1.11.22.1Negotiating Intimacy, Equality and Sexual.docx

1.1
1.2
2.1
Negotiating Intimacy, Equality and Sexuality in
the Transition to Parenthood
by Charlotte Faircloth
University of Roehampton
Sociological Research Online, 20 (4), 3
<http://www.socresonline.org.uk/20/4/3.html>
DOI: 10.5153/sro.3705
Received: 9 Dec 2014 | Accepted: 12 Jun 2015 | Published: 30
Nov 2015
Abstract
Whilst both 'parenting' and 'intimacy' have been explored
extensively in recent social scientific research (for example,
Lee et al
2014,Gabb and Silva 2011 ), their intersections in the context of
family life remain curiously absent. This paper presents
findings from
on-going longitudinal research with parents in London, which
investigates how the care of children, and particularly the
feeding of
infants, affects the parental couple's 'intimate' relationship. In
particular, as part of this special section, it looks at couples'

accounts of
sex as they make the transition to parenthood, as a lens on the
themes of gender, intimacy and equality. Far from being an easy
relationship between them, as predicted by some scholars, this
research shows that they are in fact, 'uncomfortable bedfellows'.
Keywords: Parenting, Gender, Intimacy, Equality, Sex, Couples
Negotiating intimacy, equality and sexuality in the transition to
parenthood
Based on longitudinal work with new parents in London, this
paper draws on research which
investigates how the care of children, and particularly the
feeding of infants, affects the parental couple's intimate
relationship. To that end, it brings together two (traditionally
distinct) bodies of literature – one calling attention to
a shift in British parenting culture towards a more 'intensive'
and 'child-centred' form of care, the other, looking at
changes to intimate relationships in an age of 'reflexive
modernisation' and greater gender equality. Specifically,
this paper focuses in on couples' accounts of sex as they make
the transition to parenthood, as a lens on the
themes of gender, intimacy and equality.
Whilst intimacy itself can incorporate a range of different
practices, as a vehicle for intimacy, sexual
intercourse often serves as a barometer for couples in how they
assess the quality of their relationship (Weeks
1995). In line with other papers in this special section, then, the
research shows that far from being a
straightforward correlation between gender equality and greater
intimacy, (as predicted by Giddens et al 1992),
the two are, in fact, 'uncomfortable bedfellows', particularly
once couples become parents. The article briefly
reviews the two bodies of literature, explains the policy context
around parental leave and childcare in the UK,

discusses the study methodology, and then presents findings,
analysis and discussion by way of conclusion.
Theoretical background: Intimacy and parenting
As Gabb and Silva (2011) note, the 'conceptual challenge to
researchers working in the field of family
and relationship studies…is how to carry on building concepts
and finding new methods to capture the vitality of
personal relationships while keeping sight of the social
contexts, patterns and practices of contemporary intimate
life' (1.1, 2011). Famously, work by Giddens (1992), Bauman
(2005) Beck (1992) Beck and Beck-Gernsheim
(1995) and others has explored shifting patterns of intimacy in
the contemporary age of 'individualisation'.
Broadly speaking, this body of work argued that, in the age of
'reflexive modernisation', there had been a shift
away from traditional, patriarchal couple relationships, based on
an inherent inequality between men and
women, toward a more equitable, mutually fulfilling model,
accompanied by the rise of a more 'plastic' sexuality in
http://www.socresonline.org.uk/20/4/3.html 1 30/11/2015
http://www.socresonline.org.uk/20/4/3/faircloth.html
http://crossmark.crossref.org/dialog/?doi=10.5153%2Fsro.3705
&domain=pdf&date_stamp=2015-11-30
2.2
2.3
2.4
2.5

2.6
particular (Giddens 1992; this special section). Giddens argued
that in the late twentieth century, in the place of
traditional patterns of marriage, for example, individuals
became more aware of the need for a fulfilling
relationship, based on 'confluent love'; one that is active and
contingent. The 'pure relationship', which is not
bound by traditional notions of duty and obligation, has come to
depend, instead, on communication and
negotiation. The implication of this work is both that greater
equality leads to greater intimacy, and that this is a
desirable aspiration for contemporary relationships.
Since this work was published, however, scholars working in
the field of family and relationship studies
have critiqued the model, arguing for a more nuanced
perspective, grounded in the realities of everyday
experience. Specifically, Gabb and Silva identify three main
strands of thinking which have been particularly
influential in shaping and reorienting contemporary UK family
and relationship studies over the past 15 years,
since the publication of Beck and Giddens' work, including
Morgan's notion of 'doing family' as sets of
expectations and obligations connected to kin relations (1996);
Smart's conception of 'personal life' beyond that
of the family (2007); and Jamieson's notion of intimacy defined
as 'any form of close association in which people
acquire familiarity, that is shared detailed knowledge about
each other' (Jamieson 1998: 8).
The last of these is particularly relevant here, specifically as it
relates to changes in the division of labour
between couples once children arrive. For Jamieson, '[t]he
majority of people in Euro-North American societies
have lives which are sufficiently privileged to seek 'good

relationships' which are not dominated by necessity.
However [even then] most personal relationships include a mix
of love, care, sharing, understanding and
knowing, which involve a degree of relying on, needing or
depending on the other, if not desperate necessity'
(1998: 174).
The intention here is to bring this perspective on intimacy to
bear on the subject of parenting, my own
area of research to date (Faircloth 2013). The underlying
argument of that work was that there has been a
significant shift in 'parenting culture' in the UK over the last
twenty years. The word 'parent', for example, has
shifted from a noun denoting a relationship with a child
(something you are), to a verb (something you do).
Parenting is now an occupation in which adults (particularly
mothers) are expected to be emotionally absorbed
and become personally fulfilled; it is also a growing site of
interest to policy makers, thought to be both the cause
of, and solution to, a whole host of social problems (Lee et al
2014). 'Ideal' parenting is financially, physically and
emotionally intensive, and parents are encouraged to spend a
large amount of time, energy and money in raising
their children, often with the aid of 'experts' (Hays 1996).
Whilst this ideology of parenting is not carried out by all
parents, or affects all parents in the same way, it nevertheless
serves as an ideal standard to which all become
accountable (Arendell 2000). This 'intensive parenting' climate,
as several scholars have now argued, has
changed how parents experience their social role, to the point
that one's style of parenting has become more and
more central to adult 'identity-work' (for example, whether one
is a 'Tiger Mother', an 'Attachment Parent' or a
'Gina Fordist '). Drawing on Goffman (1959) this term is used in
place of a more static 'identity' to highlight the
active processes by which identity is constructed, and the

inherently social nature of this enterprise, as opposed
to being simply a means of self-expression (Faircloth 2013).
Accounts of the development of this 'intensive parenting'
culture, including my own, have emphasized
how it influences mothers in particular, noting how the demands
placed on women in their role as mothers have
intensified as women have continued to enter the labour market
(rather than decrease, as one might expect).
Partly as a means to counter this imbalance, which sees women
working the 'double shift' Hochschild (2003),
British society has witnessed the construction of the 'involved
father' – mirroring, to some extent the more familiar
'intensification' of motherhood (Dermott 2008, Miller 2011).
Men are increasingly encouraged to be 'engaged' in
childcare, with a particular emphasis on the importance of
creating a close emotional connection with children, in
place of the more traditional model of the patriarchal
breadwinner (Dermott 2008, Lee et. al 2014). Involved
fatherhood is also promoted as a means of building stronger
communities, with a particular concern about rates
of single motherhood in poorer communities (BBC 2007). Not
surprisingly, then, accounts from sociologists
reveal that fatherhood is becoming more and more central to
men's 'identity work' in their accounts of personal
life.
Yet whilst discursively fathers may be encouraged to be
'involved' in parenting and take more of an
equal load of childcare, in reality, it is women who continue to
shoulder most of the responsibility for this (Dermott
2008, Lee et. al 2014). It is women who typically take extended
periods of time away from paid work, and move
to part-time hours when they do return to the work place, if they
return at all. What is more, despite this emphasis
on the importance of splitting responsibilities, optimal infant

care as promoted by the state is an inherently
gendered, embodied one: women are strongly encouraged to
breastfeed their babies by health professionals and
[1]
2.7
3.1
3.2
3.3
3.4
4.1
policy makers, particularly in the early months, a practice which
has a cascading impact on many other aspects
of infant care (such as soothing and sleeping).
To heed Jamieson's caution again, then, we need to consider
how relationships alter when children
arrive, and the increased 'necessity' and 'dependence' they create
between partners. How, for example, does
'plastic sexuality' work in the context of parenthood, for both
men and women? Does the equitable model of the
'new fatherhood' fit into this picture, or does the reality of life
as parents inevitably engender a more traditional
family set up? And finally, how does the state provision of care
affect couples' 'choices' in this matter? The

analysis therefore moves to consider the role of the state in
creating and sustaining gender roles in parenting
culture.
The policy context: Parental leave and childcare provision
Since April 2011 (replacing the previous arrangement of twelve
months leave for mothers, two weeks for
partners) employed mothers who return to work before their
child is twelve months old have been able, in effect,
to transfer any outstanding leave (of up to six months) to the
father or partner. Her leave is calculated at 90% of
her previous earnings for the first six weeks, the middle 33
weeks at a statutory rate of around £130/week, and
then unpaid leave for the final 13 weeks (although some women
may have this 'topped up' by their employers).
Additional paternity leave is calculated as the last six months of
a mother's leave – i.e, three months of statutory
leave, then three months of unpaid leave. Currently, the couple
can only take this sequentially. In the last few
months, however, new proposals have been legislated which
will alter this provision again, as of April 2015, so
that the couple will have more flexibility in how to divide their
leave, with the entire year being taken by the
partner, after a period of medical leave by the mother, and/or
leave taken concurrently (Guardian 2015).
Critics have some reservations about this new leave structure,
because whilst the discourse is there
around equality, the financial support (or supportive bosses)
may not be. As Asher says 'Parents may worry
about fathers taking the earnings hit involved… Fathers may
fear alienating bosses by going on extended
paternity leave. Families in which mothers can afford not to
return to work earlier than twelve months may be
minded to stick with the status quo: habits within the household
have already been formed at this stage in the

