VeriSign White Paper Sample
Businesses, governments, and other organizations face a wide array of information security risks. Some threaten the confidentiality of private information, some threaten the integrity of data and operations, and still others threaten to disrupt availability of critical systems. Chapter 1 examined the role of organized cybercrime, the prevalence of malicious software and the underground marketplaces that facilitate the exchange of stolen information, and tools of the cybercrime trade. In this chapter we turn our attention inside the organization. Although the external threats are considerable, they are not the only component in the risk equation.
Another important set of factors are the vulnerabilities that lie within an organization. For our purposes, we will broadly organize these vulnerabilities into two categories: technical weaknesses and organizational weaknesses. This distinction is meant to draw attention to the fact that information security is not just about technology, although that is an obvious component. How we perform business operations, how we attend to information systems management, and how we train and help others understand the nature of security risks can make a critical difference in the overall effectiveness of an information security strategy. Perhaps more importantly, it is crucial to understand that technical controls will not compensate for poor organizational practices, and that the best-trained staff and most well-intentioned IT professionals will not be able to protect information assets without proper technical controls. An overall security posture is a combination of technical and organizational controls.
Rapid, reliable, and trustworthy communications are essential in today’s business world. Although postal mail and telephones are still used widely, some of the most cost-effective communications take place online. We routinely e-mail colleagues, customers, clients, and other professional and personal contacts. Instant messaging is especially useful for geographically distributed teams who need an electronic equivalent of talking across the room or over the top of a cubicle partition. Many have taken to social networking services, from LinkedIn and Facebook to Twitter, to keep up to date with large groups of individuals. All these communication mechanisms have their advantages and few would want to ban them from the office, but with their convenience and efficiency come security risks. When communications are transmitted in unencrypted forms—such as plain text—there is the potential for someone to intercept the message to learn its contents, or to tamper with the contents before they arrive in the intended recipient’s inbox. We will consider two examples of such attacks: the man-in-the-middle (MITM) attack and the replay attack.
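As an added illustration that is not part of the VeriSign white paper, the following Python shows the receiver-side checks that address the two problems named above: a keyed message authentication code (HMAC) detects a message whose contents were altered in transit, and a per-message nonce detects a message that is delivered a second time. The shared key, the JSON message format and the counter-style nonce are assumptions made for this example.

```python
import hmac
import hashlib
import json

# Shared secret known to sender and receiver (constructed sample value).
SHARED_KEY = b"constructed-demo-key"


def protect(key: bytes, nonce: int, body: str) -> dict:
    """Attach a nonce and an HMAC computed over nonce + body."""
    payload = json.dumps({"nonce": nonce, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "body": body, "tag": tag}


class Receiver:
    """Accepts a message only if its tag verifies and its nonce is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # nonces already accepted

    def accept(self, msg: dict) -> str:
        payload = json.dumps({"nonce": msg["nonce"], "body": msg["body"]},
                             sort_keys=True).encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # compare_digest gives a constant-time comparison of the two tags
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: tampered"
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen.add(msg["nonce"])
        return "accepted"


def demo() -> list:
    """Deliver one genuine message, then the same message again, then an altered copy."""
    rx = Receiver(SHARED_KEY)
    original = protect(SHARED_KEY, 1, "Pay supplier 100")
    results = [rx.accept(original)]                       # accepted
    results.append(rx.accept(original))                   # rejected: replay
    tampered = dict(original, body="Pay supplier 1000")   # body changed, tag unchanged
    results.append(rx.accept(tampered))                   # rejected: tampered
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Without the tag, the altered copy would be indistinguishable from the genuine message; without the nonce record, the repeated delivery would be accepted a second time.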