Instructor Solution Manual for Principles of Information Security 7th Edition
Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 1: Introduction to Information Security
Table of Contents
• Purpose and Perspective of the Module
• Cengage Supplements
• Module Objectives
• Complete List of Module Activities and Assessments
• Key Terms
• What's New in This Module
• Module Outline
• Discussion Questions
• Suggested Usage for Lab Activities
• Additional Activities and Assignments
• Additional Resources
    • Cengage Video Resources
    • Internet Resources
• Appendix
    • Grading Rubrics
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Purpose and Perspective of the Module
The first module of the course in information security provides learners with the foundational knowledge to become well versed in the protection that systems of any size need within an organization today. The module begins with fundamental knowledge of what information security is and how computer security evolved into what we now know as information security. Additionally, learners will gain knowledge of how information security can be viewed either as an art or a science and why that is the case.
Cengage Supplements
The following product-level supplements are available in the Instructor Resource Center and provide additional information that may help you in preparing your course:
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
1.1 Define information security.
1.2 Discuss the history of computer security and explain how it evolved into information security.
1.3 Define key terms and critical concepts of information security.
1.4 Describe the information security roles of professionals within an organization.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
1.1–1.2 | 2 | Icebreaker: Interview Simulation | 10 minutes
1.3 | 19–20 | Knowledge Check Activity 1 | 2 minutes
1.4 | 34–35 | Knowledge Check Activity 2 | 2 minutes
1.1–1.4 | 39–40 | Knowledge Check Activity 3 | 2 minutes
1.1–1.4 | MindTap | Module 01 Review Questions | 30–40 minutes
1.1–1.4 | MindTap | Module 01 Case Exercises | 30 minutes
1.1–1.4 | MindTap | Module 01 Exercises | 10–30 minutes per question; 1+ hour per module
1.1–1.4 | MindTap | Module 01 Security for Life | 1+ hour
1.1–1.4 | MindTap | Module 01 Quiz | 10–15 minutes
Key Terms
In order of use:
• computer security: In the early days of computers, this term specified the protection of the physical location and assets associated with computer technology from outside threats, but it later came to represent all actions taken to protect computer systems from losses.
• security: A state of being secure and free from danger or harm as well as the actions taken to make someone or something secure.
• information security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
• network security: A subset of communications security; the protection of voice and data networking components, connections, and content.
• C.I.A. triad: The industry standard for computer security since the development of the mainframe; the standard is based on three characteristics that describe the attributes of information that are important to protect: confidentiality, integrity, and availability.
• confidentiality: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
• personally identifiable information (PII): Information about a person’s history, background, and attributes that can be used to commit identity theft; it typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.
• integrity: An attribute of information that describes how data is whole, complete, and uncorrupted.
• availability: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
• accuracy: An attribute of information that describes how data is free of errors and has the value that the user expects.
• authenticity: An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
• utility: An attribute of information that describes how data has value or usefulness for an end purpose.
• possession: An attribute of information that describes how the data’s ownership or control is legitimate or authorized.
• McCumber Cube: A graphical representation of the architectural approach used in computer and information security that is commonly shown as a cube composed of 3×3×3 cells, similar to a Rubik’s Cube.
• information system: The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
• physical security: The protection of material items, objects, or areas from unauthorized access and misuse.
• bottom-up approach: A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
• top-down approach: A methodology of establishing security policies and/or practices that is initiated by upper management.
• chief information officer (CIO): An executive-level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information.
• chief information security officer (CISO): The title typically assigned to the top information security manager in an organization.
• data owners: Individuals who control and are therefore ultimately responsible for the security and use of a particular set of information.
• data custodians: Individuals who are responsible for the storage, maintenance, and protection of information.
• data stewards: See data custodians.
• data trustees: Individuals who are assigned the task of managing a particular set of information and coordinating its protection, storage, and use.
• data users: Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization’s planning and operations.
• community of interest: A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This Module was Chapter 1 in the 6th edition.
• The content that covered Systems Development was moved to Module 11: Implementation.
• The Module was given a general update and given more current examples.
Module Outline
Introduction to Information Security (1.1, 1.2, PPT Slides 4–17)
I. Recognize that organizations, regardless of their size or purpose, have information they must protect and store internally and externally.
II. Analyze the importance of, and the reasoning behind, an organization's responsibility for the information it collects, stores, and uses.
III. Review the concept of computer security and when the need for it initially arose.
IV. Discuss how badges, keys, and facial recognition of authorized personnel are required to access military locations deemed sensitive.
V. Describe the primary threats to security: physical theft of equipment, product espionage, and sabotage.
VI. Examine information security practices in the World War II era and compare them with modern-day needs.
The 1960s
I. Explain the purpose of the Department of Defense’s Advanced Research Projects Agency (ARPA) and its need to create redundant networked communications systems so that the military could exchange information.
II. Identify Dr. Larry Roberts as the creator of the ARPANET project, the forerunner of the modern-day Internet.
The 1970s and ’80s
I. Critique the use of ARPANET and how it became more widely used and, consequently, misused.
II. Recognize that Robert M. Metcalfe expressed concerns about ARPANET and how easily it could be hacked into because of password structure vulnerabilities, a lack of safety protocols, and widely distributed phone numbers for system access.
III. Conclude that the lack of controls in place gave users limited safeguards to protect themselves from unauthorized remote users.
IV. Discuss how dial-up connections lacked safety protocols when connecting to ARPANET.
V. Recall that authorization into the system and the lack of user identification were significant security risks for ARPANET during this time.
VI. Evaluate the movement toward stronger security protocols that followed from the conclusions of the Rand Report R-609.
VII. Relate how the need for physical security protocols grew to include computer security protocols as part of a holistic information security plan.
MULTICS
I. Define the purpose of the Multiplexed Information and Computing Service (MULTICS) and its importance to information security.
II. Relate that the restructuring of the MULTICS project created the UNIX operating system in 1969.
III. Contrast the fact that the MULTICS system had multiple security levels planned, whereas the new UNIX system did not include them.
IV. Examine the decentralization of data processing and why it is important to modern-day information security protocols.
V. Distinguish that in the late 1970s microprocessors transformed computing capabilities but also created new security threats.
VI. Recall that the Defense Advanced Research Projects Agency (DARPA) created the Computer Emergency Response Team (CERT) in 1988.
VII. Conclude that computer security was treated as a non-issue for federal information systems until the mid-1980s.
The 1990s
I. Understand that as computers and their networks became more common, the need to connect networks rose in tandem. Hence, the Internet was born out of the need for a global network of networks.
II. Analyze the consequences of the Internet's early exponential growth, which left security a low priority relative to other core components.
III. Identify that networked computers were the most common style of computing during this time. One result was a lessened ability to secure a physical computer, leaving stored data more exposed to internal and external security threats.
IV. Recognize that toward the turn of the new millennium, numerous large corporations demonstrated the need for, and the integration of, security in their internal systems. Antivirus products grew in popularity, and information security grew into its own discipline because of these proactive initiatives.
2000 to Present
I. Recall the fact that millions of unsecured computer networks and billions of computing devices are communicating with each other.
II. Recognize and apply the fact that cyberattacks are increasing and have caused governments and corporations to commit to stronger information security protocols.
III. Examine the exponential rise in mobile computing and how these devices bring their own set of vulnerabilities with respect to information security.
IV. Apply the fact that one’s ability to secure the information stored on a device is influenced by the security protocols of the other devices it is connected to.
V. Establish that wireless networks often have minimal security protocols in place and, with their associated risks, can be a catalyst for anonymous attacks.
What Is Security? (1.3, PPT Slides 18 and 21–26)
I. Define the term security and explain why it is important to have multiple layers of it to protect people, operations, infrastructure, functions, communications, and information.
II. Emphasize the role of the Committee on National Security Systems (CNSS) in defining information security. This includes the protection of critical elements such as the systems and hardware that store, transmit, and use information.
III. Recognize the importance of the C.I.A. triad while noting that, on its own, it is no longer an adequate model for modern information security needs.
Key Information Security Concepts
I. Comprehend and define the following security terms and concepts:
• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data, or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
• Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following modules.
• Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain, or an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
• Exposure: A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
• Loss: A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization’s information is stolen, it has suffered a loss.
• Protection profile or security posture: The entire set of controls and safeguards—including policy, education, training and awareness, and technology—that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.
• Risk: The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.
• Subjects and objects of attack: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. See Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
• Threat: Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. The two terms are technically distinct, but to simplify discussion, the text will continue to use the term threat to describe threat sources.
• Threat agent: The specific instance or a component of a threat. For example, the threat source of “trespass or espionage” is a category of potential danger to information assets, while “external professional hacker” (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as “acts of God/acts of nature.”
• Threat event: An occurrence of an event caused by a threat agent. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack.
• Threat source: A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent “hackers,” as part of the threat source “acts of trespass or espionage,” purposely threaten unprotected information systems, while threat agent “severe storms,” as part of the threat source “acts of God/acts of nature,” incidentally threaten buildings and their contents.
• Vulnerability: A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
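The terms above (asset, threat source, threat agent, vulnerability, exposure, control, risk, and risk appetite) are the columns of a risk register. The following is an added example written for this manual, not code from the text or its authors: the dataclass names, the constructed register entries, and the scoring formula (residual likelihood after controls, multiplied by asset value, compared with a risk appetite threshold) are assumptions chosen to show how the terms relate.

```python
# Added example (not from the Whitman & Mattord text): a minimal risk register
# that ties together asset, threat source/agent, vulnerability, exposure,
# control and risk.  Names, numbers and the scoring formula are assumptions.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Asset:
    name: str
    value: int  # relative worth to the organization, 1 (low) to 5 (high); assumed scale


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the remaining attack likelihood the control removes, 0.0 to 1.0


@dataclass
class Vulnerability:
    description: str
    exposure: bool  # True when the vulnerability is known to an attacker (an "exposure")
    controls: List[Control] = field(default_factory=list)  # safeguards applied to this weakness


@dataclass
class Threat:
    source: str        # threat source: a category, e.g. "acts of trespass or espionage"
    agent: str         # threat agent: a specific instance, e.g. "external professional hacker"
    likelihood: float  # chance the agent acts against the asset in the period, 0.0 to 1.0


@dataclass
class RiskEntry:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability

    def residual_likelihood(self) -> float:
        """Likelihood left after each control removes its share of what remains."""
        p = self.threat.likelihood
        for c in self.vulnerability.controls:
            p *= 1.0 - c.effectiveness
        return p

    def score(self) -> float:
        """Risk score = residual likelihood x asset value (assumed formula)."""
        return self.residual_likelihood() * self.asset.value


def over_appetite(register: List[RiskEntry], appetite: float) -> List[RiskEntry]:
    """Entries whose score exceeds the organization's risk appetite, worst first."""
    return sorted((e for e in register if e.score() > appetite),
                  key=lambda e: e.score(), reverse=True)


# Constructed sample register (not real data).
PII_DB = Asset("customer PII database", value=5)
FILE_SERVER = Asset("branch office file server", value=2)

REGISTER = [
    RiskEntry(PII_DB,
              Threat("acts of trespass or espionage", "external professional hacker", 0.4),
              Vulnerability("unpatched web application flaw", exposure=True,
                            controls=[Control("web application firewall", 0.5)])),
    RiskEntry(FILE_SERVER,
              Threat("acts of God/acts of nature", "severe storm", 0.1),
              Vulnerability("no off-site backup", exposure=False)),
]

RISK_APPETITE = 0.5  # assumed threshold on the score scale above

if __name__ == "__main__":
    for e in REGISTER:
        tag = "EXPOSURE" if e.vulnerability.exposure else "latent"
        print(f"{e.asset.name:28s} {e.threat.agent:30s} {tag:9s} risk={e.score():.2f}")
    for e in over_appetite(REGISTER, RISK_APPETITE):
        print("over appetite:", e.asset.name, "via", e.vulnerability.description)
```

Running the block lists both entries and flags only the PII database: the hacker's likelihood of 0.4 is halved by the firewall control to 0.2, which against an asset value of 5 scores 1.0, above the assumed appetite of 0.5; the storm entry scores 0.2 and is accepted. Adding or strengthening a control on the first entry is the mechanism the text describes for bringing risk back within appetite.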
Critical Characteristics of Information
I. Recognize that when a characteristic of information changes, the value of that information may increase, but more often it decreases.
II. Comprehend and define the following security terms and concepts: confidentiality, personally identifiable information (PII), integrity, availability, accuracy, authenticity, utility, and possession.
Confidentiality
I. Define the purpose of confidentiality and the measures that must be in place to protect information:
• Information classification
• Securely storing documents
• Applying general security policies and protocols
• Educating information custodians and end users
II. Analyze common reasons confidentiality breaches occur.
III. Review the concept of personally identifiable information (PII) and its application to confidentiality.
Integrity
I. Examine the concept of integrity and its application to information security principles.
II. Justify that file corruption is not strictly the result of hackers or other external forces but can also arise from internal causes such as noise, low-voltage circuits, and retransmissions.
Availability
I. Define the concept of availability and how it allows users to access information without restriction in their required formats.
Accuracy
I. Understand that accuracy of information is important: data must be free of mistakes or errors and have the value the end user expects.
Authenticity
I. Identify the fact that information is authentic when it is given to a user in the same state in which it was created, placed, stored, or transferred.
II. Evaluate the example of e-mail spoofing, in which messages look authentic on the surface but are, in fact, not.
Utility
I. Examine the usefulness of information and how it can be applied for an end purpose.
Possession
I. Recall this attribute as one where the ownership or control of information is legitimate or authorized.
II. Assess the scenario where a breach of possession does not always equate to a breach of confidentiality.
CNSS Security Model
I. Discuss the concept of the McCumber Cube and its application to computer and information security protocols.
• Quantify via Figure 1-9 (page 14) within the text that there are a total of 27 areas (3 x 3 x 3) that must be properly addressed during a security process.
• Understand that as policy, education, and technology measures increase, so too do the needs for confidentiality, integrity, availability, storage, processing, and transmission.
II. Conclude that a common exclusion in this model is the need for guidelines and policies that provide direction for implementing technologies and the practices of doing so.
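To make the 27-cell count concrete, the following added example (not from the text or its authors) enumerates the McCumber Cube cells in Python and reports which cells a constructed set of controls leaves unaddressed, which is the gap analysis the "27 areas that must be properly addressed" point calls for. The control names and the cells assigned to each are assumptions.

```python
# Added example (not from the Whitman & Mattord text): enumerate the 27 cells of
# the McCumber Cube (3 x 3 x 3) and find the cells a control set does not cover.
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")  # desired goals
STATES = ("storage", "processing", "transmission")        # information states
MEASURES = ("policy", "education", "technology")          # safeguard categories


def all_cells():
    """All 27 (goal, state, measure) combinations, in a fixed order."""
    return list(product(GOALS, STATES, MEASURES))


def cell(goal, state, measure):
    """Build one cell, rejecting labels that are not on the cube's axes."""
    if goal not in GOALS or state not in STATES or measure not in MEASURES:
        raise ValueError(f"not a McCumber Cube cell: {(goal, state, measure)}")
    return (goal, state, measure)


def uncovered_cells(controls):
    """controls maps a control name to the set of cells it addresses.
    Returns the cells no control touches: the gaps in the security process."""
    covered = set()
    for cells in controls.values():
        covered.update(cells)
    return [c for c in all_cells() if c not in covered]


def coverage_by_measure(controls):
    """Number of covered cells on each measure axis (policy/education/technology)."""
    gaps = set(uncovered_cells(controls))
    return {m: sum(1 for c in all_cells() if c[2] == m and c not in gaps)
            for m in MEASURES}


# Constructed control set (assumption): which cells each control addresses.
CONTROLS = {
    "acceptable use policy": {cell(g, s, "policy") for g in GOALS for s in STATES},
    "security awareness training": {cell(g, s, "education") for g in GOALS for s in STATES},
    "full-disk encryption": {cell("confidentiality", "storage", "technology")},
    "TLS on all network links": {cell("confidentiality", "transmission", "technology"),
                                 cell("integrity", "transmission", "technology")},
    "nightly backups": {cell("availability", "storage", "technology")},
}

if __name__ == "__main__":
    print(f"{len(all_cells())} cells in the cube")
    for c in uncovered_cells(CONTROLS):
        print("uncovered:", " / ".join(c))
    print(coverage_by_measure(CONTROLS))
```

With the constructed controls, the policy and education layers are fully covered (9 cells each) while the technology layer covers only 4 of 9, so the five uncovered cells (for example integrity in storage, and availability in processing) are all technology cells: exactly the kind of blind spot the cube is meant to expose.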
Components of an Information System (1.3, PPT Slide 27)
I. Recognize that fully appreciating the importance of an information system requires an awareness of everything it includes.
II. Review the six most common elements of an information system:
• Software
• Hardware
• Data
• People
• Procedures
• Networks
Software
I. Compare and contrast the different types of software used to digitally operate an information system. These include applications or programs, operating systems, and assorted command utilities.
II. Justify that the core reason software is used is to carry information through an organization.
Hardware
I. Classify this part of an information system as the physical technologies that house and execute software, store and transport data, and provide an interface for the entry and removal of information.
II. Acquire an understanding of the concept of physical security and its importance to an information system.
Data
I. Recall that data that is stored, processed, and/or transmitted must be protected, as it is the most valuable asset an organization possesses.
II. Gain awareness that the protection of physical information is just as important as the protection of electronic information.
People
I. Establish that people are often the weakest link of an information system, since they provide direction, design, develop, and ultimately use it to operate in the business world.
Procedures
I. Recall that procedures are written instructions created to accomplish a specific task or action. Note that they may or may not use the technology of an information system.
II. Recognize that they provide the foundation for the technical controls and security systems that must be designed so they can be implemented.
Networks
I. Acknowledge the fact that modern information processing systems are highly complex and rely on numerous internal and external connections.
II. Conclude that networks are the highway on which information systems pass data and users complete their tasks on a daily basis.
III. Justify that proper network controls in an organization are vital to managing information flows and the security of data transmitted internally and externally.
Quick Quiz 1
1. True or False: Network security addresses the issues needed to protect items, objects, or areas.
Answer: False
2. Which type of security addresses the protection of all communications media, technology, and content?
a. information
b. network
c. physical
d. communication
Answer: d
3. Which type of security encompasses the protection of voice and data networking components, connections, and content?
a. information
b. network
c. physical
d. communications
Answer: b
4. What term is used to describe the quality or state of ownership or control of information?
a. confidentiality
b. possession
c. authenticity
d. integrity
Answer: b
5. True or False: If information has a state of being genuine or original and is not a fabrication, it has the characteristic of authenticity.
Answer: True
Security and the Organization (1.4, PPT Slides 28–33, 36–38, and 41)
I. Analyze the components that make up security as a program and the professionals who are tasked with maintaining it within an organization.
Balancing Information Security and Access
I. Recall that not everyone has carte blanche access to all data that is transmitted, processed, or stored within or outside an organization.
II. Comprehend that security is never an absolute, as it is a process and not a goal.
III. Interpret that security is a delicate balance between protection and availability.
Approaches to Information Security Implementation
I. Compare and contrast the two most commonly used approaches to information security implementation: bottom-up and top-down.
• Bottom-up approaches implement security policies and/or practices from the ground up, where system administrators are responsible for improving the security of the system.
• A top-down approach is quite the opposite: upper management determines security policies for an organization. This is usually the Chief Information Officer (CIO) or the Vice President of Information Technology (VP-IT).
II. Conclude that a bottom-up approach rarely works, and a top-down approach is the most effective in an organization.
Security Professionals
I. Compare and contrast the different positions that are part of implementing an information security program.
• The Chief Information Officer (CIO) is the senior technology officer of an organization and provides guidance to the owner or CEO on strategic planning that affects information management in the organization.
• The Chief Information Security Officer (CISO) assesses, manages, and implements information security in an organization.
Senior Management
I. Examine that the Chief Information Officer (CIO) is the senior technology officer, although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization.
II. Contrast with the CIO that the Chief Information Security Officer (CISO) is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title.
Information Security Project Team
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
I. Review the core team members of an information security project team and their specific roles:
• Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
• Team leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
• Security policy developers: Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security, from both a technical and a nontechnical standpoint.
• Systems administrators: Individuals whose primary responsibility is administering the systems that house the information used by the organization.
• End users: Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assists the team in focusing on realistic controls, applied in ways that do not disrupt the essential business activities they seek to safeguard.
Data Responsibilities
I. Compare and contrast the persons who own and safeguard data within an organization.
• Data Owners: Those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as the changes to that classification required by organizational change.
• Data Custodians: Those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
• Data Trustees: Individuals appointed by data owners to oversee the management of an information set and its use. Because data owners are often executives, they appoint someone else to handle these responsibilities.
• Data Users: End users who work with the information to perform their daily jobs in support of the organization's mission. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
II. Recall that data stewards are also known as data custodians.
Communities of Interest
I. Establish an understanding that each organization develops and maintains its own unique culture and values.
II. Recall that a community of interest is a group of individuals within an organization who are united by similar interests or values and who share the common goal of helping the organization meet its objectives.
III. Disseminate the fact that there can be many different communities of interest in an organization, each of which contributes to information security practices.
Information Security Management and Professionals
I. Apply knowledge that these professionals make up the organization's information security community of interest.
II. Review the fact that their goal is to protect the organization's information, and the systems that store it, from internal and external attacks.
Information Technology Management and Professionals
I. Recognize that these individuals are often a team of IT managers and skilled professionals in a number of areas: systems design, programming, and networks at a minimum.
II. Establish an understanding that their goals do not always align with those of the information security community, depending on the organization's structure. Conflict may result where the two are inconsistent.
Organization Management and Professionals
I. Analyze that this group consists of the other managers and professionals in the organization who are consumers of the information being secured.
Information Security: Is It an Art or a Science? (PPT Slides 42–43)
I. Gain an understanding that the implementation of information security has often been described as a combination of art and science because of the complex nature of information systems.
II. Discuss the concept of a “security artisan” and explain how it is based on the way individuals saw technologists as computers became more commonplace in the workplace.
Security as Art
I. Recognize that there are no hard-and-fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions.
II. Conclude that there is no single user’s manual that can solve all the security issues a system may encounter. As an organization becomes more complex, so do the controls and technology needed to hold it together.
Security as a Science
I. Establish an understanding that the technologies in use are developed and deployed by highly trained computer scientists and engineers who are required to operate at rigorous levels of performance.
II. Conclude that specific, identifiable conditions cause virtually all actions that occur in a computer system. Nearly everything that goes wrong in a system is the result of an interaction between software and hardware.
III. Justify that, with enough time and resources, developers could eliminate the faults that occur.
Security as a Social Science
I. Understand that the combination of the art and science components makes security a social science.
II. Identify social science as the examination of people’s behavior and their interactions with (information) systems.
III. Conclude that the end users whom information security personnel need to protect are often the weakest links in the security chain.
Quick Quiz 2
1. When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow which approach?
b. executive-led
c. trickle down
d. top-down
e. bottom-up
Answer: c
2. ________ ensures that only users with the rights, privileges, and need to access information are able to do so.
a. confidentiality
b. enhanced credentials
c. software engineers
d. awareness
Answer: a
3. True or False: The person responsible for the storage, maintenance, and protection of the information is the data custodian.
Answer: True
4. Which critical characteristic of information focuses on whether information that is stored, transferred, created, or placed is in the same state as it was when received?
a. utility
b. possession
c. accuracy
d. authenticity
Answer: d
5. Which of the following examines the behavior of individuals as they interact with systems, whether societal systems or information systems?
a. community science
b. social science
c. societal science
d. interaction management
Answer: b
[return to top]
Discussion Questions
You can assign these questions in several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What are the defining differences between computer security and information security? (1.2, PPT Slides 5, 7–9, and 13) Duration: 15 minutes.
2. When reviewing the critical characteristics of information, which one is the most important? Why is that the case, and should all of them receive equal attention? (1.3, PPT Slides 18 and 25–26) Duration: 15 minutes.
3. Do information security professionals have superiority over one another outside of their ranking in an organization? Why or why not? (1.4, PPT Slides 29–33) Duration: 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course; they are available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab, 15 to 20 minutes; Phishing E-Mail lab, 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Create a portable AV scanner using a USB storage device.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours
Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours
Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module.
Additional project options include the following:
1. Using the Internet, find a recent feature article about a CISO or other IT professional with CISO job functions. Write a short summary of that individual and how he or she came to hold that position. The publications ComputerWorld and Information Week often have these kinds of features. Have students list the hardware assets found in a computing lab and then list the attributes of those assets. They should provide as many facts about each asset as possible.
2. Using a library with current periodicals, find a recent news article about a topic related to information security. Write a one- to two-page review of the article and how it relates to the principles of information security introduced in the textbook.
[return to top]
Additional Resources
Cengage Video Resources
• MindTap Video: What is Information Security
Internet Resources
• Internet Society—Histories of the Internet
• CNSS National Information Assurance Glossary
• Microsoft Security Development Lifecycle
• The Role of a Chief Security Officer
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand the expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security
Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security
Table of Contents
Purpose and Perspective of the Module (p. 2)
Cengage Supplements (p. 2)
Module Objectives (p. 2)
Complete List of Module Activities and Assessments (p. 2)
Key Terms (p. 3)
What's New in This Module (p. 9)
Module Outline (p. 10)
Discussion Questions (p. 35)
Suggested Usage for Lab Activities (p. 35)
Additional Activities and Assignments (p. 37)
Additional Resources (p. 37)
  Cengage Video Resources (p. 37)
  Internet Resources (p. 37)
Appendix (p. 39)
  Grading Rubrics (p. 39)
Purpose and Perspective of the Module
Protecting information is one of the most important tasks an organization must attend to around the clock, regardless of where its personnel are located. In this module, students will gain knowledge of the purpose of information security and the need for it in organizations. Next, they will gain an understanding of why a successful information security program is the shared responsibility of the entire organization and not just of the departments that focus on technology. In the second half of the module, emphasis is placed on the threats that drive the need for information security solutions and on the common attacks associated with those threats. The final part of the module lists common information security issues that result from poor software development efforts.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
2.1 Discuss the need for information security.
2.2 Explain why a successful information security program is the shared responsibility of the entire organization.
2.3 List and describe the threats posed to information security and common attacks associated with those threats.
2.4 List the common information security issues that result from poor software development efforts.
Complete List of Module Activities and Assessments
For additional guidance, refer to the MindTap Educator Guide. Each entry below lists the module objective(s), the PPT slide(s) or MindTap location, the activity or assessment, and its duration.
Objectives 2.1, 2.2, and 2.3; PPT slides 11–12; Knowledge Check Activity 1; 2 minutes
Objectives 2.3 and 2.4; PPT slides 31–32; Knowledge Check Activity 2; 2 minutes
Objective 2.4; PPT slides 64–65; Knowledge Check Activity 3; 2 minutes
Objectives 2.1–2.4; PPT slide 77; Self-Assessment; 5 minutes
Objectives 2.1–2.4; MindTap; Module 02 Review Questions; 30–40 minutes
Objectives 2.1–2.4; MindTap; Module 02 Case Exercises; 30 minutes
Objectives 2.1–2.4; MindTap; Module 02 Exercises; 10–30 minutes per question, 1+ hour per module
Objectives 2.1–2.4; MindTap; Module 02 Security for Life; 1+ hour
Objectives 2.1–2.4; MindTap; Module 02 Quiz; 10–15 minutes
[return to top]
Key Terms
In order of use:
information asset: The focus of information security; information that has value to the organization and the systems that store, process, and transmit the information.
media: As a subset of information assets, the systems, technologies, and networks that store and transmit information.
data: Items of fact collected by an organization; includes raw numbers, facts, and words.
information: Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
database: A collection of related data stored in a structured form and usually managed by specialized systems.
database security: A subset of information security that focuses on the assessment and protection of information stored in data repositories.
exploit: A technique used to compromise a system; may also describe the tool, program, or script used in the compromise.
intellectual property (IP): Original ideas and inventions created, owned, and controlled by a particular person or organization; IP includes the representation of original ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
availability disruption: An interruption or disruption in service, usually from a service provider, which causes an adverse event within an organization.
service level agreement (SLA): A document or part of a document that specifies the expected level of service from a service provider, including provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
uptime: The percentage of time a particular service is available.
downtime: The percentage of time a particular service is not available.
blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term decrease in the quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
noise: The presence of additional and disruptive signals in network communications or electrical power delivery.
sag: A short-term decrease in electrical power availability.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.
competitive intelligence: The collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage.
industrial espionage: The collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage; also known as corporate spying.
shoulder surfing: The direct, covert observation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.
hacker: A person who accesses systems and information without authorization and often illegally.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information, and who often creates automated exploits, scripts, and tools used by other hackers; also known as an elite hacker.
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey.
professional hacker: A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government; not to be confused with a penetration tester.
penetration tester: An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems; also known as a pen tester.
pen tester: See penetration tester.
script kiddies: Novice hackers who use expertly written software to attack a system; also known as skids, skiddies, or script bunnies.
packet monkey: A novice hacker who uses automated exploits to engage in denial-of-service attacks.
privilege escalation: The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
jailbreaking: Escalating privileges to gain administrator-level or root access control over a smartphone operating system; typically associated with Apple iOS smartphones. See also rooting.
rooting: Escalating privileges to gain administrator-level control over a computer system (including smartphones); typically associated with Android OS smartphones. See also jailbreaking.
cracker: A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt services.
cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software (see cracker).
brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
10.4 password rule: An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one of each of the following four elements: an uppercase letter, a lowercase letter, a number, and a special character.
dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords, possibly including attempts based on the target’s personal information.
rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file.
social engineering: The process of using interpersonal skills to convince people to reveal access credentials or other valuable information to an attacker.
business e-mail compromise (BEC): A social engineering attack involving the compromise of an organization’s e-mail system followed by a series of forged e-mail messages directing employees to transfer funds to a specified account, or to purchase gift cards and send them to an individual outside the organization.
advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only to send a small advance fee or personal banking information to facilitate the transfer.
phishing: A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
spear phishing: A highly targeted phishing attack.
pretexting: A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information; commonly performed by telephone.
information extortion: The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information.
cyberextortion: See information extortion.
ransomware: Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption.
hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
cyberactivist: See hacktivist.
doxing: A practice of using online resources to find and then disseminate compromising information, perhaps without lawful authority, with the intent to embarrass or harm the reputation of an individual or organization. The term originates from dox, an abbreviation of documents.
cyberterrorism: The conduct of terrorist activities via networks or Internet pathways.
cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.
cyberwarfare: Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state; sometimes called information warfare.
malware: Computer software specifically designed to perform malicious or unwanted actions.
malicious software: See malware.
zero-day attack: An attack that makes use of malware that is not yet known by the antimalware software companies.
adware: Malware intended to provide undesired marketing and advertising, including pop-ups and banners on a user’s screen.
spyware: Any technology that aids in gathering information about people or organizations without their knowledge.
virus: A type of malware that is attached to other executable programs and, when activated, replicates and propagates itself to multiple systems, spreading by multiple communications vectors.
macro virus: A type of virus written in a specific language to target applications that use the language and activated when the application’s product is opened; typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.
memory-resident virus: A virus that is capable of installing itself in a computer’s operating system, starting when the computer is activated, and residing in the system’s memory even after the host application is terminated; also known as a resident virus.
non-memory-resident virus: A virus that terminates after it has been activated, infected its host system, and replicated itself; does not reside in an operating system or memory after executing and is also known as a non-resident virus.
worm: A type of malware that is capable of activation and replication without being attached to an existing program.
Trojan horse: A malware program that hides its true nature and reveals its designed behavior only when activated.
polymorphic threat: Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
malware hoax: A message that reports the presence of nonexistent malware and wastes valuable time as employees share the message.
back door: A malware payload that provides access to a system by bypassing normal access controls, or an intentional access control bypass left by a system designer to facilitate development.
trap door: See back door.
maintenance hook: See back door.
denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
distributed denial-of-service (DDoS) attack: A form of attack in which a coordinated stream of requests is launched against a target from multiple locations at the same time using bots or zombies.
bot: An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input; also known as a zombie.
zombie: See bot.
spam: Undesired e-mail, typically commercial advertising transmitted in bulk.
mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.
packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.
sniffer: See packet sniffer.
spoofing: The use of a communications identifier, such as a phone number, network address, or e-mail address, that is not accurately assigned to the source.
IP spoofing: A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations; also known as DNS spoofing.
man-in-the-middle: A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner; some of these attacks involve encryption functions.
TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
session hijacking: See TCP hijacking.
mean time between failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
mean time to failure (MTTF): The average amount of time until the next hardware failure.
mean time to diagnose (MTTD): The average amount of time a computer repair technician needs to determine the cause of a failure.
mean time to repair (MTTR): The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
annualized failure rate (AFR): The probability of a failure of hardware based on the manufacturer’s data of failures per year.
cross-site scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user’s browser session and causes information to be sent to a hostile server.
buffer overrun: An application error that occurs when more data is sent to a program buffer than it is designed to handle.
integer bug: A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
command injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
theft: The illegal taking of another’s property, which can be physical, electronic, or intellectual.
[return to top]
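The command injection definition above is easiest to teach with the defect and its fix side by side. The following is an added classroom example, not code from the textbook or its authors: it models a hypothetical "ping a host" feature, shows the unscreened string a shell would receive, and contrasts it with a hardened builder that screens the input against a strict hostname grammar and returns an argument list for execution without a shell. The sample inputs and the grammar are constructed for the example.

```python
import re

# Constructed sample inputs for a hypothetical "ping a host" feature (not from the textbook).
# The third value carries a shell separator followed by a second command.
SAMPLE_HOSTS = ["example.com", "10.0.0.1", "example.com; id"]

# Characters a POSIX shell interprets as command separators, redirections or substitutions.
SHELL_METACHARS = set(";|&$`<>(){}\n")

# Conservative hostname / IPv4 grammar: letters, digits, dots and hyphens only (assumed policy).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_ping_unsafe(host: str) -> str:
    """The defect from the definition: user input is concatenated into a single
    string that the application would hand to a shell (e.g. os.system). Anything
    after ';' becomes a second command. The string is only built here, never run."""
    return "ping -c 1 " + host


def build_ping_safe(host: str) -> list[str]:
    """Hardened form: screen the input against a strict grammar, then return an
    argv list. Executed without a shell (subprocess.run(argv)), the value is
    always a single argument and is never parsed for metacharacters."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def has_shell_metachars(command: str) -> bool:
    """Detection helper: True if a composed command string contains characters
    a shell would interpret, i.e. the unsafe builder has been fed hostile input."""
    return any(ch in SHELL_METACHARS for ch in command)


def audit(hosts: list[str]) -> list[tuple[str, bool, bool]]:
    """For each input return (input, unsafe builder would expose metacharacters
    to the shell, safe builder accepts the input)."""
    results = []
    for host in hosts:
        exposed = has_shell_metachars(build_ping_unsafe(host))
        try:
            build_ping_safe(host)
            accepted = True
        except ValueError:
            accepted = False
        results.append((host, exposed, accepted))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_HOSTS):
        print(row)
```

The point for students is the combination: screening alone can be bypassed by an encoding the grammar did not anticipate, and an argument list alone still lets a hostile value reach the program as data, so the hardened version does both.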
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 2 in the 6th edition.
• The sections on the threats and attacks were updated to reflect the latest trends, and examples were updated.
• The entire module was refreshed with a general update and given more current examples.
[return to top]
Module Outline
Introduction to the Need for Information Security (2.1, 2.2, PPT Slides 3–9)
I. Discuss the view that information security is unlike any other aspect of information technology. The primary mission is to ensure things stay the way they are. Point out that if there were no threats to information and systems, we could focus on improving systems that support the information.
II. Explain that organizations must understand the environment in which information systems operate so that their information security programs can address actual and potential problems.
III. Emphasize to students the four important functions for an organization with respect to information security:
• Protecting the organization’s ability to function
• Protecting the data and information the organization collects and uses
• Enabling the safe operation of applications running on the organization’s IT systems
• Safeguarding the organization’s technology assets
Business Needs First
I. Explain that without the underlying business to generate revenue and use the information, the information is likely to lose value and the need for it would drop to zero.
II. Stress that decisions about information security and the assets it protects should be made carefully and holistically.
III. Emphasize that protecting information within an organization is everyone’s responsibility. Regardless of title, rank in the firm, or position, everyone must proactively protect the data the organization stores and uses.
Protecting Functionality
I. Discuss the fact that general management, IT management, and information security management are responsible for implementing information security to protect the ability of the organization to function.
II. Relate to students that information security is a management issue in addition to a technical issue; it is a people issue in addition to a technical issue.
III. Explain that to assist management in addressing the need for information security, communities of interest must communicate in terms of business impact and the cost of business interruption, and they must avoid arguments expressed only in technical terms.
Protecting Data That Organizations Collect and Use
I. Stress to students that many organizations realize that one of their most valuable assets is their data. Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers.
II. Explain the concept of data security: protecting data in motion and data at rest, a critical aspect of information security. An effective information security program is essential to the protection of the integrity and value of the organization’s data.
III. Detail how information is stored. It is often stored in databases, and database security is important because it applies a broad range of control mechanisms to numerous areas of information security.
Enabling the Safe Operation of Applications
I. Establish that a modern organization needs to create an environment that protects and safeguards applications, specifically those that are important elements of the firm’s infrastructure—operating systems, platforms, operational applications, e-mail, instant messaging applications, and text messaging platforms.
Safeguarding Technology Assets in Organizations
I. Relate to students that as an organization grows, so does its need for more robust technologies and commercial-grade solutions.
II. Explain the example provided in the textbook that lists core components of security technologies (a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities).
III. Establish that although cloud services provide another way to solve business information management challenges, they bring their own set of risks and concerns that must be defended against.
Information Security Threats and Attacks (2.3, PPT Slides 10 and 13–23)
I. Remind students that to make sound decisions about information security as well as to create and enforce policies, management must be informed of the various kinds of threats facing the organization and its applications, data, and information systems.
II. Explain that a threat is an object, person, or other entity that represents a constant danger to an asset. Point out that an attack represents an ongoing act against the asset that could result in a loss. Also mention that threat agents use exploits to take advantage of vulnerabilities where controls are not present or are no longer effective.
4.8 Billion Potential Hackers
I. State that about 62 percent of the world’s population (about 4.8 billion people) have some form of Internet access, which is significantly up from 2015, when 49.2 percent of the population had access.
II. Discuss the agreement that the threat from external sources increases when an organization connects to the Internet.
III. Guide students to briefly review the world Internet usage spread in Table 2-1.
Other Studies of Threats
I. Point out to students that according to a recent study and survey, 67.1 percent of responding organizations suffered malware infections. Also, more than 98 percent of responding organizations identified malware as the second-highest threat source behind electronic phishing/spoofing.
II. Discuss Tables 2-2, 2-3, and 2-4, which outline threats from internal and external stakeholders as well as general threats to information assets.
Common Attack Pattern Enumeration and Classification (CAPEC)
I. Introduce students to the CAPEC Web site, which can be used by security professionals to understand attacks.
II. Explain that this resource is a good tool for information security professionals to use to gain additional insight on how attacks occur procedurally.
The 12 Categories of Threats (2.3, 2.4, PPT Slides 24–72)
I. Apply the use of Table 2-5 to explain the 12 categories of threats that represent a clear and present danger to an organization’s people, information, and systems. In summary, they are the following:
• Compromises to intellectual property
• Deviations in quality of service
• Espionage or trespass
• Forces of nature
• Human error or failure
• Information extortion
• Sabotage or vandalism
• Software attacks
• Technical hardware failures or errors
• Technical software failures or errors
• Technological obsolescence
• Theft
II. Recognize that a threat to an organization may include more than one of these categories, depending on the severity of the attack.
Compromises to Intellectual Property
I. Explain that many organizations create or support the development of intellectual property (IP) as part of their business operations. Intellectual property is defined as “the ownership of ideas and control over the tangible or virtual representation of those ideas.”
II. Recall that intellectual property for an organization includes trade secrets, copyrights, trademarks, and patents. Once intellectual property has been defined and properly identified, breaches to IP constitute a threat to the security of this information. The most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy.
Software Piracy
I. Emphasize to students that the most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy.
II. Outline that in addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA), formerly the Software Publishers Association, and the Business Software Alliance (BSA).
III. Quantify the severity of software piracy with the following statistics mentioned in the text:
• The BSA estimates that 37 percent of software installed on personal computers globally was not properly licensed in 2018.
• Some countries indicate unlicensed rates of more than 50 percent.
IV. Recall that malware attacks significantly increase with the use of unlicensed software.
Copyright Protection and User Registration
I. Discuss that enforcement of copyright laws has been attempted through several technical security mechanisms, such as digital watermarks, embedded code, and copyright codes.
II. Identify that online registrations combat piracy because users must register their software to complete the installation process. Caution students that key generators can be used to override and outsmart online registration tools and still result in intellectual property losses.
Deviations in Quality of Service
I. Summarize that concerns in this category represent situations in which a product or service is not delivered to the organization as expected.
II. Explain that the organization’s information system depends on the successful operation of many interdependent support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers.
Internet Service Issues
I. Explain that Internet service, communications, and power irregularities are three sets of service issues that dramatically affect the availability of information and systems, regardless of whether a person is at the office or connecting through a virtual private network (VPN) connection.
II. Point out that the U.S. government’s Federal Communications Commission (FCC) maintains a Network Outage Reporting System (NORS), which, according to FCC regulation 47 C.F.R. Part 4, requires communications providers to report outages that disrupt communications at certain facilities, such as emergency services and airports.
III. Report that when an Internet service provider fails to meet the terms in a service level agreement (SLA), it is often fined to cover client losses, although the lost business exceeds anything recovered. This is true even though vendors promote high availability (or low downtime).
IV. Apply the example of Amazon and how a 30- to 40-minute outage cost the company a significant amount of money ($3–4 million) in just that short amount of time.
V. Identify the most common causes of downtime and the financial impact of those incidents from the data provided in Figure 2-4.
Communication and Other Service Provider Issues
I. Describe communications and other service provider issues: other utility services can impact organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function properly.
Power Irregularities
I. Describe power irregularities: irregularities from power utilities are common and can lead to fluctuations, such as power excesses, power shortages, and power losses. In the United States, we are “fed” 120-volt, 60-cycle power, usually through 15-amp and 20-amp circuits.
II. Explain that voltage levels are subject to a spike (momentary increase), surge (prolonged increase), sag (momentary decrease), brownout (prolonged drop in voltage), fault (momentary complete loss of power), or blackout (a lengthier loss of power).
III. Emphasize that organizations with dedicated power needs must consider backup solutions, such as generators, to provide power in the event of an outage. This is especially the case for information technology and security-related systems.
IV. Predict that because sensitive electronic equipment—especially networking equipment, computers, and computer-based systems—is susceptible to fluctuations, controls should be applied to manage power quality.
Espionage or Trespass
I. Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information.
II. Establish that when an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass.
III. Contrast the thoughts that some people assume information-gathering techniques are illegal when, in fact, they are not. When done properly, this is referred to as competitive intelligence. However, if a legal or ethical threshold is crossed, the persons doing this are conducting industrial espionage.
IV. Describe the concept of shoulder surfing. Emphasize that it commonly occurs at computer terminals, desks, ATMs, smartphones, or other places where a person is accessing confidential information.
V. Justify the notion that users should constantly be aware of the presence of others whenever they are accessing sensitive data.
Hackers
I. Present the fact that trespassing often leads to unauthorized, real, or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
II. Discuss that the classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The hacker frequently spends long hours examining the types and structures of the targeted systems.
III. Remind students that there are generally two skill levels among hackers. The first is the expert hacker, who develops software scripts and program exploits used by the second category, the novice or unskilled hacker.
IV. Explain that the expert hacker is usually a master of several programming languages, networking protocols, and operating systems and exhibits a mastery of the technical environment of the chosen targeted system.
V. Demonstrate that expert hackers who have become bored with directly attacking systems have turned to writing software. The software they write consists of automated exploits that allow novice hackers to become script kiddies (or packet monkeys)—hackers of limited skill who use expertly written software to exploit a system but do not fully understand or appreciate the systems they hack.
VI. Compare and contrast professional hackers and penetration (pen) testers. Although both are doing the same thing, which is testing information and network defenses, professional hackers are doing it illegally, whereas pen testers conduct the tests ethically and professionally.
Escalation of Privileges
I. Discuss the term privilege escalation. Explain that a common example of privilege escalation is called jailbreaking or rooting.
II. Justify that according to the U.S. Copyright Office, the practice of jailbreaking smartphones was considered legal as a special exemption under the Digital Millennium Copyright Act, but jailbreaking a tablet (such as the iPad) was not and often voids any manufacturer warranty.
Hacker Variants
I. Describe the other terms for system rule breakers mentioned in the text:
• Crackers are now commonly associated with individuals who “crack” or remove software protection that is designed to prevent unauthorized duplication.
• Phreakers hack the public telephone network to make free calls, disrupt services, and generally wreak havoc. Although more common in the 1970s, they can still do a number on phone systems.
Password Attacks
I. Emphasize that password attacks fall under the category of espionage and are a serious offense.
II. Outline the four approaches to password cracking:
• brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
• dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information.
• rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file.
• social engineering: An attempt to gain access by contacting low-level employees and offering to help with their computer issues.
III. Evaluate the purpose and composition of the 10.4 password rule and how it provides a method for users to generate a stronger password that is less likely to be hacked.
IV. Recommend that students review Table 2-6 to see how the odds against guessing increase with the number of characters in a password, and the time it would take to do so based on a 2020-era computer system.
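Items II through IV above (brute force keyspace, rainbow tables, the 10.4 rule, and the Table 2-6 time estimates) can be demonstrated together in a short script. This is an added example, not code from the textbook, and it does not reproduce the textbook's Table 2-6 figures: the guess rate is an assumed constant, the 10.4 rule is implemented under the assumed reading "at least 10 characters, at least one from each of four character classes," and PBKDF2 stands in for whatever password storage a given system uses. It shows how each added character multiplies the search, and why a per-user random salt makes a precomputed table useless against a stolen password file.

```python
import hashlib
import math
import os

# Assumed guess rate for the "time to exhaust" estimate (not the textbook's figure).
ASSUMED_GUESSES_PER_SECOND = 1e10

# Character set sizes commonly used when reasoning about keyspace.
CHARSET_SIZES = {"digits": 10, "lower": 26, "lower+upper": 52, "alnum": 62, "alnum+symbols": 94}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates a brute-force attack must try in the worst case."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: every extra character adds log2(charset) bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case wall-clock time for an exhaustive search at the assumed rate."""
    return keyspace(charset_size, length) / guesses_per_second


def meets_10_4_rule(password: str) -> bool:
    """Assumed reading of the 10.4 rule: at least 10 characters and at least one
    character from each of four classes (lowercase, uppercase, digit, other)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 10 and all(classes)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user random salt plus a slow KDF (PBKDF2 assumed here): the defence
    against rainbow tables and against fast offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def precomputed_table_reusable(password: str, salted: bool) -> bool:
    """A rainbow table pays off only if the same password always yields the same
    stored value. An unsalted fast hash does; salted KDF output does not, so a
    table built in advance cannot be applied to a stolen password file."""
    if not salted:
        a = hashlib.sha256(password.encode("utf-8")).digest()
        b = hashlib.sha256(password.encode("utf-8")).digest()
    else:
        a = salted_hash(password, os.urandom(16))
        b = salted_hash(password, os.urandom(16))
    return a == b


if __name__ == "__main__":
    # Constructed illustration of how length drives the worst-case search time.
    for length in (6, 8, 10, 12):
        print(length, f"{entropy_bits(94, length):.1f} bits",
              f"{seconds_to_exhaust(94, length) / 86400:.2f} days")
    print("10.4 rule:", meets_10_4_rule("Tr0ub4dor&3!x"))
    print("table reusable, unsalted:", precomputed_table_reusable("password", salted=False))
    print("table reusable, salted:", precomputed_table_reusable("password", salted=True))
```

When discussing Table 2-6, students can change ASSUMED_GUESSES_PER_SECOND to see that a faster attacker shifts every row by the same factor, whereas each added character multiplies the search by the charset size.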
Social Engineering Password Attacks
I. Stress that hackers posing as friendly help-desk associates or repair techs have an easy inroad into servers and systems, even if they resolve a user’s issue.
II. Critique the scenario where hackers can work inside an organization, even at a help desk, using this method to gain access to systems where they would otherwise be denied entry. This is true even if their background check comes up clean.
III. Distinguish the fact that attempts to gain access like this are often subtle and go unnoticed until it is too late.
Forces of Nature
I. Discuss how forces of nature, force majeure, or acts of God pose some of the most dangerous threats, because they are unexpected and can occur with little warning.
II. Emphasize that pandemics, such as the 2020 COVID-19 outbreak, are considered a force of nature even though most things remained operational.
III. Explain that these threats can disrupt not only the lives of individuals but also the storage, transmission, and use of information. Since it is not possible to avoid many of these threats, management must implement controls to limit damage and prepare contingency plans for continued operations.
IV. Outline the 11 forces of nature listed in the text. They are the following:
• Fires
• Floods
• Earthquakes
• Lightning
• Landslides or mudslides
• Tornados or severe windstorms
• Hurricanes, typhoons, and tropical depressions
• Tsunamis
• Electrostatic discharge (ESD)
• Dust contamination
• Solar activity
Fire
I. Outline the ways a fire can cause damage to computing equipment, up to the point of compromising all or part of a system. This includes the fire itself, suppression systems such as sprinklers, and water from firefighting hoses.
II. Demonstrate that this threat often can be mitigated with fire casualty insurance or business interruption insurance policies.
Floods
I. Detail the net effects a flood can have on a facility and computing equipment. On top of damaging the systems, building access may also be compromised.
II. Explain that this specific threat often may be mitigated with flood insurance or business interruption insurance. This is especially important if the business is in a potential flood zone as designated by FEMA.
Earthquakes
I. Present that an earthquake can cause direct damage to information system equipment and/or the facilities that house the equipment.
II. Stress that not only physical structures are at risk. Give the example in the text of a large earthquake off the coast of Taiwan that severed underwater communications cables.
III. Explain that this specific threat can sometimes be mitigated with casualty or business interruption insurance. Often, as mentioned, it is covered under its own policy.
Lightning
I. Illustrate what a lightning strike is: an abrupt, discontinuous natural electric discharge in the atmosphere.
II. Recognize that lightning strikes not only can damage all or part of an information system but also cause building damage, fires, or other damage.
III. Emphasize proactive measures that can be taken by installing specialized lightning rods placed strategically on and around the organization’s facilities and by installing special circuit protectors in the organization’s electrical service.
IV. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance.
Landslides, Mudslides, and Avalanches
I. Relate that these are downward slides of masses of earth, rock, or snow and are sometimes sudden or occur with minimal notice for evacuations to take place.
II. Direct students to understand the impacts on the buildings that house the systems. Depending on the severity of the incident, they may be destroyed or temporarily buried.
III. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance.
Tornados and Severe Windstorms
I. Contrast the differences between a tornado and wind shear events.
II. Note that a tornado striking the facility housing the information systems can directly damage all or part of the structure, depending on the strength of the funnel cloud and wind speed.
III. Explain that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance.
Hurricanes, Typhoons, and Tropical Depressions
I. Compare a typhoon and a hurricane. Note that they are virtually the same thing, with the exception of their location in the world.
II. Stress that excessive rainfall and high winds from these storms can directly damage all or part of the information system or, more likely, the building that houses it. Organizations in coastal or low-lying areas may suffer flooding as well, which would restrict access to the buildings that house information systems.
III. Guide students to understand that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance.
Tsunamis
I. Describe the impact of a tsunami and the severity of damage that just one event may cause.
II. Apply the tsunami that occurred in 2011 as an example of a threat that affected the world directly and indirectly.
III. Explain that in most cases this threat can be mitigated with casualty insurance or business interruption insurance.
Electrostatic Discharge
I. Illustrate what an electrostatic discharge (ESD) is and the impact it can have on flammable mixtures or electronic components.
II. Stress that as little as 10 volts can cause catastrophic damage to information systems equipment, and humans cannot detect static electricity until it reaches about 1,500 volts. Discharges from walking across dry carpet can exceed 12,000 volts.
III. Emphasize that the financial repercussions of static discharge could result in millions of dollars of damage and significant loss of production time in information processing. Although ESD can disrupt information systems, it is not usually an insurable loss unless covered by business interruption insurance.
Dust Contamination
I. Relate that dust buildup and debris inside systems can dramatically reduce the effectiveness and efficiency of the equipment. This often leads to overheating and unexpected shutdowns.
II. Stress that this can often shorten the life of information systems and disrupt normal operations.
Solar Activity
I. Recognize that solar flares or extremes in radiation can affect power grids and power lines, blow out transformers, and shut down power stations.
II. Emphasize that businesses that rely on satellites should have alternate options available should communications from them be disrupted.
Human Error or Failure I.
Describe this category and comment to students that it includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization.
II.
Discuss the fact that employees constitute one of the greatest threats to information security, as they are the individuals closest to the organizational data. Employee mistakes can easily lead to the following: revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information.
III.
Note that many threats can be prevented with controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to more complex procedures, such as the verification of commands by a second party.
IV.
Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information.
Social Engineering I.
Define within the context of information security that social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
II.
Explain that people are the weakest link. You can have the best technology— firewalls, intrusion-detection systems, biometric devices—and somebody can call an unsuspecting employee and obtain a wealth of information.
Business E-Mail Compromise (BEC) I.
Stress that this is one of the newest forms of social engineering attack methods being deployed on organizations today.
II.
Detail the process: an attacker gains access to the system either through another social engineering attack or a technical exploit, and then proceeds to request that employees within the organization, usually administrative assistants to high-level executives, transfer funds to an outside account or purchase gift cards and send them to someone outside the organization.
III.
Emphasize that in 2019 alone, there were 24,000 BEC complaints and projected losses of more than $1.7 billion.
Advance-Fee Fraud I. Compare and contrast one of the most common social engineering attacks, known as the advance-fee fraud (AFF), with phishing.
II.
Stress that AFF is also known as 4-1-9 fraud because it is named after the Nigerian Penal Code, not an area code in northern Ohio.
III.
Examine a sample letter, as illustrated in Figure 2-9, which illustrates this scheme in practice.
IV.
Outline to students that this scam is one for stealing funds from credulous people, first by requiring them to participate in a proposed money-making venture by sending money up front, and then by soliciting an endless series of fees. In the most serious cases, kidnapping, extortion, or murder can result.
V.
Quantify that most recently, in 2020, up to $100 billion has been swindled using this method.
Phishing I.
Distinguish phishing as an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity.
II.
Emphasize that a variant is spear phishing, a label that applies to any highly targeted phishing attack. While normal phishing attacks target as many recipients as possible, a spear phisher sends a message that appears to be from an employer, a colleague, or other legitimate correspondent to a small group, or even one specific person.
III.
Discuss that phishing attacks use two primary techniques, often used in combination with one another: URL manipulation and Web site forgery.
Pretexting I.
Point out another form of social engineering is called pretexting, which is sometimes referred to as phone phishing.
II. Emphasize that VoIP phone services have made it easy to spoof caller IDs and hence hide the identity of someone who may be on the other end of the line.
Information Extortion I.
Illustrate how information extortion involves the possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement to not disclose the information. Extortion is common in credit card number theft.
II.
Give examples provided in the textbook of different information extortion incidents and the impacts to their respective businesses. Translate to students that regardless of a company’s size or function, they are susceptible to extortion.
Ransomware
I.
Explain that the latest type of attack in this category is known as ransomware, which is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user’s system and data for a fee.
II.
Compare and contrast the two different types of ransomware: lockscreen and encryption.
•
Lockscreen ransomware denies access to the system by disabling access to the desktop and preventing the user from bypassing the ransom screen that demands payment for access.
•
Encryption ransomware is more severe, as it requires payment up front to regain access to the hard drive after its contents have been encrypted.
III.
Illustrate the three examples of ransomware activities highlighted in the text and stress to students that these types of attacks occur daily, and an information security team must be on guard to overcome and nullify these.
Sabotage or Vandalism I.
Summarize that this type of threat involves the deliberate sabotage of a computer system or business or acts of vandalism to either destroy an asset or damage the image of an organization.
II.
Emphasize that these threats can range from petty vandalism by employees to organized sabotage against an organization.
III.
Identify that organizations frequently rely on image to support the generation of revenue, and vandalism to a Web site can erode consumer confidence, thus reducing the organization’s sales and net worth. Compared to Web site defacement, vandalism within a network is more malicious in intent and less public.
Online Activism I.
Explain that security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist operations. A more extreme version is referred to as cyberterrorism (which is explained next).
II.
Stress that doxing is the use of online resources by a hacker to find and disseminate compromising information for the purpose of harming or harassing an individual, group, or government entity. Apply Figure 2-14 as an example of this in action.
Cyberterrorism and Cyberwarfare I. Detail the purpose of cyberterrorism and what the United States and other government bodies are doing to combat this.
II.
Differentiate between the three examples provided in the text with respect to supposed cyberterrorism attacks and why it is important to be on guard.
III.
Relate that some government entities express concern that cyberattacks that are aimed at disrupting their entities are likely to be seen as cyberwarfare. Note that their purpose is to take down critical infrastructure.
IV.
Apply one of the most recent attacks on critical infrastructure in the United States—the Colonial Pipeline shutdown that wreaked havoc in the eastern part of the country—as an example of a cyberterrorism threat in the eyes of the federal government.
Positive Online Activism I.
Compare cyberterrorism to more positive online activism, such as using Facebook, Twitter, and so on to perform fundraising and raise awareness of social issues.
II.
Stress that positive online activism is a legal right, provided it does not cross the moral threshold into illegal activities.
Quick Quiz 1
1. True or False: The three communities of interest are general management, operations management, and information security management.
Answer: False
2. Hackers of limited skill who use expertly written software to attack a system are known as which of the following?
a. cyberterrorists
b. script kiddies
c. jailbreakers
d. social engineers
Answer: b
3. Which of the following occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it?
a. information extortion
b. technological extortion
c. insider trading
d. information hoarding
Answer: a
4. Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?
a. cyberattackers
b. electronic terrorists
c. cyberterrorists
d. electronic hackers
Answer: c
5. True or False: Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo.
Answer: True
6. True or False: When looking at forces of nature that could cause destruction or damage to information systems, electrostatic discharge (ESD) is not considered to be one of them.
Answer: False
Software Attacks I.
Emphasize that an attack is a deliberate act that exploits a vulnerability to compromise a controlled system. This attack can consist of specially crafted software that attackers trick users into installing on their systems.
II.
State that the most common forms of software attack are malware, viruses, worms, back doors, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, e-mail attacks, and communications interception attacks.
Malware I.
Describe malware as malicious code or malicious software. Point out that other attacks that use software, such as redirect attacks and denial-of-service attacks, also fall under this threat. Note that the malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
II.
Explain that the polymorphic, or multivector, worm is a state-of-the-art attack system. Point out that these attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.
III.
Emphasize to students that when an attack makes use of malware that is not yet known by the antimalware software companies, it is said to be a zero-day attack.
IV.
Summarize other forms of malware, including covert software applications—bots, spyware, and adware—that are designed to work out of sight of users, or via an apparently innocuous user action. Use Table 2-7 to review some of the most dangerous malware attacks to date.
Viruses I.
State that a computer virus consists of code segments that perform malicious actions. Point out to students that one of the most common methods of virus transmission is via e-mail attachments.
II.
Mention that viruses can be classified by how they spread themselves. Discuss the most common types of information system viruses, which are the macro virus and the boot virus.
III.
Explain the classification known as memory-resident and non-memory-resident viruses. Note that resident viruses are capable of reactivating when the computer is booted and continuing their actions until the system is shut down.
IV.
Differentiate between different types of attack replication vectors illustrated in Table 2-8 within the text and stress that regardless of which one is used, the impact can still be crippling to an organization.
Worms I.
Explain that worms are viruses that replicate themselves like bunnies until all available resources have been exhausted.
II.
Relate to the speed that worms can spread by applying the examples of the Nimda outbreak in 2001 and the Klez worm that infiltrated computers much in the same way.
III.
Examine the consequences of a perpetrator creating and distributing a virus. Use the example of Jeffrey Lee Parson, an 18-year-old high school student who committed such an act.
IV.
Compare and contrast the definitions of a worm and a Trojan horse. Note that a Trojan horse on the surface looks legitimate, but once opened, it installs a virus on the devices it infects. Recommend students review Figure 2-15 for an illustration of this in practice.
V.
Illustrate that a more modern version of a Trojan horse attack is known as SMiShing, in which the victim is tricked into downloading malware onto a mobile phone via a text message. SMiShing is an abbreviation for SMS phishing.
VI.
Evaluate the ever-changing nature of a polymorphic threat and how it changes its size and other characteristics to stay one step ahead of antivirus software programs.
VII.
Point out that malware hoaxes, or messages that warn of dangerous viruses when no credible threat exists, waste significant resources and time. Point out the author’s comment that there are Web sites that can be checked to determine the validity and credibility of a supposed threat.
Back Doors I.
Discuss how by using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Point out that these doors are often referred to as maintenance hooks.
II.
Stress that a back door, or trap door, access process is difficult to detect because the person or program that places it often makes the access exempt from the system’s usual audit logging features and makes every attempt to keep the back door hidden from the system’s legitimate owners.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks I.
Explain that a denial-of-service attack begins when an attacker sends many connections or information requests to a target. So many requests are made that the target system cannot handle them successfully along with other legitimate requests for service. This may result in the system crashing or simply becoming unable to perform ordinary functions.
II.
Define a distributed denial-of-service attack as one in which a coordinated stream of requests is launched against a target from many locations at the same time.
III.
Relate how compromised machines are turned into bots or zombies that can be directed remotely by the attacker to participate in the attack. Apply Figure 2-16 as part of providing this point to students.
IV.
Emphasize that in most cases, the attacks are short-lived, but their impacts are significant and can last well beyond the time it took to initiate the act.
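A detector for the two patterns just described, added here as an example that is not part of the manual or the textbook: it buckets a constructed sample of Web-server log lines (documentation-range addresses only) into 10-second windows and flags a window as a single-source flood (DoS) or as a distributed flood from many sources (DDoS). The thresholds are assumptions chosen for the sample, not values from the text.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined-log style line: source, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {src, ts, req} for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"src": m.group("src"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req")}


def make_sample_log():
    """Constructed sample (nothing real): 5 normal requests, then one source sending
    120 requests in 10 s (DoS pattern), then 40 distinct sources each sending 5 requests
    in the same 10 s (DDoS pattern)."""
    base = datetime(2022, 3, 10, 10, 0, 0)

    def entry(src, seconds, path):
        ts = (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S")
        return f'{src} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512'

    lines = [entry(f"198.51.100.{i + 1}", i, "/index.html") for i in range(5)]
    lines += [entry("203.0.113.7", 20 + i // 12, "/login") for i in range(120)]
    lines += [entry(f"192.0.2.{s + 1}", 60 + k * 2, "/search")
              for s in range(40) for k in range(5)]
    return lines


def detect_floods(lines, window=10, per_source_max=50, total_max=100, min_sources=20):
    """Bucket requests into fixed windows of `window` seconds (relative to the first line)
    and report each window that looks like a flood:
      - "dos":  one source alone exceeds per_source_max requests;
      - "ddos": the window total exceeds total_max, no single source stands out, and at
                least min_sources distinct sources took part.
    Assumes lines are in time order, as a server writes them."""
    buckets = defaultdict(Counter)
    first_ts = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if first_ts is None:
            first_ts = rec["ts"]
        slot = int((rec["ts"] - first_ts).total_seconds()) // window
        buckets[slot][rec["src"]] += 1

    findings = []
    for slot in sorted(buckets):
        counts = buckets[slot]
        total = sum(counts.values())
        top_src, top_n = counts.most_common(1)[0]
        if top_n > per_source_max:
            findings.append({"window": slot, "kind": "dos",
                             "source": top_src, "requests": top_n})
        elif total > total_max and len(counts) >= min_sources:
            findings.append({"window": slot, "kind": "ddos",
                             "sources": len(counts), "requests": total})
    return findings


if __name__ == "__main__":
    for finding in detect_floods(make_sample_log()):
        print(finding)
```

On the sample the single-source window is reported as "dos" and the 40-source window as "ddos"; the normal traffic at the start produces no finding.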
E-Mail Attacks I.
Recall that spam is unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks.
II.
Explain that mail bombing is another form of e-mail attack that is also a denial of service (DoS), in which an attacker routes large quantities of e-mail to the target.
III.
Comment that phishing attacks may occur via e-mail, but they are aligned with social engineering designed to trick users into performing an action, which then makes them the target of a larger DoS e-mail attack.
Communications Interception Attacks I.
Explain that common software-based communications attacks include several subcategories designed to intercept and collect information in transit. Point out to students that the emergence of the Internet of Things (IoT) increases the possibility of these types of attacks.
II.
Describe a packet sniffer as a software program or hardware appliance that can intercept, copy, and interpret network traffic. Stress that these can be extremely dangerous because they are virtually impossible to detect.
III.
Establish that Internet protocol spoofing (or IP spoofing) is another technique, in which hackers modify packet headers to insert fake addresses that appear to be trusted IP addresses. Apply the sequence shown in Figure 2-17 to demonstrate how the process occurs. Emphasize, however, that most modern routers can offer some level of protection from this.
IV.
Describe the term pharming and that it is “the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining private information.” Note that pharming may also exploit the Domain Name System (DNS) by causing it to transform the legitimate host name into the invalid site’s IP address. This form of pharming is also known as DNS cache poisoning.
V.
Outline that in a man-in-the-middle attack, an attacker sniffs packets from the network, modifies them, and inserts them back into the network. Point out that in a TCP hijacking attack, the attacker uses address spoofing to impersonate other legitimate entities on the network. Mention that this is also known as session hijacking or a man-in-the-middle scenario.
Technical Hardware Failures or Errors I.
Emphasize that technical hardware failures or errors occur when a manufacturer distributes a user’s equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable or unavailable service.
II.
Discuss that some errors are terminal in that they result in the unrecoverable loss of the equipment. Some errors are intermittent in that they only periodically manifest themselves, resulting in faults that are not easily repeated.
III.
Stress that applying Murphy’s Law, it is more of a matter of when and not if computing equipment will break down.
The Intel Pentium CPU Failure I.
Illustrate that one of the best-known hardware failures was the Intel Pentium II chip.
II.
Since a simple quotient problem caused systems to crash, the Pentium floating-point division bug (FDIV) led to a public-relations disaster for Intel that resulted in its first-ever chip recall and a loss of more than $475 million. A few months later, disclosure of another bug, known as the Dan-0411 flag erratum, further eroded the chip manufacturer’s public image.
Mean Time Between Failures I.
Explain that in hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). Point out that MTBF and MTTF are sometimes used interchangeably.
II.
Compare and contrast the differences between mean time between failure (MTBF) and mean time to failure (MTTF).
•
Note that additionally, the mean time to diagnose (MTTD) is the average amount of time a technician needs to determine the cause of a failure, and the mean time to repair (MTTR) is the average time it will take to rectify the issue.
•
Calculate the MTBF by adding up the sum of MTTF, MTTD, and MTTR.
Technical Software Failures or Errors I.
Explain that this category involves threats that come from purchasing software with unknown, hidden faults. Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved.
II.
Discuss how combinations of certain software and hardware can reveal new bugs. Sometimes these items are not errors, but rather are purposeful shortcuts left by programmers for benign or malign reasons.
The OWASP Top 10 I.
List the top 10 Web application security risks, as outlined by the Open Web Application Security Project (OWASP):
• Injection
• Broken authentication
• Sensitive data exposure
• XML external entities (XXE)
• Broken access control
• Security misconfiguration
• Cross-site scripting (XSS)
• Insecure deserialization
• Insufficient logging & monitoring
• Insecure direct object references
II.
Emphasize that these have changed little since 2010, but the threat is just as big, if not bigger, over that time.
The Deadly Sins in Software Security I.
Explain that some software development problems result in software that is difficult or impossible to deploy in a secure fashion. There are at least two dozen problem areas or categories in software development (which is also called software engineering); it is recommended that these be summarized for students.
II.
Describe SQL injection as it occurs when developers fail to properly validate user input before using it to query a relational database. The possible effects of the ability to “inject” SQL of the attacker’s choosing into the program are not just limited to improper access to information but could potentially allow an attacker to drop tables or even shut down the database.
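The defect described above beside its hardened form, as an added example that is not from the manual or the textbook: a lookup that pastes the username into the SQL text, the same lookup with a bound parameter, and an allow-list validation step. The in-memory SQLite table and its two accounts are constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list for what a username may contain (an assumption for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Constructed in-memory table with two sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """The defect the manual describes: the input is pasted into the SQL text, so a quote
    character in it becomes part of the statement instead of part of the value."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: a bound parameter is always treated as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Input validation as a second layer: accept only characters a username may contain."""
    return USERNAME_RE.match(username) is not None


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed test value: its quote rewrites the WHERE clause
    print("unsafe:", lookup_unsafe(conn, hostile))   # returns every row in the table
    print("safe:  ", lookup_safe(conn, hostile))     # returns []: no such username
    print("valid? ", is_valid_username(hostile))     # False
```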
III.
Mention to students that the same cross-site scripting attacks that can infect a client system can also be used to attack Web servers. Cross-site request forgery (XSRF or CSRF) attacks and scripting cause users to attack servers they access legitimately.
IV.
Discuss Web client-related vulnerability (XSS). Client-side cross-site scripting errors can cause problems that allow an attacker to send malicious code to the user’s computer by inserting the script into a normal Web site.
V.
Describe the use of magic URLs and hidden forms.
•
Because HTTP is a stateless protocol and computer programs on either end of the communication channel cannot rely on guaranteed delivery of any message, it is difficult for software developers to track a user’s exchanges with a Web site over multiple interactions.
•
Too often, sensitive state information is simply included in a “magic” URL (e.g., the authentication ID is passed as a parameter in the URL for the exchanges that will follow) or included in hidden form fields on the HTML page.
•
If this information is stored as plain text, an attacker can harvest the information from a magic URL as it travels across the network or use scripts on the client to modify information in hidden form fields.
VI.
Detail what buffer overruns are and how they occur. Buffers are used when there is a mismatch in the processing rates between two entities involved in a communication process. A buffer overrun (or buffer overflow) is an application error that occurs when more data is sent to a program buffer than it is designed to handle. During a buffer overrun, an attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure.
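For the magic-URL and hidden-form item (V) above, an added example that is not from the manual or the textbook: it contrasts plain-text state in a hidden field, which a client-side script can rewrite unnoticed, with the same state carrying an HMAC-SHA256 tag, and with the simplest option of keeping the state on the server behind a random opaque session ID. The server key, the sample state, and the tampering helpers are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed server-side key (constructed here; a real service loads it from a key store).
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes, appended after the payload


def plain_hidden_field(state):
    """What the manual warns against: state as plain text in a hidden field or URL."""
    return json.dumps(state, sort_keys=True)


def read_plain_hidden_field(value):
    return json.loads(value)   # trusts whatever the client sent back


def signed_hidden_field(state, key=SERVER_KEY):
    """State plus an HMAC tag: the client can read it but cannot alter it unnoticed."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def read_signed_hidden_field(value, key=SERVER_KEY):
    """Return the state if the tag verifies, else None (tampered or wrong key)."""
    try:
        raw = base64.urlsafe_b64decode(value.encode())
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


class ServerSideSession:
    """Preferred design: state stays on the server; the client only holds a random ID,
    so nothing sensitive appears in a URL or hidden field at all."""

    def __init__(self):
        self._store = {}

    def create(self, state):
        sid = secrets.token_urlsafe(32)
        self._store[sid] = dict(state)
        return sid

    def get(self, sid):
        return self._store.get(sid)


# Simulations of the client-side script the manual describes: promote role=user to admin.
def tamper_plain(value):
    return value.replace('"role": "user"', '"role": "admin"')


def tamper_signed(value):
    raw = base64.urlsafe_b64decode(value.encode())
    raw = raw.replace(b'"role": "user"', b'"role": "admin"')
    return base64.urlsafe_b64encode(raw).decode()


if __name__ == "__main__":
    state = {"user_id": 42, "role": "user"}          # constructed sample state
    print("plain, tampered :", read_plain_hidden_field(tamper_plain(plain_hidden_field(state))))
    print("signed, intact  :", read_signed_hidden_field(signed_hidden_field(state)))
    print("signed, tampered:", read_signed_hidden_field(tamper_signed(signed_hidden_field(state))))
```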
VII.
Illustrate format string problems and the reason that they occur. Computer languages are often equipped with built-in capabilities to reformat data while they are outputting it. The formatting instructions are usually written as a “format string.” An attacker may embed characters meaningful as formatting directives into malicious input. If this input is then interpreted by the program as formatting directives, the attacker may be able to access information or overwrite very targeted portions of the program’s stack with data of the attacker’s choosing.
VIII.
Discuss integer bugs (overflows/underflows). Although paper and pencil can deal with arbitrary numbers of digits, the binary representations used by computers are of a particular fixed length. “Integer bugs fall into four broad classes: overflows, underflows, truncations, and signedness errors. Integer bugs are usually exploited indirectly—that is, triggering an integer bug enables an attacker to corrupt other areas of memory, gaining control of an application.”
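The four classes quoted above, each shown in a few lines of Python that wrap values the way a 32-bit register would, with a checked version beside the unchecked one; this is an added example, not from the manual or the textbook, and the field widths and sample values are assumptions for the demonstration.

```python
U32_MAX = 0xFFFFFFFF


def u32(x):
    """Wrap an arbitrary Python int the way a 32-bit unsigned register would."""
    return x & U32_MAX


def i32(x):
    """Reinterpret the low 32 bits of x as a two's-complement signed value."""
    x &= U32_MAX
    return x - (1 << 32) if x & 0x80000000 else x


def u16(x):
    """Keep only the low 16 bits, as storing into a 16-bit field does."""
    return x & 0xFFFF


# 1. Overflow: count * element_size wraps, so the "required" buffer size comes out tiny,
#    and a later copy of count elements runs past the allocation.
def unchecked_alloc_size(count, elem_size):
    return u32(count * elem_size)


def checked_alloc_size(count, elem_size):
    size = count * elem_size
    if count < 0 or elem_size < 0 or size > U32_MAX:
        raise OverflowError("size does not fit in 32 bits")
    return size


# 2. Underflow: subtracting past zero in unsigned arithmetic yields a huge "remaining" length.
def unchecked_remaining(total, consumed):
    return u32(total - consumed)


def checked_remaining(total, consumed):
    if consumed > total:
        raise ValueError("consumed exceeds total")
    return total - consumed


# 3. Truncation: a 32-bit length stored in a 16-bit field silently loses its high bits.
def truncated_length(length):
    return u16(length)


# 4. Signedness: a bounds check on a signed view lets a huge unsigned index through,
#    because 0xFFFFFFFF reads as -1, which is "less than" any positive limit.
def unsafe_index_in_bounds(index_bits, n):
    return i32(index_bits) < n


def safe_index_in_bounds(index_bits, n):
    return 0 <= u32(index_bits) < n
```

Each unchecked function returns a value that passes a naive size or bounds test; the checked counterpart refuses the same input, which is where the memory corruption the quotation describes would otherwise begin.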
IX.
Summarize the occurrence of C++ catastrophes. Note that this programming language has been around for nearly 40 years, and due to its age, security concerns have arisen. Since operating systems have APIs that use pointers to control code execution, they are susceptible to having program flow diverted, which opens the door for a hacker to take them over.
X.
Explain that effective software can catch and resolve exceptions, which are unusual situations that require special processing.
XI.
Define command injection and explain that command injection problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer’s failure to ensure that command input is validated before it is used in the program.
XII.
Comprehend that failure to handle errors can cause a variety of unexpected system behaviors. Programmers are expected to anticipate problems and prepare their application code to handle them.
XIII.
Analyze that information leakage is one of the most common methods of obtaining inside and classified information, directly or indirectly, from an individual, usually an employee. By warning employees against disclosing information, organizations can protect the secrecy of their operation.
XIV.
Justify that a race condition is the failure of a program that occurs when an unexpected ordering of events in the execution of the program results in a conflict over access to the same system resource.
XV.
Stress that employees prefer to do things “the easy way” when the official way is too difficult or cumbersome to complete. They must be reminded that there is only one way to do things—the secure way! If users choose the easier way, they are likely to experience loss of some kind very quickly.
XVI.
Relate that the complexity of updating applications and/or systems increases over time, and without catching the errors, they become harder to find. As a result, hackers can sneak in through those vulnerabilities and create an urgent security risk.
XVII.
Recall that when computers have more privileges than they need, this sets up numerous critical security issues. One of the greatest concerns in this area occurs when individuals download and run code from public sources, like Web sites.
XVIII.
Distinguish the fact that mobile code is an application, applet, macro, or script that may be embedded in another application or document and thus downloaded and executed without the user even knowing, and especially without consenting. This potentially results in a security risk as well.
XIX.
Apply the process of cryptography and how weak passwords are an open door for hackers and viruses to work their way into systems. As one of many safeguards to protect access, administrators should limit the number of times an incorrect password can be entered.
XX.
Discuss the failure to use cryptographically strong random numbers. Many computer systems use random number generators. These “random” number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number. Those who understand the workings of such a “random” number generator can predict values at particular times.
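The point above in running code, as an added example that is not from the manual or the textbook: a session token drawn from Python's default generator after seeding it with a whole-second clock reading can be reproduced by anyone who knows roughly when it was issued, whereas a token from the secrets module (the OS random source) has no seed to reproduce. The timestamp, token length and search window are assumptions for the demonstration.

```python
import random
import secrets


def weak_token(seed):
    """Token from Python's default PRNG (Mersenne Twister) seeded with a low-entropy value
    such as a whole-second timestamp. Same seed, same token, every time."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(16))


def strong_token():
    """Token from the OS cryptographic random source via the secrets module; no seed exists."""
    return secrets.token_hex(16)


def seed_recoverable(observed_token, window_start, window_end):
    """Reviewer's check: if a token could have come from seeding the PRNG with any whole-second
    timestamp in a known window, it is predictable. Returns the matching seed or None."""
    for candidate in range(window_start, window_end + 1):
        if weak_token(candidate) == observed_token:
            return candidate
    return None


if __name__ == "__main__":
    issued_at = 1_646_906_400          # constructed: a clock reading used as the seed
    weak = weak_token(issued_at)
    print("weak token  :", weak, "-> seed found:",
          seed_recoverable(weak, issued_at - 60, issued_at + 60))
    strong = strong_token()
    print("strong token:", strong, "-> seed found:",
          seed_recoverable(strong, issued_at - 60, issued_at + 60))
```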
XXI.
Emphasize that cryptography is a powerful tool to protect information, especially information that may travel outside the organization’s protective networks and systems. Using untested or undertested cryptographic algorithms and programs can cause issues. Using weak crypto keys or reusing the same crypto keys can cause issues, as can sending crypto keys through the same medium as the encrypted messages.
XXII.
Describe the failure to protect network traffic and explain that with the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted. Most wireless networks are installed and operated with little or no protection for the information that is broadcast between the client and the network wireless access point. Without appropriate encryption (such as that afforded by WPA), attackers can intercept and view your data. Traffic on a wired network is also vulnerable to interception in some situations.
XXIII.
Discuss the improper use of SSL. Programmers use Secure Sockets Layer (SSL) to transfer sensitive data such as credit card numbers and other personal information between a client and server. SSL and its successor, Transport Layer Security (TLS), both need certificate validation to be utterly secure. Failure to use secure HTTP, to validate the certificate authority and then validate the certificate itself, or to validate the information against a certificate revocation list (CRL), can compromise the security of SSL traffic.
XXIV.
Explain that the DNS is a core function of the Internet and World Wide Web and that it is subject to cache poisoning. In other words, when the DNS is compromised, the valid IP address associated with a domain name is changed to one the attacker chooses, usually a fake Web site designed to obtain personal information or one that accrues a benefit to the attacker—for example, redirecting shoppers from a competitor’s site. This may include additional attacks on other primary and secondary DNS servers linked to a specific domain.
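For the SSL/TLS item (XXIII) above, an added example that is not from the manual or the textbook: the careless client configuration (chain and hostname checks switched off) beside a hardened one built with Python's ssl module, plus an audit function that lists which of the validation steps named in the text a given context skips. The finding strings and the TLS 1.2 floor are assumptions for the demonstration.

```python
import ssl


def careless_client_context():
    """The weak configuration the manual warns about, constructed for contrast: chain
    verification and hostname matching switched off, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Chain verified against trusted CAs, hostname matched, leaf checked against a CRL,
    legacy protocol versions refused. The CRL data itself is loaded with
    ctx.load_verify_locations(cafile=<crl pem>), which needs a file and is left to the caller."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the validation steps a context skips; an empty list means none are skipped."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required or not verified against a CA")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        findings.append("no CRL check configured")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions allowed")
    return findings


def is_secure_url(url):
    """'Failure to use secure HTTP': only an https URL gets the protection above at all."""
    return url.lower().startswith("https://")


if __name__ == "__main__":
    print("careless:", audit_context(careless_client_context()))
    print("hardened:", audit_context(hardened_client_context()))   # []
```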
XXV.
Stress the issue of neglecting change control. Developers use a process known as change control to ensure that the working system delivered to users represents the intent of the developers. Change control processes ensure that developers do not work at cross purposes by altering the same programs or parts of programs at the same time. They also ensure that only authorized changes are introduced and that all changes are adequately tested before being released.
Technological Obsolescence
I. Discuss how antiquated or outdated infrastructure leads to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks.
II. Explain that proper planning by management should prevent technology from becoming obsolete. However, when obsolescence is identified, management must take immediate action.
III. Illustrate examples of obsolete technologies as provided in Figure 2-20 within the text. If available, provide additional examples of items virtually or in person.
Theft
I. Define theft as the illegal taking of another’s property. Within an organization, that property can be physical, electronic, or intellectual.
II. Summarize how physical theft can be controlled quite easily. Many measures can be taken, including locking doors, training security personnel, and installing alarm systems.
III. Contrast electronic theft, however, as a more complex problem to manage and control. Organizations may not even know it has occurred.
Quick Quiz 2
1. Using a known or previously installed access mechanism is known as which of the following?
   a. hidden bomb   b. vector   c. spoof   d. back door
   Answer: d
2. True or False: When a program tries to reverse-calculate passwords, this is known as a brute force spoof.
   Answer: False
3. True or False: Warnings of attacks that are not valid are usually called hoaxes.
   Answer: False
4. What is another name for a man-in-the-middle attack?
   a. TCP hijacking   b. mail bombing   c. spoofing   d. denial of service
   Answer: a
5. Which of the following is an application error that occurs when more data is sent to a program buffer than it is designed to handle?
   a. buffer underrun   b. buffer overrun   c. heap overflow   d. heap attack
   Answer: b
6. True or False: A SQL injection occurs when developers fail to properly validate user input before using it to query a relational database.
   Answer: True
7. True or False: The Domain Name System (DNS) is a function of the World Wide Web that converts a URL (Uniform Resource Locator) such as www.course.com into the IP address of the Web server host.
   Answer: True
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. Discuss the differences between a threat and an attack. How are they similar and how are they different with respect to the need for information security at an organization? (2.1, 2.3, PPT Slides 3, 10, 73–76) Duration 15 minutes.
2. Detail the reasons why everyone in an organization should be responsible for information security and not just persons in information technology or security. What are the consequences to users and the firm of a tunnel-vision approach? (2.2, 2.4, PPT Slides 8–10, 68–70, and 72) Duration 15 minutes.
3. Is there an ethically acceptable reason to study and use the various attack methods described in this chapter? Why or why not? (2.3, 2.4, PPT Slides 3–10 and 33–35) Duration 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Create a portable AV scanner using a USB storage device.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Using the Internet, browse www.cert.org and find the most recent CERT advisory. Have students report on any recent vulnerabilities posted on the site.
2. Using the Internet, find and read the SANS/FBI Top 20 Vulnerabilities. Assign each student 1 or 2 of the 20 vulnerabilities listed and have them identify the threat group and threat category it warns about.
[return to top]
Additional Resources
Cengage Video Resources
• MindTap Video: Information Security Terminology
Internet Resources
• Build Security In: Making the Case for Software Assurance
• Build Security In: Secure Software Development Lifecycle
• Cross-Site Scripting FAQ
• Governing for Enterprise Security Implementation Guide
• Hackers Breached Colonial Pipeline Using Compromised Password
• Verizon Data Breach Investigation Report (2016)
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3 – Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2 – Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1 – Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0 – Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 3: Information Security Management
Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 3: Information Security Management
Table of Contents
Purpose and Perspective of the Module ... 2
Cengage Supplements ... 2
Module Objectives ... 2
Complete List of Module Activities and Assessments ... 3
Key Terms ... 3
What's New in This Module ... 7
Module Outline ... 7
Discussion Questions ... 35
Suggested Usage for Lab Activities ... 35
Additional Activities and Assignments ... 37
Additional Resources ... 37
  Cengage Video Resources ... 37
  Internet Resources ... 37
Appendix ... 39
  Grading Rubrics ... 39
Purpose and Perspective of the Module
Maintaining the security of information is paramount to any organization thriving and surviving in the digital age. In this module, students will gain an understanding of the different management functions that are required to maintain information security. One important part of this is information security governance; think of it as the guiderails for maintaining and protecting information in an organization. Management’s role here is critical in setting policies, procedures, standards, practices, and guidelines. Students will also gain knowledge of the elements that should be in security education and training and of the composition of a blueprint. This module is a foundational piece for comprehending the more complex topics later in the text.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
3.1 Describe the different management functions with respect to information security.
3.2 Define information security governance and list the expectations of the organization’s senior management with respect to it.
3.3 Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
3.4 List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization.
3.5 Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program.
Complete List of Module Activities and Assessments
For additional guidance, refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
3.1, 3.2, and 3.3 | 16–17 | Knowledge Check Activity 1 | 2 minutes
3.4 and 3.5 | 37–38 | Knowledge Check Activity 2 | 2 minutes
3.4 and 3.5 | 53–55 | Knowledge Check Activity 3 | 2 minutes
3.1–3.5 | 62–63 | Self-Assessment | 5 minutes
 | MindTap | Module 03 Review Questions | 30–40 minutes
 | MindTap | Module 03 Case Exercises | 30 minutes
 | MindTap | Module 03 Exercises | 10–30 minutes per question; 1+ hour per module
 | MindTap | Module 03 Security for Life | 1+ hour
 | MindTap | Module 03 Quiz | 10–15 minutes
[return to top]
Key Terms
In order of use:
strategic planning: The process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.
goals: A term sometimes used synonymously with objectives; the desired end of a planning cycle.
strategic plan: The documented product of strategic planning; a plan for the organization’s intended strategic efforts over the next several years.
objectives: A term sometimes used synonymously with goals; the intermediate states obtained to achieve progress toward a goal or goals.
governance, risk management, and compliance (GRC): An approach to information security strategic guidance from a board of directors’ or senior management perspective that seeks to integrate the three components of information security governance, risk management, and regulatory compliance.
governance: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.
corporate governance: Executive management’s responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.
information security governance: The application of the principles and practices of corporate governance to the information security function, emphasizing the responsibility of the board of directors and/or senior management for the oversight of information security in the organization.
tactical plan: The documented product of tactical planning; a plan for the organization’s intended tactical efforts over the next few years.
operational plan: The documented product of operational planning; a plan for the organization’s intended operational efforts on a day-to-day basis for the next several months.
tactical planning: The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.
operational planning: The actions taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.
policy: Instructions that dictate certain behavior within an organization.
standard: A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
de facto standard: A standard that has been widely adopted or accepted by a public group rather than a formal standards organization.
de jure standard: A standard that has been formally evaluated, approved, and ratified by a formal standards organization.
guidelines: Nonmandatory recommendations the employee may use as a reference in complying with a policy.
procedures: Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.
practices: Examples of actions that illustrate compliance with policies.
information security policy: Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
enterprise information security policy (EISP): The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts; also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.
issue-specific security policy (ISSP): An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
systems-specific security policies (SysSPs): Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups—managerial guidance and technical specifications—but may be written as a single unified SysSP document.
managerial guidance SysSP: A policy that expresses management’s intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective.
technical specifications SysSP: A policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective; usually includes details on configuration rules, systems policies, and access control.
access control list (ACL): Specifications of authorization that govern the rights and privileges of users to a particular information asset; includes user access lists, matrices, and capabilities tables.
capabilities table: A lattice-based access control with rows of attributes associated with a particular subject (such as a user).
access control matrix: An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings; contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user.
configuration rules: The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
policy administrator: An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.
sunset clause: A component of policy or law that defines an expected end date for its applicability.
security, education, training, and awareness (SETA): A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization’s employees.
information security blueprint: In information security, a framework or security model customized to an organization, including implementation details.
information security framework: In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls.
information security model: A well-recognized information security framework, usually promoted by a government agency, standards organization, or industry group.
managerial controls: Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization’s security administration; they include governance and risk management.
operational controls: Information security safeguards focusing on lower-level planning that deals with the functionality of the organization’s security; they include disaster recovery planning, incident response planning, and SETA programs.
technical controls: Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets; they include firewalls, virtual private networks, and IDPSs.
defense in depth: A strategy for the protection of information assets that uses multiple layers and different types of controls to provide optimal protection; typically, implementation of many different types of controls.
redundancy: The use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information; typically, multiple instances of the same type of control.
security perimeter: The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas.
security domain: An area of trust within which information assets share the same level of protection; communication between these trust areas requires evaluation of communications traffic.
[return to top]
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was mostly drawn from Chapter 4 in the 6th edition.
• The internal organization of the module was restructured to an updated approach, expanding from planning to a more complete presentation on security management.
• The content on contingency planning was moved to Module 5.
• The entire module was refreshed with a general update and given more current examples.
[return to top]
Module Outline
Introduction to the Management of Information Security (3.1, PPT Slides 3–5)
I. Stress that an information security program begins with policies, standards, and practices that are the foundation for the program and its blueprint. This will require coordinated planning, and it should be done regardless of an organization’s size.
II. Denote that the information security (InfoSec) team’s goals differ from information technology’s goals: the primary focus of the IT group is to ensure the effective and efficient processing of information, whereas the primary focus of the InfoSec group is to ensure the confidentiality, integrity, and availability of information.
III. Propose to students that even though security controls slow the flow of information, the validation, verification, and assessment against attacks are worth the cost so that an organization can run properly.
IV. List out “the six Ps” of information security management: planning, policies, programs, protection, people, and project management. These are discussed further in the subsections below.
Planning
I. Outline that within the planning stage of the InfoSec model are activities that are necessary to support the design, creation, and implementation of strategies within the planning environments of an organization. Emphasize that this does include the information technology (IT) department.
II. Report that input received from other departments is essential so that the chief information security officer (CISO) and chief information officer (CIO) can develop strategies from the top down in the firm.
III. Classify that the net result of these initiatives is to protect the organization from unexpected incidents and to be able to respond to them in a timely and efficient manner.
Policy
I. Review the three categories of policy that are presented here. Note that these are covered in more depth later in the module:
• Enterprise information security policy (EISP): Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. The CISO typically drafts the program policy, which is usually supported and signed by the CIO or the CEO.
• Issue-specific security policies (ISSPs): These are sets of rules that define acceptable behavior within a specific organizational resource, such as e-mail or Internet usage.
• Systems-specific policies (SysSPs): A merger of technical and managerial intent, SysSPs include both the managerial guidance for the implementation of a technology as well as the technical specifications for its configuration.
Programs
I. Relate that InfoSec operations that are specifically managed are often known as programs (or entities). Apply the example of security education, training, and awareness (SETA) programs or a risk management program.
II. Give additional examples of different programs that may be part of InfoSec operations.
Protection
I. Summarize that the protection function is carried out through a set of risk management activities in addition to protection mechanisms, technologies, and tools. Note that these are critical pieces of an overall InfoSec plan.
People
I. Emphasize that people are the most critical link in the InfoSec program. State that people may include security personnel (professional information security employees), the security of personnel in an organization, and the items mentioned in the SETA program.
Projects
I. Recognize that whatever will be implemented in the InfoSec space must be managed as a project.
II. Identify that project management involves the application of a project management discipline to all elements of the InfoSec program. Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.
III. Provide examples of projects that an information security manager may want to execute to maintain information assets in the organization.
Information Security Planning and Governance (3.2, PPT Slides 6–11)
I. Explain that long-term strategic planning is critical to the information security program and that the planning effort should have specific, clearly defined goals for the organization.
II. Discuss the organization of the planning process from the broad goals and vision of the organization down to the division and subsequent levels of the organization.
III. Remind students that the translation of goals at one level into actionable items at the next level depends on the skill of the executive in charge of that level and is more art than science.
IV. Analyze and present to students that the executives are often the decision makers and may be referred to as the C-level or C-suite.
Information Security Leadership
I. Recognize that the information security function that delivers strategic planning and corporate responsibility is best carried out by applying the approach of governance, risk management, and compliance (GRC).
II. Comment that risk is not strictly a responsibility of the InfoSec team but rather of the whole organization.
III. Classify that InfoSec objectives must be addressed at the highest levels of an organization’s management team. This must be done so that the effectiveness and sustainability of any approach are achieved.
IV. Compare and contrast the differences between corporate and information security governance.
V. Outline the core set of activities provided by the Corporate Governance Task Force (CGTF) needed to develop and implement an InfoSec governance program:
• Conduct an annual InfoSec evaluation, the results of which the CEO should review with staff and then report to the board of directors.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
• Conduct periodic risk assessments of information assets as part of a risk management program.
• Implement policies and procedures based on risk assessments to secure information assets.
• Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.
• Develop plans and initiate actions to provide adequate InfoSec for networks, facilities, systems, and information.
• Treat InfoSec as an integral part of the system life cycle.
• Provide InfoSec awareness, training, and education to personnel.
• Conduct periodic testing and evaluation of the effectiveness of InfoSec policies and procedures.
• Create and execute a plan for remedial action to address any InfoSec deficiencies.
• Develop and implement incident response procedures.
• Establish plans, procedures, and tests to provide continuity of operations.
• Use security best practices guidance, such as the ISO 27000 series, to measure InfoSec performance.
VI. Distinguish that ISO 27014:2013 is the ISO 27000 series standard for Governance of Information Security (the 2013 edition has since been replaced by ISO/IEC 27014:2020, but the module follows the 2013 text) and list the six high-level “action-oriented” principles that make up this standard:
• Establish organization-wide information security.
• Adopt a risk-based approach.
• Set the direction of investment decisions.
• Ensure conformance with internal and external requirements.
• Foster a security-positive environment.
• Review performance in relation to business outcomes.
VII. Outline the five governance processes, also part of ISO 27014:2013, that should be adopted by the organization’s executive management and governing board:
• Evaluate: Review the status of current and projected progress toward organizational information security objectives and decide whether modifications to the program or its strategy are needed to stay on track with strategic goals.
• Direct: The board of directors provides instruction for developing or implementing changes to the security program. This could include modification of available resources, the structure or priorities of effort, adoption of policy, recommendations for the risk management program, or alteration of the organization’s risk tolerance.
• Monitor: The review and assessment by the governing body of organizational information security performance toward goals and objectives. Monitoring is enabled by ongoing performance measurement.
• Communicate: The interaction between the governing body and external stakeholders, in which information on organizational efforts and recommendations for change are exchanged.
• Assure: The assessment of organizational efforts by external entities such as certification or accreditation groups, regulatory agencies, auditors, and other oversight entities, to validate organizational security governance, security programs, and strategies.
Apply Figure 3-1 as an additional visual to help students comprehend this standard.
VIII. Review the Information Technology Governance Institute’s view on information security governance and how it is similar to and different from the ISO standard. Note that in its view, the board of directors and executive management must provide:
• Strategic direction
• Establishment of directives
• Progress measurement
• Verification that risk management practices are appropriate
• Validation that the organization’s assets are used properly
IX. Reference Figure 3-2 as a summarized view of information security governance roles and responsibilities for personnel in an organization.
Information Security Governance Outcomes
I. State that governance describes the entire process of governing, or controlling, the processes used by a group to accomplish some objective.
II. Define the term governance and explain why the board of directors must be involved to provide strategic direction. Note the five key tasks for which it is responsible:
• Strategic direction
• Establishment of objectives
• Measurement of progress toward these objectives
• Verification that risk management practices are appropriate
• Validation that the organization’s assets are used properly
III. List the five goals of information security governance:
• Strategic alignment of information security with business strategy to support organizational objectives
• Risk management by executing appropriate measures to manage and mitigate threats to information resources
• Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
• Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
• Value delivery by optimizing information security investments in support of organizational objectives
Planning Levels
I. Explain to students that strategic plans and objectives are used to create tactical plans, which in turn are used to develop operational plans.
II. Compare and contrast tactical planning (one- to two-year timelines) with operational planning (day-to-day tasks).
III. Discuss how the chief information security officer (CISO) uses tactical plans to organize, prioritize, and acquire resources for major projects.
Planning and the CISO
I. Remind students that the primary objective of the CISO and the information security management team is to create the security strategic plan. Explain that this plan is an evolving statement of how the CISO will implement the objectives expressed in the enterprise information security plan.
II. Stress that clearly directed strategies flow from top to bottom, and that a systematic approach is required so that all members of the organization are aware of them.
III. Note that everyone in the organization, not just information security or technology professionals, will likely use the information provided.
Quick Quiz 1
1. What type of planning occurs when the actions taken by management to specify the intermediate goals and objectives of the organization, in order to obtain specified strategic goals, are followed by estimates and schedules for the allocation of the resources necessary to achieve those goals and objectives?
a. strategic
b. tactical
c. operational
d. financial
Answer: b
2. According to the text and the information security governance roles and responsibilities graphic, who is responsible for policy implementation and for reporting security vulnerabilities and breaches?
a. Chief executive officer
b. Mid-level managers
c. Janitorial staff
d. Enterprise staff/employees
Answer: d
3. The ________ process entails the review and assessment of organizational information security performance toward goals and objectives by the governing body.
a. evaluate
b. direct
c. monitor
d. assure
Answer: c
4. True or False: ISO 27014:2021 is the ISO 27000 series standard for Governance of Information Security.
Answer: False
5. True or False: Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. It should also guide organizational efforts and focus resources toward specific, clearly defined goals.
Answer: True
Information Security Policy, Standards, and Practices (3.3, PPT Slides 12–13 and 18–30)
I. Establish that management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment.
II. Explain how policies direct how issues should be addressed and how technologies should be used.
III. Emphasize that policies should not explain the proper operation of hardware or software; that information belongs in standards, procedures, and systems documentation.
IV. State that policies should never contradict laws, and that they must be properly administered through dissemination and documented acceptance.
V. Explain that quality security programs begin and end with policy.
VI. Report that security policies are the least expensive control to execute but the most difficult to implement properly.
Policy as the Foundation for Planning
I. Explain how policies are organizational laws in that they dictate acceptable and unacceptable behavior within the context of the organization’s culture. Like laws, policies must state what is right and wrong, what the penalties are for violating policy, and what the appeal process is.
II. Contrast standards, which are more detailed statements of what must be done to comply with policy, with the broader policies themselves.
III. Discuss how the level of acceptance of standards may be informal, as with de facto standards, or standards may be published, scrutinized, and ratified by a group, as with formal or de jure standards.
IV. Identify the relationship between policies, processes, practices, procedures, and guidelines as outlined in Table 3-1.
V. Relate that the meaning of the term security policy depends on the context in which it is used. As the authors note, it is a set of rules that protect an organization’s assets.
VI. Define the term information security policy as the rules for protecting an organization’s information assets. Reference NIST SP 800-14 for the three types of security policy (NIST SP 800-12 Rev. 1 presents the same three-tier taxonomy as program, issue-specific, and system-specific policy):
• Enterprise information security policies
• Issue-specific security policies
• Systems-specific security policies
VII. Emphasize that for a policy to be effective and legally enforceable, it must be properly disseminated, read, understood, agreed to, and enforced equally upon all members of the organization.
Enterprise Information Security Policy
I. Detail how an enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy. This policy sets the strategic direction, scope, and tone for all security efforts within the organization.
II. Establish that the EISP is usually an executive-level document drafted by the CIO and is about 2 to 10 pages long.
III. Recall the guidance that NIST provides: the EISP typically addresses compliance in the following two areas:
• General compliance, to ensure that the requirements to establish a program and the responsibilities assigned to various organizational components are met.
• The use of specified penalties and disciplinary action.
EISP Elements
I. Present the elements that an EISP should have, and give students an opportunity to review Table 3-2 as an example of what is included in an EISP:
• An overview of the corporate philosophy on security
• Information on the structure of the information security organization and the people who fulfill the information security role
• Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
• Fully articulated responsibilities for security that are unique to each role within the organization
Issue-Specific Security Policy
I. Explain that as an organization adopts various technologies and processes to support routine operations, guidelines are needed to instruct employees in using those technologies and processes properly.
II. Review the purpose of the issue-specific security policy (ISSP) and the characteristics that, at a minimum, it should have:
• Addresses specific areas of technology
• Requires frequent updates
• Contains a statement of the organization’s position on a specific issue
III. Outline topics that are often the subject of an ISSP:
• Use of the Internet and World Wide Web
• Specific minimum configurations of computers to defend against worms and viruses
• Prohibitions against hacking or testing organization security controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks (BYOD: bring your own device)
• Use of telecommunications technologies, such as fax and phone
• Use of photocopy equipment
• Use of portable storage devices such as USB memory sticks, backpack drives, game players, music players, and any other device capable of storing digital files
• Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract; such services include Google Drive, Dropbox, and Microsoft OneDrive
• Use of networked infrastructure devices, “intelligent assistants” such as Google Assistant and Amazon Echo, and accompanying devices usually classified as the Internet of Things (IoT)
• Use of programmable logic controller (PLC) devices and associated control protocols on corporate data networks and production-focused industrial networks
IV. Propose the three common ways that ISSPs can be created within an organization: independent ISSP documents, each tailored to a specific issue; a single comprehensive ISSP document that covers all issues; or a modular ISSP document that unifies policy creation and administration while giving each issue’s requirements their own treatment.
V. Critique the three approaches to ISSP development and conclude that the modular ISSP approach is the optimal balance between the independent and comprehensive ISSPs.
VI. Name the core components of an ISSP as outlined in Table 3-3. Emphasize that these are explained in detail in this part of the module.
Statement of Policy
I. Detail the purpose of the statement of policy. Emphasize that the policy should begin with a clear statement of purpose.
II. Comment that the introductory section should answer the following questions:
• What is the scope of the policy?
• Who is responsible and accountable for policy implementation?
• What technologies and issues does the policy document address?
Authorized Access and Usage of Equipment
I. Explain that this section of the policy addresses who can use the technology governed by the policy, and the purposes for which it can be used.
II. Note that this section also defines “fair and responsible use” of equipment and other organizational assets and should address key legal issues, such as protection of personal information and privacy.
Prohibited Use of Equipment
I. Stress that this section of the policy provides strict guidance on the uses of the technology that are prohibited.
II. Point out that unless a particular use is strictly prohibited, the organization cannot penalize employees for engaging in it.
Systems Management
I. Explain that this section focuses on the users’ relationship to systems management.
II. Emphasize that it is important to identify all responsibilities delegated to both users and systems administrators to avoid confusion.
Violations of Policy
I. Identify this part of the policy as the consequences and penalties for violating an information security policy.
II. Guide students to understand that this section also provides instructions on how to report policy violations.
Policy Review and Modification
I. Explain that each policy should have a procedure and a timetable for periodic review.
Limitations of Liability
I. Recall that this section is often the final section of a policy and contains a general statement of liability or disclaimers.
II. Summarize that the policy should state that if employees violate a company policy or any law using company technologies, the company will not protect them and is not liable for their actions.
Systems-Specific Security Policy (SysSP)
I. Emphasize that while issue-specific policies are formalized as written documents distributed to users and agreed to in writing, SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems.
II. Explain that systems-specific policies can be combined into a single policy document or separated into two groups: managerial guidance and technical specifications.
Managerial Guidance of SysSPs
I. Discuss managerial guidance SysSPs. Note that a managerial guidance SysSP document is created by management to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information.
II. Establish that any system that affects the confidentiality, integrity, or availability of information must be assessed to evaluate the trade-off between improved security and the restrictions it imposes.
Technical Specifications of SysSPs
I. Discuss that while a manager can work with a systems administrator to create managerial policy as described in the preceding section, the systems administrator may in turn need to create a policy to implement the managerial policy.
II. State the purpose and definition of access control lists (ACLs). Comment that these include user access lists, matrices, and capability tables that govern the rights and privileges of users. A capability table specifies which subjects and objects users or groups can access; in some systems, capability tables are called user profiles or user policies. (Strictly, an ACL is attached to an object and lists the subjects allowed to act on it, whereas a capability table is attached to a subject and lists the objects it may act on; both are views of the same access matrix.)
III. Summarize the purpose of an ACL and what it regulates:
• Who can use the system
• What authorized users can access
• When authorized users can access the system
• Where authorized users can access the system from
IV. Recall the purpose of configuration rule policies: they are specific instructions entered into a security system that govern how it reacts to the data it receives. Note that these are more specific to the operation of a system than ACLs and may or may not deal with users directly.
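To make the four ACL questions (who, what, when, where) concrete for students, the following is an added example, not code from the textbook or this manual, of a small default-deny access evaluator in Python. Every entry carries a subject, an object pattern with permitted actions, a time-of-day window and a set of source networks; a request is allowed only if some entry satisfies all four. The `capability_table` helper pivots the same entries by subject, which is the capability-table view the text describes. The HR share, user names, groups, addresses and times are all constructed for illustration; the default-deny stance is the “that which is not permitted is prohibited” philosophy discussed later in the module.

```python
"""Toy SysSP access-control evaluator (added example, not from the textbook).

Every ACL entry answers the four questions an ACL regulates: who (subject),
what (object + actions), when (time-of-day window) and where (source network).
The evaluator is default-deny: a request succeeds only if some entry permits it.
All names, resources, addresses and times below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    subject: str                        # who: a user or group name
    obj: str                            # what: resource name; trailing '*' is a prefix wildcard
    actions: frozenset                  # operations the subject may perform on obj
    start: time = time(0, 0)            # when: earliest permitted time of day
    end: time = time(23, 59, 59)        # when: latest permitted time of day
    networks: tuple = ("0.0.0.0/0",)    # where: source networks the access may come from


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    obj: str
    action: str
    when: datetime
    source_ip: str


def object_matches(pattern: str, obj: str) -> bool:
    if pattern.endswith("*"):
        return obj.startswith(pattern[:-1])
    return pattern == obj


def entry_permits(entry: AclEntry, req: AccessRequest) -> bool:
    """True only when every axis of the entry is satisfied by the request."""
    if entry.subject != req.user and entry.subject not in req.groups:
        return False                                        # who
    if not object_matches(entry.obj, req.obj):
        return False                                        # what
    if req.action not in entry.actions:
        return False                                        # which operation
    if not entry.start <= req.when.time() <= entry.end:
        return False                                        # when
    ip = ip_address(req.source_ip)
    return any(ip in ip_network(net) for net in entry.networks)   # where


def authorize(acl, req: AccessRequest):
    """Default deny: allow only when some entry explicitly permits the request."""
    for entry in acl:
        if entry_permits(entry, req):
            return True, f"permitted by entry {entry.subject} -> {entry.obj}"
    return False, "no matching entry (default deny)"


def capability_table(acl, subject: str):
    """The same rules pivoted by subject: (object, actions) pairs the subject holds."""
    return [(e.obj, sorted(e.actions)) for e in acl if e.subject == subject]


# Constructed ACL for a hypothetical HR file share.
ACL = [
    AclEntry("payroll-admins", "hr/payroll/*", frozenset({"read", "write"}),
             time(8, 0), time(18, 0), ("10.10.0.0/16",)),      # office hours, on-site only
    AclEntry("staff", "hr/handbook", frozenset({"read"})),      # anyone on staff, anytime, anywhere
    AclEntry("backup-svc", "hr/*", frozenset({"read"}),
             time(1, 0), time(4, 0), ("10.10.5.0/24",)),       # backup window, backup subnet
]


def request(user, groups, obj, action, when, ip):
    return AccessRequest(user, frozenset(groups), obj, action, when, ip)


def run_demo():
    """Evaluate constructed requests; returns {name: (allowed, reason)}."""
    admins = {"staff", "payroll-admins"}
    office = datetime(2024, 3, 4, 10, 30)
    cases = {
        "admin_in_hours": request("alice", admins, "hr/payroll/2024-q1", "write", office, "10.10.3.7"),
        "admin_after_hours": request("alice", admins, "hr/payroll/2024-q1", "write",
                                     datetime(2024, 3, 4, 20, 15), "10.10.3.7"),
        "admin_offsite": request("alice", admins, "hr/payroll/2024-q1", "write", office, "203.0.113.9"),
        "staff_reads_payroll": request("bob", {"staff"}, "hr/payroll/2024-q1", "read", office, "10.10.3.8"),
        "staff_reads_handbook": request("bob", {"staff"}, "hr/handbook", "read",
                                        datetime(2024, 3, 4, 23, 0), "198.51.100.4"),
        "backup_reads": request("backup-svc", set(), "hr/payroll/2024-q1", "read",
                                datetime(2024, 3, 5, 2, 0), "10.10.5.20"),
        "backup_writes": request("backup-svc", set(), "hr/payroll/2024-q1", "write",
                                 datetime(2024, 3, 5, 2, 0), "10.10.5.20"),
    }
    return {name: authorize(ACL, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, why) in run_demo().items():
        print(f"{name:21} {'ALLOW' if allowed else 'DENY':5} {why}")
```

Running it shows the same payroll administrator allowed at 10:30 from the office subnet but denied at 20:15 and denied from an off-site address, a staff member denied payroll but allowed the handbook, and the backup account allowed to read but not write inside its window. The point for students is that a single ACL entry binds all four questions together, and that with default deny a request which matches no entry is refused without any rule having to say so.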
Combination SysSPs
I. Explain that many organizations create a single document that combines the managerial guidance SysSP and the technical specifications SysSP. This can be confusing to casual users but is practical, since it puts the guidance from both the managerial and technical perspectives in one place.
Developing and Implementing Effective Security Policy
I. Present the six tasks that must be done properly for a policy to be legally defensible:
• Development: Policies must be written using industry-accepted practices and formally approved by management.
• Dissemination: Policies must be distributed using all appropriate methods.
• Review: Policies must be readable and read by all employees.
• Comprehension: Policies must be understood by all employees.
• Compliance: Policies must be formally agreed to by act or affirmation.
• Enforcement: Policies must be uniformly applied to all employees.
Developing Information Security Policy
I. Outline that in most cases, policy development consists of three parts:
• The policy is designed and written.
• Senior management or an executive, along with legal counsel, reviews and approves the document.
• Management processes are developed in the final stage, which in turn results in policy enforcement within the organization.
II. Emphasize the importance of security managers using all resources available to create policies, while giving credit where it is due when drawing on sources from outside the organization.
Policy Distribution
I. Compare and contrast the options of providing hard-copy and electronic policy documents.
II. Stress that distribution of materials, regardless of method, may still not reach every individual. Unlike in law, ignorance of policy is considered an acceptable excuse where the policy was inadequately distributed.
III. Distinguish that distribution of classified policies (those containing confidential information) requires additional levels of control: in the labeling of the document, in the dissemination and storage of new policy, and in the collection and destruction of older versions, to ensure the confidentiality of the information contained within the policy documents themselves.
Policy Review
I. Identify that one of the common barriers to employees reading policies arises from literacy or language issues. Provide the figure that, according to Macrotrends, 1 in 15 adults cannot read and write with understanding. Language issues are even more prevalent in organizations with multiple locations around the world.
II. Stress that alternate forms of materials, such as braille, an audio version, or a sign language interpreter, must be available to accommodate employees who are visually impaired or deaf.
Policy Comprehension
I. Review the two aspects of policy comprehension: the target audience can understand the policy, and the organization has assessed how well they understand it.
II. Apply the use of software or add-ons that examine the readability of a document. For example, the Flesch Reading Ease test recommends a score of 60 to 70 on its 100-point scale for corporate documents, and the Flesch-Kincaid Grade Level test recommends a score of 7.0 to 8.0 for similar documents.
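Both readability formulas are simple enough for students to run themselves rather than treat as a black box. The following is an added example, not from the textbook or this manual, that computes Flesch Reading Ease (206.835 - 1.015 * words per sentence - 84.6 * syllables per word) and Flesch-Kincaid Grade Level (0.39 * words per sentence + 11.8 * syllables per word - 15.59) over two constructed policy sentences and compares the results with the 60 to 70 and 7.0 to 8.0 targets quoted above. The syllable counter is a vowel-group heuristic, so absolute scores will differ a little from a word processor’s; the coefficients are the published ones.

```python
"""Readability scoring for policy text (added example, not from the textbook).

Computes Flesch Reading Ease and Flesch-Kincaid Grade Level for a passage and
compares them with the corporate-document targets the module quotes
(FRE 60-70, FKGL 7.0-8.0). The syllable counter is a vowel-group heuristic, so
scores differ slightly from word processors' figures; the formula coefficients
are the published Flesch / Flesch-Kincaid ones. Sample passages are constructed.
"""
import re


def count_syllables(word: str) -> int:
    """Count vowel groups, dropping a silent trailing 'e' (but keeping '-le')."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return 0
    groups = len(re.findall(r"[aeiouy]+", word))
    if groups > 1 and word.endswith("e") and not word.endswith("le"):
        groups -= 1
    return max(groups, 1)


def text_stats(text: str) -> dict:
    """Sentence, word and syllable counts for a passage."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    return {
        "sentences": len(sentences),
        "words": len(words),
        "syllables": sum(count_syllables(w) for w in words),
    }


def flesch_reading_ease(stats: dict) -> float:
    # 206.835 - 1.015 * (words per sentence) - 84.6 * (syllables per word)
    wps = stats["words"] / stats["sentences"]
    spw = stats["syllables"] / stats["words"]
    return 206.835 - 1.015 * wps - 84.6 * spw


def flesch_kincaid_grade(stats: dict) -> float:
    # 0.39 * (words per sentence) + 11.8 * (syllables per word) - 15.59
    wps = stats["words"] / stats["sentences"]
    spw = stats["syllables"] / stats["words"]
    return 0.39 * wps + 11.8 * spw - 15.59


FRE_TARGET = (60.0, 70.0)   # recommended Reading Ease range for corporate documents
FKGL_TARGET = (7.0, 8.0)    # recommended Grade Level range for corporate documents


def assess(text: str) -> dict:
    """Score a passage and say where it sits relative to the targets."""
    stats = text_stats(text)
    if not stats["sentences"] or not stats["words"]:
        raise ValueError("text contains no scorable sentences")
    fre = flesch_reading_ease(stats)
    fkgl = flesch_kincaid_grade(stats)
    if fre < FRE_TARGET[0] or fkgl > FKGL_TARGET[1]:
        verdict = "harder than target: shorten sentences or use simpler words"
    elif fre > FRE_TARGET[1] or fkgl < FKGL_TARGET[0]:
        verdict = "easier than target"
    else:
        verdict = "within target"
    return {**stats, "fre": fre, "fkgl": fkgl, "verdict": verdict}


# Constructed policy passages (not from any real policy document).
PLAIN = ("All users must lock their screens when they leave their desks. "
         "Report lost devices to the help desk at once.")
DENSE = ("Personnel are responsible for ensuring that organizational information "
         "assets are protected in accordance with applicable regulatory standards.")


if __name__ == "__main__":
    for label, passage in (("plain", PLAIN), ("dense", DENSE)):
        r = assess(passage)
        print(f"{label}: {r['words']} words, {r['sentences']} sentence(s), "
              f"FRE={r['fre']:.1f}, FKGL={r['fkgl']:.1f} -> {r['verdict']}")
```

The plain passage (20 words over two sentences, 24 syllables) scores well above the 60 to 70 target, while the single 17-word, 45-syllable sentence scores far below it with a grade level over 20, which is the pattern a reviewer should expect from the “personnel are responsible for ensuring” style of drafting. Scores from Word or other tools will differ by a few points because of their syllable rules, so the check is useful for ranking drafts and catching outliers rather than for hitting an exact number.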
III. Classify the use of assessments to gauge how well employees comprehend the underlying issues. Quizzes and other forms of examination can be used to assess quantitatively which employees understand the policy, by earning a minimum score (e.g., 70 percent), and which employees require additional training and awareness efforts before the policy can be enforced.
Policy Compliance
I. Record that an employee must agree to the policies developed within an organization by act or affirmation.
II. Emphasize that through direct collection of a signature, or its digital equivalent, the organization can prove that it has obtained agreement to comply with policy, which also demonstrates that the previous conditions have been met.
III. Give an example of what may happen when an employee refuses to agree to comply with a policy. In most cases, the employee will be terminated. However, organizations can avoid this dilemma by incorporating policy confirmation statements into employment contracts, annual evaluations, or other documents necessary for the individual’s continued employment.
Policy Enforcement
I. Recognize that the final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings (for example, in a civil suit contending wrongful termination), organizations must establish high standards of due care about policy management.
II. Consequently, state that if an employee who is punished, censured, or dismissed for refusing to follow policy is subsequently able to demonstrate that the policies are not uniformly applied or enforced, the organization may find itself facing punitive as well as compensatory damages.
Policy Development and Implementation Using the SDLC I.
Apply the concept of the systems development life cycle (SDLC) to creating policies.
II.
Outline information and processes that the policy development team should obtain in each of the five phases, as arranged below: •
Investigation Phase: o
Support from senior management because any project without it has a reduced chance of success. Only with the support of top management will a specific policy receive the attention it deserves from the intermediate-level managers who must implement it and from the users who must comply with it.
o
Support and active involvement of IT management, specifically the CIO. Only with the CIO’s active support will technology-area managers be motivated to participate in policy development and support the implementation efforts to deploy it once created.
o
Clear articulation of goals. Without a detailed and succinct expression of the goals and objectives of the policy, broken into distinct expectations, the policy will lack the structure it needs to obtain full implementation.
o
Participation of the correct individuals from the communities of interest affected by the recommended policies. Assembling the right team, by ensuring the participation of the proper representatives from the groups that will be affected by the new policies, is very important. The team must
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
21
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 3: Information Security Management
include representatives from the legal department, the human resources department, and end users of the various IT systems covered by the policies, as well as a project champion with sufficient stature and prestige to accomplish the goals of the project and a capable project manager to see the project through to completion. o •
A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project.
Analysis Phase: o
A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization. This risk assessment should include any loss history, as well as past lawsuits, grievances, or other records of negative outcomes from InfoSec areas.
o
The gathering of key reference materials, including any existing policies. Sometimes policy documents that affect InfoSec will be housed in the human resources department as well as the accounting, finance, legal, or corporate security departments.
o
The policy development committee must determine the fundamental philosophy of the organization when it comes to policy. This will dictate the general development of all policies, but in particular, the format to be used in the crafting of all ISSPs. This philosophy typically falls into one of two groups: 1. “That which is not permitted is prohibited.” Also known as the “whitelist” approach, this is the more restrictive of the two, and focuses on creating an approach where specific authorization is provided for various actions and behaviors; all other actions and behaviors (and uses) are prohibited or at least require specific permissions. This approach can impede normal business operations if appropriate options emerge but cannot be incorporated into policy until subsequent revisions are made. 2. “That which is not prohibited is permitted.” Also known as the “blacklist” approach, this alternate approach specifies what actions, behaviors, and uses are prohibited and then allows all others by default. While easier to implement, this approach can result in issues as more and more areas that should be prohibited are discovered by users.
•
Design Phase:
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
22
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 3: Information Security Management
o Note that this is the first task in the design phase: drafting the actual document. Most often this is done by a single author, but it can sometimes be a committee. The following resources are often available:
1. The Web: You can search for other similar policies. The point here is not to advocate wholesale copying of these policies but to encourage you to look for ideas for your own policy. For example, dozens of policies available on the Web describe fair and responsible use of various technologies. What you may not find, however, are policies that relate to sensitive internal documents or processes.
2. Government sites: Sites such as http://csrc.nist.gov contain numerous sample policies and policy support documents, including SP 800-100, “Information Security Handbook: A Guide for Managers.” While these policies are typically applicable to federal government Web sites, you may be able to adapt some sections to meet your organization’s needs.
3. Professional literature: Several authors have published books on the subject. Of particular note is Charles Cresson Wood’s Information Security Policies Made Easy series, which not only provides more than 1,000 pages of policies but also makes those policies available in electronic format, complete with permission to use them in internal documents. Exercise caution when using such resources, however; it is extremely easy to take large sections of policy and end up with a massive, unwieldy document that is neither publishable nor enforceable.
4. Peer networks: Other InfoSec professionals must write similar policies and implement similar plans. Attend meetings like those offered by the Information Systems Security Association (www.issa.org) or the Information Systems Audit and Control Association (www.isaca.org) and ask your peers.
5. Professional consultants: Policy is one area of InfoSec that can certainly be developed in-house. However, if your organization does not have the requisite expertise, or if your team simply cannot find the time to develop its own policy, then hiring an outside consultant may be your best option. Keep in mind that no consultant can know your organization as well as you do; you may decide to have the consultant design generic policies that you can then adapt to your specific needs.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
o After the document is drafted and has committee approval, it is sent to the approving manager or executive for sign-off.
Implementation Phase:
o This is the step during which the team must create a strategic plan to distribute the policies and verify their distribution. In most cases, the simplest way to document acknowledgment of a written policy is to attach a cover sheet that states “I have received, read, understood, and agreed to this policy.” The employee’s signature and date provide a paper trail of his or her receipt of the policy.
o Emphasize that a stronger form of acknowledgment requires personnel to take a quiz that tests their knowledge of the policy.
o This phase should also make use of any automated tool adopted for the creation and management of policy documents, and should include revisions to the feasibility analysis reports based on the improved cost and benefit estimates that become available as the designs are clarified.
Maintenance Phase:
o This is when the policy team monitors, maintains, and modifies existing policies and procedures.
o Options should be available for personnel to anonymously report issues or problems with published policies. This helps ensure uniform policy development and enforcement.
Policy Management
I. Describe the purpose of policy management and stress that policies are living documents that must be managed and nurtured, as they constantly change and grow. These documents must be properly disseminated and managed.
II. Assess situations in which special considerations should be made. Give examples such as organizations undergoing mergers, takeovers, and partnerships.
III. Relate that viable security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date.
Responsible Manager
I. Detail that a policy administrator is the person responsible for the creation, revision, distribution, and storage of a policy in an organization.
II. Stress that this person does not need expert knowledge of the technologies involved; policy administration requires only a moderate technical background.
III. The policy administrator must be clearly identified in the policy document as the primary point of contact for additional information or suggested revisions to the policy.
Schedule of Reviews
I. Establish that policies can be effective only if they are kept current. Hence, an organization must actively seek to meet the requirements of the market in which it operates.
II. Justify that an annual policy review is a minimum baseline, but it is up to leadership to determine whether reviews need to be more frequent.
Review Procedures and Practices
I. Explain that to facilitate policy reviews, the policy manager should implement a mechanism by which people can comfortably make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box.
II. Assess the benefits of using automation, which can streamline the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved, and tracking when employees have read the policy.
Policy, Review, and Revision Dates
I. Comment that the simple omission of a date on a policy can cause mass confusion for an organization.
II. Stress that without dates, it will be nearly impossible to determine which version of a policy is the most current or, if a past version needs to be referenced, which one that is.
III. Emphasize that some policies may need a sunset clause that contains an expiration date.
Automated Policy Management
I. Explain that this is a new practice in the workplace, which can assist with some of the busywork policy managers have to deal with.
II. Outline that automation streamlines the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved, and tracking when employees have read the policy.
III. Point out to students that the benefits achievable through automation include being able to train staff through computer-based training (CBT) and increased awareness of policies and procedures, among others.
Security Education, Training, and Awareness Program (3.4, PPT Slides 31–36)
I. Explain that as soon as the policies outlining the general security policy have been drafted, policies to implement security education, training, and awareness (SETA) programs in the organization should follow.
II. Describe the SETA program, which is a control measure designed to reduce the incidence of accidental security breaches by employees. SETA programs are designed to supplement the general education and training programs that many organizations have in place to educate staff on information security.
III. Identify that the SETA program consists of three elements: security education, security training, and security awareness.
IV. Present that the purpose of SETA is to enhance security in the following three ways:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more securely
• Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
V. Recommend students review Table 3-4, as it provides a comparative framework of SETA that can be applied to in-class discussions and potential projects.
Security Education
I. Emphasize that everyone in an organization needs to be trained in and aware of information security, but not every member of the organization needs a formal degree or certificate in information security.
II. Discuss that when formal education in security is needed for appropriate individuals, an employee, with the support of management, can identify curriculum available from local institutions of higher learning or continuing education.
Security Training
I. Relate how security training involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely.
II. Present how management of information security can develop customized in-house training or outsource the training program. In-house training is beneficial because it is specific to the organization, although it will likely need to be adjusted as the material changes.
Security Awareness
I. Stress that a security awareness program is one of the least frequently implemented but most beneficial programs in an organization.
II. Explain that a security awareness program is designed to keep information security at the forefront of users’ minds as they work daily. This also helps stimulate them to care about security.
III. Establish that if the program is not actively implemented, employees begin to “tune out,” and the risk of employee accidents and failures increases.
Information Security Blueprint, Models, and Frameworks (3.5, PPT Slides 39–52 and 55–58)
I. State how the security blueprint is the basis for the design, selection, and implementation of all security program elements.
II. Explain that the blueprint builds on top of the organization’s information security policies and that it is a scalable, upgradeable, comprehensive plan to meet the organization’s current and future information security needs.
III. Discuss how the blueprint is a detailed version of the information security framework, which is an outline of the overall information security strategy for the organization and a roadmap for planned changes to its information security environment.
IV. Summarize that one approach to selecting a methodology is to adapt or adopt a published model, or framework, for information security.
The ISO 27000 Series
I. Explain that one of the most widely referenced and often discussed security models is the Information Technology—Code of Practice for Information Security Management, which was originally published as the British Standard BS7799.
II. Outline that in 2000, this code of practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799. Further explain that it was renamed ISO 27002 in 2007 to align it with ISO 27001.
III. Discuss and present the core sections of ISO/IEC 27002:2013, as outlined in Table 3-5 in the textbook.
IV. Evaluate Figure 3-9 and the core steps and deliverables that make up the ISO/IEC 27001:2013 process.
NIST Security Models
I. Reference the alternative approach mentioned in the textbook: the Computer Security Resource Center of the National Institute of Standards and Technology (http://csrc.nist.gov) provides numerous documents for reference.
II. Emphasize that NIST documents are publicly available at no charge and have been available for some time. They have been broadly reviewed by government and industry professionals, and they are among the references cited by the federal government when it decided not to select the ISO/IEC 17799 standards.
III. Explain how SP 800-12, “An Introduction to Computer Security,” is an excellent reference and guide for the security manager or administrator in the routine management of information security.
IV. Describe SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems,” which provides best practices and security principles that can direct the security team in the development of a security blueprint.
V. List the following NIST documents that can assist in the design of a security framework:
• SP 800-12, Rev. 1: “An Introduction to Information Security”
• SP 800-18, Rev. 1: “Guide for Developing Security Plans for Federal Information Systems”
• SP 800-30, Rev. 1: “Guide for Conducting Risk Assessments”
• SP 800-37, Rev. 2: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”
• SP 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”
• SP 800-50: “Building an Information Technology Security Awareness and Training Program”
• SP 800-55, Rev. 1: “Performance Measurement Guide for Information Security”
• SP 800-100: “Information Security Handbook: A Guide for Managers”
NIST SP 800-12
I. Recognize that this is an excellent reference and guide for a security manager or administrator in the routine management of information security.
II. Stress that it, however, provides little guidance for the design and implementation of new security systems, and therefore should be used only as a precursor to understanding an information security blueprint.
NIST SP 800-14
I. Present that this provides the best practices and security principles that can direct the security team in the development of a security blueprint.
II. Assess and discuss the philosophical principles that the security team should integrate into the entire security process, as described below:
• Security supports the organization.
• Security is an integral element of sound management.
• Security should be cost-effective.
• Systems owners have security responsibilities outside their own organizations.
• Security responsibilities and accountability should be made explicit.
• Security requires a comprehensive and integrated approach.
• Security should be periodically assessed.
• Security is constrained by societal factors.
NIST SP 800-18, Rev. 1
I. State that this document can be used for a comprehensive security blueprint and framework. It can also be a useful guide to the activities described in this module and an aid in the planning process. It also includes templates for major application security plans.
II. Stress that a blueprint must be customized to meet the needs of an organization.
NIST and the Risk Management Framework
I. Analyze the following with respect to NIST’s approach to managing risk in the organization. Note that this is discussed in more detail in the next module:
• Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
• Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
• Providing essential information to help senior leaders make decisions about accepting risk to an organization’s operations and assets, individuals, and other organizations arising from the use of information systems
II. Examine the characteristics that are part of the Risk Management Framework (RMF):
• Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring
• Encourages the use of automation to provide senior leaders with necessary information to make cost-effective, risk-based decisions about information systems that support an organization’s core missions and business functions
• Integrates information security into the enterprise architecture and system development life cycle
• Emphasizes the selection, implementation, assessment, and monitoring of security controls and the authorization of information systems
• Links risk management processes at the information system level to risk management processes at the organization level through a risk executive function
• Establishes responsibility and accountability for security controls deployed within an organization’s information systems and inherited by those systems (i.e., common controls)
The NIST Cybersecurity Framework
I. Recognize that in early 2014, NIST published a new Cybersecurity Framework in response to Executive Order 13636 from President Barack Obama. The purpose was to create a voluntary framework that provides an effective approach to “manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.”
II. Describe that the framework was intended to let organizations accomplish five things: “1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; and 5) Communicate among internal and external stakeholders about cybersecurity risk.”
III. Outline and summarize the three fundamental components:
• The framework core: A set of information security activities an organization is expected to perform, as well as their desired results.
• The framework tiers: A self-defined set of four tiers so organizations can relate the maturity of their security programs and implement corresponding measures and functions.
• The framework profile: Organizations are expected to identify which tier their security programs most closely match and then use corresponding recommendations within the framework to improve their programs. This framework profile is then used to perform a gap analysis—comparing the current state of information security and risk management to a desired state, identifying the difference, and developing a plan to move the organization toward the desired state.
IV. Apply the materials provided in the NIST framework to follow a seven-step approach to implementing or improving an organization’s risk management and information security programs. The steps are provided below:
• Step 1: Prioritize and scope: The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process.
• Step 2: Orient: Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.
• Step 3: Create a current profile: The organization develops a current profile by indicating which category and subcategory outcomes from the framework core are currently being achieved.
• Step 4: Conduct a risk assessment: This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization.
• Step 5: Create a target profile: The organization creates a target profile that focuses on the assessment of the framework categories and subcategories describing the organization’s desired cybersecurity outcomes.
• Step 6: Determine, analyze, and prioritize gaps: The organization compares the current profile and the target profile to determine gaps. Next, it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost-benefit analysis, and understanding of risk to achieve the outcomes in the target profile. The organization then determines resources necessary to address the gaps.
• Step 7: Implement action plan: The organization determines which actions to take regarding the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the target profile.
Other Sources of Security Frameworks
I. Review the text, as it lists several professional societies and organizations that have Web sites and resources that can assist with building strong security frameworks.
Design of the Security Architecture
I. Examine the overview of different types of security architectures that can help with blueprint construction, implementation, and maintenance. These include spheres of security, levels of controls, defense in depth, and security perimeters.
Spheres of Security
I. Establish that spheres of security are the core of a security framework. Figure 3-10 illustrates how information is under attack from several sources, both internal and external.
II. Illustrate that the left side of the graphic shows that a layer of protection must exist between each layer of the sphere of use.
III. Relate that there are often three layers to information security implementation: policies, people, and technology. These layers are commonly referred to as PPT. Each layer contains controls and safeguards to protect the information and information system assets that the organization values.
IV. Emphasize before moving forward that policies must be in place and solidified before any technical controls are put in place.
Levels of Controls
I. Summarize that information security safeguards offer three levels of controls: managerial, operational, and technical.
II. Managerial controls are security processes that are designed by strategic planners and implemented by the security administration of the organization. Management controls set the direction and scope of the security process, and they provide detailed instructions for its conduct, while addressing the design and implementation of the security planning process and security program management.
III. Operational controls are management and lower-level planning functions that deal with the operational functionality of security in the organization, such as disaster recovery and incident response planning. Operational controls also address personnel security, physical security, and the protection of production inputs and outputs.
IV. Technical controls are the tactical and technical implementations of security in the organization. Technical controls are the components put in place to protect an organization’s information assets.
V. Compare and contrast the differences between the three levels of controls. Focus on the fact that managerial controls influence the operational and technical controls that must be in place for security to be effective.
Defense in Depth
I. Distinguish that a basic tenet of security architectures is the layered implementation of security. Thus, an organization must establish multiple layers of security controls and safeguards, which can be organized into policy, training and education, and technologies, as shown in the CNSS model presented in the first module.
II. Demonstrate that to achieve defense in depth, an organization must establish multiple layers of security controls and safeguards, which can be organized into policy, training and education, and technology.
III. Recall that while policy may not prevent attacks, it prepares the organization to handle them, and coupled with other layers, it can deter attacks.
IV. Implementing multiple types of technology, and thereby preventing the failure of one system from compromising the security of information, is referred to as redundancy.
Security Perimeter
I. Describe the purpose of a security perimeter. This is the boundary between the outer limit of an organization’s security and the beginning of the outside world. It is the level of security that protects all internal systems from outside threats.
II. Relate that the security perimeter does not protect against internal attacks from employee threats or on-site physical threats.
III. Explain that the key components of the security perimeter are firewalls, DMZs, proxy servers, and IDPSs.
Quick Quiz 2
1. Which of the following terms best describes a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls?
a. blueprint
b. the NIST handbook
c. information security framework
d. security plan
Answer: c
2. Which document is an excellent reference for security managers involved in the routine management of information security?
a. SP 800-12, “An Introduction to Computer Security”
b. SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology”
c. SP-800-30 Rev. 1: “Guide for Conducting Risk Assessments”
d. SP-800-50: “Building an Information Technology Security Awareness and Training Program”
Answer: a
3. True or False: SP 800-18, “Guide for Developing Security Plans for Federal Information Systems,” is considered the foundation for a comprehensive security blueprint and framework.
Answer: True
4. As indicated earlier, one of the foundations of security architectures is the requirement to implement security in layers. This layered approach is referred to as which of the following?
a. framework
b. security perimeter
c. security domain
d. defense in depth
Answer: d
5. Which of the following defines the edge between the outer limit of an organization’s security and the beginning of the outside world?
a. framework
b. security perimeter
c. security domain
d. defense in depth
Answer: b
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. There are several management functions that apply to information security. Have the class discuss which of those outlined were the most important and least important, and why. (3.1, PPT Slides 3–12) Duration 15 minutes.
2. Keeping policy current is critical. Have the class discuss how policy needs to be updated to accommodate current events. (3.4, 3.5, PPT Slides 39–52 and 55–58) Duration 15 minutes.
3. Enact a discussion with students in the course with respect to management figures and their roles in policy development. Should a CEO be involved in policy development, or should they take a hands-off approach? Divide the course into two camps: one that supports the CEO being a part of it and the other that does not. (3.5, PPT Slides #15, 18–36, and 39–52) Duration 15 minutes.
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Create a portable AV scanner using a USB storage device.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Engage students to search the Web for examples of technology-specific security policies. What types of technology are being controlled?
2. Direct students to go to the library, find a journal or magazine article on defense in depth, and write a short summary to share with the class.
Additional Resources
Cengage Video Resources
• MindTap Video: Governance
• MindTap Video: Information Security Policy

Internet Resources
• A Guide to Security Metrics
• COBIT Framework for IT Governance and Control
• ITIL
• Information Security Governance
• Strategic Planning (in a nonprofit and for-profit organization)
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.

Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 4: Risk Management
Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 4: Risk Management
Table of Contents
Purpose and Perspective of the Module ... 2
Cengage Supplements ... 2
Module Objectives ... 2
Complete List of Module Activities and Assessments ... 2
Key Terms ... 3
What's New in This Module ... 5
Module Outline ... 6
Discussion Questions ... 24
Suggested Usage for Lab Activities ... 25
Additional Activities and Assignments ... 27
Additional Resources ... 27
  Cengage Video Resources ... 27
  Internet Resources ... 27
Appendix ... 28
  Grading Rubrics ... 28
Purpose and Perspective of the Module
The purpose of this module is to examine the processes necessary to undertake formal risk management activities in the organization. Risk management is the process of identifying, assessing, and reducing risk to an acceptable level and implementing effective control measures to maintain that level of risk. This is done with a number of processes from risk analysis through various types of feasibility analyses, including quantitative and qualitative assessment measures and evaluation of security controls.

Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
4.1 Define risk management and describe its importance.
4.2 Explain the risk management framework and process model, including major components.
4.3 Define risk appetite and explain how it relates to residual risk.
4.4 Describe how risk is identified and documented.
4.5 Discuss how risk is assessed based on likelihood and impact.
4.6 Describe various options for a risk treatment strategy.
4.7 Discuss conceptual frameworks for evaluating risk controls and formulating a cost-benefit analysis.
4.8 Compare and contrast the dominant risk management methodologies.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.
• Knowledge Check Activity 1 (objectives 4.1 and 4.2; PPT slides 7–8): 2 minutes
• Knowledge Check Activity 2 (objectives 4.3–4.5; PPT slides 29–30): 2 minutes
• Knowledge Check Activity 3 (objectives 4.3–4.5; PPT slides 61–62): 2 minutes
• Self-Assessment (objectives 4.1–4.8; PPT slide 86): 5 minutes
• Module 04 Review Questions (MindTap): 30–40 minutes
• Module 04 Case Exercises (MindTap): 30 minutes
• Module 04 Exercises (MindTap): 10–30 minutes per question; 1+ hour per module
• Module 04 Security for Life (MindTap): 1+ hour
• Module 04 Quiz (MindTap): 10–15 minutes
Key Terms
In order of use:
risk management: The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
risk assessment: The identification, analysis, and evaluation of risk as initial parts of risk management.
risk treatment: The application of safeguards or controls to reduce the risks of an organization’s information assets to an acceptable level.
risk control: See risk treatment.
RM framework: The overall structure of the strategic planning and design for the entirety of the organization’s RM efforts.
RM process: The identification, analysis, evaluation, and treatment of risk to information assets, as specified in the RM framework.
risk management (RM) plan: A document that contains specifications for the implementation and conduct of RM efforts.
residual risk: The risk to information assets that remains even after current controls have been applied.
risk appetite: The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
risk tolerance: The assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization’s overall risk appetite.
risk threshold: See risk tolerance.
zero-tolerance risk exposure: An extreme level of risk tolerance whereby the organization is unwilling to allow any successful attacks or suffer any loss to an information asset.
risk appetite statement: A formal document developed by the organization that specifies its overall willingness to accept risk to its information assets, based on a synthesis of individual risk tolerances.
risk identification: The recognition, enumeration, and documentation of risks to an organization’s information assets.
data classification scheme: A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
threat assessment: An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.
risk analysis: A determination of the extent to which an organization’s information assets are exposed to risk.
likelihood: The probability that a specific vulnerability within an organization will be attacked by a threat.
impact: An understanding of the potential consequences of a successful attack on an information asset by a threat.
uncertainty: The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes.
risk evaluation: The process of comparing an information asset’s risk rating to the numerical representation of the organization’s risk appetite or risk threshold to determine if risk treatment is required.
mitigation risk treatment strategy: The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of a successful attack on an information asset, also known as the defense strategy.
risk defense: See mitigation risk treatment strategy.
risk mitigation: See mitigation risk treatment strategy.
transference risk treatment strategy: The risk treatment strategy that attempts to shift risk to other assets, processes, or organizations.
risk sharing: See transference risk treatment strategy.
risk transfer: See transference risk treatment strategy.
acceptance risk treatment strategy: The risk treatment strategy that indicates the organization is willing to accept the current level of residual risk, and as a result, the organization makes a conscious decision to do nothing else to protect an information asset from risk and to “live with” the outcome from any resulting exploitation.
risk acceptance: See acceptance risk treatment strategy.
termination risk treatment strategy: The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service.
risk avoidance: See termination risk treatment strategy.
risk termination: See termination risk treatment strategy.
process communications: The necessary information flow within and between the governance group, RM framework team, and RM process team during the implementation of RM.
process monitoring and review: The data collection and feedback associated with performance measures used during the conduct of the process.
cost avoidance: The financial savings from using the mitigation risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.
cost-benefit analysis (CBA): The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, also known as an economic feasibility study.
asset valuation: The process of assigning financial value or worth to each information asset.
single loss expectancy (SLE): In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact); the SLE is the product of the asset’s value and the exposure factor.
annualized rate of occurrence (ARO): In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
annualized loss expectancy (ALE): In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy.
What's New in This Module
The following elements are improvements in this module from the previous edition:
● This Module was Chapter 5 in the 6th edition.
● Risk Management methodology has been updated to reflect the ISO model.
● Module content has been refined and restructured.
● Module has been updated to include new NIST SP content.
Module Outline
Introduction to Risk Management (4.1, PPT Slides 3 and 4)
I. Emphasize how, as aspiring information security professionals, your students will have a key role to play in risk management.
II. Remind your students that the IT community must serve the information technology needs of the broader organization, and at the same time, leverage the special skills and insights of the information security community.
III. Explain how the information security team must lead the way with skill, professionalism, and flexibility as it works with the other communities of interest to appropriately balance the usefulness and security of the information system.
IV. Discuss how, in the past, an organization could establish a competitive business model, method, or technique to provide a product or service that was superior and create a competitive advantage.
V. Explain that in order to keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain the confidentiality, privacy, and integrity of organizational data.

Sun Tzu and the Art of Risk Management
I. Explain how risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization’s information system.
II. Emphasize how risk management requires three major undertakings: risk identification, risk assessment, and risk control.
III. Define risk identification, which is the process of examining and documenting the security posture of an organization’s information technology and the risks it faces.
IV. Define risk control, which is the application of controls that reduce the risks to an organization’s information systems.

Know Yourself
I. Emphasize how we must first know ourselves by identifying, examining, and understanding the information and systems currently in place.
II. Explain how, in order to protect our assets, defined here as the systems that use, store, and transmit information, we have to understand everything about the information.
III. Note that the policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure they remain effective.

Know the Enemy
I. Emphasize how, for information security, knowing the enemy means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization’s information assets.
II. Discuss how we can use our understanding of these aspects to create a list of threats prioritized by importance to the organization.

The Risk Management Framework (4.2, PPT Slides 5–6 and 9–12)
I. Explain how to identify the risk.
II. Explain how to determine the current level of risk (risk analysis).
III. Discuss how to determine if the current level of risk is acceptable (risk evaluation).
IV. Determine how to treat the risk to bring it to an acceptable level.

The Roles of the Communities of Interest
I. Explain how each community of interest must manage the risks the organization encounters.
II. Explain how information security understands the threats and attacks that introduce risk into the organization, so it often takes a leadership role.
III. Explain how management and users play a part in the early detection and response process and ensure that sufficient resources are allocated.
IV. Explain how the information technology community assists in building secure systems and operating them safely.
V. Emphasize how general management, IT management, and information security management are collectively accountable for identifying and classifying all levels of risk.
VI. Explain that the three communities of interest are also responsible for the following:
a. Evaluating current and proposed risk controls
b. Determining which control options are cost effective for the organization
c. Acquiring or installing the needed controls
d. Ensuring that the controls remain effective

Quick Quiz 1
1. Risk identification is performed within a larger process of identifying and justifying risk controls that is called which of the following?
a. risk assessment
b. risk management
c. risk control
d. risk identification
Answer: c
2. The application of controls that reduce the risks to an organization’s information assets to an acceptable level is known as which of the following?
a. risk assessment
b. risk management
c. risk control
d. risk identification
Answer: c
3. For information security purposes, which of the following terms is used to describe the systems that use, store, and transmit information?
a. inventory
b. threats
c. controls
d. assets
Answer: d
4. True or False: The information technology community of interest must assist in risk management by configuring and operating information systems in a secure fashion.
Answer: True
5. True or False: The information technology community of interest must ensure sufficient resources are allocated to the risk management process.
Answer: False

The RM Policy
I. Explain that the RM policy is a strategic document that formalizes much of the intent of the governance group.
II. Explain that the RM policy must include purpose and scope, RM intent and objectives, roles and responsibilities, resource requirements, risk appetite and tolerances, RM program development guidelines, special instructions and revision information, and references to other key policies, plans, standards, and guidelines.

Framework Design
I. Explain that designing the RM program means defining and specifying the details of the tasks to be performed by the framework team and the process team.
II. Understand that the framework team must also formally document and define the organization’s risk appetite and draft the RM plan.

Defining the Organization’s Risk Tolerance and Risk Appetite
I. Explain that the RM Framework team needs to understand and determine residual risk.
II. Document risk appetite.

Framework Implementation
I. Explain how the organization may distribute the plan to managers for a desk check prior to deployment.
II. Understand that the organization could pilot-test the plan and use a phased approach to implement the plan.
III. Understand that the RM framework team should carefully monitor, communicate, and review the implementation plan.

Framework Monitoring and Review
I. Introduce that the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the success of the framework planning.
II. Understand that the framework team is concerned with the oversight of the RM framework and plan.

The Risk Management Process (4.3–4.5, PPT Slides 13–28 and 31–54)
I. Introduce how to establish the context, which includes understanding the organization’s internal and external operating environments and other factors that could impact the RM process.
II. Identify the risk:
a. Create an inventory of information assets.
b. Classify and organize assets meaningfully.
c. Assign a value to each information asset.
d. Identify threats to the cataloged assets.
e. Pinpoint vulnerable assets by tying specific threats to specific assets.
III. Analyze the risk:
a. Determine the likelihood that vulnerable systems will be attacked.
b. Assess the relative risk facing the organization’s information assets.
c. Calculate the risks to which assets are exposed.
d. Look at controls that might come into play for identified vulnerabilities and how to control those risks.
e. Document and report the findings of risk identification and assessment.
IV. Evaluate the risk by comparing identified uncontrolled risks against the risk appetite.
V. Treat the unacceptable risk.
VI. Discuss summarizing the findings and stating the conclusions of the investigation.
VII. Explain how a risk management strategy calls on information security professionals to identify, classify, and prioritize their organizations’ information assets.
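As an added example that is not code from the textbook or this instructor manual, the Python below carries the quantities defined under Key Terms (asset value, SLE, ARO, ALE, cost avoidance, CBA) through the evaluate and treat steps listed above, for one asset/threat pair and two candidate controls. The relation CBA = ALE(prior) - ALE(post) - ACS (ACS being the annualized cost of the safeguard), the `Exposure`/`Control` names and every dollar value and rate are assumptions of this example.

```python
"""Quantitative risk evaluation and cost-benefit analysis (CBA).

Added example; it is not code from the textbook or instructor manual. It
carries the Key Terms of this module (asset value, SLE, ARO, ALE, cost
avoidance, CBA) through the evaluate and treat steps of the RM process.
Assumptions: the CBA relation CBA = ALE(prior) - ALE(post) - ACS, with ACS the
annualized cost of the safeguard, and the Exposure/Control names below; every
dollar value and rate is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair from a TVA worksheet, before any new control."""
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one successful attack
    aro: float              # expected attacks per year


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the exposure expected once it is in place."""
    name: str
    annual_cost: float          # ACS, dollars per year
    new_exposure_factor: float
    new_aro: float


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: the most likely loss from a single successful attack."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the expected loss per year."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def ale_prior(exp: Exposure) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(exp.asset_value, exp.exposure_factor), exp.aro)


def ale_post(exp: Exposure, ctl: Control) -> float:
    """Residual annual loss once the control is applied."""
    return annualized_loss_expectancy(
        single_loss_expectancy(exp.asset_value, ctl.new_exposure_factor), ctl.new_aro)


def cost_benefit(exp: Exposure, ctl: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for
    itself through cost avoidance."""
    return ale_prior(exp) - ale_post(exp, ctl) - ctl.annual_cost


def evaluate(exp: Exposure, risk_threshold: float, candidates: list[Control]) -> dict:
    """Risk evaluation and treatment choice for one exposure.

    The risk threshold is the organization's appetite expressed as the largest
    ALE (dollars per year) it will live with for this asset.  If the prior ALE
    is within it, the risk is accepted.  Otherwise the candidate with the best
    positive CBA whose residual ALE meets the threshold is chosen (mitigation).
    If none qualifies, the decision is escalated: transference or termination
    must be considered rather than silently accepting the excess risk.
    """
    prior = ale_prior(exp)
    if prior <= risk_threshold:
        return {"treatment": "accept", "ale_prior": prior, "control": None}
    best = None
    for ctl in candidates:
        post, cba = ale_post(exp, ctl), cost_benefit(exp, ctl)
        if post <= risk_threshold and cba > 0.0 and (best is None or cba > best["cba"]):
            best = {"treatment": "mitigate", "ale_prior": prior,
                    "control": ctl.name, "ale_post": post, "cba": cba}
    return best or {"treatment": "escalate", "ale_prior": prior, "control": None}


# Constructed sample data (exact binary fractions keep the arithmetic exact).
SAMPLE_EXPOSURE = Exposure("customer database", "ransomware",
                           asset_value=500_000.0, exposure_factor=0.5, aro=0.25)
SAMPLE_CONTROLS = [
    Control("offline backups", annual_cost=20_000.0, new_exposure_factor=0.125, new_aro=0.25),
    Control("endpoint detection", annual_cost=50_000.0, new_exposure_factor=0.5, new_aro=0.0625),
]

if __name__ == "__main__":
    for ctl in SAMPLE_CONTROLS:
        print(f"{ctl.name}: ALE(post) = {ale_post(SAMPLE_EXPOSURE, ctl):,.0f}, "
              f"CBA = {cost_benefit(SAMPLE_EXPOSURE, ctl):,.0f}")
    print(evaluate(SAMPLE_EXPOSURE, risk_threshold=20_000.0, candidates=SAMPLE_CONTROLS))
```

With the sample data the prior ALE is 62,500 per year; offline backups bring it to 15,625 with a CBA of 26,875, while endpoint detection reaches the same residual ALE but its CBA is negative, so the evaluation selects the backups.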
RM Process Preparation – Establishing the Context
I. Introduce the RM process as preparing for the risk process by performing the following tasks:
• Identify the purpose of the assessment.
• Identify the scope of the assessment.
• Identify the assumptions and constraints associated with the assessment.
• Identify the sources of information to be used as inputs to the assessment.
• Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment.

External Context
I. Understand that the external context means understanding the impact the following external factors could have on the RM process, its goals, and its objectives:
• The business environment and its customers, suppliers, and competitors.
• The legal/regulatory/compliance environment: laws, regulations, industry standards.
• The threat environment: threats, known vulnerabilities, attack vectors.
• The support environment: government agencies like NIST and DHS, professional associations like ISSA, and service agencies such as SecurityFocus.
• Perhaps other factors known to the subject-matter experts that make up the team.

Internal Context
I. Understand the internal factors that could impact or influence the RM process:
• The organization’s governance structure (or lack thereof).
• The organization’s internal stakeholders.
• The organization’s culture.
• The maturity of the organization’s information security program.
• The organization’s experience in policy, planning, and risk management in general.

Risk Assessment: Risk Identification
I. Understand that risk identification begins with the process of self-examination.

Identification of Information Assets
I. Describe the iterative process, which begins with the identification of assets, including all of the following elements of an organization’s system: people, procedures, data, software, hardware, and networking components.
II. Discuss the identification of people, procedures, and data assets. Identifying human resources, documentation, and data information is more difficult than identifying hardware and software assets.
• As the people, procedures, and data assets are identified, they should be recorded using a reliable data-handling process.
III. Explain that when deciding which information assets to track, consider the following asset attributes:
• People: Position name/number/ID (try to avoid names and stick to identifying positions, roles, or functions); supervisor; security clearance level; special skills
• Procedures: Description; intended purpose; relationship to software, hardware, and networking elements; storage location for reference; storage location for update
• Data: Classification; owner, creator, and manager; size of data structure; data structure used (sequential or relational); online or offline; location; backup procedures employed
IV. Describe the identification of hardware, software, and network assets.
• Depending on the needs of the organization and its risk management efforts, as well as the preferences and needs of the management of the information security and information technology communities, when deciding which information assets to track, you may want to consider including these asset attributes:
  o Name
  o IP address
  o MAC address
  o Element type
    ▪ DeviceClass = S (server)
    ▪ DeviceOS = W2K (Windows 2000)
    ▪ DeviceCapacity = AS (advanced server)
  o Serial number
  o Manufacturer’s name
  o Manufacturer’s model number or part number
  o Software version, update revision, or FCO number
  o Physical location
  o Logical location
  o Controlling entity
V. Discuss automated risk identification tools.
• Automated tools can sometimes identify the system elements that make up the hardware, software, and network components.
• Once stored, typically in a database or in a form that can be exported to a database, the inventory list must be kept current by using a tool that periodically refreshes the data.
• In the later steps of risk management, which require involved calculations, the case is strong for the use of automated risk management tools for tracking information assets. At this point in the process, however, simple word-processing, spreadsheet, and database tools can provide adequate record keeping.
VI. When discussing asset categorization, point out the several new subdivisions of risk management categorizations.
Prioritizing (Rank-Ordering) Information Assets
I. Define data classification schemes as a formal access control methodology used to assign a level of confidentiality to an information asset, restricting the number of people who can access it.
II. Point out examples of data classification categories: confidential, internal, and public. Mention that any classification method must be specific enough to enable determination of priority levels.
III. Discuss data classification and management.
• Corporate and military organizations use a variety of data classification schemes.
• The typical information classification scheme has three categories:
  o Confidential: Used for corporate information that must be tightly controlled, even within the company. Access to this information is strictly on a need-to-know basis or as required by the terms of a contract.
  o Internal: Used for internal information that does not meet the criteria for the confidential category. It is to be viewed only by corporate employees, authorized contractors, and other third parties.
  o External: This includes all information that has been approved by management for public release.
• Many developments in data communications and information security are the result of government-sponsored research. For most information, the government uses a three-level classification scheme: Confidential, Secret, and Top Secret.
• Federal agencies such as the FBI and CIA also use specialty classification schemes, like Need-to-Know and Named Projects.
• Most organizations do not need the detailed level of classification used by the military or federal agencies.
IV. Describe security clearances.
• The other side of the data classification scheme is the personnel security clearance structure. For each user of data in the organization, a single level of authorization must be assigned that indicates the level of classification he or she is authorized to view.
• Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know standard. This extra level of protection ensures that the confidentiality of information is properly maintained.
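As an added example, not code from the textbook or this instructor manual, the Python below models the classification and clearance scheme described above: one classification level per information asset, a single clearance level per user, and need-to-know expressed as named projects. The level names are the three-category corporate scheme from this module; the users, assets, project names and the `decide`/`marking`/`access_review` functions are assumptions of this example.

```python
"""Data classification with clearance and need-to-know checks.

Added example; it is not code from the textbook or instructor manual. It
models the scheme described above: one classification level per information
asset, exactly one clearance level per user, and a need-to-know requirement
expressed as named projects. The level names are the three-category corporate
scheme from this module (Confidential, Internal, Public); the users, assets
and project names are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered classification levels; a larger value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    projects: frozenset = frozenset()  # named projects that gate need-to-know


@dataclass(frozen=True)
class User:
    name: str
    clearance: Level                   # a single level of authorization
    projects: frozenset = frozenset()  # projects the user has been read into


def decide(user: User, asset: Asset) -> tuple[bool, str]:
    """Return (allowed, reason). The reason is meant for the access log so that
    denials can be reviewed; it never reveals the asset's contents."""
    if asset.level == Level.PUBLIC:
        return True, "public information needs no clearance"
    if user.clearance < asset.level:
        # No read-up: a user may not view anything above his or her clearance.
        return False, f"clearance {user.clearance.name} below {asset.level.name}"
    missing = asset.projects - user.projects
    if missing:
        # Clearance alone is not enough; need-to-know is checked per project.
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    return True, "clearance and need-to-know satisfied"


def may_read(user: User, asset: Asset) -> bool:
    return decide(user, asset)[0]


def marking(asset: Asset) -> str:
    """The label an item must carry: blank for public, otherwise the level and
    any named projects, e.g. 'CONFIDENTIAL // Project Alpha'."""
    if asset.level == Level.PUBLIC:
        return ""
    if asset.projects:
        return f"{asset.level.name} // " + ", ".join(sorted(asset.projects))
    return asset.level.name


def access_review(asset: Asset, users: list[User]) -> list[str]:
    """Names of users who can currently read the asset, sorted so the list is
    stable for periodic review of who holds access to classified data."""
    return sorted(u.name for u in users if may_read(u, asset))


# Constructed sample data.
ALICE = User("alice", Level.CONFIDENTIAL, frozenset({"Project Alpha"}))
BOB = User("bob", Level.INTERNAL)
CAROL = User("carol", Level.CONFIDENTIAL)
PRESS_RELEASE = Asset("press release", Level.PUBLIC)
HANDBOOK = Asset("staff handbook", Level.INTERNAL)
MERGER_MEMO = Asset("merger memo", Level.CONFIDENTIAL, frozenset({"Project Alpha"}))
SALARY_DATA = Asset("salary data", Level.CONFIDENTIAL)

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for asset in (PRESS_RELEASE, HANDBOOK, MERGER_MEMO, SALARY_DATA):
            allowed, why = decide(user, asset)
            print(f"{user.name:6} {asset.name:15} {marking(asset) or '(public)':30} "
                  f"{'ALLOW' if allowed else 'DENY '} {why}")
```

Note that carol holds a Confidential clearance yet is denied the merger memo: clearance sets the ceiling, and the need-to-know check for the named project is applied on top of it.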
V. Discuss the management of classified data. I.
Management of classified data includes its storage, distribution, transportation, and destruction.
II. Information that is not unclassified or public must be clearly marked as such.
Use Figure 5-5 in your explanation. III. When classified data is stored, it must be available only to authorized
individuals. IV. When an individual carries classified information, it should be transported via
inconspicuous means, such as in a locked briefcase or portfolio. V. The clean desk policy requires employees to secure all information in
appropriate storage containers at the end of each day. VI. When copies of classified information are no longer valuable or excessive copies
exist, proper care should be taken to destroy them by means of shredding, burning, or transferring to an authorized document destruction service. •
It is important to enforce policies to ensure that no classified information is disposed of in trash or recycling areas since some individuals would not hesitate to engage in dumpster diving to retrieve information that could embarrass an organization or compromise information security.
Threat Assessment
I. Identify and assess threats for individual organizations.
II. Understand how much danger a threat poses to information assets.
III. Determine how probable and severe a threat is to an organization.
The TVA Worksheet
I. Explain that the TVA worksheet serves as the starting point for the next step in the risk management process: risk assessment. Refer students to the sample TVA spreadsheet in Table 5-8 and discuss how to use the worksheet.
Risk Assessment: Risk Analysis
I. Explain how we can determine the relative risk for each of the vulnerabilities through a process called risk assessment.
II. Discuss risk assessment, which assigns a risk rating or score to each information asset. This score is useful in gauging the relative risk to each vulnerable information asset and in making comparative ratings later in the risk control process.
Mitigation of Applicable Controls
I. Explain how mitigation is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
II. Explain how mitigation begins with early detection of an attack in progress and relies on the ability of the organization to respond quickly, efficiently, and effectively.
III. Discuss the three types of plans in this approach: the incident response plan (IRP), the disaster recovery plan (DRP), and the business continuity plan (BCP).
Determining the Likelihood of a Threat Event
I. Explain how, after identifying and performing the preliminary classification of an organization's information assets, the analysis phase examines the threats facing the organization.
II. Emphasize how each threat must be examined to assess its potential impact on the organization. This is referred to as a threat assessment.
III. Explain how to begin a threat assessment by answering a few questions:
• Which threats present a danger to the organization's assets in the given environment?
• Which threats represent the most danger to the organization's information?
• How much would it cost to recover from a successful attack?
• Which of these threats would require the greatest expenditure to prevent?
IV. Emphasize how answering these questions helps establish a framework for the discussion of threat assessment. An organization's guidelines and/or policies should influence this process and may require the posing of additional questions.
Assessing Potential Impact on Asset Value
I. Explain that after identification of the organization's information assets and documentation of criteria for beginning to assess the threats it faces, review each information asset for each threat it faces and create a list of vulnerabilities.
II. Discuss vulnerabilities, which are specific avenues that threat agents can exploit to attack an information asset.
III. Explain how a list of the organization's assets and their vulnerabilities is created. This process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions. Use Table 5-7 in your explanation.
IV. Define the threats-vulnerabilities-assets (TVA) worksheet as a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
V. Explain that the TVA worksheet serves as the starting point for the next step in the risk management process: risk assessment. Refer students to the sample TVA spreadsheet in Table 5-8 and discuss how to use the worksheet.
Aggregation
I. Explain that organizations may use risk aggregation to roll up several discrete or lower-level risks into a more general or higher-level risk.
II. Explain that organizations may also use risk aggregation to efficiently manage the scope and scale of risk assessments involving multiple information systems and multiple mission/business processes with specified relationships and dependencies among those systems and processes.
Uncertainty
I. For the purpose of relative risk determination, explain that risk equals loss frequency times loss magnitude plus an element of uncertainty. Discuss the risk calculation examples given in the text.
Risk Determination
I. For the purpose of relative risk determination, explain that risk equals loss frequency times loss magnitude plus an element of uncertainty. Discuss the risk calculation examples given in the text.
Risk Evaluation
I. Explain how, for each threat and its associated vulnerabilities that have residual risk, we need to create a ranking of their relative risk levels.
II. Explain that when the organization's risk appetite is less than the asset's residual risk, it must move to the next stage of risk control and look for additional strategies to further reduce the risk.
III. Explain how the goal of this process has been to identify the organization's information assets that have specific vulnerabilities and list them, ranked according to those that most need protection.
IV. Discuss how, in preparing this list, we have collected and preserved a wealth of factual information about the assets, the threats they face, and the vulnerabilities they expose, as well as some information about the controls that are already in place.
V. Describe the final summarized document, which is the ranked vulnerability risk worksheet and contains the following data:
• Asset: Each vulnerable asset.
• Asset relative value: Shows the results for this asset from the weighted factor analysis worksheet.
• Vulnerability: Each uncontrolled vulnerability.
• Loss frequency: The likelihood of the realization of the vulnerability by a threat agent, as noted in the vulnerability analysis step.
• Loss magnitude: The figure calculated from the asset impact multiplied by loss frequency.
VI. Discuss the ranked vulnerability risk worksheet, which is the working document for the next step in the risk management process: assessing and controlling risk.
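The ranked vulnerability risk worksheet described above, worked through in code. This is an added example for instructors and is not material from the textbook or the manual. It applies the page's formula (risk equals loss frequency times loss magnitude plus an element of uncertainty) to a few constructed rows, ranks them, and compares each residual risk against a risk appetite. Two modelling choices are assumptions, not the text's: the loss-magnitude column is taken to be the asset's relative value from the weighted factor analysis worksheet, and the uncertainty element is expressed as a fraction of the computed product.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class WorksheetRow:
    """One row of a ranked vulnerability risk worksheet (constructed sample data)."""
    asset: str
    asset_relative_value: float  # assumed 0-100 score from the weighted factor analysis worksheet
    vulnerability: str           # the uncontrolled vulnerability on this asset
    loss_frequency: float        # assumed 0.0-1.0: likelihood a threat agent realizes the vulnerability
    uncertainty: float           # assumed: analyst's uncertainty as a fraction of the estimate (0.1 = 10%)


def loss_magnitude(row: WorksheetRow) -> float:
    # Assumption: the loss-magnitude column is the asset's relative value (its impact if lost).
    return row.asset_relative_value


def risk_rating(row: WorksheetRow) -> float:
    # Risk = loss frequency x loss magnitude + element of uncertainty.
    # Assumption: the uncertainty element is a fraction of the computed product.
    base = row.loss_frequency * loss_magnitude(row)
    return round(base + base * row.uncertainty, 2)


def rank_worksheet(rows: List[WorksheetRow]) -> List[WorksheetRow]:
    """Return the rows ordered so the vulnerability most in need of control comes first."""
    return sorted(rows, key=risk_rating, reverse=True)


def needs_further_control(row: WorksheetRow, risk_appetite: float) -> bool:
    """True when residual risk exceeds the organization's risk appetite (next stage of risk control)."""
    return risk_rating(row) > risk_appetite


def worksheet_table(rows: List[WorksheetRow]) -> List[dict]:
    """Render the ranked worksheet with the columns the text lists."""
    return [
        {
            "asset": r.asset,
            "asset_relative_value": r.asset_relative_value,
            "vulnerability": r.vulnerability,
            "loss_frequency": r.loss_frequency,
            "loss_magnitude": loss_magnitude(r),
            "risk_rating": risk_rating(r),
        }
        for r in rank_worksheet(rows)
    ]


# Constructed sample rows (not from the text).
SAMPLE_ROWS = [
    WorksheetRow("Customer order database", 100, "Database server missing vendor patches", 0.5, 0.10),
    WorksheetRow("E-mail server", 60, "No outbound content filtering", 0.3, 0.20),
    WorksheetRow("Field laptops", 80, "Unencrypted local drives", 0.1, 0.10),
]

if __name__ == "__main__":
    for line in worksheet_table(SAMPLE_ROWS):
        flag = "REVIEW" if needs_further_control(
            next(r for r in SAMPLE_ROWS if r.asset == line["asset"]), risk_appetite=20.0) else "accept"
        print(f'{line["asset"]:<25} {line["vulnerability"]:<40} risk={line["risk_rating"]:>6} {flag}')
```

With a risk appetite of 20, the first two constructed rows come back flagged for further control and the laptop row does not; changing the uncertainty fraction changes the ratings but, in this sample, not the ranking, which is the point of a relative rather than absolute score.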
Documenting the Results of Risk Assessment
I. Discuss how the results of risk assessment activities can be delivered. There are a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
II. Explain that when the organization is pursuing an overall risk management program, it requires a systematic report that enumerates the opportunities for controlling risk. This report documents a series of proposed controls, each of which has been justified by one or more feasibility or rationalization approaches.
III. Explain how another option is to document the outcome of the control strategy for each information asset-threat pair in an action plan. This action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual.
IV. Remind students that sometimes a risk assessment is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice. The project risk assessment should identify the sources of risk in the finished IT system with suggestions for remedial controls, as well as those risks that might impede the completion of the project.
V. Explain how, when management requires details about a specific risk to the organization, risk assessment may be documented in a topic-specific report. These are usually demand reports that are prepared at the direction of senior management and are focused on a narrow area of information systems operational risk.
Evaluating Risk
I. Discuss the process for evaluating risk.
II. Explain that evaluating risk requires extensive input from the RM process team, along with recommendations and cost estimates.
Risk Treatment/Risk Response (4.6, PPT Slides 55–60 and 63)
I. Introduce the four strategies to treat risks for assets:
a. Mitigation: Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk.
b. Transference: Shifting risks to other areas or to outside entities.
c. Acceptance: Understanding the consequences of choosing to leave an information asset's vulnerability facing the current level of risk, but only after a formal evaluation and intentional acknowledgement of this decision.
d. Termination: Removing or discontinuing the information asset from the organization's operating environment.
Risk Mitigation
I. Explain how mitigation is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
II. Explain how mitigation begins with early detection of an attack in progress and relies on the ability of the organization to respond quickly, efficiently, and effectively.
III. Discuss the three types of plans in this approach: the incident response plan (IRP), the disaster recovery plan (DRP), and the business continuity plan (BCP).
Risk Transference
I. Explain that the transfer control strategy attempts to shift the risk to other assets, other processes, or other organizations.
II. Mention that this principle should be considered whenever an organization begins to expand its operations.
III. Explain that if an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise.
IV. Point out that it is up to the owner of the information asset, IT management, and the information security team to ensure that the disaster recovery requirements of the outsourcing contract are sufficient and have been met before they are needed for recovery efforts.
Risk Acceptance
I. Emphasize that the acceptance of risk is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. This may or may not be a conscious business decision.
II. Clarify how the only acceptance strategy that is recognized as valid occurs when the organization has done the following:
● Determined the level of risk.
● Assessed the probability of attack.
● Estimated the potential damage that could occur from these attacks.
● Performed a thorough cost-benefit analysis.
● Evaluated controls using each appropriate type of feasibility.
● Decided that the particular function, service, information, or asset did not justify the cost of protection.
V. Explain how, if every vulnerability identified in the organization is handled by means of acceptance, it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general.
Risk Termination
I. Remind students that the final risk control strategy directs the organization to avoid business activities that introduce uncontrollable risks.
Process Communications, Monitoring, and Review
I. Define process communications.
II. Define process monitoring and review.
III. Explain that the process team needs to give continual feedback to the framework team about the relative success and challenges of its RM activities.
Mitigation and Risk
I. Explain that this form of mitigation is part of contingency planning (CP), which students will learn about in Module 5.
II. Note that CP mitigation derives its value from the ability to detect, react to, respond to, and recover from incidents and disasters as quickly as possible, thus minimizing the damage to an information asset.
Managing Risk (4.6, 4.7, PPT Slides 64–70)
I. Discuss the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages.
II. Discuss how a risk management process requires applying the organization's project management principles to the risk management process.
III. Explain that the process will need a proper project plan with periodic deliverables, including a task list and appropriate assignments.
IV. Explain how planned expenditures to implement a control strategy must be justified, and budget authorities must be convinced to spend the necessary amount to protect a particular asset from an identified threat.
V. Note that another factor to consider is that each control or safeguard affects more than one asset-threat pair. Information security professionals manage a dynamic matrix covering a broad range of threats, information assets, controls, and identified vulnerabilities.
VI. Explain how, if a new safeguard is implemented, there is a risk decrease associated with all subsequent control evaluations. The action of implementing a control may change the values assigned or calculated in a prior estimate.
VII. Emphasize how there is an ongoing search for ways to design security architectures that go beyond the direct application of specific controls, in which each is justified for a specific information asset vulnerability, to safeguards that can be applied to several vulnerabilities at once.
VIII. Discuss how the results of risk assessment activities can be delivered. There are a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
IX. Explain that when the organization is pursuing an overall risk management program, it requires a systematic report that enumerates the opportunities for controlling risk. This report documents a series of proposed controls, each of which has been justified by one or more feasibility or rationalization approaches.
X. Explain how another option is to document the outcome of the control strategy for each information asset-threat pair in an action plan. This action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual.
XI. Remind students that sometimes a risk assessment is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice. The project risk assessment should identify the sources of risk in the finished IT system with suggestions for remedial controls, as well as those risks that might impede the completion of the project.
XII. Explain how, when management requires details about a specific risk to the organization, risk assessment may be documented in a topic-specific report. These are usually demand reports that are prepared at the direction of senior management and are focused on a narrow area of information systems operational risk.
Feasibility and Cost-Benefit Analysis
I. Discuss that before deciding on the treatment strategy for a specific TVA triple, an organization should explore all readily accessible information about the economic and noneconomic consequences of a vulnerability's exploitation when the threat causes a loss to the asset.
II. Explain that some of the techniques of cost-benefit analysis use dollar-denominated expenses and savings from economic cost avoidance, while others use noneconomic feasibility criteria.
Cost
I. Discuss the factors that help to determine the cost of safeguarding information:
• Cost of development or acquisition—Hardware, software, and services.
• Training fees—Cost to train personnel.
• Cost of implementation—Installing, configuring, and testing hardware, software, and services.
• Service costs—Vendor fees for maintenance and upgrades, or from outsourcing the information asset's protection and/or insurance.
• Cost of maintenance—Labor expense to verify and continually test, maintain, train, and update.
• Potential cost from the loss of the asset—Either from removal of service (termination) or compromise by attack.
Benefit
I. Define benefit as the value to the organization of using controls to prevent losses associated with a specific vulnerability.
II. Explain that this result is expressed as the annualized loss expectancy (ALE).
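The cost side and the benefit side of the analysis above, put together in a small cost-benefit calculation. This is an added example for instructors, not material from the textbook or the manual. It uses the standard definitions SLE = asset value x exposure factor, ALE = SLE x ARO, and CBA = ALE(prior) - ALE(post) - ACS (annual cost of the safeguard); those formulas are assumed here as the conventional ones and are not quoted from this page. The annual cost of the safeguard is built from the cost factors the Cost section lists, with one further assumption: one-time costs (development or acquisition, implementation) are spread evenly over an assumed useful life in years. All figures are constructed.

```python
from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the most likely loss from one successful attack (exposure factor is 0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: SLE scaled by the annualized rate of occurrence (expected attacks per year)."""
    return sle * aro


def annual_cost_of_safeguard(costs: Dict[str, float], useful_life_years: int) -> float:
    """ACS built from the page's cost factors.

    Assumption: 'acquisition' and 'implementation' are one-time costs amortized
    over useful_life_years; 'training', 'service' and 'maintenance' recur yearly.
    """
    one_time = costs.get("acquisition", 0.0) + costs.get("implementation", 0.0)
    recurring = costs.get("training", 0.0) + costs.get("service", 0.0) + costs.get("maintenance", 0.0)
    return one_time / useful_life_years + recurring


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


def evaluate_control(asset_value: float, exposure_factor: float, aro_prior: float,
                     aro_post: float, costs: Dict[str, float], useful_life_years: int) -> dict:
    """Full worked evaluation of one proposed safeguard for one asset-threat pair."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_prior = annualized_loss_expectancy(sle, aro_prior)
    ale_post = annualized_loss_expectancy(sle, aro_post)
    acs = annual_cost_of_safeguard(costs, useful_life_years)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"sle": sle, "ale_prior": ale_prior, "ale_post": ale_post,
            "acs": acs, "cba": cba, "worthwhile": cba > 0}


# Constructed sample: a $250,000 asset, 40% of it lost per successful attack,
# attacks expected every other year before the control and once a decade after it.
SAMPLE_COSTS = {"acquisition": 12_000, "training": 2_000, "implementation": 3_000,
                "service": 4_000, "maintenance": 5_000}

if __name__ == "__main__":
    result = evaluate_control(250_000, 0.4, aro_prior=0.5, aro_post=0.1,
                              costs=SAMPLE_COSTS, useful_life_years=3)
    for key, value in result.items():
        print(f"{key:>10}: {value}")
```

The "potential cost from the loss of the asset" factor in the Cost list is what the ALE terms already capture, so it is not added a second time into ACS; counting it on both sides of the subtraction would bias the analysis against every control.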
Asset Valuation
I. Discuss what needs to be considered as each asset of the organization is assigned to a category. The following questions assist in developing the weighting criteria to be used for asset valuation:
• Which information asset is the most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which of these assets plays the biggest role in generating revenue or delivering services?
• Which information asset would be the most expensive to replace?
• Which information asset would be the most expensive to protect?
• Which information asset would most expose the company to liability or embarrassment if revealed?
II. Discuss what is necessary to calculate, estimate, or derive values for information assets; consideration might be given to the following:
• Value retained from the cost of creating the information asset.
• Value retained from past maintenance of the information asset.
• Value implied by the cost of replacing the information.
• Value from providing the information.
• Value incurred from the cost of protecting the information.
• Value to owners.
• Value of intellectual property.
• Value to adversaries.
III. Note how additional company-specific criteria may add value to the asset evaluation process and should be identified, documented, and added to the process.
IV. Explain that to finalize this step, the organization should assign a weight to each asset based on its answers to these questions.
V. Discuss information asset prioritization.
• Once the process of inventorying and assessing value is complete, you can prioritize each asset using weighted factor analysis. Use Table 5-2 in your explanation.
• In this process, each information asset is assigned a score for each critical factor. In addition, each critical factor is also assigned a weight (ranging from 1 to 100) to show that criterion's assigned importance for the organization.
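Weighted factor analysis as described in the prioritization bullets above, worked through in code. This is an added example for instructors, not the textbook's Table 5-2 or any code from the manual. The criteria, weights, asset names and scores are all constructed. Two conventions are assumed: the criteria weights sum to 100, and each asset's score on a criterion is a fraction from 0.1 to 1.0, so the weighted score lands on a 0-100 scale that can feed the "asset relative value" column of the ranked vulnerability risk worksheet.

```python
from typing import Dict, List, Tuple

# Constructed critical factors and their weights (assumed convention: weights sum to 100).
CRITERIA_WEIGHTS: Dict[str, int] = {
    "impact_to_revenue": 30,
    "impact_to_profitability": 40,
    "impact_to_public_image": 30,
}

# Constructed assets with a 0.1-1.0 score per critical factor (assumed convention).
ASSET_SCORES: Dict[str, Dict[str, float]] = {
    "Customer order database": {"impact_to_revenue": 0.9, "impact_to_profitability": 1.0, "impact_to_public_image": 0.6},
    "Public web server":       {"impact_to_revenue": 0.7, "impact_to_profitability": 0.5, "impact_to_public_image": 0.9},
    "HR records":              {"impact_to_revenue": 0.2, "impact_to_profitability": 0.4, "impact_to_public_image": 1.0},
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject a weighting scheme that does not total 100 or has out-of-range weights."""
    if sum(weights.values()) != 100:
        raise ValueError(f"criteria weights must sum to 100, got {sum(weights.values())}")
    if any(not 1 <= w <= 100 for w in weights.values()):
        raise ValueError("each weight must be between 1 and 100")


def validate_scores(scores: Dict[str, float], weights: Dict[str, int]) -> None:
    """Every weighted criterion needs a score, and scores stay inside 0.1-1.0."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing scores for criteria: {sorted(missing)}")
    if any(not 0.1 <= s <= 1.0 for s in scores.values()):
        raise ValueError("scores must be between 0.1 and 1.0")


def weighted_score(scores: Dict[str, float], weights: Dict[str, int] = CRITERIA_WEIGHTS) -> float:
    """Sum of (score x weight) over the critical factors, rounded to one decimal."""
    validate_weights(weights)
    validate_scores(scores, weights)
    return round(sum(scores[c] * w for c, w in weights.items()), 1)


def prioritize(assets: Dict[str, Dict[str, float]],
               weights: Dict[str, int] = CRITERIA_WEIGHTS) -> List[Tuple[str, float]]:
    """Rank assets from most to least valuable to the organization."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in prioritize(ASSET_SCORES):
        print(f"{name:<25} {score:>6.1f}")
```

Changing the weights changes the order: the same three assets re-rank if public image is weighted above profitability, which is exactly why the text has the organization settle its weighting criteria (the questions in item I) before scoring any asset.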
Alternative Risk Management Methodologies (4.8, PPT Slides 71–77)
I. Explain that there are alternative approaches to risk management, including international and national standards and methodologies from industry-leading organizations.
The OCTAVE Methods
I. Define the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.
FAIR
I. Explain how Factor Analysis of Information Risk (FAIR) can help organizations understand, analyze, and measure information risk.
II. Discuss the FAIR methodology, which consists of 10 steps in four major stages.
ISO Standards for InfoSec Risk Management
I. Discuss how the International Organization for Standardization (ISO) has standards related to information security and risk management.
NIST Risk Management Framework (RMF)
I. Investigate the National Institute of Standards and Technology (NIST) risk management framework: https://csrc.nist.gov/publications/sp.
Selecting the Best Risk Management Model
I. Determine how to select the best risk management model.
Quick Quiz 2
1. True or False: The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation.
Answer: False
2. The probability that a specific vulnerability within an organization will be the target of an attack is known as which of the following?
a. probability
b. manageability
c. likelihood
d. practicality
Answer: c
3. Which risk control strategy attempts to reduce the impact of a successful attack through planning and preparation?
a. Transference
b. Defense
c. Acceptance
d. Mitigation
Answer: d
4. Which risk control strategy attempts to shift residual risk to other assets, other processes, or other organizations?
a. Transference
b. Defense
c. Acceptance
d. Mitigation
Answer: a
5. The calculation of the value associated with the most likely loss from an attack is called which of the following?
a. ARO
b. ALE
c. CBA
d. SLE
Answer: d
6. Which of the following terms best describes comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate?
a. baselining
b. performance gap
c. benchmarking
d. feasibility reporting
Answer: c
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module. Additional class discussion options:
1. What is the best value that should be assessed when evaluating the worth of an information asset to the organization—replacement cost or lost income while repairing or replacing? (4.1, PPT Slides 3–6, 25, 79, and 81) Duration 15 minutes.
2. What is the likelihood value of a vulnerability that no longer must be considered? (4.6, PPT Slides 33, 35–37, 40, 42, and 46–60) Duration 15 minutes.
3. In what instances is baselining or benchmarking superior to cost-benefit analysis? (4.7, PPT Slides 64–70) Duration 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Have students review the information assets in a campus departmental office and estimate the value of each asset.
2. Have students list the hardware assets found in a computing lab and then list the attributes of those assets. They should provide as many facts about each asset as possible.
3. Provide your students with a list of information security controls. Have them classify them as preventive or detective.
[return to top]
Additional Resources
Cengage Video Resources
• MindTap Video: Risk Assessment
• MindTap Video: Risk Control
Internet Resources
• Cultivating a Risk Intelligent Culture
• Creating a Culture of Risk Avoidance
• Effective IT Risk Management
• An Introduction to Cost Benefit Analysis
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3 – Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2 – Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1 – Needs Improvement
• Student's response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student's response is poorly developed or incomplete.
0 – Inadequate
• Student's response is missing or incomplete.
• Student's response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 5: Incident Response and Contingency Planning
Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 5: Incident Response and Contingency Planning
Table of Contents
Purpose and Perspective of the Module ... 2
Cengage Supplements ... 2
Module Objectives ... 2
Complete List of Module Activities and Assessments ... 2
Key Terms ... 3
What's New in This Module ... 8
Module Outline ... 8
Discussion Questions ... 42
Suggested Usage for Lab Activities ... 43
Additional Activities and Assignments ... 45
Additional Resources ... 45
Cengage Video Resources ... 45
Internet Resources ... 45
Appendix ... 47
Grading Rubrics ... 47
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Purpose and Perspective of the Module
Interruptions within an organization are bound to happen. The question is when they will happen and what can be done to mitigate the damage they cause. Within this module, students will gain an understanding of the purpose of and need for contingency planning, which is also referred to as disaster recovery and business continuity planning. Incident response is another major theme: the authors comprehensively cover its components and the processes used in digital forensics to determine why these events occurred. Toward the conclusion of this module, a discussion is held on how the organization would prepare and execute a test of its contingency plans. Testing is essential to ensure that the plans work in the event something does happen.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
5.1 Discuss the need for contingency planning.
5.2 Describe the major components of incident response, disaster recovery, and business continuity.
5.3 Identify the processes used in digital forensics investigations.
5.4 Define the components of crisis management.
5.5 Discuss how the organization would prepare and execute a test of contingency plans.
Complete List of Module Activities and Assessments
For additional guidance, refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
5.1 | 6–7 | Knowledge Check Activity 1 | 2 minutes
5.2 | 47–48 | Knowledge Check Activity 2 | 2 minutes
5.3–5.4 | 79–80 | Knowledge Check Activity 3 | 2 minutes
5.4–5.5 | 92–93 | Knowledge Check Activity 4 | 2 minutes
5.1–5.5 | 103 | Self-Assessment | 5 minutes
 | MindTap | Module 05 Review Questions | 30–40 minutes
 | MindTap | Module 05 Case Exercises | 30 minutes
 | MindTap | Module 05 Exercises | 10–30 minutes per question; 1+ hour per module
 | MindTap | Module 05 Security for Life | 1+ hour
 | MindTap | Module 05 Quiz | 10–15 minutes
Key Terms
In order of use:
adverse event: An event with negative consequences that could threaten the organization’s information assets or operations; also referred to as an incident candidate.
contingency planning (CP): The actions taken by senior management to specify the organization’s efforts and actions if an adverse event becomes an incident or disaster; CP typically includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.
contingency planning management team (CPMT): The group of senior managers and project members organized to conduct and lead all CP efforts.
incident response planning team (IRPT): The team responsible for designing and managing the IR plan by specifying the organization’s preparation, reaction, and recovery from incidents.
disaster recovery planning team (DRPT): The team responsible for designing and managing the DR plan by specifying the organization’s preparation, response, and recovery from disasters, including reestablishment of business operations at the primary site after the disaster.
business continuity planning team (BCPT): The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location.
crisis management planning team (CMPT): The individuals from various functional areas of the organization assigned to develop and implement the CM plan.
business impact analysis (BIA): An investigation and assessment of adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process; it includes a determination of how critical a system or set of information is to the organization’s core processes and its recovery priorities.
business process: A task performed by an organization or one of its units in support of the organization’s overall mission and operations.
recovery time objective (RTO): The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the maximum tolerable downtime.
recovery point objective (RPO): The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data.
maximum tolerable downtime (MTD): The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
work recovery time (WRT): The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO.
incident response (IR): An organization’s set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.
incident response planning (IRP): The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.
incident candidate: See adverse event.
incident: An adverse event that could result in a loss of information assets but does not threaten the viability of the entire organization.
incident response plan (IRP): The documented product of incident response planning; a plan that shows the organization’s intended efforts in the event of an incident.
computer security incident response team (CSIRT): An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident; may include members of the IRPT.
IR policy: The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams.
IR procedures: Detailed, step-by-step methods of preparing, detecting, reacting to, and recovering from an incident.
electronic vaulting: A backup strategy that transfers data in bulk batches to an off-site facility.
remote journaling: A backup strategy that transfers only transaction data in near real time to an off-site facility.
database shadowing: A backup strategy that transfers duplicate online transaction data and duplicate databases to a remote site on a redundant server, combining electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.
3-2-1 backup rule: A backup strategy that recommends the creation of at least three copies of critical data (the original and two copies) on at least two different media, with at least one copy stored off-site.
incident classification: The process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.
incident detection: The identification and classification of an adverse event as an incident, accompanied by the notification of the CSIRT and the activation of the IR reaction phase.
alert roster: A document that contains contact information for personnel to be notified in the event of an incident or disaster.
alert message: A description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process.
after-action review (AAR): A detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.
protect and forget: The organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker’s identification and prosecution; also known as “patch and proceed.”
apprehend and prosecute: The organizational CP philosophy that focuses on an attacker’s identification and prosecution, the defense of information assets, and preventing reoccurrence; also known as “pursue and punish.”
digital forensics: Investigations that involve the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis, following clear, well-defined methodologies.
forensics: The coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.
evidentiary material (EM): Any information that could potentially support an organization’s legal or policy-based case against a suspect; also known as items of potential evidentiary value.
digital malfeasance: A crime involving digital media, computer technology, or related components.
root cause analysis: The determination of the source or origin of an event, problem, or issue like an incident.
affidavit: Sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place; the affidavit specifies the facts, the items, and the place.
search warrant: Permission to search for evidentiary material at a specified location or to seize items to return to an investigator’s lab for examination.
chain of evidence: The detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition.
chain of custody: See chain of evidence.
disaster recovery (DR): An organization’s set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster.
disaster recovery planning (DRP): The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams.
disaster recovery plan (DR plan): The documented product of disaster recovery planning; a plan that shows the organization’s intended efforts in the event of a disaster.
DR policy: The policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams.
disaster classification: The process of examining an adverse event or incident and determining whether it constitutes an actual disaster.
slow-onset disasters: Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects.
rapid-onset disasters: Disasters that occur suddenly, with little warning, taking people’s lives and destroying the means of production.
business continuity (BC): An organization’s set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site; typically includes temporarily establishing critical operations at an alternate site until operations can be resumed at the primary site or a new permanent site.
business continuity planning (BCP): The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.
BC plan: The documented product of business continuity planning; a plan that shows the organization’s intended efforts to continue critical functions when operations at the primary site are not feasible.
BC policy: The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams.
business resumption planning (BRP): The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.
hot site: A fully configured BC facility that includes all computing services, communications links, and physical plant operations.
warm site: A BC facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications.
cold site: A BC facility that provides only rudimentary services, with no computer hardware or peripherals.
timeshare: A continuity strategy in which an organization co-leases facilities with a business partner or sister organization, which allows the organization to have a BC option while reducing its overall costs.
service bureau: A BC strategy in which an organization contracts with a service agency to provide a facility for a fee.
mutual agreement: A BC strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.
rolling mobile site: A BC strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer.
crisis management (CM): An organization’s set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
crisis management policy (CM policy): The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams.
crisis management plan (CM plan): The documented product of crisis management planning; a plan that shows the organization’s intended efforts to protect its personnel and respond to safety threats.
crisis management planning (CMP): The actions taken by senior management to develop and implement the CM policy, plan, and response teams.
desk check: The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components.
structured walk-through: The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event; can also be conducted as a conference room talk-through.
talk-through: A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.
simulation: The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.
full-interruption testing: The CP testing strategy in which all team members follow each IR/DR/BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals.
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was not present in the 6th edition.
• The contingency planning content that was previously found in Chapter 4 was expanded and enhanced to include incident response technologies, SOCs, CSIRTs, and response strategies.
• The content on digital forensics was pulled from Chapter 12 and placed into the context of incident response.
Module Outline

Introduction to Incident Response and Contingency Planning (5.1, PPT Slide 3)
I. Emphasize that this module focuses on the plans that are made for adverse events, that is, for when the technologies an organization uses are disrupted and business comes to a halt.
II. Stress that the information technology (IT) and information security (InfoSec) communities often assess the entire technological infrastructure of the organization using the mission statement and current organizational objectives to drive their planning activities. Emphasize that these planning activities must be sanctioned and actively supported by the general business community of interest.
III. Direct learners to National Institute of Standards and Technology (NIST) Special Publication 800-34, the contingency planning guide for federal information systems. Although it is written for government entities, its content applies to a number of topics discussed in the module.
IV. Present the fact that organizations of every size and purpose should prepare for the unexpected. Note that incidents and disasters arrive in several ways: they can develop over time or strike suddenly with no notice.
V. Emphasize strongly that developing a plan for handling unexpected events must be a high priority for all managers. Note that, to be of maximum benefit, the plan must assume that key members of the organization may be unavailable when an issue or emergency occurs.
VI. Compare with past efforts: there is a growing interest in, and emphasis on, comprehensive and robust planning for adverse circumstances. Stress that sound risk management practices are essential if an organization is to be ready for whatever comes its way operationally.
Fundamentals of Contingency Planning (5.2, PPT Slides 4–28)
I. Define the terms adverse event and contingency planning (CP), and explain how the IT and InfoSec communities of interest position themselves to prepare for, defend against, detect, react to, and recover from events that threaten the security of resources and assets. The assets in question include not only information but people and capital assets as well.
II. Outline the four components of CP:
• Business impact analysis (BIA)
• Incident response plan (IR plan)
• Disaster recovery plan (DR plan)
• Business continuity plan (BC plan)
III. Recall that the BIA is a preparatory activity common to both CP and risk management, which was covered in the fourth module of the course. It also helps an organization determine which business functions and information systems are the most critical to its success.
IV. Clarify that the individuals most likely to be responsible for contingency planning are the chief information officer (CIO), system administrators, the chief information security officer (CISO), and key IT and business managers.
V. Review and develop the foundation of a contingency planning management team (CPMT) and its CP document as recommended by NIST. Remember that effective CP begins with effective policies. The following steps, as provided in the text, must be followed to produce a solid plan:
• Develop the CP policy statement: A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
• Conduct the BIA: The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business processes. A template for developing the BIA is provided to assist the user.
• Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
• Create contingency strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
• Develop a contingency plan: The contingency plan should contain detailed guidance and procedures for restoring damaged organizational facilities unique to each business unit’s impact level and recovery requirements.
• Ensure plan testing, training, and exercises: Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation, and exercising the plan identifies planning gaps; when combined, the activities improve plan effectiveness and overall organization preparedness.
• Ensure plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.
VI. Examine and explain the sections that a CP policy should contain, as recommended by NIST Special Publication (SP) 800-34:
• An introductory statement of philosophical perspective by senior management as to the importance of CP to the strategic, long-term operations of the organization
• A statement of the scope and purpose of the CP operations, stipulating the requirement to cover all critical business functions and activities
• A call for periodic (e.g., yearly) risk assessment and BIA by the CPMT, to include identification and prioritization of critical business functions (while the need for such studies is well understood by the CPMT, the formal inclusion in policy reinforces that need to the rest of the organization)
• A description of the major components of the CP to be designed by the CPMT, as described earlier
• A call for, and guidance in, the selection of recovery options and continuity strategies
• A requirement to test the various plans on a regular basis (e.g., annually, semiannually, or more often as needed)
• Identification of key regulations and standards that impact CP and a brief overview of their relevance
• Identification of key individuals responsible for CP operations, such as establishment of the chief operations officer (COO) as CPMT lead, the CISO as IR team lead, the manager of business operations as DR team lead, the manager of information systems and services as BC team lead, and legal counsel as crisis management team lead
• An appeal to the individual members of the organization, asking for their support and reinforcing their importance as part of the overall CP process
• Additional administrative information, including the original date of the document, revision dates, and a schedule for periodic review and maintenance
VII. Recall that the CPMT collects information about the organization and the threats it faces internally and externally. In order to plan for incident response, disaster recovery, and business continuity, list the personnel that should be on these teams for maximum effectiveness and application of the plans created:
• Champion: As with any strategic function, the CP project must have a high-level manager to support, promote, and endorse the findings of the project. This champion could be the chief operations officer (COO) or (ideally) the CEO/president.
• Project manager: A champion provides the strategic vision and the linkage to the power structure of the organization but does not manage the project. A project manager—possibly a mid-level operations manager or even the CISO—leads the project, putting in place a sound project planning process, guiding the development of a complete and useful project, and prudently managing resources.
• Team members: The team members should be the managers or their representatives from the various communities of interest: business, IT, and InfoSec. Business managers supply details of their activities and insight into functions that are critical to running the business. IT managers supply information about the at-risk systems used in the development of the BIA and the IR, DR, and BC plans. Some departments that should be represented on the team include:
  i. Corporate communications department/public relations
  ii. Legal affairs and/or attorneys
  iii. Supplemental teams from the incident response planning team (IRPT), disaster recovery planning team (DRPT), business continuity planning team (BCPT), and crisis management planning team (CMPT)
VIII. Comment that larger organizations often have distinct groups with little or no overlap, whereas smaller businesses often have individuals who are responsible for multiple duties across the teams listed above. This can create a major obstacle if something were to occur.
IX. Strongly emphasize to students that contingency planning often gets little attention and is rarely a high priority; in most cases, organizations do not address it at all.
Components of Contingency Planning
I. Guide students to review Figures 5-1 and 5-2 in the textbook as visual aids for the contingency planning hierarchy and the contingency planning life cycle.
II. Recognize that throughout the module the authors provide extensive detail on how to determine which plan is best suited for the identification, containment, and resolution of an unexpected event.

Business Impact Analysis
I. Define the purpose of the business impact analysis (BIA). Stress that this document is the first major component of the CP process and explain what it is intended for. As mentioned in the text, it serves as an investigation and assessment of the impact that various adverse events can have on the organization.
II. Compare and contrast risk management and the BIA. A BIA specifically assumes that the controls in place have been bypassed, have failed, or were ineffective at stopping the attack. Critique this approach, noting that it is best to assume the worst in order to recover quickly back to normal operation.
III. Assemble the considerations that should be included in the BIA document, as provided in the text:
• Scope: Carefully consider which parts of the organization to include in the BIA; determine which business units to cover, which systems to include, and the nature of the risk being evaluated.
• Plan: The needed data will likely be voluminous and complex, so work from a careful plan to ensure that the proper data is collected to enable a comprehensive analysis. Getting the correct information to address the needs of decision makers is important.
• Balance: Weigh the information available; some information may be objective in nature, while other information may only be available as subjective or anecdotal references. Facts should be weighted properly against opinions; however, sometimes the knowledge and experience of key personnel can be invaluable.
• Objective: Identify in advance what the key decision makers require for making choices. Structure the BIA to bring them the information they need and to facilitate consideration of those choices.
• Follow-up: Communicate periodically to ensure that process owners and decision makers will support the process and result of the BIA.
IV. Order and present the three stages that NIST SP 800-34, Rev. 1, recommends for a BIA:
• Determine mission/business processes and recovery criticality.
• Identify resource requirements.
• Identify recovery priorities for system resources.
Determine Mission/Business Processes and Recovery Criticality
I. State that the first major BIA task is the analysis and prioritization of the business processes in an organization, based on their relationship to the mission of the firm.
II. Clarify that the term mission/business process refers strictly to business processes that occur in an organization. Note that NIST uses the terms interchangeably, which may cause unnecessary confusion.
III. Describe to students that, when information is being gathered, collecting critical information about each business unit before prioritizing the functions that must be sustained is a mandatory starting point.
IV. Recommend the use of a weighted table analysis (WTA), as shown in Table 5-1, to resolve which business functions are the most critical. This likely provides the most accurate assessment of what is critical and what is less important but still essential to the organization’s operations.
V. Align students with NIST’s recommendation to use simple qualitative categories for recovery criticality:
• Low impact
• Moderate impact
• High impact
VI. Review the four terms provided within the section with respect to how much of an asset is needed to recover and the time it takes to do so:
• recovery time objective (RTO): The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the maximum tolerable downtime.
• recovery point objective (RPO): The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data.
• maximum tolerable downtime (MTD): The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
• work recovery time (WRT): The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO.
VII. Stress that there are often situations where nontechnical tasks are required in order for an organization to make information assets usable again for applicable business functions.
VIII. Express concerns, as aligned with NIST, that failing to determine MTD “could leave contingency planners with imprecise direction on (1) selection of an appropriate recovery method and (2) the depth of detail that will be required when developing recovery procedures, including their scope and content.”
IX. Disseminate Figure 5-5 and provide guidance to learners that the cost balance point provides an optimal point between disruption and recovery costs. Note that this cost will vary greatly from one organization to another.
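Worked example for items VI through IX (added here; it is not part of the Cengage manual or the textbook). It checks that a process's RTO, WRT, MTD and RPO are consistent with each other and with how often backups are actually taken, and it locates the cost balance point of Figure 5-5 under a simple constructed cost model. The process name, all hour values, the cost figures and the cost formulas are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RecoveryObjectives:
    """Recovery targets for one business process, all in hours.
    The process name and every number used below are constructed for the example."""
    process: str
    rto: float              # recovery time objective: technology element back within this time
    wrt: float              # work recovery time: manual work after the technology is back
    mtd: float              # maximum tolerable downtime accepted by the system owner
    rpo: float              # recovery point objective: acceptable window of lost data
    backup_interval: float  # how often data is actually captured (assumed input)


def check_objectives(o: RecoveryObjectives) -> List[str]:
    """Return the inconsistencies a contingency planner would flag.

    An empty list means the targets are consistent. Two relationships are
    checked: the outage only ends when the business function works again, so
    RTO + WRT must fit inside the MTD; and data must be captured at least as
    often as the RPO allows, otherwise the RPO cannot be met with these backups.
    """
    findings = []
    if o.rto + o.wrt > o.mtd:
        findings.append(
            f"{o.process}: RTO {o.rto}h + WRT {o.wrt}h = {o.rto + o.wrt}h exceeds MTD {o.mtd}h"
        )
    if o.backup_interval > o.rpo:
        findings.append(
            f"{o.process}: backups every {o.backup_interval}h cannot satisfy an RPO of {o.rpo}h"
        )
    return findings


def cost_balance_point(
    disruption_cost_per_hour: float,
    recovery_cost_constant: float,
    candidate_rtos: Sequence[float],
) -> Optional[Tuple[float, float]]:
    """Constructed cost model for the idea behind Figure 5-5.

    Disruption cost grows with the recovery time (cost per hour times RTO);
    recovery cost shrinks with it (halving the RTO doubles the spend, modelled
    as constant / RTO). Returns (rto, total cost) for the candidate with the
    lowest combined cost, or None if no candidates are given.
    """
    best = None
    for rto in candidate_rtos:
        if rto <= 0:
            raise ValueError("candidate RTOs must be positive")
        total = disruption_cost_per_hour * rto + recovery_cost_constant / rto
        if best is None or total < best[1]:
            best = (rto, total)
    return best


if __name__ == "__main__":
    # Constructed process: technology back in 4h, 2h of manual catch-up, 8h tolerated,
    # 1h of data loss acceptable, but backups only run daily.
    billing = RecoveryObjectives("customer billing", rto=4, wrt=2, mtd=8, rpo=1, backup_interval=24)
    for finding in check_objectives(billing):
        print(finding)
    print(cost_balance_point(1000.0, 16000.0, [1, 2, 4, 8, 24]))
```

The RPO finding is the one planners most often miss: the RTO and WRT may fit the MTD perfectly while the backup rhythm makes the RPO unachievable, which is the gap the 3-2-1 rule and the data protection options later in the module address.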
X. Establish the knowledge that as the CPMT executes the BIA, they will have asset priorities and relative values for mission and/or business processes.
XI. Consequently, point out to students that the presence of high-value information assets may influence the valuation of a particular business process. In any event, once the business processes have been prioritized, the organization should identify, classify, and prioritize the information assets both across the organization and within each business process, placing classification labels on each collection or repository of information to better understand its value and to prioritize its protection.
Identify Recovery Resource Requirements
I. State that once the organization has the list of mission/business processes in place, it will need to recover those processes and the assets that are critical to them.
II. Review Table 5-2 and walk students through the process of identifying the business process or mission, the required resource components, additional resources that may be needed, and a description of what it would take to get it up and running, as well as estimated costs.
Identify System Resource Recovery Priorities
I. Recall that the final step of the BIA is to prioritize the resources associated with the mission/business processes. This is done to determine what needs to be recovered first, even among the most critical processes.
II. Relate that multiple weighted tables can, and may need to, be created so that the resources can be properly and fairly allocated. This also assigns values to each resource more accurately.
III. Establish that the persons who oversee the team should not get so bogged down in the process that they lose sight of the objective.
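Worked example of the weighted table analysis recommended in item IV above (Table 5-1) and of the "multiple weighted tables" for resources in item II of this section (added here; not the manual's or the textbook's code). The criteria, weights and 0-5 scores are constructed for the example and are not the values from Table 5-1 or Table 5-2; the same ranking function is applied first to business processes and then to the resources behind the top-ranked process.

```python
from typing import Dict, List, Tuple

Scores = Dict[str, int]

# Constructed criteria and weights. The weights express how much each criterion
# matters to the mission; they are normalized to sum to 1.0 before scoring.
PROCESS_CRITERIA: Dict[str, float] = {
    "impact_on_revenue": 0.4,
    "impact_on_customers": 0.3,
    "regulatory_exposure": 0.2,
    "dependency_of_other_processes": 0.1,
}

# Constructed 0-5 scores for three business processes (none come from Table 5-1).
PROCESS_SCORES: Dict[str, Scores] = {
    "customer billing": {"impact_on_revenue": 5, "impact_on_customers": 4,
                         "regulatory_exposure": 3, "dependency_of_other_processes": 2},
    "e-mail": {"impact_on_revenue": 2, "impact_on_customers": 3,
               "regulatory_exposure": 1, "dependency_of_other_processes": 5},
    "payroll": {"impact_on_revenue": 1, "impact_on_customers": 1,
                "regulatory_exposure": 5, "dependency_of_other_processes": 1},
}

# A second table, as the module notes several may be needed, ranks the resources
# behind the top-ranked process. Constructed values again.
RESOURCE_CRITERIA: Dict[str, float] = {"needed_to_restore_process": 0.6, "replacement_lead_time": 0.4}
BILLING_RESOURCE_SCORES: Dict[str, Scores] = {
    "billing database server": {"needed_to_restore_process": 5, "replacement_lead_time": 4},
    "web front end": {"needed_to_restore_process": 4, "replacement_lead_time": 2},
    "invoice printer": {"needed_to_restore_process": 2, "replacement_lead_time": 1},
}


def normalize_weights(weights: Dict[str, float]) -> Dict[str, float]:
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and sum to a positive number")
    return {name: w / total for name, w in weights.items()}


def weighted_score(scores: Scores, weights: Dict[str, float]) -> float:
    """Weighted sum over the criteria. A criterion left unscored is a data-entry
    error in the table, so it raises instead of silently counting as zero."""
    missing = set(weights) - set(scores)
    if missing:
        raise KeyError(f"unscored criteria: {sorted(missing)}")
    return sum(scores[c] * weights[c] for c in weights)


def prioritize(table: Dict[str, Scores], criteria: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank the rows of a weighted table, highest weighted score first.
    Ties keep their input order, so list the rows in the order they were assessed."""
    weights = normalize_weights(criteria)
    ranked = [(name, round(weighted_score(row, weights), 2)) for name, row in table.items()]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


if __name__ == "__main__":
    processes = prioritize(PROCESS_SCORES, PROCESS_CRITERIA)
    print("process priority:", processes)
    print("resource priority for", processes[0][0], ":",
          prioritize(BILLING_RESOURCE_SCORES, RESOURCE_CRITERIA))
```

Because the weights are normalized, a table can be extended with a new criterion without re-deriving every other weight; the unscored-criterion check is what keeps an incomplete row from quietly sinking to the bottom of the ranking.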
Contingency Planning Policies
I. Identify that the CP team should work to develop the policy environment that will enable the BIA process and should provide specific policy guidance toward authoring each of the planning components (IR, DR, and BC) before the documents are created.
II. Describe the nature of the documents that are developed. Each of the documents that are part of the CP must include a policy that is similar in structure to all other policies used in the organization.
Incident Response (5.2, PPT Slides 29–59)
I. Define what an incident response is and how it is similar to or different from an adverse event.
II. Express concern that incident response depends on the quick, efficient, and timely containment of an issue that occurs and on its resolution.
III. Summarize the purpose of incident response planning (IR plan) and who is primarily responsible for carrying it out, which is often senior management.
IV. Describe when an IR plan is activated and give an example or two of simple situations in which that would happen. In truth, it is any incident, regardless of how minor or major the effect is.
Getting Started
I. Correlate the process mentioned earlier in the module: the CPMT is responsible for creating the IRPT. This team is then tasked with creating the computer security incident response team (CSIRT).
II. Display and discuss the NIST incident response life cycle as outlined in Figure 5-6. The following steps are included in this process:
• Preparation
• Detection and analysis
• Containment, eradication, and recovery
• Post-incident activity
Note that the detection and analysis step and the containment, eradication, and recovery step are cyclical and can happen multiple times in the life cycle.
III. Translate the NIST Cybersecurity Framework in Figure 5-7. Detail the five stages that are part of this framework:
• Identify: Relates to risk management and governance
• Protect: Relates to implementation of effective security controls (policy, education, training and awareness, and technology)
• Detect: Relates to the identification of adverse events
• Respond: Relates to reacting to an incident
• Recover: Relates to putting things “as they were before” the incident
Mention to students that the third, fourth, and fifth steps apply to NIST’s IR strategy in SP 800-61.
Incident Response Policy
I. Present the purpose of the IR policy as a document that provides guidance for developing and implementing IR plans and for the formation and performance of incident response teams.
II. Analyze the core components of the IR policy as denoted in NIST’s SP 800-61, Rev. 2:
• Statement of management commitment
• Purpose and objectives of the policy
• Scope of the policy (to whom and what it applies and under what circumstances)
• Definition of InfoSec incidents and related terms
• Organizational structure and definition of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident management process
• Prioritization or severity ratings of incidents
• Performance measures
• Reporting and contact forms
III. Identify that top management must be fully on board and clearly understand the policies being created, as changes to the IT infrastructure may be required to prevent or mitigate incidents.
Incident Response Planning
I. Interpret the three characteristics that an InfoSec incident must have in order to be considered a threat (credible or not):
• It is directed against information assets.
• It has a realistic chance of success.
• It threatens the confidentiality, integrity, or availability of information resources and assets.
II. Recognize that IR is a reactive measure and not a preventive one.
III. Identify the core organization personnel who are responsible for IR planning. These are commonly the CIO, the CISO, or an IT manager with security responsibilities. Other managers may be involved but are likely to be members of the communities of interest in the organization.
IV. Stress that not only must the roles and responsibilities of the people on the team be clearly defined, but the plan must also include an alert roster. This is important because these are the go-to people who must be contacted when an incident occurs.
V. Outline the following elements an IR plan must include. This is like the CP process but with a few adjustments:
• Mission
• Strategies and goals
• Senior management approval
• Organizational approach to incident response
• How the incident response team will communicate with the rest of the organization and with other organizations
• Metrics for measuring incident response capability and its effectiveness
• Roadmap for maturing incident response capability
• How the program fits into the overall organization
VI. Detail the three sets of incident handling procedures that are classified in tandem as IR procedures:
• During the incident: The planners develop and document the procedures that must be performed during the incident. These procedures are grouped and assigned to individuals. Systems administrators’ tasks differ from managerial tasks, so members of the planning committee must draft a set of function-specific procedures.
• After the incident: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased. Again, separate functional areas may develop different procedures.
• Before the incident: The planners draft a third set of procedures: those tasks that must be performed to prepare for the incident, including actions that could mitigate any damage from the incident. These procedures include details of the data backup schedules, disaster recovery preparation, training schedules, testing plans, copies of service agreements, and BC plans, if any. At this level, the BC plan could consist just of additional material about a service bureau that stores data off-site via electronic vaulting, with an agreement to provide office space and lease equipment as needed.
VII. Propose to students that an incident and the responses that are required to mitigate it must be a product of a comprehensive understanding of the information systems and the threats the organization faces.
VIII. Establish the responsibilities of the CSIRT with respect to incidents.
• They are the required group that executes the IR plan.
• Persons who are part of this team must be available when an incident or suspicious activity is detected. Regardless of the severity, everyone on the team has a specific role to perform to squash the threat as quickly as possible with minimal damage to the organization.
• Decisions are made as a team, as their success is dependent on their participation and cooperation with others.
IX. Recall the three phases of incident response actions:
• Detection: Recognition that an incident is under way
• Reaction: Responding to the incident in a predetermined fashion to contain and mitigate its potential damage (the new NIST CSF refers to this stage as “Respond” in its Detect, Respond, Recover approach)
• Recovery: Returning all systems and data to their state before the incident
Table 5-3 provides a sample incident handling checklist from NIST SP 800-61, Rev. 2.
Data Protection in Preparation for Incidents
I. Detail the four options that organizations can use to get operations back up and running in a timely manner:
• Traditional data backups: The organization can use a combination of on-site and off-site tape-drive, hard-drive, and cloud backup methods, in a variety of rotation schemes; because the backup point is sometime in the past, recent data is potentially lost. Most common data backup schemes involve a redundant array of independent disks (RAID) or disk-to-disk-to-cloud methods.
• Electronic vaulting: The organization can employ bulk batch transfer of data to an off-site facility, usually via leased lines or secure Internet connections.
• Remote journaling: The organization can transfer live transactions to an off-site facility. Remote journaling differs from electronic vaulting in two ways: (1) only transactions are transferred, not archived data, and (2) the transfer takes place online and much closer to real time. While electronic vaulting is akin to a traditional backup, with a dump of data to the off-site storage, remote journaling involves online activities on a systems level, much like server fault tolerance, where data is written to two locations simultaneously.
• Database shadowing: The organization can store duplicate online transaction data, along with duplicate databases, at the remote site on a redundant server; database shadowing combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two separate locations.
II. Explain the 3-2-1 backup rule and why it is important for organizations to apply this method to their data backup plan (or rhythm).
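Worked example for item II (added here; not the manual's or the textbook's code). It checks a backup plan against the three conditions of the 3-2-1 rule, reporting which one fails rather than a single pass/fail, so the gap maps back to one of the four data protection options above. The two plans, their copy labels, media and locations are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DataCopy:
    """One copy of a data set in the backup plan. Values are constructed."""
    label: str
    media: str       # storage technology, e.g. "disk", "tape", "cloud"
    location: str    # where the copy physically lives
    offsite: bool    # True if it is away from the primary site


def evaluate_3_2_1(copies: List[DataCopy]) -> Dict[str, bool]:
    """Check the three conditions of the 3-2-1 rule.

    3: at least three copies of the data (the production copy counts as one);
    2: the copies span at least two different media types;
    1: at least one copy is kept off-site.
    Returns one boolean per condition so a report can say which one failed.
    """
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def meets_3_2_1(copies: List[DataCopy]) -> bool:
    return all(evaluate_3_2_1(copies).values())


def shortfalls(copies: List[DataCopy]) -> List[str]:
    """Human-readable list of the failed conditions, in 3-2-1 order."""
    messages = {
        "three_copies": "fewer than three copies of the data",
        "two_media": "all copies are on the same media type",
        "one_offsite": "no copy is kept off-site",
    }
    results = evaluate_3_2_1(copies)
    return [messages[name] for name, ok in results.items() if not ok]


# Constructed example plans. The first combines the module's options: a local
# disk-to-disk backup plus electronic vaulting to an off-site facility.
PLAN_A = [
    DataCopy("production database", media="disk", location="primary data center", offsite=False),
    DataCopy("nightly disk-to-disk backup", media="disk", location="primary data center", offsite=False),
    DataCopy("electronic vault", media="cloud", location="provider region", offsite=True),
]
# The second keeps every copy on disk in the same building; it fails all three conditions.
PLAN_B = [
    DataCopy("production database", media="disk", location="primary data center", offsite=False),
    DataCopy("mirror volume", media="disk", location="primary data center", offsite=False),
]

if __name__ == "__main__":
    for name, plan in (("A", PLAN_A), ("B", PLAN_B)):
        print(name, "meets 3-2-1:", meets_3_2_1(plan), shortfalls(plan))
```

A RAID mirror such as the one in PLAN_B protects against a disk failure but not against the site, the media type or a corrupting change affecting every copy at once, which is exactly what the three separate conditions are there to catch.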
Detecting Incidents
I. Summarize the practice of incident classification and why it is important for an IR plan to include it, so that the severity of threats that may occur can be determined.
II. Recall that incidents are the responsibility of the CSIRT, unless the organization has a security operations center (SOC).
III. Review the first step in the IR process, which is to detect the incident (termed incident detection in the text).
IV. Relate that Donald Pipkin identified three categories of incident indicators: possible, probable, and definite.
Possible Indicators
I. Outline indicators that may warrant an incident being investigated but that may be common within an organization, depending on one’s interpretation:
• Presence of unfamiliar files
• Presence or execution of unknown programs or processes
• Unusual consumption of computing resources
• Unusual system crashes
II. Give examples of each of the possible indicators outlined in the text to enhance the meaning and purpose of each one in a real-world environment.
Probable Indicators
I. Compare and contrast probable indicators with possible indicators and explain how they differ from one another.
II. Review the list of incident candidates, as outlined in the text, that are considered probable indicators of actual incidents:
• Activities at unexpected times
• Presence of new accounts
• Reported attacks
• Notification from an intrusion detection and prevention system (IDPS)
III. Summarize that probable indicators have a greater chance of an incident result but still require some investigation prior to that conclusion being made.
Definite Indicators
I. Stress that definite indicators are incident candidates of something that is happening or has happened. Better put, they are clear signals.
II. Establish an understanding that the IR plan must be activated immediately in a situation like this, and the CSIRT must act.
III. Review the list of incident candidates that are red flags and are considered definite indicators of an actual incident:
• Use of dormant accounts
• Changes to logs
• Presence of hacker tools (both physical and digital)
• Notifications by a partner or peer
• Notifications by a hacker
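Worked example covering the Possible, Probable and Definite Indicators sections together (added here; not the manual's or the textbook's code). It maps normalized events to Pipkin's three indicator levels using only the indicators listed in the text, and a triage function reports the strongest level seen, which is what decides whether the IR plan is activated immediately. The event kinds, field names, the business-hours window, the dormant-account threshold and the sample batch are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Pipkin's three indicator categories, ordered from weakest to strongest.
LEVELS = ("possible", "probable", "definite")

BUSINESS_HOURS = range(7, 20)   # assumed 07:00-19:59; adjust per organization
DORMANT_AFTER_DAYS = 90         # assumed threshold for calling an account dormant


@dataclass(frozen=True)
class Event:
    """A normalized security event. kind and details are constructed here;
    a real deployment would fill them from logs, IDPS output or help-desk tickets."""
    kind: str
    details: Dict[str, object] = field(default_factory=dict)


def classify(event: Event) -> Optional[Tuple[str, str]]:
    """Map one event to (indicator level, reason), or None if it is not an indicator."""
    d = event.details
    if event.kind == "login":
        if int(d.get("days_since_last_use", 0)) >= DORMANT_AFTER_DAYS:
            return "definite", "use of a dormant account"
        if int(d.get("hour", 12)) not in BUSINESS_HOURS:
            return "probable", "activity at an unexpected time"
        return None
    if event.kind == "account_created":
        return "probable", "presence of a new account"
    if event.kind == "idps_alert":
        return "probable", "notification from an IDPS"
    if event.kind == "external_report":
        source = str(d.get("source", ""))
        if source in ("partner", "peer", "attacker"):
            return "definite", f"notification by a {source}"
        return "probable", "reported attack"
    if event.kind == "log_modified":
        return "definite", "changes to logs"
    if event.kind == "tool_found":
        return "definite", "presence of hacker tools"
    if event.kind in ("unknown_file", "unknown_process"):
        return "possible", "presence of unfamiliar files or unknown processes"
    if event.kind in ("resource_spike", "crash"):
        return "possible", "unusual resource consumption or system crash"
    return None


def triage(events: List[Event]) -> Dict[str, object]:
    """Classify a batch and report the strongest level seen plus per-level counts.
    A 'definite' result means the IR plan is activated immediately; 'possible'
    and 'probable' results are queued for investigation."""
    counts = {level: 0 for level in LEVELS}
    reasons = []
    for event in events:
        result = classify(event)
        if result is None:
            continue
        level, reason = result
        counts[level] += 1
        reasons.append((level, reason))
    strongest = max((lvl for lvl, n in counts.items() if n), key=LEVELS.index, default=None)
    return {"strongest": strongest, "counts": counts, "reasons": reasons,
            "activate_ir_plan": strongest == "definite"}


# Constructed sample batch.
SAMPLE_EVENTS = [
    Event("login", {"user": "jsmith", "hour": 10, "days_since_last_use": 3}),      # routine
    Event("login", {"user": "svc_old", "hour": 3, "days_since_last_use": 200}),    # dormant account, at night
    Event("unknown_process", {"name": "upd.tmp"}),
    Event("idps_alert", {"signature": "constructed-signature-id"}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The dormant-account login is deliberately both "at an unexpected time" and "use of a dormant account"; the classifier returns the stronger of the two, which is why the definite check is tested first.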
Probable Incident Results
I. Focus students’ attention on the fact that regardless of whether an incident indicator was possible, probable, or definite, action must still be taken, because consequences could still result that would be detrimental to the organization.
II. Review the five most likely outcomes that an incident can cause. Whether it is a credible threat or a system having issues, these can all result:
• Loss of availability: Information or information systems become unavailable.
• Loss of integrity: Users report corrupt data files, garbage where data should be, or data that just looks wrong.
• Loss of confidentiality: There is a notification of a sensitive information leak, or information that was thought to be protected has been disclosed.
• Violation of policy: There is a violation of organizational policies addressing information or InfoSec.
• Violation of law or regulation: The law has been broken, and the organization’s information assets are involved.
Reacting to Incidents
I. Recall that once an incident has been confirmed and classified properly, the IR plan moves into the reaction phase.
II. Summarize the action steps for reacting to incidents. They include:
• Notifying key personnel
• Documenting the incident(s)
• Strategizing an incident containment plan to minimize the impact to the organization
• Escalating the incident, if applicable
Notification of Key Personnel
I. Emphasize the use of an alert roster as the first line of defense and the first step taken once the CSIRT determines that an incident is in progress.
II. Examine the two ways an alert roster is activated:
• Sequential: This option requires that a designated contact person initiate contact with each person on the roster using the identified method.
• Hierarchical: The alternate option is where the roster requires a specific number of people to be contacted who, in turn, do the same thing, and so on until all are notified.
III. Compare and contrast the advantages and disadvantages of sequentially or hierarchically contacting people within the CSIRT when an incident is in progress.
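Worked example for items II and III (added here; not the manual's or the textbook's code). It simulates both ways of activating an alert roster and counts the rounds each takes, where a round is the time of one call and calls by different people run in parallel; the output gives students a concrete basis for the speed-versus-control trade-off. The 15-member roster, the fan-out of two calls per person and the assumption that every call succeeds are constructed for the example.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

Call = Tuple[str, str, int]   # (caller, callee, round in which the call is made)


def sequential_notification(roster: List[str]) -> Tuple[int, List[Call]]:
    """One designated contact (the first name) calls everyone else in turn.
    Each call takes one round, so notifying n people takes n - 1 rounds."""
    if not roster:
        return 0, []
    caller, others = roster[0], roster[1:]
    log = [(caller, callee, i + 1) for i, callee in enumerate(others)]
    return len(log), log


def hierarchical_notification(roster: List[str], fan_out: int) -> Tuple[int, List[Call]]:
    """Every notified person calls up to fan_out others, and different callers
    work in parallel, so a round is again the duration of one call."""
    if fan_out < 1:
        raise ValueError("fan_out must be at least 1")
    if not roster:
        return 0, []
    pending: Deque[str] = deque(roster[1:])
    callers: List[str] = [roster[0]]          # notified people who still have calls to make
    calls_made: Dict[str, int] = {roster[0]: 0}
    log: List[Call] = []
    rounds = 0
    while pending:
        rounds += 1
        newly_notified: List[str] = []
        for caller in callers:                # one call per caller per round
            if not pending:
                break
            callee = pending.popleft()
            log.append((caller, callee, rounds))
            calls_made[caller] += 1
            calls_made[callee] = 0
            newly_notified.append(callee)
        # Callers with calls left keep going; the newly notified join the pool.
        callers = [c for c in callers + newly_notified if calls_made[c] < fan_out]
    return rounds, log


def compare(roster: List[str], fan_out: int) -> Dict[str, int]:
    return {
        "sequential_rounds": sequential_notification(roster)[0],
        "hierarchical_rounds": hierarchical_notification(roster, fan_out)[0],
    }


# Constructed roster of 15 CSIRT members; the first name is the designated contact.
ROSTER = [f"member{i:02d}" for i in range(1, 16)]

if __name__ == "__main__":
    print(compare(ROSTER, fan_out=2))
    for caller, callee, rnd in hierarchical_notification(ROSTER, 2)[1]:
        print(f"round {rnd}: {caller} -> {callee}")
```

The simulation is the optimistic case: with a fan-out of one the hierarchical scheme degenerates into a chain that is no faster than the sequential roster, and a single unreachable person in the chain silently blocks everyone below them, which is the control problem item III asks students to weigh.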
IV. Detail the purpose of an alert message and why it is important to broadcast it to persons within the CSIRT so the incident can be dealt with quickly and efficiently. Note that other departments, such as general management, legal, communications, and human resources, are notified prior to external sources using this method.
V. Report that other organizations may need to be notified should the incident be part of a larger-scale assault, or if it may affect them as a result.
Documenting an Incident
I. Emphasize that once an incident has been confirmed, the team should begin to document it.
II. Detail that the who, what, when, where, why, and how of each action that is taken should be noted while the incident is ongoing and up until it has concluded.
III. Note that legally, the standards of due care may offer some protection to the organization if an incident adversely affects individuals inside and outside the organization, or if it affects other organizations that use the target organization’s systems.
Incident Containment Strategies
I. Conclude that the most critical component of an IR plan is to stop the incident and contain its scope and/or impact to the organization. With time being of the essence, detailed analyses at this point are not the best use of resources, as they may prolong the attack and its result.
II. Propose the following containment strategies, provided in the text, that the CSIRT can execute to slow or stop an incident in progress:
• Disabling compromised user accounts
• Reconfiguring a firewall to block the problem traffic
• Temporarily disabling compromised processes or services
• Taking down the conduit application or server—for example, the e-mail server
• Disconnecting affected networks or network segments
• Stopping (powering down) all computers and network devices
III. Justify that the last strategy outlined above is a last-ditch effort to preserve data stored on computers so that operations can resume normally once the incident has concluded.
Incident Escalation
I. Recall that one of the challenges for the CSIRT is determining when an incident requires escalation to a disaster or when to transfer it to an outside authority to handle. This may be to authorities or another public response unit.
II. Give an example of when an incident has become so large that an IR plan would be ineffective.
III. Relate that once this action has been completed, it cannot be undone, so it should only be done when there is proper justification.
Recovering from Incidents
I. Explain that once an incident has been contained and system control has been regained within the organization, the recovery can begin.
II. Describe that the appropriate human resources must be notified once an incident has been terminated, and, at the same time, the CSIRT must go into action to do an immediate damage assessment to determine the severity of the breach.
III. To get a comprehensive picture of what happened and what resulted from the incident, system logs, intrusion detection logs, configuration logs, and other documents, as well as the documentation from the incident response, provide information on the type, scope, and extent of damage.
IV. Apply information provided by Donald Pipkin as to what the recovery process should entail. His recommendations are the following:
• Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them.
• Address the safeguards that failed to stop or limit the incident or were missing from the system in the first place. Install, replace, or upgrade them.
• Evaluate monitoring capabilities (if present). Improve detection and reporting methods or install new monitoring capabilities.
• Restore the data from backups, as needed. The IR team must understand the backup strategy used by the organization, restore the data contained in backups, and then use the appropriate recovery processes, from incremental backups or database journals, to recreate any data that was created or modified since the last backup.
• Restore the services and processes in use. Compromised services and processes must be examined, cleaned, and then restored. If services or processes were interrupted while regaining control of the systems, they need to be brought back online.
• Continuously monitor the system. If an incident happened once, it could easily happen again. Hackers frequently boast of their exploits in chat rooms and dare their peers to match their efforts. If word gets out, others may be tempted to try the same or different attacks on your systems. It is therefore important to maintain vigilance during the entire IR process.
• Restore the confidence of the organization’s communities of interest. The CSIRT, following a recommendation from management, may want to issue a short memorandum outlining the incident and assuring everyone that it was handled, and the damage was controlled. If the incident was minor, say so. If the incident was major or severely damaged systems or data, reassure users that they can expect operations to return to normal as soon as possible. The objective of this communication is to prevent panic or confusion from causing additional disruption to the operations of the organization.
V. Apply content from NIST SP 800-184 such that every organization, regardless of its size, function, or location, should have a recovery plan to guide specific efforts after an incident has occurred.
VI. Identify that prior to returning to their routine duties, the CSIRT should conduct an after-action review (AAR). Note that a designated moderator is assigned to complete the document so that it can be shared with internal and external organizations that were directly involved in the containment of the incident.
VII. List the 10 common mistakes that an organization’s CSIRTs make in incident response (IR):
• Failure to appoint a clear chain of command with a specified individual in charge
• Failure to establish a central operation center
• Failure to “know their enemy”
• Failure to develop a comprehensive IR plan with containment strategies
• Failure to record IR activities at all phases, especially help-desk tickets to detect incidents
• Failure to document the events as they occur in a timeline
• Failure to distinguish incident containment from incident remediation (as part of reaction)
• Failure to secure and monitor networks and network devices
• Failure to establish and manage system and network logging
• Failure to establish and support effective antivirus and antimalware solutions
VIII. Differentiate the recommendations that NIST SP 800-61, Rev. 2, makes with respect to handling incidents:
• Acquire tools and resources that may be of value during incident handling.
• Prevent incidents from occurring by ensuring that networks, systems, and applications are sufficiently secure.
• Identify precursors and indicators through alerts generated by several types of security software.
• Establish mechanisms for outside parties to report incidents.
• Require a baseline level of logging and auditing on all systems and a higher baseline level on all critical systems.
• Profile networks and systems.
• Understand the normal behaviors of networks, systems, and applications.
• Create a log retention policy.
• Perform event correlation.
• Keep all host clocks synchronized.
• Maintain and use a knowledge base of information.
• Start recording all information as soon as the team suspects that an incident has occurred.
• Safeguard incident data.
• Prioritize handling of incidents based on relevant factors.
• Include provisions for incident reporting in the organization’s incident response policy.
• Establish strategies and procedures for containing incidents.
• Follow established procedures for evidence gathering and handling.
• Capture volatile data from systems as evidence.
• Obtain system snapshots through full forensic disk images, not file system backups.
• Hold lessons-learned meetings after major incidents.
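Worked example for the evidence-handling recommendations above ("safeguard incident data", "follow established procedures for evidence gathering and handling", "obtain system snapshots through full forensic disk images"); it is added here and is not the manual's or the textbook's code. It hashes an acquired image, keeps a chain-of-custody log in which every hand-off re-verifies that hash, and detects either a changed image or a hand-off that recorded a different hash. The image bytes, examiner names and timestamps are constructed stand-ins; a real image would come from an imaging tool.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    """One hand-off of the evidence: who held it, what they did, when, and the
    hash they verified at that moment."""
    handler: str
    action: str
    timestamp: str      # ISO 8601 string supplied by the caller
    sha256: str


def acquire(image: bytes, examiner: str, when: str) -> Tuple[str, List[CustodyEntry]]:
    """Start a custody log for a freshly acquired image. Returns the acquisition
    hash and the log, whose first entry records that hash."""
    digest = sha256_hex(image)
    return digest, [CustodyEntry(examiner, "acquired full disk image", when, digest)]


def hand_off(image: bytes, log: List[CustodyEntry], handler: str, action: str, when: str) -> List[CustodyEntry]:
    """Append a custody entry. The handler re-hashes the image on receipt so the
    log shows the data was unchanged at every hand-off. Returns a new list; the
    existing log is never modified in place."""
    return log + [CustodyEntry(handler, action, when, sha256_hex(image))]


def verify_custody(image: bytes, log: List[CustodyEntry]) -> Tuple[bool, List[str]]:
    """True only if the log is non-empty, every later entry carries the acquisition
    hash, and the image as held now still produces that hash."""
    if not log:
        return False, ["empty custody log"]
    problems = []
    acquisition_hash = log[0].sha256
    for i, entry in enumerate(log[1:], start=1):
        if entry.sha256 != acquisition_hash:
            problems.append(f"entry {i} ({entry.handler}) recorded a different hash")
    if sha256_hex(image) != acquisition_hash:
        problems.append("current image does not match the acquisition hash")
    return not problems, problems


# Constructed stand-in for a disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed sample sectors" + b"\xff" * 512

if __name__ == "__main__":
    digest, log = acquire(SAMPLE_IMAGE, "examiner A", "2022-01-01T09:00:00+00:00")  # constructed
    log = hand_off(SAMPLE_IMAGE, log, "evidence custodian", "received for storage", "2022-01-01T10:00:00+00:00")
    print("intact:", verify_custody(SAMPLE_IMAGE, log))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"      # one byte changed after acquisition
    print("tampered:", verify_custody(tampered, log))
```

Analysis is done on a working copy while the hashed original stays in custody; if the working copy is ever handed over as evidence, re-running verify_custody against the original's log is what shows whether it can still be relied on.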
Organizational Philosophy on Incident and Disaster Handling
I. Compare and contrast the two approaches that an organization must choose from with respect to its IR and DR approach as well as its involvement with digital forensics and law enforcement agencies. The options are protect and forget and apprehend and prosecute.
• Protect and forget: This approach, also known as “patch and proceed,” focuses on the defense of data and the systems that house, use, and transmit it. An investigation that takes this approach focuses on the detection and analysis of events to determine how they happened and to prevent reoccurrence. Once the current event is over, the questions of who caused it and why are almost immaterial.
• Apprehend and prosecute: This approach, also known as “pursue and punish,” focuses on the identification and apprehension of responsible individuals, with additional attention paid to the collection and preservation of potential evidentiary material that might support administrative or criminal prosecution. This approach requires much more attention to detail to prevent contamination of evidence that might hinder prosecution.
II. Stress that an organization may find it has insufficient evidence to administer penalties and may instead have to pursue formal punishment should an employee challenge it.
III. Emphasize that without notifying individuals of data breaches, companies put themselves seriously at risk of criminal charges or corporate negligence lawsuits.
Quick Quiz 1
1. What is the term for the actions taken by management that specify the organization's efforts and actions if an adverse event becomes an incident or disaster?
a. CSIRT plan
b. contingency planning
c. business continuity plan
d. business process
Answer: b
2. Which of the following is NOT a stage as described in NIST’s SP 800-34, Rev. 1?
a. Determine mission/business process and recovery criticality.
b. Identify resource requirements.
c. Identify recovery priorities for system requirements.
d. There is no wrong answer, as these are the three stages described in this document.
Answer: d
3. Providing customer billing as mentioned in the text is an example of what?
a. potential incident that can occur in an organization
b. additional resource detail
c. mission/business process
d. description and estimated cost
Answer: c
4. True or False: The NIST Cybersecurity Framework has a total of four processes that are cyclical in nature.
Answer: False
5. True or False: Remote journaling is the process in which an organization can transfer live transactions to an off-site facility.
Answer: True
6. True or False: An alert roster is often activated in one of two ways: sequentially or hierarchically.
Answer: True
Digital Forensics (5.3, PPT Slides 60–69)
I. Comprehend that when the asset attacked is in the purview of the CISO, they are expected to understand how policies and laws require the matter to be managed. The investigation of what happened and how is called digital forensics.
II. Detail how digital forensics is based on the field of traditional forensics. Mention to students that forensics is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting.
III. Define digital forensics in the respect that it involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Like traditional forensics, it follows clear, well-defined methodologies, but still tends to be as much art as science.
IV. Outline how digital forensics is often used for two key purposes:
• To investigate allegations of digital malfeasance: Such an investigation requires digital forensics to gather, analyze, and report the findings.
• To perform root cause analysis: If the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was.
V. Relate that depending on the circumstances, some investigations are undertaken by organization personnel, whereas more severe cases require the immediate involvement of law enforcement. This is specific to cases with allegations of digital malfeasance, for example.
The Digital Forensics Team
I. Emphasize that most organizations cannot sustain a permanent digital forensics team. Even so, there should be people in the information security group trained to understand and manage the forensics process.
II. Recall that this expertise can be obtained by sending staff members to a regional or national information security conference with a digital forensics track or to dedicated digital forensics training. Organizations should be aware that this can be costly, but depending on their industry and the frequency of attacks they face, it can be a sound investment.
Affidavits and Search Warrants
I. Label that an affidavit is sworn testimony that certain facts are in the possession of the investigating officer, which they feel warrant the examination of specific items located at a specific place.
II. Distinguish that when an approving authority signs the affidavit or creates a synopsis form based on this document, it becomes a search warrant.
III. Stress that in corporate environments, the names of these documents may change and, in many cases, may be verbal in nature, but the process should be the same: formal permission is obtained before an investigation occurs.
Digital Forensics Methodology
I. State that all investigations that use digital forensics apply the same basic methodology:
• Identify relevant EM.
• Acquire (seize) the evidence without alteration or damage.
• Take steps to assure that the evidence at every step is verifiably authentic and is unchanged from the time it was seized.
• Analyze the data without risking modification or unauthorized access.
• Report the findings to the proper authority.
II. Recommend that, to support the selection and implementation of a methodology, an organization consult its legal counsel and local or state law enforcement.
III. Recommend that students review the following resources provided in the text, which should be part of an organization’s library:
• Electronic Crime Scene Investigation: A Guide for First Responders, 2nd Edition, April 2008 (https://www.ncjrs.gov/pdffiles1/nij/219941.pdf)
• Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf)
• Scientific Working Group on Digital Evidence: Published Guidelines and Best Practices (https://www.swgde.org/documents/published)
• First Responders Guide to Computer Forensics (https://resources.sei.cmu.edu/asset_files/Handbook/2005_002_001_14429.pdf)
• First Responders Guide to Computer Forensics: Advanced Topics (http://resources.sei.cmu.edu/asset_files/handbook/2005_002_001_14432.pdf)
Identifying Relevant Items
I. Explain that the affidavit and/or warrant that has been issued authorizes a search but must identify which items of evidence can be seized and their locations.
II. Emphasize that EM that fits the description on the authorization can be seized.
III. Note, though, that searches and seizures often take place under stressful conditions and strict time restrictions.
Acquiring the Evidence
I. Emphasize to students that the principal responsibility of the response team is to get the information without making any adjustments or alterations to it.
II. Present two options that can be used to acquire evidence from a system:
a. Offline: The investigator removes the power source and then uses a utility or special device to make a bit-stream, sector-by-sector copy of the hard drives contained in the system.
b. Online (or live): Alternatively, investigators use network-based tools to acquire a protected copy of the information. Classify that the key difference between the two options is that in the online case the source system cannot be taken offline, and the tools used do not alter the system while acquiring data.
III. Present Table 5-4 to students, showing them a summary of methods employed to acquire forensic data.
IV. State that not all evidentiary material is on a perpetrator’s hard drive, as that would make the perpetrator’s motive and gains too easy to uncover. A technically savvy attacker is more likely to store incriminating evidence on other digital media, such as removable drives, CDs, DVDs, flash drives, memory chips or sticks, or other computers accessed across the organization’s networks or via the Internet.
V. Relate that once evidence has been acquired, both the copy image and the original drive should be handled so as to ward off legal challenges based on authenticity and preservation of integrity.
VI. Identify how chain of evidence or chain of custody is defined as the detailed documentation of the collection, storage, transfer, and ownership of collected evidence from the crime scene through its presentation in court.
VII. Educate learners that the copy or image is typically transferred to the laboratory for the next stage of authentication. The team must be able to demonstrate that any analyzed copy or image is a true and accurate replica of the source EM. This is accomplished using cryptographic hash tools.
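As an added example (not code from the Whitman and Mattord text), the following Python sketch shows how a cryptographic hash proves that an analyzed image is a true replica of the seized media, and how each custody transfer can be logged against that hash so that a single altered byte breaks the chain. SEIZED_MEDIA is a constructed byte string standing in for a drive, and CASE_ID and the custodian names are placeholders.

```python
"""Authenticating a forensic image and recording chain of custody.

Added example for this module's notes; not code from the Whitman and
Mattord text. SEIZED_MEDIA is a constructed stand-in for a seized drive,
and CASE_ID and the custodian names are placeholders.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a seized drive's contents (not real evidence).
SEIZED_MEDIA = b"\x00" * 64 + b"constructed sample record 0117\n" + b"\xff" * 32
CASE_ID = "CASE-PLACEHOLDER-001"  # placeholder case identifier


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash that serves as the evidence item's fingerprint."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> bytes:
    """Bit-stream copy: every byte of the source, in order, nothing added."""
    return bytes(source)


def verify_image(seizure_hash: str, image: bytes) -> bool:
    """An image is authentic only if it hashes to the value taken at seizure."""
    return sha256_hex(image) == seizure_hash


@dataclass
class CustodyEntry:
    timestamp: str   # UTC, ISO 8601
    action: str      # seized, imaged, transferred, received, analyzed ...
    custodian: str   # person taking responsibility at this step
    item_hash: str   # SHA-256 of the item as handed over


@dataclass
class ChainOfCustody:
    case_id: str
    entries: list = field(default_factory=list)

    def record(self, action: str, custodian: str, item: bytes) -> CustodyEntry:
        """Log a handling step; the hash is recomputed from the item itself."""
        entry = CustodyEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            action=action,
            custodian=custodian,
            item_hash=sha256_hex(item),
        )
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """The chain holds only if every step records the same hash."""
        if not self.entries:
            return False
        first = self.entries[0].item_hash
        return all(e.item_hash == first for e in self.entries)

    def report(self) -> str:
        """Plain-text summary suitable for the investigation report."""
        lines = [f"Chain of custody for {self.case_id}"]
        for e in self.entries:
            lines.append(f"{e.timestamp}  {e.action:<10} {e.custodian:<28} sha256={e.item_hash}")
        lines.append("status: " + ("unbroken" if self.unbroken() else "BROKEN - hash mismatch"))
        return "\n".join(lines)


def demo_authentication() -> dict:
    """Walk through seizure, imaging, transfer, and detection of an altered copy."""
    seizure_hash = sha256_hex(SEIZED_MEDIA)
    image = acquire_image(SEIZED_MEDIA)
    altered = image[:-1] + b"\x00"  # one byte changed after the hand-over

    chain = ChainOfCustody(CASE_ID)
    chain.record("seized", "Investigator A (placeholder)", SEIZED_MEDIA)
    chain.record("imaged", "Investigator A (placeholder)", image)
    chain.record("received", "Lab analyst B (placeholder)", image)
    intact_before = chain.unbroken()
    chain.record("analyzed", "Lab analyst B (placeholder)", altered)

    return {
        "image_authentic": verify_image(seizure_hash, image),
        "altered_authentic": verify_image(seizure_hash, altered),
        "chain_intact_before_alteration": intact_before,
        "chain_intact_after_alteration": chain.unbroken(),
        "report": chain.report(),
    }


if __name__ == "__main__":
    print(demo_authentication()["report"])
```

The point for students is that the hash recorded at seizure, not the custodian's word, is what later proves the working copy is unchanged; every transfer re-hashes the item it actually receives, so a discrepancy is pinned to the step where it appeared.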
VIII. Justify that the most difficult and often complex part of an investigation is the analysis of the copy or image for potential EM. While the process can be performed manually using simple utilities, two industry-leading applications dominate the market for digital forensics. Recommend that students research the following software titles and summarize their findings:
a. Guidance Software’s EnCase (www.guidancesoftware.com)
b. AccessData Forensic Toolkit (FTK, at www.accessdata.com)
c. OSForensics (www.osforensics.com)
IX. Evaluate the first component of the analysis phase, indexing. Mention that tools organize files into categories, such as documents, images, and executables.
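An added example of the indexing idea (not the authors’ code, nor that of EnCase, FTK, or OSForensics): files are sorted into document, image, executable, and text categories from their leading bytes rather than their names, which also surfaces a file whose extension disagrees with its contents. SAMPLE_FILES and the short signature list are constructed for the illustration.

```python
"""Indexing acquired files by content category (document, image, executable).

Added example for this module's notes; not code from the Whitman and
Mattord text or from any forensic tool it names. SAMPLE_FILES is a
constructed set of file contents and the signature list is deliberately small.
"""
import os

# Leading-byte signatures ("magic numbers") for a handful of common formats.
SIGNATURES = [
    (b"%PDF-", "document"),
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),          # JPEG
    (b"GIF87a", "image"),
    (b"GIF89a", "image"),
    (b"MZ", "executable"),               # Windows PE
    (b"\x7fELF", "executable"),          # Linux/Unix ELF
]

# What the file name alone would lead an examiner to expect.
EXTENSION_CATEGORY = {
    ".pdf": "document", ".txt": "text",
    ".png": "image", ".jpg": "image", ".jpeg": "image", ".gif": "image",
    ".exe": "executable", ".dll": "executable",
}

# Constructed sample contents standing in for files carved from an image.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "backup.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 16,   # executable named as a picture
    "readme.txt": b"plain text, no format signature\n",
}


def categorize(data: bytes) -> str:
    """Classify by what the bytes are, not by what the name says they are."""
    for magic, category in SIGNATURES:
        if data.startswith(magic):
            return category
    # No signature: treat purely printable ASCII as text, anything else as other.
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "text"
    return "other"


def index_files(files: dict) -> dict:
    """Group file names by content category, as a forensic indexer would."""
    index = {}
    for name in sorted(files):
        index.setdefault(categorize(files[name]), []).append(name)
    return index


def extension_mismatches(files: dict) -> list:
    """Files whose extension promises one category but whose bytes say another."""
    findings = []
    for name in sorted(files):
        expected = EXTENSION_CATEGORY.get(os.path.splitext(name)[1].lower())
        actual = categorize(files[name])
        if expected is not None and expected != actual:
            findings.append((name, expected, actual))
    return findings


if __name__ == "__main__":
    for category, names in index_files(SAMPLE_FILES).items():
        print(f"{category:<11} {', '.join(names)}")
    for name, expected, actual in extension_mismatches(SAMPLE_FILES):
        print(f"MISMATCH {name}: extension says {expected}, content is {actual}")
```

Indexing by content rather than by name is what lets an examiner find an executable that was renamed to look like a photograph; real tools carry far larger signature tables and also inspect structure beyond the first bytes, but the principle is the same.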
X. Explain that once investigators have found a suitable amount of information, they can summarize their findings with a synopsis of their investigatory procedures in a report and submit it to the appropriate authority. Point out that the authority might be law enforcement or management.
Evidentiary Procedures
I. Compare and contrast how in information security, most operations focus on policies—those documents that provide managerial guidance for ongoing implementation and operations. In digital forensics, however, the focus is on procedures instead.
II. Establish an understanding that strong procedures for handling evidentiary material minimize the chance that an organization would lose a legal challenge.
III. Outline the core components of specific procedures and how to use them with regard to evidence-based practices:
• Who may conduct an investigation
• Who may authorize an investigation
• What affidavits and related documents are required
• What search warrants and related documents are required
• What digital media may be seized or taken offline
• What methodology should be followed
• What methods are required for chain of custody or chain of evidence
• What format the final report should take, and to whom it should be given
IV. Explain how the policy document should be supported by a procedures manual, developed based on the documents discussed earlier, along with guidance from law enforcement or consultants.
Disaster Recovery (5.3, PPT Slides 70–80)
I. Differentiate disaster recovery from incident planning and explain what is involved in a disaster recovery plan (DR plan). Explain that, at times, incidents are escalated to disasters depending on their severity.
II. Refresh students’ memory that the CP team creates the DR planning team (DRPT), which in turn organizes the DR response team (DRRT) should a disaster strike.
III. Review the responsibilities that a DRRT would need to execute to bring an organization back online in the event of a disaster:
• Recover information assets that are salvageable from the primary facility after the disaster.
• Purchase or otherwise acquire replacement information assets from appropriate sources.
• Reestablish functional information assets at the primary site if possible or at a new primary site, if necessary.
IV. Assemble the common elements of a DRRT as provided in the text:
• DR management team: Coordinates the on-site efforts of all other DRRTs.
• Communications team: With representatives from the public relations and legal departments, provides feedback to anyone who wants additional information about the organization’s efforts in recovering from the disaster.
• Computer recovery (hardware) team: Works to recover any physical computing assets that might be usable after the disaster and to acquire replacement assets for resumption of operations.
• Systems recovery (OS) team: Works to recover operating systems and may contain one or more specialists on each operating system that the organization employs; may be combined with the applications recovery team as a “software recovery team” or with the hardware team as a “systems recovery team” or “computer recovery team.”
• Network recovery team: Works to determine the extent of damage to the network wiring and hardware (hubs, switches, and routers) as well as to Internet and intranet connectivity.
• Storage recovery team: Works with the other teams to recover storage-related information assets; may be subsumed into other hardware and software teams.
• Applications recovery team: Works to recover critical applications.
• Data management team: Works on data restoration and recovery, whether from on-site, off-site, or online transactional data.
• Vendor contact team: Works with suppliers and vendors to replace damaged or destroyed materials, equipment, or services, as determined by the other teams.
• Damage assessment and salvage team: Specialized individuals who provide initial assessments of the extent of damage to materials, inventory, equipment, and systems on-site.
• Business interface team: Works with the remainder of the organization to assist in the recovery of nontechnology functions.
• Logistics team: Responsible for providing any needed supplies, space, materials, food, services, or facilities at the primary site; may be combined with the vendor contact team.
• Other teams as needed.
The Disaster Recovery Process
I. Examine the two criteria that classify an event as a disaster: the organization is unable to contain or control the impact of an incident, or the level of damage or destruction from an incident is so severe that the organization cannot quickly recover from it.
II. Emphasize that it rests on the DRPT’s shoulders to determine whether an event is an incident or a disaster. That decision determines which plan will be activated should the event occur.
III. Construct the eight-step sequence of creating a disaster recovery process:
• Organize the DR team: The initial assignments to the DR team, including the team lead, will most likely be performed by the CPMT; however, additional personnel may need to be assigned to the team as the specifics of the DR policy and plan are developed, and as individual roles and responsibilities are defined and assigned.
• Develop the DR planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
• Review the BIA: The BIA was prepared to help identify and prioritize critical information and its host systems. A review of what was discovered is an important step in the process.
• Identify preventive controls: Measures taken to reduce the effects of business and system disruptions can increase information availability and reduce contingency life cycle costs.
• Create DR strategies: Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.
• Develop the DR plan document: The plan should contain detailed guidance and procedures for restoring a damaged system.
• Ensure DR plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
• Ensure DR plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.
Disaster Recovery Policy
I. Summarize that upon the creation of the DR team, the manager placed in charge of the group will begin the creation of the DR policy. Note that this document may have already been created by the CP team; otherwise, the DR policy will need to be created from scratch.
II. Outline the key elements that are included in the DR policy:
• Purpose: The purpose of the DR program is to provide direction and guidance for all DR operations. In addition, the program provides for the development and support of the DR plan. In everyday practice, those responsible for the program must also work to emphasize the importance of creating and maintaining effective DR functions. As with any major enterprise-wide policy effort, it is important for the DR program to begin with a clear statement of executive vision.
• Scope: This section of the policy identifies the organizational units and groups of employees to which the policy applies. This clarification is important if the organization is geographically dispersed or is creating different policies for different organizational units.
• Roles and responsibilities: This section of the policy identifies the roles and responsibilities of the key players in the DR operation. It can include a delineation of the responsibilities of executive management down to individual employees. Some sections of the DR policy may be duplicated from the organization’s overall CP policy. In smaller organizations, this redundancy can be eliminated, as many of the functions are performed by the same group.
• Resource requirements: An organization can allocate specific resources to the development of DR plans here. While this may include directives for individuals, it can be separated from the previous section for emphasis and clarity.
• Training requirements: This section defines and highlights training requirements for units within the organization and the various categories of employees.
• Exercise and testing schedules: This section stipulates the testing intervals of the DR plan as well as the type of testing and the individuals involved.
• Plan maintenance schedule: This section states the required review and update intervals of the plan and identifies who is involved in the review. It is not necessary for the entire DR team to be involved, but the review can be combined with a periodic test of the DR plan as long as the resulting discussion includes areas for improving the plan.
• Special considerations: This section includes such items as information storage and maintenance.
Disaster Classification
I. Examine how disasters can be classified by a DR team and/or in the policies that are created as part of the team’s work.
II. Recall that disasters can be categorized by severity, type, or the amount of damage they would cause. Recognize that the authors split them into two core categories: slow-onset disasters and rapid-onset disasters.
• Slow-onset disasters are ones that build up over time; they may have started as incidents and have since become disasters.
• Rapid-onset disasters happen with little or no notice and affect lives, property, and production.
III. Relate that it is the responsibility of the senior IT or InfoSec manager, working with the CSIRT and DR team leads, to classify an incident as a disaster or not.
IV. Guide learners to review Table 5-5, which lists natural disasters, their effects, and mitigation recommendations.
Planning to Recover
I. Emphasize that in the recovery process, information is not the most important asset to focus on; rather, it is people.
II. State that organizations must take a proactive approach to cross-training employees to ensure that operations will have some sense of normalcy after a disaster strikes. This includes periodic testing of the DR plan so the effort can be carried out quickly and efficiently.
III. Review the key elements of the DR plan with respect to recovery:
• Clear delegation of roles and responsibilities: Everyone assigned to the DR team should be aware of his or her duties during a disaster. Some team members may be responsible for coordinating with local services, such as fire, police, and medical personnel. Some may be responsible for the evacuation of company personnel, if required. Others may be assigned to simply pack up and leave.
• Execution of the alert roster and notification of key personnel: These notifications may extend outside the organization to include the fire, police, or medical services mentioned earlier, as well as insurance agencies, disaster teams such as those of the Red Cross, and management teams.
• Clear establishment of priorities: During a disaster response, the priority is always the preservation of human life. Data and systems protection is subordinate when the disaster threatens the lives, health, or welfare of the employees or members of the community. Only after all employees and neighbors have been safeguarded can the DR team attend to protecting other organizational assets.
• Procedures for documentation of the disaster: Just as in an incident response, the disaster must be carefully recorded from the onset. This documentation is used later to determine how and why the disaster occurred.
• Action steps to mitigate the impact of the disaster on the operations of the organization: The DR plan should specify the responsibilities of each DR team member, such as the evacuation of physical assets or making sure that all systems are securely shut down to prevent further loss of data.
• Alternative implementations for the various system components, should primary versions be unavailable: These components include standby equipment that is either purchased, leased, or under contract with a DR service agency. Developing systems with excess capacity, fault tolerance, auto-recovery, and fail-safe features facilitates a quick recovery. Something as simple as using Dynamic Host Configuration Protocol (DHCP) to assign network addresses instead of using static addresses can allow systems to regain connectivity quickly and easily without technical support. Networks should support dynamic reconfiguration; restoration of network connectivity should be planned. Data recovery requires effective backup strategies as well as flexible hardware configurations. System management should be a top priority. All solutions should be tightly integrated and developed in a strategic plan to provide continuity. Piecemeal construction can result in a disaster after the disaster, as incompatible systems are unexpectedly thrust together.
IV. Highlight that each employee should always carry two sets of emergency information: personal emergency information (people to notify if something happens, such as next of kin, medical conditions, and a form of identification) and instructions on what to do in an emergency (such as a number to contact, emergency service numbers, and evacuation and assembly locations). Recommend that students review Figure 5-11 for an example of an emergency ID card.
Responding to the Disaster
I. Stress to students that the response to a disaster can be a make-or-break moment for the organization, depending on how it is handled.
II. Emphasize that when a primary site has been destroyed by a disaster (human-made or otherwise), the DR process transitions into a business continuity process.
Business Continuity (5.3, PPT Slides 81–88)
I. Denote to students that the purpose of business continuity is the continued operation of an organization after a disaster has occurred, which may or may not be at the original location.
II. Report the purpose of business continuity planning and the BC plan that results from it. However, mention that not every business requires this, depending on its makeup.
III. Relate that BC planning is another component of contingency planning (CP), and that its first step is planning, in line with the other processes outlined in the module.
IV. Assemble and construct the steps necessary to develop and maintain a viable and strong BC program:
• Form the BC team: As was done with the DR planning process, the initial assignments to the BC team, including the team lead, will most likely be performed by the CPMT; however, additional personnel may need to be assigned to the team as the specifics of the BC policy and plan are developed, and their individual roles and responsibilities will have to be defined and assigned.
• Develop the BC planning policy statement: A formal organizational policy provides the authority and guidance necessary to develop an effective continuity plan. As with any enterprise-wide policy process, it is important to begin with the executive vision.
• Review the BIA: Information contained within the BIA can help identify and prioritize critical organizational functions and systems for the purposes of business continuity, making it easier to understand what functions and systems will need to be reestablished elsewhere in the event of a disaster.
• Identify preventive controls: Little is done here exclusively for BC. Most of the steps taken in the CP and DRP processes will provide the necessary foundation for BCP.
• Create relocation strategies: Thorough relocation strategies ensure that critical business functions will be reestablished quickly and effectively at an alternate location following a disruption.
• Develop the BC plan: The BC plan should contain detailed guidance and procedures for implementing BC strategies at predetermined locations in accordance with management’s guidance.
• Ensure BC plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
• Ensure BC plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.
V. Emphasize that the BC plan must be updated continually, as circumstances and the nature and frequency of disasters can change over time.
Business Continuity Policy
I. Recall that business continuity planning begins with the BC policy, as outlined in the text and below.
II. Outline the key sections that must be included in the BC policy document:
• Purpose: The purpose of the BC program is to provide the necessary planning and coordination to help relocate critical business functions should a disaster prohibit continued operations at the primary site.
• Scope: This section identifies the organizational units and groups of employees to which the policy applies. This is especially useful in organizations that are geographically dispersed or that are creating different policies for different organizational units.
• Roles and responsibilities: This section identifies the roles and responsibilities of key players in the BC operation, from executive management down to individual employees. In some cases, sections may be duplicated from the organization’s overall CP policy. In smaller organizations, this redundancy can be eliminated because many of the functions are performed by the same group of individuals.
• Resource requirements: Organizations can allocate specific resources to the development of BC plans. Although this section may include directives for individual team members, it can be separated from the roles and responsibilities section for emphasis and clarity.
• Training requirements: This section specifies the training requirements for the various employee groups.
• Exercise and testing schedules: This section stipulates the frequency of BC plan testing and can include both the type of exercise or testing and the individuals involved.
• Plan maintenance schedule: This section specifies the procedures and frequency of BC plan reviews and identifies the personnel who will be involved in the review. It is not necessary for the entire BC team to be involved; the review can be combined with a periodic test of the BC plan (as in a talk-through) as long as the resulting discussion includes areas for plan improvement.
• Special considerations: In extreme situations, the DR and BC plans overlap, as described earlier. Thus, this section provides an overview of the organization’s information storage and retrieval plans. While the specifics do not have to be elaborated on in this document, the plan should at least identify where more detailed documentation is kept, which individuals are responsible, and any other information needed to implement the strategy.
III. Propose to students that the structure looks like that of a disaster recovery policy and plan. Stress that these are similar in nature but have some minor differences.
Business Resumption
I. Explain that, depending on the organization, the disaster recovery and business continuity plans are most often merged into a single function known as the business resumption plan.
II. Emphasize that the planning that takes place must support the reestablishment of business at two locations (original and alternate) when applicable.
Continuity Strategies
I. Outline the two most commonly used types of facilities used post-disaster as part of a recovery process: exclusive use and shared use.
II. Describe the three types of exclusive-use sites: hot, warm, and cold.
III. Compare and contrast the exclusive-use sites with timeshares and service bureaus, which are shared-use sites. Note that mutual agreements will likely need to be in place before a disaster occurs to allow a temporary but smooth transition while the existing facility is being rebuilt.
IV. Propose to students that a mobile site or cloud-based provisioning may be alternate options, depending on the needs of the organization and the severity of the damage.
Timing and Sequence of CP Elements
I. Comment that in most cases, DR plans focus on restoring systems after a disaster or incident has occurred. However, if damage is long-term, then additional planning and strategy must be executed for operations to continue.
II. Summarize to students that arguments are often made about the similarities of IR, DR, and BC planning, but each has specific components that differentiate it from the others and that are critical to contingency planning. Reference Figure 5-14 for the comparisons.
Crisis Management (5.4, PPT Slides 89–94)
I. Identify that an additional plan organizations often have in place is a crisis management plan. This is one that deals with human injury, trauma, or loss of life resulting from a disaster.
II. Emphasize that the human resource is the most important resource of an organization outside of the information within it.
III. Outline the roles of the crisis management planning team (CMPT), which include:
• Supporting personnel and their loved ones during the crisis
• Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
• Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
IV. Describe the responsibilities the CPMT should establish, which involve personnel from all functional parts of an organization:
• Verifying personnel status
• Activating the alert roster
• Coordinating with emergency services
V. Comment that a CM policy and plan should follow a structure and methodology similar to the other plans discussed in the module (IR, DR, and BC).
Testing Contingency Plans (5.5, PPT Slide 95)
I. Stress that written plans only go so far; organizations must test their plans frequently to find vulnerabilities and areas for improvement, and to accommodate additional threats that emerge over time.
II. Describe the four most common ways contingency plans can be tested:
• Desk checks
• Structured walk-throughs
• Simulations
• Full-interruption testing
III. Emphasize the timing of tests: conducting them during the business day may cause unnecessary interruptions and avoidable panic.
IV. Review the recommendations made by former Navy SEAL Richard Marcinko with respect to motivating a team:
• The more you sweat to train, the less you bleed in combat.
• Training and preparation can hurt.
• Lead from the front, not the rear.
• You don’t have to like it; you just have to do it.
• Keep it simple.
• Never assume.
• You are paid for results, not methods.
V. Stress the importance of cross-training so that if a real disaster occurs, roles whose assigned people are unavailable can be filled by similarly trained individuals who can assist just as effectively.
Final Thoughts on CP (PPT Slide 96)
I. Propose to students that a critical component of the NIST-based methodologies presented in this module is continuous process improvement (CPI). Each time the organization rehearses its plans, it should learn from the process, improve the plans, and then rehearse again. Each time an incident or disaster occurs, the organization should review what went right and what went wrong.
Quick Quiz 2
1. Which of the following is NOT part of the disaster recovery policy?
a. financing
b. purpose
c. exercise and testing schedules
d. scope
Answer: a
2. What type of data acquisition is done where information is taken off as a protected copy while a system is actively live for the purpose of business continuity?
a. offline
b. online
c. transitory
d. slow-dripping
Answer: b
3. A ________ is sworn testimony that certain facts are in the possession of an investigating officer, and they warrant the examination of specific items located in a location.
a. memorandum
b. piece of evidence
c. legal directive
d. affidavit
Answer: d
4. In a ________, the organization creates a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and is expected to react as if it had occurred.
a. desk check
b. simulation
c. full-interruption test
d. structured walk-through
Answer: b
5. Which of the following is a primary responsibility of the CPMT?
a. conducting a building walk-through during an emergency
b. securing financing so that physical infrastructure can be immediately replaced
c. coordinating with emergency services in the event someone is injured or killed
d. gathering criminal evidence of wrongdoing
Answer: c
6. True or False: The term chain of evidence is also known as a chain of custody.
Answer: True
7. True or False: An example of a disaster classification plan is a scale that has Minor, Moderate, Severe, and Critical categories.
Answer: True
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class.
These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. Compare and contrast the different plans that were described in the module. Split the class into two. On one side, they should explain how the plans are like each other and why some companies only have one master plan. Have the other side argue how they are different and the importance of having separate plans as part of a contingency plan for an organization. (5.1, 5.2, 5.4, PPT Slides 3–5, 8–46, 50–78, and 81–91) Duration 15 minutes.
2. Explain why crisis planning is as important as securing and protecting information that is within an organization. (5.1, 5.5, PPT Slides 3–5, 93–96) Duration 15 minutes.
3. Poll the class and determine which plan they feel is superior to another. Have them justify why one plan is more important than the others described in the module. Although they are all equally important, some may have more applicability to an organization than others. (5.2, 5.3, 5.5, PPT Slides 8–46, 50–78, 81–91, and 94–96) Duration 15 minutes.
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Have students create a simple contingency plan for a business of their choice. Ask them to apply the information from the text as well as outside resources. Group the class into small teams and designate one person from each team as the spokesperson who explains the team's plan for the chosen business.
2. Direct students to review a contingency plan for a local business or their school. Compare and contrast the strengths and weaknesses of the plan and how it can be improved upon. Ask them to explain how they would share their findings on needed improvements with the executives outlined in the module.
Additional Resources
Cengage Video Resources
• MindTap Video: Contingency Planning
Internet Resources
• American Society of Digital Forensics
• Automated Notification System Review
• Incident Handlers Handbook by Patrick Kral
• NIST Cybersecurity Framework
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3 – Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2 – Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1 – Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0 – Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 6: Legal, Ethical, and Professional Issues in Information Security
Table of Contents
Purpose and Perspective of the Module
Cengage Supplements
Module Objectives
Complete List of Module Activities and Assessments
Key Terms
What's New in This Module
Module Outline
Discussion Questions
Suggested Usage for Lab Activities
Additional Activities and Assignments
Additional Resources
Cengage Video Resources
Internet Resources
Appendix
Grading Rubrics
Purpose and Perspective of the Module
Personnel in an organization are the lifeblood that makes it run daily. Maintaining the business and having the right people on the information security team is even more important to ensure data is always kept safe and secure. In this module, students will review where and how information security should be positioned within an organization. This includes the people responsible for it, their roles, and the credentials they could earn to gain more credibility within the industry. Near the end of the module, students will gain an understanding of how employment policies and practices can support the effort. This includes special security controls and considerations that apply to personnel management.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
6.1 Explain the differences between laws and ethics.
6.2 Describe the relevant laws, regulations, and professional organizations of importance to information security.
6.3 Identify major national and international laws that affect the practice of information security.
6.4 Discuss the role of privacy as it applies to law and ethics in information security.
6.5 Explain the roles of some U.S. law enforcement agencies with an interest in information security.
Complete List of Module Activities and Assessments
For additional guidance, refer to the MindTap Educator Guide.
Module Objective | PPT slide | Activity/Assessment | Duration
6.1 and 6.2 | 8–9 | Knowledge Check 1 | 2 minutes
6.2 | 18–19 | Knowledge Check 2 | 2 minutes
6.2 | 24–25 | Knowledge Check 3 | 2 minutes
6.2–6.5 | 53–54 | Knowledge Check 4 | 2 minutes
6.1–6.5 | 58 | Self-Assessment | 5 minutes
| MindTap | Module 06 Review Questions | 30–40 minutes
| MindTap | Module 06 Case Exercises | 30 minutes
| MindTap | Module 06 Exercises | 10–30 minutes per question; 1+ hour per module
| MindTap | Module 06 Security for Life | 1+ hour
| MindTap | Module 06 Quiz | 10–15 minutes
Key Terms
In order of use:
laws: Rules that mandate or prohibit certain behavior and are enforced by the state.
ethics: The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment.
cultural mores: The fixed moral attitudes or customs of a particular group.
liability: An entity’s legal obligation or responsibility.
restitution: A legal requirement to make compensation or payment resulting from a loss or injury.
due care: Reasonable and prudent measures that an organization takes to ensure it is in compliance with a law, regulation, or requirement.
due diligence: Measures taken to ensure that an organization continues to meet the obligations imposed by laws, regulations, and requirements; the management of due care.
jurisdiction: The power to make legal decisions and judgments; also, the domain or area within which an entity such as a court or law enforcement agency is empowered to make legal decisions and perform legal actions.
long-arm jurisdiction: The ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.
privacy: In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.
aggregate information: Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. Not to be confused with information aggregation.
information aggregation: Pieces of nonprivate data that, when combined, may create information that violates privacy. Not to be confused with aggregate information.
identity theft: The unauthorized taking of personally identifiable information with the intent of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes.
personally identifiable information (PII): Information about a person’s history, background, and attributes that can be used to commit identity theft. This information typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.
cybersecurity: The affirmation or guarantee of the confidentiality, integrity, and availability of information in storage, processing, and transmission; often used synonymously with “information security.”
information assurance: See cybersecurity.
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 3 in the 6th edition.
• The sections on key laws were updated to include recent changes.
• The section on ethics was rewritten for a more compact treatment using a revised organization.
• Information on professional organizations was reorganized and updated to reflect changes in the industry.
Module Outline
Introduction to Law and Ethics in Information Security (6.1, PPT Slides 3–6)
I. Describe to students that as future information security professionals, they must understand the scope of an organization’s legal and ethical responsibilities.
II. Explain that laws and ethics are not the same thing: laws carry authority and ethics do not.
III. Describe ethics, which are based on cultural mores and express the fixed moral attitudes or customs of a particular group. Some ethics are recognized as universal among cultures.
IV. Explain that to minimize liabilities, reduce risks from electronic and physical threats, and reduce losses from legal action, the information security practitioner must understand the current legal environment, stay current with new laws and regulations, and watch for new issues as they emerge.
Organizational Liability and the Need for Counsel
I. Emphasize that even if there is no breach of criminal law, there can still be liability.
II. Define the term liability. Explain that this is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution or to compensate for wrongs committed by an organization or its employees.
III. Stress that an organization increases its liability when it refuses to take measures known as due care. Note that due care has been taken when an organization makes sure that every employee knows what acceptable or unacceptable behavior is and knows the consequences of illegal or unethical actions.
IV. Identify how due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort.
V. Recognize that, specific to the U.S. legal system, any court can impose its authority over an individual or organization if it can establish jurisdiction, that is, the court’s right to hear a case if the wrong was committed in its territory or involved its citizenry.
VI. Examine the fact that in most cases, when a case is heard in the injured party’s home area, the outcome usually favors the injured party over the defendant.
Policy Versus Law
I. Explain the difference between a policy and a law, and how they are similar and different.
II. Outline the five criteria for a policy to be enforceable:
• Dissemination (distribution): The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
• Review (reading): The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for employees who are illiterate, reading impaired, and unable to read English. Common techniques include recordings of the policy in English and alternate languages.
• Comprehension (understanding): The organization must be able to demonstrate that the employee understands the requirements and content of the policy. Common techniques include quizzes and other assessments.
• Compliance (agreement): The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include login banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.
• Uniform enforcement: The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
III. Review and discuss with students the common types of law that are found in the United States:
• Constitutional law: Originates with the U.S. Constitution, a state constitution, or local constitution, bylaws, or charter.
• Statutory law: Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes.
• Regulatory or administrative law: Originates from an executive branch or authorized regulatory agency and includes executive orders and regulations.
• Common law, case law, and precedent: Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board.
IV. Summarize the three different subtypes of statutory law as outlined in the text:
• Civil law: A wide variety of laws pertaining to relationships among individuals and organizations. Civil law includes contract law, employment law, family law, and tort law.
• Tort law: This is a subset of civil law that allows individuals to seek redress for injury. Those injuries can be personal, physical, or financial.
• Criminal law: Addresses violations harmful to society and is actively enforced and prosecuted by the state.
V. Compare and contrast private and public laws. Private laws regulate the relationships among individuals and between individuals and organizations. Public laws include criminal, administrative, and constitutional laws.
VI. Emphasize that regardless of where a business is located, leadership and employees working there must be aware of the laws and regulations that apply to them.
Types of Law
I. Define civil law, which represents a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
II. Explain how criminal law addresses violations harmful to society and is actively enforced by the state.
III. Distinguish private law. Note that it regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.
IV. Describe how public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.
Relevant U.S. Laws (6.2, PPT Slides 10–17, 20–23, and 26–30)
I. Conclude that the United States has been a leader in the development and implementation of information security legislation that prevents the misuse and exploitation of information and information technology.
General Computer Crime Laws
I. Recognize that the cornerstone of many computer-related federal laws, as mentioned in the text, is the Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA).
II. Recall that the CFAA was amended in 1996 and rebranded as the National Information Infrastructure Protection Act of 1996. Stress that punishment for prosecuted offenses includes fines, prison sentences of up to 20 years, or both, depending on the severity of the crime committed. Note that penalties often depend on the value of the information obtained and on whether the offense was committed for commercial advantage, private financial gain, or in furtherance of a criminal act.
III. Discuss the USA PATRIOT Act of 2001, which modified a wide range of existing laws to provide law enforcement agencies with broader latitude of action to combat terrorism-related activities.
IV. Report that further modifications took place in 2006, when the act was amended with the USA PATRIOT Improvement and Reauthorization Act, which made permanent 14 of the 16 expanded powers of the Department of Homeland Security (DHS) and the FBI in investigating terrorist activity. The act also reset the expiration date written into the law for certain wiretaps under the Foreign Intelligence Surveillance Act of 1978 (FISA) and revised many of the criminal penalties and procedures associated with criminal and terrorist activities.
V. Explain that the PATRIOT Sunset Extension Act of 2011 extended certain provisions of the USA PATRIOT Act, specifically those related to wiretaps, searches of business records, and the surveillance of suspected terrorists.
VI. State that in May 2015, the U.S. Senate failed to extend the USA PATRIOT Act, resulting in its expiration on June 1, 2015. However, President Obama signed the USA FREEDOM Act into law in June 2015 as a replacement. Note that this act has since expired; as of publication in 2020, action on it had been indefinitely postponed by Congress.
VII. Examine the Computer Security Act of 1987. This law was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
VIII. Evaluate the passage of the Federal Information Security Management Act (FISMA), which mandates that all federal agencies establish information security programs to protect information assets. Note that this has since been updated by the Federal Information Security Modernization Act of 2014 (FISMA Reform), which enhances the federal government’s ability to respond to security attacks on agencies and departments.
IX. State that additional laws and regulations are likely to be created in the future, and it is the responsibility of the information security team to be aware of those that could significantly affect the organization, the information it manages, or other aspects that could require changes.
Privacy
I. Define the term privacy and explain why it has become one of the hottest topics in information security since the start of the 21st century. The ability to collect information, combine facts from separate sources, and merge it all with other information has resulted in databases of information that were previously impossible to set up.
II. Interpret the understanding that as the pressure for privacy protection has significantly increased, so has the number of statutes addressing one's right to privacy.
III. Analyze the privacy of customer information. Note that the Privacy of Customer Information Section of the common carrier regulation specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes. It also stipulates that carriers cannot disclose this information except when necessary to provide their services. The only other exception is when a customer requests the disclosure of information, and then the disclosure is restricted to that customer's information only.
IV. Define the terms aggregate information and information, and explain why the two should not be confused with one another.
V. Examine the Federal Privacy Act of 1974. Stress to students that it regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission, but there are agencies, regulated businesses, and select individuals that can claim an exemption from this legislation. They are the following:
• Bureau of the Census
• National Archives and Records Administration
• Congress
• Comptroller General
• Federal courts with regard to specific issues using appropriate court orders
• Credit reporting agencies
• Individuals or organizations that demonstrate information is necessary to protect the health or safety of an individual party
VI. Review the Electronic Communications Privacy Act (ECPA) of 1986. Commonly referred to as the wiretapping act, this is a compilation of statutes that regulates the interception of wire, electronic, and oral communications. These statutes work in conjunction with the Fourth Amendment to the U.S. Constitution, which protects individual citizens from unlawful search and seizure.
VII. Discuss that the purpose of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy–Kassebaum Act, is to protect the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange. Summarize the following purposes of the legislation to students as described in the text:
• This law requires organizations that retain healthcare information to use information security mechanisms to protect this information, as well as policies and procedures to maintain this security.
• It also requires organizations to have readily available a comprehensive assessment of the organization's information security systems, policies, and procedures.
• Applicable to the patients that an organization may serve, it provides them the right to know who has access to their information and who has accessed it. The standards also restrict the use of health information to the minimum necessary for the healthcare services required.
• Identify that this was updated in 2013 with a Department of Health and Human Services Regulatory Action intended to strengthen the act's privacy and security protections.
VIII. Review the five fundamental principles that make up HIPAA legislation:
• Consumer control of medical information
• Boundaries on the use of medical information
• Accountability to maintain the privacy of specified types of information
• Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
• Security of health information
IX. Recall the Financial Services Modernization Act, or Gramm–Leach–Bliley Act of 1999. This requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. It also requires due notice to customers so that they can request that their information not be shared with third parties.
X. Guide students to Table 6-1, which lists key U.S. laws of interest that information security professionals should be cognizant of when managing information in an organization.
Identity Theft
I. Classify what is considered identity theft and provide examples of the personally identifiable information (PII) that is often stolen. Note from the text that approximately 10% of persons age 16 or older have been a victim of identity theft at least once in the prior calendar year (12 months).
II. Reference Tables 6-2 and 6-3 for additional insight and a detailed analysis of the types of identity theft and how they have increased between 2014 and 2016.
III. Recognize that in May 2006, President Bush signed an executive order creating the Identity Theft Task Force. The goals of this group are to create a strategic plan to improve the efforts of the government, private organizations, and individuals in combating identity theft. The group seeks better coordination among groups, more effective prosecution of criminals engaged in these activities, and methods to increase restitution made to victims.
IV. Discuss the fact that numerous states have laws in place specific to identity theft. However, at the federal level, the primary legislation as described is the Fraud and Related Activity in Connection With Identification Documents, Authentication Features, And Information (Title 18, U.S.C. § 1028). This criminalizes the creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment. Penalties for such offenses range from one to 25 years in prison and fines as determined by the courts.
V. Outline the four steps individuals can take when there is a suspicion or actual case of identity theft:
• Place an initial fraud alert.
• Order your credit reports.
• Create an identity theft report.
• Monitor your progress.
VI. Justify that the most up-to-date version of the CFAA is the Identity Theft Enforcement and Restitution Act, which specifically addressed the malicious use of spyware or keyloggers to steal PII. This act also created a new designation of a level of identity theft that provided much stronger penalties for violators who used 10 or more computers to commit theft. The penalties that may be levied under this act include substantial fines, from which the restitution is paid, and prison terms of up to 10 or 20 years, depending on the severity of the crime.
Export and Espionage Laws
I. Establish an understanding that the federal government enacted legislation attempting to protect American ingenuity, intellectual property, and competitive advantage with the help of Congress by passing the Economic Espionage Act (EEA) in 1996. This law attempts to prevent trade secrets from being illegally shared.
II. Relate the understanding that to further enhance this previous legislation, an additional law was enacted in 1999, the Security and Freedom Through Encryption Act of 1999 (SAFE), which provides guidance on the use of encryption and offers measures of protection from government intervention. The following provisions apply to this piece of legislation:
• Reinforce a person's right to use or sell encryption algorithms without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party for breaking the encryption of data. This is often called "key escrow."
• Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
• State that the use of encryption is not probable cause to suspect criminal activity.
• Relax export restrictions by amending the Export Administration Act of 1979.
• Provide additional penalties for the use of encryption in the commission of a criminal act.
U.S. Copyright Law
I. Illustrate to students that intellectual property is recognized as a protected asset in the United States. U.S. copyright laws extend this privilege to the published word, which includes electronic formats.
II. Explain how fair use of copyrighted materials includes their use to support news reporting, teaching, scholarship, and many other related activities, provided the use is for educational or library purposes, not for profit, and is not excessive.
III. Emphasize that if proper acknowledgment is provided to the original author of such works, including a proper citation, and the work is not represented as one's own, it is entirely permissible to include portions of someone else's work as reference.
Financial Reporting
I. Recall that the Sarbanes–Oxley Act of 2002, a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms, seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.
II. Emphasize that executives working in firms covered by this law will seek assurance on the reliability and quality of information systems from senior information technology managers who, in turn, will likely ask information security managers to verify the confidentiality and integrity of those same information systems.
Freedom of Information Act of 1966
I. Justify that this law provides the right of any person to request access to federal agency records or information not determined to be a matter of national security.
These requests must be made in writing and are enforceable in court should noncompliance occur.
II. Stress that this does not apply to state or local government agencies, private businesses, or individuals, except in states that have their own Freedom of Information Act (FOIA).
Payment Card Industry Data Security Standards (PCI DSS)
I. Explain that the Payment Card Industry (PCI) Security Standards Council offers a standard of performance with which participating organizations must comply. Point out that it is not a law, but is a standard designed to enhance the security of customers' account data.
II. Review the six areas that the PCI DSS addresses with respect to security policies, procedures, and management, as well as technical software and networking specifications:
• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
State and Local Regulations
I. Remind students that in addition to the national and international restrictions placed on organizational use of computer technology, each state or locality may have a number of its own applicable laws and regulations.
II. Apply the examples provided in the text of how the state of Georgia passed legislation in 1991 and 1998 (the latter being updated in 2002 and 2010). Stress to students that information security professionals must be aware of such legislation to ensure that the organization's security policies and procedures comply with those laws and regulations.
Quick Quiz 1
1. What is a type of law that represents all laws that apply to a citizen (or subject) of a jurisdiction?
a. criminal law
b. private law
c. civil law
d. public law
Answer: c
2. What is a type of law that addresses violations harmful to society and that is enforced by prosecution by the state?
a. criminal law
b. private law
c. public law
d. civil law
Answer: a
3. Which law regulates the role of the healthcare industry in protecting the privacy of individuals?
a. GLB
b. FOIA
c. HIPAA
d. CFAA
Answer: c
4. The generally recognized term for the government protection afforded to intellectual property (written and electronic) is called which of the following?
a. computer security law
b. copyright law
c. aggregate information
d. data security standards
Answer: b
5. True or False: The cornerstone of many current federal computer-related criminal laws is the Computer Fraud and Abuse Act of 1986.
Answer: True
6. True or False: Regardless of what information a company manages, it is shielded from local and state laws and regulations because the federal laws supersede them.
Answer: False
International Laws and Legal Bodies (6.3, PPT Slides 32–35)
I. Determine that it is important for IT professionals and information security practitioners to realize that when their organizations do business on the Internet, they do business globally. This is especially true with the advent of the Internet and globalization of the marketplace.
II. Explain that professionals who conduct business internationally must be sensitive to the laws and ethical values of numerous cultures, societies, and countries.
III. Stress the fact that there are few international laws applicable to privacy and information security, and the ones that exist are limited in their enforceability. This can potentially create challenges and/or issues for an organization that is located in multiple countries.
U.K. Computer Security Laws
I. Compare and contrast laws that are enforceable in the United Kingdom (U.K.) with the ones that have been described in the United States. Those of importance and described in the text are the following:
• Computer Misuse Act, 1990: Defines three "computer misuse offenses": unauthorized access to computer material, unauthorized access with intent to commit or facilitate commission of further offenses, and unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computers, etc.
• Privacy and Electronic Communications (EC Directive) Regulations, 2003: Revoked the Data Protection and Privacy Regulations of 1999 and focuses on protection against unwanted or harassing phone, e-mail, and SMS messages.
• Police and Justice Act, 2006: Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as "unauthorized acts with intent to impair operation of computers, etc.," and the manufacture or provision of materials used in computer misuse offenses.
• Personal Internet Safety, 2007: A report published by the House of Lords Science and Technology Committee provided a public service and criticized the U.K. government's lack of action in protecting personal Internet safety.
Australian Computer Security Laws
I. Review laws that are currently enforceable in Australia and determine how they are similar to, yet different from, the ones in place in the United States. Discuss with students the following laws mentioned in the text as described here:
• Privacy Act, 1988: Regulates the collection, storage, use, and disclosure of personal information. Applies both to private and public sectors. Contains 11 information privacy principles for handling personal information by most public-sector agencies, and 10 national privacy principles for handling of personal information by nongovernment agencies.
• Telecommunications Act, 1997: Updated as of October 2013; contains regulation related to the collection and storage of privacy data held by telecommunications service providers.
• Corporations Act, 2001: Updated by the Corporations Regulations of 2001 and 2002; focuses on business relationships but, like SOX, contains provisions related to financial reporting and audits.
• Spam Act, 2003: Legislation designed to regulate the amount of unwanted commercial marketing materials, especially via e-mail. Requires businesses to obtain consent of recipients, ensure that businesses accurately identify the recipients, and provide a mechanism by which the recipients may unsubscribe from commercial messages.
• Cybercrime Legislation Amendment Bill, 2011: Designed to align Australian laws with the European Convention on Cybercrime (see next section); the bill specifies information that communications carriers and Internet service providers must retain and surrender when requested by law enforcement.
Council of Europe Convention on Cybercrime
I. Explain that the Council of Europe adopted the Convention on Cybercrime in 2001. It provides for the creation of an international task force to oversee a range of security functions associated with Internet activities for standardized technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law.
II. Relate that the updated set of laws known as the General Data Protection Regulation (GDPR) has specific requirements regarding the transfer of data from the EU. One of these requirements is that transfers can occur only to countries deemed to have adequate data protection laws. The Privacy Shield is designed to implement a program in which participating companies are deemed as having adequate protection, which will facilitate the transfer of information.
World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights
I. Explain how the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO), introduced intellectual property rules into the multilateral trade system.
II. Outline the five issues that the WTO TRIPS agreement covers, as mentioned in the text:
• How basic principles of the trading system and other international intellectual property agreements should be applied
• How to give adequate protection to intellectual property rights
• How countries should enforce those rights adequately in their own territories
• How to settle disputes on intellectual property between members of the WTO
• Special transitional arrangements during the period when the new system is being introduced
Digital Millennium Copyright Act
I. Explain how the Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially through the removal of technological copyright protection measures.
II. Discuss with students how in 1995 the European Union adopted Directive 95/46/EC, which added protection for individuals with regard to the processing of personal data and the use and movement of such data. Note that the United Kingdom has implemented its own version, known as the Database Right, to comply with this directive.
III. Classify the provisions of the DMCA:
• Prohibits the circumvention of protections and countermeasures implemented by copyright owners to control access to protected content.
• Prohibits the manufacture of devices to circumvent protections and countermeasures to control access to protected content.
• Bans trafficking in devices manufactured to circumvent protections and countermeasures to control access to protected content.
• Prohibits the altering of information attached or embedded into copyrighted material.
• Excludes Internet service providers from certain forms of contributory copyright infringement.
IV. Recall that in June 2016, the United States and the European Union (EU) signed an agreement that would supersede the Safe Harbor agreement. This new agreement serves as a data privacy umbrella for EU citizens and allows cooperation between American and European law enforcement agencies in criminal investigations. However, due to the ambiguity of this agreement, companies have considered the adoption of Binding Corporate Rules (BCRs) accreditation.
Ethics and Information Security (6.4, PPT Slides 36–41)
I. Justify that many professional groups have explicit rules governing ethical behavior in the workplace. Note that the information technology and security fields do not have a binding code of ethics.
II. Detail that professional associations (such as the Association for Computing Machinery and the Information Systems Security Association) and accreditation agencies (such as ISC2) work to establish the profession's ethical codes of conduct instead.
III. Recall and encourage students to review the Ten Commandments of Computer Ethics provided in the module.
Ethical Differences Across Cultures
I. Discuss cultural differences that can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers. Note that there are challenges that can arise when one nationality's ethical behavior is seen as unethical in another national group.
II. Recall that approximately 90 percent of all software is created in the United States, though 37 percent of all software installed was not properly licensed.
III. Review the study published in 1999 examining computer-use ethics. Discuss the following conclusions from the study, applying the information in Table 6-5:
• The study selected several computer-use vignettes and presented them to students in universities in nine nations.
• Responses indicated a degree of ethical sensitivity or knowledge about the performance of the individuals in the short case studies.
• The scenarios were grouped into three categories of ethical computer use: software license infringement, illicit use, and misuse of corporate resources.
Software License Infringement
I. Review the findings from the study and draw conclusions from the following observations from the study results:
• Overall, most of the nations studied had similar attitudes toward software piracy.
• Statistically speaking, only the United States and the Netherlands had attitudes that differed substantially from those of all other countries examined.
• The United States was significantly less tolerant of piracy, while the Netherlands was significantly more permissive.
• Peer pressure, the lack of legal disincentives, the lack of punitive measures, or any one of a host of other reasons could also explain why these alleged piracy centers were not oblivious to intellectual property laws.
II. Emphasize strongly that software license infringement is a serious issue for an information security team, as invalid software on a network can result in numerous financial and nonfinancial consequences for an organization.
Illicit Use
I. Demonstrate that there was a common theme between countries where participants condemned viruses, hacking, and other forms of system abuse.
II. Establish the fact, though, that there were different degrees of tolerance among the groups measured.
Misuse of Corporate Resources
I. Outline that overall, the use of company equipment for personal use was viewed leniently among the groups polled.
II. Denote that Singapore and Hong Kong were the only countries that viewed the personal use of company equipment as unethical.
III. Comment that overall, the researchers found that there is a general agreement among nationalities as to what is acceptable or unacceptable computer use.
IV. There is, however, a range of views as to whether some actions are moderately or highly unacceptable.
Ethics and Education
I. Emphasize that employees must be trained and kept aware of many topics related to information security, not the least of which are the expected behaviors of an ethical employee and cultural differences that can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers.
II. Recall that it is critically important in information security to recognize that many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Hence, this gap must be closed as promptly as possible with relevant training and knowledge so they can be held accountable for unethical actions they may take unknowingly or otherwise.
Deterring Unethical and Illegal Behavior
I. Justify strongly that it is the responsibility of information security personnel to do everything in their power to deter illegal, immoral, or unethical behavior and to use policy, education and training, and technology to protect information and systems.
II. Compose and describe the three general causes of illegal behavior:
• Ignorance: Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of deterrence is education, which is accomplished by designing, publishing, and disseminating an organization's policies and relevant laws, and by obtaining agreement to comply with these policies and laws from all members of the organization. Reminders, training, and awareness programs keep policy information in front of employees to support retention and compliance.
• Accident: People who have authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental modification to systems and data.
• Intent: Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those with intent to cause harm or damage is best accomplished by means of technical controls, and vigorous litigation or prosecution if these controls fail.
III. Relate the three conditions that must be present to deter people from executing illegal or unethical behaviors (apply the graphical reference in Figure 6-4 as part of the conversation):
• Penalties: Potential offenders must fear the penalty. Threats of informal reprimand or verbal warnings do not have the same impact as the threat of imprisonment or forfeiture of pay.
• Apprehension: Potential offenders must know that there is a strong chance they will be caught.
• Application of penalties: Potential offenders must be aware that penalties will be administered should an offense occur.
Code of Ethics of Professional Organizations (6.4, PPT Slides 42–47)
I. Explain how many professional organizations have established codes of conduct or codes of ethics that members are expected to follow.
II. Stress that codes of ethics often have a positive effect on an individual's judgment regarding computer use. Comment that the awareness factor is one of many that steers personnel to do the right things, as they know they can be called out or caught.
III. Guide students to review Table 6-6, as it provides the most common professional organizations applicable to information security professionals.
Major IT and InfoSec Professional Organizations
I. Explain that most IT and information security organizations have their own codes of ethics, and what is contained in them may vary from one another.
Association for Computing Machinery (ACM)
I. Present the fact that the ACM (www.acm.org) is a respected professional society, originally established in 1947 as "the world's first educational and scientific computing society."
II. Summarize that the ACM's code of ethics requires members to perform their duties in a manner befitting an ethical computing professional. The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others.
International Information Systems Security Certification Consortium, Inc. (ISC)2
I. Distinguish to students that (ISC)2 is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials. Its code of ethics is primarily designed for information security individuals who have earned a certification from the organization.
II. Describe the four mandatory ethical canons as outlined in the text with respect to this organization:
• Protect society, the commonwealth, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
SANS
I. Describe the System Administration, Networking, and Security Institute (SANS), a professional organization with a large membership group, with over 153,000 members since its inception in 1989, that is dedicated to the protection of information and systems.
II. Report that SANS offers a set of certifications called the Global Information Assurance Certification, or GIAC.
ISACA
I. Relate that this organization was originally known as the Information Systems Audit and Control Association. ISACA is a professional association that focuses on auditing, control, and security. The membership comprises both technical and managerial professionals.
II. Justify that its main purpose is to provide IT control practices and standards; it includes many information security components within its areas of concentration, although it does not focus exclusively on information security.
Information Systems Security Association (ISSA)
I. Comment that this organization is a nonprofit society of information security professionals. As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development.
II. Apply the fact that ISSA also promotes a code of ethics whose focus is “promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources.”
EC-Council
I. Explain that this is a security organization founded by Jay Bavisi that offers a variety of security, technical, and managerial certifications. These include its renowned Certified Ethical Hacker (CEH) and CCISO certifications.
II. Emphasize that the organization promotes a 19-point code of ethics for its certificate-holding programs, and recommend that students visit https://www.eccouncil.org/code-of-ethics/ for more information.
Key U.S. Federal Agencies (6.5, PPT Slides 48–52)
I. Discuss the key U.S. federal agencies charged with the protection of American information resources and the investigation of threats to, or attacks on, these resources.
Department of Homeland Security
I. Describe the Department of Homeland Security (DHS), created in 2003 through the Homeland Security Act of 2002, which was passed in response to the events of September 11, 2001.
II. Outline the structure of DHS and its five directorates or divisions through which it carries out its mission of protecting the people, as well as the physical and informational assets, of the United States. Note the ones that are applicable to information security in the text:
• The Science and Technology Directorate is responsible for research and development activities in support of homeland defense.
III. Identify that DHS works with academic institutions nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research.
IV. Emphasize that its efforts ensure the continuing examination of vulnerabilities throughout the nation’s infrastructure. This occurs through the extended role of its Cybersecurity and Infrastructure Security Agency (CISA), which offers a variety of services to government, industry and the private sector, academia, nonprofit/NGO organizations, and the general public through its services portal, as illustrated in its services catalog.
US-CERT
I. Explain that the U.S. Computer Emergency Readiness Team (US-CERT) is a division of DHS’s National Cybersecurity and Communications Integration Center (NCCIC). Note that DHS provides mechanisms to report phishing, malware, software vulnerabilities, and other types of security incidents.
U.S. Secret Service
I. Describe the U.S. Secret Service, which was relocated from the Department of the Treasury to the DHS in 2002. It has been charged with the responsibility of safeguarding the nation’s financial infrastructure and payment systems to preserve the integrity of the economy.
II. Discuss the strategic objectives that address cybersecurity-related activity as mentioned in the text relative to this organization.
Federal Bureau of Investigation (FBI)
I. Recognize that this group is the primary U.S. law enforcement agency, and it investigates both traditional crimes and cybercrimes, as well as works with the U.S. Attorney’s Office to prosecute suspects under federal law (the U.S. Code).
II. Review the focus and priorities of this agency, noting that computer network intrusions, identity theft, and fraud are the information security crimes with which it is most concerned.
National InfraGard Program
I. Explain that the national InfraGard program began as a cooperative effort between the FBI’s Cleveland field office and local technology professionals, and it was established in January 2001.
II. Summarize the following points made in the text with respect to this program, which is used to share information about attacks, vulnerabilities, and threats:
• This is a collaborative effort between public and private organizations as well as the academic community.
• The national InfraGard program serves its members in four basic ways: maintaining an intrusion alert network using encrypted e-mail; providing and upkeeping a secure Web site for communication about suspicious activity or intrusions; sponsoring local chapter activities; and operating a help desk for questions.
National Security Agency (NSA)
I. Identify the purpose of the NSA and what it is responsible for within the federal government. Discuss the following with students with respect to this agency:
• The NSA is responsible for signals intelligence and information system security.
II. Explain that the IAD is responsible for the protection of systems that store, process, and transmit classified information.
III. Emphasize that the NSA has a program to certify curriculum in information security.
• The Information Assurance Courseware Evaluation process examines information security courses in an institution and, if accepted, provides a three-year accreditation.
• Graduates of these programs receive certificates that indicate this accreditation.
Quick Quiz 2
1. Which of the following is an American contribution to an effort to improve copyright protection internationally?
a. Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS)
b. Digital Millennium Copyright Act (DMCA)
c. Privacy and Electronic Communications Regulations of 2003
d. Telecommunications Act of 1997
Answer: b
2. Which of the following respected professional societies was founded in 1947 as "the world’s first educational and scientific computing society"?
a. Council of Europe Convention on Cybercrime
b. SANS
c. Information Systems Security Association
d. Association of Computing Machinery (ACM)
Answer: d
3. What is the name of a nonprofit organization that focuses on the development and implementation of information security certifications?
a. International Information Systems Security Certification Consortium, Inc.
b. Information Systems Audit and Control Association
c. System Administration, Networking, and Security Institute
d. Information Systems Security Association
Answer: a
4. True or False: The Federal Bureau of Investigation (FBI) is the federal agency responsible for signals intelligence and information system security of classified systems.
Answer: False
5. True or False: The National Security Agency (NSA) is responsible for the security of all national critical infrastructure.
Answer: False
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. Compile a list of ethical dilemmas your students might face when they are on the job. Pose them as thought problems or ask students to explain their choices. (6.1, 6.2, PPT Slides 3–7, 10–17, 20–23, and 26–31) Duration 15 minutes.
2. Privacy is a hot-button topic for most students. Discuss how the definition of privacy that is commonly used (freedom from observation) may differ from the definition of privacy from the information security perspective (freedom from unsanctioned intrusion). (6.2, 6.4, PPT Slides 3–7, 10–17, 20–23, 26–52) Duration 15 minutes.
3. Regulation of information and the systems it resides in has increased dramatically over the years. Poll students in the course and ask them whether there is (a) not enough regulation, (b) enough regulation, or (c) a need for more regulation, and why. (6.2, 6.3, 6.5, PPT Slides 3–7, 10–17, 20–23, 26–35, and 48–52) Duration 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Have each student find a newspaper or magazine article from the past month that shows a conviction or the ongoing prosecution of a cybercrime perpetrator.
2. Invite students who are employed in larger organizations to write a short essay that documents the enforceability of their organization’s information security according to the terms expressed in the “Policy Versus Law” section on page 225.
[return to top]
Additional Resources
Cengage Video Resources
• MindTap Video: Intellectual Property and Copyright Law
Internet Resources
• Center for Democracy and Technology
• Electronic Frontier Foundation
• Elcomsoft Verdict: Not Guilty
• FISMA Implementation Project
• Legal in US: Jailbreaking your iPhone, ripping a DVD for educational purposes
• National Security Agency (NSA)
• PCI DSS
• Summary of the HIPAA Security Rule
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]
Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 7: Security and Personnel
Table of Contents
Purpose and Perspective of the Module
Cengage Supplements
Module Objectives
Complete List of Module Activities and Assessments
Key Terms
What's New in This Module
Module Outline
Discussion Questions
Suggested Usage for Lab Activities
Additional Activities and Assignments
Additional Resources
Cengage Video Resources
Internet Resources
Appendix
Grading Rubrics
Purpose and Perspective of the Module
In this module, students will review where and how the information security function should be positioned within an organization. This includes the people responsible for it, their roles, and the credentials they can earn to gain more credibility within the industry. Near the end of the module, students will gain an understanding of how employment policies and practices can support the effort. This includes special security controls and considerations that apply to personnel management.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
7.1 Describe where and how the information security function should be positioned within organizations.
7.2 Explain the issues and concerns related to staffing the information security function.
7.3 List and describe the credentials that information security professionals can earn to gain recognition in the field.
7.4 Discuss how an organization’s employment policies and practices can support the information security effort.
7.5 Identify special security controls and privacy considerations for personnel management.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
7.1 | 6–7 | Knowledge Check Activity 1 | 2 minutes
7.2 | 15–16 | Knowledge Check Activity 2 | 2 minutes
7.3 | 28–29 | Knowledge Check Activity 3 | 2 minutes
7.4 | 45–46 | Knowledge Check Activity 4 | 2 minutes
 | 59 | Self-Assessment | 5 minutes
 | MindTap | Module 07 Review Questions | 30–40 minutes
 | MindTap | Module 07 Case Exercises | 30 minutes
 | MindTap | Module 07 Exercises | 10–30 minutes per question; 1+ hour per module
 | MindTap | Module 07 Security for Life | 1+ hour
 | MindTap | Module 07 Quiz | 10–15 minutes
[return to top]
Key Terms
In order of use:
exit interview: A meeting with an employee who is leaving the organization to remind the employee of contractual obligations, such as nondisclosure agreements, as well as to obtain feedback about the employee’s tenure.
separation of duties: The principle that requires significant tasks to be split up so that more than one employee is required to complete them.
two-person control: The organization of a task or process so that at least two employees must work together to complete it. Also known as dual control.
job rotation: The requirement that every employee be able to perform the work of another employee.
task rotation: The requirement that all critical tasks can be performed by multiple employees.
need to know: The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks.
least privilege: The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation needed; least privilege implies a need to know.
[return to top]
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 11 in the 6th edition.
• The entire module was refreshed with a general update and given more current examples.
[return to top]
Module Outline
Introduction to Security and Personnel (7.1, PPT Slide 3)
I. Review the key tasks specific to security and personnel that must be done as early as possible to implement information security within an organization.
• First, the organization must decide how to position and name the security function.
• Second, the information security community of interest must plan for the proper staffing for the information security function.
• Third, the IT community of interest must assess the impact of information security on every IT function and adjust job descriptions and documented practices accordingly.
• Finally, the general management community of interest must work with the information security professionals to integrate solid information security concepts into the personnel management practices.
II. Learn that a behavioral feasibility study must be conducted before any program is carried out. This includes getting employee feedback early in the process so that it can be considered when the plan is developed.
III. Present to students three common questions raised by the personnel who will be affected when an information security plan is constructed:
• Will management be monitoring my work or my e-mail?
• Will information security staff go through my hard drive looking for evidence to fire me?
• Will the information security changes affect how efficient and effective I am in my job?
Positioning the Security Function (7.2, PPT Slide 4)
I. Emphasize that often in large organizations, the information technology (IT) department houses the information security (IS) department and designates a chief information security officer (CISO) or chief security officer (CSO) to operate it.
II. Advocate to learners that according to the 2019 (ISC)2 Cybersecurity Workforce Study, the fewer the people in an organization, the less likely a CISO or CSO would be handling security duties.
III. Stress that the CISO most commonly reports directly to the company’s top computing executive, the CIO or vice president for IT. Such a structure implies that the goals and objectives of the CISO and CIO are aligned, but this is not always the case.
IV. Review the core functions that a CISO or CSO often completes daily.
V. Justify the fact that a CIO and CISO often have conflicting goals, which may require an organization to maintain two separate departments to keep the peace.
VI. Outline the best practices listed in Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy, that an organization should implement so that an information security program is positioned for success within any of the following organizational functions:
• IT, as a peer of other subfunctions such as networks, applications development, and the help desk.
• Physical security, as a peer of physical security or protective services.
• Administrative services, as a peer of human resources or purchasing.
• Insurance and risk management.
• The legal department.
VII. Relate that once a structure has been identified, the next challenge that an organization often faces is the establishment of a reporting structure that balances the competing needs of each community of interest it will serve. This balance is between keeping information safe and secure while integrating it into the culture through training, awareness, and support services.
Staffing the Information Security Function (7.2, PPT Slides 8–14 and 19–22)
I. Discuss the criteria on which selecting information security personnel is based, including the principles of supply and demand. This is likely a combination of experience, certifications, and knowledge.
II. Recall that most information security (IS) professionals who want to enter the market do so by gaining the skills, experience, and credentials they need to qualify as new supply.
III. Understand that if the new supply of professionals is limited, an organization will have to pay more to get the best talent in the door to meet its needs. Alternately, the opposite is true once the supply meets or exceeds the demand. That is when an organization that needs to hire these individuals can become selective, and the pay it offers drops.
IV. Quantify the fact that by 2029, demand for IS professionals is estimated to increase by 31 percent, outpacing the 4 percent average growth for other occupations, according to the Bureau of Labor Statistics (BLS).
V. Recommend students review Figure 7-2 to emphasize where demand for personnel is likely the greatest in the field of information security.
VI. Assess that with current projections and the pace of hiring, there will be a continued shortfall of personnel, which could, in turn, put organizations at risk if they are unable to bring in professionals to maintain and protect their data.
Qualifications and Requirements
I. Justify the fact that because information security is a new field, there is often a lack of understanding about what qualifications applicants need for the roles they fill.
II. Assess the recommendations provided with respect to how an organization can optimize its hiring practices. As mentioned in the text, they are the following:
• The general management community of interest should learn more about the skills and qualifications for information security positions and IT positions that affect information security.
• Upper management should learn more about the budgetary needs of information security and its positions.
• This knowledge will enable management to make sound fiscal decisions for information security and the IT functions that carry out many information security initiatives.
• The IT and general management communities should grant appropriate levels of influence and prestige to information security, especially to the role of CISO.
III. Examine the fundamentals that an IS professional must understand in order to be, at a minimum, considered for an interview or conversation:
• How an organization operates at all levels.
• Awareness that information security is usually a management problem and is seldom an exclusively technical problem.
• How to work with people and collaborate with end users, and the importance of strong communications and writing skills.
• The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution rather than part of the problem.
• Most mainstream IT technologies at a general level, not necessarily as an expert.
• The terminology of IT and information security.
• The threats facing an organization and how they can become attacks.
• How to protect an organization’s information assets from attacks.
• How business solutions, including technology-based solutions, can be applied to solve specific information security problems.
Entry into the Information Security Profession
I. Outline and classify the two common points of entry into the information security profession: ex-law enforcement and military personnel, and technical professionals.
II. Gain awareness that college graduates and upper-division students are selecting and tailoring degree programs to prepare to work in the field of information security.
III. Assess the common current perception that a security professional must first be a proven professional in another field of IT. However, IT professionals who move into information security tend to focus on the technology, sometimes in place of general information security issues.
Information Security Positions
I. Explain that applying standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities among organizations.
II. Recommend to students that organizations that are revising the roles and responsibilities of information security staff should consult Wood’s book, Information Security Roles and Responsibilities Made Easy.
III. Present the common job position categories provided in Figure 7-4 and where they are commonly located in an organization’s IS hierarchy.
Chief Information Security Officer (CISO)
I. Comprehend that a CISO is often the top information security officer in an organization.
II. Recognize that CISOs are often business managers first and technologists second, and may not be in an executive-level position depending on the organization.
III. Outline the responsibilities of a CISO:
• Manages the overall information security program for the organization.
• Drafts or approves information security policies.
• Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans.
• Develops information security budgets based on available funding.
• Sets priorities for the purchase and implementation of information security projects and technology.
• Makes decisions or recommendations for the recruiting, hiring, and firing of security staff.
• Acts as the spokesperson for the information security team.
IV. Recall that the most common certification for this type of position is the Certified Information Security Manager (CISM). Additionally, a graduate degree in one of the following areas is also often required: criminal justice, business, or information technology.
Chief Security Officer (CSO)
I. Compare and contrast the CISO and CSO positions. Depending on the organization, the CISO’s position may be combined with physical security responsibilities or may even report to a security manager who is responsible for both logical (information) security and physical security.
II. Stress to students that a CSO must be capable and knowledgeable in both information security requirements and the “guards, gates, and guns” approach to protecting the physical infrastructure, buildings, and grounds of a place of business.
III. Note that the professional experience a CSO possesses is often that of a security manager with planning, policy, and budget experience.
Security Manager
I. Apply knowledge presented in the text that security managers are accountable for the day-to-day operation of the information security program. They accomplish the objectives that are identified by the CISO and resolve issues that are identified by technicians.
II. Recall that candidates for this position often have a CISSP. Traditionally, managers earn the CISSP, and technical professionals earn the Global Information Assurance Certification (GIAC).
III. Identify that security managers must have the ability to draft middle- and lower-level policies as well as standards and guidelines. They must have experience in traditional business matters, including budgeting, project management, and hiring and firing. They must also be able to manage technicians, both in the assignment of tasks and in the monitoring of activities.
IV. Gain awareness that general job descriptions for this type of position often create confusion with respect to the title of the position and the reporting relationship.
Security Analyst
I. Establish that security analysts are often known as security technicians, security architects, and/or security engineers.
II. Examine the core duties of security analysts. Based on the need, they are technically qualified employees who configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with administrators to ensure that security is properly implemented.
III. Review the fact that this position is often entry-level, but some technical skills are required for professionals in this role to be successful. If they want to advance, they need to gain experience in at least one major security technology group or specialize in the hardware or software packages the organization uses.
IV. Identify the highly specialized nature of the security analyst role: analysts tend to focus on one major security technology group, and further specialize in one software or hardware package within the group.
V. Relate that the technical qualifications and position requirements for a security analyst are varied. Organizations prefer the expert, certified, proficient technician. Regardless of the area, the job description includes some level of experience with a particular hardware and software package. Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.
Quick Quiz 1
I. To assess the effect that information security changes will have on the organization’s personnel management practices, the organization should conduct which of the following studies before the implementation phase?
a. security audit b. project feasibility c. behavioral feasibility d. employee feedback
Answer: c
II. Which of the following positions is typically the top information security employee in the organization?
a. CISO b. CEH c. Security Manager d. CSO
Answer: c
III. Which of the information security roles is usually tasked with configuring firewalls, deploying IDSs, implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure that security technology is operating to protect the organization?
a. Security Analyst b. CISO c. CSO d. Security Manager
Answer: d
IV. Which of the following information security roles is accountable for the day-to-day operation of the information security program?
a. Security Analyst b. CISO c. CSO d. Security Manager
Answer: a
V. True or False: In most organizations, the security analyst position is a senior-level position that requires numerous years of experience and certifications.
Answer: False
Credentials for Information Security Professionals (7.3, PPT Slides 23–27 and 30–32)
I. Identify that many organizations seek industry-recognized certifications when reviewing the credentials of applicants.
II. Relate that existing certifications are relatively new and not fully understood by hiring organizations.
III. Discuss how the certifying bodies are working to educate employers and professionals on the value and qualifications of their certificate recipients.
(ISC)2 Certifications
I. Emphasize that the International Information Systems Security Certification Consortium, (ISC)2, is considered the foremost organization offering information security certifications today.
CISSP
I. Present that the CISSP certification is considered the ‘gold standard’ and the most prestigious certification for security managers and CISOs.
II. Recognize that candidates must possess at least five years of direct, full-time experience as a security professional working in at least two of the eight domains of information security knowledge, or four years of direct security work experience in two or more domains. The candidate must also have a four-year college degree.
III. Review the eight domains that are covered in a 100- to 150-question multiple-choice exam with a completion time of six hours (except where accommodations apply):
• Security and risk management
• Asset security
• Security architecture and engineering
• Communication and network security
• Identity and access management
• Security assessment and testing
• Security operations
• Software development security
IV. Understand that, once certified, the CISSP holder must complete 120 hours of continuing professional education (CPE) every three years, with a minimum of 20 hours per year.
V. Examine the CISSP concentrations and stress to students what (ISC)2 offers; several concentrations are available for CISSPs to demonstrate advanced knowledge beyond the CISSP CBK:
• ISSAP: Information Systems Security Architecture Professional
• ISSEP: Information Systems Security Engineering Professional
• ISSMP: Information Systems Security Management Professional
SSCP
I. Contrast that, like the CISSP, the SSCP certification applies more to the security manager than to the security technician, because the SSCP focuses on practices, roles, and responsibilities as defined by experts from major information security industries.
II. Outline the seven domains the SSCP covers in its 125-question exam, which participants have three hours to complete:
• Access controls
• Security operations and administration
• Risk identification, monitoring, and analysis
• Incident response and recovery
• Cryptography
• Network and communications security
• Systems and application security
CSSLP
I. Detail that the Certified Secure Software Lifecycle Professional (CSSLP) is another (ISC)2 certification, focused on the development of secure applications.
II. Encourage students to understand that to earn this certification a professional must have at least four years of recent experience in one or more of the following eight domains:
• Secure software concepts
• Secure software requirements
• Secure software architecture and design
• Secure software implementation
• Secure software testing
• Secure software lifecycle management
• Secure software deployment, operations, and maintenance
• Secure software supply chain
III. Differentiate this exam from the others: as part of the exam submission, candidates must compose essays in each of the four areas in which they have expertise.
IV. Inform learners that, as an alternative, professionals can qualify for an (ISC)2 Associate designation until the experience criteria for the aforementioned areas have been satisfied.
CAP
I. Recognize that this certification is geared towards professionals who work with the NIST Risk Management Framework (RMF). The Certified Authorization Professional (CAP) certification focuses on the deployment of the RMF, mainly in the government and the Department of Defense, but also in other public or private sectors.
II. Review the seven domains the CAP exam covers:
• Information security risk management program
• Categorization of information systems (IS)
• Selection of security controls
• Implementation of security controls
• Assessment of security controls
• Authorization of information systems (IS)
• Continuous monitoring
III. Recall that candidates need only two years of work experience in one or more domains to take and pass the certification exam.
HCISPP
I. Explain that the HCISPP focuses on security management topics in healthcare; this certification requires the candidate to demonstrate knowledge in six specialty domains on its 125-question multiple-choice exam:
• Healthcare industry
• Regulatory environment
• Privacy and security in healthcare
• Information governance and risk management
• Information risk assessment
• Third-party risk management
II. Stress that HCISPP candidates must have two or more years of experience in at least one of these domains, and at least one year of experience in the top three domains.
CCSP
I. Stress that the Certified Cloud Security Professional (CCSP) certification exam is sponsored by the Cloud Security Alliance and focuses on professionals who are responsible for specifying, acquiring, securing, and managing cloud-based services for their organization.
II. Review the six domains that the CCSP covers:
• Architectural concepts and design requirements
• Cloud data security
• Cloud platform and infrastructure security
• Cloud application security
• Operations
• Legal and compliance
Associate of (ISC)2
I. Justify the merit of this designation as an innovative approach to the experience requirement that may otherwise prevent candidates from taking the other exams outlined in this section of the module.
II. Recognize that this provides an option in which learners complete the exams, subscribe to the (ISC)2 code of ethics, maintain continuing professional education (CPE) credits, and pay the appropriate fees, which maintains their status as an associate until they have logged the required years of experience.
ISACA Certifications
I. Explain to learners how the Information Systems Audit and Control Association (ISACA) offers several reputable certifications. These include the CISM, CISA, CGEIT, and CDPSE certifications.
CISM
I. Establish that the CISM credential is focused on information security managers and others who may have similar management responsibilities.
II. Outline the four domains that this annual exam covers:
• Information security governance (24 percent)
• Information risk management (30 percent)
• Information security program development and management (27 percent)
• Information security incident management (19 percent)
III. Review the requirements provided in the text about what information security managers must have prior to completing the exam.
CISA
I. Discuss the Certified Information Systems Auditor (CISA) credential. Note that it is not specifically an information security certification but does include many information security components.
II. Outline the five domains that this annual exam covers:
• Information systems auditing process (21 percent)
• Governance and management of IT (17 percent)
• Information systems acquisition, development, and implementation (12 percent)
• Information systems operations and business resilience (23 percent)
• Protection of information assets (27 percent)
III. Examine the requirements presented in the text and stress to students that, although this is not exclusively an information security certification, it is a beneficial one to have.
CRISC
I. Express that this certification is targeted at managers and employees with knowledge and experience in risk management.
II. Outline the four domains that this annual exam covers:
• IT risk identification (27 percent)
• IT risk assessment (28 percent)
• Risk response and mitigation (23 percent)
• Risk and control monitoring and reporting (22 percent)
III. Recall that this certification requires the candidate to have a minimum of three years’ experience in risk management and information systems control in at least two of the stated domains, and at least one year of that experience must be in one of the first two domains, although the candidate may elect to take the exam before fulfilling the experience requirement.
CGEIT
I. Contrast the Certified in the Governance of Enterprise IT (CGEIT) certification with the others examined in this section, as it is mostly geared towards upper-level executives (CISOs and CIOs), directors, and consultants who have knowledge or experience in IT governance.
II. Outline the four domains that this annual exam covers:
• Governance of enterprise IT (40 percent)
• Benefits realization (26 percent)
• Risk optimization (19 percent)
• IT resources (15 percent)
III. Recall that this certification requires the candidate to have a minimum of one year of experience in IT governance and additional experience in at least two of the domains listed.
CDPSE
I. Explain to students that this is one of the newest certifications offered.
II. Stress that the Certified Data Privacy Solutions Engineer (CDPSE) exam focuses on the protection of customers’ personal information.
III. Outline the three domains that this annual exam covers:
• Privacy governance (34 percent)
• Privacy architecture (36 percent)
• Data life cycle (30 percent)
IV. Relate that, because the certification is so new, ISACA offers professionals an opportunity to receive it provided they can show at least five years’ experience and expertise in two or more of the domain areas, or a minimum of three years’ experience if they possess another certification from the governing body.
SANS Certifications
I. Explain how, in 1999, SANS developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC).
II. Discuss that the GIAC family covers more than 40 certifications in six focus areas: offensive security, cyber defense, cloud security, industrial control systems, digital forensics and incident response and management, and legal and audit. Note that an individual can attain the various GIAC certifications individually.
III. Relate that some of the exams require applicants to complete a written practical, whereas others are multiple-choice question-based tests.
IV. Review Table 7-1, which provides the list of exams that were available to professionals at the time the text was being developed (2020).
EC-Council Certifications
I. Identify that EC-Council is a new competitor in certifications for security management. It offers a Certified CISO (CCISO) certification, which tests security domain knowledge as well as knowledge of executive business management.
II. Establish the six levels at which certifications are available that apply to information security management:
• Security Awareness
• Fundamentals
• Core
• Specialist
• Advanced
• Management
III. Present the five domains that make up the Certified CISO (CCISO) certification, which tests knowledge of executive business management:
• Governance and risk management
• Information security controls, compliance, and auditing management
• Security program management and operations
• Information security core competencies
• Strategic planning, finance, procurement, and vendor management
IV. Gain awareness that before an executive or professional can take the exam, EC-Council requires five years’ experience in at least three of the domains. As an alternative option while they gain experience, a ‘light’ version is also available.
CompTIA Certifications
I. Explain how the CompTIA Security+ certification assesses entry-level security knowledge. Candidates must have two years of on-the-job networking experience. The exam covers industry-wide topics.
II. Compare and contrast the following certifications that are provided in the text: Security+, CySA+, PenTest+, and CASP+.
Security+
I. Describe the purpose of the CompTIA Security+ certification test: it is geared towards a professional’s entry-level security knowledge and requires a minimum of two years of on-the-job networking experience.
CySA+
I. Compare and contrast this CompTIA certification with Security+: it is more advanced and geared towards the intermediate certification level.
II. Recognize that this assessment is both knowledge-based and performance-based.
III. Stress that professionals wanting to achieve this certification must already have, at a minimum, the Security+ or Network+ certification and four years of related experience.
PenTest+
I. Emphasize that this is one of the newer certifications CompTIA offers. This exam is known as the Penetration Tester Plus certification, which includes both the managerial and technical skills needed to investigate and examine systems for potential vulnerabilities and susceptibility to successful attacks.
II. Recognize that this assessment is both knowledge-based and performance-based.
III. Detail the requirements for this exam: a minimum of the Security+ certification and three to four years of experience.
CASP+
I. State that this exam is an advanced-level certification that builds upon the knowledge of both the Security+ and CySA+ certifications and assesses an advanced understanding of risk, security controls, cryptography, cloud security, virtualization, and the enterprise security domain.
II. Recall that this certification requires at least 10 years of experience and is a performance-based and knowledge-based exam.
Cloud Security Certifications
I. Guide learners to understand that companies such as Amazon offer specialized professional certificates that can be held in addition to the certifications listed in the module.
II. State clearly that most of these external organizations can only provide certificates, not certifications.
Certification Costs
I. Define the reality that certifications cost money, and the better certifications can be quite expensive to attain. Depending on the certification, a single exam can cost more than $750.00, and certifications that require multiple exams are in the thousands of dollars.
II. Explain how, while preparation courses should not serve as the candidate’s only means of preparing for the certification exam, they can help candidates round out their knowledge and fill in gaps.
III. Emphasize that most examinations require between two and three years of work experience, and they are often structured to reward candidates who have significant hands-on experience.
Advice for Information Security Professionals
I. Establish an understanding that, as future information security professionals, learners can benefit from keeping the following suggestions in mind as they enter the information security job market:
• Always remember business before technology.
• When evaluating a problem, look at the source of the problem first, determine what factors affect the problem, and see where organizational policy can lead you in designing a solution that is independent of technology.
• Your job is to protect the organization’s information.
• Be heard and not seen.
• Know more than you say and be more skillful than you let on.
• Speak to users, not at them.
• Your education is never complete.
Employment Policies and Procedures (7.4, PPT Slides 33–44)
I. Focus on the critical fact that, regardless of the position, an organization should always have information security as a documented part of an employee’s job description.
II. Explain that, from an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls.
III. Detail the prerequisite that the CISO and information security manager should establish a dialogue with the human resources (HR) department to provide information security input to the guidelines used for hiring personnel.
Job Descriptions
I. Discuss how incorporating information security perspectives into the hiring process begins with reviewing and updating all job descriptions.
II. Explain the importance of preventing people from applying for positions based solely on access to sensitive information: the organization should avoid revealing access privileges to prospective employees when it advertises open positions.
Interviews
I. Demonstrate how an opening within the information security department presents a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.
II. Recommend to students that departments outside of information security, like HR, should limit the information provided to the candidate about the responsibilities and access rights the new hire would have.
III. Present the fact that on-site visits are often part of the interview process, and caution must be exercised when showing a candidate around a facility.
Background Checks
I. Examine the purpose of a background check and why it is important to investigate the candidate’s past: criminal behavior could indicate the potential for future misconduct.
II. Review the restrictions and regulations that govern what the organization can investigate and how much of the information uncovered can be allowed to influence the hiring decision. The security and HR managers should discuss these matters with legal counsel.
III. Differentiate the level of detail and depth a background check can provide. Additionally, review the various types of background checks a candidate may receive:
• Identity checks
• Education and credential checks
• Previous employment verification
• Reference checks
• Worker’s compensation history
• Motor vehicle records
• Drug history
• Credit history
• Civil court history
• Criminal court history
IV. Outline the federal regulations that are in place with respect to obtaining personal information for employment decisions and practices:
• One regulation, the Fair Credit Reporting Act (FCRA), governs consumer credit reporting agencies and the uses of the information procured from these agencies.
• These reports contain information on a job candidate’s credit history, employment history, and other personal data.
• The FCRA prohibits employers from obtaining these reports unless the candidate is informed in writing that such a report will be requested as part of the employment process.
• The FCRA also restricts the periods of time these reports can address.
Employee Contracts
I. Explain how, once a candidate has accepted the job offer, the employment contract becomes an important security instrument and must be protected in much the same way as other data sets in an organization.
II. Classify the policies discussed in the text that require an employee to agree in writing to monitoring and nondisclosure agreements.
III. Relate that if an existing employee refuses to sign these contracts, security personnel are placed in a difficult situation; for a new hire, the offer may need to be rescinded to protect the company. This is addressed by a policy of “employment contingent upon agreement,” which means the employee is not actually employed until he or she agrees in writing to conform to the binding organizational policies.
New Hire Orientation
I. Emphasize that, as new people enter an organization, one of the first pieces of training they should receive is an extensive information security briefing. Note that this briefing should cover all the major policies, procedures, and requirements related to information security within the new position.
II. Explain that the levels of authorized access should be outlined, and that training should be provided for the secure use of the organization’s information systems.
III. Establish the understanding that, by the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely.
On-the-Job Security Training
I. Summarize that an organization should integrate security awareness education into a new hire’s job orientation and make it a part of every employee’s on-the-job security training.
II. Discuss how keeping security at the forefront of employees’ minds minimizes employee mistakes and is an important part of the information security mission.
III. Recommend the use of formal and informal seminars to increase the security awareness level of all employees, especially security employees.
Evaluating Performance
I. Explain that, to heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations.
II. Justify the rationale: employees pay close attention to job performance evaluations, so if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.
Termination I.
Review the importance of information security when an employee leaves the organization. Several security-related issues may arise: the key among these is the continuity of protection of all information to which the employee had access.
II.
Outline the tasks that an organization must complete when an employee with information security access leaves the organization. They are the following: •
Access to the organization’s systems must be disabled.
•
Removable media must be returned.
•
Hard drives must be secured.
•
File cabinet locks must be changed.
•
Office door locks must be changed.
•
Keycard access must be revoked.
•
Personal effects must be removed from the organization’s premises.
III.
Stress the importance that once an employee has turned in their keys, keycards, and other property belonging to the organization, they must be escorted off the premises.
IV.
Establish an understanding that most organizations use exit interviews which reminds the departing employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization.
V. Review the scenarios that may occur when an employee leaves the organization: the departure is either hostile or friendly.
VI. Discuss that regardless of the reason an employee leaves, the offices and information used by the employee must be inventoried, their files must be stored or destroyed, and all property must be returned to organizational stores.
VII. Discuss how, in either situation, employees might foresee their departures well in advance and might begin collecting organizational information or anything that could be valuable in their future employment. If this occurs, appropriate policies should be followed to regain the information or pursue legal action.
Hostile Departures
I. State the common causes of a hostile departure: termination for cause, permanent downsizing, temporary layoffs, and quitting.
II. Stress that even when employees do not seem hostile, the chance that they will lash out against the organization still exists, and caution needs to be exercised.
III. Outline the recommended steps the information security team should apply to protect organizational assets while causing the departing employee and the organization the least inconvenience:
• Before the employee knows he or she is leaving, security terminates all logical and keycard access. As soon as the employee reports for work, he or she is escorted into the supervisor’s office for the news.
• Upon receiving notice, the employee is escorted to his or her area and allowed to collect personal effects. No organizational property is taken from the premises.
• The employee is asked to surrender all keys, keycards, and other company property. The employee is then escorted out of the building.
Friendly Departures
I. Detail that friendly departures include resignation, retirement, promotion, or relocation. In this case, the employee may have tendered notice well in advance of the actual departure date.
II. Emphasize that this type of departure is more challenging because it is harder for security to maintain positive control over the employee’s access and information usage.
III. Outline the recommended steps the information security team should apply to protect organizational assets while causing the departing employee and the organization the least inconvenience:
• Employee accounts are usually allowed to continue with a new expiration date.
• Employees come and go at will, collect their own belongings, and leave on their own.
• They are asked to drop off all organizational property “on their way out the door.”
Personnel Control Strategies (7.4, 7.5, PPT Slides 47–54)
I. Describe the term separation of duties and why it is important: it reduces the risk an organization takes on by limiting the chance that a single employee can violate information security and break the confidentiality, integrity, or availability of information.
II. Compare and contrast separation of duties with two-person control, and explain how the two are similar yet distinct in their approaches.
III. Evaluate the use of job/task rotation and the application of mandatory vacations as additional measures to protect an organization’s information security systems and data.
IV. Recognize the concept of garden leave and why it is important to have a time gap between someone’s departure from the company and their joining a new organization that is potentially in a similar industry or field.
V. Establish the principles of need to know and least privilege and why they are important to have in place in an organization. Under these principles, employees only have access to the information they need for their position. Stress to students that the purpose of information security is to allow people who need to use system information to do so without being concerned about its confidentiality, integrity, and availability.
Privacy and the Security of Personnel Data
I. Emphasize that, as covered in the sixth module, the law requires organizations to protect employee information that is sensitive or personal. This information includes employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members.
II. Stress that information security groups should ensure that this data receives at least the same level of protection as other important data in the organization, including intellectual property, strategic planning data, and other business-critical information.
Security Considerations for Temporary Employees, Consultants, and Other Workers
I. Summarize that individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information.
II. Explain how relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.
Temporary Employees
I. Distinguish temporary employees, who are hired by the organization to serve in a temporary position or to supplement the existing workforce, from permanent employees.
II. Review how these employees may be paid employees of a “temp agency” or a similar organization and are hired by it directly. Additionally, they are often not subject to the contractual obligations or general policies of other employees.
III. Stress that if these individuals breach a policy or cause a problem, the strongest action the host organization can take is to terminate its relationship with the individuals and request that they are censured.
IV. Explain how, from a security standpoint, access to information for these individuals should be limited to that which is necessary for them to perform their duties.
V. Critique the practice that the organization can attempt to have temporary employees sign nondisclosure agreements and fair use policies, but a temp agency may refuse, forcing the organization to either dismiss the temp worker or allow him or her to work without the agreement.
VI. Emphasize that the temp worker’s supervisor should restrict the information to which the temp has access, and that all employees should follow good security practices, especially those relating to clean desk policies and the security of classified data.
Contract Employees
I. Compare and contrast temporary employees and contract employees, noting their differences and similarities with respect to information security policies.
II. Explain that contracts for consultants should specify all requirements for information or facility access before the consultants are allowed into the workplace. Security and technology consultants especially must be prescreened, escorted through work areas, and subjected to nondisclosure agreements to protect the organization from possible breaches of confidentiality.
III. Recognize that consultants typically request permission to present work samples to other companies as part of their résumés, but a client organization is not obligated to grant this permission and can even explicitly deny permission in writing.
IV. Stress that organizations must remember that protecting their information does not become the consultant’s top priority merely because the consultant is paid.
Consultants
I. Explain how consultants are on-site contracted workers who are often self-employed or are part of an organization for a specific one-time purpose.
II. Emphasize that all requirements for information or facility access should be specified before the consultants are allowed into the workplace.
III. Stress how security and technology consultants must be prescreened and escorted through secure areas, as well as subject to non-disclosure agreements, to protect the organization.
IV. Justify the fact that these professionals will want to request work samples for their résumés, but that the organization has the right to accept or deny that request.
Business Partners
I. Identify that on occasion businesses find themselves in strategic alliances with other organizations that want to exchange information, integrate systems, or simply discuss operations for mutual advantage. There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom.
II. Emphasize that nondisclosure agreements must be in place, and the level of security of both systems must be examined before any physical integration takes place, because when systems are connected, the vulnerability of one system becomes the vulnerability of all.
Quick Quiz 2
1. Which of the following is a certification offered by the International Information Systems Security Certification Consortium (ISC)2?
a. Security+
b. GIAC
c. CISSP
d. CGEIT
Answer: c
2. Which of the following certifications requires the applicant to complete a written practical assignment to complete the certification process?
a. Security+
b. GIAC
c. CISSP
d. CGEIT
Answer: b
3. Which of the following ISACA certifications, while not specifically a security certification, contains many information security systems’ auditing components and is only offered a few times per year?
a. CISA
b. CISM
c. CGEIT
d. CRISC
Answer: a
4. Once a candidate has accepted the job offer, the employment ________ becomes an important security instrument.
a. non-disclosure agreement
b. contract
c. security acknowledgement
d. offer
Answer: b
5. True or False: The least privilege principle ensures no unnecessary access to data exists by regulating members, so they can perform only the minimum data manipulation needed.
Answer: True
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class.
These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What actions can each person take to minimize the risk of identity theft? Take a few minutes to discuss and generate a list of concrete actions each student can take to control this risk. (7.1, 7.2, 7.4, 7.5, PPT Slides 3–5, 8–14, 3–44, and 47–54) Duration 15 minutes.
2. The placement of the security function is a broad topic. Ask students who are familiar with an actual information security organization to describe the placement of security in that organization. (7.4, 7.5, PPT Slides 36–44 and 47–54) Duration 15 minutes.
3. Discuss the different certifications presented in the module. How impactful are the certifications relative to the job duties an information security professional needs? Do the costs outweigh the benefits? (7.3, PPT Slides 23–27 and 30–32) Duration 15 minutes.
4. Compare and contrast the different categories of non-permanent employees explained in the module. Why should or shouldn’t they be held to the same information security standards that information security professionals abide by within their organization? Explain. (7.1, 7.2, 7.5, PPT Slides 3–5, 8–14, and 47–54) Duration 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module.
Additional project options include:
1. Divide the class into teams of three and have each team conduct a mock exit interview. During the interview, one student should play the role of the departing employee, one should play the role of the interviewer, and the other should take notes to see if all critical issues are covered.
2. Have students draw an organization chart for an imaginary organization’s information security department. You can have them include job descriptions for some or all of the positions.
[return to top]
Additional Resources
Cengage Video Resources
• MindTap Video: Personnel Security
Internet Resources
• (ISC)2
• ISACA
• Information Shield—Resources from Charles Cresson Wood
• The Chief Information Security Officer (CISO) Role Explained
• Data Breach Today
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 – Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 – Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 – Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0 – Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.

[return to top]
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 8: Security Technology: Access Controls, Firewalls, and VPNs
Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 8: Security Technology: Access Controls, Firewalls, and VPNs
Table of Contents
Purpose and Perspective of the Module ..... 2
Cengage Supplements ..... 2
Module Objectives ..... 2
Complete List of Module Activities and Assessments ..... 2
Key Terms ..... 3
What's New in This Module ..... 8
Module Outline ..... 8
Discussion Questions ..... 32
Suggested Usage for Lab Activities ..... 33
Additional Activities and Assignments ..... 34
Additional Resources ..... 35
Internet Resources ..... 35
Appendix ..... 36
Grading Rubrics ..... 36
Purpose and Perspective of the Module
Protecting information is one of the most important tasks an organization must monitor around the clock, regardless of where personnel are located. In this module, students will gain knowledge of the purpose of information security and the need for it in organizations. Next, they will increase their understanding of why a successful information security program is the shared responsibility of the entire organization and not just of departments that focus on technology. In the second half of the module, emphasis is placed on the threats that trigger information security solutions and the common attacks associated with them. The final part of the module lists common information security issues that result from poor software development efforts.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
8.1 Discuss the role of access control in information systems and identify and discuss the four fundamental functions of access control systems.
8.2 Define authentication and explain the three commonly used authentication factors.
8.3 Describe firewall technologies and the various categories of firewalls.
8.4 Explain the various approaches to firewall implementation.
8.5 Identify the various approaches to control remote and dial-up access by authenticating and authorizing users.
8.6 Describe virtual private networks (VPNs) and discuss the technology that enables them.
Complete List of Module Activities and Assessments For additional guidance refer to the MindTap Educator Guide.
Module Objective | PPT slide | Activity/Assessment | Duration
8.1 and 8.2 | 16–17 | Knowledge Check Activity 1 | 2 minutes
8.3 and 8.4 | 34–35 | Knowledge Check Activity 2 | 2 minutes
8.5 and 8.6 | 81–82 | Knowledge Check Activity 3 | 2 minutes
8.1–8.6 | 88 | Self-Assessment | 5 minutes
8.1–8.6 | MindTap | Module 08 Review Questions | 30–40 minutes
8.1–8.6 | MindTap | Module 08 Case Exercises | 30 minutes
8.1–8.6 | MindTap | Module 08 Exercises | 10–30 minutes per question; 1+ hour per module
8.1–8.6 | MindTap | Module 08 Security for Life | 1+ hour
8.1–8.6 | MindTap | Module 08 Quiz | 10–15 minutes
[return to top]
Key Terms
In order of use:
access control: The selective method by which systems specify who may use a particular resource and how they may use it.
discretionary access controls (DACs): Access controls that are implemented at the judgment or option of the data user.
nondiscretionary access controls (NDACs): Access controls that are implemented by a central authority.
lattice-based access controls (LDACs): A variation on mandatory access controls that assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.
role-based access control (RBAC): A nondiscretionary control where privileges are tied to the role or job a user performs in an organization and are inherited when a user is assigned to that role.
task-based access control (TBAC): A nondiscretionary control where privileges are tied to a task or temporary assignment a user performs in an organization and are inherited when a user is assigned to that task.
mandatory access control (MAC): A required, structured data classification scheme that assigns a sensitivity or classification rating to each collection of information as well as each user.
attribute-based access control (ABAC): An access control approach whereby the organization specifies the use of objects based on some attribute of the user or system.
3
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 8: Security Technology: Access Controls, Firewalls, and VPNs
attribute: A characteristic of a subject (user or system) that can be used to restrict access to an object; also known as a subject attribute.
subject attribute: See attribute.
identification: The access control mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label or username by which they are known to the system.
authentication: The access control mechanism that requires the validation and verification of an entity’s unsubstantiated identity.
authentication factors: Mechanisms that provide authentication based on something an unauthenticated entity knows, has, and is.
password: A secret word or combination of characters that only the user should know; it is used to authenticate the user.
passphrase: A plain-language phrase, typically longer than a password, from which a virtual password is derived.
virtual password: A stream of characters generated by taking elements from an easily remembered phrase.
dumb card: An authentication card that contains digital user data, such as a personal identification number, against which user input is compared.
smart card: An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a personal identification number.
synchronous token: An authentication component in the form of a card or fob that contains a computer chip and a display that shows a computer-generated number used to support remote login authentication; the token must be calibrated with the corresponding software on a central authentication server.
asynchronous token: An authentication component in the form of a card or fob that contains a computer chip and a display that shows a computer-generated number used to support remote login authentication; the token does not require calibration of the central authentication server but uses a challenge/response system instead.
strong authentication: In access control, the use of at least two different authentication mechanisms drawn from two or more different factors of authentication; this is sometimes called multifactor or dual-factor authentication.
authorization: The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.
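The four fundamental functions named in objective 8.1 (identification, authentication, authorization, and accountability) are easiest to see when they run one after another on a single request. The following is an added example, not code from the textbook or the instructor manual: a toy reference-monitor style gatekeeper with constructed users, roles and resources. It assumes a "something you know" factor (a salted PBKDF2 password hash) for authentication and role-based access control for authorization; every decision, allowed or denied, is written to an audit trail so that it can later be attributed to the identity that requested it.

```python
"""Added example (not from the textbook): identification, authentication,
authorization and accountability applied to one access request.
All usernames, passwords, roles and resources are constructed sample data."""
import hashlib
import hmac
from typing import Dict, List, Set, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """Passwords are never stored in the clear; keep a salted PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Identification/authentication store (constructed users and salts).
_SALT_ALICE = b"constructed-salt-1"
_SALT_BOB = b"constructed-salt-2"
USERS: Dict[str, Dict] = {
    "alice": {"salt": _SALT_ALICE,
              "hash": _hash_password("correct horse", _SALT_ALICE),
              "roles": {"auditor"}},
    "bob": {"salt": _SALT_BOB,
            "hash": _hash_password("hunter2", _SALT_BOB),
            "roles": {"clerk"}},
}

# Authorization: role-based, so privileges are inherited from the role.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "auditor": {("audit_log", "read")},
    "clerk": {("ledger", "read"), ("ledger", "write")},
}

# Accountability: (identity, resource, action, decision) for every request.
AUDIT_TRAIL: List[Tuple[str, str, str, str]] = []


def authenticate(username: str, password: str) -> bool:
    """Verify the claimed identity with the 'something you know' factor."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the lookup
        # result is not revealed by a timing difference.
        _hash_password(password, b"dummy-salt")
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def authorize(username: str, resource: str, action: str) -> bool:
    """Match the authenticated entity's roles against the permitted (resource, action) pairs."""
    roles = USERS.get(username, {}).get("roles", set())
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def request_access(username: str, password: str, resource: str, action: str) -> str:
    """Run all four access control functions for one request and return the decision."""
    # 1. Identification: the caller supplied a username it is known by.
    # 2. Authentication: the caller must prove that claim.
    if not authenticate(username, password):
        AUDIT_TRAIL.append((username, resource, action, "DENIED:auth"))
        return "DENIED:auth"
    # 3. Authorization: is this identity allowed this action on this asset?
    if not authorize(username, resource, action):
        AUDIT_TRAIL.append((username, resource, action, "DENIED:authz"))
        return "DENIED:authz"
    # 4. Accountability: the allowed action is recorded against the identity.
    AUDIT_TRAIL.append((username, resource, action, "ALLOWED"))
    return "ALLOWED"


if __name__ == "__main__":
    print(request_access("alice", "correct horse", "audit_log", "read"))  # ALLOWED
    print(request_access("bob", "hunter2", "audit_log", "read"))          # DENIED:authz
    print(AUDIT_TRAIL)
```

Note that a denied request is logged just as an allowed one is; accountability covers unauthorized attempts, which is what makes the audit trail useful for detecting misuse rather than only reconstructing legitimate activity.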
accountability: The access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity; also known as auditability.
auditability: See accountability.
biometric access control: The use of physiological characteristics to provide authentication for a provided identification; also referred to as biometrics.
minutiae: In biometric access controls, unique points of reference that are digitized and stored in an encrypted format when the user’s system access credentials are created and are then used in subsequent requests for access to authenticate the user’s identity.
false reject rate: The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device; also known as a Type I error or a false negative.
false accept rate: The rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in the biometric device; also known as a Type II error or a false positive.
crossover error rate (CER): The point at which the rate of false rejections equals the rate of false acceptances; also called the equal error rate.
trusted computing base (TCB): Under the Trusted Computer System Evaluation Criteria (TCSEC), the combination of all hardware, firmware, and software responsible for enforcing the security policy.
reference monitor: Within the trusted computing base, a conceptual piece of the system that manages access controls.
covert channels: Unauthorized or unintended methods of communications hidden inside a computer system.
storage channels: TCSEC-defined covert channels that communicate by modifying a stored object, as in steganography.
timing channels: TCSEC-defined covert channels that communicate by managing the relative timing of events.
zero trust architecture (ZTA): An approach to access control in IT networks that does not rely on trusting devices or network connections; rather, it relies on mutual authentication to verify the identity and integrity of devices, regardless of their location.
firewall: In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.
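The false reject rate, false accept rate and crossover error rate defined above are all functions of the match threshold a biometric device is tuned to, and the CER is found by sweeping that threshold. The block below is an added example, not from the textbook: it assumes constructed similarity scores (0 to 100) for a set of genuine users and a set of impostors, declares a match when the score reaches the threshold, and locates the threshold at which FRR and FAR are closest.

```python
"""Added example (not from the textbook): FRR, FAR and the crossover error
rate computed from constructed biometric similarity scores."""
from typing import List, Tuple

# Constructed sample data: similarity scores (0..100) reported by a biometric
# reader for genuine enrolled users and for impostors trying to pass as them.
GENUINE_SCORES: List[int] = [92, 88, 75, 81, 67, 95, 59, 84, 78, 90]
IMPOSTOR_SCORES: List[int] = [20, 35, 62, 41, 55, 70, 28, 48, 66, 33]


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """Type I error: share of authentic users whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostors: List[int], threshold: int) -> float:
    """Type II error: share of impostors whose score reaches the threshold."""
    return sum(1 for s in impostors if s >= threshold) / len(impostors)


def crossover_error_rate(genuine: List[int], impostors: List[int]) -> Tuple[int, float]:
    """Sweep every threshold and return (threshold, error rate) where FRR and FAR
    are closest; at that point the two rates are (approximately) equal, which is
    the CER / equal error rate."""
    best: Tuple[float, int, float] = (float("inf"), 0, 0.0)
    for t in range(0, 101):
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostors, t)
        gap = abs(frr - far)
        if gap < best[0]:  # keep the first threshold reaching the smallest gap
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (50, 67, 80):
        print(t, false_reject_rate(GENUINE_SCORES, t), false_accept_rate(IMPOSTOR_SCORES, t))
    print("CER at threshold", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold drives the false accept rate down and the false reject rate up, so the CER is a convenient single figure for comparing devices, while the threshold an organization actually deploys depends on which error it can tolerate more: a locked-out employee or an admitted impostor.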
untrusted network: The system of networks outside the organization over which the organization has no control, such as the Internet.
trusted network: The system of networks inside the organization that contains its information assets and is under the organization’s control.
packet-filtering firewall: A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
static packet filtering: A firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.
dynamic packet filtering: A firewall type that can react to network traffic and create or modify its configuration rules to adapt.
stateful packet inspection (SPI): A firewall type that keeps track of each network connection between internal and external systems using a state table and that expedites the filtering of those communications; also known as a stateful inspection firewall.
address restrictions: Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
state table: A tabular record of the state and context of each packet in a conversation between an internal and external user or system; used to expedite traffic filtering.
application layer proxy firewall: A device capable of functioning both as a firewall and an application layer proxy server.
application firewall: See application layer proxy firewall.
proxy server: A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers; some are also cache servers.
reverse proxy: A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.
demilitarized zone (DMZ): An intermediate area designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network.
media access control layer firewall: A firewall designed to operate at the media access control sublayer of the network’s data link layer (Layer 2).
Unified Threat Management (UTM): Networking devices categorized by their ability to perform the work of multiple devices, such as stateful packet inspection firewalls, network intrusion detection and prevention systems (IDPSs), content filters, spam filters, and malware scanners and filters.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
6
Next Generation Firewall (NextGen or NGFW): A security appliance that delivers Unified Threat Management capabilities in a single integrated device.
single bastion host: See bastion host.
bastion host: A device placed between an external, untrusted network and an internal, trusted network; also known as a sacrificial host, as it serves as the sole target for attack and should therefore be thoroughly secured.
sacrificial host: See bastion host.
Network Address Translation (NAT): A networking scheme in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.
Port Address Translation (PAT): A networking scheme in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.
screened host architecture: A firewall architectural model that combines the packet-filtering router with a second, dedicated device such as a proxy server or proxy firewall.
screened subnet architecture: A firewall architectural model that consists of one or more internal bastion hosts located behind a packet-filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.
extranet: A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
configuration rules: The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
content filter: A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network.
reverse firewall: See content filter.
data loss prevention: A strategy to ensure that the users of a network do not send high-value information or other critical information outside the network without authorization.
war dialer: An automatic phone-dialing program that dials every number in a configured range and checks whether a person, voicemail, or modem picks up.
Remote Authentication Dial-In User Service (RADIUS): A computer connection system that centralizes the management of user authentication by placing the responsibility for authenticating each user on a central authentication server.
Kerberos: An authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the secret (symmetric) keys of clients and servers that are in the authentication domain it supervises.
virtual private network (VPN): A private, secure network operated over a public and insecure network; it uses encryption to protect the data between endpoints.
trusted VPN: Also known as a legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
secure VPN: A VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks.
hybrid VPN: A combination of trusted and secure VPN implementations.
deperimeterization: The recognition that there is no clear information security boundary between an organization and the outside world, meaning that the organization must be prepared to protect its information both inside and outside its digital walls.
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 6 in the 6th edition.
• Content providing context and examples of security concerns in cloud computing was added.
• The entire module was refreshed with a general update and given more current examples.
Module Outline
Introduction to Access Controls (8.1, 8.2, PPT Slides 3–15)
I. Describe how technical controls are essential in enforcing policy for many IT functions that do not involve direct human control.
II. Explain the concept of technical control solutions, which, when properly implemented, improve an organization's ability to balance the often conflicting objectives of making information more readily and widely available against increasing that information's confidentiality and integrity.
III. Illustrate that access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization.
IV. Remind students that there are two general types of access control systems: discretionary and nondiscretionary.
• Discretionary access controls (DACs) leave access decisions to the judgment or option of the user who owns the resource; the most common example is file and folder sharing in Microsoft Windows.
• Nondiscretionary access controls are implemented by a central authority (e.g., the IT department). They can be based on role-based access controls (RBAC), task-based access controls (TBAC), or a combination of both.
V. Discuss lattice-based access controls (LBACs). Explain that an LBAC specifies the level of access each subject has to each object, as implemented in access control lists (ACLs) and capability tables.
VI. Describe how mandatory access control (MAC) schemes use data classification schemes to grant access to data. Also mention that MACs are a form of lattice-based, nondiscretionary access control.
VII. Introduce students to attribute-based access controls (ABACs), which represent a newer approach to lattice-based access controls promoted by NIST. Differentiate between the concepts of attributes and subject attributes.
Access Control Mechanisms
I. Outline the four fundamental functions of access control systems:
• Identification
• Authentication
• Authorization
• Accountability
Identification
I. Define identification as a mechanism whereby unverified entities, called supplicants, who seek access to a resource propose a label by which they are known to the system.
II. Emphasize that the identifier label applied to the supplicant must map to one and only one entity within the security domain.
Authentication
I. Review the definition of authentication. Explain to learners that it is the process of validating an unauthenticated entity's purported identity.
II. Assemble and outline the three commonly used authentication factors:
• Something you know
• Something you have
• Something you are or you can produce
III. Detail the something you know authentication factor.
• Explain that a password is a private word or combination of characters that only the user should know.
• Stress that one of the biggest debates in the information security industry concerns the complexity of passwords (apply the 10-4 password recommendation mentioned in a previous module).
• Recall that a password should be difficult to guess but must be something the user can easily remember.
• State that a passphrase is a series of characters, typically longer than a password, from which a virtual password is derived.
• Give examples of acceptable and unacceptable passwords for professional and personal use.
IV. Discuss the something you have authentication factor.
• This addresses something the supplicant carries in his or her possession.
• These include dumb cards, such as ID cards or ATM cards with magnetic stripes, that contain the digital (and often encrypted) user personal identification number (PIN), against which the number the user enters is compared.
• An improved version of the dumb card is the smart card, which contains a computer chip that can verify and validate several pieces of information instead of just a PIN.
• Another device often used is the token, a card or key fob with a computer chip and a liquid crystal display that shows a computer-generated number used to support remote login authentication.
• Explain that tokens are synchronous or asynchronous, and the differences between them.
  o Once synchronous tokens are synchronized with a server, both devices (server and token) use the same time or a time-based database to generate a number that is displayed and entered during the user login phase.
  o Asynchronous tokens use a challenge-response system, in which the server challenges the supplicant during login with a numerical sequence that the supplicant feeds into the token to obtain the response.
V. Describe the something you are or can produce authentication factor.
• The process of using body measurements is known as biometrics and includes:
  o Reliance on individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina/iris scans
  o Additionally, something a supplicant can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements
• Strong authentication requires at least two authentication mechanisms drawn from two different factors of authentication.
• Emphasize that authorization credentials (also known as authorization tickets) can be configured to be honored by all systems within a domain, an arrangement known as single sign-on (SSO), which typically relies on a shared directory accessed through the Lightweight Directory Access Protocol (LDAP).
Authorization
I. Recognize the concept of authorization as the matching of an authenticated entity to a list of information assets and corresponding access levels, which can happen in one of three ways.
• Authorization for each authenticated user
  o The system performs an authentication process to verify each entity and then grants access to resources for only that entity. This quickly becomes a complex and resource-intensive process in a computer system.
• Authorization for members of a group
  o The system matches authenticated entities to a list of group memberships and then grants access to resources based on the group's access rights. This is the most common authorization method.
• Authorization across multiple systems
  o A central authentication and authorization system verifies entity identity and grants it a set of credentials.
Accountability
I. Explain that accountability, or auditability, is a system that directly attributes the actions on a system to an authenticated entity.
Biometrics
I. Point out that biometric access control is dependent on recognition, the same thing one relies on to recognize friends, family, and other people one knows.
II. Illustrate different biometric authentication technologies, as summarized in the text:
• Fingerprint comparison of the supplicant's actual fingerprint to a stored fingerprint
• Palm print comparison of the supplicant's actual palm print to a stored palm print
• Hand geometry comparison of the supplicant's actual hand to a stored measurement
• Facial recognition using a photographic ID card, in which a human security guard compares the supplicant's face to a photo
• Facial recognition using a digital camera, in which a supplicant's face is compared to a stored image
• Retinal print comparison of the supplicant's actual retina to a stored image
• Iris pattern comparison of the supplicant's actual iris to a stored image
III. Stress and explain, though, that only four human characteristics are considered truly unique from one person to another:
• Fingerprints
• Retina of the eye (blood vessel pattern)
• Iris of the eye (random pattern of features in the iris: freckles, pits, striations, vasculature, coronas, and crypts)
• DNA
IV. Guide students to review Figure 8-5, which shows the characteristics that are unique between people.
V. Discuss the fact that signature and voice recognition technologies are also considered biometric access control measures.
• Retail stores use signature recognition, or at least signature capture, for authentication during a purchase. Currently, signature capture is much more widely accepted than signature comparison because signatures change due to a number of factors, including age, fatigue, and the speed with which the signature is written.
• In voice recognition, an initial voiceprint of the user reciting a phrase is captured and stored. Later, when the user attempts to access the system, the authentication process requires the user to speak the same phrase so that the current voiceprint can be compared against the stored value.
VI. Engage in a conversation with students, getting their feedback as to whether signature and voice recognition technologies are good ones to use in a corporate environment, and why or why not.
Effectiveness of Biometrics
I. Evaluate the three basic criteria against which biometrics are judged: false reject rate (FRR, legitimate users wrongly denied), false accept rate (FAR, impostors wrongly admitted), and crossover error rate (CER, the point at which FRR and FAR are equal).
II. Emphasize that the goal is to find a balance between providing the requisite level of security and minimizing authentic users' frustration.
III. Note that a system with a CER of 1 percent is considerably more accurate, and therefore more secure, than one with a CER of 5 or 10 percent.
Acceptability of Biometrics
I. Note that many of the most reliable biometric systems are considered obtrusive by users, and poor user acceptance in turn undermines the system's effectiveness as a security control.
II. Analyze the findings in Table 8-1 and illustrate to students how the rankings differ across various biometric measures.
Access Control Architecture Models
I. Recognize that security access control architecture models illustrate access control implementations and can help organizations quickly make improvements through adaptation.
II. Note that formal models often do not find their way directly into usable implementations but rather provide the foundation on which an implementation is built.
TCSEC's Trusted Computing Base
I. Describe the Trusted Computer System Evaluation Criteria (TCSEC). Point out that it is an older Department of Defense (DoD) standard that defines the criteria for assessing the access controls in a computer system. It is also known as the "Orange Book" and is the cornerstone of a larger series of documents that were used to determine access controls for systems within the department.
II. Identify that the use of TCSEC relies on a trusted computing base (TCB) for a security policy to be enforceable.
III. Recall that the TCB is made up of the hardware and software that have been implemented to provide security for a particular information system (usually including the operating system kernel and a specified set of security utilities).
IV. Point out that one of the biggest challenges in a TCB is the existence of covert channels. Mention that TCSEC defines two kinds of covert channels: storage channels and timing channels.
ITSEC
I. Discuss the Information Technology Security Evaluation Criteria (ITSEC), an international set of criteria for evaluating computer systems.
II. Emphasize that Targets of Evaluation (ToEs) are compared against detailed security function specifications, resulting in an assessment of system functionality and comprehensive penetration testing.
The Common Criteria
I. Introduce students to the Common Criteria for Information Technology Security Evaluation, often called the Common Criteria or just CC.
II. Mention that it is an international standard for computer security certification, published as ISO/IEC 15408.
III. Discuss the following CC terminology:
• Target of Evaluation (ToE): the system being evaluated
• Protection Profile (PP): user-generated specification for security requirements
• Security Target (ST): document describing the ToE's security properties
• Security Functional Requirements (SFRs): catalog of a product's security functions
• Evaluation Assurance Levels (EALs): the rating/grading of a ToE after evaluation; ranges from EAL1 to EAL7
IV. Examine the EAL scale and the kinds of systems that would qualify for each rating:
• EAL1: Functionally Tested: Confidence in operation against nonserious threats
• EAL2: Structurally Tested: More confidence required but comparable with good business practices
• EAL3: Methodically Tested and Checked: Moderate level of security assurance
• EAL4: Methodically Designed, Tested, and Reviewed: Rigorous level of security assurance but still economically feasible without specialized development
• EAL5: Semiformally Designed and Tested: Certification requires specialized development above standard commercial products
• EAL6: Semiformally Verified Design and Tested: Specifically designed security ToE
• EAL7: Formally Verified Design and Tested: Developed for extremely high-risk situations or high-value systems
Bell–LaPadula Confidentiality Model
I. Explain that the Bell–LaPadula (BLP) model ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.
II. Compare and contrast the two access properties that are part of the BLP model: the simple security property and the * (star) property.
• The simple security property (the read property, often summarized as "no read up") prevents a subject with a lower clearance from reading objects at a higher classification level, while a subject with a higher clearance can read lower-level objects without issue.
• The * property ("no write down"), conversely, prohibits a high-level subject from writing to (sending messages to) a lower-level object, so that classified information cannot leak downward.
III. Illustrate the example provided in the text of the two access modes in the BLP model.
Biba Integrity Model
I. Compare and contrast the BLP and Biba integrity models.
• Emphasize that the key difference between the two models is that Biba's properties protect integrity rather than confidentiality; they are constructed the same way as BLP's, with the direction of each rule reversed.
II. Point out that Biba is based on the premise that higher levels of integrity are more worthy of trust than lower ones.
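The following code is an added example, not part of the instructor manual or the textbook; it covers the lattice-based MAC discussion earlier in the outline as well as the BLP and Biba items just above. A label is a level plus a set of compartments, dominance is the lattice ordering, and each model's two properties reduce to a dominance check in one direction or the other. The level names and the analyst/document labels are hypothetical.

```python
"""Lattice-based mandatory access control: Bell-LaPadula and Biba rules over one label type."""
from dataclasses import dataclass

# Hypothetical ordering of sensitivity levels, lowest to highest. For Biba the same
# numbers are read as integrity levels (0 = least trustworthy data).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of compartments (need-to-know categories)."""
    level: str
    compartments: frozenset = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: a's level is at least b's AND a holds all of b's compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


# Bell-LaPadula: confidentiality. Information may only flow upward.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """* property ("no write down"): the object must dominate the subject."""
    return dominates(obj, subject)


# Biba: integrity. The rules are BLP's inverted; information may only flow downward.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity ("no read down"): the object's integrity must dominate the subject's."""
    return dominates(obj, subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """* integrity ("no write up"): the subject's integrity must dominate the object's."""
    return dominates(subject, obj)


def permitted_modes(subject: Label, obj: Label, model: str) -> frozenset:
    """Which of {read, write} the named model grants for this subject/object pair."""
    rules = {"blp": (blp_can_read, blp_can_write), "biba": (biba_can_read, biba_can_write)}
    can_read, can_write = rules[model]
    modes = set()
    if can_read(subject, obj):
        modes.add("read")
    if can_write(subject, obj):
        modes.add("write")
    return frozenset(modes)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    for name, obj in [("TS crypto report", Label("TOP SECRET", frozenset({"CRYPTO"}))),
                      ("Confidential memo", Label("CONFIDENTIAL")),
                      ("Secret nuclear file", Label("SECRET", frozenset({"NUCLEAR"})))]:
        print(f"{name:20s} BLP={sorted(permitted_modes(analyst, obj, 'blp'))} "
              f"Biba={sorted(permitted_modes(analyst, obj, 'biba'))}")
```

Two points worth drawing out in class: the compartment check is what makes this a lattice rather than a simple ladder (a SECRET analyst cleared for CRYPTO gets nothing on a SECRET file compartmented NUCLEAR), and the BLP * property's "no write down" is exactly what stops a compromised high-clearance process from exfiltrating to a low-classification object, at the price of being unable to send even a harmless note downward.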
Clark–Wilson Integrity Model
I. Stress that this model, unlike the others, is built on change controls rather than integrity levels and is designed for a commercial environment.
II. Outline the model's change control principles:
• No changes by unauthorized subjects
• No unauthorized changes by authorized subjects
• The maintenance of internal and external consistency
III. Emphasize that this model establishes a system of subject-program-object relationships in which subjects have no direct access to objects; they must go through programs (well-formed transactions) to access an object.
IV. Detail the three controls that are part of this model:
• Subject authentication and identification
• Access to objects by means of well-formed transactions
• Execution by subjects on a restricted set of programs
V. Illustrate the four elements that make up the Clark–Wilson model:
• Constrained data item (CDI): A data item whose integrity is protected
• Unconstrained data item (UDI): Data not controlled by Clark–Wilson; nonvalidated input or any output
• Integrity verification procedure (IVP): A procedure that scans data items and confirms their integrity
• Transformation procedure (TP): The only kind of procedure permitted to change a constrained data item
Graham–Denning Access Control Model
I. Point out that this model has three core parts: a set of objects, a set of subjects, and a set of rights.
II. Outline the model's eight primitive protection rights:
• Create object
• Create subject
• Delete object
• Delete subject
• Read access right
• Grant access right
• Delete access right
• Transfer access right
III. Emphasize that within this model, the set of rights governs how subjects may manipulate the passive objects.
Harrison–Ruzzo–Ullman Model
I. Detail that the Harrison–Ruzzo–Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects.
II. Contrast and emphasize that the Bell–LaPadula model does not describe how access rights change, whereas this model does.
III. Categorize the set of generic rights and the special set of commands that make up this model:
• Create subject / create object
• Enter a specific command or generic right into the access matrix for a subject or object
• Delete a specific command or generic right from the access matrix for a subject or object
• Destroy subject / destroy object
Brewer–Nash Model
I. Discuss the Brewer–Nash model, which is designed to prevent a conflict of interest between two parties. Point out that this model is sometimes known as the Chinese Wall model.
Zero Trust Architecture
I. Explain that this model moves defenses away from static, network-based perimeters and focuses instead on authentication of users, assets, and resources, dynamically allowing access based on access control rules.
II. Stress that this includes environments where people bring their own devices (BYOD) and cloud-based infrastructures.
III. Recognize that protection is focused on resources, not network segments.
Quick Quiz 1
1. The method by which systems determine whether and how to admit a user into a trusted area of the organization is known as which of the following?
   a. attribute
   b. accountability
   c. access control
   d. auditability
   Answer: c
2. Which term is used to describe the process of validating a supplicant's purported identity?
   a. accountability
   b. authentication
   c. authorization
   d. biometrics
   Answer: b
3. True or False: The authentication factor something a supplicant has relies upon individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans.
   Answer: False
4. The biometric technology criterion that describes the number of legitimate users who are denied access because of a failure in the biometric device is known as which of the following?
   a. false reject rate
   b. false accept rate
   c. crossover error rate
   d. accountability rate
   Answer: a
5. The piece of the system that manages access controls within the TCB is an object known as which of the following?
   a. covert channel
   b. storage channel
   c. reference monitor
   d. standard
   Answer: c
Firewall Technologies (8.3, 8.4, PPT Slides 18–33)
I. Recall how a firewall prevents specific types of information from moving between an external network, known as the untrusted network, and an internal network, known as the trusted network.
II. Discuss how the firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing several supporting devices.
III. Categorize firewalls in three ways: by processing mode, by development era, or by structure.
Firewall Processing Modes
I. Classify firewalls into the four major categories of processing modes: packet-filtering firewalls, application layer proxy firewalls, MAC layer firewalls, and hybrids.
Packet-Filtering Firewalls
I. Explain that packet-filtering firewalls examine the header information of data packets that come into a network. Use Figure 8-7 as a visual illustration of a standard IPv4 packet structure.
II. Relate that packet-filtering firewalls scan network data packets for compliance with the firewall's rule base. Packets are inspected at Layer 3 (the network layer) of the seven-layer Open Systems Interconnection (OSI) model.
III. Emphasize that the restrictions most commonly implemented are based on a combination of the following:
• IP source and destination address
• Direction (inbound or outbound)
• Protocol, for firewalls capable of examining the IP protocol field
• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination ports (use Figures 8-8 and 8-9 to illustrate these)
IV. Describe simple firewall models, which examine only the source and destination addresses in the packet header. Emphasize that they enforce address restrictions: rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
V. Explain that they accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators.
VI. Identify the three subsets of packet-filtering firewalls:
• Static filtering
• Dynamic filtering
• Stateful packet inspection (SPI)
VII. Evaluate how static filtering requires that the filtering rules be developed and installed with the firewall.
VIII. Describe dynamic filtering, which allows the firewall to react to an emergent event and update or create rules to deal with the event. Note that while static filtering firewalls allow an entire set of one type of packet to enter in response to authorized requests, a dynamic packet-filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through the firewall.
IX. Detail how stateful inspection firewalls, or stateful firewalls, keep track of each network connection between internal and external systems using a state table, which tracks the state and context of each packet in the conversation by recording which station sent which packet and when.
X. Stress the difference between simple packet-filtering firewalls and stateful firewalls. Whereas simple packet-filtering firewalls only allow or deny certain packets based on their addresses and ports, a stateful firewall can block incoming packets that are not responses to internal requests.
XI. Critique how the primary disadvantage of a stateful firewall is the additional processing required to manage and verify packets against the state table, which can leave the system vulnerable to a DoS or DDoS attack that floods it with new connections until the table is exhausted.
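The following code is an added example, not part of the instructor manual or the textbook, and it serves both the static-filtering rule list (items III through VII) and the stateful inspection discussion (items IX through XI). It runs a three-packet constructed trace through a static ACL and through a toy stateful firewall: the static rule base has to admit anything arriving from TCP port 443 so that HTTPS replies reach internal clients, which also admits an attacker who simply sets a source port of 443; the stateful version admits only replies that match an entry recorded when the inside host opened the connection. The addresses are from documentation ranges and the rule format is hypothetical.

```python
"""Static packet filtering vs. stateful packet inspection on a constructed packet trace."""
from collections import namedtuple

ANY = "*"
Packet = namedtuple("Packet", "direction proto src sport dst dport")
# A static ACL entry; "*" matches anything. Rules are evaluated top-down, first match wins.
Rule = namedtuple("Rule", "action direction proto src sport dst dport")


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(r == ANY or r == p for r, p in zip(rule[1:], pkt))


def static_filter(rules, pkt: Packet, default="deny") -> str:
    """Classic packet filter: decide from header fields only, no memory of prior packets."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


class StatefulFirewall:
    """Keeps a state table of connections opened from the inside and admits only their replies."""

    def __init__(self, published_rules=(), max_entries=1000):
        self.published_rules = list(published_rules)  # inbound services deliberately exposed
        self.state = set()                             # (proto, int_ip, int_port, ext_ip, ext_port)
        self.max_entries = max_entries                 # cap: state-table exhaustion is the DoS risk

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.state:
                if len(self.state) >= self.max_entries:
                    return "deny"  # table full; refuse new connections rather than fail open
                self.state.add(key)
            return "allow"
        # Inbound: allowed only as a reply to a recorded outbound connection ...
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.state:
            return "allow"
        # ... or when it hits a service the administrator explicitly published.
        return static_filter(self.published_rules, pkt)


# Static rule base that has to let HTTPS replies back in. Because it cannot remember
# who initiated the connection, the only way is to trust anything arriving FROM port 443.
STATIC_RULES = [
    Rule("allow", "out", "tcp", ANY, ANY, ANY, ANY),   # internal hosts may connect anywhere
    Rule("allow", "in", "tcp", ANY, 443, ANY, ANY),    # "replies" from HTTPS servers
    Rule("deny", "in", ANY, ANY, ANY, ANY, ANY),
]

# Constructed packet trace (documentation-range addresses, not real hosts).
TRACE = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 443),  # client opens HTTPS
    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 40000),   # genuine reply
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 3389),    # attacker, sport 443 -> RDP
]


def run_static(trace=TRACE):
    return [static_filter(STATIC_RULES, p) for p in trace]


def run_stateful(trace=TRACE, max_entries=1000):
    fw = StatefulFirewall(max_entries=max_entries)
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print("static  :", run_static())    # the spoofed-source-port probe gets through
    print("stateful:", run_stateful())  # only the recorded connection's reply is admitted
```

The `max_entries` cap is the point of item XI in miniature: every accepted outbound connection costs a table entry, so a flood of connection attempts can fill the table, after which the firewall must either drop new connections (as here) or start evicting old ones. Real products age entries out on a timer and track TCP flags as well, which this toy deliberately omits.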
Application Layer Proxy Firewalls
I. Describe that an application layer firewall, or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router.
II. Identify how the application firewall is also known as a proxy server, since it runs special software that acts as a proxy for a service request.
III. Emphasize that since the proxy server is often placed in an unsecured area of the network or in the DMZ, it, rather than the Web server, is exposed to the higher levels of risk from the less trusted networks.
IV. Define the four common applications these firewalls protect at the application layer:
• File Transfer Protocol (FTP)
• Telnet
• Hypertext Transfer Protocol (HTTP)
• Simple Mail Transfer Protocol (SMTP) or Simple Network Management Protocol (SNMP)
Media Access Control Layer Firewalls
I. Comment how MAC layer firewalls are designed to operate at the media access control sublayer of the data link layer (Layer 2) of the OSI model. Point out that this type of firewall is not as well known or widely referenced.
II. Explain how, using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host, and all other traffic is blocked.
III. Emphasize that "MAC" here means media access control and is unrelated to the mandatory access controls (MACs) discussed earlier in the module.
IV. Reference Figure 8-11 for additional information on this type of firewall.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
20
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 8: Security Technology: Access Controls, Firewalls, and VPNs
Hybrid Firewalls
I. Identify that hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.
II. Propose how, alternately, a hybrid firewall system can consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem.
III. Report on the most recent generation of firewalls, known as Unified Threat Management (UTM) and the Next Generation Firewall (NextGen or NGFW). Point out that UTMs are categorized by their ability to perform the work of an SPI firewall, network intrusion detection and prevention system, content filter, spam filter, and malware scanner and filter.
IV. Contrast how smaller organizations may prefer an all-in-one firewall approach due to budgetary constraints, whereas larger organizations may have separate firewalls.
Firewall Architectures
I. Emphasize that each of the firewall devices noted earlier can be configured in several network connection architectures.
II. Briefly discuss the impact that cloud-based IT solutions and bring your own device (BYOD) have on securing networks today.
III. Stress that the firewall configuration that works best for a particular organization depends on three factors: the objectives of the network, the organization's ability to develop and implement the architectures, and the budget available for the function.
IV. Describe three common architectural implementations of firewalls:
• Single bastion hosts
• Screened host firewalls
• Screened subnet firewalls
Single Bastion Hosts
I. Emphasize that this approach provides a single firewall layer to protect an organization's router. Denote that the single bastion host architecture can be implemented as a packet filtering router or as a firewall behind a router that is not configured for packet filtering.
II. State that anything that is exposed to an untrusted network is often referred to as a bastion or sacrificial host.
III. Present the understanding that this type of setup is common in homes and small office/home office (SOHO) environments.
IV. Explain that a bastion host is usually implemented as a dual-homed host. The bastion host contains two NICs. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. Reference Figure 8-12 for a visual understanding of this concept.
V. Relate that with a two-NIC setup, all traffic must go through the firewall to move between the internal and external networks.
VI. Discuss the implementation of this architecture, which often makes use of Network Address Translation (NAT). NAT is a method of mapping assigned IP addresses to special ranges of nonroutable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers.
VII. Compare the similarities and differences between Port Address Translation (PAT) and Network Address Translation (NAT).
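To make the NAT and PAT comparison in items VI and VII concrete for students, the following is an added Python example (instructor-added illustration, not code from the textbook or from Cengage) of both translation styles on a dual-homed bastion host: StaticNat gives each internal host its own public address, while PortAddressTranslator multiplexes every internal host behind one public address by rewriting source ports and drops inbound packets that match no existing mapping. The public and private addresses and the port range are constructed for the demonstration.

```python
"""Added example (not from the textbook or this instructor manual): address
translation on a dual-homed bastion host. StaticNat maps each internal host
to its own public address (one-to-one NAT); PortAddressTranslator shares one
public address among many hosts by rewriting source ports (PAT) and drops
inbound packets that match no mapping. All addresses are constructed."""
from itertools import count


class StaticNat:
    """One-to-one NAT: an internal address is swapped for a fixed public one."""

    def __init__(self, mapping):
        self.to_public = dict(mapping)                        # private -> public
        self.to_private = {v: k for k, v in mapping.items()}  # public -> private

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        return (self.to_public[src_ip], src_port, dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        # Any packet for a mapped public address is forwarded, solicited or not,
        # which is why 1:1 NAT still needs the firewall rule base in front of it.
        inner = self.to_private.get(dst_ip)
        return None if inner is None else (src_ip, src_port, inner, dst_port)


class PortAddressTranslator:
    """Many-to-one NAT (PAT): one public address shared via distinct ports."""

    def __init__(self, public_ip="203.0.113.10", first_port=40000):
        self.public_ip = public_ip              # constructed routable address
        self._next_port = count(first_port)     # pool of public source ports
        self.outbound = {}   # (inner_ip, inner_port, peer_ip, peer_port) -> public port
        self.inbound = {}    # public port -> (inner_ip, inner_port, peer_ip, peer_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal host's packet so the outside sees only the public IP."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the inside host; None means drop (no mapping)."""
        entry = self.inbound.get(dst_port)
        if dst_ip != self.public_ip or entry is None:
            return None
        inner_ip, inner_port, peer_ip, peer_port = entry
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None      # a different outside host cannot reuse the mapping
        return (src_ip, src_port, inner_ip, inner_port)
```

The point to draw out in class is the last method: with PAT, an unsolicited packet from the Internet has no table entry and is discarded, so the translation table itself acts as the "barrier to intrusion" mentioned in item VI, whereas one-to-one NAT forwards anything addressed to a mapped public address and relies on the firewall rules for that protection.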
Screened Host Architecture
I. Detail the process as a combination of a packet-filtering router with a separate dedicated firewall (i.e., an application proxy server), which gets information for users and caches copies of Web pages and other information on its internal devices to expedite access to them.
II. Denote that this gives the router the option to prescreen packets, reducing the network traffic and load on the internal proxy.
III. Relate the fact, however, that a screened host firewall may present a promising target, because compromise of the bastion host can lead to attacks on the proxy server that could disclose the configuration of internal networks and possibly provide attackers with an opportunity to retrieve internal information.
IV. Apply Figure 8-13 to the discussion and explanation of screened host architectures.
Screened Subnet Architecture (with DMZ)
I. Explain how the screened host architecture combines the packet filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy.
II. Illustrate how the application proxy examines an application layer protocol and performs the proxy services. Use Figures 8-14 and 8-15 as supplements to the discussion.
III. Emphasize that the dominant architecture used today, the screened subnet firewall, provides a DMZ. State how the DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.
IV. Classify that a common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network:
• Connections from the outside or untrusted network are routed through an external filtering router.
• Connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the separate network segment known as the DMZ.
• Connections into the trusted internal network are allowed only from the DMZ bastion host servers.
V. Explain how the screened subnet is an entire network segment that performs two functions:
• It protects the DMZ systems and information from outside threats by providing a network of intermediate security.
• It protects the internal networks by limiting how external connections can gain access to internal systems.
VI. Identify that DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the public.
VII. Detail the process as a combination of a packet-filtering router with a separate dedicated firewall (i.e., an application proxy server), which gets information for users and caches copies of Web pages and other information on its internal devices to expedite access to them. Use Figure 8-15 for additional visual assistance in explaining the concept to students.
Selecting the Right Firewall
I. Outline the four questions that must be answered to determine the best firewall for an organization and its needs:
• Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
• What features are included in the base price? What features are available at extra cost? Are all cost factors known?
• How easy is it to set up and configure the firewall? Does the organization have staff members on hand who are trained to configure the firewall, or would the hiring of additional employees (or contractors or managed service providers) be required?
• Can the firewall adapt to the organization's growing network?
II. Stress that cost is likely the second most important issue; naturally, the most important is the protection the firewall will provide for the situation.
Configuring and Managing Firewalls
I. Relate that the configuration of firewall policies can be complex and difficult. Explain how each configuration rule must be carefully crafted, debugged, tested, and sorted.
II. Emphasize that when configuring firewalls, keep one thing in mind: when security rules conflict with the performance of business, security often loses.
Best Practices for Firewalls
I. Illustrate the most frequently recommended best practices, as outlined in the text, for firewall installation, upkeep, and maintenance:
• All traffic from the trusted network is allowed out.
• The firewall device is never directly accessible from the public network.
• SMTP data is allowed to pass through the firewall, but it should be routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
• All ICMP data should be denied.
• Telnet access to all internal servers from the public networks should be blocked.
• When Web services are offered outside the firewall, HTTP traffic should be denied from reaching your internal networks through the use of some form of proxy access or DMZ architecture.
• All data that is not verifiably authentic should be denied.
Firewall Rules
I. Explain how firewalls operate by examining a data packet and comparing it with predetermined logical rules.
II. Discuss the logic, which is based on a set of guidelines programmed by a firewall administrator or created dynamically based on outgoing requests for information.
III. Apply the understanding that this logical set is most often referred to as firewall rules, the rule base, or firewall logic.
IV. Explain that most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped.
V. Summarize the rule sets provided in the text and within Tables 8-5 through 8-19:
• Rule Set 1: Responses to internal requests are allowed.
• Rule Set 2: The firewall device is never accessible directly from the public network.
• Rule Set 3: All traffic from the trusted network is allowed out.
• Rule Set 4: Packets governed by this rule are allowed to pass through the firewall but are routed to a well-configured SMTP gateway (see Table 8-9 for SMTP data).
• Rule Set 5: All ICMP data (such as ICMP Echo requests) should be denied.
• Rule Set 6: Telnet (terminal emulation) access should be blocked to all internal servers from the public networks. This applies more to UNIX- and Linux-based machines and less so to Windows machines.
• Rule Set 7: When Web services are offered outside of the firewall, HTTP and HTTPS traffic should be blocked from the internal networks through the use of proxy access or a DMZ architecture.
• Rule Set 8: As a general practice in firewall rule construction, if a request for a service is not explicitly allowed by policy, that request should be denied by a rule.
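The rule sets above, together with the stateful-versus-packet-filtering distinction from the earlier firewall discussion and the screened subnet rule that only DMZ hosts may open connections into the trusted network, as an added Python example (instructor-added illustration, not code from the textbook or from Cengage). It is a first-match rule base with a state table; the trusted and DMZ networks, the firewall's public address, the SMTP gateway address, and the sample packets are all constructed for the demonstration.

```python
"""Added example (not from the textbook or this instructor manual): a small
first-match rule base with a state table, applying Rule Sets 1 to 8 to sample
packets, plus the screened subnet rule that only DMZ bastion hosts may open
connections inward. All addresses, ports and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED_NET = ip_network("10.0.0.0/8")       # constructed internal (trusted) network
DMZ_NET = ip_network("172.16.0.0/24")        # constructed screened subnet (DMZ)
FIREWALL_IP = ip_address("203.0.113.1")      # constructed public address of the firewall
SMTP_GATEWAY = ip_address("172.16.0.25")     # constructed hardened SMTP gateway in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


class StatefulFirewall:
    """Evaluate packets in rule-set order; the first matching rule decides."""

    def __init__(self):
        # State table of outbound connections, keyed by their 5-tuple, so that
        # only genuine replies are let back in (Rule Set 1).
        self.state = set()

    @staticmethod
    def _in(net, ip):
        return ip_address(ip) in net

    def evaluate(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for one packet and update the state table."""
        # Rule Set 1: responses to requests the inside initiated are allowed.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return "allow"
        # Rule Set 2: the firewall itself is never reachable from the public network.
        if ip_address(pkt.dst) == FIREWALL_IP and not self._in(TRUSTED_NET, pkt.src):
            return "deny"
        # Rule Set 3: all traffic from the trusted network is allowed out, and the
        # connection is recorded so that its replies match Rule Set 1 later.
        if self._in(TRUSTED_NET, pkt.src) and not self._in(TRUSTED_NET, pkt.dst):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        # Rule Set 5: all ICMP is denied.
        if pkt.proto == "icmp":
            return "deny"
        # Screened subnet: only DMZ bastion hosts may open connections inward.
        if self._in(DMZ_NET, pkt.src) and self._in(TRUSTED_NET, pkt.dst):
            return "allow"
        # Rule Set 4: inbound SMTP passes only when routed to the SMTP gateway.
        if pkt.proto == "tcp" and pkt.dport == 25:
            return "allow" if ip_address(pkt.dst) == SMTP_GATEWAY else "deny"
        # Rule Set 6: Telnet to internal servers from the public network is blocked.
        if pkt.proto == "tcp" and pkt.dport == 23:
            return "deny"
        # Rule Set 7: HTTP/HTTPS may reach the DMZ but never the internal network.
        if pkt.proto == "tcp" and pkt.dport in (80, 443):
            return "allow" if self._in(DMZ_NET, pkt.dst) else "deny"
        # Rule Set 8: anything not explicitly allowed is denied.
        return "deny"


def stateless_reply_problem(pkt: Packet) -> str:
    """A plain packet filter has no state table, so to let replies to internal
    requests back in it must open every high port, which also admits
    unsolicited packets to those ports. This is the gap stateful inspection closes."""
    return "allow" if pkt.dport >= 1024 else "deny"
```

Walking a class through `evaluate` in order is a useful way to show why rule order matters: the ICMP denial sits before the DMZ rule so that the "all ICMP denied" practice holds even between DMZ and internal hosts, and the default deny at the end is what makes Rule Set 8 enforceable.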
Content Filters
I. Describe a content filter, which is a software filter (technically not a firewall) that allows administrators to restrict access to content from within a network. It is a set of scripts or programs that restricts user access to certain networking protocols and Internet locations, or restricts users from receiving general types or specific examples of Internet content.
II. Note that some refer to content filters as reverse firewalls, as their primary focus is to restrict internal access to external material.
III. Explain to students that in the most common implementation models, the content filter has two components: rating and filtering.
IV. Emphasize that the rating is like a set of firewall rules for Web sites, and it is common in residential content filters.
V. Classify how the filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures.
VI. Relate the most common content filters, which restrict users from accessing Web sites with obvious non-business-related material, such as pornography, or deny incoming spam e-mail.
Quick Quiz 2
1. What type of firewall examines every incoming packet header and can selectively filter packets based on header information, such as destination address, source address, packet type, and other key information?
a. packet filtering
b. proxy server
c. media access control (MAC) layer
d. application
Answer: a
2. Which type of firewall filtering allows the firewall to react to an emergent event and update or create rules to deal with the event?
a. static
b. stable
c. unstable
d. dynamic
Answer: d
3. True or False: All traffic exiting from the trusted network should be filtered.
Answer: False
4. A network filter that allows administrators to restrict access to external content from within a network is known as which of the following?
a. content filter
b. dynamic filter
c. static filter
d. stateful filter
Answer: a
Protecting Remote Connections (8.5, 8.6, PPT Slides 36–80)
I. Discuss installing Internet connections, which requires using leased lines or other data channels provided by common carriers; these connections are therefore usually permanent and secured under the requirements of a formal service agreement.
II. Explain how, in the past, organizations provided remote connections exclusively through dial-up services like Remote Authentication Service (RAS). Since the Internet has become more widespread in recent years, other options, such as Virtual Private Networks (VPNs), have become more popular.
III. Stress that as more employees work from home or elsewhere, the need for VPNs greatly increases.
Remote Access
I. Explain how it is a widely held view that these unsecured, dial-up connection points represent a substantial exposure to attack.
II. Comprehend that an attacker who suspects that an organization has dial-up lines can use a device called a war dialer to locate the connection points.
III. Illustrate how a war dialer is an automatic phone-dialing program that dials every number in a configured range and checks to see if a person, answering machine, or modem picks up.
IV. Discuss how some technologies, such as RADIUS, Diameter, TACACS, and CHAP password systems, have improved authentication and apply strong encryption.
RADIUS, Diameter, and TACACS
I. Report that these systems authenticate the credentials of users who attempt to access an organization's network through dial-up connections.
II. Explain how Remote Authentication Dial-In User Service (RADIUS) systems place the responsibility for authenticating each user in the central RADIUS server.
III. Evaluate how, when a remote access server (NAS) receives a request for a network connection from a dial-up client, it passes the request along with the user's credentials to the RADIUS server, which then validates the credentials and passes the resulting decision (accept or deny) back to the accepting RAS.
IV. Detail how the Diameter protocol defines the minimum requirements for a system that provides authentication, authorization, and accounting (AAA) services and can go beyond these basics and add commands and/or object attributes.
V. Discuss Diameter security, which uses respected encryption standards including IPSec or TLS; its cryptographic capabilities are extensible and will be able to use future encryption protocols as they are implemented.
VI. Compare how the RADIUS system is similar in function to the Terminal Access Controller Access Control System (TACACS). Distinguish that, like RADIUS, it is a centralized database, and it validates the user's credentials at the TACACS server.
VII. Recommend that students review Figure 8-16 for a visual explanation of RADIUS configurations.
Kerberos
I. Present two authentication systems that provide secure third-party authentication services: Kerberos and SESAME.
II. Detail that Kerberos keeps a database containing the private keys of clients and servers. Note that in the case of a client, this key is simply the client's encrypted password.
III. Illustrate how the Kerberos system remembers private keys and has the ability to authenticate one network node (client or server) to another. Outline the following interacting services, which include database libraries:
• Authentication server (AS), which is a Kerberos server that authenticates clients and servers
• Key Distribution Center (KDC), which generates and issues session keys
• Kerberos ticket granting service (TGS), which provides tickets to clients who request services
IV. Outline the following principles that Kerberos is based on:
• The KDC knows the secret keys of all clients and servers on the network.
• The KDC initially exchanges information with the client and server by using these secret keys.
• Kerberos authenticates a client to a requested service on a server through the TGS and by issuing temporary session keys for communications between the client and KDC, the server and KDC, and the client and server.
• Communications then take place between the client and server using these temporary session keys.
V. Recommend that students review Figures 8-17 and 8-18 for a detailed view of Kerberos login and service request procedures.
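The login and service-request procedures outlined in items III and IV, as an added Python simulation (instructor-added illustration, not code from the textbook or from Cengage). The KDC runs the authentication server and the ticket granting service, the client obtains a ticket-granting ticket and then a service ticket, and the server opens the ticket with its own key. The `seal`/`unseal` pair is a toy keystream cipher with a hash tag, used only so the flow is runnable offline; real Kerberos uses standard ciphers. All principals, passwords and keys are constructed.

```python
"""Added example (not from the textbook or this instructor manual): a compact
simulation of the Kerberos login and service-request flow. seal/unseal are a
toy keystream cipher with a hash tag (demo only, not a real cipher); all
principals, passwords and keys are constructed."""
import hashlib
import json
import secrets


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encryption: XOR the JSON encoding with a keyed stream, plus a tag."""
    nonce, data = secrets.token_bytes(8), json.dumps(obj).encode()
    tag = hashlib.sha256(key + data).digest()[:8]
    return nonce + tag + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal; raises ValueError when the key is wrong (tag mismatch)."""
    nonce, tag, body = blob[:8], blob[8:16], blob[16:]
    data = bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))
    if hashlib.sha256(key + data).digest()[:8] != tag:
        raise ValueError("wrong key or tampered message")
    return json.loads(data)


def key_from_password(password: str) -> bytes:
    """The client's long-term key is derived from its password (demo derivation)."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Knows every principal's secret key; runs the AS and the TGS."""
    def __init__(self, keys: dict):
        self.keys = dict(keys)                       # principal -> secret key
        self.tgs_key = secrets.token_bytes(32)       # key under which TGTs are sealed

    def authentication_server(self, client: str) -> bytes:
        """AS reply: a TGS session key and a TGT, sealed under the client's key."""
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def ticket_granting_server(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS reply: a client-server session key and a ticket sealed for the server."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match the TGT")
        svc_session = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})


class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, key_from_password(password)

    def login(self, kdc: KDC):
        reply = unseal(self.key, kdc.authentication_server(self.name))   # fails on a wrong password
        self.tgs_session, self.tgt = bytes.fromhex(reply["session"]), bytes.fromhex(reply["tgt"])

    def request_service(self, kdc: KDC, service: str):
        authenticator = seal(self.tgs_session, {"client": self.name})
        reply = unseal(self.tgs_session, kdc.ticket_granting_server(self.tgt, authenticator, service))
        svc_session = bytes.fromhex(reply["session"])
        return bytes.fromhex(reply["ticket"]), seal(svc_session, {"client": self.name})


class Service:
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """Server side: open the ticket with its own key, then check the authenticator."""
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match the ticket")
        return t["client"]


def run_flow(password: str) -> str:
    """Full login plus service request; returns the authenticated name or a failure."""
    file_key = secrets.token_bytes(32)
    kdc = KDC({"alice": key_from_password("correct horse"), "fileserver": file_key})
    client, server = Client("alice", password), Service(file_key)
    try:
        client.login(kdc)
        return server.accept(*client.request_service(kdc, "fileserver"))
    except ValueError:
        return "login failed"
```

The detail worth pointing out is that the password is never sent: a wrong password simply leaves the client unable to open the AS reply, and the file server never talks to the KDC at all, since everything it needs arrives inside a ticket sealed under its own long-term key.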
SESAME
I. Detail that the Secure European System for Applications in a Multivendor Environment (SESAME), defined in RFC 1510, is the result of a European research and development project partly funded by the European Commission. SESAME is like Kerberos in that the user is first authenticated to an authentication server and receives a token.
II. Discuss in detail how SESAME is like Kerberos in that the user is first authenticated to an authentication server and receives a token.
III. Explain how the token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos) as proof of identity to gain a privilege attribute certificate (PAC).
IV. Note that SESAME also builds on the Kerberos model by adding additional and more sophisticated access control features and more scalable encryption systems, as well as improved manageability, auditing features, and the delegation of responsibility for allowing access.
Virtual Private Networks (VPNs)
I. Define a VPN as a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. VPNs are commonly used to securely extend an organization's internal network connections to remote locations beyond the trusted network.
II. Discuss the three VPN technologies that the VPNC defines:
• A trusted VPN, or legacy VPN, uses leased circuits from a service provider and conducts packet switching over these leased circuits.
• A secure VPN uses security protocols and encrypts traffic transmitted across unsecured public networks like the Internet.
• A hybrid VPN combines the two, providing encrypted transmissions (as in a secure VPN) over some or all of a trusted VPN network.
III. Note that a VPN that proposes to offer a secure and reliable capability while relying on public networks must address:
• Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network as well as be usable by the server network environment.
• Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network, but usable by the client and server computers and/or the local networks on both ends of the VPN connection.
• Authentication of the remote computer and, perhaps, the remote user. Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.
IV. Point out that VPN support is built into most Microsoft server software, including Windows Server 2012, and client support for VPN services is built into most Windows clients.
Transport Mode
I. Explain how, in transport mode, the data within an IP packet is encrypted, but the header information is not.
II. Emphasize that this allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet. Direct learners to review Figure 8-19 for a visual reference.
III. Describe the two popular uses for transport mode VPNs:
• The end-to-end transport of encrypted data
• A remote access worker or teleworker connecting to an office network over the Internet by connecting to a VPN server on the perimeter
Tunnel Mode
I. Detail that the purpose of this mode is to encrypt all traffic that will traverse an unsecured network; the receiving server decrypts the packet and sends it on to its final address.
II. Stress that the benefit of this model is that an intercepted packet never reveals anything about its true destination system.
III. Note that in tunnel mode, the entire client packet is encrypted and added as the data portion of a packet that is addressed from one tunneling server to another. The receiving server decrypts the packet and sends it to the final address.
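Transport mode (previous section) and tunnel mode side by side, as an added Python example (instructor-added illustration, not code from the textbook or from Cengage). One client packet is protected both ways, and `observer_view` reports what a sniffer on the public network can read in each case: in transport mode the real endpoints, in tunnel mode only the two tunneling servers. Packets are plain dicts, the protection is a pre-shared pad that is reused across packets purely so the demo runs without a VPN library (a real VPN negotiates per-session keys), and all addresses are constructed.

```python
"""Added example (not from the textbook or this instructor manual): the same
client packet in transport mode and in tunnel mode, and what an observer on
the public network sees in each case. A pre-shared pad stands in for the VPN
cipher (demo assumption); all addresses are constructed."""
import json
import secrets

CLIENT, SERVER = "10.1.0.5", "10.2.0.80"               # constructed hosts at two private sites
GATEWAY_A, GATEWAY_B = "203.0.113.1", "198.51.100.1"   # constructed tunneling servers
PAD = secrets.token_bytes(1024)                        # constructed pre-shared pad (demo only)


def _xor(pad: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(pad, data))


def transport_mode(pkt: dict) -> dict:
    """Encrypt only the data; the IP header (src/dst) stays readable."""
    return {"src": pkt["src"], "dst": pkt["dst"], "payload": _xor(PAD, pkt["payload"])}


def transport_receive(pkt: dict) -> dict:
    """The remote host itself removes the protection."""
    return {"src": pkt["src"], "dst": pkt["dst"], "payload": _xor(PAD, pkt["payload"])}


def tunnel_mode(pkt: dict) -> dict:
    """Encrypt the entire client packet, header included, and carry it as the
    data portion of a new packet addressed from one tunneling server to the other."""
    inner = json.dumps({**pkt, "payload": pkt["payload"].hex()}).encode()
    return {"src": GATEWAY_A, "dst": GATEWAY_B, "payload": _xor(PAD, inner)}


def tunnel_receive(outer: dict) -> dict:
    """The receiving tunneling server decrypts and forwards to the final address."""
    inner = json.loads(_xor(PAD, outer["payload"]))
    return {**inner, "payload": bytes.fromhex(inner["payload"])}


def observer_view(pkt: dict) -> dict:
    """Metadata a sniffer on the public network learns without the key."""
    return {"src": pkt["src"], "dst": pkt["dst"], "length": len(pkt["payload"])}


def compare(payload: bytes) -> dict:
    """Observer's view of one client packet protected in each mode."""
    pkt = {"src": CLIENT, "dst": SERVER, "payload": payload}
    return {"transport": observer_view(transport_mode(pkt)),
            "tunnel": observer_view(tunnel_mode(pkt))}
```

Running `compare(b"GET /payroll HTTP/1.1")` shows the difference item II above is making: the transport-mode view still names the internal client and server, while the tunnel-mode view names only the two gateways and a slightly larger ciphertext, because the inner header travels inside the encrypted data.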
Final Thoughts on Remote Access and Access Controls (PPT Slides 68 and 83)
I. Discuss the concept of deperimeterization and how it applies to information security.
II. Emphasize the importance of remote access to systems and how COVID-19 accelerated the need for protected connections away from the office.
Deperimeterization
I. Describe this phenomenon as the ability to expand an organization beyond the traditional security boundaries a firm would have in place.
II. Explain the concept of the "death of the perimeter" and why it is important to still have strong information system firewalls and infrastructure in place.
III. Realize that the network perimeter is whatever an organization defines it to be. Wherever it exists, it is the boundary between the information inside trusted technical systems and the many untrusted environments that may be interconnected to it. Regardless of its location, it still must be protected.
Remote Access in the Age of COVID-19
I. Justify the claim that organizations that had remote access systems in place were far better equipped to handle the transformation of the workplace that resulted from the pandemic.
II. Critique how many organizations were able to transition the workplace successfully during this once-in-a-lifetime event, whereas those that did not likely failed.
Quick Quiz 3
1. What is the system most often used to authenticate the credentials of users who are trying to access an organization's network via a dial-up connection?
a. VPN
b. RADIUS
c. SESAME
d. KDC
Answer: b
2. In which mode of IPSec is the data within an IP packet encrypted, while the header information is not?
a. process mode
b. tunnel mode
c. transport mode
d. encryption mode
Answer: c
3. What is used to dial every number in a configured range and check to see if a person, answering machine, or modem picks up?
a. war dialer
b. number redialer
c. modem redialer
d. incident redialer
Answer: a
4. True or False: SESAME is an authentication system that is the result of a European research and development project and is similar to Kerberos.
Answer: True
5. Which VPN technology uses leased circuits from a service provider and conducts packet switching over these leased circuits?
a. secure VPN
b. hybrid VPN
c. trusted VPN
d. transport VPN
Answer: c
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. Which architecture for deploying a firewall is most used in businesses today? (8.3, PPT Slides 18–33) Duration 15 minutes.
2. What are the reasons that VPN technology has become the dominant method for remote workers to connect to the organizational network? (8.1, 8.2, 8.3, and 8.5, PPT Slides 3–15, 36–50, and 83) Duration 15 minutes.
3. As more work and systems go cloud-based, do you think the need for firewalls will increase or decrease their dependency on VPNs? Explain why or why not. (8.3, 8.4, 8.6, PPT Slides 36–80, and 83) Duration 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab, 15 to 20 minutes; Phishing E-Mail lab, 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Create a portable AV scanner using a USB storage device.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. A hands-on exercise or even a classroom demonstration can go a long way toward cementing the learning objectives of this chapter. A simple SOHO or residential router with NAT and limited firewall reporting can be brought into the classroom with two or three portable computers and used to show how a simple NAT firewall approach can be used.
2. If a more elaborate firewall environment is needed, a field trip to your organization's main network operations center may be in order.
[return to top]
Additional Resources
Internet Resources
• Exposing the Underground: Adventures of an Open Proxy
• Firewall
• Guide to IPsec VPNs
• ICSA Labs IPSec Testing
• Network Policy and Access Services
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3 (Exceeds Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2 (Meets Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1 (Needs Improvement)
• Student's response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student's response is poorly developed or incomplete.
0 (Inadequate)
• Student's response is missing or incomplete.
• Student's response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 9: Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools
Table of Contents
Purpose and Perspective of the Module
Cengage Supplements
Module Objectives
Complete List of Module Activities and Assessments
Key Terms
What's New in This Module
Module Outline
Discussion Questions
Suggested Usage for Lab Activities
Additional Activities and Assignments
Additional Resources
  Cengage Video Resources
  Internet Resources
Appendix
  Grading Rubrics
Purpose and Perspective of the Module
Security technologies must be kept current and up to date so that networks are prepared for future attacks whenever possible. This module outlines and describes the categories and models of intrusion detection and prevention systems and the detection approaches they employ. Learners will also be able to apply what they learn about modern intrusion detection and prevention systems to keep information systems intact. Finally, the major categories of scanning and analysis tools used to detect intrusions and find vulnerabilities are described in detail to close out the module.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor's manual
Module Objectives
The following objectives are addressed in this module:
9.1 Identify and describe the categories and models of intrusion detection and prevention systems.
9.2 Describe the detection approaches employed by modern intrusion detection and prevention systems.
9.3 Define and describe honeypots, honeynets, and padded cell systems.
9.4 List and define the major categories of scanning and analysis tools and describe the specific tools used within each category.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
9.1 and 9.2 | 24–25 | Knowledge Check Activity 1 | 2 minutes
9.1 and 9.2 | 45–46 | Knowledge Check Activity 2 | 2 minutes
9.3 and 9.4 | 56–57 | Knowledge Check Activity 3 | 2 minutes
9.1–9.4 | 66 | Self-Assessment | 5 minutes
9.1–9.4 | MindTap | Module 09 Review Questions | 30–40 minutes
9.1–9.4 | MindTap | Module 09 Case Exercises | 30 minutes
9.1–9.4 | MindTap | Module 09 Exercises | 10–30 minutes per question; 1+ hour per module
9.1–9.4 | MindTap | Module 09 Security for Life | 1+ hour
9.1–9.4 | MindTap | Module 09 Quiz | 10–15 minutes
Key Terms
In order of use:
intrusion: An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
intrusion detection system (IDS): A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.
intrusion detection and prevention system (IDPS): The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.
known vulnerability: A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
zero-day vulnerability: An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss; once it is discovered, there are zero days to identify, mitigate, and resolve the vulnerability.
network-based IDPS (NIDPS): An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
agent: See sensor.
sensor: A hardware and software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.
monitoring port: A specially configured connection on a network device that can view all the traffic that moves through the device, also known as a switched port analysis (SPAN) port or mirror port.
switched port analysis (SPAN) port: See monitoring port.
mirror port: See monitoring port.
protocol stack verification: The process of examining and verifying network traffic for invalid data packets, which are packets malformed under the rules of the TCP/IP protocol.
application protocol verification: The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
passive mode: An IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic.
inline sensor: An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
host-based IDPS (HIDPS): An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system, also known as a system integrity verifier.
signature-based detection: The examination of system or network data in search of patterns that match known attack signatures, also known as knowledge-based detection or misuse detection.
knowledge-based detection: See signature-based detection.
misuse detection: See signature-based detection.
signatures: Patterns that correspond to a known attack.
anomaly-based detection: An IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy, also known as behavior-based detection.
behavior-based detection: See anomaly-based detection.
clipping level: A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file, notify an administrator, or both.
stateful protocol analysis (SPA): The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns to detect misuse and attacks, sometimes referred to as deep packet inspection.
log file monitor (LFM): An attack detection method that reviews log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
security information and event management (SIEM): An information management system specifically tasked to collect and correlate events and other log data from a number of servers or other network devices for the purpose of interpreting, filtering, correlating, analyzing, storing, reporting, and acting on the resulting information.
threat intelligence: A process used to develop knowledge that allows an organization to understand the actions and intentions of threat actors and develop methods to prevent or mitigate cyberattacks.
centralized IDPS control strategy: An IDPS implementation approach in which all control functions are managed in a central location.
fully distributed IDPS control strategy: An IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component.
partially distributed IDPS control strategy: An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.
threshold: A value that sets the limit between normal and abnormal behavior. See also clipping level.
blacklist: A list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access.
whitelist: A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite access to systems or networks.
honeypot: An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion.
honeypot farm: See honeynet.
honeynet: A monitored network or network segment that contains multiple honeypot systems.
honeytoken: Any system resource that is placed in a functional system but has no normal use in the system, and that instead serves as a decoy and alarm, similar to a honeypot.
padded cell system: A honeypot that has been hardened so that it cannot easily be compromised; when an IDPS detects an intruder, it seamlessly transfers the intruder into the padded cell, a simulated environment in which no harm can be done, while the administrator is notified.
trap-and-trace application: An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.
pen register: An application that records information about outbound communications.
back hack: The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
enticement: The act of attracting attention to a system by placing tantalizing information in key locations.
entrapment: The act of luring a person into committing a crime in order to get a conviction.
attack protocol: A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
footprinting: The organized research and investigation of Internet addresses owned or controlled by a target organization.
fingerprinting: The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.
port scanner: A type of tool used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.
attack surface: The functions and features that a system exposes to unauthenticated users.
active vulnerability scanner: An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
passive vulnerability scanner: A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This Module was Chapter 7 in the 6th edition.
• The entire Module was refreshed with a general update and given more current examples.
Module Outline
Introduction to Intrusion Detection and Prevention Systems (9.1, 9.2, PPT Slides 3–23 and 26–44)
I. Define the concept of intrusion and how it is a type of attack on information assets in which the instigator attempts to enter a system or disrupt the normal operations of a system with the intent to do malicious harm.
II. Discuss intrusion prevention, which consists of activities that seek to deter an intrusion from occurring.
III. Identify the purpose of intrusion detection and why it is important to have up-to-date systems in place so that losses and interruptions to business are kept to a minimum.
IV. Compare and contrast intrusion detection systems (IDSs) and intrusion detection and prevention systems (IDPSs). Explain why IDSs are less frequently used now than IDPSs.
V. Discuss how system administrators can choose the configuration of the various alerts and the associated alarm levels for each type of alert.
VI. Review the response techniques recommended in NIST Special Publication (SP) 800-94 Rev. 1.
IDPS Terminology
I. Recall and review the following terms that are applicable to how an IDPS operates:
• Alarm or alert: An indication or notification that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.
• Alarm clustering and compaction: A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms. Clustering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by system administrators.
• Alarm filtering: The process of classifying IDPS alerts so they can be more effectively managed. An IDPS administrator can set up alarm filtering by running the system for a while to track the types of false positives it generates and then adjusting the alarm classifications. For example, the administrator may set the IDPS to discard alarms produced by false attack stimuli or normal network operations. Alarm filters are similar to packet filters in that they can filter items by their source or destination IP addresses, but they can also filter by operating systems, confidence values, alarm type, or alarm severity.
• Confidence value: The measure of an IDPS's ability to correctly detect and identify certain types of attacks. The confidence value an organization places in the IDPS is based on experience and past performance measurements. The confidence value, which is based on fuzzy logic, helps an administrator determine the likelihood that an IDPS alert or alarm indicates an actual attack in progress. For example, if a system deemed 90 percent capable of accurately reporting a denial-of-service (DoS) attack sends a DoS alert, there is a high probability that an actual attack is occurring.
• Evasion: The process by which attackers change the format or timing of their activities to avoid being detected by an IDPS.
• False attack stimulus: An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.
• False negative: The failure of a technical control (such as an IDPS) to react to an actual attack event. This is the most grievous IDPS failure, given that its purpose is to detect and respond to attacks.
• False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactions to actual intrusion events.
• Noise: In incident response, alarm events that are accurate and noteworthy but do not pose significant threats to information security. Unsuccessful attacks are the most common source of IDPS noise, although some noise might be triggered by scanning and enumeration tools run by network users without harmful intent.
• Site policy: The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
• Site policy awareness: An IDPS's ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reactions in response to administrator guidance over time and the local environment. A dynamic IDPS logs events that fit a specific profile instead of minor events, such as file modifications or failed user logins. A smart IDPS knows when it does not need to alert the administrator, for example when an attack is using a known and documented exploit from which the system is protected.
• True attack stimulus: An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress. The event may be an actual attack in which an attacker is attempting a system compromise, or it may be a drill in which security personnel are using hacker tools or performing port scanning to test a network segment.
• Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.
II. Compare and contrast false attack stimuli, false negatives, and false positives with a legitimate true attack stimulus. Why should an organization take false events seriously?
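The clustering and filtering steps defined above, as an added Python example that is not code from the textbook or this manual: alarms with the same source, target, and signature that arrive within a time window are compacted into one higher-level alarm carrying a count, and a site policy then discards alarms from an authorised internal scanner (a known false attack stimulus) and low-severity noise. The alarm schema, the site-policy fields, and the sample alarms are assumptions constructed for the demonstration; a real IDPS console has its own schema.

```python
"""Alarm clustering/compaction and alarm filtering for IDPS alerts.

Added example, not code from the textbook or the instructor manual. The
Alarm schema, the site-policy fields and the sample alarms are assumptions
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alarm:
    ts: float          # seconds since epoch
    src: str           # source IP
    dst: str           # target IP
    signature: str     # matched signature name
    severity: int      # 1 (informational) .. 5 (critical)


@dataclass
class ClusteredAlarm:
    first_ts: float
    last_ts: float
    src: str
    dst: str
    signature: str
    severity: int
    count: int = 1


def cluster_alarms(alarms: List[Alarm], window: float = 60.0) -> List[ClusteredAlarm]:
    """Alarm clustering and compaction.

    Alarms with the same source, target and signature are folded into one
    higher-level alarm as long as each arrives within `window` seconds of the
    previous member; a longer gap starts a new cluster. The cluster carries the
    highest severity seen and the number of raw alarms it replaced."""
    clusters: List[ClusteredAlarm] = []
    open_cluster: Dict[Tuple[str, str, str], ClusteredAlarm] = {}
    for a in sorted(alarms, key=lambda x: x.ts):
        key = (a.src, a.dst, a.signature)
        c = open_cluster.get(key)
        if c is not None and a.ts - c.last_ts <= window:
            c.last_ts = a.ts
            c.count += 1
            c.severity = max(c.severity, a.severity)
        else:
            c = ClusteredAlarm(a.ts, a.ts, a.src, a.dst, a.signature, a.severity)
            clusters.append(c)
            open_cluster[key] = c
    return clusters


def filter_alarms(clusters: List[ClusteredAlarm], site_policy: dict) -> List[ClusteredAlarm]:
    """Alarm filtering driven by site policy.

    Drops clusters that the policy classifies as false attack stimuli or normal
    operations: alarms from hosts on the authorised-scanner list, signatures
    known to be benign here, and anything below the minimum severity."""
    ignore_src = site_policy.get("ignore_sources", set())
    ignore_sig = site_policy.get("ignore_signatures", set())
    min_sev = site_policy.get("min_severity", 1)
    return [c for c in clusters
            if c.src not in ignore_src
            and c.signature not in ignore_sig
            and c.severity >= min_sev]


def _sample_alarms() -> List[Alarm]:
    """Constructed raw alarms: a 50-probe scan burst, the same scanner again
    two hours later, an authorised internal scanner, and ICMP noise."""
    base = 1_700_000_000.0
    alarms = [Alarm(base + i, "203.0.113.5", "10.0.0.7", "PORTSCAN_TCP_SYN", 3) for i in range(50)]
    alarms.append(Alarm(base + 7200, "203.0.113.5", "10.0.0.7", "PORTSCAN_TCP_SYN", 3))
    alarms += [Alarm(base + 10 + i, "10.0.0.99", "10.0.0.7", "PORTSCAN_TCP_SYN", 3) for i in range(5)]
    alarms.append(Alarm(base + 20, "198.51.100.9", "10.0.0.7", "ICMP_ECHO_REQUEST", 1))
    return alarms


SAMPLE_ALARMS = _sample_alarms()
SITE_POLICY = {
    "ignore_sources": {"10.0.0.99"},   # assumed: the organisation's authorised vulnerability scanner
    "ignore_signatures": set(),
    "min_severity": 2,
}

if __name__ == "__main__":
    for c in filter_alarms(cluster_alarms(SAMPLE_ALARMS), SITE_POLICY):
        print(f"{c.signature} {c.src} -> {c.dst} x{c.count} (severity {c.severity})")
```

Run as a script, the 56 raw alarms collapse to four clusters and two survive the policy: the 50-probe burst as one alarm and the scanner's return two hours later as a separate one, because the gap exceeded the clustering window. The window and minimum severity are exactly the knobs that tuning adjusts.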
Why Use an IDPS?
I. Classify the most important reasons why an IDPS is a good tool for detecting network intrusions.
Intrusion Detection
I. Focus on the fact that the primary purpose of an IDPS is to identify and report an intrusion.
II. Emphasize that IDPSs can provide triggers or clues of potential upcoming or hidden intrusions that would otherwise likely go unnoticed, such as the probing activities known as doorknob rattling or fingerprinting.
III. Recognize that IDPSs can also help protect assets when systems remain exposed to known vulnerabilities or cannot be updated quickly enough in a rapidly changing environment.
IV. Relate the fact that vulnerability-tracking groups are often aware of vulnerabilities before the information is released to the public.
V. Review the term zero-day vulnerability and why such vulnerabilities are important to be aware of, since they cannot be predicted or prepared for. Remember that many vulnerabilities become known only when they are used in an attack.
Data Collection
I. Examine the reasons why log data should be compiled for analysis over time. This helps determine what happened when an intrusion occurred, the motive behind it, and who else may be exposed.
II. Recall that even if an IDPS fails to stop an intrusion, the data it collects can aid an investigation and provide forensic evidence that could help catch the perpetrator. The same data also shows how frequently intrusions occur.
Attack Deterrence
I. Establish an understanding that an IDPS serves as a deterrent by increasing would-be attackers' fear of being detected. If attackers are aware that an IDPS is in place, they are less likely to plan an attack, let alone probe the system.
Other Reasons to Deploy an IDPS
I. Review and examine the other reasons outlined in the text why an IDPS should be deployed to protect an organization's systems from internal and external intrusions. These are summarized below:
• Provide a level of quality control for system implementations.
• Monitor network traffic and system data flows.
• Apply the kill chain process, in which an attack can be stopped while it is in progress once it is discovered. Review Figure 9-1 for the process of a cyberattack kill chain.
Types of IDPS
I. Assess the different types of IDPSs presented in the text, starting from the foundational distinction between network-based and host-based systems.
II. Justify that in larger organizations both types are likely to be used, either in tandem or in different parts of the business, depending on business needs.
Network-Based IDPS
I. Analyze and review the concept of a network-based IDPS (NIDPS).
• A network-based IDPS (NIDPS) resides on a computer or appliance connected to a segment of an organization's network and monitors network traffic on that network segment, looking for indications of ongoing or successful attacks.
• The NIDPS may include separate management software, referred to as a console, and several specialized agents or sensors.
• When a situation occurs that the NIDPS is programmed to recognize as an attack, it responds by sending notifications to administrators.
• When examining the packets transmitted through an organization's networks, a NIDPS looks for attack patterns within network traffic, or it looks for the exchange of a series of related packets in a certain pattern, which could indicate that a port scan is in progress.
• NIDPSs are installed at a specific place in the network (such as on the inside of an edge router) from where it is possible to watch the traffic going into and out of a particular network segment.
• The NIDPS can be deployed to watch a specific grouping of host computers on a specific network segment, or it can be installed to monitor all traffic between the systems that make up an entire network.
• To determine whether an attack has occurred or may be underway, NIDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base.
• This is accomplished by examining captured network traffic with a special implementation of the TCP/IP stack that reassembles the packets and applies protocol stack verification or application protocol verification. In protocol stack verification, the NIDPS looks for invalid data packets, meaning packets that are malformed under the rules of TCP/IP.
• In application protocol verification, the higher-order protocols (such as HTTP, FTP, and Telnet) are examined for unexpected packet behavior or improper use.
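The two verification steps above, as an added Python example that is not the textbook's code or any NIDPS product's: a minimal TCP header parser checks each segment for flag combinations and offsets that no conforming stack produces (protocol stack verification), and on the HTTP port the payload is checked against the shape of a valid HTTP/1.x request (application protocol verification). The HTTP port list, the method list, and the test segments are assumptions constructed for the demonstration; IP-level reassembly is out of scope, so each call receives one already-extracted TCP segment.

```python
"""NIDPS protocol stack verification and application protocol verification.

Added example, not code from the textbook. Each call inspects one TCP
segment assumed to have been extracted from an IPv4 packet already. Port
numbers, the method list and the test segments are constructed for the
demonstration.
"""
import re
import struct
from typing import List

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = TCP_FIN | TCP_PSH | TCP_URG
HTTP_PORTS = {80, 8080}                       # assumed: where application verification applies
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_NAME = re.compile(r"[!#$%&'*+.^_|~0-9A-Za-z-]+")   # RFC 7230 token chars (backquote omitted)


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"",
              data_offset_words: int = 5) -> bytes:
    """Assemble a TCP header without options, followed by the payload.
    Sequence numbers and checksum are zero: only header semantics are inspected."""
    off_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0) + payload


def verify_tcp_segment(segment: bytes) -> List[str]:
    """Protocol stack verification: report what makes this segment malformed
    under the rules of TCP. An empty list means the header is plausible."""
    if len(segment) < 20:
        return ["truncated TCP header"]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x3F                 # URG ACK PSH RST SYN FIN
    findings = []
    if data_offset < 20:
        findings.append("data offset below minimum header size")
    elif data_offset > len(segment):
        findings.append("data offset points past end of segment")
    if sport == 0 or dport == 0:
        findings.append("port 0 in use")
    if flags == 0:
        findings.append("no flags set (NULL scan)")
    if flags & TCP_SYN and flags & TCP_FIN:
        findings.append("SYN+FIN set together")
    if flags & TCP_SYN and flags & TCP_RST:
        findings.append("SYN+RST set together")
    if (flags & XMAS) == XMAS and not flags & TCP_ACK:
        findings.append("FIN+PSH+URG without ACK (XMAS scan)")
    return findings


def verify_http_request(payload: bytes) -> List[str]:
    """Application protocol verification for HTTP/1.x: report deviations from
    the expected shape of a request (method, target, version, header syntax)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in HTTP request"]
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    findings = []
    if len(lines[0]) > 8192:
        findings.append("request line exceeds 8192 bytes")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        findings.append("malformed request line")
    else:
        method, target = m.group(1), m.group(2)
        if method not in HTTP_METHODS:
            findings.append(f"unknown method {method}")
        if method != "CONNECT" and not (target.startswith("/") or target.startswith("http://") or target == "*"):
            findings.append("request target is neither origin-form nor absolute-form")
    for line in lines[1:]:
        name, sep, _value = line.partition(":")
        if not sep or HEADER_NAME.fullmatch(name) is None:
            findings.append(f"malformed header line: {line[:40]!r}")
    return findings


def inspect_segment(segment: bytes) -> List[str]:
    """Stack verification first, then application verification on HTTP ports."""
    findings = verify_tcp_segment(segment)
    if len(segment) >= 20:
        dport = struct.unpack("!H", segment[2:4])[0]
        data_offset = (segment[12] >> 4) * 4
        payload = segment[data_offset:] if 20 <= data_offset <= len(segment) else b""
        if dport in HTTP_PORTS and payload:
            findings += verify_http_request(payload)
    return findings


if __name__ == "__main__":
    probes = {   # constructed test segments
        "syn": build_tcp(40000, 80, TCP_SYN),
        "syn+fin": build_tcp(40000, 80, TCP_SYN | TCP_FIN),
        "xmas": build_tcp(40000, 22, XMAS),
        "http ok": build_tcp(40000, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "http bad": build_tcp(40000, 80, TCP_PSH | TCP_ACK, b"BLAH /x HTTP/1.1\r\nHost example.com\r\n\r\n"),
    }
    for name, seg in probes.items():
        print(f"{name:9s} -> {inspect_segment(seg) or 'clean'}")
```

The stack check is signature-free: it encodes what TCP itself forbids, so it catches scanner probes (NULL, XMAS, SYN+FIN) without a knowledge base. The application check is deliberately about shape, not content; matching a specific exploit string in the request target would be signature-based detection, which is a separate mechanism.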
II. Outline the advantages of a NIDPS:
• Good network design and placement of NIDPS devices can enable an organization to use a few devices to monitor a large network.
• NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations; they are often not susceptible to direct attack.
• To the benefit of an organization, they may not be detectable by attackers at all.
III. Consequently, determine the disadvantages of NIDPSs:
• They can quickly become overwhelmed by network volume and fail to recognize attacks that could otherwise be detected.
• They must have access to all traffic to effectively monitor for potential intrusions.
• NIDPSs cannot analyze encrypted packets, making some of the network traffic invisible to the process.
• NIDPSs cannot reliably ascertain whether an attack was successful or not.
• Attacks that use fragmented packets are not easily discerned and may go undetected.
IV. Examine the use of wireless IDPS monitors and how they assist with analyzing wireless network traffic as that infrastructure becomes more commonplace in organizations today.
V. Establish that wireless IDPSs can detect existing WLANs and WLAN devices for inventory purposes and can also detect the following:
• Unauthorized WLANs and WLAN devices.
• Poorly secured WLAN devices.
• Unusual usage patterns.
• The use of wireless network scanners.
• DoS attacks and conditions.
• Impersonation and man-in-the-middle attacks.
VI. List the potential drawbacks of wireless IDPSs, as the technology has some critical limitations:
• Physical security.
• Sensor ranges.
• Access point and wireless switch locations.
• Wired network connections.
• Cost.
VII. Identify what a network behavior analysis (NBA) system is and how it can assist in detecting network intrusions. Recall that an NBA system works from flow data rather than packet contents; a flow record typically provides:
• Source and destination IP addresses.
• Source and destination TCP or UDP ports, or ICMP types and codes.
• Number of packets and bytes transmitted in the session.
• Starting and ending timestamps for the session.
VIII. Outline what an NBA sensor can often detect on a network, using passive-only sensors, inline sensors, or a combination of both:
• DoS attacks (including DDoS attacks).
• Scanning.
• Worms.
• Unexpected application services, such as tunneled protocols, back doors, and use of forbidden application protocols.
• Policy violations.
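The flow fields and detections above, as an added Python example that is not the textbook's code or any NBA product's: each flow record carries only the four kinds of field listed (addresses, ports, packet and byte counts, timestamps), and three checks find a port scan (one source reaching many ports on one host inside a window), a flood (many sources hitting one service inside a window), and a policy violation (a completed session to a service the host is not meant to offer). The flow records, thresholds, and service policy are assumptions constructed for the demonstration.

```python
"""Network behavior analysis over flow records.

Added example, not the textbook's code. Works only on flow metadata, never
on payloads. The flow records, thresholds and the per-host service policy
are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str        # "tcp", "udp" or "icmp"
    packets: int
    bytes: int
    start: float      # seconds since epoch
    end: float


def detect_port_scans(flows: List[Flow], min_ports: int = 10,
                      window: float = 30.0) -> List[Tuple[str, str, int]]:
    """One source touching at least `min_ports` distinct ports on one host
    within any `window`-second span. Returns (src, dst, distinct ports)."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = []
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f.start)
        best = 0
        for i, first in enumerate(fl):
            ports = {g.dport for g in fl[i:] if g.start - first.start <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            hits.append((src, dst, best))
    return hits


def detect_floods(flows: List[Flow], min_sources: int = 20,
                  window: float = 10.0) -> List[Tuple[str, int, int]]:
    """At least `min_sources` distinct sources hitting one (dst, port) within
    any `window`-second span: the DDoS pattern. Returns (dst, dport, sources)."""
    by_service: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        by_service[(f.dst, f.dport)].append(f)
    hits = []
    for (dst, dport), fl in by_service.items():
        fl.sort(key=lambda f: f.start)
        best = 0
        for i, first in enumerate(fl):
            srcs = {g.src for g in fl[i:] if g.start - first.start <= window}
            best = max(best, len(srcs))
        if best >= min_sources:
            hits.append((dst, dport, best))
    return hits


def detect_policy_violations(flows: List[Flow], allowed: Dict[str, Set[int]],
                             min_packets: int = 3) -> List[Flow]:
    """Completed sessions (enough packets for a handshake plus data) to a port
    the policy does not permit on that host. Single-packet probes are left to
    the scan check so that a scan does not drown the policy report."""
    return [f for f in flows
            if f.dst in allowed and f.dport not in allowed[f.dst] and f.packets >= min_packets]


def _sample_flows() -> List[Flow]:
    base = 1_700_000_000.0
    flows: List[Flow] = []
    # constructed: ordinary HTTPS sessions from ten clients over a minute
    for i in range(10):
        flows.append(Flow(f"198.51.100.{10 + i}", "10.0.0.7", 50000 + i, 443, "tcp",
                          40, 31000, base + 6 * i, base + 6 * i + 4))
    # constructed: SYN scan of ports 1-25 on 10.0.0.7, one packet per flow
    for p in range(1, 26):
        flows.append(Flow("203.0.113.5", "10.0.0.7", 61000 + p, p, "tcp",
                          1, 60, base + 100 + p, base + 100 + p))
    # constructed: 40 sources flooding 10.0.0.8:80 inside five seconds
    for i in range(40):
        flows.append(Flow(f"192.0.2.{1 + i}", "10.0.0.8", 40000 + i, 80, "tcp",
                          200, 12000, base + 200 + i * 0.1, base + 205))
    # constructed: a completed SSH session to a host that should only serve HTTPS
    flows.append(Flow("198.51.100.4", "10.0.0.7", 52222, 22, "tcp", 35, 6100, base + 300, base + 330))
    return flows


SAMPLE_FLOWS = _sample_flows()
SERVICE_POLICY = {"10.0.0.7": {443}, "10.0.0.8": {80, 443}}   # assumed per-host allowed ports

if __name__ == "__main__":
    print("scans  :", detect_port_scans(SAMPLE_FLOWS))
    print("floods :", detect_floods(SAMPLE_FLOWS))
    print("policy :", [(f.src, f.dst, f.dport) for f in detect_policy_violations(SAMPLE_FLOWS, SERVICE_POLICY)])
```

The thresholds are the clipping levels of this detector: the ten HTTPS clients stay below the flood threshold and each touches one port, so only the scanner, the flood, and the SSH session are reported. Note that the scan's 25 one-packet flows also hit non-permitted ports but are excluded from the policy report by the packet-count floor; whether that floor is right for a given site is a tuning decision.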
Host-Based IDPS
I. Explain the differences between a host-based IDPS and a network-based IDPS.
II. Recall that the main purpose of this type of IDPS is to protect the server or host's information assets.
III. Detail the following description of what a host-based IDPS comprises:
• A host-based IDPS (HIDPS) resides on a particular computer or server, known as the host, and monitors activity only on that system.
• HIDPSs are also known as system integrity verifiers because they benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.
• A HIDPS has an advantage over a NIDPS in that it can usually be installed in such a way that it can access information that is encrypted while traveling over the network.
• Most HIDPSs work on the principle of configuration or change management, which means they record the sizes, locations, and other attributes of system files. The HIDPS then triggers an alert when one of the following changes occurs: file attributes change, new files are created, or existing files are deleted.
• A HIDPS relies on the classification of files into various categories and then applies various notification actions, depending on the rules in the HIDPS configuration.
• Managed HIDPSs can monitor multiple computers simultaneously by creating a configuration file on each monitored host and by making each HIDPS report back to a master console system, which is usually located on the system administrator's computer.
Justify the strengths of a HIDPS: •
A HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.
•
A HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing.
•
The use of switched network protocols does not affect an HIDPS.
•
An HIDPS can detect inconsistencies in how applications and systems programs were used by examining the records stored in audit logs.
Recognize the fact there are some critical flaws with a HIDPS: •
HIDPSs pose more management issues since they are configured and managed on each monitored host and are vulnerable both to direct attacks and to attacks against the host operating system.
•
An HIDPS is not optimized to detect multi-host scanning, nor is it able to detect the scanning of non-host network devices, such as routers or switches and are. susceptible to some DoS attacks.
•
This option often uses large amounts of disk space to retain the host OS audit logs, and to function properly, it may require disk capacity to be added to the system.
• Finally, HIDPSs can inflict a performance overhead on their host systems and, in some cases, may reduce system performance below acceptable levels when fully engaged.
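The change-management principle described above, as an added Python example rather than the textbook's or any product's code: it baselines file attributes, compares a later snapshot, and picks a notification action by file category; the category rules, file names, and scenario in run_demo() are constructed.

```python
"""Added example, not the textbook's or any vendor's code: a miniature
host-based integrity verifier of the kind the outline describes. It records
size, modification time and a SHA-256 digest for every file under a root,
then reports created, modified and deleted files, picking the notification
action from the category the file's path falls into. Category rules and the
files in run_demo() are constructed for the example."""
import hashlib
import os
import tempfile

# Assumed category rules: (relative path prefix, category, action); first
# match wins, the empty prefix is the catch-all.
CATEGORY_RULES = [
    ("etc/", "critical", "page-oncall"),
    ("bin/", "critical", "page-oncall"),
    ("log/", "expected-churn", "log-only"),
    ("", "normal", "email"),
]


def categorize(rel_path):
    for prefix, category, action in CATEGORY_RULES:
        if rel_path.startswith(prefix):
            return category, action
    return "normal", "email"


def fingerprint(path):
    """The attributes the verifier stores per file: size, mtime, digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": digest.hexdigest()}


def build_baseline(root):
    """Snapshot every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return (rel_path, change, category, action) for every difference.
    Content is judged by digest and size; mtime alone is not trusted because
    it is trivially reset."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            change = "created"
        elif rel not in current:
            change = "deleted"
        elif (baseline[rel]["sha256"] != current[rel]["sha256"]
              or baseline[rel]["size"] != current[rel]["size"]):
            change = "modified"
        else:
            continue
        category, action = categorize(rel)
        alerts.append((rel, change, category, action))
    return alerts


def run_demo():
    """Constructed scenario: take a baseline, then make the three kinds of
    change the verifier must catch, and return the resulting alerts."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "bin/ls": b"\x7fELF-original-binary",
                 "log/auth.log": b"session opened for user alice\n"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)
        # Simulated changes: a critical file edited, a new binary dropped,
        # and a log removed.
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"extra:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin/nc"), "wb") as fh:
            fh.write(b"\x7fELF-new-binary")
        os.remove(os.path.join(root, "log/auth.log"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for alert in run_demo():
        print("%-14s %-9s category=%s action=%s" % alert)
```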
IDPS Detection Methods
I. Analyze the three methods that dominate how IDPSs evaluate network traffic: signature-based detection, anomaly-based detection, and stateful protocol analysis.
Signature-Based Detection
I. Explain that a signature-based IDPS (also known as a knowledge-based IDPS or misuse detection) examines data traffic in search of patterns that match known signatures: preconfigured, predetermined attack patterns.
II. Focus on the fact that signature-based IDS technologies are widely used because many attacks have clear and distinct signatures.
III. Recognize that the downside to this type of detection is that as new attack strategies are identified, the IDS's database of signatures must be continually updated.
Anomaly-Based Detection
I. Compare and contrast anomaly-based detection with signature-based detection. Explain how they are similar yet distinct when examining intrusions into an information system.
II. Review the purpose of a clipping level and why it is important as a trigger that alerts system administrators to investigate possible issues.
III. Summarize the benefits and drawbacks of this detection method.
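Signature-based detection and anomaly-based detection with a clipping level, side by side as an added Python example (not the textbook's code): the same constructed events are run through both, showing what each catches and misses; the signatures, events, and training baseline are constructed.

```python
"""Added example, not from the textbook: the same constructed log lines run
through a signature-based check and an anomaly-based check with a clipping
level, to show what each method catches and what it misses. Signatures,
events and the baseline are all constructed for this example."""
import re
from collections import Counter

# Constructed events: (epoch seconds, source IP, message).
SAMPLE_EVENTS = (
    [(1000, "10.0.0.5", "GET /index.html"),
     (1001, "10.0.0.5", "GET /login"),
     (1002, "198.51.100.7", "GET /login?user=admin' OR '1'='1"),
     (1003, "10.0.0.9", "GET /cgi-bin/../../etc/passwd")]
    + [(1020 + i, "10.0.0.42", "POST /login failed") for i in range(12)]
    + [(1100, "10.0.0.5", "GET /reports/export?fmt=csv")]
)

# Constructed "quiet week" used to learn normal failed-login behaviour.
TRAINING_EVENTS = [
    (500, "10.0.0.5", "POST /login failed"),
    (510, "10.0.0.5", "POST /login failed"),
    (900, "10.0.0.9", "POST /login failed"),
]

# Signature database: named patterns for known attacks. A new attack is
# invisible until an entry for it is added, which is the update burden the
# outline describes.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_detect(events):
    """Knowledge-based detection: flag every event matching a known pattern.
    The failed-login burst matches nothing here and is therefore missed."""
    hits = []
    for ts, ip, msg in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                hits.append((ts, ip, name))
    return hits


def failed_logins_per_window(events, window=60):
    counts = Counter()
    for ts, ip, msg in events:
        if msg.endswith("failed"):
            counts[(ts // window, ip)] += 1
    return counts


def learn_clipping_level(training, window=60, factor=3):
    """Derive the clipping level from observed normal behaviour: the busiest
    (window, host) pair seen during training, times a safety factor."""
    counts = failed_logins_per_window(training, window)
    return max(counts.values(), default=0) * factor


def anomaly_detect(events, clipping_level, window=60):
    """Behaviour-based detection: alert when a host's failed logins in one
    window exceed the clipping level. No signature is needed, but the two
    injection requests above are single events and are not seen at all."""
    counts = failed_logins_per_window(events, window)
    return sorted((w, ip, n) for (w, ip), n in counts.items() if n > clipping_level)


if __name__ == "__main__":
    print("signature hits:", signature_detect(SAMPLE_EVENTS))
    level = learn_clipping_level(TRAINING_EVENTS)
    print("clipping level:", level)
    print("anomaly alerts:", anomaly_detect(SAMPLE_EVENTS, level))
```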
Stateful Protocol Analysis
I. Justify the purpose and reasoning why this IDPS extension is beneficial to have available when detecting possible intrusions that have come into a system.
II. Recall that stateful protocol analysis (SPA) relies on vendor-developed universal profiles that specify how particular protocols should and should not be used.
III. Assess the concept of deep packet inspection and why it is important to examine packets at the application layer.
IV. Identify that a consequence of this type of analysis may be an intrusion going completely undetected because the protocol use is in line with acceptable behaviors. Interference with normal operations is an additional consequence.
Log File Monitors
I. Explain what the purpose of a log file monitor (LFM) is and how it is similar to and different from an NIDPS.
II. Discuss how IDPS responses can be classified: active or passive. An active response is one in which a definitive action is initiated when certain types of alerts are triggered. IDPSs with passive response options simply report the information they have already collected and wait for the administrator to take action.
Security Information and Event Management (SIEM)
I. Justify the reasons why an organization turns to a SIEM as a central location that empowers a security operations center (SOC) to identify and react to various events against its information systems.
II. Describe the process of threat intelligence and why it is a core capability of SIEM systems.
III. Review the needs that a system like this can address for large organizations, which include the following:
• Aggregation of security-related events from across the organization regardless of the source technology.
• Correlation of events with context from external sources, including vendor-specific updates and cooperative industry associations.
• Integration of events from devices, systems, and technologies from disparate sources deployed throughout the organization.
• Detection of known threats when patterns of attack behavior are known.
• Possible detection of emerging threats when analysis is coupled with threat analysis techniques designed into the SIEM system.
• Enabling of ad hoc searches and reporting from recorded events to allow advanced breach analysis during and after incident response and to provide support for forensic investigation into breach events.
• Tracking the actions of attackers and allowing sequencing of events to provide an understanding of what happened and when it occurred.
IV. Evaluate the essential capabilities of an analytics-driven SIEM system:
• Real-time monitoring.
• Incident response.
• User monitoring.
• Threat intelligence.
• Analytics and threat detection.
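The aggregation, correlation, and sequencing needs above, as an added Python example that is not the textbook's code: events from two differently formatted sources are normalized, enriched with an indicator list and asset criticality, grouped by source address, and sequenced into an incident timeline; the log formats, indicator list, asset ratings, and rules are assumptions.

```python
"""Added example, not the textbook's code: a toy SIEM pipeline covering the
needs listed above. It aggregates events from two sources with different
formats, normalizes them, enriches them with threat-intelligence context and
asset criticality, correlates them by source address and sequences them into
an incident timeline. All lines, indicators and asset ratings are constructed
for the example."""
import re
from datetime import datetime, timezone

FIREWALL_LINES = [  # constructed syslog-style lines from a firewall
    "2024-05-01T10:00:01Z fw1 DENY src=203.0.113.9 dst=10.0.1.20 dport=22",
    "2024-05-01T10:00:02Z fw1 DENY src=203.0.113.9 dst=10.0.1.20 dport=23",
    "2024-05-01T10:00:03Z fw1 ALLOW src=203.0.113.9 dst=10.0.1.20 dport=443",
    "2024-05-01T10:05:00Z fw1 ALLOW src=10.0.0.5 dst=10.0.1.30 dport=443",
]
AUTH_LINES = [  # constructed CSV from an application: time,host,user,result,source
    "2024-05-01T10:00:09Z,web01,svc_backup,FAILURE,203.0.113.9",
    "2024-05-01T10:00:15Z,web01,svc_backup,SUCCESS,203.0.113.9",
    "2024-05-01T10:06:00Z,intranet,alice,SUCCESS,10.0.0.5",
]
# Constructed external context: an indicator feed and asset criticality.
THREAT_INTEL = {"203.0.113.9": "listed as a mass scanner"}
ASSET_CRITICALITY = {"10.0.1.20": "high", "web01": "high",
                     "10.0.1.30": "low", "intranet": "low"}

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")


def to_epoch(stamp):
    return int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def normalize(firewall_lines, auth_lines):
    """Aggregation: map both formats onto one event schema."""
    events = []
    for line in firewall_lines:
        m = FW_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not trusted
        ts, sensor, action, src, dst, port = m.groups()
        events.append({"time": to_epoch(ts), "source": sensor, "src_ip": src,
                       "target": dst, "action": action, "detail": "port " + port})
    for line in auth_lines:
        ts, host, user, result, src = line.split(",")
        events.append({"time": to_epoch(ts), "source": host, "src_ip": src,
                       "target": host, "action": "LOGIN_" + result,
                       "detail": "user " + user})
    return sorted(events, key=lambda e: e["time"])


def correlate(events, window=300):
    """Correlation and sequencing: group by source address, apply two rules
    and rank by the criticality of the assets touched."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src_ip"], []).append(e)
    incidents = []
    for src, seq in by_src.items():
        reasons = []
        if src in THREAT_INTEL:
            reasons.append("threat-intel: " + THREAT_INTEL[src])
        denies = [e["time"] for e in seq if e["action"] == "DENY"]
        logins = [e["time"] for e in seq if e["action"] == "LOGIN_SUCCESS"]
        if any(0 <= t_login - t_deny <= window for t_deny in denies for t_login in logins):
            reasons.append("blocked probes followed by successful login")
        if not reasons:
            continue
        high = any(ASSET_CRITICALITY.get(e["target"]) == "high" for e in seq)
        priority = "critical" if high and len(reasons) > 1 else "high" if high else "medium"
        timeline = [(e["time"], e["source"], e["action"], e["detail"]) for e in seq]
        incidents.append({"src_ip": src, "priority": priority,
                          "reasons": reasons, "timeline": timeline})
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(FIREWALL_LINES, AUTH_LINES)):
        print(inc["src_ip"], inc["priority"], inc["reasons"])
        for step in inc["timeline"]:
            print("   ", *step)
```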
Real-Time Monitoring
I. Express concern that, on average, the duration between the start of a cyber intrusion and the time it was discovered was about 56 days, according to Mandiant.
II. Recall that improvement in an organization's capability to detect intrusions reduces dwell time and lessens the time needed to recover from an intrusion.
Incident Response
I. Conclude that properly implemented SIEM platforms make it possible to identify incidents and enable a process to track and respond to them.
II. Recognize that some SIEM systems can initiate predefined defensive scripts to automatically disrupt ongoing cyberattacks.
User Monitoring
I. Review the fact that SIEM systems have the capability to analyze user access and authentication activities. This, in turn, can provide alerts for suspicious behaviors and policy violations.
Threat Intelligence
I. Emphasize that a SIEM system must be able to integrate threat intelligence services that provide current information on indicators of compromise and adversary tactics, techniques, and procedures (TTPs), combined with knowledge of organizational asset criticality and usage behaviors.
II. Express the importance of correlating event data with the nature of the infrastructure to prioritize threats and organizational assets.
Analytics and Advanced Threat Detection
I. Identify that one of the core needs of threat intelligence is the ability of the SIEM system to analyze event data to detect anomalies or track interactions between users and places where data is stored.
II. Recognize that some SIEM systems can initiate predefined defensive scripts to automatically disrupt ongoing cyberattacks.
IDPS Response Behavior
I. Review how, once an IDPS detects an anomalous network situation, it has several options, depending on the policy and objectives of the organization that configured it as well as the capabilities of the organization's system.
IDPS Response Options
I. Examine and disseminate how IDPS responses can be classified as active or passive.
• An active response is one in which a definitive action is initiated when certain types of alerts are triggered.
• IDPSs with passive response options simply report the information they have already collected and wait for the administrator to take action.
II. Construct a list of responses that an IDS can be configured to produce:
• Audible/visual alarm.
• SNMP traps and plug-ins.
• E-mail message.
• Phone, pager, or SMS message.
• Log entry.
• Evidentiary packet dump.
• Actions against intruders.
• Launch programs.
• Firewall reconfigurations.
Reporting and Archiving Capabilities
I. Conclude that many commercial IDPSs can generate routine reports and other detailed documents, such as reports of system events and intrusions detected over a particular reporting period.
Fail-Safe Considerations for IDPS Responses
I. Examine the fail-safe procedures built into an IDPS that prevent it from being circumvented or defeated by an attacker or intrusion.
II. Stress that encrypted tunnels or other cryptographic measures that hide and authenticate communications are excellent ways to ensure the reliability of the IDPS.
Selecting IDPS Approaches and Products
I. Disseminate the following areas of information when selecting the IDPS that best fits the needs and processes of an organization:
• Technical and policy considerations.
• Organizational requirements and constraints.
• IDPS features and qualities of the system.
II. Compile a list of benefits and drawbacks when reviewing multiple systems side-by-side prior to selecting one for the organization.
Technical and Policy Considerations
I. Review the following key questions that should be asked with respect to the technical and policy capabilities of an IDPS.
• What is your systems environment?
  • What are the technical specifications of your systems environment?
  • What are the technical specifications of your current security protections?
  • What are the goals of your enterprise?
  • How formal is the systems environment and management culture in your organization?
• What are your security goals and objectives?
  • Is the primary concern of your organization to be protected from threats that originate outside of your organization?
  • Is your organization concerned about insider attacks?
  • Does your organization want to use the output of your IDS to determine new needs?
  • Does your organization want to use an IDPS to maintain managerial control over network usage?
• What is your existing security policy?
  • How is it structured?
  • What are the general job descriptions of your system users?
  • Does the policy include reasonable use policies or other management provisions?
  • Has your organization defined processes for dealing with specific policy violations?
Organizational Requirements and Constraints
I. Discuss organizational requirements and constraints. Review and compose a list of questions, like the ones provided below, to ask with respect to this area of an IDPS.
• What requirements are levied from outside the organization?
  • Is your organization subject to oversight or review by another organization?
  • Are there requirements for public access to information on your organization's systems?
  • Are there other security-specific requirements levied by law?
  • Are there internal audit requirements for security best practices or due diligence?
  • Is the system subject to accreditation?
  • Are there requirements for law enforcement investigation and resolution of security incidents?
• What are your organization's resource constraints?
  • What is the budget for acquisition and life cycle support of intrusion detection hardware, software, and infrastructure?
  • Is there sufficient existing staff to monitor an IDPS full time?
  • Does your organization have authority to instigate changes based on the findings of an IDPS?
IDPS Product Features and Quality
I. Examine in depth the product features and quality of IDPSs. When asking for specific details of the system, apply the following top-level questions and subquestions as outlined in the text:
• Is the product sufficiently scalable for your environment?
• How has the product been tested?
  • Has the product been tested against functional requirements?
  • Has the product been tested for performance against anticipated load?
  • Has the product been tested to reliably detect attacks?
  • Has the product been tested against attack?
• What is the user level of expertise targeted by the product?
• Is the product designed to evolve as the organization grows?
  • Can the product adapt to growth in user expertise?
  • Can the product adapt to growth and change of the organization's systems infrastructure?
  • Can the product adapt to growth and change of the security threat environment?
• What are the support provisions for the product?
  • What are commitments for product installation and configuration support?
  • What are commitments for ongoing product support?
  • Are subscriptions to signature updates included?
  • How often are subscriptions updated?
  • How quickly after a new attack is made public will the vendor ship a new signature?
  • Are software updates included?
  • How quickly will software updates and patches be issued after a problem is reported to the vendor?
  • Are technical support services included?
  • What are the provisions for contacting technical support?
  • Are there any guarantees associated with the IDPS?
  • What training resources does the vendor provide as part of the product?
  • What additional training resources are available from the vendor, and at what cost?
II. Compile the answers provided by the vendors to determine which of the systems analyzed, if any, is the best option based on the needs of the organization.
Strengths and Limitations of IDPSs
I. Comment that as one plans the security strategy for an organization's systems, one has to understand what IDPSs can be trusted to do and what goals might be better served by other security mechanisms.
II. Apply the strengths and limitations provided below, which are based on NIST SP 800-94 and SP 800-94, Rev. 1, "Guide to Intrusion Detection and Prevention Systems," and their predecessor, NIST SP 800-31, "Intrusion Detection Systems."
Strengths of IDPSs
I. Analyze the strengths of an IDPS with respect to intrusion detection:
• Monitoring and analysis of system events and user behaviors.
• Testing the security states of system configurations.
• Baselining the security state of a system and then tracking any changes to that baseline.
• Recognizing patterns of system events that correspond to known attacks.
• Recognizing patterns of activity that vary statistically from normal activity.
• Managing operating system audit and logging mechanisms and the data they generate.
• Alerting appropriate staff by appropriate means when attacks are detected.
• Measuring enforcement of security policies encoded in the analysis engine.
• Providing default information security policies.
• Allowing people who are not security experts to perform important security monitoring functions.
Limitations of IDPSs
I. Analyze the limitations of an IDPS; it cannot be relied on for the following:
• Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software.
• Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load.
• Detecting newly published attacks or variants of existing attacks.
• Effectively responding to attacks launched by sophisticated attackers.
• Automatically investigating attacks without human intervention.
• Resisting all attacks that are intended to defeat or circumvent them.
• Compensating for problems with the fidelity of information sources.
• Dealing effectively with switched networks.
• Configuring an IDPS to respond accurately to perceived threats.
Deployment and Implementation of an IDPS
I. Understand that deploying and implementing an IDPS is often not a straightforward task. The strategy for deploying an IDPS should consider several factors, the foremost being how the IDPS will be managed and where it should be placed.
II. Review the NIST SP 800-94 Rev. 1 recommendations for implementation of an IDPS. In summary:
• All components should be secured appropriately, as they are a prime target for attackers.
• Consider multiple types of IDPS technologies to achieve more comprehensive and accurate detection while preventing malicious activities from taking place.
• Organizations that plan to use multiple types of IDPS technologies or multiple products of the same IDPS technology type should consider whether the IDPSs should be integrated.
• Requirements should be defined before evaluating IDPS products.
• When evaluating IDPS products, organizations should consider using a combination of data sources to evaluate the products' characteristics and capabilities.
IDPS Control Strategies
I. Recall that the purpose of a control strategy is to determine how an organization maintains and supervises the configuration of an IDPS.
II. Examine the differences between centralized, partially distributed, and fully distributed strategies.
• A centralized IDPS control strategy implements and manages all IDPS control functions in a central location.
• A fully distributed IDPS control strategy distributes all control functions, which are applied at the physical location of each IDPS component.
• A partially distributed IDPS control strategy combines the best of the other two strategies. While the individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable the organization to detect widespread attacks.
IDPS Deployment
I. Recalling the concept of control strategies, decisions about where to locate elements of the intrusion detection systems can be an art.
II. Comprehend that as an organization selects an IDPS and prepares for implementation, planners must select a deployment strategy based on a careful analysis of the organization's information security requirements, one that integrates with the organization's existing IT infrastructure but at the same time causes minimal impact.
III. Emphasize that NIDPSs and HIDPSs can be used in tandem to cover both the individual systems that connect to an organization's networks and the networks themselves.
IV. Discuss deploying network-based IDPSs:
• NIST recommends four locations for NIDS sensors, as described below:
• Location 1: Behind each external firewall in the network DMZ
  • IDPS sees attacks that originate from the outside world and may penetrate the network's perimeter defenses.
  • IDPS can identify problems with the network firewall policy or performance.
  • IDPS sees attacks that might target the Web server or FTP server, both of which commonly reside in this DMZ.
  • Even if the incoming attack is not detected, the IDPS can sometimes recognize patterns in the outgoing traffic that suggest the server has been compromised.
• Location 2: Outside an external firewall
  • IDPS documents the number of attacks originating on the Internet that target the network.
  • IDPS documents the types of attacks originating on the Internet that target the network.
• Location 3: On major network backbones
  • IDPS monitors a large amount of a network's traffic, thus increasing its chances of spotting attacks.
  • IDPS detects unauthorized activity by authorized users within the organization's security perimeter.
• Location 4: On critical subnets
  • IDPS detects attacks targeting critical systems and resources.
  • This location allows organizations with limited resources to focus those resources on the network assets that have the greatest value.
Reference Figure 9-11 to show where each of the four locations has sensors.
Measuring the Effectiveness of IDPSs
I. Comparative effectiveness can be achieved by the following:
• Thresholds
• Blacklists
• Whitelists
• Alert Settings
II. Direct students to the point that, once implemented, IDPSs are evaluated using two dominant metrics: administrators evaluate the number of attacks detected in a known collection of probes and examine the level of use at which the IDPSs fail.
III. Explain that, since developing this collection can be tedious, most IDPS vendors provide testing mechanisms that verify that their systems are performing as expected. Some of these testing processes enable the administrator to do the following:
• Record and retransmit packets from a real virus or worm scan.
• Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets).
• Conduct a real virus or worm attack against a hardened or sacrificial system.
Quick Quiz 1
1. Which of the following is an event that triggers alarms when no actual attacks are in progress?
a. evasion b. false positive c. false attack stimulus d. false negative
Answer: c
2. The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives is known as which of the following?
a. tuning b. filtering c. clustering d. footprinting
Answer: a
3. Which of the following terms involves activities that gather information about the organization and its network activities and assets?
a. tuning b. filtering c. clustering d. footprinting
Answer: d
4. True or False: Signature-based IDPS technology is widely used because many attacks have clear and distinct signatures.
Answer: True
5. In which IDPS control strategy are all IDPS control functions implemented and managed in a central location?
a. centralized control strategy b. fully distributed control strategy c. partially distributed control strategy d. network-based control strategy
Answer: a
Honeypots, Honeynets, and Padded Cell Systems (9.3, PPT Slides 47–51)
I. Identify the concept of honeypots as decoy systems designed to lure potential attackers away from critical systems.
II. Explain how, by encouraging attacks against these bait systems, the defender may lure attackers away from actual targets, perhaps detect their presence, and then block access.
III. Review the purpose of honeypots and their design:
• Divert an attacker from critical systems.
• Collect information about the attacker's activity.
• Encourage the attacker to stay on the system long enough for administrators to document the event and perhaps respond.
IV. Comprehend that honeytokens are a smaller version of a honeypot: a single service, record, or file placed into a production system.
V. Differentiate between standard honeypots and padded cell systems, which are hardened ones. The key with this type of honeypot is that the intruder is transferred to a simulated environment and, as a result, causes no harm.
VI. Examine the advantages of honeypots, honeynets, and padded cell systems.
• Attackers can be diverted to targets that they cannot damage.
• Administrators have time to decide how to respond to an attacker.
• Attackers' actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections.
• Honeypots may be effective at catching insiders who are snooping around a network.
VII. Discuss the disadvantages of honeypots, honeynets, and padded cell systems.
• The legal implications of using such devices are not well defined.
• Honeypots and padded cells have not yet been shown to be generally useful security technologies.
• An expert attacker, once diverted into a decoy system, may become angry and launch a more hostile attack against an organization's systems.
VIII. Administrators and security managers will need a high level of expertise to use these systems.
IX. Review Table 9-1 to examine the advantages and disadvantages of honeypots or padded cell systems.
Trap-and-Trace Systems
I. Identify the purpose of a trap-and-trace system and how it can be used to trace incidents back to their sources.
II. Outline the process of how a trap often works. As mentioned in the text, it usually consists of a honeypot or padded cell and an alarm. Note that while the intruders are distracted, or trapped, by what they perceive to be successful intrusions, the system notifies the administrator of their presence.
III. Examine and review the trace feature of the system, a process by which the organization attempts to determine the identity of someone discovered in unauthorized areas of the network or system.
IV. Emphasize that if the individual is outside the security perimeter of the organization, then numerous legal issues arise.
V. Compare and contrast the facts that trap-and-trace systems are similar to pen registers, earlier versions of which recorded numbers dialed in voice communications.
VI. Identify the legal restrictions and drawbacks of trap-and-trace systems.
• The trap portion frequently involves the use of honeypots or honeynets.
• When using honeypots and honeynets, administrators should be careful not to cross the line between enticement (the process of attracting attention to a system by placing tantalizing bits of information in key locations) and entrapment (luring an individual into committing a crime to get a conviction).
• Justify the fact that enticement is legal and ethical, whereas entrapment is not.
Active Intrusion Prevention
I. Emphasize that organizations often implement active countermeasures to stop attacks from occurring on their systems.
II. Present the tool known as LaBrea, which provides active intrusion prevention by taking up the unused IP address space within a network.
III. Discuss how, if an address is not currently being used by a real computer or network device, LaBrea will pretend to be a computer at that IP address and allow the attacker to complete the connection request, also known as the three-way handshake.
IV. Explain how, once the handshake is complete, LaBrea changes the TCP sliding window size down to a low number to hold the attacker's TCP connection open for many hours, days, or even months.
V. Advise that holding the connection open but inactive greatly slows down network-based worms and other attacks, and it allows the LaBrea system time to notify the system and network administrators about the anomalous behavior on the network.
Scanning and Analysis Tools (9.4, PPT Slides 53–55 and 58–62)
I. Remind students that to secure a network, it is imperative that someone in the organization knows exactly where the network needs securing. Without that, it will be difficult to have a secure infrastructure in place.
II. State that to assess the risk within a computing environment, one must deploy technical controls using a strategy of defense in depth.
III. Explain how scanner and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network. These are also typically used as part of an attack protocol to collect information that an attacker would need to launch a successful attack.
IV. Review the attack protocol, which is a series of steps or processes used by an attacker in a logical sequence to launch an attack against a target system or network.
V. Define the process of footprinting and how it is completed as a step prior to an attack taking place. Tasks that an attacker may embark upon include the following:
• Online organized research of the Internet addresses owned or controlled by a target organization.
• Use of public Internet data sources to perform keyword searches to identify the network addresses of the organization.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
27
Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 9: Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools
VI. Emphasize the point that to assist in the footprint intelligence collection process, an enhanced Web scanner can be used.
VII. Compare and contrast the differences between footprinting and fingerprinting when using scanning and analysis tools.
• Footprinting is often seen as the first process, whereas fingerprinting is a second and more advanced data-gathering process.
• Explain how fingerprinting reveals useful information about the internal structure and operational nature of the target system or network for the anticipated attack. Since these tools were created to find vulnerabilities in systems and networks, they are valuable for the network defender because they can quickly pinpoint the parts of the systems or network that need prompt repair to close the vulnerability.
VIII. Recommend that students review Figure 9-12 for additional insight.
Port Scanners
I. Describe the purpose of a port scanner (or port scanning utility) and why it is important to use when detecting intrusions and/or attacks on systems. Relate this to the fact that both attackers and defenders use it to identify (or fingerprint) the computers that are active on a network, as well as the ports and services that are active on those computers, the functions and roles the machines are fulfilling, and other useful information.
II. Apply the knowledge that these tools can scan for specific types of computers, protocols, or resources, or their scans can be generic.
III. Emphasize that the more sophisticated the scanner, the more detailed the information both parties can gather, which can be used in the future for better or worse.
IV. Strongly recommend that generic, broad-based port scanners be in the toolbox alongside more specific ones.
V. Provide students an opportunity to learn more about ports, which are network channels or connection points in a data communication system. Refer them to Table 9-2 for additional information.
Firewall Analysis Tools
I. Note that several tools automate the remote discovery of firewall rules and assist an administrator in analyzing the rules to determine exactly what they allow and what they reject.
II. Emphasize that administrators who feel wary of using the same tools that attackers use should remember the following:
• Regardless of the tool that is used to validate or analyze a firewall’s configuration, it is the intent of the user that will dictate how the information gathered will be used.
• In order to defend a computer or network well, it is necessary to understand the ways it can be attacked.
• Thus, a tool that can help close up an open or poorly configured firewall will help the network defender minimize the risk from attack.
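An added worked example, not from the manual or textbook, of the kind of rule analysis these tools automate: given an ordered rule set, it reports which rule allows or rejects a given connection and flags rules that are shadowed by an earlier, broader rule. The rule set, rule names, and addresses are constructed for illustration.

```python
"""Added example (not from the manual or textbook): a minimal analyzer for an
ordered firewall rule set. It answers what a given connection would be
allowed or rejected by (first-match semantics) and flags rules that are
shadowed by an earlier, broader rule. Rule data below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR network, e.g. "10.0.0.0/8" or "0.0.0.0/0"
    dst: str               # CIDR network
    dport: Optional[int]   # None matches any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        """Does this rule match one specific connection attempt?"""
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True when every connection `other` could match is matched by self."""
        return (self.proto in ("any", other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


def decide(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int,
           default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name) from the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, rule.name
    return default, "default-policy"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed rule, earlier rule) pairs: the later rule can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set using documentation address ranges (RFC 5737).
RULES = [
    Rule("allow-web",    "allow", "tcp", "0.0.0.0/0",   "192.0.2.10/32", 443),
    Rule("allow-mgmt",   "allow", "tcp", "10.0.0.0/8",  "192.0.2.0/24",  22),
    Rule("deny-all-ssh", "deny",  "tcp", "0.0.0.0/0",   "192.0.2.0/24",  22),
    Rule("allow-admin",  "allow", "tcp", "10.1.1.0/24", "192.0.2.0/24",  22),  # never fires
]

if __name__ == "__main__":
    print(decide(RULES, "tcp", "203.0.113.5", "192.0.2.10", 22))   # ('deny', 'deny-all-ssh')
    print(shadowed_rules(RULES))                                   # [('allow-admin', 'allow-mgmt')]
```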
Operating System Detection Tools
I. State that detecting a target computer’s OS is very valuable to an attacker because once the OS is known, all of the vulnerabilities to which it is susceptible can easily be determined.
II. Stress that many tools use networking protocols to determine a remote computer’s OS, which adds further opportunities for attacks against those systems.
III. Identify that most OSs have a unique way of responding to ICMP requests. Give additional attention to XProbe, as it is very reliable in finding matches and thus in detecting the OSs of remote computers.
IV. Explain how system and network administrators should take note of this and plan to restrict the use of ICMP through their organization’s firewalls and, when possible, within its internal networks.
Vulnerability Scanners
I. Identify the purpose of a vulnerability scanner: to find security holes in a system.
II. Introduce students to a class of vulnerability scanners called black-box scanners or fuzzers that look for vulnerabilities in a program by feeding random input to the program or to a network running the protocol.
III. Compare and contrast the differences between active and passive vulnerability scanners.
• Active vulnerability scanners initiate traffic on the network to determine security holes.
• Passive vulnerability scanners listen in on the network and identify vulnerable versions of both server and client software. They can also detect client-side vulnerabilities that active scanners cannot detect.
IV. Recognize that these tools simply monitor the network connections to and from a server to gain a list of vulnerable applications.
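An added example, not from the manual or textbook, of the core logic of a passive vulnerability scanner: it sends nothing, parses service banners as they would be observed in captured traffic, and flags advertised versions below a defender-defined minimum. The banners, hosts, and minimum-version table are constructed for illustration.

```python
"""Added example (not from the manual or textbook): the core of a passive
vulnerability scanner. Nothing is sent on the network; service banners that
would be seen in captured traffic are parsed and the advertised version is
compared with a defender-defined minimum. All data below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed policy: versions below these are flagged. A real scanner would
# load this from an advisory feed rather than hard-code it.
MIN_OK_VERSION: Dict[str, Tuple[int, int, int]] = {
    "OpenSSH": (8, 0, 0),
    "Apache": (2, 4, 50),
    "nginx": (1, 20, 0),
}

BANNER_PATTERNS = [
    # SSH identification string, e.g. "SSH-2.0-OpenSSH_7.4"
    re.compile(r"SSH-\d\.\d-(?P<product>OpenSSH)_(?P<version>[\d.]+)"),
    # HTTP Server response header, e.g. "Server: Apache/2.4.29"
    re.compile(r"Server:\s*(?P<product>Apache|nginx)/(?P<version>[\d.]+)"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise '7.4' or '2.4.29' to a 3-tuple so tuple comparison is safe
    ('8' must not compare lower than '8.0')."""
    parts = [int(p) for p in text.strip(".").split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def inspect_banner(banner: str) -> Optional[Dict[str, object]]:
    """Return product, version and vulnerable flag, or None if unrecognised."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            product = m.group("product")
            version = parse_version(m.group("version"))
            return {"product": product, "version": version,
                    "vulnerable": version < MIN_OK_VERSION[product]}
    return None


def scan_capture(lines: List[str]) -> List[Dict[str, object]]:
    """Each line is '<host> <observed banner>'; return only the flagged hosts."""
    findings = []
    for line in lines:
        host, _, payload = line.partition(" ")
        hit = inspect_banner(payload)
        if hit and hit["vulnerable"]:
            findings.append({"host": host, **hit})
    return findings


# Constructed sample of banners as a passive sensor might record them.
CAPTURE = [
    "192.0.2.10 SSH-2.0-OpenSSH_7.4",
    "192.0.2.11 Server: Apache/2.4.29",
    "192.0.2.12 Server: nginx/1.22.1",
    "192.0.2.13 SSH-2.0-OpenSSH_9.3",
    "192.0.2.14 220 mail.example.invalid ESMTP ready",   # unrecognised, ignored
]

if __name__ == "__main__":
    for f in scan_capture(CAPTURE):
        print(f["host"], f["product"], ".".join(map(str, f["version"])))
```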
Packet Sniffers
I. Describe the purpose of a packet sniffer (or network protocol analyzer). These can provide a network administrator with valuable information for diagnosing and resolving networking issues.
II. Stress how putting sniffers in the wrong hands results in eavesdropping on network traffic.
III. Note that these are often required to be connected to a network from a centralized location.
IV. Outline the conditions under which it is appropriate and legal to use packet sniffers. They are the following:
• Be on a network that the organization owns.
• Be under direct authorization of the owners of the network.
• Have knowledge and consent of the content creators.
Wireless Security Tools
I. Note that an organization that spends all of its time securing the wired network and leaves wireless networks to operate in any manner is opening itself up to a security breach.
II. Apply the knowledge that a security professional must be responsible for both hardwired and wireless networks and assess the risk for both.
III. Compose a wireless security toolkit. This should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.
Quick Quiz 2
1. What term is used to describe decoy systems designed to lure potential attackers away from critical systems?
a. trap
b. honeypot
c. trace
d. sniffer
Answer: b
2. Which of the following terms is used to describe organized research of the Internet addresses owned or controlled by a target organization?
a. fingerprinting
b. trapping
c. footprinting
d. tracing
Answer: c
3. A scanner that listens in on a network and identifies vulnerable versions of both server and client software is known as which of the following?
a. port scanner
b. active vulnerability scanner
c. sniffer
d. passive vulnerability scanner
Answer: d
4. What is a network tool that collects copies of packets from the network and analyzes them?
a. footprint
b. router
c. network trapper
d. packet sniffer
Answer: d
5. True or False: A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.
Answer: True
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module. Additional class discussion options:
1. Many vendors have created enhancements to IDS systems to make them into IDPSs. Look into current developments in this area and discuss them with your class. (9.1, 9.2, PPT Slides 3–23 and 26–44) Duration 15 minutes.
2. The legal issues surrounding active defense (see “Trap and Trace Systems”) are constantly evolving. This provides an interesting focal point for discussing ethical responses to complex workplace issues. (9.3, PPT Slides 47–51) Duration 15 minutes.
3. As internet privacy increases in news coverage, consumers and organizations alike are growing concerned that they are being spied on. How can organizations defend their position when it is in their legal right to monitor networks for possible attacks or intrusions? Is it necessary for them to have to defend themselves? Explain. (9.3, 9.4, PPT Slides #52–55 and 58–62) Duration 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and are available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. Following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Demonstrate an IDPS and/or a packet sniffer to your class. Students are enthusiastic about seeing the contents of IP traffic and then watching the responses of the IDPS as the rules are evaluated.
2. Take a field trip to see your organization’s IDPS technology.
[return to top]
Additional Resources
Cengage Video Resources
• MindTap Video: Security Information and Event Management
• MindTap Video: IDPS
Internet Resources
• Firewalk
• Host-based Intrusion Prevention
• LaBrea “Sticky Honeynet”
• Nessus
• Wireshark
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3 Exceeds Expectations:
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2 Meets Expectations:
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1 Needs Improvement:
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0 Inadequate:
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]
Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 10: Cryptography
Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 10: Cryptography
Table of Contents
Purpose and Perspective of the Module .......... 2
Cengage Supplements .......... 2
Module Objectives .......... 2
Complete List of Module Activities and Assessments .......... 2
Key Terms .......... 3
What's New in This Module .......... 6
Module Outline .......... 6
Discussion Questions .......... 22
Suggested Usage for Lab Activities .......... 23
Additional Activities and Assignments .......... 24
Additional Resources .......... 25
Internet Resources .......... 25
Appendix .......... 26
Grading Rubrics .......... 26
Purpose and Perspective of the Module
Contrary to popular belief, cryptology is not necessarily a highly technical and complex science; knitting and word puzzles are great examples of this. In this module, students will gain an understanding of what cryptography is and how it is applied in maintaining information security systems. Additionally, they will learn about its history, basic operating principles, and the major protocols used for secure communications.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
10.1 Chronicle the most significant events and discoveries in the world of cryptology.
10.2 Explain the basic principles of cryptography.
10.3 Describe the operating principles of the most popular cryptographic tools.
10.4 List and explain the major protocols used for secure communications.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.
Module Objective | PPT slide | Activity/Assessment | Duration
10.1 | 18–19 | Knowledge Check Activity 1 | 2 minutes
10.2 | 31–32 | Knowledge Check Activity 2 | 2 minutes
10.3 and 10.4 | 52–53 | Knowledge Check Activity 3 | 2 minutes
10.1–10.4 | 57 | Self-Assessment | 5 minutes
10.1–10.4 | MindTap | Module 10 Review Questions | 30–40 minutes
10.1–10.4 | MindTap | Module 10 Case Exercises | 30 minutes
10.1–10.4 | MindTap | Module 10 Exercises | 10–30 minutes per question; 1+ hour per module
10.1–10.4 | MindTap | Module 10 Security for Life | 1+ hour
10.1–10.4 | MindTap | Module 10 Quiz | 10–15 minutes
[return to top]
Key Terms
In order of use:
cryptology: The field of science that encompasses cryptography and cryptanalysis.
cryptography: The process of making and using codes to secure information.
cryptanalysis: The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.
substitution cipher: An encryption method in which one value is substituted for another.
monoalphabetic substitution: A substitution cipher that incorporates a single alphabet in the encryption process.
polyalphabetic substitution: A substitution cipher that incorporates two or more alphabets in the encryption process.
Vigenère cipher: An advanced type of substitution cipher that uses a simple polyalphabetic code.
transposition cipher: A cryptographic operation that involves simply rearranging the values within a block based on an established pattern; also known as a permutation cipher.
permutation cipher: See transposition cipher.
exclusive OR operation (XOR): A function within Boolean algebra used as an encryption function in which two bits are compared; identical bits result in a binary 0 while different bits result in a binary 1.
Vernam cipher: A cryptographic technique developed at AT&T and known as the “one-time pad,” this cipher uses a set of characters for encryption operations only once and then discards it.
hash functions: Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm the message’s identity and integrity.
hash algorithms: Public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value.
hash value: See hash algorithm.
message digest: A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient’s locally calculated hash of the same message; also known as a hash value.
message authentication code (MAC): A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest.
Secure Hash Standard (SHS): A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.
secret key: A key that can be used in symmetric encryption both to encipher and decipher the message.
symmetric encryption: A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.
private-key encryption: See symmetric encryption.
Advanced Encryption Standard (AES): The current federal standard for the encryption of data, as specified by NIST; based on the Rijndael algorithm.
asymmetric encryption: A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message; either key can be used to encrypt a message, but the other key is required to decrypt it.
public-key encryption: See asymmetric encryption.
public key infrastructure (PKI): An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.
digital certificates: Public-key container files that allow PKI system components and end users to validate a public key and identify its owner.
certificate authority (CA): In PKI, a third party that manages users’ digital certificates.
registration authority (RA): In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.
certificate revocation list (CRL): In PKI, a published list of revoked or terminated digital certificates.
nonrepudiation: The process of reversing public-key encryption to verify that a message was sent by the user and thus cannot be refuted.
digital signatures: Encrypted message components that can be mathematically proven as authentic.
Digital Signature Standard (DSS): The NIST standard for digital signature algorithm usage by federal information systems; based on a variant of the ElGamal signature scheme.
Diffie-Hellman key exchange: A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.
session keys: Limited-use symmetric keys for temporary communications during an online session.
steganography: The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.
Secure Socket Layer (SSL): A security protocol developed by Netscape to use public-key encryption to secure a channel over the Internet.
Secure HTTP (HTTPS): An extended version of Hypertext Transfer Protocol that provides for the encryption of protected Web pages transmitted via the Internet between a client and server.
Secure/Multipurpose Internet Mail Extensions (S/MIME): A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.
Privacy-Enhanced Mail (PEM): A standard proposed by the IETF that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.
Secure Electronic Transactions (SET): A protocol developed by credit card companies to protect against electronic payment fraud.
IP Security (IPSec): The primary and dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group; provides application support for all uses within TCP/IP, including virtual private networks.
transport mode: In IPSec, an encryption method in which only a packet’s IP data is encrypted, not the IP headers themselves; allows intermediate nodes to read the source and destination addresses.
tunnel mode: In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet; requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.
authentication header (AH) protocol: In IPSec, a protocol that provides system-to-system authentication and data integrity verification but does not provide secrecy for the content of a network communication.
encapsulating security payload (ESP) protocol: In IPSec, a protocol that provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
[return to top]
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 8 in the 6th edition.
• Foundation topics in cryptography were reorganized and refined.
• Content on blockchain technologies and payment systems security was added.
[return to top]
Module Outline
Introduction to Information Cryptography (10.1, 10.2, PPT Slides 3–30)
I. Recall how cryptography and cryptanalysis can provide a sophisticated approach to security issues an organization may run into.
II. Emphasize that many security-related tools use embedded encryption technologies.
III. Explain how the science of encryption, known as cryptology, encompasses cryptography and cryptanalysis.
The History of Cryptology
I. Recognize that cryptology has been around since approximately 1900 B.C. and is not a new phenomenon of the Internet.
II. Review and list key dates in history critical to the transformation and growth of cryptology.
III. Conclude that in 1992, encryption tools were officially listed as Auxiliary Military Technology under the Code of Federal Regulations: International Traffic in Arms Regulations.
Key Cryptology Terms
I. List and define key terms that are commonly used in the field of cryptology:
• Algorithm: The mathematical formula or method used to convert an unencrypted message into an encrypted message; sometimes refers to the programs that enable the cryptographic processes.
• Bit stream cipher: An encryption method that involves converting plaintext to ciphertext one bit at a time.
• Block cipher: An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.
• Cipher: When used as a verb, the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components or vice versa (see Decryption and Encryption); when used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with cryptosystem.
• Ciphertext or cryptogram: The unintelligible encrypted or encoded message resulting from an encryption.
• Code: The process of converting components (words or phrases) of an unencrypted message into encrypted components.
• Decipher: See Decryption.
• Decryption: The process of converting an encoded or enciphered message (ciphertext) back to its original readable form (plaintext), also referred to as deciphering.
• Encipher: See Encryption.
• Encryption: The process of converting an original message (plaintext) into a form that cannot be used by unauthorized individuals (ciphertext), also referred to as enciphering.
• Key or cryptovariable: The information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in an algorithm or the knowledge of how to manipulate the plaintext. Sometimes called a cryptovariable.
• Keyspace: The entire range of values that can be used to construct an individual key.
• Link encryption: A series of encryptions and decryptions between a number of systems wherein each system in a network decrypts the message sent to it, reencrypts the message using different keys, and sends it to the next neighbor. This process continues until the message reaches the final destination.
• Plaintext or cleartext: The original unencrypted message that is encrypted and the message that results from successful decryption.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
7
Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 10: Cryptography
• Steganography: The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.
• Work factor: The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message.
II. Explain how many common IT tools use embedded encryption technologies to protect sensitive information within applications.
Encryption Models (10.2, PPT Slides 19–30)
I. Analyze the two most common methods of encrypting plaintext: bit stream and block cipher.
II. Review that in the bit stream method, each bit in the plaintext is transformed into a cipher bit one bit at a time, whereas in the block cipher method, messages are divided into 8-, 16-, 32-, or 64-bit blocks and each block is transformed using an algorithm and a key.
Substitution Cipher
I. Explain how, in a substitution cipher, one value is substituted for another.
II. Describe monoalphabetic substitution, which uses only one alphabet, and contrast it with polyalphabetic substitution, which uses at least two alphabets and is more advanced in nature.
III. Note that the Vigenère cipher is an advanced substitution cipher that uses a simple polyalphabetic code.
Transposition Cipher
I. Compare and contrast the transposition cipher with the substitution cipher, and explain how transposition ciphers can be more difficult to decipher.
II. Recall that transposition ciphers can operate at either the bit level or the byte (or character) level.
III. Discuss how transposition ciphers move these bits or bytes to another location in the block, so that the bit or byte in position 1 moves to position 4, the bit or byte in position 2 moves to position 8, and so on.
Exclusive OR
I. Define the concept of the exclusive OR operation (XOR) and its importance to cryptography.
II. Comprehend that bit stream methods commonly use algorithm functions like the exclusive OR operation (XOR), whereas block methods can use substitution, transposition, XOR, or some combination of these operations.
III. Identify that XOR is a function of Boolean algebra: if the two bits compared are identical, the binary result is 0, and if they differ, it is 1. Apply Table 10-3 as part of the discussion.
Vernam Cipher
I. Relate that this is one of the oldest modern encryption methods still used today, having been a key factor in cryptography for well over 100 years (since 1917).
II. Assemble and list the steps of a Vernam cipher encryption operation:
• The pad values are added to the numeric values that represent the plaintext to be encrypted.
• Each character of the plaintext is turned into a number, and the pad value for that position is added to it.
• The resulting sum for that character is then converted back to a ciphertext letter for transmission.
• When the two are added, if the value exceeds 26, then 26 is subtracted from the total. (This is referred to as modulo 26.)
• The corresponding results are then converted back to text.
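The four operations this outline walks through (substitution, transposition, XOR, and the modulo-26 Vernam addition) in working form, as an added Python example that is not part of the manual or the textbook; the A=1..Z=26 numbering, the sample position permutation, and the sample pad are assumptions chosen to match the description above.

```python
import string

ALPHABET = string.ascii_uppercase


def letter_value(ch: str) -> int:
    """Map A..Z to 1..26, the numbering used in the Vernam walk-through."""
    return ALPHABET.index(ch) + 1


def value_letter(v: int) -> str:
    """Map 1..26 back to A..Z."""
    return ALPHABET[v - 1]


# --- Monoalphabetic substitution: one alphabet, shifted by a fixed amount ----
def caesar(text: str, shift: int) -> str:
    """Replace each letter with the one `shift` places later (shift=3 is Caesar's cipher).
    Decrypt by passing the negative shift."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text)


# --- Polyalphabetic substitution: the Vigenère cipher cycles through key letters ----
def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Each plaintext letter is shifted by the value of the matching key letter,
    so the same plaintext letter can map to different ciphertext letters."""
    out, i = [], 0
    for c in text:
        if c not in ALPHABET:
            out.append(c)
            continue
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) + (-k if decrypt else k)) % 26])
        i += 1
    return "".join(out)


# --- Transposition: values are kept, positions inside a block are rearranged ----
# Constructed permutation for an 8-element block: position 1 -> 4 and 2 -> 8 (1-based),
# as in the outline; the remaining positions are filled in order.
SAMPLE_PERM = [3, 7, 0, 1, 2, 4, 5, 6]


def transpose(block, perm):
    """perm[i] is the new position of the element currently at position i."""
    out = [None] * len(block)
    for i, p in enumerate(perm):
        out[p] = block[i]
    return out


def untranspose(block, perm):
    """Inverse of transpose(): element i of the original sits at position perm[i]."""
    return [block[p] for p in perm]


# --- Bit-stream XOR: the same operation encrypts and decrypts ----
def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """XOR each data byte with the corresponding keystream byte."""
    return bytes(d ^ k for d, k in zip(data, keystream))


# --- Vernam (one-time pad) with the modulo-26 rule from the outline ----
def vernam(text: str, pad: str, decrypt: bool = False) -> str:
    """Add (or, to decrypt, subtract) the pad value at each position; a sum above 26
    has 26 subtracted, and a difference below 1 has 26 added."""
    if len(pad) < len(text):
        raise ValueError("one-time pad must be at least as long as the plaintext")
    out = []
    for c, p in zip(text, pad):
        v = letter_value(c) + (-letter_value(p) if decrypt else letter_value(p))
        if v > 26:
            v -= 26
        if v < 1:
            v += 26
        out.append(value_letter(v))
    return "".join(out)
```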
Book-Based Cipher
I. Examine the similarities and differences between book ciphers and key ciphers, and why they are important in cryptography for protecting the organization's information.
II. Analyze how the text of a book can serve as a third kind of key for decrypting messages (a method whose popularity stems from spy movies).
Book Cipher
I. Detail how the ciphertext consists of a list of codes representing the page number, line number, and word number of each plaintext word.
II. Comprehend that the receiver must know which book to use to decipher a message.
III. Explain that dictionaries and thesauruses are likely the most popular sources because they are guaranteed to contain every word needed. Note that almost any book will suffice for this method.
Running Key Cipher
I. Define the running key cipher and how it applies the concepts a book cipher uses for decrypting messages.
II. Comprehend how the mirrored layout of a table simplifies the selection of rows and columns during encryption and decryption exercises.
Template Cipher
I. Gain awareness that a template cipher, or perforated page cipher, is not strictly an encryption cipher but rather an example of steganography.
II. Examine that this form of ciphering is often difficult to complete, physical in nature, and easy to detect, so its usefulness in cryptography is minimal, if any.
Hash Functions
I. Identify the concept of hash functions: mathematical algorithms used to confirm the identity of a specific message and to confirm that its content has not been changed.
II. Examine how hash algorithms are functions that create hash values, or message digests, by converting variable-length messages into a single fixed-length value.
III. Emphasize that hashing functions do not require the use of keys. Rather, a message authentication code (MAC), which is essentially a one-way hash value that is encrypted with a symmetric key, may be attached to a message to allow only specific recipients to access the message digest. Here, the recipient must have a key to access (or unlock) the message digest and to confirm the integrity of that message.
IV. Define the concept of a Secure Hash Standard (SHS) and compare the original Secure Hash Algorithm (SHA-1) to the more modern hash algorithms in use or being proposed (SHA-256, SHA-384, and SHA-512).
V. Stress that a recently developed attack method called rainbow cracking has generated concern about the strength of the processes used for password hashing.
VI. Examine the password standard in 10.4 and why it is important to apply it to the systems one accesses daily.
VII. Compare and contrast the ways one can defend against time-memory trade-off attacks, including password hash salting, key stretching, and key strengthening.
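The hash, MAC, and salting/key-stretching ideas from items I through VII, as an added Python example using only the standard library (it is not from the manual or the textbook); the PBKDF2 iteration counts and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os


def message_digest(message: bytes) -> str:
    """Variable-length message in, fixed-length (256-bit) digest out. No key is involved,
    so anyone can recompute it; it proves integrity only if the digest itself is trusted."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Message authentication code: a hash bound to a symmetric key (HMAC-SHA256).
    Only a holder of the key can produce or check the tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def hash_password(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Salted and stretched password hash (PBKDF2-HMAC-SHA256).
    The salt is random per user and stored with the hash; the iteration count is the
    key-stretching factor that slows down every guess an attacker has to make."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def new_password_record(password: str, iterations: int = 600_000) -> str:
    """Create the stored record for a new password with a fresh 16-byte salt."""
    return hash_password(password, os.urandom(16), iterations)


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare."""
    salt_hex, iterations, _ = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, record)


def salting_defeats_precomputation(password: str, iterations: int = 1_000) -> bool:
    """Two users with the same password get different records, so a single precomputed
    (rainbow) table cannot cover both: the attacker needs a fresh table per salt."""
    a = new_password_record(password, iterations)
    b = new_password_record(password, iterations)
    return a != b and verify_password(password, a) and verify_password(password, b)
```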
Quick Quiz 1
1. True or False: Julius Caesar was associated with an early version of the substitution cipher.
Answer: True
2. Which of the following terms is used to describe the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext?
a. cipher
b. code
c. cleartext
d. key
Answer: d
3. The science of encryption is known as which of the following?
a. cryptanalysis
b. steganography
c. cryptology
d. algorithm
Answer: c
4. Which of the following terms describes the process of making and using codes to secure the transmission of information?
a. algorithm
b. cryptography
c. steganography
d. cryptanalysis
Answer: b
5. True or False: Hashing functions require the use of keys.
Answer: False
Cryptographic Algorithms (10.2, PPT Slides 19–30)
I. Explain that cryptographic algorithms are often grouped into two broad categories: symmetric and asymmetric.
II. Gain awareness that most cryptosystems deploy a hybrid combination of symmetric and asymmetric algorithms.
III. Review that symmetric and asymmetric algorithms can be distinguished by the types of keys they use for encryption and decryption operations.
Symmetric Encryption
I. Describe how symmetric encryption uses the same key, also known as a secret key, to encrypt and decrypt a message.
II. Analyze the efficiency of symmetric encryption methods, which require only minimal processing to either encrypt or decrypt a message.
III. Point out the drawback of this type of encryption: both the sender and receiver must have the same key to transmit a message between them. Emphasize that if either copy of the key is compromised, an intermediary can decrypt and read the messages.
IV. Review the evolution of symmetric encryption cryptosystems, leading to what is commonly used now, the Advanced Encryption Standard (AES).
• The Data Encryption Standard (DES) was developed in 1977 by IBM and is based on an algorithm that uses a key length of 128 bits. As implemented, DES uses a 64-bit block size and a 56-bit key. DES is no longer considered secure.
• Triple DES (3DES) was developed as an improvement to DES. 3DES encrypts the message three times with three different keys. While it was stronger than DES, it soon proved too weak to survive.
• AES is based on the Rijndael block cipher, a block cipher with a variable block length and a key length of 128, 192, or 256 bits. It is the most commonly used symmetric cipher today.
Asymmetric Encryption
I. Comprehend that asymmetric encryption is also known as public-key encryption.
II. Explain that symmetric encryption uses a single key to encrypt and decrypt, but asymmetric encryption uses two different but related keys, one public and one private. For example, if Key A is used to encrypt the message, only Key B can decrypt it.
III. Distinguish a public key from a private key. Public keys are often stored in public locations, whereas private keys are known only to the owner of the key pair.
IV. Classify asymmetric algorithms as one-way functions: they are simple to compute in one direction but complex to compute in the opposite direction.
V. Introduce students to the RSA algorithm, which is one of the most popular public-key cryptosystems.
VI. Critique the fact that with asymmetric encryption, four keys are required to hold a single conversation between two parties (two public and two related private keys); the more parties involved in a conversation, the more the number of keys that must be managed rises, exponentially.
Encryption Key Size
I. Apply an understanding that when deploying ciphers, users must decide on the size of the cryptovariable (or key), because it determines the strength of the algorithm.
II. Explain that for cryptosystems, the security of encrypted data does not depend on keeping the encrypting algorithm secret; in fact, algorithms are often published so that research to uncover their weaknesses can be done.
III. Stress that the security of any cryptosystem depends on keeping some or all of the elements of the cryptovariable(s) or key(s) secret. If any of them are shared outside the domain, the strength quickly decreases or is eliminated.
IV. Examine and apply Table 10-5 to illustrate the amount of time often needed to crack a cipher by guessing its key. Note that as the key grows, the time required grows exponentially with each additional bit.
Quick Quiz 2
1. True or False: Two hundred and eighty-five computers could crack a 56-bit key in one year, whereas 10 times as many could do it in a little over a month.
Answer: True
2. Which of the following is the strongest symmetric encryption cryptosystem?
a. Data Encryption System (DES)
b. Advanced Encryption Standard (AES)
c. Triple DES (3DES)
d. RSA algorithm
Answer: d
3. What term is used to describe a cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message?
a. private-key encryption
b. symmetric encryption
c. Advanced Encryption Standard (AES)
d. asymmetric encryption
Answer: d
4. Which algorithm was the first public-key encryption algorithm developed (in 1977) and published for commercial use?
a. 3DES
b. Blowfish
c. RSA
d. Diffie-Hellman
Answer: c
5. True or False: In the event either a public key or private key is compromised, the communication terminates as there is no way to override a compromised key.
Answer: False
Cryptographic Tools (10.3, PPT Slides 28–30 and 33–40)
I. Manage expectations that cryptographic capabilities must be embodied in tools that allow IT and information security practitioners to apply the elements of cryptography in the world of information systems.
II. Review some of the most widely used tools that apply the functions of cryptography to the world of information systems.
Public Key Infrastructure (PKI)
I. Examine and describe how public-key infrastructure (PKI) is an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely.
II. Apply the information in the text regarding digital certificates as public-key container files that allow PKI system components and end users to validate a public key and identify its owner.
III. List the ways PKI can protect information assets. It uses the following techniques:
• Authentication
• Integrity
• Privacy
• Authorization
• Nonrepudiation
IV. Outline the components that a typical PKI solution uses to protect the transmission and reception of secure information:
• Certificate authority (CA)
• Registration authority (RA)
• Certificate directories
• Management protocols
• Policies and procedures
V. Apply the common implementations of a PKI:
• Issuance of digital certificates to servers and users.
• Directory enrollment.
• Key issuing systems.
• Provide tools to secure information.
• Provide verification and return of certificates.
VI. Stress that certificate authorities (CAs) often perform many housekeeping activities regarding the use of keys and certificates within their zone of authority.
VII. Justify that periodically, certificate revocation lists (CRLs) are sent out to users at the discretion of the information security team.
Digital Signatures
I. Define what a digital signature is and which type of encryption process is used to create one (asymmetric).
II. Identify that when an asymmetric cryptographic process uses the sender's private key to encrypt a message, the sender's public key must be used to decrypt the message.
III. Review how, when the decryption succeeds, it verifies that the message was sent by the sender and cannot be refuted. Note that this process is known as nonrepudiation and is the principle of cryptography that underpins the authentication mechanism collectively known as a digital signature.
IV. Emphasize that a digital signature is an encrypted message that can be mathematically proven authentic.
V. Recommend that digital signatures be created using processes and products based on the Digital Signature Standard (DSS).
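The public/private key operations from the Asymmetric Encryption section and the signature direction described above (private key to sign, public key to verify), as an added Python example that is not from the manual or the textbook; the primes 61 and 53 are deliberately tiny assumptions for readability, which also lets the example show why such a small key can be recovered by factoring.

```python
import hashlib
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 17):
    """Derive a textbook RSA key pair from two primes. The public key (e, n) can be
    published; the private key (d, n) is known only to the owner of the pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt; only the private key reverses it."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


def _digest_as_int(message: bytes, n: int) -> int:
    # Hash first, then reduce so the value fits the toy modulus
    # (real signature schemes pad the digest instead of reducing it).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature: the sender applies the PRIVATE key to the message digest."""
    d, n = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """The sender's PUBLIC key reverses the operation; a match on the freshly computed
    digest proves both origin (nonrepudiation) and integrity of the message."""
    e, n = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def recover_private_key(public_key):
    """The one-way property rests on n being too large to factor. With a toy-sized n,
    trial division recovers the private key instantly, which is the point of the
    Encryption Key Size discussion: strength comes from key size, not algorithm secrecy."""
    e, n = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), n
    return None
```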
Digital Certificates
I. Compare and contrast a digital signature and a digital certificate.
II. Explain that a digital certificate is an electronic document, similar to a digital signature, that is attached to a file and certifies that the file is from the organization it claims to be from and has not been modified from its original format.
III. Justify that digital certificates authenticate the cryptographic key embedded inside the certificate, not the origin of a message.
IV. Review Figure 10-7 as a visual example of a digital certificate.
Hybrid Cryptography Systems
I. Establish that asymmetric key encryption is used to a limited extent, most often only for certificates.
II. Comprehend that asymmetric key encryption is more often used in conjunction with symmetric key encryption as part of a hybrid encryption system.
III. Describe the Diffie-Hellman key exchange and why it is the most common hybrid system used to exchange session keys. Apply the information in Figure 10-8 to aid students' understanding of how hybrid encryption functions.
IV. Emphasize that the keys used in hybrid systems are limited-use symmetric keys for temporary communications. They allow two organizations to conduct quick, efficient, secure communications based on symmetric encryption.
V. Express the importance of the Diffie-Hellman approach as the foundation for subsequent developments in public-key encryption.
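The hybrid pattern above (a Diffie-Hellman exchange establishing a limited-use symmetric session key, which then carries the bulk traffic) with both parties' messages, as an added Python example that is not from the manual or the textbook; the 61-bit prime and the hash-based toy stream cipher are assumptions chosen for readability, not production parameters.

```python
import hashlib
import secrets

# Public group parameters, agreed in advance and safe to publish.
# Toy size: real deployments use standardized groups of 2048 bits or more.
P = 2**61 - 1   # a Mersenne prime
G = 2


class Party:
    """One side of the exchange. Only `public` ever leaves this object."""

    def __init__(self, name: str, p: int = P, g: int = G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 2   # secret exponent, never transmitted
        self.public = pow(g, self.private, p)         # g^private mod p, sent in the clear
        self.session_key = None

    def derive_session_key(self, peer_public: int) -> bytes:
        """Message 2 of the exchange: combine the peer's public value with my secret.
        Both sides compute g^(ab) mod p and hash it into a 256-bit session key."""
        shared = pow(peer_public, self.private, self.p)
        self.session_key = hashlib.sha256(shared.to_bytes(8, "big")).digest()
        return self.session_key


def symmetric_encrypt(key: bytes, data: bytes) -> bytes:
    """The symmetric half of the hybrid: a toy keystream (SHA-256 in counter mode)
    XORed with the data. The same call decrypts. Stands in for AES in the outline."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_exchange(message: bytes):
    """Run the whole exchange between two parties and return
    (keys_match, message_as_recovered_by_the_receiver)."""
    alice, bob = Party("Alice"), Party("Bob")
    # Message 1: each side sends its public value over the open channel.
    alice.derive_session_key(bob.public)
    bob.derive_session_key(alice.public)
    # Bulk data travels under the short-lived symmetric session key.
    ciphertext = symmetric_encrypt(alice.session_key, message)
    recovered = symmetric_encrypt(bob.session_key, ciphertext)
    return alice.session_key == bob.session_key, recovered
```

Note that nothing here authenticates the public values; as the IPSec material later in this module states, the exchange is signed with public-key cryptography so that each side knows whose value it received.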
Steganography
I. Explain what steganography is and how it relates to cryptography and encryption standards. Stress that it is a data-hiding method that involves embedding information within files.
II. Emphasize that the word "steganography" is derived from the Greek words "steganos," meaning "covered," and "graphein," meaning "to write."
III. Assess and propose the most popular modern version of steganography, which involves hiding information within files that appear to contain digital pictures or other images.
IV. State that most computer graphics standards use a combination of three color values, red, green, and blue (RGB), to represent a picture element, or pixel. Each of the colors has an 8-bit binary code. For example, 00000000 is no red and 11111111 is all red.
V. Provide examples and justifications of file types that can hide messages, including .bmp, .wav, .mp3, and .au files. Unused storage on CDs and DVDs is an alternate example to share with students.
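Least-significant-bit image steganography as described in items IV and V, as an added Python example that is not from the manual or the textbook; the cover image is constructed in memory as RGB tuples rather than read from a .bmp file, which is an assumption made so the example runs offline.

```python
def build_cover_image(width: int, height: int):
    """Constructed cover image: a flat list of (R, G, B) tuples, each channel 0..255."""
    return [((x * 7) % 256, (y * 13) % 256, ((x + y) * 3) % 256)
            for y in range(height) for x in range(width)]


def embed(pixels, payload: bytes):
    """Hide the payload in the least significant bit of each colour channel.
    A 4-byte big-endian length header goes first so the extractor knows where to stop.
    Changing only the lowest bit alters each channel by at most 1 of 255 levels."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    capacity = len(pixels) * 3
    if len(bits) > capacity:
        raise ValueError(f"payload needs {len(bits)} bits, cover holds {capacity}")
    bit_iter = iter(bits)
    out = []
    for pixel in pixels:
        new = []
        for channel in pixel:
            b = next(bit_iter, None)
            new.append(channel if b is None else (channel & 0xFE) | b)
        out.append(tuple(new))
    return out


def extract(pixels) -> bytes:
    """Read the LSB of every channel back out and rebuild the header and payload."""
    bits = [c & 1 for pixel in pixels for c in pixel]

    def to_bytes(bit_slice):
        return bytes(int("".join(map(str, bit_slice[i:i + 8])), 2)
                     for i in range(0, len(bit_slice), 8))

    length = int.from_bytes(to_bytes(bits[:32]), "big")
    return to_bytes(bits[32:32 + 8 * length])


def max_channel_change(original, stego) -> int:
    """Defender-side check: LSB embedding never moves a channel by more than 1,
    which is why the change is invisible to the eye and why detection relies on
    statistics of the low bits rather than on visual inspection."""
    return max(abs(a - b) for p, q in zip(original, stego) for a, b in zip(p, q))
```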
Protocols for Secure Communications (10.4, PPT Slides 41–51)
I. Recognize that most of the software currently used to protect the confidentiality of information within organizations is not a true cryptosystem. Rather, it consists of applications to which cryptographic protocols were added after the fact.
II. Review Table 10-7 for a summary of the communication protocols needed to handle the exponential increase in threats.
Secure Internet Communication with HTTPS and SSL
I. Provide context on the history of the Secure Socket Layer (SSL) protocol, which uses public-key encryption, and Netscape's intention to create a secure channel over public Internet connections. This created the opportunity to enable secure communications.
II. Define what Hypertext Transfer Protocol (HTTP) is and why it is important for secure Internet communications.
III. Review the concept of Secure Hypertext Transfer Protocol (S-HTTP) and how it is an extended version of the Hypertext Transfer Protocol (HTTP) that provides for the encryption of individual messages between a client and server across the Internet. S-HTTP is the application of SSL over HTTP, which allows the encryption of all information passing between two computers through a protected and secure virtual connection.
IV. Emphasize the importance for organizations of using HTTPS for internal and external websites.
Secure E-Mail with S/MIME, PEM, and PGP
I. Define the concept of Secure/Multipurpose Internet Mail Extensions (S/MIME) and its importance in e-mail communications.
II. Explain what Privacy-Enhanced Mail (PEM) is and how it can be used in conjunction with S/MIME. Present to students how PEM uses 3DES symmetric key encryption and RSA for key exchange and digital signatures.
III. Recognize that Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses the IDEA cipher along with RSA for key exchange. Focus on the point that PGP is functionally like S/MIME, incorporates some of the same algorithms, and can interoperate with S/MIME to some degree.
IV. Review the history of Internet e-mail standards and tell students that the first one used was SMTP/RFC 822 (also called SMTP). Note that this standard has problems and limitations; MIME was developed to address the problems associated with SMTP.
V. Detail how S/MIME builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.
Securing Web Transactions with SET, SSL, and HTTPS
I. Emphasize that just as PGP, PEM, and S/MIME work to secure e-mail operations, several related protocols work to secure Web browsers, especially at electronic commerce sites.
II. Compare and contrast Secure Electronic Transactions (SET), Secure Socket Layer (SSL), Secure Hypertext Transfer Protocol (S-HTTP), Secure Shell (SSH-2), and IP Security (IPSec).
III. Establish that Secure Electronic Transactions (SET) was developed by MasterCard and Visa in 1997 to provide protection from electronic payment fraud. Also state that SET uses DES to encrypt credit card information transfers and RSA for key exchange, and that it provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores.
IV. Mention that SSL uses several algorithms but mainly relies on RSA for key transfer and uses IDEA, DES, or 3DES for symmetric-key encryption of the data transferred.
Securing Wireless Networks with WPA and RSN
I. Discuss wireless local area networks, which many in the IT industry consider inherently insecure. Without some form of protection, these signals can be intercepted by anyone with a wireless packet sniffer.
Wired Equivalent Privacy (WEP)
I. Define the concept of Wired Equivalent Privacy (WEP) and how it applies to information security systems and cryptography.
• WEP was an early attempt to provide security for the 802.11 network protocol.
• It is now considered too cryptographically weak to provide any meaningful protection from eavesdropping.
• An intruder who collects enough data can threaten a WEP network in just a few minutes by decrypting or altering the data being transmitted, or by forging the WEP key to gain unauthorized access to the network.
• WEP also lacks a means of validating user credentials to ensure that only those who should be on the network are allowed to access it.
II. Compare and critique the reasons why WEP is too weak for use in most network settings.
Wi-Fi Protected Access (WPA and WPA2)
I. Examine the purpose of WPA and why it was created to resolve the issues with WEP.
II. Explore how WPA uses dynamic keys through a shared authentication server and the Temporal Key Integrity Protocol (TKIP).
III. Review the four algorithms that TKIP adds above and beyond what WEP uses:
• A cryptographic message integrity code, or MIC, called Michael, to defeat forgeries.
• A new IV sequencing discipline to remove replay attacks from the attacker's arsenal.
• A per-packet key mixing function to decorrelate public IVs from weak keys.
• A rekeying mechanism to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.
IV. Summarize the history of WPA technologies and detail the newest iteration of this technology, WPA3.
V. Compare and contrast the differences between WEP and WPA using the information provided in Table 10-9 in the text.
Next Generation Wireless Protocols
I. Describe in detail the purpose of a Robust Secure Network (RSN) and why it is important to use as more devices and systems go online for organizations.
II. Summarize the RSN protocol functions as provided in the text:
• The wireless network interface card (NIC) sends a probe request.
• The wireless access point sends a probe response with an RSN Information Exchange (IE) frame.
• The wireless NIC requests authentication via one of the approved methods.
• The wireless access point provides authentication for the wireless NIC.
• The wireless NIC sends an association request with an RSN IE frame.
• The wireless access point sends an association response.
III. Stress that AES supports key lengths of up to 256 bits but lacks compatibility with older hardware.
IV. Emphasize that a specification known as Transitional Security Network (TSN) allows RSN and WEP to coexist on the same wireless LAN.
Bluetooth
I. Analyze what Bluetooth is and its importance as a short-range wireless communication option between devices within a 30-foot range, noting that it operates without additional security controls.
II. Diagnose the two ways Bluetooth-enabled devices can be secured: turning Bluetooth off, or not accepting incoming pairing requests unless one knows which device is asking for the connection.
Securing TCP/IP with IPSec and PGP
I. Define how IP Security (IPSec) is the cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. Emphasize that this protocol is used to create virtual private networks (VPNs) and is an open framework for security development within the TCP/IP family of protocol standards.
II. Compare and contrast the two modes of operation in which IPSec works: transport mode and tunnel mode.
• In transport mode, only the IP data is encrypted, not the IP headers.
• In tunnel mode, the entire IP packet is encrypted and is then placed as the payload in another IP packet.
III. Evaluate the IPSec protocol and describe to students how it operates. Use Figure 10-9 as a visual aid to assist with the explanation.
• IPSec combines several different cryptosystems in its operations:
  • Diffie-Hellman key exchange for deriving key material between peers on a public network.
  • Public-key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties.
  • Bulk encryption algorithms, such as DES, for encrypting the data.
  • Digital certificates signed by a certificate authority to act as digital ID cards.
• IP layer security is obtained by using an application header protocol or an encapsulating security payload protocol.
• The application header (AH) protocol provides system-to-system authentication and data integrity verification, but it does not provide secrecy for the content of a network communication.
• The encapsulating security payload (ESP) protocol provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
Pretty Good Privacy (PGP)
I. Describe the purpose of PGP and its benefit, as a hybrid cryptosystem, for storing and maintaining information. Note that this system uses some of the best available cryptographic algorithms and has become the open-source de facto standard for encryption and authentication of e-mail and file storage applications.
II. Review the six services that a PGP security solution can provide:
• Authentication by digital signatures
• Message encryption
• Compression
• E-mail compatibility
• Segmentation
• Key management
Quick Quiz 3
1. True or False: Popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms.
Answer: True
2. True or False: PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities.
Answer: True
3. True or False: Nonrepudiation means that customers or partners cannot be held accountable for transactions, such as online purchases, which they cannot later deny.
Answer: False
4. The process of hiding information within other files, such as digital pictures or other images, is known as which of the following?
a. digital signatures
b. steganography
c. registration authority
d. digital certificates
Answer: b
5. Which of the following is a hybrid cryptosystem that has become the open-source de facto standard for encryption and authentication of e-mail and file storage applications?
a. PGP
b. S-HTTP
c. SSL
d. S/MIME
Answer: a
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What is the future of PKI? Acceptance of PKI solutions and product sales has fallen short of early estimates. What would the "killer app" for PKI sales look like? (10.3, PPT Slides 33–51) Duration 15 minutes.
2. Will biometrics involve encryption? How are biometric technologies dependent on the use of cryptography? (10.2, 10.3, 10.4, PPT Slides 20–30 and 33–51) Duration 15 minutes.
3. What are the risks of using an open-source cryptographic option as technology becomes more complex over time? Does it honestly make a difference? Why or why not? (10.4, PPT Slides 41–51) Duration 15 minutes.
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following list of lab titles, objectives, and approximate durations is provided to assist with lesson planning.

Lab: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, the student will have a better understanding of the ethical expectations of IT professionals and be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab, 15 to 20 minutes; Phishing E-Mail lab, 60 to 75 minutes.

Lab: Web Browser Security
Objective: Upon completion of this activity, the student will be able to review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use ClamAV on a Windows system.
• Create a portable AV scanner on a USB storage device.
• Understand what a YARA rule file is and how it is used.
Duration: 1 to 1.5 hours

Lab: Windows Password Management
Objective: Upon completion of this activity, the student will be able to review and configure password management policies on a Windows client computer.
Duration: 30 minutes to 1 hour

Lab: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, the student will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab: Log Management & Security
Objective: Upon completion of this activity, the student will be able to access and review the various logs present on a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with those network addresses.
Duration: 40–60 minutes

Lab: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. The software is used more extensively in a subsequent lab.
Duration: 2–3 hours

Lab: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include the following:
1. Have students encode and decode messages using simple and progressively more complex encoding processes. Start with a simple Caesar cipher and move on to running-key (book) and substitution ciphers.
2. Ask students to share their experiences with cryptographic security tools.
[return to top]
Additional Resources
Internet Resources
• Bruce Schneier
• RSA Intelligence Driven Security
• Phillip Zimmermann, Why I Wrote PGP
• Distributed.net
• History of SSL Certificate
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 – Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 – Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 – Needs Improvement
• Student's response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student's response is poorly developed or incomplete.

0 – Inadequate
• Student's response is missing or incomplete.
• Student's response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]
Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 11: Implementing Information Security
Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 11: Implementing Information Security
Table of Contents Purpose and Perspective of the Module ..................................................................................... 2 Cengage Supplements .................................................................................................................. 2 Module Objectives ......................................................................................................................... 2 Complete List of Module Activities and Assessments ................................................................ 2 Key Terms ....................................................................................................................................... 3 What's New in This Module .......................................................................................................... 4 Module Outline .............................................................................................................................. 4 Discussion Questions .................................................................................................................. 20 Suggested Usage for Lab Activities ............................................................................................ 20 Additional Activities and Assignments ....................................................................................... 22 Additional Resources................................................................................................................... 23 Internet Resources .................................................................................................................................. 23 Appendix ...................................................................................................................................... 24 Grading Rubrics ....................................................................................................................................... 24
Purpose and Perspective of the Module
The purpose of this module is to explore the transition of an information security blueprint into a project plan. Within this module, students will gain an understanding of the critical personnel that make up a project team and why a project manager with an information security background is paramount to the success of projects of this nature. Additional emphasis is placed on the organizational considerations a project must address and on the technical and nontechnical strategies that must be executed for a project to succeed in both the short term and the long term.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor's manual
Module Objectives
The following objectives are addressed in this module:
11.1 Explain how an organization's information security blueprint becomes a project plan.
11.2 Explain the significance of the project manager's role in the success of an information security project.
11.3 Discuss the many organizational considerations that a project plan must address.
11.4 Describe the need for professional project management for complex projects.
11.5 Discuss technical strategies and models for implementing a project plan.
11.6 List and discuss the nontechnical problems that organizations face in times of rapid change.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Activity/Assessment (Module Objective; PPT slide or platform): Duration
• Knowledge Check Activity 1 (11.2–11.4; PPT slides 27–28): 2 minutes
• Knowledge Check Activity 2 (11.2–11.4; PPT slides 43–44): 2 minutes
• Knowledge Check Activity 3 (11.5; PPT slides 53–54): 2 minutes
• Self-Assessment (11.1–11.6; PPT slide 61): 5 minutes
• Module 11 Review Questions (MindTap): 30–40 minutes
• Module 11 Case Exercises (MindTap): 30 minutes
• Module 11 Exercises (MindTap): 10–30 minutes per question; 1+ hour per module
• Module 11 Security for Life (MindTap): 1+ hour
• Module 11 Quiz (MindTap): 10–15 minutes
[return to top]
Key Terms
In order of use:
systems development life cycle (SDLC): A methodology for the design and implementation of an information system, which may contain different phases depending on the methodology deployed, but generally addresses investigation, analysis, design, implementation, and maintenance.
methodology: A formal approach to solving a problem based on a structured sequence of procedures.
waterfall model: A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
software assurance: A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages.
project management: The process of identifying and controlling the goals, objectives, tasks, scheduling, and resources of a project.
project plan: The documented instructions for participants and stakeholders in a project that provide details on goals, objectives, tasks, scheduling, and resource management.
work breakdown structure (WBS): A list of the tasks to be accomplished in a project, the employee skill sets needed to perform the tasks, the start and end dates, the estimated resources required, and the dependencies among tasks.
projectitis: A situation in project planning in which a project manager spends more time manipulating and adjusting aspects of the project management software than accomplishing meaningful project work.
gap analysis: The process of comparing measured results against expected results and then using the resulting "gap" as a measure of project success and as feedback for project management.
direct changeover conversion strategy: The conversion strategy that involves stopping the old system and starting the new one without any overlap.
phased implementation conversion strategy: The conversion strategy that involves a measured rollout of the planned system: only part of the system is brought out and disseminated across an organization before the next piece is implemented.
pilot implementation conversion strategy: The conversion strategy that involves implementing the entire system in a single office, department, or division and dealing with issues that arise before expanding to the rest of the organization.
parallel operations conversion strategy: The conversion strategy that involves running the new system concurrently with the old system.
bulls-eye model: A method for prioritizing a program of complex change that requires issues to be addressed from the general to the specific and focuses on systematic solutions instead of individual problems.
technology governance: A process that organizations use to manage the effects and costs of technological implementation, innovation, and obsolescence.
change control: A method of regulating the modification of systems within the organization by requiring formal review and approval for each change.
[return to top]
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 10 in the 6th edition.
• The entire module was refreshed with a general update and given more current examples.
• The section on Certification & Accreditation was moved to Module 4 and rewritten to align with the NIST RMF.
• The section on security models was expanded and updated.
[return to top]
Module Outline Introduction to Information Security Implementation (11.1, PPT Slides 3–18)
I. Define the term systems development life cycle (SDLC) and explain why an organization's needs and culture dictate which development approach is chosen and which trade-offs are accepted.
II. Recognize that information security must be built into every system in the organization, especially major systems.
III. Recognize that most organizations prefer to acquire off-the-shelf applications rather than develop information systems in-house.
IV. Compare and contrast the following systems development approaches:
• Joint application development
• Rapid application development
• Agile or extreme programming
• Development operations (DevOps)
• Security development operations (SecDevOps)
The Systems Development Life Cycle (11.1, PPT Slides 5–18)
I. Explain why an SDLC is a methodology and what purpose it serves for an information system.

Traditional Development Methods
I. Describe the six general phases of a traditional SDLC approach and how the waterfall model is applied to the phases.
II. Explain why, once a system is implemented, it is maintained and modified over its working life.
III. Recognize that an information system may go through multiple iterations because of the cyclical nature of the SDLC.

Investigation
I. Explain why the investigation phase is the most important phase of the SDLC process.
II. Explain the tasks that are often completed at the end of each major phase of the SDLC, including an assessment of economic, technical, and behavioral feasibility.

Analysis
I. Explain why information gathered in the investigation phase is the starting point for the analysis phase of the SDLC.
II. Understand that the assessments completed in this phase determine what the new system is expected to do and how it will interact with existing or planned systems.

Logical Design
I. Emphasize the importance of designing a solution around a business need and why this is necessary.
II. Evaluate the process of this step and why the logical design serves as the blueprint for the desired solution.
III. Describe why a logical design is implementation independent.

Physical Design
I. Compare and contrast the logical design phase with the physical design phase.
II. Recall that candidate components for the system are evaluated on a make-or-buy basis: developing them in-house or purchasing them from a vendor.

Implementation
I. Explain the tasks performed in this part of the SDLC process.
II. Understand that individual components are usually tested on their own before being tested together as a whole system.

Maintenance and Change
I. Present the reasons why this phase of the SDLC is often the most time consuming and expensive.
II. Explain that the life cycle has no hard ending for a system once this phase is reached. Note that the team determines when the investigation phase may need to be launched again in the future.
III. Describe what happens to a system once it has reached the end of its useful life.

Software Assurance
I. Outline why many information security problems originate in the software components of a system.
II. Define the concept of software assurance (SA) and the evolution of the Software Assurance Initiative led by Joe Jarzombek.
III. Review the elements of the Software Assurance Common Body of Knowledge (SwA CBK) and which sections should be incorporated into a software-specific SDLC.

Software Design Principles
I. Review the principles set out by J.H. Saltzer and M.D. Schroeder, which establish security considerations as a vital component of good software design.
II. Identify the design principles that software must follow to be secure:
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
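As an added example for the design principles above (this is illustrative code, not from the textbook or from Saltzer and Schroeder), the following Python shows fail-safe defaults and complete mediation side by side with their violations, using a hypothetical authorization layer. The user names, the document path and the policy dictionary are constructed for the example: a fail-open check trusts any principal missing from the policy, a fail-safe check denies unless an explicit grant exists, and a session that caches its first authorization decision keeps honoring a grant after it has been revoked, which a fully mediated session does not.

```python
"""Fail-safe defaults and complete mediation, each shown beside its violation.

Constructed example: the principals, resource and policy below are hypothetical.
"""

READ = "read"
WRITE = "write"


def make_policy():
    """Hypothetical grants: principal -> set of (resource, action) pairs."""
    return {
        "alice": {("/reports/q3.pdf", READ)},
        "bob": {("/reports/q3.pdf", READ), ("/reports/q3.pdf", WRITE)},
    }


def authorize_fail_open(policy, user, resource, action):
    """Violates fail-safe defaults: a principal with no policy entry is treated as unrestricted."""
    if user not in policy:
        return True  # the bug: "no rule found" is read as "no restriction"
    return (resource, action) in policy[user]


def authorize_fail_safe(policy, user, resource, action):
    """Fail-safe default: deny unless an explicit grant for this exact action exists."""
    return (resource, action) in policy.get(user, set())


class CachedSession:
    """Violates complete mediation: the first decision per resource is cached and reused,
    so a grant revoked after that first access is never noticed."""

    def __init__(self, policy, user):
        self.policy, self.user, self._cache = policy, user, {}

    def can_read(self, resource):
        if resource not in self._cache:
            self._cache[resource] = authorize_fail_safe(self.policy, self.user, resource, READ)
        return self._cache[resource]


class MediatedSession:
    """Complete mediation: every access consults the current policy."""

    def __init__(self, policy, user):
        self.policy, self.user = policy, user

    def can_read(self, resource):
        return authorize_fail_safe(self.policy, self.user, resource, READ)


def demo():
    """Run both contrasts against a fresh policy and return the observed decisions."""
    policy = make_policy()
    doc = "/reports/q3.pdf"
    cached = CachedSession(policy, "bob")
    mediated = MediatedSession(policy, "bob")
    before = (cached.can_read(doc), mediated.can_read(doc))
    policy["bob"].discard((doc, READ))  # revoke bob's read grant after his first access
    after = (cached.can_read(doc), mediated.can_read(doc))
    return {
        "unknown_user_fail_open": authorize_fail_open(policy, "mallory", doc, READ),
        "unknown_user_fail_safe": authorize_fail_safe(policy, "mallory", doc, READ),
        "alice_write_least_privilege": authorize_fail_safe(policy, "alice", doc, WRITE),
        "before_revocation": before,
        "after_revocation": after,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The cached session is the shape of many real bugs: an authorization result computed at login or at file-open time and reused for the life of the handle. Caching can be acceptable for performance, but only with an explicit invalidation path tied to policy changes; otherwise the check has to be made on every request, which is what the principle asks for.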
The NIST Approach to Securing the SDLC
I. Compare NIST's five-phase approach with the six phases of a traditional SDLC.
II. Outline the five phases of the NIST approach to the SDLC: initiation, development/acquisition, implementation/assessment, operation/maintenance, and disposal.
III. Recognize that NIST's recommendations are framed in terms of traditional methods but can be applied to other methods of systems development.

Initiation
I. Examine the differences between this phase and the investigation and analysis phases of a traditional SDLC.
II. Review the key security activities for this phase and the benefits of early planning and awareness of them.

Development/Acquisition
I. Outline the key activities applicable to security and why the security activities in this phase are not performed in a fixed top-down sequence.
II. Review the core outputs generated from development and/or acquisition activities within this step of the NIST SDLC.
Implementation/Assessment
I. Summarize the key steps performed within this part of the NIST SDLC.

Operations and Maintenance
I. Analyze the tasks required in this part of the NIST SDLC. Understand that the system often requires enhancements and updates over time and evolves over its useful life.
II. Justify why a system is updated so that it maintains effectiveness, security, and efficiency.
III. Recognize that a system can reenter a previous phase of the SDLC when necessary modifications warrant it.

Disposal
I. Describe the process for properly disposing of a system, with a focus on preserving data that may be needed by a future system.
II. Explain why there is often no definitive end for a system.
III. Justify why information security should be built in from the time a system is conceived rather than in one particular phase of the SDLC.
IV. Compare and contrast the Microsoft Security Development Lifecycle (SDL) with the recommendations made by NIST.

Information Security Project Management (11.2–11.4, PPT Slides 19–26 and 28–42)
I. Review and list the five items that often need to change to execute an information security blueprint successfully: procedures, people, hardware, software, and data.
II. Define what a project plan is and its intended purpose within the implementation of the SDLC.
III. Assess the importance of the information security blueprint as it is applied to a project plan.
IV. Identify the three major steps in executing the project plan: project planning, task supervision and action execution, and project wrap-up.
V. Discover the importance of a project office and the benefit of using it in an information security project.

Developing the Project Plan
I. Recognize that creation of a project plan is often assigned to a project manager or champion.
II. Examine the purpose and contents of a work breakdown structure (WBS):
• Work required to be accomplished
• People or skill sets assigned to perform project tasks
• Timelines, including start and end dates and the number of hours and work days
• Estimated capital and noncapital expenses
• Identification of dependencies between and among tasks in the project
III. Establish the major tasks within a project plan, which can then be divided into subtasks or action steps.
IV. Gain awareness of projectitis and how it can affect project managers and their ability to make progress.

Work to be Accomplished
I. Discuss the importance of differentiating activities from deliverables early in a project and why the project planner needs to provide thorough descriptions of tasks.

Assignments
I. Examine why a project planner should describe the resources needed to accomplish project tasks.
II. Specify skill sets instead of making individual assignments.

Start and End Dates
I. Define what a project milestone is and the importance of establishing milestones early in the project.
II. Understand that start and end dates can be added as needed.

Amount of Effort
I. Discuss the process project planners go through to determine the amount of effort required to complete project tasks and subtasks.
II. Recognize that it is best practice to consult people who are familiar with the tasks to get an accurate estimate of the time needed.

Estimated Capital Expenses
I. Review the process a project planner follows to determine the costs of each project task accurately.

Estimated Noncapital Expenses
I. Distinguish between a capital and a noncapital expense.
II. Give examples of common noncapital expenses a project planner needs to incorporate into an information security plan.

Task Dependencies
I. Define the difference between predecessors and successors within a WBS.
Quick Quiz 1
1. Which step of the systems development life cycle (SDLC) reviews issues with a current system and establishes the requirements of the new system being created?
a. maintenance and change
b. investigation
c. analysis
d. physical design
Answer: c
2. Which steps in a traditional SDLC are combined in the first phase of the NIST approach to projects?
a. logical design
b. investigation
c. analysis
d. both b and c
Answer: d
3. When reviewing the Microsoft SDL, what is the final phase of the plan, in which an incident response plan is executed?
a. response
b. verification
c. design
d. training
Answer: a
4. What is the situation called when a project manager spends more time adjusting a project management software file than focusing on the project itself?
a. project creep
b. projectitis
c. task delegation
d. strategic project management
Answer: b
5. True or False: When changing a security blueprint, training employees is not included as part of the process. Answer: False
6. True or False: Major tasks that are part of a work breakdown structure (WBS) are known as subtasks. Answer: False (major tasks in the WBS are further divided into subtasks or specific action steps)
Project Planning Considerations
I. Explain the factors project planners must consider when deciding what to include in a comprehensive work plan.

Financial Considerations
I. Apply a cost-benefit analysis (CBA) to determine the technologies required for a project, their impacts, and their costs.
II. Compare and contrast the budgetary approaches of public and private organizations.
III. Examine and apply benchmarked expenses from similar organizations to gain insight into planned and unplanned spending.

Priority Considerations
I. Establish how the order in which information security controls are implemented is determined for a project.

Time and Scheduling Considerations
I. Develop realistic timelines for security control implementation, training, and other factors that can alter the project's speed and timing.

Staffing Considerations
I. Review staff availability and determine whether new personnel will need to be hired or contracted to meet project goals.

Procurement Considerations
I. Examine procurement constraints that can limit which technologies can be used and the timing of software purchases, and how they affect completing a project on schedule.
II. Recognize that financial cost is not the only cost affected by procurement decisions; project timing, staffing, and implementation are also affected.

Organizational Feasibility Considerations
I. Construct an action plan that keeps system users informed about the new procedures a project will introduce.
II. Organize training sessions once processes are in place but prior to implementation to achieve better user buy-in.

Training and Indoctrination Considerations
I. Execute a phased or pilot implementation so that change can be introduced gradually prior to a full rollout of new information security protocols.
II. Ensure that compliance documents are distributed in a timely fashion so that all employees understand and agree to the policies updated as a result of the project.

Scope Considerations
I. Recognize that the project scope should be as small as the objectives allow.
II. Understand that information security projects must be adjusted with care, as they may interrupt an organization's operations and conflict with existing controls.

The Need for Project Management
I. Recognize that a project manager has a unique set of skills and a thorough understanding of several specialized knowledge areas.
II. Recall that a project manager assigned to an information security project must have experience in the field so that they understand the security environment they are changing.

Supervised Implementation
I. Review why a project champion may be installed as the leader of an information security project and how a project team could be structured as a result.

Executing the Plan
I. Define what a gap analysis is and why it is important to implementing an information security project.
II. Examine the two basic situations in which corrective action is taken when significant deviations occur within project tasks: flawed estimates or lagging performance.
III. Name the three parameters a project manager can adjust to bring a task back on track:
• Effort and money allocation
• Elapsed time or scheduling impacts
• Deliverable quality or quantity

Project Wrap-Up
I. Describe who is tasked with wrapping up an information security project and how it is done.
II. Review the tasks that are part of a project wrap-up:
• Documentation collection
• Finalizing status reports
• Delivering a final report
III. Interpret the goals of a project wrap-up so that process improvements can be applied to future projects.

Security Project Management Certifications
I. Review the four project management certifications that often apply to an information security project:
• GIAC Certified Project Manager
• EC-Council IT Security Project Management
• SIA Certified Security Project Manager
• PMI Project Management Professional

GIAC Certified Project Manager
I. Recall the focus of the SANS Institute and the topic areas covered in its security-focused project management course:
• Earned value technique (EVT)
• Leadership and management strategy
• Project communication management
• Project cost management
• Project human resource management
• Project integration management
• Project management framework and approach
• Project procurement management
• Project quality management
• Project risk management
• Project scope management
• Project stakeholder management
• Project time management
EC-Council IT Security Project Management
I. Recognize the EC-Council and their Certified Project Management (CPM) program offering as an alternative option for a security professional to become versed in project management fundamentals.
II. State the topics of their program offerings:
• Introduction to project management
• Project scope and technology integration
• Project scheduling and time management
• Project cost and budget management
• Project sourcing and vendor management
• Project controls and quality assurance
• Project opportunity and risk management
• Project governance and team management
• Project visualization, analytics, and reporting
• Project stakeholder engagement and expectations management
SIA Certified Security Project Manager
I. Differentiate between the SIA Certified Security Project Management program and the others outlined in the text. Note that this certification focuses primarily on physical security but also includes information security.
II. Identify that their project management certification program is the Certified Security Project Manager (CSPM).
PMI Project Management Professional
I. Relate that the Project Management Professional (PMP) certification is often regarded as the premier certification in the field.
Technical Aspects of Implementation (11.5, PPT Slides 45–52)
I. Differentiate between conversion strategies, prioritization among multiple components, outsourcing, and technology governance.
Conversion Strategies
I. Examine the four commonly used strategies for transitioning from an old system to a new system:
• Direct changeover
• Phased implementation
• Pilot implementation
• Parallel operations
II. Recognize that, for a smooth transition, the existing system must remain functional until the new system taking its place is fully operational.
Direct Changeover
I. Present the idea that this type of conversion is known as a “cold-turkey” approach because it stops using the old method and immediately implements the new.
II. Interpret examples of a direct changeover strategy that can be implemented in an information security framework:
• Password resets with stronger levels of authentication
• Firewall replacements
III. Understand that the major drawback of this approach is that, without complete testing, users may be left without a working system while bugs are worked out.
Phased Implementation
I. Comprehend that this is the most common approach to system implementation. It applies a measured rollout of the planned system while the old one is retired piece by piece.
II. Justify that this approach is the best to use for security project implementation.
Pilot Implementation
I. Establish an understanding that the entire security system is put into a single entity such as an office, department, or division prior to a full implementation rollout.
II. Explain that this provides predictability with respect to what needs adjusting while minimally interfering with the performance of the organization as the system is optimized.
Parallel Operations
I. Summarize that this system implementation approach has both systems running at the same time.
II. Recognize that this approach is often the most complex, although it provides an opportunity for the old system to act as a backup should the new one fail.
III. Conclude that the drawback to this approach is that both systems require maintenance for the time they are both operational.
IV. Interpret examples of a direct changeover strategy that can be implemented in an information security framework.
The Bulls-Eye Model
I. Discuss the purpose of this four-layer model with respect to a project plan process:
• Policies: this is the outermost layer of the diagram. It provides the ground rules that systems must use to function correctly. When implementing complex changes, policies should be used to provide clarity as to the purpose of the project being executed.
• Networks: recognize that for a long time information security focused strictly on this layer. Now, though, it is more complex because the infrastructure encounters threats from public networks. This layer also covers authentication and authorization for connecting to an organization’s systems via public networks.
• Systems: understand that the more complex a system becomes, the harder it is to maintain a secure environment for it. This layer also includes servers and desktops for process control and manufacturing systems.
• Applications: this is the innermost layer of the model and includes the programs that help run an organization so work can be completed. Examples include office automation, e-mail programs, and customized software packages.
II. Applying this model shows where to focus resources and capabilities in the information security blueprint, which is then applied to the overall project plan.
III. Understand how the following relate to what the model dictates regarding information security practices:
• No additional resources should be spent on controls until a sound and usable IT and information security policy is in place and deployed.
• All resources should be focused on the goal of having strong network controls in place unless the policy needs of an organization need adjustment.
• Implementation should focus primarily on the process, manufacturing systems, and information once policies and network controls are established.
• Provided that assurance is achieved and policies in place are solid, attention can then be diverted to assessing and remediating the security needs of the organization’s applications. Critical applications should, by default, get the most attention.
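To make the model's ordering rules concrete, the following is an added example (not code from the textbook or this manual) that encodes the four rules above as a prioritisation function over a constructed backlog of candidate controls; the dataclass names, the layer-maturity flags in Posture and the sample controls are assumptions made for the example.

```python
"""Bulls-eye model prioritisation: an added example, not from the textbook.
It encodes the ordering rules listed above (policies first, then network
controls, then systems, then applications with critical ones first) as a
decision function.  Dataclass names, the layer flags and the sample
controls below are assumptions made for this example."""
from dataclasses import dataclass

# Layers from the outer ring of the bulls-eye inward; lower index = earlier focus.
LAYERS = ("policies", "networks", "systems", "applications")


@dataclass(frozen=True)
class Control:
    name: str
    layer: str              # one of LAYERS
    critical: bool = False  # "critical applications get the most attention"


@dataclass(frozen=True)
class Posture:
    """Which outer layers are already in place (assumed flags, not from the page)."""
    policy_deployed: bool = False         # sound, usable policy in place and deployed
    network_controls_strong: bool = False
    systems_assured: bool = False         # process, manufacturing and information systems


def focus_layer(posture: Posture) -> str:
    """Outermost layer whose gate is not yet passed; that is where resources go."""
    if not posture.policy_deployed:
        return "policies"
    if not posture.network_controls_strong:
        return "networks"
    if not posture.systems_assured:
        return "systems"
    return "applications"


def _order(control: Control):
    # Outer layers first, critical items before non-critical, then by name.
    return (LAYERS.index(control.layer), not control.critical, control.name)


def prioritise(controls, posture: Posture):
    """Split candidate controls into (fund_now, deferred).

    fund_now holds controls on the focus layer plus adjustments to outer
    layers already in place (the model allows policy adjustments at any
    time); deferred holds controls on inner layers, which get no resources
    until the outer gates are passed.  Each deferred entry is a
    (control, blocking_layer) pair so the reason for deferral is visible.
    """
    focus_rank = LAYERS.index(focus_layer(posture))
    fund_now, deferred = [], []
    for control in controls:
        if control.layer not in LAYERS:
            raise ValueError(f"unknown layer {control.layer!r} for {control.name}")
        if LAYERS.index(control.layer) <= focus_rank:
            fund_now.append(control)
        else:
            deferred.append((control, LAYERS[focus_rank]))
    fund_now.sort(key=_order)
    deferred.sort(key=lambda pair: _order(pair[0]))
    return fund_now, deferred


# Constructed sample backlog for a fictional organization (not real data).
SAMPLE_CONTROLS = [
    Control("Deploy web application firewall", "networks"),
    Control("Patch payroll application", "applications", critical=True),
    Control("Harden manufacturing control servers", "systems"),
    Control("Publish acceptable-use policy", "policies"),
    Control("Update e-mail client", "applications"),
]


def plan_names(posture: Posture):
    """Convenience wrapper returning only names (and blocking layer) per bucket."""
    fund_now, deferred = prioritise(SAMPLE_CONTROLS, posture)
    return [c.name for c in fund_now], [(c.name, gate) for c, gate in deferred]


if __name__ == "__main__":
    for posture in (Posture(), Posture(policy_deployed=True), Posture(True, True, True)):
        fund, defer = plan_names(posture)
        print(f"{posture}\n  fund now: {fund}\n  deferred: {defer}")
```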
To Outsource or Not
I. Define best practices as to when an organization should outsource their information security and not attempt to do it in-house.
II. Emphasize that information security should be part of the contract arrangement with the supplier chosen if executing this option.
Technical Governance and Change Control
I. Review the concepts of technology governance and change control and how they apply to a project plan:
• Technology governance is the set of policies that determine how often technical systems are updated, approved, and funded.
• Change control is the set of processes, often used by medium-sized businesses, that controls adjustments to their systems. The benefits of using this option often include improved communication about system changes, enhanced coordination between groups, limited disruptions, higher quality of service levels, and management assurance that all are complying with policies for technology governance, procurement, accounting, and information security.
The Center for Internet Security’s Critical Security Controls
I. Define what the Center for Internet Security (CIS) is and its purpose of assisting organizations with cyberattacks and methods to control them through the Multi-State Information Sharing and Analysis Center (MS-ISAC).
II. Examine the U.S. National Security Agency (NSA) approach, which applies an “offense must inform defense” principle so that controls are implemented based on a prioritization model intended to block actual threats rather than generate compliance documentation.
III. Review the three levels of controls that the CIS established to create a framework that emphasizes standardized approaches and automation wherever possible or practical.
Nontechnical Aspects of Implementation (11.6, PPT Slide 55)
I. Recall that not all aspects of implementing an information security project plan are technical; some deal with human interfaces and interactions.
II. Recognize that a culture of change management is necessary for organizations facing change over time.
The Culture of Change Management
I. Comprehend that the foundation of change management is the mood and philosophy of the organization and how it adapts when changes are made.
II. Apply the Lewin change model to minimize cultural disruptions:
• Unfreezing is the approach of thawing hard-and-fast habits and established procedures. Preparing the organization for major changes through training and awareness assists with the adoption of the net results of a project.
• Moving is the transition from the old system to the new system. This often includes physical implementation of the new methods and departure from existing and outdated ones.
• Refreezing is the integration of the new method into the culture of the organization. An atmosphere of change acceptance is achieved, the new way of accomplishing a task is the one used going forward, and the old methods are no longer valid.
Considerations for Organizational Change
I. Recognize that organizational change often includes resistance from others and requires the development of a culture that welcomes change.
Reducing Resistance to Change from the Start
I. Analyze how the level of change resistance can affect the implementation of procedural and managerial changes when a new system is adopted.
II. Recall that the more ingrained previous methods and behaviors are, the more difficult the required changes will be to implement.
III. Review the three-step process that project managers can use to reduce resistance to change from the start of a project:
• Communication
• Education
• Involvement
Developing a Culture That Supports Change
I. Review the fact that a resilient culture can prevent the changes within an organization that projects attempt to achieve.
II. Identify a project champion, often at the executive level, who can provide support for changes that need to be made.
Quick Quiz 2
1. Which layer of the bulls-eye model should information security projects focus the most on?
a. networks
b. policies
c. systems
d. applications
Answer: a
2. Which changeover strategy should be used when transitioning from an old system to a new system gradually?
a. direct
b. pilot
c. phased
d. parallel
Answer: c
3. The ________ is a certification program that is administered by the Security Industry Association (SIA).
a. CAPM
b. CSPM
c. PMP
d. ECCPM
Answer: b
4. Which consideration is focused on the selection of equipment and services for a project?
a. staffing
b. organizational feasibility
c. procurement
d. scope
Answer: c
5. True or False: The parallel operations conversion strategy often involves running two systems concurrently.
Answer: True
6. True or False: The Center for Internet Security (CIS) outlines three categories of control to detect, prevent, respond to, and mitigate damage from attacks: Basic, Foundational, and Organizational.
Answer: True
[return to top]
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. Outsourcing is a common option an organization can use to complete projects when resources are limited or specific skill sets are not available. However, there are times when it may do more harm than good. What are some instances in which outsourcing should not be considered when implementing information security? (11.3, PPT Slides 29–37) Duration 15 minutes.
2. Why are project management professionals with information security credentials critical to the success of projects of this type? (11.4, PPT Slide 39) Duration 15 minutes.
3. What additional nontechnical problems, not mentioned in the text, can arise when implementing information security changes? Why are these important to address? (11.6, PPT Slide 55) Duration 15 minutes.
[return to top]
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.
Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services. Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
[return to top]
Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Develop an exercise that consists of a defined information security project and have your students develop an appropriate project plan. The students should use a simple planning tool such as a work breakdown structure (WBS).
2. Provide students with a link to the PMI Web site (www.pmi.org) and describe the PMI mission and objectives.
[return to top]
Additional Resources
Internet Resources
• Azure Development Environment and DevSecOps
• Microsoft SDL
• Project Management Certifications in the Federal Sector
• Project Management Institute
• Sample Change Management and Control Policy Template
• SANS GIAC Certified Project Manager Certification
• Software Assurance Common Body of Knowledge
• The Case for Outsourcing Security—Bruce Schneier
[return to top]
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3 (Exceeds Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2 (Meets Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1 (Needs Improvement)
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0 (Inadequate)
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]
Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 12: Information Security Maintenance
Table of Contents
Purpose and Perspective of the Module ..... 2
Cengage Supplements ..... 2
Module Objectives ..... 2
Complete List of Module Activities and Assessments ..... 3
Key Terms ..... 3
What's New in This Module ..... 5
Module Outline ..... 5
Discussion Questions ..... 28
Suggested Usage for Lab Activities ..... 29
Additional Activities and Assignments ..... 30
Additional Resources ..... 31
Internet Resources ..... 31
Appendix ..... 32
Grading Rubrics ..... 32
Purpose and Perspective of the Module
In the final module of the text, learners will be able to discuss the need for ongoing maintenance that is required for an information security program. This includes reviewing various recommended security management models to establish a full maintenance program. With regard to the maintenance program, students will be able to learn the key factors that may influence internal and external environments and how they affect system monitoring. Another important topic that is discussed is the planning that must take place for a system to always remain online. While it is optimal for this to occur, it may not be the case; hence, planning, risk assessment, vulnerability assessment, and remediation tie into this exercise. Finally, the development of readiness and review procedures and physical security controls round out this important concluding module.
Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual
Module Objectives
The following objectives are addressed in this module:
12.1 Discuss the need for ongoing maintenance of the information security program.
12.2 Describe recommended security management models.
12.3 Define a model for a full maintenance program.
12.4 Identify the key factors involved in monitoring the external and internal environment.
12.5 Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance.
12.6 Explain how to build readiness and review procedures into information security maintenance.
12.7 Discuss physical security controls.
Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.
Module Objective | PPT slide | Activity/Assessment | Duration
12.1 | 18–19 | Knowledge Check Activity 1 | 2 minutes
12.2–12.6 | 37–38 | Knowledge Check Activity 2 | 2 minutes
12.7 | 57–58 | Knowledge Check Activity 3 | 2 minutes
12.1–12.7 | 71 | Self-Assessment | 5 minutes
| MindTap | Module 12 Review Questions | 30–40 minutes
| MindTap | Module 12 Case Exercises | 30 minutes
| MindTap | Module 12 Exercises | 10–30 minutes per question; 1+ hour per module
| MindTap | Module 12 Security for Life | 1+ hour
| MindTap | Module 12 Quiz | 10–15 minutes
[return to top]
Key Terms
In order of use:
configuration and change management (CCM): An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.
configuration management: See configuration and change management (CCM).
InfoSec performance management: A process of designing, implementing, and managing the use of specific measurements to determine the effectiveness of the overall security program.
metric: A term traditionally used to describe any detailed statistical analysis technique on performance, but now commonly synonymous with performance measurement. See performance measurements.
performance measurements: Data or the trends in data that may indicate the effectiveness of security countermeasures or technical and managerial controls implemented in the organization. Also known as performance measures or metrics.
performance measures: See performance measurements.
external monitoring domain: The component of the maintenance model that focuses on evaluating external threats to the organization’s information assets.
internal monitoring domain: The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.
difference analysis: A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services).
planning and risk assessment domain: The component of the maintenance model that focuses on identifying and planning ongoing information security activities and identifying and managing risks introduced through IT information security projects.
vulnerability assessment and remediation domain: The component of the maintenance model focused on identifying specific, documented vulnerabilities and remediating them in a timely fashion.
vulnerability assessment (VA): The process of identifying and documenting specific and provable flaws in the organization’s information asset environment.
penetration testing: A set of security tests and evaluations that simulate attacks by a hacker or other malicious external source.
Internet vulnerability assessment: An assessment approach designed to find and document vulnerabilities that may be present in the organization’s public-facing networks.
intranet vulnerability assessment: An assessment approach designed to find and document selected vulnerabilities that are present on the organization’s internal networks.
platform security validation (PSV): An assessment approach designed to find and document vulnerabilities if misconfigured systems are used within the organization.
wireless vulnerability assessment: An assessment approach designed to find and document vulnerabilities in the organization’s wireless local area networks.
war driving: The use of mobile scanning techniques to identify open wireless access points.
remediation: The processes of removing or repairing flaws in information assets that cause a vulnerability or reducing or removing the risk associated with the vulnerability.
physical security: The protection of physical items, objects, or areas from unauthorized access and misuse.
facilities management: The aspect of organizational management focused on the development and maintenance of buildings and physical infrastructure.
secure facility: A physical location with access barriers and controls in place to minimize the risk of attacks from physical threats.
tailgating: The process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point.
mantrap: A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.
[return to top]
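The difference analysis term above (part of the internal monitoring domain) describes comparing a segment's current hosts and services against a saved baseline; the following is an added example, not code from the textbook, that performs that comparison and reports what appeared or disappeared. The "host proto/port service" inventory line format and the sample data are constructed assumptions for this example.

```python
"""Difference analysis: an added example, not from the textbook.  It compares
the current state of a network segment (hosts and their listening services)
against a saved baseline and reports new or missing hosts and services.
The inventory line format and the sample data are constructed here."""


def parse_inventory(text: str) -> dict:
    """Parse 'host proto/port [service]' lines into {host: {(proto, port, service)}}.

    A host listed with no service is a live host with nothing listening;
    '#' comments and blank lines are ignored.
    """
    inventory: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        services = inventory.setdefault(fields[0], set())
        if len(fields) > 1:
            proto, port = fields[1].split("/", 1)
            name = fields[2] if len(fields) > 2 else "unknown"
            services.add((proto.lower(), int(port), name))
    return inventory


def difference_analysis(baseline: dict, current: dict) -> dict:
    """Return what changed between the baseline and the current state.

    new_hosts / removed_hosts list host addresses; new_services and
    removed_services map each surviving host to the service tuples that
    appeared or vanished.  An unchanged segment yields empty lists and dicts.
    """
    base_hosts, cur_hosts = set(baseline), set(current)
    findings = {
        "new_hosts": sorted(cur_hosts - base_hosts),
        "removed_hosts": sorted(base_hosts - cur_hosts),
        "new_services": {},
        "removed_services": {},
    }
    for host in sorted(base_hosts & cur_hosts):
        appeared = current[host] - baseline[host]
        vanished = baseline[host] - current[host]
        if appeared:
            findings["new_services"][host] = sorted(appeared)
        if vanished:
            findings["removed_services"][host] = sorted(vanished)
    return findings


def report_lines(findings: dict) -> list:
    """Render findings as review lines; an empty list means nothing changed."""
    lines = []
    for host in findings["new_hosts"]:
        lines.append(f"NEW HOST      {host}")
    for host in findings["removed_hosts"]:
        lines.append(f"MISSING HOST  {host}")
    for host, svcs in findings["new_services"].items():
        for proto, port, name in svcs:
            lines.append(f"NEW SERVICE   {host} {proto}/{port} ({name})")
    for host, svcs in findings["removed_services"].items():
        for proto, port, name in svcs:
            lines.append(f"GONE SERVICE  {host} {proto}/{port} ({name})")
    return lines


# Constructed baseline and later scan of a fictional segment (not real data).
BASELINE = """
# baseline captured after the last approved change
10.0.5.10 tcp/22   ssh
10.0.5.10 tcp/443  https
10.0.5.20 tcp/3306 mysql
10.0.5.30                     # management workstation, nothing listening
"""

CURRENT_SCAN = """
10.0.5.10 tcp/22   ssh
10.0.5.10 tcp/443  https
10.0.5.10 tcp/8080 http-alt   # listener not in the baseline
10.0.5.20 tcp/3306 mysql
10.0.5.40 tcp/445  smb        # host not in the baseline
"""


def run_sample() -> dict:
    """Run the analysis on the constructed data above."""
    return difference_analysis(parse_inventory(BASELINE), parse_inventory(CURRENT_SCAN))


if __name__ == "__main__":
    print("\n".join(report_lines(run_sample())) or "no differences")
```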
What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 12 in the 6th edition.
• Digital forensics was moved to Module 5 to be integrated with the coverage of incident response.
• The content on physical security that was formerly in Chapter 9 of the 6th edition was reorganized and compressed and moved to this module.
• Additional content was added on security performance measures and benchmarking.
[return to top]
Module Outline
Introduction To Information Security Maintenance (12.1, PPT Slides 3–17)
I. Review how the successful implementation and testing of a new and improved security profile may provide a false sense of security for an organization as it feels more confident about the protection level it receives. The organization should always be on guard.
II. Outline that once changes have been implemented and mandated by an upgraded security program, a lot of time has likely passed. Hence, the environment and security needs may have already changed and need additional refinement.
III. Review factors that may influence or trigger changes that have to be made in an information security environment:
• Acquisitions of new assets and the divestiture of old assets
• Emergence of vulnerabilities associated with new or existing assets
• Shifting business priorities
• The formation of new partnerships and potential dissolution of old partnerships
• The departure of personnel who were trained, educated, and aware of the policies, procedures, and technologies within the business
• The hiring of personnel
IV. Emphasize that if a strong structure of procedures and systems is in place, one that can be adjusted to ever-changing environmental conditions, the security protocols in place are likely to remain sufficient.
Security Management Maintenance Models (12.1, PPT Slides 3–17)
I. Establish an understanding that an organization must adopt a management maintenance model for its information security systems.
II. State that continuous improvement is essential to keeping the model up to date so that it protects the information within it.
III. Recall that, generally, management models are frameworks that structure the tasks of managing a particular set of activities or business functions.
NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
I. Review the purpose of the NIST SP 800-100 handbook. Note that this document is a guide to information security governance and provides managerial guidance for the establishment and implementation of an information security program.
II. Recognize that this handbook addresses the ongoing tasks expected of an information security manager once the program is working and day-to-day operations are established.
III. Identify the 13 core areas of information security that are presented in the handbook:
• Information Security Governance
• Systems Development Life Cycle
• Awareness and Training
• Capital Planning and Investment Control
• Interconnecting Systems
• Performance Management
• Security Planning
• Information Technology Contingency Planning
• Risk Management
• Certification, Accreditation, and Security Assessments
• Security Systems and Products Acquisition
• Incident Response
• Configuration and Change Management
1. Information Security Governance
I. Comprehend that an effective information security governance program requires continuous review so that it remains relevant and accurate.
II. Reference Table 12-1, as this illustration provides a broad overview of key ongoing activities that can assist in monitoring and improving an agency’s information governance activities. Agencies should monitor the status of their programs to ensure that:
• Ongoing information security activities provide the appropriate support to the goals aligned with the agency mission.
• Policies and procedures are current and aligned with evolving technologies, if appropriate.
• Controls are accomplishing their intended purpose.
• Performance improvements are communicated so that security program managers can help identify areas which need improvement.
2. Systems Development Life Cycle
I. Analyze and distinguish the importance of information security activities as a critical component of the systems development life cycle (SDLC).
II. Outline the six common core components of the SDLC and the ongoing information security activities within them.
III. Reference Table 12-2 and gain an understanding that a preliminary risk assessment must be done early in the life cycle so that opportunities for security implementation can be addressed properly.
IV. Define the purpose of configuration and change management (CCM) and note that the system’s constant evolution must be monitored and kept up to date.
3. Awareness and Training
I. Discuss awareness and training as the backbone of an information security program, ensuring that all users are both aware of and trained to a minimum level of information security.
II. Establish key performance indicators or other metrics to identify gaps or problems within an information security system.
4. Capital Planning and Investment Control
I. Identify the concept of capital planning and investment control and its relation to an information security system.
II. Establish key performance indicators or other metrics to identify gaps or problems within an information security system.
III. Recall that a formal enterprise capital planning and investment control process for the investment life cycle results in a seven-step process for prioritizing security investments:
• Identify the baseline.
• Identify prioritization requirements.
• Conduct enterprise-level prioritization.
• Conduct system-level prioritization.
• Develop supporting materials.
• Implement an investment review board (IRB) and portfolio management.
• Submit any required budget approval paperwork.
5. Interconnecting Systems
I. Define system interconnections and why an organization chooses to interconnect information systems.
II. Interpret the risks associated with interconnecting information systems within an organization.
III. Review the NIST SP 800-47 four-phase life cycle management approach: planning, establishing, maintaining, and disconnecting interconnections.
IV. Analyze Table 12-3 for a checklist that an organization should apply when considering interconnecting multiple systems, and identify issues that may need to be resolved should something occur.
6. Performance Management
I. Define the purpose of InfoSec performance management and the data that it produces.
II. Explain the purpose of performance measurements (or measures) and why they need to be monitored in order to make managerial decisions, hold personnel accountable, and improve the effectiveness of the InfoSec function.
III. Review the three types of measurements that organizations commonly apply to performance measurement:
• Effectiveness of the execution of InfoSec policies
• Efficiency of the delivery of InfoSec services
• Impacts of an incident or other security event on the organization or its mission
IV. Classify the four factors that are critical to an InfoSec performance program as outlined in SP 800-55, Rev. 1.
V. Outline the two major activities recommended by NIST with respect to InfoSec measurement development processes: identification and definition, and measure development and selection. Additionally, examine the seven phases that these two activities comprise.
VI. Explain how the 60 percent rule can be used by security personnel when exploring the issues of system and network performance.
7. Security Planning
I. Relate that planning is one of the most critical ongoing responsibilities in security management.
II. Emphasize the importance of strategic, tactical, and operational plans, which must be developed in alignment with and in support of organizational and IT plans, goals, and objectives for a cohesive strategy.
8. Information Technology Contingency Planning
I. Outline what needs to be included in an information technology contingency plan. Items of note include a process for recovery and documentation of procedures for conducting recovery.
II. Stress that contingency plans must always be in a ready state and be usable immediately should an emergency occur.
9. Risk Management
I. Critique the reality that risk management is a cyclical activity that is fundamental to the information security program and requires continuous improvement.
II. Examine that the principal goal is to protect the organization while its ability to perform its mission remains untouched.
III. Recognize that risk management carries through the entire SDLC, and no step is excluded from it.
10. Certification, Accreditation, and Security Assessments
I. Comprehend that security certification and accreditation processes are strictly designed to ensure that an information system operates with the appropriate management review, ongoing security controls, and the awareness that reaccreditation periodically occurs.
II. Review the components of an effective monitoring program:
• Configuration management and configuration control processes for the information system
• Security impact analyses of changes to the information system
• Assessment of selected security controls in the information system and reporting of the system’s security status to appropriate organization officials
III. Summarize the program questions within Table 12-5 with regard to what is commonly included in an information security assessment survey.
11. Security Services and Product Acquisition
I. Define the purpose of a cost-benefit analysis when acquiring products or services for information security purposes.
II. Decide what the tolerance level is, based on the analysis, with respect to the life cycle cost estimate for the status quo and one for each alternative selected as part of the process.
III. Review Table 12-6, which illustrates the six phases of the information security services life cycle, as they are slightly different from a traditional SDLC.
12. Incident Response
I. Stress the importance of accurate reporting, information gathering, and resolution as to when and why an attack occurs.
II. Conclude that a well-defined incident response capability helps the organization detect incidents rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations in a short period of time.
III. Emphasize the importance of help-desk technicians or other IT personnel and the differences between a security problem and other systems problems that may occur in an organization.
13. Configuration and Change Management
I. Define the purpose of configuration and change management as managing the effects that changes have on an information system and/or network.
II. Express an understanding that configuration management varies widely from one organization to another.
III. Discuss why changes to information systems must be continuously monitored and managed to protect the health of an information security system.
IV. Review the following terms as they apply to change management processes:
• Configuration item
• Configuration
• Version
• Built list
• Major release
• Revision date
• Software library
• Minor release
V. Explain the change management (CM) process and the steps required to ensure that all changes are properly requested, evaluated, and authorized. Review the five steps that make up this process:
• Step 1: Identify change
• Step 2: Evaluate change request
• Step 3: Implementation decision
• Step 4: Implement approved change request
• Step 5: Continuous monitoring
Quick Quiz 1
1. An effective information security governance program requires a(n) ________ review.
a. periodic
b. constant
c. consistent
d. annual
Answer: b
2. Which of the following is defined as the direct connection of two or more information systems for sharing data and other information resources?
a. system interconnection
b. process interconnection
c. resource interconnection
d. data interconnection
Answer: a
3. Which of the following types of planning consists of a process for recovery and documentation of procedures for conducting recovery?
a. security
b. contingency
c. risk management
d. performance
Answer: b
4. Which of the following terms best describes the process of repairing known vulnerabilities?
a. monitoring
b. testing
c. patching
d. updating
Answer: c
5. True or False: With respect to changes that often occur in information security systems, persons maintaining the system often need to do major and minor release updates to ensure that the system is continuously up to date.
Answer: True
6. True or False: Among other factors, one of the things that is NOT likely to change with respect to an organization's information security environment is the dissolution of old partnerships. They are present indefinitely.
Answer: False
The Security Maintenance Model (12.2–12.6, PPT Slides 20–36 and 39–40)
I. Comprehend that the recommended security maintenance model is built on the following subject areas (or domains): external monitoring, internal monitoring, planning and risk assessment, vulnerability assessment and remediation, and readiness and review.
II. Relate the fact that maintenance models focus on an organization’s efforts to maintain the systems it has.
Monitoring the External Environment
I. Understand that the objective of the external monitoring domain in the maintenance model is to provide early awareness of the new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs to know about in order to mount an effective and timely defense.
II. Gain awareness that external monitoring entails collecting intelligence from data sources and then giving that intelligence context and meaning for use by decision makers within the organization.
Data Sources
I. Categorize the purpose and types of data sources relevant to monitoring the external environment. Highlighted sources include:
• Vendors
• CERT organizations
• Public network sources
• Membership sites
II. Review Table 12-8, as it provides several different external intelligence sources that can aid in collecting data on external threats. Stress that this is not an all-inclusive list.
III. Stress the importance of the CISO and their role in creating an effective external monitoring program. Tasks that this individual and their team may need to carry out include:
• Staff the function with people who understand the technical aspects of information security, have a comprehensive understanding of the IT infrastructure, and have a thorough grounding in the organization’s business operations.
• Provide up-to-date, documented, and repeatable procedures.
• Train primary and backup staff assigned to perform the monitoring tasks.
• Equip assigned staff with proper access and tools to perform the monitoring function both on-site and off-site when applicable.
• Cultivate expertise among the monitoring analysts so that they can cull meaningful summaries and actionable alerts from the vast flow of raw intelligence.
• Develop suitable communications methods for moving processed intelligence to designated internal decision makers in all three communities of interest.
• Integrate the incident response plan with the results of the external monitoring process for appropriate, timely responses.
Monitoring, Escalation, and Incident Response
I. Compose a monitoring, escalation, and incident response process with the information provided in the text. Understand that the basic function of the external monitoring process is to monitor activity, report results, and escalate warnings.
II. Compare the three primary deliverables that a monitoring process delivers to end users and the information security team:
a. Specific warning bulletins issued when developing threats and specific attacks pose a measurable risk to the organization.
b. Periodic summaries of external information.
c. Detailed intelligence on the highest-risk warnings.

Data Collection and Management
I. Compile executive summaries and data to present to executive leadership so they are abreast of the external environmental forces acting on the organization’s systems and of the action plans that can be taken in time to maintain the integrity of the system.
Monitoring the Internal Environment
I. Define the purpose of the internal monitoring domain, which is an informed awareness of the state of the organization’s networks, information systems, and information security defenses.
II. Review the core components of internal monitoring:
• Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
• Leading the IT governance process within the organization to integrate the inevitable changes found in all network, IT, and information security programs
• Monitoring IT activity in real time using an IDPS to detect and initiate responses to specific actions or trends of events that introduce risk to the organization’s assets
• Monitoring the internal state of the organization’s networks and systems
Network Characterization and Inventory
I. Recall the network characterization and inventory process. Regardless of an organization’s size, it must have a fully populated inventory of all network devices, communication channels, and computing devices (built through the process known as characterization). Once the characteristics have been identified, they must be carefully organized and stored using a manual or automated mechanism that allows timely retrieval and rapid integration of disparate facts.
Making IDPSs Work
I. Demonstrate that for internal monitoring to be successful, information coming from an IDPS must be integrated into the maintenance process. Additionally, review the purposes of the IDPS, which include raw intelligence on anomalies that occur in an information system and traffic analysis that can show spikes that could be the result of an attempted attack on the system.
Detecting Differences
I. Explain the concept of difference analysis and apply it to the contents of Table 12-9 with respect to the different types of difference analyses.
II. Conclude that the value of an analysis depends on the quality of the baseline and on the degree to which notification of discovered differences induces action.
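An added example of difference analysis over a characterized inventory (this is not code from the textbook or the instructor manual): it compares a constructed baseline of hosts and listening services with a constructed later observation, reports what appeared, disappeared or changed, and orders the findings so that the ones most likely to need action are read first. The host addresses, ports and service names are sample data.

```python
"""Difference analysis over a characterized network inventory.

Added example; it is not code from the textbook or the instructor manual.
The baseline and the current observation are constructed sample data in the
shape the network characterization and inventory process would store:
host -> {listening port: service}. Real input would come from the inventory
store and from an IDPS or scanner export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Inventory = Dict[str, Dict[int, str]]

# Constructed baseline, as characterized and stored earlier
BASELINE: Inventory = {
    "10.0.0.10": {22: "ssh", 443: "https"},
    "10.0.0.20": {3306: "mysql"},
    "10.0.0.30": {22: "ssh"},
}

# Constructed current observation from a later pass over the same network
OBSERVED: Inventory = {
    "10.0.0.10": {22: "ssh", 443: "https", 8080: "http-alt"},  # new listener
    "10.0.0.20": {3306: "mariadb"},                            # service changed
    "10.0.0.40": {22: "ssh", 23: "telnet"},                    # host not in baseline
    # 10.0.0.30 no longer answers
}


@dataclass(frozen=True)
class Difference:
    kind: str                 # new_host, missing_host, new_service, removed_service, changed_service
    host: str
    port: Optional[int] = None
    detail: str = ""


def difference_analysis(baseline: Inventory, observed: Inventory) -> List[Difference]:
    """Return every way `observed` departs from `baseline`.

    An empty result means the network matches the baseline; it does not mean
    the network is healthy, because anything already in the baseline (for
    example a rogue host characterized by mistake) is invisible to the
    comparison. The baseline's quality bounds the analysis.
    """
    diffs: List[Difference] = []
    for host in sorted(set(observed) - set(baseline)):
        listeners = ", ".join(f"{p}/{s}" for p, s in sorted(observed[host].items()))
        diffs.append(Difference("new_host", host, detail=listeners))
    for host in sorted(set(baseline) - set(observed)):
        diffs.append(Difference("missing_host", host))
    for host in sorted(set(baseline) & set(observed)):
        before, after = baseline[host], observed[host]
        for port in sorted(set(after) - set(before)):
            diffs.append(Difference("new_service", host, port, after[port]))
        for port in sorted(set(before) - set(after)):
            diffs.append(Difference("removed_service", host, port, before[port]))
        for port in sorted(set(before) & set(after)):
            if before[port] != after[port]:
                diffs.append(Difference("changed_service", host, port,
                                        f"{before[port]} -> {after[port]}"))
    return diffs


# Notification only has value if it induces action, so order the findings by
# how likely each kind is to need a response: something new on the network
# comes before something that merely disappeared.
PRIORITY = {"new_host": 0, "new_service": 1, "changed_service": 2,
            "missing_host": 3, "removed_service": 4}


def prioritized(diffs: List[Difference]) -> List[Difference]:
    return sorted(diffs, key=lambda d: (PRIORITY[d.kind], d.host, d.port or 0))


def render(diffs: List[Difference]) -> List[str]:
    """One report line per difference, highest priority first."""
    lines = []
    for d in prioritized(diffs):
        port = "" if d.port is None else str(d.port)
        lines.append(f"{d.kind:<16}{d.host:<12}{port:>6}  {d.detail}".rstrip())
    return lines


if __name__ == "__main__":
    for line in render(difference_analysis(BASELINE, OBSERVED)):
        print(line)
```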
Planning and Risk Assessment
I. Name the primary objective of the planning and risk assessment domain. The objective is to keep an eye on the entire information security program, in part by identifying and planning ongoing information security activities to reduce risk over time.
II. Review the following objectives of this domain:
• Establish a formal review process for the information security program that complements and supports both IT planning and strategic planning.
• Institute formal project identification, selection, planning, and management processes for follow-up activities that augment the current information security program.
• Coordinate with IT project teams to introduce risk assessment and review for all IT projects so that risks introduced by the launches of new IT projects are identified, documented, and factored into decisions about the projects.
• Integrate a mindset of risk assessment throughout the organization that encourages other departments to perform risk assessment activities when any technology system is implemented or modified.
III. Examine that the risk assessment group also identifies and documents risks introduced by both IT projects and information security projects. The group also identifies and documents risks that may be latent in the present environment.
Information Security Program Planning and Review
I. Outline the following issues that often come up with respect to information security program planning and review:
• An organization should periodically review its ongoing information security program and any planning for enhancements and extensions.
• The strategic planning process should examine the future IT needs of the organization and the impact those needs will have on information security.
• A recommended approach is to take advantage of the fact that most larger organizations have annual capital budget planning cycles.
• Projects that organizations might fund to maintain, extend, or enhance the information security program will arise in almost every planning cycle. Larger information security projects should be broken into smaller, incremental projects.
II. Examine the reasons why larger information security projects should be broken down into smaller or more incremental projects. They include the following:
• Smaller projects tend to have more manageable impacts on the networks and users.
• Larger projects tend to complicate the change control process in the implementation phase.
• Shorter planning, development, and implementation schedules reduce uncertainty for IT planners and financial sponsors.
• Most large projects can easily be broken into smaller projects, providing more opportunities to change direction and gain flexibility as events occur and circumstances change.
Security Risk Assessments
I. Identify the purpose of risk assessments and why they are the core component that drives change in the information security programs executed.
II. Outline, compare, and contrast the different types of risk assessment (RA) documents mentioned in the text:
• Network connectivity RA
• Business partner RA
• Application RA
• Vulnerability RA
• Privacy RA
• Acquisition or divestiture RA
III. Review the structure and components provided in Table 12-10 that are commonly included in a risk assessment document.
Vulnerability Assessment and Remediation
I. Analyze and define the primary goal of the vulnerability assessment and remediation domain.
II. Review the following tasks that are used to accomplish the goals of this domain:
• Using documented vulnerability assessment procedures to safely collect intelligence about internal and public networks; platforms, including servers, desktops, and process control; and wireless network systems
• Documenting background information and providing tested remediation procedures for reported vulnerabilities
• Tracking vulnerabilities from the time they are identified until they are remediated or the risk of loss has been accepted by an authorized member of management
• Communicating vulnerability information, including an estimate of the risk and detailed remediation plans, to the owners of vulnerable systems
• Reporting on the status of vulnerabilities that have been identified
• Ensuring that the proper level of management is involved in deciding to accept the risk of loss associated with unrepaired vulnerabilities
III. Outline the four common vulnerability assessment (VA) processes as depicted in Figure 12-8.
Penetration Testing
I. Recognize that a penetration test, or pen test, is performed as part of a full-scale security audit.
II. Highlight that vulnerability testing is usually performed inside the organization’s security perimeter with complete knowledge of the network’s configuration and operations; pen testing can be conducted in one of two ways: black box pen testing and white box pen testing.
III. Point out that in black box pen testing, or blind testing, the “attacker” has no prior knowledge of the systems or network configurations and thus must investigate the organization’s information infrastructure from scratch. In white box testing, also known as full-disclosure testing, the organization provides information about the systems to be examined, allowing for a faster, more focused test.
IV. Emphasize that a common methodology for pen testing is found in the Open Source Security Testing Methodology Manual (OSSTMM), a manual on security testing and analysis created by Pete Herzog and provided by ISECOM, the nonprofit Institute for Security and Open Methodologies.
Internet Vulnerability Assessment
I. Define the purpose of an Internet vulnerability assessment and outline the steps that make up the process:
• Planning, scheduling, and notification of penetration testing
• Target selection
• Test selection
• Scanning
• Analysis
• Record keeping
II. Emphasize that devices that personnel bring from the outside onto the network (known as BYOD) are in scope for a vulnerability assessment, whether for an Internet or intranet review.
III. Construct the sequence of processes that make up an Internet vulnerability assessment. They are the following:
• Planning, scheduling, and notification of the penetration testing: Large organizations often take an entire month to perform the data collection phase, using nights and weekends and avoiding change control blackout windows.
• Target selection: Working from the network characterization elements that are stored in the risk, threat, and attack database, the penetration targets are selected.
• Test selection: Using the external monitoring intelligence generated previously, the test engine is configured for the tests to be performed.
• Scanning: The penetration test engine is unleashed at the scheduled time using the planned target list and test selection. The results of the entire test run are logged in text log files for analysis.
• Analysis: A knowledgeable and experienced vulnerability analyst screens the test results for the vulnerabilities logged during scanning.
• Record keeping: The organization records the details of the documented vulnerability in the vulnerability database, identifying the logical and physical characteristics and assigning a response risk level to the vulnerability to differentiate the truly urgent from the merely critical.
IV. Conclude that skilled attackers from this direction can take advantage of any loophole or flaw; this assessment is usually performed against all public-facing addresses, using every possible penetration testing approach.
Intranet Vulnerability Assessment
I. Compare and contrast an Internet vulnerability assessment with an intranet vulnerability assessment. Explain the differences and similarities.
II. Construct the sequence of processes that make up an intranet vulnerability assessment. Although they are the same steps as in an Internet assessment, the details of each step are different:
• Planning, scheduling, and notification of the penetration testing: There will be substantially more systems to assess. Intranet administrators often prefer that penetration testing be performed during working hours.
• Target selection: At first, the penetration test scanning and analysis should focus on testing only the highest-value and most critical systems. As the configuration of these systems is improved, and fewer candidate vulnerabilities are found in the scanning step, the target list can be expanded.
• Test selection: The selection of the tests to be performed usually evolves over time to correspond with the evolution of the threat environment. Most organizations focus their intranet scanning efforts on a few critical vulnerabilities at first, and then expand the test pool to include more scripts.
• Scanning: Just as in Internet scanning, the process should be monitored so that if an invasive penetration test causes disruption, it can be reported for repair.
• Analysis: It follows the same three steps as Internet analysis: classify, validate, and document.
• Record keeping: It is identical to the process followed in an Internet vulnerability analysis.
Platform Security Validation
I. Detail the purpose of a platform security validation (PSV) assessment and what is used to validate the compliance of platform configurations. Gain awareness that misconfigured systems, those that fail to comply with company policy or with the standards adopted by the IT governance groups and communicated through the information security awareness program, are flagged in this process.
II. Discuss the approach to achieving PSV:
• Product selection
• Policy configuration
• Deployment
• Measurement
• Exclusion handling
• Reporting
• Remediation
Wireless Vulnerability Assessment
I. Explain that the purpose of a wireless vulnerability assessment is to find and document vulnerabilities in the organization’s wireless networks.
II. Gain an understanding that attackers from this direction are likely to take advantage of any loophole or flaw; this assessment is usually performed against all publicly accessible areas, using every possible wireless penetration testing approach (including war testing).
III. Arrange the steps in this process in the following order:
• Planning, scheduling, and notification of wireless penetration testing
• Target selection
• Test selection
• Scanning
• Analysis
Documenting Vulnerabilities
I. Classify the details that data stored in a vulnerability database should contain to be effective when an issue occurs:
• A unique vulnerability ID number for reporting and tracking remediation actions
• Linkage to the risk, threat, and attack database based on the physical information asset underlying the vulnerability; the IP address is a good choice for this linkage
• Vulnerability details, which are usually based on the test script used during the scanning step of the process; if the Nessus scanner is used, each test script has an assigned code (NASL, or Nessus attack scripting language) that can identify the vulnerability effectively
• Dates and times of notification and remediation activities
• The current status of the vulnerability, such as found, reported, or repaired
• Comments, which give analysts the chance to provide system administrators with detailed information for fixing the vulnerability
• Other fields as needed to manage the reporting and tracking processes in the remediation phase
II. Establish an understanding that the vulnerability database is an essential part of an effective remediation process because it helps organizations keep track of vulnerabilities as they are reported and remediated.
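An added illustration of the vulnerability database described above, not code from the manual or the textbook: a small Python store that carries the listed fields and enforces the found, reported, repaired lifecycle with a timestamp at each step. The asset addresses and the NASL-style script names are constructed placeholders, not real Nessus plugins.

```python
"""Minimal vulnerability database with the fields the outline calls for: a unique
vulnerability ID, linkage to the asset by IP address, scanner test details,
notification/remediation timestamps, status and analyst comments.
Added illustration; hosts and scanner script names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Status lifecycle from the outline: found -> reported -> repaired.
NEXT_STATUS = {"found": "reported", "reported": "repaired"}

@dataclass
class VulnRecord:
    vuln_id: str        # unique ID used for reporting and tracking remediation
    asset_ip: str       # linkage key into the risk/threat/attack database
    test_script: str    # scanner test that found it (NASL-style name; constructed)
    title: str
    found_at: datetime
    status: str = "found"
    reported_at: Optional[datetime] = None
    repaired_at: Optional[datetime] = None
    comments: list = field(default_factory=list)  # analyst guidance for the sysadmin

class VulnDatabase:
    def __init__(self):
        self._records = {}
        self._next = 1

    def record(self, asset_ip, test_script, title, found_at):
        """Create a record with a fresh, never reused ID (VULN-0001, ...)."""
        vid = f"VULN-{self._next:04d}"
        self._next += 1
        rec = VulnRecord(vid, asset_ip, test_script, title, found_at)
        self._records[vid] = rec
        return rec

    def advance(self, vuln_id, when, comment=None):
        """Move a record to the next lifecycle state and stamp the date/time;
        only the next state is reachable, so the notification trail stays complete."""
        rec = self._records[vuln_id]
        if rec.status not in NEXT_STATUS:
            raise ValueError(f"{vuln_id} is already {rec.status}")
        rec.status = NEXT_STATUS[rec.status]
        if rec.status == "reported":
            rec.reported_at = when
        else:
            rec.repaired_at = when
        if comment:
            rec.comments.append(comment)
        return rec

    def open_for_asset(self, asset_ip):
        """Unrepaired findings for one asset: the view its owner works from."""
        return [r for r in self._records.values()
                if r.asset_ip == asset_ip and r.status != "repaired"]

    def time_to_remediate(self, vuln_id):
        """Elapsed time from discovery to repair, or None while still open."""
        rec = self._records[vuln_id]
        if rec.repaired_at is None:
            return None
        return rec.repaired_at - rec.found_at

def build_sample_db():
    """Constructed scan results; the script names only imitate NASL naming."""
    db = VulnDatabase()
    t0 = datetime(2022, 3, 1, 9, 0)
    a = db.record("192.0.2.10", "example_outdated_tls.nasl", "Outdated TLS library", t0)
    b = db.record("192.0.2.10", "example_default_creds.nasl", "Default credentials", t0)
    c = db.record("192.0.2.20", "example_open_snmp.nasl", "SNMP community readable", t0)
    db.advance(a.vuln_id, t0 + timedelta(days=1), "Ticket opened with web team")
    db.advance(a.vuln_id, t0 + timedelta(days=5), "Library upgraded; rescan clean")
    db.advance(b.vuln_id, t0 + timedelta(days=1))
    return db, a, b, c
```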
Remediating Vulnerabilities
I. Define the purpose and goal of remediation.
II. Assemble a strategic plan when approaching the remediation process. It is important to recognize that building relationships with those who control the information assets is the key to success. Success depends on the organization adopting a team approach to remediation in place of push and pull between departments.
Readiness and Review
I. Establish that the primary goal of readiness and review is to keep information security programs functioning as they are designed and continuously over time.
II. Examine the three tasks that can accomplish the goal of keeping a domain ready and reviewed. They are policy reviews, program reviews, and rehearsals.
Policy Review and Planning Review
I. Explain how policy review is the primary initiator of the readiness and review domain. Note that policy needs to be reviewed periodically. Apply the use of Figure 12-9 to aid the discussion.
II. Stress the understanding that as a policy shifts, an independent and thorough review of the entire information security program is needed.
III. Discuss how major planning elements should be rehearsed whenever possible. Rehearsal adds value by exercising procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is needed. In addition, rehearsals make people more effective when an actual event occurs. Rehearsals that closely match reality are called war games.
Quick Quiz 2
1. Which of the following is the component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization?
a. external monitoring domain
b. planning and risk assessment domain
c. internal domain
d. planning domain
Answer: c
2. Which of the following is designed to find and document vulnerabilities that may be present in the organization’s public network?
a. difference analysis
b. Internet vulnerability assessment
c. external monitoring
d. digital assessment
Answer: b
3. The primary objective of the ________ domain is to keep a lookout over the entire information security program.
a. internal
b. external
c. planning and risk assessment
d. digital assessment
Answer: c
4. The primary goal of the ________ domain is to identify specific, documented vulnerabilities and their timely remediation.
a. vulnerability assessment and remediation
b. external
c. planning and risk assessment
d. digital assessment
Answer: a
5. True or False: Penetration testing is a set of security tests and evaluations that simulate attacks by a hacker or other malicious external source.
Answer: True
Physical Security (12.7, PPT Slides 41–57 and 60–63)
I. Assess the need to treat the physical security of information systems as being as important as logical or computer security processes.
II. Review the list of the seven most common sources of physical loss as denoted in the book written by Donn B. Parker and outlined in the text:
• Extreme temperatures
• Gases
• Liquids
• Living organisms
• Projectiles
• Movement
• Energy anomalies
III. Justify that implementing physical security measures requires sound organizational policies that are in place and up to date.
Physical Access Controls
I. Define the concept of facility management and its role in maintaining a secure facility where information is stored, housed, and transmitted.
II. Summarize the purpose of a secure facility and why there must be multiple layers of defense in place should an attack occur—physically or otherwise.
Physical Security Controls
I. Compose a list of common major controls that a facility may have to protect itself from external forces. These include but are not limited to the following:
• Walls, fencing, and gates
• Guards and dogs
• ID cards and badges
• Locks and keys
• Electronic monitoring
• Alarms and alarm systems
• Computer rooms and wiring closets
• Interior walls and doors
Walls, Fencing, and Gates
I. Measure the level of access to determine if external perimeter controls, walls, and fences with suitable gates are an essential starting point when employees require access to physical locations the organization owns or controls.
II. Judge the level of security by being aware that expert planning is required for this type of physical barrier to be effective.
Guards and Dogs
I. Relate to the fact that guards can evaluate each situation as it arises and make reasoned responses.
II. Select the use of dogs when a facility needs to sense and smell intrusions that humans might not otherwise detect, and to detect intrusions should they occur.
ID Cards and Badges
I. Compare an identification (ID) card with a badge and explain the differences between them.
II. Discuss the concept of tailgating and why it is a common source of access issues in a secure facility.
III. Explain the use of mantraps, and when they are effective and when they are not.
Locks and Keys
I. Compare and contrast the use of mechanical and electromechanical lock mechanisms. Briefly summarize the different types of keys and locks that are often used in a facility.
II. Examine the backup protocols that must be in place when controlled access devices fail.
Computer Rooms and Wiring Closets
I. Obtain an understanding that janitors or custodians are often the least scrutinized people in a facility, yet they have access to nearly every part of a facility—including computer rooms and wiring closets.
II. Establish an understanding of the consequences that can occur should a person obtain access to computing equipment that is critical to information security management.
Fire Safety and Security
I. Recognize that fires account for more property damage, personal injury, and death than any other threat to physical security. Physical security plans must implement strong measures to detect and respond to fires and fire hazards.
II. Note that the most combustible item in an office setting is paper.
III. Maintain awareness that before a fire can be suppressed, it must be detected.
Failure of Supporting Utilities and Structural Collapse
I. Demonstrate an understanding that supporting utilities, such as heating, ventilation, air conditioning, power, and water, have a significant impact on a facility’s safe operation.
II. Assess the need that utilities must be responsibly managed to prevent damage to information and information systems within an organization. Backup systems should be in place in areas where fluctuations are likely to occur.
Heating, Ventilation, and Air Conditioning
I. Interpret the fact that, although traditionally a responsibility of facilities management, the operation of the heating, ventilation, and air conditioning (HVAC) system can have a dramatic impact on information, information systems, and their protection.
II. Justify things such as the impact that temperature and filtration, humidity, and static electricity can have on information systems and the security systems in place.
Temperature and Filtration
I. Outline the core temperatures in which computing equipment can operate efficiently.
• Temperatures below 32 degrees Fahrenheit or above 100 degrees can cause hardware and media failures and potentially destroy the equipment.
• Optimal temperatures for a facility without protective clothing are 70 to 74 degrees Fahrenheit.
Humidity and Static Electricity
I. Recognize that high humidity levels often create condensation problems, and a lack of humidity can increase the risk of static electricity.
II. Justify the fact that electrostatic discharges (ESDs) are a leading cause of failure for sensitive circuitry. Static electricity can exceed 12,000 volts when someone walks across a carpet.
III. Examine the two common types of failure that damaged chips exhibit:
• Immediate or catastrophic failures: occur right away and require chip replacement
• Latent failures: delayed failures that can occur weeks or months after the damage occurs
Ventilation Shafts
I. Recall the fact that some ductwork in commercial buildings may pose a security threat, as a person can climb through it to reach a destination unnoticed.
II. Recommend the use of wire mesh grids to act as a barrier at various points to compartmentalize ventilation shaft runs.
Power Management and Conditioning
I. Emphasize the need that power supplies must be properly grounded when used to maintain an organization’s physical environment.
II. Recommend that in areas where water accumulation is possible, computing and other electrical equipment must be uniquely grounded using ground fault circuit interruption (GFCI) equipment.
III. Organizations should identify computing systems that are critical to the operation of the facility so that they can be connected to an uninterruptible power supply (UPS).
• UPS capacity can range upward of 10,000 VA.
• The goal of a UPS is to keep critical systems online long enough for them to be shut down safely.
IV. Recommend that backup systems be tested frequently and that documentation of the facility’s configuration, operation, and function be integrated into disaster recovery plans and standard operating procedures.
Interception of Data
I. Review the three types of data interception: direct observation, interception of data transmissions, and electromagnetic interception.
• Direct observation requires that a person be close enough to the information to breach confidentiality.
• Interception of data transmissions can occur from anywhere, as the interceptor is not restricted to a particular location, with the exception of tapping into a LAN, eavesdropping on a secure network, or wiretapping.
• Electromagnetic interception is another type of interception, although it is unlikely to occur; though possible, it is difficult, impractical, and expensive to carry out.
Securing Mobile and Portable Systems
I. Justify the cause-and-effect relationship that mobile devices and portable systems have with an information security network. Due to their portability, they must have stronger levels of security than stationary counterparts such as desktops.
II. Review different software and hardware techniques that can be used to protect devices that move in and out of an office.
III. Emphasize the fact that laptops must always remain secure. Apply suggestions provided in the text to reduce the risk that a mobile computing device is stolen or damaged.
Remote Computing Security
I. Comprehend the fact that remote site computing involves a wide variety of computing sites outside the organization’s main facility and includes all forms of telework.
II. Define the concept of telework and how it impacts an organization’s information security plan and protocols.
III. Obtain an understanding that mobile devices and off-site media must be made more secure than the organization's systems due to the risk of them being stolen or damaged.
IV. Decide what an organization needs to do to accommodate personnel off-site so that they have the strongest protections possible away from the office, yet they can complete tasks in a timely manner.
Special Considerations for Physical Security
I. Review the special considerations an organization must employ to develop a comprehensive physical security program, and the advantages and disadvantages of each. They include the choice of handling physical security in-house or outsourcing it, and social engineering.
Quick Quiz 3
1. What is the optimal temperature that computing equipment can operate in?
a. no less than 40 degrees Fahrenheit
b. between 50 and 60 degrees Fahrenheit
c. between 70 and 74 degrees Fahrenheit
d. does not matter, as computing equipment can operate at any temperature
Answer: c
2. How many volts of static electricity can be discharged if someone is walking across a carpeted floor/surface?
a. in excess of 1,200 VA
b. up to 4,000 VA
c. up to 8,000 VA
d. upward of 12,000 VA
Answer: d
3. The primary power source for an organization’s computing equipment is most often the ________ utility that serves the facility.
Answer: electric
4. What is the concept called when someone gains unauthorized entry by closely following another person through a secure entrance using their credentials to bypass a control point?
a. tailgating
b. man trapping
c. sprinting
d. human chaining
Answer: a
5. True or False: It is not necessary to have an alternate procedure in place in the event a lock fails because a door or access point will open automatically without any additional assistance.
Answer: False
Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. Maintenance is an essential task that is often considered to be dull. In information security, penetration testing may be wrongly perceived as a hacker-like activity. In fact, when done correctly, ethical hacking is an important part of risk management. Clarify to your students that penetration analysts work under very restrictive rules of engagement when testing systems. You may want to brainstorm ways that penetration analysts limit the risk they pose to internal systems. (12.1, 12.2, 12.3, 12.4, PPT Slides 3–17 and 20–23) Duration 15 minutes.
2. Do risk assessments catch all risks that an information security system could face? What additional topics, not discussed here, may need to be discussed in the future as technology evolves? (12.5, PPT Slides 24–38) Duration 15 minutes.
3. Of the physical security controls that were discussed, which are likely to be used the most, and which the least? How would they affect the integrity of information security systems? (12.7, PPT Slides 41–57 and 60–63) Duration 15 minutes.
Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes
Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module.
Additional project options include:
1. See if your organization has a penetration testing team in place. Ask if the members of the team can address your class or if your class can observe their work. If a penetration testing team is not available on campus, see if any local organizations can help.
2. Have students look at popular news sources for stories related to computer vulnerabilities. Then have students research the vulnerabilities that they read about to see if there are any inconsistencies between the way the press reports them and the way researchers have documented them.
Additional Resources
Internet Resources
• Cyber Security Certifications
• ISACA’s CMMI Maturity Models
• NIST SP 800-100
• OSSTMM
• SANS Reading Room—Penetration Testing
• US-CERT Program
Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.