leave period; and women may be reluctant to give up what has
been established as 'their' leave.' (2011:52-3).
Indeed estimates put the percentage of eligible men who
actually take up any or all of this leave at only 1.437.
Furthermore, after the initial 12-month leave period, parents
often find themselves in a more financially
taxing situation than before. The average cost for a full-time
nursery place/after school club for one child in
London in 2014 was £189.16/week, or nearly £10,000/annum,
with only a limited amount of this paid for out of
pre-tax earnings (Daycare Trust 2014). For many couples,
childcare becomes an expense narrowly second to a
mortgage repayment. In a city like London, which typically
requires a considerable commute to work places,
many parents also require 'wrap-around care' in the form of a
nanny or breakfast club to cover the period before
a nursery opens or when it closes and they are able to reach
home. At three years old, all children currently
qualify for 15 hours of free nursery care per week (and some 2
year olds do in deprived areas), although this
frequently has to be taken in regular shifts (for example, five
mornings between 9am-12pm), which clearly
requires considerable top-up if both parents are working.
Where childcare is largely seen as the responsibility of the
family (as opposed to a state provision, as it
might be in other European countries, for example), it will
clearly sit uncomfortably with a dual-earner family set-
up. The cost of care in the UK means that for many couples,
what makes 'most sense' is for the lower-earner to
be the one who cuts back their hours, or stops work entirely,
whilst the other acts as a breadwinner, particularly if
they have more than one child. (It is worth reiterating here then
that whilst it is more noticeable after the birth of
children, a gender pay gap continues to exist before this point

too). Indeed, even for those in professional
occupations, and earning over the average wage (£476/week or
£24,750/annum) , the reality is effectively to
start living on the equivalent of one salary anyway – either
because one person stops work entirely, or because
one salary's worth of post-tax pay is spent on childcare.
Methods
This paper presents preliminary findings from an on-going study
which includes repeat in-depth
interviews with 30 participants (15 first-time parent,
heterosexual couples), one-off interviews with a further 10
participants (5 couples who were lesbian, gay, and/or second
time parents), and a survey with a sample of 125
parents (distributed via Qualtrics to a demographically diverse
panel of parents in the UK with children under a
year old). The intention of the study as a whole was to explore
the relationship between gender, equality and
[2]
[3]
4.2
4.3
4.4
4.5
4.6

4.7
intimacy as couples make the transition to parenthood.
Where other publications from the project look more
specifically at the corrosive effect of this child-
centred parenting on the couple relationship, or at the
theoretical contradictions of policy measures designed to
promote 'equality' in parenting, this paper looks more
specifically at sexuality – an emergent theme from the
interviews with (some) couples when asked about 'intimacy'.
The focus is on the accounts of the dual earner
heterosexual professional couples who are first time parents,
and on a selection of those couples in particular to
explore the issues at hand in depth, and map directions for
future research. In addition to being those who spoke
most openly about sex, these were couples who most readily
seemed to embody the conflicts between intimacy
and equality, magnifying many of the tensions common to the
sample as a whole, as I explain below. The
analysis here therefore focuses on a sub-section of the main
sample, in part as a result of this grounded and
iterative approach to data collection and analysis.
Drawing on past work, I was particularly interested in finding
parents who internalise the injunction to 'do
parenting' in line with expert advice, and who consciously
reflect on and articulate their decisions as an element
of their 'identity work'. Furthermore, I wanted to work with
couples who would technically be able to afford an
'equitable' division of parental leave, even if they chose not to.
Bringing together these aims, I contacted parents
through a range of antenatal education classes and courses in
London – such as the National Childbirth Trust,
recognised by a number of scholars (for example Kitzinger

1990; Thomson et al 2011) as being primarily made
up of this demographic.
I interviewed these couples in various areas of London . After
meeting one or both of them at an
antenatal group or similar, and a discussion with the aid of a
study information sheet, couples were asked to fill
out a brief online survey (designed and administered via
Qualtrics) to collect demographic data, using sections
from the 2011 census as a template (e.g., age/marital status etc).
These couples were then interviewed, usually
in their homes, at times convenient to them. The first interview
(both together and separate) was before their
child was born, and then jointly when their child was 1-2
months old, at 6 months old, and then finally at 11-12
months old, when we also repeated the individual interviews.
Recordings were transcribed and coded, with the
aid of relevant software. More recently, I have contacted the
couples again to ask for their experiences of
childcare, now that their children are 2-and-a-half years old,
and on the cusp of the 15 hours free provision, to
ask whether this would make any difference to their current
domestic/working arrangements. Around a third of
these couples are now expecting their second child, which will
feed in to the results of the study moving forward.
I also refer to the interview material from the heterosexual dual-
earner professional couple expecting
their second baby. Much research with second-time parents has
noted that that the 'ideal' picture of parenting
and gender norms, so strong for first time parents, tends to be a
more pragmatic one for these more experienced
couples. Seeing how parents have negotiated parental leave and
childcare arrangements over the course of
several years also gives an interesting contextualisation on the
parental leave measures available to new

parents.
Of course, one of the key problems with writing about
parenting, intimacy, or indeed any aspect of family
life, is how to go about accessing it at all. Analytically and
methodologically, I drew on inspiration from Gabb's
discussion of 'interactive' interviews (2010) and have taken a
largely narrative approach to research here. Many
scholars have emphasized the role of language in the
constitution of personhood, and have argued 'that human
beings actually live out their lives as 'narratives', [and] that we
make use of the stories of the self that our culture
makes available to us to plan out our lives… to account for
events and give them significance, to accord
ourselves an identity' (Rose 1999: xviii). Looking at how
couples 'accounted' for the division of labour within their
respective partnerships was the intention of the study, analysing
both anticipation and outcomes before and after
children were born.
Nevertheless, there are clearly limitations to the interview
method, particularly when talking about
sensitive issues. The intention was to study intimate practices
generally but not necessarily sexual practices. As
a rule, I did not ask couples directly about their sex lives, but
rather, would open the space for them to address it,
either together or separately (on the whole, this topic was easier
to broach with mothers in one-on-one
interviews, rather than with couples or with fathers). Typically,
this would involve asking a question such as
'Given this study is titled 'Gender, intimacy and equality' could
you tell me what those terms mean to you?' It was
interesting, however, that for most couples that the word
'intimacy' was taken as an invitation to discuss sex,
even though this was not directly intended. Indeed, the
assumption that intimacy meant sexual intercourse gave

rise to this paper, with the couples featured here being most
open about their expectations and experiences of
[4]
4.8
4.9
5.1
5.2
5.3
5.4
this topic. Again, this points to some interesting assumptions
around what sex is taken to stand for in
relationships, as is discussed further below.
Demographic profile
The majority of the couples interviewed – and on whom the
analysis here is based – were largely middle
class (in that they overwhelmingly had higher educational
qualifications and professions) middle aged (between
45 and 29 though typically 34 or 35), white, heterosexual and
married (all were living in long-term relationships,
though if they were not married 'partner' was used, rather than
'husband' or 'wife'). The average household
income for the group ranged between £30,000 (in the case of a
couple where the wife was undertaking a PhD)

and over £200,000, with the majority between £50,000 and
£150,000. All interviews were conducted in English,
though some participants were born outside the United
Kingdom.
As might be imagined, these couples demonstrated the sort of
attitudes that the current policy around
parenting tries to foster: that it is an intensive, fulfilling and
rewarding activity that both parents (notably fathers)
should want to be 'involved' in (a word that cropped up a lot).
That said, however, these 'attitudes' around
equality appeared to be aspirational, rather than enacted in a
practical sense (clearly chiming with the kind of
'identity-work' fostered in the more reflexive age, mentioned
above). The majority of couples stuck to the
traditional division of parental leave – with mothers taking
longer periods than fathers in all cases, and only one
couple seeming to know about the possibility of splitting leave
more equitably. This is discussed further
elsewhere, but clearly this raises some interesting questions
around choice, accountability and preference (that
is, how far these decisions are pragmatic, and how far they are
what each partner 'wants').
Accounts: Intimacy and sex
In reading literature from the area of sexuality studies in
preparation for writing about this aspect of the
study, it quickly became apparent that much of this concerns
desire or sexual identity. There was less on
changing patterns of sexual activity over the lifecourse. To this
extent, this paper – like Van Hoof's in this special
section – contributes to what Jackson calls the 'everyday' aspect
of studying sex and relationships (2008). In
particular, these findings reveal the importance of sexual
intercourse for couples as a means of assessing the
strength of their relationships (Weeks 1995). It therefore maps

the ways anticipations around sexual intercourse
matched up (or not) with realities once children were born, as a
lens on changing understandings of intimacy and
equality. These accounts are foregrounded as evidence of a
cultural contradiction between the competing
ideologies of intensive parenting, gender equality and fulfilling
intimate relationships.
Providing a useful introduction to this subject is Clare, the only
mother cited in this paper to have had a
child already. She works full-time as a secondary school
teacher, having taken 6-9 months of leave with each
child, and talks about how important sex is for her and her
husband – not only in the sense of being a physically
pleasurable sensation, but more for what it represents for them:
Clare: No, but do you know what? It's so important to have sex
in a relationship. You just always come back to it
because if you don't you are very, very good friends and there's
that intimacy lacking. [My husband] and I get
scratchy with each other and we lose our connection when we
don't have sex frequently and regularly for me. If we
manage once a week I'm really proud of that and that's pretty
good, that's what we do. I'm really quite…I feel quite
proud of that. Sometimes it goes down to every couple of weeks
but if it's not every couple of weeks then we both get
really sad.
In what might be referred to as a hierarchy of intimacy,
(penetrative) sex with a partner has come to
symbolise the pinnacle of intimate relations (as opposed to, say,
cooking for each other, sleeping in the same
bed or massage, which might be others sorts of 'intimate'
behaviours) (Weeks 1995). She continues – with the
benefit of hindsight as a second time mother – to talk about how
this changes over a couple's relationship, in

