During the last several years a great deal has been written in academic and trade journals about security. Several terms are in use, but information security (InfoSec), computer security, and information assurance are typically taken to mean the same thing, the protection of data, although information assurance is usually expanded to include personnel, plant, and equipment. One main theme of that writing has been to improve the effectiveness and understanding of security, to apply the security concepts learned, and to understand the technologies developed; it is important to recognize, however, that computer security may take on different meanings depending on the context in which it is discussed. Computer security is a very large field, and one that is often misunderstood. When we discuss computer security, are we discussing our personal computer at work or at home? Are we discussing portable devices such as Blackberries, PDAs, or laptops? Are we discussing security laws and regulations that affect the safeguarding of personal information, or are we discussing designing and implementing a risk-based security plan for an organization? It is therefore difficult to discuss computer security without a frame of reference. This paper will therefore discuss some of the issues and concerns of computer security in different frames of reference, and the importance of teaching security with that focus in mind.
Key Terms in this Chapter
Social engineering: An activity conducted by perpetrators against individuals in the hope of obtaining personal information, such as credit card numbers, banking information, user names, passwords, and so forth. Social engineering can take the form of e-mails, postal mail, and phone calls. It relies largely on non-technical means: rather than breaking into a system, the perpetrator tricks the individual into giving up the information, exploiting people's willingness to trust and their natural tendency to help others, often with bad consequences.
Computer Security: A term often used interchangeably with information security (InfoSec) and information assurance. It includes the protection of personal and organizational assets, hardware and software alike, of the data stored on systems and the data in transit, and of the management processes, procedures, and policies developed to protect these resources, for example a disaster recovery plan or a business continuity plan.
Security Model: A security model is a framework within which a security policy is developed. The policy is geared to a particular setting or instance, for example a policy based upon authentication, but it is built within the confines of the model. Thus, when designing a security model based upon authentication and authorization, one would consider the 4-factor model of security, that is, authentication, authorization, availability, and authenticity.
Information Systems Curriculum: An information systems curriculum is a model curriculum consisting of a fundamental body of knowledge in the information systems area. It represents the consensus of the information systems community of scholars, researchers, and practitioners who lead the field. It consists of the five major areas in IS, namely: information systems fundamentals, information systems theory and practice, information technology, information systems development, and information systems deployment and management processes.
Phishing: An activity based upon social engineering in which perpetrators, or phishers, attempt to exploit the trust of individuals to get them to reveal personal information, such as user names, passwords, credit card numbers, banking information, and so forth. Communications are attempted by several means, e-mail, phone, and letters, but most often by e-mail, because of the ease with which phishers can obtain mailing lists with thousands of addresses. Phishing techniques are varied and often look very businesslike, stating that your financial institution needs you to update your records immediately or your account will be locked. Phishers do not actually know your banking institution, but after they send out 10,000 e-mails the chances are good that some of the recipients really do conduct business with the institution named in the e-mail. The victim is the unsuspecting individual who does not recognize the message for what it is and who, instead of calling his or her financial institution, offers up valuable information, often at a Web site that looks identical to the institution's own.
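The traits in that definition (urgency wording, a lookalike of the institution's domain, and a link whose visible text names one host while it actually leads to another) can be checked mechanically. The following is an added illustration, not code from the chapter or its authors: the institution domain, the two sample messages, and the function names are all constructed for the example, and the registrable-domain rule is deliberately crude.

```python
"""Heuristic phishing e-mail check (added example, not from the chapter).

Flags the traits the chapter's definition describes: urgency wording, a
sender or link host that only imitates the institution's domain, and a
link whose visible text names one host while its href points to another.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the recipient really banks at this fictional domain.
TRUSTED_DOMAINS = {"examplebank.com"}

URGENCY = re.compile(
    r"immediately|within 24 hours|account will be (?:locked|suspended|closed)"
    r"|verify your (?:account|records)", re.I)
HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host (crude; wrong for co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Return the trusted domain this host imitates, or None if it is genuine/unrelated."""
    rd = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if rd == trusted:
            return None  # genuinely the institution's domain
        brand = trusted.rsplit(".", 1)[0]
        # brand name buried in another domain, or a near-miss spelling of it
        if brand in host.lower() or edit_distance(rd, trusted) <= 2:
            return trusted
    return None


def analyse_message(sender, html_body):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    if URGENCY.search(html_body):
        findings.append("urgency wording")
    sender_host = sender.rsplit("@", 1)[-1]
    imitated = lookalike(sender_host)
    if imitated:
        findings.append(f"sender domain {sender_host} imitates {imitated}")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text says {shown.group(1)} but goes to {host}")
        imitated = lookalike(host)
        if imitated:
            findings.append(f"link host {host} imitates {imitated}")
    return findings


# Constructed sample messages for the example (not real e-mail).
PHISH_FROM = "security@examplebank-verify.com"
PHISH_BODY = ('<p>Dear customer, your account will be locked unless you verify '
              'your records immediately.</p>'
              '<a href="http://examplebank.com.login-secure.net/update">'
              'www.examplebank.com</a>')
LEGIT_FROM = "alerts@examplebank.com"
LEGIT_BODY = ('<p>Your monthly statement is ready.</p>'
              '<a href="https://www.examplebank.com/statements">View statement</a>')

if __name__ == "__main__":
    for who, body in ((PHISH_FROM, PHISH_BODY), (LEGIT_FROM, LEGIT_BODY)):
        print(who, "->", analyse_message(who, body) or ["no findings"])
```

The check is only a heuristic: a phisher who registers an unrelated domain and avoids urgency phrases slips past it, which is why the definition's advice to call the institution directly rather than follow the link remains the reliable defence.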
Identity Theft: An activity in which a perpetrator uses someone else's personal information without permission for financial gain. Examples include credit card and mortgage fraud, where credit is issued to the perpetrator on the strength of the victim's financial rating. Perpetrators steal identities in numerous ways: e-mails, key loggers, impersonation, phone calls, and taking trash from an individual's home.
Trusted Computer System Evaluation Criteria (TCSEC): The Trusted Computer System Evaluation Criteria (TCSEC) was issued by the U.S. Department of Defense (1985) as directive DoD 5200.28-STD in December 1985. It was one of the first standards for evaluating computer systems against increasing levels of security, from division D (minimal protection) up to class A1 (verified design). Its main goal was to provide hardware and software criteria and evaluation methodologies. It was part of a set of documents called the rainbow series, each widely referred to by the color of its cover; TCSEC itself is the orange book.