English Proficiency Essay

Language proficiency or linguistic proficiency is the ability of an individual to speak or perform in an acquired language. As theories vary among pedagogues as to what constitutes proficiency,[1] there is little consistency as to how different organizations classify it. Additionally, fluency and language competence are generally recognized as being related, but separate controversial subjects. In predominant frameworks in the United States, proficient speakers demonstrate both accuracy and fluency, and use a variety of discourse strategies.[2] Thus, native speakers of a language can be fluent without being considered proficient. ————————————————- Organizations ACTFL The American Council on the Teaching of Foreign Languages (ACTFL) distinguishes between proficiency and performance. In part, ACTFL’s definition of proficiency is derived from mandates issued by the US government, declaring that a limited English proficient student is one who comes from a non-English background and â€Å"who has sufficient difficulty speaking, reading, writing, or understanding the English language and whose difficulties may deny such an individual the opportunity to learn successfully in classrooms where the language of instruction is English or to participate fully in our society.† ACTFL views â€Å"performance† as being the combined effect of all three modes of communication: interpretive, interpersonal, and presentational. ————————————————- Proficiency frameworks Note that test scores may not correlate reliably, as different understandings of proficiency lead to different types of assessment: * FSI Test (Foreign Service Institute) Scores range from 0 to 5+.[3] (deprecated) * Interagency Language Roundtable Scores range from 0 to 5.[4] (evolved from FSI) * Language Proficiency Index * ACTFL Proficiency Guidelines ACTFL recognises ten different levels of proficiency: â€Å"novice†, â€Å"intermediate†, â€Å"advanced†, and â€Å"superior†, of which the first three are each subdivided into â€Å"low†, â€Å"mid†, and â€Å"high†. * Common European Framework of Reference for Languages CEF recognises six levels: A1, A2, B1, B2, C1 and C2. Proficiency tests * CELPE-Bras (Certificate of Proficiency in Portuguese for Foreigners) * Defense Language Proficiency Tests * DELE (Diplomas of Spanish as Foreign Language) * Examination for Japanese University Admission * General English Proficiency Test * Hà  nyÇ” ShuÇ pà ­ng KÇŽoshà ¬ (æ ±â€°Ã¨ ¯ ­Ã¦ ° ´Ã¥ ¹ ³Ã¨â‚¬Æ'è ¯â€¢) * IELTS (International English Language Testing System) * iTEP (International Test of English Proficiency * Japanese Language Proficiency Test (æâ€" ¥Ã¦Å" ¬Ã¨ ªÅ¾Ã¨Æ' ½Ã¥Å â€ºÃ¨ © ¦Ã© ¨â€œ Nihongo NÃ… ryoku Shiken) * Language Proficiency Assessment for Teachers * The European Language Certificates (telc – language tests) * TOEFL (Test Of English as a Foreign Language) * TOEIC (Test of English for International Communication) * TEPS (Test of English Proficiency developed by Seoul National University) * Test of Russian as a Foreign Language * Test de franà §ais international * Test de connaissance du franà §ais * TOCFL(è  ¯Ã¨ ªÅ¾Ã¦â€"‡èÆ' ½Ã¥Å â€ºÃ¦ ¸ ¬Ã© ©â€" Test of Chinese as a Foreign Language) * UBELT (University of Bath English Language Test) * University of Cambridge ESOL examination See also: Language tests category ————————————————- [edit]Professional organizations * Alliance franà §aise * American Council on the Teaching of Foreign Languages * Association of Language Testers in Europe * Foreign service institute * Goethe-Institut * UCLES * UNIcert * Instituto Cervantes * UBELT ————————————————- References 1. ^ www.ncela.gwu.edu 2. ^ http://lauder.wharton.upenn.edu 3. ^ www.utm.edu 4. ^ www.utm.edu English proficiency is the the ability to speak, read and/or write in English. To be considered truly proficient, one should have advanced abilities in all three areas of communication. English Proficiency In The Philippines I recently read that 80% of teachers failed their English proficiency exam and that some CallCenters are closing because of a lack of applicants who have a level of English fluencydemanded by the industry.I am a Native Speaker (Canadian / UK) with over 20 years experince presenting Englishlanguage programs for the Canadian federal and provincial governments, several colleges and auniversity. After moving to thePhilippinesI continued my presentions and teaching to foreigners in ESL schools.Recently I decided to change my ESL students. Why should I be teaching foreiners English whenwhat I should be doing is giving the Filipno a chance to improve their chances of having achallenging and rewarding career?. It makes more sense to me, to help them to improve their English to a level of fluency that most companies both here in the Philippines and abroaddemand†¦Ã¢â‚¬ ¦Ã¢â‚¬ ¦Ã¢â‚¬ ¦.Lets give the Filipino a chance to improve their position in lifeMy first opportunity was to present my English fluency program to English teachers in the private school sector. 80% failed the initial testing, However, later 80% achieved a much higher level of fluency after completing the program. The EF English Proficiency Index (EF EPI) is a report which attempts to rank countries by the average level of English skills amongst adults. It is the product of EF Education First, a global language training company, and draws its conclusions from data collected via online English tests available for free over the internet. The report was published for the first time in March, 2011 based on the results of over 2 million test takers.[1] The most recent ranking was released in October, 2012. ——†”—————————————- Methodology The 2012 index is compiled from the results of 1.7 million adults who took one of three short online English tests between 2009 and 2011. The test takers were self-selected and no demographic information was collected on them. The tests are used by the company for marketing and placement purposes. 52 countries and 2 territories appear in the 2012 index. All other countries did not have enough test takers to be considered valid. In order to be included a country was required to have at least 400 test takers total.[2] ————————————————- Findings The report is composed of a country ranking table, several pages of analysis with graphs correlating other economic and social factors with English proficiency, and regional analyses of Europe, Asia, Latin America, and the Middle East and North Africa. The 2012 report includes data for the first time comparing women to men, and comparing different age groups by English proficiency. The website displays portions of the report and has in-depth profiles of the role of English in 15 countries [3] which are not contained in the report. Eleven country factsheets are presented separately from the report. These provide data on how cities and regions scored within the country. Primary conclusions 1. Exports per capita, Gross National Income per capita and average number of years of schooling all correlate positively with English proficiency. That is to say wealthier countries speak better English. 2. The factor that correlates best to English proficiency is Internet usage. 3. Europe as a whole speaks the best English, Latin America the worst. 4. Starting English education younger in school does not necessarily improve adult proficiency. ————————————————- Criticism The EF English Proficiency Index has been criticized for its lack of representative sampling in each country.[4] The report states that participants in the tests are self-selected and must have access to the internet. This pushes the index towards the realm of an online survey rather than a statistically valid evaluation. However there are few alternative comparisons available of countries by their English skills, and those that exist are smaller in scale, as is the case with a reported British Council study,[1] or they have other sampling flaws, as is the case with rankings of countries by standardized English test scores such as the TOEFL.[5] The European Commission performed a language survey, SurveyLang, which tests a representative sample of 15 year old European students on their foreign language skills. The first report and data sets were released for 13 European countries in June 2012 [6] ———————————à ¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€- References 1. ^ a b English: Who speaks English?. The Economist. Retrieved on 2011-05-29. 2. ^ EF English Proficiency Index – Comparing English skills between countries – EF EPI. Ef.com. Retrieved on 2011-05-29. 3. ^ English around the world – Country profiles – EF EPI. Ef.com. Retrieved on 2011-05-29. 4. ^ The English Blog: EF English Proficiency Ranking. Jeffreyhill.typepad.com (2011-03-30). Retrieved on 2011-05-29. 5. ^ TOEFL: Test and Score Data Summaries. Ets.org. Retrieved on 2011-05-29. 