terms of what it symbolises:
Clare: It comes to symbolise such different things, like when
you first meet somebody you're at it all the time and it's
a kind of bonding, it's a really fun thing as well. Then when you
move in together you're very cosy and settled. Then
maybe when you get married it will happen more. Then when
you want to have a baby you will have sex all the time
and it will become a military procedure but [then] you will
probably start enjoying it again.
Anticipation and reality: Accounting for dissonance
Like the other stages Clare mentions, it was certainly true that
having children meant a major shift in
sexual practices for most couples. This was something that was
anticipated (albeit without much clarity as to
http://www.socresonline.org.uk/20/4/4.html
5.5
5.6
5.7
what these changes would actually be) during pregnancy by
many first-time parents. Interestingly, many couples
were confused as to how to negotiate actually having sex with
the physical presence of a new baby in their
bedroom (the ideal sleeping arrangement parents are advised to
adopt for the first six months). Like Lucy, below,
couples often spoke about the importance of maintaining their
regular patterns of sex, which they hoped would

get back to normal after the disruption of pregnancy, birth
and/or breastfeeding. Already on her anticipated year-
long maternity leave from work at one of the large trade unions,
she is speaking a few days before she gave birth
to her first baby here:
Lucy: …you were asking about how you think it's going to
affect your relationship, one of the reasons I was saying
about the bed and sharing thing is the sexual aspect of it and I
don't want that to get lost although it has recently, he's
been really worried about hurting me or the bump, he's been a
bit put off things, and I guess that's one of the things
that worries me most about breastfeeding is your breasts going
from being this sexual thing to a feeding practical
thing for the baby, so I think that's one of my worries about our
relationship and about breastfeeding…So we want to
try and make an effort … That's the other thing … you shouldn't
even like leave the baby on its own in the room, not
even to have a shower, I mean I don't know what you're
supposed to do, but if you want to have sex or whatever, are
you supposed to have the baby in the room? I haven't thought
very hard about it but … I'm sure you can leave the
baby to have a shower for 10 minutes.
Despite some awareness about embodied changes, unfortunately
the experiences of post-baby sex
were worse than expected in some cases, and many women I
spoke with were totally shocked by how their
bodies had undergone what one mother described as a 'total
physical onslaught', which they felt totally
unprepared for. Speaking when their baby was around 6 weeks
old, this couple, who work in HR and fashion
design respectively, point out not only the physical barrier to
having sex, but emotional and practical ones too:
Katie: Ah yeah. I feel I'm neglecting [him].

Paddy: No you're not.
Katie: And because of that I have the episiotomy, I'm really
scared about having sex…So that's really sort of…But I
mean it hasn't even been for six weeks yet…I am scared. It feels
like it's going to be months, if not years. So, …so
yeah. But even the thought of having sex because she's in the
bedroom, I don't even know how it would work really.
Seems a bit weird. So, yeah that's a bit strange. And yeah it
does just feel like you don't get any time together. You're
just talking about what you going to have to do now. 'Do you
want to cook dinner?' 'I'll wash up'. That's it really. 'Do
you want to change the baby's nappy?' 'Do you want to hold the
baby?'
The same mother said at 6 months (as the main earner, she
returned to work full-time when her baby
was around 10 months, whilst her partner worked part-time, and
their daughter attended a nursery part-time):
Katie: We've only had sex three or four times since she's been
born and I didn't think that would fall apart the way it
has. But it is just timing and opportunity and not feeling tired
and being in the same room. If we had our own room, it
might be different…And the episiotomy is quite painful.
Author: Is it still quite sore?
Katie: Well, it was last time! I think all those things have
contributed to … and that really worries me because you
need that for a healthy relationship…I think I knew that it
would put a strain on the relationship but you can't really
imagine it happening until it has happened. And my sister just
kept saying everything that's wrong with the
relationship is magnified when you have children and she's
going through a really bad patch with her husband. So I
did know to expect it and I don't know, it is good and it isn't
good. But I think it's not helped by [his] working pattern
and that situation, by him being around but not really being

there to help, it's made me a bit resentful.
Intimacy and inequality: Embodying difference
Like Clare, we can see here that Katie uses how often she has
sex with her partner as a barometer for
the relationship as a whole. This points to the way in which a
'good sex life' is linked to notions of a 'healthy
relationship' – and something to be 'performed' (in the
sociological sense) both to each other as partners, and to
friends, family (and researchers) as peers. Like Woodiwiss's
research, then (also in this special issue), we see
how powerful the discourse of 'compulsory sexuality' can be for
individuals, at all stages of the life course. This
comes from Cathy, a 32-year-old academic at a London
university, who planned to take 6 months off work, and
then return 4 days a week. Her husband, a 31 year old IT
manager in a bank, was planning on taking 2 weeks of
statutory leave, and then also moving to a 4 day week when
their baby was 6 months, so that they each do a day
of childcare, with a nanny or relatives covering the other three
days. At this point she earned around £45,000 he
earned around £95,000.
Cathy: It's just so hard to explain that I've felt like a physical
continuous onslaught… this massive physical thing that
5.8
5.9
5.10

5.11
5.12
6.1
happens to your body. Whereas other people, like Libby, had a
reasonably quick and easy birth. Was back having
sex all the time within about a week or something. And they
were just like, back on the…and their…they put Alice
out in the other room, after five weeks or something, because it
was ruining their sex life. I was just like, I'm not…but
she was sleeping through the night from, like, three weeks old.
They just had a whole completely different
experience. So I know that it can be the ideal thing. That does
happen. […]
Colin: It could be that she's lying to you.
Cathy: No. She told [Emma].
Cathy also talked about the physicality of motherhood (and
breastfeeding, in particular) coming as a
shock, and a limit on her 'intimacy time' with her husband,
which made her feel less desirable, something many
women reported as a problem of the 'mother/lover' division. She
describes the shift from bodies being conduits of
pleasure to being sources of nutrition particularly graphically
here:
Cathy: Yeah. My body was alien to me for a period of time. I
embraced it more when I was pregnant, I was annoyed
by it but after, particularly with the breastfeeding, you can't
take your bra off ever. With mine, because I had such a
milk supply and I'd have to wear those breast pads all the time
and how many would I get through in a day, six or
seven?… So we were buying stacks and stacks of them and as

soon as I'd take my bra off, I'd go into the shower, I'd
just be squirting everywhere so it makes physical intimacy very
difficult.
Whilst I do not expand on it here this couple had quite an
interesting experience of the division of
childcare. They trialled their '4-day week each' arrangement by
using some of their holiday allowances, though
sadly – and perhaps tellingly – when her husband requested the
arrangement on a more permanent basis, he
was made redundant. This meant that he had a period of several
months at home, without work (but with a
generous payment package; and interestingly, rather than a
period of full-time childcare; a nanny 3 days a
week). He subsequently found another job, working 5 days a
week.
Given that they were so busy, they talked at length about how
important it was for them to schedule other
sorts of 'intimacy time', including, but not limited to sex,
particularly because they could no longer be
spontaneous in spending time with each other, and that their son
would 'take all of their attention' otherwise:
Cathy: [Speaking to her husband] But even with [our son], if
you were with him, I could quite easily come into the
room at the end of the day and just give [our son] all of my
attention and not even kiss you hello. And it would happen
the other way round too. He takes all of our attention, you have
to remind yourself that the other person is right there
and needs to be greeted and made into a person by actually
being recognised!
Negotiating cultural contradiction
It is also interesting to note here the inherent contradiction
between government advice to mothers

around breastfeeding and the ideological commitment to 'shared'
parental leave. (Exclusive breastfeeding for six
months and anything up to two years or beyond clearly not
being the easiest of activities to split according to a
50/50 model or similar). As we can see from these accounts,
new parents often find themselves at the juncture of
several competing cultural discourses: one around the
importance of intensive, embodied care carried out by
biological mothers, particularly as it relates to feeding; another
about the importance of gender equality at home
and work, particularly as it relates to providing 'child-centred'
care; and another around the importance of
maintaining a healthy couple relationship, particularly as it
relates to having regular sex. No wonder many of
them reported feeling tired and 'torn'.
If there was a 'typical response' amongst this group of new
parents, then, this couple probably best
capture it. Reflecting on working full-time in the charity sector
and taking on full-time childcare (whilst training to
be a certified child minder in place of returning to
administrative work) respectively, Mark writes:
Mark: Well, we don't have as much sex as we would like. [My
wife] in particular is always tired, and I am pretty tired
too so am often easy to put off! However we try to schedule
sexytime so that it doesn't fall off the radar, as it easily
could. We both realize the importance of this, as when we didn't
have sex for some time after the birth of [our
daughter], we felt that our relationship changed. I wouldn't call
it deteriorating, but we just didn't feel as close to each
other in a way, which we missed. Maybe we felt too much like a
'team' and a little less like lovers! So we are less
impulsive, but if it was left to chance it wouldn't happen! We
are getting more time on our own recently, due to family
members taking her away for weekends and longer, so that too

is changing.
Discussion
In her study, When Couples Become Parents based on
interviews with couples in Canada, Bonnie Fox
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
also observed that there was a 'dramatic change in sexuality'
during the first year of parenthood for most of her
participants (2009:249), a loss that was more keenly felt by
men. Women's need to recuperate, their tiredness,
and the fact that they were breastfeeding reduced their desire
for sex. And even when they did have sex, it was
different to before, clearly chiming with the set of accounts here
around expectation not matching up to reality.
Developing a useful typology, Fox notes that these changes in

