PDF Principles of Information Security Fifth Edition Mattord Ebook Full Chapter

Principles of information security Fifth
Edition Mattord
Visit to download the full and correct content document:
https://textbookfull.com/product/principles-of-information-security-fifth-edition-mattord/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Principles of Information Security 6th Edition Whitman
https://textbookfull.com/product/principles-of-information-
security-6th-edition-whitman/
Encyclopedia of Information Science and Technology

Fifth Edition Mehdi Kosrow
https://textbookfull.com/product/encyclopedia-of-information-
science-and-technology-fifth-edition-mehdi-kosrow/
Principles of information systems Ralph Stair
https://textbookfull.com/product/principles-of-information-
systems-ralph-stair/
Principles of Computer Security: CompTIA Security+ and

Beyond Conklin
https://textbookfull.com/product/principles-of-computer-security-
comptia-security-and-beyond-conklin/
Business driven information systems Fifth Edition.
Edition Baltzan
https://textbookfull.com/product/business-driven-information-
systems-fifth-edition-edition-baltzan/
Information technology control and audit Fifth Edition

Otero
https://textbookfull.com/product/information-technology-control-
and-audit-fifth-edition-otero/
Principles of Security and Trust Lujo Bauer
https://textbookfull.com/product/principles-of-security-and-
trust-lujo-bauer/
Real estate principles: a value approach Fifth Edition

Archer
https://textbookfull.com/product/real-estate-principles-a-value-
approach-fifth-edition-archer/
Fundamentals of information systems security 3rd

Edition Kim
https://textbookfull.com/product/fundamentals-of-information-
systems-security-3rd-edition-kim/
Fifth
Edition
Principles of Information SEcurity

To register or access your online learning solution or purchase materials
for your course, visit www.cengagebrain.com.
Whitman
Mattord
48367_cvr_ptg01_hires.indd 1 16/10/14 7:37 PM

Principles of Information Security
Fifth Edition
Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, Ph.D., CISM, CISSP

Kennesaw State University
Australia • Brazil • Mexico • Singapore • United Kingdom • United States

Principles of Information Security, © 2016, 2012 Cengage Learning
Fifth Edition
WCN: 01-100-101
Michael E. Whitman and
Herbert J. Mattord ALL RIGHTS RESERVED. No part of this work covered by the
copyright herein may be reproduced, transmitted, stored, or used in
SVP, GM Skills & Global Product Management:
any form or by any means—graphic, electronic, or mechanical,
Dawn Gerrain
including but not limited to photocopying, recording, scanning,
Product Development Manager: Leigh Hefferon digitizing, taping, Web distribution, information networks, or
Senior Content Developer: Natalie Pashoukos information storage and retrieval systems, except as permitted under
Development Editor: Dan Seiter Section 107 or 108 of the 1976 United States Copyright Act—without
the prior written permission of the publisher.
Product Assistant: Scott Finger
Vice President, Marketing Services:
For product information and technology assistance, contact us at
Jennifer Ann Baker
Cengage Learning Customer & Sales Support, 1-800-354-9706
Senior Marketing Manager: Eric La Scola For permission to use material from this text or product, submit all
Senior Production Director: Wendy Troeger requests online at www.cengage.com/permissions.
Production Director: Patty Stephan Further permission questions can be e-mailed to
permissionrequest@cengage.com
Senior Content Project Manager:
Brooke Greenhouse
Library of Congress Control Number: 2014944986
Managing Art Director: Jack Pendleton
ISBN: 978-1-2854-4836-7
Software Development Manager: Pavan Ethakota
Cover image(s): ©iStockphoto.com/Vertigo3d
Cengage Learning
20 Channel Center Street
Boston, MA 02210
USA
Cengage Learning is a leading provider of customized learning

solutions with office locations around the globe, including Singapore,
the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your
local office at: www.cengage.com/global.
Cengage Learning products are represented in Canada by

Nelson Education, Ltd.
To learn more about Cengage Learning, visit www.cengage.com

Purchase any of our products at your local college store or at our
preferred online store www.cengagebrain.com.
Notice to the Reader
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product
information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided
to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described
herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such
instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or
merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect
to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of,
or reliance upon, this material.
Printed in the United States of America

Print Number: 01 Print Year: 2014
To Rhonda, Rachel, Alex, and Meghan, thank you for your loving support.
—MEW
To my granddaughter Ellie; the future is yours.

—HJM
Brief Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
CHAPTER 1
Introduction to Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
CHAPTER 2
The Need for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
CHAPTER 3
Legal, Ethical, and Professional Issues in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
CHAPTER 4
Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
CHAPTER 5
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
CHAPTER 6
Security Technology: Firewalls and VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
CHAPTER 7
Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools . . . . . 355
CHAPTER 8
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
CHAPTER 9
Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
CHAPTER 10
Implementing Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
CHAPTER 11
Security and Personnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
CHAPTER 12
Information Security Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
v
Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
CHAPTER 1
Introduction to Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The History of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The 1960s . . . . . . . . . . ............................................................. 4
The 1970s and 80s. . . . ............................................................. 5
The 1990s . . . . . . . . . . ............................................................. 9
2000 to Present . . . . . . ............................................................. 9
What Is Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Key Information Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Critical Characteristics of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
CNSS Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Components of an Information System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Balancing Information Security and Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Approaches to Information Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Security in the Systems Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
The Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
The Security Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Software Assurance—Security in the SDLC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Software Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
The NIST Approach to Securing the SDLC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Security Professionals and the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Senior Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Information Security Project Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Data Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Communities of Interest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Information Security Management and Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Information Technology Management and Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Organizational Management and Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Information Security: Is It an Art or a Science? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Security as Art . . . . . . . . . . . . . ...................................................... 38
Security as Science . . . . . . . . . . ...................................................... 39
Security as a Social Science . . . . ...................................................... 39
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
vii
viii Table of Contents
CHAPTER 2
The Need for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Business Needs First . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Threats and Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.5 Billion Potential Hackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Other Studies of Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Common Attack Pattern Enumeration and Classification (CAPEC). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
The 12 Categories of Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Compromises to Intellectual Property. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Software Piracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Copyright Protection and User Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Deviations in Quality of Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Internet Service Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Communications and Other Service Provider Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Power Irregularities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Espionage or Trespass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Hackers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Hacker Variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Password Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Forces of Nature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Fire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Earthquakes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Lightning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Landslides or Mudslides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Tornados or Severe Windstorms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Hurricanes, Typhoons, and Tropical Depressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Tsunamis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Electrostatic Discharge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Dust Contamination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Human Error or Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Information Extortion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Sabotage or Vandalism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Online Activism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Back Doors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks . . . . . . . . . . . . . . . . . . . . . . . . 88
E-mail Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Communications Interception Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Technical Hardware Failures or Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
The Intel Pentium CPU Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Mean Time Between Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Technical Software Failures or Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
The OWASP Top 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
The Deadly Sins in Software Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Technological Obsolescence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Theft. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Selected Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Table of Contents ix
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
CHAPTER 3
Legal, Ethical, and Professional Issues in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Law and Ethics in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Organizational Liability and the Need for Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Policy Versus Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Types of Law. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Relevant U.S. Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
General Computer Crime Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Export and Espionage Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
U.S. Copyright Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Financial Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Freedom of Information Act of 1966 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Payment Card Industry Data Security Standards (PCI DSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
State and Local Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
International Laws and Legal Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
U.K. Computer Security Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Australian Computer Security Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Council of Europe Convention on Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights . . 128
Digital Millennium Copyright Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Ethics and Information Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Ethical Differences Across Cultures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Ethics and Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Deterring Unethical and Illegal Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Codes of Ethics at Professional Organizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Major Information Security Professional Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Key U.S. Federal Agencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Department of Homeland Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
U.S. Secret Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Federal Bureau of Investigation (FBI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
National Security Agency (NSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
CHAPTER 4
Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Information Security Planning and Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
x Table of Contents
Planning Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Planning and the CISO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Information Security Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Information Security Governance Outcomes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Information Security Policy, Standards, and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Policy as the Foundation for Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Systems-Specific Security Policy (SysSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
The Information Security Blueprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
The ISO 27000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
NIST Security Models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Other Sources of Security Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Design of Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Security Education, Training, and Awareness Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Security Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Security Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Security Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Continuity Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
The CP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Business Impact Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Disaster Recovery Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Business Continuity Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Crisis Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
The Consolidated Contingency Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
CHAPTER 5
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
An Overview of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Know Yourself. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Know the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
The Roles of the Communities of Interest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Risk Appetite and Residual Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Planning and Organizing the Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Identifying, Inventorying, and Categorizing Assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Classifying, Valuing, and Prioritizing Information Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Identifying and Prioritizing Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Specifying Asset Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Planning and Organizing Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Table of Contents xi
Determining the Loss Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Evaluating Loss Magnitude . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Calculating Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Assessing Risk Acceptability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
The FAIR Approach to Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Risk Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Selecting Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Justifying Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Implementation, Monitoring, and Assessment of Risk Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Quantitative Versus Qualitative Risk Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Benchmarking and Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Recommended Risk Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Documenting Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
The NIST Risk Management Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
CHAPTER 6
Security Technology: Firewalls and VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Access Control Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Access Control Architecture Models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Firewall Processing Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Firewall Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Selecting the Right Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Configuring and Managing Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Content Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Protecting Remote Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Virtual Private Networks (VPNs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
CHAPTER 7
Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools . . . . . 355
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
xii Table of Contents
IDPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Why Use an IDPS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Types of IDPSs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
IDPS Detection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
IDPS Response Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Selecting IDPS Approaches and Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Strengths and Limitations of IDPSs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Deployment and Implementation of an IDPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Measuring the Effectiveness of IDPSs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Honeypots, Honeynets, and Padded Cell Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Trap-and-Trace Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Active Intrusion Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Scanning and Analysis Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Port Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Firewall Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Operating System Detection Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Vulnerability Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Packet Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Wireless Security Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
CHAPTER 8
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Foundations of Cryptology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Cipher Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Substitution Cipher. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Transposition Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Exclusive OR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Vernam Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Book-Based Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Cryptographic Algorithms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Symmetric Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Asymmetric Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Encryption Key Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Cryptographic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Public Key Infrastructure (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Hybrid Cryptography Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Protocols for Secure Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Securing Internet Communication with S-HTTP and SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Securing E-mail with S/MIME, PEM, and PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Securing Web Transactions with SET, SSL, and S-HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Table of Contents xiii
Securing Wireless Networks with WEP and WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Securing TCP/IP with IPSec and PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
CHAPTER 9
Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Physical Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Physical Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Fire Security and Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Fire Detection and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Failure of Supporting Utilities and Structural Collapse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Heating, Ventilation, and Air Conditioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Power Management and Conditioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Water Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Structural Collapse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Maintenance of Facility Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Interception of Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Securing Mobile and Portable Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Remote Computing Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Special Considerations for Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
CHAPTER 10
Implementing Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Information Security Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Developing the Project Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Project Planning Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
The Need for Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Security Project Management Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Technical Aspects of Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Conversion Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
The Bull’s-Eye Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
To Outsource or Not . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Technology Governance and Change Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
The SANS Top 20 Critical Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
xiv Table of Contents
Nontechnical Aspects of Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

