Management
• Policies must be managed as they constantly change
• To remain viable, security policies must have:
– Individual responsible for the policy (policy
administrator)
– A schedule of reviews
– Method for making recommendations for
reviews
– Specific policy issuance and revision date
– Automated policy management
The Information Security Blueprint
• Basis for design, selection, and implementation of all
security policies, education and training programs,
and technological controls
• More detailed version of security framework (outline
of overall information security strategy for
organization)
• Should specify tasks to be accomplished and the
order in which they are to be realized
• Should also serve as scalable, upgradeable, and
comprehensive plan for information security needs
for coming years
The ISO 27000 Series
• One of the most widely referenced and often
discussed security models
• Framework for information security that states
organizational security policy is needed to provide
management direction and support
• Purpose is to give recommendations for information
security management
• Provides a common basis for developing
organizational security
NIST Security Models
• Documents available from Computer Security
Resource Center of NIST
– SP 800-12, The Computer Security
Handbook
– SP 800-14, Generally Accepted Principles
and Practices for Securing IT Systems
– SP 800-18, The Guide for Developing
Security Plans for IT Systems
– SP 800-26, Security Self-Assessment Guide
for Information Technology Systems
– SP 800-30, Risk Management Guide for
Information Technology Systems
NIST Special Publication 800-14
• Security supports mission of organization; is an
integral element of sound management
• Security should be cost effective; owners have
security responsibilities outside their own
organizations
• Security responsibilities and accountability should be
made explicit; security requires a comprehensive and
integrated approach
• Security should be periodically reassessed; security is
constrained by societal factors
• 33 principles for securing systems
IETF Security Architecture
• Security Area Working Group acts as advisory board
for protocols and areas developed and promoted by
the Internet Society
• RFC 2196: Site Security Handbook covers five basic
areas of security with detailed discussions on
development and implementation
Baselining and Best Business Practices
• Baselining and best practices are solid methods for
collecting security practices, but provide less detail
than a complete methodology
• Possible to gain information by baselining and using
best practices and thus work backwards to an
effective design
• The Federal Agency Security Practices (FASP) site
(http://csrc.nist.gov/groups/SMA/fasp ) is designed to
provide best practices for public agencies and is
adapted easily to private institutions
Design of Security Architecture
• Spheres of security: foundation of the security
framework
• Levels of controls
– Management controls : cover security
processes designed by strategic planners and
performed by security administration
– Operational controls deal with operational
functionality of security in organization
– Technical controls address tactical and
technical implementations related to
designing and implementing security in
organization

• Defense in depth
– Implementation of security in layers
– Requires that organization establish
sufficient security controls and safeguards
so that an intruder faces multiple layers of
controls
• Security perimeter
– Point at which an organization’s security
protection ends and outside world begins
– Does not apply to internal attacks from
employee threats or on-site physical threats
• Firewall: device that selectively discriminates against
information flowing in or out of organization
• DMZs: no-man’s land between inside and outside
networks where some place Web servers
• Proxy servers: performs actions on behalf of another
system
• Intrusion detection systems (IDSs): in effort to detect
unauthorized activity within inner network, or on
individual machines, organization may wish to
implement an IDS
Security Education, Training, and Awareness Program
• As soon as general security policy exists, policies to
implement security education, training, and
awareness (SETA) program should follow
• SETA is a control measure designed to reduce
accidental security breaches
• Security education and training builds on the general
knowledge the employees must possess to do their
jobs, familiarizing them with the way to do their jobs
securely
• The SETA program consists of: security education;
security training; and security awareness
Security Education
• Everyone in an organization needs to be trained and
aware of information security; not every member
needs formal degree or certificate in information
security
• When formal education for individuals in security is
needed, an employee can identify curriculum
available from local institutions of higher learning or
continuing education
• A number of universities have formal coursework in
information security
Security Training
• Involves providing members of organization with
detailed information and hands-on instruction
designed to prepare them to perform their duties
securely
• Management of information security can develop
customized in-house training or outsource the
training program
• Alternatives to formal training include conferences
and programs offered through professional
organizations
Security Awareness
• One of least frequently implemented but most
beneficial programs is the security awareness
program
• Designed to keep information security at the forefront
of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented,
employees begin to “tune out” and risk of employee
accidents and failures increases
Continuity Strategies
• Incident response plans (IRPs); disaster recovery
plans (DRPs); business continuity plans (BCPs)
• Primary functions of above plans
– IRP focuses on immediate response; if
attack escalates or is disastrous, process
changes to disaster recovery and BCP
– DRP typically focuses on restoring systems
after disasters occur; as such, is closely
associated with BCP
– BCP occurs concurrently with DRP when
damage is major or long term, requiring
more than simple restoration of information
and information resources
• Before planning can actually begin, a team has to
plan the effort and prepare resulting documents
• Champion: high-level manager to support, promote,
and endorse findings of project
• Project manager: leads project and makes sure sound
project planning process is used, a complete and
useful project plan is developed, and project
resources are prudently managed
• Team members: should be managers, or their
representatives, from various communities of
interest: business, IT, and information security
Business Impact Analysis (BIA)
• Investigation and assessment of the impact that
various attacks can have on the organization
• Assumes security controls have been bypassed, have
failed, or have proven ineffective, and attack has
succeeded
• Stages of BIA
– Threat attack identification and prioritization
– Business unit analysis
– Attack success scenario development
– Potential damage assessment
– Subordinate plan classification
Incident Response Planning
• Incident response planning covers identification of,
classification of, and response to an incident
• Attacks classified as incidents if they:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten confidentiality, integrity, or
availability of information resources