sexual activity were indicative of other
kinds of changes that occurred in couples' relationships as they
negotiated the first year of parenthood. In the
first pattern (around 30 percent of couples) the relationships
deteriorated, and were 'riddled with tension and
worn down by the upset and anger of one or both partners'
(2009:252) In these cases, she describes
relationships on the brink of divorce, or 'nonexistent'.
In the second pattern, made up of around 25 percent of couples,
the relationship was marked by tension
between the partners, but 'there was no noticeable weakening of
the relationship over the year. Often the anger
was about the men's avoidance of the newly expanded
housework, for example, and it created tensions that were
new to these relationships. Nevertheless, these couples'
happiness about being parents sometimes meant that
they – especially the men- felt closer to their partners'
(2009:252).
In the third pattern, which comprised another 25 percent, the
relationships neither seemed to weaken or
strengthen, but 'clearly suffered from the absence of time for
intimacy' (2009:252). 'In these relationships, there
was only minimal tension between partners – usually blamed on
tiredness – but both people found the year to be
difficult emotionally, given how little time they spent together.'
Lastly, in the final 20 percent were couples whose relationships
were improved by parenthood. These
were couples who experienced parenthood 'largely as an
addition to their relationship' (2009:252)
What Fox notices is that in those couples that displayed the first
pattern, there was a lot of anger and
resentment. This was 'fostered by the gender-based divisions

organising their daily lives and sometimes
enhanced by the insularity of their families… men's detachment
from the care of their babies and the dramatic
differences in the men's and women's daily experiences –
especially when the women were home full-time –
were usually what undermined mutual understanding and often
support. When both parties were stressed by the
high demands of their daily work, that stress could further erode
empathy, negate any hope of mutual gratitude,
and produce considerable anger' (2009:265).
Less equality, less intimacy? Accounting for cultural
contradiction
Fox's typology is useful in understanding the accounts presented
here. The issue of 'resentment' and
feelings of inequality and unfairness were demonstrated by
participants such as Katie, above. Writing about the
emergence of the 'companionate marriage' (as opposed to the
more traditional patriarchal one), Collins (2003)
notes that 'The keywords of companionship were intimacy and
equality. Intimacy was at once achieved and
expressed through privacy, closeness, communication, sharing,
understanding and friendship' (Collins 2003:24).
However, he identifies a problem with this once children come
along: parenthood accentuated the sexual division
of labour and had the potential to divide companionate couples
every bit as profoundly as their patriarchal
counterparts. Whereas spouses were able to live 'almost
identical lives' before they had children, any resulting
intimacy came under pressure from the inescapable
differentiation between the two sexes once there is a child.
Particularly if women were earning less than their partners
before (which in all but one case they were)
what usually emerged from the interviews is that it made 'most
sense' that they were the ones to take time off

work, or stop work entirely. Many women 'accounted' for this in
an understandably contradictory way as they
went about trying to narrativise it; it was both what they
'wanted' to do, and what they 'had' to do: They had an
ideological commitment to equality in career opportunities, yet
a gendered 'pull' towards a model of intensive
parenting (or, motherhood).
It is important to contextualize these accounts in our particular
historical moment, then. In line with much
sociological and popular literature, the accounts here show that
the transition to motherhood is felt particularly
acutely by many women today (for example, Cusk 2001, Miller
2005). This is, no doubt, in part as a reflection of
the shift Giddens et al identify – the period before children is
(discursively at least) one of equality for
contemporary men and women, particularly in the middle
classes: women match their male counterparts through
the education system and (largely) have professional
opportunities unfettered by gender, being able to gain
financial independence. Furthermore, they have freedom in
romantic and sexual unions and are able to express
6.10
6.11
6.12
6.13
6.14

7.1
disdain for housework and homemaking in ways unthinkable in
the past (Bristow 2008, Giddens 1992).
As the narratives point to, however, something happens around
the time of motherhood that means that
many women suddenly 'get' feminism, and indeed their
biological difference to men in a more explicit way than in
the past (Bristow 2008). Bodies, which had so far been a marker
of the self (and self-control) started to 'betray'
them, as Cathy puts it. This realisation of biological difference
– that Cathy points to in her account – is often
accompanied by a shift from being financially independent
towards dependence whilst on maternity leave.
Similarly, when she does go back to work, like many other
women in the sample, Cathy sees her career fall
more readily into the 'mummy track' of a 4-day week, where her
husband continues with the same 5-day pattern,
despite an ideological commitment (and practical agreement)
around the importance of career parity for both
parents.
Furthermore, housework is no longer a case of taking 'turns' to
carry out chores, but a hugely expanded
task which has to be carefully orchestrated to keep all
household members fed and clean. The invisibility – and
cultural de-valuation of – this labour after motherhood is
something many other women in the sample also
expressed resentment about, feeling that their partners simply
'didn't see' the extra work they were doing, often
by virtue of being the ones at home more often. These material
and practical changes to women's financial
situation (despite being coupled with a policy emphasis on
'equal parenting') often serve to magnify this sense of

injustice. And clearly, for many women, losing their previous
identities as workers could create its own kind of
challenges here.
This has an impact on intimacy, as expressed through sex. So,
where before, sex is something that is
'kind of fun' and 'bonding' for couples, as Clare puts it,
afterwards, Katie talks about it like more of a gendered
currency, or something she feels she 'owes' her partner, despite
feeling physically uncomfortable. (It is notable
too that at the point she makes that remark, she is being
supported by him financially; in this instance, policy has
clearly entered the bedroom). Furthermore, many couples are
simply too tired, or physically uncomfortable to
resume a 'normal' pattern of intercourse.
In terms of the theoretical contribution of this paper, in part,
then, these observations back up the shift
Giddens et al describe – clearly, any cultural focus on female
sexual pleasure and the fact that many women
were able to talk about their sexual needs and desires so openly
is proof of a move towards a more equitable
focus on mutual pleasure in relationships today than in the past
(1992). However, rather than moving in a
progressive fashion from patriarchal to companionate to more
'plastic' intimacies, for example, there appears to
be some movement back and forwards between these various
arrangements, with parenthood often pushing
couples back into an unfamiliar patriarchal set up (at least
financially, if not ideologically). Clearly, this shift back
into a more traditional pattern is exacerbated by a lack of
resources – for many couples, there is no choice but to
opt for more gender segregated roles. As this paper has shown,
however, even in the case where a couple has a
joint income of nearly £150,000 (such as Cathy and Colin) there
still seems to be a 'pull' towards these more

traditional patterns. It is worth reiterating the impressive power
of the intensive mothering ideology in shaping
women's perceptions of themselves as good mothers, and
working out how they 'want' to arrange their working
and home lives. Yet again we see how an equal parenting
ideology meshes uncomfortably with a culturally
elaborated intensive, embodied commitment to motherhood.
Similarly, there is clearly a tension between a more 'plastic
sexuality' and the transition to parenthood.
Whilst Giddens' theory of a more 'pure' relationship might have
some purchase on how sex is at least imagined
prior to the arrival of children, the idea that the couples here are
only in relationships for as long as they are
individually satisfying is not substantiated by the account here:
clearly parenthood creates demands and
necessities that they view as valuable, beyond their own
individual sexual pleasure. Most couples acknowledged
that the first year of parenthood was a particularly tough time
for their relationship, but it was, essentially, a
temporary state of affairs that would eventually pass. (Although
it is true that if they did not take steps to
reintroduce 'sexytime', as Mark puts it, they recognised their
relationship would deteriorate). Yet again, we see
how policy frameworks, and material resources, therefore shape
even the most intimate of our interactions as we
go about negotiating these competing ideologies.
Conclusions and future directions
These accounts show how couples' experience of changing
sexual practices can offer us a lens on the
relationship between gender equality and intimacy. Far from
being a straightforward correlation between them,
they are, in fact 'uncomfortable bedfellows', fraught with
frustrations from all sides. In contributing both to the
literature around changes to intimate relations and parenting

culture, this paper provides evidence that whilst our
7.2
7.3
gender roles are less and less scripted before children arrive,
they are very often thrown back into traditional
models once they do.
Whilst efforts to make parenting more equitable are clearly
laudable, the evidence here seems to imply
that current policy is missing the point: even for couples who
are ideologically committed to, and can afford, a
more equal split there seems not to be an practical commitment
to sharing care. This certainly suggests that for
those social groups who cannot afford this division that such
policy drives will be even more irrelevant (Gillies
2009). What is more, there is a danger that though these moves
would be beneficial in giving parents more
freedom in how to divide up their time, many of the efforts to
involve fathers in childcare appear only to extend a
cultural logic around parenting to men – an intensive one, which
puts children at the centre of all considerations.
This has the potential to leave two parents feeling 'torn', rather
than, for example, challenging our view of children
as requiring one-on one care by a biological relative, or
alleviating a cultural guilt around the place of childcare.
This has its own knock-on effect on couple intimacy. Mark and
his wife talk about feeling more like a 'team' of
partners, rather than 'lovers', as they have little space to think
about themselves as a couple beyond being

parents to their daughter (although this raises its own
interesting considerations around how sexual desire
intersects with 'gender equality').
How 'equality' and 'intimacy' work themselves out in a couple's
practices is demonstrably deeply
uncomfortable for their 'identity work' as gendered beings, in
negotiating dissonance between expectation and
outcome. For many parents in this study, struggles around how
to negotiate competing cultural discourses –
about good parenting, about good relationships and about
gender equality – are indicative of an interesting
historical moment in social life. Rather than showing a
straightforward correlation between (or continual
progression towards) greater intimacy and equality, these
accounts show the two are in a state of flux. As this,
and other papers in this section demonstrate, then, attention to
these 'everyday' experiences, provide interesting
intellectual reflections, far beyond the bedroom.
Notes
Gina Ford is one of the best selling parenting experts in the UK,
advocating a structured approach to
infant care, with practices such as scheduled feeding and
sleeping routines.
http://www.publications.parliament.uk/pa/cm201314/cmhansrd/c
m140403/text/140403w0001.htm
Accessed 25.11.2014
http://www.ons.gov.uk/ons/rel/lms/labour-market-
statistics/may-2014/info-awe-may-2014.html Accessed
25.11.2014
Ethical approval for the study was granted by the University of
Kent's Review Board, in accordance with