The Culture of Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Considerations for Organizational Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Information Systems Security Certification and Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Certification Versus Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
The NIST Security Life Cycle Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
NSTISS Certification and Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
ISO 27001/27002 Systems Certification and Accreditation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
CHAPTER 11
Security and Personnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Positioning and Staffing the Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Staffing the Information Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Credentials for Information Security Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
(ISC)2 Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
ISACA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
SANS Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
EC Council Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
CompTIA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
ISFCE Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Certification Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Advice for Information Security Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Employment Policies and Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Job Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Background Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Employment Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
New Hire Orientation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
On-the-Job Security Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Evaluating Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Termination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Security Considerations for Temporary Employees, Consultants, and Other Workers .................. 580
Temporary Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................. 580
Contract Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................. 580
Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................. 581
Business Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................. 581
Internal Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Privacy and the Security of Personnel Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Table of Contents xv
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
CHAPTER 12
Information Security Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Security Management Maintenance Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
NIST SP 800-100, Information Security Handbook: A Guide for Managers . . . . . . . . . . . . . . . . . . . . . . 593
The Security Maintenance Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Digital Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
The Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
Affidavits and Search Warrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Evidentiary Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Preface
As global networks expand the interconnection of the world’s information systems,

the smooth operation of communication and computing solutions becomes vital. However,
recurring events such as malware and phishing attacks and the success of criminal attackers
illustrate the weaknesses in current information technologies and the need to provide
heightened security for these systems.
When attempting to secure their existing systems and networks, organizations must draw on
the current pool of information security practitioners. But, to develop more secure comput-
ing environments in the future, these same organizations are counting on the next generation
of professionals to have the correct mix of skills and experience to anticipate and manage
the complex information security issues that are sure to arise. Thus, improved texts with
supporting materials, along with the efforts of college and university faculty, are needed to
prepare students of technology to recognize the threats and vulnerabilities in existing sys-
tems and to learn to design and develop the secure systems needed in the near future.
The purpose of Principles of Information Security, Fifth Edition, is to continue to meet the
need for a current, high-quality academic textbook that surveys the discipline of information
security. While dozens of good publications on information security are oriented to the
practitioner, there remains a severe lack of textbooks that provide students with a balanced
introduction to both security management and the technical components of information
security. By creating a book specifically from the perspective of information security, we
hope to close this gap. Further, there is a clear need to include principles from criminal jus-
tice, political science, computer science, information systems, and other related disciplines to
xvii
xviii Preface
gain a clear understanding of information security principles and formulate interdisciplinary

solutions for systems vulnerabilities. The essential tenet of this textbook is that information
security in the modern organization is a problem for management to solve, and not one that
technology alone can address. In other words, an organization’s information security has
important economic consequences for which management will be held accountable.
Approach
Principles of Information Security, Fifth Edition, provides a broad review of the entire field of
information security, background on many related elements, and enough detail to facilitate an
understanding of the topic as a whole. The book covers the terminology of the field, the his-
tory of the discipline, and strategies for managing an information security program.
Structure and Chapter Descriptions

Principles of Information Security, Fifth Edition, is structured to follow a model called the
security systems development life cycle (or SecSDLC). This structured methodology can be
used to implement information security in an organization that has little or no formal infor-
mation security in place. The SecSDLC can also serve as a method for improving established
information security programs. The SecSDLC provides a solid framework very similar to that
used in application development, software engineering, traditional systems analysis and
design, and networking. This textbook’s use of a structured methodology is intended to pro-
vide a supportive but not overly dominant foundation that will guide instructors and students
through the information domains of information security. To serve this end, the book is orga-
nized into six sections and 12 chapters.
Section I—Introduction
Chapter 1—Introduction to Information Security The opening chapter estab-
lishes the foundation for understanding the broader field of information security. This is
accomplished by defining key terms, explaining essential concepts, and reviewing the origins
of the field and its impact on the understanding of information security.
Section II—Security Investigation Phase

Chapter 2—The Need for Security Chapter 2 examines the business drivers
behind the design process of information security analysis. It examines current organiza-
tional and technological security needs while emphasizing and building on the concepts pre-
sented in Chapter 1. One principal concept presented here is that information security is
primarily a management issue rather than a technological one. To put it another way, the
best practices within the field of information security involve applying technology only after
considering the business needs.
The chapter also examines the various threats facing organizations and presents methods for
ranking and prioritizing these threats as organizations begin their security planning process.
The chapter continues with a detailed examination of the types of attacks that could result
from these threats and how these attacks could affect the organization’s information systems.
The chapter also provides further discussion of the key principles of information security,
Preface xix
some of which were introduced in Chapter 1: confidentiality, integrity, availability, authenti-

cation and identification, authorization, accountability, and privacy.
Chapter 3—Legal, Ethical, and Professional Issues in Information

Security In addition to being a fundamental part of the SecSDLC investigation process,
a careful examination of current legislation, regulation, and common ethical expectations of
both national and international entities provides important insights into the regulatory con-
straints that govern business. This chapter examines several key laws that shape the field of
information security and examines the computer ethics to which those who implement secu-
rity must adhere. Although ignorance of the law is no excuse, it’s considered better than
negligence (that is, knowing the law but doing nothing to comply with it). This chapter
also presents several common legal and ethical issues found in today’s organizations, as
well as formal and professional organizations that promote ethics and legal responsibility.
Section III—Security Analysis

Chapter 4—Planning for Security This chapter presents a number of widely
accepted security models and frameworks. It examines best business practices and standards
of due care and due diligence, and offers an overview of the development of security policy.
This chapter details the major components, scope, and target audience for each level of secu-
rity policy. It also explains data classification schemes, both military and private, as well as
the security education training and awareness (SETA) program. The chapter examines the
planning process that supports business continuity, disaster recovery, and incident response;
it also describes the organization’s role during incidents and specifies when the organization
should involve outside law enforcement agencies.
Chapter 5—Risk Management Before the design of a new information security

solution can begin, information security analysts must first understand the current state of
the organization and its relationship to information security. Does the organization have
any formal information security mechanisms in place? How effective are they? What policies
and procedures have been published and distributed to security managers and end users?
This chapter describes how to conduct a fundamental information security assessment by
describing procedures for identifying and prioritizing threats and assets as well as proce-
dures for identifying what controls are in place to protect these assets from threats. The
chapter also discusses the various types of control mechanisms and identifies the steps
involved in performing the initial risk assessment. It continues by defining risk management
as the process of identifying, assessing, and reducing risk to an acceptable level and imple-
menting effective control measures to maintain that level of risk. The chapter concludes
with a discussion of risk analysis and various types of feasibility analyses.
Section IV—Design
The material in this section is sequenced to introduce students of information systems to the
information security aspects of various technology topics. If you are not familiar with net-
working technology and TCP/IP, the material in Chapters 6, 7, 8, and 9 may prove difficult.
Students who do not have a grounding in network protocols should prepare for their study
of the chapters in this section by reading a chapter or two from a networking textbook on
TCP/IP.
xx Preface
Chapter 6—Security Technology: Firewalls and VPNs Chapter 6 provides a

detailed overview of the configuration and use of technologies designed to segregate the
organization’s systems from the insecure Internet. This chapter examines the various defini-
tions and categorizations of firewall technologies and the architectures under which firewalls
may be deployed. The chapter discusses the rules and guidelines associated with the proper
configuration and use of firewalls. It also discusses remote dial-up services and the security
precautions necessary to secure access points for organizations still deploying this older tech-
nology. The chapter continues by presenting content-filtering capabilities and considerations,
and concludes by examining technologies designed to provide remote access to authorized
users through virtual private networks.
Chapter 7—Security Technology: Intrusion Detection and Prevention

