Tuesday, July 19, 2022

Principle of Information Security: Module 2 The Need for Information Security (Part 16)

Knowledge check Activity 3

Communications interception attacks include all of the following EXCEPT.

A. Sniffers
B. Spoofing
C. Pharming
D. Ransomware
E. Man-in-the-middle

The answer is C Ransomware.

Each of the others involves using the communication network or procedures as a means of attack. Ransomware uses encryption of the victim’s data as a means to extort payment.

Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal—that is, they result in the unrecoverable loss of the equipment. Some errors are intermittent in that they only manifest themselves periodically, resulting in faults that are not easily repeated. Thus, equipment can sometimes stop working or work in unexpected ways. Murphy’s law (yes, there really was a Murphy) holds that if something can possibly go wrong, it will. In other words, it’s not a question if something will fail, but when.

Figure 2-19

The Intel Pentium CPU Failure

One of the best-known hardware failures is that of the Intel Pentium II chip (similar to the one shown in Figure 2-19), which had a defect that resulted in a calculation error under certain circumstances. Intel initially expressed little concern for the defect and stated that it would take an inordinate amount of time to identify a calculation that would interfere with the reliability of results. Yet, within days after the chip’s defect was announced, popular computing journals were publishing a simple calculation (the division of 4,195,835 by 3,145,727 within a spreadsheet) that determined whether a machine contained the defective chip and thus the floating-point operation bug. The Pentium floating-point division bug (FDIV) led to a public-relations disaster for Intel that resulted in its first-ever chip recall and a loss of more than $475 million. A few months later, disclosure of another bug, known as the Dan-0411 flag erratum, further eroded the chip manufacturer’s public image. In 1998, Intel released its Xeon chip and discovered it also had hardware errors. Intel said, “All new chips have bugs, and the process of debugging and improving performance inevitably continues even after a product is in the market.”

Mean Time Between Failure

In hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). While MTBF and MTTF are sometimes used interchangeably, MTBF presumes that the item can be repaired or returned to service, whereas MTTF presumes the item must be replaced. From a repair standpoint, MTBF = MTTF + MTTD + MTTR, where MTTD examines mean time to diagnose and MTTR calculates mean time to repair. The most commonly failing piece of computer hardware is the hard drive, which currently has an average MTBF of approximately 500,000 hours. Hard drive vendors report they are converting from MTBF for hard drives to a new measure, annualized failure rate, which is based on the manufacturer’s product and warranty data. So, instead of a 500,000 hour MTBF, you could have an AFR of 0.5 percent.

Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions. Sometimes these bugs are not errors but purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors, and they can cause serious security breaches.

Software bugs are so commonplace that entire Web sites are dedicated to documenting them. Among the most popular is Bugtraq, found at www.securityfocus.com, which provides up-to-the-minute information on the latest security vulnerabilities as well as a thorough archive of past bugs.

Common failures in software development include;

  • SQL injection
  • Web server-related vulnerabilities (Cross Site Scripting, Cross Site Request Forgery, and response splitting)
  • Web client-related vulnerability (Cross Site Scripting)
  • Use of magic U R Ls and hidden forms
  • Buffer overrun
  • Format string problems
  • Integer bugs (overflows and underflows)
  • C ++ catastrophes
  • Catching exceptions
  • Command injection
  • Failure to handle errors
  • Information leakage
  • Race conditions
  • Poor usability
  • Not updating easily
  • Executing code with too much privilege
  • Failure to protect stored data
  • Sins of mobile code
  • Use of weak password-based systems
  • Weak random numbers
  • Using cryptography incorrectly
  • Failure to protect network traffic
  • Improper use of Public Key Infrastructure (PKI), especially S S L or Secure Socket Layer.
  • Trusting network name resolution
  • Neglecting change control

Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of losing data integrity from attacks. Management’s strategic planning should always include an analysis of the technology currently in use. Ideally, proper planning by management should prevent technology from becoming obsolete, but when obsolescence is clear, management must take immediate action. IT professionals play a large role in the identification of probable obsolescence.

