SlideShare a Scribd company logo
Instructor Manual Principles of Information
Security, 7th Edition by Michael E.Whitman
Instructor Manual
Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module
1: Introduction to Information Security
Table of Contents
Purpose and Perspective of the Module ......................................................................................2
Cengage Supplements ................................................................................................................2
Module Objectives.......................................................................................................................2
Complete List of Module Activities and Assessments...................................................................2
Key Terms...................................................................................................................................3
What's New in This Module .........................................................................................................4
Module Outline............................................................................................................................4
Discussion Questions................................................................................................................15
Suggested Usage for Lab Activities ...........................................................................................16
Additional Activities and Assignments........................................................................................17
Additional Resources.................................................................................................................17
Cengage Video Resources........................................................................................................................ 17
Internet Resources................................................................................................................................... 17
Appendix...................................................................................................................................18
Grading Rubrics ....................................................................................................................................... 18
Purpose and Perspective of the Module
The first module of the course in information security provides learners the foundational
knowledge to become well versed in the protection systems of any size need within an
organization today. The module begins with fundamental knowledge of what information
security is and the how computer security evolved into what we know now as information
security today. Additionally, learners will gain knowledge on the how information security can be
viewed either as an art or a science and why that is the case.
Cengage Supplements
The following product-level supplements are available in the Instructor Resource Center and
provide additional information that may help you in preparing your course:
 PowerPoint slides
 Test banks, available in Word, as LMS-ready files, and on the Cognero platform
 MindTap Educator Guide
 Solution and Answer Guide
 This instructor‘s manual
Module Objectives
The following objectives are addressed in this module:
1.1 Define information security.
1.2 Discuss the history of computer security and explain how it evolved into information
security.
1.3 Define key terms and critical concepts of information security.
1.4 Describe the information security roles of professionals within an organization.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.
Module
Objective
PPT slide Activity/Assessment Duration
2 Icebreaker: Interview Simulation 10 minutes
1.1–1.2 19–20 Knowledge Check Activity 1 2 minutes
1.3 34–35 Knowledge Check Activity 2 2 minutes
1.4 39–40 Knowledge Check Activity 3 2 minutes
1.1–1.4 MindTap Module 01 Review Questions 30–40 minutes
1.1 – 1.4 MindTap Module 01 Case Exercises 30 minutes
1.1 – 1.4 MindTap Module 01 Exercises 10–30 minutes per
question; 1+ hour
per module
1.1 – 1.4 MindTap Module 01 Security for Life 1+ hour
1.1 – 1.4 MindTap Module 01 Quiz 10–15 minutes
[return to top]
Key Terms
In order of use:
computer security: In the early days of computers, this term specified the protection of the
physical location and assets associated with computer technology from outside threats, but it
later came to represent all actions taken to protect computer systems from losses.
security: A state of being secure and free from danger or harm as well as the actions taken to
make someone or something secure.
information security: Protection of the confidentiality, integrity, and availability of information
assets, whether in storage, processing, or transmission, via the application of policy, education,
training and awareness, and technology.
network security: A subset of communications security; the protection of voice and data
networking components, connections, and content.
C.I.A. triad: The industry standard for computer security since the development of the
mainframe; the standard is based on three characteristics that describe the attributes of
information that are important to protect: confidentiality, integrity, and availability.
confidentiality: An attribute of information that describes how data is protected from disclosure
or exposure to unauthorized individuals or systems.
personally identifiable information (PII): Information about a person‘s history, background,
and attributes that can be used to commit identity theft that typically includes a person‘s name,
address, Social Security number, family information, employment history, and financial
information.
integrity: An attribute of information that describes how data is whole, complete, and
uncorrupted.
availability: An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
accuracy: An attribute of information that describes how data is free of errors and has the value
that the user expects.
authenticity: An attribute of information that describes how data is genuine or original rather
than reproduced or fabricated.
utility: An attribute of information that describes how data has value or usefulness for an end
purpose.
possession: An attribute of information that describes how the data‘s ownership or control is
legitimate or authorized.
McCumber Cube: A graphical representation of the architectural approach used in computer
and information security that is commonly shown as a cube composed of 3×3×3 cells, similar to
a Rubik‘s Cube.
information system: The entire set of software, hardware, data, people, procedures, and
networks that enable the use of information resources in the organization.
physical security: The protection of material items, objects, or areas from unauthorized access
and misuse.
bottom-up approach: A method of establishing security policies and/or practices that begins as
a grassroots effort in which systems administrators attempt to improve the security of their
systems.
top-up approach: A methodology of establishing security policies and/or practices that is
initiated by upper management.
chief information officer (CIO): An executive-level position that oversees the organization‘s
computing technology and strives to create efficiency in the processing and access of the
organization‘s information.
chief information security officer (CISO): The title typically assigned to the top information
security manager in an organization.
data owners: Individuals who control and are therefore ultimately responsible for the security
and use of a particular set of information.
data custodians: Individuals who are responsible for the storage, maintenance, and protection
of information.
data stewards: See data custodians.
data trustees: Individuals who are assigned the task of managing a particular set of information
and coordinating its protection, storage, and use.
data users: Internal and external stakeholders (customers, suppliers, and employees) who
interact with information in support of their organization‘s planning and operations.
community of interest: A group of individuals who are united by similar interests or values
within an organization and who share a common goal of helping the organization to meet its
objectives.
[return to top]
What's New in This Module
The following elements are improvements in this module from the previous edition:
 This Module was Chapter 1 in the 6th edition.
 The content that covered Systems Development was moved to Module 11:
Implementation.
 The Module was given a general update and given more current examples.
[return to top]
Module Outline
Introduction to Information Security (1.1, 1.2, PPT Slides 4–17)
I. Recognize that organizations, regardless of their size or purpose, have information they
must protect and store internally and externally.
II. Analyze the importance and reasoning an organization must be responsible for the
information they collect, store, and use.
III. Review the concept of computer security and when the need for it initially arose.
IV. Discuss how badges, keys, and facial recognition of authorized personnel are required
to access military locations deemed sensitive.
V. Describe the primary threats to security: physical theft of equipment, product espionage,
and sabotage.
VI. Examine information security practices in the World War II era and compare with modern
day needs.
The 1960s
I. Explain the purpose of the Department of Defense‘s Advanced Research Procurement
Agency (ARPA) and their need to create redundant networked communications systems
so that the military can exchange information.
II. Identify Dr. Larry Roberts as the creator of the ARPANET project and now the modern-
day Internet.
The 1970s and ’80s
I. Critique the use of ARPANET and how it became more widely used and consequentially
misused.
II. Recognize that Robert M. Metcalfe expressed concerns about ARPANET and how it
could be easily hacked into due to password structure vulnerabilities, lack of safety
protocols, and widely distributed phone numbers for system access.
III. Conclude that a lack of controls in place provided users limited safeguards to protect
themselves from unauthorized remote users.
IV. Discuss how dial-up connections lacked safety protocols when connecting to ARPANET.
V. Recall that authorizations into the system and a lack of user identification were
significant security risks for ARPANET during this time.
VI. Evaluate the movement of stronger security protocols thanks to the implementation of
conclusions from the Rand Report R-609.
VII. Relate how the need of physical security protocols grew to include computer security
protocols as part of a holistic information security plan.
MULTICS
I. Define the purpose of the Multiplexed Information and Computing Service (MULTICS)
and its importance to information security.
II. Relate that the restructuring of the MULTICS project created the UNIX operating system
in 1969.
III. Contrast the facts that the MULTICS system had multiple security levels planned,
whereas the new UNIX system did not have them included.
IV. Examine the decentralization of data processing and why it is important to modern-day
information security protocols.
V. Distinguish that in the late 1970s microprocessors transformed computing capabilities
but also established new security threats.
VI. Recall the Defense Advanced Research Projects Agency (DARPA) created the
Computer Emergency Response Team (CERT) in 1988.
VII. Conclude that not until the mid-1980s computer security was a non-issue for federal
information systems.
The 1990s
I. Understand that as more computers and their networks became more common, the
need to connect networks rose in tandem during this time. Hence, the Internet was born
out of the need to have a global network of networks.
II. Analyze the consequences of how exponential growth of the Internet early on resulted in
security being a low priority over other core components.
III. Identify that the networked computers were the most common style of computing during
this time. However, a result of this was the lessened ability to secure a physical
computer and stored data is more exposed to security threats internally and externally.
IV. Recognize that toward the turn of the new millennium, numerous large corporations
demonstrated the need and integration of security into their internal systems. Antivirus
products grew in popularity and information security grown into its own discipline
because of these proactive initiatives.
2000 to Present
I. Recall the fact that millions of unsecured computer networks and billions of computing
devices are communicating with each other.
II. Recognize and apply the fact that cyberattacks are increasing and have caused
governments and corporations to resign themselves to stronger information security
protocols.
III. Examine the exponential rise in mobile computing and how these devices bring their
own set of vulnerabilities with respect to information security.
IV. Apply the fact that one‘s ability to secure the information stored in their device is
influenced by security protocols on the others they are connected to.
V. Establish that wireless networks and their associated risks often have minimal security
protocols in place and can be a catalyst for anonymous attacks.
What Is Security? (1.3, PPT Slides 18 and 21–26)
I. Define the term security and why it is important to have multiple layers of it to protect
people, operations, infrastructure, functions, communications, and information.
II. Emphasize the role of the Committee on National Security Systems (CNSS) and its role
in defining information security. This includes the protection of critical elements such as
systems and hardware that stores, transmits, and use information.
III. Recognize the importance of the C.I.A. Triad but which is no longer an adequate model
to apply to modern information security needs.
Key Information Security Concepts
I. Comprehend and define the following security terms and concepts:
 Access: A subject or object‘s ability to use, manipulate, modify, or affect another
subject or object. Authorized users have legal access to a system, whereas hackers
must gain illegal access to a system. Access controls regulate this ability.
 Asset: The organizational resource that is being protected. An asset can be logical,
such as a Web site, software information, or data, or an asset can be physical, such
as a person, computer system, hardware, or other tangible object. Assets,
particularly information assets, are the focus of what security efforts are attempting to
protect.
 Attack: An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it. Attacks can be active or passive,
intentional or unintentional, and direct or indirect. Someone who casually reads
sensitive information not intended for his or her use is committing a passive attack. A
hacker attempting to break into an information system is an intentional attack. A
lightning strike that causes a building fire is an unintentional attack. A direct attack is
perpetrated by a hacker using a PC to break into a system. An indirect attack is a
hacker compromising a system and using it to attack other systems—for example, as
part of a botnet (slang for robot network). This group of compromised computers,
running software of the attacker‘s choosing, can operate autonomously or under the
attacker‘s direct control to attack systems and steal user information or conduct
distributed denial-of-service attacks. Direct attacks originate from the threat itself.
Indirect attacks originate from a compromised system or resource that is
malfunctioning or working under the control of a threat.
 Control, safeguard, or countermeasure: Security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities,
and otherwise improve security within an organization. The various levels and types
of controls are discussed more fully in the following modules.
 Exploit: A technique used to compromise a system. This term can be a verb or a
noun. Threat agents may attempt to exploit a system or other information asset by
using it illegally for their personal gain, or an exploit can be a documented process to
take advantage of a vulnerability or exposure, usually in software, that is either
inherent in the software or created by the attacker. Exploits make use of existing
software tools or custom-made software components.
 Exposure: A condition or state of being exposed; in information security, exposure
exists when a vulnerability is known to an attacker.
 Loss: A single instance of an information asset suffering damage or destruction,
unintended or unauthorized modification or disclosure, or denial of use. When an
organization‘s information is stolen, it has suffered a loss. Protection profile or
security posture is the entire set of controls and safeguards—including policy,
education, training and awareness, and technology—that the organization
implements to protect the asset. The terms are sometimes used interchangeably with
the term security program although a security program often comprises managerial
aspects of security, including planning, personnel, and subordinate programs.
 Risk: The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite—the quantity and
nature of risk they are willing to accept.
 Subjects and objects of attack: A computer can be either the subject of an
attack—an agent entity used to conduct the attack—or the object of an attack: the
target entity. See Figure 1-8. A computer can also be both the subject and object of
an attack. For example, it can be compromised by an attack (object) and then used
to attack other systems (subject).
 Threat: Any event or circumstance that has the potential to adversely affect
operations and assets. The term threat source is commonly used interchangeably
with the more generic term threat. The two terms are technically distinct, but to
simplify discussion, the text will continue to use the term threat to describe threat
sources.
 Threat agent: The specific instance or a component of a threat. For example, the
threat source of ―trespass or espionage‖ is a category of potential danger to
information assets, while ―external professional hacker‖ (like Kevin Mitnick, who was
convicted of hacking into phone systems) is a specific threat agent. A lightning strike,
hailstorm, or tornado is a threat agent that is part of the threat source known as ―acts
of God/acts of nature.‖
 Threat event: An occurrence of an event caused by a threat agent. An example of a
threat event might be damage caused by a storm. This term is commonly used
interchangeably with the term attack.
 Threat source: A category of objects, people, or other entities that represents the
origin of danger to an asset—in other words, a category of threat agents. Threat
sources are always present and can be purposeful or undirected. For example,
threat agent ―hackers,‖ as part of the threat source ―acts of trespass or espionage,‖
purposely threaten unprotected information systems, while threat agent ―severe
storms,‖ as part of the threat source ―acts of God/acts of nature,‖ incidentally
threaten buildings and their contents.
 Vulnerability: A potential weakness in an asset or its defensive control system(s).
Some examples of vulnerabilities are a flaw in a software package, an unprotected
system port, and an unlocked door. Some well-known vulnerabilities have been
examined, documented, and published; others remain latent (or undiscovered).
Critical Characteristics of Information
I. Recognize that when a characteristic of information changes, the value of that
information may increase but more so decreases.
II. Comprehend and define the following security terms and concepts: confidentiality,
personally identifiable information (PII), integrity, availability, accuracy, authenticity,
utility, and possession.
Confidentiality
I. Define the purpose of confidentiality and the measures that must be in place to protect
information.
 Information classification
 Securely storing documents
 Applying general security policies and protocols
 Educating information custodians and end users
II. Analyze common reasons confidentiality breaches occur.
III. Review the concept of personally identifiable information (PII) and its application to
confidentiality.
Integrity
I. Examine the concept of integrity and its application to information security principles.
II. Justify that file corruption is not strictly the result of hackers or other external forces but
can include internal forces such as noise, low-voltage circuits, and retransmissions.
Availability
I. Define the concept of availability and how it allows users to access information without
restriction in their required formats.
Accuracy
I. Understand that accuracy of data transmitted in information is important as it must be
free of mistakes or errors, and it aligns with end user‘s expectations.
Authenticity
I. Identify the fact that information is authentic when it is given to a user in the same state
that it was created, placed, stored, or transferred.
II. Evaluate the example of e-mail spoofing and how messages sent look authentic on the
surface but are, in fact, not.
Utility
I. Examine the usefulness of information and how it can be applied for an end purpose.
Possession
I. Recall this attribute as one where the ownership or control of information has legitimacy
or authorization.
II. Assess the scenario where a breach of possession does not always equate to a breach
of confidentiality.
CNSS Security Model
I. Discuss the concept of the McCumber Cube and its application into computer and
information security protocols.
 Quantify via Figure 1-9 (page 14) within the text that there are a total of 27 areas
(3 x 3 x 3) that must be properly addressed during a security process.
 Understand the fact that as policy, education, and technology increase, so too
the needs for confidentiality, integrity, availability, storage, processing, and
transmission.
II. Conclude that a common exclusion in this model is the need for guidelines and policies
that provide direction for implementation technologies and the practices of doing so.
Components of an Information System (1.3, PPT Slide 27)
I. Gain an understanding that to have a full understanding of the importance of an
information system, one must have an awareness of what all is included within it.
II. Review the six most common elements of an information system.
 Software
 Hardware
Software
 Data
 People
 Procedures
 Networks
I. Compare and contrast the different types of software that are used to digitally operate an
information system. These include applications or programs, operating systems, and
assorted command utilities.
II. Justify the core reason that software is used is to carry information through an
organization.
Hardware
I. Classify that this part of an information system is the physical technologies that house
and execute software, stores and transports data, and provides an interface for entry
and removal of information within it.
II. Acquire an understanding of the concept of physical security and its importance to an
information system.
Data
I. Recall that data that is stored, processed, and/or transmitted must be protected as it is