Systems, and Other Security Tools Chapter 7 continues the discussion of secu-
rity technologies by examining the concept of intrusion and the technologies necessary to
prevent, detect, react to, and recover from intrusions. Specific types of intrusion detection
and prevention systems (IDPSs)—the host IDPS, network IDPS, and application IDPS—and
their respective configurations and uses are presented and discussed. The chapter examines
specialized detection technologies that are designed to entice attackers into decoy systems
(and thus away from critical systems) or simply to identify the attackers’ entry into these
decoy areas. Such systems are known as honeypots, honeynets, and padded cell systems.
The discussion also examines trace-back systems, which are designed to track down the
true addresses of attackers who were lured into decoy systems. The chapter then examines
key security tools that information security professionals can use to examine the current
state of their organization’s systems and identify potential vulnerabilities or weaknesses in
the organization’s overall security posture. The chapter concludes with a discussion of access
control devices commonly deployed by modern operating systems and new technologies in
the area of biometrics that can provide strong authentication to existing implementations.
Chapter 8—Cryptography Chapter 8 continues the section on security technologies

by describing the underlying foundations of modern cryptosystems as well as their architec-
tures and implementations. The chapter begins by summarizing the history of modern cryp-
tography and discussing the various types of ciphers that played key roles in that history.
The chapter also examines some of the mathematical techniques that comprise cryptosys-
tems, including hash functions. The chapter then extends this discussion by comparing tradi-
tional symmetric encryption systems with more modern asymmetric encryption systems and
examining the role of asymmetric systems as the foundation of public-key encryption sys-
tems. Also covered are the cryptography-based protocols used in secure communications,
including S-HTTP, S/MIME, SET, and SSH. The chapter then discusses steganography and
its emerging role as an effective means of hiding information. The chapter concludes by revi-
siting attacks on information security that are specifically targeted at cryptosystems.
Chapter 9—Physical Security A vital part of any information security process,

physical security includes the management of physical facilities, the implementation of phys-
ical access control, and the oversight of environmental controls. Physical security involves a
wide range of special considerations that encompass designing a secure data center, assessing
the relative value of guards and watchdogs, and resolving technical issues in fire suppression
Preface xxi
and power conditioning. Chapter 9 examines these considerations by factoring in the physi-
cal security threats that modern organizations face.
Section V—Implementation
Chapter 10—Implementing Information Security The preceding chapters pro-
vide guidelines for how an organization might design its information security program.
Chapter 10 examines the elements critical to implementing this design. Key areas in this
chapter include the bull’s-eye model for implementing information security and a discussion
of whether an organization should outsource components of its information security pro-
gram. The chapter also discusses change management, program improvement, and addi-
tional planning for business continuity efforts.
Chapter 11—Security and Personnel The next area in the implementation stage
addresses personnel issues. Chapter 11 examines both sides of the personnel coin: security
personnel and security of personnel. It examines staffing issues, professional security creden-
tials, and the implementation of employment policies and practices. The chapter also dis-
cusses how information security policy affects and is affected by consultants, temporary
workers, and outside business partners.
Section VI—Maintenance and Change

Chapter 12—Information Security Maintenance Last and most important is
the discussion of maintenance and change. Chapter 12 describes the ongoing technical and
administrative evaluation of the information security program that an organization must
perform to maintain the security of its information systems. This chapter explores ongoing
risk analysis, risk evaluation, and measurement, all of which are part of risk management.
It also explores special considerations needed for the varieties of vulnerability analysis in
modern organizations, from Internet penetration testing to wireless network risk assessment.
The chapter and the book conclude by covering the subject of digital forensics.
Features
Here are some features of the book’s approach to information security:
Information Security Professionals’ Common Bodies of Knowledge—Because the authors hold
both the Certified Information Security Manager (CISM) and Certified Information Systems
Security Professional (CISSP) credentials, those knowledge domains have had an influence in
the design of the text. Although care was taken to avoid producing a certification study
guide, the authors’ backgrounds ensure that the book’s treatment of information security inte-
grates the CISM and CISSP Common Bodies of Knowledge (CBKs).
Chapter Scenarios—Each chapter opens and closes with a short story that features the same
fictional company as it encounters information security issues commonly found in real-life
organizations. At the end of each chapter, a set of discussion questions provides students and
instructors with opportunities to discuss the issues suggested by the story and explore the ethi-
cal dimensions of those issues.
xxii Preface
Offline and Technical Details Boxes—Interspersed throughout the textbook, these sections
highlight interesting topics and detailed technical issues, giving students the option of delving
into information security topics more deeply.
Hands-On Learning—At the end of each chapter, students will find a chapter summary and
review questions as well as exercises. In the exercises, students are asked to research, analyze,
and write responses to reinforce learning objectives, deepen their understanding of the text,
and examine the information security arena outside the classroom.
New to This Edition

● Additional discussion questions at the end of each chapter to explore ethical dimen-
sions of the content
● Coverage of the newest laws and industry trends
● Key Terms boxes that provide increased visibility for terminology used in the industry
● “For More Information” features that provide Web locations where students can find
additional information about the subject covered
● Additional figures to illustrate important topics
Additional Resources
To access additional course materials, please visit www.cengagebrain.com. Note the ISBN on
the back cover of your book, and then search for the book’s ISBN using the search box at the
top of the CengageBrain home page.
Instructor Resources
Instructor Companion Site
A variety of teaching tools have been prepared to support this textbook and enhance class-
room learning:
Instructor’s Manual—The Instructor’s Manual includes suggestions and strategies for using
this text, and even suggestions for lecture topics. It also includes answers to the review ques-
tions and suggested solutions to the exercises at the end of each chapter.
Solutions—The instructor resources include solutions to all end-of-chapter material, including
review questions and exercises.
Figure Files—Figure files allow instructors to create their own presentations using figures
taken from the text.
PowerPoint Presentations—This book comes with Microsoft PowerPoint slides for each chap-
ter. These slides are included as a teaching aid to be used for classroom presentation, to be
made available to students on the network for chapter review, or to be printed for classroom
Preface xxiii
distribution. Instructors can add their own slides for additional topics they introduce to the
class.
Lab Manual—Cengage Learning has developed a lab manual to accompany this and other
books: The Hands-On Information Security Lab Manual, Fourth Edition (ISBN-13:
9781285167572). The lab manual provides hands-on security exercises on footprinting,
enumeration, and firewall configuration, as well as detailed exercises and cases that can sup-
plement the book as laboratory components or in-class projects. Contact your Cengage
Learning sales representative for more information.
Cognero—Cengage Learning Testing Powered by Cognero is a flexible, online system that
allows you to:
● Author, edit, and manage test bank content from multiple Cengage Learning solutions
● Create multiple test versions in an instant
● Deliver tests from your LMS, your classroom, or anywhere you want
Author Team
Michael Whitman and Herbert Mattord have jointly developed this text to merge knowledge
from the world of academic study with practical experience from the business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in the Informa-
tion Systems Department, Michael J. Coles College of Business at Kennesaw State University,
Kennesaw, Georgia, where he is also the Director of the KSU Center for Information Security
Education (infosec.kennesaw.edu). Dr. Whitman is an active researcher in Information Secu-
rity, Fair and Responsible Use Policies, Ethical Computing, and Curriculum Development
Methodologies. He currently teaches graduate and undergraduate courses in Information
Security and Contingency Planning. He has published articles in the top journals in his field,
including Information Systems Research, Communications of the ACM, Information and
Management, Journal of International Business Studies, and Journal of Computer Information
Systems. Dr. Whitman is also the Editor-in-Chief of the Information Security Education Jour-
nal. He is a member of the Information Systems Security Association, the Association for
Computing Machinery, and the Association for Information Systems. Dr. Whitman is also
the co-author of Management of Information Security, Principles of Incident Response and
Disaster Recovery, Readings and Cases in the Management of Information Security, The
Guide to Firewalls and VPNs, The Guide to Network Security, and The Hands-On Informa-
tion Security Lab Manual, among others, all published by Cengage Learning. Prior to his
career in academia, Dr. Whitman was an Armored Cavalry Officer in the U.S. Army.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an
application developer, database administrator, project manager, and information security
practitioner before joining the faculty of Kennesaw State University in 2002. Professor
Mattord is the Coordinator of the Bachelor of Business Administration in Information Secu-
rity and Assurance degree and the Associate Director of the KSU Center for Information
Security Education and Awareness (infosec.kennesaw.edu). He is also an Associate Editor of
the Information Security Education Journal. During his career as an IT practitioner, he has
been an adjunct professor at Kennesaw State University; Southern Polytechnic State University
xxiv Preface
in Marietta, Georgia; Austin Community College in Austin, Texas; and Texas State Univer-
sity: San Marcos. He currently teaches undergraduate courses in Information Security, Data
Communications, Local Area Networks, Database Technology, Project Management, Systems
Analysis and Design, and Information Resources Management and Policy. He was formerly
the Manager of Corporate Information Technology Security at Georgia-Pacific Corporation,
where much of the practical knowledge found in this textbook was acquired. Professor
Mattord is also the co-author of Management of Information Security, Principles of Incident
Response and Disaster Recovery, Readings and Cases in the Management of Information
Security, The Guide to Firewalls and VPNs, The Guide to Network Security, and The
Hands-On Information Security Lab Manual, among others, all published by Cengage
Learning.
Acknowledgments
The authors would like to thank their families for their support and understanding for the
many hours dedicated to this project—hours taken away, in many cases, from family activi-
ties. Special thanks go to Dr. Carola Mattord. Her reviews of early drafts and suggestions for
keeping the writing focused on students resulted in a more readable manuscript.
Contributors
Several people and organizations also provided materials for this textbook, and we thank
them for their contributions. For example, the National Institute of Standards and Technol-
ogy (NIST) is the source of many references, tables, figures, and other content used through-
out the textbook.
Reviewers
We are indebted to the following people for their perceptive feedback on the initial proposal,
the project outline, and chapter-by-chapter reviews of the text:
● Paul Witman, California Lutheran University
● Pam Schmelz, Ivy Tech Community College of Indiana
● Donald McCracken, ECPI University, Virginia
● Michelle Ramim, Nova Southeastern University, Florida
Special Thanks
The authors wish to thank the editorial and production teams at Cengage Learning. Their
diligent and professional efforts greatly enhanced the final product:
● Natalie Pashoukos, Senior Content Developer
● Dan Seiter, Development Editor
● Nick Lombardi, Product Manager
● Brooke Baker, Senior Content Project Manager
Preface xxv
In addition, several professional organizations, commercial organizations, and individuals