6. ^ [1]. European Commission. Retrieved on 2012-09-20. Communicative Competence and English as an International Language Language is used for expressing our thoughts , and for verbal thinking, problem-solving, and creative writing, but it is used essentially for communication. What makes it difficult to grasp the language user’s systems of representation for communication with others is the fact that the capability of individuals to interact with others through language is a unique quality and at the same time a universal human quality. The successful language use for communication presupposes the development of communicative competence in the users of that language and that the use of language is constrained by the socio-cultural norms of the society where the language is used. The use of English in Britain is influenced by the British socio-cultural norms which underlie individual differences. So are American English, Indian English, Nigerian English, and Singaporean English. That holds true in areas where English is used daily either as a native language or as a second language. In the use of English for international communication, however, what society’s or societies’ socio-cultural norms should be observed? Should they be the Anglo-American norms because speakers use American or British English as the model? Or would they be the socio-cultural norms of speakers’ native societies, which are not conspicuous nevertheless inevitably ooze out? Or is there what might be called pan- human or universal socio-cultural norm(s) overarching individual societies and cultures? In this paper, I would first review communicative competence briefly, then discuss what English as an International Language (EIL) is, and lastly argue that communicative competence, especially socio-cultural competence, of EIL speakers does not necessarily need to be that of native English speakers. English Proficiency English nowadays is considered as the universal language; for which it is understood by almost all countries around the world. It is used by most people as their second language. First, it is a way of communication in business, negotiations & especially in academics. It plays an important role in the basic education, particularly to speaking and writing (Kumar, 2009). English proficiency must be treated as an additional skill. In reality, a country needs to build familiarity, friendship and collaborate with other countries as well. It is the government’s obligation to give good quality of education to be able to work and communicate in a wider and competitive world (Alave, 2006). English proficiency pertains to the ability to speak, read and write in English. To be considered as truly proficient, you should have an advanced skill in this. We know that English is the universal language, to communicate to those people in other countries; you have to speak in English so they will understand what you are saying. We all know that lately, our country, Philippines is known for being English proficient of its citizen. But, this advantage is being eroded by other rising competitions with declining mastery of some college graduates. Just recently, a language test was taken by IDP Education Pty. Ltd. Philippines which showed that our country is no longer the top English-speaking country in Asia. This may be so because some students nowadays do not even try to enhance their English skill. LOW ENGLISH PROFICIENCY; CAUSES AND EFFECTS TO UNIVERSITY STUDENTS The low levels of English proficiency among university students nowadays becoming a hot issue among academic thinkers. This is because the students’ English language skills are not being developed during their higher education experience. Thus, reflects negatively on the quality of higher education and its graduates. The factors low English proficiency among most learners are due to two factors; internal factors such as no confident when using English, negative attitude towards the English language and external factor like the limited opportunities to use English outside the classroom. Most learners have lack of confidence when using English language. For example, the person that has low self-confidence may refuse to use the language in publics. Anna Freud once said â€Å"I was always looking outside myself for strength and confidence but it comes from within. It is there all the time.† This shown that confident levels are decreasing when the learners are lack of self-confidence to use this language. They are afraid to be wrong and prejudiced about it. The second reason is the negative attitudes towards the English language. For information, attitude has been defined as the inclination to act or to be in a state of ‘readiness’ to act (Gagne, 1985). The learners just learnt English for pass the examination not using it as their second language. Students in university generally find it difficult to maintain their interest in English language learning as English is not seen as important for their immediate needs other than to pass their examination. A lot of negative attitudes build up from unfamiliarity with the culture of the target language (Tucker and lambert, 1973). Malay students from small towns or rural places usually grown up in a situation that English is unimportant language, not like their speaking homes language, Bahasa Melayu. English Proficiency for Global Competitiveness For some years, the Philippines was well-known as the only English-speaking country in Southeast Asia. The fluency of the English language came from the Americans who once occupied our coasts. In that period of time, we stood at an advantage from our neighbor countries. We got a lot of profits because we could speak the language that most developed countries use. Filipinos had already been capable of persuading foreign investors to set in our country even before other Asian countries realized the need to train their citizens in utilizing the English language to be able to converse with other countries and increase their economies. That is why we held a great promise of development during those times. After some years, we shifted to use our national language as the medium for instruction in school, government facilities, and everywhere with our belief that people would learn better and they would become more nationalistic. The advocates of the English language, then, suddenly had to give way to those who are in favor of our native language. Language, indeed, became an issue. Well, it does not mean that if we use the English language, we are less nationalistic. We have been using Filipino in our lives for several years already and we have actually seen its effect. We could say that it had not really made a significant difference in terms of the students’ rate of learning and development in our country. I think, it is about time that we embrace the use of the English language once more so we could be more competitive globally. Surely we have to move back to square one as we try to regain the edge that we lost. Right motivation and proper attitude towards the acquisition of the English language will undoubtedly help us become confident and adept in the language. Stop neglecting the English language, let’s use it. English Proficiency in the Philippines Introduction Because English is so widely spoken, it has often been referred to as a â€Å"world language†, the lingua franca of the modern era, and while it is not an official language in most countries, it is currently the language most often taught as a foreign language. The history of the English language really started with the arrival of three Germanic tribes who invaded Britain during the 5th century AD. These tribes, the Angles, the Saxons and the Jutes, crossed the North Sea from what today is Denmark and northern Germany. At that time the inhabitants of Britain spoke a Celtic language. But most of the Celtic speakers were pushed west and north by the invaders – mainly into what is now Wales, Scotland and Ireland. The Angles came from England and their language was called Englisc – from which the words England and English are derived. Approximately 375 million people speak English as their first language. English today is probably the third largest language by number of native speakers, after Mandarin Chinese and Spanish. However, when combining native and non-native speakers it is probably the most commonly spoken language in the world, though possibly second to a combination of the Chinese languages (depending on whether or not distinctions in the latter are classified as â€Å"languages† or â€Å"dialects†). Countries such as the Philippines, Jamaica and Nigeria also have millions of native speakers of dialect continua ranging from an English-based creole to a more standard version of English. Ways to Improve English Proficiency This article was created by a professional writer and edited by experienced copy editors, both qualified members of the Demand Media Studios community. All articles go through an editorial process that includes subject matter guidelines, plagiarism review, fact-checking, and other steps in an effort to provide reliable information. By Gregory Hamel, eHow Contributor 1. o English is one of the most widely spoken languages in the world. Gaining English proficiency can be an important aspect of education in many fields from business to aviation to science. Even native English speakers can benefit from increasing knowledge and improving writing skills. There are many accessible ways to improve English proficiency effectively without taking formal classes. Speak Regularly o One of the most important aspects of gaining proficiency in any language is speaking it regularly. Self-study can improve reading and comprehension skills, but interacting with other English speakers is essential for boosting real-world comprehension and practical use of the English language. If you live in a bilingual home, designate a certain amount of time each day