security policy related to a bomb threat
What components should be included in a comprehensive security policy related to a bomb threat? What are some of the management principles fundamental to computer security?
Must be at least 350 words with APA citations. Please be sure to make at least one citation from the chapters provided, along with any other citations.
Introduction to Security Ninth Edition. DOI:
2013 Elsevier Inc. All rights reserved.
435
2013
10.1016/B978-0-12-385057-7.00017-8
Computer Technology and
Information Security Issues
OBJECTIVES
The study of the chapter will enable you to:
1. Identify various computer products.
2. Discuss possible attacks on computer systems and software.
3. Discuss options for protecting computers and information from fraudulent use and theft.
Introduction
Computers and information systems have traditionally been treated as something that the
security/loss-prevention director needs to consider as a vulnerability; however, the 21st
century has brought about a revolution in security operations. The following discussion on
computers and information systems security will focus primarily on the services provided
by the traditional roles of security in protecting computers. However, the trend is for security
technologies to rely on the very computers that they are designed to protect. For example,
information technology has bought closed-circuit television (CCTV), primarily used for
surveillance, of age. Technologies like biometrics1 have made possible video monitoring
in the areas of facial and physical characteristics recognition, fire and smoke detection, and
advanced alarm monitoring. With this growing integration of technology and the security
operation, the traditional dichotomy associated with security and information technology
often creates problems.
In 1946 the U.S. Army developed ENIAC (Electronic Numerical Integrator and Calculator),
the first viable full-scale computer. At that time, computers were mysterious boxes utilized
by scientists and thought to be the top-secret weapons of generals. Today, scientific pocket
calculators have greater computing power than ENIAC, and most kindergarten kids know
how to use a computer2 or some type of handheld personal digital assistant (PDA) computing
device, particularly those designed for electronic games. Computers have become an important
part of peoples lives, becoming an integral part of the way we work, teach, learn, and even play.
In government and business, computers are used to process, store and transmit vast
amounts of information. Information processing tasks that used to take days or weeks for
workers to compile are handled by todays computers in mere minutes, translating into
greater efficiencies and greater productivity. Moreover, information systems are becoming
primary methods of communications. E-mail, instant messaging, voice-over Internet protocol
17
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
http://dx.doi.org/10.1016/B978-0-12-385057-7.00017-8
436 INTRODUCTION TO SECURITY
(essentially using computers and the Internet for voice communications, until recently the
exclusive capability of telephones and telephone companies) are common and in many
cases essential means of effective and efficient communications. Cellphones, smart phones
(e.g., iPhone, Blackberry, Android) and laptops, along with tablet computers and electronic
book readers, are virtually ubiquitous in todays society.
The criminal justice sector also relies on computers. Since 1924 the Federal Bureau of
Investigation (FBI) has been responsible for keeping the nations fingerprint and criminal
history records. In 1967 the National Crime Information Center (NCIC) was established. Today
the FBI has a computer system they call the Investigative Data Warehouse (IDW), described as
one-stop shopping, giving FBI agents, from anywhere in the world, almost instant access to a
database containing more than 650 million records. The search capability of this system has
been described as an Uber-Google.3
In the private sector, banks, insurance agencies, and credit rating agencies also process
enormous volumes of computer data. For example, in the early part of this decade it
was estimated that TRW Data Systems of California collected, stored, and sold access to
information containing the credit histories of more than 90 million Americans. Banks, depart-
ment stores, jewelry stores, and credit card companies pay them a subscription fee to access
such information on current and potential customers. Today, Choicepoint, acquired by Reed
Elsevier in September 2008, is a leading information broker with personal files on more than
220 million people in the United States and Latin America. This data is for sale to government
organizations and the private sector.4 Likewise, every major insurance company in America
collects and stores information on past, current, and future policyholders.
Telemarketing and mail order professionals similarly buy, sell, and repackage such
information like so many tangible products. The countless pieces of junk mail stuffed in
Americans mailboxes each day attest to the proliferation of such information brokers.
Information brokers sell personal data to companies who then target for mail campaigns
people who might be interested in their products.
The Dow Jones News/Retrieval Service offers stock market quotations, reports on business
and economic forecasts, plus profiles of companies and organizations. The Source not only pro-
vides news and stock market indexes but also provides games and other forms of entertainment
to its subscribers. Each of these information services is available to anyone with a computer, lap-
top, iPad, smart phone or any other type of personal digital assistant (PDA) device.