BSA guidance
http://www.britsoc.co.uk/media/27107/StatementofEthicalPracti
ce.pdf
References
ARENDELL, T. (2000) 'Conceiving and Investigating
Motherhood: The Decade's Scholarship', Journal of
Marriage and the Family 62(November): p. 1192-1207.
[doi:10.1111/j.1741-3737.2000.01192.x]
ASHER, R. (2011) Shattered. Modern Motherhood and the
Illusion of Equality. London, Harvill Secker
BAUMAN, Z (2005) Liquid Life Cambridge: Polity Press.
BBC NEWS. (2007) 'Gang Crime 'Due To Absent Dads','
Retrieved 1 April 2011 from
http://news.bbc.co.uk/1/hi/uk_politics/6956303.stm
BECK, U. (1992) Risk Society: Towards a new modernity
London: Sage.
BECK, Ulrich and Beck-Gernsheim, Elisabeth. (1995) The
Normal Chaos of Love. Cambridge: Polity Press.
1
2
3
4

http://www.publications.parliament.uk/pa/cm201314/cmhansrd/c
m140403/text/140403w0001.htm
http://www.ons.gov.uk/ons/rel/lms/labour-market-
statistics/may-2014/info-awe-may-2014.html
http://www.britsoc.co.uk/media/27107/StatementofEthicalPracti
ce.pdf
http://dx.doi.org/10.1111/j.1741-3737.2000.01192.x
http://news.bbc.co.uk/1/hi/uk_politics/6956303.stm
BRISTOW, J. (2008) 'Why we need a parents' liberation
movement'. Spiked Review of Books. http://www.spiked-
online.com/review_of_books/article/5386.
COLLINS, M. (2003) Modern Love: An Intimate History of
Men and Women in Twentieth-Century Britain London:
Atlantic Books
CUSK, Rachel. (2001) A Life's Work: On Becoming a Mother.
London: Fourth Estate.
DAYCARE TRUST. (2014) 'Childcare Costs Survey 2014'.
London: Daycare Trust
http://www.familyandchildcaretrust.org/childcare-costs-surveys.
DERMOTT, E. (2008) Intimate Fatherhood: A Sociological
Analysis London: Routledge.
FAIRCLOTH, C. (2013) Militant Lactivism? Attachment
Parenting and Intensive Motherhood in the UK and
France Oxford and New York: Berghahn Books.
FOX, B. (2009) When couples become parent:s The creation of
gender in the transition to parenthood Toronto:
University of Toronto Press.

GABB, J. (2010) Researching Intimacy in Families. London,
Palgrave Macmillan.
GABB, J. and Silva. E. (2011) Introduction to Critical
Concepts: Families, Intimacies and Personal Relationships.
Special Issue, Sociological Research Online
http://www.socresonline.org.uk/16/4/23.html.
GILLIES, V. (2009) 'Understandings and experiences of
involved fathering in the United Kingdom: exploring
classed dimensions', The Annals of the American Academy of
Political and Social Science, 624, p. 49-
60. [doi:10.1177/0002716209334295]
GOFFMAN, E. (1959) The Presentation of Self in Everyday
Life London: Penguin.
GUARDIAN. (2015) 'Shared parental leave: 'nightmare' new
rules, or the first baby steps to equality?'
http://www.theguardian.com/money/2015/apr/11/shared-
parental-leave-rules-equality Accessed 20 April
2015.
GIDDENS, A. (1992) Transformation of Intimacy: Sexuality,
love and eroticism in modern societies Cambridge:
Polity.
HAYS, S. (1996) The Cultural Contradictions of Motherhood.
New Haven and London: Yale University Press.
HOCHSCHILD, A. (2003) The Second Shift (London and New
York: Penguin Books).
JACKSON, S. 2008. Ordinary Sex. Sexualities, 11(1/2), 33-37.
[doi:10.1177/13634607080110010204]

KITZINGER, J. (1990) 'Strategies of the Early Childbirth
Movement: A Case-Study of the National Childbirth
Trust', in Garcia, J., Kilpatrick, R. and Richards, M. (eds), The
Politics of Maternity Care: Services for
Childbearing Women in Twentieth-Century Britain. Oxford:
Clarendon Press, p. 92-115.
LEE, E. Bristow, J. Faircloth, C. and Macvarish, J. (2014)
Parenting Culture Studies Basingstoke and New York:
Palgrave Macmillan.
JAMIESON, L. (1998) Intimacy: Personal relationships in
modern societies Cambridge: Polity Press.
MILLER, T. (2011a) Making Sense of Fatherhood Cambridge:
Cambridge University Press.
MILLER, T. (2005) Making Sense of Motherhood: A Narrative
Approach. Cambridge: Cambridge University
Press. [doi:10.1017/CBO9780511489501]
SMART, C. (2007) Personal Life: New Directions in
Sociological Thinking. Cambridge, Polity.
ROSE, N. (1999 [1989]). Governing the Soul: The Shaping of
the Private Self. London: Routledge.
THOMSON, R, Kehily, M.J, Hadfield, L and Sharpe, S. (2011)
Making Modern Mothers Bristol: Policy Press.
WEEKS, J. (1995) Invented Moralities, Sexual Values in an Age
of Uncertainty. Cambridge: Polity Press.
http://www.spiked-online.com/review_of_books/article/5386

http://www.familyandchildcaretrust.org/childcare-costs-surveys
http://dx.doi.org/10.1177/0002716209334295
http://www.theguardian.com/money/2015/apr/11/shared-
parental-leave-rules-equality
http://dx.doi.org/10.1177/13634607080110010204
http://dx.doi.org/10.1017/CBO9780511489501
Negotiating Intimacy, Equality and Sexuality in the Transition
to ParenthoodAbstractKeywords: Parenting, Gender, Intimacy,
Equality, Sex, CouplesNegotiating intimacy, equality and
sexuality in the transition to parenthoodTheoretical background:
Intimacy and parentingThe policy context: Parental leave and
childcare provisionMethodsDemographic profileAccounts:
Intimacy and sexAnticipation and reality: Accounting for
dissonanceIntimacy and inequality: Embodying
differenceNegotiating cultural contradictionDiscussionLess
equality, less intimacy? Accounting for cultural
contradictionConclusions and future directionsNotesReferences
CHAPTER
2
Managing Risk: Threats, Vulnerabilities, and Exploits
A KEY STEP WHEN MANAGING RISKS is to first understand
and manage the source. This includes threats and
vulnerabilities, and especially threat/vulnerability pairs. Once
you understand these elements, it’s much easier to identify
mitigation techniques. Exploits are a special type of
threat/vulnerability pair that often includes buffer overflow
attacks.
Fortunately, the U.S. federal government has initiated several
steps to help protect information technology (IT) resources. The
National Institute of Standards and Technology has done a lot

of research on risk management. The results of this research are
freely available in the form of Special Publications.
Additionally, the Department of Homeland Security oversees
several other initiatives related to IT security.
Chapter 2 Topics
This chapter covers the following topics and concepts:
• What threats are and how they can be managed
• What vulnerabilities are and how they can be managed
• What exploits are and how they can be managed
• Which risk management initiatives the U.S. federal
government sponsors
Chapter 2 Goals
When you complete this chapter, you will be able to:
• Describe the uncontrollable nature of threats
• List unintentional and intentional threats
• Identify best practices for managing threats
• Identify threat/vulnerability pairs
• Define mitigation
• List and describe methods used to mitigate vulnerabilities
• Identify best practices for managing vulnerabilities
• Define exploit
• Describe the perpetrator’s role in vulnerabilities and exploits
• Identify mitigation techniques
• Identify best practices for managing exploits
• Identify the purpose of different U.S. federal government risk
management initiatives
Understanding and Managing Threats
A threat is any activity that represents a possible danger. This
includes any circumstances or events with the potential to
adversely impact confidentiality, integrity, or availability of a
business’s assets.
Threats are a part of the equation that creates risk:
Risk = Vulnerability × Threat
Any attempt to manage risk requires a thorough knowledge of
threats. This section includes the following topics:
• The uncontrollable nature of threats

• Unintentional threats
• Intentional threats
• Best practices for managing threats within your IT
infrastructure
The Uncontrollable Nature of Threats
It’s important to realize a few basic facts about threats. These
include:
• Threats can’t be eliminated.
• Threats are always present.
• You can take action to reduce the potential for a threat to
occur.
• You can take action to reduce the impact of a threat.
• You cannot affect the threat itself.
Consider the threat of a car thief. Car thieves steal cars, and you
can’t prevent that. However, you can take steps to either
enhance or reduce the threat against your car. To increase the
chances of a thief stealing your car, you can park it in a busy
parking lot. Leave the keys in and the car running. Leave a $20
bill on the dashboard. Leave a few expensive items on the front
seat. It’s just a matter of time before your car is stolen.
However, you can take different steps to reduce the potential
threat and impact. Remove the keys and lock the doors. Install a
car alarm. Hide valuables in the trunk. A car thief might still
visit that parking lot, but it is less likely that your car will be
stolen.
Sometimes a car thief looks for a specific model, year, and
color of car. If your car is a match, the thief will likely steal it
no matter what you do. However, you can reduce the impact of
the loss. If you have insurance, it will reimburse you if your car
is never recovered.
Threats to IT are similar. Lightning strikes hit buildings.
Malware authors constantly write new programs. Script kiddies
run malware programs just to see what they can do. Professional
attackers spend 100 percent of their work time trying to break
into government and corporate networks. You can’t stop them.
However, there are many things you can do to reduce the

potential harm that these threats can do to your network. You
can take steps to reduce the impact of these threats.
Unintentional Threats
Unintentional threats are threats that don’t have a perpetrator.
They don’t occur because someone is specifically trying to
attack. Natural events and disasters, human errors, and simple
accidents are all considered unintentional.
There are four primary categories of unintentional threats. They
are:
• Environmental—Threats affecting the environment. This
includes weather events such as floods, tornadoes, and
hurricanes. Earthquakes and volcanoes are environmental
threats too. Illnesses or an epidemic can cause a loss to the
labor force and reduce the availability of systems.
• Human—Errors caused by people. A simple keystroke error
can cause incorrect or invalid data to be entered. A user may
forget to enter key data. A technician could fail to follow a
backup procedure resulting in an incomplete backup. An
administrator may write incomplete or incorrect backup
procedures. Undiscovered software bugs can also cause serious
problems.
• Accidents—Anything from a minor mishap to a major
catastrophe. A backhoe digging a new trench for new cables can
accidentally cut power or data cables. An employee might
accidentally start a fire in a break room.
• Failures—Equipment problems. A hard drive can crash. A
server can fail. A router can stop routing traffic. The air
conditioner might stop blowing cool air, causing multiple
systems to overheat and fail. Any of these failures can result in
the loss of availability of data or services.
TIP
You can use a hot, warm, or cold site to provide an alternate
location for IT functions.
Although these threats are unintentional, you can address them
with a risk management plan. Here are some common methods:
• Managing environmental threats—You can purchase