for speaking only in English. Making English-speaking friends, perhaps those interested in learning a different language that you speak, can help increase proficiency. Living in an English-speaking country will help immerse you in the language and increase all aspects of your English knowledge. Media o Watching or listening to media in English is a way to improve English comprehension without feeling like you are studying. Watch popular English movies and listen to English music. Avoid watching dubbed films in favor of those with English voice and subtitles. ENGLISH LANGUAGE PROFICIENCY LEVELS The definitions of the five limited-English language proficiency levels, as well as Level 6, one of two fully-English language proficiency levels, are from PI 13.08(3)(1)-(6), Wisconsin Administrative Rule. Level 7, the other fully-English language proficiency level, is used for purposes of state reporting/state testing. Level 1—Beginning/Preproduction [WIDA level = Entering]: A pupil shall be classified level 1 if the pupil does not understand or speak English with the exception of a few isolated words or expressions. Level 2—Beginning/Production [WIDA level = Beginning]: A pupil shall be classified level 2 if all of the following criteria are met: (a) The pupil understands and speaks conversational and academic English with hesitancy and difficulty. (b) The pupil understands parts of lessons and simple directions. (c) The pupil is at a pre-emergent or emergent level of reading and writing in English, significantly below grade level. Level 3—Intermediate [WIDA level = Developing]: A pupil shall be classified level 3 if all of the following criteria are met: (a) The pupil understands and speaks conversational and academic English with decreasing hesitancy and difficulty. (b) The pupil is post-emergent, developing reading comprehension and writing skills in English. (c) The pupil’s English literacy skills allow the student to demonstrate academic knowledge in content areas with assistance. Level 4—Advanced Intermediate [WIDA level = Expanding]: A pupil shall be classified level 4 if all of the following criteria are met: (a) The pupil understands and speaks conversational English without apparent difficulty, but understands and speaks academic English with some hesitancy. (b) The pupil continues to acquire reading and writing skills in content areas needed to achieve grade level expectations with assistance. ENGLISH PROFICIENCY: HOW MUCH OF A PROBLEM IS IT? For many of us, the state of education in a country speaks volumes. Where English is spoken and taught as a second language, fluency is deemed a basic requirement for proper communication and propagation of ideas and connotes success. Does this fluency actually translate to a country’s economic success and overall standing in the world of nations? Back when American influence on teachers was still strong in the 1950s, I recall instances where all of us, pupils then, were required to speak English in English class or be fined five centavos per instance of speaking in Ilocano, a major dialect of northern Philippines. Five centavos then was a hefty sum. Tagalog, now Filipino, was not commonly in use at the time. Each one of us would try to catch anyone who committed the â€Å"sin† and report it to a classmate assigned to collect the fines who, in turn, would submit the list of offenders to the teacher. We never asked where those collections went. Teachers were the bosses and their word was law. No one questioned them. They stood on pedestals and we looked up to them with much respect. Teaching was a very respectable profession. Looking back, I now realize that our teachers in elementary and high school, then spoke or at least taught us proper English and with much enthusiasm. Perhaps my siblings and I had the added advantage of being raised by parents who happened to be teachers. Several of their brothers and sisters were graduates of the Philippine Normal School. Books we used were brought in by the American teachers and ministers–from readers, to hymnals, to almanacs. There were practically no Filipino authors that we knew of. American influence gave us a decided advantage over our Asian neighbors. The country enjoyed a privileged status in the region as a consequence of this. Engish is the standard form of communication. It’s used worldwide by people who are from different countries but need to communicate with each other. English is also seen as the business language, as for reasons mentioned above. We study it also for the reasons we study any language-we need to have a way to articulate the things we need and desire. English is also used primarily on the internet-which today connects millions of people world wide. English is used in many different countries also because curing the Colonial and Imperial Age, Britain proved to be â€Å"successful† at gaining colonies on different continents around the world. MUCH has been said about the importance of English in our schools and here is another to add to the sum total. There is a saying that if you have something the world wants, it will beat a path to your door wherever you may be; but if the world has something you want, then you have to go out to get it. As of now, what we want from the outside world is the latest knowledge in all fields of human endeavour. Undeniably, most of these are couched in English and to acquire them we have to be proficient in the language. Having acquired and returned with new knowledge, the need is to disseminate it through learning institutions for the benefit of the country. Teaching it to those proficient in English is straight forward. But to recipients who are monolingual in Bahasa Malaysia, translations will be required, and this can be slow and time-consuming. Depending on translations alone is hardly an efficient way to keep up with the latest advances. Perhaps that is why our government is encouraging bilingualism – English and Bahasa Malaysia – in our national schools. But individual proficiency in English will differ and it may require enhancement depending on one’s career leanings. If one wishes to engage in local business or to take up more mundane occupations, then perhaps knowing Bahasa Malaysia alone will be adequate, but of course, a smattering of English will always help. But if one aspires to be a diplomat, a scientist or to enrol in an English university, then a greater depth in English is required. Since Bahasa Malaysia is the national language, it has to be taught in schools. It is the glue that binds our people together for national betterment. English, on the other hand is the currency for international discourse, without which we would be isolated. Hence, until such time when we are an advanced country and our national language is brought to a wider and impeccable level and our people can invent things the world will want, then the world will indeed beat a path to our shores to learn from us and in our national language. C.P.B., Kuala Lumpur. Today, there are many people all of the world study English. Most of people think that maybe english becomes their second language. But have you ever wondered:† Why do we need to learn English†. Why don’t we searching about it? First, English helps you to improve friendship and maybe include our knowledge around the world. Nowadays, many people have a wider friendship around the world. So learning English is an important way to communicate with friends from another countries. Absolutely, learning English can help you to make more friends, we can exchange with a lot of people, improve our relationships. From that, we can learn more, open our knowledge world. Every year, there are lots of teenagers go overseas to learn for themselves, to improve every important, to bring every new thing from another countries to our country. Second, English helps you to connect our country to the world or we can learn more about another countries’s tradition. Learning English, we can introduce every beautiful things, places,†¦ to internaional friends from another countries. Foreigners wil be curious and they will travel to our country. On the contrary, we can understand more special traditional foods, cultures,†¦ from another countries. I think it’s great so we need to learn English Finally, we can find jobsmore easily. Today, all companies need their wokers know at least on language, especially English. In some international companies, every person have to know English well. So we need to learn English in other to have a good job for you. You can see. Learning is very important way to climb on our future stepladder. I hope that people wil learn English for themselves and for their future. English is one of the legacy`s examples that was left by the British colonial rule in Malaysia long time ago. It is one of the most crucial foreign languages in Malaysia and even around the world nowadays, and is used widely and quite extensively in all aspects of daily life. English and the national language of Malaysia, `Bahasa Malaysia`, both play a very important role in tighten together our multicultural nation. English and `Bahasa Malaysia` helps to unite people and to create a unique national awareness. Instead of its history, Malaysia has recently showed a sharp decline in the English language proficiency. According to Murugesan (2003), the decline is largely due to a backwash effect from a change implemented in the early 1960s and 1970s when `Bahasa Malaysia` replaced English as the medium of instruction in schools and as the language used for official matters. On the other hand, according to Lee (2002), the drop in proficiency of English has not been due so much to the emphasis on Malay, but it is primarily the result of bad attitudes to language and poor approaches to the teaching of language. The decline of English language proficiency will lead to other side effects that will someday give out various major problems to us. Due to the decline in our country, it might be a step backward from other country around the world from the information and technology aspect and other related aspects. In this essay, I will critically response about the topic, `English Language Proficiency Should Not Be Taken for Granted` based on the three articles that have been chooses. The first article that I have chooses is mainly about the importance of English language proficiency. The second article talks about the steps that will be taken to enhance the English usage, while the third article discuss about suggestions to strengthen the students English language proficiency.