However, as with all great advances, there is a downside. Computer technology is changing
so fast that equipment and software are often outdated before or as soon as it is installed,
having a negative impact on the profit margin of the company. This is especially true for
microcomputers.5
Of greater importance for the security professional are the criminal activities associated
with the misuse of computers and the technology supported by them. Early in the 21st
century, one of the fastest growing problems in this arena is identify theft. Problems that did
not exist 25 years ago are commonplace today. For example, 25 years ago, few people had any
fear of computer viruses. Today several major firms are in the business of protecting not only
company computers, but also the computers used at home, from destructive viruses.
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
Chapter 17 l Computer Technology and Information Security Issues 437
CSO, CISO and CIO Interactions
Information and information systems have become so critical to the efficient operation of
business and government that organizations have in place senior executives to direct strate-
gic and tactical operations associated with the creation, processing, transmission, storage and
protection of information. Virtually all major corporations and government organizations have
in place chief information officers (CIO) and chief information security officers (CISO). These
executives either hold a seat in the C-suite (a term used to refer to corporate and organiza-
tional positions of the chief executive level for a particular function, most commonly the chief
executive officer (CEO), chief financial officer (CFO), chief technology officer (CTO) and in the
security profession, the chief security officer (CSO)) or directly report to someone with chief
responsibilities.
The CIO and CISO work closely with the CSO and in most organizations have distinctively
separate responsibilities. Where the CIO is responsible for the delivery of information
services capabilities to the company, its workforce and other stakeholders, the CISO is
responsible for the security of those information systems and the information contained
within. In more traditional companies, the CSO is responsible for determining the sensitivity
of information and is responsible for the protection of information when it is not residing
within information systems. More specifically, CSOs have been, and often still are, responsi-
ble for the protection of information when it is in forms other than electronic. For example,
much information exists in the form of documents. These documents, when containing pages
of sensitive information, require protection. This protection usually is accomplished with
more traditional security methods such as locked containers, files and safes kept in secure or
protected company areas where unauthorized persons are not allowed physical access. These
traditional security methods help prevent compromise or theft of sensitive company or organi-
zation information. In some companies and organizations the CISO duties are assigned to the
CSO; however, it is more common to see them separated or to see a CISO reporting to a CSO.
Furthermore, CSOs are often charged with the responsibility of working with the creators
of information and intellectual property attorneys to determine and assign some level of
sensitivity to information. Information has different degrees of value and sensitivity. Some
information is routine business information with no particular sensitivity or value while other
information may contain trade secrets or strategic data that possess high value to the organi-
zation and perhaps even provide the organization with a unique competitive advantage. To
properly protect sensitive information it is essential to be able to identify that information that
is truly sensitive and separate it from less valuable information, by virtue of a physical separa-
tion or a process of uniquely identifying (marking) that sensitive information so it is clear to
the possessor just how sensitive that information is. Moreover, the CSO is generally charged
with developing procedures for protecting information determined to be sensitive when not
contained within information systems and with ensuring the workforce understands how to
protect sensitive information.
Essentially, the CIO, CSIO and CSO are collectively responsible for protecting the confiden-
tiality, integrity and availability of all company or organization information. Confidentiality
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
438 INTRODUCTION TO SECURITY
of information is the process of ensuring only authorized persons have access to protected
information and that same information is used only for authorized purposes. Integrity of
information is the process of ensuring the information is not manipulated in an unauthorized
way or corrupted, thus diminishing its value and utility to the organization. Availability of
information is the process of information being made available for authorized business use
to authorized persons when they need access to perform work on behalf of the company or
organization. Properly maintaining information in these three conditionsconfidentiality,
integrity and availabilityis particularly complex and difficult for information residing on
electronic information systems.
IT and Security Cooperation
The importance of cooperation between the CIO, CISO and CSO is critical if the organiza-
tion is going to successfully protect information and information systems. It is best expressed
by the reported responses of CIOs to the 2003 CIO Magazine survey. According to this report,
security that had once been on the bottom half of the CIO spending lists has now moved to
the fourth highest priority. Only systems and process integration, and finding ways to lower
cost, are at the top, ahead of security. And even these priorities are of concern to the CSO.6
However, the global economic recession, which began in 2008 and as of early 2012 has shown
some improvement (but with economic forecasts indicating slow growth over the next several
years), has adversely impacted corporate IT spending. In late 2010, Gartner predicted informa-
tion technology (IT) executives would shift their spending focus to IT infrastructure upgrades.7
What impact that will have on security-related spending remains to be seen.
