Professional Documents
Culture Documents
HandbookofInformationSecurityManagement:AccessControl
Chapter112
PurposesofInformationSecurityManagement
HaroldF.Tipton
Managingcomputerandnetworksecurityprogramshasbecomeanincreasinglydifficultandchallenging
job.Dramaticadvancesincomputingandcommunicationstechnologyduringthepastfiveyearshave
redirectedthefocusofdataprocessingfromthecomputingcentertotheterminalsinindividualofficesand
homes.Theresultisthatmanagersmustnowmonitorsecurityonamorewidelydispersedlevel.These
changesarecontinuingtoaccelerate,makingthesecuritymanagersjobincreasinglydifficult.
Theinformationsecuritymanagermustestablishandmaintainasecurityprogramthatensuresthree
requirements:theconfidentiality,integrity,andavailabilityofthecompanysinformationresources.Some
securityexpertsarguethattwootherrequirementsmaybeaddedtothesethree:utilityandauthenticity
(i.e.,accuracy).Inthisdiscussion,however,theusefulnessandauthenticityofinformationareaddressed
withinthecontextofthethreebasicrequirementsofsecuritymanagement.
CONFIDENTIALITY
Confidentialityistheprotectionofinformationinthesystemsothatunauthorizedpersonscannotaccessit.
Manybelievethistypeofprotectionisofmostimportancetomilitaryandgovernmentorganizationsthat
needtokeepplansandcapabilitiessecretfrompotentialenemies.However,itcanalsobesignificantto
businessesthatneedtoprotectproprietarytradesecretsfromcompetitorsorpreventunauthorized
personsfromaccessingthecompanyssensitiveinformation(e.g.,legal,personnel,ormedicalinformation).
Privacyissues,whichhavereceivedanincreasingamountofattentioninthepastfewyears,placethe
importanceofconfidentialityonprotectingpersonalinformationmaintainedinautomatedsystemsbyboth
governmentagenciesandprivatesectororganizations.
Confidentialitymustbewelldefined,andproceduresformaintainingconfidentialitymustbecarefully
implemented,especiallyforstandalonecomputers.Acrucialaspectofconfidentialityisuseridentification
andauthentication.Positiveidentificationofeachsystemuserisessentialtoensuringtheeffectivenessof
policiesthatspecifywhoisallowedaccesstowhichdataitems.
ThreatstoConfidentiality
Confidentialitycanbecompromisedinseveralways.Thefollowingaresomeofthemostcommonly
encounteredthreatstoinformationconfidentiality:
Hackers.
Masqueraders.
Unauthorizeduseractivity.
https://www.cccure.org/Documents/HISM/019021.html
1/3
2/14/2016
HandbookofInformationSecurityManagement:AccessControl
Unprotecteddownloadedfiles.
Localareanetworks(LANs).
Trojanhorses.
Hackers
Ahackerissomeonewhobypassesthesystemsaccesscontrolsbytakingadvantageofsecurity
weaknessesthatthesystemsdevelopershaveleftinthesystem.Inaddition,manyhackersareadeptat
discoveringthepasswordsofauthorizeduserswhofailtochoosepasswordsthataredifficulttoguessor
notincludedinthedictionary.Theactivitiesofhackersrepresentseriousthreatstotheconfidentialityof
informationincomputersystems.Manyhackershavecreatedcopiesofinadequatelyprotectedfilesand
placedtheminareasofthesystemwheretheycanbeaccessedbyunauthorizedpersons.
Masqueraders
Amasqueraderisanauthorizeduserofthesystemwhohasobtainedthepasswordofanotheruserand
thusgainsaccesstofilesavailabletotheotheruser.Masqueradersareoftenabletoreadandcopy
confidentialfiles.Masqueradingisacommonoccurrenceincompaniesthatallowuserstoshare
passwords.
UnauthorizedUserActivity
Thistypeofactivityoccurswhenauthorizedsystemusersgainaccesstofilesthattheyarenotauthorized
toaccess.Weakaccesscontrolsoftenenableunauthorizedaccess,whichcancompromiseconfidential
files.
UnprotectedDownloadedFiles
Downloadingcancompromiseconfidentialinformationif,intheprocess,filesaremovedfromthesecure
environmentofahostcomputertoanunprotectedmicrocomputerforlocalprocessing.Whileonthe
microcomputer,unattendedconfidentialinformationcouldbeaccessedbyauthorizedusers.
LocalAreaNetworks
LANspresentaspecialconfidentialitythreatbecausedataflowingthroughaLANcanbeviewedatany
nodeofthenetwork,whetherornotthedataisaddressedtothatnode.Thisisparticularlysignificant
becausetheunencrypteduserIDsandsecretpasswordsofusersloggingontothehostaresubjectto
compromiseasthisdatatravelsfromtheusersnodethroughtheLANtothehost.Anyconfidential
informationnotintendedforviewingateverynodeshouldbeprotectedbyencryption.
TrojanHorses
Trojanhorsescanbeprogrammedtocopyconfidentialfilestounprotectedareasofthesystemwhenthey
areunknowinglyexecutedbyuserswhohaveauthorizedaccesstothosefiles.Onceexecuted,theTrojan
horsebecomesresidentontheuserssystemandcanroutinelycopyconfidentialfilestounprotected
resources.
https://www.cccure.org/Documents/HISM/019021.html
2/3
2/14/2016
HandbookofInformationSecurityManagement:AccessControl
TheCISSPOpenStudyGuideWebSite
Weareproudtobringtoallofourmembersalegalcopyofthisoutstandingbook.Ofcoursethisversionis
gettingabitoldandmaynotcontainalloftheinfothatthelatestversionarecovering,howeveritisoneofthe
besttoolyouhavetoreviewthebasicsofsecurity.Investinginthelatestversionwouldhelpyououtinyour
studiesandalsoshowyourappreciationtoAuerbachforlettingmeusetheirbookonthesite.
https://www.cccure.org/Documents/HISM/019021.html
3/3