aided the development of the textbook by providing information and inspiration. The
authors wish to acknowledge their contributions:
● Charles Cresson Wood
● Donn Parker
● Our colleagues in the Department of Information Systems and the Coles College of
Business at Kennesaw State University
Our Commitment
The authors are committed to serving the needs of adopters and readers of this book. We
would be pleased and honored to receive feedback on the textbook and its supporting mate-
rials. You can contact us through Cengage Learning via e-mail at mis@course.com.
Foreword
Information security is an art more than a science, and the mastery of protecting information
requires multidisciplinary knowledge of a huge quantity of information plus experience and
skill. You will find much of what you need here in this book as the authors take you through
the security systems development life cycle using real-life scenarios to introduce each topic.
The authors provide their perspective from many years of real-life experience, combined
with their academic approach for a rich learning experience expertly presented in this book.
You have chosen the authors and the book well.
Since you are reading this book, you are most likely working toward a career in information
security or at least have serious interest in information security. You must anticipate that just
about everybody hates the constraints that security puts on their work. This includes both the
good guys and the bad guys—except for malicious hackers who love the security we install as
a challenge to be beaten. We concentrate on stopping the intentional wrongdoers because it
applies to stopping the accidental ones as well. Security to protect against accidental wrong-
doers is not good enough against those with intent.
I have spent 40 years of my life in a field that I found to be exciting and rewarding, working
with computers and pitting my wits against malicious people, and you will too. Security con-
trols and practices include logging on and off, using passwords, encrypting and backing up
vital information, locking doors and drawers, motivating stakeholders to support security,
and installing antivirus software. These means of protection have no benefit except rarely,
when adversities occur. Good security is in effect when nothing bad happens, and when noth-
ing bad happens, who needs security? Nowadays, in addition to loss experience, we need it
because the law, regulations, and auditors say so—especially if we deal with the personal
information of others, electronic money, intellectual property, and keeping ahead of the
competition.
There is great satisfaction in knowing that your employer’s information and systems are rea-
sonably secure and that you are paid a good salary, are the center of attention in emergencies,
and are applying your wits against the bad guys. This makes up for the downside of your
security work. It is no job for perfectionists because you will almost never be fully successful,
xxvi Preface
and there will always be vulnerabilities that you aren’t aware of or that the bad guys discover
first. Our enemies have a great advantage over us. They have to find only one vulnerability
and one target to attack in a known place, electronically or physically at a time of their choos-
ing, while we must defend from potentially millions of attacks against assets and vulnerabil-
ities that are no longer in one computer room but are spread all over the world. It’s like
playing a game in which you don’t know your opponents and where they are, what they are
doing, or why they are doing it, and they are secretly changing the rules as they play. You
must be highly ethical, defensive, secretive, and cautious. Bragging about the great security
you are employing might tip off the enemy. Enjoy the few successes that you experience, for
you will not even know about some of them.
There is a story that describes the kind of war you are entering into. A small country inducted
a young man into its ill-equipped army. The army had no guns, so it issued a broom to the
new recruit for training purposes. In basic training, the young man asked, “What do I do
with this broom?”
The instructor took him to the rifle range and told him to pretend the broom is a gun, aim it
at the target, and say, “Bang, bang, bang.” He did that. Then the instructor took him to bay-
onet practice, and the recruit said, “What do I do with this broom?”
The instructor said, “Pretend it is a gun with a bayonet and say, ‘Stab, stab, stab.’ ”
The recruit did that as well. Then the war started and the army still didn’t have guns; the
young man found himself on the front line with enemy soldiers running toward him across a
field. All he had was his trusty broom. So he could only do what he was trained to do. He
aimed the broom at the enemy soldiers and said, “Bang, bang, bang.” Some of the enemy sol-
diers fell down, but many kept coming. Some got so close that he had to say, “Stab, stab,
stab,” and more enemy soldiers fell down. However, there was one stubborn enemy soldier
(there always is in these stories) running toward him. The recruit said, “Bang, bang, bang,”
but to no effect. The enemy continued to get closer and the recruit said, “Stab, stab, stab,”
but it still had no effect. In fact, the enemy soldier ran right over the recruit, broke his broom
in half, and left him lying in the dirt. As the enemy soldier ran by, the recruit heard him mut-
tering under his breath, “Tank, tank, tank.”
I tell this story at the end of my many lectures on computer crime and security to impress on
my audience that if you are going to win against crime, you must know the rules, and it is the
criminal who is making up his secret rules as he goes along. This makes winning very difficult.
When I was lecturing in Rio de Janeiro, a young lady performed simultaneous translation into
Portuguese for my audience of several hundred people, all with earphones clapped over their
ears. In such situations, I have no idea what my audience is hearing, and after telling my joke
nobody laughed. They just sat there with puzzled looks on their faces. After the lecture,
I asked the translator what had happened. She had translated “tank, tank, tank” into “water
tank, water tank, water tank.” The recruit and I were both deceived that time.
Three weeks later, I was lecturing to an audience of French bankers at the George V Hotel in
Paris. I had a bilingual friend listen to the translation of my talk. The same thing happened as
in Rio. Nobody laughed. Afterward, I asked my friend what had happened. He said, “You
will never believe this, but the translator translated ‘tank, tank, tank’ into ‘merci, merci,
merci’ (thanks).” Even in telling the joke, like the recruit, I didn’t know the rules to the game.
Preface xxvii
Remember that when working in security, you are in a virtual army defending your employer
and stakeholders from their enemies. From your point of view the enemies will probably think
and act irrationally, but from their perspective they are perfectly rational, with serious per-
sonal problems to solve and gains to be made by violating your security. You are no longer
just a techie with the challenging job of installing technological controls in systems and net-
works. Most of your work should be in assisting potential victims to protect themselves from
information adversities and dealing with your smart but often irrational enemies, even though
you rarely see or even identify them. I spent a major part of my security career hunting down
computer criminals and interviewing them and their victims, trying to obtain insights to do a
better job of defending from their attacks. Likewise, you should use every opportunity to seek
them out and get to know them. This experience gives you great cachet as a real and unique
expert, even with minimal exposure to only a few enemies.
Comprehensiveness is an important part of the game you play for real stakes because the
enemy will likely seek the easiest way to attack vulnerabilities and assets that you haven’t
fully protected yet or even know exist. For example, a threat that is rarely found on threat
lists is endangerment of assets—putting information assets in harm’s way. Endangerment is
also one of the most common violations by security professionals; it occurs when they reveal
too much about their security and loss experience.
You must be thorough and meticulous and document everything pertinent, in case your com-
petence is questioned and to meet the requirements of the Sarbanes–Oxley Law. Keep your
documents safely locked away. Documentation is important so that when adversity hits and
you lose the game, you will have proof of being diligent in spite of the loss. Otherwise, your
career could be damaged, or at least your effectiveness will be diminished. For example, if
the loss occurred because management failed to give you an adequate budget and support for
security you knew you required, you need to have documented that failure before the incident
occurred. Don’t brag about how great your security is, because it can always be beaten. Keep
and expand checklists for everything: threats, vulnerabilities, assets, key potential victims, sus-
pects of wrongdoing, security supporters and nonsupporters, attacks, enemies, criminal justice
resources, auditors, regulators, and legal counsel. To assist your stakeholders, who are the
front-line defenders of their information and systems, identify what they must protect and
know the real extent of their security. Make sure that upper management and other people
to whom you report understand the nature of your job and its limitations.
Use the best possible security practices yourself to set a good example. You will have a huge
collection of sensitive passwords to do your job. Write them down, and keep the list safely in
your wallet next to your credit card. Know as much as possible about the systems and net-
works in your organization and have access to experts who know the rest. Make good friends
of local and national criminal justice officials, your organization’s lawyers, insurance risk
managers, human resources people, facilities managers, and auditors. Audits are one of the
most powerful controls your organization has. Remember that people hate security and must
be properly motivated by penalties and rewards to make it work. Seek ways to make security
invisible or transparent to stakeholders while keeping it effective. Don’t recommend or install
controls or practices that stakeholders won’t support, because they will beat you every time by
making it look like the controls are effective when they are not—a situation worse than no
security at all.
xxviii Preface
One of the most exciting parts of the job is the insight you gain about the inner workings and
secrets of your organization, its business, and its culture. As an information security consul-
tant, I was privileged to learn about the culture and secrets of more than 250 of the largest
corporations throughout the world. I had the opportunity to interview and advise the most
powerful business executives, if only for a few minutes of their valuable time. You should
always be ready with a “silver bullet” to use in your short time with top management for the
greatest benefit of enterprise security. Carefully learn the limits of management’s security
appetites. Know the nature of the business, whether it is a government department or a hotly
competitive company. I once found myself in a meeting with a board of directors intensely dis-
cussing the protection of their greatest trade secret, the manufacturing process of their new
disposable diapers.
Finally, we come to the last important bit of advice. Be trustworthy and develop mutual trust
among your peers. Your most important objectives are not just risk reduction and increased
security. They also include diligence to avoid negligence and endangerment, compliance with
all laws and standards, and enablement when security becomes a competitive or budget issue.
To achieve these objectives, you must develop a trusting exchange of the most sensitive secu-
rity intelligence among your peers so you’ll know where your organization stands relative to
other enterprises. But be discreet and careful about it. You need to know the generally
accepted and current security solutions. If the information you exchange is exposed, it could
ruin your career and others, and could create a disaster for your organization. Your personal
and ethical performance must be spotless, and you must protect your reputation at all costs.
Pay particular attention to the ethics section of this book. I recommend that you join the
Information Systems Security Association, become active in it, and become professionally
certified as soon as you are qualified. My favorite certification is the Certified Information
Systems Security Professional (CISSP) from the International Information Systems Security
Certification Consortium.
Donn B. Parker, CISSP