Types of Computer Systems
Regardless of the type of computer system a given agency or company is using, there are four
common elements: input, processing, storage, and output. Input refers to entering data and
programs into the computer. This can be accomplished by using a keyboard, mouse, scanner,
voice recognition software, or telecommunications methods such as traditional phone lines
or wireless transmissions. Processing transforms the input into machine instructions. These
instructions then exist in executable form within the computer. Hardware components such
as the central processing unit (CPU), memory, and basic input/output system (BIOS) affect the
computers ability to process the input. Storage is a generic term that refers to the areas of a
computer and associated media that store information such as data and programs. Examples
of storage include internal or main memory, tapes, zip drives, hard disks, CD-ROMs, and
memory sticks. Output is any on-screen result or printed report generated by the computer.
Output devices are printers, monitors, and communication data.8
Microcomputers, minicomputers, mainframe computers, and supercomputers are the four
general categories of computer systems available today. What separates these categories from
one another is how much information the computer can store, the processing speed of the
system, and the size of the computer system.9
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
Chapter 17 l Computer Technology and Information Security Issues 439
Microcomputers
These are the smallest and least expensive of the four computer categories. Microcomputers
are designed primarily for individuals or small businesses. Such systems can fit either on
or beside a persons desktop.10 Within this category are two types of computers: personal
computers (PCs) and workstations.11
Personal Computers
These machines can sit on a desk, stand on the floor, or are portable, and are either IBM- or
Apple-compatible. Both systems can operate easy-to-use programs such as word processing,
spreadsheets, and data management programs.12
Non-portable PCs require an AC outlet and weigh more than 20 pounds. These systems
do not require special installation requirements (for example, extra air conditioning or heavy-
duty wiring). With desktop and floor-standing computers, the user can add circuit boards to
the system to add functionality, such as boards for modems, scanners, video capture systems,
and fax machines. The following are non-portable PCs:
l Desktops are machines that can fit on a single table or desk. A potential difficulty with this
type of system is how much space the cabinet foot-print occupies.13
l Floor-standing computers are those in which the system cabinet sits as a tower on the
floor next to the desk.14
l Luggable systems weigh between 20 and 25 pounds. These systems contain all the
components (monitor, computer, and keyboard) in one unit, sometimes including a printer
as well. These machines are also called transportable because they are designed to be
moved, but not to be used in transit.15
Portable computers do not require an AC outlet. Instead, these machines operate from
a battery. Weight for portables ranges from pound to 20 pounds. Portable systems are
designed to be used in transit and have no special installation requirements. The following are
portable PCs:
l Laptop computers weigh between 8 and 20 pounds. These systems have a flat display
screen, which can display mono or color images.
l Notebook computers get their name from their size, which is roughly the size of a thick
notebook, and weigh between 4 and 7.5 pounds. These machines can easily be tucked into
a briefcase, backpack, or simply under a persons arm.16 Essentially, notebook computers
are a smaller version of laptop computers.
l Sub-notebooks weigh between 2.5 and 4 pounds.
l Pocket PCs weigh about 1 pound. These computers are also called hand-helds and are
useful in specific situations. Pocket PCs may be classified as either electronic organizers,
palmtop computers, personal digital assistants (PDAs), or personal communicators.17
Personal communicators include smart phones that can function as a video camera,
portable media player and an Internet client with email and browsing capability, in
addition to providing traditional telephone capabilities.18
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
440 INTRODUCTION TO SECURITY
l Pen computers are often the size of a sub-notebook or pocket computer. These machines
lack a keyboard or mouse but allow the user to enter data by writing directly on the screen
with stylus or pen.19
l Tablet computers are mobile computers larger than a mobile phone or PDA and integrated
into a flat touch screen operated by touching the screen rather than using a physical key
board.20 Apples iPad is a prime example of a tablet computer.
Although these computers are used at home or during travel, most also have the ability to
be used as remote terminals to access company information. Through the Internet, it is not
unusual for company employees to access company records and email from home. Given the
ability of hackers to access home computers that are always on the Internet, security execu-
tives need to consider how to protect proprietary systems from well-meaning employees who
may need remote access to systems and data.