insurance to reduce the impact of many environmental threats.
A business may decide to move to reduce the threat. For
example, a business in the area of the Mount St. Helens volcano
can relocate to avoid eruptions. Companies in a hurricane zone
can transfer operations elsewhere.
• Reducing human errors—Automation and input validation are
common methods used to reduce errors. Any process that can be
automated will consistently run the same way. Input validation
checks data to ensure it is valid before it is used. For example,
if a program expects a first name, the input validator checks
whether the data looks like a valid name. Rules for a valid first
name may be no more than 20 characters, no numbers, and only
specific special characters. Input validation can’t check to
ensure that data is accurate, but it can ensure that data is valid.
• Preventing accidents—Contact the 1-800-MISS-DIG company
in Michigan, or similar companies or agencies in other states, to
identify underground cables before digging. You can stress
safety to prevent common accidents.
• Avoiding failures—Use fault-tolerant and redundant systems
to protect against the immediate impact of failures. A RAID
system can help ensure data availability, and failover clusters
ensure users can access servers at all times.
Intentional Threats
Intentional threats are acts that are hostile to the organization.
One or more perpetrators are involved in carrying out the threat.
Perpetrators are generally motivated by one of the following:
• Greed—Many attackers want to make money through the
attacks. Attackers steal data and use it to perform acts of fraud.
They steal customer data from databases and commit identity
theft. Criminals steal proprietary data from competitors. Social
engineers try to trick users into giving up passwords for
financial sites.
• Anger—When anger is the motivator, the attacker often wants
the victim to pay a price. Anger can result in attempts to
destroy assets or disrupt operations. These threats often result
in a loss of availability.

• Desire to damage—Some attackers just want to cause damage.
The result is the same as if an attacker is motivated by anger. It
can result in a loss of availability.
Although the preceding list helps you understand what
motivates attackers, the items don’t identify who the attackers
are. Some people still have the image of a bored teenager
launching random threats from his or her room. However,
attackers are much more sophisticated today.
Some of the more common attackers today are:
• Criminals—Opportunities to make money from online attacks
have resulted in a growth in criminal activity. Furthermore,
criminal activity is far more organized today. This activity
includes fraud and theft. For example, rogueware tricks users
into installing bogus antivirus software. Then they must pay to
get it removed. Criminals have extorted millions of dollars
using rogueware. More recently, this has morphed
into ransomware. Criminals restrict access to the system and
display messages to the user demanding ransoms to get access
to his or her computer and/or files.
• Advanced persistent threats (APTs)—Attackers focus on a
specific target. APTs have high levels of expertise and almost
unlimited resources. Nation states or terrorist groups often
sponsor them. They attack both government and private targets.
Operation Aurora is an example of an APT attack.
Investigations indicate the APT attack originated from China. It
attacked several private companies such as Google. A McAfee
white paper titled “Revealed: Operation Shady RAT” discusses
71 different APT attacks. Twenty-one of these were government
targets. Fifty were private companies.
• Vandals—Some attackers are intent on doing damage. They
damage just for the sake of damaging something. Their targets
are often targets of opportunity.
• Saboteurs—A saboteur commits sabotage. This could be
sabotage against a competing company or against another
country. The primary goal is to cause a loss of availability.
• Disgruntled employees—Dissatisfied employees often present

significant threats to a company. There are countless reasons
why an employee may be dissatisfied; for example, an employee
who did not receive a pay raise might be disgruntled.
Employees with a lot of access can cause a lot of damage.
• Activists—Occasionally, activists present a threat to a
company. Activists often operate with a mindset of “the end
justifies the means.” In other words, if your company does
something the activist doesn’t approve of, the activist considers
it acceptable to attack.
• Other nations—International espionage is a constant threat.
For example, McAfee’s “Operation Shady RAT” white paper
details espionage activities widely believed to come from
China. Attackers use remote access tools (RATs) to collect
information. They have infiltrated several governments and
private companies. Many countries include cyberwarfare as a
part of their offensive and defensive strategies.
• Hackers—Hackers attempt to breach systems. Depending on
the goal of the hacker, the motivation may range from innocent
curiosity to malicious intent.
TIP
There is a technical difference between a hacker and a
cracker. Hackers have historically been known as “white-hat
hackers” or “ethical hackers”—the good guys. They hack into
systems to learn how it can be done, but not for personal
gain. Crackers have been known as “black-hat hackers” or
“malicious hackers”—the bad guys. They hack into systems to
damage, steal, or commit fraud. Many black-hat hackers present
themselves as white-hat hackers claiming that their actions are
innocent. However, most mainstream media put all hackers in
the same black-hat category. The general perception is that all
hackers are bad guys.
Best Practices for Managing Threats Within Your IT
Infrastructure
There are many steps you can take to manage threats within
your IT infrastructure. The following list represents steps that
IT security professionals consider best practices:

• Create a security policy—Senior management identifies and
supports the role of security and creates a security policy. This
policy provides a high-level overview of the goals of security
but not details of how to implement security techniques.
Managers use this policy to identify resources and create plans
to implement the policy. Security policies are an important first
step in reducing the impact from threats. Once the security
policy is approved, it needs to be implemented and enforced.
• Purchase insurance—Purchase insurance to reduce the impact
of threats. Companies commonly purchase insurance for fire,
theft, and losses due to environmental events.
• Use access controls—Require users to authenticate. Grant
users access only to what they need. This includes the following
two principles:
• Principle of least privilege—Grant users only the rights and
permissions they need to perform their job and no more. This
prevents users from accidentally or intentionally causing
problems.
• Principle of need to know—Grant users access only to the
data they need to perform their job and no more. For example, a
person may have a security clearance for Secret data. However,
that person doesn’t automatically receive access to all Secret
data. Instead, the person is granted access only to what he or
she needs for the job. This helps prevent unauthorized access.
• Use automation—Automate processes as much as possible to
reduce human errors.
• Include input validation—Test data to determine if it is valid
before any applications use it.
• Provide training—Use training to increase safety awareness
and reduce accidents. You can also use training to increase
security awareness to reduce security incidents.
• Use antivirus software—Make sure you install antivirus
software on all systems. Schedule virus definition updates to
occur automatically.
• Protect the boundary—Protect the boundary between the
intranet and the Internet with a firewall, at a minimum. You can

also use intrusion detection systems for an added layer of
protection.
TIP
A security policy may include several individual policies. For
example, it could include a password policy, an acceptable use
policy, and a firewall policy.
NOTE
Privileges include rights and permissions. Rights refer to
actions users can perform on objects. For example, a user might
have the right to change the system time. Permissions refer to
object access. For example, a user might have permission to
read and modify a file. The principle of least privilege includes
both rights and permissions. The principle of need to
know focuses on data permissions.
CSI Computer Crime and Security Survey 2010/2011
The Computer Security Institute (CSI) completes regular
surveys that identify many of the trends related to IT security.
The 2010/2011 report includes responses from 5,412 security
practitioners.
Some of the notable findings in this report were:
• Malware infections are the most commonly seen attack. Over
67 percent of respondents reported malware infections. This is
an increase of 3 percent from the previous year. The lowest was
50 percent in 2007.
• About 29 percent reported zombies within their network. A
zombie is a computer joined to a botnet. This is an increase of 5
percent from the previous year.
• Most respondents attribute losses to outsiders. Almost 60
percent indicated they did not believe any of their losses were
due to malicious insiders.
• Only about 25 percent reported insider abuse of network
access or e-mail usage. This is a significant reduction from a
high of 59 percent in 2007.
• Of respondents reporting incidents, 45.6 percent reported they
were the subject of at least one targeted attack. The trend is
more attacks from advanced persistent threats (APTs).

• Losses due to financial fraud declined from almost 19 percent
to about 8 percent during the period.
• Respondents indicated that regulatory compliance efforts had
a positive effect on their security programs.
• Almost half of the organizations reported they were using
cloud computing, but only 10 percent indicated they were using
cloud-specific security tools.
Understanding and Managing Vulnerabilities
A vulnerability can be a weakness in an asset or the
environment. You can also consider a weakness as a flaw in any
system or any business process.
A vulnerability leads to a risk, but by itself it does not become a
loss. The loss occurs when a threat exploits the vulnerability.
This is also referred to as a threat/vulnerability pair.
Figure 2-1 shows the flow of a threat to a loss. You can use
mitigation techniques to reduce the vulnerability, the loss, or
both.
FIGURE 2-1
The flow of threat/vulnerability pairs.
This section presents the following topics:
• Threat/vulnerability pairs
• Vulnerabilities can be mitigated
• Mitigation techniques
• Best practices for managing vulnerabilities within your IT
infrastructure
Threat/Vulnerability Pairs
A threat/vulnerability pair occurs when a threat exploits a
vulnerability. The vulnerabilities provide a path for the threat
that results in a harmful event or a loss. It’s important to know
that both the threat and the vulnerability must come together to
result in a loss.
Vulnerabilities depend on your organization. For example, if
you’re hosting public-facing servers, the servers have several
potential weaknesses. However, if you don’t have any public-
facing servers, there aren’t any vulnerabilities for the

organization in this area. Thus, the risk is zero.
Table 2-1 shows some examples of threat/vulnerability pairs and
the potential losses. This table only scratches the surface. The
list of vulnerabilities for any single network can be quite
extensive.
TABLE 2-1 Examples of threat/vulnerability pairs and potential
losses.
THREAT
VULNERABILITY
HARMFUL EVENT OR LOSS
Fire
Lack of fire detection and suppression equipment
Can be total loss of business
Hurricane, earthquake, tornado
Location
Can be total loss of business
Malware
Lack of antivirus software Outdated definitions
Infection
(impact of loss determined by payload of malware)
Equipment failure
Data not backed up
Loss of data availability (impact of loss determined by value of
data)
Stolen data
Access controls not properly implemented
Loss of confidentiality of data
Denial of service (DoS) or distributed denial of service (DDoS)
attack
Public-facing servers not protected with firewalls and intrusion
detection systems
Loss of service availability
Users
Lack of access controls
Loss of confidentiality
Social engineer