Los Altos, California
Another random document with
no related content on Scribd:
from the flight or actions of birds. Both systems were learned from
them by the Romans, according to Roman tradition itself.
With the spread of Christianity, hepatoscopy and haruspicy died
out in the west. But meanwhile they had been carried in the opposite
direction from their Babylonian source of origin, and became
established in eastern Asia and finally, in somewhat modified form,
among remote uncivilized peoples. The pagan priests of Borneo and
the Philippines even to-day are foretelling the future by observing the
flight of birds and examining the gall bladder—an organ intimately
associated with the liver—of sacrificial animals. If these primitive
Malaysian peoples had always remained uninfluenced by higher
cultures, their divinatory customs might be imputed to independent
invention. They live, however, at no great distance from the Asiatic
mainland, and are known to have been subjected to heavy cultural
influences from China, Arabia, and especially India. Four centuries
ago, to cite only a few specific instances, the Philippine chieftains
went under the title of rajah, the Hindu word for king. In the southern
Philippine islands there are “sultans” to-day. In all parts of the
Philippines as well as Borneo, even among the rude tribes of the
interior mountains, Chinese jars imported centuries ago are
treasured as precious heirlooms. With these streams of higher
culture flowing into the Malaysian islands, the only reasonable
conclusion is that the arts of liver and bird divination were also
imported. In fact, it seems probable that the broader custom of
sacrificing animals to the gods and spirits, a custom to which the
pagan Malaysians still adhere, is a part of the same wave of
influence from the Orient which has so deeply stamped the Homeric
poems and the Old Testament. Although theoretically it is not
surprising that hepatoscopy and haruspicy still flourish among some
backward and marginally situated peoples, yet, in the concrete and
at first blush, it is striking to find that an institution which was active
in Babylonia three or four thousand years ago should still maintain
an unbroken life in Borneo. Evidently the diffusion principle reaches
far and long.
Another method of foretelling, which has spread equally far,
although its flow has been mainly from the east westward, is
scapulimancy, divination from the cracks that develop in scorched
shoulder blades. This seems to have originated in ancient China with
the heating of tortoise shells; had spread by the third century after
Christ to Japan, where deer shoulder blades were employed; and is
found to-day among the Koryak and Chukchi of northeasternmost
Siberia, who utilize the same bones from seals and reindeer
respectively. Elsewhere domestic animals, above all the sheep,
furnish the proper shoulder blade. All the central Asiatic nations as
far south as the Tibetans and Lolos are addicted to the custom,
which had official status with the Mongol rulers in the thirteenth
century, but must have been older, since it was in vogue among the
Byzantine Greeks two hundred years earlier. The practice spread
over practically all Europe, where it flourished in the fifteenth and
sixteenth centuries and still lingers among belated rural populations;
to Morocco and perhaps other parts of north Africa; and in Asia to
South Arabia, Afghanistan, and westernmost India. Scapulimancy
was not known to the ancient Babylonians, Egyptians, Hebrews,
Greeks, Etruscans, and Romans; it seems not to have penetrated far
into India and not at all into the countries and islands to the east of
India, which are sheepless regions; and it did not obtain a foothold in
North America, where sheep and other tame animals were also not
kept. It appears therefore that the custom, after a period of
somewhat wavering formation in eastern Asia, crystallized into an
association with the domesticated sheep, forming a true culture
“complex,” and was then diffused almost as far as this animal.
98. Tobacco
The speed with which inventions sometimes diffuse over large
areas is in marked contrast to the slowness with which they travel on
other occasions. The art or habit of smoking originated in tropical
America where the tobacco plant is indigenous. From this middle
region the custom spread, like agriculture, pottery, and weaving, in
both directions over most of north and south America. Originally, it
would seem, a tobacco leaf was either rolled on itself to form a rude
cigar, or was stuffed, cigarette fashion, into a reed or piece of cane.
Columbus found the West Indians puffing at cigars. In the
Southwestern United States, the natives smoked from hollow reeds.
Farther into the United States, both to the east and west, the reed
had become a manufactured tube of wood or stone or pottery. This
tubular pipe, something like a magnified cigarette holder, has the
bowl enlarged at one end to receive the tobacco. It has to be held
more or less vertically. This form has survived to the present day
among the California Indians. As the tubular pipe spread into the
central and eastern United States, it was elaborated. The bowl was
made to rise from the top of the pipe, instead of merely forming its
end. This proved a convenience, for the pipe had now no longer to
be pointed skyward to be smoked. Here then was a pipe with a
definite bowl; but its derivation from the straight tubular pipe is
shown by the fact that the bowl was most frequently set not at the
end of the stem, as we “automatically” think a pipe should be, but
near its middle. The bowl evidently represented a secondary addition
which there seemed no more reason to place at the end than in the
middle of the pipe; and the latter happened to become the fashion.
All this evolution took place at least a thousand years ago,
probably much longer. Elaborate stone pipes have been discovered
in the earthworks left by the Mound Builders of the Ohio Valley, a
people whose very existence had been forgotten when the whites
first came. Californian stone pipes occur well down toward the
bottom of shell mounds estimated to have required three or four
thousand years to accumulate.
Here and there this slow diffusion suffered checks. In the Andean
region of South America tobacco came into competition with coca, a
plant whose leaf was chewed. The effect of the contained alkaloid is
to prevent fatigue and hunger. Of the two, coca triumphed over
tobacco, possibly because its action is more drug-like. In North
America, on the other hand, tribes that had not adopted maize and
bean agriculture, sometimes tilled tobacco patches. With them,
tobacco cultivation had outstripped the spread of so important an
institution as food agriculture. In the extreme parts of North America,
climatic factors checked the growth of tobacco, either wild or
cultivated. Where the supply was scarce, it was either diluted with
pulverized tree bark, as by many tribes of the central United States,
or it was eaten, as by a number of groups on the Pacific coast. To
these latter, tobacco seemed too precious to set fire to and lightly
puff away. They mixed it with lime from burnt shells and swallowed it.
Taken in this form, a small quantity produces a powerful effect. In the
farthest north of the continent, even this device had not obtained a
foothold. The development of intertribal trade was too slender and
intermittent for anything but valuables, let alone an article of daily
consumption, to be transported over long distances. The result was
that the Eskimo, when first discovered, knew nothing of tobacco or
pipes.
The use of tobacco was quickly carried to the Old World by the
Spaniards, and before long all Europe was smoking. Throughout that
continent, irrespective of language, the plant is known by
modifications of the Spanish name tabaco, which in turn seems
based on a native American name for cigar. By the Spaniards and
Portuguese, and later also by the Arabs, the habit of smoking was
carried to various points on the shores of Africa, Asia, and the East
Indies. Thence it spread inland. Native African tribes, and others in
New Guinea, who had never seen a white man, have been found not
only growing and smoking tobacco, but firmly believing that their
ancestors from time immemorial had done so. This is a characteristic
illustration of the short-livedness of group memory and the
unreliability of oral tradition.
In northeastern Siberia, where the Russians introduced tobacco, a
special form of pipe came into use. It has a narrow bowl flaring at the
top. Seen from above, this bowl looks like a disk with a rather small
hole in the center. In profile it is almost like a capital T. It is set on the
end of the pipe-stem. This stem may be straight or flattened and
curved. This form of pipe, along with tobacco as a trade article,
crossed Behring Strait and was taken up by the Alaska Eskimo. That
this pipe is not of Eskimo origin is shown by its close resemblance to
the Chukchi pipe of Siberia. The fact that it is impossible for the
Eskimo to grow tobacco corroborates the late introduction, as does
the Alaska Eskimo name: tawak. In short, smoking reached the
Eskimo only after having made the round of the globe. Originating in
Middle America, the custom spread very anciently to its farthest
native limits without being able to penetrate to the Eskimo. As soon
as the Spaniards appeared on the scene, the custom started on a
fresh career of travel and rolled rapidly eastward about the globe
until it reëntered America in the hitherto non-smoking region of
Alaska.
A second invasion of America by a non-American form of pipe
occurred in the eastern United States. The old pipe of this region, as
already stated, had its bowl set well back from the end of the stem.
The whole object thus had nearly the shape of an inverted capital T,
whereas the European pipe might be compared to an L laid on its
back. After the English settlers had become established on the
Atlantic coast, a tomahawk pipe was introduced by them for trade
purposes. This was a metal hatchet with the butt of the blade
hollowed out into a bowl which connected with a bore running
through the handle. One end of the blade served to chop, the other
to smoke. The hatchet handle was also the pipe stem. The
combination implement could be used as a weapon in war and as a
symbol of peace in council. This doubleness of purpose caused it to
appeal to the Indian. The heads of these iron tomahawk pipes were
made in England for the Indian trade. They became so popular that
those natives who were out of reach of established traders, or who
were too poor to buy the metal hatchet-pipes, began to imitate them
in the stone which their forefathers had used. In the Missouri valley,
a generation ago, among tribes like the Sioux and the Blackfeet,
imitation tomahawk pipes, which would never have withstood usage
as hatchets, were being made of red catlinite together with the
standard, native, inverted-T pipes. One of the two coexisting forms
represented a form indigenous to the region since a thousand years
or more, the other an innovation developed in Europe as the result of
the discovery of America and then reintroduced among the
aborigines. Diffusion sometimes follows unexpectedly winding
routes.
99. Migrations
It may seem strange that with all the reference to diffusion in the
foregoing pages, there has been so little mention of migration. The
reason is that migrations of peoples are a special and not the normal
means of culture spread. They form the crass instances of the
process, easily conceived by a simple mind. That a custom travels
as a people travels with it, is something that a child can understand.
The danger is in stopping thought there and invoking a national
migration for every important culture diffusion, whereas it is plain that
most culture changes have occurred through subtler and more
gradual operations. The Mongols overran vast areas of Asia and
Europe without seriously modifying the civilization of those tracts.
The accretions that most influenced them, such as writing and
Buddhism, came to them by the quieter and more pervasive process
of peaceful penetration, in which but few individuals were active. We
are all aware that printing and the steam engine, the doctrine of
evolution and the habit of riming verses, have spread through
western civilization without conquests or migrations, and that each
year’s fashions flow out from Paris in the same way. When however
it is a question of something remote, like the origin of Chinese
civilization, it is only necessary for it to be pointed out that the early
forms of Chinese culture bear certain resemblances to the early
culture of Mesopotamia, and we are sure to have some one
producing a theory that marches the Chinese out of the west with
their culture packed away in little bundles on their backs. That is far
more picturesque, of course, more appealing to the emotions, than
to conceive of a slow, gradual transfusion stretching over a thousand
years. In proportion as the known facts are few, imagination soars
unchecked. It is not because migrations of large bodies of men are
rare or wholly negligible in their influence on civilization that they
have been touched so lightly here, but because we all tend, through
the romantic and sensationalistic streak in us, to think more largely in
terms of them than the sober truth warrants. It is in culture-history as
in geology: the occasional eruptions, quakings, and other cataclysms
stir the mind, but the work of change is mainly accomplished by
quieter processes, going on unceasingly, and often almost
imperceptible until their results accumulate.
CHAPTER IX
PARALLELS
100. General observations.—101. Cultural context.—102. Universal