• Incident response (IR) is more reactive than
proactive, with the exception of planning that must
occur to prepare IR teams to be ready to react to an
incident
• Incident Planning
– First step in overall process of incident
response planning
– Predefined responses enable organization to
react quickly and effectively to detected
incident if:
• Organization has IR team
• Organization can detect incident
– IR team consists of individuals needed to
handle systems as incident takes place
– Planners should develop guidelines for
reacting to and recovering from incident
• Incident response plan
– Format and content
– Storage
– Testing
• Incident detection
– Most common occurrence is complaint
about technology support, often delivered to
help desk
– Careful training needed to quickly identify
and classify an incident
– Once attack is properly identified,
organization can respond
• Incident reaction
– Consists of actions that guide organization
to stop incident, mitigate the impact of
incident, and provide information for
recovery from incident
– Actions that must occur quickly:
• Notification of key personnel
• Documentation of incident
• Incident containment strategies
– First the areas affected must be determined
– Organization can stop incident and attempt
to recover control through a number or
strategies
• Incident recovery
– Once incident has been contained and
control of systems regained, the next stage is
recovery
– First task is to identify human resources
needed and launch them into action
– Full extent of the damage must be assessed
– Organization repairs vulnerabilities,
addresses any shortcomings in safeguards,
and restores data and services of the systems
• Damage assessment
– Several sources of information on damage,
including system logs; intrusion detection
logs; configuration logs and documents;
documentation from incident response; and
results of detailed assessment of systems and
data storage
– Computer evidence must be carefully
collected, documented, and maintained to be
acceptable in formal or informal
proceedings
– Individuals who assess damage need special
training
• Automated response
– New systems can respond to incident threat
autonomously
– Downsides of current automated response
systems may outweigh benefits
• Legal liabilities of a counterattack
• Ethical issues
Disaster Recovery Planning
• Disaster recovery planning (DRP) is planning the
preparation for and recovery from a disaster
• The contingency planning team must decide which
actions constitute disasters and which constitute
incidents
• When situations classified as disasters, plans change
as to how to respond; take action to secure most
valuable assets to preserve value for the longer term
• DRP strives to reestablish operations at the primary
site
Business Continuity Planning
• Outlines reestablishment of critical business
operations during a disaster that impacts operations
• If disaster has rendered the business unusable for
continued operations, there must be a plan to allow
business to continue functioning
• Development of BCP is somewhat simpler than IRP
or DRP
– Consists primarily of selecting a continuity
strategy and integrating off-site data storage
and recovery functions into this strategy
• Continuity strategies
– There are a number of strategies for
planning for business continuity
– Determining factor in selecting between
options is usually cost
– Dedicated recovery site options
• Hot sites – fully operational sites
• Warm sites – fully operational
hardware but software may not be
present
• Cold sites – rudimentary services
and facilities
• Shared site options: time-share, service bureaus, and
mutual agreements
• Time-share - A hot, warm, or cold site that is leased
in conjunction with a business partner or sister
organization
• Service Bureaus – An agency that provides a service
for a fee.
• Mutual agreement - A contract between two or more
organizations that specifies how each will assist the
other in the event of a disaster.
 • Off-Site disaster data storage
– To get sites up and running quickly, an
organization must have the ability to port
data into new site’s systems
– Options for getting operations up and
running include:
• Electronic vaulting
• Remote journaling
• Database shadowing
Crisis Management
• Actions taken during and after a disaster that focus on
people involved and address viability of business
• What may truly distinguish an incident from a
disaster are the actions of the response teams
• Disaster recovery personnel must know their roles
without any supporting documentation
– Preparation
– Training
– Rehearsal
• Crisis management team is responsible for managing
event from an enterprise perspective and covers:
– Supporting personnel and families during
crisis
– Determining impact on normal business
operations and, if necessary, making disaster
declaration
– Keeping the public informed
– Communicating with major customers,
suppliers, partners, regulatory agencies,
industry organizations, the media, and other
interested parties
Model for a Consolidated Contingency Plan
• Single document set approach supports concise
planning and encourages smaller organizations to
develop, test, and use IR and DR plans
• Model is based on analyses of disaster recovery and
incident response plans of dozens of organizations
• The planning document
• Six steps in contingency planning process
• Identifying mission- or business-critical
functions
• Identifying resources that support critical
functions
• Anticipating potential contingencies or
disasters
• Selecting contingency planning strategies
• Implementing contingency strategies
• Testing and revising strategy
Law Enforcement Involvement
• When incident at hand constitutes a violation of law,
organization may determine involving law
enforcement is necessary
• Questions:
– When should law enforcement involved?
– What level of law enforcement agency
should be involved (local, state, federal)?
– What happens when law enforcement
agency is involved?
• Some questions are best answered by the legal
department
Benefits and Drawbacks of Law Enforcement Involvement
• Involving law enforcement agencies has advantages:
– Agencies may be better equipped at
processing evidence
– Organization may be less effective in
convicting suspects
– Law enforcement agencies are prepared to
handle any necessary warrants and
subpoenas
– Law enforcement is skilled at obtaining
witness statements and other information
collection
• Involving law enforcement agencies has
disadvantages:
– Once a law enforcement agency takes over
case, organization cannot control chain of
events
– Organization may not hear about case for
weeks or months
– Equipment vital to the organization’s
business may be tagged as evidence
– If organization detects a criminal act, it is
legally obligated to involve appropriate law
enforcement officials
Summary
• Management has essential role in development,
maintenance, and enforcement of information
security policy, standards, practices, procedures, and
guidelines
• Information security blueprint is planning document
that is basis for design, selection, and implementation
of all security policies, education and training
programs, and technological controls
• Information security education, training, and
awareness (SETA) is control measure that reduces
accidental security breaches and increases
organizational resistance to many other forms of
attack
• Contingency planning (CP) made up of three
components: incident response planning (IRP),
disaster recovery planning (DRP), and business
continuity planning (BCP)