the most valuable asset an organization possesses.
II. Gain awareness that the protection of physical information is just as important as the
protection of electronic information.
People
I. Establish that people are often the weakest link of an information system since they
provide direction, design, develop, and ultimately use and game them to operate in the
business world.
Procedures
I. Recall that procedures are written instructions that are created to accomplish a specific
task or action. Note that they may or may not use the technology of an information
system.
II. Recognize that they provide the foundation for technical controls and security systems
that must be designed so they can be implemented.
Networks
I. Acknowledge the fact that modern information processing systems are highly complex
and rely on numerous internal and external connections.
II. Conclude that networks are the highway in which information systems pass data and
users complete their tasks on a daily basis.
III. Justify that proper network controls in an organization are vital to managing information
flows and the security of data transmitted internally and externally.
Quick Quiz 1
1. True or False: Network security addresses the issues needed to protect items, objects,
or areas.
Answer: False
2. Which type of security addresses the protection of all communications media,
technology, and content?
a. information
b. network
c. physical
d. communication
Answer: d
3. Which type of security encompasses the protection of voice and data networking
components, connections, and content?
a. information
b. network
c. physical
d. communications
Answer: b
4. What term is used to describe the quality or state of ownership or control of information?
a. confidentiality
b. possession
c. authenticity
d. integrity
Answer: b
5. True or False: If information has a state of being genuine or original and is not a
fabrication, it has the characteristic of authenticity.
Answer: True
Security and the Organization (1.4, PPT Slides 28–33, 36–38, and 41)
I. Analyze components that make up security as a program and the professionals who are
tasked with maintaining it within an organization.
Balancing Information Security and Access
I. Recall that everyone does not have carte blanche access to all data that is transmitted,
processed, or stored within or outside an organization.
II. Comprehend that security is never an absolute as it is a process and not a goal.
III. Interpret that security is a delicate balance between protection and availability.
Approaches to Information Security Implementation
I. Compare and contrast the two most commonly used approaches to information security
implementation: bottom-up and top-down.
 Bottom-up approaches implement security policies and/or policies from the ground
up where system administrators are responsible for improving the security of the
system.
 A top-down approach is quite the opposite where upper management determines
security policies for an organization. This is usually the Chief Information Officer
(CIO) or the Vice President of Information Technology (VP-IT).
II. Conclude that often a bottom-up approach rarely works, and a top-down approach has
the most effectiveness in an organization.
Security Professionals
I. Compare and contrast the different positions that are part of an implementation for an
information security program.
 The Chief Information Officer (CIO) is the senior technology officer of an organization
and provides guidance to the owner or CEO strategic planning that affects
information management in an organization.
 The Chief Security Officer (CISO) assesses, manages, and implements information
security in an organization.
Senior Management
I. Examine that the Chief Information Officer (CIO) is the senior technology officer although
other titles such as vice president of information, VP of information technology, and VP
of systems may also be used. The CIO is primarily responsible for advising the chief
executive officer, president, or company owner on the strategic planning that affects the
management of information in the organization.
II. Contrast with the CIO that the Chief Information Security Officer (CISO) is the individual
primarily responsible for the assessment, management, and implementation of securing
the information in the organization. The CISO may also be referred to as the manager
for security, the security administrator, or a similar title.
Information Security Project Team
I. Review the core team members of an information security project team and their specific
role:
 Champion: A senior executive who promotes the project and ensures its support,
both financially and administratively, at the highest levels of the organization.
 Team leader: A project manager, who may be a departmental line manager or staff
unit manager and who understands project management, personnel management,
and information security technical requirements.
 Security policy developers: Individuals who understand the organizational culture,
policies, and requirements for developing and implementing successful policies.
 Risk assessment specialists: Individuals who understand financial risk assessment
techniques, the value of organizational assets, and the security methods to be used.
 Security professionals: Dedicated, trained, and well-educated specialists in all
aspects of information security from both a technical and nontechnical standpoint.
 Systems administrators: Individuals whose primary responsibility is administering
the systems that house the information used by the organization.
 End users: Those whom the new system will most directly impact. Ideally, a
selection of users from various departments, levels, and degrees of technical
knowledge assist the team in focusing on the application of realistic controls applied
in ways that do not disrupt the essential business activities they seek to safeguard.
Data Responsibilities
I. Compare and contrast persons who own and safeguard data within an organization.
 Data Owners: Those responsible for the security and use of a particular set of
information. Data owners usually determine the level of data classification associated
with the data, as well as changes to that classification required by organizational
change.
 Data Custodians: Those responsible for the storage, maintenance, and protection
of the information. The duties of a data custodian often include overseeing data
storage and backups, implementing the specific procedures and policies laid out in
the security policies and plans, and reporting to the data owner.
 Data Trustees: Individuals appointed by data owners who oversee the management
of an information set and its use. Though these are often executives, they appoint
someone else to handle these responsibilities.
 Data Users: End users who work with the information to perform their daily jobs
supporting the mission of the organization. Everyone in the organization is
responsible for the security of data, so data users are included here as individuals
with an information security role.
II. Recall that data stewards are also known as data custodians.
Communities of Interest
I. Establish an understanding that each organization develops and maintains its own
unique culture and values.
II. Recall that a community of interest is a group of individuals who are united by similar
interests or values within an organization and who share a common goal of helping the
organization to meet its objectives.
III. Disseminate the fact there can be many different communities of interest in an
organization which aid in information security practices.
Information Security Management and Professionals
I. Apply knowledge that these professionals are aligned with an information security‘s
community of interest.
II. Review the fact that their goal is to protect an organization‘s information and stored
information from internal and external attacks.
Information Technology Management and Professionals
I. Recognize that these individuals are often a team of IT managers and skilled
professionals in a number of areas: systems design, programming, and networks at a
minimum.
II. Establish an understanding their goals do not always align with the information security
community based on an organization‘s structure. Conflict may result if there are
inconsistencies between them.
Organization Management and Professionals
I. Analyze that this group of persons in an organization are often other managers and
professionals who are consumers of information being secure.
Information Security: Is It an Art or a Science? (PPT Slides 42–43)
I. Gain an understanding that the implementation of information security has often been
described as a combination of art and science due to the complex nature of information
systems.
II. Discuss the concept of a ―security artisan‖ and explain how it is based on the way
individuals see technologists as computers became more commonplace in the
workplace.
Security as Art
I. Recognize that there are no hard and fast rules regulating the installation of various
security mechanisms, nor are there many universally accepted complete solutions.
II. Conclude that there is no one user‘s manual that can solve all security issues that a
system may encounter. As an organization becomes more complex, so do the controls
and technology needed to keep it together.
Security as a Science
I. Establish an understanding that technologies that are developed are enacted by highly
trained computer scientists and engineers who are required to operate at rigorous levels
of performance.
II. Conclude that specific scientific conditions often cause virtually all actions that occur in a
computer system. Nearly everything that negatively occurs in a system is a result of an
interaction between software and hardware.
III. Justify that with enough time and resources, developers could eliminate faults that occur.
Security as a Social Science
I. Understand a combination of both components of art and science make security a social
science.
II. Identify a social science as the examination of people‘s behavior and their interactions
with (information) systems.
III. Conclude that end users who need the information security personnel protect are often
the weakest links in the security chain.
Quick Quiz 2
1. When projects are initiated at the highest levels of an organization and then pushed to
all levels, they are said to follow which approach?
b. executive-led
c. trickle down
d. top-down
e. bottom-up
Answer: c
2. ensures that only users with the rights, privileges, and need to access
information are able to do so.
a. confidentiality
b. enhanced credentials
c. software engineers
d. awareness
Answer: a
3. True or False: The person responsible for the storage, maintenance, and protection of
the information is the data custodian.
Answer: True
4. Which critical characteristic of information discussed is one that focuses on the fact
when information stored, transferred, created, or placed is in the same state as it was
received?
a. utility
b. possession
c. accuracy
d. authenticity
Answer: d
5. Which of the following examines the behavior of individuals as they interact with
systems, whether societal systems or information systems?
a. community science
b. social science
c. societal science
d. interaction management
Answer: b
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-
class discussions in person, or as a partner or group activity in class.
These questions are separate from the review questions and exercises in the textbook. For
answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What are the defining differences between computer security and information security?
(1.2, PPT Slides 5, 7–9, and 13) Duration 15 minutes.
2. When reviewing the critical characteristics of information, which one is the most
important? Why is that the case and should all receive equal attention? (1.3, PPT Slides
18 and 25–26) Duration 15 minutes.
3. Do information security professionals have superiority over one another outside of their
ranking in an organization? Why or why not? (1.4, PPT Slides 29–33) Duration 15
minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course
and are available for download at the Instructor Center. The labs do not depend on specific
chapter content, so instructors can insert them where they best suit the syllabus. The following
is a list of lab titles, objectives, and approximate durations to assist with lesson planning.
Lab Title Objective Duration
Ethical
Considerations in IT
and Detecting
Phishing Attacks
Upon completion of this activity, you will:
 have a better understanding of the
ethical expectations of IT
professionals; and
 be able to identify several types of
social engineering attacks that use
phishing techniques.
Ethical Considerations
lab in 15 to 20 minutes.
Phishing E-Mail lab in 60
to 75 minutes.
Web Browser
Security
Upon completion of this activity, the
student will be able to:
 Review and configure the security and
privacy settings in the most popular
web browsers.
1 to 1.5 hours
Malware Defense Upon completion of this activity, the
student will be able to:
 Understand the basic setup and
use of an open-source AV product.
 Install and use Clam AV on a
Windows system.
 Using a USB storage device create
a portable AV scanner.
 Understand what a YARA file is
and how it is used.
1 to 1.5 hours
Windows Password
Management
Upon completion of this activity, the
student will be able to:
 Review and configure password
management policies in a Windows
client computer.
30 minutes to 1 hour
Backup and
Recovery and File
Integrity Monitoring
Upon completion of this activity, you will be
able to:
 Describe backup and recovery
processes and will be aware of
basic backup activities using
Windows 10 or another desktop
operating system (OS).
 Perform file integrity monitoring
using file hash values.
15–20 minutes
OS Processes and
Services
Upon completion of this activity, the
student will be able to:
 Review available and enabled OS
services.
 Review available and enabled OS
processes.
60–90 minutes
 Review current system resource
utilization.
Log Management &
Security
Upon completion of this activity, the
student will be able to:
 Access and review the various logs
present in a Windows 10 computer.
30 minutes to 1 hour
Footprinting,
Scanning, and
Enumeration
Upon completion of this activity, the
student will be able to:
 Identify network addresses
associated with an organization.
 Identify the systems associated
with the network addresses.
40–60 minutes
AlienVault OSSIM Upon completion of this activity, the
student will be much more knowledgeable
about the AlienVault OSSIM software and
how to install, configure, and operate it.
You will use the software more extensively
in a subsequent lab.
2–3 hours
Image Analysis Using
Autopsy
Upon completion of this activity, the
student will be able to perform basic drive
image analysis using the Autopsy software
package.
45–70 minutes
[return to top]
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module.
Additional project options include the following:
1. Using the Internet, find a recent feature article about a CISO or other IT professional with
CISO job functions. Write a short summary of that individual and how he or she came to
hold that position. The publications ComputerWorld and Information Week often have
these kinds of features. Have students list the hardware assets found in a computing lab
and then list the attributes of those assets. They should provide as many facts about
each asset as possible.
2. Using a library with current periodicals, find a recent news article about a topic related to
information security. Write a one- to two-page review of the article and how it is related
to the principles of information security introduced in the textbook.
[return to top]
Additional Resources
Cengage Video Resources
 MindTap Video: What is Information Security
Internet Resources
 Internet Society—Histories of the Internet
 CNSS National Information Assurance Glossary
 Microsoft Security Development Lifecycle
 The Role of a Chief Security Officer
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of
assignments. Rubrics help students become more aware of their learning process and progress,
and they improve students‘ work through timely and detailed feedback.
Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the
discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World
Exercises, Case Studies, and Security for Life activities
3
Exceeds Expectations
2
Meets Expectations
1
Needs Improvement
0
Inadequate
 Student
demonstrates
accurate
understanding of the
concept.
 Student applies the
concept
appropriately.
 Student uses sound
critical analysis to
develop an insightful
and comprehensive
response to the
prompt.
 Student
demonstrates
accurate
understanding of
the concept.
 Student applies
the concept
appropriately.
 Student develops
a complete
response to the
prompt.
 Student‘s response
demonstrates a
gap in
understanding of
the concept.
 Student applies the
concept incorrectly.
 Student‘s response
is poorly developed
or incomplete.
 Student‘s response
is missing or
incomplete.
 Student‘s response
demonstrates a
critical gap in
understanding.
 Student is unable to
apply the concept.
[return to top]
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
20
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
Instructor Manual
Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module
2: The Need for Information Security
Table of Contents
Purpose and Perspective of the Module ....................................................................................20
Cengage Supplements ..............................................................................................................20
Module Objectives.....................................................................................................................20
Complete List of Module Activities and Assessments.................................................................20
Key Terms.................................................................................................................................21
What's New in This Module .......................................................................................................26
Module Outline..........................................................................................................................26
Discussion Questions................................................................................................................47
Suggested Usage for Lab Activities ...........................................................................................47
Additional Activities and Assignments........................................................................................49
Additional Resources.................................................................................................................49
Cengage Video Resources........................................................................................................................ 49
Internet Resources................................................................................................................................... 49
Appendix...................................................................................................................................50
Grading Rubrics ....................................................................................................................................... 50
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
21
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
Purpose and Perspective of the Module
Protecting information is one of the most important tasks an organization must monitor around
the clock and regardless as to where personnel are located. In this module, students will gain
knowledge as to the purpose of information security and the need that is present in
organizations. Next, they will gain an understanding of why a successful information security
program is the shared responsibility of the entire organization and not just departments that
focus on technology. In the second half of the module, emphasis is placed on threats that occur
to trigger information security solutions and common attacks of them. The final part of the
module lists common information security issues that result from poor software development
efforts.
Cengage Supplements
The following product-level supplements provide additional information that may help you in
preparing your course. They are available in the Instructor Resource Center.
 PowerPoint slides
 Test banks, available in Word, as LMS-ready files, and on the Cognero platform
 MindTap Educator Guide
 Solution and Answer Guide
 This instructor‘s manual
Module Objectives
The following objectives are addressed in this module:
2.1 Discuss the need for information security.
2.2 Explain why a successful information security program is the shared responsibility of the
entire organization.
2.3 List and describe the threats posed to information security and common attacks
associated with those threats.
2.4 List the common information security issues that result from poor software development
efforts.
Complete List of Module Activities and Assessments
For additional guidance, refer to the MindTap Educator Guide.
Module
Objective
PPT slide Activity/Assessment Duration
2.1, 2.2, and
2.3
11–12 Knowledge Check Activity 1 2 minutes
2.3 and 2.4 31–32 Knowledge Check Activity 2 2 minutes
2.4 64–65 Knowledge Check Activity 3 2 minutes
2.1–2.4 77 Self-Assessment 5 minutes
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
22
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
MindTap Module 02 Review Questions 30–40 minutes
MindTap Module 02 Case Exercises 30 minutes
MindTap Module 02 Exercises 10–30 minutes per
question; 1+ hour
per module
MindTap Module 02 Security for Life 1+ hour
MindTap Module 02 Quiz 10–15 minutes
[return to top]
Key Terms
In order of use:
information asset: The focus of information security; information that has value to the
organization and the systems that store, process, and transmit the information.
media: As a subset of information assets, the systems, technologies, and networks that store
and transmit information.
data: Items of fact collected by an organization; includes raw numbers, facts, and words.
information: Data that has been organized, structured, and presented to provide additional
insight into its context, worth, and usefulness.
database: A collection of related data stored in a structured form and usually managed by
specialized systems.
database security: A subset of information security that focuses on the assessment and
protection of information stored in data repositories.
exploit: A technique used to compromise a system; may also describe the tool, program, or
script used in the compromise.
intellectual property (IP): Original ideas and inventions created, owned, and controlled by a
particular person or organization; IP includes the representation of original ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted
computer software, which is a violation of intellectual property.