elements.—103. Secondary parallelism in the Indo-European
languages.—104. Textile patterns and processes.—105. Primary
parallelism: the beginnings of writing.—106. Time reckoning.—107.
Scale and pitch of Pan’s pipes.—108. Bronze.—109. Zero.—110.
Exogamic institutions.—111. Parallels and psychology.—112.
Limitations on the parallelistic principle.
100. General Observations

The principle of truly independent or convergent invention is more
difficult to establish by positive examples than imitative diffusion. It
has often been assumed as operative, more rarely proved; and even
in the latter cases has perhaps never been found to lead to complete
identity.
In fact, the first observation to be made is that resemblance must
not be too close if independent development is to be the explanation.
A complex device used in two or more parts of the world suggests a
connection between them in very proportion to its complexity. A
combination of two or even three elements might conceivably have
been repeated independently. A combination of five or ten parts
serving an identical purpose in an identical manner must necessarily
appeal as impossible of having been hit upon more than once. One
thinks almost under compulsion, in such a case, of historical
connection, of a transference of the idea or machine from one
people to the other.
If the resemblance includes any inessential or arbitrary parts, such
as an ornament, a proportion that so far as utility is concerned might
be considerably varied but is not, a randomly chosen number, or a
name, the possibility of independent development is wholly ruled out.
Such extrinsic features would not recur together once in a million
times. Their association forces a presumption of common origin,
even though it be difficult to account for the historical connection
involved. The significance of names in this situation has already
been commented on.
There is nothing arbitrary about this limitation on the parallelistic
principle. We all apply similar checks in practical life. If in a court of
law several witnesses testify to the same facts in the same
language, without one of them adding or diminishing an item, if they
follow the identical order of events, if even details such as the
precise minute of an occurrence are stated without variation, judge
and jury will infallibly suspect that the several testimonies go back to
a single source of inspiration. Eyewitnesses will differ. They have
seen from different angles; have followed events with attention that
varied according to their participation and their previous habits and
training; have reacted with individually colored emotion. So with
nations. Their customs, interests, faculties are never wholly alike.
Their independent inventions and innovations, always springing out
of a distinctive soil, therefore necessarily take on a distinctive aspect
even when they embody the same idea. In the degree that the form
as well as the substance of culture traits coincide, does the
probability of independent evolution diminish in favor of some sort of
connection.
101. Cultural Context

The presence or absence of other connections is also a factor of
greatest importance. In other words, no fact relating to human
civilization may be judged wholly without reference to its context or
background. If there are known connections, either in space or in
time, between two nations, the likelihood of their having separately
evolved a common trait is much less than as between two peoples in
different continents or separated by thousands of years. It is not
known precisely how knowledge of the true arch and of liver
divination were carried from ancient western Asia to the Etruscans of
Italy. Yet the fact that Babylonia and Etruria shared two such specific
culture traits as these, greatly increases the probability for each one
having been borrowed from the Asiatic by the European people.
When the consideration is added that the ancients had traditions of
the Etruscans having come to Italy out of Asia Minor, the likelihood of
diffusion is strengthened to the point of practical certainty.
Connection in space is a particularly cogent argument in favor of
diffusion, because of its powerful presumption of accompanying
communication. When several hundred Indian tribes without a break
in their ranks between Quebec and Argentina cultivate maize, it
would be absurd to dream of each of them having originated the
domestication of the plant for itself. To be sure, it is logically
conceivable that maize agriculture was independently developed by
two or three of the most advanced tribes of the hundreds and then
became diffused until the two or three areas of dispersion met and
coalesced into one greater area. Yet the principle that economy of
explanation is the best would militate even against this interpretation
as compared with diffusion from a single center, unless there were
definite indications in favor of the multiple origin explanation. Such
indications might be radically distinct types of the plant or of
agricultural implements in several parts of the maize area.
So, when the tribes on the Alaskan and Siberian sides of Behring
Sea relate similar Raven legends, the geographical proximity is so
close that it would be pedantic to let the fact that two continents are
involved stand in the way of an explanation by diffusion. Even where
the distribution of a trait penetrates much farther into both America
and Asia, as is true of the composite bow (§ 210), the continuity of
area leaves little doubt as to diffusion from a single center, especially
since it is reinforced by other traits showing the same
intercontinental distribution: the Magic Flight story, for instance. It is
only when the areas are discrete as well as remote, when other
similarities between them are few or absent, when their cultural
backgrounds are radically dissimilar, as in the case of the couvade,
that parallelism begins to knock at the door of interpretation with
serious hope of admittance.
102. Universal Elements
When a culture trait is very ancient and of practically world-wide
occurrence, it becomes difficult to estimate between diffusion and
independent invention. The fire-drill, flint chipping, the bow and
arrow, the doctrine of animism or belief in souls and spirits,
sympathetic magic, are in this class. The very universality of these
elements tends to obliterate tangible evidence as to their histories. A
generation or two ago it was generally taken for granted that such
devices and beliefs as these sprang more or less spontaneously out
of the human mind as soon as man had traversed a certain short
distance of the evolutionary road that led him away from the brutes.
At present, anthropological opinion is more cautious about such
assumptions. It is perhaps spontaneous enough for people in the
habit of using tools to try to fashion them from stone if other
materials be lacking, and easy for a nation accustomed to projectile
weapons to invent the bow without ever having learned of it. But this
is far from proving what a people without these habits might do.
Intelligent as an ape is, and gifted with manual dexterity, it rarely
enters his mind to throw a stone as a missile and never to split it into
a knife or weapon. For all we know, it may have cost our ancestors
untold mental energy to bring themselves to the point of fashioning
their first stone implements; so much, indeed, that it is possible all of
them did without until one more gifted or fortunate group made the
difficult invention which was then imitated by the others. It is
temptingly but fatally easy to project our habits of mind into primitive
man—much easier to imagine ourselves in his position than to
imagine him, without reference to ourselves, as he was. Animal
psychologists have learned not to anthropomorphize, that is, endow
the lower animals with specifically human mind processes.
Anthropologists have learned to guard against the similar pitfall of
interpreting low cultures by the standards of our own, of assuming
that because a thing seems “natural” to us it must have seemed
natural and therefore have been done by any savage. It is clear that
what did not happen was for every tribe or race to originate for itself
its fire-making, flint-chipping, bows, animism, and magic. It is
conceivable that each of these culture products traces back to a
single source in human history. There are authorities who have held
this very opinion; some expressedly, others by implication. It is not
necessary to go so far; in fact, wiser not to, because none of these
matters is yet susceptible of real proof. But it does seem profitable to
recognize the possibility of the truth of such views, and that the drift
of accumulating knowledge and experienced interpretation is in their
direction.
A simple consideration which has too often been neglected is that
diffusion and imitation undisputedly do take place in culture on a vast
scale. So far as independent developments occur, be that rarely or
frequently, they are therefore sure to be more or less intertwined with
disseminations. Even one particular device may be partly borrowed
and partly modified or further developed by original effort. Still more
intimate must be the combination of native and diffused elements in
the whole culture of any people. To wage an abstract battle as
between two opposite principles is sterile, when their manifestations
are admittedly frequent for one and at least certain for the other. It is
clearly more profitable to examine the associations and relations of
diffusion and convergence, the conditions under which they
supplement each other. Besides parallels springing up wholly
independently, there are two ways in which their relations to diffusion
may be conceived. An original single growth or wave of diffusion
may differentiate into local or temporal modifications, which even
after separation continue to develop along parallel lines or
reconverge. Or, on the other hand, independent starts in similar
direction may become merged in, or assimilated by, a subsequent
diffusion.
103. Secondary Parallelism in the Indo-

