CHAPTER ONE
INFORMATION SECURITY FUNDAMENTALS
If you could somehow visit rural America from 50 years ago, you would probably
notice how open and unrestricted everything seemed to be. Front doors to homes
were left unlocked while the occupants visited friends out of town. Windows were
propped open on warm summer nights as children slept. Complete strangers were invited
into homes for a meal and a place to stay. Flying on a commercial airliner, although not
commonplace, involved little more than walking onto the plane. Little thought needed to be
given to individual security.

Copyright © 2005 by Course Technology. All rights reserved. This publication
is protected by federal copyright law. No part of this publication
may be reproduced without prior permission in writing from Course Technology. Some of the product names and company names have been
used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Since then, our world has changed significantly. Our homes and apartments are locked tight.
Strangers are shunned. A visit to the airport to catch a plane has become an ordeal: we park
our cars far from the terminal, have our luggage x-rayed for weapons, walk through metal
detectors, and present photo identification cards every step of the way—all this before we
even board the airplane. Ours has become the age of wariness and watchfulness.
Just as a changing world has affected the security of our daily lives, so too has it dramatically
changed how we use and maintain computers and networks. Ten years ago, firewalls,
intrusion-detection systems (IDSs), antivirus software, and operating system updates were
rare. Today, the national evening news might open with a story on the latest worldwide
computer virus attack. Our e-mail in-boxes are constantly scanned for suspicious attachments that might contain a harmful virus. Computer network managers work overtime to
build the latest security defenses and keep them up-to-date. Computer attacks via the
Internet are ever present, making computer security one of our prime concerns.
The demand for information technology (IT) professionals who know how to protect
networks and computers from attacks is at an all-time high. Today businesses and organizations require employees and prospective employees to demonstrate that they are familiar
with computer security practices. Many organizations use the CompTIA Security+ certification to verify security competence. As the most widely recognized vendor-neutral
security certification, Security+ has become the security foundation for IT professionals.
This chapter introduces the fundamentals of Security+ network security. It begins by
examining the current challenges in network security. You will see why network security is
important and learn to define information security and the terminology that it uses. You will
also explore the CompTIA Security+ certification for IT professionals, and survey the types
of careers open in the information security field.
IDENTIFYING THE CHALLENGES FOR INFORMATION SECURITY
The challenge of keeping networks and computers secure has never been greater. A number
of trends illustrate why security is becoming increasingly difficult. These include:
■ Speed of attacks—With modern tools at their disposal, attackers can quickly scan
systems to find weaknesses and then launch attacks with unprecedented speed. For
example, in 2003, the Slammer worm infected 75,000 computers in the first 11
minutes after it was released, and infections doubled every 8.5 seconds. At its peak,
Slammer was scanning 55 million computers per second looking for a computer to
infect. Later that year, the Blaster worm infected 138,000 computers in its first four
hours and eventually infected over 1.4 million computers. Many tools can now
initiate new attacks without any human intervention, increasing their speed.
■ Sophistication of attacks—Security attacks are becoming more complex. Some
attacker tools vary their behavior so the same attack appears differently each time,
making detection very difficult. Attackers now use protocols such as the Hypertext
Transfer Protocol (HTTP) to send data or commands to attack computers, making
it difficult to distinguish an attack from legitimate network traffic.
■ Faster detection of weaknesses—The number of newly discovered system vulnerabilities doubles annually, making it more difficult for software developers to keep pace
updating their products. One of the looming fears is the increasing number of day
zero attacks. While most attacks take advantage of vulnerabilities that someone
has already uncovered, a day zero attack occurs when an attacker discovers and
exploits a previously unknown flaw. Providing no warning, a day zero attack can be
especially crippling to networks and computers because the attack runs rampant
while time is spent trying to identify the vulnerability.
■ Distributed attacks—Attackers can now use hundreds or thousands of computers in
an attack against a single computer or network. This “many against one” approach
makes it impossible to stop an attack by identifying and blocking the source.
■ Difficulties in patching—One of the primary defenses against attacks is applying
patches, software that repairs security flaws and other problems in an application
or operating system. However, managing patches and knowing which ones to
install can be difficult. Most attacks have been successful because users did not
apply patches that had been released long before the attack occurred. Table 1-1
shows the interval between the release of a patch to address a security weakness and
an attack exploiting that particular weakness.
The Gartner Group estimates that by 2006 more than 30% of attacks worldwide will be day zero attacks, or attacks that occur before a vulnerability is
discovered or a fix is available.
To apply the concepts in this topic, see Hands-On Project 1-1
at the end of this chapter.
Table 1-1   Delay between patches and attacks

Attack Name    Impact of Attack                                                                        Date Patch First Issued   Date Attack Began   Days between Patch and Attack
Bugbear        Infected more than 2 million computers                                                  5/16/01                   9/30/02             502
Yaha           Unleashed 7,000 attacks per day as an e-mail distributed denial-of-service (DDoS) worm  5/16/01                   6/22/02             402
Frethem        Spread 12 variants in the first 12 months of activity                                   5/16/01                   06/01/02            381
ELKern         Found in more than 40 countries                                                         5/16/01                   4/17/02             336
Klez           Infected 7.2% of computers worldwide                                                    5/16/01                   4/17/02             336
Nimda          Spread worldwide in 30 minutes                                                          10/17/00                  9/18/01             336
Badtrans       Infected almost half a million computers                                                5/16/01                   11/24/01            192
SQL Slammer    Doubled the number of infections every 8.5 seconds                                      7/24/02                   1/25/03             185
Code Red       Doubled the number of infections every 37 minutes                                       6/18/01                   7/19/01             31
Blaster        Infected more than 1.4 million computers                                                7/16/03                   8/11/03             26
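As an added example (not from the textbook), the following Python script recomputes the last column of Table 1-1 from the table's own dates, summarizes the patch-to-attack windows, and then applies the shortest observed window as a patching deadline to a constructed host inventory; the hostnames and patch identifiers in that inventory are hypothetical.

```python
"""Patch-to-attack window analysis using the ten attacks listed in Table 1-1.

Added example, not code from the textbook. Attack names and dates are the
table's own; the host inventory near the bottom is constructed for illustration.
"""
from datetime import date
from statistics import median

# (attack name, date patch first issued, date attack began), taken from Table 1-1
TABLE_1_1 = [
    ("Bugbear",     date(2001, 5, 16),  date(2002, 9, 30)),
    ("Yaha",        date(2001, 5, 16),  date(2002, 6, 22)),
    ("Frethem",     date(2001, 5, 16),  date(2002, 6, 1)),
    ("ELKern",      date(2001, 5, 16),  date(2002, 4, 17)),
    ("Klez",        date(2001, 5, 16),  date(2002, 4, 17)),
    ("Nimda",       date(2000, 10, 17), date(2001, 9, 18)),
    ("Badtrans",    date(2001, 5, 16),  date(2001, 11, 24)),
    ("SQL Slammer", date(2002, 7, 24),  date(2003, 1, 25)),
    ("Code Red",    date(2001, 6, 18),  date(2001, 7, 19)),
    ("Blaster",     date(2003, 7, 16),  date(2003, 8, 11)),
]


def days_between(patch_issued: date, attack_began: date) -> int:
    """Days an unpatched system stayed exposed before the attack appeared."""
    return (attack_began - patch_issued).days


def patch_windows(rows=TABLE_1_1) -> dict:
    """Map attack name -> days between patch release and attack (Table 1-1's last column)."""
    return {name: days_between(issued, began) for name, issued, began in rows}


def window_summary(rows=TABLE_1_1) -> dict:
    """Shortest, median and longest patch-to-attack window across the table."""
    windows = sorted(patch_windows(rows).values())
    return {"min": windows[0], "median": median(windows), "max": windows[-1]}


def overdue_hosts(inventory, today: date, max_days: int) -> list:
    """Flag hosts whose missing patches have been available for at least max_days.

    inventory: list of (hostname, {patch_id: date_released}) for patches NOT yet installed.
    Returns (hostname, patch_id, days_exposed) triples, longest exposure first.
    The check is inclusive (>=) because Blaster struck exactly 26 days after its patch.
    """
    flagged = []
    for host, missing in inventory:
        for patch_id, released in missing.items():
            exposed = (today - released).days
            if exposed >= max_days:
                flagged.append((host, patch_id, exposed))
    return sorted(flagged, key=lambda row: -row[2])


# Constructed sample inventory: hypothetical hostnames and patch identifiers.
SAMPLE_INVENTORY = [
    ("web01", {"PATCH-A": date(2003, 7, 16)}),                          # released the day the Blaster patch was
    ("db02",  {"PATCH-B": date(2003, 8, 1), "PATCH-C": date(2003, 5, 2)}),
    ("ws17",  {}),                                                       # fully patched
]


def overdue_sample() -> list:
    """Apply the shortest window in Table 1-1 (26 days) to the sample inventory on 8/11/03."""
    return overdue_hosts(SAMPLE_INVENTORY, date(2003, 8, 11), window_summary()["min"])


if __name__ == "__main__":
    for name, days in patch_windows().items():
        print(f"{name:12s} {days:4d} days")
    print("summary:", window_summary())
    print("overdue:", overdue_sample())
```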
These trends have resulted in security attacks growing at an alarming rate. The Computer
Emergency Response Team (CERT) security organization compiles statistics regarding the
number of reported incidents of attacks. Table 1-2 shows the explosive growth of these
incidents.
Table 1-2   Number of reported incidents

Year   Reported Incidents
1988   6
1990   252
1992   773
1994   2,340
1996   2,573
1998   3,734
2000   21,756
2001   52,658
2002   82,094
2003   137,529
The increased challenge of computer security can be illustrated by an attack released in late
2003. Posing as an official e-mail software security update from Microsoft, a malicious
program prompted users with “Yes” or “No” buttons to agree to install an update. Regardless
of which choice users made, the malicious software was installed on their computer. It
launched whenever Windows was started and then detected and disabled antivirus software
or other Windows security features that could be used to disable it.
To apply the concepts in this topic, see Hands-On Projects 1-2,
1-3, and 1-4 at the end of this chapter.
DEFINING INFORMATION SECURITY
In a general sense, security is defined as a state of freedom from danger or risk. For example,
a nation’s security depends on its military having the strength to protect its citizens from a
hostile outside force. The nation enjoys this state of freedom because protective measures are
established and maintained. However, the mere existence of an army does not guarantee that
a nation will never be attacked. Attacks from powerful outside forces can come at any time.
The goal of national security is to defend against these inevitable attacks so that the nation
itself does not collapse.
The term information security describes the tasks of guarding digital information, which
is typically processed by a computer (such as a personal computer), stored on a magnetic or
optical storage device (such as a hard drive or DVD), and transmitted over a network (such
as a local area network or the Internet). To create a more precise definition of information
security, consider the goals of information security and how they are accomplished.
First, information security ensures that protective measures are properly implemented. Just as
with national security, information security cannot completely prevent attacks or guarantee
that a system is totally secure. Rather, information security creates a defense that attempts to
ward off attacks and prevents the collapse of the system when an attack occurs. Thus,
information security is protection.
Second, information security is intended to protect information. Information must be
protected because it has value, and that value comes from the characteristics of the
information. Three of the characteristics of information that must be protected by information security are:
1. Integrity—Integrity ensures that the information is correct and that no unauthorized person or malicious software program can or has altered that data.
2. Confidentiality—Confidentiality ensures that only authorized parties can view
information.
3. Availability—Although a secure computer must restrict access attempts by unauthorized users, it must still make the data available to allow authorized users
immediate access.
It is these three characteristics of information that information security attempts to
safeguard. Thus information security protects the integrity, confidentiality, and availability of
information.
Information security involves more than protecting the information itself. The third
objective of information security is illustrated in Figure 1-1. The center of the diagram
shows what needs to be protected, which is information. Because this information is stored
on computer hardware, manipulated by software, and transmitted by communications, each
of these areas must also be protected. Thus, information security protects the integrity,
confidentiality, and availability of information on the devices that store, manipulate, and transmit
the information.
Finally, information security is achieved through a combination of three entities. Returning
to Figure 1-1, information, hardware, software, and communications are protected in three
successive layers. The innermost layer consists of the products that provide the necessary
security. These products can be as basic as door locks or as complicated as intrusion-detection systems and firewalls. They form the physical security around the data. The next
layer is people. Without people implementing and properly using the security products, the
data can never be protected. The final layer consists of procedures, which include the plans
and policies established by an organization to ensure that people correctly use the products.
These three layers interact with each other. The procedures tell the people how to use the
products to protect the information. Thus, information security protects the integrity,
confidentiality, and availability of information on the devices that store, manipulate, and
transmit the information through products, people, and procedures.
UNDERSTANDING THE IMPORTANCE OF INFORMATION SECURITY
Information security is important to businesses and individuals because it can prevent data
theft, avoid the legal consequences of not securing information, maintain productivity, foil
cyberterrorism, and thwart identity theft. The following sections discuss these reasons in
more detail.
Preventing Data Theft
Security is often associated with theft prevention. Drivers install security systems on their
cars to prevent the cars from being stolen. The same is true with information security:
Figure 1-1   Information security components
[Diagram: information (confidentiality, integrity, availability) at the center; hardware, software, and communications around it; three successive outer layers: products (physical security), people (personnel security), and procedures (organizational security).]
businesses often cite preventing data theft as the primary goal of information security. Data
theft involves stealing proprietary business information such as research for a new drug or a
list of customers that competitors are eager to acquire.
The theft of data is the single largest cause of financial loss due to a security breach. In the
latest Federal Bureau of Investigation (FBI) annual Computer Crime and Security Survey,
more than 500 U.S. businesses lost an average of about $6.5 million each because of data
theft. Several businesses reported that data theft resulted in losses exceeding $50 million. Of
the companies included in the FBI survey, the estimated total annual loss due to data theft
was more than $170 million.
The actual figure of estimated loss could be much higher than $170 million
considering that some businesses might have been reluctant to report losses
because of the bad publicity it could generate.
Data theft is not limited to businesses. Individuals can likewise be victims of data thievery.
The number of reported incidents of credit card numbers stolen from Internet computers
continues to soar, with one bank reporting losses from the fraudulent use of online credit
card information approaching $4 million annually.
One of the most important objectives of information security is to protect important
business and personal data from theft. Because of its high dollar impact, some industry
experts consider the prevention of data theft as the most important job of information
security.
Avoiding Legal Consequences
In recent years, a number of federal and state laws have been enacted to protect the privacy
of electronic data. Businesses that fail to protect data may face serious penalties. Some of
these laws include the following:
■ The Health Insurance Portability and Accountability Act of 1996 (HIPAA)—Under the
Health Insurance Portability and Accountability Act (HIPAA), healthcare
enterprises must guard protected health information and implement policies and
procedures to safeguard it, whether it be in paper or electronic format. HIPAA has
two parts. Title I protects health insurance coverage for workers and their families.
Title II simplifies health insurance administration by putting a government agency
in charge of national standards for electronic healthcare transactions and national
identifiers for healthcare providers and employers. Those who wrongfully disclose
individually identifiable health information with the intent to sell it can be fined
up to $250,000 and spend 10 years in prison.
■ The Sarbanes-Oxley Act of 2002 (Sarbox)—As a reaction to a rash of corporate fraud,
the Sarbanes-Oxley Act (Sarbox) is an attempt to fight corporate corruption.
Sarbox covers the corporate officers, auditors, and attorneys of publicly traded
companies. Stringent reporting requirements and internal controls on electronic
financial reporting systems are required. Corporate officers who willfully and
knowingly certify a false financial report can be fined up to $5 million and serve
20 years in prison.
■ The Gramm-Leach-Bliley Act (GLBA)—Like HIPAA, the Gramm-Leach-Bliley
Act (GLBA) protects private data. GLBA requires banks and financial institutions
to alert customers of their policies and practices in disclosing customer
information. All electronic and paper records containing personally identifiable financial
information must be protected. The penalty for noncompliance for a class of
individuals is up to $500,000.
■ USA PATRIOT Act (2001)—Passed shortly after the terrorist attack of September
11, 2001, the USA PATRIOT Act is designed to broaden the surveillance of law
enforcement agencies so they can detect and suppress terrorism. Businesses,
organizations, and even colleges must provide information, including records and
documents, to law enforcement agencies under the authority of a valid court order,
subpoena, or other authorized agency. These records include borrowed print
material from a college library, Internet site access, and e-mail and telephone
communications. The act also authorizes law enforcement to install electronic
monitoring devices to assess computer and telephone usage. There are a variety of
penalties for violating this act.
■ The California Database Security Breach Act (2003)—The California Database
Security Breach Act is a state law covering any state agency, person, or company
that does business in California. It requires businesses to inform California residents within 48 hours if a breach of personal information has or is believed to have
occurred. It defines personal information as a name with a social security number,
driver’s license number, state ID card, account number, credit card number, or debit
card number and required security access codes.
■ Children’s Online Privacy Protection Act of 1998 (COPPA)—In November 1998, the
U.S. Congress passed the Children’s Online Privacy Protection Act
(COPPA) and directed the Federal Trade Commission (FTC) to establish rules for
its implementation. COPPA requires operators of online services or Web sites
designed for children under the age of 13 to obtain parental consent prior to the
collection, use, disclosure, or display of a child’s personal information. The same
requirements apply to general-audience sites and services when the operator
actually knows that it is collecting, using, or disclosing a child’s personal
information. COPPA also prohibits sites from limiting children’s participation in
an activity unless they disclose more personal information than is reasonably
necessary to participate.
The penalties for violating these laws can be severe. Businesses and individuals must make
every effort to keep electronic data secure from hostile outside forces to ensure compliance
with these laws and avoid serious legal consequences.
Maintaining Productivity
After an attack on information security, clean-up efforts divert resources, such as time and
money, away from normal activities. Employees cannot be productive and complete important tasks during an attack and cleanup because computers and networks cannot function
properly. According to a Corporate IT Forum survey of major corporations, each attack
costs a company an average of $213,000 in lost man-hours and related costs, while one-third
of the corporations reported an average of more than 3,000 man-hours lost. Results from
the latest Computer Crime and Security Survey, conducted with the FBI and the Computer
Security Institute (CSI), indicate that virus attacks alone cost more than $27 million. The
most expensive malicious attack on record, the 2000 Love Bug, cost an estimated $8.7
billion. Table 1-3 provides an estimate of the lost salary and productivity during a virus attack
and cleanup for businesses with 100, 250, 500, and 1000 employees.
Table 1-3   Cost of attacks

Number of Total   Average Hourly   Number of Employees   Hours Required to Stop   Total Lost   Total Lost Hours
Employees         Salary           to Combat Attack      Attack and Clean Up      Salaries     of Productivity
100               $25              1                     48                       $4,066       81
250               $25              3                     72                       $17,050      300
500               $30              5                     80                       $28,333      483
1000              $30              10                    96                       $220,000     1,293
Spam, or unsolicited e-mail messages, was originally considered to be more of a nuisance
than a security breach. However, because many computer attacks can be launched through
e-mail messages, most network professionals now count spam as a security risk. Although
you can take steps to restrict spam from entering your e-mail account, many unsolicited
messages can still slip through. According to Ferris Research, spam now accounts for 30% of
the total number of daily e-mail messages sent in the United States. Ferris estimates that U.S.
businesses lose $9 billion each year in productivity as employees spend time trying to restrict
spam and deleting spam from their e-mail accounts.
By the year 2007, Ferris estimates that the percentage of spam e-mails will
increase to more than 70% of the total e-mail messages sent.
Foiling Cyberterrorism
An area of growing concern among many defense experts is surprise attacks by terrorist
groups using computer technology and the Internet. These attacks could cripple a nation’s
electronic and commercial infrastructure. Such an attack is called cyberterrorism. Utility
companies, telecommunications, and financial services are considered prime targets of
cyberterrorists because they can significantly disrupt business and personal activities by
destroying a few targets. For example, disabling an electrical power plant could cripple
businesses, homes, transportation services, and communications over a wide area.
In August 2003, a malicious program launched through the Internet actually
disabled portions of an Ohio nuclear power plant’s monitoring system.
One challenge in combating cyberterrorism is that many prime targets are not owned and
managed by the federal government. For example, almost 85% of the nation’s most critical
computer networks and infrastructures are owned and managed by private companies.
Because these networks are not centrally controlled by the government, it is difficult to
maintain security.
Information security is the key to ensuring that the nation’s ability to withstand an attack
and respond appropriately is not compromised. Many industry experts believe that security
to protect against cyberterrorism is vital in the nation’s war against terrorism.
Thwarting Identity Theft
Identity theft involves using someone’s personal information, such as social security numbers, to establish bank or credit card accounts that are then left unpaid, leaving the victim
with the debts and ruining their credit rating. In some instances, thieves have bought cars and
houses by taking out loans in someone else’s name. According to the Federal Trade
Commission (FTC), at least seven million Americans, or about 3.4% of the adult population, have been victims of identity theft with almost 750,000 new victims annually.
More than 28% of identity theft victims are between the ages of 18 and 29.
According to the Identity Theft Resource Center, a victim of identity theft
spends an average of more than 600 hours and $1,400 of out-of-pocket
expenses restoring their credit by contacting credit bureaus, canceling credit
cards, and negotiating with creditors.
National, state, and local legislation continues to be enacted to deal with the growing
problem of identity theft. For example, the Fair and Accurate Credit Transactions Act of 2003
is a federal law that addresses identity theft. This law establishes a national system of fraud
detection and alerts, and requires credit agencies to identify patterns common to identity
theft to prevent its occurrence. Consumers can also receive a free copy of their credit report
each year to help recognize more quickly when their identity has been stolen. However,
industry experts agree that the best defense against identity theft is to prevent private data
from being stolen. It is the role of information security to thwart identity theft by making
it more difficult for thieves to break into computers and networks that contain personal
information.
Based on the number of convictions, identity thieves today have about a 1 in
700 chance of being caught by authorities.
UNDERSTANDING INFORMATION SECURITY TERMINOLOGY
As with many advanced subjects, information security has its own terminology. The
following scenario helps to illustrate information security terms and how they are used.
Amanda wants to purchase a new stereo for her car. However, because several cars have been
broken into near her apartment, she is concerned about someone stealing the stereo.
Although she locks her car whenever she parks it, a hole in the fence surrounding her
apartment complex makes it possible for someone to access the parking lot without
restriction. Amanda’s car and the threats to her car stereo are illustrated in Figure 1-2.
Figure 1-2   Amanda’s car stereo
[Diagram: car stereo (asset); thief (threat agent); loss of stereo (threat); fence hole (vulnerability); exploit (go through fence hole); risk (likelihood the stereo is stolen).]
Amanda’s new car stereo is an asset, which is something that has a value. What Amanda is
trying to protect her new car stereo from is a threat, which is an event or object that might
defeat the security measures in place and result in a loss. Information security threats are
likewise events or actions that represent a danger to information. A threat by itself does not
mean that security has been compromised; rather, it simply means that the potential for
creating a loss is real. Although for Amanda the loss would be the theft of her stereo, in
information security a loss can be the theft of information, a delay in transmitting
information that results in a financial penalty, or the loss of good will or a reputation.
A threat agent is a person or thing that has the power to carry out a threat. For Amanda,
the threat agent is a thief. In information security, a threat agent could be a person
attempting to break into a secure computer network. It could also be a force of nature such
as a tornado or flood that could destroy computer equipment and thus destroy information,
or it could be a virus that attacks a computer network.
Amanda wants to protect her new car stereo and is concerned about a hole in the fence
surrounding her apartment’s parking lot. The hole in the fence is a vulnerability or
weakness that allows a threat agent to bypass security. An example of a vulnerability that
information security must deal with is a software defect in an operating system that allows
an unauthorized user to gain access to a computer without a password.
If a thief can get to Amanda’s car because of the hole in the fence, then that thief is taking
advantage of the vulnerability. This is known as exploiting the security weakness. Hackers
who send infected e-mail messages to users knowing that their e-mail system does not scan
attachments for a virus are exploiting a vulnerability.
Amanda must decide if the risk of theft is too high for her to purchase the new stereo. A risk
is the likelihood that the stereo will be stolen. In information security, a risk is the likelihood
that a threat agent will exploit a vulnerability. Realistically, risk cannot ever be entirely
eliminated; it would cost too much and take too long. Rather, some degree of risk must
always be assumed. Organizations should ask, “How much risk can we tolerate?” They have
three options when answering that question: accept the risk, diminish the risk, or transfer the
risk. In Amanda’s case, she could accept the risk and buy the new stereo, knowing that the
chances of it being stolen are high. Or she could diminish the risk by parking the car in a
locked garage when possible and not letting anyone borrow her car keys. A third option is
for Amanda to transfer the risk to someone else by purchasing additional car insurance. The
insurance company would then absorb the loss and pay her if the stereo is stolen. In
information security, most risks should be diminished if possible.
Table 1-4 summarizes information security terms.

Table 1-4 Information security terminology

Term            Example in Amanda’s Scenario      Example in Information Security
Asset           Car stereo                        Employee database
Threat          Steal stereo from car             Steal data
Threat agent    Thief                             Attacker, virus, tornado
Vulnerability   Hole in fence                     Software defect
Exploit         Climb through hole                Send virus to unprotected e-mail server
Risk            Transfer to insurance company     Educate users

EXPLORING THE COMPTIA SECURITY+ CERTIFICATION EXAM
Since 1982, the Computing Technology Industry Association (CompTIA) has been working
to advance the growth of the IT industry and those people working within it. With more
than 19,000 members in 89 countries, CompTIA is the leading global IT trade association
and has influence in all areas of the IT industry worldwide.
CompTIA is also the world’s largest developer of vendor-neutral IT certification exams.
Experts and industry leaders from the public and private sectors, including corporate
training, government, and colleges and universities, work with CompTIA to develop exams
that validate an individual’s IT skill set. This group of experts provides the resources and
subject-matter expertise necessary to build a vendor-neutral industry-defined exam. Currently, more than 600,000 people worldwide have received a CompTIA certification.
The CompTIA Security+ certification tests for mastery in security concepts and practices.
The exam was designed with input from security industry leaders, such as VeriSign,
Symantec, RSA Security, Microsoft, Sun, IBM, Novell, and Motorola. The group concluded
that foundational security knowledge required, on average, either two years of on-the-job
networking experience with some emphasis on security or equivalent classroom and
laboratory work. The exam covers a variety of industry topics, including communications
security, infrastructure security, operational and organizational security, and the basics of
cryptography. It also requires well-rounded knowledge of general security concepts—access
control, authentication, attack and malicious code risk reduction, auditing, logging, and
system scanning, as well as the nuances of social engineering and the risks associated with it.
The Security+ exam is designed to ensure that those passing the test have the minimum
acceptable level of IT security knowledge for a person to effectively perform an information
security role.
The Security+ exam is designed to cover a broad range of security topics. The topics are
categorized into five areas or domains. Table 1-5 lists the domains and the percentage of
questions from each domain.
Table 1-5 Security+ domains

Security+ Domain                            Percentage of Test Questions
General security concepts                   30
Communication security                      20
Infrastructure security                     20
Basics of cryptography                      15
Operational and organizational security     15
SURVEYING INFORMATION SECURITY CAREERS
One of the fastest growing career fields is information security. As information attacks
increase, companies are becoming more aware of their vulnerabilities and are looking for
ways to reduce their risks and liabilities. Information security spans the entire business
enterprise from top to bottom and affects the daily activities of every employee. This creates
a wide range of job opportunities.
Whereas in the past, security professionals were almost exclusively technicians, their role
today has broadened. Not only must information security personnel know how to install a
firewall, but they must understand and communicate why the equipment is needed and why
an organization must develop strong policies, perform auditing, and encourage enforcement.
Information security jobs are sometimes divided into three general roles: security management, security engineering, and security administration. A security manager focuses on
developing corporate security plans and policies, providing education and awareness, and
communicating with executive management about security issues. Security engineers
design, build, and test security solutions to meet the policies while still addressing business
needs. Security administrators configure and maintain security solutions to ensure proper
service levels and availability. They also maintain the services in production by troubleshooting and monitoring security.
If you want to enter the field of information security, the training and background you need
depend on which role you want to perform—administration, engineering, or management.
However, all roles share some particular requirements. You should have a strong technology
background, a willingness to keep learning, a sense of how to balance risk with the costs,
excellent communication skills, and the highest level of integrity.
Certifications such as CompTIA Security+ are becoming more important for jobs in
information security. Certifications help employers determine who has the skills and
knowledge necessary to secure their systems and data. Students with the Security+ certification have clearly demonstrated that they possess the necessary skill sets, have a current
knowledge base, and can handle challenging tasks. In addition, those employed in information security must continue their professional education to achieve higher levels of certifications and advanced degrees.
CHAPTER SUMMARY
The challenge of keeping computers secure is becoming increasingly difficult. Attacks can
be launched without human intervention and infect millions of computers in a few
hours. Attacks are also becoming more complex and harder to identify. Weaknesses in
hardware and software are being discovered daily, making it difficult to keep pace with the
long list of patches that software vendors release. Distributed attacks from thousands of
computers make isolating and shutting off the attack at the source almost impossible.
These and other factors make information security an ever-increasing challenge.
Information security protects the integrity, confidentiality, and availability of information
on the devices that store, manipulate, and transmit the information through products,
people, and procedures.
Preventing the theft of information is generally the single most important reason for
protecting data. Other reasons include avoiding legal consequences, maintaining productivity, foiling cyberterrorism, and thwarting identity theft.
Information security has its own set of terminology. A threat is an event or an action that
can defeat security measures and result in a loss. A threat agent is a person or thing that has
the power to carry out a threat. A vulnerability is a weakness that allows a threat agent to
bypass security. Taking advantage of a vulnerability is called an exploit. A risk is the
likelihood that a threat agent will exploit a vulnerability.
CompTIA has been working to advance the growth of the IT industry and those
individuals working within it. CompTIA is also the world’s largest developer of vendor-neutral IT certification exams. The CompTIA Security+ certification tests for security
knowledge mastery. The Security+ exam is designed to ensure that those passing the test
have the minimum acceptable level of IT security knowledge for a person to effectively
perform an information security role.
Careers in information security can be rewarding and challenging. There is a high demand
for security professionals in IT management, engineering, and administration. Those with
the CompTIA Security+ certification have clearly demonstrated their expertise in
security fundamentals.
KEY TERMS
asset — An entity that has value.
California Database Security Breach Act — A state act that requires disclosure to
California residents if a breach of personal information has or is believed to have occurred.
Children’s Online Privacy Protection Act (COPPA) — A federal act that requires
operators of online services or Web sites directed at children under the age of 13 to obtain
parental consent prior to the collection, use, disclosure, or display of a child’s personal
information.
cyberterrorism — A surprise attack by terrorist groups using computer technology and
the Internet that could cripple a nation’s electronic and commercial infrastructure.
day zero attack — An attack based on a previously unknown flaw that provides zero days
of warning.
exploit — To take advantage of a vulnerability.
Gramm-Leach-Bliley Act (GLBA) — A federal act that requires private data to be
protected by banks and other financial institutions.
Health Insurance Portability and Accountability Act (HIPAA) — A federal act that
requires healthcare enterprises to guard protected health information.
information security — The protection of the integrity, confidentiality, and availability of
information on the devices that store, manipulate, and transmit the information through
products, people, and procedures.
patch — A software update to fix a security flaw or other problem.
risk — The likelihood that a threat agent will exploit a vulnerability.
Sarbanes-Oxley Act (Sarbox) — A federal act that enforces reporting requirements and
internal controls on electronic financial reporting systems.
threat — An event or action that might defeat security measures in place and result in a loss.
threat agent — A person or thing that has the power to carry out a threat.
USA PATRIOT Act — A federal act that broadens the surveillance of law enforcement
agencies to enhance the detection and suppression of terrorism.
vulnerability — A weakness that allows a threat agent to bypass security.
REVIEW QUESTIONS
1. Each of the following factors illustrates why information security is increasingly difficult except ________.
a. faster computer processors
b. growing sophistication of attacks
c. faster detection of weaknesses
d. distributed attacks
2. A type of software that repairs security flaws in an application is called a(n) ________.
a. hot fix
b. exploit
c. repair
d. patch
3. The primary goal of information security is to protect ________.
a. procedures
b. people
c. information
d. products
4. Each of the following is a characteristic of information except ________.
a. integrity
b. confidentiality
c. conformity
d. availability
5. Each of the following is intended to protect information except ________.
a. people
b. policies
c. equipment
d. confidentiality
6. Information security procedures tell people how to use products to protect
information. True or false?
7. Hackers now use protocols such as the Hypertext Transfer Protocol (HTTP) to send
data or commands to attack computers, making it difficult to distinguish an attack
from legitimate network traffic. True or false?
8. The theft of data is the least significant cause of financial loss due to a security
breach. True or false?
9. Integrity ensures that information is correct and that no unauthorized person or
malicious software program can alter or has altered that data. True or false?
10. Attackers can now use hundreds or thousands of computers in an attack against a
single computer or network, making it impossible to stop an attack by identifying
and blocking the source. True or false?
11. While most attacks today take advantage of vulnerabilities that someone has already
uncovered, a(n) ________ occurs when a hacker discovers and exploits a
previously unknown flaw.
12. ________ involves assuring that only authorized parties can view
information.
13. Under the ________, healthcare enterprises must guard protected health
information and implement policies and procedures to safeguard it.
14. The ________ act is designed to broaden the surveillance of law enforcement agencies to help them detect and suppress terrorism.
15. Attacks by terrorists using computer technology and the Internet are called
________.
16. What is a distributed attack?
17. What is the difference between a threat and a threat agent?
18. What is a risk and how can it be mitigated?
19. Explain how people, products, and procedures help protect information.
20. Identify some problems with software patches when trying to protect information.
HANDS-ON PROJECTS
Project 1-1: Installing and Managing Microsoft Windows
Updates
One of the most important tasks in keeping a personal computer secure is to install patches,
or updates, to the operating system. In this project, you will install the latest Windows
updates on your computer and then set up your computer to automatically download the
updates. You should be using a computer running Windows XP that is connected to the
Internet. If you are using a computer in a school’s computer lab or another computer that
is not your own, you should first talk to the lab manager or network administrator. You might
need special permissions set to complete this project.
1. On a Windows XP computer, click Start, point to All Programs, and then click
Windows Update. Internet Explorer starts and connects you to the Microsoft Windows Update Web site, shown in Figure 1-3.
Figure 1-3 Microsoft Windows Update Web site
2. Click Scan for updates. Windows Update checks your computer’s operating system
to determine if the latest patches have been installed. Patches are divided into three
categories: Critical Updates and Service Packs (updates you should install for security
and performance), Windows XP (recommended updates to the operating system),
and Driver Updates (recommended updates to driver software).
3. Click Review and install updates. In the right pane, Windows Update lists any
Critical Updates or Service Packs that need to be installed. Follow the instructions
on the screen, and then return to the Windows Update Web site, restarting your
computer, if necessary.
4. To also install Windows XP updates, click Windows XP in the left pane and then
click the Add button next to each update in the right pane that you want to install,
as shown in Figure 1-4. (Your list of updates will vary.) To install driver updates, click
Driver Updates in the left pane, and then click the Add button to select the driver
updates you want to install.
5. Click Review and install updates. Windows Update lists the updates that you
selected, displays their total size, and estimates how long it will take to download and
install them. Click the Install Now button to install the updates, which might take a
few minutes.
6. After Windows Update downloads and installs the updates, you might be instructed
to restart your computer. Click the OK button to restart your computer. If you are
not instructed to restart your computer, close Internet Explorer.
Figure 1-4 Adding Windows XP updates
Although you can check for updates at any time, it is easier to have Windows automatically
check for you. You set up automatic updates using the System Properties dialog box.
1. To open the System Properties dialog box, hold down the Windows key and press
the Break key (located above the Page Up key on most keyboards). Or you can
click Start and then click Control Panel. If the Control Panel window opens in
Category view, click Performance and Maintenance, and then click System. If
the Control Panel window opens in Classic view, double-click System.
2. In the System Properties dialog box, click the Automatic Updates tab to display
the Automatic Updates options, shown in Figure 1-5.
3. If necessary, check the Keep my computer up to date box.
4. In the Settings area, click the Download the updates automatically and notify
me when they are ready to be installed option button. Your computer will
automatically download any Critical Updates and Service Packs from the Microsoft
Web site when they are available. However, they will not be installed until you give
approval.
5. Click Apply and then OK.
Project 1-2: Analyzing Security Using the Microsoft Baseline
Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) is a tool that allows you to scan one or
more Windows computers for common security holes. When MBSA scans a Windows
computer, it checks the operating system and other installed Microsoft components to
determine whether the security settings are properly configured and reflect current recommended security updates.
Figure 1-5 Automatic Updates options in the System Properties dialog box
In this project, you will install and use the MBSA. You should be using a computer running
Windows XP that is connected to the Internet. If you are using a computer in a school’s
computer lab or another computer that is not your own, you should first talk to the lab
manager or network administrator. You might need special permissions set to complete this
project.
1. On a computer using Windows XP, use Internet Explorer to go to the MBSA Web
page at www.microsoft.com/technet/security/tools/mbsahome.mspx.
Content on Microsoft’s Web site is frequently moved. If you cannot reach the MBSA
page at this link, go to www.microsoft.com and search for MBSA.
2. In the Download Now section, click the link for the English language version.
Note that MBSA can be installed and run on Microsoft Windows 2000 Server,
Windows 2000 Professional, Windows XP Home Edition, Windows XP Professional,
and Windows Server 2003. It does not run on Windows 95, 98, or Me systems.
3. When the File Download dialog box appears, click Open.
4. When the Microsoft Baseline Security Analyzer Setup Wizard appears, click Next.
5. Click I accept the license agreement and then click Next.
6. When asked for a destination folder, click Next to accept the default location.
7. Click Install.
If your antivirus program displays a warning about detecting a script, follow the
instructions to authorize this script to execute.
8. When a message appears indicating that the MBSA has been set up, click OK.
Now you are ready to run the MBSA tool to check for security vulnerabilities on your
computer.
1. Double-click the Microsoft Baseline Security Analyzer icon on your desktop.
(You can also click Start, point to All Programs, and then click Microsoft Baseline Security Analyzer 1.2.) The Microsoft Baseline Security Analyzer window
opens, shown in Figure 1-6.
Figure 1-6 Microsoft Baseline Security Analyzer window
2. Click Scan a computer.
3. When asked to pick a computer to scan, click Start scan.
The MBSA scans the computer for weaknesses (which might take a few minutes), and
then displays the results in a security report, as shown in Figure 1-7. Scroll through the
report.
The report lists the weaknesses on this computer. Those with a red X indicate that
action must be taken immediately, while those with a yellow X mean action should be
taken soon. A green check mark means that no action is needed, while a blue asterisk
means that this item was skipped. For items with a red or yellow X, click What was
scanned, then click Result details, and finally click How to correct this, reading
each description and closing the window when you’re finished. Try to correct each
problem.
4. In the Actions section in the left pane, click Print, and then click the Print button
in the Print dialog box to print a copy of the report.
5. Close the Microsoft Baseline Security Analyzer window.
Figure 1-7 Microsoft Baseline Security Analyzer report
Project 1-3: Locating Open Ports Using ShieldsUp!
Recall that the Transmission Control Protocol (TCP) portion of the Transmission Control
Protocol/Internet Protocol (TCP/IP) suite is responsible for the reliable transmission of data
from one host to another, and is based on port numbers. Just as an IP address indicates the
address of a host computer on a network, a port number identifies what program or service
on the receiving computer is being accessed. There are a total of 65,535 available port
numbers, while 1,023 are called well-known port numbers, which are associated with
particular programs or services. Some of the well-known port numbers are 21 (FTP service),
23 (Telnet), 25 (e-mail), and 80 (HTTP).
Because an open port serves as an entry point into a computer, several Web-based tools can
analyze the security of a computer by sending probes to determine which ports appear open
to the outside world. Attackers can take advantage of open ports to transmit malicious code
to your computer when it is connected to the Internet or another network. In this project,
you will analyze your computer using Gibson Research’s ShieldsUp!. You should be using a
computer running Windows XP that is connected to the Internet.
1. On a computer using Windows XP, use Internet Explorer to go to the Web site
www.grc.com. Wait to be redirected to the ShieldsUp! page.
2. Scroll down, and then click ShieldsUp!.
Content on the Web site periodically changes. You might need to search the site for a
link to the ShieldsUp! page.
3. If you receive a security alert that you are now viewing a secure page, click OK.
4. Click the Proceed button. If you receive a security alert that you are now leaving a
secure page, click Yes.
The ShieldsUp! page opens, shown in Figure 1-8.
Figure 1-8 Shields Up! Web page
5. Click the File Sharing button. Shields Up! probes your computer to determine
what information hackers can find on your computer. A report like the one shown
in Figure 1-9 appears.
Figure 1-9 File sharing report
6. Print the File Sharing report by clicking File on the menu bar, clicking Print, and
then clicking the Print button in the Print dialog box.
7. Click the Back button on your browser to return to the ShieldsUp! page.
8. Click the All Service Ports button to scan additional openings on your computer.
When the scan is finished, scroll the report to view the results. See Figure 1-10.
Figure 1-10 Service ports report
9. Print the Service Ports report by clicking File on the menu bar, clicking Print, and
then clicking the Print button in the Print dialog box.
10. Close the browser window.
Project 1-4: Identifying Processes Using Open Ports
The ShieldsUp! program that you used in Project 1-3 might have identified which ports
appear open on your computer. In this project, you will identify the programs (also called
processes) that are using different ports. This information can be valuable if a port is
identified as being open. Simply closing the port could then result in that process being
unable to function properly. Instead, you should first examine the process to determine if it
is needed. You can turn off unnecessary processes and then close the port.
1. Click Start, point to All Programs, point to Accessories, and then click
Command Prompt to open a Command Prompt window.
2. Type netstat -ano and then press Enter to see the established connections and the
ports on which your computer is listening for new connections. See Figure 1-11.
Settings in the State column indicate whether the computer is “listening” on a
particular port or if the port is closed. The PID column lists unique numbers associated
with a process using that port.
3. To determine which process has a particular PID, right-click a blank area of the taskbar, and then click Task Manager to display the Windows Task Manager window.
4. Click the Processes tab.
5. Click View on the menu bar, and then click Select Columns. Check the PID
(Process Identifier) box, if necessary, and then click OK.
Figure 1-11 Netstat output
6. Click the PID column heading to sort the process by PID, as shown in Figure 1-12.
(The appearance of your window and the processes listed will vary.)
Figure 1-12 Windows Task Manager window
7. Using the information from the Netstat command, locate a port that is in “listening”
mode and find its PID. Then locate that same PID on the Task Manager screen to
identify the process.
8. Close all open windows.
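The port-to-process correlation that Projects 1-3 and 1-4 walk through by hand, as an added Python example that is not from the textbook: it parses constructed netstat -ano output, joins each listening socket to its owner through a constructed process list in the shape of tasklist /fo csv output (an assumption standing in for the Task Manager step), and labels the ports bound on all interfaces with the well-known service names Project 1-3 gives. The PIDs and image names in the samples are made up.

```python
"""Correlate listening ports with the processes that own them.

Added example for Projects 1-3 and 1-4; it is not code from the textbook.
The netstat and process-list text below is constructed for illustration
(made-up PIDs and image names), and the process list is in the shape of
`tasklist /fo csv` output, an assumption used here in place of reading
PIDs off the Task Manager window.
"""
import csv
import io
from collections import namedtuple

# Well-known ports named in Project 1-3; port 25 is the e-mail (SMTP) service.
WELL_KNOWN_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP (e-mail)", 80: "HTTP"}

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1832
  TCP    192.168.1.5:1044       192.168.1.1:80         ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of `tasklist /fo csv` output.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,952 K"
"inetinfo.exe","1480","Console","0","9,112 K"
"alg.exe","1832","Console","0","3,404 K"
"iexplore.exe","2212","Console","0","21,876 K"
'''

ListeningPort = namedtuple("ListeningPort", "proto address port pid process")


def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text):
    """Yield (proto, address, port, state, pid) for each socket line.

    TCP lines carry a State column; UDP lines do not, so the PID is
    always taken from the last field rather than a fixed position.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto, local = parts[0], parts[1]
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        address, port = local.rsplit(":", 1)  # handles [::]:80 as well
        yield proto, address, int(port), state, int(parts[-1])


def listening_ports(netstat_text, tasklist_text):
    """Join every TCP LISTENING socket and every bound UDP socket to its
    owning process by PID, which is the manual step 7 of Project 1-4."""
    pid_to_name = parse_tasklist(tasklist_text)
    records = []
    for proto, address, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not entry points
        records.append(ListeningPort(proto, address, port, pid,
                                     pid_to_name.get(pid, "<unknown>")))
    return sorted(records, key=lambda r: (r.proto, r.port))


def exposed_ports(records):
    """Keep only sockets bound on all interfaces; these are what an outside
    probe such as ShieldsUp! can see. Loopback-only listeners are excluded."""
    return [r for r in records if r.address in ("0.0.0.0", "[::]")]


def describe(record):
    """One report line: protocol, port, well-known service name, owner.
    The owner is what to examine before deciding whether to close the port."""
    service = WELL_KNOWN_PORTS.get(record.port, "not well-known")
    return (f"{record.proto} {record.port:<5} {service:<14} "
            f"pid={record.pid} {record.process}")


if __name__ == "__main__":
    for rec in exposed_ports(listening_ports(SAMPLE_NETSTAT, SAMPLE_TASKLIST)):
        print(describe(rec))
```

On a real machine the two inputs would come from running netstat -ano and tasklist /fo csv at the Command Prompt and pasting the output in place of the samples.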
CASE PROJECTS
Case Project 1-1: The Security Challenge
On your first day on the job as an IT intern, you attend a meeting with several department
heads regarding proposed budget reductions. One of the department heads suggests that
money for information security be cut by at least 40 percent because the company has not
been infected with a virus in the last three months, proving that the current defenses are
adequate. What would you say in response? Write a one-page memo that outlines why
security is more important today than ever before.
Case Project 1-2: Security for Everyone
Security experts agree that average home computer users have very little knowledge
regarding how to make their computers secure. How can this deficiency be addressed? What
suggestions would you offer to make more users security competent? Outline your ideas in
a one-page paper.
Case Project 1-3: Day Zero Attacks
The imminent threat of day zero attacks is of considerable concern to IT professionals and
all network users. Using the Internet and other sources, research day zero attacks. What are
some of the attacks that have occurred with no warning? What was their impact? What steps
are being taken to combat this threat? Should people who discover software vulnerabilities
be fined if they publicly release this information? Write a one-page paper on your findings.
Case Project 1-4: Federal Data Protection Laws
The Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act
(Sarbox), and the Gramm-Leach-Bliley Act (GLBA) are three recent federal laws that are
intended to protect private data. Do they go far enough? Research the basics of these three
acts. In your opinion, are they sufficient? Make two recommendations per act that you think
would make them better.
Case Project 1-5: Worms versus Viruses
The Western Consulting Group (WCG) provides services for a broad range of businesses in
your area. They ask you to help them with a project.
A local florist with three locations wants to offer Web-based ordering. However, the owner
(who does not have a technical background) believes that security concerns are “overblown”
because his computer at home has never been hit with a virus. WCG asks you to prepare a
PowerPoint presentation about the security issues that the florist might face. You can go to
www.cmsconnect.com/Marketing/CalcMain.htm and use the online cost calculators to help
determine how much the business could lose if hit by an attack. Limit your presentation to
about 15 minutes.