Textbook: Principles of Information Security, 6th Edition, Whitman (ebook, all chapters, PDF)

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-300
Principles of Information Security
Sixth Edition

Michael E. Whitman, Ph.D., CISM, CISSP

Herbert J. Mattord, Ph.D., CISM, CISSP

Kennesaw State University

Australia • Brazil • Mexico • Singapore • United Kingdom • United States

Principles of Information Security, Sixth Edition
Michael E. Whitman and Herbert J. Mattord

GM, Science, Technology, & Math: Balraj Kalsi
Sr. Product Director, Computing: Kathleen McMahon
Product Team Manager: Kristin McNary
Associate Product Manager: Amy Savino
Director, Development: Julia Caballero
Content Development Manager: Leigh Hefferon
Managing Content Developer: Alyssa Pratt
Senior Content Developer: Natalie Pashoukos
Product Assistant: Jake Toth
Marketing Director: Michele McTighe
Marketing Managers: Stephanie Albracht and Jeff Tousignant
Marketing Coordinator: Cassie Cloutier
Executive Director, Production: Martin Rabinowitz
Production Director: Patty Stephan
Senior Content Project Manager: Brooke Greenhouse
Senior Designer: Diana Graham
Cover image(s): iStockPhoto.com/maciek905

© 2018, 2016, 2012 Cengage Learning

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission of the copyright owner.

SOURCE FOR ILLUSTRATIONS: Copyright © Cengage Learning.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706

For permission to use material from this text or product, submit all requests online at www.cengage.com/permissions. Further permissions questions can be e-mailed to permissionrequest@cengage.com

Library of Congress Control Number: 2017930059

ISBN: 978-1-337-10206-3

Cengage Learning
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with employees residing in nearly 40 different countries and sales in more than 125 countries around the world. Find your local representative at www.cengage.com.

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

To learn more about Cengage Learning, visit www.cengage.com

Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com
Notice to the Reader
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product
information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided
to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described
herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such
instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or
merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect
to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of,
or reliance upon, this material.

Printed in the United States of America


Print Number: 01 Print Year: 2017

To Rhonda, Rachel, Alex, and Meghan, thank you for your loving support.
—MEW

To my mother, Frances Perkins Godwin; it is a wonderful life.
—HJM

Brief Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

CHAPTER 1
Introduction to Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
CHAPTER 2
The Need for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
CHAPTER 3
Legal, Ethical, and Professional Issues in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
CHAPTER 4
Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
CHAPTER 5
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
CHAPTER 6
Security Technology: Access Controls, Firewalls, and VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
CHAPTER 7
Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools . . . . . 385
CHAPTER 8
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
CHAPTER 9
Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
CHAPTER 10
Implementing Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
CHAPTER 11
Security and Personnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
CHAPTER 12
Information Security Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711

Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

CHAPTER 1
Introduction to Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The History of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
What Is Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
CNSS Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Components of an Information System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Balancing Information Security and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Approaches to Information Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Security in the Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Security Professionals and the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Communities of Interest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Information Security: Is It an Art or a Science? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

CHAPTER 2
The Need for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Threats and Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Compromises to Intellectual Property. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Deviations in Quality of Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Espionage or Trespass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Forces of Nature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Human Error or Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Information Extortion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Sabotage or Vandalism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Technical Hardware Failures or Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Technical Software Failures or Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Technological Obsolescence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118


CHAPTER 3
Legal, Ethical, and Professional Issues in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Law and Ethics in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Relevant U.S. Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
International Laws and Legal Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Ethics and Information Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Codes of Ethics of Professional Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Key U.S. Federal Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

CHAPTER 4
Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Information Security Planning and Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Information Security Policy, Standards, and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
The Information Security Blueprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Security Education, Training, and Awareness Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Continuity Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

CHAPTER 5
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
An Overview of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Risk Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Quantitative Versus Qualitative Risk Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Recommended Risk Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322


CHAPTER 6
Security Technology: Access Controls, Firewalls, and VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Protecting Remote Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

CHAPTER 7
Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools . . . . . 385
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Honeypots, Honeynets, and Padded Cell Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Scanning and Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

CHAPTER 8
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Foundations of Cryptology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Cipher Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Cryptographic Algorithms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Cryptographic Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Protocols for Secure Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

CHAPTER 9
Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Physical Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Fire Security and Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Failure of Supporting Utilities and Structural Collapse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Interception of Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Securing Mobile and Portable Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Special Considerations for Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

CHAPTER 10
Implementing Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Information Security Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Technical Aspects of Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Nontechnical Aspects of Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Information Systems Security Certification and Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

CHAPTER 11
Security and Personnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Positioning and Staffing the Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Credentials for Information Security Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Employment Policies and Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Security Considerations for Temporary Employees, Consultants, and Other Workers. . . . . . . . . . . . . . . . . . . 614
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

CHAPTER 12
Information Security Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Security Management Maintenance Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Digital Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Preface

As global networks expand, the interconnection of the world’s information systems and devices of every description becomes vital, as does the smooth operation of communication, computing, and automation solutions. However, ever-evolving threats such as malware and phishing attacks and the success of criminal attackers illustrate the weaknesses in current information technologies and the need to provide heightened security for these systems. When attempting to secure current and planned systems and networks, organizations must draw on the current pool of information security practitioners. However, to develop more secure computing environments in the future, these same organizations are counting on the next generation of professionals to have the correct mix of skills and experience to anticipate and manage the complex information security issues that will arise. Thus, improved texts with supporting materials, along with the efforts of college and university faculty, are needed to prepare students of technology to recognize the threats and vulnerabilities in existing systems and to learn to design and develop the secure systems needed.
The purpose of Principles of Information Security, Sixth Edition, is to continue to meet the need for a current, high-quality academic textbook that surveys the breadth of the information security discipline. Even today, there remains a lack of textbooks that provide students with a balanced introduction to the managerial and technical aspects of information security. By creating a book specifically focused on the information security common body of knowledge, we hope to close this gap. Further, there is a clear need to include principles from criminal justice, political science, computer science, information systems, and other related disciplines to gain a clear understanding of information security principles and formulate interdisciplinary solutions for systems vulnerabilities. The essential tenet of this textbook is that information security in the modern organization is a problem for management to solve, and not one that technology alone can address. In other words, an organization’s information security has important economic consequences for which management will be held accountable.

Approach
Principles of Information Security, Sixth Edition, provides a broad review of the entire field of information security, background on many related elements, and enough detail to facilitate an understanding of the topic as a whole. The book covers the terminology of the field, the history of the discipline, and strategies for managing an information security program.

Structure and Chapter Descriptions
Principles of Information Security, Sixth Edition, is structured to follow an approach that moves from the strategic aspects of information security to the operational—beginning with the external impetus for information security, moving through the organization’s governance, risk management, and regulatory compliance strategic approaches, and continuing with the technical and operational implementation of security in the organization. This textbook’s use of this approach is intended to provide a supportive but not overly dominant foundation that will guide instructors and students through the information domains of information security. To serve this end, the book is organized into 12 chapters.

‡ Chapter 1—Introduction to Information Security
The opening chapter establishes the foundation for understanding the broader field of information security. This is accomplished by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of information security.

‡ Chapter 2—The Need for Security
Chapter 2 examines the business drivers behind the design process of information security analysis. It examines current organizational and technological security needs while emphasizing and building on the concepts presented in Chapter 1. One principal concept presented in this chapter is that information security is primarily a management issue rather than a technological one. To put it another way, the best practices within the field of information security involve applying technology only after considering the business needs.
The chapter also examines the various threats facing organizations and presents methods for ranking and prioritizing these threats as organizations begin their security planning process. The chapter continues with a detailed examination of the types of attacks that could result from these threats, and how these attacks could affect the organization’s information systems. Chapter 2 also provides further discussion of the key principles of information security, some of which were introduced in Chapter 1: confidentiality, integrity, availability, authentication and identification, authorization, accountability, and privacy.

‡ Chapter 3—Legal, Ethical, and Professional Issues in Information Security
A critical aspect of the field is the inclusion of a careful examination of current legislation, regulation, and common ethical expectations of both national and international entities that provides important insights into the regulatory constraints that govern business. This chapter examines several key laws that shape the field of information security and examines the computer ethics to which those who implement security must adhere. This chapter also presents several common legal and ethical issues found in today’s organizations, as well as formal and professional organizations that promote ethics and legal responsibility.

‡ Chapter 4—Planning for Security
This chapter presents a number of widely accepted security models and frameworks. It examines best business practices and standards of due care and due diligence, and offers an overview of the development of security policy. This chapter details the major components, scope, and target audience for each level of security policy. This chapter also explains data classification schemes, both military and private, as well as the security education, training, and awareness (SETA) program. The chapter examines the planning process that supports business continuity, disaster recovery, and incident response; it also describes the organization’s role during incidents and specifies when the organization should involve outside law enforcement agencies.

‡ Chapter 5—Risk Management
Before the design of a new information security solution can begin, information security analysts must first understand the current state of the organization and its relationship to information security. Does the organization have any formal information security mechanisms in place? How effective are they? What policies and procedures have been published and distributed to security managers and end users? This chapter describes how to conduct a fundamental information security assessment by describing procedures for identifying and prioritizing threats and assets as well as procedures for identifying what controls are in place to protect these assets from threats. The chapter also discusses the various types of control mechanisms and identifies the steps involved in performing the initial risk assessment. The chapter continues by defining risk management as the process of identifying, assessing, and reducing risk to an acceptable level and implementing effective control measures to maintain that level of risk. Chapter 5 concludes with a discussion of risk analysis and various types of feasibility analyses.

‡ Chapter 6—Security Technology: Access Controls, Firewalls, and VPNs
Chapter 6 provides a detailed overview of the configuration and use of technologies designed to segregate the organization’s systems from the insecure Internet. This chapter examines the various definitions and categorizations of firewall technologies and the architectures under which firewalls may be deployed. The chapter discusses the rules and guidelines associated with the proper configuration and use of firewalls. Chapter 6 also discusses remote dial-up services and the security precautions necessary to secure access points for organizations still deploying this older technology. The chapter continues by presenting content filtering capabilities and considerations, and concludes by examining technologies designed to provide remote access to authorized users through virtual private networks.

‡ Chapter 7—Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
Chapter 7 continues the discussion of security technologies by examining the concept of intrusion and the technologies necessary to prevent, detect, react to, and recover from intrusions. Specific types of intrusion detection and prevention systems (IDPSs)—the host IDPS, network IDPS, and application IDPS—and their respective configurations and uses are presented and discussed. The chapter examines specialized detection technologies that are designed to entice attackers into decoy systems (and thus away from critical systems) or simply to identify the attackers’ entry into these decoy areas. Such systems are known as honeypots, honeynets, and padded cell systems. The discussion also examines trace-back systems, which are designed to track down the true address of attackers who were lured into decoy systems. The chapter then examines key security tools that information security professionals can use to examine the current state of their organization’s systems and identify potential vulnerabilities or weaknesses in the organization’s overall security posture. Chapter 7 concludes with a discussion of access control devices commonly deployed by modern operating systems and new technologies in the area of biometrics that can provide strong authentication to existing implementations.

‡ Chapter 8—Cryptography
Chapter 8 continues the section on security technologies by describing the underlying foundations of modern cryptosystems as well as their architectures and implementations. The chapter begins by summarizing the history of modern cryptography and discussing the various types of ciphers that played key roles in that history. The chapter also examines some of the mathematical techniques that comprise cryptosystems, including hash functions. The chapter then extends this discussion by comparing traditional symmetric encryption systems with more modern asymmetric encryption systems and examining the role of asymmetric systems as the foundation of public-key encryption systems. Also covered are the cryptography-based protocols used in secure communications, including S-HTTP, S/MIME, SET, and SSH. The chapter then discusses steganography and its emerging role as an effective means of hiding information. Chapter 8 concludes by revisiting attacks on information security that are specifically targeted at cryptosystems.

‡ Chapter 9—Physical Security
A vital part of any information security process, physical security includes the management of physical facilities, the implementation of physical access control, and the oversight of environmental controls. Physical security involves a wide range of special considerations that encompass designing a secure data center, assessing the relative value of guards and watchdogs, and resolving technical issues in fire suppression and power conditioning. Chapter 9 examines these considerations by factoring in the physical security threats that modern organizations face.

‡ Chapter 10—Implementing Information Security
The preceding chapters provide guidelines for how an organization might design its information security program. Chapter 10 examines the elements critical to implementing this design. Key areas in this chapter include the bull’s-eye model for implementing information security and a discussion of whether an organization should outsource components of its information security program. The chapter also discusses change management, program improvement, and additional planning for business continuity efforts.

‡ Chapter 11—Security and Personnel
The next area in the implementation stage addresses personnel issues. Chapter 11 examines both sides of the personnel coin: security personnel and security of personnel. It examines staffing issues, professional security credentials, and the implementation of employment policies and practices. The chapter also discusses how information security policy affects and is affected by consultants, temporary workers, and outside business partners.

‡ Chapter 12—Information Security Maintenance
Last and most important is the discussion of maintenance and change. Chapter 12 describes the ongoing technical and administrative evaluation of the information security program that an organization must perform to maintain the security of its information systems. This chapter explores the controlled administration of changes to modern information systems to prevent the introduction of new security vulnerabilities. Special considerations needed for the varieties of vulnerability analysis in modern organizations are explored, from Internet penetration testing to wireless network risk assessment. The chapter and the book conclude by covering the subject of digital forensics.

Features
Here are some features of the book’s approach to information security:
Information Security Professionals’ Common Bodies of Knowledge—Because the authors hold both the Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) credentials, those knowledge domains have had an influence in the design of the text. Although care was taken to avoid producing a certification study guide, the authors’ backgrounds ensure that the book’s treatment of information security integrates the CISM and CISSP Common Bodies of Knowledge (CBKs).
Chapter Scenarios—Each chapter opens and closes with a short story that features the same fictional company as it encounters information security issues commonly found in real-life organizations. At the end of each chapter, a set of discussion questions provides students and instructors with opportunities to discuss the issues suggested by the story as well as offering an opportunity to explore the ethical dimensions of those issues.
Clearly Defined Key Terms Boxes—At the start of every major section, the key terms for that section are listed and defined. While the terms are referenced in the body of the text, the isolation of the definitions from the discussion allows a smoother presentation of the key terms and supports their standardization throughout all Whitman and Mattord books.
Offline and Technical Details Boxes—Interspersed throughout the textbook, these sections highlight interesting topics and detailed technical issues, giving students the option of delving into information security topics more deeply.
Hands-On Learning—At the end of each chapter, students will find a chapter summary and review questions as well as exercises. In the exercises, students are asked to research, analyze, and write responses to reinforce learning objectives, deepen their understanding of the text, and examine the information security arena outside the classroom.

New to This Edition
● Coverage of the newest laws and industry trends
● Increased visibility for terminology used in the industry through Key Terms text boxes and integration of this terminology across the Whitman and Mattord textbook series
● Updated and additional “For More Information” callouts that provide Web locations where students can find more information about the subject covered

Instructor Resources
‡ MindTap
MindTap® activities for Whitman and Mattord’s Principles of Information Security, Sixth Edition, are designed to help students master the skills they need in today’s workforce. Research shows employers need critical thinkers, troubleshooters, and creative problem-solvers to stay relevant in our fast-paced, technology-driven world. MindTap helps you achieve this with assignments and activities that provide hands-on practice, real-life relevance, and mastery of difficult concepts. Students are guided through assignments that progress from basic knowledge and understanding to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on exercises provide real-life application and practice. Readings and “Whiteboard Shorts” support the lecture, while “In the News” assignments encourage students to stay current. Pre- and post-course assessments allow you to measure how much students have learned using analytics and reporting that makes it easy to see where the class stands in terms of progress, engagement, and completion rates. Use the content and learning path as is, or pick and choose how our material will wrap around yours. You control what the students see and when they see it. Learn more at www.cengage.com/mindtap/.

‡ Instructor Companion Site
Free to all instructors who adopt Principles of Information Security, Sixth Edition, for their courses is a complete package of instructor resources. These resources are available from the Cengage Web site, www.cengagebrain.com. Go to the product page for this book in the online catalog and choose “Instructor Downloads.”

Resources include:
● Instructor’s Manual: This manual includes course objectives and additional information to help your instruction.
● Cengage Testing Powered by Cognero: A flexible, online system that allows you to import, edit, and manipulate content from the text’s test bank or elsewhere, including your own favorite test questions; create multiple test versions in an instant; and deliver tests from your LMS, your classroom, or wherever you want.
● PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students for chapter review, or to be printed for classroom distribution. Some tables and figures are included in the PowerPoint slides; however, all are available in the online instructor resources. Instructors are also at liberty to add their own slides.
● Lab Manual: Cengage has produced a lab manual (Hands-On Information Security Lab Manual, Fourth Edition) written by the authors that can be used to provide technical experiential exercises in conjunction with this book. Contact your Cengage learning consultant for more information.
● Readings and Cases: Cengage also produced two texts—Readings and Cases in the Management of Information Security (ISBN-13: 9780619216276) and Readings & Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576)—by the authors, which make excellent companion texts. Contact your Cengage learning consultant for more information.
● Curriculum Model for Programs of Study in Information Security: In addition to the texts authored by this team, a curriculum model for programs of study in Information Security and Assurance is available from the Kennesaw State University Center for Information Security Education (http://infosec.kennesaw.edu). This document provides details on designing and implementing security coursework and curricula in academic institutions, as well as guidance and lessons learned from the authors’ perspective.

Author Team
Michael Whitman and Herbert Mattord have jointly developed this text to merge knowledge from the world of academic study with practical experience from the business world.
Michael E. Whitman, Ph.D., CISM, CISSP is a Professor of Information Security and Assurance in the Information Systems Department, Michael J. Coles College of Business at Kennesaw State University, Kennesaw, Georgia, where he is also the Executive Director of the KSU Center for Information Security Education (infosec.kennesaw.edu). Dr. Whitman is an active researcher in Information Security, Fair and Responsible Use Policies, Ethical Computing, and Curriculum Development Methodologies. He currently teaches graduate and undergraduate courses in Information Security Management. He has published articles in the top journals in his field, including Information Systems Research, Communications of the ACM, Information and Management, Journal of International Business Studies, and Journal of Computer Information Systems. Dr. Whitman is also the Co-Editor-in-Chief of the Journal of Cybersecurity Education, Research and Practice. He is a member of the Information Systems Security Association, the Association for Computing Machinery, and the Association for Information Systems. Dr. Whitman is also the co-author of Management of Information Security, Principles of Incident Response and Disaster Recovery, Readings and Cases in the Management of Information Security, The Guide to Firewalls and VPNs, The Guide to Network Security, and The Hands-On Information Security Lab Manual, among others, all published by Cengage. Prior to his career in academia, Dr. Whitman was an Armored Cavalry Officer in the United States Army, which included duties as Automated Data Processing Systems Security Officer (ADPSSO).
Herbert J. Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an application developer, database administrator, project manager, and information security practitioner before joining the faculty of Kennesaw State University in 2002. Dr. Mattord is the Assistant Chair of the Information Systems Department and the Associate Director of the KSU Center for Information Security Education and Awareness (infosec.kennesaw.edu). Dr. Mattord is also the Co-Editor-in-Chief of the Journal of Cybersecurity Education, Research and Practice. During his career as an IT practitioner, he has been an adjunct professor at Kennesaw State University, Southern Polytechnic State University in Marietta, Georgia, Austin Community College in Austin, Texas, and Texas State University: San Marcos. He currently teaches undergraduate courses in Information Security. He was formerly the Manager of Corporate Information Technology Security at Georgia-Pacific Corporation, where much of the practical knowledge found in this textbook was acquired. Dr. Mattord is also the co-author of Management of Information Security, Principles of Incident Response and Disaster Recovery, Readings and Cases in the Management of Information Security, The Guide to Firewalls and VPNs, The Guide to Network Security, and The Hands-On Information Security Lab Manual, among others, all published by Cengage.

Acknowledgments
The authors would like to thank their families for their support and understanding for the many hours dedicated to this project—hours taken away, in many cases, from family activities.

‡ Contributors
Several people and organizations also provided materials for this textbook, and we thank them for their contributions:
● The National Institute of Standards and Technology (NIST) is the source of many references, tables, figures, and other content used in many places in the textbook.

‡ Reviewers
● We are indebted to Paul Witman, California Lutheran University, for his perceptive feedback during the chapter-by-chapter reviews of the text.

‡ Special Thanks
The authors wish to thank the editorial and production teams at Cengage. Their diligent and professional efforts greatly enhanced the final product:
● Natalie Pashoukos, Senior Content Developer
● Dan Seiter, Development Editor
● Kristin McNary, Product Team Manager
● Amy Savino, Associate Product Manager
● Brooke Baker, Senior Content Project Manager
In addition, several professional organizations, commercial organizations, and individuals aided the development of the textbook by providing information and inspiration. The authors wish to acknowledge their contributions:
● Dave Lineman
● Donn Parker
● Our colleagues in the Department of Information Systems and the Coles College of Business at Kennesaw State University

‡ Our Commitment
The authors are committed to serving the needs of adopters and readers of this book. We would be pleased and honored to receive feedback on the textbook and its supporting materials. You can contact us at infosec@kennesaw.edu.

Foreword
Information security is an art more than a science, and the mastery of protecting information requires multidisciplinary knowledge of a huge quantity of information plus experience and skill. You will find much of what you need here in this book as the authors take you through the security systems development life cycle using real-life scenarios to introduce each topic. The authors provide their perspective from many years of real-life experience, combined with their academic approach for a rich learning experience expertly presented in this book. You have chosen the authors and the book well.
Since you are reading this book, you are most likely working toward a career in information security or at least have serious interest in information security. You must anticipate that just about everybody hates the constraints that security puts on their work. This includes both the good guys and the bad guys—except for malicious hackers who love the security we install as a challenge to be beaten. We concentrate on stopping the intentional wrongdoers because it applies to stopping the accidental ones as well. Security to protect against accidental wrongdoers is not good enough against those with intent.
I have spent 40 years of my life in a field that I found to be exciting and rewarding, working with computers and pitting my wits against malicious people, and you will too. Security controls and practices include logging on and off, using passwords, encrypting and backing up vital information, locking doors and drawers, motivating stakeholders to support security, and installing antivirus software. These means of protection have no benefit except rarely, when adversities occur. Good security is in effect when nothing bad happens, and when nothing bad happens, who needs security? Nowadays, in addition to loss experience, we need it because the law, regulations, and auditors say so—especially if we deal with the personal information of others, electronic money, intellectual property, and keeping ahead of the competition.
There is great satisfaction in knowing that your employer’s information and systems are reasonably secure and that you are paid a good salary, are the center of attention in emergencies, and are applying your wits against the bad guys. This makes up for the downside of your security work. It is no job for perfectionists because you will almost never be fully successful, and there will always be vulnerabilities that you aren’t aware of or that the bad guys discover first. Our enemies have a great advantage over us. They have to find only one vulnerability and one target to attack in a known place, electronically or physically at a time of their choosing, while we must defend from potentially millions of attacks against assets and vulnerabilities that are no longer in one computer room but are spread all over the world. It’s like playing a game in which you don’t know your opponents and where they are, what they are doing, or why they are doing it, and they are secretly changing the rules as they play. You must be highly ethical, defensive, secretive, and cautious. Bragging about the great security you are employing might tip off the enemy. Enjoy the few successes that you experience, for you will not even know about some of them.
There is a story that describes the kind of war you are entering into. A small country inducted a young man into its ill-equipped army. The army had no guns, so it issued a broom to the new recruit for training purposes. In basic training, the young man asked, “What do I do with this broom?”
The instructor took him to the rifle range and told him to pretend the broom is a gun, aim it at the target, and say, “Bang, bang, bang.” He did that. Then the instructor took him to bayonet practice, and the recruit said, “What do I do with this broom?”
The instructor said, “Pretend it is a gun with a bayonet and say, ‘Stab, stab, stab.’”
The recruit did that as well. Then the war started and the army still didn’t have guns; the young man found himself on the front line with enemy soldiers running toward him across a field. All he had was his trusty broom, so he could only do what he was trained to do. He aimed the broom at the enemy soldiers and said, “Bang, bang, bang.” Some of the enemy soldiers fell down, but many kept coming. Some got so close that he had to say “Stab, stab, stab,” and more enemy soldiers fell down. However, there was one stubborn enemy soldier (there always is in these stories) running toward him. The recruit said, “Bang, bang, bang,” but to no effect. The enemy continued to get closer and the recruit said, “Stab, stab, stab,” but it still had no effect. In fact, the enemy soldier ran right over the recruit, broke his broom in half, and left him lying in the dirt. As the enemy soldier ran by, the recruit heard him muttering under his breath, “Tank, tank, tank.”
I tell this story at the end of my many lectures on computer crime and security to impress on my audience that if you are going to win against crime, you must know the rules, and it is the criminals who are making up their own secret rules as they go along. This makes winning very difficult.
When I was lecturing in Rio de Janeiro, a young woman performed simultaneous translation into Portuguese for my audience of several hundred people, all with earphones clapped over their ears. In such situations, I have no idea what my audience is hearing, and after telling my joke nobody laughed. They just sat there with puzzled looks on their faces. After the lecture, I asked the translator what had happened. She had translated “tank, tank, tank” into “water tank, water tank, water tank.” I and the recruit were both deceived that time.
Three weeks later, I was lecturing to an audience of French bankers at the George V Hotel in Paris. I had a bilingual friend listen to the translation of my talk. The same thing happened as in Rio. Nobody laughed. Afterwards, I asked my friend what had happened. He said, “You will never believe this, but the translator translated ‘tank, tank, tank’ into ‘merci, merci, merci’ (thanks).” Even in telling the joke, like the recruit, I didn’t know the rules to the game.
Remember that when working in security, you are in a virtual army defending your employer and stakeholders from their enemies. From your point of view, the enemies will probably think and act irrationally, but from their perspective they are perfectly rational, with serious personal problems to solve and gains to be made by violating your security. You are no longer just a techie with the challenging job of installing technological controls in systems and networks. Most of your work should be in assisting potential victims to protect themselves from information adversities and dealing with your smart but often irrational enemies, even though you rarely see or even identify them. I spent a major part of my security career hunting down computer criminals and interviewing them and their victims, trying to obtain insights to do a better job of defending from their attacks. Likewise, you should use every opportunity to seek them out and get to know them. This experience gives you great cachet as a real and unique expert, even with minimal exposure to only a few enemies.
Comprehensiveness is an important part of the game you play for real stakes because the
enemy will likely seek the easiest way to attack vulnerabilities and assets that you haven’t
fully protected yet or even know exist. For example, a threat that is rarely found on threat
lists is endangerment of assets—putting information assets in harm’s way. Endangerment is
also one of the most common violations by security professionals when they reveal too much
about their security and loss experience.
You must be thorough and meticulous and document everything pertinent, in case your competence is questioned and to meet the requirements of the Sarbanes-Oxley Law. Keep your documents safely locked away. Documentation is important so that when an adversity hits and you lose the game, you will have proof of being diligent in spite of the loss. Otherwise, your career could be damaged, or at least your effectiveness will be diminished. For example, if the loss occurred because management failed to give you an adequate budget and support for security you knew you required, you need to have documented that failure before the incident occurred. Don’t brag about how great your security is, because it can always be beaten.
Keep and expand checklists for everything: threats, vulnerabilities, assets, key potential victims, suspects of wrongdoing, security supporters and nonsupporters, attacks, enemies, criminal justice resources, auditors, regulators, and legal counsel. To assist your stakeholders, who are the front-line defenders of their information and systems, identify what they must protect and know the real extent of their security. Make sure that upper management and other people to whom you report understand the nature of your job and its limitations.
Use the best possible security practices yourself to set a good example. You will have a huge collection of sensitive passwords to do your job. Write them down, and keep the list safely in your wallet next to your credit card. Know as much as possible about the systems and networks in your organization and have access to experts who know the rest. Make good friends of local and national criminal justice officials, your organization’s lawyers, insurance risk managers, human resources people, facilities managers, and auditors. Audits are one of the most powerful controls your organization has. Remember that people hate security and must be properly motivated by penalties and rewards to make it work. Seek ways to make security invisible or transparent to stakeholders while keeping it effective. Don’t recommend or install controls or practices that stakeholders won’t support, because they will beat you every time by making it look like the controls are effective when they are not—a situation worse than no security at all.
One of the most exciting parts of the job is the insight you gain about the inner workings and secrets of your organization, its business, and its culture. As an information security consultant, I was privileged to learn about the culture and secrets of more than 250 of the largest corporations throughout the world. I had the opportunity to interview and advise the most powerful business executives, if only for a few minutes of their valuable time. You should always be ready with a “silver bullet” to use in your short time with top management for the greatest benefit of enterprise security. Carefully learn the limits of management’s security appetites. Know the nature of the business, whether it is a government department or a hotly competitive business. I once found myself in a meeting with a board of directors intensely discussing the protection of their greatest trade secret, the manufacturing process of their new disposable diapers.
Finally, we come to the last important bit of advice. Be trustworthy and develop mutual trust
among your peers. Your most important objectives are not just risk reduction and increased
security. They also include diligence to avoid negligence and endangerment, compliance with
all of the laws and standards, and enablement when security becomes a competitive or budget
issue. To achieve these objectives, you must develop a trusting exchange of the most sensitive
security intelligence among your peers so you’ll know where your organization stands relative
to other enterprises. But be discreet and careful about it. You need to know the generally
accepted and current security solutions. If the information you exchange is exposed, it could
ruin your career and others, and could create a disaster for your organization. Your personal
and ethical performance must be spotless, and you must protect your reputation at all costs.
Pay particular attention to the ethics section of this book. I recommend that you join the
Information Systems Security Association, become active in it, and become professionally
certified as soon as you are qualified. My favorite certification is the Certified Information
Systems Security Professional (CISSP) from the International Information Systems Security
Certification Consortium.

Donn B. Parker, CISSP Retired


Los Altos, California

chapter 1

Introduction to Information Security

Do not figure on opponents not attacking; worry about your own lack of preparation.
BOOK OF THE FIVE RINGS

For Amy, the day began like any other at the Sequential Label and Supply Company
(SLS) help desk. Taking calls and helping office workers with computer problems was not
glamorous, but she enjoyed the work; it was challenging and paid well enough. Some of her
friends in the industry worked at bigger companies, some at cutting-edge tech companies, but
they all agreed that jobs in information technology were a good way to pay the bills.
The phone rang, as it did about four times an hour. The first call of the day, from a worried
user hoping Amy could help him out of a jam, seemed typical. The call display on her monitor
showed some of the facts: the user’s name, his phone number and department, where his
office was on the company campus, and a list of his past calls to the help desk.
“Hi, Bob,” she said. “Did you get that document formatting problem squared away?”
“Sure did, Amy. Hope we can figure out what’s going on this time.”
“We’ll try, Bob. Tell me about it.”
“Well, my PC is acting weird,” Bob said. “When I go to the screen that has my e-mail program running, it doesn’t respond to the mouse or the keyboard.”


“Did you try a reboot yet?”


“Sure did. But the window wouldn’t close, and I had to turn my PC off. After it restarted, I
opened the e-mail program, and it’s just like it was before—no response at all. The other
stuff is working OK, but really, really slowly. Even my Internet browser is sluggish.”
“OK, Bob. We’ve tried the usual stuff we can do over the phone. Let me open a case, and I’ll
dispatch a tech over as soon as possible.”
Amy looked up at the help desk ticket status monitor on the wall at the end of the room. She
saw that only two technicians were dispatched to user support at the moment, and since it
was the day shift, four technicians were available. “Shouldn’t be long at all, Bob.”
She hung up and typed her notes into the company’s trouble ticket tracking system. She
assigned the newly generated case to the user dispatch queue, which would page the roving
user support technician with the details in a few minutes.
A moment later, Amy looked up to see Charlie Moody, the senior manager of the server
administration team, walking briskly down the hall. He was being trailed by three of his
senior technicians as he made a beeline from his office to the room where the company servers
were kept in a carefully controlled environment. They all looked worried.
Just then, Amy’s screen beeped to alert her of a new e-mail. She glanced down. The screen beeped again—and again. It started beeping constantly. She clicked the envelope icon and, after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez in the Accounting Department. The subject line said, “Wait till you see this.” The message body read, “Funniest joke you’ll see today.” Davey often sent her interesting and funny e-mails, and she clicked the file attachment icon to open the latest joke.
After that click, her PC showed the hourglass pointer icon for a second and then the normal
pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue.
Nothing happened. Her phone rang again. She clicked the icon on her computer desktop to
activate the call management software and activated her headset. “Hello, Help Desk, how
can I help you?” She couldn’t greet the caller by name because her computer had not
responded.
“Hello, this is Erin Williams in Receiving.”
Amy glanced down at her screen. Still no tracking system. She glanced up to the tally board
and was surprised to see the inbound-call counter tallying up waiting calls like digits on a
stopwatch. Amy had never seen so many calls come in at one time.
“Hi, Erin,” Amy said. “What’s up?”
“Nothing,” Erin answered. “That’s the problem.” The rest of the call was a replay of Bob’s,
except that Amy had to jot notes down on a legal pad. She couldn’t dispatch the user support
team either. She looked at the ticket status monitor again. It had gone dark. No numbers at all.
Then she saw Charlie running down the hall from the server room. His expression had changed from worried to frantic.
Amy picked up the phone again. She wanted to check with her supervisor about what to do
now. There was no dial tone.


LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• Explain the role of security in the systems development life cycle
• Describe the information security roles of professionals within an organization

Introduction
Martin Fisher, IT Security Manager at Northside Hospital in Atlanta, believes that enterprise information security is a “critical business capability that needs to be aligned with corporate expectations and culture that provides the leadership and insight to identify risks and implement effective controls.” He is not alone in his perspective. Many information security practitioners recognize that aligning information security needs with business objectives must be the top priority.
This chapter’s opening scenario illustrates that information risks and controls may not be in balance at SLS. Though Amy works in a technical support role to help users with their problems, she did not recall her training about malicious e-mail attachments, such as worms or viruses, and fell victim to this form of attack herself. Understanding how malware might be the cause of a company’s problems is an important skill for information technology (IT) support staff as well as users. SLS’s management also shows signs of confusion and seems to have no idea how to contain this kind of incident. If you were in Amy’s place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company?
As you explore the chapters of this book and learn more about information security, you will become more capable of answering these questions. But, before you can begin studying details about the discipline of information security, you must first know its history and evolution.
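The opening scenario shows a mass-mailing worm from the help desk’s side: the same subject line with an attachment lands in many inboxes within minutes, and the calls start. The following is an added example, not from the textbook, of how a mail gateway could flag such an outbreak from its own logs before the help desk is flooded. The log format, the sls.example addresses, the subject lines and the thresholds are all constructed for this example.

```python
"""Flag a mail-borne worm outbreak from mail-gateway log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format (not the book's or any real gateway's):
# <ISO timestamp> from=<addr> to=<addr> subject="<text>" attach=<yes|no>
SAMPLE_LOG = """\
2018-03-05T09:01:02 from=davey@sls.example to=amy@sls.example subject="Wait till you see this" attach=yes
2018-03-05T09:01:03 from=davey@sls.example to=bob@sls.example subject="Wait till you see this" attach=yes
2018-03-05T09:01:05 from=bob@sls.example to=erin@sls.example subject="Wait till you see this" attach=yes
2018-03-05T09:01:06 from=bob@sls.example to=carol@sls.example subject="Wait till you see this" attach=yes
2018-03-05T09:01:08 from=erin@sls.example to=amy@sls.example subject="Wait till you see this" attach=yes
2018-03-05T09:01:09 from=erin@sls.example to=dave@sls.example subject="Wait till you see this" attach=yes
2018-03-05T09:02:00 from=hr@sls.example to=all@sls.example subject="Benefits reminder" attach=yes
2018-03-05T09:30:00 from=carol@sls.example to=bob@sls.example subject="Lunch?" attach=no
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>yes|no)$'
)


def parse_log(text):
    """Parse log text into sorted (timestamp, sender, recipient, subject, has_attachment) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        events.append((
            datetime.fromisoformat(m["ts"]),
            m["sender"], m["rcpt"], m["subject"], m["attach"] == "yes",
        ))
    return sorted(events)


def detect_outbreak(events, window_seconds=300, min_senders=3, min_recipients=4):
    """Return {subject: (distinct_senders, distinct_recipients)} for subjects whose
    attachment-bearing messages came from several different senders to several
    recipients inside one time window.

    A worm spreads from each newly infected mailbox, so the same subject appears
    from many senders; a legitimate bulk mailing (the HR line below) has many
    recipients but a single sender and does not trip the sender threshold.
    """
    by_subject = defaultdict(list)
    for ts, sender, rcpt, subject, attach in events:
        if attach:
            by_subject[subject].append((ts, sender, rcpt))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for subject, msgs in by_subject.items():
        # msgs is already time-ordered because events were sorted
        for i, (end_ts, _, _) in enumerate(msgs):
            in_window = [m for m in msgs[: i + 1] if end_ts - m[0] <= window]
            senders = {m[1] for m in in_window}
            rcpts = {m[2] for m in in_window}
            if len(senders) >= min_senders and len(rcpts) >= min_recipients:
                best = alerts.get(subject, (0, 0))
                alerts[subject] = max(best, (len(senders), len(rcpts)))
    return alerts


if __name__ == "__main__":
    for subj, (s, r) in detect_outbreak(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {s} senders relayed {subj!r} with an attachment to {r} recipients")
```

On the constructed log this flags “Wait till you see this” (three internal senders, five recipients in under a minute) and ignores the HR mailing, because the distinguishing signal of a worm is the number of distinct senders, not the number of recipients.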

The History of Information Security


Key Term
computer security In the early days of computers, this term specified the need to secure the
physical location of computer technology from outside threats. This term later came to represent
all actions taken to preserve computer systems from losses. It has evolved into the current
concept of information security as the scope of protecting information in an organization has
expanded.

The history of information security begins with the concept of computer security. The need for computer security arose during World War II when the first mainframe computers were developed and used to aid computations for breaking the codes of messages from enemy cryptographic devices like the Enigma, shown in Figure 1-1. Multiple levels of security were implemented to protect these devices and the missions they served. This required new processes as well as tried-and-true methods needed to maintain data confidentiality. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and technologically sophisticated computer security safeguards.

Figure 1-1 The Enigma
Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. “Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn’t read it.”1
Source: Bletchley Park Trust. Used with permission.2
During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against products of the systems, and sabotage. One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on a MOTD (message of the day) file while another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file.3

The 1960s
During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks. These mainframes required a less cumbersome process of communication than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information. In 1968, Dr. Larry Roberts developed the ARPANET project. Figure 1-2 is an excerpt from his Program Plan. ARPANET evolved into what we now know as the Internet, and Roberts became known as its founder.

Figure 1-2 Development of the ARPANET
Source: Courtesy of Dr. Lawrence Roberts. Used with permission.4

For more information on Dr. Roberts and the history of the Internet, visit his Web site at www.packet.cc.

The 1970s and 80s
During the next decade, ARPANET became more popular and saw wider use, increasing the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe (pictured in Figure 1-3) identified fundamental problems with ARPANET security. As one of the creators of Ethernet, a dominant local area networking protocol, he knew that individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorizations. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was commonly referred to as network insecurity.5 In 1978, Richard Bisbey and Dennis Hollingworth, two researchers in the Information Sciences Institute at the University of Southern California, published a study entitled “Protection Analysis: Final Report.” It focused on a project undertaken by ARPA to understand and detect vulnerabilities in operating system security. For a timeline that includes this and other seminal studies of computer security, see Table 1-1.

Figure 1-3 Dr. Metcalfe receiving the National Medal of Technology
Source: U.S. Department of Commerce. Used with permission.

Security that went beyond protecting the physical location of computing devices effectively began with a single paper published by the RAND Corporation in February 1970 for the Department of Defense. RAND Report R-609 attempted to define the multiple controls and mechanisms necessary for the protection of a computerized data processing system. The document was classified for almost ten years, and is now considered to be the paper that started the study of computer security.
The security—or lack thereof—of systems sharing resources inside the Department of Defense
was brought to the attention of researchers in the spring and summer of 1967. At that time,
systems were being acquired at a rapid rate and securing them was a pressing concern both
for the military and defense contractors.
In June 1967, ARPA formed a task force to study the process of securing classified information systems. The task force was assembled in October 1967 and met regularly to formulate recommendations, which ultimately became the contents of RAND Report R-609.6 The document was declassified in 1979 and released as Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security-RAND Report R-609-1. The content of the two documents is identical with the exception of two transmittal memorandums.

For more information on the RAND Report, visit www.rand.org/pubs/reports/R609-1.html.


Date  Document
1968  Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1970  Willis H. Ware authors the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security-RAND Report R-609, which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.
1973  Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.
1975  The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.
1978  Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.7
1979  Morris and Thompson author “Password Security: A Case History,” published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system.
1979  Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.
1982  The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series.
1984  Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report, the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.8
1984  Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users...the naive user has no chance.”9
1992  Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security.

Table 1-1 Key Dates in Information Security
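Two entries in this history are about the same lesson: the early-1960s incident in which the password file was printed on every output, and the Morris and Thompson paper in Table 1-1, which described the per-user salt and one-way hashing that UNIX adopted so that a password file could be read without revealing passwords. The following is an added example, not from the textbook or from either historical system, of that design as it is done today with the Python standard library; the record format, the PBKDF2-HMAC-SHA256 choice and the iteration count are this example’s own assumptions.

```python
"""Salted, slow password hashing so a leaked password file reveals no passwords (added example)."""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # assumed salt length


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record in the assumed form algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, so one cracked hash does not unlock the other and a
    precomputed table of hashes is useless against the file.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. The stored record never contains the password itself."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        if iterations < 1:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def build_password_file(users: dict) -> dict:
    """Build a constructed password 'file' {username: record}. Printing or
    leaking this mapping exposes no password; an attacker is left guessing
    against a slow, salted hash per user."""
    return {name: make_record(pw) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same password.
    pwfile = build_password_file({"amy": "correct horse", "bob": "correct horse", "erin": "hunter2"})
    for name, rec in pwfile.items():
        print(name, rec)
    print("amy and bob records differ:", pwfile["amy"] != pwfile["bob"])
```

The constant-time comparison and the fail-closed handling of malformed records are the two details that are easy to forget when reimplementing this; the 1960s file had no such defences because it stored the passwords themselves, so being printed was the whole compromise.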

RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide use of networking components in military information systems introduced security risks that could not be mitigated by the routine practices then used to secure these systems. Figure 1-4 shows an illustration of computer network vulnerabilities from the 1979 release of this document. This paper signaled a pivotal moment in computer security history—the scope of computer security expanded significantly from the safety of physical locations and hardware to include:
• Securing the data
• Limiting random and unauthorized access to that data
• Involving personnel from multiple levels of the organization in information security

Figure 1-4 Illustration of computer network vulnerabilities from RAND Report R-609
[Figure: a diagram titled “Computer Network Vulnerabilities” showing a processor, switching center, communication lines, remote consoles, files, hardware, and software, with threats labeled at each point: radiation and crosstalk on communication lines; taps, improper connections, and cross coupling; theft, copying, and unauthorized access to files; failure of hardware protection circuits; software bugs, failure of protection features, bounds and access control, and subtle software modifications; and insider actions by the operator, systems programmer, maintenance man, and user, such as disabling protective features, revealing protective measures, providing “ins,” and attaching recorders.]
Source: RAND Report R-609-1. Used with permission.10

MULTICS Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

For more information on the MULTICS project, visit web.mit.edu/multics-history.

In 1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. Not until the early 1970s did even the simplest component of security, the password function, become a component of UNIX.
In the late 1970s, the microprocessor brought the personal computer (PC) and a new age of computing. The PC became the workhorse of modern computing, moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking—the interconnecting of PCs and mainframe computers, which enabled the entire computing community to make all its resources work together.

until the volume was finished, Handsome Jack having at last killed
off all his enemies in double-quick order. To keep the eyes of the
waiter off of him, Hockley ordered another glass of liquor which he
also consumed. Then he threw the book in a corner, arose and
stretched himself.
“Guess I’ll go out and have some sport,” he muttered. “It’s dead slow
hanging around like this. I came to see the sights and I’m going to
see ’em—professor or no professor. There must be lots of sport
going on in a town of this size,—variety shows, gambling, and such
—and I’m going to hunt ’em up, and if I don’t find ’em then my name
ain’t Jake Hockley!”
And paying the amount of his bill he shuffled out of the brilliantly
lighted café and was soon lost to sight in the darkness of the night.
CHAPTER IX
THE DISAPPEARANCE OF HOCKLEY

“What a truly magnificent place!”


Such was Frank’s comment when they entered the opera house and
took the seats Professor Strong had purchased. Frank had been to
the Metropolitan Opera House in New York City, yet the present place
struck him even more favorably, with its immense size, its gorgeous
decorations and its many and varied lights.
“It’s all right,” returned Mark. “But I can’t say as much for the crowd.
It’s quite a mixture.”
And it certainly was, for to-day Havana has a sprinkling of nearly
every nation under the sun. As Darry put it, there were white folks
there and black folks, and a good many who weren’t one or the
other. But all were well dressed, and in the assemblage were a
number of ladies who were truly beautiful.
The Shakespearian play was well produced, and all followed it with
interest, although the boys understood but little of what was said.
Between the acts they strolled around and looked into the various
smoking and lounging rooms, and had some soda water at the
refreshment place. Nearly everybody was smoking and the
atmosphere was decidedly “hazy” in consequence.
“They used to have a curious custom here,” said the professor. “By
paying a little extra you could go behind the scenes and see how the
play looked from the actor’s standpoint.”
“Well, I’d like to see it that way, once,” answered Sam. “Especially
when they were playing something with great mechanical effects,
like a snow-storm, a landslide, a waterfall, or a smash-up on a
railroad.”
At last the play was over, and they walked out to where their carriage
was in waiting. A good part of the crowd lingered, and some went for
a stroll in the cool night air.
“They don’t believe in going to bed early,” was Mark’s comment.
“Well, I don’t blame them, it’s so nice and cool now and so hot during
the middle of the day.”
It had been arranged that all the boys should occupy two large
rooms, while the professor had a smaller room adjoining. As they
went in Amos Strong cautioned them not to disturb Hockley should
the latter be asleep.
“Why, he isn’t here!” exclaimed Mark, who was the first to look
around and make the discovery.
“Isn’t here?” came from the professor.
“No, sir, and the bed hasn’t been disturbed either.”
At once the professor’s face grew grave, and his mind went back to
a certain night in Caracas when Hockley had gone off with Dan
Markel and lost all his money. Had the youth been equally misguided
on this occasion?
“I will go below and make inquiries concerning him,” he said, and left
them.
“I’ll wager Glummy has gone and done it again,” said Frank in a low
voice.
“More than likely,” answered Sam. “How foolish for him if he has! He
might have had a very pleasant evening with us.”
“Oh, Glummy has a big head and thinks he knows it all,” came from
Darry. “Some time he’ll catch it worse than he did when he went out
with that Markel.”
So the comments of the boys ran on. In the meantime Professor
Strong had followed up Hockley from the hotel proper to the café and
here learned that the lad had come in early in the evening for a
package of cigarettes and then gone out on the street.
“Did he have any liquor?” asked Professor Strong, sharply.
“I do not think so, señor,” was the reply. This was a deliberate
falsehood, but the proprietor of the drinking resort did not wish to get
himself into any trouble.
More mystified than ever the professor went out on the street and
looked up and down. He could see nothing of Hockley, and now the
thoroughfares were becoming gradually deserted.
It must be confessed that Amos Strong was in a quandary. What had
become of his charge he could not imagine, although he strongly
feared that Hockley had gone off to see the sights and gotten into
some sort of trouble.
“I can learn nothing of him,” said he, on returning to the rooms
assigned the party. “All of you had better go to bed.”
“And what will you do, Professor?” asked Mark.
“I shall try to hunt him up. I cannot go to rest until I know something
about him.”
“Don’t you think it would be better for one of us to go with you?”
“No, I think I can get along alone.”
Such was Amos Strong’s decision, and he told them they had better
go to bed without delay. Mark and Frank were willing enough and
were soon in the land of dreams. But Darry and Sam sat by an open
window discussing the situation.
“After his experience with Dan Markel in Caracas you would think
Hockley would turn over a new leaf,” said Darry. “But he seems
bound to be wild, no matter what the cost.”
“We mustn’t judge too hastily, Darry. It is barely possible that
everything is all right.”
“Or that Glummy has gotten into trouble through no fault of his own.
If he is in trouble, he will certainly try to put it off on somebody else—
he always does.”
“It must be his nature. He can’t seem to help it.”
“He doesn’t try to help it. He wants to be smart, and when he fails he
isn’t man enough to shoulder the blame.”
For nearly an hour the boys remained at the window discussing the
strange disappearance. Then they followed Mark and Frank to bed,
and were soon sleeping with equal soundness.
The disappearance of Hockley, coupled with the fact that Professor
Strong did not return, awoke the lads early, and by seven o’clock
Darry and Sam were downstairs.
“Let us see if the professor is anywhere about,” suggested Darry,
and they were on the point of moving off when a hotel attendant
came up to them, a man from Florida who spoke English.
“Are you Samuel Winthrop?” he asked.
“I am,” answered Sam.
“I have a private note for you,” went on the attendant.
“A note? What can it mean?”
“Perhaps it’s from the professor?” suggested Darry.
Sam lost no time in tearing open the communication, which ran as
follows:
“Dear Sam: I have got myself in a tight hole and don’t
know how to get myself out of it. I am afraid the professor
will give me rats for getting into it. I think you can help me
a good deal—in fact, I know you can, if you will. Please
come to me at the Fairfax House—an English hotel. If you
bring anybody along let it be Darry. I don’t want the
professor to know of it, and please don’t tell Mark or
Frank, for they would only have the laugh on me. If the
professor wants to know, tell him you want to go on a little
private errand. Do this much for me and I will always be,
“Yours gratefully,
“J. Hockley.”
“Well, what do you make of that?” asked Sam, as he passed the
note over to his companion.
“Glummy is in some sort of fix, that’s certain,” answered Darry, after
reading the communication twice.
“He doesn’t say anything about money. I wonder what the fix can
be?”
Neither could imagine, but Sam determined to go to the Fairfax
House without delay, and inside of two minutes both were on the
way, without leaving word of their destination.
It was an easy matter to find the hostelry named, although to walk
there took longer than they had expected, for the Fairfax House was
situated in a new section of Havana and well toward the outskirts. It
was a modest, well-kept hotel, and on seeing this the boys felt
relieved.
“Looks all right,” was Sam’s comment. “Glad it isn’t the other kind.”
There was an old Cuban volante driver standing in front of the hotel,
and as they came up he accosted them in broken English.
“Pardon, señors,” he said. “Be you de gen’men by de name Winthrop
or de name Carane?”
“Yes, my name is Winthrop,” answered Sam. “And this is Mr. Crane.”
“Dat is verra fortunate, señors. You come to see Señor Hockley, not
so?”
“We did? Is he here?”
“He no here now. He had to go to udder house. He send me here to
drive you dare, señors,” and the Cuban bowed low.
“To drive to another house?” queried Darry.
“Yes, Señor Carane. Dare is my volante. Please to step in, señors.”
“Wait.” Sam caught Darry by the arm. “Is it far?” he questioned.
“Not verra far, señor—verra nice drive dis a-morning.”
“What is the matter with our friend, Mr. Hockley?”
At this the Cuban shrugged his shoulders. “Cannot tell, señor. He is
hurt in de back, I t’ink.”
“Hurt in the back!” came from both Sam and Darry.
“That looks bad,” continued the former. “Let us go to him by all
means.” And he followed the Cuban to the volante.
“It’s a wonder Hockley didn’t come straight to our hotel if he was
hurt,” said Darry. “But it’s just like him. He is as stubborn as an ox
when he wants to be.”
In Cuba the volante, or “flyer” is the national carriage. It is a two-
seated vehicle, slung on leathern straps between two very high
wheels. The shafts are fifteen feet long, and the horses are
harnessed tandem, the leader being for the postillion, or driver. It
makes a very comfortable turnout and, because of the width from
wheel to wheel, such a thing as a volante turning over is unknown.
They were soon moving over the highway at a good rate of speed.
The Cuban offered no more explanations and merely shrugged his
shoulders when questioned.
“Either he is very dumb or he doesn’t wish to explain,” whispered
Darry.
“I don’t suppose Glummy told him everything, Darry. Perhaps the
poor fellow is hurt too much for that.”
“He can’t be so badly off, or he wouldn’t have been able to write that
letter. By the way, what did you do with it?”
“Tore it up.”
They were now passing several private residences and a moment
later turned into a road which seemed almost deserted. Here the
trees grew so low down that they frequently brushed the boys’
heads.
“How much further?” demanded Sam.
“We come dare soon,” shouted back the Cuban, and whipped up his
horses harder than ever.
There was a small brook to cross and then they turned into another
side road. Here they beheld an old stone building, which looked
somewhat like a deserted convent. The windows were barred, but
the doorway stood open.
“He in dare, señors,” said the volante driver. “He have a fall not far
from here.”
The Cuban pointed to the old stone building.
“I don’t understand this,” muttered Sam. “First he said that Hockley
had to go to ‘udder house.’ Now he said he had a fall here.”
“Come on, I’m not afraid, Sam.”
So speaking Darry walked through the open doorway into the stone
building. There being nothing else to do, Sam followed, and the
volante driver came after the pair.
CHAPTER X
THE OLD CONVENT

At first both boys could see but little, for the room they had entered
was semi-dark, while outside the sun was shining brightly. But
gradually their eyes became accustomed to the gloom and then they
made out a staircase running to a floor above.
“Where is he?” demanded Sam, catching the volante driver by the
arm.
“Him up de stairs, señor. Better air up dare.”
“I should hope so,” muttered Darry and bounded up the stone steps
two at a time. Sam came on his heels, but the Cuban remained
below.
There was something of a hallway, dirty and covered with dead
leaves which past storms had blown into the barred slits of windows.
Then came a room with an iron door which stood half open.
Just then a moan reached their ears and it appeared to come from
the room. Thinking Hockley must be within they rushed past the iron
door.
“Jake, are you here?” called out Sam.
There was another moan, but where it came from puzzled both of
the lads.
“Jake, where are you?” exclaimed Darry. “We are here to help you,
Sam and I.”
Both moved forward, peering eagerly to the right and the left. There
were only two windows, each heavily barred, and they were far from
large.
Suddenly the boys heard the iron door shut and an instant later a
heavy bolt was slipped into place. Sam leaped back and shook the
barrier, to find it fast.
“We are locked in!” he ejaculated. “Darry, this is a trick!”
“A trick!” gasped the other. He too shook the door. “Hi! let us out!” he
called.
“Not just yet, my fine young fellows!” came in a strangely familiar
voice. “I did not bring you as far as this just for fun.”
“Why, it is Captain Sudlip!” exclaimed Sam, who could scarcely
believe his ears.
“Captain Sudlip, is that you?” called Darry.
“It is.”
“Where is Jake Hockley?”
“He is not far off.”
“Is he really hurt, or was it only a trick to get us here?”
“I’m not answering all your questions just yet,” returned the ex-
master of the Chester, tartly.
“If you brought us here on a fool’s errand you shall pay for it,” said
Sam.
“You had better not threaten me while you are prisoners.”
“Prisoners!” came from both.
“Do you intend to keep us prisoners?” demanded Sam.
“For the present, yes.”
“What for?”
“To pay you back for your impudence on board of my steamer, for
one thing.”
“We weren’t impudent. We merely stood up for our rights, and for the
rights of that negro you misused.”
“I won’t argue the point with you—at least not now.”
“What are you going to do?”
“Going to get back my rights. I know all about that paper your crowd
gave to my second mate. That paper was a mess of lies and I’m not
going to stand for it.”
“We simply put down the truth, Captain Sudlip,” answered Sam,
firmly. “And if you don’t let us go at once you’ll get yourself into a
worse situation than ever.”
“I can’t get into a much worse fix,” growled the ex-ship’s captain.
“I’ve lost my position and without a recommendation, too. If I can’t
get it back through your crowd I’m going to make you pay for it.
Reckon that professor of yours has considerable money, hasn’t he?”
went on Jason Sudlip, craftily.
“If he has you’ll never get any of it,” answered Darry, quickly. “I’d rot
here first before I’d let him give you any on my account.”
“And I say the same,” came from Sam.
“Reckon you’ll both sing a different tune when you are good and
hungry,” retorted the captain, but it was plain to tell by his tone that
this was not exactly the reply he had anticipated.
“Will you tell us where Hockley is?” went on Sam, after a painful
pause.
“He is not a million miles from here.”
“Is he a prisoner, too?”
“I won’t tell you.”
“How did he come to write that note?”
“I won’t tell you that either.”
The boys could now hear the volante driver calling up from below,
and a moment later they heard the captain move along the hall and
descend the stone stairs.
“Well, this is a pickle and no mistake,” grumbled Darry, when they
found themselves alone. “What do you make of it?”
“I hardly know what to make of it, so far,” was the slow answer. “For
all we know, Hockley has turned traitor to our crowd and is in with
the captain.”
“Do you think he is as bad as that?”
“If he isn’t, how did he come to write that note?”
“That’s true. But I shouldn’t think it, even of Hockley. Ever since we
saved him from that boa constrictor he has acted pretty decently, for
him.”
They moved over to the windows, to see if they could catch sight of
the captain or the volante. At first they saw nothing, but presently
they caught a flying glimpse.
“There go the both of them!” cried Sam. “Darry, we have been left to
our fate.”
“Glummy wasn’t with them.”
“No.”
“I wonder what Professor Strong will say when he finds we, too, are
missing?”
“He’ll be very much worried, no doubt of that. Perhaps he’ll set the
police on the track. I’d like to know if he found out anything about
Glummy.”
They did not intend to remain prisoners if they could help it, and so
set to work immediately, exploring every nook and corner of the
room, which was large and built in the shape of the letter L.
“I don’t see any way out, excepting by way of the iron door, and
that’s as fast as can be,” said Sam, after an hour had passed.
“Excepting we can pry off the bars from one of the windows.”
“Even if you did that, how are you going to get to the ground? It’s a
good eighteen or twenty feet. If you dropped that far on those stones
you might break a leg.”
“Oh, I’d risk a drop. Besides, we can make a rope by tearing up a
shirt, or one of our jackets. Anything to get away, to my way of
thinking.”
They examined the various bars to the windows and began
operations on one which looked to be more loose than the others.
But though they worked with a will on the mortar with their pocket-
knives, the stuff was hard and defied all their efforts.
“We ought to have one of Hockley’s dime novel heroes here,” said
Sam, grimly. “He’d twist this bar out in a jiffy.”
“Or one of the half-dime novel detectives,” returned Darry. “He’d find
a secret passageway leading down into a counterfeiter’s den, with a
trunk full of gold in the bargain.”
“Well, this is no laughing matter, Darry. That ride made me hungry. If
I had known this I’d have had breakfast before I started.”
“Yes, indeed, and I’d have packed a big lunch box in the bargain,
Beans. But don’t mention food—it only makes me more hungry. Let’s
take another look around.”
“Bound to find that passageway to the counterfeiter’s den, eh? All
right, Old Flashlight, go ahead and make yourself famous.”
Both boys laughed in spite of the seriousness of the situation, and
then began another hunt around the room.
“I see something that I didn’t notice before,” observed Darry, after
searching around for a quarter of an hour. “Do you see this wall? Right
above my reach it is depressed for about a foot. If you’ll boost me up
to the ledge I’ll feel around there for an opening.”
“To be sure I’ll boost you up. But don’t fall and hurt yourself.”
Once up on the ledge, Darry felt around with care. As before, he
found plenty of dirt and mixed in with this were two or three musty
books, a couple of empty bottles, and other odds and ends of no
value whatever.
“Here’s some reading for you—it will help to pass the idle hours,”
cried Darry, tossing the books to Sam.
“They are Spanish prayer books,” said Sam, examining them by the
light of one of the windows. “They are dated fifty and sixty years
back.”
“I thought I had struck rare volumes worth a few thousand dollars,”
returned Darry, dryly. “Too bad! Old Flashlight must renew his
wondrous search! If we only—hullo!”
Darry broke off short and Sam heard the creaking of rusty iron.
“What have you discovered now?” he asked, after an anxious pause.
“Discovered a door, as sure as you live!” exclaimed Darry, and now
he was quite excited. “Hurrah, it’s daylight!”
He had pushed in a small iron door and true enough both could see
a streak of sunlight beyond, streaming into a small stone
passageway. In the passageway was an iron ladder, leading to the
flat roof of the building. There was a trap door above, which the
storms of years had moved several inches out of place.
It did not take Darry long to give Sam a hand up to the ledge, and
then both boys entered the little passageway and crawled up the iron
ladder. The trap door was thrown open and they came up onto the
flat roof of the building. Near at hand was a sloping roof and also a
square tower, all much dilapidated and covered in spots with heavy
trailing vines.
“So far so good,” exclaimed Darry, as he walked over to examine the
tower. “Now if we can only get to the ground from here we’ll be all
right.”
“There must be another stairway to the lower floor, Darry.”
“To be sure, and it’s likely in the tower. Come on.”
Without much difficulty they crawled to the tower in question. Here
they found another trap door, but it was tightly fastened and although
they did their best they could not budge it.
“Stumped again,” grumbled Darry. “Did you ever see such luck?”
“I know what I’m going to do!” exclaimed Sam, suddenly. “I’m going
to climb down on the vines. I am sure they are strong enough.”
“Just the thing! Why didn’t we think of it before?”
They ran over to the edge of the tower and began to test the vines.
Then Sam let himself down a few feet and Darry did the same. Soon
they were moving downward, slowly and cautiously.
“There goes that volante again!” cried Darry, presently. “But it didn’t
have the captain in it.”
“Let us get away as quickly as we can,” came from Sam. “If we don’t
we may run into more trouble.”
“Hi, you boys, come back here!” was the cry which reached their
ears. “Come back, I say!”
In amazement, both looked up. There on the tower stood Captain
Sudlip, shaking his fist at them!
CHAPTER XI
A STRANGE STORY

It was plain to see that Captain Jason Sudlip was as much surprised
as were Sam and Darry. He had returned in the volante expecting to
find the two prisoners just where he had left them. Seeing them thus
escaping upset all of his calculations.
“Come back here, I say!” he stormed. “Come back!”
“Not much!” replied Darry. “If you want us, crawl down after us.”
“Don’t tell him that!” put in Sam, in a whisper. “He’ll go below and try
to cut us off.”
“Are you coming back?” demanded the ex-master of the Chester.
“Wait a minute until I unloosen my jacket,” returned Sam. “It’s caught
fast on a vine.”
“Gracious, you’re not going back, are you?” whispered Darry, in
dismay.
“No—we’ll fool him,” said Sam, in a still lower voice. Then he
continued aloud: “We may as well give in, Darry, he’s got the best of
us.”
“I hate to do it, but I’ll follow you,” answered Darry, also in a loud
voice. “Will you climb up first?”
“Yes. But I’m caught fast. Wait till I cut that vine loose.”
This talk reached Captain Sudlip’s ears—as it was intended it should
—and his wrathful look gave place to a grim smile.
“Thought I’d make ’em knuckle under,” he muttered.
In the meantime Sam and Darry continued to climb down with all
speed. It was hard for Captain Sudlip to look down at them but he
felt the vines moving. He waited a few seconds. Then he heard a dull
thud as both boys dropped to the ground below.
“Hi! you!” he yelled, and his face changed instantly. “Aren’t you
coming up? Well, I’ll be jiggered!”
For at that moment he caught sight of the two boys, hurrying down
the road leading away from the old convent. They were going at their
best rate of speed and soon disappeared from view.
“Lost ’em!” he muttered and shook his fist in impotent rage. “First
one and now two. I must get out of here. This spot will soon be too
hot to hold me!”
In the meantime the boys had made good their escape, with no
injury excepting half a dozen scratches from the rough vines and the
convent wall. On striking the ground their one thought had been to
put distance between themselves and their enemy, and they ran a
good way before they dropped into a walk.
“That was an adventure truly,” puffed Darry. “Wonder what Professor
Strong will say when he hears of it.”
“We ought to have Captain Sudlip locked up, Darry. Besides we don’t
know yet what has become of Hockley.”
“That’s true. What do you propose?”
Both boys stopped short, to give the situation consideration.
“Let us stop at the first house we come to. Perhaps we can get help
there. If we go all the way back to the hotel it will give the captain an
elegant chance to clear out.”
“All right, Beans, the next house it is,” answered Darry.
It was not long after this that they came in sight of a beautiful villa,
set in a mass of tropical flowers. There was an avenue of palms
leading up to the front veranda and at one side a beautiful fountain of
marble.
On the veranda they found a young lady, sitting in a hammock
reading a novel. She received them politely and they were glad to
learn that she spoke excellent English.
“Papa is not at home at present,” she said. “He left last week to go to
Key West, Florida, on business. Is there anything I can do for you?”
A long conversation ensued, and the boys learned that the young
lady’s name was Isabel Valois. Her father was a tobacco exporter
and owned large plantations both in Cuba and in Porto Rico. She
had been educated in a private seminary in Havana, but had spent
two years at a young lady’s school in the United States. She listened
to their tale with close attention and a face full of concern.
“I think I saw Captain Sudlip drive past yesterday in the volante of
which you speak. And late last night I heard somebody drive past at
a furious rate of speed. I am willing to help you all I can, but there
are at present only three old servants here and one has to look after
my mamma, who is an invalid. Perhaps it would be best for you to
take our carriage and drive back to town or to some other house for
assistance.”
“Thank you, we’ll take the carriage, if you don’t mind. Have you
somebody to drive it and show the way?”
“Yes—myself,” and she laughed merrily. “The adventure will just suit
me. While old Jose is harnessing up you shall have breakfast.”
As both were tremendously hungry they could not resist this
invitation, and soon they were seated in a broad and cool dining hall
and eating the food which was hastily prepared for them. The meal
did not take long and by the time it was over Isabel Valois drove
around with a comfortable carriage of American manufacture. They
climbed in, there was a merry crack of the whip, and off they started
in the direction of Havana proper.
Had their minds been at ease, Sam and Darry would have enjoyed
that ride thoroughly, for Isabel Valois handled the reins with skill, and
the team was a spirited one. She was what Darry called a “jolly” girl,
and as they passed along she entertained them with a bright flow of
talk, as she pointed out many objects of interest.
“I like the people from the United States,” she said, archly. “And I
was so disappointed when Cuba was not taken into the Union. But
papa says it is bound to come sooner or later.”
“And it will,” answered Sam. “But tell me,” he went on, “were you at
home when Havana was blockaded?”
“To be sure I was, and many were scared to death, for fear the big
guns on the warships would bombard our homes. Once, when a wild
shot did come this way, all the servants ran down into our cellar and
hid in a corner.”
“And weren’t you scared?” asked Darry, with a twinkle in his eye.
“No, I was not. I knew the Americans were our friends and would not
hurt us.”
“I am afraid we hurt some Cubans down at Santiago.”
“Oh, that was different. Here it was only a blockade—that was a
direct attack.”
The drive into the city of Havana took them past the Fairfax House,
and here the boys determined to stop and learn if anything had been
seen or heard of Hockley.
They had just leaped to the pavement when Professor Strong ran
forward to meet them.
“Crane and Winthrop!” he ejaculated. “What does this mean?”
“It’s a long story, sir,” answered Sam. “Have you seen anything of
Hockley?”
“No. I was looking for him the best part of the night and also for you,
after I learned that you, too, were missing. I traced Hockley and you
to this hotel by the note which you tore up and which Mark and Frank
patched together. Did you follow Hockley up?”
“We don’t know,” answered Darry, and continued soberly: “It looks as
if poor Glum—I mean Jake—had met with foul play.”
Isabel Valois was introduced, and the discovery was made that
Professor Strong had met her father years before. Then the two boys
told their story. As they proceeded Amos Strong’s face grew dark.
“This Captain Sudlip is a scoundrel!” he murmured. “We shall have
to notify the police. He has been discharged from the command of
the Chester, and it has made him vindictive.”
“So he has lost command of the steamer?” asked Darry.
“Yes. The owners were very angry that he did not have those repairs
made at La Guayra, where they would have been cheaper, it seems,
than here. Then they read the note that we signed, and Captain
Sudlip got his walking papers. I heard afterward that the owners
were tired of him as it was. But of course he lays the blame of his
discharge on us. We may have to——”
“Here comes Hockley!” broke in Darry.
He pointed up the street and all looked in that direction. It was the
lank youth sure enough, but so haggard, ragged and dirty that they
scarcely recognized him. He did not see them until he was close at
hand and then he started and flushed guiltily.
“Hockley, what does this mean?” demanded Professor Strong, but
his voice was not particularly harsh, for he saw that the big youth
had suffered.
“Oh, I’m so glad to get back,” said the truant, when he could speak.
“I’m nearly dead, sir.”
“Where have you been?”
“It’s all that Captain Sudlip’s fault, sir. He got me in a regular box,”
whined Hockley. Then he looked at Sam and Darry. “I thought he—
he carried you off, too.”
“He didn’t carry us off. We tried to follow you, after you wrote that
you were in trouble and wanted us to come.”
“I didn’t write any such note.”
“You didn’t!” burst out Sam and Darry, simultaneously.
“No, I didn’t. I wrote a note for Captain Sudlip, but it wasn’t that.”
“What was it?”
At first Hockley did not want to answer this question, but he finally
admitted that he had written a note stating that Captain Sudlip had
treated him first-class while on the Chester and that he was satisfied
the captain was a good man. He did not add that he had also written
that there was a plot against the captain, hatched out, shortly after
leaving Kingston harbor, by Professor Strong, and the second mate.
“I had to write the note. The captain had me a prisoner and he
threatened me in all sorts of ways,” concluded Hockley.
Again there was a conference, and it was decided that they no
longer needed the services of Isabel Valois, although the young lady
said she would place her carriage at their disposal as long as they
wished it.
“You must surely call on me before you leave Havana,” said she. “I
wish to hear the end of this adventure,” and Sam and Darry
promised.
On the way to the hotel at which the party were stopping Hockley
told his story in detail only leaving out the fact that he had been
drinking and that when he left the café it had been with the intention
of seeking amusement at some low theater.
“I thought I’d take a walk and try to get rid of my headache,” he said.
“I walked further than I intended, and when I was on something of a
lonely street I noticed that I was being followed. It was Captain
Sudlip, and behind him came a Cuban who was driving one of those
volantes. The captain came up to me and started to talk. He was
very friendly and humble and said if he lost his job he wouldn’t know
where to look for another. Then he asked me to ride over to the
home of one of the owners of the steamer and put in a good word
for him, and I consented.”
Hockley could tell but little of the ride that had followed, for the
reason that his head had been muddled by the liquor he had
imbibed. He put it down to a headache, and it is quite likely that he
did have a headache.
“At last we stopped in front of some sort of stone building,” he
continued, “and the captain took me inside. Then he laughed at me
and told me I was a prisoner. We had a fight and he knocked me
down and tore my clothing as you see. Then he made me write that
letter. He wanted me to write to the other boys but I refused. After
that he left me alone in the dark. I crawled around until I got to a
barred window. One of the bars was loose and I pulled it out and
crawled through the window. Then I started to run across a field but
fell into a hole and struck my head on a stone. I don’t know how long
I lay there. But when I got up it was light, and then I started to walk
back into town, for I hadn’t a cent left with which to hire a carriage.”
CHAPTER XII
ABOUT CUBA AND TOBACCO RAISING

By the time Hockley had finished his story the party had reached the
hotel, where Mark and Frank were found, wondering what was going
on. They still had the pieces of the torn-up note in their possession,
and now it was noticed that it was written in a crude imitation of
Hockley’s handwriting.
“Jake, we owe you an apology for having thought you wrote that,”
said Sam, frankly.
“Yes,” put in Darry. “We owe you an apology true enough. I guess
you were locked up in the same old convent we were in,” he went
on.
“I am going to proceed against Captain Sudlip without delay,” said
Professor Strong. “We have a strong case against him and he shall
suffer for his misdeeds.”
But though the professor spoke thus, to proceed was no easy matter.
When the old convent was visited no trace of the ex-master of the
Chester was to be found, nor could his whereabouts be traced from
the Fairfax House. The Cuban who had driven the volante had
likewise disappeared.
“Stumped!” said Darry, laconically. “He knows enough to keep shady.
He won’t show himself until after we are gone, and neither will that
rascally Cuban.”
Owing to what had occurred, it was resolved to remain in Havana for
the balance of the week, and during the next few days all the boys
spent a large part of their time in sight-seeing. They inspected Morro
Castle, and a guide explained how it had been fortified during the
Spanish-American War, and they also visited some of the other
fortifications. Next came a trip to the post-office, treasury building,
the military offices and the cathedral. At the latter place they were
shown an urn said to contain the bones of Columbus.
“Are they really his bones?” asked Mark.
“More than likely,” answered Professor Strong. “Yet this statement
has often been disputed. Some say the bones are in Spain and
others that they are in South America. It matters little where his
bones lie. The fame of Columbus will ever remain the same.”
After the visit to the cathedral came another to the public art gallery,
and the museum, and they also visited both the Cuban and the
English cemeteries, beautiful spots, with many tall and imposing
monuments. They also drove out to Principe Castle and spent two
days at other points in the suburbs.
A railroad runs from Havana, south-westward to Pinar del Rio, a
distance of about a hundred miles, and it was decided that one day
should be spent at this city, the most important in the extreme
western section of Cuba. This railroad was formerly of small
importance but since the dawn of Cuban liberty, matters have taken
a brisker turn.
“They had the same trouble here that they are having in South
America,” said the professor, during the journey. “The natives do not
take to the cars, no matter how low the fare. They prefer to journey
on muleback or on foot, even though it takes much longer.”
“What a difference between that and our own country,” said Frank,
with a laugh. “Just let a railroad lop off an hour from the running time
between New York and Chicago, or between Chicago and San
Francisco, and everybody runs to ride on that railroad.” And then all
laughed.
“How large is Cuba?” asked Darry. “I did know, but I stored the
knowledge away so carefully that I’ve forgotten where I put it.”
“Cuba is, roughly speaking, over seven hundred miles from east to
west, and from fifty to a hundred miles from north to south. It
contains nearly forty-four thousand square miles of territory, but a
large portion of this is either very rocky, as in the mountains, or else
very marshy, as along the seacoast. There is a mountain range
running almost the entire length of the island. It is called the Sierra
del Cobra, and boasts of one peak, the Pico de Torginno, 7,670 feet
high. Besides this range of mountains there are numerous hills,
particularly in the east.”
“What of the rivers?” asked Frank.
“As in Jamaica the rivers do not amount to a great deal, for the water
flows directly from the mountains into the sea. There is one, called
the Cauto, which empties on the south coast, just north of
Manzanillo. This can be navigated by small craft for a distance of
sixty miles. But there are a number of bays which make good
harbors. The one at Santiago de Cuba is particularly fine.”
“Where the great fight came off, and where Hobson sunk the
Merrimac!” cried Sam. “We must see that by all means. I once saw
the Merrimac, but she was only a coal boat at that time.”
“The Monitor sunk the Merrimac,” came from Hockley, who was half
asleep in his seat. And then as the other boys began to laugh he
straightened up. “What are you laughing at anyway?” he growled. “I
know I’m right.”
“We are talking about the Spanish-American War, not the Civil War,”
explained the professor.
“Oh!”
“There are only two great industries in Cuba,” went on Professor
Strong. “But some day there will be a third. The two are tobacco and
sugar. They dominate trade and have made many Spaniards and
Cubans rich. The town we are now bound for, Pinar del Rio, is the
center of trade of the Vuelta Abajo tobacco district. The folks for
miles around do nothing but raise tobacco.”
“And what will that third industry be?” asked Darry.
“The development of the mineral resources of the island. There are
large quantities of minerals in the mountains, and sooner or later
companies will be organized to dig them out. The very name of the
mountain, Sierra del Cobra, means Copper Mountains.”
“I’d like to explore those mountains,” said Mark. “It would be lots of
fun to peep down into an extinct volcano or two.”
“We can do that when we get to other places, Mark. South America
is full of old volcanoes.”
“That’s the talk!” cried Frank, enthusiastically. “We’ll become volcano
explorers. It will be fine. Who knows but that we may find a fortune in
gold.”
The ride to Pinar del Rio soon came to an end. The boys were
somewhat disappointed in the town, which boasts of about nine
thousand inhabitants. There are but few public buildings of note and
everything looked rather hot and dusty. But the tobacco warehouses
were something new to them, and the professor had a Cuban who
could speak English take them around.
“Tobacco is grown in various ways in different countries,” said the
professor, as they walked around. “But the usual method, and the
easiest, is to plant the seed in a specially prepared garden, or hot-house
frame. As soon as it is up a few inches the plants are taken to
the field and each is set out on its own little hill. Plants, to be good,
require constant care, especially against the insects, that would
otherwise eat holes in the leaves and render them of small value.
“When the leaves are full grown the plant is cut down and the leaves
are hung up, ends down, to dry. From this drying process they are
taken to the curing shed where they are thoroughly cured, after
which they are ready for packing, in hogsheads or large cases. How
they make cigars you saw down in Venezuela.”
“My father frequently has cigars that are all spotted,” said Mark.
“What do the spots come from?”
“If they are genuine they come from a gum in the leaf, which appears
on the surface when the leaf is fully ripe. But many of the spots—
which some smokers look for—are put on artificially.”
“What about smoking tobacco and snuff?” asked Darry.
“And cigarettes?” put in Hockley.
“Smoking tobaccoes are nothing more than tobacco leaves cut up in
various ways and snuff is tobacco ground up. The smoking
tobaccoes are flavored with a hundred and one different things and
chemicals are often used to keep them moist, and this treatment is
also true of chewing tobacco. Some snuffs are allowed to rot before
being used and others are baked, and many of them are perfumed.
As to cigarettes, the best of them are made of carefully selected
tobacco leaves, cut fine, and rolled up in a high grade of specially
prepared rice paper. But the ordinary cigarette, of which millions are
sold, is made of the very commonest of tobacco, adulterated in many
ways, and is utterly unfit for smoking. These cigarettes, often used
by boys and young men, are so utterly bad that even old
tobacco-saturated Cubans—like these working around this warehouse—
cannot use them without feeling sick.”
The last words were uttered for Hockley’s benefit. The eyes of the
tall youth sought the ground and a moment later he turned away. But
it was evident that he was doing some deep thinking. A little later,
when he felt he was unobserved, he dropped a half package of
cigarettes in an out-of-the-way corner.
The ride back to Havana in the cool of the evening was delightful
and the boys enjoyed it thoroughly, that is, all but Hockley, who soon
went to sleep.
“I really can’t see why he came with us,” observed Sam to the
others, in a low tone. “He doesn’t seem to enjoy the sight-seeing a
bit.”
“He wants something more startling,” answered Frank. “He told me
this morning that everything was dead slow. He wants more sport. If
he had his way I really believe he’d turn in to paint the town red, as
they call it.”
“I don’t believe he told us the whole truth about his meeting with
Captain Sudlip, do you?”
“No, I don’t. I think he went out for a good time and perhaps he had
some liquor.”