availability disruption: An interruption or disruption in service, usually from a service provider,
which causes an adverse event within an organization.
service level agreement (SLA): A document or part of a document that specifies the expected
level of service from a service provider, including provisions for minimum acceptable availability
and penalties or remediation procedures for downtime.
uptime: The percentage of time a particular service is available.
downtime: The percentage of time a particular service is not available.
blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term decrease in quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
23
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
noise: The presence of additional and disruptive signals in network communications or
electrical power delivery.
sag: A short-term decrease in electrical power availability.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.
competitive intelligence: The collection and analysis of information about an organization‘s
business competitors through legal and ethical means to gain business intelligence and
competitive advantage.
industrial espionage: The collection and analysis of information about an organization‘s
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage; also known as corporate spying.
shoulder surfing: The direct, covert operation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.
hacker: A person who accesses systems and information without authorization and often
illegally.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer
hardware and software to gain unauthorized access to systems and information, and who often
creates automated exploits, scripts, and tools used by other hackers; also known as an elite
hacker.
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform
attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey.
professional hacker: A hacker who conducts attacks for personal financial benefit or for a
crime organization or foreign government; not to be confused with a penetration tester.
penetration tester: An information security professional with authorization to attempt to gain
system access in an effort to identify and recommend resolutions for vulnerabilities in those
systems; also known as a pen tester.
pen tester: See penetration tester.
script kiddies: Novice hackers who use expertly written software to attack a system; also
known as skids, skiddies, or script bunnies.
packet monkey: A novice hacker who uses automated exploits to engage in denial-of-service
attacks.
privilege escalation: The unauthorized modification of an authorized or unauthorized system
user account to gain advanced access and control over system resources.
jailbreaking: Escalating privileges to gain administrator-level or root access control over a
smartphone operating system; typically associated with Apple iOS smartphones. See also
rooting.
rooting: Escalating privileges to gain administrator-level control over a computer system
(including smartphones); typically associated with Android OS smartphones. See also
jailbreaking.
cracker: A hacker who intentionally removes or bypasses software copyright protection
designed to prevent unauthorized duplication or use.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
24
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt
services.
cracking: Attempting to reverse-engineer, remove, or bypass a password or other access
control protection, such as the copyright protection on software (see cracker).
brute force password attack: An attempt to guess a password by attempting every possible
combination of characters and numbers in it.
10.4 password rule: An industry recommendation for password structure and strength that
specifies passwords should be at least 10 characters long and contain at least one of the
following four elements: an uppercase letter, one lowercase letter, one number, and one special
character.
dictionary password attack: A variation of the brute force password attack that attempts to
narrow the range of possible passwords guessed by using a list of common passwords and
possibly including attempts based on the target‘s personal information.
rainbow table: A table of hash values and their corresponding plaintext values that can be used
to look up password values if an attacker is able to steal a system‘s encrypted password file.
social engineering: The process of using interpersonal skills to convince people to reveal
access credentials or other valuable information to an attacker.
business e-mail compromise (BEC): A social engineering attack involving the compromise of
an organization‘s e-mail system followed by a series of forged e-mail messages directing
employees to transfer funds to a specified account, or to purchase gift cards and send them to
an individual outside the organization.
advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which
an organization or some third party indicates that the recipient is due an exorbitant amount of
money and needs only to send a small advance fee or personal banking information to facilitate
the transfer.
phishing: A form of social engineering in which the attacker provides what appears to be a
legitimate communication (usually e-mail), but it contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract personal or confidential information.
spear phishing: A highly targeted phishing attack.
pretexting: A form of social engineering in which the attacker pretends to be an authority figure
who needs information to confirm the target‘s identity, but the real object is to trick the target into
revealing confidential information; commonly performed by telephone.
information extortion: The act of an attacker or trusted insider who steals or interrupts access
to information from a computer system and demands compensation for its return or for an
agreement not to disclose the information.
cyberextortion: See information extortion.
ransomware: Computer software specifically designed to identify and encrypt valuable
information in a victim‘s system in order to extort payment for the key needed to unlock the
encryption.
hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations,
policies, or actions of an organization or government agency.
cyberactivist: See hacktivist.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
25
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
doxing: A practice of using online resources to find and then disseminate compromising
information, perhaps without lawful authority, with the intent to embarrass or harm the reputation
of an individual or organization. The term originates from dox, an abbreviation of documents.
cyberterrorism: The conduct of terrorist activities via networks or Internet pathways.
cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or
Internet pathways.
cyberwarfare: Formally sanctioned offensive operations conducted by a government or state
against information or systems of another government or state; sometimes called information
warfare.
malware: Computer software specifically designed to perform malicious or unwanted actions.
malicious software: See malware.
zero-day attack: An attack that makes use of malware that is not yet known by the antimalware
software companies.
adware: Malware intended to provide undesired marketing and advertising, including pop-ups
and banners on a user‘s screens.
spyware: Any technology that aids in gathering information about people or organizations
without their knowledge.
virus: A type of malware that is attached to other executable programs and, when activated,
replicates and propagates itself to multiple systems, spreading by multiple communications
vectors.
macro virus: A type of virus written in a specific language to target applications that use the
language and activated when the application‘s product is opened; typically affects documents,
slideshows, e-mails, or spreadsheets created by office suite applications.
boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or
Master Boot Record (MBR) of a computer system‘s hard drive or removable storage media.
memory-resident virus: A virus that is capable of installing itself in a computer‘s operating
system, starting when the computer is activated, and residing in the system‘s memory even
after the host application is terminated; also known as a resident virus.
non-memory-resident virus: A virus that terminates after it has been activated, infected its
host system, and replicated itself; does not reside in an operating system or memory after
executing and is also known as a non-resident virus.
worm: A type of malware that is capable of activation and replication without being attached to
an existing program.
Trojan horse: A malware program that hides its true nature and reveals its designed behavior
only when activated.
polymorphic threat: Malware that over time changes the way it appears to antivirus software
programs, making it undetectable by techniques that look for preconfigured signatures.
malware hoax: A message that reports the presence of nonexistent malware and wastes
valuable time as employees share the message.
back door: A malware payload that provides access to a system by bypassing normal access
controls or an intentional access control bypass left by a system designer to facilitate
development.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
26
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
trap door: See back door.
maintenance hook: See back door.
denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target‘s
ability to handle incoming communications, prohibiting legitimate users from accessing those
systems.
distributed denial-of-service (DDoS) attack: A form of attack in which a coordinated stream of
requests is launched against a target from multiple locations at the same time using bots or
zombies.
bot: An abbreviation of robot, an automated software program that executes certain commands
when it receives a specific input; also known as a zombie.
zombie: See bot.
spam: Undesired e-mail, typically commercial advertising transmitted in bulk.
mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.
packet sniffer: A software program or hardware appliance that can intercept, copy, and
interpret network traffic.
sniffer: See packet sniffer.
spoofing: The use of a communications identifier, such as a phone number, network address,
or e-mail address, that is not accurately assigned to the source.
IP spoofing: A technique for gaining unauthorized access to computers using a forged or
modified source IP address to give the perception that messages are coming from a trusted
host.
pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent
to collect personal information.
Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a
DNS database to redirect legitimate traffic to illegitimate Internet locations; also known as DNS
spoofing.
man-in-the-middle: A group of attacks whereby a person intercepts a communications stream
and inserts himself in the conversation to convince each of the legitimate parties that he is the
other communications partner; some of these attacks involve encryption functions.
TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into
TCP/IP-based communications.
session hijacking: See TCP hijacking.
mean time between failure (MTBF): The average amount of time between hardware failures,
calculated as the total amount of operation time for a specified number of units divided by the
total number of failures.
mean time to failure (MTTF): The average amount of time until the next hardware failure.
mean time to diagnose (MTTD): The average amount of time a computer repair technician
needs to determine the cause of a failure.
mean time to repair (MTTR): The average amount of time a computer repair technician needs
to resolve the cause of a failure through replacement or repair of a faulty unit.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
27
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
annualized failure rate (AFR): The probability of a failure of hardware based on the
manufacturer‘s data of failures per year.
cross-site scripting (XSS): A Web application fault that occurs when an application running on
a Web server inserts commands into a user‘s browser session and causes information to be
sent to a hostile server.
buffer overrun: An application error that occurs when more data is sent to a program buffer
than it is designed to handle.
integer bug: A class of computational error caused by methods that computers use to store
and manipulate integer numbers; this bug can be exploited by attackers.
command injection: An application error that occurs when user input is passed directly to a
compiler or interpreter without screening for content that may disrupt or compromise the
intended function.
theft: The illegal taking of another‘s property, which can be physical, electronic, or intellectual.
[return to top]
What's New in This Module
The following elements are improvements in this module from the previous edition:
 This module was Chapter 2 in the 6th edition.
 The sections on the threats and attacks were updated to reflect the latest trends, and
examples were updated.
 The entire module was refreshed with a general update and given more current
examples.
[return to top]
Module Outline
Introduction to the Need for Information Security (2.1, 2.2, PPT Slides
3–9)
VII. Discuss the view that information security is unlike any other aspect of information
technology. The primary mission is to ensure things stay the way they are. Point out that
if there were no threats to information and systems, we could focus on improving
systems that support the information.
VIII. Explain that organizations must understand the environment in which information
systems operate so that their information security programs can address actual and
potential problems.
IX. Emphasize to students the four important functions for an organization with respect to
information security:
a. Protecting the organization‘s ability to function
b. Protecting the data and information the organization collects and uses
c. Enabling the safe operation of applications running on the organization‘s IT systems
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
28
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
d. Safeguarding the organization‘s technology assets
Business Needs First
I. Explain that without the underlying business to generate revenue and use information, it
has a likelihood to lose value and the need for it would go to zero.
II. Stress that the decisions that need to be made with respect to information security and
their assets should be done carefully and holistically.
III. Emphasize that the responsibility of protecting information within an organization is
everyone‘s responsibility. Regardless of their title, rank in the firm, or position, everyone
must proactively protect the data it stores and uses.
Protecting Functionality
I. Discuss the fact that general management, IT management, and information security
management are responsible for implementing information security to protect the ability
of the organization to function.
II. Relate to students that information security is a management issue in addition to a
technical issue; it is a people issue in addition to the technical issue.
III. Explain that to assist management in addressing the need for information security,
communities of interest must communicate in terms of business impact and the cost of
business interruption, and they must avoid arguments expressed only in technical terms.
Protecting Data That Organizations Collect and Use
I. Stress to students that they should understand that many organizations realize that one
of their most valuable assets is their data. Without data, an organization loses its record
of transactions and/or its ability to deliver value to its customers.
II. Explain the concept of data security. This concept is about protecting data in motion and
data at rest, a critical aspect of information security. An effective information security
program is essential to the protection of the integrity and value of the organization‘s
data.
III. Detail how information is stored. This is often stored using databases and database
security is important because it applies a broad range of control mechanisms to
numerous areas of information security.
Enabling the Safe Operation of Applications
I. Distinguish an understanding that a modern organization needs to create an
environment that protects and safeguards applications, specifically ones that are
important elements to the infrastructure of a firm—operating systems, platforms,
operational applications, e-mail, instant messaging applications, and text messaging
platforms.
Safeguarding Technology Assets in Organizations
I. Relate to students that as an organization grows, so does its need for more robust
technologies and commercial-grade solutions.
II. Explain the example that is provided in the textbook that lists core components of
security technologies (a commercial-grade, unified security architecture device,
complete with intrusion detection and prevention systems, public key infrastructure
(PKI), and virtual private network (VPN) capabilities).
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
29
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
III. Establish that although cloud services provide another way to solve business information
management challenges, they inherit their own set of risks and concerns that must be
defended against.
Information Security Threats and Attacks (2.3, PPT Slides 10 and 13–23)
I. Remind students that to make sound decisions about information security as well as to
create and enforce policies, management must be informed of the various kinds of
threats facing the organization and its applications, data, and information systems.
II. Explain that a threat is an object, person, or other entity that represents a constant
danger to an asset. Point out that an attack represents an ongoing act against the asset
that could result in a loss. Also mention that threat agents use exploits to take advantage
of vulnerabilities where controls are not present or are no longer effective.
4.8 Billion Potential Hackers
I. State that about 62 percent of the world‘s population (about 4.8 billion) have some form
of internet access, which is significantly up from 2015, when 49.2 percent of the
population had access.
II. Discuss the agreement that the threat from external sources increases when an
organization connects to the Internet.
III. Guide students to briefly review the world Internet usage spread in Table 2-1.
Other Studies of Threats
I. Point out to students that according to a recent study and survey, 67.1 precent of
responding organizations suffered malware infections. Also, more than 98 percent of
responding organizations identified malware as the second-highest threat source behind
electronic phishing/spoofing.
II. Discuss Tables 2-2, 2-3, and 2-4 that outline threats from internal and external
stakeholders as well as general threats to information assets.
Common Attack Pattern Enumeration and Classification (CAPEC)
I. Introduce students to the CAPEC Web site, which can be used by security professionals
to understand attacks.
II. Explain that this resource is a good tool for information security professionals to use to
gain additional insight on how attacks occur procedurally.
The 12 Categories of Threats (2.3, 2.4, PPT Slides 24–72)
I. Apply the use of Table 2-5 to explain the 12 categories of threats that represent a clear
and present danger to an organization‘s people, information, and systems. In summary,
they are the following:
 Compromises to intellectual property
 Deviations in quality of service
 Espionage or trespass
 Forces of nature
 Human error or failure
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
30
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
 Information extortion
 Sabotage or vandalism
 Software attacks
 Technical hardware failures or errors
 Technical software failures or errors
 Technological obsolescence
 Theft
II. Recognize that a threat to an organization may include more than one of these
categories, depending on the severity of the attack.
Compromises to Intellectual Property
I. Explain that many organizations create or support the development of intellectual
property (IP) as part of their business operations. Intellectual property is defined as ―the
ownership of ideas and control over the tangible or virtual representation of those ideas.‖
II. Recall that intellectual property for an organization includes trade secrets, copyrights,
trademarks, and patents. Once intellectual property has been defined and properly
identified, breaches to IP constitute a threat to the security of this information. Most
common IP breaches involve the unlawful use or duplication of software-based
intellectual property, known as software piracy.
Software Piracy
I. Emphasize to students that the most common IP breaches involve the unlawful use or
duplication of software-based intellectual property, known as software piracy.
II. Outline that in addition to the laws surrounding software piracy, two watchdog
organizations investigate allegations of software abuse: the Software and Information
Industry Association (SIIA), formerly the Software Publishers Association, and the
Business Software Alliance (BSA).
III. Quantify the severity of software privacy with the following statistics mentioned in the
text:
 The BSA estimates that 37 percent of software installed on personal computers
globally was not properly licensed in 2018.
 Some countries indicate unlicensed rates of more than 50 percent.
IV. Recall that malware attacks significantly increase with the use of unlicensed software.
Copyright Protection and User Registration
I. Discuss that enforcement of copyright laws has been attempted through several
technical security mechanisms, such as digital watermarks, embedded code, and
copyright codes.
II. Identify that online registrations combat piracy because users must register their
software to complete the installation process. Caution students that key generators can
be used to override and outsmart online registration tools and still result in intellectual
property losses.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
31
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
Deviations in Quality of Service
I. Summarize that concerns in this category represent situations in which a product or
service is not delivered to the organization as expected.
II. Explain that the organization‘s information system depends on the successful operation of
many interdependent support systems, including power grids, telecom networks, parts
suppliers, service vendors, and even the janitorial staff and garbage haulers.
Internet Service Issues
I. Explain that Internet service, communications, and power irregularities are three sets of
service issues that dramatically affect the availability of information and systems. This is
regardless of if a person is at the office or connecting through a virtual private network
(VPN) connection.
II. Justify that the U.S. government‘s Federal Communications Commission (FCC)
