CHAPTER 2: The Need for Security
Principles of Information Security, 6th Edition
Key figures: 12 threat categories | 3.6B Internet users (2015) | 79% of organizations hit by phishing | $52.2B value of pirated software
Learning Objectives
Principles of Information Security, 6th Ed. | Chapter 2
01
Discuss the organizational need for information security and explain why it is a shared responsibility.
02
Explain why InfoSec is shared among three communities: general management, IT management, and InfoSec management.
03
List and describe common threats to information security and typical attacks associated with each.
04
List common development failures that result from poor software security practices.
Why Organizations Need Information Security
Protect Ability to Function
Ensures daily operations run without disruption — downtime equals lost revenue and eroded customer trust.
Protect Sensitive Data
Safeguards data in transit and at rest. Loss of customer data triggers legal liability and regulatory fines.
Enable Safe App Operation
Apps must run within secure parameters. One vulnerable web application can expose an entire enterprise.
Safeguard Technology Assets
Servers, workstations, and network devices are high-value targets — physical and logical controls are both required.
Three Communities of Interest
General Management
Sets organizational risk tolerance
Allocates security budgets
Ultimately accountable for InfoSec
Example: CEO approves security policy
IT Management
Implements technical controls
Manages IT infrastructure
Bridges business & security needs
Example: CTO deploys firewalls & IDS
InfoSec Management
Designs security architecture
Monitors threats & incidents
Runs security awareness training
Example: CISO conducts pen tests
"Security is the shared responsibility of EVERY employee, not just the IT department." — Charles Cresson Wood
The Threat Landscape: By the Numbers
3.6B Internet users (2015) | 79% of organizations hit by phishing | 12 threat categories
Threat 1: Compromises to Intellectual Property
Key Facts
CASE STUDY
Las Vegas Community College: the institution discovered employees using unlicensed software on college-owned computers.
Outcome: settled with the BSA (Business Software Alliance), paid back-licensing fees plus penalties, and implemented a Software Asset Management (SAM) program.
Lesson: even educational institutions are liable. Regular software audits are essential.
Threat 2: Deviations in Quality of Service
Downtime Cost vs. Availability SLA
Availability | Downtime/Year | Estimated Cost |
99.999% (5 nines) | ~5 minutes | $18,000 |
99.99% | ~52 minutes | $93,000 |
99.9% | ~8.7 hours | $930,000 |
99.5% | ~43.8 hours | $9.3 million |
Amazon.com Outage (Aug 2013): a 30-40 minute outage caused an estimated $3-4 million in lost sales. At $177,000+ per minute, high availability is a core business requirement.
Power Irregularities
Spike: instantaneous high-voltage burst
Sag: momentary low-voltage dip
Surge: prolonged over-voltage
Brownout: prolonged under-voltage
Blackout: complete power loss
Noise: electromagnetic interference
Threat 3: Espionage or Trespass
Hacker Taxonomy
Expert Hacker: develops own attack tools; understands systems at a deep level
Script Kiddie: uses tools created by others; limited technical understanding
Pen Tester: authorized professional hired to discover vulnerabilities
Cracker: maliciously breaks into systems or removes copy protection
Phreaker: exploits telephone/telecom systems to make free calls
Packet Monkey: launches DoS/DDoS attacks using downloaded tools
Kevin Mitnick: the best-known hacker of his era; broke into systems at DEC, Pacific Bell, Nokia, Motorola and others. Arrested in 1995; later became a security consultant.
Password Attacks & Defense
Attack Methods
Brute Force: tries every possible combination. Slow, but guaranteed to succeed given unlimited time and compute.
Dictionary Attack: uses wordlists of common passwords. Very fast against weak or common passwords.
Rainbow Tables: pre-computed hash-to-password lookups. Defeated by adding a per-password salt.
Social Engineering: tricks users into revealing their own credentials. Exploits human psychology.
How Long to Crack?
Password Length | Character Set | Time to Crack |
8 characters | Alpha only | 2.7 hours |
8 characters | Mixed case + numbers | 2.1 years |
10 characters | Full ASCII | 2.1 years |
14 characters | Full ASCII | 95 billion years |
(Figures assume a fixed guessing rate. Real crack times depend on the hash algorithm, whether salts are used, the attacker's hardware, and whether the password follows a predictable pattern.)
The 10.4 Rule: a password with 10+ characters drawn from all 4 character types (uppercase, lowercase, numbers, symbols) is exponentially harder to brute-force.
Example: P@ssw0rd!9 vs. password. Note that P@ssw0rd!9 is still a mangled dictionary word; rule-based crackers try such substitutions first, so length and unpredictability matter more than the character mix alone.
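The table and the 10.4 rule as an added worked example (this is not code from the textbook): the script computes the keyspace for each row of the table, the exhaustive-search time at a guess rate you supply, and a 10.4-rule check. It also shows why P@ssw0rd!9 is weaker than its character mix suggests, by undoing common "leet" substitutions and looking the base word up in a small constructed wordlist. The character-set sizes (alpha only = 26 lowercase letters, full ASCII = 95 printable characters), the leet mapping and the guess rate are assumptions, not figures from the book.

```python
"""Password keyspace, brute-force time and 10.4-rule checks.

Added illustration, not from the textbook. Guess rate and charset sizes
are assumptions; real rates depend on the hash algorithm and hardware.
"""
import string

# Character-class sizes (assumption: "alpha only" = 26 lowercase letters).
CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "full printable ASCII": 95,
}

# Constructed mini wordlist standing in for a real dictionary-attack list.
WORDLIST = {"password", "letmein", "welcome", "qwerty", "monkey"}

# Common leet substitutions that a cracker's mangling rules undo (assumed mapping).
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "l", "3": "e", "4": "a"})

# Rows of the slide's table: (length, charset name).
TABLE_ROWS = (
    (8, "lowercase"),
    (8, "mixed case + digits"),
    (10, "full printable ASCII"),
    (14, "full printable ASCII"),
)


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case brute-force time: every candidate in the keyspace is tried."""
    return keyspace(length, charset_size) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    units = (("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def character_classes(password: str) -> int:
    """Count how many of the four 10.4-rule classes appear in the password."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def meets_10_4(password: str) -> bool:
    """10.4 rule: at least 10 characters and all four character classes."""
    return len(password) >= 10 and character_classes(password) == 4


def dictionary_base(password: str) -> str:
    """Undo leet substitutions and drop non-letters, as mangling rules would."""
    normalized = password.translate(LEET).lower()
    return "".join(c for c in normalized if c.isalpha())


def is_mangled_dictionary_word(password: str, wordlist=WORDLIST) -> bool:
    """True when the password is just a dictionary word with substitutions."""
    return dictionary_base(password) in wordlist


def crack_table(guesses_per_second: float, rows=TABLE_ROWS):
    """Recompute the table rows at the given guess rate."""
    out = []
    for length, name in rows:
        size = CHARSETS[name]
        out.append((length, name, keyspace(length, size),
                    human_time(seconds_to_exhaust(length, size, guesses_per_second))))
    return out


if __name__ == "__main__":
    RATE = 1e10  # assumed: 10 billion guesses/s, a GPU rig against a fast unsalted hash
    for length, name, space, eta in crack_table(RATE):
        print(f"{length:2d} chars, {name:22s}: keyspace {space:.2e}, exhaustive search {eta}")
    for pw in ("password", "P@ssw0rd!9"):
        print(f"{pw!r}: meets 10.4 = {meets_10_4(pw)}, "
              f"mangled dictionary word = {is_mangled_dictionary_word(pw)}")
```

Run it with different RATE values and the table's rows reorder themselves sensibly: 10 characters of full ASCII is a keyspace roughly 250,000 times larger than 8 characters of mixed case and digits, which the slide's identical "2.1 years" entries do not reflect. The second loop is the practical caveat: P@ssw0rd!9 passes the 10.4 rule yet falls to a dictionary attack with a single mangling rule.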
Threat 4: Forces of Nature
Fire
2012 Fort Wayne data center struck by lightning — full outage
Flood / Tsunami
2011 Fukushima: tsunami crippled nuclear plant control systems
Lightning / ESD
Static: 12,000V from carpet walking; 10V can destroy a hard drive
Earthquake
2006 Taiwan: undersea cable severed — 80% of Asia connectivity lost
Hurricane / Tornado
Entire data center locations must maintain BCP and DRP plans
Solar Activity
1989 Quebec: solar storm caused 9-hour province-wide blackout
Threat 5: Human Error & Social Engineering
Human Error Stats
70% of incidents involve human error
Employees are the #1 threat, not external hackers
1997 Router Table Error: one admin mistake took 45% of the Internet offline
Controls: training, dual approval of critical commands, expert systems
Social Engineering Attacks
Phishing
Mass deceptive emails using URL manipulation + web forgery. 79% of orgs attacked annually.
Spear Phishing
Targeted phishing at specific individuals using personal details for higher success rates.
Whaling
Spear phishing targeting executives (CEO, CFO) to gain high-value system access.
Vishing / Pretexting
Phone-based deception using fabricated scenarios to extract credentials or info.
AFF / 419 Fraud
Advance fee fraud — $82 billion lost globally by 2014. Classic 'Nigerian Prince' emails.
"People are the weakest link in security." — Kevin Mitnick
Threat 6: Information Extortion & Ransomware
Ransomware Types
Lockscreen: locks the OS user interface and demands payment to restore access.
Encryption: encrypts the victim's files; the attacker promises the decryption key upon payment (payment does not guarantee recovery).
Cyberextortion is rising 300% year-over-year. Small businesses are targeted 3x more often than large enterprises.
Real-World Extortion Cases
CD Universe / Maxus (2000)
Demand: $100K
Refused to pay — 300,000 credit card numbers posted online
Express Scripts (2008)
Reward: $1M offered by the company for information leading to the extortionists
Patients' prescription data was stolen and used to extort the company
Anthony Digati vs. NY Life (2010)
Demand: $200K escalated to $3M
Demand escalated after initial refusal; perpetrator eventually arrested
Walachi Innovation Tech. (2012)
Demand: $300K
Payment demanded for return of stolen passwords and proprietary data
Threat 7: Sabotage, Vandalism & Cyberwarfare
Escalation of Cyber Threats
WEB DEFACEMENT
Lowest level. Changing website content or appearance.
Example: SANS Institute defaced July 2001 by hacker 'Fluffi Bunni'.
HACKTIVISM
Politically motivated attacks for ideological reasons.
Example: WikiLeaks, Anonymous targeting government/corporations.
CYBERTERRORISM
Term coined by Barry Collin (1980s).
Example: Oct 2002 DDoS on 13 Internet root servers; Feb 2007 DNS attacks.
CYBERWARFARE
Nation-state sponsored attacks.
Example: Stuxnet worm (widely attributed to the US and Israel) targeting Iranian uranium-enrichment centrifuges.
Low Severity ← → High Severity (Nation-State)
Threat 8: Software Attacks & Malware Taxonomy
Virus: attaches to host files; spreads when the file is executed
Worm: self-replicates across networks without needing a host file
Trojan Horse: appears legitimate but carries a hidden malicious payload
Ransomware: encrypts files or locks the OS; demands payment for decryption
Spyware: secretly monitors user activity and sends data to the attacker
Back Door: hidden access bypass left intentionally in software code
Polymorphic: mutates its own code to evade antivirus signature detection
Zero-Day: exploits a vulnerability unknown to the vendor; no patch exists yet
Robert Morris Worm (1988): the first major Internet worm; exploited a sendmail debug mode, a buffer overflow in fingerd, and rsh/rexec trust relationships, plus weak passwords. Infected ~6,000 machines (about 10% of the Internet). Morris was convicted under the CFAA, the first such conviction in U.S. history.
DoS/DDoS Attacks & Communications Interception
How a DDoS Attack Works
Attacker infects bots → bot army (zombies) → command & control → flood traffic to target → target goes down
Mafiaboy (2000): 15-year-old Michael Calce launched DDoS attacks on CNN, Yahoo, eBay, Dell and Amazon, with damages estimated at ~$1.2B. New World Hacking (2016): claimed a 602 Gbps DDoS on the BBC, which would have been the largest recorded at the time.
Communications Interception Attacks
Packet Sniffer: captures network packets in transit to steal credentials and data
IP Spoofing: forges the source IP address to impersonate a trusted host or system
Pharming: DNS cache poisoning; silently redirects users to fraudulent sites
Man-in-the-Middle: intercepts and relays communications between two parties (e.g., TCP session hijacking)
Malware Hall of Shame: Most Costly Attacks in History
Threats 9–10: Technical Failures & OWASP Top 10
Reliability Formulas
MTBF = MTTF + MTTD + MTTR
MTTF: Mean Time To Failure
MTTD: Mean Time To Diagnose
MTTR: Mean Time To Recover
Hard drives: avg MTBF ~500,000 hours
Intel Pentium FDIV Bug (1994): a flaw in the floating-point division unit caused subtle calculation errors in all affected chips.
Cost: about $475 million in replacements, the first CPU chip recall in history.
OWASP Top 10 Web App Vulnerabilities (2013)
Threats 11–12: Technological Obsolescence & Theft
Threat 11: Technological Obsolescence
Outdated systems become permanent liabilities:
No security patches released after end-of-life (EOL)
Vulnerabilities remain permanently unpatched
Legacy systems persist in ATMs, power grids, and hospitals
Windows XP End-of-Life (April 2014): Microsoft ended XP support in April 2014. Millions of ATMs, hospital systems, and government machines continued running XP, permanently and irreparably vulnerable to any newly discovered flaw.
Symantec also retired legacy antivirus products, leaving customers exposed.
Threat 12: Theft
Physical Theft
Stolen laptops, servers, or storage media. One stolen laptop can expose thousands of records.
Electronic Theft
Data copied digitally — no physical trace. Hard to detect until data surfaces elsewhere.
Credential Theft
Stealing login credentials via mobile devices, keyloggers, or network sniffing attacks.
Overlapping Threats
Theft often combines with espionage, extortion, IP compromise, and software attacks.
Software Development Failures: 24 Deadly Sins
1. SQL Injection: login bypass with ' OR '1'='1 exposes the entire database
2. Buffer Overrun: overflow an input buffer to overwrite memory and execute code
3. XSS (Cross-Site Scripting): inject JavaScript into a web page to steal user session cookies
4. Failure to Handle Errors: unhandled exceptions expose stack traces with server paths
5. Race Conditions (TOCTOU): the time-of-check to time-of-use gap is exploited for privilege escalation
6. Use of Weak Passwords: default admin/admin credentials on IoT devices are never changed
7. Insecure Data Storage: plaintext passwords stored in log files or unencrypted databases
8. Unprotected Network Traffic: HTTP instead of HTTPS, so credentials travel in cleartext
9. Integer Bugs: integer overflow causing pricing miscalculation or authorization-bypass logic
Source: 24 Deadly Sins of Software Security (Howard, LeBlanc and Viega, 2009); 9 of 24 shown
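Sins 1 and 7 side by side, as an added example that is not code from the textbook: a login handler that concatenates user input into SQL and stores plaintext passwords, next to the hardened version that uses a parameterized query and per-user salted PBKDF2 hashes (the salt point is the same one made about rainbow tables on the password slide). The users, passwords and the in-memory SQLite database are constructed sample data; the payload is the ' OR '1'='1 string quoted in sin 1.

```python
"""Login handler: vulnerable form (sins 1 and 7) beside the hardened form.

Added illustration, not from the textbook. Users and passwords below are
constructed sample data; the database is an in-memory SQLite instance.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # work factor; tune so one hash costs ~100 ms on your hardware

# Constructed sample accounts (not real credentials).
SAMPLE_USERS = (("alice", "correct horse battery staple"), ("bob", "hunter2"))


def make_vulnerable_db() -> sqlite3.Connection:
    """Sin 7: passwords stored in plaintext, so a DB leak is a credential leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Sin 1: user input is concatenated into the SQL text.

    With username and password both set to  ' OR '1'='1  the statement becomes
      ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row, so the first user is logged in.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. A random per-user salt makes precomputed
    (rainbow) tables useless and gives equal passwords different hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_safe_db() -> sqlite3.Connection:
    """Hardened storage: only salt and PBKDF2 hash are kept, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt)))
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the username as data, never as SQL.
    The password is verified in code with a constant-time comparison."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    payload = "' OR '1'='1"
    vuln, safe = make_vulnerable_db(), make_safe_db()
    print("vulnerable, real creds:", login_vulnerable(vuln, "alice", "correct horse battery staple"))
    print("vulnerable, injection :", login_vulnerable(vuln, payload, payload))
    print("safe, real creds      :", login_safe(safe, "alice", "correct horse battery staple"))
    print("safe, injection       :", login_safe(safe, payload, payload))
```

The injected login succeeds against the first handler and fails against the second for a reason worth stating plainly: the fix is not escaping the quote character but keeping data out of the SQL grammar altogether. The same payload reaches the safe query as a literal username that matches no row. Note also that the safe handler returns False before hashing when the user is unknown; if timing-based user enumeration matters to you, hash a dummy value on that path as well.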
Chapter 2 Key Takeaways
01
InfoSec protects organizational functions, sensitive data, applications, and technology assets.
02
Three communities share responsibility: General Management, IT Management, and InfoSec Management.
03
12 threat categories span IP theft, QoS failures, espionage, human error, ransomware, cyberwarfare, and more.
04
Human error and social engineering are the #1 threat — technology alone cannot solve the people problem.
05
Ransomware and cyberextortion are rising 300% year-over-year. Every organization is a potential target.
06
Malware families (viruses, worms, Trojans, zero-days) cause tens of billions in damages annually.
07
OWASP Top 10 and the 24 Deadly Sins help developers build applications that resist common attacks.
08
Obsolete unpatched systems (like Windows XP) leave critical infrastructure permanently exposed.