European Languages
Parallel growth secondary to a former unity and differentiation is
illustrated by the Indo-European languages. All the known ancient
forms of this speech family, Sanskrit, Avestan, Greek, Latin, Gothic,
were highly inflecting and compounding. Their tendency was
synthetic (§ 51, 57).
Grammatical ideas such as voice, tense, number, case, were
expressed by elements affixed to the word stem and incapable of a
separate existence. For they will have loved Latin says ama-v-eru-nt.
The -v- has the force of have, the -eru- of will, -nt of they; but none of
these parts can be used alone, as their equivalents in English can
be, or as in French ils auront aimé. The two latter languages are
analytical. They break an idea into parts which they express by
separate words that change form but little. They retain only
fragments of conjugations and declensions. Sanskrit had eight noun
cases, Latin six; English has only two, the subjective-objective and
the possessive, and French only one, or rather no case-form at all.
[15]
This development toward a more analytical form is not only

traceable in several non-Indo-European speech families, such as
Chinese and Malayo-Polynesian (§ 61), but has gone on in all the
branches of Indo-European. It is visible in the growth of English from
Anglo-Saxon; of French, Spanish, and Italian from Latin; of modern
from ancient Persian; of Hindi and Bengali from Sanskrit. True, some
of these have been in contact, like the Germanic and Latin
languages, and might therefore be imagined to have set one another
an example, although there is little evidence that languages seriously
influence each other’s forms. But many of the Indo-European idioms
have not been in contact at all for thousands of years. The Germanic
and the Indo-Iranic branches, for instance, must have separated at
least four thousand years ago. For the greater part of this period,
accordingly, the related but no longer communicating languages that
have resulted in modern English and Bengali, to take only one
instance, have independently driven toward the same goal of more
and more analytical structure. It may well be that the hidden germ of
this impulse lay implanted in the common Indo-European mother-
tongue at the time of its differentiation five or more thousand years
ago. But the movement of its daughters has certainly been an
astoundingly parallel one.
104. Textile Patterns and Processes

An analogous situation is provided by the similarity of diamond
shaped patterns woven in twilled baskets in parts of North and South
America, Asia and the East Indies, and Africa. This looks like
parallelism and is parallelism. But it is clearly a secondary result of
the twilling process, as this, in turn, flourishes most vigorously where
woody monocotyledonous plants—cane, bamboo, palms—are
available to furnish hard, durable, flat, pliable splints. The technique
of the weave is such that if materials of two colors are used, the
characteristic patterns evolve themselves almost of necessity. The
twilling process may have been invented independently in several of
the regions addicted to it, or have been devised only once in the
world’s history. It is too simple and too ancient a technique for
modern knowledge to choose between the alternatives with
positiveness. Brazilian and East Indian patterns are much more likely
to have been each developed on the spot, as derivatives from the
more fundamental and possibly transmitted twilling process.
The coiling technique for making baskets looks from its distribution
in Africa and about the Mediterranean, in northeast Asia and
northwest America, in the southern extremity of South America, in
Malaysia and Australia, as if it had originated independently several
times, and there is partial confirmation in the fact that different
varieties of coiling are typical of most of the areas. If however further
knowledge should connect the now separate areas of coiling, the art
would then have to be regarded as probably due to diffusion from a
single invention. In that case, however, special varieties, such as
half-hitch coiling in Tierra del Fuego and Tasmania, and single-rod
coiling in the East Indies and California, would remain as instances
of secondary parallelism affecting particular aspects or parts of the
generic process.
A blending of diffusion and parallelism is apparent also in other
textile processes. The fundamentals, as embodied in simple woven
basketry, mats, and wiers, were probably carried into America by the
first immigrants. Weaving from suspended warps and in an
incomplete loom frame may possibly have been similarly transmitted
by diffusion or have been developed locally. Thread spinning,
however, the complete loom, and the heddle were clearly devised in
the middle region of America independently of their invention in the
Old World, as is evident from their absence in the connecting areas
of North America and Siberia (§ 187, 188). But the treadle shed, the
next step in the Eastern hemisphere, was never invented in the
Western, so that at this point the parallelism ends.
Again, diffusion and convergence both enter into the history of
what is known as resist dyeing, that is, the covering of portions of
textile patterns before immersion into the dye. Batik, when wax is
used as the protecting medium, is one form of resist dyeing. Another
method is “to tie little bunches of cloth with a cord either soaked in
clay or wax or spun from fiber which has no affinity for the colors and
then dip the tied web into the pot.” In the Old World, tie dyeing is of
Asiatic, probably of Indian origin, and was in use by the seventh
century, perhaps earlier. The Mohammedan conquests carried the
art to Malaysia on the one hand, to western Africa and Spain on the
other, whence it was transmitted to the Indians of Guatemala after
their subjugation by the Spaniards—like the double-headed eagle.
The Peruvians, however, had long before hit upon the same art, as
attested by textile remains in pre-Columbian graves. Here then, we
have a wide and long enduring diffusion of the general resist dyeing
process, and a locally limited instance of independent parallelism for
one phase of it.
105. Primary Parallelism: the Beginnings of

Writing
Primary parallelism can be established fairly frequently, but usually
only with reference to a general principle, the applications of which
invariably retain evidence of their original separateness.
An illustration is furnished by the history of writing, as sketched in
the introductory paragraphs of the chapter on the Alphabet (§ 130-
133). Many nations have entered the simple stage of pictography.
Only a few are known to have gone on to the stage of rebus or
transitional writing—mixed pictograms or ideograms and
phonograms. Of these, certainly two and possibly as many as four,
five, or six devised their own rebus systems: the Egyptians,
Sumerians, Chinese, Hittites, Cretans, and Mayas, in four
continents. But here the parallel ceases. The content of the systems,
the signs themselves and their sound values, are wholly different.
The similarity applies only to the principle of reading pictures or
symbols for their pictureless homonyms. The concrete application of
this method has nothing in common in the several parallel cases.
Finally, complete phonetic writing was invented but once, all
alphabets, however diverse, being historical descendants of the
primitive Semitic alphabet, which served as the sole source of a
tremendous diffusion (§ 134-149).
It is worth noting, however, that the first or pictographic stage of
writing is by no means a thing that flows instinctively from all men.
There are peoples, like some of the Indians of Brazil and California,
deficient in the ability or habit, according as one may wish to term it,
of expressing themselves in linear representations. They do not draw
rude outlines to depict objects. Asked to do so, they profess inability,
though set an example, or make a pathetically crude attempt. Their
failure or refusal does not argue inherent lack of faculty, since the
children of the same races, when put to school, draw figures with
interest and often with success. The attitude of the adults is rather
that of a person who had never heard even a snatch of music of any
kind or seen an instrument, being taken to a concert and then asked
to compose a simple little song. He would look upon this task as
transcendently beyond his powers. There are no songless nations,
but there are pictureless ones. Consequently picture-writing is not
the spontaneous product which we, who as children are reared in an
environment of pictures, might imagine it to be. If pictography were
due to a primary parallelism, to a spontaneous outflow of the human
mind, its absences would be in need of explanation. If, on the other
hand, it is the result of a single diffusing development, this must have
an antiquity of more than fifteen thousand years, as attested by the
Old Stone Age paintings, and the failure of certain peoples to be
affected is also in need of explanation.
Another case of parallelism is the recurring tendency to write
syllabically instead of alphabetically. The Hindu inclination in this
direction is discussed below (§ 146). That the phonetic symbols of
rebus systems should be largely syllabic is small wonder, for they
are pictures of things named with whole words. But the Hindu script
was derived from a Semitic letter alphabet, and its essentially
syllabic nature thus represents a reversion. The Japanese in adding
47 purely phonetic characters to the Chinese ideograms in order to
express grammatical elements, proper names, and the like in their
speech, denoted a syllable by each character. A third as many
consonant and vowel signs would have answered the same purpose.
When Sequoya the Cherokee devised an alphabet for his people in
order to equate them with the whites, he incorporated the forms of a
number of the English letters, but the values of all his signs were
syllabic. The same holds of the West African Vei writing invented in
the nineteenth century by a native. He had had enough mission
schooling to be stimulated by the idea of writing, but “instinctively”
fell back on syllable signs even though this necessitated two
hundred different characters.
There is an evident psychological reason for the uniformity of
these endeavors: we image words, in fact produce them, in syllables,
not in sounds. Any one, in slow speech, tends to syllabify, whereas
few wholly illiterate people can be induced without patient training to
utter the separate consonants and vowels of a word, even for the
purpose of teaching a foreigner.
This case of parallelism rests, therefore, on a psychological fact of
apperception. But it was the “accidents” of culture, not innate
psychology, that determined the particular symbols, and their values,
chosen by the Hindus, Japanese, Cherokee, and Vei, with the result
that in these symbols there is no specific similarity.
106. Time Reckoning