maintains a Network Outage Reporting System (NORS), which according to FCC
regulation 47 C.F.R. Part 4, requires communications providers to report outages that
disrupt communications at certain facilities, like emergency services and airports.
III. Report that when an Internet service provider fails to meet the terms in a service level
agreement (SLA), it is often fined to cover client losses, although the lost business
exceeds anything recovered. This is even with vendors promoting high availability of
uptime (or low downtime).
IV. Apply the example of Amazon and how a 30- to 40-minute outage cost them a significant
amount of money ($3-4 million) in just that short amount of time.
V. Identify the most common causes of downtime and the financial impact of those
incidents from the data provided in Figure 2-4.
Communication and Other Service Provider Issues
I. Describe communications and other service provider issues: other utility services can
impact organizations as well. Among these are telephone, water, wastewater, trash
pickup, cable television, natural or propane gas, and custodial services. The loss of
these services can impair the ability of an organization to function properly.
Power Irregularities
I. Describe power irregularities: irregularities from power utilities are common and can lead
to fluctuations, such as power excesses, power shortages, and power losses. In the
United States, we are ―fed‖ 120-volt, 60-cycle power usually through 15-amp and 20-
amp circuits.
II. Explain that voltage levels are subject to a spike (momentary increase), surge
(prolonged increase), sag (momentary decrease), brownout (prolonged drop in voltage),
fault (momentary complete loss of power) or blackout (a lengthier loss of power).
III. Emphasize that organizations with dedicated power needs must think of backup
solutions such as generators to provide power in the event an outage were to occur.
This is especially the case for information technology and security-related systems.
IV. Predict that because sensitive electronic equipment—especially networking equipment,
computers, and computer-based systems—is susceptible to fluctuations, controls should
be applied to manage power quality.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
32
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
Espionage or Trespass
I. Explain that this threat represents a well-known and broad category of electronic and
human activities that breach the confidentiality of information.
II. Establish that when an unauthorized individual gains access to the information an
organization is trying to protect, that act is categorized as a deliberate act of espionage
or trespass.
III. Contrast the thoughts that some people assume that information-gathering techniques
are illegal when, in fact, they are not. When they are done properly, this is referred to as
competitive intelligence. However, if a legal or ethical threshold is crossed, persons
doing this are conducting industrial espionage.
IV. Describe the concept of shoulder surfing. Emphasize that these commonly occur at
computer terminals, desks, ATM machines, smartphones, or other places where a
person is accessing confidential information.
V. Justify the notion that users should constantly be aware of the presence of others when
they are always accessing sensitive data.
Hackers
I. Present the fact that trespassing often leads to unauthorized, real, or virtual actions that
enable information gatherers to enter premises or systems they have not been
authorized to enter.
II. Discuss that the classic perpetrator of deliberate acts of espionage or trespass is the
hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to
bypass the controls placed around information that is the property of someone else. The
hacker frequently spends long hours examining the types and structures of the targeted
systems.
III. Remind students that there are generally two skill levels among hackers. The first is the
expert hacker, who develops software scripts and program exploits used by the second
category, the novice, or unskilled hacker.
IV. Explain that the expert hacker is usually a master of several programming languages,
networking protocols, and operating systems and exhibits a mastery of the technical
environment of the chosen targeted system.
V. Demonstrate that expert hackers who have become bored with directly attacking
systems have turned to writing software. The software they write are automated exploits
that allow novice hackers to become script kiddies (or packet monkeys)—hackers of
limited skill who use expertly written software to exploit a system, but do not fully
understand or appreciate the systems they hack.
VI. Compare and contrast the difference between professional hackers and penetration
(pen) testers. Although they are doing the same thing, which is testing the information
and network defenses, professional hackers are doing it illegally, whereas pen testers
are conducting them ethically and professionally.
Escalation of Privileges
I. Discuss the term privilege escalation. Explain that a common example of privilege
escalation is called jailbreaking or rooting.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
33
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
II. Justify that according to the U.S. Copyright Office, the practice of jailbreaking
smartphones was considered legal as a special exemption under the Digital Millennium
Copyright Act, but jailbreaking a tablet (such as the iPad) was not and often voids any
manufacturer warranty.
Hacker Variants
I. Describe that there are other terms for system rule breakers as mentioned in the text:
 Crackers are now commonly associated with an individual who ―cracks‖ or removes
software protection that is designed to prevent unauthorized duplication.
 Phreakers hack the public telephone network to make free calls, disrupt services,
and generally wreak havoc. Although more common in the 1970‘s, they can still do a
number on phone systems.
Password Attacks
I. Emphasize that password attacks fall under the category of espionage and are a serious
offense.
II. Outline the four approaches to password cracking:
 brute force password attack: An attempt to guess a password by attempting every
possible combination of characters and numbers in it.
 dictionary password attack: A variation of the brute force password attack that
attempts to narrow the range of possible passwords guessed by using a list of
common passwords and possibly including attempts based on the target‘s personal
information.
 rainbow table: A table of hash values and their corresponding plaintext values that
can be used to look up password values if an attacker is able to steal a system‘s
encrypted password file.
 social engineering: An attempt to gain access by contacting low-level employees
and offering to help with their computer issues.
III. Evaluate the purpose and composition of the 10.4 password rule and how it can provide
a method for users to generate a stronger password that is less likely to be hacked.
IV. Recommend that students review Table 2-6 and see how the odds increase the more
characters are in a password, and the time it would take to do so based on a 2020-era
computer system.
Social Engineering Password Attacks
I. Stress that by hackers posing as friendly help-desk associates or repair techs, they have
an easy inroad into servers and systems even if they resolve a user‘s issue.
II. Critique the scenario where hackers can work inside an organization and even at a help
desk using this method to gain systems access where they would otherwise be denied
entry. This is true even if their background check comes up clean.
III. Distinguish the fact that attempts to gain access like this are often subtle and go
unnoticed until it is too late.
Forces of Nature
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
34
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
I. Discuss how forces of nature, force majeure, or acts of God pose some of the most
dangerous threats, because they are unexpected and can occur with little warning.
II. Emphasize that pandemics, such as the 2020 COVID-19 outbreak, are considered a
force of nature even though most things remained operational.
III. Explain that these threats can disrupt not only the lives of individuals but also the
storage, transmission, and use of information. Since it is not possible to avoid many of
these threats, management must implement controls to limit damage and prepare
contingency plans for continued operations.
IV. Outline the 11 forces of nature that are outlined in the text. They are the following:
 Fires
 Floods
 Earthquakes
 Lightning
 Landslides or mudslides
 Tornados or severe windstorms
 Hurricanes, typhoons, and tropical depressions
 Tsunamis
 Electrostatic discharge (ESD)
 Dust contamination
 Solar activity
Fire
I. Outline ways a fire can cause damage to computing equipment up to the point of
compromising all or part of a system. This includes the fire itself, suppression systems
such as sprinklers, or water from firefighting hoses.
II. Demonstrate that this threat often can be mitigated with fire casualty insurance or
business interruption insurance policies.
Floods
I. Detail the net effects a flood can do to a facility and computing equipment. On top of
damaging the systems, building access may also be compromised.
II. Explain that this specific threat often may be mitigated with flood insurance or business
interruption insurance. This is especially important if the business is in a potential flood
zone as deemed by FEMA.
Earthquakes
I. Present that an earthquake can cause direct damage to information system equipment
and/or the facilities that house the equipment.
II. Stress that not only physical structures are at risk. Give the example in the text of a large
earthquake off the coast of Taiwan that severed underwater communications cables.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
35
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
III. Explain that this specific threat can sometimes be mitigated with casualty or business
interruption insurance. Often, as mentioned, it is covered under its own policy.
Lightning
I. Illustrate what a lightning strike is. It is an abrupt, discontinuous natural electric
discharge in the atmosphere.
II. Recognize that lightning strikes not only can damage all or part of an information system
but also cause building damage, fires, or other damage.
III. Emphasize proactive measures that can be taken by installing specialized lightning rods
placed strategically on and around the organization‘s facilities and by installing special
circuit protectors in the organization‘s electrical service.
IV. Classify that this type of natural cause can sometimes be mitigated with multipurpose
casualty or business interruption insurance.
Landslides, Mudslides, and Avalanches
I. Relate that these are downward slides of masses of earth, rock, or snow and are
sometimes sudden or with minimal notice so evacuations can take place.
II. Direct students to understand the impacts here to buildings that house the systems.
Depending on the severity of the incident, they may be destroyed or temporarily buried.
III. Classify that this type of natural cause can sometimes be mitigated with multipurpose
casualty or business interruption insurance.
Tornados and Severe Windstorms
I. Contrast the differences between a tornado and wind shear events.
II. Denote that a tornado facility housing the information systems can directly damage all or
part of the structure, depending on the strength of the funnel cloud and wind speed.
III. Explain that this brief but impactful type of natural disaster may be mitigated with
casualty or business interruption insurance.
Hurricanes, Typhoons, and Tropical Depressions
I. Compare the difference between a typhoon and a hurricane. Note that it is virtually the
same thing with the exception of its location in the world.
II. Stress that excessive rainfall and high winds from these storms can directly damage all
or part of the information system or, more likely, the building that houses it.
Organizations in coastal or low-lying areas may suffer flooding as well, which would
restrict access to the buildings that house information systems.
III. Guide students to understand that this brief but impactful type of natural disaster may be
mitigated with casualty or business interruption insurance.
Tsunamis
I. Describe the impact of a tsunami and the severity of impact that just one event may
cause.
II. Apply the tsunami that occurred in 2011 as a threat that affected the world directly and
indirectly.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
36
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
III. Explain how in most cases that this threat can sometimes be mitigated with casualty
insurance or business interruption insurance.
Electrostatic Discharge
I. Illustrate what an electrostatic discharge (ESD) is and the impact it can have to
flammable mixtures or electronic components.
II. Stress that as little as 10 volts can cause catastrophic damage to information systems
equipment, and humans cannot detect static electricity until it reaches about 1,500 volts.
Discharges from walking across dry carpet can exceed 12,000 volts.
III. Emphasize that the financial repercussions of static discharge could result in millions of
dollars of damage and significant loss of production time in information processing.
Although ESD can disrupt information systems, it is not usually an insurable loss unless
covered by business interruption insurance.
Dust Contamination
I. Relate that dust particle buildups and debris inside systems can dramatically reduce the
effectiveness and efficiency of the equipment. This often leads to unexpected shutdowns
and overheating.
II. Stress that this can often shorten the life of information systems and disrupt normal
operations.
Solar Activity
I. Recognize that solar flares or extremes in radiation can affect power grids and power
lines, blow out transformers, and shut down power stations.
II. Emphasize that businesses that rely on satellites should have alternate options available
should communications from them be disrupted.
Human Error or Failure
I. Describe this category and comment to students that it includes the possibility of acts
performed without intent or malicious purpose by an individual who is an employee of an
organization.
II. Discuss the fact that employees constitute one of the greatest threats to information
security, as they are the individuals closest to the organizational data. Employee
mistakes can easily lead to the following: revelation of classified data, entry of erroneous
data, accidental deletion or modification of data, storage of data in unprotected areas,
and failure to protect information.
III. Note that many threats can be prevented with controls, ranging from simple procedures,
such as requiring the user to type a critical command twice, to more complex
procedures, such as the verification of commands by a second party.
IV. Explain that this threat represents a well-known and broad category of electronic and
human activities that breach the confidentiality of information.
Social Engineering
I. Define within the context of information security that social engineering is the process of
using social skills to convince people to reveal access credentials or other valuable
information to the attacker.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
37
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
II. Explain that people are the weakest link. You can have the best technology— firewalls,
intrusion-detection systems, biometric devices—and somebody can call an unsuspecting
employee and obtain a wealth of information.
Business E-Mail Compromise (BEC)
I. Stress that this is one of the newest forms of social engineering attack methods being
deployed on organizations today.
II. Detail the process of how an attacker gains access to the system either through another
social engineering attack or technical exploit and then proceeds to request that
employees within the organization, usually administrative assistants to high-level
executives, transfer funds to an outside account or purchase gift cards and send them to
someone outside the organization.
III. Emphasize that in 2019 alone, there were 24,000 BEC complaints and projected losses
of more than $1.7 billion dollars.
Advance-Fee Fraud
I. Compare and contrast one of most common social engineering attacks, known as the
advance-fee fraud (AFF) and phishing.
II. Stress that AFF is also known as 4-1-9 fraud due to it being named after a Nigerian
Penal Code and not an area code in northern Ohio.
III. Examine a sample letter, as illustrated in Figure 2-9, which illustrates this scheme in
practice.
IV. Outline to students that this scam is one for stealing funds from credulous people, first
by requiring them to participate in a proposed money-making venture by sending money
up front, and then by soliciting an endless series of fees. In the most serious cases,
kidnapping, extortion, or murder can result.
V. Quantify that most recently in 2020, up to $100 billion dollars has been swindled using
this method.
Phishing
I. Distinguish phishing as an attempt to gain personal or financial information from an
individual, usually by posing as a legitimate entity.
II. Emphasize that a variant is spear phishing, a label that applies to any highly targeted
phishing attack. While normal phishing attacks target as many recipients as possible, a
spear phisher sends a message that appears to be from an employer, a colleague, or
other legitimate correspondent to a small group, or even one specific person.
III. Discuss that phishing attacks use two primary techniques, often used in combination
with one another: URL manipulation and Web site forgery.
Pretexting
I. Point out another form of social engineering is called pretexting, which is sometimes
referred to as phone phishing.
II. Emphasize that VOIP phone services have made it easy to spoof caller IDs and hence
hide the identity of someone who may be on the other end of the line.
Information Extortion
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
38
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
I. Illustrate how information extortion involves the possibility of an attacker or trusted
insider stealing information from a computer system and demanding compensation for
its return or for an agreement to not disclose the information. Extortion is common in
credit card number theft.
II. Give examples provided in the textbook of different information extortion incidents and
the impacts to their respective businesses. Translate to students that regardless of a
company‘s size or function, they are susceptible to extortion.
Ransomware
I. Explain that the latest type of attack in this category is known as ransomware, which is a
malware attack on the host system that denies access to the user and then offers to
provide a key to allow access back to the user‘s system and data for a fee.
II. Compare and contrast the two different types of ransomwares: lockscreen and
encryption.
 Lockscreen ransomware denies access to the system by disabling access to the
desktop and preventing the user from bypassing the ransom screen that demands
payment for access.
 Encryption ransomware is more severe, as it requires payment up front to access
one‘s hard drive after their information has been encrypted.
III. Illustrate the three examples of ransomware activities highlighted in the text and stress
to students that these types of attacks occur daily, and an information security team
must be on guard to overcome and nullify these.
Sabotage or Vandalism
I. Summarize that this type of threat involves the deliberate sabotage of a computer
system or business or acts of vandalism to either destroy an asset or damage the image
of an organization.
II. Emphasize that these threats can range from petty vandalism by employees to
organized sabotage against an organization.
III. Identify that organizations frequently rely on image to support the generation of revenue,
and vandalism to a Web site can erode consumer confidence, thus reducing the
organization‘s sales and net worth. Compared to Web site defacement, vandalism within
a network is more malicious in intent and less public.
Online Activism
I. Explain that security experts are noticing a rise in another form of online vandalism,
hacktivist or cyberactivist operations. A more extreme version is referred to as
cyberterrorism (which is explained next).
II. Stress that the concept of doxing is where a hacker would use online resources to find
and disseminate compromising information for the purpose of harming or harassing an
individual, group, or government entity. Apply Figure 2-14 as an example of this in
action.
Cyberterrorism and Cyberwarfare
I. Detail the purpose of cyberterrorism and what the United States and other government
bodies are doing to combat this.
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
39
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
II. Differentiate between the three examples provided in the text with respect to supposed
cyberterrorism attacks and why it is important to be on guard.
III. Relate that some government entities express concern that cyberattacks that are aimed at
disrupting their entities are likely to be seen as cyberwarfare. Note that their purpose is to
take down critical infrastructure.
IV. Apply one of the most recent attacks on critical infrastructure in the United States—the
Colonial Pipeline shutdown that wreaked havoc in the eastern part of the country—as an
example of a cyberterrorism threat in the eyes of the federal government.
Positive Online Activism
I. Compare cyberterrorism to more positive online activism, such as using Facebook,
Twitter, and so on to perform fundraising and raise awareness of social issues.
II. Stress that positive online activism is a legal right to enact provided it does not cross the
moral threshold of doing illegal activities.
Quick Quiz 1
1. True or False: The three communities of interest are general management, operations
management, and information security management.
Answer: False
2. Hackers of limited skill who use expertly written software to attack a system are known
as which of the following?
a. cyberterrorists
b. script kiddies
c. jailbreakers
d. social engineers
Answer: b
3. Which of the following occurs when an attacker or trusted insider steals information from
a computer system and demands compensation for its return or for an agreement not to
disclose it?
a. information extortion
b. technological extortion
c. insider trading
d. information hoarding
Answer: a
4. Which type of attacker will hack systems to conduct terrorist activities via network or
Internet pathways?
a. cyberattackers
b. electronic terrorists
c. cyberterrorists
d. electronic hackers
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for
Information Security
40
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
IF YOU WANT THIS TEST BANK OR SOLUTION MANUAL EMAIL
ME donc8246@gmail.com TO RECEIVE ALL CHAPTERS IN PDF
FORMAT

