ABSTRACT
Organizations typically devote substantial information security resources to the prevention of attacks on computer systems. Strong authentication is used, with passphrases that change regularly, tokens, digital certificates, and biometrics. Information owners spend time assessing risk. Network components are kept in access-controlled areas. The least privilege model is used as a basis for access control. There are layers of software protecting against malicious code. Operating systems are hardened, unneeded services are disabled, and privileged accounts are kept to a minimum. Some systems undergo regular audits, vulnerability assessments, and penetration testing. Add it all up, and these activities represent a significant investment of time and money.