In what ways have changes in technology led to changes Essay

The technological advances of today had greatly influenced the conceptualization up to implementation of software architectures. Miniaturization of hardware dependence, further enhancement of capabilities and features, faster processing time for the most accurate result(s), and the most considered by many as the most important of all, improvement of user-friendliness were only just an ample of the trends happening today for the software industry. Since these were the trends, software architects had to cope up with the peoples demand for better software interaction experience. The large computers that occupy a whole room but do the same capabilities of our personal computers nowadays were had long been obsolete. Computers had long been recognized by many as a nice help for human living. Man then realized that computers need to be portable in order that man could bring it wherever he goes and utilize it whenever he likes or whenever he needed. Hardware for computers is now made to be as compact as possible, (great example would be the hardware of mobile phones). This trend is then accompanied by the need for better algorithms and implementation codes. The task for creating such algorithms and codes had turned to be more complex as time goes. Software makers had then thought that it is better that this problem be distributed to a group of people so that it would be easier to solve. People they will select to handle the task should have the knowledge for the specific task he should do. And then after this creation of algorithm phase, the remaining problem would then be how the person to use would utilize the code without requiring him to know all the science behind it. Technology is fast changing. Computer and software improvements are a part of this changing technology. That is why the field of software architecture emerged. References: Software Architecture. Retrieved July 10, 2007 from http://en. wikipedia. org/wiki/Software_architecture.

Principles of Information Security, 4th Ed. – Michael E. Whitman Chap 01

Licensed to: CengageBrain User Licensed to: CengageBrain User Principles of Information Security, Fourth Edition Michael E. Whitman and Herbert J. Mattord Vice President Editorial, Career Education & Training Solutions: Dave Garza Director of Learning Solutions: Matthew Kane Executive Editor: Steve Helba Managing Editor: Marah Bellegarde Product Manager: Natalie Pashoukos Development Editor: Lynne Raughley Editorial Assistant: Jennifer Wheaton Vice President Marketing, Career Education & Training Solutions: Jennifer Ann Baker Marketing Director: Deborah S.Yarnell Senior Marketing Manager: Erin Coffin Associate Marketing Manager: Shanna Gibbs Production Manager: Andrew Crouth Content Project Manager: Brooke Greenhouse Senior Art Director: Jack Pendleton Manufacturing Coordinator: Amy Rogers Technical Edit/Quality Assurance: Green Pen Quality Assurance  © 2012 Course Technology, Cengage Learning For more information, contact or find us on the World Wide Web at: www. course. com ALL R IGHTS RESERVED.No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706 For permission to use material from this text or product, submit all requests online at cengage. com/permissions Further permission questions can be emailed to [email  protected] comLibrary of Congress Control Number: 2010940654 ISBN-13: 978-1-111-13821-9 ISBN-10: 1-111-13821-4 Course Technology 20 Channel Center Boston, MA 02210 USA Cengage Learning is a leading provider of custo mized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international. cengage. com/region. Cengage Learning products are represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit course. cengage. com Purchase any of our products at your local college store or at our preferred online store www. engagebrain. com. Printed in the United States of America 1 2 3 4 5 6 7 8 9 14 13 12 11 10 Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it . Licensed to: CengageBrain User hapter 1 Introduction to Information Security Do not figure on opponents not attacking; worry about your own lack of preparation. BOOK OF THE FIVE RINGS For Amy, the day began like any other at the Sequential Label and Supply Company (SLS) help desk. Taking calls and helping office workers with computer problems was not glamorous, but she enjoyed the work; it was challenging and paid well. Some of her friends in the industry worked at bigger companies, some at cutting-edge tech companies, but they all agreed that jobs in information technology were a good way to pay the bills.The phone rang, as it did on average about four times an hour and about 28 times a day. The first call of the day, from a worried user hoping Amy could help him out of a jam, seemed typical. The call display on her monitor gave some of the facts: the user’s name, his phone number, the department in which he worked, where his office was on the company campus, and a list of all the calls he’d made in the past. â€Å"Hi, Bob,† she said. â€Å"Did you get that document formatting problem squared away? † â€Å"Sure did, Amy. Hope we can figure out what’s going on this time. † â€Å"We’ll try, Bob. Tell me about it. † â€Å"Well, my PC is acting weird,† Bob said. When I go to the screen that has my e-mail program running, it doesn’t respond to the mouse or the keyboard. † â€Å"Did you try a reboot yet? † 1 Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageB rain User Chapter 1 â€Å"Sure did. But the window wouldn’t close, and I had to turn it off. After it restarted, I opened the e-mail program, and it’s just like it was before—no response at all. The other stuff is working OK, but really, really slowly. Even my Internet browser is sluggish. † â€Å"OK, Bob. We’ve tried the usual stuff we can do over the phone. Let me open a case, and I’ll dispatch a tech over as soon as possible. † Amy looked up at the LED tally board on the wall at the end of the room. She saw that there were only two technicians dispatched to deskside support at the moment, and since it was the day shift, there were four available. Shouldn’t be long at all, Bob. † She hung up and typed her notes into ISIS, the company’s Information Status and Issues System. She assigned the newly generated case to the deskside dispatch queue, which would page the roving deskside team with the details in just a few minutes. A moment later, Amy looked up to see Charlie Moody, the senior manager of the server administration team, walking briskly down the hall. He was being trailed by three of his senior technicians as he made a beeline from his office to the door of the server room where the company servers were kept in a controlled environment. They all looked worried.Just then, Amy’s screen beeped to alert her of a new e-mail. She glanced down. It beeped again—and again. It started beeping constantly. She clicked on the envelope icon and, after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez, an acquaintance from the Accounting Department. The subject line said, â€Å"Wait till you see this. † The message body read, â€Å"Look what this has to say about our managers’ salaries†¦Ã¢â‚¬  Davey often sent her interesting and funny e-mails, and she failed to notice that the file attachment icon was unu sual before she clicked it.Her PC showed the hourglass pointer icon for a second and then the normal pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened. Her phone rang again. She clicked the ISIS icon on her computer desktop to activate the call management software and activated her headset. â€Å"Hello, Tech Support, how can I help you? † She couldn’t greet the caller by name because ISIS had not responded. â€Å"Hello, this is Erin Williams in receiving. † Amy glanced down at her screen. Still no ISIS.She glanced up to the tally board and was surprised to see the inbound-call-counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time. â€Å"Hi, Erin,† Amy said. â€Å"What’s up? † â€Å"Nothing,† Erin answered. â€Å"That’s the problem. † The rest of the call was a replay of Bob’s, except that Amy had to jot notes down on a legal pad. She couldn’t dispatch the deskside support team either. She looked at the tally board. It had gone dark. No numbers at all. Then she saw Charlie running down the hall from the server room. He didn’t look worried anymore. He looked frantic. Amy picked up the phone again.She wanted to check with her supervisor about what to do now. There was no dial tone. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 3LEARNING OBJECTIVES: Upon completion of this material, you should be able to: †¢ †¢ †¢ †¢ †¢ Define information security Recount the history of computer security, and explain how it evolved into information security Define key terms and critical concepts of information security Enumerate the phases of the security systems development life cycle Describe the information security roles of professionals within an organization 1 Introduction James Anderson, executive consultant at Emagined Security, Inc. , believes information security in an enterprise is a â€Å"well-informed sense of assurance that the information risks and controls are in balance. He is not alone in his perspective. Many information security practitioners recognize that aligning information security needs with business objectives must be the top priority. This chapter’s opening scenario illustrates that the information risks and controls are not in balance at Sequential Label and Supply. Though Amy works in a technical support role and her job is to solve technical problems, it does not occur to her that a malicious software program, like a worm or virus, might be the agent of the company’s current ills.Management also shows signs of confusion and seems to have no idea how to contain this kind of incident. If you were in Amy’s place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company? As you explore the chapters of this book and learn more about information security, you will become better able to answer these questions. But before you can begin studying the details of the discipline of information security, you must first know the history and evolution of the field.The History of Information Security The history of information security begins with computer security. The need for computer security—that is, the need to secure physical locations, hardware, and softwa re from threats— arose during World War II when the first mainframes, developed to aid computations for communication code breaking (see Figure 1-1), were put to use. Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data.Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and more technologically sophisticated computer security safeguards. During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.One of the first documented security problems that fell outside these categories occurred in the early 196 0s, when a systems administrator was working on an MOTD Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.Licensed to: CengageBrain User 4 Chapter 1 Earlier versions of the German code machine Enigma were ? rst broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable anguish to Allied forces before ? nally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn’t read it. †1 Figure 1-1 The Enigma Source: Courtesy of National Security Agency (message of the day) file, and another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file. 2 The 1960s During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information. Larr y Roberts, known as the founder of the Internet, developed the project—which was called ARPANET—from its inception. ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPANET Program Plan).The 1970s and 80s During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew. In December of 1973, Robert M. â€Å"Bob† Metcalfe, who is credited Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience.Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 5 1 Figure 1-2 Development of the ARPANET Program Plan3 Source: Courtesy of Dr. Lawrence Roberts with the development of Ethernet, one of the most popular networking protocols, identified fundamental problems with ARPANET security. Individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users.Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorization to the system. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecurity. In 1978, a famous study entitled â€Å"Protection Analysis: Final Report† was published. It focused on a project undertaken by ARPA to discover the vulnerabilitie s of operating system security. For a timeline that includes this and other seminal studies of computer security, see Table 1-1. The movement toward security that went beyond protecting physical locations began with a single paper sponsored by the Department of Defense, the Rand Report R-609, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system.The document was classified for almost ten years, and is now considered to be the paper that started the study of computer security. The security—or lack thereof—of the systems sharing resources inside the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being acquired at a rapid rate and securing them was a pressing concern for both the military and defense contractors. Copyright 2011 Cengage Learning. All Rights Reserved.May not be copied, scanned, or duplicated, in whole or in pa rt. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User 6 Chapter 1 Date 1968 1973 1975 1978 Documents Maurice Wilkes discusses password security in Time-Sharing Computer Systems.Schell, Downey, and Popek examine the need for additional security in military systems in â€Å"Preliminary Notes on the Design of Secure Military Computer Systems. †5 The Federal Information Processing Standards (FIPS) examines Digital Encryption Standard (DES) in the Federal Register. Bisbey and Hollingworth publish their study â€Å"Protection Analysis: Final Report,† discussing the Protection Analysis project created by ARPA to better understand the vulnerabilities of opera ting system security and examine the possibility of automated vulnerability detection techniques in existing system software. Morris and Thompson author â€Å"Password Security: A Case History,† published in the Communications of the Association for Computing Machinery (ACM). The paper examines the history of a design for a password security scheme on a remotely accessed, time-sharing system. Dennis Ritchie publishes â€Å"On the Security of UNIX† and â€Å"Protection of Data File Contents,† discussing secure user IDs and secure group IDs, and the problems inherent in the systems. Grampp and Morris write â€Å"UNIX Operating System Security. In this report, the authors examine four â€Å"important handles to computer security†: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security. 7 Reeds and Weinberger publish â€Å"File Secu rity and the UNIX System Crypt Command. † Their premise was: â€Å"No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the systems administrator or other privileged users †¦ the naive user has no chance. 8 1979 1979 1984 1984 Table 1-1 Key Dates for Seminal Works in Early Computer Security In June of 1967, the Advanced Research Projects Agency formed a task force to study the process of securing classified information systems. The Task Force was assembled in October of 1967 and met regularly to formulate recommendations, which ultimately became the contents of the Rand Report R-609. 9 The Rand Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security.It noted that the wide utilization of networking components in information systems in the military introduced security risks that could not be mitigated by the routine pra ctices then used to secure these systems. 10 This paper signaled a pivotal moment in computer security history—when the scope of computer security expanded significantly from the safety of physical locations and hardware to include the following: Securing the data Limiting random and unauthorized access to that data Involving personnel from multiple levels of the organization in matters pertaining to information securityMULTICS Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience.Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 7 its core functions. It was a mainframe, time-sharing operating system developed in the mid1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT). In mid-1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlro) created a new operating system called UNIX.While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. In fact, it was not until the early 1970s that even the simplest component of security, the password function, became a component of UNIX. In the late 1970s, the microprocessor brought the personal computer and a new age of computing. The PC became the workhorse of modern computing, thereby moving it out of the data center.This decentralization of data processing systems in the 1980s gave rise to networking—that is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together. 