More Related Content

What's hot

GRC Fundamentals
GRC FundamentalsGRC Fundamentals
GRC Fundamentals
3Sixty Insights
 
الأطفال ضحايا العنف الأسري.ppt
الأطفال ضحايا العنف الأسري.pptالأطفال ضحايا العنف الأسري.ppt
الأطفال ضحايا العنف الأسري.ppt
Heba Essawy, MD
 
Data Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPRData Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPR
Corporater
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Corporater
 
The Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsThe Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact Us
PECB
 
KRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITKRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & IT
Max Neira Schliemann
 
امن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعهامن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعه
ايمن البيلي
 
Information security
 Information security Information security
Information security
Jin Castor
 
Case Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityCase Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information Security
PECB
 
Managing Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointManaging Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPoint
Ascendore Limited
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK
Boris Loukanov
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
Splunk
 
طرق لتعليم أطفالك الثقافة المالية
طرق لتعليم أطفالك الثقافة الماليةطرق لتعليم أطفالك الثقافة المالية
طرق لتعليم أطفالك الثقافة الماليةlaurancegerges
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of Security
Sounil Yu
 
Whitman_Ch05.pptx
Whitman_Ch05.pptxWhitman_Ch05.pptx
Whitman_Ch05.pptx
Siphamandla9
 
Into to Fraud Examination
Into to Fraud ExaminationInto to Fraud Examination
Governance, Risk, and Compliance Services
Governance, Risk, and Compliance ServicesGovernance, Risk, and Compliance Services
Governance, Risk, and Compliance Services
Capgemini
 
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War:  Cyber Security Strategies in a Rapidly Evolving TheatreThe Art of Cyber War:  Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
Radware
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and Beyond
Nandita Nityanandam
 
Cyber Security Maturity Assessment
 Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
Doreen Loeber
 

What's hot (20)

GRC Fundamentals
GRC FundamentalsGRC Fundamentals
GRC Fundamentals
 
الأطفال ضحايا العنف الأسري.ppt
الأطفال ضحايا العنف الأسري.pptالأطفال ضحايا العنف الأسري.ppt
الأطفال ضحايا العنف الأسري.ppt
 
Data Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPRData Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPR
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
 
The Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsThe Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact Us
 
KRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITKRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & IT
 
امن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعهامن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعه
 
Information security
 Information security Information security
Information security
 
Case Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityCase Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information Security
 
Managing Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointManaging Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPoint
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
طرق لتعليم أطفالك الثقافة المالية
طرق لتعليم أطفالك الثقافة الماليةطرق لتعليم أطفالك الثقافة المالية
طرق لتعليم أطفالك الثقافة المالية
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of Security
 
Whitman_Ch05.pptx
Whitman_Ch05.pptxWhitman_Ch05.pptx
Whitman_Ch05.pptx
 
Into to Fraud Examination
Into to Fraud ExaminationInto to Fraud Examination
Into to Fraud Examination
 
Governance, Risk, and Compliance Services
Governance, Risk, and Compliance ServicesGovernance, Risk, and Compliance Services
Governance, Risk, and Compliance Services
 
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War:  Cyber Security Strategies in a Rapidly Evolving TheatreThe Art of Cyber War:  Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and Beyond
 
Cyber Security Maturity Assessment
 Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 

Similar to Instructor Manual Principles of Information Security, 7th Edition by Michael E. Whitman Complete Verified Chapter's.docx

information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Elumalai Vasan
 
Information security management.doc
Information security management.docInformation security management.doc
Information security management.doc
Avinash Avuthu
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
SARJERAO Sarju
 
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
IAS101_Week 2-3_Introduction to Information Systems and Security.pptxIAS101_Week 2-3_Introduction to Information Systems and Security.pptx
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
Angela Arago
 
11What is Security 1.1 Introduction The central role of co.docx
11What is Security 1.1 Introduction The central role of co.docx11What is Security 1.1 Introduction The central role of co.docx
11What is Security 1.1 Introduction The central role of co.docx
moggdede
 
information-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.pptinformation-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.ppt
MuhammadAbdullah311866
 
Ch2 Introduction to Information Security (3).pdf
Ch2 Introduction to Information Security (3).pdfCh2 Introduction to Information Security (3).pdf
Ch2 Introduction to Information Security (3).pdf
mominabotayea1997
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
Ana Meskovska
 
Report on Information Security
Report on Information SecurityReport on Information Security
Report on Information Security
Uraz Pokharel
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
Introduction to the management of information security
Introduction to the management of information security  Introduction to the management of information security
Introduction to the management of information security
Sammer Qader
 
Lecture 1-2.pdf
Lecture 1-2.pdfLecture 1-2.pdf
Lecture 1-2.pdf
FumikageTokoyami4
 
Jb ia
Jb   iaJb   ia
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
jenkinsmandie
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
Marius FAILLOT DEVARRE
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
OxfordCambridge
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
christiandean12115
 

Similar to Instructor Manual Principles of Information Security, 7th Edition by Michael E. Whitman Complete Verified Chapter's.docx (20)

information security management
information security managementinformation security management
information security management
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Information security management.doc
Information security management.docInformation security management.doc
Information security management.doc
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
 
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
IAS101_Week 2-3_Introduction to Information Systems and Security.pptxIAS101_Week 2-3_Introduction to Information Systems and Security.pptx
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
 
11What is Security 1.1 Introduction The central role of co.docx
11What is Security 1.1 Introduction The central role of co.docx11What is Security 1.1 Introduction The central role of co.docx
11What is Security 1.1 Introduction The central role of co.docx
 
information-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.pptinformation-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.ppt
 
Ch2 Introduction to Information Security (3).pdf
Ch2 Introduction to Information Security (3).pdfCh2 Introduction to Information Security (3).pdf
Ch2 Introduction to Information Security (3).pdf
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
Report on Information Security
Report on Information SecurityReport on Information Security
Report on Information Security
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Introduction to the management of information security
Introduction to the management of information security  Introduction to the management of information security
Introduction to the management of information security
 
Lecture 1-2.pdf
Lecture 1-2.pdfLecture 1-2.pdf
Lecture 1-2.pdf
 
Jb ia
Jb   iaJb   ia
Jb ia
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
 

More from Donc Test

Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...
Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...
Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...
Donc Test
 
Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...
Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...
Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...
Donc Test
 
Test bank Criminal Behavior a Psychological Approach 12e Bartol
Test bank Criminal Behavior a Psychological Approach 12e BartolTest bank Criminal Behavior a Psychological Approach 12e Bartol
Test bank Criminal Behavior a Psychological Approach 12e Bartol
Donc Test
 
TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...
TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...
TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...
Donc Test
 
TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...
TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...
TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...
Donc Test
 
Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...
Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...
Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...
Donc Test
 
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Donc Test
 
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...
Donc Test
 
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...
Donc Test
 
TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...
TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...
TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...
Donc Test
 
TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...
TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...
TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...
Donc Test
 
TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...
TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...
TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...
Donc Test
 
TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...
TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...
TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...
Donc Test
 
TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...
TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...
TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...
Donc Test
 
Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...
Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...
Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...
Donc Test
 
Test Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdf
Test Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdfTest Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdf
Test Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdf
Donc Test
 
Test Bank for Anatomy of Oriented Structure 8th edition.pdf
Test Bank for Anatomy of Oriented Structure 8th edition.pdfTest Bank for Anatomy of Oriented Structure 8th edition.pdf
Test Bank for Anatomy of Oriented Structure 8th edition.pdf
Donc Test
 
TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...
TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...
TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...
Donc Test
 
Test bank clinical nursing skills a concept based approach 4e pearson educati...
Test bank clinical nursing skills a concept based approach 4e pearson educati...Test bank clinical nursing skills a concept based approach 4e pearson educati...
Test bank clinical nursing skills a concept based approach 4e pearson educati...
Donc Test
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
Donc Test
 

More from Donc Test (20)

Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...
Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...
Solution Manual For Fundamentals of Financial Accounting, 8th Edition 2024 by...
 
Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...
Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...
Solution Manual For Fundamentals of Financial Accounting, 7th Edition by Fred...
 
Test bank Criminal Behavior a Psychological Approach 12e Bartol
Test bank Criminal Behavior a Psychological Approach 12e BartolTest bank Criminal Behavior a Psychological Approach 12e Bartol
Test bank Criminal Behavior a Psychological Approach 12e Bartol
 
TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...
TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...
TEST BANK Principles of cost accounting 17th edition edward j vanderbeck mari...
 
TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...
TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...
TEST BANK For Microbiology Fundamentals A Clinical Approach, 4th Edition by M...
 
Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...
Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...
Libby/Libby/Hodge Financial Accounting 11th Edition TEST BANK & SOLUTION MANU...
 
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
 
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 4th...
 
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...
TEST BANK For Community and Public Health Nursing: Evidence for Practice, 3rd...
 
TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...
TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...
TEST BANK For Community Health Nursing A Canadian Perspective, 5th Edition by...
 
TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...
TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...
TEST BANK For CURRENT Diagnosis & Treatment Pediatrics, 26th Edition by Maya ...
 
TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...
TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...
TEST BANK For Current Medical Diagnosis And Treatment 2024, 63rd Edition By M...
 
TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...
TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...
TEST BANK For Davis Advantage for Pathophysiology Introductory Concepts and C...
 
TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...
TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...
TEST BANK For Discovering the Life Span, 5th Edition Robert S. Feldman, Verif...
 
Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...
Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...
Test Bank - Karch Focus on Nursing Pharmacology 9th Edition by Rebecca Tucker...
 
Test Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdf
Test Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdfTest Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdf
Test Bank For Clinical Nursing Skills and Techniques 10th Edition (1).pdf
 
Test Bank for Anatomy of Oriented Structure 8th edition.pdf
Test Bank for Anatomy of Oriented Structure 8th edition.pdfTest Bank for Anatomy of Oriented Structure 8th edition.pdf
Test Bank for Anatomy of Oriented Structure 8th edition.pdf
 
TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...
TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...
TEST BANK Essentials of dental radiography 9th edition by Evelyn Thomson, Orl...
 
Test bank clinical nursing skills a concept based approach 4e pearson educati...
Test bank clinical nursing skills a concept based approach 4e pearson educati...Test bank clinical nursing skills a concept based approach 4e pearson educati...
Test bank clinical nursing skills a concept based approach 4e pearson educati...
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 

Recently uploaded

Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
gaurisiddhivinayakte
 
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
usaisofficial
 
Bilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital MarketingBilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar
 
Material Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdfMaterial Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdf
sandeepmetsuae
 
How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?
How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?
How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?
Alexa Bale
 
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
betterworlds2012
 
Check SIM Owner Details | +447490809237 | Sim Details in Pakistan
Check SIM Owner Details | +447490809237 | Sim Details in PakistanCheck SIM Owner Details | +447490809237 | Sim Details in Pakistan
Check SIM Owner Details | +447490809237 | Sim Details in Pakistan
ownerdetailssim
 
Generate Revenue with Contact Center Business Model Strategy
Generate Revenue with Contact Center Business Model StrategyGenerate Revenue with Contact Center Business Model Strategy
Generate Revenue with Contact Center Business Model Strategy
RNayak3
 
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdfThe best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
tonytkelly6
 
Electrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdfElectrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdf
sandeepmetsuae
 
Top 10 Proven Ways for Optimizing a WordPress Website for SEO.pptx
Top 10 Proven Ways for Optimizing a WordPress Website for SEO.pptxTop 10 Proven Ways for Optimizing a WordPress Website for SEO.pptx
Top 10 Proven Ways for Optimizing a WordPress Website for SEO.pptx
e-Definers Technology
 
Best Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA StudiesBest Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA Studies
SAGA Studies
 
Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024
growthgrids
 
Solar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In OneSolar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In One
John McHale
 
The Fraud Examiner’s Report – What the Certified Fraud Examiner Should Know
The Fraud Examiner’s Report –  What the Certified Fraud Examiner Should KnowThe Fraud Examiner’s Report –  What the Certified Fraud Examiner Should Know
The Fraud Examiner’s Report – What the Certified Fraud Examiner Should Know
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price
#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price
#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price
ownerdetailssim
 
Electrical Testing Lab Services in Dubai.pptx
Electrical Testing Lab Services in Dubai.pptxElectrical Testing Lab Services in Dubai.pptx
Electrical Testing Lab Services in Dubai.pptx
sandeepmetsuae
 
How Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdfHow Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdf
KenWaterhouse
 
sim owner details | +447490809237 | sim owner details pakistan
sim owner details | +447490809237 | sim owner details pakistansim owner details | +447490809237 | sim owner details pakistan
sim owner details | +447490809237 | sim owner details pakistan
ownerdetailssim
 
Exceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in MelbourneExceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in Melbourne
Outdoor Home Decor Company
 

Recently uploaded (20)

Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
 
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
 
Bilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital MarketingBilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital Marketing
 
Material Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdfMaterial Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdf
 
How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?
How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?
How Long Does Vinyl Siding Last and What Impacts Its Life Expectancy?
 
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
 
Check SIM Owner Details | +447490809237 | Sim Details in Pakistan
Check SIM Owner Details | +447490809237 | Sim Details in PakistanCheck SIM Owner Details | +447490809237 | Sim Details in Pakistan
Check SIM Owner Details | +447490809237 | Sim Details in Pakistan
 
Generate Revenue with Contact Center Business Model Strategy
Generate Revenue with Contact Center Business Model StrategyGenerate Revenue with Contact Center Business Model Strategy
Generate Revenue with Contact Center Business Model Strategy
 
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdfThe best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
 
Electrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdfElectrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdf
 
Top 10 Proven Ways for Optimizing a WordPress Website for SEO.pptx
Top 10 Proven Ways for Optimizing a WordPress Website for SEO.pptxTop 10 Proven Ways for Optimizing a WordPress Website for SEO.pptx
Top 10 Proven Ways for Optimizing a WordPress Website for SEO.pptx
 
Best Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA StudiesBest Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA Studies
 
Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024
 
Solar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In OneSolar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In One
 
The Fraud Examiner’s Report – What the Certified Fraud Examiner Should Know
The Fraud Examiner’s Report –  What the Certified Fraud Examiner Should KnowThe Fraud Examiner’s Report –  What the Certified Fraud Examiner Should Know
The Fraud Examiner’s Report – What the Certified Fraud Examiner Should Know
 
#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price
#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price
#1 Call Girls in Islamabad || 03274100048 || Quick Booking at Affordable Price
 
Electrical Testing Lab Services in Dubai.pptx
Electrical Testing Lab Services in Dubai.pptxElectrical Testing Lab Services in Dubai.pptx
Electrical Testing Lab Services in Dubai.pptx
 
How Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdfHow Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdf
 
sim owner details | +447490809237 | sim owner details pakistan
sim owner details | +447490809237 | sim owner details pakistansim owner details | +447490809237 | sim owner details pakistan
sim owner details | +447490809237 | sim owner details pakistan
 
Exceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in MelbourneExceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in Melbourne
 

Instructor Manual Principles of Information Security, 7th Edition by Michael E. Whitman Complete Verified Chapter's.docx

