Information Technology Reference
In-Depth Information
- Community of interest (COI) boundary
  - Intraorganizational boundary between various logical COIs
  - For example, legal cannot access R&D, who cannot access payroll
- Host server boundary
  - Boundary between host server and intraorganizational, external, and COI
  - For example, server hardening or creating a bastion host
- Application boundary
  - Boundary between application and intraorganizational, COI
  - For example, session encryption
Included in defense-in-depth are protections against vulnerabilities (known
system weaknesses) and system penetration. Proactive measures to test for
weaknesses include vulnerability scans and penetration tests. Vulnerability scans check
for obvious configuration flaws and up-to-date patches; penetration testing digs a
little deeper by actually trying to break into the system. Vulnerability scans and
penetration testing help answer the question: Are the security mechanisms in place
actually working?
The risk analysis identifies high-probability threats and associated
vulnerabilities in the asset space. Any association of a vulnerability with a highly probable
threat is good IA justification.
13.5.2.2 Programmatic Attacks
In addition to system penetration, programmatic attacks are another IT attack
method. Programmatic attacks include malicious code (malware), mobile code,
and denial of service. Consider a recent occurrence of a programmatic attack where
“zombies are fueling a new cyber crime wave.” Extortionists are hitting online
casinos, retailers, and even the Port of Houston with zombie cyber-attacks, not with
the primary intent of doing any damage, but to extort money in exchange for not
damaging their sites and business operations.
The bottom line with respect to IT attack methods is twofold: first, there is a
broad array of methods to penetrate cyber-security, and second, technical security
is not enough. IA justification includes both technical and nontechnical IT attack
methods with respect to the protection of information and information technology.
13.5.2.3 Computer, Automated
Many computer-based attacks may be automated. Automated attacks may be one-
to-one attacker to target (e.g., system probing) or one-to-many (e.g., network map-
http://www.usatoday.com/tech/news/computersecurity/2003-11-12-zombie-blackmail_x.htm.
 