Instructor Manual: Principles of Information Security, 7th Edition, by Michael E. Whitman
Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 1: Introduction to Information Security
Table of Contents
Purpose and Perspective of the Module
Cengage Supplements
Module Objectives
Complete List of Module Activities and Assessments
Key Terms
What's New in This Module
Module Outline
Discussion Questions
Suggested Usage for Lab Activities
Additional Activities and Assignments
Additional Resources
  Cengage Video Resources
  Internet Resources
Appendix
  Grading Rubrics
Purpose and Perspective of the Module
The first module of the course in information security provides learners with the foundational
knowledge to become well versed in the protection that systems of any size need within an
organization today. The module begins with fundamental knowledge of what information
security is and how computer security evolved into what we now know as information
security. Additionally, learners will gain knowledge of how information security can be
viewed either as an art or a science and why that is the case.
Cengage Supplements
The following product-level supplements are available in the Instructor Resource Center and
provide additional information that may help you in preparing your course:
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
1.1 Define information security.
1.2 Discuss the history of computer security and explain how it evolved into information
security.
1.3 Define key terms and critical concepts of information security.
1.4 Describe the information security roles of professionals within an organization.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.
Module Objective | PPT slide | Activity/Assessment | Duration
---------------- | --------- | ------------------- | --------
 | 2 | Icebreaker: Interview Simulation | 10 minutes
1.1–1.2 | 19–20 | Knowledge Check Activity 1 | 2 minutes
1.3 | 34–35 | Knowledge Check Activity 2 | 2 minutes
1.4 | 39–40 | Knowledge Check Activity 3 | 2 minutes
1.1–1.4 | MindTap | Module 01 Review Questions | 30–40 minutes
1.1–1.4 | MindTap | Module 01 Case Exercises | 30 minutes
1.1–1.4 | MindTap | Module 01 Exercises | 10–30 minutes per question; 1+ hour per module
1.1–1.4 | MindTap | Module 01 Security for Life | 1+ hour
1.1–1.4 | MindTap | Module 01 Quiz | 10–15 minutes
Key Terms
In order of use:
computer security: In the early days of computers, this term specified the protection of the
physical location and assets associated with computer technology from outside threats, but it
later came to represent all actions taken to protect computer systems from losses.
security: A state of being secure and free from danger or harm as well as the actions taken to
make someone or something secure.
information security: Protection of the confidentiality, integrity, and availability of information
assets, whether in storage, processing, or transmission, via the application of policy, education,
training and awareness, and technology.
network security: A subset of communications security; the protection of voice and data
networking components, connections, and content.
C.I.A. triad: The industry standard for computer security since the development of the
mainframe; the standard is based on three characteristics that describe the attributes of
information that are important to protect: confidentiality, integrity, and availability.
confidentiality: An attribute of information that describes how data is protected from disclosure
or exposure to unauthorized individuals or systems.
personally identifiable information (PII): Information about a person’s history, background,
and attributes that can be used to commit identity theft that typically includes a person’s name,
address, Social Security number, family information, employment history, and financial
information.
integrity: An attribute of information that describes how data is whole, complete, and
uncorrupted.
availability: An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
accuracy: An attribute of information that describes how data is free of errors and has the value
that the user expects.
authenticity: An attribute of information that describes how data is genuine or original rather
than reproduced or fabricated.
utility: An attribute of information that describes how data has value or usefulness for an end
purpose.
possession: An attribute of information that describes how the data’s ownership or control is
legitimate or authorized.
McCumber Cube: A graphical representation of the architectural approach used in computer
and information security that is commonly shown as a cube composed of 3×3×3 cells, similar to
a Rubik’s Cube.
information system: The entire set of software, hardware, data, people, procedures, and
networks that enable the use of information resources in the organization.
physical security: The protection of material items, objects, or areas from unauthorized access
and misuse.
bottom-up approach: A method of establishing security policies and/or practices that begins as
a grassroots effort in which systems administrators attempt to improve the security of their
systems.
top-down approach: A methodology of establishing security policies and/or practices that is
initiated by upper management.
chief information officer (CIO): An executive-level position that oversees the organization’s
computing technology and strives to create efficiency in the processing and access of the
organization’s information.
chief information security officer (CISO): The title typically assigned to the top information
security manager in an organization.
data owners: Individuals who control and are therefore ultimately responsible for the security
and use of a particular set of information.
data custodians: Individuals who are responsible for the storage, maintenance, and protection
of information.
data stewards: See data custodians.
data trustees: Individuals who are assigned the task of managing a particular set of information
and coordinating its protection, storage, and use.
data users: Internal and external stakeholders (customers, suppliers, and employees) who
interact with information in support of their organization’s planning and operations.
community of interest: A group of individuals who are united by similar interests or values
within an organization and who share a common goal of helping the organization to meet its
objectives.
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This Module was Chapter 1 in the 6th edition.
• The content that covered Systems Development was moved to Module 11:
Implementation.
• The Module was given a general update and given more current examples.
Module Outline
Introduction to Information Security (1.1, 1.2, PPT Slides 4–17)
I. Recognize that organizations, regardless of their size or purpose, have information they
must protect and store internally and externally.
II. Analyze why an organization must be responsible for the information it collects,
stores, and uses, and why that responsibility is important.
III. Review the concept of computer security and when the need for it initially arose.
IV. Discuss how badges, keys, and facial recognition of authorized personnel are required
to access military locations deemed sensitive.
V. Describe the primary threats to security: physical theft of equipment, product espionage,
and sabotage.
VI. Examine information security practices in the World War II era and compare with modern
day needs.
The 1960s
I. Explain the purpose of the Department of Defense’s Advanced Research Procurement
Agency (ARPA) and their need to create redundant networked communications systems
so that the military can exchange information.
II. Identify Dr. Larry Roberts as the creator of the ARPANET project and now the
modern-day Internet.
The 1970s and ’80s
I. Critique the use of ARPANET and how it became more widely used and consequently
misused.
II. Recognize that Robert M. Metcalfe expressed concerns about ARPANET and how it
could be easily hacked into due to password structure vulnerabilities, lack of safety
protocols, and widely distributed phone numbers for system access.
III. Conclude that a lack of controls in place provided users limited safeguards to protect
themselves from unauthorized remote users.
IV. Discuss how dial-up connections lacked safety protocols when connecting to ARPANET.
V. Recall that authorizations into the system and a lack of user identification were
significant security risks for ARPANET during this time.
VI. Evaluate the movement of stronger security protocols thanks to the implementation of
conclusions from the Rand Report R-609.
VII. Relate how the need for physical security protocols grew to include computer security
protocols as part of a holistic information security plan.
MULTICS
I. Define the purpose of the Multiplexed Information and Computing Service (MULTICS)
and its importance to information security.
II. Relate that the restructuring of the MULTICS project created the UNIX operating system
in 1969.
III. Contrast the facts that the MULTICS system had multiple security levels planned,
whereas the new UNIX system did not have them included.
IV. Examine the decentralization of data processing and why it is important to modern-day
information security protocols.
V. Distinguish that in the late 1970s microprocessors transformed computing capabilities
but also established new security threats.
VI. Recall the Defense Advanced Research Projects Agency (DARPA) created the
Computer Emergency Response Team (CERT) in 1988.
VII. Conclude that not until the mid-1980s computer security was a non-issue for federal
information systems.
The 1990s
I. Understand that as more computers and their networks became more common, the
need to connect networks rose in tandem during this time. Hence, the Internet was born
out of the need to have a global network of networks.
II. Analyze the consequences of how exponential growth of the Internet early on resulted in
security being a low priority over other core components.
III. Identify that networked computers were the most common style of computing during
this time. However, a result of this was a lessened ability to secure a physical
computer, and stored data became more exposed to security threats internally and externally.
IV. Recognize that toward the turn of the new millennium, numerous large corporations
demonstrated the need for security and its integration into their internal systems. Antivirus
products grew in popularity and information security grew into its own discipline
because of these proactive initiatives.
2000 to Present
I. Recall the fact that millions of unsecured computer networks and billions of computing
devices are communicating with each other.
II. Recognize and apply the fact that cyberattacks are increasing and have caused
governments and corporations to resign themselves to stronger information security
protocols.
III. Examine the exponential rise in mobile computing and how these devices bring their
own set of vulnerabilities with respect to information security.
IV. Apply the fact that one’s ability to secure the information stored in their device is
influenced by security protocols on the others they are connected to.
V. Establish that wireless networks and their associated risks often have minimal security
protocols in place and can be a catalyst for anonymous attacks.
What Is Security? (1.3, PPT Slides 18 and 21–26)
I. Define the term security and why it is important to have multiple layers of it to protect
people, operations, infrastructure, functions, communications, and information.
II. Emphasize the role of the Committee on National Security Systems (CNSS) in
defining information security. This includes the protection of critical elements such as
systems and hardware that store, transmit, and use information.
III. Recognize the importance of the C.I.A. triad, while noting that it is no longer an adequate
model to apply to modern information security needs.
Key Information Security Concepts
I. Comprehend and define the following security terms and concepts:
• Access: A subject or object’s ability to use, manipulate, modify, or affect another
subject or object. Authorized users have legal access to a system, whereas hackers
must gain illegal access to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected. An asset can be logical,
such as a Web site, software information, or data, or an asset can be physical, such
as a person, computer system, hardware, or other tangible object. Assets,
particularly information assets, are the focus of what security efforts are attempting to
protect.
• Attack: An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it. Attacks can be active or passive,
intentional or unintentional, and direct or indirect. Someone who casually reads
sensitive information not intended for his or her use is committing a passive attack. A
hacker attempting to break into an information system is an intentional attack. A
lightning strike that causes a building fire is an unintentional attack. A direct attack is
perpetrated by a hacker using a PC to break into a system. An indirect attack is a
hacker compromising a system and using it to attack other systems—for example, as
part of a botnet (slang for robot network). This group of compromised computers,
running software of the attacker’s choosing, can operate autonomously or under the
attacker’s direct control to attack systems and steal user information or conduct
distributed denial-of-service attacks. Direct attacks originate from the threat itself.
Indirect attacks originate from a compromised system or resource that is
malfunctioning or working under the control of a threat.
• Control, safeguard, or countermeasure: Security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities,
and otherwise improve security within an organization. The various levels and types
of controls are discussed more fully in the following modules.
• Exploit: A technique used to compromise a system. This term can be a verb or a
noun. Threat agents may attempt to exploit a system or other information asset by
using it illegally for their personal gain, or an exploit can be a documented process to
take advantage of a vulnerability or exposure, usually in software, that is either
inherent in the software or created by the attacker. Exploits make use of existing
software tools or custom-made software components.
• Exposure: A condition or state of being exposed; in information security, exposure
exists when a vulnerability is known to an attacker.
• Loss: A single instance of an information asset suffering damage or destruction,
unintended or unauthorized modification or disclosure, or denial of use. When an
organization’s information is stolen, it has suffered a loss. Protection profile or
security posture is the entire set of controls and safeguards—including policy,
education, training and awareness, and technology—that the organization
implements to protect the asset. The terms are sometimes used interchangeably with
the term security program although a security program often comprises managerial
aspects of security, including planning, personnel, and subordinate programs.
• Risk: The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite—the quantity and
nature of risk they are willing to accept.
• Subjects and objects of attack: A computer can be either the subject of an
attack—an agent entity used to conduct the attack—or the object of an attack: the
target entity. See Figure 1-8. A computer can also be both the subject and object of
an attack. For example, it can be compromised by an attack (object) and then used
to attack other systems (subject).
• Threat: Any event or circumstance that has the potential to adversely affect
operations and assets. The term threat source is commonly used interchangeably
with the more generic term threat. The two terms are technically distinct, but to
simplify discussion, the text will continue to use the term threat to describe threat
sources.
• Threat agent: The specific instance or a component of a threat. For example, the
threat source of “trespass or espionage” is a category of potential danger to
information assets, while “external professional hacker” (like Kevin Mitnick, who was
convicted of hacking into phone systems) is a specific threat agent. A lightning strike,
hailstorm, or tornado is a threat agent that is part of the threat source known as “acts
of God/acts of nature.”
• Threat event: An occurrence of an event caused by a threat agent. An example of a
threat event might be damage caused by a storm. This term is commonly used
interchangeably with the term attack.
• Threat source: A category of objects, people, or other entities that represents the
origin of danger to an asset—in other words, a category of threat agents. Threat
sources are always present and can be purposeful or undirected. For example,
threat agent “hackers,” as part of the threat source “acts of trespass or espionage,”
purposely threaten unprotected information systems, while threat agent “severe
storms,” as part of the threat source “acts of God/acts of nature,” incidentally
threaten buildings and their contents.
• Vulnerability: A potential weakness in an asset or its defensive control system(s).
Some examples of vulnerabilities are a flaw in a software package, an unprotected
system port, and an unlocked door. Some well-known vulnerabilities have been
examined, documented, and published; others remain latent (or undiscovered).
Critical Characteristics of Information
I. Recognize that when a characteristic of information changes, the value of that
information may increase but more commonly decreases.
II. Comprehend and define the following security terms and concepts: confidentiality,
personally identifiable information (PII), integrity, availability, accuracy, authenticity,
utility, and possession.
Confidentiality
I. Define the purpose of confidentiality and the measures that must be in place to protect
information.
• Information classification
• Securely storing documents
• Applying general security policies and protocols
• Educating information custodians and end users
II. Analyze common reasons confidentiality breaches occur.
III. Review the concept of personally identifiable information (PII) and its application to
confidentiality.
Integrity
I. Examine the concept of integrity and its application to information security principles.
II. Justify that file corruption is not strictly the result of hackers or other external forces but
can include internal forces such as noise, low-voltage circuits, and retransmissions.
Availability
I. Define the concept of availability and how it allows users to access information without
restriction in their required formats.
Accuracy
I. Understand that accuracy of data transmitted in information is important, as it must be
free of mistakes or errors and must align with the end user’s expectations.
Authenticity
I. Identify the fact that information is authentic when it is given to a user in the same state
that it was created, placed, stored, or transferred.
II. Evaluate the example of e-mail spoofing and how messages sent look authentic on the
surface but are, in fact, not.
Utility
I. Examine the usefulness of information and how it can be applied for an end purpose.
Possession
I. Recall this attribute as one where the ownership or control of information has legitimacy
or authorization.
II. Assess the scenario where a breach of possession does not always equate to a breach
of confidentiality.
CNSS Security Model
I. Discuss the concept of the McCumber Cube and its application into computer and
information security protocols.
• Quantify via Figure 1-9 (page 14) within the text that there are a total of 27 areas
(3 x 3 x 3) that must be properly addressed during a security process.
• Understand the fact that as policy, education, and technology increase, so too
do the needs for confidentiality, integrity, availability, storage, processing, and
transmission.
II. Conclude that a common exclusion in this model is the need for guidelines and policies
that provide direction for implementation technologies and the practices of doing so.
Components of an Information System (1.3, PPT Slide 27)
I. Gain an understanding that to have a full understanding of the importance of an
information system, one must have an awareness of what all is included within it.
II. Review the six most common elements of an information system.
• Software
• Hardware
• Data
• People
• Procedures
• Networks
Software
I. Compare and contrast the different types of software that are used to digitally operate an
information system. These include applications or programs, operating systems, and
assorted command utilities.
II. Justify that the core reason software is used is to carry information through an
organization.
Hardware
I. Classify this part of an information system as the physical technologies that house
and execute software, store and transport data, and provide an interface for entry
and removal of information within it.
II. Acquire an understanding of the concept of physical security and its importance to an
information system.
Data
I. Recall that data that is stored, processed, and/or transmitted must be protected as it is
the most valuable asset an organization possesses.
II. Gain awareness that the protection of physical information is just as important as the
protection of electronic information.
People
I. Establish that people are often the weakest link of an information system since they
provide direction, design, develop, and ultimately use and game them to operate in the
business world.
Procedures
I. Recall that procedures are written instructions that are created to accomplish a specific
task or action. Note that they may or may not use the technology of an information
system.
II. Recognize that they provide the foundation for technical controls and security systems
that must be designed so they can be implemented.
Networks
I. Acknowledge the fact that modern information processing systems are highly complex
and rely on numerous internal and external connections.
II. Conclude that networks are the highway in which information systems pass data and
users complete their tasks on a daily basis.
III. Justify that proper network controls in an organization are vital to managing information
flows and the security of data transmitted internally and externally.
Quick Quiz 1
1. True or False: Network security addresses the issues needed to protect items, objects,
or areas.
Answer: False
2. Which type of security addresses the protection of all communications media,
technology, and content?
a. information
b. network
c. physical
d. communications
Answer: d
3. Which type of security encompasses the protection of voice and data networking
components, connections, and content?
a. information
b. network
c. physical
d. communications
Answer: b
4. What term is used to describe the quality or state of ownership or control of information?
a. confidentiality
b. possession
c. authenticity
d. integrity
Answer: b
5. True or False: If information has a state of being genuine or original and is not a
fabrication, it has the characteristic of authenticity.
Answer: True
Security and the Organization (1.4, PPT Slides 28–33, 36–38, and 41)
I. Analyze components that make up security as a program and the professionals who are
tasked with maintaining it within an organization.
Balancing Information Security and Access
I. Recall that everyone does not have carte blanche access to all data that is transmitted,
processed, or stored within or outside an organization.
II. Comprehend that security is never an absolute as it is a process and not a goal.
III. Interpret that security is a delicate balance between protection and availability.
Approaches to Information Security Implementation
I. Compare and contrast the two most commonly used approaches to information security
implementation: bottom-up and top-down.
• Bottom-up approaches implement security policies and/or practices from the ground
up where system administrators are responsible for improving the security of the
system.
• A top-down approach is quite the opposite where upper management determines
security policies for an organization. This is usually the Chief Information Officer
(CIO) or the Vice President of Information Technology (VP-IT).
II. Conclude that a bottom-up approach rarely works, and a top-down approach has
the most effectiveness in an organization.
Security Professionals
I. Compare and contrast the different positions that are part of an implementation for an
information security program.
• The Chief Information Officer (CIO) is the senior technology officer of an organization
and provides guidance to the owner or CEO on strategic planning that affects
information management in an organization.
• The Chief Information Security Officer (CISO) assesses, manages, and implements
information security in an organization.
Senior Management
I. Examine that the Chief Information Officer (CIO) is the senior technology officer although
other titles such as vice president of information, VP of information technology, and VP
of systems may also be used. The CIO is primarily responsible for advising the chief
executive officer, president, or company owner on the strategic planning that affects the
management of information in the organization.
II. Contrast with the CIO that the Chief Information Security Officer (CISO) is the individual
primarily responsible for the assessment, management, and implementation of securing
the information in the organization. The CISO may also be referred to as the manager
for security, the security administrator, or a similar title.
Information Security Project Team
I. Review the core team members of an information security project team and their specific
role:
• Champion: A senior executive who promotes the project and ensures its support,
both financially and administratively, at the highest levels of the organization.
• Team leader: A project manager, who may be a departmental line manager or staff
unit manager and who understands project management, personnel management,
and information security technical requirements.
• Security policy developers: Individuals who understand the organizational culture,
policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: Individuals who understand financial risk assessment
techniques, the value of organizational assets, and the security methods to be used.
• Security professionals: Dedicated, trained, and well-educated specialists in all
aspects of information security from both a technical and nontechnical standpoint.
• Systems administrators: Individuals whose primary responsibility is administering
the systems that house the information used by the organization.
• End users: Those whom the new system will most directly impact. Ideally, a
selection of users from various departments, levels, and degrees of technical
knowledge assist the team in focusing on the application of realistic controls applied
in ways that do not disrupt the essential business activities they seek to safeguard.
Data Responsibilities
I. Compare and contrast persons who own and safeguard data within an organization.
• Data Owners: Those responsible for the security and use of a particular set of
information. Data owners usually determine the level of data classification associated
with the data, as well as changes to that classification required by organizational
change.
• Data Custodians: Those responsible for the storage, maintenance, and protection
of the information. The duties of a data custodian often include overseeing data
storage and backups, implementing the specific procedures and policies laid out in
the security policies and plans, and reporting to the data owner.
• Data Trustees: Individuals appointed by data owners who oversee the management
of an information set and its use. Though these are often executives, they appoint
someone else to handle these responsibilities.
• Data Users: End users who work with the information to perform their daily jobs
supporting the mission of the organization. Everyone in the organization is
responsible for the security of data, so data users are included here as individuals
with an information security role.
II. Recall that data stewards are also known as data custodians.
Communities of Interest
I. Establish an understanding that each organization develops and maintains its own
unique culture and values.
II. Recall that a community of interest is a group of individuals who are united by similar
interests or values within an organization and who share a common goal of helping the
organization to meet its objectives.
III. Disseminate the fact there can be many different communities of interest in an
organization which aid in information security practices.
Information Security Management and Professionals
I. Apply knowledge that these professionals are aligned with the information security
community of interest.
II. Review the fact that their goal is to protect an organization’s information and stored
information from internal and external attacks.
Information Technology Management and Professionals
I. Recognize that these individuals are often a team of IT managers and skilled
professionals in a number of areas: systems design, programming, and networks at a
minimum.
II. Establish an understanding that their goals do not always align with the information security
community based on an organization’s structure. Conflict may result if there are
inconsistencies between them.
Organization Management and Professionals
I. Analyze that this group of persons in an organization are often other managers and
professionals who are consumers of information being secure.
Information Security: Is It an Art or a Science? (PPT Slides 42–43)
I. Gain an understanding that the implementation of information security has often been
described as a combination of art and science due to the complex nature of information
systems.
II. Discuss the concept of a “security artisan” and explain how it is based on the way
individuals saw technologists as computers became more commonplace in the
workplace.
Security as Art
I. Recognize that there are no hard and fast rules regulating the installation of various
security mechanisms, nor are there many universally accepted complete solutions.
II. Conclude that there is no one user’s manual that can solve all security issues that a
system may encounter. As an organization becomes more complex, so do the controls
and technology needed to keep it together.
Security as a Science
I. Establish an understanding that technologies that are developed are enacted by highly
trained computer scientists and engineers who are required to operate at rigorous levels
of performance.
II. Conclude that specific scientific conditions often cause virtually all actions that occur in a
computer system. Nearly everything that negatively occurs in a system is a result of an
interaction between software and hardware.
III. Justify that with enough time and resources, developers could eliminate faults that occur.
Security as a Social Science
I. Understand that a combination of components of both art and science makes security a
social science.
II. Identify a social science as the examination of people’s behavior and their interactions
with (information) systems.
III. Conclude that end users who need the information that security personnel protect are
often the weakest links in the security chain.
Quick Quiz 2
1. When projects are initiated at the highest levels of an organization and then pushed to
all levels, they are said to follow which approach?
a. executive-led
b. trickle down
c. top-down
d. bottom-up
Answer: c
2. _____ ensures that only users with the rights, privileges, and need to access
information are able to do so.
a. confidentiality
b. enhanced credentials
c. software engineers
d. awareness
Answer: a
3. True or False: The person responsible for the storage, maintenance, and protection of
the information is the data custodian.
Answer: True
4. Which critical characteristic of information discussed focuses on whether information
that is stored, transferred, created, or placed is in the same state in which it was
received?
a. utility
b. possession
c. accuracy
d. authenticity
Answer: d
5. Which of the following examines the behavior of individuals as they interact with
systems, whether societal systems or information systems?
a. community science
b. social science
c. societal science
d. interaction management
Answer: b
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-
class discussions in person, or as a partner or group activity in class.
These questions are separate from the review questions and exercises in the textbook. For
answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What are the defining differences between computer security and information security?
(1.2, PPT Slides 5, 7–9, and 13) Duration 15 minutes.
2. When reviewing the critical characteristics of information, which one is the most
important? Why is that the case and should all receive equal attention? (1.3, PPT Slides
18 and 25–26) Duration 15 minutes.
3. Do information security professionals have superiority over one another outside of their
ranking in an organization? Why or why not? (1.4, PPT Slides 29–33) Duration 15
minutes.
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course
and are available for download at the Instructor Center. The labs do not depend on specific
chapter content, so instructors can insert them where they best suit the syllabus. The following
is a list of lab titles, objectives, and approximate durations to assist with lesson planning.
Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and will be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module.
Additional project options include the following:
1. Using the Internet, find a recent feature article about a CISO or other IT professional with
CISO job functions. Write a short summary of that individual and how he or she came to
hold that position. The publications ComputerWorld and Information Week often have
these kinds of features. Have students list the hardware assets found in a computing lab
and then list the attributes of those assets. They should provide as many facts about
each asset as possible.
2. Using a library with current periodicals, find a recent news article about a topic related to
information security. Write a one- to two-page review of the article and how it is related
to the principles of information security introduced in the textbook.
Additional Resources
Cengage Video Resources
• MindTap Video: What is Information Security
Internet Resources
• Internet Society: Histories of the Internet
• CNSS National Information Assurance Glossary
• Microsoft Security Development Lifecycle
• The Role of a Chief Security Officer
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of
assignments. Rubrics help students become more aware of their learning process and progress,
and they improve students’ work through timely and detailed feedback.
Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the
discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World
Exercises, Case Studies, and Security for Life activities
3 (Exceeds Expectations):
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 (Meets Expectations):
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 (Needs Improvement):
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0 (Inadequate):
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
20
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
Instructor Manual
Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module
2: The Need for Information Security
Table of Contents
Purpose and Perspective of the Module
Cengage Supplements
Module Objectives
Complete List of Module Activities and Assessments
Key Terms
What's New in This Module
Module Outline
Discussion Questions
Suggested Usage for Lab Activities
Additional Activities and Assignments
Additional Resources
Cengage Video Resources
Internet Resources
Appendix
Grading Rubrics
Purpose and Perspective of the Module
Protecting information is one of the most important tasks an organization must monitor around
the clock, regardless of where personnel are located. In this module, students will gain
knowledge of the purpose of information security and the need for it in
organizations. Next, they will gain an understanding of why a successful information security
program is the shared responsibility of the entire organization and not just departments that
focus on technology. In the second half of the module, emphasis is placed on the threats that
make information security solutions necessary and the common attacks associated with them.
The final part of the module lists common information security issues that result from poor
software development efforts.
Cengage Supplements
The following product-level supplements provide additional information that may help you in
preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
2.1 Discuss the need for information security.
2.2 Explain why a successful information security program is the shared responsibility of the
entire organization.
2.3 List and describe the threats posed to information security and common attacks
associated with those threats.
2.4 List the common information security issues that result from poor software development
efforts.
Complete List of Module Activities and Assessments
For additional guidance, refer to the MindTap Educator Guide.
Module Objective | PPT slide | Activity/Assessment | Duration
2.1, 2.2, and 2.3 | 11–12 | Knowledge Check Activity 1 | 2 minutes
2.3 and 2.4 | 31–32 | Knowledge Check Activity 2 | 2 minutes
2.4 | 64–65 | Knowledge Check Activity 3 | 2 minutes
2.1–2.4 | 77 | Self-Assessment | 5 minutes
 | MindTap | Module 02 Review Questions | 30–40 minutes
 | MindTap | Module 02 Case Exercises | 30 minutes
 | MindTap | Module 02 Exercises | 10–30 minutes per question; 1+ hour per module
 | MindTap | Module 02 Security for Life | 1+ hour
 | MindTap | Module 02 Quiz | 10–15 minutes
Key Terms
In order of use:
information asset: The focus of information security; information that has value to the
organization and the systems that store, process, and transmit the information.
media: As a subset of information assets, the systems, technologies, and networks that store
and transmit information.
data: Items of fact collected by an organization; includes raw numbers, facts, and words.
information: Data that has been organized, structured, and presented to provide additional
insight into its context, worth, and usefulness.
database: A collection of related data stored in a structured form and usually managed by
specialized systems.
database security: A subset of information security that focuses on the assessment and
protection of information stored in data repositories.
exploit: A technique used to compromise a system; may also describe the tool, program, or
script used in the compromise.
intellectual property (IP): Original ideas and inventions created, owned, and controlled by a
particular person or organization; IP includes the representation of original ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted
computer software, which is a violation of intellectual property.
availability disruption: An interruption or disruption in service, usually from a service provider,
which causes an adverse event within an organization.
service level agreement (SLA): A document or part of a document that specifies the expected
level of service from a service provider, including provisions for minimum acceptable availability
and penalties or remediation procedures for downtime.
uptime: The percentage of time a particular service is available.
downtime: The percentage of time a particular service is not available.
blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term decrease in quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
noise: The presence of additional and disruptive signals in network communications or
electrical power delivery.
sag: A short-term decrease in electrical power availability.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.
competitive intelligence: The collection and analysis of information about an organization’s
business competitors through legal and ethical means to gain business intelligence and
competitive advantage.
industrial espionage: The collection and analysis of information about an organization’s
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage; also known as corporate spying.
shoulder surfing: The direct, covert observation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.
hacker: A person who accesses systems and information without authorization and often
illegally.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer
hardware and software to gain unauthorized access to systems and information, and who often
creates automated exploits, scripts, and tools used by other hackers; also known as an elite
hacker.
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform
attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey.
professional hacker: A hacker who conducts attacks for personal financial benefit or for a
crime organization or foreign government; not to be confused with a penetration tester.
penetration tester: An information security professional with authorization to attempt to gain
system access in an effort to identify and recommend resolutions for vulnerabilities in those
systems; also known as a pen tester.
pen tester: See penetration tester.
script kiddies: Novice hackers who use expertly written software to attack a system; also
known as skids, skiddies, or script bunnies.
packet monkey: A novice hacker who uses automated exploits to engage in denial-of-service
attacks.
privilege escalation: The unauthorized modification of an authorized or unauthorized system
user account to gain advanced access and control over system resources.
jailbreaking: Escalating privileges to gain administrator-level or root access control over a
smartphone operating system; typically associated with Apple iOS smartphones. See also
rooting.
rooting: Escalating privileges to gain administrator-level control over a computer system
(including smartphones); typically associated with Android OS smartphones. See also
jailbreaking.
cracker: A hacker who intentionally removes or bypasses software copyright protection
designed to prevent unauthorized duplication or use.
phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt
services.
cracking: Attempting to reverse-engineer, remove, or bypass a password or other access
control protection, such as the copyright protection on software (see cracker).
brute force password attack: An attempt to guess a password by attempting every possible
combination of characters and numbers in it.
10.4 password rule: An industry recommendation for password structure and strength that
specifies passwords should be at least 10 characters long and contain at least one of each of
the following four elements: an uppercase letter, a lowercase letter, a number, and a special
character.
dictionary password attack: A variation of the brute force password attack that attempts to
narrow the range of possible passwords guessed by using a list of common passwords and
possibly including attempts based on the target’s personal information.
rainbow table: A table of hash values and their corresponding plaintext values that can be used
to look up password values if an attacker is able to steal a system’s encrypted password file.
social engineering: The process of using interpersonal skills to convince people to reveal
access credentials or other valuable information to an attacker.
business e-mail compromise (BEC): A social engineering attack involving the compromise of
an organization’s e-mail system followed by a series of forged e-mail messages directing
employees to transfer funds to a specified account, or to purchase gift cards and send them to
an individual outside the organization.
advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which
an organization or some third party indicates that the recipient is due an exorbitant amount of
money and needs only to send a small advance fee or personal banking information to facilitate
the transfer.
phishing: A form of social engineering in which the attacker provides what appears to be a
legitimate communication (usually e-mail), but it contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract personal or confidential information.
spear phishing: A highly targeted phishing attack.
pretexting: A form of social engineering in which the attacker pretends to be an authority figure
who needs information to confirm the target’s identity, but the real object is to trick the target into
revealing confidential information; commonly performed by telephone.
information extortion: The act of an attacker or trusted insider who steals or interrupts access
to information from a computer system and demands compensation for its return or for an
agreement not to disclose the information.
cyberextortion: See information extortion.
ransomware: Computer software specifically designed to identify and encrypt valuable
information in a victim’s system in order to extort payment for the key needed to unlock the
encryption.
hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations,
policies, or actions of an organization or government agency.
cyberactivist: See hacktivist.
doxing: A practice of using online resources to find and then disseminate compromising
information, perhaps without lawful authority, with the intent to embarrass or harm the reputation
of an individual or organization. The term originates from dox, an abbreviation of documents.
cyberterrorism: The conduct of terrorist activities via networks or Internet pathways.
cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or
Internet pathways.
cyberwarfare: Formally sanctioned offensive operations conducted by a government or state
against information or systems of another government or state; sometimes called information
warfare.
malware: Computer software specifically designed to perform malicious or unwanted actions.
malicious software: See malware.
zero-day attack: An attack that makes use of malware that is not yet known by the antimalware
software companies.
adware: Malware intended to provide undesired marketing and advertising, including pop-ups
and banners on a user’s screens.
spyware: Any technology that aids in gathering information about people or organizations
without their knowledge.
virus: A type of malware that is attached to other executable programs and, when activated,
replicates and propagates itself to multiple systems, spreading by multiple communications
vectors.
macro virus: A type of virus written in a specific language to target applications that use the
language and activated when the application’s product is opened; typically affects documents,
slideshows, e-mails, or spreadsheets created by office suite applications.
boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or
Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.
memory-resident virus: A virus that is capable of installing itself in a computer’s operating
system, starting when the computer is activated, and residing in the system’s memory even
after the host application is terminated; also known as a resident virus.
non-memory-resident virus: A virus that terminates after it has been activated, infected its
host system, and replicated itself; does not reside in an operating system or memory after
executing and is also known as a non-resident virus.
worm: A type of malware that is capable of activation and replication without being attached to
an existing program.
Trojan horse: A malware program that hides its true nature and reveals its designed behavior
only when activated.
polymorphic threat: Malware that over time changes the way it appears to antivirus software
programs, making it undetectable by techniques that look for preconfigured signatures.
malware hoax: A message that reports the presence of nonexistent malware and wastes
valuable time as employees share the message.
back door: A malware payload that provides access to a system by bypassing normal access
controls or an intentional access control bypass left by a system designer to facilitate
development.
trap door: See back door.
maintenance hook: See back door.
denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target’s
ability to handle incoming communications, prohibiting legitimate users from accessing those
systems.
distributed denial-of-service (DDoS) attack: A form of attack in which a coordinated stream of
requests is launched against a target from multiple locations at the same time using bots or
zombies.
bot: An abbreviation of robot, an automated software program that executes certain commands
when it receives a specific input; also known as a zombie.
zombie: See bot.
spam: Undesired e-mail, typically commercial advertising transmitted in bulk.
mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.
packet sniffer: A software program or hardware appliance that can intercept, copy, and
interpret network traffic.
sniffer: See packet sniffer.
spoofing: The use of a communications identifier, such as a phone number, network address,
or e-mail address, that is not accurately assigned to the source.
IP spoofing: A technique for gaining unauthorized access to computers using a forged or
modified source IP address to give the perception that messages are coming from a trusted
host.
pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent
to collect personal information.
Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a
DNS database to redirect legitimate traffic to illegitimate Internet locations; also known as DNS
spoofing.
man-in-the-middle: A group of attacks whereby a person intercepts a communications stream
and inserts himself in the conversation to convince each of the legitimate parties that he is the
other communications partner; some of these attacks involve encryption functions.
TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into
TCP/IP-based communications.
session hijacking: See TCP hijacking.
mean time between failure (MTBF): The average amount of time between hardware failures,
calculated as the total amount of operation time for a specified number of units divided by the
total number of failures.
mean time to failure (MTTF): The average amount of time until the next hardware failure.
mean time to diagnose (MTTD): The average amount of time a computer repair technician
needs to determine the cause of a failure.
mean time to repair (MTTR): The average amount of time a computer repair technician needs
to resolve the cause of a failure through replacement or repair of a faulty unit.
annualized failure rate (AFR): The probability of a failure of hardware based on the
manufacturer’s data of failures per year.
cross-site scripting (XSS): A Web application fault that occurs when an application running on
a Web server inserts commands into a user’s browser session and causes information to be
sent to a hostile server.
buffer overrun: An application error that occurs when more data is sent to a program buffer
than it is designed to handle.
integer bug: A class of computational error caused by methods that computers use to store
and manipulate integer numbers; this bug can be exploited by attackers.
command injection: An application error that occurs when user input is passed directly to a
compiler or interpreter without screening for content that may disrupt or compromise the
intended function.
theft: The illegal taking of another’s property, which can be physical, electronic, or intellectual.
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 2 in the 6th edition.
• The sections on the threats and attacks were updated to reflect the latest trends, and
examples were updated.
• The entire module was refreshed with a general update and given more current
examples.
Module Outline
Introduction to the Need for Information Security (2.1, 2.2, PPT Slides
3–9)
VII. Discuss the view that information security is unlike any other aspect of information
technology. The primary mission is to ensure things stay the way they are. Point out that
if there were no threats to information and systems, we could focus on improving
systems that support the information.
VIII. Explain that organizations must understand the environment in which information
systems operate so that their information security programs can address actual and
potential problems.
IX. Emphasize to students the four important functions for an organization with respect to
information security:
a. Protecting the organization's ability to function
b. Protecting the data and information the organization collects and uses
c. Enabling the safe operation of applications running on the organization's IT systems
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
28
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
d. Safeguarding the organization's technology assets
Business Needs First
I. Explain that without the underlying business to generate revenue and use information, the
information is likely to lose value and the need for it would go to zero.
II. Stress that the decisions that need to be made with respect to information security and
their assets should be done carefully and holistically.
III. Emphasize that protecting information within an organization is everyone's
responsibility. Regardless of their title, rank in the firm, or position, everyone
must proactively protect the data the organization stores and uses.
Protecting Functionality
I. Discuss the fact that general management, IT management, and information security
management are responsible for implementing information security to protect the ability
of the organization to function.
II. Relate to students that information security is a management issue in addition to a
technical issue; it is a people issue in addition to a technical issue.
III. Explain that to assist management in addressing the need for information security,
communities of interest must communicate in terms of business impact and the cost of
business interruption, and they must avoid arguments expressed only in technical terms.
Protecting Data That Organizations Collect and Use
I. Stress to students that they should understand that many organizations realize that one
of their most valuable assets is their data. Without data, an organization loses its record
of transactions and/or its ability to deliver value to its customers.
II. Explain the concept of data security. This concept is about protecting data in motion and
data at rest, a critical aspect of information security. An effective information security
program is essential to the protection of the integrity and value of the organization's
data.
III. Detail how information is stored. It is often stored in databases, and database
security is important because it applies a broad range of control mechanisms to
numerous areas of information security.
Enabling the Safe Operation of Applications
I. Convey that a modern organization needs to create an
environment that protects and safeguards applications, specifically ones that are
important elements of the infrastructure of a firm—operating systems, platforms,
operational applications, e-mail, instant messaging applications, and text messaging
platforms.
Safeguarding Technology Assets in Organizations
I. Relate to students that as an organization grows, so does its need for more robust
technologies and commercial-grade solutions.
II. Explain the example that is provided in the textbook that lists core components of
security technologies (a commercial-grade, unified security architecture device,
complete with intrusion detection and prevention systems, public key infrastructure
(PKI), and virtual private network (VPN) capabilities).
III. Establish that although cloud services provide another way to solve business information
management challenges, they inherit their own set of risks and concerns that must be
defended against.
Information Security Threats and Attacks (2.3, PPT Slides 10 and 13–23)
I. Remind students that to make sound decisions about information security as well as to
create and enforce policies, management must be informed of the various kinds of
threats facing the organization and its applications, data, and information systems.
II. Explain that a threat is an object, person, or other entity that represents a constant
danger to an asset. Point out that an attack represents an ongoing act against the asset
that could result in a loss. Also mention that threat agents use exploits to take advantage
of vulnerabilities where controls are not present or are no longer effective.
4.8 Billion Potential Hackers
I. State that about 62 percent of the world's population (about 4.8 billion) have some form
of Internet access, which is significantly up from 2015, when 49.2 percent of the
population had access.
II. Discuss the agreement that the threat from external sources increases when an
organization connects to the Internet.
III. Guide students to briefly review the world Internet usage spread in Table 2-1.
Other Studies of Threats
I. Point out to students that according to a recent study and survey, 67.1 percent of
responding organizations suffered malware infections. Also, more than 98 percent of
responding organizations identified malware as the second-highest threat source behind
electronic phishing/spoofing.
II. Discuss Tables 2-2, 2-3, and 2-4 that outline threats from internal and external
stakeholders as well as general threats to information assets.
Common Attack Pattern Enumeration and Classification (CAPEC)
I. Introduce students to the CAPEC Web site, which can be used by security professionals
to understand attacks.
II. Explain that this resource is a good tool for information security professionals to use to
gain additional insight on how attacks occur procedurally.
The 12 Categories of Threats (2.3, 2.4, PPT Slides 24–72)
I. Apply the use of Table 2-5 to explain the 12 categories of threats that represent a clear
and present danger to an organization's people, information, and systems. In summary,
they are the following:
• Compromises to intellectual property
• Deviations in quality of service
• Espionage or trespass
• Forces of nature
• Human error or failure
• Information extortion
• Sabotage or vandalism
• Software attacks
• Technical hardware failures or errors
• Technical software failures or errors
• Technological obsolescence
• Theft
II. Recognize that a threat to an organization may include more than one of these
categories, depending on the severity of the attack.
Compromises to Intellectual Property
I. Explain that many organizations create or support the development of intellectual
property (IP) as part of their business operations. Intellectual property is defined as "the
ownership of ideas and control over the tangible or virtual representation of those ideas."
II. Recall that intellectual property for an organization includes trade secrets, copyrights,
trademarks, and patents. Once intellectual property has been defined and properly
identified, breaches to IP constitute a threat to the security of this information. Most
common IP breaches involve the unlawful use or duplication of software-based
intellectual property, known as software piracy.
Software Piracy
I. Emphasize to students that the most common IP breaches involve the unlawful use or
duplication of software-based intellectual property, known as software piracy.
II. Outline that in addition to the laws surrounding software piracy, two watchdog
organizations investigate allegations of software abuse: the Software and Information
Industry Association (SIIA), formerly the Software Publishers Association, and the
Business Software Alliance (BSA).
III. Quantify the severity of software piracy with the following statistics mentioned in the
text:
• The BSA estimates that 37 percent of software installed on personal computers
globally was not properly licensed in 2018.
• Some countries indicate unlicensed rates of more than 50 percent.
IV. Recall that malware attacks significantly increase with the use of unlicensed software.
Copyright Protection and User Registration
I. Discuss that enforcement of copyright laws has been attempted through several
technical security mechanisms, such as digital watermarks, embedded code, and
copyright codes.
II. Identify that online registrations combat piracy because users must register their
software to complete the installation process. Caution students that key generators can
be used to override and outsmart online registration tools and still result in intellectual
property losses.
Deviations in Quality of Service
I. Summarize that concerns in this category represent situations in which a product or
service is not delivered to the organization as expected.
II. Explain that the organization's information system depends on the successful operation of
many interdependent support systems, including power grids, telecom networks, parts
suppliers, service vendors, and even the janitorial staff and garbage haulers.
Internet Service Issues
I. Explain that Internet service, communications, and power irregularities are three sets of
service issues that dramatically affect the availability of information and systems. This is
true regardless of whether a person is at the office or connecting through a virtual private
network (VPN) connection.
II. Justify that the U.S. government's Federal Communications Commission (FCC)
maintains a Network Outage Reporting System (NORS), which, according to FCC
regulation 47 C.F.R. Part 4, requires communications providers to report outages that
disrupt communications at certain facilities, like emergency services and airports.
III. Report that when an Internet service provider fails to meet the terms in a service level
agreement (SLA), it is often fined to cover client losses, although the lost business
exceeds anything recovered. This is true even with vendors promoting high availability
(or low downtime).
IV. Apply the example of Amazon and how a 30- to 40-minute outage cost them a significant
amount of money ($3-4 million) in just that short amount of time.
V. Identify the most common causes of downtime and the financial impact of those
incidents from the data provided in Figure 2-4.
Communication and Other Service Provider Issues
I. Describe communications and other service provider issues: other utility services can
impact organizations as well. Among these are telephone, water, wastewater, trash
pickup, cable television, natural or propane gas, and custodial services. The loss of
these services can impair the ability of an organization to function properly.
Power Irregularities
I. Describe power irregularities: irregularities from power utilities are common and can lead
to fluctuations, such as power excesses, power shortages, and power losses. In the
United States, we are "fed" 120-volt, 60-cycle power usually through 15-amp and 20-amp
circuits.
II. Explain that voltage levels are subject to a spike (momentary increase), surge
(prolonged increase), sag (momentary decrease), brownout (prolonged drop in voltage),
fault (momentary complete loss of power) or blackout (a lengthier loss of power).
III. Emphasize that organizations with dedicated power needs must think of backup
solutions such as generators to provide power in the event an outage were to occur.
This is especially the case for information technology and security-related systems.
IV. Predict that because sensitive electronic equipment—especially networking equipment,
computers, and computer-based systems—is susceptible to fluctuations, controls should
be applied to manage power quality.
Espionage or Trespass
I. Explain that this threat represents a well-known and broad category of electronic and
human activities that breach the confidentiality of information.
II. Establish that when an unauthorized individual gains access to the information an
organization is trying to protect, that act is categorized as a deliberate act of espionage
or trespass.
III. Contrast the assumption some people hold that information-gathering techniques
are illegal with the fact that they are not. When they are done properly, this is referred to as
competitive intelligence. However, if a legal or ethical threshold is crossed, persons
doing this are conducting industrial espionage.
IV. Describe the concept of shoulder surfing. Emphasize that it commonly occurs at
computer terminals, desks, ATM machines, smartphones, or other places where a
person is accessing confidential information.
V. Justify the notion that users should always be aware of the presence of others when
they are accessing sensitive data.
Hackers
I. Present the fact that trespassing often leads to unauthorized, real, or virtual actions that
enable information gatherers to enter premises or systems they have not been
authorized to enter.
II. Discuss that the classic perpetrator of deliberate acts of espionage or trespass is the
hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to
bypass the controls placed around information that is the property of someone else. The
hacker frequently spends long hours examining the types and structures of the targeted
systems.
III. Remind students that there are generally two skill levels among hackers. The first is the
expert hacker, who develops software scripts and program exploits used by the second
category, the novice, or unskilled hacker.
IV. Explain that the expert hacker is usually a master of several programming languages,
networking protocols, and operating systems and exhibits a mastery of the technical
environment of the chosen targeted system.
V. Demonstrate that expert hackers who have become bored with directly attacking
systems have turned to writing software. The software they write consists of automated exploits
that allow novice hackers to become script kiddies (or packet monkeys)—hackers of
limited skill who use expertly written software to exploit a system, but do not fully
understand or appreciate the systems they hack.
VI. Compare and contrast professional hackers and penetration
(pen) testers. Although they are doing the same thing, which is testing the information
and network defenses, professional hackers are doing it illegally, whereas pen testers
are doing it ethically and professionally.
Escalation of Privileges
I. Discuss the term privilege escalation. Explain that a common example of privilege
escalation is called jailbreaking or rooting.
II. Justify that according to the U.S. Copyright Office, the practice of jailbreaking
smartphones was considered legal as a special exemption under the Digital Millennium
Copyright Act, but jailbreaking a tablet (such as the iPad) was not and often voids any
manufacturer warranty.
Hacker Variants
I. Describe that there are other terms for system rule breakers as mentioned in the text:
• Crackers are now commonly associated with an individual who "cracks" or removes
software protection that is designed to prevent unauthorized duplication.
• Phreakers hack the public telephone network to make free calls, disrupt services,
and generally wreak havoc. Although more common in the 1970s, they can still do a
number on phone systems.
Password Attacks
I. Emphasize that password attacks fall under the category of espionage and are a serious
offense.
II. Outline the four approaches to password cracking:
• brute force password attack: An attempt to guess a password by attempting every
possible combination of characters and numbers in it.
• dictionary password attack: A variation of the brute force password attack that
attempts to narrow the range of possible passwords guessed by using a list of
common passwords and possibly including attempts based on the target's personal
information.
• rainbow table: A table of hash values and their corresponding plaintext values that
can be used to look up password values if an attacker is able to steal a system's
encrypted password file.
• social engineering: An attempt to gain access by contacting low-level employees
and offering to help with their computer issues.
III. Evaluate the purpose and composition of the 10.4 password rule and how it can provide
a method for users to generate a stronger password that is less likely to be hacked.
IV. Recommend that students review Table 2-6 and see how the odds increase the more
characters are in a password, and the time it would take to do so based on a 2020-era
computer system.
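For classroom demonstration of the password points above, the following Python sketch is an added example and is not taken from the manual or the textbook. It assumes the 10.4 rule means at least 10 characters with at least one uppercase letter, lowercase letter, digit, and special character; the word list, the PBKDF2 work factor, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed sample of weak passwords; a real precomputed table holds far more.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PBKDF2_ROUNDS = 100_000  # assumed work factor for this demonstration


def meets_10_4(password: str) -> bool:
    """Check the 10.4 rule as assumed here: length >= 10 and at least one
    uppercase letter, lowercase letter, digit, and special character."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(password) >= 10 and all(
        any(ch in cls for ch in password) for cls in classes)


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidates a brute force attack has to cover."""
    return alphabet_size ** length


def worst_case_days(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Days needed to try every candidate at an assumed guessing rate."""
    return search_space(length, alphabet_size) / guesses_per_second / 86_400


def build_lookup_table(words):
    """Precomputed hash -> plaintext map, a simplified stand-in for a rainbow table."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def store_unsalted(password: str) -> str:
    """Weak storage: the same password always produces the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = None):
    """Stronger storage: a random per-user salt plus a slow key derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    salt, salted = store_salted("letmein")
    return {
        # The unsalted hash of a common password is found in the table.
        "unsalted_lookup": table.get(store_unsalted("letmein")),
        # The salted value is not, even though the password is the same.
        "salted_lookup": table.get(salted),
        "login_ok": verify_salted("letmein", salt, salted),
        # Two extra characters multiply the search space by 94 * 94.
        "growth_8_to_10": search_space(10, 94) // search_space(8, 94),
        "rule_weak": meets_10_4("letmein"),
        "rule_strong": meets_10_4("Blue!Kettle42"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salted half of the demonstration shows why a stolen password file that uses per-user salts cannot be reversed with a single precomputed table.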
Social Engineering Password Attacks
I. Stress that hackers posing as friendly help-desk associates or repair techs have
an easy inroad into servers and systems even if they resolve a user's issue.
II. Critique the scenario where hackers can work inside an organization and even at a help
desk using this method to gain systems access where they would otherwise be denied
entry. This is true even if their background check comes up clean.
III. Distinguish the fact that attempts to gain access like this are often subtle and go
unnoticed until it is too late.
Forces of Nature
I. Discuss how forces of nature, force majeure, or acts of God pose some of the most
dangerous threats, because they are unexpected and can occur with little warning.
II. Emphasize that pandemics, such as the 2020 COVID-19 outbreak, are considered a
force of nature even though most things remained operational.
III. Explain that these threats can disrupt not only the lives of individuals but also the
storage, transmission, and use of information. Since it is not possible to avoid many of
these threats, management must implement controls to limit damage and prepare
contingency plans for continued operations.
IV. Outline the 11 forces of nature that are outlined in the text. They are the following:
• Fires
• Floods
• Earthquakes
• Lightning
• Landslides or mudslides
• Tornados or severe windstorms
• Hurricanes, typhoons, and tropical depressions
• Tsunamis
• Electrostatic discharge (ESD)
• Dust contamination
• Solar activity
Fire
I. Outline ways a fire can cause damage to computing equipment up to the point of
compromising all or part of a system. This includes the fire itself, suppression systems
such as sprinklers, or water from firefighting hoses.
II. Demonstrate that this threat often can be mitigated with fire casualty insurance or
business interruption insurance policies.
Floods
I. Detail the net effects a flood can have on a facility and computing equipment. On top of
damaging the systems, building access may also be compromised.
II. Explain that this specific threat often may be mitigated with flood insurance or business
interruption insurance. This is especially important if the business is in a potential flood
zone as deemed by FEMA.
Earthquakes
I. Present that an earthquake can cause direct damage to information system equipment
and/or the facilities that house the equipment.
II. Stress that not only physical structures are at risk. Give the example in the text of a large
earthquake off the coast of Taiwan that severed underwater communications cables.
III. Explain that this specific threat can sometimes be mitigated with casualty or business
interruption insurance. Often, as mentioned, it is covered under its own policy.
Lightning
I. Illustrate what a lightning strike is. It is an abrupt, discontinuous natural electric
discharge in the atmosphere.
II. Recognize that lightning strikes not only can damage all or part of an information system
but also cause building damage, fires, or other damage.
III. Emphasize proactive measures that can be taken by installing specialized lightning rods
placed strategically on and around the organization's facilities and by installing special
circuit protectors in the organization's electrical service.
IV. Classify that this type of natural cause can sometimes be mitigated with multipurpose
casualty or business interruption insurance.
Landslides, Mudslides, and Avalanches
I. Relate that these are downward slides of masses of earth, rock, or snow and are
sometimes sudden or with minimal notice so evacuations can take place.
II. Direct students to understand the impacts here to buildings that house the systems.
Depending on the severity of the incident, they may be destroyed or temporarily buried.
III. Classify that this type of natural cause can sometimes be mitigated with multipurpose
casualty or business interruption insurance.
Tornados and Severe Windstorms
I. Contrast the differences between a tornado and wind shear events.
II. Denote that a tornado can directly damage all or part of the facility housing the
information systems, depending on the strength of the funnel cloud and wind speed.
III. Explain that this brief but impactful type of natural disaster may be mitigated with
casualty or business interruption insurance.
Hurricanes, Typhoons, and Tropical Depressions
I. Compare a typhoon and a hurricane. Note that they are virtually the
same thing with the exception of their location in the world.
II. Stress that excessive rainfall and high winds from these storms can directly damage all
or part of the information system or, more likely, the building that houses it.
Organizations in coastal or low-lying areas may suffer flooding as well, which would
restrict access to the buildings that house information systems.
III. Guide students to understand that this brief but impactful type of natural disaster may be
mitigated with casualty or business interruption insurance.
Tsunamis
I. Describe the impact of a tsunami and the severity of impact that just one event may
cause.
II. Apply the tsunami that occurred in 2011 as a threat that affected the world directly and
indirectly.
III. Explain how, in most cases, this threat can sometimes be mitigated with casualty
insurance or business interruption insurance.
Electrostatic Discharge
I. Illustrate what an electrostatic discharge (ESD) is and the impact it can have on
flammable mixtures or electronic components.
II. Stress that as little as 10 volts can cause catastrophic damage to information systems
equipment, and humans cannot detect static electricity until it reaches about 1,500 volts.
Discharges from walking across dry carpet can exceed 12,000 volts.
III. Emphasize that the financial repercussions of static discharge could result in millions of
dollars of damage and significant loss of production time in information processing.
Although ESD can disrupt information systems, it is not usually an insurable loss unless
covered by business interruption insurance.
Dust Contamination
I. Relate that dust particle buildups and debris inside systems can dramatically reduce the
effectiveness and efficiency of the equipment. This often leads to unexpected shutdowns
and overheating.
II. Stress that this can often shorten the life of information systems and disrupt normal
operations.
Solar Activity
I. Recognize that solar flares or extremes in radiation can affect power grids and power
lines, blow out transformers, and shut down power stations.
II. Emphasize that businesses that rely on satellites should have alternate options available
should communications from them be disrupted.
Human Error or Failure
I. Describe this category and comment to students that it includes the possibility of acts
performed without intent or malicious purpose by an individual who is an employee of an
organization.
II. Discuss the fact that employees constitute one of the greatest threats to information
security, as they are the individuals closest to the organizational data. Employee
mistakes can easily lead to the following: revelation of classified data, entry of erroneous
data, accidental deletion or modification of data, storage of data in unprotected areas,
and failure to protect information.
III. Note that many threats can be prevented with controls, ranging from simple procedures,
such as requiring the user to type a critical command twice, to more complex
procedures, such as the verification of commands by a second party.
IV. Explain that this threat represents a well-known and broad category of electronic and
human activities that breach the confidentiality of information.
Social Engineering
I. Define within the context of information security that social engineering is the process of
using social skills to convince people to reveal access credentials or other valuable
information to the attacker.
II. Explain that people are the weakest link. You can have the best technology—firewalls,
intrusion-detection systems, biometric devices—and somebody can call an unsuspecting
employee and obtain a wealth of information.
Business E-Mail Compromise (BEC)
I. Stress that this is one of the newest forms of social engineering attack methods being
deployed on organizations today.
II. Detail the process of how an attacker gains access to the system either through another
social engineering attack or technical exploit and then proceeds to request that
employees within the organization, usually administrative assistants to high-level
executives, transfer funds to an outside account or purchase gift cards and send them to
someone outside the organization.
III. Emphasize that in 2019 alone, there were 24,000 BEC complaints and projected losses
of more than $1.7 billion.
Advance-Fee Fraud
I. Compare and contrast one of the most common social engineering attacks, known as
advance-fee fraud (AFF), with phishing.
II. Stress that AFF is also known as 4-1-9 fraud, a name taken from the Nigerian
Penal Code and not from an area code in northern Ohio.
III. Examine the sample letter in Figure 2-9, which illustrates this scheme in
practice.
IV. Outline to students that this scam is one for stealing funds from credulous people, first
by requiring them to participate in a proposed money-making venture by sending money
up front, and then by soliciting an endless series of fees. In the most serious cases,
kidnapping, extortion, or murder can result.
V. Quantify that most recently in 2020, up to $100 billion has been swindled using
this method.
Phishing
I. Distinguish phishing as an attempt to gain personal or financial information from an
individual, usually by posing as a legitimate entity.
II. Emphasize that a variant is spear phishing, a label that applies to any highly targeted
phishing attack. While normal phishing attacks target as many recipients as possible, a
spear phisher sends a message that appears to be from an employer, a colleague, or
other legitimate correspondent to a small group, or even one specific person.
III. Discuss that phishing attacks use two primary techniques, often used in combination
with one another: URL manipulation and Web site forgery.
Pretexting
I. Point out that another form of social engineering is called pretexting, which is sometimes
referred to as phone phishing.
II. Emphasize that VoIP phone services have made it easy to spoof caller IDs and hence
hide the identity of someone who may be on the other end of the line.
Information Extortion
I. Illustrate how information extortion involves the possibility of an attacker or trusted
insider stealing information from a computer system and demanding compensation for
its return or for an agreement to not disclose the information. Extortion is common in
credit card number theft.
II. Give examples provided in the textbook of different information extortion incidents and
the impacts to their respective businesses. Convey to students that regardless of a
company's size or function, it is susceptible to extortion.
Ransomware
I. Explain that the latest type of attack in this category is known as ransomware, which is a
malware attack on the host system that denies access to the user and then offers to
provide a key to allow access back to the user's system and data for a fee.
II. Compare and contrast the two different types of ransomware: lockscreen and
encryption.
• Lockscreen ransomware denies access to the system by disabling access to the
desktop and preventing the user from bypassing the ransom screen that demands
payment for access.
• Encryption ransomware is more severe, as it requires payment up front to access
one's hard drive after the information on it has been encrypted.
III. Illustrate the three examples of ransomware activities highlighted in the text and stress
to students that these types of attacks occur daily, and an information security team
must be on guard to overcome and nullify these.
Sabotage or Vandalism
I. Summarize that this type of threat involves the deliberate sabotage of a computer
system or business or acts of vandalism to either destroy an asset or damage the image
of an organization.
II. Emphasize that these threats can range from petty vandalism by employees to
organized sabotage against an organization.
III. Identify that organizations frequently rely on image to support the generation of revenue,
and vandalism to a Web site can erode consumer confidence, thus reducing the
organization's sales and net worth. Compared to Web site defacement, vandalism within
a network is more malicious in intent and less public.
Online Activism
I. Explain that security experts are noticing a rise in another form of online vandalism,
hacktivist or cyberactivist operations. A more extreme version is referred to as
cyberterrorism (which is explained next).
II. Stress that doxing is where a hacker uses online resources to find
and disseminate compromising information for the purpose of harming or harassing an
individual, group, or government entity. Apply Figure 2-14 as an example of this in
action.
Cyberterrorism and Cyberwarfare
I. Detail the purpose of cyberterrorism and what the United States and other government
bodies are doing to combat this.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
II. Differentiate between the three examples provided in the text with respect to supposed
cyberterrorism attacks and why it is important to be on guard.
III. Relate that some government entities express concern that cyberattacks that are aimed at
disrupting their entities are likely to be seen as cyberwarfare. Note that their purpose is to
take down critical infrastructure.
IV. Apply one of the most recent attacks on critical infrastructure in the United States—the
Colonial Pipeline shutdown that wreaked havoc in the eastern part of the country—as an
example of a cyberterrorism threat in the eyes of the federal government.
Positive Online Activism
I. Compare cyberterrorism to more positive online activism, such as using Facebook,
Twitter, and so on to perform fundraising and raise awareness of social issues.
II. Stress that engaging in positive online activism is a legal right, provided it does not
cross the moral threshold into illegal activities.
Quick Quiz 1
1. True or False: The three communities of interest are general management, operations
management, and information security management.
Answer: False
2. Hackers of limited skill who use expertly written software to attack a system are known
as which of the following?
a. cyberterrorists
b. script kiddies
c. jailbreakers
d. social engineers
Answer: b
3. Which of the following occurs when an attacker or trusted insider steals information from
a computer system and demands compensation for its return or for an agreement not to
disclose it?
a. information extortion
b. technological extortion
c. insider trading
d. information hoarding
Answer: a
4. Which type of attacker will hack systems to conduct terrorist activities via network or
Internet pathways?
a. cyberattackers
b. electronic terrorists
c. cyberterrorists
d. electronic hackers
IF YOU WANT THIS TEST BANK OR SOLUTION MANUAL EMAIL
ME donc8246@gmail.com TO RECEIVE ALL CHAPTERS IN PDF
FORMAT

More Related Content

Similar to Instructor Manual Principles of Information Security, 7th Edition by Michael E. Whitman Complete Verified Chapter's.docx

2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Report on Information Security
Report on Information SecurityReport on Information Security
Report on Information SecurityUraz Pokharel
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Introduction to the management of information security
Introduction to the management of information security  Introduction to the management of information security
Introduction to the management of information security Sammer Qader
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptTayyab AlEe
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptTayyab AlEe
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsMarius FAILLOT DEVARRE
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxchristiandean12115
 
Final Exam Case Study (3)
Final Exam   Case Study (3)Final Exam   Case Study (3)
Final Exam Case Study (3)Kathy_67
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmtmadunix
 
Presentation(group j)implementing trustworthy computing by Sundas Ilyas
Presentation(group j)implementing  trustworthy computing by Sundas IlyasPresentation(group j)implementing  trustworthy computing by Sundas Ilyas
Presentation(group j)implementing trustworthy computing by Sundas IlyasSundas Kayani
 
Human resources security
Human resources securityHuman resources security
Human resources securityCAS
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingSwati Gupta
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE360 BSI
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Editor IJCATR
 

Similar to Instructor Manual Principles of Information Security, 7th Edition by Michael E. Whitman Complete Verified Chapter's.docx (20)

2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
Report on Information Security
Report on Information SecurityReport on Information Security
Report on Information Security
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Introduction to the management of information security
Introduction to the management of information security  Introduction to the management of information security
Introduction to the management of information security
 
Lecture 1-2.pdf
Lecture 1-2.pdfLecture 1-2.pdf
Lecture 1-2.pdf
 
Jb ia
Jb   iaJb   ia
Jb ia
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptx
 
Final Exam Case Study (3)
Final Exam   Case Study (3)Final Exam   Case Study (3)
Final Exam Case Study (3)
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
Presentation(group j)implementing trustworthy computing by Sundas Ilyas
Presentation(group j)implementing  trustworthy computing by Sundas IlyasPresentation(group j)implementing  trustworthy computing by Sundas Ilyas
Presentation(group j)implementing trustworthy computing by Sundas Ilyas
 
Human resources security
Human resources securityHuman resources security
Human resources security
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-training
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...
 

More from marcuskenyatta275

Test bank criminal behavior a psychological approach 12e bartol.pdf
Test bank criminal behavior a psychological approach 12e bartol.pdfTest bank criminal behavior a psychological approach 12e bartol.pdf
Test bank criminal behavior a psychological approach 12e bartol.pdfmarcuskenyatta275
 
Test bank medical surgical nursing in canada 5th edition lewi.pdf
Test bank medical surgical nursing in canada 5th edition lewi.pdfTest bank medical surgical nursing in canada 5th edition lewi.pdf
Test bank medical surgical nursing in canada 5th edition lewi.pdfmarcuskenyatta275
 
Test bank for radiologic science for technologists 12th edition by bushong.pdf
Test bank for radiologic science for technologists 12th edition by bushong.pdfTest bank for radiologic science for technologists 12th edition by bushong.pdf
Test bank for radiologic science for technologists 12th edition by bushong.pdfmarcuskenyatta275
 
Test bank for psychology themes and variations 4th canadian edition by weiten...
Test bank for psychology themes and variations 4th canadian edition by weiten...Test bank for psychology themes and variations 4th canadian edition by weiten...
Test bank for psychology themes and variations 4th canadian edition by weiten...marcuskenyatta275
 
Test Bank for Physical Examination and Health Assessment 9th Edition.pdf
Test Bank for Physical Examination and Health Assessment 9th Edition.pdfTest Bank for Physical Examination and Health Assessment 9th Edition.pdf
Test Bank for Physical Examination and Health Assessment 9th Edition.pdfmarcuskenyatta275
 
Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...
Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...
Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...marcuskenyatta275
 
Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...
Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...
Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...marcuskenyatta275
 
TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...marcuskenyatta275
 
Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...
Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...
Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...marcuskenyatta275
 
Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...
Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...
Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...marcuskenyatta275
 
Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan C...
Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan  C...Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan  C...
Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan C...marcuskenyatta275
 
Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...
Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...
Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...marcuskenyatta275
 
Solution manual for Intermediate Accounting, 11th Edition by David Spiceland...
Solution manual for  Intermediate Accounting, 11th Edition by David Spiceland...Solution manual for  Intermediate Accounting, 11th Edition by David Spiceland...
Solution manual for Intermediate Accounting, 11th Edition by David Spiceland...marcuskenyatta275
 
Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...
Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...
Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...marcuskenyatta275
 
Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...
Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...
Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...marcuskenyatta275
 
Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...
Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...
Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...marcuskenyatta275
 
TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...
TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...
TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...marcuskenyatta275
 

More from marcuskenyatta275 (17)

Test bank criminal behavior a psychological approach 12e bartol.pdf
Test bank criminal behavior a psychological approach 12e bartol.pdfTest bank criminal behavior a psychological approach 12e bartol.pdf
Test bank criminal behavior a psychological approach 12e bartol.pdf
 
Test bank medical surgical nursing in canada 5th edition lewi.pdf
Test bank medical surgical nursing in canada 5th edition lewi.pdfTest bank medical surgical nursing in canada 5th edition lewi.pdf
Test bank medical surgical nursing in canada 5th edition lewi.pdf
 
Test bank for radiologic science for technologists 12th edition by bushong.pdf
Test bank for radiologic science for technologists 12th edition by bushong.pdfTest bank for radiologic science for technologists 12th edition by bushong.pdf
Test bank for radiologic science for technologists 12th edition by bushong.pdf
 
Test bank for psychology themes and variations 4th canadian edition by weiten...
Test bank for psychology themes and variations 4th canadian edition by weiten...Test bank for psychology themes and variations 4th canadian edition by weiten...
Test bank for psychology themes and variations 4th canadian edition by weiten...
 
Test Bank for Physical Examination and Health Assessment 9th Edition.pdf
Test Bank for Physical Examination and Health Assessment 9th Edition.pdfTest Bank for Physical Examination and Health Assessment 9th Edition.pdf
Test Bank for Physical Examination and Health Assessment 9th Edition.pdf
 
Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...
Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...
Test bank for Lewis's medical surgical nursing 12th edition by Mariann M. Har...
 
Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...
Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...
Test bank for corporate finance 13th stephen ross randolph westerfield jeffre...
 
TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 11th Editi...
 
Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...
Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...
Solution Manual For Accounting 28th Edition by Carl S. Warren, Christine Joni...
 
Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...
Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...
Solution Manual For Auditing and Assurance Services 9th Edition by Timothy Lo...
 
Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan C...
Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan  C...Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan  C...
Solution Manual for Microeconomics, 17th edition by Christopher T.S. Ragan C...
 
Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...
Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...
Solution Manual for Personal Financial Planning 15th Edition by Randy Billing...
 
Solution manual for Intermediate Accounting, 11th Edition by David Spiceland...
Solution manual for  Intermediate Accounting, 11th Edition by David Spiceland...Solution manual for  Intermediate Accounting, 11th Edition by David Spiceland...
Solution manual for Intermediate Accounting, 11th Edition by David Spiceland...
 
Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...
Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...
Solution Manual for Exploring Strategy Text And Cases 12th Edition Gerry John...
 
Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...
Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...
Test Bank for Fundamentals of Nursing, 3rd Edition by Barbara L Yoost Chapter...
 
Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...
Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...
Test Bank for Critical Care Nursing Diagnosis and Management 9th Edition by L...
 
TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...
TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...
TEST BANK For Pathophysiology 7th Edition by Jacquelyn L. Banasik Chapter 1 -...
 

Recently uploaded

Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...
Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...
Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...apshanarani255
 
Jodhpur Call Girl 97487*63073 Call Girls in Jodhpur Escort service book now
Jodhpur  Call Girl 97487*63073 Call Girls in Jodhpur Escort service book nowJodhpur  Call Girl 97487*63073 Call Girls in Jodhpur Escort service book now
Jodhpur Call Girl 97487*63073 Call Girls in Jodhpur Escort service book nowapshanarani255
 
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book nowKolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book nowapshanarani255
 
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...Sheetaleventcompany
 
Hyderabad ❣️ Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...
Hyderabad ❣️  Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...Hyderabad ❣️  Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...
Hyderabad ❣️ Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...apshanarani255
 
Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...
Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...
Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...oyomaster143
 
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7Sana Rajpoot
 
Call Girls | 😏💦 03274100048 | Call Girls Near Me
Call Girls | 😏💦 03274100048 | Call Girls Near MeCall Girls | 😏💦 03274100048 | Call Girls Near Me
Call Girls | 😏💦 03274100048 | Call Girls Near MeIfra Zohaib
 
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.riyadelhic riyadelhic
 
Night Service in Karachi | 03274100048 | Sex Girls Karachi
Night Service in Karachi | 03274100048 | Sex Girls KarachiNight Service in Karachi | 03274100048 | Sex Girls Karachi
Night Service in Karachi | 03274100048 | Sex Girls KarachiAwais Yousaf
 
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️  Call Girl 97487*63073 Call Girls in Lucknow Escort service book nowLucknow ❣️  Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book nowapshanarani255
 
Dehradun ❣️ Call Girl 97487*63073 Call Girls in Dehradun Escort service book...
Dehradun ❣️  Call Girl 97487*63073 Call Girls in Dehradun Escort service book...Dehradun ❣️  Call Girl 97487*63073 Call Girls in Dehradun Escort service book...
Dehradun ❣️ Call Girl 97487*63073 Call Girls in Dehradun Escort service book...apshanarani255
 
Guwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book now
Guwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book nowGuwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book now
Guwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book nowapshanarani255
 
Berhampur Call Girl 97487*63073 Call Girls in Berhampur Escort service book now
Berhampur  Call Girl 97487*63073 Call Girls in Berhampur Escort service book nowBerhampur  Call Girl 97487*63073 Call Girls in Berhampur Escort service book now
Berhampur Call Girl 97487*63073 Call Girls in Berhampur Escort service book nowapshanarani255
 
NAGPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
NAGPUR CALL GIRL 7857803690  LOW PRICE  ESCORT SERVICENAGPUR CALL GIRL 7857803690  LOW PRICE  ESCORT SERVICE
NAGPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICEayushi9330
 
Karachi Sexy Girls || 03280288848 || Sex services in Karachi
Karachi Sexy Girls || 03280288848 || Sex services in KarachiKarachi Sexy Girls || 03280288848 || Sex services in Karachi
Karachi Sexy Girls || 03280288848 || Sex services in KarachiAwais Yousaf
 
Girls For Night in Islamabad | 03274100048 🔞
Girls For Night in Islamabad | 03274100048 🔞Girls For Night in Islamabad | 03274100048 🔞
Girls For Night in Islamabad | 03274100048 🔞Ifra Zohaib
 
Mysore ❤CALL GIRL 84099*07087 ❤CALL GIRLS IN Mysore ESCORT SERVICE❤CALL GIRL
Mysore ❤CALL GIRL 84099*07087 ❤CALL GIRLS IN Mysore ESCORT SERVICE❤CALL GIRLMysore ❤CALL GIRL 84099*07087 ❤CALL GIRLS IN Mysore ESCORT SERVICE❤CALL GIRL
Mysore ❤CALL GIRL 84099*07087 ❤CALL GIRLS IN Mysore ESCORT SERVICE❤CALL GIRLkantirani197
 
BARASAT CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
BARASAT CALL GIRL 7857803690  LOW PRICE  ESCORT SERVICEBARASAT CALL GIRL 7857803690  LOW PRICE  ESCORT SERVICE
BARASAT CALL GIRL 7857803690 LOW PRICE ESCORT SERVICEayushi9330
 

Recently uploaded (20)

Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...
Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...
Bhubaneswar ❣️ Call Girl 9748763073 Call Girls in Bhubaneswar Escort service ...
 
Jodhpur Call Girl 97487*63073 Call Girls in Jodhpur Escort service book now
Jodhpur  Call Girl 97487*63073 Call Girls in Jodhpur Escort service book nowJodhpur  Call Girl 97487*63073 Call Girls in Jodhpur Escort service book now
Jodhpur Call Girl 97487*63073 Call Girls in Jodhpur Escort service book now
 
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book nowKolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
 
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
 
➥🔝9953056974 🔝▻ Anand Vihar Call-girl in Women Seeking Men 🔝Delhi🔝 NCR
➥🔝9953056974 🔝▻ Anand Vihar Call-girl in Women Seeking Men 🔝Delhi🔝 NCR➥🔝9953056974 🔝▻ Anand Vihar Call-girl in Women Seeking Men 🔝Delhi🔝 NCR
➥🔝9953056974 🔝▻ Anand Vihar Call-girl in Women Seeking Men 🔝Delhi🔝 NCR
 
Hyderabad ❣️ Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...
Hyderabad ❣️  Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...Hyderabad ❣️  Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...
Hyderabad ❣️ Call Girl 9748763073 Call Girls in Hyderabad Escort service boo...
 
Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...
Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...
Hyderabad ❤CALL GIRL 9874883814 ❤CALL GIRLS IN Hyderabad ESCORT SERVICE❤CALL ...
 
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7

Instructor Manual Principles of Information Security, 7th Edition by Michael E. Whitman Complete Verified Chapter's.docx

  • 1. Instructor Manual Principles of Information Security, 7th Edition by Michael E. Whitman
  • 2. Instructor Manual
    Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 1: Introduction to Information Security
    Table of Contents
    Purpose and Perspective of the Module
    Cengage Supplements
    Module Objectives
    Complete List of Module Activities and Assessments
    Key Terms
    What's New in This Module
    Module Outline
    Discussion Questions
    Suggested Usage for Lab Activities
    Additional Activities and Assignments
    Additional Resources
      Cengage Video Resources
      Internet Resources
    Appendix
      Grading Rubrics
  • 3. Purpose and Perspective of the Module
    The first module of the course in information security provides learners the foundational knowledge to become well versed in the protection that systems of any size need within an organization today. The module begins with fundamental knowledge of what information security is and how computer security evolved into what we now know as information security. Additionally, learners will gain knowledge of how information security can be viewed either as an art or a science and why that is the case.
    Cengage Supplements
    The following product-level supplements are available in the Instructor Resource Center and provide additional information that may help you in preparing your course:
      - PowerPoint slides
      - Test banks, available in Word, as LMS-ready files, and on the Cognero platform
      - MindTap Educator Guide
      - Solution and Answer Guide
      - This instructor's manual
    Module Objectives
    The following objectives are addressed in this module:
    1.1 Define information security.
    1.2 Discuss the history of computer security and explain how it evolved into information security.
    1.3 Define key terms and critical concepts of information security.
    1.4 Describe the information security roles of professionals within an organization.
    Complete List of Module Activities and Assessments
    For additional guidance refer to the MindTap Educator Guide.
    Module Objective | PPT slide | Activity/Assessment | Duration
                     | 2 | Icebreaker: Interview Simulation | 10 minutes
    1.1–1.2 | 19–20 | Knowledge Check Activity 1 | 2 minutes
    1.3 | 34–35 | Knowledge Check Activity 2 | 2 minutes
    1.4 | 39–40 | Knowledge Check Activity 3 | 2 minutes
    1.1–1.4 | MindTap | Module 01 Review Questions | 30–40 minutes
    1.1–1.4 | MindTap | Module 01 Case Exercises | 30 minutes
    1.1–1.4 | MindTap | Module 01 Exercises | 10–30 minutes per question; 1+ hour per module
    1.1–1.4 | MindTap | Module 01 Security for Life | 1+ hour
    1.1–1.4 | MindTap | Module 01 Quiz | 10–15 minutes
  • 4. Key Terms
    In order of use:
    computer security: In the early days of computers, this term specified the protection of the physical location and assets associated with computer technology from outside threats, but it later came to represent all actions taken to protect computer systems from losses.
    security: A state of being secure and free from danger or harm as well as the actions taken to make someone or something secure.
    information security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
    network security: A subset of communications security; the protection of voice and data networking components, connections, and content.
    C.I.A. triad: The industry standard for computer security since the development of the mainframe; the standard is based on three characteristics that describe the attributes of information that are important to protect: confidentiality, integrity, and availability.
    confidentiality: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
    personally identifiable information (PII): Information about a person's history, background, and attributes that can be used to commit identity theft that typically includes a person's name, address, Social Security number, family information, employment history, and financial information.
    integrity: An attribute of information that describes how data is whole, complete, and uncorrupted.
    availability: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
    accuracy: An attribute of information that describes how data is free of errors and has the value that the user expects.
    authenticity: An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
    utility: An attribute of information that describes how data has value or usefulness for an end purpose.
    possession: An attribute of information that describes how the data's ownership or control is legitimate or authorized.
    McCumber Cube: A graphical representation of the architectural approach used in computer and information security that is commonly shown as a cube composed of 3×3×3 cells, similar to a Rubik's Cube.
    information system: The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
    physical security: The protection of material items, objects, or areas from unauthorized access and misuse.
  • 5. bottom-up approach: A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
    top-down approach: A methodology of establishing security policies and/or practices that is initiated by upper management.
    chief information officer (CIO): An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.
    chief information security officer (CISO): The title typically assigned to the top information security manager in an organization.
    data owners: Individuals who control and are therefore ultimately responsible for the security and use of a particular set of information.
    data custodians: Individuals who are responsible for the storage, maintenance, and protection of information.
    data stewards: See data custodians.
    data trustees: Individuals who are assigned the task of managing a particular set of information and coordinating its protection, storage, and use.
    data users: Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.
    community of interest: A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
    What's New in This Module
    The following elements are improvements in this module from the previous edition:
      - This Module was Chapter 1 in the 6th edition.
      - The content that covered Systems Development was moved to Module 11: Implementation.
      - The Module was given a general update and given more current examples.
    Module Outline
    Introduction to Information Security (1.1, 1.2, PPT Slides 4–17)
    I. Recognize that organizations, regardless of their size or purpose, have information they must protect and store internally and externally.
    II. Analyze the importance of and reasoning behind an organization being responsible for the information it collects, stores, and uses.
    III. Review the concept of computer security and when the need for it initially arose.
  • 6. IV. Discuss how badges, keys, and facial recognition of authorized personnel are required to access military locations deemed sensitive.
    V. Describe the primary threats to security: physical theft of equipment, product espionage, and sabotage.
    VI. Examine information security practices in the World War II era and compare with modern-day needs.
    The 1960s
    I. Explain the purpose of the Department of Defense's Advanced Research Procurement Agency (ARPA) and their need to create redundant networked communications systems so that the military can exchange information.
    II. Identify Dr. Larry Roberts as the creator of the ARPANET project and now the modern-day Internet.
    The 1970s and ’80s
    I. Critique the use of ARPANET and how it became more widely used and consequently misused.
    II. Recognize that Robert M. Metcalfe expressed concerns about ARPANET and how it could be easily hacked into due to password structure vulnerabilities, lack of safety protocols, and widely distributed phone numbers for system access.
    III. Conclude that a lack of controls in place provided users limited safeguards to protect themselves from unauthorized remote users.
    IV. Discuss how dial-up connections lacked safety protocols when connecting to ARPANET.
    V. Recall that authorizations into the system and a lack of user identification were significant security risks for ARPANET during this time.
    VI. Evaluate the movement toward stronger security protocols thanks to the implementation of conclusions from the Rand Report R-609.
    VII. Relate how the need for physical security protocols grew to include computer security protocols as part of a holistic information security plan.
    MULTICS
    I. Define the purpose of the Multiplexed Information and Computing Service (MULTICS) and its importance to information security.
    II. Relate that the restructuring of the MULTICS project created the UNIX operating system in 1969.
    III. Contrast the facts that the MULTICS system had multiple security levels planned, whereas the new UNIX system did not have them included.
    IV. Examine the decentralization of data processing and why it is important to modern-day information security protocols.
    V. Distinguish that in the late 1970s microprocessors transformed computing capabilities but also established new security threats.
    VI. Recall that the Defense Advanced Research Projects Agency (DARPA) created the Computer Emergency Response Team (CERT) in 1988.
  • 7. VII. Conclude that until the mid-1980s, computer security was a non-issue for federal information systems.
    The 1990s
    I. Understand that as computers and their networks became more common, the need to connect networks rose in tandem during this time. Hence, the Internet was born out of the need to have a global network of networks.
    II. Analyze the consequences of how exponential growth of the Internet early on resulted in security being a low priority over other core components.
    III. Identify that networked computers were the most common style of computing during this time. However, a result of this was a lessened ability to secure a physical computer, and stored data became more exposed to security threats internally and externally.
    IV. Recognize that toward the turn of the new millennium, numerous large corporations demonstrated the need for and integration of security into their internal systems. Antivirus products grew in popularity and information security grew into its own discipline because of these proactive initiatives.
    2000 to Present
    I. Recall the fact that millions of unsecured computer networks and billions of computing devices are communicating with each other.
    II. Recognize and apply the fact that cyberattacks are increasing and have caused governments and corporations to resign themselves to stronger information security protocols.
    III. Examine the exponential rise in mobile computing and how these devices bring their own set of vulnerabilities with respect to information security.
    IV. Apply the fact that one's ability to secure the information stored in their device is influenced by security protocols on the others they are connected to.
    V. Establish that wireless networks and their associated risks often have minimal security protocols in place and can be a catalyst for anonymous attacks.
    What Is Security? (1.3, PPT Slides 18 and 21–26)
    I. Define the term security and why it is important to have multiple layers of it to protect people, operations, infrastructure, functions, communications, and information.
    II. Emphasize the Committee on National Security Systems (CNSS) and its role in defining information security. This includes the protection of critical elements such as systems and hardware that store, transmit, and use information.
    III. Recognize the importance of the C.I.A. triad, which is nevertheless no longer an adequate model to apply to modern information security needs.
    Key Information Security Concepts
    I. Comprehend and define the following security terms and concepts:
      - Access: A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
  • 8.
      - Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data, or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
      - Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker's choosing, can operate autonomously or under the attacker's direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
      - Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following modules.
      - Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain, or an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
      - Exposure: A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
      - Loss: A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization's information is stolen, it has suffered a loss.
      - Protection profile or security posture: The entire set of controls and safeguards—including policy, education, training and awareness, and technology—that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.
      - Risk: The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.
      - Subjects and objects of attack: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. See Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
  • 9.
      - Threat: Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. The two terms are technically distinct, but to simplify discussion, the text will continue to use the term threat to describe threat sources.
      - Threat agent: The specific instance or a component of a threat. For example, the threat source of "trespass or espionage" is a category of potential danger to information assets, while "external professional hacker" (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as "acts of God/acts of nature."
      - Threat event: An occurrence of an event caused by a threat agent. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack.
      - Threat source: A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent "hackers," as part of the threat source "acts of trespass or espionage," purposely threaten unprotected information systems, while threat agent "severe storms," as part of the threat source "acts of God/acts of nature," incidentally threaten buildings and their contents.
      - Vulnerability: A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
    Critical Characteristics of Information
    I. Recognize that when a characteristic of information changes, the value of that information may increase but more often decreases.
    II. Comprehend and define the following security terms and concepts: confidentiality, personally identifiable information (PII), integrity, availability, accuracy, authenticity, utility, and possession.
    Confidentiality
    I. Define the purpose of confidentiality and the measures that must be in place to protect information.
      - Information classification
      - Securely storing documents
      - Applying general security policies and protocols
      - Educating information custodians and end users
    II. Analyze common reasons confidentiality breaches occur.
    III. Review the concept of personally identifiable information (PII) and its application to confidentiality.
    Integrity
  • 10. I. Examine the concept of integrity and its application to information security principles.
    II. Justify that file corruption is not strictly the result of hackers or other external forces but can include internal forces such as noise, low-voltage circuits, and retransmissions.
    Availability
    I. Define the concept of availability and how it allows users to access information without restriction in their required formats.
    Accuracy
    I. Understand that accuracy of data transmitted in information is important, as it must be free of mistakes or errors and must align with the end user's expectations.
    Authenticity
    I. Identify the fact that information is authentic when it is given to a user in the same state that it was created, placed, stored, or transferred.
    II. Evaluate the example of e-mail spoofing and how messages sent look authentic on the surface but are, in fact, not.
    Utility
    I. Examine the usefulness of information and how it can be applied for an end purpose.
    Possession
    I. Recall this attribute as one where the ownership or control of information has legitimacy or authorization.
    II. Assess the scenario where a breach of possession does not always equate to a breach of confidentiality.
    CNSS Security Model
    I. Discuss the concept of the McCumber Cube and its application to computer and information security protocols.
      - Quantify via Figure 1-9 (page 14) within the text that there are a total of 27 areas (3 x 3 x 3) that must be properly addressed during a security process.
      - Understand the fact that as policy, education, and technology increase, so too do the needs for confidentiality, integrity, availability, storage, processing, and transmission.
    II. Conclude that a common exclusion in this model is the need for guidelines and policies that provide direction for implementation technologies and the practices of doing so.
    Components of an Information System (1.3, PPT Slide 27)
    I. Recognize that to fully understand the importance of an information system, one must be aware of everything that is included within it.
    II. Review the six most common elements of an information system.
      - Software
      - Hardware
  • 11.
      - Data
      - People
      - Procedures
      - Networks
    Software
    I. Compare and contrast the different types of software that are used to digitally operate an information system. These include applications or programs, operating systems, and assorted command utilities.
    II. Justify that the core reason software is used is to carry information through an organization.
    Hardware
    I. Classify this part of an information system as the physical technologies that house and execute software, store and transport data, and provide an interface for entry and removal of information within it.
    II. Acquire an understanding of the concept of physical security and its importance to an information system.
    Data
    I. Recall that data that is stored, processed, and/or transmitted must be protected as it is the most valuable asset an organization possesses.
    II. Gain awareness that the protection of physical information is just as important as the protection of electronic information.
    People
    I. Establish that people are often the weakest link of an information system since they provide direction, design, develop, and ultimately use and game them to operate in the business world.
    Procedures
    I. Recall that procedures are written instructions that are created to accomplish a specific task or action. Note that they may or may not use the technology of an information system.
    II. Recognize that they provide the foundation for technical controls and security systems that must be designed so they can be implemented.
    Networks
    I. Acknowledge the fact that modern information processing systems are highly complex and rely on numerous internal and external connections.
    II. Conclude that networks are the highway on which information systems pass data and users complete their tasks on a daily basis.
    III. Justify that proper network controls in an organization are vital to managing information flows and the security of data transmitted internally and externally.
    Quick Quiz 1
  • 12. 1. True or False: Network security addresses the issues needed to protect items, objects, or areas.
    Answer: False
    2. Which type of security addresses the protection of all communications media, technology, and content?
      a. information
      b. network
      c. physical
      d. communication
    Answer: d
    3. Which type of security encompasses the protection of voice and data networking components, connections, and content?
      a. information
      b. network
      c. physical
      d. communications
    Answer: b
    4. What term is used to describe the quality or state of ownership or control of information?
      a. confidentiality
      b. possession
      c. authenticity
      d. integrity
    Answer: b
    5. True or False: If information has a state of being genuine or original and is not a fabrication, it has the characteristic of authenticity.
    Answer: True
    Security and the Organization (1.4, PPT Slides 28–33, 36–38, and 41)
    I. Analyze components that make up security as a program and the professionals who are tasked with maintaining it within an organization.
    Balancing Information Security and Access
    I. Recall that everyone does not have carte blanche access to all data that is transmitted, processed, or stored within or outside an organization.
    II. Comprehend that security is never an absolute as it is a process and not a goal.
    III. Interpret that security is a delicate balance between protection and availability.
    Approaches to Information Security Implementation
  • 13. I. Compare and contrast the two most commonly used approaches to information security implementation: bottom-up and top-down.
      - Bottom-up approaches implement security policies and/or practices from the ground up, where system administrators are responsible for improving the security of the system.
      - A top-down approach is quite the opposite, where upper management determines security policies for an organization. This is usually the Chief Information Officer (CIO) or the Vice President of Information Technology (VP-IT).
    II. Conclude that a bottom-up approach rarely works, and a top-down approach has the most effectiveness in an organization.
    Security Professionals
    I. Compare and contrast the different positions that are part of an implementation for an information security program.
      - The Chief Information Officer (CIO) is the senior technology officer of an organization and provides guidance to the owner or CEO on the strategic planning that affects information management in an organization.
      - The Chief Information Security Officer (CISO) assesses, manages, and implements information security in an organization.
    Senior Management
    I. Examine that the Chief Information Officer (CIO) is the senior technology officer, although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization.
    II. Contrast with the CIO that the Chief Information Security Officer (CISO) is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title.
    Information Security Project Team
    I. Review the core team members of an information security project team and their specific role:
      - Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
      - Team leader: A project manager, who may be a departmental line manager or staff unit manager and who understands project management, personnel management, and information security technical requirements.
      - Security policy developers: Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.
      - Risk assessment specialists: Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
      - Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
      - Systems administrators: Individuals whose primary responsibility is administering the systems that house the information used by the organization.
  • 14.
      - End users: Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
    Data Responsibilities
    I. Compare and contrast persons who own and safeguard data within an organization.
      - Data Owners: Those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change.
      - Data Custodians: Those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
      - Data Trustees: Individuals appointed by data owners who oversee the management of an information set and its use. Though these are often executives, they appoint someone else to handle these responsibilities.
      - Data Users: End users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
    II. Recall that data stewards are also known as data custodians.
    Communities of Interest
    I. Establish an understanding that each organization develops and maintains its own unique culture and values.
    II. Recall that a community of interest is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
    III. Disseminate the fact that there can be many different communities of interest in an organization which aid in information security practices.
    Information Security Management and Professionals
    I. Apply knowledge that these professionals are aligned with the information security community of interest.
    II. Review the fact that their goal is to protect an organization's information and stored information from internal and external attacks.
    Information Technology Management and Professionals
    I. Recognize that these individuals are often a team of IT managers and skilled professionals in a number of areas: systems design, programming, and networks at a minimum.
    II. Establish an understanding that their goals do not always align with the information security community based on an organization's structure. Conflict may result if there are inconsistencies between them.
    Organization Management and Professionals
I. Analyze that this group in an organization often consists of other managers and professionals who are consumers of the information being secured.

Information Security: Is It an Art or a Science? (PPT Slides 42–43)
I. Gain an understanding that the implementation of information security has often been described as a combination of art and science due to the complex nature of information systems.
II. Discuss the concept of a “security artisan” and explain how it is based on the way individuals saw technologists as computers became more commonplace in the workplace.

Security as Art
I. Recognize that there are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions.
II. Conclude that there is no one user’s manual that can solve all security issues that a system may encounter. As an organization becomes more complex, so do the controls and technology needed to keep it together.

Security as a Science
I. Establish an understanding that technologies that are developed are enacted by highly trained computer scientists and engineers who are required to operate at rigorous levels of performance.
II. Conclude that specific scientific conditions often cause virtually all actions that occur in a computer system. Nearly everything that negatively occurs in a system is a result of an interaction between software and hardware.
III. Justify that with enough time and resources, developers could eliminate faults that occur.

Security as a Social Science
I. Understand that a combination of components of both art and science makes security a social science.
II. Identify a social science as the examination of people’s behavior and their interactions with (information) systems.
III. Conclude that end users who need the information that security personnel protect are often the weakest links in the security chain.

Quick Quiz 2
1. When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow which approach?
b. executive-led
c. trickle down
d. top-down
e. bottom-up
Answer: c
2. ensures that only users with the rights, privileges, and need to access information are able to do so.
a. confidentiality
b. enhanced credentials
c. software engineers
d. awareness
Answer: a
3. True or False: The person responsible for the storage, maintenance, and protection of the information is the data custodian.
Answer: True
4. Which critical characteristic of information discussed focuses on whether information that is stored, transferred, created, or placed is in the same state as it was received?
a. utility
b. possession
c. accuracy
d. authenticity
Answer: d
5. Which of the following examines the behavior of individuals as they interact with systems, whether societal systems or information systems?
a. community science
b. social science
c. societal science
d. interaction management
Answer: b

Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What are the defining differences between computer security and information security? (1.2, PPT Slides 5, 7–9, and 13) Duration 15 minutes.
2. When reviewing the critical characteristics of information, which one is the most important? Why is that the case and should all receive equal attention? (1.3, PPT Slides 18 and 25–26) Duration 15 minutes.
3. Do information security professionals have superiority over one another outside of their ranking in an organization? Why or why not? (1.4, PPT Slides 29–33) Duration 15 minutes.
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and will be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include the following:
1. Using the Internet, find a recent feature article about a CISO or other IT professional with CISO job functions. Write a short summary of that individual and how he or she came to hold that position. The publications ComputerWorld and Information Week often have these kinds of features. Have students list the hardware assets found in a computing lab and then list the attributes of those assets. They should provide as many facts about each asset as possible.
2. Using a library with current periodicals, find a recent news article about a topic related to information security. Write a one- to two-page review of the article and how it is related to the principles of information security introduced in the textbook.

Additional Resources
Cengage Video Resources
• MindTap Video: What is Information Security
Internet Resources
• Internet Society—Histories of the Internet
• CNSS National Information Assurance Glossary
• Microsoft Security Development Lifecycle
• The Role of a Chief Security Officer

Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0 Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
Instructor Manual
Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Table of Contents
Purpose and Perspective of the Module
Cengage Supplements
Module Objectives
Complete List of Module Activities and Assessments
Key Terms
What's New in This Module
Module Outline
Discussion Questions
Suggested Usage for Lab Activities
Additional Activities and Assignments
Additional Resources
  Cengage Video Resources
  Internet Resources
Appendix
  Grading Rubrics
Purpose and Perspective of the Module
Protecting information is one of the most important tasks an organization must monitor around the clock, regardless of where personnel are located. In this module, students will learn the purpose of information security and why organizations need it. Next, they will gain an understanding of why a successful information security program is the shared responsibility of the entire organization and not just departments that focus on technology. In the second half of the module, emphasis is placed on the threats that prompt information security solutions and the common attacks associated with them. The final part of the module lists common information security issues that result from poor software development efforts.

Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives
The following objectives are addressed in this module:
2.1 Discuss the need for information security.
2.2 Explain why a successful information security program is the shared responsibility of the entire organization.
2.3 List and describe the threats posed to information security and common attacks associated with those threats.
2.4 List the common information security issues that result from poor software development efforts.

Complete List of Module Activities and Assessments
For additional guidance, refer to the MindTap Educator Guide.
Module Objective | PPT slide | Activity/Assessment | Duration
2.1, 2.2, and 2.3 | 11–12 | Knowledge Check Activity 1 | 2 minutes
2.3 and 2.4 | 31–32 | Knowledge Check Activity 2 | 2 minutes
2.4 | 64–65 | Knowledge Check Activity 3 | 2 minutes
2.1–2.4 | 77 | Self-Assessment | 5 minutes
MindTap Module 02 Review Questions: 30–40 minutes
MindTap Module 02 Case Exercises: 30 minutes
MindTap Module 02 Exercises: 10–30 minutes per question; 1+ hour per module
MindTap Module 02 Security for Life: 1+ hour
MindTap Module 02 Quiz: 10–15 minutes

Key Terms
In order of use:
information asset: The focus of information security; information that has value to the organization and the systems that store, process, and transmit the information.
media: As a subset of information assets, the systems, technologies, and networks that store and transmit information.
data: Items of fact collected by an organization; includes raw numbers, facts, and words.
information: Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
database: A collection of related data stored in a structured form and usually managed by specialized systems.
database security: A subset of information security that focuses on the assessment and protection of information stored in data repositories.
exploit: A technique used to compromise a system; may also describe the tool, program, or script used in the compromise.
intellectual property (IP): Original ideas and inventions created, owned, and controlled by a particular person or organization; IP includes the representation of original ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
availability disruption: An interruption or disruption in service, usually from a service provider, which causes an adverse event within an organization.
service level agreement (SLA): A document or part of a document that specifies the expected level of service from a service provider, including provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
uptime: The percentage of time a particular service is available.
downtime: The percentage of time a particular service is not available.
blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term decrease in quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
noise: The presence of additional and disruptive signals in network communications or electrical power delivery.
sag: A short-term decrease in electrical power availability.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.
competitive intelligence: The collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage.
industrial espionage: The collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage; also known as corporate spying.
shoulder surfing: The direct, covert observation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.
hacker: A person who accesses systems and information without authorization and often illegally.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information, and who often creates automated exploits, scripts, and tools used by other hackers; also known as an elite hacker.
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey.
professional hacker: A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government; not to be confused with a penetration tester.
penetration tester: An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems; also known as a pen tester.
pen tester: See penetration tester.
script kiddies: Novice hackers who use expertly written software to attack a system; also known as skids, skiddies, or script bunnies.
packet monkey: A novice hacker who uses automated exploits to engage in denial-of-service attacks.
privilege escalation: The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
jailbreaking: Escalating privileges to gain administrator-level or root access control over a smartphone operating system; typically associated with Apple iOS smartphones. See also rooting.
rooting: Escalating privileges to gain administrator-level control over a computer system (including smartphones); typically associated with Android OS smartphones. See also jailbreaking.
cracker: A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt services.
cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software (see cracker).
brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
10.4 password rule: An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one of the following four elements: an uppercase letter, one lowercase letter, one number, and one special character.
dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information.
rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file.
social engineering: The process of using interpersonal skills to convince people to reveal access credentials or other valuable information to an attacker.
business e-mail compromise (BEC): A social engineering attack involving the compromise of an organization’s e-mail system followed by a series of forged e-mail messages directing employees to transfer funds to a specified account, or to purchase gift cards and send them to an individual outside the organization.
advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only to send a small advance fee or personal banking information to facilitate the transfer.
phishing: A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
spear phishing: A highly targeted phishing attack.
pretexting: A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information; commonly performed by telephone.
information extortion: The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information.
cyberextortion: See information extortion.
ransomware: Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption.
hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
cyberactivist: See hacktivist.
doxing: A practice of using online resources to find and then disseminate compromising information, perhaps without lawful authority, with the intent to embarrass or harm the reputation of an individual or organization. The term originates from dox, an abbreviation of documents.
cyberterrorism: The conduct of terrorist activities via networks or Internet pathways.
cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.
cyberwarfare: Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state; sometimes called information warfare.
malware: Computer software specifically designed to perform malicious or unwanted actions.
malicious software: See malware.
zero-day attack: An attack that makes use of malware that is not yet known by the antimalware software companies.
adware: Malware intended to provide undesired marketing and advertising, including pop-ups and banners on a user’s screens.
spyware: Any technology that aids in gathering information about people or organizations without their knowledge.
virus: A type of malware that is attached to other executable programs and, when activated, replicates and propagates itself to multiple systems, spreading by multiple communications vectors.
macro virus: A type of virus written in a specific language to target applications that use the language and activated when the application’s product is opened; typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.
memory-resident virus: A virus that is capable of installing itself in a computer’s operating system, starting when the computer is activated, and residing in the system’s memory even after the host application is terminated; also known as a resident virus.
non-memory-resident virus: A virus that terminates after it has been activated, infected its host system, and replicated itself; does not reside in an operating system or memory after executing and is also known as a non-resident virus.
worm: A type of malware that is capable of activation and replication without being attached to an existing program.
Trojan horse: A malware program that hides its true nature and reveals its designed behavior only when activated.
polymorphic threat: Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
malware hoax: A message that reports the presence of nonexistent malware and wastes valuable time as employees share the message.
back door: A malware payload that provides access to a system by bypassing normal access controls or an intentional access control bypass left by a system designer to facilitate development.
trap door: See back door.
maintenance hook: See back door.
denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
distributed denial-of-service (DDoS) attack: A form of attack in which a coordinated stream of requests is launched against a target from multiple locations at the same time using bots or zombies.
bot: An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input; also known as a zombie.
zombie: See bot.
spam: Undesired e-mail, typically commercial advertising transmitted in bulk.
mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.
packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.
sniffer: See packet sniffer.
spoofing: The use of a communications identifier, such as a phone number, network address, or e-mail address, that is not accurately assigned to the source.
IP spoofing: A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations; also known as DNS spoofing.
man-in-the-middle: A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner; some of these attacks involve encryption functions.
TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
session hijacking: See TCP hijacking.
mean time between failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
mean time to failure (MTTF): The average amount of time until the next hardware failure.
mean time to diagnose (MTTD): The average amount of time a computer repair technician needs to determine the cause of a failure.
mean time to repair (MTTR): The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
annualized failure rate (AFR): The probability of a failure of hardware based on the manufacturer's data of failures per year.
cross-site scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
buffer overrun: An application error that occurs when more data is sent to a program buffer than it is designed to handle.
integer bug: A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
command injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
theft: The illegal taking of another's property, which can be physical, electronic, or intellectual.

What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 2 in the 6th edition.
• The sections on the threats and attacks were updated to reflect the latest trends, and examples were updated.
• The entire module was refreshed with a general update and given more current examples.

Module Outline

Introduction to the Need for Information Security (2.1, 2.2, PPT Slides 3–9)
VII. Discuss the view that information security is unlike any other aspect of information technology. The primary mission is to ensure things stay the way they are. Point out that if there were no threats to information and systems, we could focus on improving systems that support the information.
VIII. Explain that organizations must understand the environment in which information systems operate so that their information security programs can address actual and potential problems.
IX. Emphasize to students the four important functions for an organization with respect to information security:
   a. Protecting the organization's ability to function
   b. Protecting the data and information the organization collects and uses
   c. Enabling the safe operation of applications running on the organization's IT systems
   d. Safeguarding the organization's technology assets

Business Needs First
I. Explain that without the underlying business to generate revenue and use the information, the information is likely to lose value and the need for it would go to zero.
II. Stress that decisions about information security and the organization's assets should be made carefully and holistically.
III. Emphasize that protecting information within an organization is everyone's responsibility. Regardless of title, rank in the firm, or position, everyone must proactively protect the data the organization stores and uses.

Protecting Functionality
I. Discuss the fact that general management, IT management, and information security management are responsible for implementing information security to protect the ability of the organization to function.
II. Relate to students that information security is a management issue in addition to a technical issue; it is a people issue in addition to the technical issue.
III. Explain that to assist management in addressing the need for information security, communities of interest must communicate in terms of business impact and the cost of business interruption, and they must avoid arguments expressed only in technical terms.

Protecting Data That Organizations Collect and Use
I. Stress to students that many organizations realize that one of their most valuable assets is their data. Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers.
II. Explain the concept of data security. This concept is about protecting data in motion and data at rest, a critical aspect of information security. An effective information security program is essential to the protection of the integrity and value of the organization's data.
III. Detail how information is stored. Information is often stored in databases, and database security is important because it applies a broad range of control mechanisms to numerous areas of information security.

Enabling the Safe Operation of Applications
I. Explain that a modern organization needs to create an environment that protects and safeguards applications, specifically those that are important elements of the firm's infrastructure: operating systems, platforms, operational applications, e-mail, instant messaging applications, and text messaging platforms.

Safeguarding Technology Assets in Organizations
I. Relate to students that as an organization grows, so does its need for more robust technologies and commercial-grade solutions.
II. Explain the example that is provided in the textbook that lists core components of security technologies (a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities).
III. Establish that although cloud services provide another way to solve business information management challenges, they carry their own set of risks and concerns that must be defended against.

Information Security Threats and Attacks (2.3, PPT Slides 10 and 13–23)
I. Remind students that to make sound decisions about information security as well as to create and enforce policies, management must be informed of the various kinds of threats facing the organization and its applications, data, and information systems.
II. Explain that a threat is an object, person, or other entity that represents a constant danger to an asset. Point out that an attack represents an ongoing act against the asset that could result in a loss. Also mention that threat agents use exploits to take advantage of vulnerabilities where controls are not present or are no longer effective.

4.8 Billion Potential Hackers
I. State that about 62 percent of the world's population (about 4.8 billion) have some form of Internet access, which is significantly up from 2015, when 49.2 percent of the population had access.
II. Discuss the agreement that the threat from external sources increases when an organization connects to the Internet.
III. Guide students to briefly review the world Internet usage spread in Table 2-1.

Other Studies of Threats
I. Point out to students that according to a recent study and survey, 67.1 percent of responding organizations suffered malware infections. Also, more than 98 percent of responding organizations identified malware as the second-highest threat source behind electronic phishing/spoofing.
II. Discuss Tables 2-2, 2-3, and 2-4, which outline threats from internal and external stakeholders as well as general threats to information assets.

Common Attack Pattern Enumeration and Classification (CAPEC)
I. Introduce students to the CAPEC Web site, which can be used by security professionals to understand attacks.
II. Explain that this resource is a good tool for information security professionals to use to gain additional insight on how attacks occur procedurally.

The 12 Categories of Threats (2.3, 2.4, PPT Slides 24–72)
I. Use Table 2-5 to explain the 12 categories of threats that represent a clear and present danger to an organization's people, information, and systems. In summary, they are the following:
• Compromises to intellectual property
• Deviations in quality of service
• Espionage or trespass
• Forces of nature
• Human error or failure
• Information extortion
• Sabotage or vandalism
• Software attacks
• Technical hardware failures or errors
• Technical software failures or errors
• Technological obsolescence
• Theft
II. Recognize that a threat to an organization may include more than one of these categories, depending on the severity of the attack.

Compromises to Intellectual Property
I. Explain that many organizations create or support the development of intellectual property (IP) as part of their business operations. Intellectual property is defined as "the ownership of ideas and control over the tangible or virtual representation of those ideas."
II. Recall that intellectual property for an organization includes trade secrets, copyrights, trademarks, and patents. Once intellectual property has been defined and properly identified, breaches to IP constitute a threat to the security of this information. The most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy.

Software Piracy
I. Emphasize to students that the most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy.
II. Outline that in addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA), formerly the Software Publishers Association, and the Business Software Alliance (BSA).
III. Quantify the severity of software piracy with the following statistics mentioned in the text:
• The BSA estimates that 37 percent of software installed on personal computers globally was not properly licensed in 2018.
• Some countries indicate unlicensed rates of more than 50 percent.
IV. Recall that malware attacks significantly increase with the use of unlicensed software.

Copyright Protection and User Registration
I. Discuss that enforcement of copyright laws has been attempted through several technical security mechanisms, such as digital watermarks, embedded code, and copyright codes.
II. Identify that online registrations combat piracy because users must register their software to complete the installation process. Caution students that key generators can be used to override and outsmart online registration tools and still result in intellectual property losses.
Deviations in Quality of Service
I. Summarize that concerns in this category represent situations in which a product or service is not delivered to the organization as expected.
II. Explain that the organization's information system depends on the successful operation of many interdependent support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers.

Internet Service Issues
I. Explain that Internet service, communications, and power irregularities are three sets of service issues that dramatically affect the availability of information and systems. This holds whether a person is at the office or connecting through a virtual private network (VPN) connection.
II. Justify that the U.S. government's Federal Communications Commission (FCC) maintains a Network Outage Reporting System (NORS), which, according to FCC regulation 47 C.F.R. Part 4, requires communications providers to report outages that disrupt communications at certain facilities, like emergency services and airports.
III. Report that when an Internet service provider fails to meet the terms in a service level agreement (SLA), it is often fined to cover client losses, although the lost business exceeds anything recovered. This is the case even with vendors that promote high uptime (or low downtime).
IV. Apply the example of Amazon and how a 30- to 40-minute outage cost them a significant amount of money ($3-4 million) in just that short amount of time.
V. Identify the most common causes of downtime and the financial impact of those incidents from the data provided in Figure 2-4.

Communication and Other Service Provider Issues
I. Describe communications and other service provider issues: other utility services can impact organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function properly.

Power Irregularities
I. Describe power irregularities: irregularities from power utilities are common and can lead to fluctuations, such as power excesses, power shortages, and power losses. In the United States, we are "fed" 120-volt, 60-cycle power usually through 15-amp and 20-amp circuits.
II. Explain that voltage levels are subject to a spike (momentary increase), surge (prolonged increase), sag (momentary decrease), brownout (prolonged drop in voltage), fault (momentary complete loss of power) or blackout (a lengthier loss of power).
III. Emphasize that organizations with dedicated power needs must think of backup solutions such as generators to provide power in the event of an outage. This is especially the case for information technology and security-related systems.
IV. Predict that because sensitive electronic equipment, especially networking equipment, computers, and computer-based systems, is susceptible to fluctuations, controls should be applied to manage power quality.
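The six voltage events defined in item II of Power Irregularities differ only in direction and duration, so they can be told apart in a series of voltage readings. The following is an added example, not part of the instructor manual or the textbook: a Python classifier run over constructed one-second readings on a 120-volt feed. The 10 percent tolerance band, the 10-volt floor for a complete loss, and the 3-second boundary between momentary and prolonged are assumptions chosen for illustration.

```python
"""Classify power irregularities in a series of RMS voltage readings."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

NOMINAL_VOLTS = 120.0        # from the outline: 120-volt service
TOLERANCE = 0.10             # assumption: within +/-10% of nominal is normal
LOSS_FLOOR_VOLTS = 10.0      # assumption: below this counts as complete loss
MOMENTARY_MAX_SECONDS = 3    # assumption: anything longer is "prolonged"

# (direction, prolonged?) -> event name, following the outline's definitions
EVENT_NAMES = {
    ("high", False): "spike",     # momentary increase
    ("high", True): "surge",      # prolonged increase
    ("low", False): "sag",        # momentary decrease
    ("low", True): "brownout",    # prolonged drop in voltage
    ("loss", False): "fault",     # momentary complete loss of power
    ("loss", True): "blackout",   # lengthier loss of power
}


@dataclass(frozen=True)
class PowerEvent:
    kind: str
    start_second: int
    duration_seconds: int
    extreme_volts: float   # highest reading for increases, lowest otherwise


def direction(volts: float) -> Optional[str]:
    """Return 'loss', 'high', 'low', or None for a reading inside the band."""
    if volts < LOSS_FLOOR_VOLTS:
        return "loss"
    if volts > NOMINAL_VOLTS * (1 + TOLERANCE):
        return "high"
    if volts < NOMINAL_VOLTS * (1 - TOLERANCE):
        return "low"
    return None


def classify(samples: Iterable[float], sample_seconds: int = 1) -> List[PowerEvent]:
    """Group consecutive out-of-band readings into named power events.

    A sag that degrades into a complete loss is reported as two events,
    because the direction changes from 'low' to 'loss'.
    """
    events: List[PowerEvent] = []
    run_dir: Optional[str] = None
    run_start = 0
    run_values: List[float] = []
    # The trailing nominal reading is a sentinel that closes a run still
    # open at the end of the data; its duration is the part observed so far.
    for i, volts in enumerate(list(samples) + [NOMINAL_VOLTS]):
        d = direction(volts)
        if d != run_dir:
            if run_dir is not None:
                duration = (i - run_start) * sample_seconds
                prolonged = duration > MOMENTARY_MAX_SECONDS
                extreme = max(run_values) if run_dir == "high" else min(run_values)
                events.append(PowerEvent(EVENT_NAMES[(run_dir, prolonged)],
                                         run_start * sample_seconds,
                                         duration, extreme))
            run_dir, run_start, run_values = d, i, []
        if d is not None:
            run_values.append(volts)
    return events


# Constructed sample: one reading per second, containing each event once.
SAMPLE_READINGS = [
    120, 121, 119,            # normal
    170,                      # 1 s increase
    120, 120,
    135, 136, 134, 135, 133,  # 5 s increase
    120,
    100,                      # 1 s decrease
    120,
    102, 101, 100, 99, 101,   # 5 s decrease
    120,
    0,                        # 1 s complete loss
    120,
    0, 0, 0, 0, 0, 0,         # 6 s complete loss
    118,
]

if __name__ == "__main__":
    for event in classify(SAMPLE_READINGS):
        print(f"t={event.start_second:>2}s  {event.kind:<9}"
              f"{event.duration_seconds}s  extreme={event.extreme_volts} V")
```

A UPS or power-monitoring log that records readings at a fixed interval can be fed to `classify` by passing that interval as `sample_seconds`.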
Espionage or Trespass
I. Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information.
II. Establish that when an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass.
III. Contrast the assumption some people hold, that information-gathering techniques are illegal, with the fact that they are not. When these techniques are done properly, this is referred to as competitive intelligence. However, if a legal or ethical threshold is crossed, the persons doing this are conducting industrial espionage.
IV. Describe the concept of shoulder surfing. Emphasize that it commonly occurs at computer terminals, desks, ATM machines, smartphones, or other places where a person is accessing confidential information.
V. Justify the notion that users should always be aware of the presence of others when they are accessing sensitive data.

Hackers
I. Present the fact that trespassing often leads to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
II. Discuss that the classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The hacker frequently spends long hours examining the types and structures of the targeted systems.
III. Remind students that there are generally two skill levels among hackers. The first is the expert hacker, who develops software scripts and program exploits used by the second category, the novice, or unskilled hacker.
IV. Explain that the expert hacker is usually a master of several programming languages, networking protocols, and operating systems and exhibits a mastery of the technical environment of the chosen targeted system.
V. Demonstrate that expert hackers who have become bored with directly attacking systems have turned to writing software. The software they write consists of automated exploits that allow novice hackers to become script kiddies (or packet monkeys): hackers of limited skill who use expertly written software to exploit a system, but do not fully understand or appreciate the systems they hack.
VI. Compare and contrast professional hackers and penetration (pen) testers. Although they are doing the same thing, which is testing the information and network defenses, professional hackers are doing it illegally, whereas pen testers are doing it ethically and professionally.

Escalation of Privileges
I. Discuss the term privilege escalation. Explain that a common example of privilege escalation is called jailbreaking or rooting.
II. Justify that according to the U.S. Copyright Office, the practice of jailbreaking smartphones was considered legal as a special exemption under the Digital Millennium Copyright Act, but jailbreaking a tablet (such as the iPad) was not and often voids any manufacturer warranty.

Hacker Variants
I. Describe that there are other terms for system rule breakers as mentioned in the text:
• Crackers are now commonly associated with an individual who "cracks" or removes software protection that is designed to prevent unauthorized duplication.
• Phreakers hack the public telephone network to make free calls, disrupt services, and generally wreak havoc. Although more common in the 1970s, they can still do a number on phone systems.

Password Attacks
I. Emphasize that password attacks fall under the category of espionage and are a serious offense.
II. Outline the four approaches to password cracking:
• brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
• dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
• rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
• social engineering: An attempt to gain access by contacting low-level employees and offering to help with their computer issues.
III. Evaluate the purpose and composition of the 10.4 password rule and how it can provide a method for users to generate a stronger password that is less likely to be hacked.
IV. Recommend that students review Table 2-6 to see how the odds increase with the number of characters in a password, and the time it would take to crack it on a 2020-era computer system.

Social Engineering Password Attacks
I. Stress that hackers posing as friendly help-desk associates or repair techs have an easy inroad into servers and systems, even if they resolve a user's issue.
II. Critique the scenario where hackers can work inside an organization and even at a help desk using this method to gain systems access where they would otherwise be denied entry. This is true even if their background check comes up clean.
III. Distinguish the fact that attempts to gain access like this are often subtle and go unnoticed until it is too late.

Forces of Nature
I. Discuss how forces of nature, force majeure, or acts of God pose some of the most dangerous threats, because they are unexpected and can occur with little warning.
II. Emphasize that pandemics, such as the 2020 COVID-19 outbreak, are considered a force of nature even though most things remained operational.
III. Explain that these threats can disrupt not only the lives of individuals but also the storage, transmission, and use of information. Since it is not possible to avoid many of these threats, management must implement controls to limit damage and prepare contingency plans for continued operations.
IV. Outline the 11 forces of nature covered in the text. They are the following:
• Fires
• Floods
• Earthquakes
• Lightning
• Landslides or mudslides
• Tornados or severe windstorms
• Hurricanes, typhoons, and tropical depressions
• Tsunamis
• Electrostatic discharge (ESD)
• Dust contamination
• Solar activity

Fire
I. Outline ways a fire can cause damage to computing equipment up to the point of compromising all or part of a system. This includes the fire itself, suppression systems such as sprinklers, or water from firefighting hoses.
II. Demonstrate that this threat often can be mitigated with fire casualty insurance or business interruption insurance policies.

Floods
I. Detail the net effects a flood can have on a facility and computing equipment. On top of damaging the systems, building access may also be compromised.
II. Explain that this specific threat often may be mitigated with flood insurance or business interruption insurance. This is especially important if the business is in a potential flood zone as deemed by FEMA.

Earthquakes
I. Present that an earthquake can cause direct damage to information system equipment and/or the facilities that house the equipment.
II. Stress that not only physical structures are at risk. Give the example in the text of a large earthquake off the coast of Taiwan that severed underwater communications cables.
III. Explain that this specific threat can sometimes be mitigated with casualty or business interruption insurance. Often, as mentioned, it is covered under its own policy.

Lightning
I. Illustrate what a lightning strike is. It is an abrupt, discontinuous natural electric discharge in the atmosphere.
II. Recognize that lightning strikes not only can damage all or part of an information system but also cause building damage, fires, or other damage.
III. Emphasize proactive measures that can be taken by installing specialized lightning rods placed strategically on and around the organization's facilities and by installing special circuit protectors in the organization's electrical service.
IV. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance.

Landslides, Mudslides, and Avalanches
I. Relate that these are downward slides of masses of earth, rock, or snow and are sometimes sudden or with minimal notice so evacuations can take place.
II. Direct students to understand the impacts here to buildings that house the systems. Depending on the severity of the incident, they may be destroyed or temporarily buried.
III. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance.

Tornados and Severe Windstorms
I. Contrast the differences between a tornado and wind shear events.
II. Denote that a tornado can directly damage all or part of the facility housing the information systems, depending on the strength of the funnel cloud and wind speed.
III. Explain that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance.

Hurricanes, Typhoons, and Tropical Depressions
I. Compare the difference between a typhoon and a hurricane. Note that they are virtually the same thing, with the exception of their location in the world.
II. Stress that excessive rainfall and high winds from these storms can directly damage all or part of the information system or, more likely, the building that houses it. Organizations in coastal or low-lying areas may suffer flooding as well, which would restrict access to the buildings that house information systems.
III. Guide students to understand that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance.

Tsunamis
I. Describe the impact of a tsunami and the severity of impact that just one event may cause.
II. Apply the tsunami that occurred in 2011 as a threat that affected the world directly and indirectly.
III. Explain that this threat can sometimes be mitigated with casualty insurance or business interruption insurance.

Electrostatic Discharge
I. Illustrate what an electrostatic discharge (ESD) is and the impact it can have on flammable mixtures or electronic components.
II. Stress that as little as 10 volts can cause catastrophic damage to information systems equipment, and humans cannot detect static electricity until it reaches about 1,500 volts. Discharges from walking across dry carpet can exceed 12,000 volts.
III. Emphasize that the financial repercussions of static discharge could result in millions of dollars of damage and significant loss of production time in information processing. Although ESD can disrupt information systems, it is not usually an insurable loss unless covered by business interruption insurance.

Dust Contamination
I. Relate that dust particle buildups and debris inside systems can dramatically reduce the effectiveness and efficiency of the equipment. This often leads to unexpected shutdowns and overheating.
II. Stress that this can often shorten the life of information systems and disrupt normal operations.

Solar Activity
I. Recognize that solar flares or extremes in radiation can affect power grids and power lines, blow out transformers, and shut down power stations.
II. Emphasize that businesses that rely on satellites should have alternate options available should communications from them be disrupted.

Human Error or Failure
I. Describe this category and comment to students that it includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization.
II. Discuss the fact that employees constitute one of the greatest threats to information security, as they are the individuals closest to the organizational data. Employee mistakes can easily lead to the following: revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information.
III. Note that many threats can be prevented with controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to more complex procedures, such as the verification of commands by a second party.
IV. Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information.

Social Engineering
I. Define within the context of information security that social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
II. Explain that people are the weakest link. You can have the best technology (firewalls, intrusion-detection systems, biometric devices) and somebody can call an unsuspecting employee and obtain a wealth of information.

Business E-Mail Compromise (BEC)
I. Stress that this is one of the newest forms of social engineering attack methods being deployed on organizations today.
II. Detail the process of how an attacker gains access to the system either through another social engineering attack or technical exploit and then proceeds to request that employees within the organization, usually administrative assistants to high-level executives, transfer funds to an outside account or purchase gift cards and send them to someone outside the organization.
III. Emphasize that in 2019 alone, there were 24,000 BEC complaints and projected losses of more than $1.7 billion.

Advance-Fee Fraud
I. Compare and contrast one of the most common social engineering attacks, known as advance-fee fraud (AFF), with phishing.
II. Stress that AFF is also known as 4-1-9 fraud, a name taken from the Nigerian Penal Code and not from an area code in northern Ohio.
III. Examine the sample letter in Figure 2-9, which illustrates this scheme in practice.
IV. Outline to students that this scam is one for stealing funds from credulous people, first by requiring them to participate in a proposed money-making venture by sending money up front, and then by soliciting an endless series of fees. In the most serious cases, kidnapping, extortion, or murder can result.
V. Quantify that, most recently in 2020, up to $100 billion has been swindled using this method.

Phishing
I. Distinguish phishing as an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity.
II. Emphasize that a variant is spear phishing, a label that applies to any highly targeted phishing attack. While normal phishing attacks target as many recipients as possible, a spear phisher sends a message that appears to be from an employer, a colleague, or other legitimate correspondent to a small group, or even one specific person.
III. Discuss that phishing attacks use two primary techniques, often used in combination with one another: URL manipulation and Web site forgery.

Pretexting
I. Point out that another form of social engineering is called pretexting, which is sometimes referred to as phone phishing.
II. Emphasize that VoIP phone services have made it easy to spoof caller IDs and hence hide the identity of someone who may be on the other end of the line.

Information Extortion
I. Illustrate how information extortion involves the possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement to not disclose the information. Extortion is common in credit card number theft.
II. Give examples provided in the textbook of different information extortion incidents and the impacts to their respective businesses. Convey to students that a company, regardless of its size or function, is susceptible to extortion.

Ransomware
I. Explain that the latest type of attack in this category is known as ransomware, which is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user's system and data for a fee.
II. Compare and contrast the two different types of ransomware: lockscreen and encryption.
• Lockscreen ransomware denies access to the system by disabling access to the desktop and preventing the user from bypassing the ransom screen that demands payment for access.
• Encryption ransomware is more severe, as it requires payment up front to access one's hard drive after their information has been encrypted.
III. Illustrate the three examples of ransomware activities highlighted in the text and stress to students that these types of attacks occur daily, and an information security team must be on guard to overcome and nullify these.

Sabotage or Vandalism
I. Summarize that this type of threat involves the deliberate sabotage of a computer system or business or acts of vandalism to either destroy an asset or damage the image of an organization.
II. Emphasize that these threats can range from petty vandalism by employees to organized sabotage against an organization.
III. Identify that organizations frequently rely on image to support the generation of revenue, and vandalism to a Web site can erode consumer confidence, thus reducing the organization's sales and net worth. Compared to Web site defacement, vandalism within a network is more malicious in intent and less public.

Online Activism
I. Explain that security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist operations. A more extreme version is referred to as cyberterrorism (which is explained next).
II. Stress that doxing is where a hacker uses online resources to find and disseminate compromising information for the purpose of harming or harassing an individual, group, or government entity. Apply Figure 2-14 as an example of this in action.

Cyberterrorism and Cyberwarfare
I. Detail the purpose of cyberterrorism and what the United States and other government bodies are doing to combat this.
II. Differentiate between the three examples provided in the text with respect to supposed cyberterrorism attacks and why it is important to be on guard.
III. Relate that some government entities express concern that cyberattacks that are aimed at disrupting their entities are likely to be seen as cyberwarfare. Note that their purpose is to take down critical infrastructure.
IV. Apply one of the most recent attacks on critical infrastructure in the United States, the Colonial Pipeline shutdown that wreaked havoc in the eastern part of the country, as an example of a cyberterrorism threat in the eyes of the federal government.

Positive Online Activism
I. Compare cyberterrorism to more positive online activism, such as using Facebook, Twitter, and so on to perform fundraising and raise awareness of social issues.
II. Stress that positive online activism is a legal right, provided it does not cross the moral threshold into illegal activities.

Quick Quiz 1
1. True or False: The three communities of interest are general management, operations management, and information security management.
Answer: False
2. Hackers of limited skill who use expertly written software to attack a system are known as which of the following?
a. cyberterrorists
b. script kiddies
c. jailbreakers
d. social engineers
Answer: b
3. Which of the following occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it?
a. information extortion
b. technological extortion
c. insider trading
d. information hoarding
Answer: a
4. Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?
a. cyberattackers
b. electronic terrorists
c. cyberterrorists
d. electronic hackers