  • 1. Instructor Manual Principles of Information Security, 7th Edition by Michael E.Whitman
  • 2. Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 1: Introduction to Information Security Table of Contents Purpose and Perspective of the Module ......................................................................................2 Cengage Supplements ................................................................................................................2 Module Objectives.......................................................................................................................2 Complete List of Module Activities and Assessments...................................................................2 Key Terms...................................................................................................................................3 What's New in This Module .........................................................................................................4 Module Outline............................................................................................................................4 Discussion Questions................................................................................................................15 Suggested Usage for Lab Activities ...........................................................................................16 Additional Activities and Assignments........................................................................................17 Additional Resources.................................................................................................................17 Cengage Video Resources........................................................................................................................ 17 Internet Resources................................................................................................................................... 17 Appendix...................................................................................................................................18 Grading Rubrics ....................................................................................................................................... 18
  • 3. Purpose and Perspective of the Module The first module of the course in information security provides learners the foundational knowledge to become well versed in the protection systems of any size need within an organization today. The module begins with fundamental knowledge of what information security is and the how computer security evolved into what we know now as information security today. Additionally, learners will gain knowledge on the how information security can be viewed either as an art or a science and why that is the case. Cengage Supplements The following product-level supplements are available in the Instructor Resource Center and provide additional information that may help you in preparing your course:  PowerPoint slides  Test banks, available in Word, as LMS-ready files, and on the Cognero platform  MindTap Educator Guide  Solution and Answer Guide  This instructor‘s manual Module Objectives The following objectives are addressed in this module: 1.1 Define information security. 1.2 Discuss the history of computer security and explain how it evolved into information security. 1.3 Define key terms and critical concepts of information security. 1.4 Describe the information security roles of professionals within an organization. Complete List of Module Activities and Assessments For additional guidance refer to the MindTap Educator Guide. Module Objective PPT slide Activity/Assessment Duration 2 Icebreaker: Interview Simulation 10 minutes 1.1–1.2 19–20 Knowledge Check Activity 1 2 minutes 1.3 34–35 Knowledge Check Activity 2 2 minutes 1.4 39–40 Knowledge Check Activity 3 2 minutes 1.1–1.4 MindTap Module 01 Review Questions 30–40 minutes 1.1 – 1.4 MindTap Module 01 Case Exercises 30 minutes 1.1 – 1.4 MindTap Module 01 Exercises 10–30 minutes per question; 1+ hour per module 1.1 – 1.4 MindTap Module 01 Security for Life 1+ hour 1.1 – 1.4 MindTap Module 01 Quiz 10–15 minutes [return to top]
  • 4. Key Terms In order of use: computer security: In the early days of computers, this term specified the protection of the physical location and assets associated with computer technology from outside threats, but it later came to represent all actions taken to protect computer systems from losses. security: A state of being secure and free from danger or harm as well as the actions taken to make someone or something secure. information security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology. network security: A subset of communications security; the protection of voice and data networking components, connections, and content. C.I.A. triad: The industry standard for computer security since the development of the mainframe; the standard is based on three characteristics that describe the attributes of information that are important to protect: confidentiality, integrity, and availability. confidentiality: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems. personally identifiable information (PII): Information about a person‘s history, background, and attributes that can be used to commit identity theft that typically includes a person‘s name, address, Social Security number, family information, employment history, and financial information. integrity: An attribute of information that describes how data is whole, complete, and uncorrupted. availability: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction. accuracy: An attribute of information that describes how data is free of errors and has the value that the user expects. authenticity: An attribute of information that describes how data is genuine or original rather than reproduced or fabricated. utility: An attribute of information that describes how data has value or usefulness for an end purpose. possession: An attribute of information that describes how the data‘s ownership or control is legitimate or authorized. McCumber Cube: A graphical representation of the architectural approach used in computer and information security that is commonly shown as a cube composed of 3×3×3 cells, similar to a Rubik‘s Cube. information system: The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization. physical security: The protection of material items, objects, or areas from unauthorized access and misuse.
  • 5. bottom-up approach: A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems. top-up approach: A methodology of establishing security policies and/or practices that is initiated by upper management. chief information officer (CIO): An executive-level position that oversees the organization‘s computing technology and strives to create efficiency in the processing and access of the organization‘s information. chief information security officer (CISO): The title typically assigned to the top information security manager in an organization. data owners: Individuals who control and are therefore ultimately responsible for the security and use of a particular set of information. data custodians: Individuals who are responsible for the storage, maintenance, and protection of information. data stewards: See data custodians. data trustees: Individuals who are assigned the task of managing a particular set of information and coordinating its protection, storage, and use. data users: Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization‘s planning and operations. community of interest: A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. [return to top] What's New in This Module The following elements are improvements in this module from the previous edition:  This Module was Chapter 1 in the 6th edition.  The content that covered Systems Development was moved to Module 11: Implementation.  The Module was given a general update and given more current examples. [return to top] Module Outline Introduction to Information Security (1.1, 1.2, PPT Slides 4–17) I. Recognize that organizations, regardless of their size or purpose, have information they must protect and store internally and externally. II. Analyze the importance and reasoning an organization must be responsible for the information they collect, store, and use. III. Review the concept of computer security and when the need for it initially arose.
  • 6. IV. Discuss how badges, keys, and facial recognition of authorized personnel are required to access military locations deemed sensitive. V. Describe the primary threats to security: physical theft of equipment, product espionage, and sabotage. VI. Examine information security practices in the World War II era and compare with modern day needs. The 1960s I. Explain the purpose of the Department of Defense‘s Advanced Research Procurement Agency (ARPA) and their need to create redundant networked communications systems so that the military can exchange information. II. Identify Dr. Larry Roberts as the creator of the ARPANET project and now the modern- day Internet. The 1970s and ’80s I. Critique the use of ARPANET and how it became more widely used and consequentially misused. II. Recognize that Robert M. Metcalfe expressed concerns about ARPANET and how it could be easily hacked into due to password structure vulnerabilities, lack of safety protocols, and widely distributed phone numbers for system access. III. Conclude that a lack of controls in place provided users limited safeguards to protect themselves from unauthorized remote users. IV. Discuss how dial-up connections lacked safety protocols when connecting to ARPANET. V. Recall that authorizations into the system and a lack of user identification were significant security risks for ARPANET during this time. VI. Evaluate the movement of stronger security protocols thanks to the implementation of conclusions from the Rand Report R-609. VII. Relate how the need of physical security protocols grew to include computer security protocols as part of a holistic information security plan. MULTICS I. Define the purpose of the Multiplexed Information and Computing Service (MULTICS) and its importance to information security. II. Relate that the restructuring of the MULTICS project created the UNIX operating system in 1969. III. Contrast the facts that the MULTICS system had multiple security levels planned, whereas the new UNIX system did not have them included. IV. Examine the decentralization of data processing and why it is important to modern-day information security protocols. V. Distinguish that in the late 1970s microprocessors transformed computing capabilities but also established new security threats. VI. Recall the Defense Advanced Research Projects Agency (DARPA) created the Computer Emergency Response Team (CERT) in 1988.
  • 7. VII. Conclude that not until the mid-1980s computer security was a non-issue for federal information systems. The 1990s I. Understand that as more computers and their networks became more common, the need to connect networks rose in tandem during this time. Hence, the Internet was born out of the need to have a global network of networks. II. Analyze the consequences of how exponential growth of the Internet early on resulted in security being a low priority over other core components. III. Identify that the networked computers were the most common style of computing during this time. However, a result of this was the lessened ability to secure a physical computer and stored data is more exposed to security threats internally and externally. IV. Recognize that toward the turn of the new millennium, numerous large corporations demonstrated the need and integration of security into their internal systems. Antivirus products grew in popularity and information security grown into its own discipline because of these proactive initiatives. 2000 to Present I. Recall the fact that millions of unsecured computer networks and billions of computing devices are communicating with each other. II. Recognize and apply the fact that cyberattacks are increasing and have caused governments and corporations to resign themselves to stronger information security protocols. III. Examine the exponential rise in mobile computing and how these devices bring their own set of vulnerabilities with respect to information security. IV. Apply the fact that one‘s ability to secure the information stored in their device is influenced by security protocols on the others they are connected to. V. Establish that wireless networks and their associated risks often have minimal security protocols in place and can be a catalyst for anonymous attacks. What Is Security? (1.3, PPT Slides 18 and 21–26) I. Define the term security and why it is important to have multiple layers of it to protect people, operations, infrastructure, functions, communications, and information. II. Emphasize the role of the Committee on National Security Systems (CNSS) and its role in defining information security. This includes the protection of critical elements such as systems and hardware that stores, transmits, and use information. III. Recognize the importance of the C.I.A. Triad but which is no longer an adequate model to apply to modern information security needs. Key Information Security Concepts I. Comprehend and define the following security terms and concepts:  Access: A subject or object‘s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
  • 8.  Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data, or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.  Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker‘s choosing, can operate autonomously or under the attacker‘s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.  Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following modules.  Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain, or an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.  Exposure: A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.  Loss: A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization‘s information is stolen, it has suffered a loss. Protection profile or security posture is the entire set of controls and safeguards—including policy, education, training and awareness, and technology—that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.  Risk: The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.  Subjects and objects of attack: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. See Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
  • 9.  Threat: Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. The two terms are technically distinct, but to simplify discussion, the text will continue to use the term threat to describe threat sources.  Threat agent: The specific instance or a component of a threat. For example, the threat source of ―trespass or espionage‖ is a category of potential danger to information assets, while ―external professional hacker‖ (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as ―acts of God/acts of nature.‖  Threat event: An occurrence of an event caused by a threat agent. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack.  Threat source: A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent ―hackers,‖ as part of the threat source ―acts of trespass or espionage,‖ purposely threaten unprotected information systems, while threat agent ―severe storms,‖ as part of the threat source ―acts of God/acts of nature,‖ incidentally threaten buildings and their contents.  Vulnerability: A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered). Critical Characteristics of Information I. Recognize that when a characteristic of information changes, the value of that information may increase but more so decreases. II. Comprehend and define the following security terms and concepts: confidentiality, personally identifiable information (PII), integrity, availability, accuracy, authenticity, utility, and possession. Confidentiality I. Define the purpose of confidentiality and the measures that must be in place to protect information.  Information classification  Securely storing documents  Applying general security policies and protocols  Educating information custodians and end users II. Analyze common reasons confidentiality breaches occur. III. Review the concept of personally identifiable information (PII) and its application to confidentiality. Integrity
  • 10. I. Examine the concept of integrity and its application to information security principles. II. Justify that file corruption is not strictly the result of hackers or other external forces but can include internal forces such as noise, low-voltage circuits, and retransmissions. Availability I. Define the concept of availability and how it allows users to access information without restriction in their required formats. Accuracy I. Understand that accuracy of data transmitted in information is important as it must be free of mistakes or errors, and it aligns with end user‘s expectations. Authenticity I. Identify the fact that information is authentic when it is given to a user in the same state that it was created, placed, stored, or transferred. II. Evaluate the example of e-mail spoofing and how messages sent look authentic on the surface but are, in fact, not. Utility I. Examine the usefulness of information and how it can be applied for an end purpose. Possession I. Recall this attribute as one where the ownership or control of information has legitimacy or authorization. II. Assess the scenario where a breach of possession does not always equate to a breach of confidentiality. CNSS Security Model I. Discuss the concept of the McCumber Cube and its application into computer and information security protocols.  Quantify via Figure 1-9 (page 14) within the text that there are a total of 27 areas (3 x 3 x 3) that must be properly addressed during a security process.  Understand the fact that as policy, education, and technology increase, so too the needs for confidentiality, integrity, availability, storage, processing, and transmission. II. Conclude that a common exclusion in this model is the need for guidelines and policies that provide direction for implementation technologies and the practices of doing so. Components of an Information System (1.3, PPT Slide 27) I. Gain an understanding that to have a full understanding of the importance of an information system, one must have an awareness of what all is included within it. II. Review the six most common elements of an information system.  Software  Hardware
  • 11. Software  Data  People  Procedures  Networks I. Compare and contrast the different types of software that are used to digitally operate an information system. These include applications or programs, operating systems, and assorted command utilities. II. Justify the core reason that software is used is to carry information through an organization. Hardware I. Classify that this part of an information system is the physical technologies that house and execute software, stores and transports data, and provides an interface for entry and removal of information within it. II. Acquire an understanding of the concept of physical security and its importance to an information system. Data I. Recall that data that is stored, processed, and/or transmitted must be protected as it is the most valuable asset an organization possesses. II. Gain awareness that the protection of physical information is just as important as the protection of electronic information. People I. Establish that people are often the weakest link of an information system since they provide direction, design, develop, and ultimately use and game them to operate in the business world. Procedures I. Recall that procedures are written instructions that are created to accomplish a specific task or action. Note that they may or may not use the technology of an information system. II. Recognize that they provide the foundation for technical controls and security systems that must be designed so they can be implemented. Networks I. Acknowledge the fact that modern information processing systems are highly complex and rely on numerous internal and external connections. II. Conclude that networks are the highway in which information systems pass data and users complete their tasks on a daily basis. III. Justify that proper network controls in an organization are vital to managing information flows and the security of data transmitted internally and externally. Quick Quiz 1
  • 12. 1. True or False: Network security addresses the issues needed to protect items, objects, or areas. Answer: False 2. Which type of security addresses the protection of all communications media, technology, and content? a. information b. network c. physical d. communication Answer: d 3. Which type of security encompasses the protection of voice and data networking components, connections, and content? a. information b. network c. physical d. communications Answer: b 4. What term is used to describe the quality or state of ownership or control of information? a. confidentiality b. possession c. authenticity d. integrity Answer: b 5. True or False: If information has a state of being genuine or original and is not a fabrication, it has the characteristic of authenticity. Answer: True Security and the Organization (1.4, PPT Slides 28–33, 36–38, and 41) I. Analyze components that make up security as a program and the professionals who are tasked with maintaining it within an organization. Balancing Information Security and Access I. Recall that everyone does not have carte blanche access to all data that is transmitted, processed, or stored within or outside an organization. II. Comprehend that security is never an absolute as it is a process and not a goal. III. Interpret that security is a delicate balance between protection and availability. Approaches to Information Security Implementation
  • 13. I. Compare and contrast the two most commonly used approaches to information security implementation: bottom-up and top-down.  Bottom-up approaches implement security policies and/or policies from the ground up where system administrators are responsible for improving the security of the system.  A top-down approach is quite the opposite where upper management determines security policies for an organization. This is usually the Chief Information Officer (CIO) or the Vice President of Information Technology (VP-IT). II. Conclude that often a bottom-up approach rarely works, and a top-down approach has the most effectiveness in an organization. Security Professionals I. Compare and contrast the different positions that are part of an implementation for an information security program.  The Chief Information Officer (CIO) is the senior technology officer of an organization and provides guidance to the owner or CEO strategic planning that affects information management in an organization.  The Chief Security Officer (CISO) assesses, manages, and implements information security in an organization. Senior Management I. Examine that the Chief Information Officer (CIO) is the senior technology officer although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. II. Contrast with the CIO that the Chief Information Security Officer (CISO) is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title. Information Security Project Team I. Review the core team members of an information security project team and their specific role:  Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.  Team leader: A project manager, who may be a departmental line manager or staff unit manager and who understands project management, personnel management, and information security technical requirements.  Security policy developers: Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.  Risk assessment specialists: Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.  Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.  Systems administrators: Individuals whose primary responsibility is administering the systems that house the information used by the organization.
  • 14.  End users: Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard. Data Responsibilities I. Compare and contrast persons who own and safeguard data within an organization.  Data Owners: Those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change.  Data Custodians: Those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.  Data Trustees: Individuals appointed by data owners who oversee the management of an information set and its use. Though these are often executives, they appoint someone else to handle these responsibilities.  Data Users: End users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role. II. Recall that data stewards are also known as data custodians. Communities of Interest I. Establish an understanding that each organization develops and maintains its own unique culture and values. II. Recall that a community of interest is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. III. Disseminate the fact there can be many different communities of interest in an organization which aid in information security practices. Information Security Management and Professionals I. Apply knowledge that these professionals are aligned with an information security‘s community of interest. II. Review the fact that their goal is to protect an organization‘s information and stored information from internal and external attacks. Information Technology Management and Professionals I. Recognize that these individuals are often a team of IT managers and skilled professionals in a number of areas: systems design, programming, and networks at a minimum. II. Establish an understanding their goals do not always align with the information security community based on an organization‘s structure. Conflict may result if there are inconsistencies between them. Organization Management and Professionals
  • 15. I. Analyze that this group of persons in an organization are often other managers and professionals who are consumers of information being secure. Information Security: Is It an Art or a Science? (PPT Slides 42–43) I. Gain an understanding that the implementation of information security has often been described as a combination of art and science due to the complex nature of information systems. II. Discuss the concept of a ―security artisan‖ and explain how it is based on the way individuals see technologists as computers became more commonplace in the workplace. Security as Art I. Recognize that there are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. II. Conclude that there is no one user‘s manual that can solve all security issues that a system may encounter. As an organization becomes more complex, so do the controls and technology needed to keep it together. Security as a Science I. Establish an understanding that technologies that are developed are enacted by highly trained computer scientists and engineers who are required to operate at rigorous levels of performance. II. Conclude that specific scientific conditions often cause virtually all actions that occur in a computer system. Nearly everything that negatively occurs in a system is a result of an interaction between software and hardware. III. Justify that with enough time and resources, developers could eliminate faults that occur. Security as a Social Science I. Understand a combination of both components of art and science make security a social science. II. Identify a social science as the examination of people‘s behavior and their interactions with (information) systems. III. Conclude that end users who need the information security personnel protect are often the weakest links in the security chain. Quick Quiz 2 1. When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow which approach? b. executive-led c. trickle down d. top-down e. bottom-up Answer: c 2. ensures that only users with the rights, privileges, and need to access information are able to do so. a. confidentiality b. enhanced credentials