1 The 1990s At the close of the twentieth century, networks of computers became more common, as did the need to connect these networks to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals.The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the tec hnology became pervasive, reaching almost every corner of the globe with an expanding array of uses. Since its inception as a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards, because industry standards for interconnection of networks did not exist at that time.These de facto standards did little to ensure the security of information though as these precursor technologies were widely adopted and became industry standards, some degree of security was introduced. However, early Internet deployment treated security as a low priority. In fact, many of the problems that plague e-mail on the Internet today are the result of this early lack of security. At that time, when all Internet and e-mail users were (presumably trustworthy) computer scientists, mail server authentication and e-mail encryption did not seem necessary.Early computing approaches relied on secu rity that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats. 2000 to Present Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer’s stored information is now contingent on the level of security of every other computer to which it is connected.Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience.Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User 8 Chapter 1 cyber attacks have made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure. There is also growing concern about nation-states engaging in information warfare, and the possibility that business and personal information systems could become casualties if they are undefended.What Is Security? In general, security is â€Å"the quality or state of being secure—to be free from danger. †11 In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective. National security, for example, is a multilayered system that protects the sovereignty of a st ate, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.A successful organization should have the following multiple layers of security in place to protect its operations: Physical security, to protect physical items, objects, or areas from unauthorized access and misuse Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations Operations security, to protect the details of a particular operation or series of activities Communications security, to protect communications media, technology, and content Network security, to protect networking components, connections, and contents Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and techno logy.The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. 12 Figure 1-3 shows that information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C. I. A. triangle. The C. I. A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability.The security of these three characteristics of information is as important today as it has always been, but the C. I. A. triangle model no longer adequately addresses the constantly changing environment. The threats to the c onfidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. This new environment of many constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment.The expanded model consists of a list of critical characteristics of information, which are described in the next Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 9 1 Information security Figure 1-3 Components of Information SecuritySource: Course Technology/Cengage Learning section. C. I. A. triangle terminology is used in this chapter because of the breadth of material that is based on it. Key Information Security Concepts This book uses a number of terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-4; all are covered in greater detail in subsequent chapters. Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, c omputer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect. Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone casually reading sensitive information not intended for his or her use is a passive attack.A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a fire in a building is an unintentional attack. A direct attack is a hacker using a personal computer to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems, for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself.Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User 10 Chapter 1 Vulnerability: Buffer overflow in online database Web interfaceThreat: Theft Threat agent: Ima Hacker Exploit: Script from MadHackz Web site Attack: Ima Hacker downloads an exploit from MadHackz web site and then accesses buybay’s Web site. Ima then applies the script which runs and compromises buybay's security controls and steals customer data. These actions cause buybay to experience a loss. Asset: buybay’s customer database Figure 1-4 Information Security Terms Source: Course Technology/Cengage Learning Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.The various levels and types of controls are discussed more fully in the following chapters. Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components. Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization’s information is stolen, it has suffered a loss. Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience.Cen gage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 11 organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs. Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk the organization is willing to accept.Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity, as shown in Figure 1-5. A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object), and is then used to attack other systems (subject). Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents. Threat agent: The specific instance or a component of a threat.For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms. Vulnerability: A weaknesses or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and pu blished; others remain latent (or undiscovered). 1 Critical Characteristics of InformationThe value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases, or, more commonly, decreases. Some characteristics affect information’s value to users more than others do. This can depend on circumstances; for example, timeliness of information can be a critical factor, because information loses much or all of its value when it is delivered too late. Though information security professionals and end users share an understanding of the characteristics of subject object Figure 1-5 Computer as the Subject and Object of an Attack Source: Course Technology/Cengage LearningCopyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Edit orial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User 12 Chapter 1 information, tensions can arise when the need to secure the information from threats conflicts with the end users’ need for unhindered access to the information.For instance, end users may perceive a tenth-of-a-second delay in the computation of data to be an unnecessary annoyance. Information security professionals, however, may perceive that tenth of a second as a minor delay that enables an important task, like data encryption. Each critical characteristic of information—that is, the expanded C. I. A. triangle—is defined in the sections below. Availability Availability enables authorized users—persons or computer systems—to access information without interference or obstr uction and to receive it in the required format. Consider, for example, research libraries that require identification before entrance.Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron’s identification before that patron has free access to the book stacks. Once authorized patrons have access to the contents of the stacks, they expect to find the information they need available in a useable format and familiar language, which in this case typically means bound in a book and written in English. Accuracy Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider, for example, a checking account.You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your che cking account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make mistakes, such as bouncing a check. Authenticity Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail—you assume you know the origin of the e-mail. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today, because often the mo dified field is the address of the originator. Spoofing the sender’s address can fool e-mail recipients into thinking that messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have.Spoofing can also alter data being transmitted across a network, as in the case of user data protocol (UDP) packet spoofing, which can enable the attacker to get access to data stored on computing systems. Another variation on spoofing is phishing, when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization. Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law enforcement agents or private investigators. When used in a phishing attack, e-mail spoofing lures victims to a Web server that does not represent the organization it purports to, in an attempt to steal their private data such as account numbers and passwords.The most c ommon variants include posing as a bank or brokerage company, e-commerce organization, or Internet service provider. Even when authorized, pretexting does not always lead to a satisfactory outcome. In 2006, the CEO of Hewlett-Packard Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.Licensed to: CengageBrain User Introduction to Information Security 13 Corporation, Patricia Dunn, authorized contract investigators to use pretexting to â€Å"smokeout† a corporate director suspected of leaking confidential information. The resulting firestorm of negative publicity led to Ms. D unn’s eventual departure from the company. 