Still another case of primary parallelism is provided by the Maya-
Aztec system of time denotation by coupling two series of symbols in
an overlapping system of permutations, as described below (§ 197).
This is as if we denoted the successive days of the year 1 January, 2
February, 3 March, and so on, until, having come to 12 December
we went on 13 January, 14 February, and so once more around until
31 July was reached, when the next days would be 1 August and 2
September instead of February 1 and 2. Cumbersome and strange
as this system appears, an exact parallel to it in principle was
devised by the Hellenistic philosophers when they coupled the
twenty-four hours of the day with the seven planets in a 168-hour
cycle which gave the order and names to the days of the week (§
124). A third case occurs in China where ten “celestial stems” and
twelve “terrestrial branches” were permutated to form a sixty year
chronological cycle.[16] All three of these devices are based on the
same mathematical principle and serve the same end of time
reckoning. But their content and result is different. The Greeks
combined 24 with 7, the Chinese 12 with 10, the Mayas 13 with 20
and 260 with 365; and the periods treated ranged from hours to
years.
These cases of primary parallelism allow the inference that there
are certain inherent tendencies of the human mind in certain
directions, such as operation in rebus reading, syllabic writing,
reckoning by least common multiples. Here, then, is a seeming
approach for a definite psychological interpretation of the history of
civilization. Yet the results of such a method of attack must not be
overestimated. The generic manner of culture in these several
instances is indeed uniform enough to permit the conclusion that it
springs from a uniform impulse or bent of the mind. But all the
particular, concrete content of these cultural manifestations is as
diverse as their historical origins are separate; which means that
psychology may explain what is psychological in the cases, but that
a larger cultural constituent remains over before which the
generically valid principles of psychology are ineffective as
explanations. As in the case of the influence of physical environment
it might be said that psychological factors provide the limiting
conditions of cultural phenomena.
107. Scale and Pitch of Pan’s Pipes

A startling parallelism has been demonstrated between the Pan’s
pipes of the Solomon islands in Melanesia and those of the
northwest Brazilian Indians. The odd pipes differ, each from the next,
by the interval of a fourth. The even pipes give notes half-way in
pitch between the adjacent odd ones, and thus form another “circle
of fourths.” But the similarity does not end here. The absolute pitch
of the examined instruments from Melanesia and Brazil is the same.
Thus, the vibration rates in successive pipes are 557 and 560.5; 651
and 651; 759 and 749; 880 and 879! This is so close a coincidence
as to seem at first sight beyond the bounds of accidental
convergence. The data have in fact been offered, and in some
quarters accepted, as evidence of a historical connection between
the western Pacific and South America. Yet the connection would
have had to be ancient, since no memory of it remains nor is it
supported by resemblances in race, speech, nor anything obvious in
culture. The instruments are perishable. Primitive people, working by
rule of thumb, would be unable to produce an instrument of given
absolute pitch except by matching it against another, and perhaps
not then. Moreover, it is not known that absolute pitch is of the least
concern to them. It is therefore incredible that this correspondence
rests on any ancient diffusion: there must be an error in the record
somewhere, or the one accident in a million has happened in the
particular instruments examined.
The identity of scale or intervals however remains, and may be a
true case of parallelism. Only, as usual, it boils down to a rather
simple matter. The circles of fourths evidently originate in the
practice, in both regions, of overblowing the pipes. This produces
over-tones; of which the second, the “third partial tone,” is the fifth
above the octave of the fundamental, so that successive notes in
either the odd or even series of pipes, would, on the octave being
disallowed, differ by fourths. The basis of the resemblance, then, is a
physical law of sound. The cultural similarity shrinks to the facts of
pipes in series, the use of overblown tones, and the intercalating
odd-even series. Even these resemblances are striking, and more
specific than many cited cases of parallelism. In fact, were they
supported by enough resemblances in other aspects of culture, they
would go far to compel belief in actual connections between
Melanesia and Brazil.
108. Bronze
A striking case of independent development is offered by the
history of bronze. Bronze is copper alloyed with five to twenty per
cent of tin. The metals form a compound with properties different
from those of the two constituents. Tin is a soft metal, yet bronze is
harder than copper, and therefore superior for tools. Also, it melts at
a lower temperature and expands in solidifying from the molten
condition, and thus is better material for castings.
In the eastern hemisphere bronze was discovered early and used
widely. For nearly two thousand years it was the metal par
excellence of the more advanced nations. A Bronze Age, beginning
about 4,000 B.C., more or less simultaneously with the first phonetic
writing, is recognized as one of the great divisions of cultural time (§
66, 225).
In the western hemisphere bronze was apparently invented later
than in the eastern and spread less extensively. It was discovered in
or near the Bolivian highland, which is rich in tin (§ 196). From there
its use diffused to the Peruvian highland, then to the coast, then
north to about Ecuador, and finally, perhaps by maritime contacts, to
Mexico, where local deposits of tin were probably made use of after
their value was realized.
Theoretically, it might be queried whether knowledge of bronze
had possibly been carried to the Andes from the eastern hemisphere
by some now forgotten migration or culture transmission. Against
such a supposition there stands out first of all the isolated and
restricted distribution of the South American bronze art. It is ten
thousand miles by land from the metal-working nations of Asia to the
middle Andes. A people or culture wave that had traveled so far
could not but have left traces of its course by the way. The utilitarian
superiority of bronze over stone tools is so great that no people that
had once learned the art would be likely to give it up. Even if here
and there a group of tribes had retrograded, it cannot be imagined
that all the nations between China and Peru could have slipped back
so decisively. Certainly peoples like the Mayas and Chibchas, expert
metallurgists, would never have abandoned bronze-making.
The theory of a Chinese junk swept out of its course and washed
on a South American shore might be invoked. But the original South
American bronze culture occupies an inland mountain area. Further,
while Asiatic ships have repeatedly been wrecked on the Pacific
coast of North America and probably at times also on that of South
America, there is everything to indicate that the civilizational effects
of such accidents were practically nil. The highest cultures of Mexico
and South America were evolved in interior mountain valleys or
plateaus. Not one of the great accomplishments of the American
race—architecture, sculpture, mathematics, metallurgy—shows any
specific localization on the shore of the Pacific.
Further, it is hard to understand how the arrival of a handful of
helpless strangers could initiate an enduring culture growth. It is
easy enough for us, looking backward through the vista of history, to
fancy the lonely Indians standing on the shore to welcome the
strangers from the west, and then going with docility to school to
learn their superior accomplishments. Actually, however, people
normally do not feel or act in this way. Nations are instinctively
imbued with a feeling of superiority. They look down upon the
foreigner. Even where they admit his skill in this matter or that, they
envy rather than admire him. Thus, there is historic record of Oriental
and European vessels being wrecked on the Pacific coast of North
America, during the last century and a half, among tribes that were
still almost wholly aboriginal. In no case did the natives make any
attempt to absorb the higher culture of the strangers. Generally
these were enslaved or killed, their property rifled; sometimes the
wreck was set on fire. The greed for immediate gain of the treasures
in sight proved stronger than any dim impulses toward self-
improvement by learning.
As one conservative author has put it, occasional visits of Asiatics
or Pacific islanders to the shores of America would be, from the point
of view of the growth of the vast mass of culture in that continent,

PDF Principles of Information Security Fifth Edition Mattord Ebook Full Chapter

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PDF Principles of Information Security Fifth Edition Mattord Ebook Full Chapter

Uploaded by

Copyright:

Available Formats

Principles of information security Fifth

Principles of Information Security 6th Edition Whitman

Encyclopedia of Information Science and Technology

Principles of information systems Ralph Stair

Principles of Computer Security: CompTIA Security+ and

Information technology control and audit Fifth Edition

Principles of Security and Trust Lujo Bauer

Real estate principles: a value approach Fifth Edition

Fundamentals of information systems security 3rd

Principles of Information SEcurity

48367_cvr_ptg01_hires.indd 1 16/10/14 7:37 PM

Michael E. Whitman, Ph.D., CISM, CISSP

Herbert J. Mattord, Ph.D., CISM, CISSP

Australia • Brazil • Mexico • Singapore • United Kingdom • United States

Cengage Learning is a leading provider of customized learning

Cengage Learning products are represented in Canada by

To learn more about Cengage Learning, visit www.cengage.com

Printed in the United States of America

To my granddaughter Ellie; the future is yours.

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Planning Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Determining the Loss Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

IDPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Securing Wireless Networks with WEP and WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Nontechnical Aspects of Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

Case Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588

As global networks expand the interconnection of the world’s information systems,

gain a clear understanding of information security principles and formulate interdisciplinary

Structure and Chapter Descriptions

 Section II—Security Investigation Phase

some of which were introduced in Chapter 1: confidentiality, integrity, availability, authenti-

Chapter 3—Legal, Ethical, and Professional Issues in Information

 Section III—Security Analysis

Chapter 5—Risk Management Before the design of a new information security

Chapter 6—Security Technology: Firewalls and VPNs Chapter 6 provides a

Chapter 7—Security Technology: Intrusion Detection and Prevention

Chapter 8—Cryptography Chapter 8 continues the section on security technologies

Chapter 9—Physical Security A vital part of any information security process,

 Section VI—Maintenance and Change

New to This Edition

In addition, several professional organizations, commercial organizations, and individuals

Donn B. Parker, CISSP

100. General observations.—101. Cultural context.—102. Universal

100. General Observations

101. Cultural Context

103. Secondary Parallelism in the Indo-

This development toward a more analytical form is not only

104. Textile Patterns and Processes

105. Primary Parallelism: the Beginnings of

106. Time Reckoning

107. Scale and Pitch of Pan’s Pipes

You might also like

Section II—Security Investigation Phase

Section III—Security Analysis

Section VI—Maintenance and Change