  • 16. c. software engineers d. awareness Answer: a 3. True or False: The person responsible for the storage, maintenance, and protection of the information is the data custodian. Answer: True 4. Which critical characteristic of information discussed is one that focuses on the fact when information stored, transferred, created, or placed is in the same state as it was received? a. utility b. possession c. accuracy d. authenticity Answer: d 5. Which of the following examines the behavior of individuals as they interact with systems, whether societal systems or information systems? a. community science b. social science c. societal science d. interaction management Answer: b [return to top] Discussion Questions You can assign these questions several ways: in a discussion forum in your LMS, as whole- class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module. Additional class discussion options: 1. What are the defining differences between computer security and information security? (1.2, PPT Slides 5, 7–9, and 13) Duration 15 minutes. 2. When reviewing the critical characteristics of information, which one is the most important? Why is that the case and should all receive equal attention? (1.3, PPT Slides 18 and 25–26) Duration 15 minutes. 3. Do information security professionals have superiority over one another outside of their ranking in an organization? Why or why not? (1.4, PPT Slides 29–33) Duration 15 minutes. [return to top]
  • 17. Suggested Usage for Lab Activities A series of hands-on labs has been developed to complement the text material for this course and are available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning. Lab Title Objective Duration Ethical Considerations in IT and Detecting Phishing Attacks Upon completion of this activity, you will:  have a better understanding of the ethical expectations of IT professionals; and  be able to identify several types of social engineering attacks that use phishing techniques. Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes. Web Browser Security Upon completion of this activity, the student will be able to:  Review and configure the security and privacy settings in the most popular web browsers. 1 to 1.5 hours Malware Defense Upon completion of this activity, the student will be able to:  Understand the basic setup and use of an open-source AV product.  Install and use Clam AV on a Windows system.  Using a USB storage device create a portable AV scanner.  Understand what a YARA file is and how it is used. 1 to 1.5 hours Windows Password Management Upon completion of this activity, the student will be able to:  Review and configure password management policies in a Windows client computer. 30 minutes to 1 hour Backup and Recovery and File Integrity Monitoring Upon completion of this activity, you will be able to:  Describe backup and recovery processes and will be aware of basic backup activities using Windows 10 or another desktop operating system (OS).  Perform file integrity monitoring using file hash values. 15–20 minutes OS Processes and Services Upon completion of this activity, the student will be able to:  Review available and enabled OS services.  Review available and enabled OS processes. 60–90 minutes
  • 18.  Review current system resource utilization. Log Management & Security Upon completion of this activity, the student will be able to:  Access and review the various logs present in a Windows 10 computer. 30 minutes to 1 hour Footprinting, Scanning, and Enumeration Upon completion of this activity, the student will be able to:  Identify network addresses associated with an organization.  Identify the systems associated with the network addresses. 40–60 minutes AlienVault OSSIM Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab. 2–3 hours Image Analysis Using Autopsy Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package. 45–70 minutes [return to top] Additional Activities and Assignments Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include the following: 1. Using the Internet, find a recent feature article about a CISO or other IT professional with CISO job functions. Write a short summary of that individual and how he or she came to hold that position. The publications ComputerWorld and Information Week often have these kinds of features. Have students list the hardware assets found in a computing lab and then list the attributes of those assets. They should provide as many facts about each asset as possible. 2. Using a library with current periodicals, find a recent news article about a topic related to information security. Write a one- to two-page review of the article and how it is related to the principles of information security introduced in the textbook. [return to top] Additional Resources Cengage Video Resources  MindTap Video: What is Information Security Internet Resources  Internet Society—Histories of the Internet
  • 19.  CNSS National Information Assurance Glossary  Microsoft Security Development Lifecycle  The Role of a Chief Security Officer [return to top] Appendix Grading Rubrics Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students‘ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points. Grading Rubric These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities 3 Exceeds Expectations 2 Meets Expectations 1 Needs Improvement 0 Inadequate  Student demonstrates accurate understanding of the concept.  Student applies the concept appropriately.  Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.  Student demonstrates accurate understanding of the concept.  Student applies the concept appropriately.  Student develops a complete response to the prompt.  Student‘s response demonstrates a gap in understanding of the concept.  Student applies the concept incorrectly.  Student‘s response is poorly developed or incomplete.  Student‘s response is missing or incomplete.  Student‘s response demonstrates a critical gap in understanding.  Student is unable to apply the concept. [return to top]
  • 20. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 20 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security Table of Contents Purpose and Perspective of the Module ....................................................................................20 Cengage Supplements ..............................................................................................................20 Module Objectives.....................................................................................................................20 Complete List of Module Activities and Assessments.................................................................20 Key Terms.................................................................................................................................21 What's New in This Module .......................................................................................................26 Module Outline..........................................................................................................................26 Discussion Questions................................................................................................................47 Suggested Usage for Lab Activities ...........................................................................................47 Additional Activities and Assignments........................................................................................49 Additional Resources.................................................................................................................49 Cengage Video Resources........................................................................................................................ 49 Internet Resources................................................................................................................................... 49 Appendix...................................................................................................................................50 Grading Rubrics ....................................................................................................................................... 50
  • 21. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 21 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. Purpose and Perspective of the Module Protecting information is one of the most important tasks an organization must monitor around the clock and regardless as to where personnel are located. In this module, students will gain knowledge as to the purpose of information security and the need that is present in organizations. Next, they will gain an understanding of why a successful information security program is the shared responsibility of the entire organization and not just departments that focus on technology. In the second half of the module, emphasis is placed on threats that occur to trigger information security solutions and common attacks of them. The final part of the module lists common information security issues that result from poor software development efforts. Cengage Supplements The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.  PowerPoint slides  Test banks, available in Word, as LMS-ready files, and on the Cognero platform  MindTap Educator Guide  Solution and Answer Guide  This instructor‘s manual Module Objectives The following objectives are addressed in this module: 2.1 Discuss the need for information security. 2.2 Explain why a successful information security program is the shared responsibility of the entire organization. 2.3 List and describe the threats posed to information security and common attacks associated with those threats. 2.4 List the common information security issues that result from poor software development efforts. Complete List of Module Activities and Assessments For additional guidance, refer to the MindTap Educator Guide. Module Objective PPT slide Activity/Assessment Duration 2.1, 2.2, and 2.3 11–12 Knowledge Check Activity 1 2 minutes 2.3 and 2.4 31–32 Knowledge Check Activity 2 2 minutes 2.4 64–65 Knowledge Check Activity 3 2 minutes 2.1–2.4 77 Self-Assessment 5 minutes
  • 22. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 22 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. MindTap Module 02 Review Questions 30–40 minutes MindTap Module 02 Case Exercises 30 minutes MindTap Module 02 Exercises 10–30 minutes per question; 1+ hour per module MindTap Module 02 Security for Life 1+ hour MindTap Module 02 Quiz 10–15 minutes [return to top] Key Terms In order of use: information asset: The focus of information security; information that has value to the organization and the systems that store, process, and transmit the information. media: As a subset of information assets, the systems, technologies, and networks that store and transmit information. data: Items of fact collected by an organization; includes raw numbers, facts, and words. information: Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness. database: A collection of related data stored in a structured form and usually managed by specialized systems. database security: A subset of information security that focuses on the assessment and protection of information stored in data repositories. exploit: A technique used to compromise a system; may also describe the tool, program, or script used in the compromise. intellectual property (IP): Original ideas and inventions created, owned, and controlled by a particular person or organization; IP includes the representation of original ideas. software piracy: The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property. availability disruption: An interruption or disruption in service, usually from a service provider, which causes an adverse event within an organization. service level agreement (SLA): A document or part of a document that specifies the expected level of service from a service provider, including provisions for minimum acceptable availability and penalties or remediation procedures for downtime. uptime: The percentage of time a particular service is available. downtime: The percentage of time a particular service is not available. blackout: A long-term interruption (outage) in electrical power availability. brownout: A long-term decrease in quality of electrical power availability. fault: A short-term interruption in electrical power availability.
  • 23. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 23 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. noise: The presence of additional and disruptive signals in network communications or electrical power delivery. sag: A short-term decrease in electrical power availability. spike: A short-term increase in electrical power availability, also known as a swell. surge: A long-term increase in electrical power availability. competitive intelligence: The collection and analysis of information about an organization‘s business competitors through legal and ethical means to gain business intelligence and competitive advantage. industrial espionage: The collection and analysis of information about an organization‘s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage; also known as corporate spying. shoulder surfing: The direct, covert operation of individual information or system use. trespass: Unauthorized entry into the real or virtual property of another party. hacker: A person who accesses systems and information without authorization and often illegally. expert hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information, and who often creates automated exploits, scripts, and tools used by other hackers; also known as an elite hacker. novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey. professional hacker: A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government; not to be confused with a penetration tester. penetration tester: An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems; also known as a pen tester. pen tester: See penetration tester. script kiddies: Novice hackers who use expertly written software to attack a system; also known as skids, skiddies, or script bunnies. packet monkey: A novice hacker who uses automated exploits to engage in denial-of-service attacks. privilege escalation: The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources. jailbreaking: Escalating privileges to gain administrator-level or root access control over a smartphone operating system; typically associated with Apple iOS smartphones. See also rooting. rooting: Escalating privileges to gain administrator-level control over a computer system (including smartphones); typically associated with Android OS smartphones. See also jailbreaking. cracker: A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
  • 24. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 24 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt services. cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software (see cracker). brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it. 10.4 password rule: An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one of the following four elements: an uppercase letter, one lowercase letter, one number, and one special character. dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target‘s personal information. rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system‘s encrypted password file. social engineering: The process of using interpersonal skills to convince people to reveal access credentials or other valuable information to an attacker. business e-mail compromise (BEC): A social engineering attack involving the compromise of an organization‘s e-mail system followed by a series of forged e-mail messages directing employees to transfer funds to a specified account, or to purchase gift cards and send them to an individual outside the organization. advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only to send a small advance fee or personal banking information to facilitate the transfer. phishing: A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information. spear phishing: A highly targeted phishing attack. pretexting: A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target‘s identity, but the real object is to trick the target into revealing confidential information; commonly performed by telephone. information extortion: The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information. cyberextortion: See information extortion. ransomware: Computer software specifically designed to identify and encrypt valuable information in a victim‘s system in order to extort payment for the key needed to unlock the encryption. hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. cyberactivist: See hacktivist.
  • 25. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 25 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. doxing: A practice of using online resources to find and then disseminate compromising information, perhaps without lawful authority, with the intent to embarrass or harm the reputation of an individual or organization. The term originates from dox, an abbreviation of documents. cyberterrorism: The conduct of terrorist activities via networks or Internet pathways. cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways. cyberwarfare: Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state; sometimes called information warfare. malware: Computer software specifically designed to perform malicious or unwanted actions. malicious software: See malware. zero-day attack: An attack that makes use of malware that is not yet known by the antimalware software companies. adware: Malware intended to provide undesired marketing and advertising, including pop-ups and banners on a user‘s screens. spyware: Any technology that aids in gathering information about people or organizations without their knowledge. virus: A type of malware that is attached to other executable programs and, when activated, replicates and propagates itself to multiple systems, spreading by multiple communications vectors. macro virus: A type of virus written in a specific language to target applications that use the language and activated when the application‘s product is opened; typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications. boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system‘s hard drive or removable storage media. memory-resident virus: A virus that is capable of installing itself in a computer‘s operating system, starting when the computer is activated, and residing in the system‘s memory even after the host application is terminated; also known as a resident virus. non-memory-resident virus: A virus that terminates after it has been activated, infected its host system, and replicated itself; does not reside in an operating system or memory after executing and is also known as a non-resident virus. worm: A type of malware that is capable of activation and replication without being attached to an existing program. Trojan horse: A malware program that hides its true nature and reveals its designed behavior only when activated. polymorphic threat: Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures. malware hoax: A message that reports the presence of nonexistent malware and wastes valuable time as employees share the message. back door: A malware payload that provides access to a system by bypassing normal access controls or an intentional access control bypass left by a system designer to facilitate development.
  • 26. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 26 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. trap door: See back door. maintenance hook: See back door. denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target‘s ability to handle incoming communications, prohibiting legitimate users from accessing those systems. distributed denial-of-service (DDoS) attack: A form of attack in which a coordinated stream of requests is launched against a target from multiple locations at the same time using bots or zombies. bot: An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input; also known as a zombie. zombie: See bot. spam: Undesired e-mail, typically commercial advertising transmitted in bulk. mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail. packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic. sniffer: See packet sniffer. spoofing: The use of a communications identifier, such as a phone number, network address, or e-mail address, that is not accurately assigned to the source. IP spoofing: A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host. pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information. Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations; also known as DNS spoofing. man-in-the-middle: A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner; some of these attacks involve encryption functions. TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications. session hijacking: See TCP hijacking. mean time between failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures. mean time to failure (MTTF): The average amount of time until the next hardware failure. mean time to diagnose (MTTD): The average amount of time a computer repair technician needs to determine the cause of a failure. mean time to repair (MTTR): The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
  • 27. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 27 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. annualized failure rate (AFR): The probability of a failure of hardware based on the manufacturer‘s data of failures per year. cross-site scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user‘s browser session and causes information to be sent to a hostile server. buffer overrun: An application error that occurs when more data is sent to a program buffer than it is designed to handle. integer bug: A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers. command injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function. theft: The illegal taking of another‘s property, which can be physical, electronic, or intellectual. [return to top] What's New in This Module The following elements are improvements in this module from the previous edition:  This module was Chapter 2 in the 6th edition.  The sections on the threats and attacks were updated to reflect the latest trends, and examples were updated.  The entire module was refreshed with a general update and given more current examples. [return to top] Module Outline Introduction to the Need for Information Security (2.1, 2.2, PPT Slides 3–9) VII. Discuss the view that information security is unlike any other aspect of information technology. The primary mission is to ensure things stay the way they are. Point out that if there were no threats to information and systems, we could focus on improving systems that support the information. VIII. Explain that organizations must understand the environment in which information systems operate so that their information security programs can address actual and potential problems. IX. Emphasize to students the four important functions for an organization with respect to information security: a. Protecting the organization‘s ability to function b. Protecting the data and information the organization collects and uses c. Enabling the safe operation of applications running on the organization‘s IT systems
  • 28. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 28 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. d. Safeguarding the organization‘s technology assets Business Needs First I. Explain that without the underlying business to generate revenue and use information, it has a likelihood to lose value and the need for it would go to zero. II. Stress that the decisions that need to be made with respect to information security and their assets should be done carefully and holistically. III. Emphasize that the responsibility of protecting information within an organization is everyone‘s responsibility. Regardless of their title, rank in the firm, or position, everyone must proactively protect the data it stores and uses. Protecting Functionality I. Discuss the fact that general management, IT management, and information security management are responsible for implementing information security to protect the ability of the organization to function. II. Relate to students that information security is a management issue in addition to a technical issue; it is a people issue in addition to the technical issue. III. Explain that to assist management in addressing the need for information security, communities of interest must communicate in terms of business impact and the cost of business interruption, and they must avoid arguments expressed only in technical terms. Protecting Data That Organizations Collect and Use I. Stress to students that they should understand that many organizations realize that one of their most valuable assets is their data. Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers. II. Explain the concept of data security. This concept is about protecting data in motion and data at rest, a critical aspect of information security. An effective information security program is essential to the protection of the integrity and value of the organization‘s data. III. Detail how information is stored. This is often stored using databases and database security is important because it applies a broad range of control mechanisms to numerous areas of information security. Enabling the Safe Operation of Applications I. Distinguish an understanding that a modern organization needs to create an environment that protects and safeguards applications, specifically ones that are important elements to the infrastructure of a firm—operating systems, platforms, operational applications, e-mail, instant messaging applications, and text messaging platforms. Safeguarding Technology Assets in Organizations I. Relate to students that as an organization grows, so does its need for more robust technologies and commercial-grade solutions. II. Explain the example that is provided in the textbook that lists core components of security technologies (a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities).
  • 29. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 29 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. III. Establish that although cloud services provide another way to solve business information management challenges, they inherit their own set of risks and concerns that must be defended against. Information Security Threats and Attacks (2.3, PPT Slides 10 and 13–23) I. Remind students that to make sound decisions about information security as well as to create and enforce policies, management must be informed of the various kinds of threats facing the organization and its applications, data, and information systems. II. Explain that a threat is an object, person, or other entity that represents a constant danger to an asset. Point out that an attack represents an ongoing act against the asset that could result in a loss. Also mention that threat agents use exploits to take advantage of vulnerabilities where controls are not present or are no longer effective. 4.8 Billion Potential Hackers I. State that about 62 percent of the world‘s population (about 4.8 billion) have some form of internet access, which is significantly up from 2015, when 49.2 percent of the population had access. II. Discuss the agreement that the threat from external sources increases when an organization connects to the Internet. III. Guide students to briefly review the world Internet usage spread in Table 2-1. Other Studies of Threats I. Point out to students that according to a recent study and survey, 67.1 precent of responding organizations suffered malware infections. Also, more than 98 percent of responding organizations identified malware as the second-highest threat source behind electronic phishing/spoofing. II. Discuss Tables 2-2, 2-3, and 2-4 that outline threats from internal and external stakeholders as well as general threats to information assets. Common Attack Pattern Enumeration and Classification (CAPEC) I. Introduce students to the CAPEC Web site, which can be used by security professionals to understand attacks. II. Explain that this resource is a good tool for information security professionals to use to gain additional insight on how attacks occur procedurally. The 12 Categories of Threats (2.3, 2.4, PPT Slides 24–72) I. Apply the use of Table 2-5 to explain the 12 categories of threats that represent a clear and present danger to an organization‘s people, information, and systems. In summary, they are the following:  Compromises to intellectual property  Deviations in quality of service  Espionage or trespass  Forces of nature  Human error or failure
  • 30. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 30 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Information extortion  Sabotage or vandalism  Software attacks  Technical hardware failures or errors  Technical software failures or errors  Technological obsolescence  Theft II. Recognize that a threat to an organization may include more than one of these categories, depending on the severity of the attack. Compromises to Intellectual Property I. Explain that many organizations create or support the development of intellectual property (IP) as part of their business operations. Intellectual property is defined as ―the ownership of ideas and control over the tangible or virtual representation of those ideas.‖ II. Recall that intellectual property for an organization includes trade secrets, copyrights, trademarks, and patents. Once intellectual property has been defined and properly identified, breaches to IP constitute a threat to the security of this information. Most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy. Software Piracy I. Emphasize to students that the most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy. II. Outline that in addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA), formerly the Software Publishers Association, and the Business Software Alliance (BSA). III. Quantify the severity of software privacy with the following statistics mentioned in the text:  The BSA estimates that 37 percent of software installed on personal computers globally was not properly licensed in 2018.  Some countries indicate unlicensed rates of more than 50 percent. IV. Recall that malware attacks significantly increase with the use of unlicensed software. Copyright Protection and User Registration I. Discuss that enforcement of copyright laws has been attempted through several technical security mechanisms, such as digital watermarks, embedded code, and copyright codes. II. Identify that online registrations combat piracy because users must register their software to complete the installation process. Caution students that key generators can be used to override and outsmart online registration tools and still result in intellectual property losses.
  • 31. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 31 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. Deviations in Quality of Service I. Summarize that concerns in this category represent situations in which a product or service is not delivered to the organization as expected. II. Explain that the organization‘s information system depends on the successful operation of many interdependent support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers. Internet Service Issues I. Explain that Internet service, communications, and power irregularities are three sets of service issues that dramatically affect the availability of information and systems. This is regardless of if a person is at the office or connecting through a virtual private network (VPN) connection. II. Justify that the U.S. government‘s Federal Communications Commission (FCC) maintains a Network Outage Reporting System (NORS), which according to FCC regulation 47 C.F.R. Part 4, requires communications providers to report outages that disrupt communications at certain facilities, like emergency services and airports. III. Report that when an Internet service provider fails to meet the terms in a service level agreement (SLA), it is often fined to cover client losses, although the lost business exceeds anything recovered. This is even with vendors promoting high availability of uptime (or low downtime). IV. Apply the example of Amazon and how a 30- to 40-minute outage cost them a significant amount of money ($3-4 million) in just that short amount of time. V. Identify the most common causes of downtime and the financial impact of those incidents from the data provided in Figure 2-4. Communication and Other Service Provider Issues I. Describe communications and other service provider issues: other utility services can impact organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function properly. Power Irregularities I. Describe power irregularities: irregularities from power utilities are common and can lead to fluctuations, such as power excesses, power shortages, and power losses. In the United States, we are ―fed‖ 120-volt, 60-cycle power usually through 15-amp and 20- amp circuits. II. Explain that voltage levels are subject to a spike (momentary increase), surge (prolonged increase), sag (momentary decrease), brownout (prolonged drop in voltage), fault (momentary complete loss of power) or blackout (a lengthier loss of power). III. Emphasize that organizations with dedicated power needs must think of backup solutions such as generators to provide power in the event an outage were to occur. This is especially the case for information technology and security-related systems. IV. Predict that because sensitive electronic equipment—especially networking equipment, computers, and computer-based systems—is susceptible to fluctuations, controls should be applied to manage power quality.
  • 32. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 32 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. Espionage or Trespass I. Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information. II. Establish that when an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass. III. Contrast the thoughts that some people assume that information-gathering techniques are illegal when, in fact, they are not. When they are done properly, this is referred to as competitive intelligence. However, if a legal or ethical threshold is crossed, persons doing this are conducting industrial espionage. IV. Describe the concept of shoulder surfing. Emphasize that these commonly occur at computer terminals, desks, ATM machines, smartphones, or other places where a person is accessing confidential information. V. Justify the notion that users should constantly be aware of the presence of others when they are always accessing sensitive data. Hackers I. Present the fact that trespassing often leads to unauthorized, real, or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. II. Discuss that the classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The hacker frequently spends long hours examining the types and structures of the targeted systems. III. Remind students that there are generally two skill levels among hackers. The first is the expert hacker, who develops software scripts and program exploits used by the second category, the novice, or unskilled hacker. IV. Explain that the expert hacker is usually a master of several programming languages, networking protocols, and operating systems and exhibits a mastery of the technical environment of the chosen targeted system. V. Demonstrate that expert hackers who have become bored with directly attacking systems have turned to writing software. The software they write are automated exploits that allow novice hackers to become script kiddies (or packet monkeys)—hackers of limited skill who use expertly written software to exploit a system, but do not fully understand or appreciate the systems they hack. VI. Compare and contrast the difference between professional hackers and penetration (pen) testers. Although they are doing the same thing, which is testing the information and network defenses, professional hackers are doing it illegally, whereas pen testers are conducting them ethically and professionally. Escalation of Privileges I. Discuss the term privilege escalation. Explain that a common example of privilege escalation is called jailbreaking or rooting.
  • 33. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 33 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. II. Justify that according to the U.S. Copyright Office, the practice of jailbreaking smartphones was considered legal as a special exemption under the Digital Millennium Copyright Act, but jailbreaking a tablet (such as the iPad) was not and often voids any manufacturer warranty. Hacker Variants I. Describe that there are other terms for system rule breakers as mentioned in the text:  Crackers are now commonly associated with an individual who ―cracks‖ or removes software protection that is designed to prevent unauthorized duplication.  Phreakers hack the public telephone network to make free calls, disrupt services, and generally wreak havoc. Although more common in the 1970‘s, they can still do a number on phone systems. Password Attacks I. Emphasize that password attacks fall under the category of espionage and are a serious offense. II. Outline the four approaches to password cracking:  brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.  dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target‘s personal information.  rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system‘s encrypted password file.  social engineering: An attempt to gain access by contacting low-level employees and offering to help with their computer issues. III. Evaluate the purpose and composition of the 10.4 password rule and how it can provide a method for users to generate a stronger password that is less likely to be hacked. IV. Recommend that students review Table 2-6 and see how the odds increase the more characters are in a password, and the time it would take to do so based on a 2020-era computer system. Social Engineering Password Attacks I. Stress that by hackers posing as friendly help-desk associates or repair techs, they have an easy inroad into servers and systems even if they resolve a user‘s issue. II. Critique the scenario where hackers can work inside an organization and even at a help desk using this method to gain systems access where they would otherwise be denied entry. This is true even if their background check comes up clean. III. Distinguish the fact that attempts to gain access like this are often subtle and go unnoticed until it is too late. Forces of Nature
  • 34. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 34 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. I. Discuss how forces of nature, force majeure, or acts of God pose some of the most dangerous threats, because they are unexpected and can occur with little warning. II. Emphasize that pandemics, such as the 2020 COVID-19 outbreak, are considered a force of nature even though most things remained operational. III. Explain that these threats can disrupt not only the lives of individuals but also the storage, transmission, and use of information. Since it is not possible to avoid many of these threats, management must implement controls to limit damage and prepare contingency plans for continued operations. IV. Outline the 11 forces of nature that are outlined in the text. They are the following:  Fires  Floods  Earthquakes  Lightning  Landslides or mudslides  Tornados or severe windstorms  Hurricanes, typhoons, and tropical depressions  Tsunamis  Electrostatic discharge (ESD)  Dust contamination  Solar activity Fire I. Outline ways a fire can cause damage to computing equipment up to the point of compromising all or part of a system. This includes the fire itself, suppression systems such as sprinklers, or water from firefighting hoses. II. Demonstrate that this threat often can be mitigated with fire casualty insurance or business interruption insurance policies. Floods I. Detail the net effects a flood can do to a facility and computing equipment. On top of damaging the systems, building access may also be compromised. II. Explain that this specific threat often may be mitigated with flood insurance or business interruption insurance. This is especially important if the business is in a potential flood zone as deemed by FEMA. Earthquakes I. Present that an earthquake can cause direct damage to information system equipment and/or the facilities that house the equipment. II. Stress that not only physical structures are at risk. Give the example in the text of a large earthquake off the coast of Taiwan that severed underwater communications cables.
  • 35. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 35 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. III. Explain that this specific threat can sometimes be mitigated with casualty or business interruption insurance. Often, as mentioned, it is covered under its own policy. Lightning I. Illustrate what a lightning strike is. It is an abrupt, discontinuous natural electric discharge in the atmosphere. II. Recognize that lightning strikes not only can damage all or part of an information system but also cause building damage, fires, or other damage. III. Emphasize proactive measures that can be taken by installing specialized lightning rods placed strategically on and around the organization‘s facilities and by installing special circuit protectors in the organization‘s electrical service. IV. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance. Landslides, Mudslides, and Avalanches I. Relate that these are downward slides of masses of earth, rock, or snow and are sometimes sudden or with minimal notice so evacuations can take place. II. Direct students to understand the impacts here to buildings that house the systems. Depending on the severity of the incident, they may be destroyed or temporarily buried. III. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance. Tornados and Severe Windstorms I. Contrast the differences between a tornado and wind shear events. II. Denote that a tornado facility housing the information systems can directly damage all or part of the structure, depending on the strength of the funnel cloud and wind speed. III. Explain that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance. Hurricanes, Typhoons, and Tropical Depressions I. Compare the difference between a typhoon and a hurricane. Note that it is virtually the same thing with the exception of its location in the world. II. Stress that excessive rainfall and high winds from these storms can directly damage all or part of the information system or, more likely, the building that houses it. Organizations in coastal or low-lying areas may suffer flooding as well, which would restrict access to the buildings that house information systems. III. Guide students to understand that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance. Tsunamis I. Describe the impact of a tsunami and the severity of impact that just one event may cause. II. Apply the tsunami that occurred in 2011 as a threat that affected the world directly and indirectly.
  • 36. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 36 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. III. Explain how in most cases that this threat can sometimes be mitigated with casualty insurance or business interruption insurance. Electrostatic Discharge I. Illustrate what an electrostatic discharge (ESD) is and the impact it can have to flammable mixtures or electronic components. II. Stress that as little as 10 volts can cause catastrophic damage to information systems equipment, and humans cannot detect static electricity until it reaches about 1,500 volts. Discharges from walking across dry carpet can exceed 12,000 volts. III. Emphasize that the financial repercussions of static discharge could result in millions of dollars of damage and significant loss of production time in information processing. Although ESD can disrupt information systems, it is not usually an insurable loss unless covered by business interruption insurance. Dust Contamination I. Relate that dust particle buildups and debris inside systems can dramatically reduce the effectiveness and efficiency of the equipment. This often leads to unexpected shutdowns and overheating. II. Stress that this can often shorten the life of information systems and disrupt normal operations. Solar Activity I. Recognize that solar flares or extremes in radiation can affect power grids and power lines, blow out transformers, and shut down power stations. II. Emphasize that businesses that rely on satellites should have alternate options available should communications from them be disrupted. Human Error or Failure I. Describe this category and comment to students that it includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization. II. Discuss the fact that employees constitute one of the greatest threats to information security, as they are the individuals closest to the organizational data. Employee mistakes can easily lead to the following: revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information. III. Note that many threats can be prevented with controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to more complex procedures, such as the verification of commands by a second party. IV. Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information. Social Engineering I. Define within the context of information security that social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
  • 37. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 37 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. II. Explain that people are the weakest link. You can have the best technology— firewalls, intrusion-detection systems, biometric devices—and somebody can call an unsuspecting employee and obtain a wealth of information. Business E-Mail Compromise (BEC) I. Stress that this is one of the newest forms of social engineering attack methods being deployed on organizations today. II. Detail the process of how an attacker gains access to the system either through another social engineering attack or technical exploit and then proceeds to request that employees within the organization, usually administrative assistants to high-level executives, transfer funds to an outside account or purchase gift cards and send them to someone outside the organization. III. Emphasize that in 2019 alone, there were 24,000 BEC complaints and projected losses of more than $1.7 billion dollars. Advance-Fee Fraud I. Compare and contrast one of most common social engineering attacks, known as the advance-fee fraud (AFF) and phishing. II. Stress that AFF is also known as 4-1-9 fraud due to it being named after a Nigerian Penal Code and not an area code in northern Ohio. III. Examine a sample letter, as illustrated in Figure 2-9, which illustrates this scheme in practice. IV. Outline to students that this scam is one for stealing funds from credulous people, first by requiring them to participate in a proposed money-making venture by sending money up front, and then by soliciting an endless series of fees. In the most serious cases, kidnapping, extortion, or murder can result. V. Quantify that most recently in 2020, up to $100 billion dollars has been swindled using this method. Phishing I. Distinguish phishing as an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity. II. Emphasize that a variant is spear phishing, a label that applies to any highly targeted phishing attack. While normal phishing attacks target as many recipients as possible, a spear phisher sends a message that appears to be from an employer, a colleague, or other legitimate correspondent to a small group, or even one specific person. III. Discuss that phishing attacks use two primary techniques, often used in combination with one another: URL manipulation and Web site forgery. Pretexting I. Point out another form of social engineering is called pretexting, which is sometimes referred to as phone phishing. II. Emphasize that VOIP phone services have made it easy to spoof caller IDs and hence hide the identity of someone who may be on the other end of the line. Information Extortion
  • 38. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 38 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. I. Illustrate how information extortion involves the possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement to not disclose the information. Extortion is common in credit card number theft. II. Give examples provided in the textbook of different information extortion incidents and the impacts to their respective businesses. Translate to students that regardless of a company‘s size or function, they are susceptible to extortion. Ransomware I. Explain that the latest type of attack in this category is known as ransomware, which is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user‘s system and data for a fee. II. Compare and contrast the two different types of ransomwares: lockscreen and encryption.  Lockscreen ransomware denies access to the system by disabling access to the desktop and preventing the user from bypassing the ransom screen that demands payment for access.  Encryption ransomware is more severe, as it requires payment up front to access one‘s hard drive after their information has been encrypted. III. Illustrate the three examples of ransomware activities highlighted in the text and stress to students that these types of attacks occur daily, and an information security team must be on guard to overcome and nullify these. Sabotage or Vandalism I. Summarize that this type of threat involves the deliberate sabotage of a computer system or business or acts of vandalism to either destroy an asset or damage the image of an organization. II. Emphasize that these threats can range from petty vandalism by employees to organized sabotage against an organization. III. Identify that organizations frequently rely on image to support the generation of revenue, and vandalism to a Web site can erode consumer confidence, thus reducing the organization‘s sales and net worth. Compared to Web site defacement, vandalism within a network is more malicious in intent and less public. Online Activism I. Explain that security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist operations. A more extreme version is referred to as cyberterrorism (which is explained next). II. Stress that the concept of doxing is where a hacker would use online resources to find and disseminate compromising information for the purpose of harming or harassing an individual, group, or government entity. Apply Figure 2-14 as an example of this in action. Cyberterrorism and Cyberwarfare I. Detail the purpose of cyberterrorism and what the United States and other government bodies are doing to combat this.
  • 39. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 39 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. II. Differentiate between the three examples provided in the text with respect to supposed cyberterrorism attacks and why it is important to be on guard. III. Relate that some government entities express concern that cyberattacks that are aimed at disrupting their entities are likely to be seen as cyberwarfare. Note that their purpose is to take down critical infrastructure. IV. Apply one of the most recent attacks on critical infrastructure in the United States—the Colonial Pipeline shutdown that wreaked havoc in the eastern part of the country—as an example of a cyberterrorism threat in the eyes of the federal government. Positive Online Activism I. Compare cyberterrorism to more positive online activism, such as using Facebook, Twitter, and so on to perform fundraising and raise awareness of social issues. II. Stress that positive online activism is a legal right to enact provided it does not cross the moral threshold of doing illegal activities. Quick Quiz 1 1. True or False: The three communities of interest are general management, operations management, and information security management. Answer: False 2. Hackers of limited skill who use expertly written software to attack a system are known as which of the following? a. cyberterrorists b. script kiddies c. jailbreakers d. social engineers Answer: b 3. Which of the following occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it? a. information extortion b. technological extortion c. insider trading d. information hoarding Answer: a 4. Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways? a. cyberattackers b. electronic terrorists c. cyberterrorists d. electronic hackers
  • 40. Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security 40 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. IF YOU WANT THIS TEST BANK OR SOLUTION MANUAL EMAIL ME donc8246@gmail.com TO RECEIVE ALL CHAPTERS IN PDF FORMAT