Principle of Information Security: Module 2 The Need for Information Security (Part 5)

A tool that security professionals can use to understand attacks is the Common Attack Pattern Enumeration and Classification (CAPEC) Web site hosted by Mitre—a nonprofit research and development organization sponsored by the U.S. government. This online repository can be searched for characteristics of a particular attack or simply browsed by professionals who want additional knowledge of how attacks occur procedurally.

The scheme shown in Table 2-5 above consists of 12 general categories of threats that represent a clear and present danger to an organization’s people, information, and systems. Each organization must prioritize the threats it faces based on the particular security situation in which it operates, its organizational strategy regarding risk, and the exposure levels of its assets. Module 4 covers these topics in more detail. You may notice that many of the attack examples in Table 2-5 could be listed in more than one category. For example, an attack performed by a hacker to steal customer data falls into the category of “theft,” but it can also be preceded by “espionage or trespass,” as the hacker illegally accesses the information. The theft may also be accompanied by Web site defacement actions to delay discovery, qualifying it for the category of “sabotage or vandalism.” As mentioned in Module 1, these are technically threat sources, but for simplicity’s sake, they are described here as threats.

Many organizations create or support the development of intellectual property (IP) as part of their business operations. (You will learn more about IP in Module 6.) IP includes trade secrets, copyrights, trademarks, and patents. IP is protected by copyright law and other laws, carries the expectation of proper attribution or credit to its source, and potentially requires the acquisition of permission for its use, as specified in those laws. For example, use of some IP may require specific payments or royalties before a song can be used in a movie or before the distribution of a photo in a publication. The unauthorized appropriation of IP constitutes a threat to information security—for example, when employees take an idea they developed at work and use it to make money for themselves. Employees may have access privileges to a variety of IP, including purchased and developed software and organizational information, as many employees typically need to use IP to conduct day-to-day business.

Organizations often purchase or lease the IP of other organizations and must abide by a purchase or licensing agreement for its fair and responsible use. The most common IP breach is software piracy. Because most software is licensed to an individual user, its use is restricted to a single installation or to a designated user in an organization. If a user copies the program to another computer without securing another license or transferring the license, the user has violated the copyright. The nearby feature describes a classic case of this type of copyright violation. While you may note that the example is from 1997, which seems a long time ago, it illustrates that the issue remains significant today.

Software licenses are strictly enforced by regulatory and private organizations, and software publishers use several control mechanisms to prevent copyright infringement. In addition to laws against software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA) at www.siia.net, formerly known as the Software Publishers Association, and the Business Software Alliance (BSA) at www.bsa.org. BSA estimates that approximately 37 percent of software installed on personal computers globally, as reported in the 2018 findings, was not properly licensed. This number is only slightly lower than the 39 percent reported in the 2016 BSA global study; however, the majority of countries in the study indicate unlicensed rates in excess of 50 percent. Furthermore, BSA estimates an increased risk of malware for systems using unlicensed software. Figure 2-1 shows the BSA’s software piracy reporting Web site.