The computer security challenge I selected is number seven, “There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until security failure occurs” (Stallings, 2017). Of all the challenges listed, number seven is both the most common and the most humorous (in my experience). More often than not, I find that attempts to convince upper management to invest more in security fall upon deaf ears, leaving me merely to wait for disaster to strike instead of preventing it entirely. However, I have found that creating a presentation of real-world threat occurrences that affected similar businesses is quite useful in supporting my reasoning for requiring more funding or worktime for a security-related IT problem.
Infosec can be a thankless profession: if we do our jobs right and reduce the risk of attacks and data loss/corruption, we prevent the very opportunities that would grant us praise. As we all know, maintaining available budgets and human resources can become a chore, especially when upper management sees no immediate benefit to improving or creating a security investment. While the resistance one might face when attempting to allocate security funds can be a significant barrier in the overall project of infosec, realize that the barrier exists due to the lack of communication between you and your management team. If they are well versed in the dangers of not having, or the benefits of having, a specific security system, tool, or process, they will be more likely to see the bigger picture of the end goal of the improvement, instead of you waiting for their minds to change in the event of a security incident. A break/fix environment is not ideal.
For the next part of the discussion assignment, I will compare and contrast passive and active security threats and provide examples of both. Active threats and attacks intercept and modify data in transit, whereas a passive attack merely intercepts it with only the intention of reading the data for analysis (not altering it). While active attacks can negatively impact the confidentiality, integrity, and availability (CIA) of data, they are more likely to be detected due to the obvious effect they have. Passive attacks, on the other hand, merely analyze data and are generally used to decipher the network layout of a system or detect any weak points in security; thus, these attacks can be quite difficult to identify (Stallings, 2017).
An example of a passive attack is a keylogger, where an intruder records the affected user’s keystrokes in an attempt to collect their login credentials. Another passive attack is footprinting, where the intruder attempts to collect data intelligence for use in a future attack (Hassan, 2019). Finally, traffic analysis is another form of passive attack, where an attacker identifies and observes data transfers, looking for aspects such as the frequency and length of messages (Stallings, 2017).
An example of an active attack is a masquerade, where one user pretends to be another user, usually to obtain higher privileges or permissions (Stallings, 2017). Another example is a replay attack, where an intruder steals a packet from a network and then forwards it back while impersonating the user who originally sent it; typically, they will edit the packet to contain malicious content. Finally, a denial-of-service (DoS) can be an active attack, as it prevents authorized users from accessing a resource, usually by flooding the server (Hassan, 2019).
Stallings, W. (2017). Network Security Essentials: Applications and Standards (6th ed.). Pearson.
Hassan, N. (2019, March 5). Learn the Difference Between Active and Passive Encryption Attacks. Retrieved March 9, 2020, from https://www.venafi.com/blog/what-active-attack-vs-passive-attack-using-encryption.