This document is a guide for the detailed development, selection and implementation of information-system-level and program-level procedures that indicate the execution, effectiveness and impact of security controls and of other security-associated activities.
What is Information Security?
Information security means that the confidentiality, integrity and availability of information assets is maintained.
Confidentiality: This means that information is only used by people who are authorized to access it.
Integrity: It ensures that information remains intact and unaltered. Any changes to the information through malicious action, natural disaster, or even a simple innocent mistake are tracked.
Availability: This means that the information is accessible when authorized users need it.
Information Security Threats:
Most common types of information security threats are:
Theft of confidential information by hacking
System sabotage by hackers
Phishing and other social engineering attacks
Virus, spyware and malware
Social media: the fraud threat
Theft of Confidential Information:
One of the major threats to information security is the theft of confidential data by hacking. This includes theft of employee information, or theft of trade secrets and other intellectual property (IP).
Theft of Employee Information
Employee information includes personal credit card information, corporate credit card information, social security number, address, etc. It also includes healthcare records, as they contain personal information such as date of birth, address and names of relatives.
Theft of Trade Secrets and other Intellectual Property (IP)
Technology from various verticals, including IT, aerospace and telecommunications, is constantly stolen by outsiders or by insiders (industrial espionage). China is a growing offender, as it continues to advance in technology relying on theft of international trade secrets and IP.
Piracy/copyright infringement.
Corporate business strategies including marketing strategies, product introduction strategies.
System Sabotage:
What is system sabotage?
Planting malware on the networks of a target organization and generating an enormous amount of transaction activity, resulting in malfunction or crash of the system.
Who would perpetrate it?
System sabotage is usually committed by disgruntled ex-employees and by remote cyber-attackers for no particular reason.
The most sensational case of system sabotage: one recent example is the sabotage of Sony PlayStation.
Phishing:
Phishing aims to obtain confidential data about individuals (customers, clients, employees or vendors) that can be used to commit various types of identity fraud, such as:
Opening bank accounts in victim’s name
Applying for loans in victim’s name
Applying for credit cards in victim’s name
Obtaining medical services in the victim's name (e-death)
Other, more sophisticated social engineering attacks include spear-phishing.
Spear-phishing targets specific individuals, such as the AP manager, controller or senior accountant, to gain access to corporate bank accounts and transfer funds abroad.
Other threats include:
Smishing: Phishing via SMS (texting)
Vishing: Phishing via voice (phone)
Mobile hacking
Securing information system (Management Information System), by Masudur Rahman
Here I mainly discuss "how we will secure our information system", mainly discussing the threats, the causes and the way of securing our most important data.
Security is ever changing, and best practices are constantly being replaced by new methods to prevent new threats. For more information, visit https://www.facebook.com/DanielMorganGS/ and https://dmgs.org/
This is one of the presentations I have personally taken great quality time to prepare. It is a lecture class presentation on Chapter 7: IT Security and Risk Mitigation, part of the course BIT 1208: Information Technology for Financial Services under the Bachelor of Information Technology at Makerere University. The outline includes topics like Basic principles, Key concepts, Authenticity, Banking security standards, Risk of password sharing, Mitigation controls, Administrative, Logical, Physical, Security processes and management, Security governance, Incident response, Risk management and IT auditing, Business continuity, Disaster recovery planning, Professionalism and ethical standards, IT audit framework/ standardization, International certifications in IT security, International standards of IT security, and SBP IT Audit
This slide deck provides various details regarding information security: the database and its advantages, DBMS and RDBMS, IS design considerations, various cyber crime techniques, the elements of information (i.e. integrity, availability), classification of threats, information security risk assessment, the four stages of risk management, the NIST definition, risk assessment methodologies, the security risk assessment approach, risk mitigation options, categories of controls, technical controls, etc.
A Method for Evaluating End-User Development Technologies, by Claudia Melo
Presentation at Americas Conference on Information Systems, 2017. Paper abstract:
End-user development (EUD) is a strategy that can reduce a considerable amount of business demand on IT departments. Empowering the end-user in the context of software development is only possible through technologies that allow them to manipulate data and information without the need for deep programming knowledge. The successful selection of appropriate tools and technologies is highly dependent on the context in which the end-user is embedded. End-users should be a central piece in any software package evaluation, being key in the evaluation process in the end-user development context. However, little research has empirically examined software package evaluation criteria and techniques in general, and in the end-user development context in particular. This paper aims to provide a method for technology evaluation in the context of end-user development and to present the evaluation of two platforms. We conclude our study proposing a set of suggestions for future research.
The presentation is about information risk management. It covers information threats, risks, vulnerabilities and importance of risk assessment for information security for software companies in India.
http://www.ifour-consultancy.com
Strategic management models and diagrams for professional business presentations.
More downloadable business diagrams at http://www.drawpack.com (your visual business knowledge).
Hosted by Jack Welde (Smartling) with panelists: Sergey Parievsky (VMWare), Spence Green (Lilt), Yan Yu (Spartan Software), Justin Thorne (Age of Learning).
Outsourcing is an imperative process for many companies to stay competitive. However inevitable it is, outsourcing often involves risk and fear of the unknown. What are those risks and fears? How do we manage them? While some have been doing it for years, why can't we? What are the upsides and downsides of outsourcing?
Essay Questions: Answer all questions below in a single document, pr.docx, by jenkinsmandie
Essay Questions
Answer all questions below in a single document, preferably below the corresponding topic.
Responses should be no longer than half a page.
One
1. A security program should address issues from a strategic, tactical, and operational view. The security program should be integrated at every level of the enterprise's architecture. List a security program in each level and provide a list of security activities or controls applied in these levels. Support your list with real-world application data.
2. The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources. List examples of these security states where an asset could lose these security states when attacked, compromised, or became vulnerable. Your examples could include fictitious assets that have undergone some changes.
3. Risk assessment can be completed in a qualitative or quantitative manner. Explain each risk assessment methodology and provide an example of each.
Two
1. Access controls are security features that are usually considered the first line of defense in asset protection. They are used to dictate how subjects access objects, and their main goal is to protect the objects from unauthorized access. These controls can be administrative, physical, or technical in nature and should be applied in a layered approach, ensuring that an intruder would have to compromise more than one countermeasure to access critical assets. Explain each of these controls of administrative, physical, and technical with examples of real-world applications.
2. Access control defines how users should be identified, authenticated, and authorized. These issues are carried out differently in different access control models and technologies, and it is up to the organization to determine which best fits its business and security needs. Explain each of these access control models with examples of real-world applications.
3. The architecture of a computer system is very important and comprises many topics. The system has to ensure that memory is properly segregated and protected, ensure that only authorized subjects access objects, ensure that untrusted processes cannot perform activities that would put other processes at risk, control the flow of information, and define a domain of resources for each subject. It also must ensure that if the computer experiences any type of disruption, it will not result in an insecure state. Many of these issues are dealt with in the system's security policy, and the security model is built to support the requirements of this policy. Given these definitions, provide an example where you could better design computer architecture to secure the computer system with real-world applications. You may use fictitious examples to support your argument.
Three
1. Our distributed environments have put much more responsibility on the individual user, facility management, and administrative procedures and controls than in th.
Running Head SECURITY AWARENESS Security Awareness .docx, by toltonkendal
Running Head: SECURITY AWARENESS
Final Project Security Awareness
Terri Y. Hudson
Southern New Hampshire University – IT 552
December 20, 2016
Agency-wide security awareness Program Proposal
Introduction
For the organization to comply with the current PCI DSS requirement, version 12.6, a security awareness program must be in place. The CISO of the organization has an immediate requirement to create an agency-wide security awareness program. As a means of implementing the security awareness program, the organization has conducted a security gap analysis, one of the components of a security awareness program, which showed ten security findings. As one of the means of conducting the program, I will submit an awareness program proposal.
Objective
This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested the creation of an agency-wide security awareness program, handing over the security gap analysis which was done prior to this process. Hence the major aim of this document is to set out a security awareness program that addresses ten major security findings. The document will also include a risk assessment of the current security awareness practices and processes. With this document, the organization will be able to have a well-organized maintenance plan. It is also important in establishing and maintaining an information-security awareness program (United States, 2000).
Background
The mission of the organization is to provide efficient IT services with the best security program in place with an aim of protecting organizations assets.
1. Technical infrastructure
The organization is engaged in a short-term effort aimed at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements, installation of firewalls and high-end network systems for improved communication. The senior information officer is responsible for overseeing the modernization effort. He has recently completed a security awareness program and the deployment of the organization's LAN (Local Area Network). The hardware in use is Cisco products.
2. Computing Environment
The organization's desktop computers run Windows 2007/98 and 95. The servers are Pentium-based with over 1 GB RAM. The current NOS (network operating system) is Windows based.
3. Security Posture of the Organization
The organization has a basic network structure with only one router, which acts as the firewall. It has several workstations and switches connecting these workstations. In addition, the organization has installed Kaspersky's antivirus on its desktop machines with the aim of reducing external threats. The data server is secured with Kaspersky's antivirus. The organization's physical sec ...
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx, by MargenePurnell14
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O. Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract: Modern society depends on information technology in nearly every facet of human activity, including finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks, including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject.
Keywords: Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with concentration on functionality, costs reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as systems vulnerabilities, and to limit their damaging impact on the information systems integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2].
In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process.
Because risks cannot be complete.
Mobile Security: 5 Steps to Mobile Risk Management, by DMIMarketing
Hundreds of companies, and the most demanding Federal agencies rely on DMI for Mobile Security services and solutions. And with more than 500,000 devices under management, we know how to do it right.
Now we’ve distilled 9 years of Mobile Security best practices into a white paper you can download. The paper lays out a smart, sensible approach to managing mobile risk without unnecessary cost and business disruption.
Please be our guest and check out the white paper. You’ll learn:
How to identify and protect against the threats that matter the most
What to do about “the hottest new technologies”
How to get the most protection for the least cost and disruption
The key differences and similarities between Mobile and traditional cybersecurity
See more at: http://dminc.com/solutions/enterprise-mobility-services/mobilesecuritywp/
Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx, by eugeniadean34240
Running head: IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAINING PLAN STRATEGY
Identity management and security awareness training plan strategy
Student’s name
Institutional affiliation
Security Plan for the Organization
Good security awareness training in IT focuses on broader problems that do not lend themselves to technology-only solutions (Long, 2010). The training can be split into two main groups: first, general security training, which is suitable for all employees regardless of their work role; second, group-specific security training, which centers on specific skills that are significant to only one section of the organization.
General Security Training:
1. Procedures and policies education.
2. Information on the person to be contacted when an employee thinks that she or he has recognized a security risk or threat.
3. Rules for handling information that is confidential.
Group specific training:
1. Regarding the IT operations employees: There should be training in business continuity and disaster recovery planning (Willemssen, 2000).
2. Concerning development organization: Training for design, architecture or coding should be performed.
3. For the staff of finance in the organization, training in fraud detection should be offered.
In conclusion, a properly implemented security awareness training program not only gives the Human Resources department the documentation necessary for follow-up action against staff who disregard security practices, but also reduces the amount of penalizing action required (Webel, 2004).
References
Long, J. (2010). Global information security factors. International Journal of Information Security and Privacy (IJISP), 4(2), 49-60.
Webel, B. (2004). The Economic Impact of Cyber-Attacks. Congressional Research Service, Government and Finance Division. Washington DC: The Library of Congress.
Willemssen, J. (2000). "FAA Computer Security". GAO/T-AIMD-00-330. Presented at Committee on Science, House of Representatives.
Running head: FORENSICS AND CSIRT
Forensics and CSIRT
Name
Institution
SECURITY PLAN
Abstract.
A CSIRT, commonly known as a Computer Security Incident Response Team, is an organization mandated with the responsibility of receiving, reviewing and correcting computer-related security incidents for governments, corporate and religious institutions, or even paying clients (Stein, 2009). This paper presents the forensics and CSIRT plan strategy for the organization.
Introduction.
Network administrators are given the responsibility of maintaining computer networks. Security is an important requirement in the organization's systems, as these have an impact on day-to-day activities. Unauthorized access to an organization's critical information is detrimental to its operations and could be used to cause the failure of the .
An Empirical Study on the Security Measurements of Websites of Jordanian Publ..., by CSCJournals
Most of the Jordanian universities’ inquiries systems, i.e. educational, financial, administrative, and research systems are accessible through their campus networks. As such, they are vulnerable to security breaches that may compromise confidential information and expose the universities to losses and other risks. At Jordanian universities, security is critical to the physical network, computer operating systems, and application programs and each area has its own set of security issues and risks. This paper presents a comparative study on the security systems at the Jordanian universities from the viewpoint of prevention and intrusion detection. Robustness testing techniques are used to assess the security and robustness of the universities’ online services. In this paper, the analysis concentrates on the distribution of vulnerability categories and identifies the mistakes that lead to a severe type of vulnerability. The distribution of vulnerabilities can be used to avoid security flaws and mistakes.
CompTIA CySA Domain 5 Compliance and Assessment.pptx, by Infosectrain3
The CompTIA Cybersecurity Analyst (CySA+) certification is the industry standard for demonstrating that cybersecurity professionals can analyze data and interpret the results to detect vulnerabilities, threats, and risks to an organization.
To ensure security, it is important to build security into both the planning and the design phases and to adopt a security architecture which makes sure that regular and security-related tasks are deployed correctly. Security requirements must be linked to the business goals. We identified four domains that affect security at an organization, namely organization governance, organizational culture, the architecture of the systems, and service management. In order to identify and explore the strengths and weaknesses of a particular organization's security, a wide-ranging model has been developed. This model is proposed as an information security maturity model (ISMM) and is intended as a tool to evaluate the ability of organizations to meet the objectives of security.
IT security controls are the result of protecting information system resources against unauthorized attempts to access them. In an empirical view, this establishes a logical dichotomy between protecting the inside from the outside, not terribly different from what we do when we lock the doors of our homes at night. This inside/outside approach has matured greatly, and continues to do so in today's information systems environment. Traditionally, most of the observed research and its results have produced technical measures in the form of controls and best practices, which act as templates to "secure" information systems from those not authorized to access them. As a natural result, many guides primarily outline technical controls that prevent external access to internal information systems.
The landscape of information technology (IT) security controls has widened significantly over the past few decades, especially since the adoption of the public internet and the proliferation of internet service providers. Even today it is further fueled by the rise of connectedness via mobile means, whether smart phones or tablet devices, or even public Wi-Fi, frequently available at any time and nearly anywhere.
This shift has transitioned the philosophical approach to IT security to information security - information being the actual asset that is being protected though IT security controls. With this understanding, we must further recognize, accept, and conclude that information has value, and within markets of competition, within and between the same or different industries, unauthorized attempts to access information systems are no longer just external configuration issues. They are also internal behavioral issues, which also drive not just technological implementations traditionally spawned by vendor configuration anomalies, but organizational structure, policies, vigilance, and training.
System Security Threats and Risks
INFORMATION ASSURANCE METRICS
System Security Threats and Risks
Cleveland China
Brian Palmer
Ervin Kelly
April 20, 2010
IFSM 485
Seth J. Hudak
Page 1 of 36
4/20/2010
China/Kelly/Palmer
1. Introduction
1.1 System Security Threats and Risk Scope and objective
This document is a guide for the detailed development, selection, and implementation of information system and program-level procedures that indicate the execution, effectiveness, and impact of security controls and other security-associated activities. Mell, Kent, & Nusbaum (2005) acknowledged certain guiding principles on how an organization, through the use of procedures, identifies the capability of the security controls, policies, and procedures currently in place. It provides tools to help management choose where to devote additional information security resources, recognize and assess nonproductive security controls, and prioritize security controls for continuous monitoring. This publication is intended to assist organizations in understanding the threats posed by malware and in mitigating the risks related to malware incidents. It also provides background information on the major categories of malware and practical, real-world guidance on preventing malware incidents and responding to them in an effective, efficient manner (Mell, Kent, & Nusbaum, 2005).
2. Definition of Information Assurance
Protecting data and the platforms that hold it is becoming one of the most important technical jobs in many major corporations. Information assurance (IA) is the technical discipline of data protection. Keeping information and its storage safe is part of general information security, which includes forecasting future dangers and preparing in advance for any risks that are detected. The most important factor of information assurance is keeping privileged and proprietary information out of the hands of the public. The second priority is keeping information platforms safe from intrusions that could dismantle storage, endangering or causing the loss of vital information.
Information assurance involves protection against anyone attempting to harm the information itself or the systems that store it, including viruses and other programs written by attackers to wipe out data and the facilities that hold it. Securing information must be in accordance with government standards and also "smart" and progressive enough to keep up with changing demands and with the constantly growing volume of viruses and malware that destroy data that is not appropriately protected. Information assurance also involves reconstituting data and its housing after it has been compromised. This means refurbishing, rehousing, and re-securing data, as well as re-establishing the list of those with authorized access and assigning new login names and passwords to all authorized parties (Encyclopedia of Management, 2009).
2.1.1 System Assurance
As stated by Liles & Kamali (2006), "Systems assurance is the practice of hardening operating systems from identified threats, analyzing and auditing hardware and devices for identified threats, and remediating the devices and computing platforms within the enterprise (Maconachy, 2001). For instance, proper configuration and defensive strategies employed for protecting a network and specifically a router would be considered systems assurance" (Liles & Kamali, 2006, p. 3). System assurance also includes making sure that each user's account is active and appropriately used, with the right permissions, inside the enterprise.
Table 1. Systems Assurance Courses (Liles & Kamali, 2006, p. 385)
Fundamentals of Information Assurance: This course covers security mechanisms, fundamental aspects, operational issues, policy, attacks, security domains, forensics, information states, security services, threat analysis, vulnerabilities, and other topics.
Systems Assurance: This course covers the implementation of systems assurance with computing systems. Topics include confidentiality, integrity, authentication, non-repudiation, intrusion detection, physical security, and encryption. Extensive laboratory exercises are assigned.
Assured Systems Design and Implementation: This course covers the design and implementation of assured systems in an enterprise environment. Topics include hardening of operating systems, choice of platforms, and design criteria within the assured systems domain. Extensive laboratory exercises are assigned.
Computer Forensics: This course covers the techniques used in the forensic analysis of computerized systems for gathering evidence to detail how a system has been exploited or used. Extensive laboratory exercises are assigned.
2.1.2 Software Assurance
After further observation, Liles & Kamali (2006) identified that software assurance is an assortment of secondary disciplines combined into practice. "Software assurance is the practice of requirements gathering, secure coding, testing, auditing, and implementation of software in the enterprise protecting against known vulnerabilities. Software assurance involves the preparation of source codes such that recognized vulnerabilities are excluded from the product. Additionally software assurance concerns preparing strong source codes so that unidentified vulnerabilities generate protected failure conditions (Software, 1992). Preparation includes auditing commercial off the shelf software (COTS), or free open source software (F/OSS) being implemented within the enterprise, or third party prepared and/or contracted source codes. Software assurance includes normally related computer science topics such as Software Engineering (SE), Software Quality Assurance (SQA), Highly Assured Computing (HAC), Capability Maturity Model (CMM), and other development lifecycle issues. Software assurance elements include field crossing topics such as end of life cycle, maintenance, retirement, reusability, and inheritance variation strategies. Software assurance definitively includes practice oriented computing concepts including secure coding, threat modeling, vulnerability analysis, execution, auditing, and defensive incorporation of software within the enterprise" (Liles & Kamali, 2006, p. 3).
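The phrase "unidentified vulnerabilities generate protected failure conditions" is the fail-closed principle: when a code path hits a condition its author did not anticipate, the safe outcome (deny, stop) must be the default. The Python below is an added example, not code from the paper or from Liles & Kamali; the POLICY table, the PolicyError class, the user records and both check functions are assumptions constructed for illustration. It puts a fail-open authorization check beside its fail-closed form and runs both over the same constructed requests, including a malformed user record and a role the policy does not know.

```python
"""Fail-open versus fail-closed authorization checks.

Added example for the software assurance section; not code from the paper or
from Liles & Kamali. POLICY, PolicyError, the user records and both check
functions are assumptions constructed for illustration.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample policy: role -> actions that role may perform.
POLICY: Dict[str, Set[str]] = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}


class PolicyError(Exception):
    """The policy store could not answer (malformed record, lookup failure)."""


def lookup_role(user: Dict[str, str]) -> str:
    """Simulated directory lookup; a record without a role is a PolicyError."""
    try:
        return user["role"]
    except KeyError as exc:
        raise PolicyError(f"no role recorded for {user.get('name')!r}") from exc


def is_allowed_failopen(user: Dict[str, str], action: str) -> bool:
    """Weak form. The decision starts out permissive and is only tightened on
    the happy path, so every error the author did not foresee becomes a
    grant: a malformed record is allowed, and a role missing from POLICY
    raises KeyError straight out of the check (an availability failure)."""
    allowed = True
    try:
        role = lookup_role(user)
        allowed = action in POLICY[role]
    except PolicyError:
        pass  # "handled" by falling through to the permissive default
    return allowed


def is_allowed_failclosed(user: Dict[str, str], action: str) -> bool:
    """Hardened form. Access is granted only by an explicit match in POLICY;
    a malformed record, an unknown role or any other surprise denies."""
    try:
        role = lookup_role(user)
    except PolicyError:
        return False
    permitted = POLICY.get(role)
    if permitted is None:
        return False
    return action in permitted


# Constructed requests: the last two are the cases nobody wrote a test for.
SAMPLE_REQUESTS: List[Tuple[Dict[str, str], str]] = [
    ({"name": "alice", "role": "analyst"}, "read"),
    ({"name": "alice", "role": "analyst"}, "delete"),
    ({"name": "bob"}, "delete"),                        # record with no role
    ({"name": "carol", "role": "contractor"}, "read"),  # role unknown to POLICY
]


def decide_all(check: Callable[[Dict[str, str], str], bool],
               requests: List[Tuple[Dict[str, str], str]]) -> List[str]:
    """Run one checker over the requests; an escaping exception is recorded
    as 'error' rather than crashing, so both forms can be compared."""
    outcomes = []
    for user, action in requests:
        try:
            outcomes.append("allow" if check(user, action) else "deny")
        except Exception:
            outcomes.append("error")
    return outcomes


if __name__ == "__main__":
    print("fail-open:  ", decide_all(is_allowed_failopen, SAMPLE_REQUESTS))
    print("fail-closed:", decide_all(is_allowed_failclosed, SAMPLE_REQUESTS))
```

Run as a script, the fail-open checker grants the malformed record and crashes on the unknown role, while the fail-closed checker denies both and still grants the legitimate request. The design point is that the hardened form never holds a permissive value that an exception can leave in place; the only route to True is an explicit match, which is what "protected failure conditions" means in practice.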
Table 2. Software Assurance Courses (Liles & Kamali, 2006, p. 386)
Programming Fundamentals: This course covers fundamental data structures, fundamental programming constructs, object-oriented programming, algorithms and problem-solving, event-driven programming, recursion, and other topics.
Advanced Programming: This course covers advanced topics in programming languages, GUI development, threaded applications, components, testing and debugging methods, and advanced topics in event-driven and object-oriented programming techniques. Extensive laboratory exercises are assigned.
Software Assurance: This course covers defensive programming techniques, bounds analysis, error handling, advanced testing techniques, detailed code auditing, and software specification in a trusted assured environment. Extensive laboratory exercises are assigned.
2.1.3 Operations Assurance
Operations assurance covers the components of physical security and the operational characteristics found in an organized information technology organization (Software, 1999). The scope of operational assurance involves the concepts of physical security, data center design, and legal and procedural reporting. Items of extreme concern to the enterprise would be found here, including disaster recovery and planning. Business continuity and risk analysis are threads of knowledge that run through the area of operations assurance.
Within operations assurance one would find, for example, the implications of the Health Insurance Portability and Accountability Act (HIPAA), the Digital Millennium Copyright Act (DMCA), or the concepts of physical security. Ironically, items frequently ignored as part of information assurance are backup and recovery testing procedures, insurance, and other litigation aspects of operations. Defining, categorizing, and applying financial loss expectation documents to the management of an enterprise is a valuable skill in operations assurance (Liles & Kamali, 2006).
Table 3. Operations Assurance Courses (Liles & Kamali, 2006, p. 386)
Ethical and Legal Issues of IT: This course covers professional communications, social context of computing, teamwork concepts and issues, intellectual properties, legal issues in computing, organization context, professional and ethical issues, responsibilities, privacy and civil liberties, and other topics.
Disaster Recovery and Planning: This course covers risk management and business continuity. Topics include disaster recovery strategies, mitigation strategies, risk analysis, and development of contingency plans for unexpected outages and component failures. Extensive laboratory exercises are assigned.
Information Assurance Risk Assessment: This course covers industry and government requirements and guidelines for information assurance and auditing of computing systems. Topics include risk assessment and implementation of standardized requirements and guidelines.
2.2 FIVE PILLARS OF INFORMATION ASSURANCE
According to the Central Security Service, successful information assurance can be broken down into five pillars: availability, integrity, authentication, confidentiality, and nonrepudiation. The five pillars shape specific information assurance policy that gives commercial entities the best chance of success when they apply it to their day-to-day business operations.
"The five pillars are used by the United States government for their information assurance; the five pillars receive different amounts of use depending on the type of threat in play. The same is true for any company that uses the five pillars for the protection of information. Additionally, each company has different needs for security; each company's needs are based on industry, size, reputation, Internet presence, and other factors. Those most widely used of the five pillars involve the education of personnel, the use of encryption, the implementation of the most up-to-date information technologies, and the use of some form of alarm system with the ability to warn personnel of an intrusion" (Encyclopedia of Management, 2009, p. 383-385).
2.3 ROLES AND RESPONSIBILITIES
Roles and responsibilities for developing and implementing information security measures must be adhered to for organizational success. Because information security is one of the primary duties of every member of the organization, it is important that all members be aware of their roles and responsibilities across the entire operation (Chew et al., 2008).
2.3.1 Agency Head
The Agency Head has various responsibilities related to information security measures. The Agency Head ensures that information security measures are used in support of the agency's strategic and operational planning processes to secure the organization's mission. Additionally, the Agency Head is responsible for making sure that information security measures are incorporated into the Chief Information Officer's (CIO's) annual reports on the effectiveness of the agency information security program. The Agency Head supports information security measure development and implementation, and communicates official support to the agency. The Agency Head also ensures that information security measurement activities have adequate financial and human resources for success; actively promotes information security measurement as an essential facilitator of information security performance improvement throughout the agency; and approves policies to officially institute measures collection (Chew et al., 2008).
2.3.2 Chief Information Officer
The Chief Information Officer (CIO) is responsible for using information security measures to assist in monitoring compliance with applicable information security requirements. The CIO uses information security measures in annual reports to the agency head on the effectiveness of the agency information security program. The CIO is also committed to routinely assessing the information security procedures that support policies. Other areas of concern for the CIO are:
1. Properly marketing the value of using information security measures to monitor the overall health of the information security program and to conform to related regulations
2. Making certain that information security programs are established and put into practice
3. Assigning sufficient monetary and human resources to the information security measurement program
4. Reviewing resource allocation, and evaluating the information security program's position and the operational risks to agency information systems
5. Giving information security training to staff, along with other duties
(Chew et al., 2008).
2.3.3 Program Manager/Information System Owner
As stated by Chew et al. (2008), "Program managers, as well as information system owners, are responsible for ensuring that proper security controls are in place to address the confidentiality, integrity, and availability of information and information systems. The program manager/information system owner has the following responsibilities related to information security measurement:
1. Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories;
2. Educating staff on the development, collection, analysis, and reporting of information security measures and how it will affect information security policy, requirements, resource allocation, and budget decisions;
3. Ensuring that measurement data is collected consistently and accurately and is provided to designated staff who are analyzing and reporting the data;
4. Directing full participation and cooperation of staff, when required;
5. Reviewing information security measures data regularly and using it for policy, resource allocation, and budget decisions; and
6. Supporting implementation of corrective actions, identified through measuring information security performance" (Chew et al., 2008, p. 8).
2.3.4 Information System Security Officer
Acknowledging these significant duties, Chew et al. (2008) recognized that "The Information System Security Officer (ISSO) has the following responsibilities related to information security measurement:
1. Participating in information security measurement program development and implementation by providing feedback on feasibility of data collection and identifying data sources and repositories;
2. Collecting data or providing measurement data to designated staff that are collecting, analyzing, and reporting the data" (Chew et al., 2008, p. 8).
2.3.5 Other Related Roles
Information security measurement may require inputs from a variety of organizational components or stakeholders, including incident response, information technology operations, privacy, enterprise architecture, human resources, physical security, and others (Chew et al., 2008).
3. Identify Malware Categories
Many organizations face threats every day, with or without warning from the security controls in place. The task of preventing potential attacks is getting more difficult as attackers continue to find ways to bypass an organization's security. There are many types of malware that an organization could face when protecting its information assets; this section of the document focuses on worms, rootkits, botnets, and denial of service/distributed denial of service (DoS/DDoS).
3.1.1 Worms
"Worms are self-replicating programs that are completely self-contained, allowing it not to require a host program to infect an information system. Unlike viruses, worms also are self-propagating, thus creating fully functional copies and executing themselves without user intervention. This has made worms increasingly popular with attackers, because a worm has the potential to infect many more systems in a short period of time than a virus can. Worms take advantage of known vulnerabilities and configuration weaknesses, such as unsecured Windows shares. Although some worms are intended mainly to waste system and network resources, many worms damage systems by installing backdoors, perform distributed denial of service (DDoS) attacks against other hosts, or perform other malicious acts. The two primary categories of worms are network service worms and mass mailing worms" (Mell, Kent, & Nusbaum, 2005, p. 17-18).
"Network service worms spread by exploiting a vulnerability in a network service associated with an operating system (OS) or an application. Once a worm infects a system, it typically uses that system to scan for other systems running the targeted service and then attempts to infect those systems as well. Because they act completely without human intervention, network service worms can typically propagate more quickly than other forms of malware. The rapid spread of worms and the intensive scanning they often perform to identify new targets often overwhelm networks and security systems (e.g., network intrusion detection sensors), as well as infected systems" (Mell, Kent, & Nusbaum, 2005, p. 18).
"Mass mailing worms are similar to e-mail-borne viruses, however mass mailing worms are self-contained instead of infecting an existing file as e-mail-borne viruses do. Once a mass mailing worm has infected a system, it typically searches the system for e-mail addresses and then sends copies of itself to those addresses, using either the system's e-mail client or a self-contained mailer built into the worm itself. A mass mailing worm typically sends a single copy of itself to multiple recipients at once. Besides overwhelming e-mail servers and networks with massive volumes of e-mails, mass mailing worms often cause serious performance issues for infected systems" (Mell, Kent, & Nusbaum, 2005, p. 18).
3.1.2 Rootkits
According to the United States Computer Emergency Readiness Team (US-CERT), a rootkit "is a piece of software that can be installed and hidden on your computer without your knowledge. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected" (McDowell, 2008, p. 1). If a rootkit has been installed, an organization may not be aware that its information system(s) have been compromised, and traditional anti-virus software may not be able to detect the malicious programs. Attackers are also creating more sophisticated programs that update themselves so that they are even harder to detect (McDowell, 2008).
3.1.3 Botnets
A botnet is a group of computers that can be controlled by one or more outside sources. "An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access" (McDowell, 2008, p. 1). An organization's information systems may be part of a botnet even though they appear to be operating normally. Botnets are often used to conduct a range of activities, from distributing spam and viruses to conducting denial-of-service attacks (McDowell, 2008).
3.1.4 DoS/DDoS
A distributed denial-of-service (DDoS) attack occurs when an attacker uses many computers to flood a network and/or attack another computer. He or she could force your computer to send huge amounts of data to a website or to send spam to particular email addresses. The attack is "distributed" because the attacker uses multiple computers to launch the denial-of-service attack. The following symptoms could indicate a DDoS attack:
1. unusually slow network performance (opening files or accessing websites)
2. unavailability of a particular website
3. inability to access any website
4. dramatic increase in the amount of spam you receive in your account
(McDowell, 2009).
When a DDoS attack is launched against an organization, business operations can cease for a few hours to a few days, depending on how severe the attack is. The DDoS can flood the network, causing all network services to become unavailable. For example, organizations in the e-commerce market can lose consumers because their website is not available. As a result, the organization loses the revenue generated by everyday consumers. Bad publicity can also follow if the organization does not resolve the issue quickly.
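The two behaviours described in the worm and DDoS sections above, a network service worm scanning for new hosts to infect and a flood against a single server, both leave a statistical footprint in connection records: the worm is one source touching many destinations on one port in a short time (fan-out), the flood is many sources touching one destination and port (fan-in). The Python below is an added example, not code from the paper, from NIST SP 800-83 or from US-CERT; the record format, the window and threshold values, the function names and the SAMPLE traffic are all assumptions constructed here.

```python
"""Scan (fan-out) and flood (fan-in) detection over connection records.

Added example for the worm and DDoS sections; it is not code from the paper,
NIST SP 800-83 or US-CERT. The record format ('ts src dst dport'), the
window/threshold values and SAMPLE are all assumptions made here.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int        # seconds since epoch
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts src dst dport' lines; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


Key = Tuple[str, int, int]   # (address, dport, time bucket = ts // window)


def fan_out(flows: List[Flow], window: int, min_targets: int) -> Dict[Key, int]:
    """Worm/scanner signature: one source touching many distinct destinations
    on the same port inside one time window. Returns the offending
    (src, dport, bucket) keys with the number of distinct destinations."""
    seen: Dict[Key, Set[str]] = defaultdict(set)
    for f in flows:
        seen[(f.src, f.dport, f.ts // window)].add(f.dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_targets}


def fan_in(flows: List[Flow], window: int, min_sources: int) -> Dict[Key, int]:
    """DDoS signature: many distinct sources hitting one destination/port
    inside one time window. Returns (dst, dport, bucket) -> source count."""
    seen: Dict[Key, Set[str]] = defaultdict(set)
    for f in flows:
        seen[(f.dst, f.dport, f.ts // window)].add(f.src)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_sources}


def alerts(text: str, window: int = 60, min_targets: int = 5,
           min_sources: int = 10) -> List[str]:
    """Run both detectors over raw record text and return alert lines."""
    flows = parse_flows(text)
    out = []
    for (src, port, bucket), n in sorted(fan_out(flows, window, min_targets).items()):
        out.append(f"SCAN  {src} -> {n} hosts on port {port} (window {bucket})")
    for (dst, port, bucket), n in sorted(fan_in(flows, window, min_sources).items()):
        out.append(f"FLOOD {n} sources -> {dst}:{port} (window {bucket})")
    return out


def _constructed_sample() -> str:
    """Constructed traffic, not a real capture: a little normal web traffic,
    one host sweeping its neighbours on 445, and a flood against one server."""
    lines = ["# ts src dst dport",
             "100 10.0.0.5 10.0.1.20 443",
             "101 10.0.0.6 10.0.1.20 443",
             "102 10.0.0.5 10.0.1.21 443"]
    # worm-like: one internal host hits eight neighbours on 445 within seconds
    lines += [f"{120 + i} 10.0.0.7 10.0.1.{i + 1} 445" for i in range(8)]
    # flood: twelve distinct sources hit one web server within seconds
    lines += [f"{200 + i} 198.51.100.{i + 1} 203.0.113.10 80" for i in range(12)]
    return "\n".join(lines)


SAMPLE = _constructed_sample()

if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print(line)
```

Run as a script it prints one SCAN line for 10.0.0.7 and one FLOOD line for 203.0.113.10:80, while the ordinary web traffic stays under both thresholds. The thresholds are deliberately low so the constructed sample trips them; on real NetFlow or firewall logs they have to be tuned against a baseline, because vulnerability scanners, monitoring hosts and busy public servers all produce legitimate fan-out or fan-in. That tuning is the same problem a network intrusion detection sensor faces, and it is why a worm's own scanning, as the quoted NIST text notes, can overwhelm the sensor that is supposed to catch it.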
3.2 Potential Impacts from Vulnerabilities
Organizations tend to focus more on outside threats than on inside threats. In reality, the insider threat should be given equal consideration, because malicious employees may attempt suspicious activities on the network. There has been a realization that "the insider and outsider threats are merging as outsiders are more and more easily penetrating the security perimeters and becoming 'insiders'" (Gilligan, 2009, p. 5). Specific controls such as network segmentation, control of administrative rights, enforcement of need to know, data leakage protection, and effective incident response directly address the key ways in which insider threats can be mitigated. The controls implemented to limit unauthorized access within the organization work effectively to mitigate both insider and outsider threats.
It is important to note that these controls are meant to deal with multiple types of attackers, including but not limited to malicious internal employees and contractors, independent external actors, organized crime groups, terrorists, and nation-state actors, as well as combinations of these threats (Gilligan, 2009). As Gilligan (2009) states, "these controls are not limited to blocking only the initial compromise of systems, but also address detecting already-compromised machines, and preventing or disrupting attacker's actions" (Gilligan, 2009, p. 6). The defenses identified through these controls deal with decreasing the initial attack surface through improving architectures and hardening security, identifying already-compromised machines to address long-term threats inside an organization's network, controlling users' privileges on systems, and disrupting attackers' command-and-control of implanted malicious code (Gilligan, 2009). The figure below illustrates the scope of the different kinds of attacker activities that these controls are designed to help thwart.
Figure: scope of attacker activities addressed by the controls (Gilligan, 2009, p. 6)
The rings represent the actions attackers may take against target information systems. These actions include initially compromising an information system by exploiting one or more vulnerabilities (i.e., “Getting In”). Attackers can then maintain long‐term access on a system, often by creating accounts, subverting existing accounts, or altering the software on the computer to include backdoors and rootkits (i.e., “Staying In”). Attackers with access to information systems can also cause damage, which could include stealing, altering, or destroying information; impairing the system’s functionality to jeopardize its business effectiveness or mission; or using it as a jump‐off point for compromise of other systems in the environment (i.e., “Acting”). Where these rings overlap, attackers have more ability to compromise sensitive information or cause damage. Outside each set of rings in the figure, various defensive strategies are presented to help limit the abilities of attackers (Gilligan, 2009).
3.3 Threats associated with Information Security
This section of the paper identifies the goals and major threats that are associated with information security. Jesan (2006) acknowledged that “information is one of the very important assets in almost all organizations” (Jesan, 2006, p. 1). Information security is therefore just as valuable and noteworthy as the information itself. The main goals of information security are to protect the confidentiality, integrity and availability of the information that it processes and handles within a network system. Once the network infrastructure is connected to the Internet, the information that is acquired and processed becomes a potential target for cyber attacks (Jesan, 2006). Organizations and businesses have spent billions of dollars on preventive measures to avoid the loss of valuable and sensitive information. Security threats and breaches remain a high potential danger to a network infrastructure. Consequently, businesses and organizations use various techniques and methods to prevent sabotage of or tampering with their network systems. Some organizations utilize a self-hacking audit tool to eliminate any possible threats that may harm their network system. The following threats have been identified as dangerous to any network system, and understanding them helps eliminate possible compromise or accidental loss of information:
3.3.1 Hacking
Hacking is considered to be nothing more than people gaining access to a computer system without the knowledge of its owner. Once an individual gains access to a target computer system, sensitive and private information can be compromised and used to destroy or damage an individual's identity. Hackers target e-commerce sites, banks and other websites that contain valuable information about individuals. Although some hackers use their talent for fun, others focus on finding ways to penetrate a network by exposing the vulnerabilities and weaknesses within its infrastructure. Hackers use a variety of malicious code and viruses to find loopholes and unsecured terminals to achieve their objective (Jesan, 2006).
3.3.2 Viruses and Worms
Viruses and worms are computer programs which are released inside a computer with the sole intent of destroying or damaging the equipment. Although both programs are used for the same purpose, their functions are totally different. Both programs have the ability to replicate themselves, but when they are activated on a computer network, a virus needs a carrier to travel across the network, whereas a worm has the ability to travel throughout the network without any assistance. According to Trend Micro, a total of 400 new viruses are created each month, and over 60,000 viruses have been identified, which spread very quickly to destroy an organization's computer infrastructure (Jesan, 2006).
3.3.3 Trojan Horse
A Trojan horse is a very dangerous program if managed by the wrong person. The program provides a function that is used by system administrators to control workstations remotely. There are two components to it: one program runs the client function and the other runs as a server. This is one tool that a hacker can use to gain control of a network system. If hackers gain control of this type of activity, they have the ability to monitor all data that is transmitted over a corporation's network (Jesan, 2006).
3.3.4 Spoofing
Spoofing is the ability to deceive other computer users into believing that the information being provided is actually coming from a legitimate user. Spoofing has been divided into three types, and each technique must be understood in order to prevent this type of action from happening. The three spoofing types are:
1. IP spoofing is the ability to change the source address of an IP packet so that it identifies the source as a legitimate address and not the address of a hacker. The function of IP spoofing is to make the original message appear authenticated, so as to avoid a disruption within the network (Jesan, 2006).
2. DNS spoofing uses a different technique, directing users to a different website for the purpose of collecting personal information. DNS spoofing takes control of the main domain, where names and IP addresses are mapped. This process is very dangerous because it gives a hacker access to the entire domain database, which creates a living nightmare for customers whose sensitive information is stored there (Jesan, 2006).
3. ARP (Address Resolution Protocol) maintains a table of the MAC addresses of every computer installed on an organization's network. All traffic that reaches ARP is delivered directly to the computer indicated by the mapping in the ARP table. Because this process updates the table with whatever information is transmitted to it, hackers can update the table and steal an IP address (Jesan, 2006).
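Two of the three spoofing types above can be checked for on the defender's side with very little code. The following is an added example, not code from Jesan (2006): an ingress filter that rejects packets whose source address could not legitimately arrive on a given interface (the standard defense against IP spoofing), and an ARP monitor that keeps its own copy of the IP-to-MAC table and raises an alert when a binding changes or when one MAC starts answering for several IP addresses. DNS spoofing needs a live resolver and is not covered. The address plan, MAC addresses and the ARP reply sequence are constructed for the demonstration.

```python
"""Added example: two defender-side checks for the IP and ARP spoofing types
described above (DNS spoofing needs a live resolver and is not covered here).
This is not code from Jesan (2006); addresses, MACs and prefixes are constructed."""
import ipaddress
from collections import defaultdict

# Assumed addressing plan for the demonstration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
NEVER_FROM_OUTSIDE = INTERNAL_NETS + [
    ipaddress.ip_network("127.0.0.0/8"),      # loopback can never arrive on a wire
    ipaddress.ip_network("0.0.0.0/8"),
]


def ingress_filter(iface, src):
    """Decide whether a packet with source address `src` may enter on `iface`.
    On the external interface, internal and loopback sources are forged by
    definition; on the LAN interface only internal sources are legitimate,
    which also stops our own hosts from emitting spoofed packets toward others."""
    addr = ipaddress.ip_address(src)
    if iface == "wan":
        if any(addr in net for net in NEVER_FROM_OUTSIDE):
            return False, "internal or loopback source on external interface"
        return True, "ok"
    if iface == "lan":
        if not any(addr in net for net in INTERNAL_NETS):
            return False, "non-local source address leaving the LAN"
        return True, "ok"
    return False, f"unknown interface {iface}"


class ArpMonitor:
    """Watches IP -> MAC bindings learned from ARP replies. A binding that
    changes is the classic sign of ARP cache poisoning; a change to a statically
    configured entry (e.g. the default gateway) is treated as high severity."""

    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)
        self.seen = defaultdict(set)          # mac -> every IP it has claimed
        self.alerts = []

    def observe(self, ip, mac):
        """Record one ARP reply; return True if it is consistent with the table."""
        mac = mac.lower()
        self.seen[mac].add(ip)
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return True
        if known == mac:
            return True
        severity = "high" if ip in self.static else "medium"
        self.alerts.append({"severity": severity, "ip": ip, "expected": known, "observed": mac})
        if ip not in self.static:
            self.table[ip] = mac              # dynamic entries follow the network
        return False

    def macs_claiming_many_ips(self, limit=2):
        """One MAC answering for several IPs is how a poisoner inserts itself
        between two hosts; report any MAC with `limit` or more claims."""
        return {mac: sorted(ips) for mac, ips in self.seen.items() if len(ips) >= limit}


def run_demo():
    """Constructed ARP reply sequence: normal traffic, then one host answering
    for both the gateway and another workstation."""
    mon = ArpMonitor(static={"10.0.0.1": "00:11:22:33:44:01"})
    replies = [
        ("10.0.0.5", "00:11:22:33:44:05"),
        ("10.0.0.1", "00:11:22:33:44:01"),
        ("10.0.0.1", "DE:AD:BE:EF:00:01"),    # gateway binding changes -> high
        ("10.0.0.5", "de:ad:be:ef:00:01"),    # same MAC now claims .5 -> medium
    ]
    results = [mon.observe(ip, mac) for ip, mac in replies]
    return mon, results


if __name__ == "__main__":
    mon, results = run_demo()
    print(results, mon.alerts, mon.macs_claiming_many_ips(), sep="\n")
    for iface, src in [("wan", "10.0.0.9"), ("wan", "203.0.113.4"), ("lan", "203.0.113.4")]:
        print(iface, src, ingress_filter(iface, src))
```

Static entries are deliberately never overwritten by observed replies: the monitor keeps reporting the conflict for the gateway rather than silently adopting the new MAC, while ordinary dynamic entries follow the network so that a legitimate hardware replacement produces one medium alert and then goes quiet.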
3.3.5 Sniffing
Sniffing is the procedure used to confirm that all packets of a message pass safely through the network. This technique was first used to fix network problems. Hackers use this method to capture login IDs and passwords transmitted over the wire. Any data obtained during this process becomes valuable to the hacker during later attacks on the network system. To avoid sniffing attacks, it is suggested that all data transmitted over the network be encrypted for safety (Jesan, 2006).
3.4 Information Security Challenges
The security measures surrounding the protection of sensitive information within an organization are a big challenge for a security officer. Chew et al. (2008) identified certain security measures that are very beneficial to an organization. Chew recognized that gathering information successfully depends on the construction of the security plan within the unit. A program reaches maturity when the organization follows all policies and procedures that have been implemented in the organization. As policies become more detailed, it is imperative that the policies become more standardized and are implemented at all levels of the organization.
The challenges that information security faces depend on the goals and objectives that are set forth by upper management within the organization. Each goal and objective must be fully understood and enforced at all levels to be effective. Standard policies and procedures must be well documented, posted and addressed throughout the entire agency. During the implementation phase of the information security awareness program, each challenge must be fully addressed with a workable solution before moving to the next phase. To overcome any challenges to an information security goal, management must establish an effective tracking mechanism to document and quantify various aspects of information security performance. In order for this program to be effective, each phase of the program must show progress toward maturity, and the measurement of each phase must be evaluated as improved performance. The following illustration shows the progression of an information security program (Chew et al., 2008).
Figure: progression of an information security program (Chew et al., 2008, p. 12)
3.5 Risk Management
As security controls are implemented for an information system, concern about risk and vulnerability becomes a major factor involving management at all levels. Ross et al. (2007) recommended that the significant elements used to manage an organization's information security program should provide the organization with an effective framework for selecting the appropriate security controls for an information system. Network enterprises are encouraged to follow security controls derived from Executive Orders, policies, regulations, directives, standards and applicable laws, which must be adhered to and strictly enforced. To be effective, these can be applied in the context of the system development life cycle and the Federal Enterprise Architecture to both legacy and new information systems. Listed below are the components and related activities involved in managing potential risk within an organization, also known as the NIST Risk Management Framework (Ross et al., 2007):
1. “Categorize – the information systems and the information resident within that system based on FIPS 199 impact analysis.
2. Select – an initial set of security controls for the information system based on the FIPS 199 security categorization and the minimum security requirements defined in FIPS 200.
3. Supplement – the initial set of tailored security controls based on an assessment of risk and local conditions including organization-specific security requirement, specific threat information, cost-benefit analyses, or special circumstances.
4. Document – the agreed-upon set of security controls in the system security plan including the organization’s rationale for any refinements or adjustments to the initial set of controls.
5. Implement – the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place.
6. Assess – the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
7. Authorize – information system operation based upon a determination of the risk to organizational operations, organizational assets, or to individuals resulting from the operation of the information system and the decision that this risk is acceptable.
8. Monitor and assess selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis” (Ross et al., 2007, p. 24-23).
3.6 Security Metrics
The groundwork of strong senior-level executive support is necessary for the success of the security program in general and for the performance of a security metrics program in particular. This support establishes a focal point on security at the highest levels of the organization. Without a steady platform, the security metrics program can collapse when difficulties are created by politics and budget limitations.
3.6.1 Definition
Based on the thoughts of George Jelen, SMART is an acronym that represents specific, measurable, attainable, repeatable, and time-dependent. George Jelen is an associate of the International Systems Security Engineering Association (ISSEA). SMART can be used to define excellent metrics. Valuable metrics indicate the extent to which security goals, such as data confidentiality, are being achieved, and they reinforce procedures taken to improve an organization's overall security plan. Distinguishing between metrics meaningful mainly to individuals with direct responsibility for security management and those that speak directly to senior management interests and concerns is important to the maturity of an effective security metrics program (Payne, 2006).
3.6.2 Build
To make comprehension and acceptance of a new security metrics plan possible at every stage, it is sensible to position the plan within process-improvement frameworks that are already known to the organization. For instance, the DuPont Corporation's program foundation is based on the “Six Sigma Breakthrough Strategy”, a widely marketed management method that puts the spotlight on defect elimination. Numerous other corporations attach their metrics program to corporate security standards compliance. Whatever the core framework is, seven essential steps for establishing a security metrics plan can be used as a guide.
1. Define the metrics program goal(s) and objectives
2. Decide which metrics to generate
3. Develop strategies for generating the metrics
4. Establish benchmarks and targets
5. Determine how the metrics will be reported
6. Create an action plan and act on it, and
7. Establish a formal program review/refinement cycle
(Payne, 2006)
3.6.3 Value
A widely accepted management belief is that an activity cannot be controlled if it cannot be measured. Security falls under this rubric. Metrics can be a valuable tool for security executives to gauge the success of different components of their security programs, the security of a specific system, product or process, and the ability of staff or departments inside an organization to tackle security concerns for which they are accountable. Metrics could also assist with discovering the level of risk in not taking a given action, and in that way give guidance in putting corrective procedures in place. Also, metrics might be used to raise the level of security awareness inside the organization. Lastly, through the understanding achieved with metrics, security administrators can better respond to difficult questions from their senior managers and others, such as: are we better protected today than we were previously, how do we measure up to others in this regard, and are we safe enough (Payne, 2006).
3.6.4 7-Step Methodology
Step 1: Define the metrics program goal(s) and objectives
Since creating and sustaining a security metrics plan could require substantial effort and divert resources away from other security activities, distinct and agreed goal(s) and objectives for the program should be settled upon up front. A single goal that clearly states the end toward which all measurement and metrics-gathering efforts should be directed is a good approach, although there is no hard and fast rule about this. For instance, a goal statement might be:
“Afford metrics that plainly and purely express how professionally and successfully our company is harmonizing security risks and protective measures, so that investments in our security program can be properly sized and targeted to meet our overall security goals” (Payne, 2006, p. 3-4).
Step 2: Decide which metrics to generate
To give an idea of this step, a “Six Sigma” approach would focus on security processes for which defects could be detected and managed, and the Step 2 task of crafting a metrics plan would be to identify those specific security processes. A compliance-based approach would evaluate how closely established security standards are being adhered to.
If no preexisting framework is in place, either a top-down or a bottom-up approach for deciding which metrics are wanted would provide support. The top-down approach begins with the goals of the security program, then works backward to identify the specific metrics that would help determine whether those goals are being achieved, and finally the measurements needed to produce those metrics.
Figure: top-down approach to deciding which metrics to generate (Payne, 2006, p. 4)
The bottom-up approach begins by describing which security processes, products, services, and so on are in place that can be or already are measured, then considers which significant metrics could be derived from those measurements. It concludes by reviewing how well those metrics link to the overall security program goals (Payne, 2006).
Figure: bottom-up approach to deciding which metrics to generate (Payne, 2006, p. 5)
Step 3: Develop Strategies for Generating the Metrics
Strategies for gathering the required information and deriving the metrics must be crafted once what is to be measured is well understood. These strategies must identify several items: the source of the information, the frequency of information collection, and the person accountable for raw information accuracy, for aggregating the information into measurements, and for creating the metric (Payne, 2006).
Step 4: Establish benchmarks and targets
During this stage suitable benchmarks would be identified and improvement targets set. This process not only offers new ideas for managing an activity, but also can provide the comparative information required to make metrics more meaningful. Benchmarks assist with establishing attainable targets for driving improvements in existing practices. Benchmarking is ultimately the practice of comparing one's own practices and obligations against peers inside the business or noted “best practice” organizations outside the business. A security administrator should consult industry-specific information resources for probable benchmarks and best practices (Payne, 2006).
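Steps 2 through 4 can be made concrete with a small amount of code, and doing so also shows what the SMART properties from section 3.6.1 mean in practice. The following is an added example, not code from Payne (2006) or from any NIST guide this paper cites. It takes the top-down route: the goal is to shorten the time during which critical vulnerabilities are exposed; the metrics derived from it are the share of critical findings closed within a service-level window and their mean age; the raw measurements are per-finding discovery and fix dates. Each metric is then compared with a target (the benchmark of Step 4) and with the previous quarter, which answers the "are we better protected than we were previously" question from section 3.6.3. The findings, the 30-day SLA and the 75% target are constructed for the demonstration.

```python
"""Added example: deriving SMART metrics (3.6.1) from raw measurements, then
comparing them with a target and with the previous period, i.e. Steps 2-4 of the
methodology above carried out in code. Not code from Payne (2006) or any cited
NIST guide; the vulnerability findings, SLA and target are constructed."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One raw measurement: a vulnerability found on a system and when it was fixed."""
    system: str
    severity: str            # "critical", "high", ...
    found: date
    fixed: Optional[date]    # None = still open at the end of the period


def remediation_metrics(findings, period_start, period_end, sla_days=30):
    """Goal (top-down): shrink the window during which critical flaws are exposed.
    Metrics: share of critical findings from the period closed within sla_days,
    and the mean age of those findings (open ones are aged up to period_end).
    Both are specific, measurable, repeatable and tied to a period."""
    crit = [f for f in findings
            if f.severity == "critical" and period_start <= f.found <= period_end]
    if not crit:
        return {"count": 0, "pct_within_sla": None, "mean_days_open": None}
    ages = [((f.fixed or period_end) - f.found).days for f in crit]
    within = sum(1 for f, age in zip(crit, ages) if f.fixed is not None and age <= sla_days)
    return {
        "count": len(crit),
        "pct_within_sla": round(100 * within / len(crit), 1),
        "mean_days_open": round(mean(ages), 1),
    }


def evaluate(current, target_pct, previous=None):
    """Step 4: compare against the target (attainable), and answer the
    'are we better protected than we were previously' question by trend."""
    if current["pct_within_sla"] is None:
        return "no data", None
    status = "meets target" if current["pct_within_sla"] >= target_pct else "below target"
    trend = None
    if previous and previous["pct_within_sla"] is not None:
        delta = current["pct_within_sla"] - previous["pct_within_sla"]
        trend = "improving" if delta > 0 else ("flat" if delta == 0 else "worsening")
    return status, trend


# Constructed findings for two quarters of 2010 (system names are placeholders).
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2010, 1, 5), date(2010, 1, 20)),
    Finding("db-01", "critical", date(2010, 1, 10), date(2010, 3, 1)),
    Finding("web-02", "critical", date(2010, 2, 1), date(2010, 2, 20)),
    Finding("mail-01", "high", date(2010, 2, 2), date(2010, 2, 3)),
    Finding("app-01", "critical", date(2010, 3, 9), None),
    Finding("web-01", "critical", date(2010, 4, 3), date(2010, 4, 20)),
    Finding("db-02", "critical", date(2010, 4, 15), date(2010, 5, 10)),
    Finding("app-02", "critical", date(2010, 5, 5), date(2010, 6, 20)),
    Finding("web-03", "critical", date(2010, 6, 1), date(2010, 6, 15)),
    Finding("db-01", "critical", date(2010, 6, 20), None),
]
Q1 = (date(2010, 1, 1), date(2010, 3, 31))
Q2 = (date(2010, 4, 1), date(2010, 6, 30))
TARGET_PCT = 75.0      # assumed benchmark: three quarters of criticals closed inside the SLA


def quarterly_report(findings=SAMPLE_FINDINGS):
    """Produce both quarters' metrics and the Q2 verdict against target and Q1."""
    q1 = remediation_metrics(findings, *Q1)
    q2 = remediation_metrics(findings, *Q2)
    return q1, q2, evaluate(q2, TARGET_PCT, previous=q1)


if __name__ == "__main__":
    q1, q2, verdict = quarterly_report()
    print("Q1:", q1)
    print("Q2:", q2)
    print("Q2 vs target and Q1:", verdict)
```

Open findings count against the metric rather than being dropped, otherwise a period in which nothing was fixed would report a perfect score; that is the kind of deficiency Step 6's testing process is meant to surface before a metric is reported upward.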
Step 5: Determine how the metrics will be reported
Security metrics efforts have to be communicated successfully in order to get positive results. Some metrics should be distributed only to the personnel they pertain to, such as the security manager and staff. Other metrics may be used for corrective measures within an organization. The context, format, frequency, distribution method, and responsibility for reporting metrics must be clear up front, so that the end product can be pictured both by those involved in establishing the metrics and by the individuals using the metrics for decision-making (Payne, 2006).
Step 6: Create an action plan and act on it
The action plan must contain all tasks to be accomplished to begin the security metrics program, including projected end dates and assignments. Action items should be derived from the objectives. So that all involved understand and stay focused on the importance of the action plan, the connection of each action to the objectives must be documented. The plan must have a testing process. Deficiencies may show some metrics to be impractical and require reconsideration of what is to be measured and how (Payne, 2006).
Step 7: Establish a formal program review/refinement cycle
Finally, the whole security metrics program should be checked formally and routinely; this must be built into the overall process. During the assessment process, questions such as the following will be imperative to answer: Is there reason to distrust the accuracy of any of the metrics? Are the metrics helpful in deciding new strategy for the overall security program? How much effort does it take to produce the metrics? A fresh look at security metrics standards and best practices inside and outside the business must also be carried out to help identify new improvements and opportunities to tweak the program (Payne, 2006).
3.7 Metrics Program Implementation
The metrics program implementation process operates a metrics program that is iterative by nature and ensures that suitable aspects of Information Technology (IT) security are measured for a particular moment in time. Implementation of IT security metrics involves using the metrics to monitor IT security control performance, and using the outcomes of that monitoring to start performance improvement activities. The iterative process entails six phases which, when completely carried out, will ensure the continuous use of IT security metrics for security performance monitoring and improvement. Illustrated below is a figure of the IT security metrics program implementation process (Chew et al., 2008).
Figure: IT security metrics program implementation process (Chew et al., 2008, p. 35)
4.1 Malware Incident Prevention
Malware incident prevention consists of a few key elements: policy, awareness, vulnerability mitigation, and threat mitigation. Making certain that policies address malware prevention supplies a foundation for putting preventive controls into practice. Human error that causes unpleasant incidents can be lessened by establishing and maintaining general malware awareness programs for every user, plus specific awareness training for the Information Technology personnel directly concerned with malware prevention activities. A number of potential attack vectors can be eliminated by applying effort to vulnerability mitigation. Putting a mixture of threat mitigation methods and tools, such as antivirus software and firewalls, into service can stop threats from effectively attacking systems and networks.
When setting up an approach to malware prevention, organizations must be aware of the attack vectors that are most likely to be used at present and in the near future. They must also consider how much control they will have over their systems in managed versus non-managed environments; this has an important bearing on the success of a variety of protective measures. Also, businesses should integrate established protective measures into their malware prevention efforts. Businesses ought to be conscious, however, of the fact that no matter how much time and energy they devote to malware incident prevention, incidents will still take place. That is why organizations must have robust malware incident handling capabilities to limit the harm that malware can cause and to restore data and services efficiently (Mell, Kent, & Nusbaum, 2005).
4.2 Malware Incident Response
As defined in NIST SP 800-61, Computer Security Incident Handling Guide, the incident
response process has four major phases: preparation, detection and analysis,
containment/eradication/recovery, and post-incident activity (Mell, Kent, & Nusbaum, 2005).
Figure: incident response life cycle phases (Mell, Kent, & Nusbaum, 2005, p. 4-1)
The first stage of malware incident response entails carrying out preparatory activities, such as creating specific malware incident handling procedures and training courses for incident response teams. The preparation phase also invests time and energy in policy, awareness activities, vulnerability mitigation, and security tools to reduce the number of malware incidents. Some risk will undoubtedly remain, and no tactic is fail-safe regardless of the measures taken. Detection of malware infections is thus necessary to alert the organization whenever incidents occur. Fast detection is vital for malware incidents, since they are more likely than other kinds of incidents to affect many users and systems in a short time, and earlier detection can help reduce the number of infected systems. The organization ought to act appropriately depending on the severity of the incident, and for every incident mitigate its impact by containing it, eradicating infections, and eventually recovering from the incident. This can be very difficult during widespread infections, especially when the majority of an organization's systems may be infected all at once. Following an incident, the organization should produce a report that gives the details of the cause and cost of the incident, along with the steps the organization must take to avoid future incidents and to prepare more effectively to handle incidents that do occur. Even though the basic incident handling process is the same for any sort of malware incident, widespread infections present various challenges that the normal incident response process does not address (Mell, Kent, & Nusbaum, 2005).
4.3 The Future of Malware
The future of malware starts with the preventive measures that are put in place by organizations and businesses to defend against potential attacks by viruses, threats and malicious code. Larks (2007) predicted that 40% of motivated cyber crime will target organizations' network infrastructure for financial gain. These figures point to the use of malware as an encouraging factor in promoting financial gain for cyber criminals (Larks, 2007). Although the future of malware is unpredictable, organizations are recording all known existing threats to create a database as a baseline for future study. Because of the variety of IT solutions and security controls that are in place, criminals often exploit every possible way of attacking a network infrastructure from multiple routes. As technology continues to press forward in the 21st century, electronic devices such as cell phones and PDAs are potential targets used to help transmit worms, malicious code and viruses to attack non-traditional platforms. To effectively control malware incidents and malware prevention, businesses and organizations must develop short- and long-term preventive systems that improve their ability to stop malicious code from destroying an information technology infrastructure.
4.4 Acronyms
Capability Maturity Model (CMM)
Chief Information Officer (CIO)
Commercial off the Shelf Software (COTS)
Denial of Service/Distributed Denial of Service (DoS/DDoS)
Digital Millennium Copyright Act (DMCA)
Federal Information Processing Standards (FIPS)
Free Open Source Software (F/OSS)
Health Insurance Portability and Accountability Act (HIPAA)
Highly Assured Computer (HAC)
Information Assurance (IA)
International Systems Security Engineering Association (ISSEA)
Information System Security Officer (ISSO)
Information Technology (IT)
National Institute of Standards and Technology (NIST)
Operating System (OS)
Software Engineering (SE)
Software Quality Assurance (SQA)
Specific Measurable Attainable Repeatable and Time-dependent (SMART)
United States Computer Emergency Readiness Team (US-CERT)
5. Conclusion
As new threats and attacks are created daily, the implementation of system security threat and risk analysis will assist an organization in safeguarding the authentication, confidentiality, integrity, availability, and non-repudiation of data relevant to the organization. Though not every incident can be prevented, the mechanisms and tools involved will ensure that business operations can continue during and/or after an incident occurs. The organization's essential personnel, such as the CIO and ISSO, will oversee that this information security program maintains its overall performance for the organization. The information security challenges facing an organization can be minimal once the proper execution, effectiveness, and impact of security controls, and other security-associated activities, are achieved. As a result, the organization will be able to carry out the mission, goals, and objectives of its business operations.
REFERENCES
Bryant, A. (2007). Developing a Framework for Evaluating Organization Information Assurance Metric Programs. Retrieved February 8, 2010, from http://www.dtic.mil/cgibin/GetTRDoc?AD=ADA467367&Location=U2&doc=GetTRDoc.pdf
Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., & Robinson, W. (2008). Performance Measurement Guide for Information Security. National Institute of Standards and Technology. Retrieved February 24, 2010, from http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
Choo, K. R. (2007). Trends & issues in crime and criminal justice no. 333: Zombies and Botnets. Australian Institute of Criminology. Retrieved February 18, 2010, from https://www-hsd1-org.ezproxy.umuc.edu/homesec/docs/foreign/nps49-11040907.pdf&code=d946a975b896bc1ad8cba801138fa09e
Encyclopedia of Management (6th ed.). Detroit: Gale. Retrieved February 17, 2010, from http://go.galegroup.com.ezproxy.umuc.edu/ps/i.do?&id=GALE%7CCX3273100129&v=2.1&u=umuc&it=&r&p=GVRL&sw=w
Gilligan, J. (2009). Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance. Retrieved February 26, 2010, from http://www.scribd.com/doc/12755648/Twenty-Most-Important-Controls-and-Metricsfor-Effective-Cyber-Defense-and-Continuous-FISMA-Compliance
Jesan, J. (2006). Information Security. Ubiquity, (v) 2. Retrieved February 23, 2010, from http://portal.acm.org.ezproxy.umuc.edu/citation.cfm?id=1119621.1117695&coll=ACM&dl=ACM&CFID=77541277&CFTOKEN=20025986
Larks, T. (2007). The Future of Security. MicroScope, 37. Retrieved March 17, 2010, from ABI/INFORM Trade & Industry. (Document ID: 1386198221).
Liles, S., & Kamali, R. (2006). An Information and Security Curriculum Implementation, (v) 3. Retrieved March 13, 2010, from http://informingscience.org/proceedings/InSITE2006/IISITLile135.pdf
McDowell, M. (2008). Understanding Hidden Threats: Rootkits and Botnets. United States Computer Emergency Readiness Team. Retrieved February 16, 2010, from http://www.us-cert.gov/cas/tips/ST06-001.html
McDowell, M. (2009). Understanding Denial-of-Service Attacks. United States Computer Emergency Readiness Team. Retrieved February 17, 2010, from http://www.us-cert.gov/cas/tips/ST04-015.html
Mell, P., Kent, K., & Nusbaum (2005). Guide to Malware Incident Prevention and Handling. National Institute of Standards and Technology. Retrieved February 27, 2010, from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
Payne, S. C. (2006). A Guide to Security Metrics. SANS Security Essentials GSEC Practical Assignment Version 1.2e. Retrieved February 10, 2010, from https://www-hsdl-org.ezproxy.umuc.edu/homesec/docs/edu/nps36-08300704.pdf&code=73dca2ad3a05b0c16e6aaf1cd7055bbc
Peng, T., Leckie, C., & Ramamohanarao, K. (2007). Survey of network-based mechanisms countering the DoS and DDoS problems. ACM Computing Surveys, 39(1), 1-42. doi:10.1145/1216370.1216373
Rees, J., & Allen, J. (2008). The state of risk assessment practices in information security: An exploratory investigation. Journal of Organizational Computing and Electronic Commerce, 18, 255-277. doi:10.1080/10919390802421242
Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, G., & Rogers, G. (2008). Recommended Security Controls for Federal Information Systems. National Institute of Standards and Technology. Retrieved February 25, 2010, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf