Q1: What is identity theft and what types of security threats do organizations face?
Identity theft is one of the fastest-growing crimes in Canada because it is relatively easy to do. This kind
of theft involves stealing, misrepresenting, or hijacking the identity of another person or business, and
provides an effective way to commit other crimes.
Security threats to organizations
There are three sources of security threats: human error and mistakes, malicious human activity,
and natural events and disasters.
Human errors and mistakes include accidental problems caused by both employees and non-
Example: an employee who misunderstands operating procedures and accidentally deletes customer
records, or physical accidents like an employee driving a forklift through the wall of a computer
Malicious human activity: This category includes employees and others who intentionally destroy
data or other system components.
For example: hackers who break into a system, virus and worm writers who infect computer
systems, and people who send millions of unwanted emails (spam).
Natural events and disasters: This category includes fires, floods, hurricanes, earthquakes,
tsunamis, avalanches, and other acts of nature.
Problems in this category include not only the initial loss of capability and service, but also losses
stemming from actions to recover from the initial problem.
Five types of security problems are listed: unauthorized data disclosure, incorrect data
modification, faulty service, denial of service, and loss of infrastructure.
PIPEDA Unauthorized data disclosure
Unauthorized data disclosure can occur by human error when someone inadvertently releases data
in violation of policy.
In Canada, this type of disclosure is covered by the Personal Information Protection and
Electronic Documents Act (PIPEDA). Personal information is defined under this Act as information
about an identifiable individual, but does not include the name, title, business address, or telephone
number of an employee of an organization.
The Act gives individuals the right to know why an organization collects, uses, or discloses their
personal information. So organizations are required to identify why they are collecting information
and how they will use it.
PIPEDA also requires organizations to identify anyone in the organization who is responsible for
keeping personal information private and secure and allows other individuals to have access to this
information, as necessary, to check its accuracy.
The popularity and efficacy of search engines have created another source of inadvertent
Of course, proprietary and personal data can also be released maliciously.
Pretexting occurs when someone deceives by pretending to be someone else. For example: A
common scam involves a telephone caller who pretends to be from a credit card company and
claims to be checking the validity of a credit card number.
Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email. For
example: the phisher pretends to be a legitimate company and sends an email requesting
Spoofing is another term for someone pretending to be someone else. For example: IP spoofing
occurs when an intruder uses another site’s IP address as if it were that other site. Email Spoofing is
a synonym for phishing.
Sniffing is a technique for intercepting computer communications. For example: Drive-by sniffers
simply take computers with wireless connections through an area and search for unprotected
Incorrect data modification
Incorrect data modification can occur through human error when employees follow procedures
incorrectly or when procedures have been incorrectly designed.
A final type of incorrect data modification caused by human error includes system errors. An
example is the lost-update problem discussed in chapter 5.
Hacking occurs when a person gains unauthorized access to a computer system.
Faulty service includes problems that result because of incorrect system operation. Faulty service
could include incorrect data modification. For example: Humans can inadvertently cause faulty
service by making procedural mistakes. System developers can write programs incorrectly or make
errors during the installation of hardware, software programs and data.
Denial of service
Human error in following procedures or a lack of procedures can result in denial of service. For
example, an employee can inadvertently shut down a web server or corporate gateway router by
starting a computationally intensive application.
Loss of infrastructure
Human accidents can cause loss of infrastructure. Examples are a bulldozer cutting fibre-optic
cable, or the floor polisher crashing into a rack of web servers.
Question: Why does the figure not include viruses, worms, and zombies?
Answer: viruses and worms are techniques for causing some of the problems in the figure. They can
cause a denial-of-service attack, or they can be used to cause malicious, unauthorized data access or
Q2: What are the elements of a security program?
A security program has three components: senior management involvement, safeguards of various
kinds, and incident response.
Senior management has two critical security functions:
1. Senior management must establish the security policy. This policy sets the stage for the
organization’s response to security threats.
2. Manage risk by balancing the costs and benefits of the security program.
Safeguards are protections against security threats.
The final component of a security program consists of the organization’s planned response to
Q3: How can technical safeguards protect against security threats?
Technical safeguards involve the hardware and software components of an information system.
Identification and authentication
Every information system should require some form of authentication.
For example: the user name identifies the user (the process of identification), and the password
authenticates that user (the process of authentication).
Note that authentication methods fall into three categories: what you know (password or PIN),
what you have (smart card), and what you are (biometric).
o Smart cards
A smart card is a plastic card that is similar to a credit card. Unlike credit, debit, and ATM cards,
which have a magnetic strip, smart cards have a microchip. The microchip, which holds far
more data than a magnetic strip, is loaded with identifying data. Users of smart cards are required
to enter a personal identification number (PIN) in order to be authenticated.
o Biometric authentication
Biometric authentication uses personal physical characteristics such as fingerprints, facial features,
and retinal scans to authenticate users.
Biometric authentication provides strong authentication, but the required equipment is expensive.
o Single Sign-On for multiple systems
Information systems often require multiple sources of authentication.
Today’s operating systems can authenticate you to networks and other servers.
Encryption and Firewalls (chapter 6)
Malware is viruses, worms, Trojan horses, spyware, and adware.
Spyware and Adware
Spyware programs are installed on the user’s computer without the user’s knowledge or
permission. Spyware resides in the background and, unbeknownst to the user, observes the user’s
actions and keystrokes, monitors computer activity, and reports that activity to sponsoring
Adware is similar to spyware in that it’s installed without the user’s permission and resides in the
background, in order to observe user behavior.
Symptoms occur on your computer, you can remove the spyware or adware using anti-malware
Slow system start-up
Sluggish system performance
Many pop-up advertisements
Suspicious browser homepage changes
Suspicious changes to the taskbar and other system interfaces
Unusual hard-disk activity
1. Install antivirus and anti-spyware programs on your computer.
2. Set up your anti-malware programs to scan your computer frequently.
3. Update malware definitions. Malware definitions (patterns that exist in malware code) should
be downloaded frequently.
4. Open email at