Lack of security awareness
Loss depends on the goals and success of attacker
Vulnerabilities Can Be Mitigated
You can mitigate or reduce vulnerabilities, which reduces
potential risk. The risk reduction comes from one of the
following:
• Reducing the rate of occurrence
• Reducing the impact of the loss
It’s rare that a vulnerability is completely eliminated. Instead,
it’s more common that the risk is reduced to an acceptable
level. The remaining risk is referred to as the residual
risk. Table 2-2 matches the threat/vulnerabilities pairs
from Table 2-1 with possible mitigation steps.
TABLE 2-2 Common threat/vulnerability pairs and possible
mitigation steps.
THREAT
VULNERABILITY
MITIGATION
Fire
Lack of fire detection and suppression equipment
Install fire detection and suppression equipment
Purchase insurance
Hurricane, earthquake, tornado
Location
Purchase insurance
Designate alternate sites
Malware
Lack of antivirus software
Outdated definitions
Install antivirus software
Update definitions at least weekly
Equipment failure
Data not backed up
Back up data regularly
Keep copies of backup off-site
Stolen data

Access controls not properly implemented
Implement both authentication and access controls
Use principle of “need to know”
DoS or DDoS attack
Public-facing servers not protected with firewalls and intrusion
detection systems
Implement firewalls
Implement intrusion detection systems
Users
Lack of access controls
Implement both authentication and access controls
Social engineer
Lack of security awareness
Provide training
Raise awareness through posters, occasional e-mails, and mini-
presentations
Mitigation Techniques
You can use a wide variety of mitigation techniques in any
enterprise. As you explore the techniques in this section, keep
the following elements in mind:
• The value of the technique
• The initial cost of the technique
• Ongoing costs
For example, antivirus software has an initial cost. This initial
cost includes a subscription for updates for a period of time,
such as a year. When the subscription expires, it must be
renewed.
When estimating the value and cost of any of these techniques,
you can consider the value of the resource and the impact of the
loss. For example, training in basic social engineering tactics
may cost $10,000 a year. However, if users don’t receive the
training, the company may lose $100,000. This indicates the
value of the training is $90,000.
However, there are other variables to consider when estimating
the value of a mitigation technique. A company may have lost
$100,000 last year. If people are trained, the company estimates

it will only lose $5,000 this year. This would give a value of
$85,000 to the training. This is calculated as:
Last Year’s Loss – Training Cost – This Year’s Loss, or
$100,000 – $10,000 – $5,000 = $85,000.
The following list identifies many common mitigation
techniques you can use in any enterprise:
• Policies and procedures—Written policies and procedures
provide standards. These standards make it clear what should be
implemented and how. Many organizations start by creating a
security policy as mentioned earlier. You should review policies
and procedures on a regular basis.
• Documentation—Documentation is useful in a wide number
of areas. Up-to-date documentation of networks makes problems
easier to troubleshoot. Once problems occur, you can repair
them more quickly. This results in improved availability times.
As the network and systems change, you need to be sure to
update documentation.
• Training—Training helps employees understand that security
is everyone’s responsibility. Some training is geared to all
users; other training must be targeted to specific users. For
example, you should train all end users about social engineers.
Train administrators on current threats and vulnerabilities.
Train management on risk management strategies. Training is
an ongoing event—as things change, you should offer updated
training classes.
• Separation of duties—The separation of duties principle
ensures that any single person does not control all the functions
of a critical process. It’s designed to prevent fraud, theft, and
errors. For example, accounting separates accounts receivable
from accounts payable. One division accepts and approves bills.
The other division pays the approved bills. Separation of duties
also helps prevent conflicts of interest.
• Configuration management—When system configuration is
standardized, systems are easier to troubleshoot and maintain.
One method of configuration management is to use baselines.
For example, you configure a system and then create a system

image. You can deploy the image to 100 other systems, so every
system is identical. Maintenance of each of these systems is the
same. When technicians learn one system, they learn them all.
Without a baseline, the systems may be configured 100 different
ways. Technicians need to learn how each system is configured
before they can provide effective support. Images are updated
as the configuration changes.
Configuration management also ensures that systems are not
improperly modified. Most organizations have change
management processes in place. This ensures that only
authorized changes are made. Compliance auditing is done to
ensure that unauthorized changes don’t occur.
• Version control—When multiple people work on the same
document or the same application, data can be lost or
corrupted. Version control systems are commonly used with the
development of applications. They track all changes and can
reduce wasted time and effort, especially if changes need to be
reversed. The process requires programmers to check out
modules or files before modifying them. After the file is
modified, it can be checked in and someone else can modify the
file. Some version control software allows multiple changes to
be merged into a single file.
• Patch management—Over time, you may discover bugs in
software. Software bugs are vulnerabilities that can be
exploited. When the bugs are discovered, they are patched by
vendors; however, attackers also find out about the bugs.
Systems that aren’t patched are vulnerable to attack. A
comprehensive patch management policy governs how patches
are understood, tested, and rolled out to systems and clients. It
should include compliance audits to verify that clients are
current. Patch management can also include the ability to
quarantine unpatched clients. Patch management is an almost
continuous process.
• Intrusion detection system—An intrusion detection system
(IDS) is designed to detect threats. It cannot prevent a threat. A
passive IDS will log the event and may provide an alert. An

active IDS may modify the environment to block the attack after
it is detected. Many IDS systems use definitions the way
antivirus software uses signatures. A network-based intrusion
detection system (NIDS) provides overall network protection. A
host-based intrusion detection system (HIDS) can protect
individual systems.
NOTE
Symantec’s Ghost is a common tool used to deploy multiple
clients. Ghost allows you to capture images and store them on a
DVD or on a Ghost casting server. You can then deploy the
image to any client from the DVD. You can also cast the image
to multiple clients simultaneously from the server.
NOTE
Microsoft releases patches on the second Tuesday of every
month. This has become known as Patch Tuesday. When the
patches aren’t deployed, attackers can exploit the bugs.
• Incident response—When a company is prepared and able to
respond to an incident, it has a better chance to reduce the
impact. An important step when responding to an incident is
containment, which ensures the incident doesn’t spread to other
systems. An incident response team tries to identify what
happened. They look for the vulnerabilities that allowed the
incident. They then seek ways to reduce the vulnerability in the
future. On the other hand, some companies would like to
quickly put the incident behind them. They try to fix the
immediate issue without addressing the underlying problem.
When you address underlying problems, you reduce the chance
of recurring incidents for the same issue.
• Continuous monitoring—Security work is never
finished. Continuous monitoring is necessary. You implement
controls and then check and audit to ensure they are still in
place. You deploy patches. Later, through compliance audits,
you verify that all systems are patched. Through access controls
you lock down systems and data. Later, you check to ensure
they haven’t been modified. You record a wide range of activity
in logs and then monitor these logs for trends and suspicious

events. Luckily, there are many tools that you can use to audit
and monitor systems within a network.
• Technical controls—Controls that use technology to reduce
vulnerabilities. IT professionals implement the controls and
computers enforce them. For example, after an IT professional
installs antivirus software, the software prevents infections.
Some other examples of technical controls include intrusion
detection systems, access controls, and firewalls. As you
discover new vulnerabilities, you can implement new technical
controls.
• Physical controls—Physical controls prevent unauthorized
personnel from having physical access to areas or systems. For
example, you should locate servers in server rooms and keep the
server room doors locked. Place network devices in wiring
closets and keep the wiring closet doors locked. Physical
security can also include guards, cameras, and other monitoring
equipment. For mobile equipment, such as laptops, you can use
cable or hardware locks.
Best Practices for Managing Vulnerabilities Within Your IT
Infrastructure
Vulnerabilities are the portion of the threat/vulnerability pair
that you can control. Therefore, it’s very important to take steps
to manage vulnerabilities. Here are some of the best practices
you can use to do this:
• Identify vulnerabilities—Several tools are available that you
can use to identify vulnerabilities. For example, audits and
system logs help identify weaknesses. Use all the available
tools, and examine all seven domains of the typical IT
infrastructure.
• Match the threat/vulnerability pairs—The vulnerabilities you
want to address first are the ones that have matching threats.
Some vulnerabilities may not have a matching threat. If so, the
weakness may not need to be addressed. For example, you may
have an isolated network used for testing that does not have any
access to the Internet. Weaknesses that can be exploited only
from Internet threats can’t reach this network and may be

ignored.
• Use as many of the mitigation techniques as feasible—Several
mitigation techniques were listed in this section. It’s certainly
possible to use all of these techniques. Depending on your IT
infrastructure, you may use more. With multiple techniques in
place, you create multiple layers of security.
• Perform vulnerability assessments—Vulnerability
assessments can help you identify weaknesses. You can perform
them internally or hire external experts to perform them.
Understanding and Managing Exploits
Losses occur when threats exploit vulnerabilities. If you want to
reduce losses due to risks, you’ll need to have a good
understanding of what exploits are and how to manage them.
This section covers the following topics:
• What an exploit is
• How perpetrators initiate an exploit
• Where perpetrators find information about vulnerabilities and
exploits
• Mitigation techniques
• Best practices for managing exploits within your IT
infrastructure
What Is an Exploit?
An exploit is the act of taking advantage of a vulnerability. It
does so by executing a command or program against an IT
system to take advantage of a weakness. The result is a
compromise to the system, an application, or data. You can also
think of an exploit as an attack executed by code.
In this context, an exploit primarily attacks a public-facing
server. In other words, it attacks servers that are available on
the Internet. Common Internet servers are:
• Web servers
• Simple Mail Transfer Protocol (SMTP) e-mail servers
• File Transfer Protocol (FTP) servers
Figure 2-2 shows how these public-facing servers are often
configured in a network. They are placed within two firewalls
configured as a demilitarized zone (DMZ). A DMZ is also