Recently, the software vendor Symantec retired support for a legacy version of its popular antivirus software, and organizations that wanted continued product support were obliged to upgrade immediately to a different version of antivirus software. In organizations where IT personnel had kept management informed of the coming retirement, these replacements were made more promptly and at lower cost than in organizations where the software had become obsolete.

Perhaps the most significant case of technology obsolescence in recent years is Microsoft’s Windows XP. This desktop operating system was dominant in the market for many years, beginning in 2001. The OS evolved over time to be used in multiple variations such as XP Pro and XP Home, it had feature and capability upgrades in three service packs, and it even made the transition to new processors with a 64-bit edition. It was superseded in the corporation’s lineup of desktop operating systems by Microsoft Vista in January 2007. However, it retained a large following of users and remained in widespread use for many years. Microsoft discontinued support for Windows XP in April 2014. Many industries and organizations built critical elements of their business systems and even their infrastructure control systems on top of Windows XP, or they used it as an embedded operating system inside other systems, such as automated teller machines and power generating and control systems. Similar issues seem to follow other Windows variants, as users get comfortable with a particular OS and then seem reluctant to upgrade to a newer version.

Figure 2-20

Figure 2-20 shows other examples of obsolete technology, including removable storage media in 8-inch, 5-inch, and 3.5-inch formats as well as open-reel magnetic tape.

The threat of theft is a constant. The value of information is diminished when it is copied without the owner’s knowledge. Physical theft can be controlled easily using a wide variety of measures, from locked doors to trained security personnel and the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and control. When someone steals a physical object, the loss is easily detected; if it has any importance at all, its absence is noted. When electronic information is stolen, the crime is not always readily apparent. If thieves are clever and cover their tracks carefully, the crime may remain undiscovered until it is too late.

Theft is often an overlapping category with software attacks, espionage or trespass, information extortion, and compromises to intellectual property. A hacker or other individual threat agent could access a system and commit most of these offenses by downloading a company’s information and then threatening to publish it if not paid.

The increasing use of mobile technology, including smartphones, tablet PCs, and laptops, increases the risk of data theft. More disconcerting than the loss of data is the chance that the user has allowed the mobile device to retain account credentials, allowing the thief to use legitimate access to get into business or personal accounts that belong to the victim.


Information security performs four important functions to ensure that information assets remain safe and useful: protecting the organization’s ability to function, enabling the safe operation of applications implemented on the organization’s IT systems, protecting the data an organization collects and uses, and safeguarding the organization’s technology assets.

To make sound decisions about information security, management must be informed about threats to its people, applications, data, and information systems, and the attacks they face.

Threats are any events or circumstances that have the potential to adversely affect operations and assets. An attack is an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. A vulnerability is a potential weakness in an asset or its defensive controls.

Threats or dangers facing an organization’s people, information, and systems fall into the following categories:

Compromises to intellectual property—Intellectual property, such as trade secrets, copyrights, trademarks, or patents, are intangible assets that may be attacked via software piracy or the exploitation of asset protection controls.

Deviations in quality of service—Organizations rely on services provided by others. Losses can come from interruptions to those services.

Espionage or trespass—Asset losses may result when electronic and human activities breach the confidentiality of information.

Forces of nature—A wide range of natural events can overwhelm control systems and preparations to cause losses to data and availability.

Human error or failure—Losses to assets may come from intentional or accidental actions by people inside and outside the organization.

Threats or dangers facing an organization’s people, information, and systems fall into the following categories:

Information extortion—Stolen or inactivated assets may be held hostage to extract payment of ransom.

Sabotage or vandalism—Losses may result from the deliberate sabotage of a computer system or business, or from acts of vandalism. These acts can either destroy an asset or damage the image of an organization.

Software attacks—Losses may result when attackers use software to gain unauthorized access to systems or cause disruptions in systems availability.

Technical hardware failures or errors—Technical defects in hardware systems can cause unexpected results, including unreliable service or lack of availability.

Threats or dangers facing an organization’s people, information, and systems fall into the following categories:

Technical software failures or errors—Software used by systems may have purposeful or unintentional errors that result in failures, which can lead to loss of availability or unauthorized access to information.

Technological obsolescence—Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems that may result in loss of availability or unauthorized access to information.

Theft—Theft of information can result from a wide variety of attacks.


Post a Comment