Workstations
Workstations look like desktop PCs but are more powerful. These systems cost between
$10,000 and $150,000.21 Essentially, a workstation is a high-end microcomputer.
Minicomputers
Minicomputers make up the middle class of computer size and power. They are popular with
small- to medium-size businesses because they can be used as servers and do not require
special installation. Servers are central computers that hold data and programs for many PCs
or terminals, called clients, which are linked by a computer network. The entire network is
called a client/server network.22
Mainframes
Mainframe systems occupy specially wired, air-conditioned rooms and are the oldest category
of computers. Mainframe computers are capable of great processing speed and data storage,
allowing multiple users to utilize the system simultaneously. Because of their costs (between
$50,000 and $5 million), large organizations use these systems, operating them with a staff of
professional programmers and technicians.23
Supercomputers
The largest and most powerful computers are called supercomputers. Such computers are
high-capacity machines that also require special air-conditioned rooms and specially trained
staff. They are the fastest calculating devices ever invented. To achieve this capability, cost
(typically from $225,000 to more than $30 million) is set aside to achieve the maximum capa-
bilities that technology has to offer. Because of the cost, these machines are used primarily by
government, large companies, and universities.24
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
Chapter 17 l Computer Technology and Information Security Issues 441
Networks
With increasing numbers of computers in the workplace, employees and employers want to be
able to share computer resources. This sharing of resources typically includes proprietary or
sensitive data, printers, and other types of applications. Because of this need, networks were
developed. A network is just two or more computers connected together.25
Local Area Networks
Local area networks (LANs) consist of two or more computers physically connected with some
type of wire or cable (normally coaxial or fiber optic) that forms a data path over which infor-
mation is transferred. Communications to a computer on the LAN are instantly broadcast to all
the computers connected to the LAN.26
The most popular LAN communication protocols are Ethernet, Token Ring, and ARCnet.
The Xerox Corporation developed Ethernet. When using the Ethernet protocol, computers
must ensure that there is no traffic on the network before they are allowed to transmit
information. IBM developed both the Token Ring and ARCnet protocols. LANs using these
protocols pass a special data frame (or token) around the network in a predetermined order to
enable data transmission. Under ARCnet, the order of token movement is based on a network
address; in Token Ring networks, it relies on the physical placement of devices.27
Because of the way LANs are wired and the protocols they use, communication is limited to
a short distance. This is not a major limitation; organizations and businesses have discovered
that as much as 80 percent of their communications occur within a limited geographic area.
This geographic area is frequently within the same department, office, building, or group of
buildings.28
Wireless LANs
New technology has led several major organizations to adopt wireless LANs (WLANs). The
networks operate on the open air, eliminating hardwire applications and their limitations.
While the systems offer added flexibility in connectivity because users are not tied to telephone
or other hard lines, they present real problems for those assigned to the protection of assets.
The federal government will not allow any government-funded agency to introduce wireless
technology until security is improved.
Wide Area Networks
It was generally recognized in the 1970s and 1980s that computers in different locations need
to talk with one other. This led to the development of wide area networks (WANs). WANs are
more powerful networks that can function across wide geographic areas at greater speeds than
LANs. Most WANs are connected via telephone lines, although a variety of other technologies,
such as satellite links, are used as well. Because telephone lines were used in this system,
WANs do not allow multiple computers to share the same communication line, as is possible
with LANs.29
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
442 INTRODUCTION TO SECURITY
The Internet
For years WANs used the X.25 protocol developed by the Consultative Committee for
International Telephone and Telegraph, whereas LANs utilized different protocols. Because
LANs communicate with Ethernet, Token Ring, and ARCnet, and WANs use X.25, these
networks cannot communicate directly with each other.
The Department of Defense started a network in the 1970s called ARPAnet. This system
allowed LANs and WANs to communicate with one another by using a new communications
rule called the Internet Protocol (IP) packet. Today ARPAnet has evolved into the Internet,
which still uses the protocol developed for ARPAnet.30
IP sends information across networks in packets, with each packet containing between 1
and approximately 1,500 characters, creating two problems. First, most information transfers
are longer than 1,500 characters. Second, when data exceeds 1,500 characters, IP breaks the
information into packets. These individual packets are then transmitted, which can lead to
further problems. Packets can get lost or damaged in transit, or may arrive out of sequence.31
The transmission control protocol (TCP) was developed to deal with the problems of IP.