13 1 Confidentiality Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached.To protect the confidentiality of information, you can use a number of measures, including the following: Information classification Secure document storage Application of general security policies Education of information custodians and end users Confidentiality, like most of the characteristics of information, is interdependent with other characteristics and is most closely related to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Chapter 3, â€Å"Legal and Ethical Issues in Security. † The value of confidentiality of information is especially high when it is personal information about employees, customers, or patients. Individuals who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business. Problems arise when companies disclose confidential information.Sometimes this disclosure is intentional, but there are times when disclosure of confidential information happens by mistake—for example, when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside the organization. Several cases of privacy violation are outlined in Offline: Unintentional Disclosures. Other examples of confidentiality breaches are an employee throwing away a document containing critical information without shredding it, or a hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about the clients, such as names, addresses, and credit card numbers.As a consumer, you give up pieces of confidential information in exchange for convenience or value almost daily. By using a â€Å"members only† card at a grocery store, you disclose some of your spending habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. The bits and pieces of your information that you disclose are copied, sold, replicated, distributed, and eventually coalesced into profiles and even complete dossiers of yourself and your life. A similar technique is used in a criminal enterprise called salami theft. A deli worker knows he or she cannot steal an entire salami, but a few slices here or there can be taken home without notice.Eventually the deli worker has stolen a whole salami. In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more wou ld be noticed—but eventually the employee gets something complete or useable. Integrity Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User 14 Chapter 1 Offline Unintentional Disclosures In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves during 2004. The perpetr ators used stolen identities to create obstensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently.The company reported that the criminals opened many accounts and recorded personal information on individuals, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks; it was simple fraud. 14 While the the amount of damage has yet to be compiled, the fraud is feared to have allowed the perpetrators to arrange many hundreds of instances of identity theft. The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001. The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry analysts noted that it was likely to influence the public debate on privacy legislation.The company claimed that the mishap was caused by a programming error that occurred when patients w ho used a specific drug produced by the company signed up for an e-mail service to access support materials provided by the company. About 600 patient addresses were exposed in the mass e-mail. 15 In another incident, the intellectual property of Jerome Stevens Pharmaceuticals, a small prescription drug manufacturer from New York, was compromised when the FDA released documents the company had filed with the agency. It remains unclear whether this was a deliberate act by the FDA or a simple error; but either way, the company’s secrets were posted to a public Web site for several months before being removed. 16 damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted.Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity as shown by the size of the file. Another key method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value. The hash value for any combination of bits is unique. If a computer system performs the same hashing algorithm on a file and obtains a different number than the recorded hash value for that file, the file has been compromised and the integrity of the information is lost.Information integrity is the cornerstone of information systems, because information is of no value or use if users cannot verify its integrity. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 15File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and the error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted. 1 Utility The utility of information is the quality or state of having value for some purpose or end.Information has value when it can serve a purpose. If information is available, but is not in a format meaningful to the end user, it is not useful. For example, to a private citizen U. S. Census data can quickly become overwhelming and difficult to interpret; however, for a politician, U. S. Census data reveals information about the residents in a district, such as their race, gender, and age. This information can help form a politician’s next campaign strategy. Possession The possession of information is the quality or state of ownership or control. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics.While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality. For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups to sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the e mployee nor anyone else can read it without the proper decryption methods; therefore, there is no breach of confidentiality. Today, people caught selling company secrets face increasingly stiff fines with the likelihood of jail time.Also, companies are growing more and more reluctant to hire individuals who have demonstrated dishonesty in their past. CNSS Security Model The definition of information security presented in this text is based in part on the CNSS document called the National Training Standard for Information Systems Security Professionals NSTISSI No. 4011. (See www. cnss. gov/Assets/pdf/nstissi_4011. pdf. Since this document was written, the NSTISSC was renamed the Committee on National Security Systems (CNSS)— see www. cnss. gov. The library of documents is being renamed as the documents are rewritten. ) This document presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.T he model, created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube. 17 The McCumber Cube in Figure 1-6, shows three dimensions. If extrapolated, the three dimensions of each axis become a 3 3 3 cube with 27 cells representing areas that must be addressed to secure today’s information systems. To ensure system security, each of the 27 areas must be properly addressed during the security process. For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.One such control might be a system for detecting host intrusion that protects the integrity of Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party co ntent may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User 16 Chapter 1 Figure 1-6 The McCumber Cube18 Source: Course Technology/Cengage Learning information by alerting the security administrators to the potential modification of a critical file.What is commonly left out of such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent chapters of this book. Components of an Information System As shown in Figure 1-7, an information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information r esources in the organization. These six critical components enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses.Each component of the information system also has its own security requirements. Software The software component of the IS comprises applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls.Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, cost, and manpower. Information security is all too often implemented as an afterthought, rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks. Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 17 1 Figure 1-7 Components of an Information System Source: Course Technology/Cengage Learning Hardware Hardware is the physical te chnology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft.Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible. Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a computer as its owner passed it through the conveyor scanning devices.The first perpetrator ente red the security area ahead of an unsuspecting target and quickly went through. Then, the second perpetrator waited behind the target until the target placed his/her computer on the baggage scanner. As the computer was whisked through, the second agent slipped ahead of the victim and entered the metal detector with a substantial collection of keys, coins, and the like, thereby slowing the detection process and allowing the first perpetrator to grab the computer and disappear in a crowded walkway. While the security response to September 11, 2001 did tighten the security process at airports, hardware can still be stolen in airports and other public places.Although laptops and notebook computers are worth a few thousand dollars, the information contained in them can be worth a great deal more to organizations and individuals. Data Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. Systems developed in recent years are likely to make use of database Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User 18 Chapter 1 management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects do not make full use of the database management system’s security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems. People Though often overlooked in co mputer security considerations, people have always been a threat to information security.Legend has it that around 200 B. C. a great army threatened the security and stability of the Chinese empire. So ferocious were the invaders that the Chinese emperor commanded the construction of a great wall that would defend against the Hun invaders. Around 1275 A. D. , Kublai Khan finally achieved what the Huns had been trying for thousands of years. Initially, the Khan’s army tried to climb over, dig under, and break through the wall. In the end, the Khan simply bribed the gatekeeper—and the rest is history. Whether this event actually occurred or not, the moral of the story is that people can be the weakest link in an organization’s information security program.And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. S ocial engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate the actions of people to obtain access information about a system. This topic is discussed in more detail in Chapter 2, â€Å"The Need for Security. † Procedures Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization’s procedures, this poses a threat to the integrity of the information.For example, a consultant to a bank learned how to wire funds by using the computer center’s procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), this bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of over ten million dollars before the situation was corrected. Most organizations distrib ute procedures to their legitimate employees so they can access the information system, but many of these companies often fail to provide proper education on the protection of the procedures. Educating employees about safeguarding procedures is as important as physically securing the information system.After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of the organization only on a need-to-know basis. Networks The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size.Applying the traditional tools of phys ical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system are still important; but when computer systems are networked, this approach is no longer enough. Steps to provide network Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Licensed to: CengageBrain User Introduction to Information Security 19 security are essential, as is the implementation of alarm and intrusion ystems to make system owners aware of ongoing compromises. 1 Balancing Information Security and Access Even with the best planning and imple mentation, it is impossible to obtain perfect information security. Recall James Anderson

Exploring Customer Attitude Essay Example | Topics and Well Written Essays - 2000 words

Exploring Customer Attitude - Essay Example The pilot study will be undertaken to capture the attitude of a convenient sample in and around Hertfordshire, where Playful Times Toys which will be representative of the companies population. Both qualitative and quantitative techniques will be used. In the qualitative categories, in depth interviews of about 25 existing channel partners of the acquired company will be undertaken using the semi-structured interview technique. In the quantitative category, questionnaires will be administered both physically and using internet to about 500 potential customers comprising parents and grandparents of kids. The qualitative data will be analysed using subjective, interpretative techniques. The quantitative data will be analysed using both descriptive and inferential statistical techniques such as hypothesis testing, Chi-square testing, analysis of variance, correlational studies, and regression analysis. Subsequently conclusions will be drawn and recommendations will be made. 2. Introduct ion 2.1 Background Playful Times Toys’ decision to move away from the electronic toy market to traditional wooden toy market and consequent acquisition of a company that specialised in production of traditional wooden toys necessitated a market research to develop suitable promotional programme aimed at the potential customers in the wooden toys market. The research is significant for Playful Times Toys as the acquired company specialised in production of wooden building blocks, farmyard animals, train sets, and other vehicles for children aged 2-10. The company marketed these products on the basis of their perceived educational value. Playful Times Toys intention to develop promotional programmes aimed at the parents and grandparents customer segment signs a departure from its own and that of the acquired company’s marketing experience and infrastructure. 2.2 Overview of toy market Toy market is dependent on two factors (1) the number of children, and (2) gross domest ic product (GDP), which would enable to purchase. Usually toy products are categorised under 11 categories as (1) action figures & accessories; (2) arts & crafts; (3) building sets; (4) dolls; (5) games & puzzles; (6) infant/preschool toys; (7) youth electronics; (8) outdoor & sports toys; (9) plush; (10) vehicles; and (11) all other toys. World’s toy market can be divided into two categories (1) 0 to 14 years old, and (2) 15 + years based on based on the GDP/Inhabitant. 2.2.1 Top toy markets of the world In 2007, European region was the largest market with 32 per cent market share, closely followed by North American region with 31 per cent market share, while the Asiatic region accounted for 24 per cent market share. Latin America and the Caribbean markets accounted for 7 per cent, African region 4 per cent and the Oceania accounted for 2 per cent of the global market share. However, by the end of 2008, the Asiatic market grew by three per cent whereas both North American an d European markets registered decline. Latin American and the Caribbean markets grew by 1 per cent. The composition of world toy market by region is placed in the figure below. Figure 1: World toy market by region – 2008 Source: Guinaudeau, P., 2009. Toy Markets in the World. [Online] The NPD Group (2009 Edition) Available

Incidents Essay Example | Topics and Well Written Essays - 1250 words

Incidents - Essay Example As an autoethnographic text, however, Incidents also demonstrates that Linda, the main character, has a very clear idea of her own cultural identity, and that that cultural identity is in large part imposed upon her from beyond her control. As a black salve girl, she is expected to fit those cultural norms regardless of anything else in her life, and she recognizes that she must take every step she can to navigate theses issues throughout her life. Linda’s family situation is one of the main things that creates an autoethnographic understanding of herself. A child is usually innocent with the social environment during the early stages of his/her life. However, as time passes, a child is faced with the inevitable task of acknowledging the state of affairs surrounding his/her life. For Linda this meant one thing: dealing with the situation of slavery, which she experiences almost entirely through the lens of her family. The story Incidents is, in large part, the story of Lindaâ €™s growing understanding of her family. ... Linda admires her grandmothers hardworking nature and appreciates all the efforts she made while trying to free her family from bondage. This aspect of hard work and objectivity in her grandmother chores even as a slave encouraged Linda in many aspects of her life. It is through the lenses of these stories about family that Linda begins to understand her own cultural identity – her cultural understanding of self is constantly influenced by the way her family describes their interactions with slave owners. In every slavery situation, the victim faces unfair and unjustified treatment from their masters. Such mistreatments extend from basic acts of discrimination to other inhumane acts. In her narration about the condition surrounding the childhood life of her mother, the girl highlights this act of oppression on the relationship between her mother and the grandmother’s mistress daughter. Linda’s maternal grandmother was used as the foster mother of her motherâ€⠄¢s mistress. After birth, her mother as weaned from her grandmother so as to give the mistress the chance to be breast fed sufficiently by her grandmother. In the story, Linda is bitter about this content and feels that the people who at the same time pretended to care for her mistreated her mother as a child. Linda’s identity formation process is not solely centered on her blood family, however. Her extended family in the form of other slaves, and especially god-parents, leads in large part to Linda understanding her cultural place in the world. Jacobs illustrates the roles played by the people who care about us in life. Jacobs is not different to the significance of Linda’s mother mistress in taking care of her and her sibling. As we can witness from the text,