known as a buffer area, or a perimeter zone. The firewall
connected to the Internet allows access to these public-facing
servers. The firewall connected to the internal network restricts
traffic from the Internet.
Since the servers in the DMZ are public facing, they are
accessible to anyone with a public Internet Protocol (IP)
address. This includes attackers or black-hat hackers.
While internal servers are susceptible to attacks from
employees, it isn’t common for an employee to use an exploit to
attack an internal server. Employees can attack and cause
damage. However, it’s much easier for an employee to steal data
or perform acts of sabotage. An insider usually won’t take the
time to write a program to attack an internal system. Insiders
have the advantage of at least some basic employee privileges
and internal knowledge. It’s also common that the internal
network is trusted, so the company gives less attention to
exploits on the internal network.
FIGURE 2-2
Public-facing servers in a DMZ bounded by two firewalls.
A buffer overflow is a common type of exploit. A buffer
overflow can occur when an attacker sends more data or
different data than a system or application expects. The
vulnerability exists when the system or application is not
prepared to reject it. This can cause the system to act
unreliably. Additionally, if the exploit’s creator is especially
skilled, the exploit runs extra instructions, gaining the attacker
additional privileges on a system.
Normally, the system will validate data and reject data that isn’t
expected. Occasionally, a bug allows invalid data to be used.
For example, imagine a simple calculation: X / Y = Z. The
program expects the value of X and Y to be provided. It will
then divide the two to calculate the value of Z. However, if zero
is given as the value of Y, Z cannot be calculated. You can’t
divide anything by zero. If the program didn’t check to ensure
that Y was a valid number, the program could fail when a user

enters zero. If the error isn’t handled gracefully, an attacker
may be able to exploit the failure.
NOTE
While a divide-by-zero error is simple to explain, it’s unlikely
this will cause a problem today. Most applications will detect
the problem and never try to divide by zero. However, there are
many more advanced errors that aren’t predicted.
Buffer overflow errors allow attackers to insert additional data.
This additional data can be malware that will remain in the
system’s memory until it’s rebooted. It could insert a worm that
spreads through the network. It could be code that seeks and
destroys data on the system. It could cause the server to shut
down and no longer be able to reboot.
When a vendor finds buffer overflow vulnerabilities, it patches
the code to prevent the error in the future. You should download
this patch and apply it to plug the hole.
The Nimda Virus
The Nimda virus is an example of an older virus that took
advantage of a buffer overflow problem in Microsoft’s Internet
Information Services (IIS). This virus helps explain many of the
lessons learned with IT risk management.
First, IIS was installed by default when Windows 2000 Server
was installed. Since IIS was installed by default, it often wasn’t
managed. An unmanaged service is easier to attack.
When the buffer overflow was discovered, Microsoft released a
patch. This patch corrected the problem as long as it was
applied. However, patch management was in its infancy at that
time. Many companies didn’t have effective patch management
programs and didn’t apply patches consistently. Many system
administrators concluded incorrectly that because they weren’t
using IIS, their systems weren’t vulnerable. However, because
IIS was installed by default, their systems were, in fact,
vulnerable.
Nimda was released on the Internet and had a multipronged
approach. The buffer overflow allowed it to exploit an IIS
system. It had a worm component that allowed it to seek and

infect other systems on the internal network. It also looked for
other IIS servers on the Internet susceptible to the same buffer
overflow. It slowed network activity to a crawl and destroyed
data.
Two of the basic security practices that were reinforced by
Nimda are:
• Reduce the attack surface of servers—Unneeded services and
protocols should not be installed. If they were installed, they
should be removed. If IIS wasn’t installed on a server, it
couldn’t have been attacked by Nimda.
• Keep systems up to date—If IIS servers had been updated
with the released patch, they wouldn’t have been susceptible to
the attack.
Other exploits include:
• SQL injection attacks—SQL injection attacks take advantage
of dynamic SQL. Many Web sites require users to enter data in
a text box or Web address. If the user-supplied data is used
directly in a SQL statement, a SQL injection attack can occur.
Instead of giving the data that’s expected, a SQL injection
attack gives a different string of SQL code. This different code
can compromise the database. SQL injection attacks are easy to
avoid by using parameters and stored procedures that first
review the code. However, all database developers aren’t aware
of the risks.
NOTE
Structured Query Language (SQL) is the language used to query
and modify databases. It has specific rules that you must follow.
Dynamic SQL is a SQL statement that accepts input from a user
directly. For example, the statement may be SELECT FROM
Users Where LName = ‘txt.Name’. In this example, the value
of txt.Name is retrieved from the text box named txt.Name and
used when the program is run. Permitting input directly from a
user without any input filtering is not recommended.
• Denial of service (DoS) attacks—Denial of service (DoS)
attacks are designed to prevent a system from providing a
service. For example, a SYN flood attack is very common.

Normally TCP uses a three-way handshake to start a connection.
A host sends a packet with the SYN flag set. The server
responds with the SYN and ACK flags set. The host then
responds with the ACK flag set to complete the handshake. In
the SYN flood attack, the host never responds with the third
packet. It’s as if the host stuck out his hand to shake, the server
put his hand out, and then the host pulled his hand away. The
server is left hanging. When this is repeatedly done in a short
time period, it consumes the server’s resources and can cause it
to crash.
• Distributed denial of service (DDoS) attacks—Distributed
denial of service (DDoS) attacks are initiated from multiple
clients at the same time. For example, many criminals and
attackers run botnets from a command and control center. A
botnet controls multiple hosts as clones or zombies. These
clones can be given a command at any time to attack, and they
all attack at the same time. The attack could be as simple as
constantly pinging the same server. If thousands of clients are
pinging a server at the same time, it can’t respond to other
requests as easily.
How Do Perpetrators Initiate an Exploit?
Most exploits are launched by programs developed by attackers.
The attackers create and run the programs against vulnerable
computers.
You’ve probably heard about script kiddies. These are attackers
with very little knowledge, sometimes just young teenagers.
However, they can download scripts and small programs and
launch attacks. They don’t have to be very intelligent about
computers or even about the potential harm they can do. Some
programs are so simple, the script kiddie can just enter an IP
address and click Go to launch an attack.
However, the attackers most companies are worried about are
much more sophisticated. They have programming skills. They
know how to target specific servers. They know methods to
infiltrate networks. They erase evidence to cover their tracks.
They are professional attackers.

Imagine a country hostile to the United States with extensive
computer expertise. They could create their own internal secret
department with separate divisions. Each division could be
assigned specific jobs or tasks. Each of the divisions could work
together to launch exploits as soon as they become known. This
department could have the following divisions:
• Public server discovery—Every system on the Internet has a
public IP address. This division could use ping scanners to
identify any systems that are operational with public IP
addresses. IP addresses are assigned geographically, so servers
can also be mapped to geographical locations.
• Server fingerprinting—This division could use several
methods to learn as much about the discovered server as
possible. They can use a ping to identify if the systems are
running UNIX or Microsoft operating systems. They can use
port scans to identify what ports are open. Based on what ports
are open, they can identify the running protocols. For example,
port 80 is the well-known port for Hypertext Transfer Protocol
(HTTP), so if port 80 is open, HTTP is probably running. If
HTTP is running, it is probably a Web server. The department
can use other techniques to determine if it’s an Apache Web
server or an IIS Web server.
• Vulnerability discovery—Investigators and hackers in this
division could constantly be on the lookout for any new
weaknesses. They could just try new things to see what can be
done. They could lurk on newsgroups to hear about new bugs
that aren’t widely known. They could subscribe to professional
journals or read blogs by IT security experts. When they
discover a vulnerability, they would pass it on to programmers
or attackers to exploit.
• Programmers—Once vulnerabilities are discovered,
programmers can write code or applications to exploit them. It
could be just a few lines of code that are embedded into a Web
page and downloaded when a user visits the Web site. It could
be a virus that is released to exploit the weakness. It could be
an application that is installed on zombie computers waiting for

the botnet command to attack.
• Attackers—Attackers initiate the exploit. For example,
attackers may discover a new vulnerability for Apache servers.
The attackers may want to target servers in Washington D.C.
They could get a list of servers in D.C. running Apache from
other divisions. They can then launch an attack on those
servers. This group might regularly launch legacy attacks that
current patches block. Most systems will be patched, but if
group members find an unpatched system, they can exploit it.
Say they launch an attack on 10,000 computers. Even if they
have only a 1 percent success rate, they’ve exploited 100
computers.
NOTE
Attackers often use diversion when launching attacks. Instead of
launching the attack from their own computer, they will often
take control of one or more other computers on the Internet.
They then direct the attack from that remote-controlled
computer.
This secret department in a hostile country is presented as
fictitious. However, cyberattacks from one country against
another are not fiction. The news reports cyberattacks regularly.
Operation Aurora and Operation Shady RAT (mentioned
previously in this chapter) are two recent examples. If you
wanted to commit cyberwarfare against a hostile country, how
would you do so? It’s very possible you would design a similar
department with similar divisions.
Even if it is a single perpetrator launching an attack, the steps
listed above would be separated. The attacker would take time
through reconnaissance to learn as much about a target as
possible. The attacker may develop a program to automate the
attack. The actual attack is usually quick.
It’s important to realize that attackers very often spend 100
percent of their work time on attacks. Since many attacks often
return significant amounts of money, they aren’t shy about
working more than 40 hours a week. They take time to discover
targets. They take time to identify weaknesses. They take time

1.11.22.1Negotiating Intimacy, Equality and Sexual.docx

1.11.22.1Negotiating Intimacy, Equality and Sexual.docx

Recommended

Recommended

More Related Content

Similar to 1.11.22.1Negotiating Intimacy, Equality and Sexual.docx

Similar to 1.11.22.1Negotiating Intimacy, Equality and Sexual.docx (20)

More from jeremylockett77

More from jeremylockett77 (20)

Recently uploaded

Recently uploaded (20)

1.11.22.1Negotiating Intimacy, Equality and Sexual.docx