TCP divides the information into packets, sequentially numbers each packet, and inserts
some error control information. Each sequentially numbered packet is then addressed to
the recipient. IP then transports the information over the network. When the host computer
receives the packets, TCP then checks for errors in transmitting. If errors occur, TCP asks for
that particular packet to be resent. Once all the packets are received correctly, TCP will use the
sequence numbers to reconstruct the original message.32
There are many services available on the Internet. Electronic mail (email) allows individuals
to send and receive messages from anyone on the Internet. Telnet allows people to log on to a
remote computer and use the resources of that system if they have a valid account. Finger ser-
vices allow people to ask for information about a particular user. Usenet is a system of discussion
groups in which individual articles are distributed throughout the world. File Transfer Protocol
(FTP) allows people to copy or move files from one computer to another. Gophers provide a series
of menus from which a person can access virtually any type of textual information. The World
Wide Web (the Web or WWW) is a hypertext-based tool that allows people to retrieve and display
data. Utilizing both graphics and hypertext (data linked to other data), the Web is one of the most
popular tools on the Internet. This is only a sampling of the services provided by the Internet.33
As noted earlier, although the Web has made life easier, it has also brought with it many
new problems. Anyone using the WWW is well aware of the spam problem, cookies, and
viruses. These are minor problems compared to the possibility that someone could steal your
identity by stealing information that you share while online. In the first half of 2006, Symantec
reported 2,249 documented new vulnerabilities representing an increase of 18 percent over the
previous period and the highest volume of vulnerabilities recorded for any reporting period.34
Five years later (April, 2011), Symantec reported a massive increase in the threat volume to
more than 286 million new threats identified in the previous year. This number represents a
dramatic increase in the frequency and sophistication of attacks on enterprises.35 It also dem-
onstrates how expansive computer usage has become. From government and commerce to
personal usage, global dependence on computers and information systems is massive.
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central http://ebookcentral.proquest.com
Created from apus on 2020-08-16 13:13:21.
C
op
yr
ig
ht
2
01
2.
E
ls
ev
ie
r
S
ci
en
ce
&
T
ec
hn
ol
og
y.
A
ll
rig
ht
s
re
se
rv
ed
.
Chapter 17 l Computer Technology and Information Security Issues 443
The Database Problems
There is little doubt that the data (note: within in this chapter the authors will frequently use
the terms information and date interchangeably depending upon the context of the situa-
tion or description) collected for business has become the backbone of most organizations.
Data management resulted in the creation of data management personnel or IT depart-
ments. Because data is stored in computers the management and security of these systems
has created more problems for security than any other threat in recent years. Some 30 years
ago the security department simply controlled access to the computing center, restrict-
ing access to only those few who needed to work in the center. Today, control of access is
much more complex. The task of safeguarding these assets has many parts. As previously
mentioned, the three major aspects include: 1) integrity: making sure that data is changed
only in intended ways, 2) confidentiality: making sure that only authorized individuals view
the information, 3) availability: making sure the data is available when needed to authorized
persons.
But even when proper measures are in place to assure the above, there are still two problems.
First, even authorized users sometimes use data improperly (deliberately or accidentally). Second,
unknown flaws in policy and its implementation can allow for unintended data access and data
changes.
CIOs stress the importance of accountability in maintaining database integrity. This
accountability should determine who did what to which data when, and by what means. The
CSO generally agrees with this approach. The answer rests in a simple concept: because tech-
nical systems are involved in storing data, technical systems must be involved in safeguarding
the data. Such a program should do the following:
l Send notification when someone changes data or permissions
l Keep a record of all changes to data or permissions
l Know what data was changed, when, and by whom
l Know who has viewed certain data and when
l Generate periodic reports on who accessed certain tables
l Investigate suspicious behavior on certain tables
l Know who modified a set of tables over a period of time
l Automate procedures across multiple servers36
The Need for Computer Security
What is computer security? People normally answer that it is protecting computers and
information from some type of theft. While true, this is only part of the answer. Earlier in this
chapter we mentioned the need to protect information residing on computers or within infor-
mation systems in the context of the confidentiality, integrity and availability of such informa-
tion. This too is a form of computer security as it requires protecting access to the computer
allowing only authorized persons. Furthermore, computer security must also deal with other
hazards such as natural disasters like fires, floods, accidents, and so forth, essentially physically
Fischer, R., Halibozek, E., & Walters, D. (2012). Introduction to security. ProQuest Ebook Central htt
